One of the cornerstones of being a hacker is being as versatile as possible and being able to navigate a number of software packages. But first and foremost, one of the most important skills a hacker, IT professional, etc. can have is the art of enumeration. This tutorial will cover enumeration of Cisco routers.
**disclaimer: In general, enumeration is non-malicious, but do so at your own risk; if it's a router, all remote IP connections are probably recorded both on the router and off it.
Let's say you find some random router and you telnet into it, and it's not password protected, or by some random *cough* password cracking *cough* you find yourself at a prompt. The Cisco IOS has two security levels, one privileged and the other not, so you'll have one of the two prompts below:
router>
router#
Where router is the name of the router. This tutorial will only cover information that's of use at the unprivileged level. Unprivileged access can't change any router configuration or view certain information, but it has access to the majority of the show commands, which are the most useful commands for enumeration.
The Cisco IOS has a healthy help function: if ever in doubt (and you have the time), gratuitous use of the ? key will give you every possible command you can use. For example, if you were to type s? you'd get all the possible command trees starting with s.
The three commands which will give you the most information are "show version", "show interfaces" and "show ip protocols" (abbreviated "sh ip protocols" below). The first will give you a general, although verbose, description of the router. The second will show you every interface on the router, those that are up and those that are down, along with IP information. The third will give you information regarding the routing protocol in use, such as the protocol itself and the networks advertised.
Below I'll include output for each command and explain where the important information lies. Comments will be preceded by two hashes and captures from commands will be enclosed in double asterisks.
**output from Show version**
router_one>show version
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-IK9O3S3-M), Version 12.3(3a), RELEASE SOFTWARE (fc2)
##Cisco 2600 Series Router
Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Wed 15-Oct-03 06:38 by dchih
Image text-base: 0x80008098, data-base: 0x819AFDB8
ROM: System Bootstrap, Version 11.3(2)XA4, RELEASE SOFTWARE (fc1)
router_one uptime is 58 minutes
System returned to ROM by power-on
System image file is "flash:c2600-ik9o3s3-mz.123-3a.bin"
##this is the version of the IOS running
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export@cisco.com.
cisco 2611 (MPC860) processor (revision 0x203) with 61440K/4096K bytes of memory.
Processor board ID JAD05071DUH (815633573)
M860 processor: part number 0, mask 49
Bridging software.
X.25 software, Version 3.0.0.
##below it tells the amount of flash and the number and types of ports on the router.
2 Ethernet/IEEE 802.3 interface(s)
1 Serial network interface(s)
2 Serial(sync/async) network interface(s)
32K bytes of non-volatile configuration memory.
16384K bytes of processor board System flash (Read/Write)
Configuration register is 0x2102
##this "configuration register" configures the boot up procedure, more on this below.
**end Output from Show Version**
The show version command gives the most information of all the show commands. The configuration register affects how the system starts up: what it boots and from where, the console baud rate, and whether it'll accept interrupts (ctrl+break). A configuration register of 0x2102 is normal operation: the router doesn't accept the break key combination at bootup, it boots from flash (or the boot ROM if that fails), and the console runs at 9600 baud. Alternatively, if you reset the router to configuration register 0x2142 it ignores NVRAM, which is how the passwords in place get bypassed for configuration/password recovery; but that requires a reboot of the router, and very possibly a physical connection, as it'll come back up as an unconfigured router.
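To make those register bits concrete, here's a small added Python helper (my example, not from the tutorial or from Cisco) that pulls the configuration register out of a show version capture and decodes the documented bit fields, flagging the settings someone auditing a router would care about; the sample text is a constructed excerpt of the capture above.

```python
import re

# Constructed excerpt of the "show version" tail from this tutorial, used as sample input.
SHOW_VERSION = """\
cisco 2611 (MPC860) processor (revision 0x203) with 61440K/4096K bytes of memory.
16384K bytes of processor board System flash (Read/Write)
Configuration register is 0x2102
"""

# Bits 11-12 of the register select the console speed (00 = 9600, 01 = 4800, 10 = 1200, 11 = 2400).
CONSOLE_BAUD = {0: 9600, 1: 4800, 2: 1200, 3: 2400}

def decode_config_register(value):
    """Decode the documented bit fields of a Cisco IOS configuration register."""
    boot_field = value & 0x000F  # bits 0-3: 0 = stay in ROMMON, 1 = boot helper image, 2-F = flash
    return {
        "boot": {0: "rommon", 1: "boot helper image"}.get(boot_field, "flash (boot system commands)"),
        "ignore_nvram": bool(value & 0x0040),    # bit 6: skip startup-config (the 0x2142 recovery setting)
        "break_disabled": bool(value & 0x0100),  # bit 8: ignore Break at boot
        "console_baud": CONSOLE_BAUD[(value >> 11) & 0x3],
        "rom_fallback": bool(value & 0x2000),    # bit 13: fall back to ROM software if net boot fails
    }

def extract_config_register(show_version_text):
    """Return the register value from a show version capture as an int."""
    m = re.search(r"Configuration register is (0x[0-9A-Fa-f]+)", show_version_text)
    if m is None:
        raise ValueError("no 'Configuration register is' line in capture")
    return int(m.group(1), 16)

def audit_config_register(show_version_text):
    """Decode the register and list anything that deviates from a normal 0x2102-style boot."""
    value = extract_config_register(show_version_text)
    fields = decode_config_register(value)
    findings = []
    if fields["ignore_nvram"]:
        findings.append("startup-config is ignored at boot (0x40 set): password-recovery state, reset to 0x2102")
    if not fields["break_disabled"]:
        findings.append("Break is honoured at boot: anyone on the console can drop to ROMMON")
    if fields["boot"] == "rommon":
        findings.append("boot field is 0: the router will stop in ROMMON on the next reload")
    return value, fields, findings

if __name__ == "__main__":
    value, fields, findings = audit_config_register(SHOW_VERSION)
    print(hex(value), fields)
    for f in findings:
        print("FINDING:", f)
```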
**output from Show interface**
router_one>show interface
Ethernet0/0 is up, line protocol is down
##Every interface has two parts, the physical portion (Physical layer) and the line protocol (layer 2)
Hardware is AmdP2, address is 0005.3253.f5c0 (bia 0005.3253.f5c0)
Internet address is 192.168.1.2/24
##obviously the IP address
MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
reliability 128/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
ARP type: ARPA, ARP Timeout 04:00:00
Last input never, output 00:00:06, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 input packets with dribble condition detected
352 packets output, 21377 bytes, 0 underruns
352 output errors, 0 collisions, 2 interface resets
0 babbles, 0 late collision, 0 deferred
352 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out
Serial0/0 is down, line protocol is down
Hardware is PowerQUICC Serial
Internet address is 192.168.0.1/24
MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation HDLC, loopback not set
Keepalive set (10 sec)
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: weighted fair
Output queue: 0/1000/64/0 (size/max total/threshold/drops)
Conversations 0/0/256 (active/max active/max total)
Reserved Conversations 0/0 (allocated/max allocated)
Available Bandwidth 1158 kilobits/sec
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 2 interface resets
0 output buffer failures, 0 output buffers swapped out
0 carrier transitions
DCD=up DSR=up DTR=down RTS=down CTS=up
router_one>show ip interface brief
Interface IP-Address OK? Method Status Protocol
Ethernet0/0 192.168.1.2 YES NVRAM up down
Serial0/0 192.168.0.1 YES NVRAM down down
Ethernet0/1 unassigned YES NVRAM administratively down down
Serial0/1 unassigned YES NVRAM administratively down down
Serial0/2 unassigned YES NVRAM administratively down down
**end output show interface**
As you can see, show ip interface brief is much more helpful, as it gives us exactly the information we need in nice columns. The physical portion of each interface just reflects whether the two ends are connected with the right cables, i.e. a correct electrical connection. The line protocol portion of the interface is Layer 2, meaning that it involves frame encoding, clock rate, etc.
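Since show ip interface brief is the capture worth scripting against, here's an added Python parser (my example, not part of the tutorial) that turns that table into records and buckets interfaces by physical versus line-protocol state, handling the two-word "administratively down" status; the sample input is the capture above, pasted in as a constant.

```python
import re

# Constructed sample: the show ip interface brief capture from this tutorial.
SHOW_IP_INT_BRIEF = """\
Interface IP-Address OK? Method Status Protocol
Ethernet0/0 192.168.1.2 YES NVRAM up down
Serial0/0 192.168.0.1 YES NVRAM down down
Ethernet0/1 unassigned YES NVRAM administratively down down
Serial0/1 unassigned YES NVRAM administratively down down
Serial0/2 unassigned YES NVRAM administratively down down
"""

# Status can be two words ("administratively down"), so match a pattern instead of splitting on whitespace.
ROW = re.compile(
    r"^(?P<iface>\S+)\s+(?P<ip>\S+)\s+(?P<ok>YES|NO)\s+(?P<method>\S+)\s+"
    r"(?P<status>administratively down|up|down)\s+(?P<proto>up|down)\s*$"
)

def parse_ip_int_brief(text):
    """Return one dict per interface row; the header and any non-matching lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows

def classify(rows):
    """Bucket interfaces the way the tutorial reads them: physical state first, then line protocol."""
    out = {"addressed": [], "admin_down": [], "physically_down": [], "l2_down": [], "up": []}
    for r in rows:
        if r["ip"] != "unassigned":
            out["addressed"].append((r["iface"], r["ip"]))
        if r["status"] == "administratively down":
            out["admin_down"].append(r["iface"])       # shut down in config
        elif r["status"] == "down":
            out["physically_down"].append(r["iface"])  # no cable / no carrier (Layer 1)
        elif r["proto"] == "down":
            out["l2_down"].append(r["iface"])          # cable fine, Layer 2 not talking
        else:
            out["up"].append(r["iface"])
    return out

if __name__ == "__main__":
    for bucket, members in classify(parse_ip_int_brief(SHOW_IP_INT_BRIEF)).items():
        print(f"{bucket:16} {members}")
```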
**output from show ip protocols**
router_one>sh ip protocols
Routing Protocol is "rip"
##this is the routing protocol being used, Routing Information Protocol
Sending updates every 30 seconds, next due in 15 seconds
Invalid after 180 seconds, hold down 180, flushed after 240
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Redistributing: rip
Default version control: send version 1, receive any version
Interface Send Recv Triggered RIP Key-chain
Serial0/0 1 1 2
Automatic network summarization is in effect
Maximum path: 4
Routing for Networks:
192.168.0.0
##this is a list of all advertised networks, some
Routing Information Sources:
Gateway Distance Last Update
Distance: (default is 120)
##The (administrative) distance is a measure of how much the router trusts routes learned from a given source; lower is preferred, and RIP's default is 120
**end all output captures**
There are a number of other commands that can give you information about directly connected devices, e.g. the show cdp neighbors command, which will identify nearby Cisco routers/devices with CDP (Cisco Discovery Protocol) running. CDP runs independently of Layer 3 connectivity (without an IP address) since it's a Layer 2 protocol, and it works with all Cisco IOS-enabled devices: PIX firewalls, routers, switches, etc.
Also a nice tidbit of information is the show privilege command, which tells you the security level you're in. All the above information can be gleaned at the first security level; the output will look as follows:
router_one>show privilege
Current privilege level is 1
There are fifteen security levels, and although all of them can be assigned usernames and passwords, usually only two are used, 1 and 15. In closing, it's always crap to get into a system and not be able to tell whether it's an Avaya or a Cisco, or even worse, a Layer 3 switch from a router.
Interesting Links/Bibliography
http://www.cisco.com/en/US/products/...8022493f.shtml
http://articles.techrepublic.com.com...1-5659259.html
http://www.repton.co.uk/library/cisco_router_guide.pdf
(caution, it's a big a** pdf; if your browser is prone to seizing and going kerflooie when reading pdfs, be a pal and ctrl+click)