the_rock
Legend
Legend

Recovering lost admin shell password for management server

Hey guys,

Wondering if someone may have an idea how to fix this, if it's possible at all. This is the situation... the customer we manage sadly could not log into the web UI or ssh into their mgmt server, and when we tried our own account, it was not working either. I sure hope it's someone on their end that did this and possibly forgot to tell the IT manager, but the saving grace is that at least smart console access works fine.

I suppose below can be done, but trying to see if there is more simple (or less painful) way:

https://community.checkpoint.com/t5/Management/How-to-recovery-lost-admin-password/td-p/54311

My colleague and I tried some lab tests, such as create a script to set new user, but that failed as well to log in. We even copied the hash we found in /etc/shadow file, but no joy.

Any way to recover this password? And keep in mind, it's NOT the expert password, it's the shell one that does not work for any of the accounts, either for ssh or web UI.

I know they will be "retiring" this server in about a month, but just to be on the safe side, I would still like to see if there is any way to recover this.

Tx as always for the help!

Andy

0 Kudos

35 Replies
G_W_Albrecht
Legend Legend
Legend

As you can use SmartDashboard, you should be able to add a new user using Management API: https://sc1.checkpoint.com/documents/latest/APIs/index.html#cli/add-user~v2 as you can type API commands from a dialog inside the SmartConsole GUI application, see https://sc1.checkpoint.com/documents/latest/APIs/index.html#introduction~v2

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
the_rock
Legend
Legend

Tx a lot brother, will try that in the lab!

Andy

0 Kudos
AkosBakos
Mentor Mentor
Mentor

Search for this:

[image attachment: image.png]

----------------
\m/_(>_<)_\m/
0 Kudos
the_rock
Legend
Legend

Hey bud,

That's exactly what we did yesterday, but no joy. Let me try what Guenther suggested in my lab and see what happens.

Andy

Script we tried:

clish -c "lock database override"
clish -c "add user testuser uid 0 homedir /home/testuser"
clish -c "add rba user testuser roles adminRole"
clish -c "set user testuser password p@55w0rd"
clish -c "set user testuser password-hash a4d90e2a36905c9b726b603bdac69ade1f2ef80d6ebc899079469fa75e18ef2f86897c3e116cb1f03273544ac30ee32efd9f59605788212a4ec09edd238028b6"
clish -c "save config"

0 Kudos
AkosBakos
Mentor Mentor
Mentor

Hi Andy,

This will prompt for input -> and it's not ok in this case

clish -c "set user testuser password p@55w0rd"

Here the 0 for UID is OK?

clish -c "add user testuser uid 0 homedir /home/testuser"

I have done some tests, but no success, something is wrong.

And what if you want to put the HASH only? That does not work too?

Akos

----------------
\m/_(>_<)_\m/
0 Kudos
the_rock
Legend
Legend

Hey Akos,

Funny thing is, the script does run fine, but then when you check the config, though it looks right, trying to log in just keeps saying permission denied : - (

Andy

0 Kudos
AkosBakos
Mentor Mentor
Mentor

Same here. No errors, and no changes 🙂

----------------
\m/_(>_<)_\m/
0 Kudos
the_rock
Legend
Legend

That's it man 🙂

Let me do some more tests, I'm a super persistent dude, I do NOT give up easily. hehe...so let's see.

Andy

0 Kudos
Duane_Toler
Advisor

Hey Andy,

 

You need this SK:

https://support.checkpoint.com/results/sk/sk106490

 

Oops.. Scratch that.  My first cup of coffee is still half-full; oops.  I didn't fully parse that you need the Management server's local admin user password.  I see that (more clearly) now.

One guess, as odd as it may sound, is that the server's disk space is full, which CAN block a remote (or even a local) login.

From SmartConsole, see if you can delete the oldest local log file then try your login again.

 

--
Ansible for Check Point APIs series: https://www.youtube.com/@EdgeCaseScenario and Substack
0 Kudos
the_rock
Legend
Legend

Hey Duane,

I don't think that would work, since I'm not looking to reset the password on the fw, but on the actual management server.

Andy

0 Kudos
the_rock
Legend
Legend

Hm, that's not a bad idea, let me call one of my colleagues and we can check via smart console.

Andy

0 Kudos
Duane_Toler
Advisor

IF this SmartTask trick works, for this script you wouldn't need both 'set user password' AND 'set user password-hash'.  You'd only need password-hash here.  "set user <USER> password" does not accept a plain text password parameter.  Your script likely died on this line.

 

--
Ansible for Check Point APIs series: https://www.youtube.com/@EdgeCaseScenario and Substack
0 Kudos
the_rock
Legend
Legend

IF...that's the key word lol. Oddly enough, when you run a script, it shows all green and well, but then the login fails. Just trying what Val mentioned, let's see. If that fails again, will do what you suggested and update.

Andy

0 Kudos
the_rock
Legend
Legend

Just tried that as well, no luck. Let me see if we can delete any older log files from smart console, though I can't find any options for it : - (

Andy

0 Kudos
Duane_Toler
Advisor

Another item to add: The password-hash you pasted is not a valid hash string. The password hash must include the hash algorithm number, the salt, optional rounds (for SHA2 hashes), then the hash string.

 

This is the hash for "vpn123":

$5$WmMWnbdP4tkgqFYF$2K9uRm1mEssDwT6VuEbHDdCvXPWnyjYqOhLrgC22Wu7

 

So you'd use: 

clish -c 'set user admin password-hash $5$WmMWnbdP4tkgqFYF$2K9uRm1mEssDwT6VuEbHDdCvXPWnyjYqOhLrgC22Wu7'

 

NOTE: You MUST use single-quote characters here, NOT double-quotes!

(If I had a <blink> tag, I'd use that, too)

--
Ansible for Check Point APIs series: https://www.youtube.com/@EdgeCaseScenario and Substack
(1)
the_rock
Legend
Legend

You mean use single quote for all commands or just hash one? Btw, I copied hash from the config for admin user.

Andy

0 Kudos
Duane_Toler
Advisor

At minimum, the password-hash, because it has $ in the string that Bash will try to interpolate and expand if double-quoted.

 

--
Ansible for Check Point APIs series: https://www.youtube.com/@EdgeCaseScenario and Substack
0 Kudos
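As an added example (not from the thread, Check Point, or any of the posters), the Python below checks a string against the crypt(3) hash layout Duane describes (algorithm id, optional rounds, salt, digest), approximates what bash would hand to clish if the hash were double-quoted, and builds the single-quoted clish command. The hashes are the ones quoted in the thread; the hex-only digest is a constructed stand-in for the one that failed, and the command is assumed to be run from a bash shell as in the posts.

```python
import re
import shlex
from dataclasses import dataclass
from typing import Optional

# crypt(3) / modular-crypt layout, which is what "password-hash" expects:
#   $<id>$[rounds=<n>$]<salt>$<digest>
# id 1 = MD5, 5 = SHA-256, 6 = SHA-512; the digest length is fixed per algorithm.
_CRYPT_RE = re.compile(
    r"^\$(?P<id>[156])\$(?:rounds=(?P<rounds>\d+)\$)?"
    r"(?P<salt>[./0-9A-Za-z]{1,16})\$(?P<digest>[./0-9A-Za-z]+)$"
)
_ALGO = {"1": ("MD5", 22), "5": ("SHA-256", 43), "6": ("SHA-512", 86)}


@dataclass
class CryptHash:
    algorithm: str
    salt: str
    digest: str
    rounds: Optional[int]


def parse_crypt_hash(value: str) -> Optional[CryptHash]:
    """Parse a crypt hash; return None for anything else (e.g. a bare hex digest)."""
    m = _CRYPT_RE.match(value)
    if m is None:
        return None
    name, digest_len = _ALGO[m["id"]]
    if len(m["digest"]) != digest_len:
        return None
    return CryptHash(name, m["salt"], m["digest"], int(m["rounds"]) if m["rounds"] else None)


def double_quoted_result(value: str) -> str:
    """Approximation of what bash leaves of the hash inside double quotes: $5, $2 and
    $WmMWnbdP4tkgqFYF are read as (unset) parameters and each expands to ''."""
    return re.sub(r"\$(?:\d|[A-Za-z_][A-Za-z0-9_]*)", "", value)


def clish_set_password_hash(user: str, value: str) -> str:
    """Build the clish command, single-quoting it so the shell passes the $ signs verbatim."""
    if parse_crypt_hash(value) is None:
        raise ValueError("not a crypt(3) hash: expected $<id>$<salt>$<digest>")
    return "clish -c " + shlex.quote(f"set user {user} password-hash {value}")


if __name__ == "__main__":
    good = "$5$WmMWnbdP4tkgqFYF$2K9uRm1mEssDwT6VuEbHDdCvXPWnyjYqOhLrgC22Wu7"  # "vpn123"
    bad = "a4d90e2a" * 16  # constructed hex-only digest, like the one first pasted
    print(parse_crypt_hash(good), parse_crypt_hash(bad))
    print(double_quoted_result(good))  # what clish would see with double quotes
    print(clish_set_password_hash("admin", good))
```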
the_rock
Legend
Legend

Btw, since our account is not super user for smart console, we can't run the script, so I emailed the client and asked him if we can do this later on the remote with his account. I'm pretty sure it will work, don't see the reason why it would not, since it did in my lab. I'm fairly certain the password-hash would be the same regardless of the environment.

Andy

0 Kudos
Duane_Toler
Advisor

Yep.  Hash algo 5 is SHA-256, which works on (at least) R80.40 and up.

--
Ansible for Check Point APIs series: https://www.youtube.com/@EdgeCaseScenario and Substack
the_rock
Legend
Legend

Thanks! Let me wait for him to respond and will update you. Tx again for everything.

Andy

0 Kudos
the_rock
Legend
Legend

Man, it WORKED! I don't care what anyone says, you are a PURE GENIUS @Duane_Toler 🙂

Andy

Below is the script that worked, we will try it in the customer's smart console, but I'm sure it will work fine.

clish -c "lock database override"
clish -c "add user checkpoint uid 0 homedir /home/checkpoint"
clish -c "add rba user checkpoint roles adminRole"
clish -c 'set user checkpoint password-hash $6$UGiymvIAogW5wDme$tnELrqe67hT9mC.oumck2LxUedBswlPeWTp9a7yRdBu07abkv8vPZA/WQrlvV4wCirvzAp3ltwgoF7BpWRLwa0'
clish -c "save config"

 

If anyone ever encounters this issue, give this a try, works 100%. Right click on mgmt object in smart console, script repository and add a script using above, save and right click -> run

username -> checkpoint

password -> maxwe!!

Then you can change the pass later. Btw, no need to install policy or database, works without doing so, but does not hurt, just in case.

Duane_Toler
Advisor

Oh cool.  This was via SmartTask, too?  What action did you attach that to?  This is a pretty cool trick to add to the notes.

--
Ansible for Check Point APIs series: https://www.youtube.com/@EdgeCaseScenario and Substack
0 Kudos
the_rock
Legend
Legend

Thats right!

Andy

0 Kudos
Duane_Toler
Advisor

Another option to skip a lot of steps is to just use 'dbset' directly:

dbset passwd:admin:passwd '$5$WmMWnbdP4tkgqFYF$2K9uRm1mEssDwT6VuEbHDdCvXPWnyjYqOhLrgC22Wu7'
dbset :save

That hash is for password "vpn123".

 

--
Ansible for Check Point APIs series: https://www.youtube.com/@EdgeCaseScenario and Substack
the_rock
Legend
Legend

I know the example I gave you is what we need, BUT, sadly, I have no clue in the world what the password hash should be. If I can figure that out, I'm positive that method would actually work.

Andy

0 Kudos
_Val_
Admin
Admin

Run any other Gaia where you know the user's credentials. See the password hash in the config output for that user. Copy/paste, case closed

 

the_rock
Legend
Legend

Hey Val,

That's what we actually tried in the lab last night, but no luck. Let me try it again, maybe I did not paste it right.

Andy

0 Kudos
_Val_
Admin
Admin

Just to make sure, both machines have the default English keyboard locale, right? 

0 Kudos
the_rock
Legend
Legend

Yes sir 🙂

0 Kudos
