sigscr101.html

黑客培训教程

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<!-- saved from url=(0057)http://212.187.6.213/cgi-bin/down/down.cgi?sigscr101.html -->
<HTML><HEAD><TITLE>Securing IGS Cisco Routers v 1.01</TITLE>
<META content="text/html; charset=ISO-8859-1" http-equiv=content-type>
<META content="Data Wizard" name=author>
<META content="MSHTML 5.00.2614.3500" name=GENERATOR></HEAD>
<BODY>
<DIV align=center><BIG><BIG><BIG><B>Securing IGS Cisco Routers v 
1.01<BR></B></BIG></BIG></BIG></DIV><BR><BR>This paper will describe how you 
should obtain remote and local, information about an IGS Cisco Router. It&#8217;s 
recommended if you have some experience with configuring Cisco Routers before 
reading this paper, by the way it doesn&#8217;t matter which model you own. And more 
important, you must own and know how to use a Unix oriented operating system. 
After we have collected some information that is useful to us, we&#8217;ll try to 
secure the router as good as possible. And please note, this paper is for 
educational purposes only and I&#8217;m not responsible in any way for your stupid 
actions if you&#8217;ll be caught.<BR><BR>Because the probability you don&#8217;t have an 
IGS Cisco Router but a newer model like the IOS, it could happen you get 
different outputs at programs like &#8220;nmap&#8221;. Also while securing the router it&#8217;s 
possible you have to use some other commands than I do. Grab your manual if you 
have one and try to find the correct command.<BR><BIG><BR></BIG><BIG><B>Getting 
the information remote:</B></BIG><BR><BR>I assume you already have configured 
you Cisco Router and your Unix box with the proper outfit. But because I know 
there still are people who don&#8217;t know where to download the tools we&#8217;re going to 
use, I&#8217;ve placed some links at the bottom of this paper which could be 
useful.<BR><BR>I always start with an &#8220;nmap&#8221;-scan, we need to know first which 
daemons are running at the remote host. Because I do own a couple of IGS Cisco 
Routers myself, I&#8217;ll use the router with IP &#8220;169.254.0.10&#8221; for this paper. A 
daemon can listen on various sockets, like UDP, TCP, IPX and SPX it could take a 
long time before they all are scanned. And if you&#8217;re not at the same segment as 
where the remote router is located, it&#8217;s completely useless to scan sockets 
other than TCP and UDP. Protocols other than 802.3(Standard LLC, SNAP LLC and 
RAW) &amp; IP will standard not be rotated by any (internet)-router!<BR><BR>Well 
we only will scan all listening TCP and UDP sockets and we use the following 
command at the Unix shell: &#8220;nmap -sT -sU -p 1-65535 169.254.0.10&#8221;. For a 
complete overview of all possibilities type: &#8220;man nmap&#8221;.<BR><BR>Port &nbsp; 
&nbsp; &nbsp; State &nbsp; &nbsp; &nbsp; Service<BR><BR>7/tcp &nbsp;&nbsp; 
&nbsp; open &nbsp;&nbsp; &nbsp; &nbsp; echo<BR>7/udp &nbsp; &nbsp; open 
&nbsp;&nbsp; &nbsp; &nbsp; echo<BR>9/tcp &nbsp;&nbsp; &nbsp; open &nbsp;&nbsp; 
&nbsp; &nbsp; discard<BR>9/udp &nbsp; &nbsp; open &nbsp;&nbsp; &nbsp; &nbsp; 
discard<BR>23/tcp &nbsp; &nbsp; open &nbsp;&nbsp; &nbsp; &nbsp; telnet<BR>49/udp 
&nbsp;&nbsp; open &nbsp;&nbsp; &nbsp; &nbsp; tacacs<BR>67udp &nbsp; &nbsp; open 
&nbsp;&nbsp; &nbsp; &nbsp; bootps<BR>79/tcp &nbsp; &nbsp; open &nbsp;&nbsp; 
&nbsp; &nbsp; finger<BR>161/udp &nbsp; open &nbsp; &nbsp; &nbsp; 
snmp<BR>1993/tcp &nbsp; open &nbsp;&nbsp; &nbsp; &nbsp; 
snmp-tcp-port<BR><BR>Above you notice an output of nmap, now I try to describe 
every daemon&#8230;<BR><BR>By default many FTP daemons will use 20/TCP and 21/TCP, 
while many Gopher daemons will only listen on 70/TCP, every daemon uses it&#8217;s 
standard port. Of course you can configure the daemon so it listens at a 
different port. So it&#8217;s possible that &#8216;behind&#8217; 79/TCP at the IGS Cisco Router 
there is listening another daemon then a finger daemon. There are two ways to 
discover what daemon will really listen on a socket, one search in your IGS 
Cisco Router manual; two establish a telnet session to the daemon. I&#8217;m trying to 
establish a telnet session to all daemons, most times you get enough information 
from the &#8216;banner&#8217;.<BR><BR>Echo (7/TCP&amp;UDP)<BR><BR>SorNOT:~ # telnet 
169.254.0.10 7<BR>Trying 169.254.0.10...<BR>Connected to 169.254.0.10.<BR>Escape 
character is '^]'.<BR>hu<BR>hu<BR>:)<BR>:)<BR>echo<BR>echo<BR><BR>This daemon 
will echo all commands nicely&#8230; but will not be really useful to us. So it&#8217;s 
recommended to kill the daemon. Unless you want to have some digital chat friend 
if you&#8217;re feeling bored&#8230; :-P<BR><BR><BR>Discard (9/TCP&amp;UDP)<BR><BR>This 
daemon is kind of funny (check the RFC), but isn&#8217;t also very useful, so kill 
it...<BR><BR><BR>Telnet (23/TCP)<BR><BR>lappie:~/IGS # telnet 169.254.0.10 
23<BR>Trying 169.254.0.10...<BR>Connected to 169.254.0.10.<BR>Escape character 
is '^]'.<BR>User Access Verification<BR>Password:<BR>CiscoRouter&gt;<BR><BR>This 
is a well-known daemon&#8230; I suppose you are familiar with it.<BR><BR><BR>Tacacs 
(49/UDP)<BR><BR>This (Terminal Access Controller Access Control System) daemon 
has a function I will never use&#8230; this daemon control dial-up lines. This option 
is being used (only?) by Internet Service Providers, where their customers&#8230; well 
create a connection to the Internet perhaps?<BR><BR><BR>Bootps 
(67/UDP)<BR><BR>With this protocol you can remote configure a Cisco Router&#8230; 
because your router has already been configured it&#8217;s not necessary anymore to 
keep the daemon alive.<BR><BR><BR>Finger (79/TCP)<BR><BR>lappie:~/IGS # telnet 
169.254.0.10 79<BR>Trying 169.254.0.10...<BR>Connected to 
169.254.0.10.<BR>Escape character is '^]'.<BR><BR>&nbsp;&nbsp; Line &nbsp;&nbsp; 
User &nbsp;&nbsp; &nbsp; &nbsp; &nbsp; Host(s) &nbsp; &nbsp; &nbsp; &nbsp; 
&nbsp; &nbsp; &nbsp; Idle &nbsp; &nbsp; Location<BR>*&nbsp; 2 vty &nbsp; 0 
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; idle &nbsp; &nbsp; 
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 0 &nbsp; &nbsp; 
169.254.0.3<BR><BR>Connection closed by foreign host.<BR><BR>Here we get some 
pretty valuable information, about who has established a connection to the 
IGS-CR and from where&#8230; this daemon can also being used by a command within a 
shell. So if you want to kill the daemon remember you cannot anymore use it from 
within a shell.<BR><BR><BR>SNMP (161/UDP)<BR><BR>This (Simple Network Management 
Protocol) daemon will come in handy in some situations, but I don&#8217;t see any 
reason to let it &#8216;live&#8217;.<BR><BR><BR>SNMP-tcp-port (1993/tcp)<BR><BR>This is the 
tcp version of the SNMP at 161/udp&#8230; so if you want to stop this daemon you have 
to check if the daemon behind 1993/tcp is stopped 
too.<BR><BR><BIG><BR></BIG><BIG><B>Getting the information 
local:</B></BIG><BR><BR>We also can request information about the IGS-CR 
locally, you don&#8217;t need to have &#8216;enable&#8217; privileges for this. With the command 
&#8220;show processes&#8221; you&#8217;ll get the following output like 
below.<BR><BR>CiscoRouter#show processes<BR><BR>&nbsp; CPU utilization for one 
minute: 15%; for five minutes: 15%<BR><BR>&nbsp; PID Q T &nbsp;&nbsp; &nbsp; PC 
Runtime (ms) &nbsp;&nbsp; Invoked &nbsp; uSecs &nbsp; Stacks&nbsp; TTY 
Process<BR><BR>&nbsp; &nbsp; 1 M E 1019D28 &nbsp;&nbsp; &nbsp; &nbsp; 49052 
&nbsp; &nbsp; &nbsp; 5275 &nbsp;&nbsp; 9298&nbsp; 876/1000 &nbsp; 0 Net 
Background<BR>&nbsp; &nbsp; 2 L E 102D2EC &nbsp;&nbsp; &nbsp; &nbsp; &nbsp; 
&nbsp; 0 &nbsp;&nbsp; &nbsp; &nbsp; &nbsp; 4 &nbsp; &nbsp; &nbsp; 0&nbsp; 
880/1000 &nbsp; 0 Logger<BR>&nbsp;&nbsp; 27 M * &nbsp; &nbsp; F14 &nbsp;&nbsp; 
&nbsp; &nbsp; &nbsp; 548 &nbsp; &nbsp; &nbsp; &nbsp; 55 &nbsp;&nbsp; 9963&nbsp;