-
July 22nd, 2007, 07:46 AM
#1
Cisco Router Enumeration
One of the cornerstones of being a hacker is being as versatile as possible and being able to navigate a number of software packages. But first and foremost, one of the most important skills a hacker, IT professional, etc. can have is the art of enumeration. This tutorial will concern enumeration of Cisco routers.
**Disclaimer: In general, enumeration is non-malicious, but do so at your own risk; if it's a router, all remote IP connections are probably recorded on the router and off the router.
Let's say you find some random router and you telnet into it, and it's not password protected, or by some random *cough* password cracking *cough* you find yourself at a prompt. The Cisco IOS has two security levels, one privileged and the other not, so you have one of the two prompts below:
router>
router#
Where router is the name of the router. This tutorial will only cover information that's of use at the unprivileged level. Unprivileged access can't change any router configuration or view specific information, but it has access to the majority of the show commands, the commands that are the most useful for enumeration.
The Cisco IOS has a healthy help function; if ever in doubt (and you have the time), gratuitous use of the ? key will give you every possible command you can use. For example, if you were to type s? you'd get all the possible command trees starting with s.
The three commands which will give you the most information are "show version", "show interfaces" and "sh ip protocols". The first will give you a general, although verbose, description of the router. The second will show you every interface on the router, those that are up and those that are down, along with IP information. The third will give you information regarding the routing protocol in use, such as the protocol and the networks advertised.
Below I'll include output for each command and explain where the important information lies. Comments will be preceded by two hashes and captures from commands will be enclosed in double asterisks.
**output from Show version**
router_one>show version
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-IK9O3S3-M), Version 12.3(3a), RELEASE SOFTWARE (fc2)
##Cisco 2600 Series Router
Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Wed 15-Oct-03 06:38 by dchih
Image text-base: 0x80008098, data-base: 0x819AFDB8
ROM: System Bootstrap, Version 11.3(2)XA4, RELEASE SOFTWARE (fc1)
router_one uptime is 58 minutes
System returned to ROM by power-on
System image file is "flash:c2600-ik9o3s3-mz.123-3a.bin"
##this is the version of the IOS running
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export@cisco.com.
cisco 2611 (MPC860) processor (revision 0x203) with 61440K/4096K bytes of memory.
Processor board ID JAD05071DUH (815633573)
M860 processor: part number 0, mask 49
Bridging software.
X.25 software, Version 3.0.0.
##below it tells the amount of flash and the number and types of ports on the router.
2 Ethernet/IEEE 802.3 interface(s)
1 Serial network interface(s)
2 Serial(sync/async) network interface(s)
32K bytes of non-volatile configuration memory.
16384K bytes of processor board System flash (Read/Write)
Configuration register is 0x2102
##this "configuration register" configures the boot up procedure, more on this below.
**end Output from Show Version**
The show version command gives the most information of all the show commands. The configuration register affects how the system starts up, such as what it boots to and from where, the baud rate, and whether it'll accept interrupts (ctrl+break). A configuration register of 0x2102 is for normal operation: it doesn't accept break key combinations at bootup, it boots from flash (or the boot ROM if that fails), and it has a baud rate of 9600. Alternatively, if you reset the router to configuration register 0x2142 it ignores NVRAM, allowing you to bypass the passwords in place for configuration/password recovery, but this requires a reboot of the router, and very possibly a physical connection, as it'll reboot into an unconfigured router.
**output from Show interface**
router_one>show interface
Ethernet0/0 is up, line protocol is down
##Every interface has two parts, the physical portion (Physical layer) and the line protocol (layer 2)
Hardware is AmdP2, address is 0005.3253.f5c0 (bia 0005.3253.f5c0)
Internet address is 192.168.1.2/24
##obviously the IP address
MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
reliability 128/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
ARP type: ARPA, ARP Timeout 04:00:00
Last input never, output 00:00:06, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 input packets with dribble condition detected
352 packets output, 21377 bytes, 0 underruns
352 output errors, 0 collisions, 2 interface resets
0 babbles, 0 late collision, 0 deferred
352 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out
Serial0/0 is down, line protocol is down
Hardware is PowerQUICC Serial
Internet address is 192.168.0.1/24
MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation HDLC, loopback not set
Keepalive set (10 sec)
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: weighted fair
Output queue: 0/1000/64/0 (size/max total/threshold/drops)
Conversations 0/0/256 (active/max active/max total)
Reserved Conversations 0/0 (allocated/max allocated)
Available Bandwidth 1158 kilobits/sec
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 2 interface resets
0 output buffer failures, 0 output buffers swapped out
0 carrier transitions
DCD=up DSR=up DTR=down RTS=down CTS=up
router_one>show ip interface brief
Interface IP-Address OK? Method Status Protocol
Ethernet0/0 192.168.1.2 YES NVRAM up down
Serial0/0 192.168.0.1 YES NVRAM down down
Ethernet0/1 unassigned YES NVRAM administratively down down
Serial0/1 unassigned YES NVRAM administratively down down
Serial0/2 unassigned YES NVRAM administratively down down
**end output show interface**
As you can see, show ip interface brief is much more helpful, as it gives us the exact information we need in nice columns. The physical portion of each interface is just whether you have the two interfaces connected using the right cables, i.e. a correct electrical connection. The line protocol portion of the interface is the lower Layer 2, meaning that it involves frame encoding, clock rate, etc.
**output from show ip protocols**
router_one>sh ip protocols
Routing Protocol is "rip"
##this is the routing protocol being used, Routing Information program
Sending updates every 30 seconds, next due in 15 seconds
Invalid after 180 seconds, hold down 180, flushed after 240
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Redistributing: rip
Default version control: send version 1, receive any version
Interface Send Recv Triggered RIP Key-chain
Serial0/0 1 1 2
Automatic network summarization is in effect
Maximum path: 4
Routing for Networks:
192.168.0.0
##this is a list of all advertised networks, some
Routing Information Sources:
Gateway Distance Last Update
Distance: (default is 120)
##The distance is a measure of how likely the router will use a certain gateway
**end all output captures**
There are a number of other commands that can give you information about directly connected routers, e.g. the show cdp neighbors command, which will identify nearby router/Cisco devices with CDP (Cisco Discovery Protocol) running; CDP runs independent of Layer 3 connectivity (without an IP address) since it's a Layer 2 protocol. CDP works with all Cisco IOS enabled devices: PIX firewalls, routers, switches, etc.
Also a nice tidbit of information is the use of the show privilege command, which tells you the security level you're in. All the above information can be gleaned at the first security level; the output will look as follows:
router_one>show privilege
Current privilege level is 1
There are fifteen security levels, and although all of them can be assigned usernames and passwords, usually only two are used, 1 and 15. In closing, it's always crap to get into a system and not be able to discern whether it's an Avaya or a Cisco, or even worse, a Layer 3 switch from a router.
Interesting Links/Bibliography
http://www.cisco.com/en/US/products/...8022493f.shtml
http://articles.techrepublic.com.com...1-5659259.html
http://www.repton.co.uk/library/cisco_router_guide.pdf
(caution, it's a big a** pdf; if your browser is prone to seizing and going kerflooie when reading pdfs, be a pal and ctrl+click)
...:::Pure Kn0wledge:::...
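The three things the tutorial above tells you to pull out of a router (the IOS version and platform from show version, the addressed interfaces from show ip interface brief, and the meaning of the configuration register) can be scripted once you have the captures saved. The block below is an added example, not code from the original post or from Cisco. The two captures embedded in it are constructed to follow the layout of the output shown above and are not from a real device; the field names and the two "flags" it raises are this script's own choices.

```python
"""Parse 'show version' and 'show ip interface brief' captures into an
enumeration summary, and decode the configuration register bits the
tutorial discusses (0x2102 vs 0x2142).

Added example, not code from the original post. Captures below are
constructed in the layout of the tutorial's output, not from a device."""
import re

SHOW_VERSION = """\
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-IK9O3S3-M), Version 12.3(3a), RELEASE SOFTWARE (fc2)
router_one uptime is 58 minutes
System image file is "flash:c2600-ik9o3s3-mz.123-3a.bin"
cisco 2611 (MPC860) processor (revision 0x203) with 61440K/4096K bytes of memory.
2 Ethernet/IEEE 802.3 interface(s)
1 Serial network interface(s)
2 Serial(sync/async) network interface(s)
Configuration register is 0x2102
"""

SHOW_IP_INT_BRIEF = """\
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0                192.168.1.2     YES NVRAM  up                    down
Serial0/0                  192.168.0.1     YES NVRAM  down                  down
Ethernet0/1                unassigned      YES NVRAM  administratively down down
"""

# Console baud lives in bits 11-12 of the register; 00 means 9600.
_BAUD = {0x0000: 9600, 0x0800: 4800, 0x1000: 1200, 0x1800: 2400}


def decode_config_register(value):
    """Decode the bits of a 16-bit IOS configuration register."""
    boot_field = value & 0x000F
    if boot_field == 0x0:
        boot = "ROM monitor"
    elif boot_field == 0x1:
        boot = "boot image in ROM"
    else:
        boot = "boot system commands / first image in flash"
    return {
        "boot": boot,
        "ignore_nvram": bool(value & 0x0040),    # bit 6: what 0x2142 sets
        "break_disabled": bool(value & 0x0100),  # bit 8
        "console_baud": _BAUD[value & 0x1800],
        "rom_fallback_if_netboot_fails": bool(value & 0x2000),  # bit 13
    }


def parse_show_version(text):
    """Pull the fields an enumerator cares about out of 'show version'."""
    info = {"interface_counts": {}}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^IOS \(tm\) \S+ Software \((\S+)\), Version ([^,]+),", line)
        if m:
            info["image"], info["version"] = m.group(1), m.group(2)
            continue
        m = re.match(r"^(\S+) uptime is (.+)$", line)
        if m:
            info["hostname"], info["uptime"] = m.group(1), m.group(2)
            continue
        m = re.match(r'^System image file is "([^"]+)"', line)
        if m:
            info["image_file"] = m.group(1)
            continue
        m = re.match(r"^cisco (\S+) \((\S+)\) processor", line)
        if m:
            info["model"], info["cpu"] = m.group(1), m.group(2)
            continue
        m = re.match(r"^(\d+) (.+?) interface\(s\)$", line)
        if m:
            info["interface_counts"][m.group(2)] = int(m.group(1))
            continue
        m = re.match(r"^Configuration register is (0x[0-9A-Fa-f]+)", line)
        if m:
            info["config_register"] = int(m.group(1), 16)
    return info


# Status may be two words ("administratively down"), hence the lazy group.
_BRIEF_ROW = re.compile(r"^(\S+)\s+(\S+)\s+(YES|NO)\s+(\S+)\s+(.+?)\s+(up|down)$")


def parse_ip_int_brief(text):
    """Turn 'show ip interface brief' rows into dicts; the header is skipped."""
    rows = []
    for line in text.splitlines():
        m = _BRIEF_ROW.match(line.strip())
        if m:
            rows.append({"interface": m.group(1), "ip": m.group(2),
                         "method": m.group(4), "status": m.group(5),
                         "protocol": m.group(6)})
    return rows


def enumerate_router(version_text, brief_text):
    """Combine both captures and flag register settings worth noting."""
    summary = parse_show_version(version_text)
    summary["interfaces"] = parse_ip_int_brief(brief_text)
    summary["addressed"] = [r["interface"] for r in summary["interfaces"]
                            if r["ip"] != "unassigned"]
    flags = []
    if "config_register" in summary:
        reg = decode_config_register(summary["config_register"])
        summary["register"] = reg
        if reg["ignore_nvram"]:
            flags.append("register ignores NVRAM: left in password-recovery state")
        if not reg["break_disabled"]:
            flags.append("break enabled: console break during boot drops to ROM monitor")
    summary["flags"] = flags
    return summary


if __name__ == "__main__":
    import json
    print(json.dumps(enumerate_router(SHOW_VERSION, SHOW_IP_INT_BRIEF), indent=2))
```

The version regex matches the old "IOS (tm)" banner shown in the tutorial; later IOS releases open with a "Cisco IOS Software, ..." line instead, so that one pattern needs extending before the script is pointed at newer captures. The register decoder is the part worth keeping: a box that answers with 0x2142 has been through password recovery and is running with NVRAM ignored, which is exactly the condition the tutorial describes as the bypass.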
-
July 23rd, 2007, 10:03 AM
#2
sh cdp neigh can be helpful too.
Oliver's Law:
Experience is something you don't get until just after you need it.
-
July 23rd, 2007, 12:41 PM
#3
Let's say you find some random router and you telnet into it, and it's not password protected
This is not allowed by default, hence 99.9% of the time you won't ever be able to telnet/ssh to a router/switch etc. that has no telnet password set.
-
July 24th, 2007, 04:24 AM
#4
Originally Posted by Nokia
This is not allowed by default, hence 99.9% of the time you won't ever be able to telnet/ssh to a router/switch etc. that has no telnet password set.
Yes, but there are a lot of defaults, and by doing an OS detection and all that, couldn't you find the router, then search online for defaults? (Yes, I'm asking this as a question, because I'm new to this, but am reading a book on it without messing around too much, so the info is all loose in my head.)
-
July 24th, 2007, 08:46 AM
#5
Not with the corporate routers that the OP is using as the subject of the tutorial - they don't ship with a default password set, they ship with no telnet/SSH password set, but will not allow anyone to access them by these means until a password is in place.
It is possible to use a blank password, but the router still needs to be configured to accept connections with no password set - configuring this is almost the same process as configuring a password, which is why you very, very rarely find a corporate grade Cisco router with a blank RA password.
-
July 24th, 2007, 01:15 PM
#6
I remember a while back I read an article about routers that, when under a heavy load or DoS, would maintain functionality at all costs but would drop security. I don't think it was for Cisco routers specifically, but routers in general; any ideas about that, Nokia, as I've had little experience with Cisco routers in an actual production environment?
...:::Pure Kn0wledge:::...
-
July 24th, 2007, 01:33 PM
#7
You may be thinking about switches; one of the earliest attacks against a switched network was to flood the switch with ARP responses. This would overwrite its MAC table, and at the same time the clients would obviously be sending 'real' ARP responses; eventually the switch would be flooded to such an extent that it would turn into a hub and hence lose all the security a switch brings to a network.
This was easily patched by vendors and is not very common anymore - attackers have to use targeted ARP poisoning to circumvent a switch in most modern-ish networks.
I have never heard of a router being flooded and losing some of its security functionality, if anything a router would start dropping packets before it lets unsolicited ones through. At least to my knowledge anyway.
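The switch behaviour described in the reply above (a MAC table saturated with bogus entries, after which the switch floods frames it can no longer forward to a learned port) is easy to see in a small model. The block below is an added example, not from the original thread; the port count, table size, aging timer (measured here in frames seen rather than seconds) and the MAC addresses are arbitrary modelling assumptions, not any vendor's figures.

```python
"""Toy model of a switch CAM (MAC address) table, showing the fail-open
behaviour described in the thread: once the table is full of bogus
entries, frames for hosts the switch can no longer learn are flooded out
every port, so the attacker's port sees them as if the switch were a hub.

Added example, not from the original thread. Port count, table size and
the aging timer (in frames seen, not seconds) are modelling assumptions."""
import random


class ToySwitch:
    def __init__(self, ports=8, table_size=64, aging=300):
        self.ports = ports
        self.table_size = table_size
        self.aging = aging
        self.now = 0
        self.cam = {}            # MAC -> (port, tick last seen)
        self.flooded = 0
        self.unicast = 0

    def forward(self, src_mac, dst_mac, in_port):
        """Process one frame; return the set of egress ports."""
        self.now += 1
        stale = [m for m, (_, seen) in self.cam.items()
                 if self.now - seen > self.aging]
        for m in stale:
            del self.cam[m]
        # Learn the source only if it is already known or a slot is free:
        # a full table refuses new entries, it does not evict old ones.
        if src_mac in self.cam or len(self.cam) < self.table_size:
            self.cam[src_mac] = (in_port, self.now)
        entry = self.cam.get(dst_mac)
        if entry is not None:
            self.unicast += 1
            return {entry[0]}
        self.flooded += 1
        return {p for p in range(self.ports) if p != in_port}


def random_mac(rng):
    return ":".join(f"{rng.randrange(256):02x}" for _ in range(6))


def mac_flood_demo(bogus_frames=400, seed=1):
    """Constructed scenario: victims on ports 1 and 2, attacker on port 0."""
    rng = random.Random(seed)
    sw = ToySwitch()
    a, b = "00:00:00:00:00:0a", "00:00:00:00:00:0b"
    sw.forward(a, b, 1)              # b not learned yet: flooded
    sw.forward(b, a, 2)              # a known: unicast to port 1
    before = sw.forward(a, b, 1)     # both known: unicast to port 2 only
    # Attacker keeps the table saturated with never-repeating source MACs.
    for _ in range(bogus_frames):
        sw.forward(random_mac(rng), "ff:ff:ff:ff:ff:ff", 0)
    # The victims' entries have aged out and cannot be re-learned, so their
    # traffic is now flooded to every port, the attacker's included.
    after = sw.forward(a, b, 1)
    return {
        "before": before,
        "after": after,
        "attacker_sees_victim_traffic": 0 in after,
        "victims_in_table": a in sw.cam or b in sw.cam,
        "table_entries": len(sw.cam),
    }


if __name__ == "__main__":
    print(mac_flood_demo())
```

The model makes one choice explicit that the prose glosses over: the switch does not overwrite good entries with bad ones, it simply has no room to re-learn a legitimate host once that host's entry ages out while the attacker keeps the table full. Port security limits on learned addresses per port are the usual fix for exactly this, which is the patching the reply refers to.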
-
July 24th, 2007, 01:42 PM
#8
There are two ways equipment can 'fail'. The one you're describing is usually found on switches and is called "fail open". The other is used on firewalls et al. and is called "fail close".
Oliver's Law:
Experience is something you don't get until just after you need it.
-
July 24th, 2007, 03:30 PM
#9
Originally Posted by Nokia
You may be thinking about switches; one of the earliest attacks against a switched network was to flood the switch with ARP responses. This would overwrite its MAC table, and at the same time the clients would obviously be sending 'real' ARP responses; eventually the switch would be flooded to such an extent that it would turn into a hub and hence lose all the security a switch brings to a network.
This was easily patched by vendors and is not very common anymore - attackers have to use targeted ARP poisoning to circumvent a switch in most modern-ish networks.
I have never heard of a router being flooded and losing some of its security functionality, if anything a router would start dropping packets before it lets unsolicited ones through. At least to my knowledge anyway.
I've seen cases where, under either high system load or reduced free memory (i.e. buggy release + memory leaks + extended uptime), things like ACLs will no longer be processed and various commands will fail (like sh run); however, the router will still pass traffic... It's been fairly rare, but I have seen it happen...
There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.
(Merovingian - Matrix Reloaded)
-
July 24th, 2007, 03:41 PM
#10
I didn't know that - learn something everyday, cheers Neb.
//Was this on old equipment or new?