Cisco Router Enumeration
Page 1 of 2 12 LastLast
Results 1 to 10 of 11

Thread: Cisco Router Enumeration

Hybrid View

  1. #1
    Member n00bius's Avatar
    Join Date
    Mar 2005
    Location
    texas
    Posts
    86

    Cool Cisco Router Enumeration

    One of the corner stones of being a hacker, is being as versatile as possible and being able to navigate through a number of software packages. But first and foremost, one of the most important skills a hacker/IT professional etc can have, is the art of enumeration. This tutorial will concern enumeration of Cisco routers.

    **disclaimer: In general, enumeration is non-malicious but do so at your own risk, and if its a router all remote IP connections are probably recorded on the router and off the router.

    Lets say you find some random router and you telnet into it, and its not password protected or by some random *cough* password cracking *cough* you find yourself at a prompt. The Cisco IOS has two security levels, one's privileged and the other is not thus you have one of the two prompts below:

    router>
    router#

    Where router is the name of the router. This tutorial will be only covering information that's of use at the unprivileged level. Unprivileged access can't change any router configuration, or view specific information, but has access to the majority of all the show commands, commands that are the most useful for enumeration.

    The Cisco IOS has a healthy help function, if ever in doubt (and you have the time) gratuitous use of the ? key will give you ever possible command you can use. For example if you were to type s? you'd get all the possible command trees starting with s.

    The three commands which will give you the most information, are the "show version" , "show interfaces" and "sh ip protocols" commands. The first will give you a general, although verbose, description of the router. The second will show you every interface on the router, those that are up and those that are down, along with IP information. The third option will give you information regarding the router protocol in use such as the protocol and the networks advertised.

    Below i'll include output for each command and explain where the important information lies. Comments will be preceded by two hashes and captures from commands will be enclosed in double asterisks.

    **output from Show version**

    router_one>show version
    Cisco Internetwork Operating System Software
    IOS (tm) C2600 Software (C2600-IK9O3S3-M), Version 12.3(3a), RELEASE SOFTWARE (fc2)
    ##Cisco 2600 Series Router
    Copyright (c) 1986-2003 by cisco Systems, Inc.
    Compiled Wed 15-Oct-03 06:38 by dchih
    Image text-base: 0x80008098, data-base: 0x819AFDB8

    ROM: System Bootstrap, Version 11.3(2)XA4, RELEASE SOFTWARE (fc1)

    router_one uptime is 58 minutes
    System returned to ROM by power-on
    System image file is "flash:c2600-ik9o3s3-mz.123-3a.bin"
    ##this is the version of the IOS running

    This product contains cryptographic features and is subject to United
    States and local country laws governing import, export, transfer and
    use. Delivery of Cisco cryptographic products does not imply
    third-party authority to import, export, distribute or use encryption.
    Importers, exporters, distributors and users are responsible for
    compliance with U.S. and local country laws. By using this product you
    agree to comply with applicable laws and regulations. If you are unable
    to comply with U.S. and local laws, return this product immediately.

    A summary of U.S. laws governing Cisco cryptographic products may be found at:
    http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

    If you require further assistance please contact us by sending email to
    export@cisco.com.

    cisco 2611 (MPC860) processor (revision 0x203) with 61440K/4096K bytes of memory.
    Processor board ID JAD05071DUH (815633573)
    M860 processor: part number 0, mask 49
    Bridging software.
    X.25 software, Version 3.0.0.
    ##below it tells the amount of flash and the number and types of ports on the router.
    2 Ethernet/IEEE 802.3 interface(s)
    1 Serial network interface(s)
    2 Serial(sync/async) network interface(s)
    32K bytes of non-volatile configuration memory.
    16384K bytes of processor board System flash (Read/Write)

    Configuration register is 0x2102
    ##this "configuration register" configures the boot up procedure, more on this below.

    **end Output from Show Version**
    The show version command gives the most information of all the show commands. The configuration register affects how the system starts up, such as what it boots to and from where, the baud rate, and whether it'll accept interrupts (ctrl+break). 0x2102 configuration register is for normal operation, where it doesn't accept break key combinations at bootup, it boots from flash or the bootrom if that fails, and it has a baud rate of 9600. Alternatively, if you reset the router to configuration register 0x2142 it ignores NVRAM allowing you to bypass the passwords in place for configuration/password recovery, but requires a reboot of the router, and very possibly a physical connection as it'll reboot into an unconfigured router.

