Re: Remote Telnet access via dial-up
I still think it's funny how much folks have hyper-spazed on this thread. I think I've said it at least twice that only one telnet session is allowed into the MS Telnet Server. Further, I can see the IP that does connect, plus I'm talking to the Cisco engineer the whole time, and lastly, as soon as Cisco was done I disabled the account on my laptop. The routers weren't online in any other fashion. End of access remotely, end of story. Don't feel too secure with ssh either. How would Cisco get my public key securely? If I sent it to them, it'd be vulnerable to a man-in-the-middle attack. Unless you physically copy your public key to your box from your access server, someone could have snatched it on the wire and tossed you another, which they could easily talk to your spoofed ssh client with, and then relay the commands to the real ssh server with the public key it intercepted, and you'd never know it. I've got CDPD in my car. Slower than mud, especially for telnet. It's fine if I just need to pop in and check status on a router. The best method seems to be to ssh into my Linux box which I run screen on (allowed for multiple bash sessions to be kept active, even when I disconnect). I often have a few dozen screens open to customer sites and can easily pop on remotely even with CDPD's slowness to get status on something or make a minor change. The speed is only 14.4K, but it's really the latency that's horrid. 700-2000ms delay is pretty normal, if not more. It is nice for getting traffic status while on the road, but the following page takes 3-5 minutes to load (watch the wrap): http://www.mapquest.com/cgi-bin/traffic?from=indexevent=overviewlink=btwn/ twn-traffic_overviewtraffic_city=sfo:gcd:San+Francisco:CA:377750:-1224183u id=u18ah4oao6gcscze:bl14a0uwt Outlook Webaccess can take 10 minutes to load. But if you're bored and stuck in traffic, what else can you do? Heh. -- Jason Roysdon, CCNP+Security/CCDP, MCSE, CNA, Network+, A+ List email: [EMAIL PROTECTED] Homepage: http://jason.artoo.net/ Cisco resources: http://r2cisco.artoo.net/ "John Nemeth" [EMAIL PROTECTED] wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... On Jun 10, 11:13am, Priscilla Oppenheimer wrote: Yes. I would have the head of anybody that tried that stunt. At the very least, he should have been using ssh. However, even that would have been dicey. As far as the lack of an analogue phone line, that problem is easily solved (depending on your point of view) by using CDPD (Cellular D? Packet Data). I have a friend in Canada that has a CDPD modem in his laptop. The service is $50/month for unlimited usage from Telus Mobility. It doesn't matter where he is, his laptop is always on-line. Add an ethernet card in the second PCMCIA slot, and you've got a roaming router that could create a back door into any network. }-- End of excerpt from Priscilla Oppenheimer _ FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED] _ FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: Remote Telnet access via dial-up
On Jun 10, 11:13am, Priscilla Oppenheimer wrote: Yes. I would have the head of anybody that tried that stunt. At the very least, he should have been using ssh. However, even that would have been dicey. As far as the lack of an analogue phone line, that problem is easily solved (depending on your point of view) by using CDPD (Cellular D? Packet Data). I have a friend in Canada that has a CDPD modem in his laptop. The service is $50/month for unlimited usage from Telus Mobility. It doesn't matter where he is, his laptop is always on-line. Add an ethernet card in the second PCMCIA slot, and you've got a roaming router that could create a back door into any network. }-- End of excerpt from Priscilla Oppenheimer _ FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: Remote Telnet access via dial-up
Irregardless of the security implications this was still pretty cool. Thx for the information. it may come in handy one day. "John Nemeth" [EMAIL PROTECTED] wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... On Jun 10, 11:13am, Priscilla Oppenheimer wrote: Yes. I would have the head of anybody that tried that stunt. At the very least, he should have been using ssh. However, even that would have been dicey. As far as the lack of an analogue phone line, that problem is easily solved (depending on your point of view) by using CDPD (Cellular D? Packet Data). I have a friend in Canada that has a CDPD modem in his laptop. The service is $50/month for unlimited usage from Telus Mobility. It doesn't matter where he is, his laptop is always on-line. Add an ethernet card in the second PCMCIA slot, and you've got a roaming router that could create a back door into any network. }-- End of excerpt from Priscilla Oppenheimer _ FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED] _ FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: Remote Telnet access via dial-up
I have to agree... Security concerns (in my opinion) can get toned down (and from the original post it would seem to be a pretty small hole) when you have a business affecting issue... Allowing TAC engineers access to the equipment can dramatically lessen done time Like any other issue, there is always a trade off in security and convenience Unfortunately I've had many TAC cases involving IOS bugs that could not have been solved via normal "secure" methods... Bob Johnson -Original Message- From: James Haynes [mailto:[EMAIL PROTECTED]] Sent: Friday, January 19, 2001 9:07 AM To: [EMAIL PROTECTED] Subject: Re: Remote Telnet access via dial-up Irregardless of the security implications this was still pretty cool. Thx for the information. it may come in handy one day. "John Nemeth" [EMAIL PROTECTED] wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... On Jun 10, 11:13am, Priscilla Oppenheimer wrote: Yes. I would have the head of anybody that tried that stunt. At the very least, he should have been using ssh. However, even that would have been dicey. As far as the lack of an analogue phone line, that problem is easily solved (depending on your point of view) by using CDPD (Cellular D? Packet Data). I have a friend in Canada that has a CDPD modem in his laptop. The service is $50/month for unlimited usage from Telus Mobility. It doesn't matter where he is, his laptop is always on-line. Add an ethernet card in the second PCMCIA slot, and you've got a roaming router that could create a back door into any network. }-- End of excerpt from Priscilla Oppenheimer _ FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED] _ FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED] _ FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: [RE: Remote Telnet access via dial-up]
