Securing IGS Cisco Routers v1.01
This paper describes how to gather information about an IGS Cisco router, both remotely and locally. It is recommended that you have some experience configuring Cisco routers before reading this paper; it does not matter which model you own. More importantly, you must own, and know how to use, a Unix-oriented operating system. After we have collected the information that is useful to us, we will try to secure the router as well as possible. Please note that this paper is for educational purposes only and I am not responsible in any way for your stupid actions if you get caught.
Because you probably do not have an IGS Cisco router but a newer model or IOS release, you may get different output from programs like “nmap”. Also, while securing the router you may have to use commands other than the ones I use. Grab your manual if you have one and look up the correct command.
Getting the information remotely:
I assume you have already configured your Cisco router and your Unix box with the proper tools. But because I know there are still people who do not know where to download the tools we are going to use, I have placed some links at the bottom of this paper.
I always start with an “nmap” scan: we first need to know which daemons are running on the remote host. Because I own a couple of IGS Cisco routers myself, I will use the router with IP 169.254.0.10 for this paper. A daemon can listen on various socket types (UDP, TCP, IPX, SPX), so it can take a long time before they are all scanned. And if you are not on the same segment as the remote router, it is completely useless to scan sockets other than TCP and UDP: protocols other than 802.3 (Standard LLC, SNAP LLC and RAW) and IP are not routed by any (Internet) router by default!

So we will only scan all listening TCP and UDP sockets, using the following command at the Unix shell: “nmap -sT -sU -p 1-65535 169.254.0.10”. For a complete overview of all options type “man nmap”.
    Port      State  Service
    7/tcp     open   echo
    7/udp     open   echo
    9/tcp     open   discard
    9/udp     open   discard
    23/tcp    open   telnet
    49/udp    open   tacacs
    67/udp    open   bootps
    79/tcp    open   finger
    161/udp   open   snmp
    1993/tcp  open   snmp-tcp-port
Above you see the output of nmap; now I will try to describe every daemon.

By default many FTP daemons use 20/TCP and 21/TCP, while many Gopher daemons only listen on 70/TCP: every daemon has its standard port. Of course you can configure a daemon so that it listens on a different port, so it is possible that ‘behind’ 79/TCP on the IGS Cisco router a daemon other than a finger daemon is listening. There are two ways to discover which daemon really listens on a socket: one, search your IGS Cisco router manual; two, establish a telnet session to the daemon. I will establish a telnet session to every daemon; most of the time you get enough information from the ‘banner’.
Echo (7/TCP&UDP)

    SorNOT:~ # telnet 169.254.0.10 7
    Trying 169.254.0.10...
    Connected to 169.254.0.10.
    Escape character is '^]'.
    hu
    hu
    :)
    :)
    echo
    echo

This daemon nicely echoes everything you type, but it is not really useful to us, so it is recommended to kill it. Unless you want a digital chat friend for when you are feeling bored... :-P
Discard (9/TCP&UDP)

This daemon is kind of funny (check the RFC), but it is not very useful either, so kill it...
Telnet (23/TCP)

    lappie:~/IGS # telnet 169.254.0.10 23
    Trying 169.254.0.10...
    Connected to 169.254.0.10.
    Escape character is '^]'.

    User Access Verification

    Password:
    CiscoRouter>

This is a well-known daemon; I suppose you are familiar with it.
Tacacs (49/UDP)

This (Terminal Access Controller Access Control System) daemon has a function I will never use: it controls dial-up lines. This option is used (only?) by Internet Service Providers, whose customers... well, create a connection to the Internet perhaps?
Bootps (67/UDP)

With this protocol you can configure a Cisco router remotely. Because your router has already been configured, it is no longer necessary to keep this daemon alive.
Finger (79/TCP)

    lappie:~/IGS # telnet 169.254.0.10 79
    Trying 169.254.0.10...
    Connected to 169.254.0.10.
    Escape character is '^]'.
        Line     User      Host(s)     Idle Location
    *   2 vty 0            idle           0 169.254.0.3
    Connection closed by foreign host.

Here we get some pretty valuable information about who has established a connection to the IGS-CR and from where. This daemon is also used by a command within the router shell, so if you kill the daemon remember that you can no longer use it from within the shell.
SNMP (161/UDP)

This (Simple Network Management Protocol) daemon comes in handy in some situations, but I see no reason to let it ‘live’.
SNMP-tcp-port (1993/TCP)

This is the TCP version of the SNMP daemon at 161/UDP, so if you want to stop SNMP you have to check that the daemon behind 1993/TCP is stopped too.
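The remote part of the paper boils down to one check: compare the listeners nmap found with the short list you intend to keep, and treat everything else as a daemon to stop. The script below is an added example and is not code from the original paper; it re-types the nmap listing shown above as a constructed sample, uses a constructed allow-list (only 23/tcp), and encodes the SNMP 161/udp + 1993/tcp pairing the paper mentions so that a half-finished SNMP shutdown is flagged when you rescan afterwards.

```python
import re
from collections import defaultdict

# Constructed sample: the nmap listing from the paper, re-typed here.
SAMPLE_SCAN = """\
Port      State  Service
7/tcp     open   echo
7/udp     open   echo
9/tcp     open   discard
9/udp     open   discard
23/tcp    open   telnet
49/udp    open   tacacs
67/udp    open   bootps
79/tcp    open   finger
161/udp   open   snmp
1993/tcp  open   snmp-tcp-port
"""

# Constructed allow-list: the only listener we intend to keep on this router
# (telnet for management).  Every other open socket gets reported.
ALLOWED = {(23, "tcp")}

# Two halves of one daemon: the paper notes that SNMP on 161/udp has a TCP
# side on 1993/tcp, so stopping one without the other is an incomplete fix.
PAIRED = {"snmp": "snmp-tcp-port", "snmp-tcp-port": "snmp"}

# One nmap port line: "<port>/<proto>  <state>  <service>"; header lines do not match.
_PORT_LINE = re.compile(r"^\s*(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*$", re.IGNORECASE)


def parse_scan(text):
    """Return (port, proto, state, service) tuples for every port line in an nmap listing."""
    found = []
    for line in text.splitlines():
        m = _PORT_LINE.match(line)
        if m:
            port, proto, state, service = m.groups()
            found.append((int(port), proto.lower(), state.lower(), service.lower()))
    return found


def unexpected_listeners(scan, allowed):
    """Open sockets that are not on the allow-list, grouped by service name.

    The result is the list of daemons to stop; grouping by service makes a
    multi-socket daemon (echo on 7/tcp and 7/udp) show up as one item.
    """
    by_service = defaultdict(list)
    for port, proto, state, service in scan:
        if state == "open" and (port, proto) not in allowed:
            by_service[service].append(f"{port}/{proto}")
    return {service: sorted(ports) for service, ports in by_service.items()}


def partial_pairs(scan):
    """Services still open whose paired half is gone: an incomplete shutdown."""
    open_services = {service for _, _, state, service in scan if state == "open"}
    return {s for s in open_services if s in PAIRED and PAIRED[s] not in open_services}


if __name__ == "__main__":
    scan = parse_scan(SAMPLE_SCAN)
    for service, ports in sorted(unexpected_listeners(scan, ALLOWED).items()):
        print(f"stop {service:14s} ({', '.join(ports)})")
    # Constructed "after" scan: SNMP on 161/udp is gone but 1993/tcp is still open.
    after = parse_scan("Port State Service\n23/tcp open telnet\n1993/tcp open snmp-tcp-port\n")
    print("incomplete shutdown:", partial_pairs(after) or "none")
```

Feed it the real nmap output of your own router instead of SAMPLE_SCAN and adjust ALLOWED to the sockets you actually need; the second check is meant for the rescan after you have walked through the shutdown steps later in this paper.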
Getting the information locally:

We can also request information about the IGS-CR locally; you do not need ‘enable’ privileges for this. With the command “show processes” you get output like the one below.
    CiscoRouter#show processes
    CPU utilization for one minute: 15%; for five minutes: 15%
     PID Q T PC       Runtime (ms) Invoked  uSecs  Stacks   TTY Process
       1 M E 1019D28         49052    5275   9298  876/1000   0 Net Background
       2 L E 102D2EC             0       4      0  880/1000   0 Logger
      27 M * F14               548      55   9963  678/1200   2 Virtual Exec
      28 L E 10581C8            28      20   1400  824/1000   0 UDP Echo
       5 M E 10581C8             0      52      0  898/1000   0 BOOTP Server
       6 H E 1010ABA        485848   74667   6506  536/900    0 IP Input
       7 M E 1062DA6            68   21114      3  804/1000   0 TCP Timer
       8 L E 1063FA4           164     161   1018  766/1000   0 TCP Protocols
       9 L E 101E646          1568    2321    675  854/1000   0 ARP Input
      10 L E 1010ABA             0       1      0  938/1000   0 Probe Input
      29 L E 10581C8            24      20   1200  824/1000   0 UDP Echo
      12 M E 1035092             0       2      0  968/1000   0 Timers
      13 H E 1010ABA         19472   54616    356  412/500    0 Net Input
      14 M T 100E474           336  104907      3  790/1000   0 TTY Background
      15 L E 10E2722             0       1      0  896/1000   0 IP SNMP
      30 L E 10581C8             0      20      0  946/1000   0 UDP Discard
      31 L E 10581C8             0      20      0  946/1000   0 UDP Discard
With the command “show stacks” you get more information about the daemons.
    CiscoRouter#show stacks
    Minimum process stacks:
     Free/Size  Name
      734/1000  Init
      970/1000  Pakmon Init
      962/1000  MOP Protocols
      934/1000  UDP Discard
      678/1200  Virtual Exec
      786/1000  TCP Discard
      782/1000  TCP Echo
      820/1000  UDP Echo

    Interrupt level stacks:
    Level    Called  Free/Size  Name
      3         417   964/1000  Serial interface state change interrupt
      4      580538   886/1000  Network interfaces
      5          46   968/1000  Console Uart
Securing IGS-CR
We need to combine the remotely and locally gathered information to stop the unnecessary daemons. We have several ways to do this:

The simplest way is to use the program ‘setup’. Here we can say, for example, do not load the SNMP daemon, simply by answering ‘yes’ or ‘no’ to the options.
I know not many people will try this way to unload the unnecessary daemons, because: one, it is not easy to find; and two, you really have to know what you are doing. But it is possible to read out the whole memory stack, find the right offset of a daemon and rewrite the memory so that the daemon is killed.
As far as I know the IGS series does not have an internal (network) firewall or the like; probably the newer ones do. I will not discuss how to set up the firewall, because simply said I do not know how to do this right now. What I do want to mention is that with this type of firewall you have the option to shield the daemons from unwanted connections. You can create rules like: 169.254.0.11 may connect to the telnet daemon but 169.254.0.20 may not. Well, you get the idea, don't you?
To completely secure the IGS-CR we have to use the first two ways: first we use way one, and if not all unnecessary daemons are stopped then, we use way two as well. It is possible that you want to kill different daemons than I am going to; most likely we are talking about daemons that cannot be stopped from the ‘setup’ menu. Daemons that cannot be stopped with way one have to be stopped with way two, and that requires a lot of searching on your part.
Way one is rather simple: just type “setup” and walk through the menu. To verify afterwards that you have stopped some unnecessary daemons, type “show processes” before and after you have walked through the setup. Compare both outputs with each other and see for yourself whether something has changed.
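Comparing two “show processes” listings by eye is error-prone, not least because the same name (UDP Echo) can appear more than once. The script below is an added example, not code from the paper: it parses listings in the format shown earlier and reports which processes stopped or started between the two runs. The “before” listing is a subset of the paper's table; the “after” listing is constructed, with BOOTP Server, IP SNMP and one UDP Echo process removed, to show what the comparison looks like.

```python
import re
from collections import Counter

# Constructed "before" listing: a subset of the paper's "show processes" output.
BEFORE = """\
CPU utilization for one minute: 15%; for five minutes: 15%
 PID Q T PC       Runtime (ms) Invoked  uSecs  Stacks   TTY Process
   1 M E 1019D28         49052    5275   9298  876/1000   0 Net Background
   2 L E 102D2EC             0       4      0  880/1000   0 Logger
  27 M * F14               548      55   9963  678/1200   2 Virtual Exec
  28 L E 10581C8            28      20   1400  824/1000   0 UDP Echo
   5 M E 10581C8             0      52      0  898/1000   0 BOOTP Server
  15 L E 10E2722             0       1      0  896/1000   0 IP SNMP
  29 L E 10581C8            24      20   1200  824/1000   0 UDP Echo
  30 L E 10581C8             0      20      0  946/1000   0 UDP Discard
"""

# Constructed "after" listing: BOOTP Server, IP SNMP and one of the two UDP Echo
# processes are gone; the remaining rows only differ in their counters.
AFTER = """\
CPU utilization for one minute: 12%; for five minutes: 14%
 PID Q T PC       Runtime (ms) Invoked  uSecs  Stacks   TTY Process
   1 M E 1019D28         49120    5290   9288  876/1000   0 Net Background
   2 L E 102D2EC             0       4      0  880/1000   0 Logger
  27 M * F14               560      58   9655  678/1200   2 Virtual Exec
  28 L E 10581C8            28      20   1400  824/1000   0 UDP Echo
  30 L E 10581C8             0      20      0  946/1000   0 UDP Discard
"""

# One process row; the CPU banner and the column header do not start with a PID.
_ROW = re.compile(
    r"^\s*(\d+)\s+(\S)\s+(\S)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)/(\d+)\s+(\d+)\s+(.+?)\s*$"
)


def parse_show_processes(text):
    """Return one dict per process row: pid, name and stack usage."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue
        pid, _q, _t, _pc, _runtime, _invoked, _usecs, free, size, _tty, name = m.groups()
        rows.append({"pid": int(pid), "name": name,
                     "stack_free": int(free), "stack_size": int(size)})
    return rows


def diff_processes(before, after):
    """(stopped, started) process names, compared as multisets so that a router
    running two 'UDP Echo' processes is reported correctly when one of them stops."""
    before_names = Counter(r["name"] for r in before)
    after_names = Counter(r["name"] for r in after)
    stopped = sorted((before_names - after_names).elements())
    started = sorted((after_names - before_names).elements())
    return stopped, started


def still_running(after, unwanted):
    """Names from `unwanted` that are still present in the after listing."""
    present = {r["name"] for r in after}
    return sorted(name for name in unwanted if name in present)


if __name__ == "__main__":
    before, after = parse_show_processes(BEFORE), parse_show_processes(AFTER)
    stopped, started = diff_processes(before, after)
    print("stopped:", stopped)
    print("started:", started)
    print("still running:", still_running(after, ["IP SNMP", "UDP Discard"]))
```

Paste the two real listings into BEFORE and AFTER (or read them from files) and give still_running the names you meant to get rid of; anything it returns is a daemon that setup did not stop and that needs the second way.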
I know that you cannot stop all unnecessary daemons with this setup program, so I will try to show you how to stop them ‘the second way’...
I am going to try to stop the daemon listed below:

    15 L E 10E2722             0       1      0  896/1000   0 IP SNMP

With the command “show memory” you get a dump of the whole memory. This comes in handy if we want to overwrite a specific location in memory. We can (re)write the memory with the command “write memory or erase [start stack – end stack] [new data]”.

    Address  Bytes  Prev.  Next   Ref  PrevF  NextF  Alloc PC  What
    58850    112    587E0  588C0  1    *      *      1057FA8   IP SNMP

     PID Q T PC       Runtime (ms) Invoked  uSecs  Stacks   TTY Process
      15 L E 10E2722             0       1      0  896/1000   0 IP SNMP

We could also kill the so-called PID address, but because this depends on which router you have I am not going to explain it any further. Just find the appropriate command in your Cisco router manual.
After you have killed some daemons, check whether they really are stopped. I know that rewriting the stack is a tricky operation, and it could be that your Cisco router stops functioning. To reset all data in the NVRAM (where all configuration is stored), type in enable mode “erase startup-config” and “reload”. Remember that by doing so you lose all your configuration. The first time the Cisco router boots from flash memory, consult your Cisco router manual for specific information.
OK, so much for this time... I have to spend my other hours teaching myself more about Cisco Systems products.
Some links:
http://freshmeat.net/projects/nmap/
http://www.cisco.com/
http://www.netterm.com/
If you have any questions or other comments related to this paper you can drop a mail at mailpop3@crosswinds.net
Copyright (C) 2001, Data Wizard, The Netherlands.