CCNA

11/01/2015

Cisco PIX-515 PIX-515E Unrestricted (UR) License Keygen Algorithm

By dch1 in Just Notes, Life No Comments Tags: ASA, CCNA, Cisco, PIX

=====WARNING: This article is for Academic purposes ONLY and not with intention to make profits or resell.=====

As an engineer myself, I am always curious about how the things work. I could even remember when I was in high school, I used my pocket money to buy a book titled Applied Cryptography, of course it is a Chinese version. I was amazed by the encryption algorithm, such as MD5, RSA, SHA, etc. I bought a DLL plug-in to make my home-brewed software have registration functionality. (I should have studied IT security, shouldn’t I?)

Time flies, I choose Mechanical Engineering to be my major in University but it did not change my ambitious as well as my field of interest. I remembered the first few days I bought my Arduino kit, I was trying to dig some interesting protocols for encryptions using that microcontroller. Well, it’s a 8-bit MCU so it is not likely possible to implement strong algorithms like RSA and MD5. I found someone making CRC32 and SHA on that platform but it will take a few seconds to get the work done.

Anyway, I am talking too much about the past so let’s get into this topic.

Just a couple of days ago, I was given 3 Cisco PIX-515E firewall with Unrestricted (UR) License. To be honest, I had really no idea with these firewalls and only know about the Cisco ISR series during that time (Yes, I am studying CCNA at the moment and the PIX firewalls are unwanted free gift from one eBay seller.). Soon after, I found the ASA could be a very useful equipment in networking as they are capable of doing not only the fire fighters job, but also be NAT/PAT tasks.

I watched a youtube video and the instructor tried to use valid Serial Number and Activation Keys to activate the “virtual” PIX-515E in GNS3 software. As a result, I was getting much more interested in the activation key algorithms than ever! I had a brief look on the eBay.com.au, there were couple of sellers who were selling UR Licenses at a premium price and it looked like a must have (handy) bundle for CCNP students.

I was accidentally got an article on one Russia website, and one of the ‘hacker’ revealed the software algorithm for the UR license key so I would like to write an English version to make it clearer.

======Please ignore above paragraphs if you are above the CCNA level :-).======

I need to grab a working SN and Key to verify the process is all working. So I grabbed a victim on eBay:

Licensed features for this platform:
Maximum Physical Interfaces : 6
Maximum VLANs : 25
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Cut-through Proxy : Enabled
Guards : Enabled
URL Filtering : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : Unlimited
This platform has an Unrestricted (UR) license.
Serial Number: 809112952
Running Activation Key: 0x4b7c1873 0x54ce958f 0x7b74b95e 0x569def49

Firstly, we need to convert the Serial Number from DEC to HEX. Just use the calculator to conduct the conversion.

DEC(809112952)=HEX(0x 30 3A 15 78)

Secondly, we need to make the inversion of the digits.

30 3A 15 78 => 78 15 3A 30 => 78153A30

Refer to the original discussion, we need to put inverted value of the license type mark (AES+DES+UR = 0x00000039) to the beginning of the SN we have just converted.

“39000000” + “78153A30” = 3900000078153A30

Then we needs a MD5 conversion using a perl syntax:

If you are running or having a Mac or Linux based O/S, just using the following command:

perl -e ‘use Digest::MD5 qw(md5_hex); print md5_hex(pack(“H*”, “390000006C394E30“))’

If you cannot have access to the Linux or Unix based PC, you can use online compiler, such as: http://www.tutorialspoint.com/execute_perl_online.php. You need to remember that the command will be slightly different:

qw(md5_hex); print md5_hex(pack(“H*”, “390000006C394E30“))

You will get the following result:

73187c4b 8f95ce54 5eb9747b 49ef9d56

Last step, we need to separate the result to 4 groups (shown above), and make the inversion AGAIN to get the final result! You’ll get the same result with our victim’s answer:

0x4b7c1873 0x54ce958f 0x7b74b95e 0x569def49

Not that bad!

04/10/2014

Cisco C3550 C2950 Firmware / IOS Update and System Recovery

By dch1 in Life No Comments Tags: CCNA, Cisco

This is the first experiment since I received the Cisco switch. No much pre-requested knowledge is necessary so I just use the tftp server / client and putty software (Hyper-terminal from Windows is fine) to conduct the upgrading processes.