One must have sufficient knowledge to be shocked. [EMAIL PROTECTED] wrote: I recently spent quite a bit of time working with the TAC to solve a problem. Yes, they wanted to dial into the network to 'have a look'. When I asked what they were looking for, they couldn't tell me. I am well aware that, when tracking down a problem, it can be very useful to just 'have a look', without really knowing what you are looking for. I do it all the time :-) However, since they couldn't (or wouldn't) even give me any hints on what they expected to be doing, they didn't get access. I could send them log output etc via email and they received it quickly enough that we could work together over the phone (the speed of incoming mail to me was another issue altogether but not really a problem). In any case, I've done a fair bit of troubleshooting over the phone, sometimes with completely non-technical people running the 'hands on'. Slower than telnetting in yourself? Sure. But it works, and sometimes it's the only option. And it's VERY good practice for remembering commands and what output they produce ;-) JMcL -- Forwarded by Jenny Mcleod/NSO/CSDA on 19/01/2001 04:38 pm --- "Chuck Larrieu" [EMAIL PROTECTED]@groupstudy.com on 19/01/2001 12:39:45 pm Please respond to "Chuck Larrieu" [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] To: "Priscilla Oppenheimer" [EMAIL PROTECTED] [EMAIL PROTECTED] cc: Subject: RE: Remote Telnet access via dial-up Cisco TAC always wants to telnet in to troubleshoot when working a ticket. One alternative is to e-mail your configs to them, at which point maybe they will get back to you with some resolution in a time frame you can live with. Fact is that the internet makes things so damn convenient for us. Most time most people just don't consider the implications. While it may be true that some places have security policies, reasonable of otherwise, the fact is that most places don't, most managements don't want to be bothered, and most users don't want to be inconvenienced. Chuck BTW - nice to see you again, Priscilla. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Priscilla Oppenheimer Sent: Thursday, January 18, 2001 4:38 PM To: [EMAIL PROTECTED] Subject: Re: Remote Telnet access via dial-up At 11:11 AM 1/19/01, Tony van Ree wrote: Hi, As long as the appropriate security/passwords are set it is probably every bit as good as any other form of remote access. Remember that this wasn't CHAP or even PAP. It was Telnet. The Telnet password both to reach his PC and to reach the routers is unencrypted. How was the enable password sent? The characters were typed and sent unencrypted. Getting a Sniffer to the right place to catch this would be hard, but not impossible. Hopefully he will change the password used to reach his PC, but it's not likely he'll change the router VTY and enable passwords. So what did the Cisco engineers to when they Telnetted into this back door to configure the routers? Did they do show run by any chance? Yeah, I just got the complete configuration of the customer's routers. That is unencrypted also. And don't say, well it's Telnet so it's one character at a time which would make understanding it difficult. Responses in Telnet are not one character at a time. The output of show run would be send in TCP segments using the IP MTU. It would be very easy to understand. I don't think most customers would even let him do what he did. A lot of customers wouldn't have an analog phone line for him to use to dial up his ISP. Analog phone-line backdoors are an infamous no-no. I'd love to hear someone else's opinion too. Isn't anyone else as shocked as I am? Priscilla On Thursday, January 18, 2001 at 02:30:09 PM, Priscilla Oppenheimer wrote: Sounds like a helpful troubleshooting method but what were the security risks? Thoughts, anyone? Priscilla At 10:31 PM 1/17/01, J Roysdon wrote: Today I was a site w/o internet access, but I needed to get Cisco into it to save time relaying commands and information. I had a dial-up connection out to my ISP, and then thought about the built-in Telnet server that Windows 2000 Professional has. I made a quick guest account for Cisco, and told them my dial-up IP, which they could connect to, and then once telnetted into my workstation, they were able to telnet out my NIC to the routers they needs to get to. Only catch is that you can only have one session up through it (enough for us): Microsoft (R) Windows (TM) Version 5.00 (Build 2195) Welcome to Microsoft Telnet Service Telnet Server Build 5.00.99201.1 login: cisco password: * Microsoft Windows Workstation allows only 1 Telnet Client License Server has
Re: Remote Telnet access via dial-up
I'm sorry I misjudged you, J. ;-) The security expert I consulted got me started thinking along the paranoia lines. I am still amazed that Cisco would go against everything in their own security dogma and Telnet in via a backdoor, though. I agree with the person that said security and convenience are tradeoffs, but if you have to get in via a backdoor, I think you have a good idea that this customer considers security more important. Well, I'll let it drop now. Some people got the message at least. Priscilla At 09:51 PM 1/18/01, J Roysdon wrote: If I was a saboteur, I don't think I'd even bother with TAC, I'd just crack the passwords and have my way, heh. Also, 95% of my TAC calls are opened with new router serial numbers and my CCO username given to jump me right into talking to a TAC engineer. Plus, you don't even need a CCO login to get to the Password Recovery pages: http://www.cisco.com/warp/public/474/index.shtml We were troubleshooting cas-group commands and replacing an AdTran Atlas 550 that was acting as a CSU/DSU splitting off DS0's between a frame relay connection and trunks to a long distance carrier. Cisco couldn't get why the command wasn't functioning right and one of their engineers wanted to get in and do some diagnostics. I think Priscilla has been watching too many X-Files episodes ;-p -- Jason Roysdon, CCNP+Security/CCDP, MCSE, CNA, Network+, A+ List email: [EMAIL PROTECTED] Homepage: http://jason.artoo.net/ Cisco resources: http://r2cisco.artoo.net/ ""Kevin Wigle"" [EMAIL PROTECTED] wrote in message 00b601c081d0$985ebc60$[EMAIL PROTECTED]">news:00b601c081d0$985ebc60$[EMAIL PROTECTED]... I don't think its so fishy and I don't think Cisco could be faulted in any way. My reading is that the "guy" was working with Cisco on a problem. Therefore this "guy" must have some responsibility for the network. Cisco would have to think that this guy knows what he's doing since he has the wherewithal to get into the company's network and then get into routers to configure them. It depends I guess on how far your conspiracy feelings go, if the "guy" was bogus and had all the passwords etc, then how is Cisco to know? Doesn't TAC have to deal with a registered contact? Kevin Wigle - Original Message - From: "Priscilla Oppenheimer" [EMAIL PROTECTED] To: [EMAIL PROTECTED]; [EMAIL PROTECTED] Sent: Thursday, 18 January, 2001 22:51 Subject: Re: Remote Telnet access via dial-up At 07:32 PM 1/18/01, Erick B. wrote: I don't understand how companys can have main network equipment (routers, etc) accessible over the internet with telnet (and other mgmt services) running *with* no passwords or filters. I see it on a regular occurance. That is amazing. But in this case the company had a lot of security, it sounds like. It was not possible to get into the routers until this guy opened up a backdoor and let Cisco engineers Telnet in over a dial-up line connected to his PC. I can't believe Cisco engineers would thwart their customer's security policy in that way. I think the story sounds fishy. Priscilla --- Priscilla Oppenheimer [EMAIL PROTECTED] wrote: At 10:31 PM 1/17/01, J Roysdon wrote: Today I was a site w/o internet access, but I needed to get Cisco into it to save time relaying commands and information. I had a dial-up connection out to my ISP, and then thought about the built-in Telnet server that Windows 2000 Professional has. I made a quick guest account for Cisco, and told them my dial-up IP, which they could connect to, and then once telnetted into my workstation, they were able to telnet out my NIC to the routers they needs to get to. Only catch is that you can only have one session up through it (enough for us): Good thing! Can you imagine the issues if you had just opened up port 23 for the whole world? Good grief. I just asked a security expert at my company about this scenario and he took a sinister view. He wondered if the story was broadcast in order to incite damange. I don't think that's the case, but this message did come from the same guy that posted photographs of his site for some reason. See the message about patch panels. Priscilla __ Do You Yahoo!? Get email at your own domain with Yahoo! Mail. http://personal.mail.yahoo.com/ Priscilla Oppenheimer http://www.priscilla.com _ FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED] _ FAQ, list archiv
