Friday, August 9, 2013

Resetting CheckPoint Firewall Smart-1 admin password


Good day!!!

Today I faced a new problem: an admin password for a Checkpoint Firewall appliance. The problem is that the factory default password does not work at all. OK!

Description

A request came from the Network team asking for support in recovering the admin password to log in to the Checkpoint Firewall Smart-1, because the factory default doesn't work. They ran the factory default procedure to reset the password, but some errors occurred every time they tried.

Assumptions

The appliance's model is something like IP128x, Operating System IPSO-6.2-GA039-04.14.2010-225515-1, Application R75/R71, BIOS Version V2.15.13, rack mountable.

Problem definition

Every time they ran the procedure to reset the password (go to bootmgr, run /etc/overpw, bla bla bla...), it gave the same errors, like:

fcks ....
...
/dev/ad0s4f: NO WRITE ACCESS
/dev/ad0s4f: UNEXPECTED INCONSISTENCY; RUN fsck MANUALLY.
mount_v9fs: not found
mkdir: /var/tmp2: Read-only file system
/etc/overpw: cannot create /tmp/forget.XX: No such file or directory
/etc/overpw: cannot create /tmp/forget.XX: No such file or directory
mv: /tmp/forget.XX: No such file or directory

    Admin password changed.  You may enter ^D to continue booting.  
    THIS IS A TEMPORARY PASSWORD CHANGE.
    PLEASE USE VOYAGER TO CREATE A PERMENANT PASSWORD FOR THE USER ADMIN.




After ^D it asks for login and password and gives the same answer, like incorrect password, from which I conclude that it does not accept the new password at all.

Solution (workaround)

One thing I realize is that we can make our own very cheap firewall running any Unix flavour and customize it as we want. Looking inside the appliance, I figured out that it's running FreeBSD. I mean /etc/overpw has a bug. Let's do it:

  • Boot into single-user mode (follow the FreeBSD or Checkpoint Firewall factory procedure)
  • Unmount the file systems: # umount -af
  • Mount the file systems again with the read-write flag: # mount -afw -t ufs
  • Test for write access with # fsck. You will notice that only the root partition is not writable, but /config and /preserve are:
# fsck
** /dev/ad0s4f (NO WRITE)
** Last Mounted on /
** Root file system
** Phase 1 - Check Blocks and Sizes
** Phase 2 - Check Pathnames
** Phase 3 - Check Connectivity
** Phase 4 - Check Reference Counts
** Phase 5 - Check Cyl groups
1762 files, 39170 used, 199233 free (29 frags, 49801 blocks, 0.0% fragmentation)
** /dev/ad0s4a
** Last Mounted on /config
** Phase 1 - Check Blocks and Sizes
** Phase 2 - Check Pathnames
** Phase 3 - Check Connectivity
** Phase 4 - Check Reference Counts
** Phase 5 - Check Cyl groups
6 files, 45 used, 15990 free (10 frags, 3995 blocks, 0.1% fragmentation)
** /dev/ad0s4h 
** Last Mounted on /preserve
** Phase 1 - Check Blocks and Sizes
** Phase 2 - Check Pathnames
** Phase 3 - Check Connectivity
** Phase 4 - Check Reference Counts
** Phase 5 - Check Cyl groups
2905 files, 397072 used, 198435 free (163 frags, 49568 blocks, 0.0% fragmentation)

  • Change to the /config directory, because it is the writable partition that we want and the right place to find the password file: # cd /config   Then follow the steps below to change the admin password.
  • Generate the encrypted password and store it in a variable called passwd, like: # passwd=`/bin/fpasswd -- 123456`
  • Resolve the password file (the file that /config/active points to) and store its path in a variable called originalconfig, like: # originalconfig=`readlink /config/active`
  • Now filter the line passwd:admin:passwd out of the original file into tmpfile, like: # grep -v "^passwd:admin:passwd" $originalconfig > tmpfile
  • Append the same line to the temporary file with the new password, using the following command: # echo "passwd:admin:passwd $passwd" >> tmpfile
  • Replace the original password file originalconfig with the new temporary file, which has the line with the new password, like: # mv tmpfile $originalconfig
  • At last, press Ctrl-D to reboot the FreeBSD

Fellows, be careful with the backticks (`) and the spaces when copy-pasting the commands. lol
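
The rewrite steps above as one shell function that does what /etc/overpw did not do when it printed "Admin password changed" after its writes had failed: it stops at the first failed write and reads the entry back from the final file. This is an added example, not from the original post; the function names, the .bak/.new suffixes and the sample data are assumptions, and the hash is passed in as an argument so the function can be tried away from the appliance.

```shell
# From the post: the key "passwd:admin:passwd", /bin/fpasswd, /config/active.
# Assumed for this example: function names, .bak/.new suffixes, sample data.
replace_admin_hash() {
    cfg=$1       # active config file, e.g. the output of: readlink /config/active
    newhash=$2   # hashed password, e.g. the output of: /bin/fpasswd -- <password>
    key="passwd:admin:passwd"
    tmp="$cfg.new"

    [ -f "$cfg" ] || { echo "config not found: $cfg" >&2; return 1; }
    case $newhash in
        ''|*[[:space:]]*) echo "empty or malformed hash" >&2; return 1 ;;
    esac

    # Rollback copy, plus a temp file with the same mode and owner. Both cp
    # calls fail on a read-only file system, before the config is touched.
    cp -p "$cfg" "$cfg.bak" || return 1
    cp -p "$cfg" "$tmp" || return 1

    # Every line except the old admin entry, then the new entry.
    # grep -v exits 1 when it prints nothing; only >1 is a real error.
    {
        grep -v "^$key" "$cfg" || [ $? -eq 1 ]
    } > "$tmp" || { rm -f "$tmp"; return 1; }
    printf '%s %s\n' "$key" "$newhash" >> "$tmp" || { rm -f "$tmp"; return 1; }

    mv "$tmp" "$cfg" || { rm -f "$tmp"; return 1; }

    # Read the entry back from the final file instead of trusting a message.
    [ "$(grep "^$key" "$cfg")" = "$key $newhash" ] || {
        echo "admin entry not updated in $cfg" >&2; return 1; }
    echo "admin entry updated; previous file kept as $cfg.bak"
}

# Dry run on a constructed config file in a temporary directory.
demo() {
    d=$(mktemp -d) || return 1
    printf 'example:key value\npasswd:admin:passwd OLDHASH\n' > "$d/initial"
    replace_admin_hash "$d/initial" 'NEWHASH' && cat "$d/initial"
    rc=$?
    rm -rf "$d"
    return $rc
}
```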


That's all, folks