PIX密码恢复（到pix7.0版本）

liuxingyuan · 发表于 2009-3-8 11:13:38

Password Recovery Procedure for the PIX（PIX的密码恢复流程）

Introduction（引言）
This document describes how to recover a PIX password for PIX software releases through 7.0. Note that performing password recovery on the PIX erases only the password, not the configuration. If there are Telnet or console aaa authentication commands in versions 6.2 and later, the system also prompts to remove these.
本文档描述了怎样恢复PIX密码，包含了到7.0的PIX软件版本。注意到的是在PIX上提供的密码恢复工具仅擦除密码，而不擦除配置。如果在版本6.2或以后版本，如果存在Telnet或console上的aaa认证，该系统也提示删除它们。
Note: If you have configured AAA on the PIX and the AAA server is down, you can access the PIX by entering the Telnet password initially, and then pix as the username and the enable password (enable password password) for the password. If there is no enable password in the PIX configuration, enter pix for the username and press ENTER. If the enable and Telnet passwords are set but not known, continue with the password recovery process.
注释：如果在PIX上你已经配置了AAA并且AAA服务器不可用，您能使用Telnet的密码访问PIX，然后检查用户名和enable密码。如果在PIX的配置中没有enable密码，输入用户名和按ENTER进入pix。如果enable和Telnet密码已经设置但是忘记了，继续使用密码恢复程序。
The PIX Password Lockout Utility is based on the PIX software release you run. Use show version in order to know the software version running on your PIX/ASA Security appliance.
PIX密码锁定工具基于您所运行的PIX软件版本。使用show version获取再您的PIX/ASA安全设备上正在运行的软件版本。
Note: Refer to Performing Password Recovery for the ASA 5500 Series Adaptive Security Appliance for ASA 5500 Series Adaptive Security Appliance Password Recovery.
注释：恢复ASA5500系列自适应安全设备的密码，参考ASA5500系列自适应安全设备密码恢复程序。
Prerequisites（先决条件）
Requirements（要求）
There are no specific requirements for this document.
本文档没有特殊的要求。
Components Used（使用组件）
The information in this document requires these hardware devices:
在本文档中的信息要求这些硬件设备：
l A PC （一台PC）
l A working serial terminal or terminal emulator（工作的串口终端或其他终端仿真）
l Approximately 10 minutes of PIX and network downtime（大约10分钟的PIX和网络停止时间）
Note: You must have approximately 10 minutes of PIX and network downtime to perform this procedure.
注释：你必须有约10分钟的PIX和网络停止时间去执行这个流程。
You need the PIX Password Lockout Utility to use the password recovery procedure, which includes these files:
使用密码恢复流程你需要PIX密码锁定工具，包括这些文件：
（1）The appropriate binary file, depending on the PIX software version you run:
根据您运行的PIX软件版本，选择合适的二进制文档：
l np70.bin (7.x and 8.0 release)
l np63.bin (6.3 release)
l np62.bin (6.2 release)
l np61.bin (6.1 release)
l np60.bin (6.0 release)
l np53.bin (5.3 release)
l np52.bin (5.2 release)
l np51.bin (5.1 release)
l np50.bin (5.0 release)
l np44.bin (4.4 release)
l nppix.bin (4.3 and earlier releases)
Note: You need to determine what .bin file to use, which depends upon the PIX code that your PIX currently runs irrespective of the BIOS version.
注释：你需要决定使用哪一个.bin文件，取决于当前运行的PIX代码，而不用考虑BIOS版本
（2）rawrite.exe (needed only for PIX machines with a floppy drive)
(rawrite.exe仅用于使用软驱的PIX机器)
（3）TFTP Server Software (needed only for PIX machines without a floppy drive) TFTP server software is no longer available from Cisco.com, but you can find many TFTP servers by searching for "tftp server" on your favorite Internet search engine. Cisco does not specifically recommend any particular TFTP implementation.
TFTP服务软件（用于没有软驱的PIX机器）Cisco.com不再提供TFTP服务软件，但是你可以通过使用您喜欢的任何Internet搜索引擎找到许多TFTP服务器。Cisco不特别指定使用TFTP的实现方式。
Conventions（协议）
Refer to the Cisco Technical Tips Conventions for more information on document conventions.
参考Cisco技术系统协议获取关于文档协议的更多信息。

[ 本帖最后由 liuxingyuan 于 2009-3-8 11:16 编辑 ]

liuxingyuan · 发表于 2009-3-8 11:16:49

Step−by−Step Procedure（流程步骤）
PIX With a Floppy Drive（使用软驱的PIX）
Complete these steps to recover your password:
恢复您的密码完成这些步骤：
1. Execute the rawrite.exe file on your PC and answer the questions on the screen using the correct password recovery file.
在您的PC上执行rawrite.exe文件，并且回答使用正确的密码恢复文件。
2. Install a serial terminal or a PC with terminal emulation software on the PIX console port.
安装一个串口终端或使用终端仿真软件连接PIX的console端口。
3.Verify that you have a connection with the PIX, and that characters are going from the terminal to the PIX, and from the PIX to the terminal. Note: Because you are locked out, you only see a password prompt.
验证你与PIX之间是否存在连接，字符从终端到PIX，和从PIX到终端。注：因为您被锁在系统之外，您只能看到密码提示。
4. Insert the PIX Password Lockout Utility disk into the floppy drive of the PIX.
插入PIX密码锁定工具磁盘到PIX的软驱中。
5. Push the Reset button on the front of the PIX. The PIX reboots from the floppy and prints this
message:
Erasing Flash Password. Please eject diskette and reboot.
按在PIX前面板上的Reset按钮。PIX从软盘启动并显示这个消息：
Erasing Flash Password. Please eject diskette and reboot.
6.Eject the disk and press the Reset button. You are now able to log in without a password. Press ENTER when you are prompted for a password.
退出磁盘并且按Reset键。您现在可以登录进系统不使用密码。按ENTER当提示您输入密码的时候。
7.The default Telnet password after this process is "cisco." There is no default enable password. Go into configuration mode and issue the passwd your_password command to change your Telnet password and the enable password your_enable_password command to create an enable password, and then save your configuration.
使用这个程序后默认的telnet密码是”cisco”.没有默认的enable密码。进入配置模式适用passd your_password命令更改您的Telnet密码，enable password your_enable_password命令创建新的enable密码，然后保存您的配置。
PIX Without a Floppy Drive （没有软驱的PIX）
Complete these steps to recover your password:
Note: Sample output from the password recovery procedure is available in this document.
恢复您的密码完成这些步骤。
注：恢复密码流程在本文中有示例。
1. Install a serial terminal or a PC with terminal emulation software on the PIX console port.
安装一个串口终端或使用终端仿真软件连接PIX的console端口。
2. Verify that you have a connection with the PIX, and that characters are going from the terminal to the PIX, and from the PIX to the terminal. Note: Because you are locked out, you only see a password prompt.
验证你与PIX之间是否存在连接，字符从终端到PIX，和从PIX到终端。注：因为您被锁在系统之外，您只能看到密码提示。
3. Immediately after you power on the PIX Firewall and the startup messages appear, send a BREAK character or press the ESC key. The monitor> prompt is displayed. If needed, type ? (question mark) to list the available commands.
在PIX防火墙加电并且开始消息显示时立即发送BREAK字符或按ESC键。monitor>提示符显示。如果有必要，键入？列出可用的命令。
4.Use the interface command to specify which interface the ping traffic should use. For floppiless
PIXes with only two interfaces, the monitor command defaults to the inside interface.
使用interface命令指定哪一个接口ping流量可被使用。对于只有两个接口的无软驱PIX，monitor命令默认是inside接口。（可以在PC与PIX连通后，测试，只要interface命令能够初始化这个端口即可，可以在show version的命令下看到可用的接口）
5. Use the address command to specify the IP address of the PIX Firewall's interface.
使用address命令为PIX防火墙接口制定IP地址。
6. Use the server command to specify the IP address of the remote TFTP server containing the PIX
password recovery file.
使用Server命令提供包含有密码恢复文件的远程TFTP服务器的IP地址。
7.Use the file command to specify the filename of the PIX password recovery file. For example, the 5.1 release uses a file named np51.bin.
使用file命令指定PIX密码恢复文件的文件名。例如，使用np51.bin恢复5.1版本。
8. If needed, enter the gateway command to specify the IP address of a router gateway through which the server is accessible.
如果需要，键入gateway命令提供路由器网关的IP地址使TFTP服务器可访问。
9. If needed, use the ping command to verify accessibility. If this command fails, fix access to the server before continuing.
如果需要使用ping命令验证可访问。如果该命令失败，继续下一步之前修复，使服务器可访问。
10. Use the tftp command to start the download.
使用tftp命令开始下载
11. As the password recovery file loads, this message is displayed:
Do you wish to erase the passwords? [yn] y
Passwords have been erased.
Note: If there are Telnet or console aaa authentication commands in version 6.2, the system also
prompts to remove these.
当密码恢复文件加载，显示了如下的消息：
Do you wish to erase the passwords? [yn] y
密码被擦除。
注：在version6.2版本内，如果有Telnet或console aaa认证命令，系统提示去移出这些。
12. The default Telnet password after this process is "cisco." There is no default enable password. Go into configuration mode and issue the passwd your_password command to change your Telnet password and the enable password your_enable_password command to create an enable password, and then save your configuration.
使用这个程序后默认的telnet密码是”cisco”.没有默认的enable密码。进入配置模式适用passd your_password命令更改您的Telnet密码，enable password your_enable_password命令创建新的enable密码，然后保存您的配置。

liuxingyuan · 发表于 2009-3-8 11:17:35

Sample Output
This example of floppiless PIX password recovery with the TFTP server on the outside interface is taken from a lab environment.
本示例为无软驱PIX密码恢复流程，试验环境为：TFTP服务器在outside接口。
Network Diagram
网络架构

[ 本帖最后由 liuxingyuan 于 2009-3-8 11:20 编辑 ]

liuxingyuan · 发表于 2009-3-8 11:24:15

本程序使用到的相关文件
密码恢复文件

PIX 密码恢复.rar (242.66 KB, 下载次数: 8)
TFTP

ciscotftpserver1.1.part1.rar (683.59 KB, 下载次数: 1)

ciscotftpserver1.1.part2.rar (552.05 KB, 下载次数: 1)

已使用该方法在PIX6.3版本上测试通过不会对配置产生影响，仅删除了telnet和enable密码

[ 本帖最后由 liuxingyuan 于 2009-3-8 11:32 编辑 ]

账号		自动登录	找回密码
密码			注册