Category: Security


So, forget the brute force idea I mentioned in my earlier post.  I knew brute forcing any security appliance would be harder than I wanted to mess with.  I also didn’t want to reset the PIX to factory defaults, since before this I had never touched a Cisco device.  The users are using the VPN as well and I really just didn’t want to mess with this.  I just needed to open RDP to get to their server, and the previous vendor magically forgot the password to the device when I took over their IT.  Anyway, this is what I used to reset their password.  As far as resolving some of their VPN issues… I’ll be consulting with some of my associates with more Cisco experience than myself.

To start, you need to download the np**.bin files from Cisco.com.  You will also need TFTP server software (I used TFTPD).

First, plug into the PIX with a console cable and verify your connection.  (When connected, I used HyperTerminal.)

Turn the PIX off, then back on.  Right after the power comes back on, send a “BREAK” character (honestly, not sure what that means) or hit the ESC key (this is what I did).

For a PIX without a floppy drive and only 2 interfaces (like the one I was on), it automatically defaults traffic to the internal interface.  This is what you want.  Just in case, use the interface command to pick the right one:
interface 1

Use the “address” command to specify the IP of the PIX internal interface:
address 192.168.11.1
Use the “server” command to specify the IP of the TFTP server containing the PIX password recovery file (the np**.bin):
server 192.168.11.49
Use the “file” command to specify which file on the TFTP server:
file np70.bin
Use the “tftp” command to start the download:
tftp
Then you get asked whether you want to erase the passwords.  Enter “y”.

The default password is “cisco”; there is no default enable password.  Use the passwd <new password> command to create an enable password.  You’re all done.  Let me know if I missed something.


So, I have been working with a new client recently.  They switched from another IT vendor with a “lack of communication skills”.  The other provider would never tell them if they were going to reboot the server, did not provide ANY antivirus on the server or clients, and had several other issues that I don’t really care about (seem personal).  During the transition, I told my client to request all passwords from their previous vendor (PIX firewall password, domain admin, local admin password if different, and password to the wireless router).  The vendor gave up the domain administrator password (although they had some GPOs restricting it from adding new users and other things, because they used custom admin accounts instead), but “didn’t remember” the Cisco PIX password.  Either they really are a horrible IT provider or they are assholes… you choose.  Although this really isn’t as uncommon as I wish it was, I hate having to dick with resetting passwords and trying to pry information out of people.  Anyway, before the April 1 Conficker was supposed to hit, the vendor had provided them with a free trial of Trend’s newest Worry-Free small business client/server security.  I thought this was a huge sign that the vendor was trying, since they didn’t have AV for the previous 2 years, the event viewer was flooded with errors, and the clients just thought IT didn’t work altogether.  Shortly after this 30-day trial was installed, the transition was made.  I ordered the client Symantec Endpoint Protection 11.0 (MR4) w/ SEPM (my preferred AV).  I went to install the new AV and realized, since they never had AV before, I had not had my clients ask for an uninstall password for the AV.  I called the company and asked them for the uninstall password.  Of course, they “forgot” this password as well…

Off I go on one of my favorite tasks: removing AV from an entire office without a management console to expedite it, or a password to even do it remotely fast on each machine.  First, I decided to take it off of the server and put SEPM on the server.  I wanted to make sure the server was taken care of first.  I used this page (update 5/10/2011: looks like Trend removed this site.  Let me know if you find an updated link) to take care of it.  Worked ok, except when the server came back online it could not pick up a network connection.  Of course it is set with a static IP.  I tried WinSockFix, which I would not recommend using on a server, but by the time I used it I was somewhat desperate.  I checked all services.  Removed some updates that I had known to cause issues before on SBS 2003 (951746 and 951748: if the IPsec service won’t start and these were recently installed, remove them and reboot.  They cause issues on SBS ’03 and kill networking).  Finally, I downloaded the newest drivers for the NIC from Dell and moved them over on my flash drive.  Installed them with no effect, so I rolled back the driver and… it worked.  That was my dumb ass not realizing right off the bat to just reinstall the driver.  We all make mistakes I guess.  Anyway, I got SEP and SEPM on the server, but now had to uninstall Trend from all of the clients.  What a nightmare.  It isn’t a big company, but I didn’t want to go through and kick anyone off of their machines unnecessarily and have to manually do each machine.  Here’s what I did to remove Trend from the clients:

First, the Remote Registry service must be running on the clients and you must be using a domain administrator account.  By default, Remote Registry is enabled on XP.  Here is what to do: to allow uninstall of the clients without a password, you can modify the key with regedit connected to the remote computer, but if working with multiple machines, I use Multi-Remote Registry Change.  The trial version does everything you need, but only 10 clients at a time.  This is worth it for me to save some cash.  I had multiple PCs, but not enough to pay for the product, although I may purchase it now just to support the company in hopes of a tool for Vista.  Select the client computers and modify the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc.\Allow Uninstall

Change the value to 1.

(Do a “replace” in Multi-Remote Registry Change, changing the value from 0 to 1.)

Now we are able to uninstall the application without the password.  We need the path to the uninstaller for Trend.  This is found by going to the

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

registry key and looking for the subkey dealing with uninstalling the Trend client/server agent.  I only put this section in because you can find the manual uninstall command for any application this way.  I have the path for Trend’s for you already, though.

“C:\Program Files\Trend Micro\Client Server Security Agent\ntrmv.exe”

Now we know how to uninstall it, but to remotely run the uninstaller we need a tool called psexec.  This is part of the PsTools suite from Sysinternals (now Microsoft).  Use the psexec command from the command prompt like so:

psexec \\computer_name "C:\Program Files\Trend Micro\Client Server Security Agent\ntrmv.exe"

Now it will uninstall from that machine.  You could make a quick batch file to have it run through every machine on the domain doing this, but I don’t feel like writing that out here.  Leave a comment if you want more detail.  Anyway, there is no restart required for this uninstall, so you are good to install whatever new AV you have…  Next time: brute forcing a PIX 501 because jerks won’t give you passwords.
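The loop the post leaves as an exercise, as an added example and not the author’s own script: a batch file that, per the steps above, starts Remote Registry, sets Allow Uninstall to 1 over the remote registry with reg.exe, and then runs ntrmv.exe through psexec on every computer listed in clients.txt. Assumed (not from the post): clients.txt sits next to the script, psexec.exe is on the PATH, you are logged on as a domain admin, and Allow Uninstall is a REG_DWORD (the post only says to set it to 1; confirm with reg query on one client first).

```batch
@echo off
rem Added example, not the original post's code. Removes the Trend Worry-Free agent
rem from every client named in clients.txt (one hostname per line, # for comments).
rem Assumptions: psexec.exe on PATH, domain admin logon, Allow Uninstall is REG_DWORD.
setlocal
set "CLIENTS=%~dp0clients.txt"
set "LOG=%~dp0trend-removal.log"
set "KEY=HKLM\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc."
set "UNINST=C:\Program Files\Trend Micro\Client Server Security Agent\ntrmv.exe"

if not exist "%CLIENTS%" (
    echo Missing "%CLIENTS%" - put one computer name per line in it.
    exit /b 1
)

for /f "usebackq eol=# tokens=*" %%M in ("%CLIENTS%") do call :one "%%M"
echo Done. Results are in "%LOG%".
exit /b 0

:one
set "PC=%~1"
echo === %PC% === >> "%LOG%"

rem 1. Skip machines that are switched off instead of hanging on each one.
ping -n 1 -w 1000 %PC% >nul 2>&1 || (echo %PC%: offline, skipped >> "%LOG%" & goto :eof)

rem 2. reg.exe needs Remote Registry running on the client (enabled but may be stopped).
sc \\%PC% start RemoteRegistry >nul 2>&1

rem 3. The same change the post makes by hand: Allow Uninstall = 1.
reg add "\\%PC%\%KEY%" /v "Allow Uninstall" /t REG_DWORD /d 1 /f >> "%LOG%" 2>&1 || (
    echo %PC%: could not set Allow Uninstall, skipped >> "%LOG%" & goto :eof)

rem 4. Run the uninstaller remotely; the post notes no reboot is needed.
psexec \\%PC% "%UNINST%" >> "%LOG%" 2>&1
if errorlevel 1 (echo %PC%: ntrmv.exe returned %errorlevel% >> "%LOG%") else (echo %PC%: removed >> "%LOG%")
goto :eof
```

Run it from an elevated command prompt on the server and check trend-removal.log afterwards; any machine marked “skipped” still has the agent and needs the manual steps above.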

