Re: [Full-Disclosure] cisco acl

[Anton Ivanov <arivanov@sigsegv.cx>]

vb wrote:

> to change password:
> hook up console cable, establish session.
> boot router
> hit "break key" within 60 seconds of bootup
> at the > prompt, type:confreg 0x2142
> type "i" to reboot router
> router will boot up and not require a password
> type"enable"
> type"copy start run"
> type "conf te"
> type "enable secret <new password>"
> hit CNTRL-Z
> type "copy run start"
> reboot
> send me a check.
>
> that should do it.
>  

If I understood the poster correctly, he wanted the hits on the router 
ACLs and such. This information will not leave across a reboot.

I would suggest checking if the attacker has changed the SNMP 
communities. If these along with the SNMP views are configured to allow 
you access to the interesting parts of the MIB you can get around the 
fact that you do not have an enable password.

If not - all you can do is get your router back as described by vb (does 
not work on all cisco models especially the more dinozauric ones, check 
with cisco web site for instructions on your exact model).

Brgds,

A,

> ----- Original Message ----- 
> From: "isa vaul" <nonleft@gmx.net>
> To: "petard" <petard@freeshell.org>
> Cc: <full-disclosure@lists.netsys.com>
> Sent: Friday, December 05, 2003 10:30 AM
> Subject: Re[2]: [Full-Disclosure] cisco acl
>
>
>  
>
> > Hello petard,
> >
> > Friday, December 5, 2003, 3:35:19 PM, you wrote:
> >
> > p> On Fri, Dec 05, 2003 at 01:45:31PM +0100, isa vaul wrote:
> >    
> >
> > > > Hello full-disclosure,
> > > >
> > > >  I've got a little problem with a cisco router.
> > > >  It has obviously been compromised. How do i know, well the password
> > > >  has changed. So I want to retrieve the ACL from the RAM (not NVRAM)
> > > >  to see what else maybe got compromised.
> > > >  Does anyone know how this could be done?
> > > >
> > > >  thanks for any suggestions in advance...
> > > >        
> > p> You'll probably get better answers if you:
> >
> > p> 1. google for "cisco router forensics"
> > p> 2. ask this question to a cisco list
> > p> 3. ask this question to cisco tech support. they're quite good.
> >
> > p> Assuming you've determined the changed password and the enable
> >    
> password, the command:
>  
>
> > p> # show running-config
> > p> will display the current configuration from RAM, including any ACLs
> > p> IIRC.
> >
> > p> HTH,
> > p> petard
> >
> > p> --
> > p> If your message really might be confidential, download my PGP key here:
> > p> http://petard.freeshell.org/petard.asc
> > p> and encrypt it. Otherwise, save bandwidth and lose the disclaimer.
> >
> > thanks for all the replies.
> > and i am aware of the 3 given possibilities.
> > but i thought maybe someone on the list has some quick answer as
> > well?!? and as it is a little urgent i just wanted to give it a try!
> >
> > Unfortunately I do not know the new password! otherwise there wouldn't
> > be a problem at all.
> > and more unfortunately it is not my network and had nothing to do with
> > the setup.  or else i would have, as Mort pointed out, a tftp in
> > place.
> >
> > --
> > Best regards,
> > nonleft                            mailto:nonleft@gmx.net
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html
> >    
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
>
>  



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html