One must have sufficient knowledge to be shocked.

[EMAIL PROTECTED] wrote:
> I recently spent quite a bit of time working with the TAC to solve a
> problem. Yes, they wanted to dial into the network to 'have a look'. When
> I asked what they were looking for, they couldn't tell me.
> I am well aware that, when tracking down a problem, it can be very useful
> to just 'have a look', without really knowing what you are looking for. I
> do it all the time :-) However, since they couldn't (or wouldn't) even
> give me any hints on what they expected to be doing, they didn't get
> access.
> I could send them log output etc. via email and they received it quickly
> enough that we could work together over the phone (the speed of incoming
> mail to me was another issue altogether but not really a problem).
>
> In any case, I've done a fair bit of troubleshooting over the phone,
> sometimes with completely non-technical people running the 'hands on'.
> Slower than telnetting in yourself? Sure. But it works, and sometimes
> it's the only option. And it's VERY good practice for remembering commands
> and what output they produce ;-)
>
> JMcL
> ---------------------- Forwarded by Jenny Mcleod/NSO/CSDA on 19/01/2001 04:38 pm ---------------------------
>
> "Chuck Larrieu" <[EMAIL PROTECTED]>@groupstudy.com on 19/01/2001 12:39:45 pm
>
> Please respond to "Chuck Larrieu" <[EMAIL PROTECTED]>
>
> Sent by: [EMAIL PROTECTED]
>
> To: "Priscilla Oppenheimer" <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
> cc:
>
> Subject: RE: Remote Telnet access via dial-up
>
> Cisco TAC always wants to telnet in to troubleshoot when working a ticket.
> One alternative is to e-mail your configs to them, at which point maybe
> they will get back to you with some resolution in a time frame you can
> live with.
>
> Fact is that the internet makes things so damn convenient for us. Most of
> the time most people just don't consider the implications.
>
> While it may be true that some places have security policies, reasonable or
> otherwise, the fact is that most places don't, most managements don't want
> to be bothered, and most users don't want to be inconvenienced.
>
> Chuck
>
> BTW - nice to see you again, Priscilla.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
> Priscilla Oppenheimer
> Sent: Thursday, January 18, 2001 4:38 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Remote Telnet access via dial-up
>
> At 11:11 AM 1/19/01, Tony van Ree wrote:
> > Hi,
> >
> > As long as the appropriate security/passwords are set it is probably every
> > bit as good as any other form of remote access.
>
> Remember that this wasn't CHAP or even PAP. It was Telnet. The Telnet
> password both to reach his PC and to reach the routers is unencrypted. How
> was the enable password sent? The characters were typed and sent
> unencrypted. Getting a Sniffer to the right place to catch this would be
> hard, but not impossible. Hopefully he will change the password used to
> reach his PC, but it's not likely he'll change the router VTY and enable
> passwords.
>
> So what did the Cisco engineers do when they Telnetted into this back door
> to configure the routers? Did they do show run by any chance? Yeah, I just
> got the complete configuration of the customer's routers. That is
> unencrypted also.
>
> And don't say, well it's Telnet so it's one character at a time which would
> make understanding it difficult. Responses in Telnet are not one character
> at a time. The output of show run would be sent in TCP segments using the
> IP MTU. It would be very easy to understand.
>
> I don't think most customers would even let him do what he did. A lot of
> customers wouldn't have an analog phone line for him to use to dial up his
> ISP. Analog phone-line backdoors are an infamous no-no.
>
> I'd love to hear someone else's opinion too. Isn't anyone else as shocked
> as I am?
>
> Priscilla
>
> > On Thursday, January 18, 2001 at 02:30:09 PM, Priscilla Oppenheimer wrote:
> >
> > > Sounds like a helpful troubleshooting method but what were the security
> > > risks? Thoughts, anyone?
> > >
> > > Priscilla
> > >
> > > At 10:31 PM 1/17/01, J Roysdon wrote:
> > > > Today I was at a site w/o internet access, but I needed to get Cisco
> > > > into it to save time relaying commands and information. I had a dial-up
> > > > connection out to my ISP, and then thought about the built-in Telnet
> > > > server that Windows 2000 Professional has. I made a quick guest account
> > > > for Cisco, and told them my dial-up IP, which they could connect to, and
> > > > then once telnetted into my workstation, they were able to telnet out my
> > > > NIC to the routers they needed to get to. Only catch is that you can
> > > > only have one session up through it (enough for us):
> > > >
> > > > Microsoft (R) Windows (TM) Version 5.00 (Build 2195)
> > > > Welcome to Microsoft Telnet Service
> > > > Telnet Server Build 5.00.99201.1
> > > > login: cisco
> > > > password: *****
> > > > Microsoft Windows Workstation allows only 1 Telnet Client License
> > > > Server has closed connection
> > > >
> > > > When they were done, I just disabled the Cisco account. Rather handy
> > > > now that I have it. I've run into a lot of troubleshooting where it was
> > > > a real pain not to have internet access for Cisco to get in (or I
> > > > didn't control the customer's firewall, etc.).
> > > >
> > > > After a successful telnet:
> > > > *===============================================================
> > > > Welcome to Microsoft Telnet Server.
> > > > *===============================================================
> > > > C:\>telnet 192.168.45.253
> > > > Connecting To 192.168.45.253...
> > > >
> > > > --
> > > > Jason Roysdon, CCNP/CCDP, MCSE, CNA, Network+, A+
> > > > List email: [EMAIL PROTECTED]
> > > > Homepage: http://jason.artoo.net/
> > > >
> > > > _________________________________
> > > > FAQ, list archives, and subscription info:
> > > > http://www.groupstudy.com/list/cisco.html
> > > > Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
> > >
> > > ________________________
> > >
> > > Priscilla Oppenheimer
> > > http://www.priscilla.com
> >
> > --
> > www.tasmail.com
>
> ________________________
>
> Priscilla Oppenheimer
> http://www.priscilla.com
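Priscilla's point in the thread, that a Telnet session carries the VTY password, the enable password and the whole `show run` output in the clear, and that the router's replies come back in full segments even though the client's keystrokes go out one per segment, is easy to check by replaying a capture through a few lines of Python. The script below is an added example, not code from anyone in this thread: it feeds a constructed capture (sample data, not a real trace; the prompts, the passwords l3tm31n and s3cr3t, the hash string and the config lines are all made up) through a Telnet option-negotiation stripper, pairs each line the client typed with the prompt it answered, and pulls out exactly what a sniffer on the path would have learned. It assumes the segments arrive in stream order with retransmissions already removed, as a sniffer's TCP reassembly would deliver them, and the SENSITIVE_CONFIG pattern is a starter list of my own, not anything Cisco defines.

```python
import re

# Telnet command bytes (RFC 854/855) used in option negotiation.
IAC, SE, SB, WILL, WONT, DO, DONT = 255, 240, 250, 251, 252, 253, 254
# Config lines worth flagging when `show run` crosses the wire in the clear (a starter list).
SENSITIVE_CONFIG = re.compile(r"^\s*(enable (secret|password)|username \S+ (password|secret)|snmp-server community|password) ")


def strip_negotiation(buf):
    """Split Telnet bytes into (user data, unfinished IAC sequence to carry into the next segment)."""
    out, i = bytearray(), 0
    while i < len(buf):
        if buf[i] != IAC:
            out.append(buf[i])
            i += 1
        elif i + 1 >= len(buf):                                     # lone IAC at the end: wait
            break
        elif buf[i + 1] == IAC:                                     # IAC IAC is a literal 0xFF
            out.append(IAC)
            i += 2
        elif buf[i + 1] in (WILL, WONT, DO, DONT) and i + 2 < len(buf):   # IAC <cmd> <option>
            i += 3
        elif buf[i + 1] == SB and buf.find(bytes([IAC, SE]), i + 2) >= 0:  # IAC SB ... IAC SE
            i = buf.find(bytes([IAC, SE]), i + 2) + 2               # (escaped IAC inside SB not handled)
        elif buf[i + 1] in (WILL, WONT, DO, DONT, SB):              # cut off by the segment boundary
            break
        else:                                                       # other two-byte commands (NOP, GA, ...)
            i += 2
    return bytes(out), bytes(buf[i:])


def reconstruct_session(segments):
    """Pair each line the client typed with the prompt on screen when typing began. segments are
    (direction, payload) pairs in stream order; returns (events, server_text), events = [(prompt, line)]."""
    pending = {"client": b"", "server": b""}
    events, server_text, client_line, line_prompt = [], bytearray(), bytearray(), b""
    for direction, payload in segments:
        data, pending[direction] = strip_negotiation(pending[direction] + payload)
        if direction == "server":
            server_text += data
            continue
        for byte in data:
            if byte in (0x0D, 0x0A):                                # Enter ends the typed line
                if client_line:
                    events.append((line_prompt.decode("latin-1").strip(), client_line.decode("latin-1")))
                    client_line = bytearray()
            else:
                if not client_line:                                 # first keystroke of a line: note the
                    line_prompt = bytes(server_text).rsplit(b"\n", 1)[-1]   # prompt before echo pollutes it
                client_line.append(byte)
    return events, server_text.decode("latin-1")


def extract_secrets(events, server_text):
    """What a sniffer learns: both passwords, every command, and the sensitive config lines."""
    found = {"vty_password": None, "enable_password": None, "commands": [], "config_lines": []}
    prev_cmd = None
    for prompt, typed in events:
        if prompt.endswith("Password:"):                            # the prompt right after `enable` is the enable password
            found["enable_password" if prev_cmd == "enable" else "vty_password"] = typed
        else:
            found["commands"].append(typed)
            prev_cmd = typed
    found["config_lines"] = [line.strip() for line in server_text.splitlines() if SENSITIVE_CONFIG.match(line)]
    return found


def build_sample_capture():
    """Constructed capture (sample data, not a real trace): one segment per client keystroke,
    router echo for commands only, and `show run` back in 128-byte chunks standing in for MTU-sized ones."""
    segs = []
    def type_keys(text, echo):                                      # routers echo commands, never passwords
        for c in text.encode():
            segs.append(("client", bytes([c])))
            if echo and c not in b"\r\n":
                segs.append(("server", bytes([c])))
    segs.append(("server", bytes([IAC, WILL, 1, IAC, WILL, 3, IAC, DO, 24])))        # WILL ECHO, WILL SGA, DO TTYPE
    segs.append(("client", bytes([IAC, DO, 1, IAC, DO, 3, IAC])))                    # the client's reply straddles
    segs.append(("client", bytes([WILL, 24, IAC, SB, 24, 0]) + b"ANSI" + bytes([IAC, SE])))  # two segments
    segs.append(("server", b"\r\nUser Access Verification\r\n\r\nPassword: "))
    type_keys("l3tm31n\r\n", echo=False)
    segs.append(("server", b"\r\nRouter>"))
    type_keys("enable\r\n", echo=True)
    segs.append(("server", b"\r\nPassword: "))
    type_keys("s3cr3t\r\n", echo=False)
    segs.append(("server", b"\r\nRouter#"))
    type_keys("show run\r\n", echo=True)
    config = (b"\r\nBuilding configuration...\r\n!\r\nhostname Router\r\n!\r\n"
              b"enable secret 5 $1$sMpl$ConstructedSampleHash0\r\nusername admin password 0 adm1npw\r\n"
              b"!\r\nsnmp-server community public RO\r\n!\r\nline vty 0 4\r\n password l3tm31n\r\n"
              b" login\r\n!\r\nend\r\n\r\nRouter#")
    segs.extend(("server", config[i:i + 128]) for i in range(0, len(config), 128))
    return segs


if __name__ == "__main__":
    for key, value in extract_secrets(*reconstruct_session(build_sample_capture())).items():
        print(f"{key}: {value}")
```

Two details in the stripper matter on real traffic: an IAC sequence can straddle two segments (the constructed client reply does, so the unfinished tail is carried into the next one), and the prompt has to be captured at the first keystroke of a line rather than at Enter, because the router echoes each command character back and would otherwise end up inside the prompt. Run as a script it prints both passwords, the command list and the four sensitive config lines; feeding it the payloads of a real capture's two TCP directions does the same for a live session.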