Lost Admin Password UTM-1050 w/ SPLAT



BoostinChick
2010-01-07, 10:15
Recently had a turnover of equipment, and no one knows the admin logon info for the UTM-1050. I ran it by Check Point and the technical help person said that I would need to do a factory reset on the device. With the risk of losing the rule base and settings, this is not a solution I am comfortable with. Just seeing if any experts out there had any "work around" for this. I have checked the Check Point SecureKnowledge database and Google and could not find anything solid relating to the UTM-1 devices.

Thanks!

melipla
2010-01-07, 13:23
I thought you could hook up a USB CD-ROM and boot from a Linux CD? From there it would be a trivial "lost root password" recovery...

boldin
2010-01-07, 14:04
This is what we use:
1. Obtain a CentOS 5.3 CD #1 ISO or CD/DVD. Boot up with it. Press F5 for Rescue and then enter "linux rescue".
No need to activate network connectivity; just use the defaults.
2. mkdir /checkpoint
3. mount /dev/sda7 /checkpoint
4. mount /dev/sda1 /checkpoint/boot
5. chroot /checkpoint
6. /bin/expert_password (change the expert password here)
7. \passwd admin (change the admin password for cpshell here)
8. Reboot the system.

I haven't done this myself, but documented from a coworker who says it works...

cciesec2006
2010-01-07, 14:41
This method works ONLY if you did NOT change "cpshell" to "bash" in the /etc/passwd file for the "admin" account.

If you changed "cpshell" to "bash" in the /etc/passwd file for the "admin" account, this method does NOT work. In that case, you have to use this method:


#1: Boot up with the CentOS 5.3 CD #1 ISO. You can do this from the IBM RSA rack card if you have one. Press F5 for rescue, then enter "linux rescue".

#2: You do not need to activate network connectivity; just follow the defaults.

#3: mkdir /checkpoint

#4: mount /dev/sda7 /checkpoint

#5: mount /dev/sda1 /checkpoint/boot

#6: chroot /checkpoint

#7: /bin/expert_password (change your expert password here)

#8: \passwd admin (change the admin password for cpshell here)

#9: Reboot the box.
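The rescue-disc procedure from boldin's and cciesec2006's posts above, written up as a script with the checks a practitioner would want before editing the account database of a production firewall. This is an added example, not something posted in the thread: the partition numbers (/dev/sda7, /dev/sda1), the /bin/expert_password helper and the cpshell login shell come from the posts; the ext3 filesystem type, the empty-/etc/fstab workaround for the mount error schynam reports later in the thread, the backups of /etc/passwd and /etc/shadow, and all function names are my assumptions. It only takes the destructive path when run as root from the rescue shell with `sh splat_recover.sh recover`; the `login_shell` and `admin_uses_cpshell` helpers can be exercised on a constructed passwd file without mounting anything.

```shell
#!/bin/sh
# Added example (not from the thread). Resets the SecurePlatform expert and
# admin passwords from a CentOS "linux rescue" shell, following the steps
# posted above with sanity checks and backups around them.
#
# Assumptions (mine, not the thread's): the SPLAT root is ext3, the rescue
# environment may lack /etc/fstab, and PATH resolves passwd(1) in the chroot.

# Partitions as given in the thread; override from the environment if
# "fdisk -l" shows a different layout.
SPLAT_ROOT=${SPLAT_ROOT:-/dev/sda7}
SPLAT_BOOT=${SPLAT_BOOT:-/dev/sda1}
FSTYPE=${FSTYPE:-ext3}
MNT=${MNT:-/checkpoint}

# Print the login shell (field 7) of a user from a passwd(5) file.
# usage: login_shell <passwd-file> <user>
login_shell() {
    awk -F: -v u="$2" '$1 == u { print $7; exit }' "$1"
}

# Succeed only if the account still uses cpshell. cciesec2006's caveat above
# is that the chroot-and-passwd trick is only reported to work in that case,
# so recover() warns before proceeding.
admin_uses_cpshell() {
    case "$(login_shell "$1" "${2:-admin}")" in
        */cpshell) return 0 ;;
        *)         return 1 ;;
    esac
}

# Some rescue/live environments ship without /etc/fstab, and older mount(8)
# then refuses with "mount: Cannot read /etc/fstab" (the error schynam hits
# later in the thread). An empty file is enough for mount to carry on.
ensure_fstab() {
    [ -e /etc/fstab ] || : > /etc/fstab
}

# Keep a timestamped copy of a file beside it; prints the backup path.
backup_file() {
    bak="$1.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$1" "$bak" && printf '%s\n' "$bak"
}

# The destructive path: mount, verify, back up, reset, unmount.
recover() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root from the rescue shell" >&2; return 1; }
    ensure_fstab
    mkdir -p "$MNT"
    mount -t "$FSTYPE" "$SPLAT_ROOT" "$MNT" || return 1
    mount -t "$FSTYPE" "$SPLAT_BOOT" "$MNT/boot" || { umount "$MNT"; return 1; }
    # Refuse to touch a partition that does not look like a SPLAT root.
    if [ ! -x "$MNT/bin/expert_password" ] || [ ! -f "$MNT/etc/passwd" ]; then
        echo "$SPLAT_ROOT does not look like a SPLAT root; check fdisk -l" >&2
        umount "$MNT/boot" "$MNT"
        return 1
    fi
    if ! admin_uses_cpshell "$MNT/etc/passwd"; then
        echo "warning: admin shell is '$(login_shell "$MNT/etc/passwd" admin)', not cpshell" >&2
    fi
    backup_file "$MNT/etc/passwd" >/dev/null || return 1
    backup_file "$MNT/etc/shadow" >/dev/null || return 1
    chroot "$MNT" /bin/expert_password      # new expert password
    chroot "$MNT" passwd admin              # new admin (cpshell) password
    umount "$MNT/boot" "$MNT"
    sync
    echo "done: remove the rescue media and reboot"
}

# Offline self-check on a constructed passwd file (no root, no mounts):
# prints the login shell the helpers see for "admin".
demo() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
root:x:0:0:root:/root:/bin/bash
admin:x:0:0::/home/admin:/bin/cpshell
EOF
    login_shell "$f" admin
    rm -f "$f"
}

if [ "${1:-}" = "recover" ]; then
    recover
fi
```

The backups matter because the chroot runs the appliance's own `passwd` and `expert_password` binaries against the real /etc/passwd and /etc/shadow; if either aborts half-way, the `.bak.<timestamp>` copies are what you restore before rebooting.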

belvdr
2010-01-07, 15:09
I am not seeing any difference from boldin's instructions.

boldin
2010-01-07, 15:20
Actually, I think a coworker may have ganked the instructions from cciesec's earlier post somewhere here on cpug - they look disturbingly similar...

BoostinChick
2010-01-25, 13:59
I also forgot to mention that the physical device(s) is/are across the country. Is this the only known method? This would mean I get to take a trip...

rubber_chicken
2010-01-25, 14:40
Remember that this thing you're trying to talk to is a firewall. Its job is to tell you to get knotted.

You'll need physical access to it to regain control.

BoostinChick
2010-01-25, 16:43
Heh, just making sure I understood what all the options were. Thanks, will update if I can get it to work.

rubber_chicken
2010-01-25, 20:22
Depending on what infrastructure you have and the technical level of local staff, you might be able to jury-rig a backdoor.

I'm thinking a laptop connected to the internet via a mobile broadband device. Add LogMeIn, a console cable and some magic pixie dust. You might just wing it. Worth a crack at least. Might save a trip?

BoostinChick
2010-01-26, 15:30
I wish! Good idea though. I will be taking a trip within the next 2 weeks. Gets me out of the office.

schynam
2012-07-04, 09:50
I have tried this, booting from a CentOS 5.5 install CD 1, with no luck, although I used a Windows 7 box. Do I have to be on a Unix/Linux machine?

schynam
2012-07-24, 15:20
#4 mount /dev/sda7 /checkpoint

I got to this point after booting up with the CentOS live CD.
I got the error message: mount: Cannot read /etc/fstab: No such file or directory


Please help!

schynam
2012-07-24, 17:33
Check Point provided another option: reinstalling the UTM-1. Hopefully that works.

https://supportcenter.checkpoint.com/supportcenter/portal?js_peid=P-114a7bc3b09-10006&eventSubmit_doGoviewsolutiondetails&solutionid=sk33876

Installing the Messaging Security package on the UTM-1 appliance using a DVD or USB Key

To install:

1. Connect the console cable to the appliance serial port. (Using the supplied serial console cable to the RJ45 port, open HyperTerminal and connect to the UTM-1 appliance. In the Port Settings window, the setting for the serial console is 9600 8N1 (9600 bps, 8 bits, no parity, 1 stop bit). From the Flow control drop-down menu, select Hardware. Configure the HyperTerminal parameters.)
2. Connect a DVD drive or USB disk-on-key to a 450, 1050 or 2050 UTM-1 appliance.
3. Boot the UTM-1 appliance.
4. When prompted, press "B" to bring up the boot menu.
5. On the boot menu:
   If you are booting from a DVD, select "USB-CDROM" as the first boot device. The system boots up.
   If you are booting from a USB key, select "USB-HDD" as the first boot device. The system boots up. On the Select Partition Screen window, select the /dev/sda1 partition.
6. The standard SecurePlatform installation begins. When prompted:
   Select the default IP address 192.168.1.1 with subnet 255.255.255.0 and default route 192.168.1.254. (Note: You can enter an alternative IP address, if necessary.)
   Select "SecurePlatform", not "SecurePlatform PRO".
   Select port 4434 for the UTM-1 WebUI.
7. When installation completes, remove the DVD from the drive or disconnect the USB key, and reboot.



There are several options available according to this link:


https://supportcenter.checkpoint.com/supportcenter/portal?action=portlets.SearchResultMainAction&eventSubmit_doGoviewsolutiondetails=&solutionid=sk36923

Solution

Important:

This SecureKnowledge solution applies to UTM-1 xx50 and xx70 series appliances.

You can only perform the procedure described in this SecureKnowledge solution for the R65 MSS image. This procedure does not apply to, and does not work for, the R70 UTM-1 image.

The only way to take a xx50 series appliance to R70 is via the R70 for SecurePlatform upgrade package, to be upgraded via the WebUI.

For xx70 series appliance, you can also see sk35362: Partial or incomplete boot menu on UTM-1/Power-1 appliance for UTM-1 and Power-1 appliances.

If you want to restore your UTM-1 appliance to Factory Default (RFD) using a clean ISO (not the one already installed on the machine) there are several methods that can be used.

Refer to sk33876: Installing UTM-1 NGX R65 with Messaging Security for instructions on how to restore your UTM-1 appliance to Factory Default using a USB key. (However, not all USB keys can be made bootable (depends on vendor).)

You can use the following procedure to restore your UTM-1 appliance to Factory Default using a CD.

Download the image from the Download Center, e.g. the NGX R65 with Messaging Security ISO package, UTM-1 NGX R65 with Messaging Security CD ISO Image for the UTM-1 Appliance and burn the ISO to a CD.

Boot the machine from an external CDROM (USB-CDROM). The machine will now boot from the CD, using the new ISO as its image.


Notes:

Do not use an image not supported by UTM-1 (for example, NGX R60).

schynam
2012-07-24, 18:10
This seems to work and may be easier than using the CentOS live CD for anyone who does not care to reinstall the UTM-1.