Re: Remote Telnet access via dial-up
Sounds like a helpful troubleshooting method but what were the security risks? Thoughts, anyone? Priscilla At 10:31 PM 1/17/01, J Roysdon wrote: Today I was a site w/o internet access, but I needed to get Cisco into it to save time relaying commands and information. I had a dial-up connection out to my ISP, and then thought about the built-in Telnet server that Windows 2000 Professional has. I made a quick guest account for Cisco, and told them my dial-up IP, which they could connect to, and then once telnetted into my workstation, they were able to telnet out my NIC to the routers they needs to get to. Only catch is that you can only have one session up through it (enough for us): Microsoft (R) Windows (TM) Version 5.00 (Build 2195) Welcome to Microsoft Telnet Service Telnet Server Build 5.00.99201.1 login: cisco password: * Microsoft Windows Workstation allows only 1 Telnet Client License Server has closed connection When they were done, I just disabled the Cisco account. Rather handy now that I have it. I've run into a lot of troubleshooting where it was a real pain not to have internet access for Cisco to get in (or I didn't control the customer's firewall, etc.). After a successful telnet: *=== Welcome to Microsoft Telnet Server. *=== C:\telnet 192.168.45.253 Connecting To 192.168.45.253... -- Jason Roysdon, CCNP/CCDP, MCSE, CNA, Network+, A+ List email: [EMAIL PROTECTED] Homepage: http://jason.artoo.net/ _ FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED] Priscilla Oppenheimer http://www.priscilla.com _ FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: Remote Telnet access via dial-up
Hi, As long as the appropriate security/passwords are set it is probably every bit as good as any other form of remote access. Certainly safer than one I just worked on a few minutes ago where they had a person log in locally and went to the # prompt with little extra effort. Teunis, Hobart, Tasmania Australia On Thursday, January 18, 2001 at 02:30:09 PM, Priscilla Oppenheimer wrote: Sounds like a helpful troubleshooting method but what were the security risks? Thoughts, anyone? Priscilla At 10:31 PM 1/17/01, J Roysdon wrote: Today I was a site w/o internet access, but I needed to get Cisco into it to save time relaying commands and information. I had a dial-up connection out to my ISP, and then thought about the built-in Telnet server that Windows 2000 Professional has. I made a quick guest account for Cisco, and told them my dial-up IP, which they could connect to, and then once telnetted into my workstation, they were able to telnet out my NIC to the routers they needs to get to. Only catch is that you can only have one session up through it (enough for us): Microsoft (R) Windows (TM) Version 5.00 (Build 2195) Welcome to Microsoft Telnet Service Telnet Server Build 5.00.99201.1 login: cisco password: * Microsoft Windows Workstation allows only 1 Telnet Client License Server has closed connection When they were done, I just disabled the Cisco account. Rather handy now that I have it. I've run into a lot of troubleshooting where it was a real pain not to have internet access for Cisco to get in (or I didn't control the customer's firewall, etc.). After a successful telnet: *=== Welcome to Microsoft Telnet Server. *=== C:\telnet 192.168.45.253 Connecting To 192.168.45.253... -- Jason Roysdon, CCNP/CCDP, MCSE, CNA, Network+, A+ List email: [EMAIL PROTECTED] Homepage: http://jason.artoo.net/ _ FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED] Priscilla Oppenheimer http://www.priscilla.com _ FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED] -- www.tasmail.com _ FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: Remote Telnet access via dial-up
My first thought when I read the mail was that while it is certainly a useful tip, I would want to be very clear on the site's security policy before doing this. If they are tight on security (which they may be if Internet access is not available), then opening up an unauthorised backdoor connection to the internal network, and inviting a third party to use it, could be a seriously career limiting move. JMcL -- Forwarded by Jenny Mcleod/NSO/CSDA on 19/01/2001 11:19 am --- Priscilla Oppenheimer [EMAIL PROTECTED]@groupstudy.com on 19/01/2001 09:30:09 am Please respond to Priscilla Oppenheimer [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] To: "J Roysdon" [EMAIL PROTECTED] [EMAIL PROTECTED] cc: Subject: Re: Remote Telnet access via dial-up Sounds like a helpful troubleshooting method but what were the security risks? Thoughts, anyone? Priscilla At 10:31 PM 1/17/01, J Roysdon wrote: Today I was a site w/o internet access, but I needed to get Cisco into it to save time relaying commands and information. I had a dial-up connection out to my ISP, and then thought about the built-in Telnet server that Windows 2000 Professional has. I made a quick guest account for Cisco, and told them my dial-up IP, which they could connect to, and then once telnetted into my workstation, they were able to telnet out my NIC to the routers they needs to get to. Only catch is that you can only have one session up through it (enough for us): Microsoft (R) Windows (TM) Version 5.00 (Build 2195) Welcome to Microsoft Telnet Service Telnet Server Build 5.00.99201.1 login: cisco password: * Microsoft Windows Workstation allows only 1 Telnet Client License Server has closed connection When they were done, I just disabled the Cisco account. Rather handy now that I have it. I've run into a lot of troubleshooting where it was a real pain not to have internet access for Cisco to get in (or I didn't control the customer's firewall, etc.). After a successful telnet: *=== Welcome to Microsoft Telnet Server. *=== C:\telnet 192.168.45.253 Connecting To 192.168.45.253... -- Jason Roysdon, CCNP/CCDP, MCSE, CNA, Network+, A+ List email: [EMAIL PROTECTED] Homepage: http://jason.artoo.net/ _ FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED] Priscilla Oppenheimer http://www.priscilla.com _ FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED] _ FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: Remote Telnet access via dial-up
At 11:11 AM 1/19/01, Tony van Ree wrote: Hi, As long as the appropriate security/passwords are set it is probably every bit as good as any other form of remote access. Remember that this wasn't CHAP or even PAP. It was Telnet. The Telnet password both to reach his PC and to reach the routers is unencrypted. How was the enable password sent? The characters were typed and sent unencrypted. Getting a Sniffer to the right place to catch this would be hard, but not impossible. Hopefully he will change the password used to reach his PC, but it's not likely he'll change the router VTY and enable passwords. So what did the Cisco engineers to when they Telnetted into this back door to configure the routers? Did they do show run by any chance? Yeah, I just got the complete configuration of the customer's routers. That is unencrypted also. And don't say, well it's Telnet so it's one character at a time which would make understanding it difficult. Responses in Telnet are not one character at a time. The output of show run would be send in TCP segments using the IP MTU. It would be very easy to understand. I don't think most customers would even let him do what he did. A lot of customers wouldn't have an analog phone line for him to use to dial up his ISP. Analog phone-line backdoors are an infamous no-no. I'd love to hear someone else's opinion too. Isn't anyone else as shocked as I am? Priscilla