Linux, FreeBSD, Juniper, Cisco / Network security articles and troubleshooting guides


Topic review - How to recover a branch SRX root password \w protected console (insecure)
Post Posted: Tue Jan 27, 2015 6:37 pm
Some SRX firewalls need to be deployed in insecure environments, thus forcing administrators to protect the console from being accessed by non-root users. This complicates things when the root password is lost and there is no way to log in to the box to overwrite it.

Trying to recover a lost root password in SRX when the console is protected against non-root access:

(press space at the second prompt “Hit [Enter] to boot immediately, or space bar for command prompt.”)
Checking datalines... OK
Checking address lines... OK
Checking 512K memory for U-Boot... OK.
Running U-Boot CRC Test... OK.
Flash:  4 MB
USB:   scanning bus for devices... 3 USB Device(s) found
       scanning bus for storage devices... 1 Storage Device(s) found
Clearing DRAM....... done
BIST check passed.
Boot Media: nand-flash usb
Net:   pic init done (err = 0)octeth0
POST Passed
Press SPACE to abort autoboot in 1 seconds

Loading /boot/defaults/loader.conf
/kernel data=0xb03b68+0x1344a8 syms=[0x4+0x8a940+0x4+0xc8eb0]
Hit [Enter] to boot immediately, or space bar for command prompt.
Booting [/kernel] in 1 second...
loader> boot -s
Kernel entry at 0x801000e0 ...
init regular console
Primary ICache: Sets 64 Size 128 Asso 4
Primary DCache: Sets 1 Size 128 Asso 64

clean, 74552 free (32 frags, 9315 blocks, 0.0% fragmentation)
System watchdog timer disabled
Enter root password, or ^D to go multi-user
At this point, either the root password is remembered, or the device can boot in multi-user (normal) mode and continue its operations once the configuration is loaded.

How to recover Juniper SRX root password when the console is protected:

The procedure requires a bootable USB stick containing a Junos snapshot (created on a different device).
Creating an SRX bootable USB with a snapshot:
> request system snapshot media usb partition

Juniper uses U-Boot as the boot loader, so it needs to be configured to boot from USB.

To change U-Boot boot settings, press SPACE at the first prompt:
Clearing DRAM....... done
BIST check passed.
Boot Media: nand-flash usb
Net:   pic init done (err = 0)octeth0
POST Passed
Press SPACE to abort autoboot in 1 seconds
=> setenv boot.devlist usb
=> saveenv
Saving Environment to Flash...
Un-Protected 1 sectors
Erasing Flash...
. done
Erased 1 sectors
Writing to Flash... writing to flash...
Protected 1 sectors
=> reset

At this point, the firewall will reboot and automatically boot from the USB containing the bootable snapshot. Once it has booted, the flash partition can be mounted and the root password can be changed.

Revert the boot sequence to flash again.