I'm not sure I ever answered this. Sorry. Below

-----Original Message-----
From:   [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
whatshakin
Sent:   Sunday, August 06, 2000 8:51 PM
To:     [EMAIL PROTECTED]
Subject:        Re: Follies Answers

Good job Chuck.  This is exactly what we all need to keep things fresh.

Tell me, what functionality does one need to implement that kind of
lock-down control of a Cisco router? Are you using some kind of RADIUS or
TACACS+ software or the built-in features of the 12.X IOS?

CL: for this particular case, I used only the privilege exec functions of
the IOS. Telnet sessions were given a privilege level of 0:

line vty 0 4
 privilege level 0
 password whatever
 login

Then within the router configuration itself I specifically defined which
commands I would permit someone with level 0 privileges to see.  Any command
not defined by privilege exec level will not be permitted.

privilege exec level X WORD (command)

E.g. privilege exec level 0 show frame-relay lmi will permit the level 0
user to use the show frame-relay lmi command, but not the show frame-relay
pvc command.

In general, the privilege level of a user in the privileged exec mode
(enable mode) is 15, and the privilege level of the user mode is 1. One can
set up privilege levels based on user login name. And yes, these can be
augmented by TACACS or RADIUS.

This is one way in which a NOC, for example, can allow technicians to do
some things on a router but not others. I also recall reading someplace that
one can even configure privilege exec in such a manner that users with a
certain privilege level can enter the configuration mode and be permitted to
configure some things but not others. For example, ethernet interfaces, but
not serial interfaces or other functions. I have not had a chance to try
this yet.

http://www.cisco.com/univercd/cc/td/doc/product/software/ios112/112cg_cr/2cbook/2cauthen.htm
for more information (watch the wrap).

Keep up the good work.

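As an added example (not code from the thread, and not a Cisco tool), a small Python audit that reads the privilege exec level and line vty settings described above out of a constructed running-config excerpt, lists what a vty user at a given level may run, and flags lines without a login statement or sensitive commands lowered below level 15. The sample config, the SENSITIVE list and the default-level assumptions are mine.

```python
import re
# Constructed sample running-config, modelled on the lock-down described in the thread
# (vty sessions at privilege level 0, a few show commands granted explicitly).
SAMPLE_CONFIG = """\
privilege exec level 0 show frame-relay lmi
privilege exec level 0 show cdp neighbor detail
privilege exec level 5 show running-config
line vty 0 4
 privilege level 0
 password whatever
 login
line vty 5 15
 no login
"""
SENSITIVE = ("show running-config", "show startup-config", "configure terminal")  # disclose config/secrets

def parse_config(text):
    """Return (explicit command levels, line blocks with their level/login settings)."""
    exec_levels, blocks, block = {}, [], None
    for line in text.splitlines():
        m = re.match(r"privilege exec level (\d+) (.+)", line)
        if m:
            exec_levels[m.group(2).strip()] = int(m.group(1))
        elif line.startswith("line "):
            # Assumption: a line defaults to level 1 and has no login statement until one is seen.
            block = {"name": line[5:].strip(), "level": 1, "login": False}
            blocks.append(block)
        elif block is not None and line.startswith(" "):
            cmd = line.strip()
            if cmd.startswith("privilege level "):
                block["level"] = int(cmd.split()[-1])
            elif cmd == "login" or cmd.startswith("login "):
                block["login"] = True
    return exec_levels, blocks

def commands_for_level(exec_levels, level):
    """Explicitly granted commands usable at `level` (a level-N command is usable at N and up).
    Simplification: the parent keywords IOS lowers alongside a command are not modelled."""
    return sorted(c for c, n in exec_levels.items() if n <= level)

def audit(text):
    """Findings: lines without a login statement, and sensitive commands reachable below 15."""
    exec_levels, blocks = parse_config(text)
    findings = [f"{b['name']}: no login statement" for b in blocks if not b["login"]]
    for cmd, lvl in exec_levels.items():
        if cmd.startswith(SENSITIVE) and lvl < 15:
            findings.append(f"'{cmd}' lowered to level {lvl}")
    return findings
```

Run `audit(SAMPLE_CONFIG)` against a real running-config dump to get the same two classes of finding; the parser only understands the two statement types the thread discusses.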

----- Original Message -----
From: Chuck Larrieu <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Sunday, August 06, 2000 5:41 PM
Subject: Follies Answers


> Thanks everyone for joining in. Hope you all had fun.
>
> The first thing all of you who telnetted in found is that show version did
> not work for some reason ;->
> One of my points is that there are alternatives to finding information. And
> there are ways to find a lot of things through indirection, even in locked
> down production environments, even when one has only limited privileges in a
> router.
>
> The only commands I permitted were:
>
> Router_1>?
> Exec commands:
>   <1-99>   Session number to resume
>   disable  Turn off privileged commands
>   exit     Exit from the EXEC
>   help     Description of the interactive help system
>   logout   Exit from the EXEC
>   show     Show running system information
>
> Router_1>
>
> Of the show commands, the only ones I permitted were:
>
> Router_1>show ?
>   cdp          CDP information
>   flash:       display information about flash: file system
>   frame-relay  Frame-Relay information
>   ip           IP information
>   ipx          Novell IPX information
>   protocols    Active network routing protocols
>   sscop        SSCOP
>
> Router_1>
>
> Also, I want to thank a number of you who took this as an opportunity to
> share some experience and to offer a lesson or two yourselves. For example,
> a couple of you did port scans on my router and reported to me what you
> found. You also repeated the process and reported after I re-applied the
> access-list. The differences between the two findings were interesting to
> me, and taught me a little bit more about security.
>
> Here are my answers, and the commands I used to find them:
>
>
> 1) what version of IOS is running?
>
> 12.1.2   show flash   There is a bit of indirection here. The show flash
> command gives the image in flash. The IOS version is contained within the
> name of the image. c2500-jos56i-l.121-2.bin  121-2= 12.1.2
>
> 2) What is the name of the IOS image?
>
> c2500-jos56i-l.121-2.bin  show flash
>
> 3) What routing protocols are running?
>
> Eigrp and ipx rip  show protocols reveals that ip and ipx routing are
> enabled. Show ip route reveals eigrp and static routes. Show ipx route
> reveals ipx rip routing. Another bit of indirection.
>
> 4) Are there any other routers connected? If so, on what ports?
>
> One router revealed by show cdp neighbor. It is connected through serial 0.
> If this were a Cisco certification test, or one of the Boson practice tests,
> you would also be expected to infer that there was another Cisco router in
> the mix acting as a frame relay switch. But I'm not as sneaky as some people
> :->
>
> 5) If there are other routers connected, what IOS versions are they running?
>
> 12.1.2 - same as the initial router. Show cdp neighbor detail
>
> What are the names of the flash images on those routers, if there are
> routers?
>
> Same as the first router - c2500-jos56i-l.121-2.bin show cdp neighbor detail
>
> 6) Provide every detail you can about any WAN protocols running
>
> This is inferred based on the show commands available to you.
> Frame relay, DLCI 300
> Not a lot more you can determine, based on what you are allowed to see.
> Show frame-relay pvc
>
> 7) What is the privilege level password?
>
> Hard to tell, seeing as you can't get to privilege level, and you can't do a
> show run command.
>
> 8) What model number router are you telnetted into?
>
> 2500. show protocol  this command reveals what interfaces are on the device.
> In my case, you saw an ethernet port and two serial ports. This bit of
> indirection, in that you are only able to infer based on what you see. This
> is of limited use with modular routers. One might also infer that if the
> connected router is a 2500, as revealed by the show cdp neighbor command,
> then it is likely that the first router is one as well. 2500s are probably
> the most common members of any home lab setup. :->
>
> 9) What model number routers are connected, if there are any connected?
>
> 2500 ( 2501 )  show cdp neighbor
>
> 10) Who played the Cisco Kid? (  extra credit - how did you find that
> answer? )
>
> Router_1>sh cdp neighbor detail
> -------------------------
> Device ID: DuncanReynaldoPlayedCiscoKid
>
> Sorry - I couldn't resist :->
>
>
> 11) Extra Extra credit - identify all security enabled on the router
>
> Again, a bit of indirection here. The fact that there are very limited
> commands available should point to some kind of privilege level limitations.
> In general, telnet sessions received a privilege level below normal, using
> the privilege level command. At that point those commands I wished to make
> available I did so explicitly, using the privilege exec level commands. This
> is in line with good security practice, which calls for denying everything
> not specifically permitted by policy.
>
> Chuck
>
> P.S. if there is interest, I would like to do more of these kinds of things.
> Maybe put together some training sessions using the Cisco chat room as the
> means of communicating. Any thoughts?
>
>
>

___________________________________
UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html
FAQ, list archives, and subscription info: http://www.groupstudy.com
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]