RE: hacking challenge [7:66720]

2003-04-04 Thread Wilmes, Rusty
Many thanks to all who replied.  I've got some good verbiage now.  In
particular the multi-layer defense.

Re: hacking challenge [7:66720]

2003-04-03 Thread Steven Aiello
Depending on the servers you could do it in 5 min.  There is an 
anonymous account that runs over netbios in the 130's port area.  If 
there isn't a firewall in place to filter this port you can use the net 
use command and have access to the box.  After this you can download 
the backup copy of the SAM off the server, run a crack program like 
L0phtCrack and BLING BLING.  You have every user name and password on 
the system.  All too easy.

I would recommend the Hacking Exposed book if you want to protect your 
system from crackers / hackers.  You need to know what they can and will 
do to get what they want.  However, don't let a firewall be your end-all, 
do-all solution.  Look into hardening your server OS; if it's Win2k, try 
learning about group policies, they are a wonderful addition.  If it's 
Novell or Linux, sorry, I can't be much help.  But the rule applies.

Steve




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=66753t=66720
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]


RE: hacking challenge [7:66720]

2003-04-03 Thread Priscilla Oppenheimer
Wilmes, Rusty wrote:
 
 This is a general question for the security specialists.
 
 I'm trying to convince a client that they need a firewall.
 
 So hypothetically,
 
 if you had telnet via the internet open to a router (with an access list
 that allowed smtp and telnet) (assuming you didn't know the telnet password
 or the enable password) that had a bunch of nt servers on another interface,

Do you actually mean that you are allowing Telnet and SMTP to go through the
router? You said "to" above, which is confusing. Allowing Telnet to the
router unrestricted would be a horrible security hole, even for people who
don't know the password, because passwords are often guessable.

But I don't think that's what you meant...

Allowing Telnet and SMTP through the router is more common, especially SMTP.
You have to allow SMTP if you have an e-mail server that gets mail from the
outside world. Avoid Telnet, though, if you can. It sends all text as clear
text, including passwords.

The question is really how vulnerable is the operating system that the SMTP
server is running on? It's probably horribly vulnerable if your client
hasn't kept up with the latest patches, and it sounds like your client is
the type that hasn't? In fact, the server is probably busy attacking the
rest of us right now! ;-0

So, as far as convincing your customer...

The best way may be to put a free firewall, like Zone Alarm, on the decision
maker's computer and show her/him all the attacks happening all the time. Or
if she already has a firewall, walk her through the log.

Good luck. I have a good book to recommend on this topic:

Greenberg, Eric. Mission-Critical Security Planner. New York, New York,
Wiley Publishing, Inc., 2003.

Here's an Amazon link:

http://www.amazon.com/exec/obidos/ASIN/0471211656/opendoornetwinc/104-9901005-4572707

Priscilla

 how long would it take a determined hacker a) to cause some kind of network
 downtime and b) to map a network drive to a share on a file server over the
 internet.
 
 Thanks,
 Rusty
 
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=66758t=66720


Re: hacking challenge [7:66720]

2003-04-03 Thread Karsten
 However, don't let a firewall be your end-all,
 do-all solution.  Look into hardening your server OS; if it's Win2k, try
 learning about group policies, they are a wonderful addition.  If it's
 Novell or Linux, sorry, I can't be much help.  But the rule applies.

If you're looking for security on Win2k then here's some advice. Close
it off to the world. Completely. Run a PIX or PF firewall in front of your
networks behind a router. If you want a secure OS then move to
Linux or xBSD.  This is getting off topic.

-Karsten






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=66763t=66720


Re: hacking challenge [7:66720]

2003-04-03 Thread Kent Hundley
Rusty,

I'm not clear from your question if there is an acl blocking everything
inbound to the nt servers except smtp and telnet or if the acl is for
inbound to the router itself.  In the former case, unless your client is
forcing their users to use good passwords, it's likely that a brute
force telnet attempt would succeed in anywhere from a few hours to a few
days, ditto for brute force on the router. If they're not logging failed
login attempts, they would never know this was occurring.  

If they have no filtering of any kind inbound to their servers, there
are many netbios/nt vulnerabilities that they could be susceptible to;
without knowing more specifics about the patches applied and the
services being run I can't give you anything more specific.  You can
search on securityfocus.com to see what might be applicable to your
client.

One thing to keep in mind: for a small site the Cisco firewall feature
set may be adequate.  At the very least, a correctly configured
access-list provides some rudimentary protection.  See the Cisco site or
Phrack issue 52 (phrack.com) for info on Cisco router security.

Also, security works best when applied in layers.  It's not enough to
have a firewall; enabling centralized logging, patching and hardening
servers, backup procedures and implementing change control procedures
are just a few of the things that need to be done as well.  A firewall
is just the beginning.

HTH,
Kent

PS If you're trying to get your client to take security seriously, you
should probably begin by asking business questions like: What is the
worth of the information contained on your servers? How long could you
operate without that information?  If you lost all of the information on
your servers, could your business operate? Are you aware of how much
money businesses lost last year due to security breaches according to
the FBI/CSI annual report?  Are you aware of the potential legal issues
related to not following due care practices for securing your
information infrastructure? Etc., etc.


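Kent's warning that, without logging of failed login attempts, nobody would ever notice a brute-force run against the router, turned into detection logic. This is an added example, not code from the thread: the sample lines are constructed in the shape of IOS `%SEC_LOGIN` messages (the `login on-failure log` / `login on-success log` output); the syslog host prefix, timings and addresses (RFC 5737 documentation ranges) are assumptions.

```python
"""Brute-force detection over router login syslog (added example for this
thread, not list code). Sample lines are constructed in the shape of IOS
%SEC_LOGIN messages; host prefix, spacing and addresses are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOGIN_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ "
    r"%SEC_LOGIN-\d-(?P<event>LOGIN_FAILED|LOGIN_SUCCESS): Login \w+ "
    r"\[user: (?P<user>[^\]]*)\] \[Source: (?P<src>[^\]]+)\] \[localport: (?P<port>\d+)\]"
)

# Constructed sample: one source cycling through usernames on the telnet vty,
# a legitimate admin who mistyped once, and an unrelated config message.
SAMPLE_SYSLOG = """\
Apr  3 09:15:01 gw1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: rusty] [Source: 198.51.100.20] [localport: 23] [Reason: Login Authentication Failed]
Apr  3 09:15:09 gw1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: rusty] [Source: 198.51.100.20] [localport: 23]
Apr  3 14:02:11 gw1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.77] [localport: 23] [Reason: Login Authentication Failed]
Apr  3 14:02:14 gw1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.77] [localport: 23] [Reason: Login Authentication Failed]
Apr  3 14:02:19 gw1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 192.0.2.77] [localport: 23] [Reason: Login Authentication Failed]
Apr  3 14:02:25 gw1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 192.0.2.77] [localport: 23] [Reason: Login Authentication Failed]
Apr  3 14:03:02 gw1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.77] [localport: 23] [Reason: Login Authentication Failed]
Apr  3 14:03:40 gw1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.77] [localport: 23] [Reason: Login Authentication Failed]
Apr  3 14:04:00 gw1 %SYS-5-CONFIG_I: Configured from console by rusty on vty0 (198.51.100.20)
Apr  3 14:05:10 gw1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 192.0.2.77] [localport: 23]
"""


def parse_line(line, year=2003):
    """Return a dict for a login event, or None for any other syslog line.
    Syslog carries no year, so the caller supplies one."""
    m = LOGIN_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "event": m["event"], "user": m["user"],
            "src": m["src"], "port": int(m["port"])}


def detect_bruteforce(events, threshold=5, window_seconds=600):
    """Flag any source with at least `threshold` failures inside a sliding window.
    A success from the same source after the burst is the signal that matters most:
    a guessable password was probably just found."""
    window = timedelta(seconds=window_seconds)
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["ts"]):
        by_src[e["src"]].append(e)

    findings = []
    for src, evs in by_src.items():
        fails = [e["ts"] for e in evs if e["event"] == "LOGIN_FAILED"]
        tripped_at, start = None, 0
        for i, t in enumerate(fails):
            while t - fails[start] > window:      # slide the window's left edge
                start += 1
            if i - start + 1 >= threshold:
                tripped_at = t
                break
        if tripped_at is None:
            continue
        later_ok = [e for e in evs if e["event"] == "LOGIN_SUCCESS" and e["ts"] >= tripped_at]
        findings.append({
            "src": src,
            "failures": len(fails),
            "first_failure": fails[0],
            "tripped_at": tripped_at,
            "users_tried": sorted({e["user"] for e in evs if e["event"] == "LOGIN_FAILED"}),
            "success_after": later_ok[0]["user"] if later_ok else None,
        })
    return findings


def analyze(syslog_text, **kwargs):
    """Parse a syslog dump and run the detector over it."""
    events = [e for e in (parse_line(l) for l in syslog_text.splitlines()) if e]
    return detect_bruteforce(events, **kwargs)


if __name__ == "__main__":
    for f in analyze(SAMPLE_SYSLOG):
        print(f"{f['src']}: {f['failures']} failures from {f['first_failure']:%H:%M:%S}, "
              f"users {f['users_tried']}, threshold hit at {f['tripped_at']:%H:%M:%S}, "
              f"success afterwards as {f['success_after']!r}")
```

The single mistyped password from the management host stays below the threshold, while the source that cycles through admin, cisco and root trips it and is then seen logging in successfully.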
RE: hacking challenge [7:66720]

2003-04-03 Thread Maccubbin, Duncan
Easy, show them RFC 3514 and let them know you would need a firewall to
block the Evil bit...cash, check or charge?

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=66770t=66720


RE: hacking challenge [7:66720]

2003-04-03 Thread Wilmes, Rusty
there's an access list on the ethernet interface that's directly connected to
a dsl modem.

they're allowing telnet and smtp to basically any any, plus various other
protocols from/to specific addresses.  There're only two outside addresses
that are natted but it's really hideous and the access list is the only thing
resembling a layer of security between the internet and their server farm.

I was just hoping to hear some really good verbiage about how vulnerable they
are.  I've told them for 3 months to get a pix but it just ain't sinking in.
Now they've got a worm loose on their mail server that's bringing down their
main host system and their internet line (but that's another story).



 -Original Message-
 From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]
 Sent: Thursday, April 03, 2003 8:46 AM
 To: [EMAIL PROTECTED]
 Subject: RE: hacking challenge [7:66720]
 
 
 Wilmes, Rusty wrote:
  
  this is a general question for the security specialists.
  
  Im trying to convince a client that they need a firewall
  
  so hypothetically, 
  
  if you had telnet via the internet open to a router (with an
  access list
  that allowed smtp and telnet) (assuming you didn't know the
  telnet password
  or the enable password)that had a bunch of nt servers on
  another interface,
 
 Do you actually mean that you are allowing Telnet and SMTP to 
 go through the
 router? You said to above which is confusing. Allowing Telnet to the
 router unrestricted would be a horrible security hole, even 
 for people who
 don't know the password because passwords are often guessable.
 
 But I don't think that's what you meant...
 
 Allowing Telnet and SMTP through the router is more common, 
 especially SMTP.
 You have to allow SMTP if you have an e-mail server that gets 
 mail from the
 outside world. Avoid Telnet, though, if you can. It sends all 
 text as clear
 text, including passwords.
 
 The question is really how vulnerable is the operating system 
 that the SMTP
 server is running on? It's probably horribly vulnerable if your client
 hasn't kept up with the latest patches, and it sounds like 
 your client is
 the type that hasn't? In fact, the server is probably busy 
 attacking the
 rest of us right now! ;-0
 
 So, as far as convicing your customer
 
 The best way may be to put a free firewall, like Zone Alarm, 
 on the decision
 maker's computer and show her/him all the attacks happening 
 all the time. Or
 if she already has a firewall, walk her through the log.
 
 Good luck. I have a good book to recommend on this topic:
 
 Greenberg, Eric. Mission-Critical Security Planner. New 
 York, New York,
 Wiley Publishing, Inc., 2003.
 
 Here's an Amazon link:
 
 http://www.amazon.com/exec/obidos/ASIN/0471211656/opendoornetw
 inc/104-9901005-4572707
 
 Priscilla
 
  how long would it take a determined hacker a) cause some kind
  of network
  downtime and b) to map a network drive to a share on a file
  server over the
  internet. 
  
  Thanks,
  Rusty
  
   -Original Message-
   From: Larry Letterman [mailto:[EMAIL PROTECTED]
   Sent: Wednesday, April 02, 2003 1:44 PM
   To: [EMAIL PROTECTED]
   Subject: RE: VLAN loop problem [7:66656]
   
   
   Yes,
   it prevents loops in spanning tree on layer 2 switches from 
   causing a loop
   by disabling the port on a cisco switch...
   
   
   Larry Letterman
   Network Engineer
   Cisco Systems
   
   
   
   
   
-Original Message-
From: [EMAIL PROTECTED] 
   [mailto:[EMAIL PROTECTED] Behalf Of
Thomas N.
Sent: Wednesday, April 02, 2003 12:18 PM
To: [EMAIL PROTECTED]
Subject: Re: VLAN loop problem [7:66656]
   
   
What does portfast bpdu-guard do?  Does it prevent
  interfaces with
portfast enabled from causing the loop in my scenario?
   
   
Larry Letterman  wrote in message
news:[EMAIL PROTECTED]
   
 port mac address security might work, altho its a lot of
  admin
 overhead..are you running portfast bpdu-guard on the
  access ports?


 Larry Letterman
 Network Engineer
 Cisco Systems


   - Original Message -
   From: Thomas N.
   To: [EMAIL PROTECTED]
   Sent: Tuesday, April 01, 2003 8:14 PM
   Subject: VLAN loop problem [7:66656]


   Hi All,

   I got a problem in the production campus LAN here
  between
VLANs.  Please
   help me out!  Below is the scenario:

   We have VLAN 10 (10.10.x.x) and VLAN 20 (10.20.x.x)
  subnets.
Routing is
   enable/allowed between the two subnets using MSFC of 
   the 6500.  Each
subnet
   has a DHCP server to assign IP address to devices on
  its subnet.
   Spanning-tree is enable; however, portfast is turned on
  on all
   non-trunking/uplink ports.  Recently, devices on VLAN
  10 got
assigned an
IP
   address of 10.20.x.x , which is from the DHCP on the 
   other scope and
also
   from 10.10.x.x scope, and vice versa.  It seems

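Kent's point that a correctly configured access list is at least rudimentary protection, applied to the list Rusty describes. This is an added example, not code from the thread or from Cisco: it evaluates a Cisco IOS numbered extended ACL the way the router does (first match wins, implicit deny at the end) over two constructed lists, one mirroring the open "telnet and smtp any any" list and one tightened so telnet is reachable only from a management host. The list number 101, the hosts and the addresses (RFC 5737 documentation ranges) are assumptions.

```python
"""First-match evaluation of a Cisco IOS numbered extended ACL.

Added example for this thread, not list or Cisco code. Both access lists
below are constructed; addresses are RFC 5737 documentation ranges."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# IOS keyword ports used in the thread's ACL, plus a few common ones.
PORT_NAMES = {"telnet": 23, "smtp": 25, "ftp": 21, "domain": 53, "www": 80}
ANY = (0, 0xFFFFFFFF)  # address 0.0.0.0 with wildcard 255.255.255.255


@dataclass
class Entry:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "tcp", "udp", ...
    src: Tuple[int, int]        # (address, wildcard) as integers
    dst: Tuple[int, int]
    dst_port: Optional[int]     # None means any destination port
    log: bool = False


def _parse_addr(tokens):
    """Consume one IOS address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return (int(ipaddress.IPv4Address(tokens.pop(0))), 0)
    return (int(ipaddress.IPv4Address(tok)), int(ipaddress.IPv4Address(tokens.pop(0))))


def parse_entry(line):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT] [log]'.
    Source-port operators and 'range' are not handled; the thread's list uses neither."""
    tokens = line.split()
    if tokens[0] == "access-list":
        tokens = tokens[2:]                       # drop keyword and list number
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    src = _parse_addr(rest)
    dst = _parse_addr(rest)
    port = None
    if rest[:1] == ["eq"]:
        port = int(rest[1]) if rest[1].isdigit() else PORT_NAMES[rest[1]]
        rest = rest[2:]
    return Entry(action, proto, src, dst, port, log="log" in rest)


def _addr_matches(spec, ip):
    """IOS wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    addr, wild = spec
    return ((int(ipaddress.IPv4Address(ip)) ^ addr) & ~wild & 0xFFFFFFFF) == 0


def evaluate(acl, proto, src_ip, dst_ip, dst_port):
    """Walk the list top to bottom like the router does.
    Returns (action, index) of the first match, or ('deny', None) for the implicit deny."""
    for i, e in enumerate(acl):
        if e.proto not in ("ip", proto):
            continue
        if not (_addr_matches(e.src, src_ip) and _addr_matches(e.dst, dst_ip)):
            continue
        if e.dst_port is not None and e.dst_port != dst_port:
            continue
        return e.action, i
    return "deny", None


def open_to_internet(acl):
    """Permit entries whose source is 'any': what anyone on the Internet can reach.
    (An earlier deny could shadow one of these; evaluate() is the authoritative check.)"""
    return [(e.proto, e.dst_port) for e in acl if e.action == "permit" and e.src == ANY]


def load(text):
    return [parse_entry(line) for line in text.splitlines() if line.strip()]


# Constructed: what the thread describes, telnet and smtp open from anywhere to anywhere.
CLIENT_ACL = load("""
access-list 101 permit tcp any any eq telnet
access-list 101 permit tcp any any eq smtp
access-list 101 permit tcp host 198.51.100.20 host 203.0.113.10 eq 1433
""")

# Constructed: same mail reachability, telnet only from one management host,
# and an explicit logged deny so blocked connection attempts leave a record.
HARDENED_ACL = load("""
access-list 101 permit tcp host 198.51.100.20 host 203.0.113.10 eq telnet
access-list 101 permit tcp any host 203.0.113.10 eq smtp
access-list 101 deny ip any any log
""")

if __name__ == "__main__":
    for name, acl in (("client", CLIENT_ACL), ("hardened", HARDENED_ACL)):
        print(name, "open to the Internet:", open_to_internet(acl))
        print(name, "telnet from 192.0.2.77:", evaluate(acl, "tcp", "192.0.2.77", "203.0.113.10", 23))
        print(name, "telnet from mgmt host:", evaluate(acl, "tcp", "198.51.100.20", "203.0.113.10", 23))
```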
RE: hacking challenge [7:66720]

2003-04-03 Thread Symon Thurlow
This prompts me to say something about a comment from a previous poster
about how vulnerable Windows is compared to Linux/xBSD etc.

I see many, many vulnerability alerts weekly for *nix based systems.
Probably just as many as you see for Windows.

You should of course harden any Internet facing network device, however
the point is not really the type of server OS you run, or the Apps on
it, but how good you are at proactively keeping them patched. 

I suggest that you go to some firewall vendor sites and plagiarise a bit
of marketing guff if you want to sell the firewall idea to a sceptic,
although just plonking a firewall in front of your unpatched sendmail
server won't achieve a great deal.

My 2c, YMMV

Symon




RE: hacking challenge [7:66720]

2003-04-03 Thread Evans, TJ (BearingPoint)
So ... doesn't that give them enough supporting evidence all by itself?
If not, maybe it is a lost cause?

As an aside - a pix, if it was permitting the offending port through as
well, may not have stopped the worm either.  Think Defense in Depth.  A
firewall, while a necessity for -everyone- (IMHO) is not a cure-all; it is a
piece of a very large, very complex puzzle (even for a small network!).

..
Have someone in a Decision-making position there read Hacking __(pick an os
- Windows2k, Linux, etc.), or attend a SANS course (or just visit their
reading room - TONS of articles).  Read Eric Cole's or Ed Skoudis's books.
.. or, teach him/her to use google ... 


Thanks!
TJ
-Original Message-
From: Wilmes, Rusty [mailto:[EMAIL PROTECTED] 
Sent: Thursday, April 03, 2003 2:05 PM
To: [EMAIL PROTECTED]
Subject: RE: hacking challenge [7:66720]

there's an access list on the ethernet interface that's directly connected to
a dsl modem.

they're allowing telnet and smtp to basically, any any plus various other
protocols from/to specific addresses.  There're only two outside addresses
that are natted but it's really hideous and the access list is the only thing
resembling a layer of security between the internet and their server farm.  

I was just hoping to hear some really good verbiage about how vulnerable they
are.  I've told them for 3 months to get a pix but it just ain't sinking in.
Now they've got a worm loose on their mail server that's bringing down their
main host system and their internet line (but that's another story).



 -Original Message-
 From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]
 Sent: Thursday, April 03, 2003 8:46 AM
 To: [EMAIL PROTECTED]
 Subject: RE: hacking challenge [7:66720]
 
 
 Wilmes, Rusty wrote:
  
  this is a general question for the security specialists.
  
  I'm trying to convince a client that they need a firewall
  
  so hypothetically, 
  
  if you had telnet via the internet open to a router (with an
  access list
  that allowed smtp and telnet) (assuming you didn't know the
  telnet password
  or the enable password) that had a bunch of nt servers on
  another interface,
 
 Do you actually mean that you are allowing Telnet and SMTP to 
 go through the
 router? You said to above which is confusing. Allowing Telnet to the
 router unrestricted would be a horrible security hole, even 
 for people who
 don't know the password because passwords are often guessable.
 
 But I don't think that's what you meant...
 
 Allowing Telnet and SMTP through the router is more common, 
 especially SMTP.
 You have to allow SMTP if you have an e-mail server that gets 
 mail from the
 outside world. Avoid Telnet, though, if you can. It sends all 
 text as clear
 text, including passwords.
 
 The question is really how vulnerable is the operating system 
 that the SMTP
 server is running on? It's probably horribly vulnerable if your client
 hasn't kept up with the latest patches, and it sounds like 
 your client is
 the type that hasn't? In fact, the server is probably busy 
 attacking the
 rest of us right now! ;-0
 
 So, as far as convincing your customer
 
 The best way may be to put a free firewall, like Zone Alarm, 
 on the decision
 maker's computer and show her/him all the attacks happening 
 all the time. Or
 if she already has a firewall, walk her through the log.
 
 Good luck. I have a good book to recommend on this topic:
 
 Greenberg, Eric. Mission-Critical Security Planner. New 
 York, New York,
 Wiley Publishing, Inc., 2003.
 
 Here's an Amazon link:
 
 http://www.amazon.com/exec/obidos/ASIN/0471211656/opendoornetwinc/104-9901005-4572707
 
 Priscilla
 
  how long would it take a determined hacker a) to cause some kind
  of network
  downtime and b) to map a network drive to a share on a file
  server over the
  internet. 
  
  Thanks,
  Rusty
  
   -Original Message-
   From: Larry Letterman [mailto:[EMAIL PROTECTED]
   Sent: Wednesday, April 02, 2003 1:44 PM
   To: [EMAIL PROTECTED]
   Subject: RE: VLAN loop problem [7:66656]
   
   
   Yes,
   it prevents loops in spanning tree on layer 2 switches from 
   causing a loop
   by disabling the port on a cisco switch...
   
   
   Larry Letterman
   Network Engineer
   Cisco Systems
   
   
   
   
   
-Original Message-
From: [EMAIL PROTECTED] 
   [mailto:[EMAIL PROTECTED] Behalf Of
Thomas N.
Sent: Wednesday, April 02, 2003 12:18 PM
To: [EMAIL PROTECTED]
Subject: Re: VLAN loop problem [7:66656]
   
   
What does portfast bpdu-guard do?  Does it prevent
  interfaces with
portfast enabled from causing the loop in my scenario?
   
   
Larry Letterman  wrote in message
news:[EMAIL PROTECTED]
   
 port mac address security might work, although it's a lot of admin
 overhead.. are you running portfast bpdu-guard on the access ports?


 Larry Letterman
 Network Engineer
 Cisco Systems


   - Original Message

Re: hacking challenge [7:66720]

2003-04-03 Thread Scott Roberts
my company does a lot of firewall consulting and I run into this question
all the time. frankly I don't have a great answer for it though.

packet filters (i.e. access-lists) are technically first generation
firewalls, so they do have a firewall in place already.
the sell really comes into play when you state that first generation
firewalls aren't as robust and up-to-date as the latest third generation
firewalls and are open to concerted attacks. this usually they can
understand. trying to explain multilayer stateful inspection to them is
pointless, so don't even try.

probably the best thing you can do (as already suggested), is make sure your
acl is complete and anytime a security issue comes up point out the problem
as relates to no firewall. after about a year of you doing this, they'll
catch on and will budget it in eventually.

scott


Wilmes, Rusty  wrote in message
news:[EMAIL PROTECTED]
 there's an access list on the ethernet interface that's directly connected
 to a dsl modem.

 they're allowing telnet and smtp to basically, any any plus various other
 protocols from/to specific addresses.  There're only two outside addresses
 that are natted but it's really hideous and the access list is the only
 thing resembling a layer of security between the internet and their server farm.

 I was just hoping to hear some really good verbiage about how vulnerable
 they are.  I've told them for 3 months to get a pix but it just ain't sinking
 in.  Now they've got a worm loose on their mail server that's bringing down
 their main host system and their internet line (but that's another story).



  -Original Message-
  From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]
  Sent: Thursday, April 03, 2003 8:46 AM
  To: [EMAIL PROTECTED]
  Subject: RE: hacking challenge [7:66720]
 
 
  Wilmes, Rusty wrote:
  
   this is a general question for the security specialists.
  
   I'm trying to convince a client that they need a firewall
  
   so hypothetically,
  
   if you had telnet via the internet open to a router (with an
   access list
   that allowed smtp and telnet) (assuming you didn't know the
   telnet password
   or the enable password) that had a bunch of nt servers on
   another interface,
 
  Do you actually mean that you are allowing Telnet and SMTP to
  go through the
  router? You said to above which is confusing. Allowing Telnet to the
  router unrestricted would be a horrible security hole, even
  for people who
  don't know the password because passwords are often guessable.
 
  But I don't think that's what you meant...
 
  Allowing Telnet and SMTP through the router is more common,
  especially SMTP.
  You have to allow SMTP if you have an e-mail server that gets
  mail from the
  outside world. Avoid Telnet, though, if you can. It sends all
  text as clear
  text, including passwords.
 
  The question is really how vulnerable is the operating system
  that the SMTP
  server is running on? It's probably horribly vulnerable if your client
  hasn't kept up with the latest patches, and it sounds like
  your client is
  the type that hasn't? In fact, the server is probably busy
  attacking the
  rest of us right now! ;-0
 
  So, as far as convincing your customer
 
  The best way may be to put a free firewall, like Zone Alarm,
  on the decision
  maker's computer and show her/him all the attacks happening
  all the time. Or
  if she already has a firewall, walk her through the log.
 
  Good luck. I have a good book to recommend on this topic:
 
  Greenberg, Eric. Mission-Critical Security Planner. New
  York, New York,
  Wiley Publishing, Inc., 2003.
 
  Here's an Amazon link:
 
  http://www.amazon.com/exec/obidos/ASIN/0471211656/opendoornetwinc/104-9901005-4572707
 
  Priscilla
 
   how long would it take a determined hacker a) to cause some kind
   of network
   downtime and b) to map a network drive to a share on a file
   server over the
   internet.
  
   Thanks,
   Rusty
  
-Original Message-
From: Larry Letterman [mailto:[EMAIL PROTECTED]
Sent: Wednesday, April 02, 2003 1:44 PM
To: [EMAIL PROTECTED]
Subject: RE: VLAN loop problem [7:66656]
   
   
Yes,
it prevents loops in spanning tree on layer 2 switches from
causing a loop
by disabling the port on a cisco switch...
   
   
Larry Letterman
Network Engineer
Cisco Systems
   
   
   
   
   
 -Original Message-
 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of
 Thomas N.
 Sent: Wednesday, April 02, 2003 12:18 PM
 To: [EMAIL PROTECTED]
 Subject: Re: VLAN loop problem [7:66656]


 What does portfast bpdu-guard do?  Does it prevent
   interfaces with
 portfast enabled from causing the loop in my scenario?


 Larry Letterman  wrote in message
 news:[EMAIL PROTECTED]

  port mac address security might work, although it's a lot of admin
  overhead.. are you running portfast bpdu-guard

RE: hacking challenge [7:66720]

2003-04-03 Thread Evans, TJ (BearingPoint)
I would have to take issue with the following statement:

You should of course harden any Internet facing network device, however
the point is not really the type of server OS you run, or the Apps on
it, but how good you are at proactively keeping them patched.



-MANY- so-called vulnerabilities are actually by design, we usually call
them features.  This is where the quality of the original coding, the
quality/details of the installation/configuration, and the layers wrapped
around all of this come together. 

Typically, we as users have no control over the coding aspect, aside from
auditing the application in question before deploying it and choosing your
vendor accordingly.

The installation / config is *very* important.  Nearly every vulnerability
would be bypassed if we could just disable all of the services, or leave the
machine without a network connection :).  Code Red and Slammer, to cite two
VERY BIG examples, would never have been an issue if the recommended best
practices from the vendor (MS, in this case) had been followed.

Patching, of course, is not to be underrated.  This *REALLY* comes into play
when the vulnerability exists in the services you offer - web services or
SQL, for ex.



I hate to sound repetitive, but the key lies in knowing how to address all
applicable layers and to maintain vigilance in doing so.  Defense in Depth.

Thanks!
TJ
-Original Message-
From: Symon Thurlow [mailto:[EMAIL PROTECTED] 
Sent: Thursday, April 03, 2003 4:09 PM
To: [EMAIL PROTECTED]
Subject: RE: hacking challenge [7:66720]

This prompts me to say something about a comment from a previous poster
about how vulnerable Windows is compared to Linux/xBSD etc

I see many, many vulnerability alerts weekly for *nix based systems.
Probably just as many as you see for Windows.

You should of course harden any Internet facing network device, however
the point is not really the type of server OS you run, or the Apps on
it, but how good you are at proactively keeping them patched. 

I suggest that you go to some firewall vendor sites and plagiarise a bit
of marketing guff if you want to sell the firewall idea to a sceptic,
although just plonking a firewall in front of your unpatched sendmail
server won't achieve a great deal.

My 2c, YMMV

Symon



-Original Message-
From: Wilmes, Rusty [mailto:[EMAIL PROTECTED] 
Sent: 03 April 2003 20:05
To: [EMAIL PROTECTED]
Subject: RE: hacking challenge [7:66720]


there's an access list on the ethernet interface that's directly
connected to a dsl modem.

they're allowing telnet and smtp to basically, any any plus various
other protocols from/to specific addresses.  There're only two outside
addresses that are natted but it's really hideous and the access list is
the only thing resembling a layer of security between the internet and
their server farm.  

I was just hoping to hear some really good verbiage about how vulnerable
they are.  I've told them for 3 months to get a pix but it just ain't
sinking in. Now they've got a worm loose on their mail server that's
bringing down their main host system and their internet line (but that's
another story).



 -Original Message-
 From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]
 Sent: Thursday, April 03, 2003 8:46 AM
 To: [EMAIL PROTECTED]
 Subject: RE: hacking challenge [7:66720]
 
 
 Wilmes, Rusty wrote:
  
  this is a general question for the security specialists.
  
  I'm trying to convince a client that they need a firewall
  
  so hypothetically,
  
  if you had telnet via the internet open to a router (with an access 
  list that allowed smtp and telnet) (assuming you didn't know the
  telnet password
  or the enable password) that had a bunch of nt servers on
  another interface,
 
 Do you actually mean that you are allowing Telnet and SMTP to
 go through the
 router? You said to above which is confusing. Allowing Telnet to the
 router unrestricted would be a horrible security hole, even 
 for people who
 don't know the password because passwords are often guessable.
 
 But I don't think that's what you meant...
 
 Allowing Telnet and SMTP through the router is more common,
 especially SMTP.
 You have to allow SMTP if you have an e-mail server that gets 
 mail from the
 outside world. Avoid Telnet, though, if you can. It sends all 
 text as clear
 text, including passwords.
 
 The question is really how vulnerable is the operating system
 that the SMTP
 server is running on? It's probably horribly vulnerable if your client
 hasn't kept up with the latest patches, and it sounds like 
 your client is
 the type that hasn't? In fact, the server is probably busy 
 attacking the
 rest of us right now! ;-0
 
 So, as far as convincing your customer
 
 The best way may be to put a free firewall, like Zone Alarm,
 on the decision
 maker's computer and show her/him all the attacks happening 
 all the time. Or
 if she already has a firewall, walk her through the log.
 
 Good luck. I have a good book to recommend

hacking challenge [7:66720]

2003-04-02 Thread Wilmes, Rusty
this is a general question for the security specialists.

I'm trying to convince a client that they need a firewall

so hypothetically, 

if you had telnet via the internet open to a router (with an access list
that allowed smtp and telnet) (assuming you didn't know the telnet password
or the enable password) that had a bunch of nt servers on another interface,
how long would it take a determined hacker a) to cause some kind of network
downtime and b) to map a network drive to a share on a file server over the
internet. 

Thanks,
Rusty

 -Original Message-
 From: Larry Letterman [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, April 02, 2003 1:44 PM
 To: [EMAIL PROTECTED]
 Subject: RE: VLAN loop problem [7:66656]
 
 
 Yes,
 it prevents loops in spanning tree on layer 2 switches from 
 causing a loop
 by disabling the port on a cisco switch...
 
 
 Larry Letterman
 Network Engineer
 Cisco Systems
 
 
 
 
 
  -Original Message-
  From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] Behalf Of
  Thomas N.
  Sent: Wednesday, April 02, 2003 12:18 PM
  To: [EMAIL PROTECTED]
  Subject: Re: VLAN loop problem [7:66656]
 
 
  What does portfast bpdu-guard do?  Does it prevent interfaces with
  portfast enabled from causing the loop in my scenario?
 
 
  Larry Letterman  wrote in message
  news:[EMAIL PROTECTED]
 
   port mac address security might work, although it's a lot of admin
   overhead.. are you running portfast bpdu-guard on the access ports?
  
  
   Larry Letterman
   Network Engineer
   Cisco Systems
  
  
 - Original Message -
 From: Thomas N.
 To: [EMAIL PROTECTED]
 Sent: Tuesday, April 01, 2003 8:14 PM
 Subject: VLAN loop problem [7:66656]
  
  
 Hi All,
  
 I got a problem in the production campus LAN here between VLANs.  Please
 help me out!  Below is the scenario:

 We have VLAN 10 (10.10.x.x) and VLAN 20 (10.20.x.x) subnets.  Routing is
 enabled/allowed between the two subnets using the MSFC of the 6500.  Each
 subnet has a DHCP server to assign IP addresses to devices on its subnet.
 Spanning-tree is enabled; however, portfast is turned on on all
 non-trunking/uplink ports.  Recently, devices on VLAN 10 got assigned an IP
 address of 10.20.x.x, which is from the DHCP on the other scope and also
 from the 10.10.x.x scope, and vice versa.  It seems that we have a loop
 somewhere between the 2 subnets but we don't know where.  I noticed lots of
 end users have a little unmanaged hub/switch hanging off the network jacks in
 their cubicles and potentially causing a loop.

 Is there any way that we can block the loop on the Cisco switches without
 visiting cubicles taking those little unmanaged hubs/switches?  Thanks!
  
 Thomas




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=66720t=66720
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

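An added example, not code from anyone in the thread: a small inbound-ACL audit for the situation Rusty describes (telnet and smtp permitted "any any" on the interface facing the DSL modem). It flags what the replies single out, telnet reachable from anywhere (cleartext logins, per Priscilla), smtp not narrowed to the one mail server, and "permit ip any any" rules that filter nothing, and shows the weak ACL beside a narrowed one. Both configs are constructed; 192.0.2.x and 198.51.100.x are documentation addresses standing in for the client's NATed hosts.

```python
# Added example (not from the thread): audit an IOS extended ACL that is applied
# inbound on an Internet-facing interface. Constructed sample configs below.

PORT_NAMES = {"telnet": 23, "smtp": 25, "www": 80, "ftp": 21}


def parse_ace(line: str):
    """Parse one numbered extended ACE: access-list N permit|deny PROTO SRC DST [eq PORT]."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        return None

    def take_addr(tok):
        # IOS address forms: 'any', 'host A.B.C.D', or 'network wildcard'
        if tok[0] == "any":
            return "any", tok[1:]
        if tok[0] == "host":
            return tok[1], tok[2:]
        return f"{tok[0]} {tok[1]}", tok[2:]

    try:
        src, rest = take_addr(t[4:])
        dst, rest = take_addr(rest)
    except IndexError:
        return None
    port = None
    if len(rest) >= 2 and rest[0] == "eq":
        p = PORT_NAMES.get(rest[1], rest[1])
        port = int(p) if str(p).isdigit() else p
    return {"num": t[1], "action": t[2], "proto": t[3], "src": src, "dst": dst, "port": port}


def audit_inbound_acl(config: str, mail_server: str) -> list[str]:
    """Findings for an ACL applied inbound on the Internet-facing interface."""
    findings = []
    for line in config.splitlines():
        ace = parse_ace(line.strip())
        if not ace or ace["action"] != "permit":
            continue
        where = f"acl {ace['num']} [{line.strip()}]"
        if ace["src"] == "any" and ace["dst"] == "any" and ace["port"] is None:
            findings.append(f"CRITICAL {where}: permits all {ace['proto']} traffic, the ACL filters nothing")
        if ace["port"] == 23:
            if ace["src"] == "any":
                findings.append(f"CRITICAL {where}: telnet reachable from any source; logins cross the internet in cleartext")
            else:
                findings.append(f"MEDIUM {where}: telnet still in use; it sends passwords in cleartext, prefer ssh")
        if ace["port"] == 25 and ace["dst"] != mail_server:
            findings.append(f"HIGH {where}: smtp permitted to {ace['dst']}, should reach only host {mail_server}")
    return findings


# Constructed: roughly the ACL Rusty describes (telnet and smtp open any/any).
WEAK_ACL = """\
access-list 101 permit tcp any any eq telnet
access-list 101 permit tcp any any eq smtp
access-list 101 permit tcp any host 192.0.2.11 eq www
"""

# Constructed: the same services, narrowed. Management only from one admin host
# over tcp/22, mail only to the mail server, and an explicit logged deny so that
# dropped probes show up in the router log (the "walk them through the log"
# argument made above).
TIGHT_ACL = """\
access-list 101 permit tcp host 198.51.100.5 host 192.0.2.1 eq 22
access-list 101 permit tcp any host 192.0.2.10 eq smtp
access-list 101 permit tcp any host 192.0.2.11 eq www
access-list 101 deny ip any any log
"""

if __name__ == "__main__":
    for name, acl in (("weak", WEAK_ACL), ("tight", TIGHT_ACL)):
        print(f"== {name} ==")
        for finding in audit_inbound_acl(acl, "192.0.2.10") or ["no findings"]:
            print(" ", finding)
```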

Re: hacking a firewall [7:34978]

2002-02-18 Thread Hehdili Nizar

look at some sites such as:
www.cert.org
www.packetstormattack.com
www.securityfocus.com

to get some procedures for testing firewall installations; otherwise you
must get in touch with experts to evaluate your configuration and the
vulnerability degree of your firewall.
there are also some remote scanning tools on the internet from security
websites.
sami natour wrote in message news:
[EMAIL PROTECTED]
 Hi,
 I am trying to test how secure the BigFire firewall is. I need
 to run some tests; in other words, I want to find out if I
 can hack it or not. It is very important to our company
 to know how secure it is.

 Best Regards,
 sami






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=35759t=34978



Re: hacking a firewall [7:34978]

2002-02-10 Thread Allen May

Your best bet is to look up specs & reviews online from other experts & not
depend on your own tests based on limited information about the firewall.
Remember... a firewall is only as good as its configuration.  They DO allow
mistakes in configuration.  Search on google.com & you will probably find
what you're looking for.

Also...hacking a firewall can mean several things.  Do you mean telnet or
ssh accessibility?  Or are you talking about gaining access to servers from
outside passing through the firewall?

One last thing...don't depend on a firewall to be all the security you need.
It's only the first line of defense.  Servers of all OS types having the
vulnerability is the reason ports need to be blocked in the first place.
Research securing the servers & keep yourself informed with security mailing
lists.

I did a little research and either this page is outdated or they haven't
implemented IPSec/IKE on that thing yet.  It still says 3rd Quarter 2001 it
will be added... but doesn't say it has yet anywhere else on their home
page.  Also... I'm a little wary of advertising claiming to be infinitely
more secure than other firewalls ;)

http://www.biodata.com/us/products/bigfire/biodata_bigfire.cphtml



 sami natour wrote in message
 news:[EMAIL PROTECTED]...
  Hi,
  I am trying to test how secure the BigFire firewall is. I need
  to run some tests; in other words, I want to find out if I
  can hack it or not. It is very important to our company
  to know how secure it is.

  Best Regards,
  sami
 
 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=35030t=34978



hacking a firewall [7:34978]

2002-02-09 Thread sami natour

Hi,
I am trying to test how secure the BigFire firewall is. I need
to run some tests; in other words, I want to find out if I
can hack it or not. It is very important to our company
to know how secure it is.

Best Regards,
sami






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=34978t=34978



Re: hacking a firewall [7:34978]

2002-02-09 Thread Godswill HO

O boy user Network Scanner na?

Regards.
- Original Message -
From: sami natour 
To: 
Sent: Saturday, February 09, 2002 12:13 PM
Subject: hacking a firewall [7:34978]


 Hi,
 I am trying to test how secure the BigFire firewall is. I need
 to run some tests; in other words, I want to find out if I
 can hack it or not. It is very important to our company
 to know how secure it is.

 Best Regards,
 sami






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=35003t=34978



Re: OT: Enable secret hacking [7:23670]

2001-10-22 Thread Drew - Home

 The reason I asked was to see if other people's impression was the same as
 mine. I've got the tools for the level 7 passwords, but was under the
 impression that the enable secret was almost impossible.

This is a dangerous assumption.  Nothing is impossible, and this has 
little to do with the method used to secure the password.  If your admins
choose a simple password, then the process to break it is simple.  If
they select a strong password, then the process is longer, but not ever
impossible.  

If the attacker can gain a copy of your config, via SNMP for example,
and actually see the encrypted output, you should not consider any 
password secure, no matter how complex it is.  Personally, I have 
a very nice RS/6000 B50 sitting in my lab rack at home, and would
have no problem committing all its cycles to a task like password
cracking.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=23780t=23670



Re: AW: OT: Enable secret hacking [7:23670]

2001-10-22 Thread Mike Sweeney

You were thinking along my lines with parallel processing. I have a feeling
it's not too difficult anymore to set up the killer cluster.. more than
likely using virtual connections..

But then again, if someone wants in that badly.. 

I would worry more about social engineering which is always one of the
weakest links in any security program.

MikeS


Carroll Kong wrote:
 
 It has to do with brute force strength.  Against an MD5, it does
 pretty
 poorly, benching about 440 Cracks per second on a K6-200 with
 160 megs of
 ram.  (ram is irrelevant to be honest).  I am guessing that say
 a gigahertz
 processor might do a linear increase to about ~2000 Cracks per 
 second.  This is pretty slow and has almost no chance to stop a
 good 8
 character password.
 
 With about 92 or so character choices for a password,
 8^92 == 121.416E81.  Or, a heck of a lot for a simple 8
 character
 password.  Yes, with this number, it is impossible for one
 machine to do
 this in a life time.
 
  Note, few people put up good, strong passwords.  If
 there is any
 level of efficiency, we can cut this number down a lot.
 
  On the side, Microsoft's Mighty NT Lan Man DES gets
 hit by an
 astounding 90K cracks per second on a K6-200.  Forget that, I
 believe
 L0phtcrack lets you do 300-400K cracks per second on your
 slightly below
 average processor of today and can do them in parallel.  Maybe
 that is why
 Microsoft is quickly dropping their Lanman Hash as they
 introduce Win2k as
 the champion server OS?
 
  However, I wonder if one can use programs like john
 the ripper
 in parallel with other machines.  With a cracking Athlon box
 running for
 maybe $400 bucks, you can probably setup one nasty cluster to
 cut this down
 to size.  Although this may seem like a lot of trouble a hacker
 has to go
 through, it is and it is not.  If you give ANYONE an encrypted
 hash
 guarding something really important, you can assume it will be
 cracked
 within a life time and be used against you.  (Another good
 reason why you
 should rotate your passwords over a certain amount of time, but
 that of
 course has other possible problems).  Heck, it seems fairly
 reasonable for
 a hacker to have a small cluster of Athlon boxes.  I have quite
 a few PCs
 at home.
 
  As for practicality, one could argue most script
 kiddies are
 unable to fathom even what I just wrote.  However, a mere
 amateur or
 professional hacker could easily wreck do this.  Be careful if
 you have
 sensitive information or enemies!
 
 At 02:59 PM 10/21/01 -0400, Maissen Sacha wrote:
 Anh,
 Sorry for my question about your test below. This program
 john the
 ripper, is
 it working with dictionaries or not? Because my question is,
 if I use
 passwords
 like 12eldkvi, which are not in any dics, how long you need
 then to
 crack a
 MD5-password?
 
 Regards
 Sacha
 
 -Original Message-
 From: Anh Lam [mailto:[EMAIL PROTECTED]]
 Sent: Sunday, 21 October 2001 20:46
 To: [EMAIL PROTECTED]
 Subject: Re: OT: Enable secret hacking [7:23670]
 
 
 Gareth,
 I create an enable secret password on a Cisco router 2610
 with the
 password as you mentioned kittens.  Remember this is an MD5
 encrypted
 string ($1$Em47$DEsFfXv/Px6y/cEmjMwfE0).  You know what, I
 take this
 string
 and use the program called john the ripper running on my
 linux box to
 crack it.  This linux is a pentium 200MHz with 64MB of RAM. 
 It takes
 exactly 5 minutes to crack this password.  I would imagine for
 longer
 enable secret password, it takes longer but not as difficult
 as it
 sounds.
 
 Regards,
 -Carroll Kong
 
 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=23769t=23670



OT: Enable secret hacking [7:23670]

2001-10-21 Thread Gareth Hinton

Hi all,

I'm asking this as a matter of interest after something I saw this week:
Given the following line of config:

enable secret 5 $1$32Pc$uq7Tr7gq4v22PqEG4WFF90

What are the chances of cracking the enable secret?  (Without raising
suspicion by having 40 million attempts on the box itself.)
Let's say the password is an 8 character string of letters only, not
necessarily a dictionary word.

What's everybody's view, could it be easily hacked or not?


Thanks,

Gaz




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=23670t=23670



Re: OT: Enable secret hacking [7:23670]

2001-10-21 Thread Craig Columbus

There are several tools available to reverse the standard cisco password 
encryption.  However, the output that you show for enable secret isn't the 
standard encrypted password; rather, it's the output of a one-way hash on 
the password (the whole point of enable secret).  So, I'd say that the 
chances of cracking the enable secret without some serious horsepower are 
rather slim.

Craig

At 09:13 AM 10/21/2001 -0400, you wrote:
Hi all,

I'm asking this as a matter of interest after something I saw this week:
Given the following line of config:

enable secret 5 $1$32Pc$uq7Tr7gq4v22PqEG4WFF90

What are the chances of cracking the enable secret?  (Without raising
suspicion by having 40 million attempts on the box itself.)
Let's say the password is an 8 character string of letters only, not
necessarily a dictionary word.

What's everybody's view, could it be easily hacked or not?


Thanks,

Gaz




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=23678t=23670



Re: OT: Enable secret hacking [7:23670]

2001-10-21 Thread John Neiberger

The enable secret would not be an easy thing to crack.  The enable password,
however, can be cracked easily with a number of utilities available for free
on the internet.

If you have hackers attacking your network who have the capability to crack
the enable secret then you have much bigger problems. 

As I recall, the enable secret displayed when you do a show run is a one-way
hash, so the original cannot be determined from the encrypted version.  I'll
have to check into that.

A good hacker would spend his time elsewhere.  Sitting at the login prompt
trying to guess passwords for a few years probably isn't a wise way to spend
one's time.  Hackers tend to go for the low-hanging fruit.

Regards,
John

On Sun, 21 Oct 2001 09:13:35 -0400, Gareth Hinton wrote:

|  Hi all,
|  
|  I'm asking this as a matter of interest after something I saw this week:
|  Given the following line of config:
|  
|  enable secret 5 $1$32Pc$uq7Tr7gq4v22PqEG4WFF90
|  
|  What are the chances of cracking the enable secret?  (Without raising
|  suspicion by having 40 million attempts on the box itself.)
|  Let's say the password is an 8 character string of letters only, not
|  necessarily a dictionary word.
|  
|  What's everybody's view, could it be easily hacked or not?
|  
|  
|  Thanks,
|  
|  Gaz
|  
|  
|  
|  




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=23689t=23670



Re: OT: Enable secret hacking [7:23670]

2001-10-21 Thread Anh Lam

From what I understand, the enable secret is MD5 encrypted.  If my memory 
serves me right, the password file on Linux system (/etc/shadow) is also md5 
encrypted.  If that is the case, there are utilities on the
Internet that can be used to crack this baby.  Granted that it is going to 
require memory and CPU power but it is not as difficult as it sounds.  
That's the reason why the /etc/shadow file on unix system is read/writable 
only by root.




From: John Neiberger 
Reply-To: John Neiberger 
To: [EMAIL PROTECTED]
Subject: Re: OT: Enable secret hacking [7:23670]
Date: Sun, 21 Oct 2001 12:45:19 -0400

The enable secret would not be an easy thing to crack.  The enable 
password,
however, can be cracked easily with a number of utilities available for 
free
on the internet.

If you have hackers attacking your network who have the capability to crack
the enable secret then you have much bigger problems.

As I recall, the enable secret displayed when you do a show run is a one-way
hash, so the original cannot be determined from the encrypted version.  I'll
have to check into that.

A good hacker would spend his time elsewhere.  Sitting at the login prompt
trying to guess passwords for a few years probably isn't a wise way to spend
one's time.  Hackers tend to go for the low-hanging fruit.

Regards,
John

On Sun, 21 Oct 2001 09:13:35 -0400, Gareth Hinton wrote:

|  Hi all,
|
|  I'm asking this as a matter of interest after something I saw this week:
|  Given the following line of config:
|
|  enable secret 5 $1$32Pc$uq7Tr7gq4v22PqEG4WFF90
|
|  What are the chances of cracking the enable secret?  (Without raising
|  suspicion by having 40 million attempts on the box itself.)
|  Let's say the password is an 8 character string of letters only, not
|  necessarily a dictionary word.
|
|  What's everybody's view, could it be easily hacked or not?
|
|
|  Thanks,
|
|  Gaz
|
|
|
|




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=23694t=23670



Re: OT: Enable secret hacking [7:23670]

2001-10-21 Thread Gareth Hinton

The reason I asked was to see if other people's impression was the same as
mine. I've got the tools for the level 7 passwords, but was under the
impression that the enable secret was almost impossible.
I do some work for a fairly large company that had some penetration testing
done this week by a government agency.
One of the hackers told me that depending on the length and complexity of
the password he could crack the enable password from the MD5 hash pretty
quickly.
The passwords we normally use for enable secrets are over 8 character random
alphanumeric strings, so it was taking some time.
Not believing him entirely, I suggested that I simplify the password a
little to a dictionary word of 7 characters. I changed it to kittens and
it took his unix box around 5 seconds to go through the dictionary
performing MD5 hash on every word, then comparing the result with the real
hash.

I was quite surprised at how quick it was. Admittedly they need to see the
MD5 hash somehow, but I've never gone over the top to cover these up before
now.

We also (a little carelessly) got caught out with a few switches with IP
HTTP SERVER on as default, so the weakness with http allowed level 15
access to the switches. Oops.

Just thought I'd bring it up anyway. I think no ip http server and more
complex passwords are in order.


Regards,

Gareth

John Neiberger  wrote in message
news:[EMAIL PROTECTED]...
 The enable secret would not be an easy thing to crack.  The enable password,
 however, can be cracked easily with a number of utilities available for free
 on the internet.

 If you have hackers attacking your network who have the capability to crack
 the enable secret then you have much bigger problems.

 As I recall, the enable secret displayed when you do a show run is a one-way
 hash, so the original cannot be determined from the encrypted version.  I'll
 have to check into that.

 A good hacker would spend his time elsewhere.  Sitting at the login prompt
 trying to guess passwords for a few years probably isn't a wise way to spend
 one's time.  Hackers tend to go for the low-hanging fruit.

 Regards,
 John

 On Sun, 21 Oct 2001 09:13:35 -0400, Gareth Hinton wrote:

 |  Hi all,
 |
 |  I'm asking this as a matter of interest after something I saw this week:
 |  Given the following line of config:
 |
 |  enable secret 5 $1$32Pc$uq7Tr7gq4v22PqEG4WFF90
 |
 |  What are the chances of cracking the enable secret?  (Without raising
 |  suspicion by having 40 million attempts on the box itself.)
 |  Let's say the password is an 8 character string of letters only, not
 |  necessarily a dictionary word.
 |
 |  What's everybody's view, could it be easily hacked or not?
 |
 |
 |  Thanks,
 |
 |  Gaz
 |
 |
 |
 |




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=23696t=23670
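Gareth's "tools for the level 7 passwords" refer to the fact that a type 7 string is not a hash at all: IOS XORs the password with a fixed, publicly known key, so anyone holding the config text recovers it instantly, which is why only the enable secret is worth discussing. The Python below is an added illustration, not code from the thread or from Cisco; the sample config with its hostname, user and passwords is constructed for the example, and the 0822455D0A16 / "cisco" pair is the standard test value for this scheme.

```python
"""Cisco IOS type 7 password obfuscation: encode, decode, and audit a config.

Added example, not code from the thread.  'enable password' and
'service password-encryption' produce type 7 strings, which are a
fixed-key XOR and therefore reversible by anyone who can read the config.
"""
import re
from typing import List, Tuple

# The fixed key IOS uses for type 7.  It is identical on every device, so it
# provides no secrecy; the scheme has been public for years.
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded: str) -> str:
    """Reverse a type 7 string such as '0822455D0A16' (-> 'cisco').

    Layout: two decimal digits giving a starting offset into the key, then one
    hex byte per password character, each XORed with the key byte at
    (offset + position) modulo the key length.
    """
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError(f"malformed type 7 string: {encoded!r}")
    seed = int(encoded[:2])
    if seed >= len(_TYPE7_KEY):
        raise ValueError("offset beyond key length")
    body = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)] for i, b in enumerate(body))
    return plain.decode("ascii")


def type7_encode(plain: str, seed: int = 8) -> str:
    """Produce the type 7 string IOS would store for `plain` at offset `seed`.

    IOS picks the offset from a small range (0-15 in practice); any offset
    below the key length decodes correctly.
    """
    data = plain.encode("ascii")
    body = bytes(b ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)] for i, b in enumerate(data))
    return f"{seed:02d}{body.hex().upper()}"


# Matches the trailing '7 <hex>' of lines such as 'enable password 7 0822455D0A16'
# or 'username admin password 7 ...'.  An 'enable secret 5 $1$...' line does not match.
_TYPE7_LINE = re.compile(r"\b7\s+([0-9A-Fa-f]{4,})\s*$")


def find_type7(config_text: str) -> List[Tuple[str, str]]:
    """Return (config line, recovered password) for every type 7 string found."""
    hits = []
    for line in config_text.splitlines():
        m = _TYPE7_LINE.search(line)
        if m:
            hits.append((line.strip(), type7_decode(m.group(1))))
    return hits


# Constructed sample config for the demo; hostname, user and passwords are made up.
SAMPLE_CONFIG = """\
hostname edge-rtr
enable secret 5 $1$32Pc$uq7Tr7gq4v22PqEG4WFF90
enable password 7 0822455D0A16
username admin password 7 030F521F120A2F5F
line vty 0 4
 password 7 0822455D0A16
 login
"""

if __name__ == "__main__":
    for line, secret in find_type7(SAMPLE_CONFIG):
        print(f"{line!r:50} -> {secret!r}")
    # Round trip: encoding then decoding gives the original back.
    assert type7_decode(type7_encode("kittens", 3)) == "kittens"
```

Run it over a saved show run to list every reversible password; anything it reports should be replaced by an enable secret (or a username secret where the IOS supports it), because service password-encryption only produces more type 7 strings.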



Re: OT: Enable secret hacking [7:23670]

2001-10-21 Thread Anh Lam

Gareth,
I created an enable secret password on a Cisco router 2610 with the
password as you mentioned, kittens.  Remember this is an MD5 encrypted
string ($1$Em47$DEsFfXv/Px6y/cEmjMwfE0).  You know what, I took this string
and used the program called john the ripper running on my linux box to
crack it.  This linux is a pentium 200MHz with 64MB of RAM.  It took
exactly 5 minutes to crack this password.  I would imagine for a longer
enable secret password, it takes longer but not as difficult as it sounds.

Regards,



From: Gareth Hinton 
Reply-To: Gareth Hinton 
To: [EMAIL PROTECTED]
Subject: Re: OT: Enable secret hacking [7:23670]
Date: Sun, 21 Oct 2001 13:34:19 -0400

The reason I asked was to see if other people's impression was the same as
mine. I've got the tools for the level 7 passwords, but was under the
impression that the enable secret was almost impossible.
I do some work for a fairly large company that had some penetration testing
done this week by a government agency.
One of the hackers told me that depending on the length and complexity of
the password he could crack the enable password from the MD5 hash pretty
quickly.
The passwords we normally use for enable secrets are over 8 character random
alphanumeric strings, so it was taking some time.
Not believing him entirely, I suggested that I simplify the password a
little to a dictionary word of 7 characters. I changed it to kittens and
it took his unix box around 5 seconds to go through the dictionary
performing MD5 hash on every word, then comparing the result with the real
hash.

I was quite surprised at how quick it was. Admittedly they need to see the
MD5 hash somehow, but I've never gone over the top to cover these up before
now.

We also (a little carelessly) got caught out with a few switches with IP
HTTP SERVER on as default, so the weakness with http allowed level 15
access to the switches. Oops.

Just thought I'd bring it up anyway. I think no ip http server and more
complex passwords are in order.


Regards,

Gareth

John Neiberger  wrote in message
news:[EMAIL PROTECTED]...
  The enable secret would not be an easy thing to crack.  The enable password,
  however, can be cracked easily with a number of utilities available for free
  on the internet.
  
  If you have hackers attacking your network who have the capability to crack
  the enable secret then you have much bigger problems.
  
  As I recall, the enable secret displayed when you do a show run is a one-way
  hash, so the original cannot be determined from the encrypted version.  I'll
  have to check into that.
  
  A good hacker would spend his time elsewhere.  Sitting at the login prompt
  trying to guess passwords for a few years probably isn't a wise way to spend
  one's time.  Hackers tend to go for the low-hanging fruit.
 
  Regards,
  John
 
  On Sun, 21 Oct 2001 09:13:35 -0400, Gareth Hinton wrote:
 
  |  Hi all,
  |
  |  I'm asking this as a matter of interest after something I saw this week:
  |  Given the following line of config:
  |
  |  enable secret 5 $1$32Pc$uq7Tr7gq4v22PqEG4WFF90
  |
  |  What are the chances of cracking the enable secret?  (Without raising
  |  suspicion by having 40 million attempts on the box itself.)
  |  Let's say the password is an 8 character string of letters only, not
  |  necessarily a dictionary word.
  |
  |  What's everybody's view, could it be easily hacked or not?
  |
  |
  |  Thanks,
  |
  |  Gaz
  |
  |
  |
  |




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=23704t=23670



Re: OT: Enable secret hacking [7:23670]

2001-10-21 Thread Gareth Hinton

I would imagine that if using a-z and 0 to 9, with 8 characters there would
be 8 to the power 36 combinations (I think).
Trouble is those numbers are getting too large for me to have any concept of
how long it would take to hack. We'd need to get an idea of how long each
attempt takes.

Looking back at the original password it was very similar to yours. His unix
box had been going for 4 hours when we stopped it to do those tests, so much
harder to crack. I'm going to set one off later to see how long it takes.

This is not scare mongering by the way.
To accomplish this you already need to have the MD5 hash. I think it's just
better to avoid complacency - make the passwords longer and use special
characters if possible. I didn't realise the amount of difference between
dictionary passwords and the alternative. I suppose something as simple as
kittens/1 would cut out the dictionary searches.

Gareth



Maissen Sacha  wrote in message
news:[EMAIL PROTECTED]...
 Anh,
 Sorry for my question about your test below. This program john the ripper, is
 it working with dictionaries or not? Because my question is, if I use passwords
 like 12eldkvi, which are not in any dics, how long you need then to crack a
 MD5-password?

 Regards
 Sacha

 -----Original Message-----
 From: Anh Lam [mailto:[EMAIL PROTECTED]]
 Sent: Sunday, 21 October 2001 20:46
 To: [EMAIL PROTECTED]
 Subject: Re: OT: Enable secret hacking [7:23670]


 Gareth,
 I create an enable secret password on a Cisco router 2610 with the
 password as you mentioned kittens.  Remember this is an MD5 encrypted
 string ($1$Em47$DEsFfXv/Px6y/cEmjMwfE0).  You know what, I take this string
 and use the program called john the ripper running on my linux box to
 crack it.  This linux is a pentium 200MHz with 64MB of RAM.  It takes
 exactly 5 minutes to crack this password.  I would imagine for longer
 enable secret password, it takes longer but not as difficult as it sounds.

 Regards,




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=23707t=23670



Re: AW: OT: Enable secret hacking [7:23670]

2001-10-21 Thread Anh Lam

If the password is NOT in the dictionary, then it would take a considerable
amount of time to crack it.  I've not tried it yet so I can't tell you;
however, given the power of PCs these days, I wouldn't be surprised that it
will not take very long.  Furthermore, if someone really wants to crack the
password, he/she would use this application on clustering technology to
increase the CPU and memory.




From: Maissen Sacha 
Reply-To: Maissen Sacha 
To: [EMAIL PROTECTED]
Subject: AW: OT: Enable secret hacking [7:23670]
Date: Sun, 21 Oct 2001 14:59:51 -0400

Anh,
Sorry for my question about your test below. This program john the ripper, is
it working with dictionaries or not? Because my question is, if I use passwords
like 12eldkvi, which are not in any dics, how long you need then to crack a
MD5-password?

Regards
Sacha

-----Original Message-----
From: Anh Lam [mailto:[EMAIL PROTECTED]]
Sent: Sunday, 21 October 2001 20:46
To: [EMAIL PROTECTED]
Subject: Re: OT: Enable secret hacking [7:23670]


Gareth,
I create an enable secret password on a Cisco router 2610 with the
password as you mentioned kittens.  Remember this is an MD5 encrypted
string ($1$Em47$DEsFfXv/Px6y/cEmjMwfE0).  You know what, I take this string
and use the program called john the ripper running on my linux box to
crack it.  This linux is a pentium 200MHz with 64MB of RAM.  It takes
exactly 5 minutes to crack this password.  I would imagine for longer
enable secret password, it takes longer but not as difficult as it sounds.

Regards,




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=23709t=23670



Re: OT: Enable secret hacking [7:23670]

2001-10-21 Thread Brian Whalen

perhaps this is why sho run and sho conf are not level 1 commands??

Brian Sonic Whalen
Success = Preparation + Opportunity


On Sun, 21 Oct 2001, Gareth Hinton wrote:

 The reason I asked was to see if other people's impression was the same as
 mine. I've got the tools for the level 7 passwords, but was under the
 impression that the enable secret was almost impossible.
 I do some work for a fairly large company that had some penetration testing
 done this week by a government agency.
 One of the hackers told me that depending on the length and complexity of
 the password he could crack the enable password from the MD5 hash pretty
 quickly.
 The passwords we normally use for enable secrets are over 8 character random
 alphanumeric strings, so it was taking some time.
 Not believing him entirely, I suggested that I simplify the password a
 little to a dictionary word of 7 characters. I changed it to kittens and
 it took his unix box around 5 seconds to go through the dictionary
 performing MD5 hash on every word, then comparing the result with the real
 hash.

 I was quite surprised at how quick it was. Admittedly they need to see the
 MD5 hash somehow, but I've never gone over the top to cover these up before
 now.

 We also (a little carelessly) got caught out with a few switches with IP
 HTTP SERVER on as default, so the weakness with http allowed level 15
 access to the switches. Oops.

 Just thought I'd bring it up anyway. I think no ip http server and more
 complex passwords are in order.


 Regards,

 Gareth

 John Neiberger  wrote in message
 news:[EMAIL PROTECTED]...
  The enable secret would not be an easy thing to crack.  The enable password,
  however, can be cracked easily with a number of utilities available for free
  on the internet.
  
  If you have hackers attacking your network who have the capability to crack
  the enable secret then you have much bigger problems.
  
  As I recall, the enable secret displayed when you do a show run is a one-way
  hash, so the original cannot be determined from the encrypted version.  I'll
  have to check into that.
  
  A good hacker would spend his time elsewhere.  Sitting at the login prompt
  trying to guess passwords for a few years probably isn't a wise way to spend
  one's time.  Hackers tend to go for the low-hanging fruit.
 
  Regards,
  John
 
  On Sun, 21 Oct 2001 09:13:35 -0400, Gareth Hinton wrote:
 
  |  Hi all,
  |
  |  I'm asking this as a matter of interest after something I saw this week:
  |  Given the following line of config:
  |
  |  enable secret 5 $1$32Pc$uq7Tr7gq4v22PqEG4WFF90
  |
  |  What are the chances of cracking the enable secret?  (Without raising
  |  suspicion by having 40 million attempts on the box itself.)
  |  Let's say the password is an 8 character string of letters only, not
  |  necessarily a dictionary word.
  |
  |  What's everybody's view, could it be easily hacked or not?
  |
  |
  |  Thanks,
  |
  |  Gaz
  |
  |
  |
  |




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=23708t=23670



Re: OT: Enable secret hacking [7:23670]

2001-10-21 Thread Anh Lam

If routers and switches are configured to use TACACS then both the EXEC
(level 7) and enable secret password are pretty much useless.  For some
hackers to get onto a router or a switch with EXEC and enable secret, the
TACACS server must not be reachable by the router and switch. Only at that
point, one would have to log onto Cisco devices with a local account and go
into privilege mode with the enable secret password. Authentication,
Authorization and Accounting will be taking place at the TACACS server under
normal conditions.  Frankly, I wouldn't be too worried about it anyway.


From: Brian Whalen 
Reply-To: Brian Whalen 
To: [EMAIL PROTECTED]
Subject: Re: OT: Enable secret hacking [7:23670]
Date: Sun, 21 Oct 2001 15:38:37 -0400

perhaps this is why sho run and sho conf are not level 1 commands??

Brian Sonic Whalen
Success = Preparation + Opportunity


On Sun, 21 Oct 2001, Gareth Hinton wrote:

  The reason I asked was to see if other people's impression was the same as
  mine. I've got the tools for the level 7 passwords, but was under the
  impression that the enable secret was almost impossible.
  I do some work for a fairly large company that had some penetration testing
  done this week by a government agency.
  One of the hackers told me that depending on the length and complexity of
  the password he could crack the enable password from the MD5 hash pretty
  quickly.
  The passwords we normally use for enable secrets are over 8 character random
  alphanumeric strings, so it was taking some time.
  Not believing him entirely, I suggested that I simplify the password a
  little to a dictionary word of 7 characters. I changed it to kittens and
  it took his unix box around 5 seconds to go through the dictionary
  performing MD5 hash on every word, then comparing the result with the real
  hash.
  
  I was quite surprised at how quick it was. Admittedly they need to see the
  MD5 hash somehow, but I've never gone over the top to cover these up before
  now.
  
  We also (a little carelessly) got caught out with a few switches with IP
  HTTP SERVER on as default, so the weakness with http allowed level 15
  access to the switches. Oops.
  
  Just thought I'd bring it up anyway. I think no ip http server and more
  complex passwords are in order.
 
 
  Regards,
 
  Gareth
 
  John Neiberger  wrote in message
  news:[EMAIL PROTECTED]...
   The enable secret would not be an easy thing to crack.  The enable password,
   however, can be cracked easily with a number of utilities available for free
   on the internet.
  
   If you have hackers attacking your network who have the capability to crack
   the enable secret then you have much bigger problems.
  
   As I recall, the enable secret displayed when you do a show run is a one-way
   hash, so the original cannot be determined from the encrypted version.  I'll
   have to check into that.
  
   A good hacker would spend his time elsewhere.  Sitting at the login prompt
   trying to guess passwords for a few years probably isn't a wise way to spend
   one's time.  Hackers tend to go for the low-hanging fruit.
  
   Regards,
   John
  
   On Sun, 21 Oct 2001 09:13:35 -0400, Gareth Hinton wrote:
  
   |  Hi all,
   |
   |  I'm asking this as a matter of interest after something I saw this week:
   |  Given the following line of config:
   |
   |  enable secret 5 $1$32Pc$uq7Tr7gq4v22PqEG4WFF90
   |
   |  What are the chances of cracking the enable secret?  (Without raising
   |  suspicion by having 40 million attempts on the box itself.)
   |  Let's say the password is an 8 character string of letters only, not
   |  necessarily a dictionary word.
   |
   |  What's everybody's view, could it be easily hacked or not?
   |
   |
   |  Thanks,
   |
   |  Gaz
   |
   |
   |
   |




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=23711t=23670
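Anh's point is that with TACACS+ in front of the device the local enable secret is only exercised when the server is unreachable, so the hash matters less if the rest of the box is tidy. The IOS fragment below pulls the thread's recommendations together (drop the type 7 enable password, no ip http server, TACACS+ with local fallback and command accounting, restricted VTY access). It is an added example and not taken from any message; the server address 192.0.2.10 and the management subnet 192.0.2.0/24 are documentation-range placeholders, and the REPLACE-WITH-... values stand for real secrets.

```text
! Added example, not from the thread.  192.0.2.10, 192.0.2.0/24 and the
! REPLACE-WITH-... values are placeholders.
!
! Only the MD5 enable secret survives a leaked config; a type 7 'enable
! password' is recoverable in seconds, so do not keep one at all.
no enable password
enable secret REPLACE-WITH-LONG-RANDOM-SECRET
! 'username ... secret' needs an IOS that supports it; on older images the
! local fallback account is unavoidably a type 7 string.
username admin secret REPLACE-WITH-ANOTHER-RANDOM-SECRET
! This only type-7-obfuscates whatever clear-text passwords remain; it is
! not a substitute for the secret above.
service password-encryption
!
! The default HTTP server is what gave level 15 access on the switches.
no ip http server
!
! Authenticate logins and 'enable' against TACACS+, fall back to the local
! account and enable secret only when the server is unreachable, and
! account for level 15 commands so a cracked secret at least leaves a trail.
aaa new-model
tacacs-server host 192.0.2.10
tacacs-server key REPLACE-WITH-SHARED-SECRET
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
! Limit which hosts may reach the VTYs; if there is no remote path to the
! login prompt, the hash alone does not get an attacker in.
access-list 10 permit 192.0.2.0 0.0.0.255
line vty 0 4
 access-class 10 in
 exec-timeout 5 0
```

Verify the result with show running-config: no line should still carry a "7" string that the device depends on, and the only remaining password material should be the $1$ secrets.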



Re: OT: Enable secret hacking [7:23670]

2001-10-21 Thread Carroll Kong

You are correct, assuming fully random values.  Let us not assume 
that 4 hours is a long time.  If they have the hash, they have all the 
time in the world and you will never know they are cracking away at 
it.  The hash MUST be and SHOULD be guarded at all costs.  This definitely 
stops the neophytes, but you really do not want the pros getting their 
hands on it.
 Each attempt varies, for MD5, john in particular runs 440 Cracks 
per second on a k6-200.  This is very slow.
 As for kittens/1, no, it would not help much.  If you have ANY 
string that is within a dictionary, you just gave up that entire 
subsection.  There are a lot of clever combinations that can be used and 
done.  If you do not believe me, just take a look at some regular 
expressions that perl programmers use.  You can catch a LOT of combinations 
and do lots of tricks.

1)  Do not use ANYTHING remotely related to you personally or in a 
dictionary for a password.
2)  Do not use clever combinations like KiTtEnS/134, it is just as easy to 
crack.
3)  Do not use password generators.  Why?  Write a program that does 
password generation.  You did it?  Great.  You did an algorithm based on 
some random seed.  Does not matter, you now have a pattern which you can 
write your hacking program to work with.  Now it will know your pattern if 
it can reverse engineer the algorithm (should not be too hard), and you can 
kiss every single password that you used with that goodbye, like in 5 
seconds each.  ;)

(If you use open source software to generate, they have the algorithm; if 
you used closed source, you can delude yourself that security through 
obscurity works.  Well, it does not.)

At 03:19 PM 10/21/01 -0400, Gareth Hinton wrote:
I would imagine that if using a-z and 0 to 9, with 8 characters there would
be 8 to the power 36 combinations (I think).
Trouble is those numbers are getting too large for me to have any concept of
how long it would take to hack. We'd need to get an idea of how long each
attempt takes.

Looking back at the original password it was very similar to yours. His unix
box had been going for 4 hours when we stopped it to do those tests, so much
harder to crack. I'm going to set one off later to see how long it takes.

This is not scare mongering by the way.
To accomplish this you already need to have the MD5 hash. I think it's just
better to avoid complacency - make the passwords longer and use special
characters if possible. I didn't realise the amount of difference between
dictionary passwords and the alternative. I suppose something as simple as
kittens/1 would cut out the dictionary searches.

Gareth



Maissen Sacha  wrote in message
news:[EMAIL PROTECTED]...
  Anh,
  Sorry for my question about your test below. This program john the ripper, is
  it working with dictionaries or not? Because my question is, if I use passwords
  like 12eldkvi, which are not in any dics, how long you need then to crack a
  MD5-password?
 
  Regards
  Sacha
 
  -----Original Message-----
  From: Anh Lam [mailto:[EMAIL PROTECTED]]
  Sent: Sunday, 21 October 2001 20:46
  To: [EMAIL PROTECTED]
  Subject: Re: OT: Enable secret hacking [7:23670]
 
 
  Gareth,
  I create an enable secret password on a Cisco router 2610 with the
  password as you mentioned kittens.  Remember this is an MD5 encrypted
  string ($1$Em47$DEsFfXv/Px6y/cEmjMwfE0).  You know what, I take this string
  and use the program called john the ripper running on my linux box to
  crack it.  This linux is a pentium 200MHz with 64MB of RAM.  It takes
  exactly 5 minutes to crack this password.  I would imagine for longer
  enable secret password, it takes longer but not as difficult as it sounds.
 
  Regards,
-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=23717t=23670



Re: AW: OT: Enable secret hacking [7:23670]

2001-10-21 Thread Carroll Kong

It has to do brute force strength.  Against an MD5, it does pretty 
poorly, benching about 440 Cracks per second on a K6-200 with 160 megs of 
ram.  (ram is irrelevant to be honest).  I am guessing that say a gigahertz 
processor might do a linear increase to about ~2000 Cracks per 
second.  This is pretty slow and has almost no chance to stop a good 8 
character password.

With about 92 or so character choices for a password,
8^92 == 121.416E81.  Or, a heck of a lot for a simple 8 character 
password.  Yes, with this number, it is impossible for one machine to do 
this in a life time.

 Note, few people put up good, strong passwords.  If there is any 
level of efficiency, we can cut this number down a lot.

 On the side, Microsoft's Mighty NT Lan Man DES gets hit by an 
astounding 90K cracks per second on a K6-200.  Forget that, I believe 
L0phtcrack lets you do 300-400K cracks per second on your slightly below 
average processor of today and can do them in parallel.  Maybe that is why 
Microsoft is quickly dropping their Lanman Hash as they introduce Win2k as 
the champion server OS?

 However, I wonder if one can use programs like john the ripper 
in parallel with other machines.  With a cracking Athlon box running for 
maybe $400 bucks, you can probably setup one nasty cluster to cut this down 
to size.  Although this may seem like a lot of trouble a hacker has to go 
through, it is and it is not.  If you give ANYONE an encrypted hash 
guarding something really important, you can assume it will be cracked 
within a life time and be used against you.  (Another good reason why you 
should rotate your passwords over a certain amount of time, but that of 
course has other possible problems).  Heck, it seems fairly reasonable for 
a hacker to have a small cluster of Athlon boxes.  I have quite a few PCs 
at home.

 As for practicality, one could argue most script kiddies are 
unable to fathom even what I just wrote.  However, a mere amateur or 
professional hacker could easily do this.  Be careful if you have 
sensitive information or enemies!

At 02:59 PM 10/21/01 -0400, Maissen Sacha wrote:
Anh,
Sorry for my question about your test below. This program john the ripper, is
it working with dictionaries or not? Because my question is, if I use passwords
like 12eldkvi, which are not in any dics, how long you need then to crack a
MD5-password?

Regards
Sacha

-----Original Message-----
From: Anh Lam [mailto:[EMAIL PROTECTED]]
Sent: Sunday, 21 October 2001 20:46
To: [EMAIL PROTECTED]
Subject: Re: OT: Enable secret hacking [7:23670]


Gareth,
I create an enable secret password on a Cisco router 2610 with the
password as you mentioned kittens.  Remember this is an MD5 encrypted
string ($1$Em47$DEsFfXv/Px6y/cEmjMwfE0).  You know what, I take this string
and use the program called john the ripper running on my linux box to
crack it.  This linux is a pentium 200MHz with 64MB of RAM.  It takes
exactly 5 minutes to crack this password.  I would imagine for longer
enable secret password, it takes longer but not as difficult as it sounds.

Regards,
-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=23716t=23670
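Two numbers in this thread are worth pinning down: the "kittens" hash that Anh and Gareth's tester cracked from a wordlist, and the roughly 440 MD5-crypt guesses per second Carroll quotes for john on a K6-200. The number of 8-character strings over an alphabet of N symbols is N^8, so there are 36^8 (about 2.8 x 10^12) lowercase-alphanumeric candidates and 92^8 (about 5.1 x 10^15) printable-ASCII ones; at 440 guesses per second even the smaller space takes about two centuries to exhaust, while a dictionary word costs one hash per candidate. The Python below, an added example rather than code from the thread or from john the ripper, implements MD5-crypt (the $1$ scheme behind enable secret 5 and older /etc/shadow entries) on top of hashlib, runs a small constructed wordlist against a hash, and computes those exhaust times. The wordlist is made up, and the glibc test vector "Hello world!" with salt saltstring ($1$saltstri$YMyguxXMBpd2TEZ.vS/3q1) is used as the correctness check for the hash routine.

```python
"""MD5-crypt ('enable secret 5', '$1$' shadow entries): hash, wordlist attack,
and a keyspace estimate.  Added example, not code from the thread.
"""
import hashlib
from typing import Iterable, Optional

_ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> str:
    """crypt(3)-style base64: emit `count` 6-bit groups, least significant first."""
    out = []
    for _ in range(count):
        out.append(_ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5_crypt(password: str, salt: str) -> str:
    """Return '$1$<salt>$<22 chars>' for `password`, the scheme behind 'enable secret 5'.

    The 1000-round loop is the only thing slowing an attacker down: each guess
    costs about a thousand MD5 compressions instead of one.
    """
    pw = password.encode()
    sb = salt.split("$")[0][:8].encode()  # a salt is at most 8 chars, terminated by '$'
    ctx = hashlib.md5(pw + b"$1$" + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    n = len(pw)
    while n > 0:
        ctx.update(alt[: min(16, n)])
        n -= 16
    n = len(pw)
    while n:
        ctx.update(b"\x00" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(sb)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    # Output bytes are interleaved in this fixed order before base64-ing.
    order = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    enc = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in order)
    enc += _to64(final[11], 2)
    return f"$1${sb.decode()}${enc}"


def crack_wordlist(hash_string: str, words: Iterable[str]) -> Optional[str]:
    """Dictionary attack: rehash each candidate with the salt taken from the target."""
    parts = hash_string.split("$")  # '$1$Em47$...' -> ['', '1', 'Em47', '...']
    if len(parts) != 4 or parts[1] != "1":
        raise ValueError("not an MD5-crypt hash")
    salt = parts[2]
    for word in words:
        if md5_crypt(word, salt) == hash_string:
            return word
    return None


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of passwords of exactly `length` symbols: alphabet_size ** length."""
    return alphabet_size ** length


def exhaust_seconds(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every password of that shape at a given guess rate."""
    return keyspace(alphabet_size, length) / guesses_per_second


# Constructed wordlist for the demo; a real attack uses a file of millions of words.
DEMO_WORDS = ["password", "cisco", "router", "letmein", "kittens", "secret", "admin"]

if __name__ == "__main__":
    # The hash Anh Lam posted for 'kittens', next to one computed here with his salt.
    posted = "$1$Em47$DEsFfXv/Px6y/cEmjMwfE0"
    print("computed:", md5_crypt("kittens", "Em47"))
    print("posted:  ", posted)
    print("wordlist result:", crack_wordlist(posted, DEMO_WORDS))
    # Brute force at the 440 c/s Carroll quotes for john on a K6-200.
    year = 365 * 24 * 3600
    for name, size in (("a-z0-9", 36), ("printable ASCII", 92)):
        print(f"8 chars over {name}: {keyspace(size, 8):.3g} candidates, "
              f"{exhaust_seconds(size, 8, 440) / year:.3g} years at 440 c/s")
```

The stretching loop is why 2001 hardware managed only hundreds of guesses per second; it does nothing for a password that is in the wordlist, which is the thread's real lesson. Salt plus rounds also mean a hash recovered from one router's config cannot be looked up in a precomputed table; each target has to be attacked on its own.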



Hacking subject-DDOS [7:6817]

2001-06-01 Thread concetta yates

Excellent article about IRC Bots... For those that ACLs the hell out of
your routers... Read up on this...

http://grc.com/dos/grcdos.htm




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=6817t=6817



Hacking!!!!!!!!!!!!!!!!!!!!!

2001-02-09 Thread imran obaidullah

Hi Friends,

I need some information on hacking which is surely to gain knowledge and secure
my corporate n/w. My office has a Cisco 3600 Router for internet connection.

1. How can someone hack the Router.
2. If an internet user is trying to hack the webserver using a hacking tool
which is using port 80, how can the administrator block this action while
still allowing the trusted users to access the webserver.

Thanks and Regards

imran




Re: Hacking!!!!!!!!!!!!!!!!!!!!!

2001-02-09 Thread JCoyne

Read the book Hacking Exposed 2nd edition.


"imran obaidullah" [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]...
 Hi Friends,

 I need some information on hacking which is surely to gain knowledge and
 secure my corporate n/w. My office has a Cisco 3600 Router for internet
 connection.

 1. How can someone hack the Router.
 2. If an internet user is trying to hack the webserver using a hacking tool
 which is using port 80, how can the administrator block this action while
 still allowing the trusted users to access the webserver.

 Thanks and Regards

 imran






RE: Hacking!!!!!!!!!!!!!!!!!!!!!

2001-02-09 Thread Watson, Rick, CTR, OUSDC

Can you say NIDS? A must have for a multilayer security posture.
Security does not start, or end for that matter with just a firewall..!!

-Original Message-
From: JCoyne [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 09, 2001 7:55 AM
To: [EMAIL PROTECTED]
Subject: Re: Hacking!


Read the book Hacking Exposed 2nd edition.


"imran obaidullah" [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]...
 Hi Friends,

 I need some information on hacking which is surely to gain knowledge and
 secure my corporate n/w. My office has a Cisco 3600 Router for internet
 connection.

 1. How can someone hack the Router.
 2. If an internet user is trying to hack the webserver using a hacking tool
 which is using port 80, how can the administrator block this action while
 still allowing the trusted users to access the webserver.

 Thanks and Regards

 imran




Re: Hacking!!!!!!!!!!!!!!!!!!!!!

2001-02-09 Thread Luke

Rick,

PMI (pardon my ignorance), I can say it as well as spell it but what the
hell is it and where can I get some.  TIA.

"Watson, Rick, CTR, OUSDC" [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]...
 Can you say NIDS? A must have for a multilayer security posture.
 Security does not start, or end for that matter with just a firewall..!!




RE: Hacking!!!!!!!!!!!!!!!!!!!!!

2001-02-09 Thread Stanfield Hilman B (Brad) CONT NSSG

Network Intrusion Detection Systems
Available most anywhere security solutions are sold.


Brad Stanfield CCNA/CCDA
Network/Integration Engineer
[EMAIL PROTECTED]
Government Micro Resources
 Network Operations Control Center
Norfolk Naval Shipyard
Bldg 33 NAVSEA NCOE
757-393-9526
1-800-626-6622




-Original Message-
From: Luke [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 09, 2001 10:43 AM
To: [EMAIL PROTECTED]
Subject: Re: Hacking!


Rick,

PMI (pardon my ignorance), I can say it as well as spell it, but what the
hell is it and where can I get some?  TIA.

""Watson, Rick, CTR, OUSDC"" [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]...
 Can you say NIDS? A must-have for a multilayer security posture.
 Security does not start, or end for that matter, with just a firewall!




RE: Hacking!!!!!!!!!!!!!!!!!!!!!

2001-02-09 Thread Watson, Rick, CTR, OUSDC

Network Intrusion Detection System - when looking to evaluate a product, look
at both host-based and network-based solutions. Each type complements the
other. I can remember only one product that is a "quasi-hybrid" mix of
both host- and network-based. I think it is from ISS (Internet Security
Systems).

-Original Message-
From: Luke [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 09, 2001 10:43 AM
To: [EMAIL PROTECTED]
Subject: Re: Hacking!


Rick,

PMI (pardon my ignorance), I can say it as well as spell it, but what the
hell is it and where can I get some?  TIA.

""Watson, Rick, CTR, OUSDC"" [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]...
 Can you say NIDS? A must-have for a multilayer security posture.
 Security does not start, or end for that matter, with just a firewall!

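
An added example, not posted by anyone in this thread, of the part of imran's
second question that an access list can answer on a 3600 running IOS. The
addresses and the interface name are assumptions: the web server is
203.0.113.80, the "trusted users" connect from 198.51.100.0/24, and
Serial0/0 faces the internet. Trusted sources may reach the web server on
tcp/80; every other source is refused and the attempt is logged. An access
list can only tell sources apart. It cannot tell an exploit carried inside a
permitted tcp/80 connection from a legitimate request, which is the gap the
NIDS replies above point at, and the reason the access list alone is no answer
once the web server has to be reachable from anywhere.

```cisco
! Added example for a Cisco 3600 internet edge; addresses and interface are assumptions.
!   203.0.113.80      the web server
!   198.51.100.0/24   the network the "trusted users" connect from
!   Serial0/0         the internet-facing interface
!
ip access-list extended FROM-INTERNET
 remark -- trusted users may reach the web server on tcp/80
 permit tcp 198.51.100.0 0.0.0.255 host 203.0.113.80 eq www
 remark -- anyone else trying tcp/80 to it is refused, and the hit is logged
 deny   tcp any host 203.0.113.80 eq www log
 remark -- replies to TCP sessions opened from the inside may come back
 permit tcp any any established
 remark -- everything else arriving from the internet is dropped and logged
 deny   ip any any log
!
interface Serial0/0
 ip access-group FROM-INTERNET in
!
! Somewhere for the "log" hits to go; without a syslog host they only sit
! in the router's own buffer where nobody reads them (host is an assumption)
logging 198.51.100.20
logging trap informational
```

The `deny ip any any log` entry will be noisy on a real internet link and
ACL logging costs router CPU, so in practice add explicit permits for the
other traffic the site needs (DNS replies and the like) and keep `log` on the
entries you actually want to see, such as refused connections to the web
server.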



Re: Hacking (header omitted)

2000-12-15 Thread Martin-Guy Richard

Hello all,

Question for you, does Cisco support TCP Rate Control or TCP Flow Control?

MGR




Re: Hacking

2000-11-29 Thread Howard C. Berkowitz

David Binder wrote,



I think Hacking is a very interesting topic but there is something I want
to mention. I think Hacking and Hackers have a positive aspect too, if they
don't want to harm you (otherwise they would be called crackers).
If a Hacker broke into your system and shows you that your security system
is not good, you will have to work on it. So you will have a better
security system and this protects you from people who really want to harm you.
Software engineers and producers of firewalls will also have to work on
it. So the Internet will get safer.
I agree with you when you say that it is a vicious circle but that is the
same in real life too.


Consider the following scenario, that takes place in a country 
without universal and unlimited health care. Someone walking on a 
public street is stopped by a wild-eyed, stethoscope-wielding person 
in a white coat. The white-coated one screams that he has observed 
that the passerby has yellow eyes, spider-shaped blood vessels under 
the skin, fluid retention in the legs, is trembling and seems to be 
itching intolerably.

"You have innumerable symptoms of advanced liver disease. That is not 
good. Your liver wishes to harm you and must immediately be replaced 
with a transplant."

And the innocent one says "I have no money for food.  If I do not 
eat, the state of my liver will be irrelevant."

Let me try to put this into philosophical rather than metaphorical 
terms.  The doctor, in my metaphor, regards the state of one's liver 
as an absolute good.  Those hackers that claim they are doing a favor 
for individuals and organizations, by probing every aspect of their 
security, base their claims on that security against active probes is 
an absolute good, and that the target of their probe can guard 
against the attacks.

Assume that one of the targets of the probe is a community health 
center in a remote rural area. That center has limited funds.  Due to 
its remote location, electrical power is not reliable.  With finite 
resources, the center may make a decision that it is more important 
to buy a backup electrical generator than to allocate those resources 
to install a firewall.

In the clinic example, I will assume that its system administrator is 
infinitely knowledgeable in security and security tradeoffs, and has 
made a conscious decision that the risks of not having electricity 
are more severe than the risks of breakins.   Does that administrator 
have an obligation to tell the hackers why he implemented a certain 
policy? What responsibility do the hackers--and I will assume they 
are well-intentioned--have to the system administrator?  That 
administrator may have detected a breakin, and not know if it is 
malicious or not.  Under such circumstances, a reasonable 
administrator is forced to spend resources to restore potentially 
damaged files. He cannot trust the word of the hacker, because they 
are anonymous and unsolicited. No relationship of trust exists 
between hacker and organization being hacked.

For sake of argument, the clinic administrator is assumed to be a 
security expert.  In the real world, only larger enterprises will 
have in-house security staff.  Properly supporting a firewall is not 
a trivial task--I've done it, and simply staying aware of published 
new threats and installing protections against them requires 
significant effort.

To me, there is a significant ethical difference between:

 a hacker that experiments on her own machines that run Microsoft 
software, finds a vulnerability, and notifies both Microsoft and 
independent organizations  (e.g., http://www.cert.org) of the 
vulnerability and how to protect against it

 a hacker who invades a small business system and leaves a note saying

 "I am an Elite Hacker D00D who got in through your lousy security.
  Fix it. I could have left a bomb, but trust me, I didn't."




Re: Hacking (header omitted)

2000-11-29 Thread Howard C. Berkowitz

Accidentally posted to groupstudy rather than cyberphil, but perhaps 
of interest.

I think Hacking is a very interesting topic but there is something I want
to mention. I think Hacking and Hackers have a positive aspect too, if they
don't want to harm you (otherwise they would be called crackers).
If a Hacker broke into your system and shows you that your security system
is not good, you will have to work on it. So you will have a better
security system and this protects you from people who really want to harm you.
Software engineers and producers of firewalls will also have to work on
it. So the Internet will get safer.
I agree with you when you say that it is a vicious circle but that is the
same in real life too.


Consider the following scenario, that takes place in a country 
without universal and unlimited health care. Someone walking on a 
public street is stopped by a wild-eyed, stethoscope-wielding person 
in a white coat. The white-coated one screams that he has observed 
that the passerby has yellow eyes, spider-shaped blood vessels under 
the skin, fluid retention in the legs, is trembling and seems to be 
itching intolerably.

"You have innumerable symptoms of advanced liver disease. That is not 
good. Your liver wishes to harm you and must immediately be replaced 
with a transplant."

And the innocent one says "I have no money for food.  If I do not 
eat, the state of my liver will be irrelevant."

Let me try to put this into philosophical rather than metaphorical 
terms.  The doctor, in my metaphor, regards the state of one's liver 
as an absolute good.  Those hackers that claim they are doing a favor 
for individuals and organizations, by probing every aspect of their 
security, base their claims on that security against active probes is 
an absolute good, and that the target of their probe can guard 
against the attacks.

Assume that one of the targets of the probe is a community health 
center in a remote rural area. That center has limited funds.  Due to 
its remote location, electrical power is not reliable.  With finite 
resources, the center may make a decision that it is more important 
to buy a backup electrical generator than to allocate those resources 
to install a firewall.

In the clinic example, I will assume that its system administrator is 
infinitely knowledgeable in security and security tradeoffs, and has 
made a conscious decision that the risks of not having electricity 
are more severe than the risks of breakins.   Does that administrator 
have an obligation to tell the hackers why he implemented a certain 
policy? What responsibility do the hackers--and I will assume they 
are well-intentioned--have to the system administrator?  That 
administrator may have detected a breakin, and not know if it is 
malicious or not.  Under such circumstances, a reasonable 
administrator is forced to spend resources to restore potentially 
damaged files. He cannot trust the word of the hacker, because they 
are anonymous and unsolicited. No relationship of trust exists 
between hacker and organization being hacked.

For sake of argument, the clinic administrator is assumed to be a 
security expert.  In the real world, only larger enterprises will 
have in-house security staff.  Properly supporting a firewall is not 
a trivial task--I've done it, and simply staying aware of published 
new threats and installing protections against them requires 
significant effort.

To me, there is a significant ethical difference between:

 a hacker that experiments on her own machines that run Microsoft 
software, finds a vulnerability, and notifies both Microsoft and 
independent organizations  (e.g., http://www.cert.org) of the 
vulnerability and how to protect against it

 a hacker who invades a small business system and leaves a note saying

 "I am an Elite Hacker D00D who got in through your lousy security.
  Fix it. I could have left a bomb, but trust me, I didn't."




Restricting Hacking/User Hacking on AS5300 ?

2000-06-24 Thread Phil Barker

Hi all,
 I need to restrict access to an AS5300, in the sense that users should
not be able to see a login prompt.

I've tried "no exec" on the tty lines 1 - 60, but this
stopped all users being able to logon. Survived
getting shot but I don't want to make the same mistake
again.

I'm wondering now about putting an access list in to
deny any telnet/rlogin attempts and sticking it on the
async interface.

Has anyone got a config example, or any advice ?

I tried
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/dial_c/dcmodem.htm
but it is a little bit wanting in terms of example details.

Phil.


Do You Yahoo!?
Get your free @yahoo.co.uk address at http://mail.yahoo.co.uk
or your free @yahoo.ie address at http://mail.yahoo.ie

___
UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html
FAQ, list archives, and subscription info: http://www.groupstudy.com
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
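
An added example, not Phil's own config, of the access list he is considering,
applied to the dial-in users' traffic on an AS5300. The interface name, the
group range and the management host address are assumptions; the PPP and
address settings already on the interface are left alone. The filter stops
dial-in users from opening telnet or rlogin sessions to the router or through
it once PPP is up, and the `access-class` keeps the router's own vty lines
closed to everyone but the management host, so no login prompt is ever shown
to them. It does not change what the tty does before PPP comes up, so it is
not by itself a fix for the exec prompt, and it avoids `no exec`, which the
post says broke logins.

```cisco
! Added example for an AS5300; interface name, group range and addresses are assumptions.
! Dial-in users arrive on tty 1-60, bundled as Group-Async1, and run PPP.
!
ip access-list extended DIALIN-NO-LOGIN
 remark -- no telnet or rlogin from dial-in users, to this router or through it
 deny   tcp any any eq telnet log
 deny   tcp any any eq 513 log
 remark -- everything else they send is allowed
 permit ip any any
!
interface Group-Async1
 group-range 1 60
 ip access-group DIALIN-NO-LOGIN in
!
! The router's own vty lines: only the management host (assumed 192.0.2.10)
! may connect; everyone else is refused before a login prompt is shown
access-list 10 permit host 192.0.2.10
access-list 10 deny   any log
line vty 0 4
 access-class 10 in
```

Check the result with `show access-lists` after a dial-in user tries a telnet:
the `log` entries give hit counts per line, and the denied attempts show up in
the log buffer or at the syslog host, which is the quickest way to confirm the
filter is on the right interface and in the right direction.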