This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
RickHoppe
Advisor
‎2018-06-14 02:20 PM

How to recover Gaia Admin password on VMware

Today we ran into a situation we needed to recover the Gaia Admin password of a Logserver which was hosted on VMware. Therefore we could not use the procedure to create a EmergenDisk USB flash drive from sk92663. Problem is that we cannot boot from USB when using a VMware guest. We’ve also ignored sk106490 as this was not a Security Gateway.

We’ve used Google to find some answers on this particular subject. We found a few possible answers (here and here) with instructions that did not completely work on a lab machine (running on R80.10). Furthermore we liked the idea by fixing this nicely in the Gaia configuration database instead of manually editing OS files like /etc/passwd or /etc/shadow files.

So we used the best of aforementioned sites and successfully reset the admin password with this procedure on R80.10:

  1. Configure the Check Point VM to use a recent Ubuntu Desktop ISO and boot from CD-ROM. Select Try Ubuntu so you will have a Live environment without installing Ubuntu.
  2. Open the Terminal application.
  3. Enter the following command: sudo su –
  4. Create a mounting point: mkdir /mnt/cp
  5. Mount the Gaia filesystem: mount /dev/mapper/vg_splat-lv_current /mnt/cp
  6. Change the root directory to the Gaia root: chroot /mnt/cp
  7. Backup the current Gaia configuration database: cp /config/db/initial_db /config/db/initial_db_backup
  8. Connect to the Gaia configuration database: sqlite3 /config/db/initial_db
  9. Query the database using SQLite to locate the current admin password. The last line is the current password hash:

    SELECT * from revisions WHERE binding=”passwd:admin:passwd”;

  10. Update the database using SQLite to change the password to ‘admin’. Replace the text old-pw-hash below with the last hash from step 9:

    UPDATE revisions SET value=”$1$zIVyrIdj$1LBW7Pg6XOcXYIgFPTppY.” WHERE binding=”passwd:admin:passwd” AND VALUE=’old-pw-hash‘;

  11. Exit SQLite by entering the following command: .exit
  12. Exit chroot and go back to Ubuntu: exit
  13. Unmount the Gaia filesystem: umount /mnt/cp
  14. Reboot the Check Point VM by entering: reboot
  15. Login to the console, SSH or Gaia Portal using user admin and password admin.
  16. When in CLISH or Gaia Portal don’t forget to change the password for user admin (and document it!)

Thanks to the original authors from which this instruction is combined from.

Also posted to my blog: How to recover Gaia Admin password on VMware – checkpointengineer 

My blog: https://checkpoint.engineer
(2)
14 Replies
Maarten_Sjouw
Champion
Champion
‎2018-06-14 02:29 PM

if the system has a valid SIC, there is another easy way to do this from the management server. see SK106490 this method does not only work for the password but in principle you can run any command on the gateway from an expert level.

Regards, Maarten
RickHoppe
Advisor
‎2018-06-14 02:47 PM

sk106490 is stating that this is for resetting the password on a Security Gateway from a Management server. In this case it was a Logserver instead of a Security Gateway. Not sure if it works as the article does not apply for this case.


My blog: https://checkpoint.engineer
0 Kudos
Kaspars_Zibarts
Employee Employee
Employee
‎2018-06-14 11:01 PM

Hi Rick. It does as long as SIC is established it will work Smiley Happy

0 Kudos
RickHoppe
Advisor
‎2018-06-14 11:47 PM

That SK will save some time when we have a SIC. SK should also be updated that it also applies to connected management servers. This Howto can now be used when you have no SIC .


My blog: https://checkpoint.engineer
0 Kudos
Maarten_Sjouw
Champion
Champion
‎2018-06-15 04:34 AM

Oh, this SK should be updated anyway, indeed as long as SIC is available you should be able to send commands this way, this even works fine for sending commands to the pesky embedded boxes.

But certainly when you do not have SIC this will be easier sometimes than re-imaging the VW.