    **output from Show interface**

    router_one>show interface
    Ethernet0/0 is up, line protocol is down
    ##Every interface has two parts, the physical portion (Physical layer) and the line protocol (layer 2)
    Hardware is AmdP2, address is 0005.3253.f5c0 (bia 0005.3253.f5c0)
    Internet address is 192.168.1.2/24
    ##obviously the IP address
    MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
    reliability 128/255, txload 1/255, rxload 1/255
    Encapsulation ARPA, loopback not set
    Keepalive set (10 sec)
    ARP type: ARPA, ARP Timeout 04:00:00
    Last input never, output 00:00:06, output hang never
    Last clearing of "show interface" counters never
    Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
    Queueing strategy: fifo
    Output queue: 0/40 (size/max)
    5 minute input rate 0 bits/sec, 0 packets/sec
    5 minute output rate 0 bits/sec, 0 packets/sec
    0 packets input, 0 bytes, 0 no buffer
    Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
    0 input packets with dribble condition detected
    352 packets output, 21377 bytes, 0 underruns
    352 output errors, 0 collisions, 2 interface resets
    0 babbles, 0 late collision, 0 deferred
    352 lost carrier, 0 no carrier
    0 output buffer failures, 0 output buffers swapped out
    Serial0/0 is down, line protocol is down
    Hardware is PowerQUICC Serial
    Internet address is 192.168.0.1/24
    MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
    reliability 255/255, txload 1/255, rxload 1/255
    Encapsulation HDLC, loopback not set
    Keepalive set (10 sec)
    Last input never, output never, output hang never
    Last clearing of "show interface" counters never
    Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
    Queueing strategy: weighted fair
    Output queue: 0/1000/64/0 (size/max total/threshold/drops)
    Conversations 0/0/256 (active/max active/max total)
    Reserved Conversations 0/0 (allocated/max allocated)
    Available Bandwidth 1158 kilobits/sec
    5 minute input rate 0 bits/sec, 0 packets/sec
    5 minute output rate 0 bits/sec, 0 packets/sec
    0 packets input, 0 bytes, 0 no buffer
    Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
    0 packets output, 0 bytes, 0 underruns
    0 output errors, 0 collisions, 2 interface resets
    0 output buffer failures, 0 output buffers swapped out
    0 carrier transitions
    DCD=up DSR=up DTR=down RTS=down CTS=up

    router_one>show ip interface brief
    Interface IP-Address OK? Method Status Protocol
    Ethernet0/0 192.168.1.2 YES NVRAM up down
    Serial0/0 192.168.0.1 YES NVRAM down down
    Ethernet0/1 unassigned YES NVRAM administratively down down
    Serial0/1 unassigned YES NVRAM administratively down down
    Serial0/2 unassigned YES NVRAM administratively down down

    **end output show interface**

    As you can see, the show ip interface brief is much more helpful, as it gives us the exact information we need in nice columns. The physical portion of each
    interface is just if you have the two interfaces connected using the right cables, a correct electrical connection. The line protocol portion of the
    interface is the lower Layer 2, meaning that it involves frame encoding, clock rate, etc.

    **output from show ip protocols**

    router_one>sh ip protocols
    Routing Protocol is "rip"
    ##this is the routing protocol being used, Routing Information program
    Sending updates every 30 seconds, next due in 15 seconds
    Invalid after 180 seconds, hold down 180, flushed after 240
    Outgoing update filter list for all interfaces is not set
    Incoming update filter list for all interfaces is not set
    Redistributing: rip
    Default version control: send version 1, receive any version
    Interface Send Recv Triggered RIP Key-chain
    Serial0/0 1 1 2
    Automatic network summarization is in effect
    Maximum path: 4
    Routing for Networks:
    192.168.0.0
    ##this is a list of all advertised networks, some
    Routing Information Sources:
    Gateway Distance Last Update
    Distance: (default is 120)
    ##The distance is a measure of how likely the router will use a certain gateway

    **end all output captures**

    There are a number of other commands that can give you information as far as directly connected routers, i.e. the show cdp neighbors command, which will identify nearby router/cisco devices with CDP (Cisco Discovery Protocol) running, which runs independent of Layer 3 connectivity (without an IP address) since it's a layer 2 protocol. CDP works will All cisco IOS enabled devices: PIX firewalls, routers, switches, etc.

    Also a nice tidbit of information is the use of the show priviledge command which tells you the level of security you're in, all the above information can be gleamed in the first security level output will look as follows:

    router_one>show privilege
    Current privilege level is 1

    There are fifteen security levels, and although all of them can be assigned usernames and passwords, usu only two are used, 1 and 15. In closing it's always crap to get into a system and not be able to discern it from an Avaya or Cisco, or even worse, a Layer 3 switch from a router.


    Interesting Links/Bibliography

    http://www.cisco.com/en/US/products/...8022493f.shtml
    http://articles.techrepublic.com.com...1-5659259.html
    http://www.repton.co.uk/library/cisco_router_guide.pdf
    (caution, itís a big a** pdf, if youíre browser is prone to seizing and going kerflooie when reading pdfs, be a pal and ctrl+click)
    ...:::Pure Kn0wledge:::...