On Thursday, January 18, 2001 at 02:30:09 PM, Priscilla Oppenheimer wrote: Sounds like a helpful troubleshooting method but what were the security risks? Thoughts, anyone? Priscilla At 10:31 PM 1/17/01, J Roysdon wrote: Today I was a site w/o internet access, but I needed to get Cisco into it to save time relaying commands and information. I had a dial-up connection out to my ISP, and then thought about the built-in Telnet server that Windows 2000 Professional has. I made a quick guest account for Cisco, and told them my dial-up IP, which they could connect to, and then once telnetted into my workstation, they were able to telnet out my NIC to the routers they needs to get to. Only catch is that you can only have one session up through it (enough for us): Microsoft (R) Windows (TM) Version 5.00 (Build 2195) Welcome to Microsoft Telnet Service Telnet Server Build 5.00.99201.1 login: cisco password: * Microsoft Windows Workstation allows only 1 Telnet Client License Server has closed connection When they were done, I just disabled the Cisco account. Rather handy now that I have it. I've run into a lot of troubleshooting where it was a real pain not to have internet access for Cisco to get in (or I didn't control the customer's firewall, etc.). After a successful telnet: *=== Welcome to Microsoft Telnet Server. *=== C:\telnet 192.168.45.253 Connecting To 192.168.45.253... -- Jason Roysdon, CCNP/CCDP, MCSE, CNA, Network+, A+ List email: [EMAIL PROTECTED] Homepage: http://jason.artoo.net/ _ FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED] Priscilla Oppenheimer http://www.priscilla.com _ FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED] -- www.tasmail.com Priscilla Oppenheimer http://www.priscilla.com _ FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: Remote Telnet access via dial-up
At 10:31 PM 1/17/01, J Roysdon wrote: Today I was a site w/o internet access, but I needed to get Cisco into it to save time relaying commands and information. I had a dial-up connection out to my ISP, and then thought about the built-in Telnet server that Windows 2000 Professional has. I made a quick guest account for Cisco, and told them my dial-up IP, which they could connect to, and then once telnetted into my workstation, they were able to telnet out my NIC to the routers they needs to get to. Only catch is that you can only have one session up through it (enough for us): Good thing! Can you imagine the issues if you had just opened up port 23 for the whole world? Good grief. I just asked a security expert at my company about this scenario and he took a sinister view. He wondered if the story was broadcast in order to incite damange. I don't think that's the case, but this message did come from the same guy that posted photographs of his site for some reason. See the message about patch panels. Priscilla Microsoft (R) Windows (TM) Version 5.00 (Build 2195) Welcome to Microsoft Telnet Service Telnet Server Build 5.00.99201.1 login: cisco password: * Microsoft Windows Workstation allows only 1 Telnet Client License Server has closed connection When they were done, I just disabled the Cisco account. Rather handy now that I have it. I've run into a lot of troubleshooting where it was a real pain not to have internet access for Cisco to get in (or I didn't control the customer's firewall, etc.). After a successful telnet: *=== Welcome to Microsoft Telnet Server. *=== C:\telnet 192.168.45.253 Connecting To 192.168.45.253... -- Jason Roysdon, CCNP/CCDP, MCSE, CNA, Network+, A+ List email: [EMAIL PROTECTED] Homepage: http://jason.artoo.net/ _ FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED] Priscilla Oppenheimer http://www.priscilla.com _ FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: Remote Telnet access via dial-up
Cisco TAC always wants to telnet in to troubleshoot when working a ticket. One alternative is to e-mail your configs to them, at which point maybe they will get back to you with some resolution in a time frame you can live with. Fact is that the internet makes things so damn convenient for us. Most time most people just don't consider the implications. While it may be true that some places have security policies, reasonable of otherwise, the fact is that most places don't, most managements don't want to be bothered, and most users don't want to be inconvenienced. Chuck BTW - nice to see you again, Priscilla. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Priscilla Oppenheimer Sent: Thursday, January 18, 2001 4:38 PM To: [EMAIL PROTECTED] Subject:Re: Remote Telnet access via dial-up At 11:11 AM 1/19/01, Tony van Ree wrote: Hi, As long as the appropriate security/passwords are set it is probably every bit as good as any other form of remote access. Remember that this wasn't CHAP or even PAP. It was Telnet. The Telnet password both to reach his PC and to reach the routers is unencrypted. How was the enable password sent? The characters were typed and sent unencrypted. Getting a Sniffer to the right place to catch this would be hard, but not impossible. Hopefully he will change the password used to reach his PC, but it's not likely he'll change the router VTY and enable passwords. So what did the Cisco engineers to when they Telnetted into this back door to configure the routers? Did they do show run by any chance? Yeah, I just got the complete configuration of the customer's routers. That is unencrypted also. And don't say, well it's Telnet so it's one character at a time which would make understanding it difficult. Responses in Telnet are not one character at a time. The output of show run would be send in TCP segments using the IP MTU. It would be very easy to understand. I don't think most customers would even let him do what he did. A lot of customers wouldn't have an analog phone line for him to use to dial up his ISP. Analog phone-line backdoors are an infamous no-no. I'd love to hear someone else's opinion too. Isn't anyone else as shocked as I am? Priscilla On Thursday, January 18, 2001 at 02:30:09 PM, Priscilla Oppenheimer wrote: Sounds like a helpful troubleshooting method but what were the security risks? Thoughts, anyone? Priscilla At 10:31 PM 1/17/01, J Roysdon wrote: Today I was a site w/o internet access, but I needed to get Cisco into it to save time relaying commands and information. I had a dial-up connection out to my ISP, and then thought about the built-in Telnet server that Windows 2000 Professional has. I made a quick guest account for Cisco, and told them my dial-up IP, which they could connect to, and then once telnetted into my workstation, they were able to telnet out my NIC to the routers they needs to get to. Only catch is that you can only have one session up through it (enough for us): Microsoft (R) Windows (TM) Version 5.00 (Build 2195) Welcome to Microsoft Telnet Service Telnet Server Build 5.00.99201.1 login: cisco password: * Microsoft Windows Workstation allows only 1 Telnet Client License Server has closed connection When they were done, I just disabled the Cisco account. Rather handy now that I have it. I've run into a lot of troubleshooting where it was a real pain not to have internet access for Cisco to get in (or I didn't control the customer's firewall, etc.). After a successful telnet: *=== Welcome to Microsoft Telnet Server. *=== C:\telnet 192.168.45.253 Connecting To 192.168.45.253... -- Jason Roysdon, CCNP/CCDP, MCSE, CNA, Network+, A+ List email: [EMAIL PROTECTED] Homepage: http://jason.artoo.net/ _ FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED] Priscilla Oppenheimer http://www.priscilla.com _ FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED] -- www.tasmail.com Priscilla Oppenheimer http://www.priscilla.com _ FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED] _ FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: Remote Telnet access via dial-up
I don't understand how companys can have main network equipment (routers, etc) accessible over the internet with telnet (and other mgmt services) running *with* no passwords or filters. I see it on a regular occurance. --- Priscilla Oppenheimer [EMAIL PROTECTED] wrote: At 10:31 PM 1/17/01, J Roysdon wrote: Today I was a site w/o internet access, but I needed to get Cisco into it to save time relaying commands and information. I had a dial-up connection out to my ISP, and then thought about the built-in Telnet server that Windows 2000 Professional has. I made a quick guest account for Cisco, and told them my dial-up IP, which they could connect to, and then once telnetted into my workstation, they were able to telnet out my NIC to the routers they needs to get to. Only catch is that you can only have one session up through it (enough for us): Good thing! Can you imagine the issues if you had just opened up port 23 for the whole world? Good grief. I just asked a security expert at my company about this scenario and he took a sinister view. He wondered if the story was broadcast in order to incite damange. I don't think that's the case, but this message did come from the same guy that posted photographs of his site for some reason. See the message about patch panels. Priscilla __ Do You Yahoo!? Get email at your own domain with Yahoo! Mail. http://personal.mail.yahoo.com/ _ FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: Remote Telnet access via dial-up
At 07:32 PM 1/18/01, Erick B. wrote: I don't understand how companys can have main network equipment (routers, etc) accessible over the internet with telnet (and other mgmt services) running *with* no passwords or filters. I see it on a regular occurance. That is amazing. But in this case the company had a lot of security, it sounds like. It was not possible to get into the routers until this guy opened up a backdoor and let Cisco engineers Telnet in over a dial-up line connected to his PC. I can't believe Cisco engineers would thwart their customer's security policy in that way. I think the story sounds fishy. Priscilla --- Priscilla Oppenheimer [EMAIL PROTECTED] wrote: At 10:31 PM 1/17/01, J Roysdon wrote: Today I was a site w/o internet access, but I needed to get Cisco into it to save time relaying commands and information. I had a dial-up connection out to my ISP, and then thought about the built-in Telnet server that Windows 2000 Professional has. I made a quick guest account for Cisco, and told them my dial-up IP, which they could connect to, and then once telnetted into my workstation, they were able to telnet out my NIC to the routers they needs to get to. Only catch is that you can only have one session up through it (enough for us): Good thing! Can you imagine the issues if you had just opened up port 23 for the whole world? Good grief. I just asked a security expert at my company about this scenario and he took a sinister view. He wondered if the story was broadcast in order to incite damange. I don't think that's the case, but this message did come from the same guy that posted photographs of his site for some reason. See the message about patch panels. Priscilla __ Do You Yahoo!? Get email at your own domain with Yahoo! Mail. http://personal.mail.yahoo.com/ Priscilla Oppenheimer http://www.priscilla.com _ FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: Remote Telnet access via dial-up
Hi, Easy. But it's always fun when you accidently find yourself in client equipment and don't know how to get out. Doing a ping from a router furiously typing oops no ping just the ip address and get a new prompt. Teunis, Hobart, Tasmania Australia On Thursday, January 18, 2001 at 07:32:13 PM, Erick B. wrote: I don't understand how companys can have main network equipment (routers, etc) accessible over the internet with telnet (and other mgmt services) running *with* no passwords or filters. I see it on a regular occurance. --- Priscilla Oppenheimer [EMAIL PROTECTED] wrote: At 10:31 PM 1/17/01, J Roysdon wrote: Today I was a site w/o internet access, but I needed to get Cisco into it to save time relaying commands and information. I had a dial-up connection out to my ISP, and then thought about the built-in Telnet server that Windows 2000 Professional has. I made a quick guest account for Cisco, and told them my dial-up IP, which they could connect to, and then once telnetted into my workstation, they were able to telnet out my NIC to the routers they needs to get to. Only catch is that you can only have one session up through it (enough for us): Good thing! Can you imagine the issues if you had just opened up port 23 for the whole world? Good grief. I just asked a security expert at my company about this scenario and he took a sinister view. He wondered if the story was broadcast in order to incite damange. I don't think that's the case, but this message did come from the same guy that posted photographs of his site for some reason. See the message about patch panels. Priscilla __ Do You Yahoo!? Get email at your own domain with Yahoo! Mail. http://personal.mail.yahoo.com/ _ FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED] -- www.tasmail.com _ FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: Remote Telnet access via dial-up
Nearly every time I have dealt with TAC they have asked if there was remote access so they could get into the routers and look around on their own. After a couple times of doing this I started configuring separate logins and one-time passwords just for TAC, and only when needed. Granted this doesn't stop the clear text mode of Telnet, but with the combination of encrypted passwords I think it was adequate for what that company was trying to secure. Jim Priscilla Oppenheimer wrote: At 07:32 PM 1/18/01, Erick B. wrote: I don't understand how companys can have main network equipment (routers, etc) accessible over the internet with telnet (and other mgmt services) running *with* no passwords or filters. I see it on a regular occurance. That is amazing. But in this case the company had a lot of security, it sounds like. It was not possible to get into the routers until this guy opened up a backdoor and let Cisco engineers Telnet in over a dial-up line connected to his PC. I can't believe Cisco engineers would thwart their customer's security policy in that way. I think the story sounds fishy. Priscilla --- Priscilla Oppenheimer [EMAIL PROTECTED] wrote: At 10:31 PM 1/17/01, J Roysdon wrote: Today I was a site w/o internet access, but I needed to get Cisco into it to save time relaying commands and information. I had a dial-up connection out to my ISP, and then thought about the built-in Telnet server that Windows 2000 Professional has. I made a quick guest account for Cisco, and told them my dial-up IP, which they could connect to, and then once telnetted into my workstation, they were able to telnet out my NIC to the routers they needs to get to. Only catch is that you can only have one session up through it (enough for us): Good thing! Can you imagine the issues if you had just opened up port 23 for the whole world? Good grief. I just asked a security expert at my company about this scenario and he took a sinister view. He wondered if the story was broadcast in order to incite damange. I don't think that's the case, but this message did come from the same guy that posted photographs of his site for some reason. See the message about patch panels. Priscilla __ Do You Yahoo!? Get email at your own domain with Yahoo! Mail. http://personal.mail.yahoo.com/ Priscilla Oppenheimer http://www.priscilla.com _ FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED] _ FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: Remote Telnet access via dial-up
I don't think its so fishy and I don't think Cisco could be faulted in any way. My reading is that the "guy" was working with Cisco on a problem. Therefore this "guy" must have some responsibility for the network. Cisco would have to think that this guy knows what he's doing since he has the wherewithal to get into the company's network and then get into routers to configure them. It depends I guess on how far your conspiracy feelings go, if the "guy" was bogus and had all the passwords etc, then how is Cisco to know? Doesn't TAC have to deal with a registered contact? Kevin Wigle - Original Message - From: "Priscilla Oppenheimer" [EMAIL PROTECTED] To: [EMAIL PROTECTED]; [EMAIL PROTECTED] Sent: Thursday, 18 January, 2001 22:51 Subject: Re: Remote Telnet access via dial-up At 07:32 PM 1/18/01, Erick B. wrote: I don't understand how companys can have main network equipment (routers, etc) accessible over the internet with telnet (and other mgmt services) running *with* no passwords or filters. I see it on a regular occurance. That is amazing. But in this case the company had a lot of security, it sounds like. It was not possible to get into the routers until this guy opened up a backdoor and let Cisco engineers Telnet in over a dial-up line connected to his PC. I can't believe Cisco engineers would thwart their customer's security policy in that way. I think the story sounds fishy. Priscilla --- Priscilla Oppenheimer [EMAIL PROTECTED] wrote: At 10:31 PM 1/17/01, J Roysdon wrote: Today I was a site w/o internet access, but I needed to get Cisco into it to save time relaying commands and information. I had a dial-up connection out to my ISP, and then thought about the built-in Telnet server that Windows 2000 Professional has. I made a quick guest account for Cisco, and told them my dial-up IP, which they could connect to, and then once telnetted into my workstation, they were able to telnet out my NIC to the routers they needs to get to. Only catch is that you can only have one session up through it (enough for us): Good thing! Can you imagine the issues if you had just opened up port 23 for the whole world? Good grief. I just asked a security expert at my company about this scenario and he took a sinister view. He wondered if the story was broadcast in order to incite damange. I don't think that's the case, but this message did come from the same guy that posted photographs of his site for some reason. See the message about patch panels. Priscilla __ Do You Yahoo!? Get email at your own domain with Yahoo! Mail. http://personal.mail.yahoo.com/ Priscilla Oppenheimer http://www.priscilla.com _ FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED] _ FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: Remote Telnet access via dial-up
It depends. Anyone can get in and speak to a TAC engineer depending on who they get, their social engineering skills, etc. I work in a similar role but not for cisco. Depending on the organization, contract-type, etc they may require certain things such as remote access. The customers would sign so contract and it's stated in the contract that remote access has to be made available if needed, liabilities, etc. Some contracts may allow for certain people to only call in. Thats why theirs ticketing systems, case numbers, and why it's important to keep good notes/logs on what is done/said. Erick --- Kevin Wigle [EMAIL PROTECTED] wrote: I don't think its so fishy and I don't think Cisco could be faulted in any way. My reading is that the "guy" was working with Cisco on a problem. Therefore this "guy" must have some responsibility for the network. Cisco would have to think that this guy knows what he's doing since he has the wherewithal to get into the company's network and then get into routers to configure them. It depends I guess on how far your conspiracy feelings go, if the "guy" was bogus and had all the passwords etc, then how is Cisco to know? Doesn't TAC have to deal with a registered contact? Kevin Wigle - Original Message - From: "Priscilla Oppenheimer" [EMAIL PROTECTED] To: [EMAIL PROTECTED]; [EMAIL PROTECTED] Sent: Thursday, 18 January, 2001 22:51 Subject: Re: Remote Telnet access via dial-up That is amazing. But in this case the company had a lot of security, it sounds like. It was not possible to get into the routers until this guy opened up a backdoor and let Cisco engineers Telnet in over a dial-up line connected to his PC. I can't believe Cisco engineers would thwart their customer's security policy in that way. I think the story sounds fishy. Priscilla __ Do You Yahoo!? Get email at your own domain with Yahoo! Mail. http://personal.mail.yahoo.com/ _ FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: Remote Telnet access via dial-up
That is amazing. But in this case the company had a lot of security, it sounds like. It was not possible to get into the routers until this guy opened up a backdoor and let Cisco engineers Telnet in over a dial-up line connected to his PC. I can't believe Cisco engineers would thwart their customer's security policy in that way. I think the story sounds fishy. It depends. I work in a phone support role very similar to Cisco TAC but supporting multiple vendors. Vendors and other support groups often need some access to the customers networks if it calls for it. A majority is PPP dialup into customers own infrastructure, sometimes setting up temporary accounts, over the public internet (telnet, vpn, ssh). I've seen heavily secure networks (no access at all) to networks with no security. On the ones with no security I defiantly make the customer aware of it and have them correct it. Priscilla Erick __ Do You Yahoo!? Get email at your own domain with Yahoo! Mail. http://personal.mail.yahoo.com/ _ FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: Remote Telnet access via dial-up
One thing I didn't mention is that all passwords one the routers are always changed to 'cisco' beforehand, and then changed back when done. The dial-up connection is only there so long as my laptop is, plus I can see what IP connects, and it's limited to only that single connection. It's not just an open connection sitting around all the time, although these are important security considerations for someone else who might put up a permanent connection. For any permanent connections, we always use SSH tunnels and/or encrypted Citrix clients. -- Jason Roysdon, CCNP+Security/CCDP, MCSE, CNA, Network+, A+ List email: [EMAIL PROTECTED] Homepage: http://jason.artoo.net/ Cisco resources: http://r2cisco.artoo.net/ ""Erick B."" [EMAIL PROTECTED] wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... That is amazing. But in this case the company had a lot of security, it sounds like. It was not possible to get into the routers until this guy opened up a backdoor and let Cisco engineers Telnet in over a dial-up line connected to his PC. I can't believe Cisco engineers would thwart their customer's security policy in that way. I think the story sounds fishy. It depends. I work in a phone support role very similar to Cisco TAC but supporting multiple vendors. Vendors and other support groups often need some access to the customers networks if it calls for it. A majority is PPP dialup into customers own infrastructure, sometimes setting up temporary accounts, over the public internet (telnet, vpn, ssh). I've seen heavily secure networks (no access at all) to networks with no security. On the ones with no security I defiantly make the customer aware of it and have them correct it. Priscilla Erick __ Do You Yahoo!? Get email at your own domain with Yahoo! Mail. http://personal.mail.yahoo.com/ _ FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED] _ FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: Remote Telnet access via dial-up
If I was a saboteur, I don't think I'd even bother with TAC, I'd just crack the passwords and have my way, heh. Also, 95% of my TAC calls are opened with new router serial numbers and my CCO username given to jump me right into talking to a TAC engineer. Plus, you don't even need a CCO login to get to the Password Recovery pages: http://www.cisco.com/warp/public/474/index.shtml We were troubleshooting cas-group commands and replacing an AdTran Atlas 550 that was acting as a CSU/DSU splitting off DS0's between a frame relay connection and trunks to a long distance carrier. Cisco couldn't get why the command wasn't functioning right and one of their engineers wanted to get in and do some diagnostics. I think Priscilla has been watching too many X-Files episodes ;-p -- Jason Roysdon, CCNP+Security/CCDP, MCSE, CNA, Network+, A+ List email: [EMAIL PROTECTED] Homepage: http://jason.artoo.net/ Cisco resources: http://r2cisco.artoo.net/ ""Kevin Wigle"" [EMAIL PROTECTED] wrote in message 00b601c081d0$985ebc60$[EMAIL PROTECTED]">news:00b601c081d0$985ebc60$[EMAIL PROTECTED]... I don't think its so fishy and I don't think Cisco could be faulted in any way. My reading is that the "guy" was working with Cisco on a problem. Therefore this "guy" must have some responsibility for the network. Cisco would have to think that this guy knows what he's doing since he has the wherewithal to get into the company's network and then get into routers to configure them. It depends I guess on how far your conspiracy feelings go, if the "guy" was bogus and had all the passwords etc, then how is Cisco to know? Doesn't TAC have to deal with a registered contact? Kevin Wigle - Original Message - From: "Priscilla Oppenheimer" [EMAIL PROTECTED] To: [EMAIL PROTECTED]; [EMAIL PROTECTED] Sent: Thursday, 18 January, 2001 22:51 Subject: Re: Remote Telnet access via dial-up At 07:32 PM 1/18/01, Erick B. wrote: I don't understand how companys can have main network equipment (routers, etc) accessible over the internet with telnet (and other mgmt services) running *with* no passwords or filters. I see it on a regular occurance. That is amazing. But in this case the company had a lot of security, it sounds like. It was not possible to get into the routers until this guy opened up a backdoor and let Cisco engineers Telnet in over a dial-up line connected to his PC. I can't believe Cisco engineers would thwart their customer's security policy in that way. I think the story sounds fishy. Priscilla --- Priscilla Oppenheimer [EMAIL PROTECTED] wrote: At 10:31 PM 1/17/01, J Roysdon wrote: Today I was a site w/o internet access, but I needed to get Cisco into it to save time relaying commands and information. I had a dial-up connection out to my ISP, and then thought about the built-in Telnet server that Windows 2000 Professional has. I made a quick guest account for Cisco, and told them my dial-up IP, which they could connect to, and then once telnetted into my workstation, they were able to telnet out my NIC to the routers they needs to get to. Only catch is that you can only have one session up through it (enough for us): Good thing! Can you imagine the issues if you had just opened up port 23 for the whole world? Good grief. I just asked a security expert at my company about this scenario and he took a sinister view. He wondered if the story was broadcast in order to incite damange. I don't think that's the case, but this message did come from the same guy that posted photographs of his site for some reason. See the message about patch panels. Priscilla __ Do You Yahoo!? Get email at your own domain with Yahoo! Mail. http://personal.mail.yahoo.com/ Priscilla Oppenheimer http://www.priscilla.com _ FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED] _ FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED] _ FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: Remote Telnet access via dial-up
I recently spent quite a bit of time working with the TAC to solve a problem. Yes, they wanted to dial into the network to 'have a look'. When I asked what they were looking for, they couldn't tell me. I am well aware that, when tracking down a problem, it can be very useful to just 'have a look', without really knowing what you are looking for. I do it all the time :-) However, since they couldn't (or wouldn't) even give me any hints on what they expected to be doing, they didn't get access. I could send them log output etc via email and they received it quickly enough that we could work together over the phone (the speed of incoming mail to me was another issue altogether but not really a problem). In any case, I've done a fair bit of troubleshooting over the phone, sometimes with completely non-technical people running the 'hands on'. Slower than telnetting in yourself? Sure. But it works, and sometimes it's the only option. And it's VERY good practice for remembering commands and what output they produce ;-) JMcL -- Forwarded by Jenny Mcleod/NSO/CSDA on 19/01/2001 04:38 pm --- "Chuck Larrieu" [EMAIL PROTECTED]@groupstudy.com on 19/01/2001 12:39:45 pm Please respond to "Chuck Larrieu" [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] To: "Priscilla Oppenheimer" [EMAIL PROTECTED] [EMAIL PROTECTED] cc: Subject: RE: Remote Telnet access via dial-up Cisco TAC always wants to telnet in to troubleshoot when working a ticket. One alternative is to e-mail your configs to them, at which point maybe they will get back to you with some resolution in a time frame you can live with. Fact is that the internet makes things so damn convenient for us. Most time most people just don't consider the implications. While it may be true that some places have security policies, reasonable of otherwise, the fact is that most places don't, most managements don't want to be bothered, and most users don't want to be inconvenienced. Chuck BTW - nice to see you again, Priscilla. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Priscilla Oppenheimer Sent: Thursday, January 18, 2001 4:38 PM To: [EMAIL PROTECTED] Subject: Re: Remote Telnet access via dial-up At 11:11 AM 1/19/01, Tony van Ree wrote: Hi, As long as the appropriate security/passwords are set it is probably every bit as good as any other form of remote access. Remember that this wasn't CHAP or even PAP. It was Telnet. The Telnet password both to reach his PC and to reach the routers is unencrypted. How was the enable password sent? The characters were typed and sent unencrypted. Getting a Sniffer to the right place to catch this would be hard, but not impossible. Hopefully he will change the password used to reach his PC, but it's not likely he'll change the router VTY and enable passwords. So what did the Cisco engineers to when they Telnetted into this back door to configure the routers? Did they do show run by any chance? Yeah, I just got the complete configuration of the customer's routers. That is unencrypted also. And don't say, well it's Telnet so it's one character at a time which would make understanding it difficult. Responses in Telnet are not one character at a time. The output of show run would be send in TCP segments using the IP MTU. It would be very easy to understand. I don't think most customers would even let him do what he did. A lot of customers wouldn't have an analog phone line for him to use to dial up his ISP. Analog phone-line backdoors are an infamous no-no. I'd love to hear someone else's opinion too. Isn't anyone else as shocked as I am? Priscilla On Thursday, January 18, 2001 at 02:30:09 PM, Priscilla Oppenheimer wrote: Sounds like a helpful troubleshooting method but what were the security risks? Thoughts, anyone? Priscilla At 10:31 PM 1/17/01, J Roysdon wrote: Today I was a site w/o internet access, but I needed to get Cisco into it to save time relaying commands and information. I had a dial-up connection out to my ISP, and then thought about the built-in Telnet server that Windows 2000 Professional has. I made a quick guest account for Cisco, and told them my dial-up IP, which they could connect to, and then once telnetted into my workstation, they were able to telnet out my NIC to the routers they needs to get to. Only catch is that you can only have one session up through it (enough for us): Microsoft (R) Windows (TM) Version 5.00 (Build 2195) Welcome to Microsoft Telnet Service Telnet Server Build 5.00.99201.1 login: cisco password: * Microsoft Windows Workstation allows only 1 Telnet Client License Server has closed connection When they were done, I just disabled the Cisco account. Rather handy now that I have it. I've run into a lot of troubleshooting where it was a real pain not to have internet ac
