Wednesday, February 28, 2007
Monday, February 26, 2007
Don'ts for Cisco router p1
Just compiled a list of services I check when I audit a Cisco router. Of course, there are lots more, but for now I will just provide the basics. Enjoy, and email me if there are any questions.
no cdp enable (Disable CDP. It is susceptible to spoofing and DoS. Need Proof of Concept? Email me)
no ip unreachables (Disables ICMP unreachable messages)
no ip source-route (Disables source routing)
no service finger (Disables the finger daemon on the router. Finger has always been a problem source; it lets attackers know who is logged in and provides the user's real username)
no service udp-small-servers (Disables the small UDP services on your router (echo, chargen, discard and some others))
no service tcp-small-servers (Same as udp-small-servers)
no snmp-server (Disable SNMP if not in use. SNMP gives away lots of juicy info when it is enumerated, especially with a default or guessable community string)
no ip http server (Disable the built-in HTTP server of the Cisco device)
no service config (Disables the loading of remote config files over the network at boot)
no ip bootp server (Disables the bootp server)
no tftp-server (Only enable this if you absolutely need the service, else disable it)
no ip directed-broadcast (Directed broadcasts let the router act as an amplifier for smurf attacks)
no ip proxy-arp (Disable proxy-arp to prevent extending a LAN to multiple segments)
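Below is an added example (my own code, not from the original post) that audits a saved "show running-config" capture against the list above: each global service is rated hardened, ENABLED or not set, and the four interface-level settings are checked under every interface. The check table, the regexes and the sample config are constructed for this example.

```python
import re
# Global services from the list above, each mapped to a regex that matches a
# running-config line showing the service is enabled.
GLOBAL_CHECKS = {
    "ip source-route": r"^ip source-route$",
    "service finger": r"^(service|ip) finger$",
    "service udp-small-servers": r"^service udp-small-servers$",
    "service tcp-small-servers": r"^service tcp-small-servers$",
    "snmp-server": r"^snmp-server (community|host) ",
    "ip http server": r"^ip http server$",
    "service config": r"^service config$",
    "ip bootp server": r"^ip bootp server$",
    "tftp-server": r"^tftp-server ",
}
# Per-interface settings; IOS shows these as "no ..." lines under each interface.
INTERFACE_CHECKS = ("cdp enable", "ip unreachables", "ip directed-broadcast", "ip proxy-arp")

def audit_config(text):
    """Rate each check 'hardened', 'ENABLED' or 'not set' (IOS default applies: verify it)."""
    global_lines, interfaces, current = [], {}, None
    for line in (l.rstrip() for l in text.splitlines()):
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())  # indented: belongs to the interface
        else:
            current = None  # "!" or any other global line ends the interface block
            if line and not line.startswith("!"):
                global_lines.append(line)
    report = {"global": {}, "interfaces": {}}
    for check, enabled_re in GLOBAL_CHECKS.items():
        enabled = any(re.match(enabled_re, l) for l in global_lines)
        report["global"][check] = ("hardened" if f"no {check}" in global_lines
                                   else "ENABLED" if enabled else "not set")
    for name, lines in interfaces.items():
        report["interfaces"][name] = {c: "hardened" if f"no {c}" in lines else "not set"
                                      for c in INTERFACE_CHECKS}
    return report

# Constructed sample running-config, not captured from a real device.
SAMPLE = """service tcp-small-servers
no service finger
ip http server
interface FastEthernet0/0
 no ip proxy-arp
 no ip unreachables
!
snmp-server community public RO
"""
```

Items rated "not set" fall back to the IOS default for that release (for example, tcp-small-servers is off by default on modern IOS but CDP and proxy-arp are on), so confirm them on the device rather than assuming either way.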
Saturday, February 24, 2007
Cisco Street Commands p1
Basic Cisco IOS Router Management
[ To save the current running configuration to the startup configuration in NVRAM, issue
cisco#copy running-config startup-config
Alternatively, you can also issue
cisco#write memory
The router's configuration information is stored in a device called the Nonvolatile RAM (NVRAM), and the IOS images are stored in a device called the flash. It's important to keep these names straight because all flash memory is nonvolatile RAM. Most routers use Flash technology for their nonvolatile RAM. So it's easy to get confused by the terms. ]
[ To load a configuration file from a TFTP server into the running configuration
cisco#copy tftp://192.168.1.1/myconfig running-config
This will load the configuration file myconfig from TFTP server 192.168.1.1 into the running-config of the router. Note that copying into running-config merges the file's commands with the current configuration rather than replacing it. ]
[ To back up a copy of your router's config file to a TFTP server
If you are using a Unix system, please follow the steps below
1. touch /tftpboot/configfilefolder (create an empty destination file; most tftpd implementations will only write to a file that already exists)
2. chmod 666 /tftpboot/configfilefolder (make the file writable so the TFTP daemon can write into it)
3. telnet or ssh into the router
4. enter enable mode
5. cisco#copy running-config tftp://192.168.1.1/configfilefolder
TFTP has no authentication or encryption, and the saved file contains the router's passwords and SNMP community strings, so tighten its permissions (for example chmod 600) as soon as the copy completes. ]
[ To store a configuration file larger than NVRAM, you can compress your router's configuration file before saving it to NVRAM, which lets you save more configuration information. The command service compress-config compresses the configuration when the router saves the file and uncompresses it when it is needed
cisco#configure t
cisco(config)#service compress-config
cisco(config)#end
Turning on compression roughly doubles the size of the configuration file you can store. You have to put the command service compress-config into the configuration with a configure terminal. Then, for this command to take effect, you need to copy the running configuration file to NVRAM.
cisco#copy running-config startup-config
Issue the show version command to check how much total NVRAM storage is available on the router. ]
[ To reset the router to factory default state
cisco#erase nvram:
cisco#reload
or
cisco#erase startup-config
cisco#reload
Issue the show startup-config command to check the settings. At this point, the router's configuration has been returned to the factory defaults. ]
[ To download a new IOS version into the router's flash memory
cisco#copy tftp://192.168.1.1/newFlashImage.bin flash:
Once the router has verified the checksum, reboot it as follows:
cisco#reload
Use the show version command to see the new settings.
Make sure that the router has available free space in the flash before loading the new IOS image. You can use the show flash command to see how much flash memory is available. ]
[ To specify which IOS image the router should load next time it reboots, use the boot system command
cisco#configure terminal
cisco(config)#boot system flash:image1.bin
cisco(config)#boot system flash:image2.bin
cisco(config)#boot system slot0:image3.bin (PCMCIA flash card in slot0)
cisco(config)#boot system rom (Load the image from ROM)
cisco(config)#end
The router tries the boot system entries in the order they appear in the configuration. To list the boot system commands currently configured, issue:
cisco#show running-config | include ^boot ]
[ You can partition a router's flash memory by issuing:
cisco#configure terminal
cisco(config)#partition slot1: 2 8 8
cisco(config)#end ]
[ You can configure your router to act as a TFTP server, restricted to the clients permitted by access-list 23, by issuing the following commands:
cisco#configure terminal
cisco(config)#access-list 23 permit 192.168.1.0 0.0.0.255
cisco(config)#access-list 23 deny any
cisco(config)#tftp-server flash:image1.bin 23
cisco(config)#end
The ability to use a router as a TFTP server can be quite useful. We have often used this feature to upgrade several routers that are separated from the TFTP server by slow WAN connections. In situations like this, you can upgrade one of the remote routers by using TFTP over the slow WAN connection. Then you can configure the first router to act as a TFTP server, and use it to upgrade the remaining routers over high-speed local links. ]
[ Using FTP from the router
cisco#configure terminal
cisco(config)#ip ftp username cisco
cisco(config)#ip ftp password cisco123
cisco(config)#end
cisco#copy ftp: running-config ]
[ To reload the router with minimal service interruption, enable warm reload by issuing the following commands:
cisco#configure terminal
cisco(config)#warm-reboot
cisco(config)#end
To view the configuration status of the warm reboot feature
cisco#show warm-reboot
To perform a manual warm reboot of the router
cisco#reload warm ]
[ To prevent multiple users from making configuration changes at the same time, enable the exclusive configuration lock
cisco#configure terminal
cisco(config)#configuration mode exclusive auto
cisco(config)#end
Show the status of the configuration lock by issuing the following command
cisco#show configuration lock ]
Friday, February 23, 2007
Cisco Headquarters
Cisco Headquarters. This blog will incorporate most of the core technology and their respective IOS commands to get the job done. I dedicate this blog to anyone who never had a chance to go to university, yet is hardworking and continues to strive.
My First Post
My first official post. I am not going to write exploits or post vulnerabilities on this blog. Instead, I am going to post Cisco IOS commands that are frequently used to perform tasks. This will save network administrators the hassle of reading loads and loads of bulky documents. At times, I will also post free books, and all of you can send a request to my email to receive a copy. I will try my best to keep this blog updated with new commands and topics. Feel free to give comments.
Let's take network security to the streets....