Linux, FreeBSD, Juniper, Cisco / Network security articles and troubleshooting guides

Author: mandrei99
Post subject: How to recover a branch SRX root password \w protected console (insecure)  |  Posted: Tue Jan 27, 2015 6:37 pm


How to recover a branch SRX root password \w protected console (insecure)

Some SRX firewalls need to be deployed in insecure environments, which forces administrators to protect the console from being accessed by non-root users. This complicates things when the root password is lost and there is no way to log in to the box to overwrite it.

Trying to recover a lost root password in SRX when the console is protected against non-root access:


(Press SPACE at the second prompt, “Hit [Enter] to boot immediately, or space bar for command prompt.”)
Code:
Checking datalines... OK
Checking address lines... OK
Checking 512K memory for U-Boot... OK.
Running U-Boot CRC Test... OK.
Flash:  4 MB
USB:   scanning bus for devices... 3 USB Device(s) found
       scanning bus for storage devices... 1 Storage Device(s) found
Clearing DRAM....... done
BIST check passed.
Boot Media: nand-flash usb
Net:   pic init done (err = 0)octeth0
POST Passed
Press SPACE to abort autoboot in 1 seconds

Loading /boot/defaults/loader.conf
/kernel data=0xb03b68+0x1344a8 syms=[0x4+0x8a940+0x4+0xc8eb0]
Hit [Enter] to boot immediately, or space bar for command prompt.
Booting [/kernel] in 1 second...
loader> boot -s
Kernel entry at 0x801000e0 ...
init regular console
Primary ICache: Sets 64 Size 128 Asso 4
Primary DCache: Sets 1 Size 128 Asso 64


clean, 74552 free (32 frags, 9315 blocks, 0.0% fragmentation)
System watchdog timer disabled
Enter root password, or ^D to go multi-user
Password:

At this point, either the root password is remembered, or the device can boot in multi-user (normal) mode and continue its operations once the configuration is loaded.

How to recover Juniper SRX root password when the console is protected:


The procedure requires a bootable USB stick containing a Junos snapshot (created on a different device).
Creating an SRX bootable USB stick with a snapshot:
Code:
> request system snapshot media usb partition

Juniper uses U-Boot as its boot loader, so it needs to be configured to boot from USB.

To change uBoot boot settings, press SPACE at the first prompt:
Code:
Clearing DRAM....... done
BIST check passed.
Boot Media: nand-flash usb
Net:   pic init done (err = 0)octeth0
POST Passed
Press SPACE to abort autoboot in 1 seconds
=>
=> setenv boot.devlist usb
=> saveenv
Saving Environment to Flash...
Un-Protected 1 sectors
Erasing Flash...
. done
Erased 1 sectors
Writing to Flash... writing to flash...
done
Protected 1 sectors
=> reset

At this point, the firewall will reboot and automatically boot from the USB stick containing the bootable snapshot. Once it has booted up, the flash partition can be mounted and the root password can be changed.

Revert the boot sequence to flash again.
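
Because the console protection does not stop the boot loader from being interrupted, it is worth watching captured serial-console logs for the interventions shown in the transcripts above. The following is an added example, not part of the original post: a small Python scanner for such captures. The sample log is constructed from lines in the post; the assumptions are that the capture echoes typed commands after the `loader>` and `=>` prompts and that a `boot.devlist` value starting with `usb` means USB is tried first.

```python
import re

# Added example: patterns mirror the prompts and commands in the post's transcripts.
# Assumption: the capture echoes typed commands after the "loader>" and "=>" prompts.
RULES = [
    ("single_user_boot", re.compile(r"^loader>\s*boot\s+-s\b")),
    ("boot_devlist_changed", re.compile(r"^=>\s*setenv\s+boot\.devlist\s+(?P<value>.+)$")),
    ("uboot_env_saved", re.compile(r"^=>\s*saveenv\b")),
    ("uboot_reset", re.compile(r"^=>\s*reset\b")),
]

# Constructed sample, assembled from lines shown in the post.
SAMPLE_LOG = """\
POST Passed
Press SPACE to abort autoboot in 1 seconds
=>
=> setenv boot.devlist usb
=> saveenv
Saving Environment to Flash...
=> reset
"""

def scan_console_log(text):
    """Return (line_number, event, detail) for each boot-time intervention seen."""
    findings = []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        for event, pattern in RULES:
            match = pattern.match(line)
            if match:
                detail = (match.groupdict().get("value") or "").strip()
                findings.append((number, event, detail))
    return findings

def usb_boot_persisted(findings):
    """True when boot.devlist was set to start with usb and then saved to flash."""
    pending = False
    for _, event, detail in findings:
        if event == "boot_devlist_changed":
            pending = detail.startswith("usb")  # assumption: usb listed first
        elif event == "uboot_env_saved" and pending:
            return True
    return False

if __name__ == "__main__":
    hits = scan_console_log(SAMPLE_LOG)
    for number, event, detail in hits:
        print(f"line {number}: {event} {detail}".rstrip())
    print("ALERT: USB boot persisted" if usb_boot_persisted(hits) else "no persisted USB boot")
```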