Regards, Maarten
f5de199a-8ab8-4
Explorer
‎2018-10-31 05:07 AM

This method works. I performed it on two checkpoint VMs running r80.M20 using Ubuntu extended support release (18.04.1 L)

RickHoppe
Advisor
‎2018-10-31 06:28 AM

Great to hear the article helped you.

My blog: https://checkpoint.engineer
Daniel_Lopez
Explorer
‎2019-02-19 01:09 PM

Hi Rick just a quick question I tried it , but it didnt worked I think my issue is on step 10 the first hash here:

UPDATE revisions SET value=”$1$zIVyrIdj$1LBW7Pg6XOcXYIgFPTppY.” WHERE binding=”passwd:admin:passwd” AND VALUE=’old-pw-hash‘;

 

Should be exactly the same? also the old-pw-hash is the last one right cause I got 3 of them while doing the querry.

Thanks!!

RickHoppe
Advisor
‎2019-02-20 02:35 AM

Hi Daniel,

Yes, the first hash value in the UPDATE statement should be exactly the same. You only need to replace old-pw-hash with the last one you see in step 9. According to my information you should see all previous password hashes too and the last one is the current one which would normally also be visible in /etc/shadow.

Since you performed step 10....when you now perform step 9 again, do you see the same hash ($1$zIVyrIdj$1LBW7Pg6XOcXYIgFPTppY.) from step 10 listed as last in the output of the query?

My blog: https://checkpoint.engineer
0 Kudos
Daniel_Lopez
Explorer
‎2019-02-20 07:08 AM

Hi Rick,

Thanks for your help it does change an im able to see the hash thats stated there on the update statement, but when I type in admin , admin it does not work. On old-pw-hash I used the last of the 3 displayed hashs.

I know it does the change cause im able to see it, but unfortunately the login still does not work. That /etc/shadow displays the current password?

thanks for your help.

regards,

Daniel 

Sarm_Chanatip
Collaborator
‎2019-03-24 03:01 AM

Hi Rick

 

What Ubuntu Desktop ISO version Did you perform?

 

Thank you

Sarm

0 Kudos
Sarm_Chanatip
Collaborator
‎2019-03-25 12:25 AM

Hi Rick

 

I'm getting stuck at step 1, in regards to Configure the Check Point VM to use a recent Ubuntu Desktop ISO and boot from CD-ROM. Select Try Ubuntu so you will have a Live environment without installing Ubuntu. 

At this point, should I change from Check Point ISO to Ubuntu Desktop ISO, or just create a new CD/DVD drive and add Ubuntu ISO to it?

password.jpg

0 Kudos
Christopher__C2
Employee
Employee
‎2019-07-24 05:33 PM
In response to Sarm_Chanatip

I've done this successfully using using CentOS minimal install ISO instead of Ubuntu (cause that's what was readily available).
The repair option on CentOS automatically found and mounted the partition for me, but I had to use chroot due to a SQlite error locating a library file.
And, instead of using some other password hash, I set it blank. There's a risk leaving the admin account with no password, but changing it immediate after it reboots makes that pretty minimal. (and using the VMware console, I couldn't paste!!!)


[Expert@fwmgmt:0]# sqlite3 initial_db
SQLite version 3.7.14
Enter ".help" for instructions
Enter SQL statements terminated with a ";"
sqlite> SELECT * from revisions WHERE binding="passwd:admin:passwd";
passwd:admin:passwd|0|||||2019-05-14 14:37:14|1
passwd:admin:passwd|1|**PASSWORD**HASH**||||2019-05-14 14:37:14|0
sqlite> UPDATE revisions SET value="" WHERE binding="passwd:admin:passwd" AND VALUE='**PASSWORD**HASH**';
sqlite> SELECT * from revisions WHERE binding="passwd:admin:passwd";
passwd:admin:passwd|0|||||2019-05-14 14:37:14|1
passwd:admin:passwd|1|||||2019-05-14 14:37:14|0
DoubleSleep
Explorer
‎2023-03-02 01:26 AM
In response to Sarm_Chanatip

I was also wondering how to enter the ubuntu live environment. Any advice?

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events