I know and understand that there is a guide on Cisco website but some of the command are not working due to the typos. I’ll write one myself.

This is a guide mainly for C3550 but it’s a similar procedure on C2950-EMI switch. The only difference is the IP settings.

1. Check the and backup the system image.

The red font displays the image that system currently in-use (It’s a SMI version of switch but with EMI installed).

Switch>en
Switch#sh version
Cisco IOS Software, C3550 Software (C3550-IPSERVICESK9-M), Version 12.2(25)SEE3, RELEASE SOFTWARE (fc2)
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Thu 22-Feb-07 15:35 by myl
Image text-base: 0x00003000, data-base: 0x00DC116C

ROM: Bootstrap program is C3550 boot loader

Switch uptime is 1 minute
System returned to ROM by power-on
System image file is “flash:c3550-ipservicesk9-mz.122-25.SEE3/c3550-ipservicesk9-mz.122-25.SEE3.bin”

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
[email protected].

Cisco WS-C3550-48 (PowerPC) processor (revision G0) with 65526K/8192K bytes of memory.
Processor board ID CAT0*******
Last reset from warm-resetSE
Running Layer2/3 Switching Image

Ethernet-controller 1 has 12 Fast Ethernet/IEEE 802.3 interfaces
Ethernet-controller 2 has 12 Fast Ethernet/IEEE 802.3 interfaces
Ethernet-controller 3 has 12 Fast Ethernet/IEEE 802.3 interfaces
Ethernet-controller 4 has 12 Fast Ethernet/IEEE 802.3 interfaces
Ethernet-controller 5 has 1 Gigabit Ethernet/IEEE 802.3 interface
Ethernet-controller 6 has 1 Gigabit Ethernet/IEEE 802.3 interface

48 FastEthernet interfaces
2 Gigabit Ethernet interfaces

The password-recovery mechanism is enabled.
384K bytes of flash-simulated NVRAM.
Base ethernet MAC Address: 00:0B:5F:**:**:**
Motherboard assembly number: 73-5701-07
Power supply part number: 34-0967-01
Motherboard serial number: CAT0*******
Power supply serial number: DCA0*******
Model revision number: G0
Motherboard revision number: A0
Model number: WS-C3550-48-SMI
System serial number: CAT0*******
Configuration register is 0x10F

We need a basic IP settings to make a connection between PC and the switch. The basic IP settings can be referred to the Cisco official webpage: http://www.cisco.com/c/en/us/support/docs/switches/catalyst-3550-series-switches/41541-190.html

We need to change TCP/IP V4 settings on the PC with the subnet 255.255.2550.0 with the IP address: 20.20.20.2.

switch# configure terminal
switch(config)# interface vlan 1

!— A Fast Ethernet interface is in VLAN 1.

switch(config-if)# ip address 10.10.10.1 255.255.255.0 <-Cisco website missing a “.0” (typo)
switch(config-if)# no shut
switch(config-if)# exit
switch(config)# ip route 0.0.0.0 0.0.0.0 10.10.10.129

!— Issue this command as one way to establish
!— connectivity to a TFTP server on a different subnet or network.

switch(config)# end
switch#
switch# ping 20.20.20.2

!— Ping the IP address of the TFTP server
!— from the switch to verify connectivity.

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.20.20.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/202/1000 ms

If we get the 100% success rate. We can run the tftp software and turn off the firewall settings, it will be a trouble maker. We can use the command line below to backup the original firmware:

archive tar /create tftp://20.20.20.2/c3550-ipservicesk9-mz.122-25.SEE3.tar flash:/c3550-ipservicesk9-mz.122-25.SEE3

Connection received from 10.10.10.1 on port 54669 [29/09 14:57:54.725]
Write request for file <c3550-ipservicesk9-mz.122-25.SEE3.tar>. Mode octet [29/09 14:57:54.725]
Using local port 59555 [29/09 14:57:54.726]
<c3550-ipservicesk9-mz.122-25.SEE3.tar>: rcvd 17645 blks, 9033728 bytes in 52 s. 0 blk resent [29/09 14:58:46.005]

If everything seems to be OK, it’s the time to have a FRESH INSTALL of the new firmware.

erase flash

========== System Recovery Process (optional reading) ==========

It is necessary to be patient as the system becomes unresponsive when the flash block is erasing. Mine just got stuck and I mistaken power-cycled the machine, which makes the system non-bootable.

