Good job Chuck.  This is exactly what we all need to keep things fresh.

Tell me, what functionality does one need to implement that kind of
lock-down control of a Cisco router? Are you using some kind of RADIUS or
TACACS+ software, or the built-in features of the 12.X IOS?

Keep up the good work.


----- Original Message -----
From: Chuck Larrieu <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Sunday, August 06, 2000 5:41 PM
Subject: Follies Answers


> Thanks everyone for joining in. Hope you all had fun.
>
> The first thing all of you who telnetted in found is that show version did
> not work for some reason ;->
> One of my points is that there are alternatives to finding information. And
> there are ways to find a lot of things through indirection, even in locked
> down production environments, even when one has only limited privileges in a
> router.
>
> The only commands I permitted were:
>
> Router_1>?
> Exec commands:
>   <1-99>   Session number to resume
>   disable  Turn off privileged commands
>   exit     Exit from the EXEC
>   help     Description of the interactive help system
>   logout   Exit from the EXEC
>   show     Show running system information
>
> Router_1>
>
> Of the show commands, the only ones I permitted were:
>
> Router_1>show ?
>   cdp          CDP information
>   flash:       display information about flash: file system
>   frame-relay  Frame-Relay information
>   ip           IP information
>   ipx          Novell IPX information
>   protocols    Active network routing protocols
>   sscop        SSCOP
>
> Router_1>
>
> Also, I want to thank a number of you who took this as an opportunity to
> share some experience and to offer a lesson or two yourselves. For example,
> a couple of you did port scans on my router and reported to me what you
> found. You also repeated the process and reported after I re-applied the
> access-list. The differences between the two findings were interesting to
> me, and taught me a little bit more about security.
>
> Here are my answers, and the commands I used to find them:
>
>
> 1) what version of IOS is running?
>
> 12.1.2   show flash   There is a bit of indirection here. The show flash
> command gives the image in flash. The IOS version is contained within the
> name of the image. c2500-jos56i-l.121-2.bin  121-2= 12.1.2
>
> 2) What is the name of the IOS image?
>
> c2500-jos56i-l.121-2.bin  show flash
>
> 3) What routing protocols are running?
>
> Eigrp and ipx rip  show protocols reveals that ip and ipx routing are
> enabled. Show ip route reveals eigrp and static routes. Show ipx route
> reveals ipx rip routing. Another bit of indirection.
>
> 4) Are there any other routers connected? If so, on what ports?
>
> One router revealed by show cdp neighbor. It is connected through serial 0.
> If this were a Cisco certification test, or one of the Boson practice tests,
> you would also be expected to infer that there was another Cisco router in
> the mix acting as a frame relay switch. But I'm not as sneaky as some people
> :->
>
> 5) If there are other routers connected, what IOS versions are they running?
>
> 12.1.2 - same as the initial router. Show cdp neighbor detail
>
> What are the names of the flash images on those routers, if there are
> routers?
>
> Same as the first router - c2500-jos56i-l.121-2.bin show cdp neighbor detail
>
> 6) Provide every detail you can about any WAN protocols running
>
> This is inferred based on the show commands available to you.
> Frame relay, DLCI 300
> Not a lot more you can determine, based on what you are allowed to see.
> Show frame-relay pvc
>
> 7) What is the privilege level password?
>
> Hard to tell, seeing as you can't get to privilege level, and you can't do a
> show run command.
>
> 8) What model number router are you telnetted into?
>
> 2500. show protocol  this command reveals what interfaces are on the device.
> In my case, you saw an ethernet port and two serial ports. This bit of
> indirection, in that you are only able to infer based on what you see. This
> is of limited use with modular routers. One might also infer that if the
> connected router is a 2500, as revealed by the show cdp neighbor command,
> then it is likely that the first router is one as well. 2500s are probably
> the most common members of any home lab set up. :->
>
> 9) What model number routers are connected, if there are any connected?
>
> 2500 ( 2501 )  show cdp neighbor
>
> 10) Who played the Cisco Kid? (  extra credit - how did you find that
> answer? )
>
> Router_1>sh cdp neighbor detail
> -------------------------
> Device ID: DuncanReynaldoPlayedCiscoKid
>
> Sorry - I couldn't resist :->
>
>
> 11) Extra Extra credit - identify all security enabled on the router
>
> Again, a bit of indirection here. The fact that there are very limited
> commands available should point to some kind of privilege level limitations.
> In general, telnet sessions received a privilege level below normal, using
> the privilege level command. At that point those commands I wished to make
> available I did so explicitly, using the privilege exec level commands. This
> is in line with good security practice, which calls for denying everything
> not specifically permitted by policy.
>
> Chuck
>
> P.S. if there is interest, I would like to do more of these kinds of things.
> Maybe put together some training sessions using the Cisco chat room as the
> means of communicating. Any thoughts?
>
>
>
> ___________________________________
> UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html
> FAQ, list archives, and subscription info: http://www.groupstudy.com
> Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
>
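The vty lock-down Chuck describes in answer 11 (telnet sessions dropped to a below-normal privilege level, then each permitted show keyword moved down explicitly), written out as an added IOS configuration example that is not from the original post. The vty access-class, the 192.0.2.0/24 lab network and the placeholder passwords are assumptions; the show keywords are the ones in the listing above.

```cisco
! Added example, not Chuck's running config: assumed IOS 12.x syntax.
! Telnet sessions land at privilege level 0, which by default exposes
! only disable, enable, exit, help and logout.
line vty 0 4
 privilege level 0
 login
 password LAB-PASSWORD-PLACEHOLDER
 ! assumed: only the lab network may reach the vty lines at all
 access-class 10 in
!
access-list 10 permit 192.0.2.0 0.0.0.255
!
! Permit each show keyword at level 0 explicitly; anything not listed
! (show version, show running-config, ...) stays denied. Moving a
! subcommand to level 0 also makes the bare "show" keyword available.
privilege exec level 0 show cdp
privilege exec level 0 show flash:
privilege exec level 0 show frame-relay
privilege exec level 0 show ip
privilege exec level 0 show ipx
privilege exec level 0 show protocols
privilege exec level 0 show sscop
!
! Privileged EXEC (level 15) stays behind a separate enable secret,
! so the vty password alone never reaches show run.
enable secret ENABLE-SECRET-PLACEHOLDER
```

Note that show cdp neighbor detail still discloses the neighbour's platform and image name, which is why the indirection in answers 5, 8 and 9 works; restricting CDP on untrusted interfaces is a separate decision from the privilege-level lock-down.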
