sigscr100.htm
Posted Feb 21, 2001
Authored by Data Wizard

Securing IGS Cisco Routers v1.00 - This paper describes how to obtain remote and local information about an IGS Cisco Router. After we have collected the information that is useful to us, we'll try to secure the router as much as possible.

tags | paper, remote, local
systems | cisco
MD5 | f0010cc64dc3c641610c64ec68846d59

<html xmlns:v="urn:schemas-microsoft-com:vml"
xmlns:o="urn:schemas-microsoft-com:office:office"
xmlns:w="urn:schemas-microsoft-com:office:word"
xmlns="http://www.w3.org/TR/REC-html40">

<head>
<meta http-equiv=Content-Type content="text/html; charset=windows-1252">
<title>IGS Cisco Routers</title>
</head>

<body lang=EN-GB link=blue vlink=purple style='tab-interval:36.0pt'>

<div class=Section1>

<p class=MsoTitle><span style='font-size:18.0pt;mso-bidi-font-size:12.0pt'>Securing
IGS Cisco Routers v 1.00<o:p></o:p></span></p>

<p class=MsoNormal><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></p>

<p class=MsoNormal><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></p>

<p class=MsoNormal>This paper describes how to obtain remote and local
information about an IGS Cisco Router. It is recommended that you have some
experience configuring Cisco Routers before reading it; which model you own
does not matter. More importantly, you must own, and know how to use, a
Unix-oriented operating system. After we have collected the information that is
useful to us, we’ll try to secure the router as well as possible. And please
note, this paper is for educational purposes only and I’m not responsible in
any way for your stupid actions if you get caught.</p>

<p class=MsoNormal><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></p>

<p class=MsoNormal>Because there is a good chance you don’t have an IGS Cisco
Router but a newer model (with a newer IOS), programs like “nmap” may give you
different output. Also, while securing the router you may have to use commands
other than the ones I use. Grab your manual if you have one and look up the
correct command.</p>

<p class=MsoNormal><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></p>

<p class=MsoNormal><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></p>

<p class=MsoNormal><b><span style='font-size:14.0pt;mso-bidi-font-size:12.0pt'>Getting
the information remotely:<o:p></o:p></span></b></p>

<p class=MsoNormal><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></p>

<p class=MsoNormal>I assume you have already configured your Cisco Router and
your Unix box with the proper tools. But because I know there are still people
who don’t know where to download the tools we’re going to use, I’ve placed some
links at the bottom of this paper which could be useful.</p>

<p class=MsoNormal><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></p>

<p class=MsoNormal>I always start with an “nmap” scan; we first need to know
which daemons are running on the remote host. Because I own a couple of IGS
Cisco Routers myself, I’ll use the router with IP “169.254.0.10” for this
paper. A daemon can listen on various socket types, like UDP, TCP, IPX and SPX,
so it could take a long time before they are all scanned. And if you’re not on
the same segment as the remote router, it’s completely useless to scan sockets
other than TCP and UDP: protocols other than 802.3 (standard LLC, SNAP LLC and
raw) and IP will by default not be routed by any (Internet) router!</p>

<p class=MsoNormal>So we will only scan all listening TCP and UDP sockets, using
the following command at the Unix shell: “nmap -sT -sU -p 1-65535
169.254.0.10”. For a complete overview of all options, type “man nmap”.</p>

<p class=MsoNormal><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></p>

<pre>
Port       State       Service
7/tcp      open        echo
7/udp      open        echo
9/tcp      open        discard
9/udp      open        discard
23/tcp     open        telnet
49/udp     open        tacacs
67/udp     open        bootps
79/tcp     open        finger
161/udp    open        snmp
1993/tcp   open        snmp-tcp-port
</pre>

<p class=MsoNormal><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></p>

<p class=MsoNormal>Above you see the output of nmap; now I’ll try to describe
every daemon…</p>

<p class=MsoNormal><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></p>

<p class=MsoNormal>By default many FTP daemons use 20/TCP and 21/TCP, while
many Gopher daemons only listen on 70/TCP: every daemon has its standard port.
Of course you can configure a daemon so it listens on a different port, so it’s
possible that ‘behind’ 79/TCP on the IGS Cisco Router there is a daemon other
than a finger daemon. There are two ways to discover which daemon really
listens on a socket: one, search your IGS Cisco Router manual; two, establish a
telnet session to the daemon. I try to establish a telnet session to every
daemon; most of the time you get enough information from the ‘banner’.</p>

<p class=MsoNormal><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></p>

<p class=MsoNormal><b><span lang=NL style='mso-ansi-language:NL'>Echo
(7/TCP&UDP)<o:p></o:p></span></b></p>

<p class=MsoNormal><span lang=NL style='mso-ansi-language:NL'><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></span></p>

<pre>
SorNOT:~ # telnet 169.254.0.10 7
Trying 169.254.0.10...
Connected to 169.254.0.10.
Escape character is '^]'.
hu
hu
:)
:)
echo
echo
</pre>

<p class=MsoNormal><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></p>

<p class=MsoNormal>This daemon will echo everything you type nicely… but is not
really useful to us, so it’s recommended to kill the daemon. Unless you want a
digital chat friend for when you’re feeling bored… :-P</p>

<p class=MsoNormal><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></p>

<p class=MsoNormal><b>Discard (9/TCP&UDP)<o:p></o:p></b></p>

<p class=MsoNormal><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></p>

<p class=MsoNormal>This daemon is kind of funny (check the RFC), but it isn’t
very useful either, so kill it...</p>

<p class=MsoNormal><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></p>

<p class=MsoNormal><b>Telnet (23/TCP)<o:p></o:p></b></p>

<p class=MsoNormal><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></p>

<pre>
lappie:~/IGS # telnet 169.254.0.10 23
Trying 169.254.0.10...
Connected to 169.254.0.10.
Escape character is '^]'.


User Access Verification

Password:
CiscoRouter&gt;
</pre>

<p class=MsoNormal><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></p>

<p class=MsoNormal>This is a well-known daemon… I suppose you are familiar with
it.</p>

<p class=MsoNormal><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></p>

<p class=MsoNormal><b>Tacacs (49/UDP)<o:p></o:p></b></p>

<p class=MsoNormal><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></p>

<p class=MsoNormal>This (Terminal Access Controller Access Control System)
daemon has a function I will never use: it controls dial-up lines. This option
is (only?) used by Internet Service Providers, whose customers… well, use it to
create a connection to the Internet, perhaps?</p>

<p class=MsoNormal><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></p>

<p class=MsoNormal><b>Bootps (67/UDP)<o:p></o:p></b></p>

<p class=MsoNormal><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></p>

<p class=MsoNormal>With this protocol you can configure a Cisco Router
remotely… because your router has already been configured, it’s not necessary
to keep the daemon alive anymore.</p>

<p class=MsoNormal><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></p>

<p class=MsoNormal><b>Finger (79/TCP)<o:p></o:p></b></p>

<p class=MsoNormal><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></p>

<pre>
lappie:~/IGS # telnet 169.254.0.10 79
Trying 169.254.0.10...
Connected to 169.254.0.10.
Escape character is '^]'.

    Line     User     Host(s)               Idle Location
*  2 vty 0            idle                     0 169.254.0.3
Connection closed by foreign host.
</pre>

<p class=MsoNormal><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></p>

<p class=MsoNormal>Here we get some pretty valuable information about who has
established a connection to the IGS-CR and from where… this daemon is also what
the finger command within a shell talks to. So if you want to kill the daemon,
remember you cannot use it from within a shell anymore.</p>

<p class=MsoNormal><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></p>

<p class=MsoNormal><b>SNMP (161/UDP)<o:p></o:p></b></p>

<p class=MsoNormal><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></p>

<p class=MsoNormal>This (Simple Network Management Protocol) daemon could come
in handy in some situations, but I don’t see any reason to let it ‘live’.</p>

<p class=MsoNormal><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></p>

<p class=MsoNormal><b>SNMP-tcp-port (1993/tcp)<o:p></o:p></b></p>

<p class=MsoNormal><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></p>

<p class=MsoNormal>This is the TCP version of the SNMP daemon on 161/udp… so if
you want to stop that daemon, you also have to check that the daemon behind
1993/tcp is stopped.</p>

<p class=MsoNormal><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></p>

<p class=MsoNormal><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></p>

<p class=MsoNormal><b><span style='font-size:14.0pt;mso-bidi-font-size:12.0pt'>Getting
the information locally:</span></b><span style='font-size:14.0pt;mso-bidi-font-size:
12.0pt'><o:p></o:p></span></p>

<p class=MsoNormal><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></p>

<p class=MsoNormal>We can also request information about the IGS-CR locally;
you don’t need ‘enable’ privileges for this. With the command “show processes”
you’ll get output like the following.</p>

<p class=MsoNormal><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></p>

<pre>
CiscoRouter#show processes

 CPU utilization for one minute: 15%; for five minutes: 15%

 PID Q T      PC Runtime (ms)    Invoked   uSecs   Stacks  TTY Process
   1 M E 1019D28        49052       5275    9298  876/1000   0 Net Background
   2 L E 102D2EC            0          4       0  880/1000   0 Logger
  27 M *     F14          548         55    9963  678/1200   2 Virtual Exec
  28 L E 10581C8           28         20    1400  824/1000   0 UDP Echo
   5 M E 10581C8            0         52       0  898/1000   0 BOOTP Server
   6 H E 1010ABA       485848      74667    6506   536/900   0 IP Input
   7 M E 1062DA6           68      21114       3  804/1000   0 TCP Timer
   8 L E 1063FA4          164        161    1018  766/1000   0 TCP Protocols
   9 L E 101E646         1568       2321     675  854/1000   0 ARP Input
  10 L E 1010ABA            0          1       0  938/1000   0 Probe Input
  29 L E 10581C8           24         20    1200  824/1000   0 UDP Echo
  12 M E 1035092            0          2       0  968/1000   0 Timers
  13 H E 1010ABA        19472      54616     356   412/500   0 Net Input
  14 M T 100E474          336     104907       3  790/1000   0 TTY Background
  15 L E 10E2722            0          1       0  896/1000   0 IP SNMP
  30 L E 10581C8            0         20       0  946/1000   0 UDP Discard
  31 L E 10581C8            0         20       0  946/1000   0 UDP Discard
</pre>

<p class=MsoNormal><span style='mso-fareast-font-family:"MS Mincho"'><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></span></p>

<p class=MsoNormal><span style='mso-fareast-font-family:"MS Mincho"'>With the
command “show stacks” you’ll get more information about the daemons.<o:p></o:p></span></p>

<p class=MsoNormal><span style='mso-fareast-font-family:"MS Mincho"'><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></span></p>

<pre>
CiscoRouter#show stacks

Minimum process stacks:
Free/Size  Name
 734/1000  Init
 970/1000  Pakmon Init
 962/1000  MOP Protocols
 934/1000  UDP Discard
 678/1200  Virtual Exec
 786/1000  TCP Discard
 782/1000  TCP Echo
 820/1000  UDP Echo

Interrupt level stacks:
Level    Called Free/Size  Name
  3         417  964/1000  Serial interface state change interrupt
  4      580538  886/1000  Network interfaces
  5          46  968/1000  Console Uart
</pre>

<p class=MsoNormal><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></p>

<p class=MsoNormal><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></p>

<h1>Securing IGS-CR</h1>

<p class=MsoNormal><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></p>

<p class=MsoNormal>We need the combination of the remotely and locally gathered
information to stop the unnecessary daemons… We have several ways to do this:</p>

<p class=MsoNormal><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></p>

<ol style='margin-top:0cm' start=1 type=1>
<li class=MsoNormal style='mso-list:l0 level1 lfo1;tab-stops:list 36.0pt'>The
simplest way is to use the program ‘setup’. Here we can say, for example,
do not load the SNMP daemon, simply by entering ‘yes’ or ‘no’ at the
options.</li>
<li class=MsoNormal style='mso-list:l0 level1 lfo1;tab-stops:list 36.0pt'>I
know not many people will try this way to unload the unnecessary daemons,
because: one, it’s not easy to find; and two, you really have to know what
you’re doing. But it’s possible to read out the whole memory stack, find
the right offset of a daemon and rewrite the memory so the daemon is
killed.</li>
<li class=MsoNormal style='mso-list:l0 level1 lfo1;tab-stops:list 36.0pt'>As
far as I know the IGS series do not have an internal (network) firewall or
the like; probably the newer ones do have one. I will not discuss how to
set up the firewall, because simply said I don’t know how to do this (yes).
What I do want to say is that with this type of firewall you have the
option to filter the daemons for unwanted connections. You can create rules
like: 169.254.0.11 may connect to the telnet daemon but 169.254.0.20 may
not. Well, you get the idea, don’t you?</li>
</ol>

<p class=MsoNormal><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></p>

<p class=MsoNormal>To completely secure the IGS-CR we have to use the first two
ways: first we use way one, and if not all unnecessary daemons are stopped
then, we use way two as well. It’s possible that you want to kill different
daemons than I’m going to… most likely we’re talking about daemons that can’t
be stopped from the ‘setup’ menu. Daemons that can’t be stopped with way one
have to be stopped with way two, and that requires a lot of searching on your
part.</p>

<p class=MsoNormal><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></p>

<p class=MsoNormal>Way one is rather simple: just type “setup” and walk
through the menu. To verify afterwards that you have stopped some unnecessary
daemons, type “show processes” before and after you have walked through the
setup. Compare both outputs with each other and see for yourself whether
something has changed.</p>
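<p class=MsoNormal>The before-and-after comparison described above, as an added example that is not code from the paper: this Python script parses an nmap port listing and two “show processes” captures, reports which processes disappeared after “setup”, and, for each open socket, says whether the process assumed to serve it is still running. The sample captures are constructed from the paper’s own listings (the “after” capture is invented), and the socket-to-process mapping is my assumption, not something the paper or Cisco documents.</p>

```python
"""Tie the remote nmap listing to the local `show processes` listing and diff two
`show processes` captures taken before and after `setup`.  Added example, not the
paper's code: the sample captures are constructed from the paper's listings (the
"after" capture is made up) and PORT_TO_PROCESS is an assumed, not Cisco-documented,
socket-to-process mapping."""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple


class OpenPort(NamedTuple):
    port: int
    proto: str
    service: str  # nmap's guess from the port number, not a verified banner


class Process(NamedTuple):
    pid: int
    name: str


# One nmap result line, e.g. "7/udp      open        echo".
NMAP_RE = re.compile(r"^\s*(\d+)/(tcp|udp)\s+open\s+(\S+)", re.M)

# One `show processes` row: PID Q T PC Runtime Invoked uSecs Free/Size TTY Name.
# T may be "*" and PC is hex, as in the paper's "27 M *     F14 ..." row.
PROC_RE = re.compile(
    r"^\s*(?P<pid>\d+)\s+\S\s+\S\s+[0-9A-Fa-f]+(\s+\d+){3}\s+\d+/\d+\s+\d+\s+(?P<name>\S.*?)\s*$",
    re.M,
)

# Assumed socket -> process-name mapping; only processes the paper's listing names.
PORT_TO_PROCESS: Dict[Tuple[int, str], str] = {
    (7, "udp"): "UDP Echo",
    (9, "udp"): "UDP Discard",
    (23, "tcp"): "Virtual Exec",
    (67, "udp"): "BOOTP Server",
    (161, "udp"): "IP SNMP",
    (1993, "tcp"): "IP SNMP",
}

# Constructed sample inputs, taken from the paper's own listings.
NMAP_OUTPUT = """\
Port       State       Service
7/tcp      open        echo
7/udp      open        echo
9/tcp      open        discard
9/udp      open        discard
23/tcp     open        telnet
49/udp     open        tacacs
67/udp     open        bootps
79/tcp     open        finger
161/udp    open        snmp
1993/tcp   open        snmp-tcp-port
"""
PROCS_BEFORE = """\
 PID Q T      PC Runtime (ms)    Invoked   uSecs   Stacks  TTY Process
  27 M *     F14          548         55    9963  678/1200   2 Virtual Exec
  28 L E 10581C8           28         20    1400  824/1000   0 UDP Echo
   5 M E 10581C8            0         52       0  898/1000   0 BOOTP Server
   6 H E 1010ABA       485848      74667    6506   536/900   0 IP Input
  15 L E 10E2722            0          1       0  896/1000   0 IP SNMP
  30 L E 10581C8            0         20       0  946/1000   0 UDP Discard
"""
# Made-up capture after `setup`: only the processes we want to keep remain.
PROCS_AFTER = """\
 PID Q T      PC Runtime (ms)    Invoked   uSecs   Stacks  TTY Process
  27 M *     F14          560         57    9824  678/1200   2 Virtual Exec
   6 H E 1010ABA       486102      74701    6506   536/900   0 IP Input
"""


def parse_nmap(text: str) -> List[OpenPort]:
    return [OpenPort(int(p), pr, s) for p, pr, s in NMAP_RE.findall(text)]


def parse_processes(text: str) -> List[Process]:
    return [Process(int(m["pid"]), m["name"]) for m in PROC_RE.finditer(text)]


def diff_processes(before: str, after: str) -> Tuple[List[str], List[str]]:
    """Process names that disappeared / appeared between two captures."""
    b = {p.name for p in parse_processes(before)}
    a = {p.name for p in parse_processes(after)}
    return sorted(b - a), sorted(a - b)


def port_status(ports: List[OpenPort], after: str) -> Dict[str, Optional[bool]]:
    """Per open socket: True = its process still runs after `setup`, False = the
    process is gone, None = no process is known for it, so only a rescan can
    confirm whether something still listens there."""
    running = {p.name for p in parse_processes(after)}
    status: Dict[str, Optional[bool]] = {}
    for op in ports:
        name = PORT_TO_PROCESS.get((op.port, op.proto))
        status[f"{op.port}/{op.proto}"] = None if name is None else name in running
    return status


if __name__ == "__main__":
    print("stopped / started:", diff_processes(PROCS_BEFORE, PROCS_AFTER))
    for sock, state in port_status(parse_nmap(NMAP_OUTPUT), PROCS_AFTER).items():
        print(f"{sock:10} {'still running' if state else 'gone' if state is False else 'rescan to confirm'}")
```

<p class=MsoNormal>Sockets with no known process (7/tcp, 9/tcp, 49/udp and 79/tcp here) come back as None on purpose: a process missing from “show processes” is not proof that nothing listens on the socket, so a second nmap scan after “setup” remains the final check.</p>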

<p class=MsoNormal>I know that you cannot stop all unnecessary daemons with
this setup program, so I’ll try to show you how to stop them ‘the second way’…</p>

<p class=MsoNormal><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></p>

<p class=MsoNormal>I’m going to try to stop the daemon listed below…</p>

<pre>    “15 L E 10E2722            0          1       0  896/1000   0 IP SNMP”</pre>

<p class=MsoNormal><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></p>

<p class=MsoNormal>With the command “show memory” you’ll get a dump of the
whole memory. This could come in handy if we want to overwrite a specific
location in memory… We can (re)write the memory with the command “write
memory or erase [start stack – end stack] [new data]”.</p>

<p class=MsoNormal><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></p>

<pre>Address  Bytes  Prev.   Next    Ref  PrevF  NextF  Alloc PC  What
58850    112    587E0   588C0   1    *      *      1057FA8   IP SNMP</pre>

<p class=MsoNormal><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></p>

<pre>   PID Q T      PC Runtime (ms)   Invoked   uSecs    Stacks    TTY   Process
    15 L E 10E2722            0         1       0  896/1000      0   IP SNMP</pre>

<p class=MsoNormal><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></p>

<p class=MsoNormal>We could also kill the process via its so-called PID; because
how this works depends on which router you have, I’m not going to explain it any
further. Just find the appropriate command in your Cisco Router manual.</p>

<p class=MsoNormal><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></p>

<p class=MsoNormal>After you have killed some daemons, check whether they are
really stopped. I know that rewriting the stack is a tricky operation, and it
could be that your Cisco Router stops functioning. To reset all data in the
NVRAM (where all configuration is stored), type “erase startup-config” and
“reload” in enabled mode. Remember that while doing so you lose all your
configuration and such. The first time the Cisco Router boots from flash memory
after this, consult your Cisco Router manual for specific information.</p>

<p class=MsoNormal><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></p>

<p class=MsoNormal><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></p>

<p class=MsoNormal>OK, that’s it for this time… I have to spend my other hours
learning more about Cisco.</p>

<p class=MsoNormal><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></p>

<p class=MsoNormal><b>Some links:<o:p></o:p></b></p>

<p class=MsoNormal><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></p>

<p class=MsoNormal><a href="http://freshmeat.net/projects/nmap/">http://freshmeat.net/projects/nmap/</a></p>

<p class=MsoNormal><a href="http://www.cisco.com/">http://www.cisco.com/</a></p>

<p class=MsoNormal><a href="http://www.netterm.com/">http://www.netterm.com/</a></p>

<p class=MsoNormal><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></p>

<p class=MsoNormal><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></p>

<p class=MsoNormal>If you have any questions or other comments related to this
paper, you can drop a mail to mailpop3@crosswinds.net</p>

<p class=MsoNormal><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></p>

<p class=MsoNormal><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></p>

<p class=MsoNormal><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></p>

<p class=MsoNormal align=center style='text-align:center'>Copyright (C) 2001,
Data Wizard, The Netherlands.</p>

</div>

</body>

</html>