  2. #2
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,403
    sh cdp neigh can be helpfull too.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  3. #3
    Right turn Clyde Nokia's Avatar
    Join Date
    Aug 2003
    Location
    Button Moon
    Posts
    1,696
    Lets say you find some random router and you telnet into it, and its not password protected
    This is not allowed by default, hence 99.9% of the time you won't ever be able to telnet/ssh to a router/switch etc that has no telenet password set.
    Drugs have taught an entire generation of kids the metric system.

    http://tazforum.**********.com/

  4. #4
    Senior Member
    Join Date
    Apr 2005
    Location
    USA
    Posts
    422
    Quote Originally Posted by Nokia
    This is not allowed by default, hence 99.9% of the time you won't ever be able to telnet/ssh to a router/switch etc that has no telenet password set.
    Yes, but there are a lot of defaults, and by doing an OS detection and all that, couldn't you find the router, then search online for defaults? (yes, im asking this as a question, cause im new to this, but am reading a book on it without messing around too much, so the info is like all lose in my head )

  5. #5
    Right turn Clyde Nokia's Avatar
    Join Date
    Aug 2003
    Location
    Button Moon
    Posts
    1,696
    Not with the corporate routers that the OP is using as the subject of the tutorial - they don't ship with a default password set, they ship with no telnet/SSH password set, but will not allow anyone to access them by these means until a password is in place.
    It is possible to use a blank password but the router still needs to be configured to accept connections with no password set - configuring this is almost the same process as configuring a password, which is why you very very rarely find a corporate grade Cisco router with a blank RA password.
    Drugs have taught an entire generation of kids the metric system.

    http://tazforum.**********.com/

  6. #6
    Member n00bius's Avatar
    Join Date
    Mar 2005
    Location
    texas
    Posts
    86
    I remember a while back, i read an article about routers, when under a heavy load, or DOS, would maintain functionality at all costs, but would drop security. I don't think it was for Cisco routers specifically, but routers in General; any ideas about that Nokia as i've had little experience with cisco routers in an actual production environment.
    ...:::Pure Kn0wledge:::...

  7. #7
    Right turn Clyde Nokia's Avatar
    Join Date
    Aug 2003
    Location
    Button Moon
    Posts
    1,696
    You may be thinking about switches; one of the earliest attacks against a switched network was to flood the switch with ARP responses, this would overwrite its MAC table and at the same time the clients would obviously be sending 'real' ARP responses, eventually the switch would be flooded to such an extent that it would turn into a hub and hence lose all the security a switch brings to a network.

    This was easily patched by vendors and is not very common anymore - attackers have to use targeted ARP poisoning to circumvent a switch in most modern-ish networks.

    I have never heard of a router being flooded and losing some of its security functionality, if anything a router would start dropping packets before it lets unsolicited ones through. At least to my knowledge anyway.
    Drugs have taught an entire generation of kids the metric system.

    http://tazforum.**********.com/

  8. #8
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    Quote Originally Posted by Nokia
    You may be thinking about switches; one of the earliest attacks against a switched network was to flood the switch with ARP responses, this would overwrite its MAC table and at the same time the clients would obviously be sending 'real' ARP responses, eventually the switch would be flooded to such an extent that it would turn into a hub and hence lose all the security a switch brings to a network.

    This was easily patched by vendors and is not very common anymore - attackers have to use targeted ARP poisoning to circumvent a switch in most modern-ish networks.

    I have never heard of a router being flooded and losing some of its security functionality, if anything a router would start dropping packets before it lets unsolicited ones through. At least to my knowledge anyway.

    I've seen cases where under either high system load or under reduced free memory (ie, buggy release + memory leaks + extended up-time), things like ACL's will no longer be processed, various commands will fail (like sh run); however, the router will still pass traffic...Its been fairly rare, but I have seen it happen...
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  9. #9
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,403
    There are 2 ways equipment can 'fail'. The one you're describing is usually found on switches and is called "fail open". The other is used on firewalls et al and is called "fail close".
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  10. #10
    Right turn Clyde Nokia's Avatar
    Join Date
    Aug 2003
    Location
    Button Moon
    Posts
    1,696
    I didn't know that - learn something everyday, cheers Neb.

    //Was this on old equipment or new?
    Drugs have taught an entire generation of kids the metric system.

    http://tazforum.**********.com/

Similar Threads

  1. Cisco Security Advisory: Cisco Telnet Denial of Service Vulnerability
    By Spyder32 in forum Miscellaneous Security Discussions
    Replies: 1
    Last Post: May 27th, 2008, 01:17 PM
  2. Port List
    By ThePreacher in forum Miscellaneous Security Discussions
    Replies: 17
    Last Post: December 14th, 2006, 08:37 PM
  3. anyone want to help me with some cisco hw?
    By Simo in forum Miscellaneous Security Discussions
    Replies: 7
    Last Post: October 28th, 2003, 02:47 PM
  4. Heads up for the Cisco PIX people
    By Ratman2 in forum Firewall & Honeypot Discussions
    Replies: 0
    Last Post: November 22nd, 2002, 02:17 PM
  5. how to hack cisco a router... wow
    By NUKEM6 in forum Non-Security Archives
    Replies: 1
    Last Post: February 3rd, 2002, 10:28 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides