Thanks everyone for joining in. Hope you all had fun.
The first thing all of you who telnetted in found is that show version did
not work for some reason ;->
One of my points is that there are alternatives to finding information. And
there are ways to find a lot of things through indirection, even in locked
down production environments, even when one has only limited privileges in a
router.
The only commands I permitted were:
Router_1>?
Exec commands:
  <1-99>   Session number to resume
  disable  Turn off privileged commands
  exit     Exit from the EXEC
  help     Description of the interactive help system
  logout   Exit from the EXEC
  show     Show running system information
Router_1>
Of the show commands, the only ones I permitted were:
Router_1>show ?
  cdp          CDP information
  flash:       display information about flash: file system
  frame-relay  Frame-Relay information
  ip           IP information
  ipx          Novell IPX information
  protocols    Active network routing protocols
  sscop        SSCOP
Router_1>
Also, I want to thank a number of you who took this as an opportunity to
share some experience and to offer a lesson or two yourselves. For example,
a couple of you did port scans on my router and reported to me what you
found. You also repeated the process and reported after I re-applied the
access-list. The differences between the two findings were interesting to
me, and taught me a little bit more about security.
Here are my answers, and the commands I used to find them:
1) What version of IOS is running?
12.1.2 (show flash). There is a bit of indirection here. The show flash
command gives the image in flash. The IOS version is contained within the
name of the image: c2500-jos56i-l.121-2.bin, where 121-2 = 12.1.2.
2) What is the name of the IOS image?
c2500-jos56i-l.121-2.bin (show flash)
3) What routing protocols are running?
EIGRP and IPX RIP. show protocols reveals that ip and ipx routing are
enabled. show ip route reveals eigrp and static routes. show ipx route
reveals ipx rip routing. Another bit of indirection.
4) Are there any other routers connected? If so, on what ports?
One router revealed by show cdp neighbor. It is connected through serial 0.
If this were a Cisco certification test, or one of the Boson practice tests,
you would also be expected to infer that there was another Cisco router in
the mix acting as a frame relay switch. But I'm not as sneaky as some people
:->
5) If there are other routers connected, what IOS versions are they running?
12.1.2 - same as the initial router (show cdp neighbor detail).
What are the names of the flash images on those routers, if there are
routers?
Same as the first router - c2500-jos56i-l.121-2.bin (show cdp neighbor detail).
6) Provide every detail you can about any WAN protocols running
This is inferred based on the show commands available to you.
Frame relay, DLCI 300 (show frame-relay pvc).
Not a lot more you can determine, based on what you are allowed to see.
7) What is the privilege level password?
Hard to tell, seeing as you can't get to privilege level, and you can't do a
show run command.
8) What model number router are you telnetted into?
2500 (show protocol). This command reveals what interfaces are on the device.
In my case, you saw an ethernet port and two serial ports. This is a bit of
indirection, in that you are only able to infer based on what you see. This
is of limited use with modular routers. One might also infer that if the
connected router is a 2500, as revealed by the show cdp neighbor command,
then it is likely that the first router is one as well. 2500's are probably
the most common members of any home lab set up. :->
9) What model number routers are connected, if there are any connected?
2500 (2501) (show cdp neighbor)
10) Who played the Cisco Kid? ( extra credit - how did you find that
answer? )
Router_1>sh cdp neighbor detail
-------------------------
Device ID: DuncanReynaldoPlayedCiscoKid
Sorry - I couldn't resist :->
11) Extra Extra credit - identify all security enabled on the router
Again, a bit of indirection here. The fact that there are very limited
commands available should point to some kind of privilege level limitations.
In general, telnet sessions received a privilege level below normal, using
the privilege level command. At that point, those commands I wished to make
available I made available explicitly, using the privilege exec level
commands. This is in line with good security practice, which calls for
denying everything not specifically permitted by policy.
Chuck
P.S. If there is interest, I would like to do more of these kinds of things.
Maybe put together some training sessions using the Cisco chat room as the
means of communicating. Any thoughts?
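
The indirection in answer 1, as an added example that is not part of the original post: a Python sketch that recovers platform, feature set, and version from an image name seen in show flash output, which is a quick way to check what a restricted login still discloses. The function names and the sample show flash text are constructed for illustration, and the pattern only covers names shaped like the one in the post.

```python
import re

# Constructed sample of `show flash` output (sizes are made up); only the
# image name c2500-jos56i-l.121-2.bin comes from the post.
SHOW_FLASH = """\
System flash directory:
File  Length   Name/status
  1   16000000  c2500-jos56i-l.121-2.bin
[16000064 bytes used, 777152 available, 16777216 total]
"""

# Assumed layout, matching the name in the post:
#   <platform>-<featureset>-<format>.<major+minor>-<maintenance>[.<train>].bin
IMAGE_RE = re.compile(
    r"\b(?P<platform>c\d+[a-z0-9]*)-(?P<features>[a-z0-9]+)-(?P<fmt>[a-z]+)"
    r"\.(?P<mm>\d{3})-(?P<maint>\d+)(?:\.(?P<train>[A-Za-z0-9]+))?\.bin\b"
)


def parse_image_name(text):
    """Return what an image name discloses, or None if it does not match."""
    m = IMAGE_RE.search(text)
    if m is None:
        return None
    mm = m.group("mm")                     # "121" -> major 12, minor 1
    major, minor = int(mm[:2]), int(mm[2])
    maint = int(m.group("maint"))          # "2" -> maintenance release 2
    return {
        "image": m.group(0),
        "platform": m.group("platform"),
        "features": m.group("features"),
        "version": f"{major}.{minor}.{maint}",  # dotted form used in the post
        "train": m.group("train"),              # e.g. "T1", or None
    }


def images_in_show_flash(output):
    """Scan captured `show flash` text line by line for image names."""
    found = (parse_image_name(line) for line in output.splitlines())
    return [info for info in found if info is not None]


if __name__ == "__main__":
    for info in images_in_show_flash(SHOW_FLASH):
        print(info)
```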