Cisco Pix Password Recovery


Having physical access to the Pix, console cable, cross over cable, tftp server software installed, having either access to the internet or having the files downloaded on to your machine.

Step 1:
Connect the cat5 cable to interface fa0 or fe0 (the first port on the pix) and the other end to your machine.
Connect the console cable up normally to your machine and the pix as well.
Have hyperterminal opened and already setup.

Step 2:
Power on the Pix!
Assuming you can get into the pix without being able to go into enable mode, execute the command:
show version
If you are unable to get in at all, then watch for the version information while the pix boots and write it down.

Step 3:
Once you have the version, lets just say it's 6.3, you download np63.bin from the cisco website and place it in your tftp directory.
(The files are listed on Cisco's pix password recovery page noted below)

Step 4:
Configure your ethernet port on your machine give it something simple like:
and that's all!

Step 5:
Reboot the Pix and when it starts to boot up hit CTRL + Break at the same time.
This will boot you into a 'monitor mode" type thing where you will issue the following commands:
interface 0
file np63.bin

Step 6:
After you issue the tftp command it should grab the file assuming your tftp server is started and your network connection is good.
Once it loads the .bin script you just uploaded it will ask you if you want to delete the following lines (the ones that have the encrypted password in them) from the configuration.
You say yes here.

Step 7:
Reboot and type enable without having a password on your Pix!

I normally save the encrypted hashes in a text file and then use john the ripper to crack them that way I know what they were and then store them in my dictionary file for future reference.
For instructions please see my tutorial entitled "Using John to Crack Cisco md5"