Base ethernet MAC Address: 00:0b:**:**:**:**
Xmodem file system is available.
The password-recovery mechanism is enabled.
Initializing Flash…
flashfs[0]: 2 files, 3 directories
flashfs[0]: 0 orphaned files, 0 orphaned directories
flashfs[0]: Total bytes: 15998976
flashfs[0]: Bytes used: 76800
flashfs[0]: Bytes available: 15922176
flashfs[0]: flashfs fsck took 15 seconds.
…done Initializing Flash.
Boot Sector Filesystem (bs:) installed, fsid: 3
Loading “”…: permission denied

Error loading “”

Interrupt within 5 seconds to abort boot process.
Boot process failed…

The system is unable to boot automatically. The BOOT
environment variable needs to be set to a bootable
image.

The file system has been corrupted as I power-cycled the machine during the erase flash operation.

We need a Hyper-Terminal software, which is included in most of older version of Windows so I used 9600, N, 8, 1 settings to connect the switch, and issue two commands:

flash_init
load_helper

I cannot even use dir flash command, but it doesn’t matter.

We need to set baud rate to as high as possible to save the transferring time. It’s not a big deal for me as I’ve learnt a lot during programming work. ( 9600<19200<38400<57600<115200 )

Mine used 57600 as this is the highest baud rate possible on my machine. The 115200 create a lot of IO error and the transferring could not be completed.I used the latest version of EMI image instead.

set BAUD 57600

copy xmodem: flash:c3550-ipservicesk9-mz.122-44.SE6.bin

Since we issue the Xmodem transferring command so we must use “transfer->Send File” command to send the proper bin file. (Please just ignore the Chinese characters in the image below)

File “xmodem:” successfully copied to “flash:c3550-ipservicesk9-mz.122-44.SE6.bin”

We can boot from this file directly after we received the red font message.

boot flash:c3550-ipservicesk9-mz.122-44.SE6.bin

The booting message is shown below:

Boot Sector Filesystem (bs:) installed, fsid: 3
Loading “flash:c3550-ipservicesk9-mz.122-44.SE6.bin”…#…#

File “flash:c3550-ipservicesk9-mz.122-44.SE6.bin” uncompressed and installed, entry point: 0x3000
executing…

So we can back to the upgrading processes. This is because I prefer the complete image (the file ending with tar) so I need to erase the flash again and upload the complete image.

====================

Issue the following command:

archive download-sw /overwrite tftp://20.20.20.2/
YOUR-FILE-NAME.tar

Wait until the process is finished.

switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
switch(config)# boot system flash:c3550-ipservicesk9-mz.122-44.SE6/c3550-ipservicesk9-mz.122-44.SE6.bin

!— Note: This command should be on one line.
!— You use the directory/file name to set the boot system statement.

switch(config)# end
switch# write memory

Building configuration…
[OK]
switch# reload
Proceed with reload? [confirm]

And, you are done, congratulations!

Last but by no means least, I issued a system reset after I have done all of these stuff.

erase startup-config

========== C2950 IP Settings (optional reading) ==========

Referred to the Cisco Website, the terminal configurations on C2950 is slightly different.

I also used the IP address 10.10.10.100 on PC because the 20.20.20.2 was not working (ping got timed out on mine switch)

2950#conf t
2950(config)#int vlan 1

!— This example uses a FastEthernet interface in management VLAN 1.

2950(config-if)#ip address 10.10.10.1 255.255.255.0

!— This IP address must ideally be in the same subnet as the
!— TFTP server. In this example, the 2950 and the TFTP server
!— are on different subnets.

2950(config-if)#no shut
2950(config-if)#exit
2950(config)#ip default-gateway 10.10.10.129

!— Issue this command as one way to establish connectivity
!— to a TFTP server on a different subnet or network.

