
Securing IGS Cisco Routers v 1.01

posted on July 17, 2001
by hitbsecnews

Some of the materials included in these guides can be used for illegal activities. We do not encourage such activities, and believe that such information should be made public because of the public's right to know and in order to help people defend themselves from computer criminals.

This paper describes how to gather information about an IGS Cisco router, both remotely and locally, and how to use that information to secure it. Some experience with configuring Cisco routers is recommended before reading it; which model you own matters less. More importantly, you must own, and know how to use, a Unix-like operating system. After we have collected the information that is useful to us, we will try to secure the router as well as possible. Please note that this paper is for educational purposes only, and I am not responsible in any way for your stupid actions if you get caught.

Since you probably do not have an IGS Cisco router but a newer model running a more recent IOS release, the output of programs such as nmap may differ from what is shown here. While securing the router you may also have to use other commands than I do. Grab your manual if you have one and look up the correct command; typing ? at the IOS prompt also lists the commands your release actually has.

Getting the information remotely:

I assume you have already configured your Cisco router and your Unix box with the proper tools. But because I know there are still people who do not know where to download the tools we are going to use, I have placed some links at the bottom of this paper which could be useful.

I always start with an nmap scan: we first need to know which daemons are listening on the remote host. Because I own a couple of IGS Cisco routers myself, I will use the router with IP address 169.254.0.10 for this paper. A daemon can listen on various kinds of sockets (TCP, UDP, IPX/SPX and so on), and scanning all of them takes a long time. If you are not on the same segment as the remote router, it is also pointless to scan anything other than TCP and UDP: link-layer protocols such as raw 802.3, LLC and SNAP frames, and non-IP protocols such as IPX, are not routed by any (Internet) router, so only what is reachable over IP matters.

So we only scan all TCP and UDP ports, using the following command at the Unix shell: nmap -sT -sU -p 1-65535 169.254.0.10. For a complete overview of all options type man nmap. Be warned that a UDP sweep of all 65535 ports is slow, because closed UDP ports only reveal themselves through ICMP unreachable messages, which most hosts rate-limit; nmap reports a UDP port as open when it gets no answer, so confirm UDP results by talking to the service instead of trusting the scan alone.

Port       State  Service
7/tcp      open   echo
7/udp      open   echo
9/tcp      open   discard
9/udp      open   discard
23/tcp     open   telnet
49/udp     open   tacacs
67/udp     open   bootps
79/tcp     open   finger
161/udp    open   snmp
1993/tcp   open   snmp-tcp-port

Above is the output of nmap; now I will describe each daemon.

nmap labels a port with the service conventionally assigned to it: many FTP daemons use 20/tcp and 21/tcp, Gopher daemons listen on 70/tcp, and so on. But a daemon can be configured to listen on a different port, so it is possible that something other than a finger daemon is listening behind 79/tcp on the IGS Cisco router. There are two ways to discover what really listens on a port: look it up in the IGS Cisco router manual, or open a telnet session to the port. I connect with telnet to every daemon; most of the time the banner, or the way the daemon reacts to what you type, tells you enough.

Echo (7/TCP&UDP)

SorNOT:~ # telnet 169.254.0.10 7
Trying 169.254.0.10...
Connected to 169.254.0.10.
Escape character is '^]'.
hu
hu
:)
:)
echo
echo

This daemon simply echoes back whatever you type, which is of no use to us. It is not harmless either: the UDP echo port is a classic amplifier, since spoofed packets can make it and another host's echo or chargen port answer each other indefinitely. So kill the daemon, unless you want a digital chat friend when you are feeling bored :-P

Discard (9/TCP&UDP)

This daemon is kind of funny (check RFC 863): it accepts anything you send and silently throws it away. It is not useful either, so kill it.

Telnet (23/TCP)

lappie:~/IGS # telnet 169.254.0.10 23
Trying 169.254.0.10...
Connected to 169.254.0.10.
Escape character is '^]'.

User Access Verification

Password:
CiscoRouter>

This is the well-known telnet daemon; I assume you are familiar with it. Note that the router asks only for a line password, not a user name: anyone who can reach 23/tcp and knows or guesses that password gets a user-mode prompt, and with the enable password the whole configuration. Since you need telnet to manage the router, the answer is not to kill it but to restrict which addresses may connect to it, which is covered in the securing section.

Tacacs (49/UDP)

TACACS (Terminal Access Controller Access Control System) is an authentication protocol: instead of checking passwords locally, the router forwards login attempts to a central TACACS server. It is mostly used by Internet Service Providers and other sites with many dial-up or terminal-server users. I will never use this function, and if you have no TACACS server there is no reason for this port to be reachable; the scan result on UDP should in any case be confirmed, since nmap cannot tell an unanswered UDP probe from an open port.

Bootps (67/UDP)

The BOOTP server lets the router answer BOOTP requests from other hosts on its network, handing them an address and a boot file name; Cisco routers can also fetch their own configuration over BOOTP and TFTP on first boot. Because your router has already been configured, and you are not booting other hosts from it, it is not necessary to keep this daemon alive.

Finger (79/TCP)

lappie:~/IGS # telnet 169.254.0.10 79
Trying 169.254.0.10...
Connected to 169.254.0.10.
Escape character is '^]'.

    Line     User       Host(s)     Idle   Location
*  2 vty 0              idle        0      169.254.0.3

Connection closed by foreign host.

Here we get some pretty valuable information about who has a session open on the IGS-CR and from where: the table is the same one show users prints on the router, so line 2 (vty 0) is in use from 169.254.0.3, without any login having been needed. The same daemon is what the finger command in a Unix shell talks to (finger @169.254.0.10), so if you kill it you cannot use it from the shell anymore either. From an attacker's point of view that table is a list of management stations worth going after, which is exactly why it should not be public.

SNMP (161/UDP)

SNMP (Simple Network Management Protocol) comes in handy in some situations, but I see no reason to let it live here. Check it before killing it anyway: if the community string is still a well-known default such as public, anyone who can reach 161/udp can read the router's configuration and interface statistics, and with a read-write community string they can change the configuration as well.

SNMP-tcp-port (1993/tcp)

This is the TCP variant of the SNMP agent on 161/udp, so if you stop SNMP, check that the daemon behind 1993/tcp is gone too.
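The banner check described above, connecting to each port and judging the service from how it answers, and the reading of the finger table, can be automated. The script below is an added example and is not part of the original paper: probe() opens the connection and types the same kind of input the telnet sessions above do, classify() names the service from the reply, and parse_finger() pulls the line and source address out of the finger table. The replies embedded in it are constructed from the paper's own sessions, the host 169.254.0.10 is the paper's router, and nothing is contacted unless you call survey().

```python
"""Probe open ports the way the paper does by hand with telnet, and decide
from the reply what really listens there.

Added example, not part of the original paper.  The sample replies below
are constructed from the paper's telnet sessions; probe()/survey() only
touch the network when you call them against a real host."""
import socket

IAC = 0xFF          # telnet "Interpret As Command": telnet servers open with IAC sequences
PROBE = b"hu\r\n"   # what we type at the daemon, like "hu" in the paper's echo session


def probe(host, port, timeout=3.0):
    """Connect, read any banner, send PROBE, read the answer.

    Returns (connected, data).  (False, b"") means refused or timed out;
    (True, b"") means the port took our input and never answered, which is
    what discard (9/tcp) looks like."""
    data = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data += s.recv(1024)   # unsolicited banner (telnet negotiates at once)
            except socket.timeout:
                pass
            s.sendall(PROBE)
            try:
                data += s.recv(1024)   # echo answers here, finger with its table
            except socket.timeout:
                pass
    except OSError:
        return False, b""
    return True, data


def classify(connected, sent, received):
    """Name the service from how it answered `sent`."""
    if not connected:
        return "closed"
    if not received:
        return "discard-like (accepts input, never answers)"
    if received[0] == IAC:
        return "telnet (option negotiation)"
    text = received.decode("ascii", "replace")
    if "User Access Verification" in text or "Password:" in text:
        return "telnet (Cisco login prompt)"
    if received.strip() == sent.strip():
        return "echo"
    if all(word in text for word in ("Line", "User", "Location")):
        return "finger (Cisco line table)"
    return "unknown"


def parse_finger(received):
    """Turn the Cisco finger table into session records: which line is in use
    and from which address.  Header lines and noise such as "Connection
    closed by foreign host." are skipped."""
    sessions = []
    for raw in received.decode("ascii", "replace").splitlines():
        tokens = raw.split()
        active = bool(tokens) and tokens[0] == "*"
        if active:
            tokens = tokens[1:]
        # a real row starts with the line number: "2 vty 0 ... 169.254.0.3"
        if len(tokens) < 4 or not tokens[0].isdigit():
            continue
        sessions.append({"line": " ".join(tokens[:3]),
                         "location": tokens[-1],
                         "active": active})
    return sessions


# Constructed sample replies, modelled on the paper's sessions.
ECHO_REPLY = b"hu\r\n"
TELNET_REPLY = (b"\xff\xfd\x18\xff\xfd\x20\xff\xfd\x23\xff\xfd\x27"
                b"\r\nUser Access Verification\r\n\r\nPassword: ")
FINGER_REPLY = (b"    Line     User       Host(s)     Idle   Location\r\n"
                b"*  2 vty 0              idle        0      169.254.0.3\r\n"
                b"Connection closed by foreign host.\r\n")


def survey(host="169.254.0.10", ports=(7, 9, 23, 79)):
    """Probe each port on a live router and return {port: verdict}."""
    results = {}
    for port in ports:
        connected, data = probe(host, port)
        results[port] = classify(connected, PROBE, data)
        print(f"{port}/tcp: {results[port]}")
    return results


if __name__ == "__main__":
    print(classify(True, PROBE, ECHO_REPLY), "|", classify(True, PROBE, TELNET_REPLY))
    print(parse_finger(FINGER_REPLY))
```

classify() checks for telnet negotiation before anything else because a telnet daemon answers before you type, so its reply never equals what was sent; echo is recognised by the reply matching the probe, and finger by the column headers of the line table rather than by any banner, since finger prints none.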

Getting the information locally:

We can also request information about the IGS-CR locally; you do not need enable privileges for this. The command show processes gives output like the listing below.

CiscoRouter#show processes
CPU utilization for one minute: 15%; for five minutes: 15%
 PID Q T PC       Runtime (ms) Invoked  uSecs  Stacks   TTY Process
   1 M E 1019D28         49052    5275   9298 876/1000   0 Net Background
   2 L E 102D2EC             0       4      0 880/1000   0 Logger
  27 M * F14               548      55   9963 678/1200   2 Virtual Exec
  28 L E 10581C8            28      20   1400 824/1000   0 UDP Echo
   5 M E 10581C8             0      52      0 898/1000   0 BOOTP Server
   6 H E 1010ABA        485848   74667   6506 536/900    0 IP Input
   7 M E 1062DA6            68   21114      3 804/1000   0 TCP Timer
   8 L E 1063FA4           164     161   1018 766/1000   0 TCP Protocols
   9 L E 101E646          1568    2321    675 854/1000   0 ARP Input
  10 L E 1010ABA             0       1      0 938/1000   0 Probe Input
  29 L E 10581C8            24      20   1200 824/1000   0 UDP Echo
  12 M E 1035092             0       2      0 968/1000   0 Timers
  13 H E 1010ABA         19472   54616    356 412/500    0 Net Input
  14 M T 100E474           336  104907      3 790/1000   0 TTY Background
  15 L E 10E2722             0       1      0 896/1000   0 IP SNMP
  30 L E 10581C8             0      20      0 946/1000   0 UDP Discard
  31 L E 10581C8             0      20      0 946/1000   0 UDP Discard

The command show stacks gives more information about the daemons: the least free stack each process has had, which is also where the TCP Echo and TCP Discard daemons turn up that show processes above did not list separately.

CiscoRouter#show stacks
Minimum process stacks:
 Free/Size  Name
  734/1000  Init
  970/1000  Pakmon Init
  962/1000  MOP Protocols
  934/1000  UDP Discard
  678/1200  Virtual Exec
  786/1000  TCP Discard
  782/1000  TCP Echo
  820/1000  UDP Echo

Interrupt level stacks:
Level    Called  Free/Size  Name
  3         417   964/1000  Serial interface state change interrupt
  4      580538   886/1000  Network interfaces
  5          46   968/1000  Console Uart

Securing IGS-CR

We combine the remotely and locally gathered information to stop the unnecessary daemons. There are several ways to do this:

The simplest way is the setup program. It walks you through the basic configuration with yes/no questions, and one of them is whether to configure SNMP network management; answering no leaves the SNMP agent switched off.

The second way is to disable each remaining service individually in configuration mode with its no command (for example no snmp-server). Not many people get this right the first time, because the names in show processes and show stacks are process names, not command names, and because the commands available differ between IOS releases; you really have to know what you are doing and spend some time in the manual or with the ? help.

As far as I know the IGS series has no internal (network) firewall or the like; the newer ones probably do. I will not discuss how to set up such a firewall, because simply said I do not know how to do this right now. What I do want to mention is that with this kind of filtering you can shield the daemons from unwanted connections with rules like: 169.254.0.11 may connect to the telnet daemon, but 169.254.0.20 may not. The basic form of this, a standard access list applied to the vty lines with access-class, is available even on old IOS releases. You get the idea, don't you?

To secure the IGS-CR completely we use the first two ways: first way one, and if not all unnecessary daemons are stopped afterwards, way two as well. You may want to kill different daemons than I do; most likely we are talking about daemons that cannot be stopped from the setup menu, and those have to be stopped with way two, which requires some searching on your part.

Way one is rather simple: just type setup and walk through the menu. To verify afterwards that you have stopped some unnecessary daemons, run show processes before and after the setup dialog and compare both outputs. Also rescan from the Unix box: what counts is whether the port still answers, not only whether the process is still listed.

I know that you cannot stop all unnecessary daemons with the setup program, so I will show you how to stop them the second way.

I am going to stop the daemon listed below:

  15 L E 10E2722             0       1      0 896/1000   0 IP SNMP

The command show memory dumps the allocation table of the whole memory, which tells you which process owns which block; the IP SNMP entry below is how you confirm the agent is really loaded and where it lives. It is not a way to stop it: IOS gives you no command to rewrite a range of memory (write memory saves the running configuration to NVRAM, and erase wipes a whole file system such as NVRAM or flash, not a range of addresses). The daemon is stopped in configuration mode with no snmp-server, followed by write memory so the change survives a reload; afterwards the IP SNMP line should be gone from show processes and 161/udp and 1993/tcp should no longer answer.

Address  Bytes  Prev.  Next   Ref  PrevF  NextF  Alloc PC  What
58850    112    587E0  588C0  1    *      *      1057FA8   IP SNMP

 PID Q T PC       Runtime (ms) Invoked  uSecs  Stacks   TTY Process
  15 L E 10E2722             0       1      0 896/1000   0 IP SNMP

You cannot kill a process by its PID either: IOS on this router exposes no such command. Find the appropriate no command for the service in your Cisco router manual instead.

After you have stopped some daemons, check that they are really gone: show processes locally and a fresh nmap scan from the outside. A wrong configuration command can still lock you out (for example an access-class on the vty lines that does not include your own address), so keep a console session open while you work. If the router stops functioning, reset the NVRAM (where all configuration is stored) by typing, in enable mode, erase startup-config (write erase on older IOS releases) and then reload. Remember that by doing so you lose your whole configuration. The router then boots from flash memory with an empty configuration and drops you into the setup dialog; consult your Cisco router manual for specific information.
