SHow hidden passwords in Cisco ASA or Router PDF Print E-mail
Written by John Nikolatos   
Wednesday, 20 June 2012

Problem

Once a pre-shared key is configured, it is encrypted, and you cannot see it in the running configuration. It is displayed as *******.

Example:

		pixfirewall#show running-config
	
	Cryptochecksum: 1b6862ce 661c9155 ff13b462 7b11c531
	
	: Saved: Written by enable_15 at 00:38:35.188 UTC Fri Feb 16 2007
	
	!PIX Version 7.2(2)
	
	!
	
	hostname pixfirewalldomain-name default.domain.invalidenable password 8Ry2YjIyt7RRXU24 encrypted
	
	names
	
	!
	
	interface Ethernet0 
	
	nameif inside security-level 100 
	
	ip address 172.16.124.1 255.255.255.0
	
	crypto isakmp policy 1 
	
	authentication pre-share 
	
	encryption des 
	
	hash md5 
	
	group 2 lifetime 86400
	
	!--- Output is suppressed.
	
	tunnel-group mytunnel type ipsec-ra
	
	tunnel-group mytunnel general-attributes
	
	 default-group-policy myGROUP
	
	tunnel-group mytunnel ipsec-attributes
	
	 pre-shared-key *
	
	telnet timeout 5ssh timeout 5	
	

Solutions

Use any of the solutions in this section to solve the problem.

Solution 1

In order to recover a pre-shared key in the VPN configuration, issue the more system:running-config command. This command shows the pre-shared key in clear-text format.

Example:

		pixfirewall#more system:running-configCryptochecksum: 1b6862ce 661c9155 ff13b462 7b11c531: 
	
	Saved: Written by enable_15 at 00:38:35.188 UTC Fri Feb 16 2007!
	
	PIX Version 7.2(2)!hostname pixfirewall
	
	domain-name default.domain.invalid
	
	enable password 8Ry2YjIyt7RRXU24 encryptednames!
	
	interface Ethernet0 
	
	nameif inside security-level 100
	
	 ip address 172.16.124.1 255.255.255.0
	
	crypto isakmp policy 1 
	
	authentication pre-share 
	
	encryption des 
	
	hash md5 
	
	group 2 
	
	lifetime 86400
	
	!--- Output is suppressed.
	
	tunnel-group mytunnel type ipsec-ra
	
	tunnel-group mytunnel general-attributes
	
	 default-group-policy myGROUP
	
	tunnel-group mytunnel ipsec-attributes 
	
	pre-shared-key cisco
	
	telnet timeout 5ssh timeout 5	
	

Solution 2

Copy your configuration to a TFTP server. This is needed because once the configuration is sent to the TFTP server, the pre-shared key appears as clear text (instead of ******** , as in the show run command).

Issue this command in order to copy your configuration to a TFTP server:

		ASA#write net [[tftp server_ip]:[filename]]:	
	

OR

		ASA#copy running-config tftp:	
	

Once the file is saved on the TFTP server, you can open it with a text editor and view the passwords in clear text.

Example:

		pixfirewall#copy running-config tftp:Source filename [running-config]?Address or name of remote host []? 172.16.124.2Destination filename [running-config]?Cryptochecksum: 1b6862ce 661c9155 ff13b462 7b11c531!3312 bytes copied in 0.420 secs	
	
Text Editor View

 

preshared-key-recover-1.gif

Refer to the

write net section of the Cisco Security Appliance Command Reference in order to learn more about this command.

Solution 3

In order to get the clear text of the pre-shared key, access the PIX/ASA through HTTPS.

Create a username/password to get the access of the PIX/ASA configuration.

		pix(config)#username username password password	
	

In order to enable the security appliance HTTP server, use the http server enable command in global configuration mode. In order to disable the HTTP server, use the no form of this command.

		hostname(config)#http server enable 	
	

In order to specify hosts that can access the HTTP server internal to the security appliance, use the http command in global configuration mode. In order to remove one or more hosts, use the no form of this command. In order to remove the attribute from the configuration, use the no form of this command without arguments.

		hostname(config)#http 10.10.99.1 255.255.255.255 outside	
	

Use the username/password to login to the PIX/ASA using the browser as this example shows.

		https://10.10.99.1/config	
	

Solution 4

The configuration can also be uploaded to an FTP server. This is the command:

		ASA#copy running-config ftp:<url>	
	

Example:

		ASA#copy run ftp://172.16.124.2/running-config
	
	Source filename [running-config]?
	
	Address or name of remote host [172.16.124.2]?
	
	Destination filename [running-config]?
	
	Cryptochecksum: 1b6862ce 661c9155 ff13b462 7b11c531!3312 bytes copied in 1.120 secs (3312 bytes/sec)	
	
 
< Prev   Next >

valid xhtml? | valid CSS?

Joomla Templates by Joomlashack