Re: Remote Telnet access via dial-up
Or default passwords that are easily obtained once your fingerprint the hardware with nmap and research it on the hardware vendor's site. -- Jason Roysdon, CCNP+Security/CCDP, MCSE, CNA, Network+, A+ List email: [EMAIL PROTECTED] Homepage: http://jason.artoo.net/ Cisco resources: http://r2cisco.artoo.net/ ""Erick B."" [EMAIL PROTECTED] wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... I don't understand how companys can have main network equipment (routers, etc) accessible over the internet with telnet (and other mgmt services) running *with* no passwords or filters. I see it on a regular occurance. --- Priscilla Oppenheimer [EMAIL PROTECTED] wrote: At 10:31 PM 1/17/01, J Roysdon wrote: Today I was a site w/o internet access, but I needed to get Cisco into it to save time relaying commands and information. I had a dial-up connection out to my ISP, and then thought about the built-in Telnet server that Windows 2000 Professional has. I made a quick guest account for Cisco, and told them my dial-up IP, which they could connect to, and then once telnetted into my workstation, they were able to telnet out my NIC to the routers they needs to get to. Only catch is that you can only have one session up through it (enough for us): Good thing! Can you imagine the issues if you had just opened up port 23 for the whole world? Good grief. I just asked a security expert at my company about this scenario and he took a sinister view. He wondered if the story was broadcast in order to incite damange. I don't think that's the case, but this message did come from the same guy that posted photographs of his site for some reason. See the message about patch panels. Priscilla __ Do You Yahoo!? Get email at your own domain with Yahoo! Mail. http://personal.mail.yahoo.com/ _ FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED] _ FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: Remote Telnet access via dial-up
Hi, You don't have all the addresses by any chance? Teunis On Thursday, January 18, 2001 at 09:44:21 PM, J Roysdon wrote: One thing I didn't mention is that all passwords one the routers are always changed to 'cisco' beforehand, and then changed back when done. The dial-up connection is only there so long as my laptop is, plus I can see what IP connects, and it's limited to only that single connection. It's not just an open connection sitting around all the time, although these are important security considerations for someone else who might put up a permanent connection. For any permanent connections, we always use SSH tunnels and/or encrypted Citrix clients. -- Jason Roysdon, CCNP+Security/CCDP, MCSE, CNA, Network+, A+ List email: [EMAIL PROTECTED] Homepage: http://jason.artoo.net/ Cisco resources: http://r2cisco.artoo.net/ ""Erick B."" [EMAIL PROTECTED] wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... That is amazing. But in this case the company had a lot of security, it sounds like. It was not possible to get into the routers until this guy opened up a backdoor and let Cisco engineers Telnet in over a dial-up line connected to his PC. I can't believe Cisco engineers would thwart their customer's security policy in that way. I think the story sounds fishy. It depends. I work in a phone support role very similar to Cisco TAC but supporting multiple vendors. Vendors and other support groups often need some access to the customers networks if it calls for it. A majority is PPP dialup into customers own infrastructure, sometimes setting up temporary accounts, over the public internet (telnet, vpn, ssh). I've seen heavily secure networks (no access at all) to networks with no security. On the ones with no security I defiantly make the customer aware of it and have them correct it. Priscilla Erick __ Do You Yahoo!? Get email at your own domain with Yahoo! Mail. http://personal.mail.yahoo.com/ _ FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED] _ FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED] -- www.tasmail.com _ FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: Remote Telnet access via dial-up
Sure. 172.16.13.1 172.16.15.1. Like I said, nothing was attached to the internet except my laptop on a dial-up (random IP), with only a single telnet session allowed in (and reverse nslookup showed it was Cisco). -- Jason Roysdon, CCNP+Security/CCDP, MCSE, CNA, Network+, A+ List email: [EMAIL PROTECTED] Homepage: http://jason.artoo.net/ Cisco resources: http://r2cisco.artoo.net/ ""Tony van Ree"" [EMAIL PROTECTED] wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... Hi, You don't have all the addresses by any chance? Teunis On Thursday, January 18, 2001 at 09:44:21 PM, J Roysdon wrote: One thing I didn't mention is that all passwords one the routers are always changed to 'cisco' beforehand, and then changed back when done. The dial-up connection is only there so long as my laptop is, plus I can see what IP connects, and it's limited to only that single connection. It's not just an open connection sitting around all the time, although these are important security considerations for someone else who might put up a permanent connection. For any permanent connections, we always use SSH tunnels and/or encrypted Citrix clients. -- Jason Roysdon, CCNP+Security/CCDP, MCSE, CNA, Network+, A+ List email: [EMAIL PROTECTED] Homepage: http://jason.artoo.net/ Cisco resources: http://r2cisco.artoo.net/ ""Erick B."" [EMAIL PROTECTED] wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... That is amazing. But in this case the company had a lot of security, it sounds like. It was not possible to get into the routers until this guy opened up a backdoor and let Cisco engineers Telnet in over a dial-up line connected to his PC. I can't believe Cisco engineers would thwart their customer's security policy in that way. I think the story sounds fishy. It depends. I work in a phone support role very similar to Cisco TAC but supporting multiple vendors. Vendors and other support groups often need some access to the customers networks if it calls for it. A majority is PPP dialup into customers own infrastructure, sometimes setting up temporary accounts, over the public internet (telnet, vpn, ssh). I've seen heavily secure networks (no access at all) to networks with no security. On the ones with no security I defiantly make the customer aware of it and have them correct it. Priscilla Erick __ Do You Yahoo!? Get email at your own domain with Yahoo! Mail. http://personal.mail.yahoo.com/ _ FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED] _ FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED] -- www.tasmail.com _ FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED] _ FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
