Jul 28, 2010

Easy Pinpoint method to crack a Cisco IOS password

Many administrators don't realize how easily someone could crack a Cisco IOS password. In fact, it's quite a simple process. Let's examine the different types of Cisco passwords and discuss how you can ensure they stay secret.
To begin, keep in mind that I'm not trying to teach anyone how to become a cracker. Rather, I believe it's important that administrators understand this process so they can better protect their routers' administrative passwords.
There are three types of Cisco passwords: clear-text passwords, type 7 encryption, and type 5 encryption. Let's take a look at the pros and cons of each.

Clear-text passwords

It should go without saying that clear-text passwords are completely insecure. Basically, if someone can view your router's configuration, then he or she can also see the password since it has no encryption at all. In other words, clear-text passwords offer almost no benefits.

Type 7 encryption

Type 7 encrypted passwords are weak, and it can be surprisingly easy to crack them. In fact, one could accomplish this using a six-line Perl script. (You can find this script and directions on the Tech FAQ Web site.)
In addition, Windows-based programs are available that allow you to enter an encrypted type 7 password, and the program will immediately return the clear-text password. (SolarWinds sells a password decryptor for this purpose.)
Finally, you can find a Java applet on the Web that decrypts Cisco passwords, and you can download an offline version for your own use.

Type 5 encryption

Encrypted with the MD5 algorithm, type 5 passwords are the most secure of the three. There is currently no known method for decrypting a type 5 password.
The only way to crack a type 5 password is by initiating a brute-force or dictionary attack. In addition, programs are available to do this on the Web. To learn how to protect your systems from such an attack, check out this article, "Protect your router from a dictionary DoS attack."

Protecting your passwords

With the exception of a brute-force or dictionary attack, all of these password-cracking methods rely on someone first gaining access to your router's configuration file. Of course, this becomes less likely when the configuration is stored only on the router and administrator privileges are required to view it.
However, that doesn't mean it can't happen. Here are some possible scenarios:
  •  Like a good administrator, you back up your configuration files to a TFTP server. However, the configuration file directory has NTFS or shared permissions for either everyone or all authenticated users. If someone can access the configuration file, he or she could easily decode a type 7 password and then gain access to the real router.
  •  Like some organizations, you provide a username and password to support personnel that has read-only access to the configuration file. However, if someone has permission to read the file, he or she could easily decode a type 7 password.
The almost foolproof way to gain access to a router's configuration file is from the console. If someone can access the router's console, he or she can also view the configuration file and—of course—perform password recovery. This is why physical security for routers is so important.

Locking down access with commands

Cisco has an IOS command called no service password-recovery. This command prevents anyone with console access from accessing the router configuration and clearing the password. (For documentation of this command, check out Cisco's Web site.)
In addition, you should always use the enable secret command rather than the enable password command. The enable password command uses the weaker type 7 encryption, whereas the enable secret command uses the stronger type 5 encryption.
Cisco also has the service password-encryption command. But even with this command, all other passwords on the router remain encrypted with only the weaker type 7 encryption. To encrypt any username passwords, use the command username secret instead of the normal username command. (For more information, see Cisco's documentation for this command.)

Lock down routers with these summarized steps

In summary, to protect your routers, take the following steps:
  •  Whenever possible, always use type 5 encryption, using commands such as enable secret and username secret.
  •  Whenever storing your router's configuration somewhere off the router itself, take steps to protect access to the configuration by setting the proper permissions.
  •  Use as much physical security as reasonably possible to protect access to the router's console.
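The three summary steps above can be checked mechanically against a saved configuration. The script below is an added example (not code from the post): it scans a running-config for the weak forms the post describes (clear-text passwords, type 7 passwords, enable password instead of enable secret, and a missing no service password-recovery) and reports where they occur. The sample configuration it runs on is constructed for the example, and the type 5 hash in it is a placeholder, not a real digest.

```python
import re

# Constructed sample running-config excerpt (not taken from a real device).
# The type 5 hash is a placeholder, not a real MD5 digest.
SAMPLE_CONFIG = """\
!
service password-encryption
!
hostname LAB-RTR
!
enable password 7 0822455D0A16
!
username support password 7 094F471A1A0A
username admin secret 5 $1$xyzw$PLACEHOLDERHASHxxxxxxxxxx
!
line vty 0 4
 password cisco123
 login
!
"""

# Finding keys and the reason each one matters.
FINDINGS = {
    "clear_text": "clear-text password (type 0): anyone who can read the config can read it",
    "type7": "type 7 password: reversible, treat it as clear text",
    "enable_password": "'enable password' used: prefer 'enable secret' (type 5)",
    "password_recovery": "'no service password-recovery' not set: console access allows password recovery",
}


def audit_config(text):
    """Return a list of (line_no, finding_key, line) for weak password handling.
    line_no 0 marks a finding about the configuration as a whole."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        # 'password 7 <hex>' on enable, username or line commands
        if re.search(r"\bpassword 7 \S+", line):
            findings.append((no, "type7", line))
        # 'password <value>' or 'password 0 <value>' with no type 5/7 marker: clear text
        elif re.search(r"\bpassword (0 )?(?![57] )\S+", line):
            findings.append((no, "clear_text", line))
        if line.startswith("enable password"):
            findings.append((no, "enable_password", line))
    if "no service password-recovery" not in text:
        findings.append((0, "password_recovery", ""))
    return findings


def report(text):
    """Human-readable audit report, one line per finding."""
    return [f"line {no}: {FINDINGS[key]}" + (f"  [{line}]" if line else "")
            for no, key, line in audit_config(text)]


if __name__ == "__main__":
    for entry in report(SAMPLE_CONFIG):
        print(entry)
```

Note that service password-encryption is present in the sample and still leaves two type 7 passwords, which is exactly the point the post makes: only enable secret and username secret produce type 5 hashes.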

Jun 21, 2010

Capture a Port on Cisco Switches using SPAN

SPANs on Cisco Switches

Believe me, Cisco’s SPAN may be exactly what you were looking for. So let’s see what it is.
The switched port analyzer (SPAN) is a mechanism on Cisco switches that allows you to take traffic on one port and copy it to another.  It’s generally used to get traffic to a sniffer or IDS for analysis, but it’s a great tool to use to sample traffic from a host for troubleshooting.
Let’s use a real-world example. You suspect that somebody is downloading songs or some other restricted content over your office’s internet connection, and you want to CONFIRM that he is really downloading that stuff before taking appropriate action. This is an example scenario where SPAN can help you. You can use a SPAN to copy his traffic to another switch interface (for example, your own PC’s port on that Cisco switch) where you have already installed sniffer software.
Let’s say you have a 2950, and that suspicious person is on port F0/1 of your switch. You have your own PC plugged into F0/24, ready to capture the traffic. Here’s what you do. In global config mode, enter:

Switch(config)#monitor session 1 source interface F0/1 both
Switch(config)#monitor session 1 destination interface F0/24

This creates a new monitor session (that is, a SPAN session) that copies traffic from port F0/1 in both directions (both downloads and uploads) to port F0/24. Now, when you run tcpdump on your Linux box or another sniffer on your PC, you see all the traffic entering and leaving that person’s port.
That’s pretty easy, right? You can have multiple source ports by adding more source lines or using port ranges. You can also copy only received or only transmitted traffic from a source. Check the contextual help for more details.
To see what’s going on, you can do a show monitor or a show monitor session 1 (depending on the IOS version).  You’ll see something like this.
switch#sh monitor
Session 1
---------
Type              : Local Session
Source Ports      :
    Both          : Fa0/1
Destination Ports : Fa0/24
    Encapsulation : Native
          Ingress : Disabled
If you take a look at the destination port when the SPAN is running, you’ll see it’s in a state of up/down (monitoring).  I think you can figure out that this means we’re monitoring some traffic to this port.  Here’s what you’ll see if you look at the port.
switch#sh int f0/24
FastEthernet0/24 is up, line protocol is down (monitoring)
...
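A capture is only as good as the session feeding it, so it is worth checking that the running SPAN session mirrors exactly the ports you intended and nothing else. The parser below is an added example (not code from the post): it turns show monitor output into a structure and compares it with the intended source and destination ports. The sample output is constructed for the example and extends the post's session with an RX-only source; the "RX Only" / "TX Only" labels are assumed to follow the same layout as the "Both" line shown above.

```python
# Constructed sample 'show monitor' output (not captured from a real switch).
SHOW_MONITOR = """\
Session 1
---------
Type              : Local Session
Source Ports      :
    Both          : Fa0/1
    RX Only       : Fa0/2
Destination Ports : Fa0/24
    Encapsulation : Native
          Ingress : Disabled
"""


def parse_show_monitor(text):
    """Parse 'show monitor' output into
    {session_id: {"type": str, "sources": {port: direction}, "destinations": [ports]}}."""
    sessions = {}
    current = None
    in_sources = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Session "):
            current = {"type": "", "sources": {}, "destinations": []}
            sessions[int(line.split()[1])] = current
            in_sources = False
            continue
        # skip blank lines, the dashed underline and anything before the first session
        if current is None or not line or set(line) == {"-"}:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Type":
            current["type"] = value
        elif key == "Source Ports":
            in_sources = True
        elif key == "Destination Ports":
            in_sources = False
            current["destinations"] = [p.strip() for p in value.split(",") if p.strip()]
        elif in_sources and key in ("Both", "RX Only", "TX Only"):
            for port in value.split(","):
                current["sources"][port.strip()] = key
    return sessions


def span_matches(sessions, session_id, expected_sources, expected_destination):
    """True when the session mirrors exactly the intended source ports (with their
    directions) to exactly the intended destination port."""
    s = sessions.get(session_id)
    if s is None:
        return False
    return s["sources"] == expected_sources and s["destinations"] == [expected_destination]


if __name__ == "__main__":
    sessions = parse_show_monitor(SHOW_MONITOR)
    print(sessions)
    print(span_matches(sessions, 1, {"Fa0/1": "Both", "Fa0/2": "RX Only"}, "Fa0/24"))
```

The exact-match comparison is deliberate: an extra source port left over from an earlier troubleshooting session means you are capturing someone else's traffic as well, which matters for the ethics point below.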
There are two big things to keep in mind when doing SPANs.  The first is that monitoring a port can drive CPU utilization way up (depending on the platform and traffic volume), so you may run into problems if you have a bunch of SPANs going at the same time.  Related to this is the fact that, if your switch has to decide between switching and copying traffic, it will stop copying until there’s enough CPU headroom to do that safely, and you’ll lose packets in the meantime.  It’s a switch — not a copier.
The second thing to keep in mind involves those little voices in your head called ethics.  What if you see a VOIP phone call from your boss to the HR department?  How about if you find someone in upper management copying a spreadsheet of people to be fired tomorrow?  How about if you find an engineer’s telnet password to a key system?  These are things that you probably shouldn’t see, so be careful when looking at the packets.  I would suggest you tell someone in your security team when you’re going to do a packet capture, to make sure someone knows you’re not up to no good.

Jun 18, 2010

Easy Pinpoint method to Protect your router from a dictionary DoS attack

You may not realize it, but a dictionary denial of service (DoS) attack on Telnet, SSH, or HTTP ports could hit your Cisco router. In fact, I bet most network administrators have at least one, if not more, of these ports open for router management.
Of course, having these ports open to a public network is much more dangerous than leaving them open on a private network. But either way, you need to do whatever you can to protect your routers from a dictionary DoS attack, which attackers could use to gain access to your router or simply create a service outage on your network.
Thanks to login enhancements in IOS 12.3(4)T and later, you can provide your routers with additional protection. These new login enhancements offer the following benefits:
  •  Create delays between successive login attempts.
  •  Disallow login if there are too many failed login attempts.
  •  Create messages in the system log or send SNMP traps that alert/record additional information about the failed and disallowed logins.
How do you know whether your router contains the appropriate code? The simplest way to find out is to go to global configuration mode and enter "login ?". This returns a list of choices, as shown below:
block-for     Set quiet-mode active time period
delay         Set delay between successive fail login
on-failure    Set options for failed login attempt
on-success    Set options for successful login attempt
quiet-mode    Set quiet-mode options
If you don't have this code in your IOS, it will return an "Unrecognized command" error.
If you don't have the feature, use the Cisco IOS Feature Navigator to find the code for your router that has this feature. (Look for Cisco IOS Login Enhancements.) You can also use this tool to search for other features that you need. Keep in mind that a Cisco maintenance contract is necessary to download IOS code and access the Feature Navigator.
The only command required to configure the most basic form of these features is the login block-for command. Once you've enabled this command, there's a default login delay of one second. The system will deny all logins for a specified number of seconds if the maximum number of tries occurs within the time you indicate.
In global configuration mode, execute the following:
login block-for <seconds> attempts <tries> within <seconds>
Here's an example:
login block-for 120 attempts 5 within 60
This command configures the system to deny all logins to the router if there are five failed login attempts within 60 seconds. Then, if you enter show login, you'll receive the following output:
A default login delay of 1 second is applied.
No Quiet-Mode access list has been configured.

Router enabled to watch for login attacks.
If more than 5 login failures occur in 60 seconds or less,
logins will be disabled for 120 seconds.

Router presently in Normal-Mode.
Current Watch Window remaining time 54 seconds.
Present login failure count 0.
This shows you the setting you've configured, including the default login delay of one second, along with additional information. It also tells you that the router is in Normal Mode, which means that the router is currently allowing logins.
The router goes into Quiet Mode when it believes something has attacked it, and it begins denying all logins. You can also configure an ACL that will serve as an exclusion list of hosts/networks that the router will allow, regardless of whether it's in Quiet Mode.
Here are some options to configure some of these other commands:
  •  login delay <seconds>: Set the number of seconds of delay between failed logins. You can choose from one to 10 seconds.
  •  login on-failure and login on-success: Choose the type of logging/SNMP alerts generated for failed and successful logins.
  •  login quiet-mode access-class <acl>: Specify the ACL number that defines an exclusion list of hosts/networks allowed to log in to the router, regardless of whether the router is in Quiet or Normal Mode.
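To see how the watch window, Quiet Mode and the exclusion ACL fit together, here is a small model of the behaviour described above. It is an added example written for this post, not IOS code or output: it assumes a fixed watch window that opens at the first failed login and resets when it expires, and it does not model the default one-second delay between attempts. The hosts and timestamps are constructed.

```python
class LoginGuard:
    """Simplified model of 'login block-for <block> attempts <n> within <window>'
    plus a quiet-mode exclusion list. Assumptions of this example, not IOS source:
    the watch window opens at the first failure and the counter resets when it
    expires; the default one-second login delay is not modelled."""

    def __init__(self, block_for, attempts, within, excluded=()):
        self.block_for = block_for      # seconds to stay in Quiet-Mode
        self.attempts = attempts        # failures that trigger Quiet-Mode
        self.within = within            # length of the watch window in seconds
        self.excluded = set(excluded)   # hosts allowed even in Quiet-Mode (quiet-mode access-class)
        self.window_start = None        # start time of the current watch window
        self.failures = 0               # failures seen in the current watch window
        self.quiet_until = None         # end of the current Quiet-Mode period

    def mode(self, now):
        """'Quiet-Mode' while logins are being denied, otherwise 'Normal-Mode'."""
        if self.quiet_until is not None and now < self.quiet_until:
            return "Quiet-Mode"
        self.quiet_until = None
        return "Normal-Mode"

    def attempt(self, now, src, success):
        """Process one login attempt. Return True if the router lets it through to
        authentication, False if Quiet-Mode drops it before authentication."""
        if self.mode(now) == "Quiet-Mode" and src not in self.excluded:
            return False
        if success:
            return True
        # Failed login: open a new watch window if none is active or it has expired.
        if self.window_start is None or now - self.window_start > self.within:
            self.window_start, self.failures = now, 0
        self.failures += 1
        if self.failures >= self.attempts:
            self.quiet_until = now + self.block_for
            self.window_start, self.failures = None, 0
        return True

    def status(self, now):
        """Roughly what 'show login' reports: mode, failure count, watch-window time left."""
        expired = self.window_start is None or now - self.window_start > self.within
        return {
            "mode": self.mode(now),
            "failures": 0 if expired else self.failures,
            "watch_window_remaining": 0 if expired else self.within - (now - self.window_start),
        }


if __name__ == "__main__":
    # login block-for 120 attempts 5 within 60, with one management host excluded
    guard = LoginGuard(120, 5, 60, excluded={"10.0.0.5"})
    for t in range(10, 15):                       # five failures in five seconds
        guard.attempt(t, "203.0.113.9", False)
    print(guard.status(15))                       # Quiet-Mode
    print(guard.attempt(20, "203.0.113.9", True)) # False: dropped
    print(guard.attempt(20, "10.0.0.5", True))    # True: excluded host still gets in
```

The exclusion list is what keeps a dictionary attack from turning into a lockout of your own management stations: without it, an attacker who keeps the router in Quiet Mode has also denied you access.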
In general, I suggest enabling login block-for on all routers for security purposes. These new features will help better secure your routers.
And while you're at it--if you haven't already--consider enabling only SSH on your routers and only allowing access to that from the internal network. SSH encrypts all traffic between a PC and a router (including usernames and passwords).
For the complete command reference on these new features, check out the Cisco IOS Login Enhancements Documentation.

May 29, 2010

OSPF Basic Config

Easy Pinpoint OSPF configurations on Cisco Routers
OSPF, as we all know, is one of the most widely used IGPs today. Knowing how to configure OSPF is very important for any network engineer. Below are the steps for configuring OSPF in your network.
NOTE:  Before starting OSPF configuration on your router, you must have at least one "UP" and active interface.
A major part of OSPF routing configuration in Cisco IOS is specifying the interfaces on which you want to run OSPF and the OSPF areas to which these interfaces belong. IOS gives you two configuration mechanisms:
  1. The first mechanism is the "network" command within the OSPF routing process configuration. The "network" command lets you specify an ACL-like filter that can match multiple interfaces with a single statement, significantly reducing configuration complexity.
        Router# configure terminal
        Router(config)# router ospf [process-id]
        Router(config-router)# network [ip-address] [wildcard-mask] area [area]
     EXAMPLE:
        Router# configure terminal
        Router(config)# router ospf 555
        Router(config-router)# network 10.0.0.0 0.255.255.255 area 0
  2. The easiest, but less well known, method is the interface-mode command that enables OSPF directly on an interface. Its syntax is:
        Router# configure terminal
        Router(config)# interface [interface-type] [interface-number]
        Router(config-if)# ip ospf [process-id] area [area-id]
     EXAMPLE:
        Router# configure terminal
        Router(config)# interface serial 1/0
        Router(config-if)# ip ospf 555 area 0
Both methods accomplish exactly the same task, i.e. enabling OSPF on Serial 1/0 with OSPF process-id 555 (before using the "network" command, Serial 1/0 must already have an IP address within the 10.0.0.0 network range).
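The "ACL-like filter" in the network command is a wildcard mask: a 0 bit must match the given network address, a 1 bit is ignored. The code below is an added example (not from the post) that implements that matching and applies a list of network statements to a set of interfaces, so you can predict which interfaces a given configuration will enable OSPF on before committing it. It goes slightly beyond the post by handling non-contiguous wildcards and overlapping statements; the rule that the statement with the fewest don't-care bits wins is an assumption made for this example, not a claim about how IOS orders network statements. Interface names and addresses are constructed.

```python
import ipaddress


def as_int(ip):
    """IPv4 dotted-quad string to integer."""
    return int(ipaddress.IPv4Address(ip))


def network_matches(ip, network, wildcard):
    """True when 'network <network> <wildcard> area ...' covers address ip.
    A 0 bit in the wildcard must match the network address; a 1 bit is don't-care."""
    care = 0xFFFFFFFF ^ as_int(wildcard)
    return (as_int(ip) & care) == (as_int(network) & care)


def ospf_enabled_interfaces(interfaces, network_statements):
    """interfaces: {name: ip}; network_statements: [(network, wildcard, area)].
    Returns {name: area} for every interface some statement covers. When several
    statements cover one interface, the one with the fewest don't-care bits wins
    (an assumption for this example, not a statement about IOS ordering rules)."""
    result = {}
    for name, ip in interfaces.items():
        best = None
        for network, wildcard, area in network_statements:
            if network_matches(ip, network, wildcard):
                dont_care_bits = bin(as_int(wildcard)).count("1")
                if best is None or dont_care_bits < best[0]:
                    best = (dont_care_bits, area)
        if best is not None:
            result[name] = best[1]
    return result


# Constructed example (not from the post): the post's statement plus a host-specific one.
INTERFACES = {"Serial1/0": "10.1.1.1", "FastEthernet0/0": "192.168.1.1", "Loopback0": "10.255.255.1"}
STATEMENTS = [("10.0.0.0", "0.255.255.255", 0), ("10.255.255.1", "0.0.0.0", 1)]

if __name__ == "__main__":
    print(ospf_enabled_interfaces(INTERFACES, STATEMENTS))
```

The host-specific statement (wildcard 0.0.0.0) is the usual way to put a single interface into a different area without restructuring the broader statement.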
Other useful OSPF commands are explained in next post. Hope it helped.

Feb 12, 2010

Enabling Static Routing on Cisco Devices

Easy Static Routing configuration on Cisco Router / Switches

Static routing occurs when you manually add routes in each router’s routing table. The advantages of static routing are mentioned below:

1) It puts no overhead on the router CPU (dynamic routing protocols, e.g. OSPF, EIGRP, RIP, are CPU intensive).
2) There is no bandwidth usage between routers for routing management traffic (as there is for "Routing Updates" in dynamic routing protocols).
3) It adds security because the administrator can choose to allow routing access to certain networks only and can define a specific path for specific traffic.

But Static routing also has the following disadvantages:
1) The administrator must really understand the internetwork and how each router is connected in order to configure routes correctly (more responsibility on administrator).
2) If a single network is added to the internetwork, the administrator has to add a route to it on all routers by hand (this can be a lengthy job if you have many routers in your network).
3) If one network or next-hop has gone down, you will have to manually edit the routing entries in all affected routers.

The command syntax for configuring a static route in a Cisco router’s routing table is:

Router#configure terminal
Router(config)#ip route [destination_network] [destination_mask] [next-hop_address | exit_interface]


An example of configuring a static route is mentioned below:

Router#configure terminal
Router(config)#ip route 10.0.0.0 255.0.0.0 15.0.0.2

where 10.0.0.0 255.0.0.0 is the destination network and mask, and 15.0.0.2 is the next-hop address of the far-end router.
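Disadvantage 1 above (the administrator must understand the internetwork) is where static routes usually go wrong: a next hop that is not reachable through a connected interface, or a route that is shadowed by a more specific one. The code below is an added example (not from the post) that builds a small routing table from connected interfaces and ip route-style entries, resolves a destination by longest-prefix match, and flags static routes whose next hop is not on any connected subnet. The topology is constructed around the post's 15.0.0.2 next hop.

```python
import ipaddress

# Constructed example topology (not from the post): two connected subnets and three
# static routes written as (destination_network, destination_mask, next_hop),
# mirroring the 'ip route' syntax above.
CONNECTED = {"Serial0/0": "15.0.0.1/30", "FastEthernet0/0": "192.168.10.1/24"}
STATIC_ROUTES = [
    ("10.0.0.0", "255.0.0.0", "15.0.0.2"),
    ("172.16.0.0", "255.255.0.0", "192.168.10.254"),
    ("0.0.0.0", "0.0.0.0", "15.0.0.2"),          # default route
]


def next_hop_interface(next_hop, connected):
    """Name of the interface whose subnet contains next_hop, or None when the router
    has no directly connected path to it (the route would need recursive resolution)."""
    nh = ipaddress.ip_address(next_hop)
    for name, cidr in connected.items():
        if nh in ipaddress.ip_interface(cidr).network:
            return name
    return None


def build_table(connected, static_routes):
    """Routing table as a list of (network, via, kind). 'via' is an interface name
    for connected routes and a next-hop address for static ones."""
    table = [(ipaddress.ip_interface(c).network, name, "connected") for name, c in connected.items()]
    for dest, mask, nh in static_routes:
        # ipaddress accepts 'network/netmask' notation, so the IOS mask can be used as-is
        table.append((ipaddress.ip_network(f"{dest}/{mask}"), nh, "static"))
    return table


def lookup(table, destination):
    """Longest-prefix match: the most specific matching route wins."""
    dst = ipaddress.ip_address(destination)
    best = None
    for net, via, kind in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via, kind)
    return best


def unresolvable_routes(static_routes, connected):
    """Static routes whose next hop lies on no connected subnet."""
    return [r for r in static_routes if next_hop_interface(r[2], connected) is None]


if __name__ == "__main__":
    table = build_table(CONNECTED, STATIC_ROUTES)
    for dst in ("10.5.5.5", "192.168.10.7", "8.8.8.8"):
        print(dst, "->", lookup(table, dst))
    print("unresolvable:", unresolvable_routes(STATIC_ROUTES, CONNECTED))
```

Running the unresolvable check against every router's static routes before a change is a cheap way to catch the disadvantage 3 case, where a next hop quietly disappears.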


How OSPF Router ID is selected?

OSPF Router ID selection algorithm

Every OSPF process running in Cisco IOS requires a router ID that is unique across the router. An IP address of an active interface is commonly used as the OSPF router ID; you can also use the router-id router configuration command to set it explicitly, so that the OSPF router ID does not change even when interface IP addresses change.
OSPF router ID should not be changed after the OSPF process has been started. OSPF router ID change resets all OSPF adjacencies, resulting in temporary router outage. The router also has to originate new copies of all its LSAs with the new router ID. Stale copies of the LSAs originated by the “old” OSPF process remain in the OSPF topology databases of all routers until they expire (their age increases beyond max-age).

Router ID selection algorithm

If the router-id is specified in the OSPF configuration, the specified IP address is used. If the IP address configured with the router-id command overlaps with the router ID of another already active OSPF process, the router-id command fails.
If OSPF router ID was not set with the router-id configuration command (router-id command was not used in the OSPF configuration or there was a router ID overlap with another OSPF process), OSPF uses an interface IP address as its router ID.
The following algorithm is used to select an interface IP address as the OSPF router ID:
  • IP addresses of all applicable loopback interfaces are collected. Addresses already used as the OSPF router ID of other OSPF processes are removed. If any addresses are left, the highest IP address is used as the OSPF router ID. (Applicable interfaces are operational interfaces, i.e. line protocol is up, in the same IP routing table as the OSPF process.)
  • If the OSPF router ID has not been selected in the first step, IP addresses of all other applicable interfaces are collected. OSPF router IDs of active OSPF processes are removed from the list and the highest IP address is used.
  • If the router was still not able to select an OSPF router ID, an error message is logged and the OSPF process does not start.
An OSPF process that failed to select a router ID retries the selection process every time an IP address becomes available (an applicable interface changes its state to up or an IP address is configured on an applicable interface).
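The selection order above is easy to get wrong when reasoning by hand, in particular the "highest IP address" step, which compares addresses numerically rather than as strings. The function below is an added example (not from the post) that implements the algorithm as described: configured router-id first (unless it collides with another process), then the highest free address on an up loopback, then the highest free address on any other up interface, otherwise no ID. Interface names and addresses are constructed.

```python
import ipaddress


def as_int(ip):
    """IPv4 dotted-quad string to integer, so 'highest address' compares numerically."""
    return int(ipaddress.IPv4Address(ip))


def select_router_id(configured, loopbacks, other_interfaces, ids_in_use):
    """Router ID selection as described in the post.
    configured:       address from the router-id command, or None.
    loopbacks, other_interfaces: lists of (name, ip, line_protocol_up).
    ids_in_use:       router IDs already taken by other active OSPF processes.
    Returns the selected ID, or None when no ID could be selected (the process
    logs an error and does not start)."""
    if configured is not None and configured not in ids_in_use:
        return configured
    # A configured ID that overlaps another process makes the router-id command
    # fail, so the interface-based selection runs in that case as well.

    def highest_free(interfaces):
        candidates = [ip for _, ip, up in interfaces if up and ip not in ids_in_use]
        return max(candidates, key=as_int) if candidates else None

    rid = highest_free(loopbacks)
    if rid is None:
        rid = highest_free(other_interfaces)
    return rid


if __name__ == "__main__":
    # Constructed interfaces: note 10.1.1.1 is numerically higher than 9.255.255.255
    loopbacks = [("Loopback0", "9.255.255.255", True),
                 ("Loopback1", "10.1.1.1", True),
                 ("Loopback2", "172.16.0.1", False)]      # down, so not applicable
    physical = [("FastEthernet0/0", "192.168.1.1", True)]
    print(select_router_id(None, loopbacks, physical, set()))            # 10.1.1.1
    print(select_router_id(None, loopbacks, physical, {"10.1.1.1"}))     # 9.255.255.255
    print(select_router_id("1.1.1.1", loopbacks, physical, {"1.1.1.1"})) # 10.1.1.1
```

Pinning the ID with router-id (the first branch) is the recommended practice precisely because the interface-based fallback depends on which loopbacks happen to be up and which addresses other processes have already claimed.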

Changing the OSPF router ID

Once an OSPF router ID is selected, it is not changed even if the interface that was used to select it changes its operational state or its IP address. Earlier IOS releases changed the OSPF router ID when the underlying interface state changed, resulting in unnecessary network instabilities.
To change the OSPF router ID, you have to reset the OSPF process with the clear ip ospf process command (even when the new router ID was requested with the router-id router configuration command).

Feb 3, 2010

AN EXCELLENT CISCO IOS COMMAND


I just found an amazing Cisco IOS command that I should have learned years ago. This IOS command is very handy, especially when making lengthy configurations on a large number of routers.

The command works as a macro: it assigns a "keyword" (which can be a single letter) to a lengthy IOS command. It is issued from global config mode, and its syntax is:

          Router(config)# alias [config mode] [your keyword] [complete command]


where,
 config mode: The mode from which the keyword will be issued. This can be EXEC, CONFIG, INTERFACE mode, etc.
 your keyword: The keyword that you want to use in place of the lengthy command.
 complete command: The complete command that the router will substitute for the keyword.



Example 1: To assign the keyword "SII" to the command "Show Ip Interface" (which is entered in EXEC mode), use the following command:



          Router(config)# alias exec SII Show Ip Interface

          Now, when the keyword "SII" is typed in EXEC mode (# prompt), the router treats it as if the complete command "Show Ip Interface" were entered.


Example 2: To assign the keyword "NS" to the command "No Shut" for enabling an interface, use:

         Router(config)# alias interface NS No Shut


         After that, whenever the keyword NS is entered in any interface configuration mode, it is treated as if the complete command "No Shutdown" were entered.


          As a general guideline, I am also showing some of the most commonly used aliases. Just paste them into the global config mode of your router / switch.

          Router(config)# alias configure sir show ip route
          Router(config)# alias configure siib show ip interface brief
          Router(config)# alias exec sir show ip route
          Router(config)# alias exec siib show ip interface brief
          Router(config)# alias exec s sh run
          Router(config)# alias exec c conf t
          Router(config)# alias exec map show frame map
          Router(config)# alias exec pvc show frame pvc
          Router(config)# alias interface ns no shutdown
          Router(config)# alias interface sa switchport mode access
          Router(config)# alias exec w write memory