2950(config)#end
2950#
2950#ping 10.10.10.100

!— Ping the IP address of the TFTP server from the switch
!— to verify connectivity.

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms

====================

26/09/2014

Cisco WS-C2950G-48-EI

By dch1 in Just Notes, Life No Comments Tags: CCNA, Cisco, ICND1, ICND2

Once upon a time, this is a very start story of a CCNA exam preparation. Too early to tell them all but I am keen to take it apart – the ultimate destroyer would agree with me.

I do love Electronic Engineering, given that I had involved in quite a few of programming and Mechatronic projects. I am planning to study CCNA with attending ICND 1 and ICND 2 exams, which are the requirements to be qualified as an IT Engineer so I grabbed this Cisco switch.

Overall, C2950G gets a impressive built quality as well as the price. I wish I could get C3550 which is a L3 switch. Unfortunately, the seller on eBay informed me they were oversold the product but let me ‘upgrade’ to a lower level of the model for free(Yes, C2950 is not as good as 3550 but this one comes with more expensive EI version, stands for Enhanced Image) and I wanna give it a go.

I have got this switch for couple of days but I was quite busy so I made a decision to write this report on Saturday.

Now let’s have a look at the Cisco C2950 Switch with Enhanced Image firmware.

The C2950 is not as big as the 2821 router, with only half size of the router.

If we remove the screw on the back side and the rack, we can easily remove the top panel.

There are 2 large Broadcom chip with a Cisco logo on it. I cannot find much of the information (only says “24-PORT GBE SWITCH WITH 4-PORT GBE/2.5GBE HGL PORTS” on a few of websites) on the Internet so it most likely the special model manufactured for Cisco, and it is called BCM5628. I used a USB port to make a comparison with its size.

The PSU looks fairly simple but it must be reliable and durable. All of the capacitors were built in a very good quality. There is only one fan, kind of turbo fan, for the system and it’s powerful and noisy (especially during the few seconds on boot).

The model number of the RAM is K4S643232F-TC60. It is a 512K x 32bit x 4 Banks Synchronous DRAM LVTTL with the maximum frequency of 166MHz. It’s out of fashion these days but this switch could be dated back to 2003. It’s still useful for CCNA students, just like me 🙂

To my surprise, this switch uses a MAX3232 chip, the variation model of classical MAX232 (widely used for TTL to RS232 circuits, and I am very familiar with it. I could even find some ultrasonic distance sensing modules using MAX232 as a boost voltage source @~10V). It could be operated under 3.3V for a 3232 chip from my own experiences. My console cables have been arrived as well in another mail.

The last screenshot is about the console interface, and I am using putty with the COM1 port on the motherboard. I am planning to make a Raspberry Pi based Access Server by using USB to RS232 cable for remote access.

16/09/2014

Cisco 2821 and CCNA

By dch1 in Just Notes, Life No Comments Tags: CCNA, Cisco, ICND1, ICND2

It’s a remarkable day as the Cisco 2821 has been delivered in full today by TNT Australia. I am sure I would get more challenges in CCNA exam preparation. I’ve bought a complete course from Udemy and CCNA here I come!

I was quite familiar with the basic knowledge of networking equipment and CCNA preparation is a great chance for me to enrich my knowledge in IT.

======Quick Overview about the Router======

The Cisco 2821 is larger than I expected. It weights around 8KG at most. When I opened the case, there was a large green motherboard PCB and it looks like a powerful PC 🙂

The router I bought comes with a AIM-VPN/EPII-PLUS module, which supports high-speed encryptions and decryptions with VPN connections. Indeed, it is supposed that the DES and 3DES encryptions are embedded on board but I had no idea about the improvement of the performance.

2 Gigabyte NIC installed on board, the controller chips are manufactured by Broadcom. Well, I am at beginner level, is the 2 NIC enough for daily use?

The system is pre-configured with v15.1 of the IOS system which is stored on 256MB CF Card. It comes with 512MB memory.

The booting up is VERY noisy but it is getting silent after the system is fully booted up. I am also after a 2950 Switch from Ebay and it’s still OTW. I will post more photos if it is necessary 🙂

The Udemy Course: