Tcpdump data collection

2008-12-02 Thread Subba Rao
Hello,

I want to collect data on a network and map the data flow and system/port 
traffic. There are 2 scenarios of data collection here.  The first is to 
collect IP traffic only.  In this method I do not want the data portion of the 
IP packet (need IP address, source/destination ports etc).

The second is to collect traffic that will show all the routing protocols 
(non-IP) used on this network.  Today while collecting the data, I saw several 
HSRP packets.  I don't know what portion of the packet is sufficient to capture 
for this purpose.

I used the "-s 0" option on tcpdump which captures the whole packet.  That is 
making the dump file large.  Any help with the filters is appreciated to 
capture the non-data portion of the packets.

Thank you in advance.

Subba Rao


Cisco Audit Tool?

2009-03-05 Thread Subba Rao
For auditing, is there any Cisco Router/Switch configuration analysis tool?

Thank you in advance.

Subba Rao



Nipper and Cisco configuration results

2009-04-02 Thread Subba Rao
I am using Nipper for verifying my Cisco configuration.  Nipper is finding the 
"rlogin" service that is not in the configuration.  I have searched the access 
lists and do not see it anywhere.  The explanation by Nipper about this 
finding, "Telnet protocol implemented by this service" is confusing.  
Here is the Nipper's output:

__
Rlogin Service Settings

The Rlogin service enables remote administrative access to a CLI on Cisco 
Router Devices.  The Telnet protocol implemented by th service is simple and 
provides no encryption of the network communications between client and the 
server.  This section details the Rlogin settings.

Description                Setting
Rlogin Service            Enabled
Service TCP Port        513
__

I have checked a few other routers where SSH was not enabled with the same 
results.

Can someone explain why Nipper is saying "Rlogin is enabled" when I do not see 
it in the configuration file?  Is there something else that I need to be 
looking at?

Thank you in advance for any help.

Subba Rao


RE: Nipper and Cisco configuration results

2009-04-02 Thread Subba Rao
I did not scan the routers yet with nmap.  These results are from Nipper 
analysis.  None of the access lists are showing "port 513" as Nipper is 
complaining about.  The IOS version is 12.4

Subba Rao


--- On Thu, 4/2/09, Jo¢  wrote:

From: Jo¢ 
Subject: RE: Nipper and Cisco configuration results
To: castellan2004-...@yahoo.com, nanog@nanog.org
Date: Thursday, April 2, 2009, 8:18 PM

What IOS version are you using? I don't see that behavior (rlogin/rsh) by
default, but I'm a few revisions behind on the latest. @ 12.2
I do see from the router: 
RCMD-4-RSHPORTATTEMPT Attempted to connect to RSHELL from 192.168.1.52
from nmaps, but there's no response to the SYN packet of the attempting IP. I
think this has been the case since w-a-y earlier versions of IOS for logging
levels but not sure at which level.
Looks to only be logging an attempt, no session is made, sort of like a
firewall just letting you know there was an attempt. The router gets the
request but it falls on deaf ears, no one home. Unless perhaps there's some
other sort of flag/bit that can be presented to open that connection
(extremely doubtful) I don't believe there's any way to connect.

Perhaps turning down your logging will prevent your testing program from
reporting a false positive?
I'd snoop/sniff the traffic and see if your router is SYN/ACK-ing the
request of rlogin/rsh to be sure.

And make sure they're not too close to one another, in case they're using
undocumented internal wireless units as a means to complete the connection,
those Cisco guys you know..

Regards
Joe Blanchard




RE: Nipper and Cisco configuration results

2009-04-02 Thread Subba Rao
Joe,

Thank you for replying.  I am asking about the Nipper complaint.  Why is Nipper 
report saying "Rlogin" is enabled when I don't see any ACL in the config?

Using IOS 12.4

Cheers,

Subba Rao



--- On Thu, 4/2/09, Jo¢  wrote:

From: Jo¢ 
Subject: RE: Nipper and Cisco configuration results
To: castellan2004-...@yahoo.com, nanog@nanog.org
Date: Thursday, April 2, 2009, 9:09 PM


Subba,

Sorry, perhaps I am confused about the nature of your question? Did you
have acls up for logging these attempts and they weren't logged? or are you
asking for help from the Nipper portion of this as to why it's reporting this
item. 
With my logging turned up to debug I do see entries about RSHPORTATTEMPTs,
but I suspect there's a lesser logging for that based on facility.
At 12.3 I don't see any sort of problem with an open Rlogin/Rsh, and I have
tested this on a router running a very minimal configuration. Hands out DHCP
and does OSPF, but that's about it. 

Can you clarify your problem a bit? 

-Joe

 




Re: Nipper and Cisco configuration results

2009-04-03 Thread Subba Rao
I will check this as soon as I go to work this morning.  One thing I noticed 
about the Nipper results is that on any router where SSH was disabled, Rlogin 
was reported as enabled, and vice versa.

I will go thru the configuration file once again.

Thank you very much for checking this out!

Subba Rao


--- On Thu, 4/2/09, Lee  wrote:

From: Lee 
Subject: Re: Nipper and Cisco configuration results
To: castellan2004-...@yahoo.com
Cc: nanog@nanog.org
Date: Thursday, April 2, 2009, 11:31 PM

On 4/2/09, Subba Rao  wrote:
> I am using Nipper for verifying my Cisco configuration.  Nipper is finding
> the "rlogin" service that is not in the configuration.  I have searched the
> access lists and do not see it anywhere.  The explanation by Nipper about
> this finding, "Telnet protocol implemented by this service" is
> confusing.  Here is the Nipper's output:
  <..snip ..>
> Can someone explain why Nipper is saying "Rlogin is enabled" when I do not
> see it in the configuration file?  Is there something else that I need to be
> looking at?

I played with it a bit - removing the "transport input telnet" on a
vty line got me the rlogin service is enabled.  Add it back & nipper
says it's disabled...

Do you have a "transport input telnet" on each vty?  If not, does
adding it fix the nipper report?

Regards,
Lee


Re: Nipper and Cisco configuration results

2009-04-03 Thread Subba Rao
I did see a few false positives too with Nipper.  What do you think about 
Router Audit Tool (RAT) instead?  I downloaded ncat (aka RAT), but it does not 
have a global configuration file which I can use for all the routers and 
switches I have.  Any tips on ncat/RAT configuration?  I could not find any 
examples on using ncat.

Subba Rao

--- On Fri, 4/3/09, Christopher  wrote:

From: Christopher 
Subject: Re: Nipper and Cisco configuration results
To: "nanog" 
Date: Friday, April 3, 2009, 12:36 PM

On Thu, 2009-04-02 at 15:33 -0700, Subba Rao wrote:
> I am using Nipper for verifying my Cisco configuration.  Nipper is
>  finding the "rlogin" service that is not in the configuration.  I have
>  searched the access lists and do not see it anywhere.  The explanation
>  by Nipper about this finding, "Telnet protocol implemented by this
>  service" is confusing.

The problem, IMHO, is nipper.  You might or might not have the rlogin
service enabled, but nipper has so many false positives I find it almost
useless.  In my case, it caught some obvious things I had forgotten to
do, but everything else was useless.  For instance, from the nipper
source code:

struct vulnerability report_vuln_ios11 = {9, 0, 0, 12, 4, 0,
                          "CVE-2007-0479", "22208",
                          "IPv4 TCP listener denial of service",
                          true, false,
                          vuln_req_none, false, &report_vuln_ios12};

What the above means to nipper is any IOS version 12.0.x, 12.1.x,
12.2.x, 12.3.x is vulnerable, while every 12.4.x version is OK.  This is
obviously false on *both* counts.  
http://www.cisco.com/en/US/products/products_security_advisory09186a00807cb0e4.shtml


I spent a lot of time trying to explain this to $corporate audit guy
that had never even logged into a router, let alone had to choose a
stable IOS version for 6500/7600 class hardware.



-- 
Christopher McCrory
 "The guy that keeps the servers running"
 
chris...@pricegrabber.com
 http://www.pricegrabber.com
 
To the optimist, the glass is half full.
To the pessimist, the glass is half empty.
To the engineer, the glass is twice as big as it needs to be.





Re: Nipper and Cisco configuration results

2009-04-04 Thread Subba Rao
I looked at the configurations yesterday on the routers.  The vty line does not 
have any "transport" line below it.  All the routers showing "Rlogin enabled" 
have similar configuration.

What are the default services that are enabled for vty on IOS 12.4?  I know 
there are only telnet, SSH and Rlogin.  Is there any particular sequence that 
IOS processes the vty access?

Subba Rao

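The two observations above, Lee's (Nipper reports "Rlogin enabled" for a vty that has no "transport input" line, and stops once the line is present) and Subba's follow-up question about what a vty accepts by default, can be turned into a direct configuration check. The script below is an added example, not part of the NANOG thread and not code from Nipper or RAT: it parses the "line vty" blocks of an IOS-style configuration and reports the effective input transports per vty range, flagging any range that is not restricted to SSH. The configuration text is constructed, and the assumption that a vty with no "transport input" statement accepts every transport (which is what Nipper's report implies, but which varies by IOS version and platform) is labelled in the code.

```python
"""
Audit the "line vty" blocks of a Cisco IOS-style configuration and report
which input transports each vty range effectively permits.

Added example; not from the NANOG thread, Nipper or RAT. The configuration
below is constructed, and the "no statement means all transports" default
is an assumption that must be confirmed against the IOS version in use.
"""
import re

# Transports considered here. Real IOS accepts more keywords; this set is
# enough to make the telnet/ssh/rlogin distinction from the thread explicit.
ALL_TRANSPORTS = {"telnet", "ssh", "rlogin"}

# Constructed sample: vty 0-4 has no "transport input" line (the case Lee
# describes), vty 5-15 is restricted to SSH.
CONSTRUCTED_CONFIG = """\
!
hostname rtr-lab
!
line con 0
 logging synchronous
line vty 0 4
 password 7 0822455D0A16
 login
line vty 5 15
 transport input ssh
 login local
!
"""


def parse_vty_blocks(config: str) -> dict:
    """Return {vty_range: [sub-commands]} for every 'line vty' block.

    IOS indents the sub-commands of a line block by one space; any
    non-indented command (including '!') ends the current block.
    """
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = raw[len("line"):].strip()       # e.g. "vty 0 4"
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None
    return blocks


def transports_for(block_lines: list) -> set:
    """Effective input transports for one vty block.

    Assumption (labelled, IOS-version dependent): with no "transport input"
    statement the vty accepts every transport, which is the reading that
    makes Nipper's "Rlogin enabled" finding consistent with Lee's test.
    The last "transport input" statement in a block wins.
    """
    transports = set(ALL_TRANSPORTS)
    for line in block_lines:
        m = re.match(r"transport input (.+)", line)
        if m:
            words = m.group(1).split()
            if words == ["none"]:
                transports = set()
            elif words == ["all"]:
                transports = set(ALL_TRANSPORTS)
            else:
                transports = set(words)
    return transports


def audit_vty(config: str) -> dict:
    """Map each vty range to its sorted transports and an ssh_only verdict."""
    result = {}
    for name, lines in parse_vty_blocks(config).items():
        t = transports_for(lines)
        result[name] = {"transports": sorted(t), "ssh_only": t == {"ssh"}}
    return result


if __name__ == "__main__":
    for vty, info in audit_vty(CONSTRUCTED_CONFIG).items():
        flag = "OK" if info["ssh_only"] else "REVIEW"
        shown = " ".join(info["transports"]) or "none"
        print(f"{vty}: transport input {shown} [{flag}]")
```

Running it on the constructed configuration reports vty 0 4 as accepting rlogin, ssh and telnet (REVIEW) and vty 5 15 as ssh only (OK). The useful point for a compliance review is that the check keys off the absence of a statement, not its presence, which is exactly why grepping the access lists for port 513 finds nothing.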


Configuration Compliance tools??

2011-04-16 Thread Subba Rao
Hi,

I am tasked to analyze the configuration of several Layer 2 Switches for
compliance.  Most of these switches are from Foundry (now Brocade).
What tools are available to perform this task?  I could write up a Perl
script to parse thru the configuration files.  I was wondering if there
are some already out there for use.

Any information appreciated.

Thank you in advance.

Subba Rao