Monday, February 26, 2007

Don'ts for Cisco router p1

Just compiled a list of services I check when I audit a Cisco router. Of course, there are lots more, but for now I will just provide the basics. Enjoy, and email me if there are any questions.

no cdp enable (Disable CDP. It is susceptible to spoofing and DoS. Need a proof of concept? Email me)

no ip unreachables (Disables ICMP unreachable messages)

no ip source-route (Disables source routing)

no service finger (Disables the finger daemon on the router. Finger has always been a problem source: it tells an attacker who is logged in and reveals the users' real usernames)

no service udp-small-servers (Disables the small UDP services on your router (echo, chargen and others))

no service tcp-small-servers (Same as above, for the small TCP services)

no snmp-server (Disable SNMP if it is not in use. SNMP gives away a lot of juicy information when it is enumerated)

no ip http server (Disables the built-in HTTP web server of the Cisco device)

no service config (Disables the loading of remote config files)

no ip bootp server (Disables the bootp server)

no tftp-server (Only enable this if you absolutely need the service; otherwise disable it)

no ip directed-broadcast (Directed broadcasts allow smurf amplification attacks)

no ip proxy-arp (Disable proxy ARP so the router does not silently extend a LAN across multiple segments)
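The list above is what you would type into the router; when auditing, the practical question is which of those items are still missing from a config you have been handed. Below is an added example, not from the original post, of a small Python checker that reads the text of `show running-config` and reports each item as ENABLED (a finding), disabled (the `no` form is present), or default (neither form is written, so the platform default applies). The last state matters because IOS only writes non-default settings to the running-config: `no cdp enable`, `no ip unreachables` and `no ip proxy-arp` are per-interface commands, while `no cdp run` turns CDP off globally, and on releases that support it `show running-config all` prints the defaults so the "default" entries can be resolved. The sample configuration, interface names and addresses are constructed for this example.

```python
"""Audit a Cisco IOS running-config against the hardening list above.

Added example, not from the original post. States returned per item:
  "ENABLED"  - the enabling form is written in the config (finding)
  "disabled" - the `no` form is written in the config
  "default"  - neither form is written; verify with `show running-config all`
"""
import re

# Global-mode checks: name -> (enabled form, disabled form).
GLOBAL_CHECKS = {
    "cdp run":                   (r"^cdp run$",                   r"^no cdp run$"),
    "ip source-route":           (r"^ip source-route$",           r"^no ip source-route$"),
    "service finger":            (r"^(service|ip) finger$",       r"^no (service|ip) finger$"),
    "service udp-small-servers": (r"^service udp-small-servers$", r"^no service udp-small-servers$"),
    "service tcp-small-servers": (r"^service tcp-small-servers$", r"^no service tcp-small-servers$"),
    "snmp-server":               (r"^snmp-server (community|host|user|group)\b", r"^no snmp-server$"),
    "ip http server":            (r"^ip http server$",            r"^no ip http server$"),
    "service config":            (r"^service config$",            r"^no service config$"),
    "ip bootp server":           (r"^ip bootp server$",           r"^no ip bootp server$"),
    "tftp-server":               (r"^tftp-server\b",              r"^no tftp-server\b"),
}

# Interface-mode checks, same shape, evaluated once per interface stanza.
INTERFACE_CHECKS = {
    "cdp enable":            (r"^cdp enable$",            r"^no cdp enable$"),
    "ip unreachables":       (r"^ip unreachables$",       r"^no ip unreachables$"),
    "ip directed-broadcast": (r"^ip directed-broadcast$", r"^no ip directed-broadcast$"),
    "ip proxy-arp":          (r"^ip proxy-arp$",          r"^no ip proxy-arp$"),
}

# Constructed sample config (not from a real device): some items hardened,
# some left enabled, some not mentioned at all.
SAMPLE_CONFIG = """\
!
version 12.3
service timestamps log datetime msec
service config
hostname edge-router
!
ip http server
ip source-route
snmp-server community public RO
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 no ip proxy-arp
 no cdp enable
!
interface FastEthernet0/1
 ip address 198.51.100.1 255.255.255.0
 ip directed-broadcast
!
no ip bootp server
no service finger
no cdp run
!
end
"""


def split_config(text):
    """Return (global_lines, {interface_name: [lines]}).

    An interface stanza is the `interface X` line plus the following lines,
    which IOS indents with one space; '!' or any top-level line ends it.
    """
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        if raw.startswith("interface "):
            current = raw.split(" ", 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None
            if raw.strip() and not raw.startswith("!"):
                global_lines.append(raw.strip())
    return global_lines, interfaces


def classify(lines, enabled_re, disabled_re):
    """An explicit `no` form wins, then an explicit enabled form, else default."""
    if any(re.match(disabled_re, line) for line in lines):
        return "disabled"
    if any(re.match(enabled_re, line) for line in lines):
        return "ENABLED"
    return "default"


def audit(text):
    """Return {check: state}; interface checks are keyed 'check@interface'."""
    global_lines, interfaces = split_config(text)
    results = {name: classify(global_lines, en, dis)
               for name, (en, dis) in GLOBAL_CHECKS.items()}
    for ifname, lines in interfaces.items():
        for name, (en, dis) in INTERFACE_CHECKS.items():
            state = classify(lines, en, dis)
            # A global `no cdp run` makes the per-interface CDP setting moot.
            if name == "cdp enable" and results["cdp run"] == "disabled":
                state = "disabled (global no cdp run)"
            results[f"{name}@{ifname}"] = state
    return results


def findings(text):
    """Sorted names of the checks that are ENABLED, i.e. the items to fix."""
    return sorted(k for k, v in audit(text).items() if v == "ENABLED")


if __name__ == "__main__":
    for name, state in audit(SAMPLE_CONFIG).items():
        print(f"{state:<28} {name}")
```

Run against a saved config with `audit(open("router.cfg").read())`; the "default" rows are the ones to confirm on the device rather than assume, since whether a hidden default is on or off depends on the IOS release and platform.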

8 comments:

Anonymous said...

Hi, I understand the vulnerabilities for no cdp run. But if the router is not facing the internet, would you consider it high risk too? We do maintain cdp run so that we can do a discovery and see if there are any rogue systems plugged in, as in unknown/unauthorised systems. Are there workarounds without the use of cdp?

I would like your comment on syslog levels too. Syslog 4 or 5? 5 consumes a lot of space, but it may have info that is useful for the audit trail and forensics. The standard is level 6, I believe, but it is unnecessary.

Anonymous said...

Well, cdp v1 is considered high risk to me if I were to set up a router. CDP is known to DoS attack and I had tested it before. As for a workaround, try CDP v2. Personally, I had not tested it, but you can give it a try.

For syslog, I personally use 6 or 7. But if you would prefer to use 4 or 5, and if you think it consumes a lot of space, make sure there is constant monitoring of space and archiving is performed.

Hackathology

Anonymous said...

I forgot to add something for cdp. I know it is not facing the internet, but if I compromise your external router, I can know who your neighbors are by issuing show cdp neighbors. Refer to my previous post for the images; I managed to hack the routers and firewall, and what if I issue those commands?

Hackathology

Anonymous said...

Agree that if it is compromised.

But cdp neighbours is a command needed by my network guys. Is there another way they can discover without using cdp? The issues with cdp have long been documented, and company policy does call for it to be turned off. But the impact of turning it off affects their work.

I have to measure up the risk against the functionality of it to decide if it should be approved or not.

As for syslogging, it is not about monitoring. These are monitored for sure; however, the decision not to log at a certain level means that if there is a need to do forensics or a security audit due to an incident, the information may not be complete due to lack of details in the log.

Anonymous said...

Unfortunately, I don't know any other commands other than cdp. You can try show ip route, but you need to figure it out manually.

Hackathology
