Decrypting Cisco type-7 password

There are many ways to recover a Cisco Type-7 password. Type 7 is the reversible obfuscation applied by ‘service password-encryption’: a fixed-key XOR, not real encryption, so the plaintext can be recovered from the stored string alone, with no cracking involved. Look at the following encoded passwords.

It could be decoded using any of the following methods:

  1. Using Cisco IOS
  2. An online website
  3. A freeware program
  4. A Perl script

Continue reading “Decrypting Cisco type-7 password”
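For readers who would rather not paste a production hash into a website (method 2 above), here is the algorithm the IOS, online, freeware and Perl tools all implement. This is an added example, not code from the original post: the first two characters of a Type-7 string are a decimal offset into a fixed key, and every following pair of hex digits is one plaintext byte XORed with the key byte at (offset + position). The sample config and the function names are constructed for this example.

```python
"""Cisco Type-7 (service password-encryption) decode/encode.

Added example, not code from the original post.
"""
import re

# Fixed XOR key burned into IOS. The first 40 bytes are the classic key;
# the remaining 13 are the extension later images use for longer passwords.
_XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# Lines such as 'enable password 7 0822455D0A16', 'username x password 7 ...',
# 'tacacs-server key 7 ...', 'key-string 7 ...'. Constructed pattern for this example.
_TYPE7_LINE = re.compile(
    r".*\b(?:password|secret|key|key-string)\s+7\s+(?P<hash>[0-9A-Fa-f]+)\s*$"
)


def type7_decode(encoded: str) -> str:
    """Recover the plaintext from a Type-7 string such as '0822455D0A16'."""
    encoded = encoded.strip()
    if len(encoded) < 4 or len(encoded) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", encoded):
        raise ValueError(f"not a Type-7 string: {encoded!r}")
    seed = int(encoded[:2], 10)  # the offset is written in decimal, not hex
    if seed > 15:
        raise ValueError(f"Type-7 offset must be 00-15, got {seed:02d}")
    body = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ _XLAT[(seed + i) % len(_XLAT)] for i, b in enumerate(body))
    return plain.decode("ascii")


def type7_encode(plain: str, seed: int = 0) -> str:
    """Produce the Type-7 string IOS would store for 'plain' with a given offset.

    Useful for confirming a decode, or for recognising which offset a device
    used. Any seed from 0 to 15 yields a valid, equally weak, encoding.
    """
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 0-15")
    data = plain.encode("ascii")
    if seed + len(data) > len(_XLAT):
        raise ValueError("password too long for Type-7 key")
    return f"{seed:02d}" + "".join(f"{b ^ _XLAT[seed + i]:02X}" for i, b in enumerate(data))


def find_type7_secrets(config: str) -> list:
    """Scan an IOS-style config for '<keyword> 7 <hex>' lines and decode each.

    Returns a list of (line_number, original_line, plaintext) tuples. A malformed
    hash raises ValueError rather than being silently skipped.
    """
    found = []
    for n, line in enumerate(config.splitlines(), 1):
        m = _TYPE7_LINE.match(line)
        if m:
            found.append((n, line.strip(), type7_decode(m.group("hash"))))
    return found


# Constructed sample config for this example; not from the original post.
SAMPLE_CONFIG = """\
service password-encryption
enable password 7 0822455D0A16
username admin password 7 094F471A1A0A
tacacs-server key 7 0822455D0A16
enable secret 5 $1$abcd$0123456789abcdefghijk
"""

if __name__ == "__main__":
    for n, line, plain in find_type7_secrets(SAMPLE_CONFIG):
        print(f"line {n}: {line} -> {plain!r}")
```

The two different encodings of “cisco” in the sample show why Type 7 gives no protection beyond shoulder-surfing: the same password appears as 0822455D0A16 with offset 08 and 094F471A1A0A with offset 09, and both decode instantly. Anything that matters (enable, TACACS/RADIUS keys, SNMP) belongs in a Type-5/8/9 secret or on the AAA server, not in a Type-7 line.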


IE Just wont DIE!!!!!

Had a really annoying problem yesterday. Was busy setting up Role-Based TACACS access on Cisco ACS and happily configuring the NDGs (Network Device Groups), the Command Authorization Sets etc.

Started testing and kept on getting “% Authentication failed” on the CLI.
At first you assume you must have made a typo or forgotten to do something. Double-check the config and the ACS setup, and confirm the passwords are correct with no null spaces. But still no luck.

Continue reading “IE Just wont DIE!!!!!”

Cisco Autosecure

Cisco always attempts to make our lives easier, or at least sometimes.

When you set up your last CE router, did you make sure all the necessary security measures were in place? Is it protected against DoS attacks, stack or buffer overflows? Are you logging the right information in case someone tries to get into your network?

Cisco, quite some time ago, added a macro command, ‘auto secure’, that combines what they consider the necessary and recommended hardening features that should be enabled on every CE router.

There are two main parts of this command:

  • Securing the Forwarding Plane
  • Securing the Management Plane

Even though this command can make your life easier, you should understand each action it executes, or you might disable or break a function you need. Review the commands it applied afterwards with ‘show auto secure config’ and keep a copy of the pre-AutoSecure configuration so you can back out of any change that breaks something.

Continue reading “Cisco Autosecure”

FWSM IOS upgrade

If you need to upgrade the software image on an FWSM (Firewall Services Module; the post calls it IOS, although the FWSM runs its own PIX-derived image), you will soon find out that the upgrade works slightly differently from routers. You don’t have the option of using multiple ‘boot system’ commands, nor can you copy more than one image to the FWSM flash. So what about fallback, if you no longer have the old/current image? (And no, you can’t just tftp/ftp the current image off an FWSM while it is in use.) So now what?

A really neat yet fairly undocumented feature is how the FWSM allocates its flash memory. It is split into partitions, and the application partitions (cf:4 and cf:5) are the ones that matter here; see the previous post that listed the partition breakdown.

Application partition cf:4 is used by default, but cf:5 is not. Because cf:5 is a second partition the module can boot from, it lets you test a new image without touching the working one. If you boot from cf:5 instead of cf:4, you get a clean, empty ‘dir flash:’ to load the new image onto, while the working ‘dir flash:’ on cf:4 stays intact.

Just change the default boot partition to cf:5 from the switch, with
boot device module {MOD-NUMBER} cf:5

Then reload the module, load the ‘test’ image onto flash (which is now cf:5) and run whatever tests are necessary. Note that each application partition holds its own system configuration, so the first boot from cf:5 comes up with an empty config; copy the working configuration over (for example via TFTP) before you test anything that depends on it. Once you are happy, remove the above command, reload so the module boots from cf:4 again, and perform the real upgrade on the default partition.

FWSM – Reset passwords and AAA

Password recovery on a router is easy, and it is even easier to find the steps if you don’t know them.

What if you forget the login and enable passwords, or you create a lockout situation because of the AAA settings on an FWSM (Firewall Services Module) blade inside a Cisco 6500 or Cisco 7600?

You have two options.

  1. The Cisco way
  2. The Alternative way (as always)

The Cisco way is not hard but requires an understanding of the hardware. The FWSM has a 128-MB flash memory card that stores the operating system, configurations, and other data. The flash memory is divided into six partitions, referenced as ‘cf:n’.

  • Maintenance partition (cf:1) — Contains the maintenance software.
  • Network configuration partition (cf:2) — Contains the network configuration of the maintenance software.
  • Crash dump partition (cf:3) — Stores the crash dump information.
  • Application partitions (cf:4 and cf:5)—Store the application software image, system configuration, and ASDM. By default, the FWSM boots from cf:4 and that is where images are installed; cf:5 can be used as a test/backup partition. The contents of the active application partition (cf:4 by default) are shown with the command ‘dir flash:’.
  • Security context partition (cf:6)—64 MB are dedicated to this partition, which stores security context configurations (if desired) and RSA keys in a navigable file system. Its contents are shown with the command ‘dir disk:’.

Continue reading “FWSM – Reset passwords and AAA”

Fortigate Limitation

I discovered a really annoying limitation of the Fortigate firewalls today. And although this limitation won’t be encountered on a daily basis, I know this is not an unusual setup, and on top of that I know that the Cisco PIX firewall supports it, as I have done this before.

Suppose the following scenario:

(diagram: fortilimit)

Suppose traffic from the Big Bad Internet is destined for company BOB’s application server at 170.1.1.1:8081.

On the Fortigate you create a port-forwarding NAT (a VIP) to the server’s internal address of 192.168.102.1.

Continue reading “Fortigate Limitation”

Fortigate tcp dump

To see a tcpdump-style capture of traffic flowing through a Fortigate, use the ‘diagnose sniffer packet’ command from the CLI. The command syntax:

diagnose sniffer packet {interface | any} ‘net z.z.z.z/p and/or host x.x.x.x and/or port yyy’ [verbose level] [count]

The filter in quotes uses tcpdump/BPF-style syntax.

You can narrow the capture by filtering on any of the following:

net/prefix : match a whole netblock
host       : match a single host (as source or destination)
port       : match a specific port number
and/or/not : combine or negate expressions

The verbose level after the filter selects how much of each packet is printed:
1: print header of packets
2: print header and data from ip of packets
3: print header and data from ethernet of packets (if available)
4: print header of packets with interface name
5: print header and data from ip of packets with interface name
6: print header and data from ethernet of packets (if available) with intf name

Level ‘4’ is particularly useful, in that it shows the interface each packet was seen on, so you can tell which direction the traffic is taking through the box. An optional packet count after the verbose level stops the capture automatically, which is worth setting on a busy firewall.

Examples:

diagnose sniffer packet any ‘net 10.0.0.0/8 and host 172.16.16.14 and port 3389’

diagnose sniffer packet any ‘host 10.4.131.97 and host 172.16.16.14 and port 3389’ 4

The second example shows RDP traffic between the two hosts in both directions, tagged with the ingress/egress interface name, which is usually enough to tell a policy or routing problem from a NAT problem.

Fortigate Commands

I configure/support Fortigate firewalls on a daily basis: the baby 60DSLs, the 200As, but mostly the big 3016Bs.

Although I use the Fortimanager front end extensively for revision history, I still prefer, and often do, work from the command line, so I thought I’d share the commands I use most often.

Monitoring commands:

show

  • Show global or vdom config

sh system interface

  • Equivalent to show run interface

diagnose hardware deviceinfo nic <interface>

  • Equivalent to show interface (link state, speed, counters and MAC for one NIC)

get system status

  • show version information

sh firewall policy 6

  • Show firewall rule number 6

sh router policy

  • Show Policy Routing rules

diagnose system session list

  • Show the session table, i.e. the existing sessions and their NAT translations (the PIX ‘xlate’ equivalent)

diagnose system session clear

  • Clears all sessions/translations (every active connection through the box is dropped, so use with care)

diagnose ip arp list

  • Shows the ARP table of connected hosts

get router info routing-table all

  • Equivalent to ‘show ip route’

diagnose system top

  • Show the running system processes with their PIDs

diagnose system kill 9 <pid>

  • Kill the specific PID (signal 9, i.e. SIGKILL)

diagnose test authserver ldap <server_name> <username> <password>

  • LDAP test query from the Forti to AD, to confirm the bind account, base DN and user lookup work before putting the server in a user group (‘diag test auth ldap’ is the abbreviated form)

Find Pix VPN password

OK, so an interesting problem I came across today: I needed to confirm what the pre-shared key for an IPsec tunnel on a PIX was, without changing it. The dilemma was that it shows as ********, not very useful!?

–snip–
crypto map IPSEC interface outside
isakmp enable outside
isakmp key ******** address 10.11.12.13 netmask 255.255.255.255 no-xauth
isakmp policy 100 authentication pre-share
–snip–

To find the key, do the following.

Set up a TFTP server and create the file the PIX config will be written to. Make sure the file exists and is writable by the TFTP daemon (most TFTP servers refuse to create new files), and confirm beforehand that the PIX can reach the TFTP server.

Then from the pix:

PIX 6.3(5) syntax

tftp-server [<if_name>] <ip> <directory>
write net [<tftp_ip>]:<filename>

Example:

(config)# tftp-server outside 196.23.0.9 /
(config)# write net 196.1.1.1:myfw
Building configuration…
TFTP write ‘//myfw’ at 196.1.1.1 on interface 0
[OK]

The file containing the config (“myfw”) lists the key in plain text, because the PIX only masks it on ‘show’ output; the stored configuration still carries the secret.

–snip–
crypto map IPSEC interface outside
isakmp enable outside
isakmp key qweRTY!@# address 10.11.12.13 netmask 255.255.255.255 no-xauth
isakmp policy 100 authentication pre-share
–snip–

Two caveats. TFTP is cleartext, so the whole configuration, including every pre-shared key and password in it, crosses the wire unprotected: do this over a trusted network and delete the file from the TFTP server when you are done. And on PIX 7.x and ASA the same result is available locally, without TFTP, with ‘more system:running-config’, which prints the running configuration with the keys unmasked.