Sunday, September 27, 2009

IP Routing - EIGRP

Right, first a bit about EIGRP from my notes.

EIGRP (Enhanced Interior Gateway Routing Protocol) is a Cisco proprietary hybrid routing protocol that uses the DUAL algorithm to select the best path to remote networks. It has both link-state and distance-vector characteristics. EIGRP has an administrative distance of 90.

EIGRP uses a multicast address of 224.0.0 to send updates as the topology changes. If the router does not receive a reply from a neighbor after sending the multicast update, it will use unicast. A list of neighbors is maintained in the neighborship table. After the router has sent 16 unicasts and received no reply, the neighbor is declared dead and removed from the neighborship table.

EIGRP will only share routing information with its neighbors if they share the same AS number. All updates that EIGRP receives are entered into its topology table; the best routes are selected by DUAL and entered into the routing table.

EIGRP (unlike IGRP) includes the subnet mask in its advertisements, which allows it to utilise VLSM and summarisation and to support discontiguous networks. By default EIGRP uses bandwidth and delay to calculate the best route to a remote network. EIGRP can load-balance across up to 6 equal or unequal cost links, but the default is 4.


My Lab

I'll be using the same lab as in previous posts.


Router 1 (R1)
FastEthernet 0/0 - 192.168.1.1/24
loopback 0 - 172.16.10.0/24
loopback 1 - 10.1.1.0/24

Router 2 (R2)
FastEthernet 0/0 - 192.168.1.2/24
FastEthernet 1/0 - 192.168.2.1/24

Router 3 (R3)
FastEthernet 0/0 - 192.168.2.2/24


Configuring EIGRP

Below I'm going to remove OSPF which was set up in a previous lab and configure all of my routers with EIGRP.


R1
R1#sh ip protocols
Routing Protocol is "ospf 10"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Router ID 172.16.10.1
It is an autonomous system boundary router
Redistributing External Routes from,
Number of areas in this router is 1. 1 normal 0 stub 0 nssa
Maximum path: 4
Routing for Networks:
172.16.10.0 0.0.0.255 area 0
192.168.1.0 0.0.0.255 area 0
Reference bandwidth unit is 100 mbps
Routing Information Sources:
Gateway Distance Last Update
192.168.2.2 110 00:01:01
Distance: (default is 110)


First I'll remove OSPF

R1#conf t
R1(config)#no router ospf 10
R1(config)#end


And now I'll configure EIGRP with an AS of 10. To configure EIGRP on all the routers in the diagram I use the following commands:

R1
R1#conf t
R1(config)#router eigrp 10
R1(config-router)#network 192.168.1.0 0.0.0.255
R1(config-router)#network 172.16.10.0 0.0.0.255
R1(config-router)#end



R2
R2#conf t
R2(config)#no router ospf 10
R2(config)#router eigrp 10
R2(config-router)#network 192.168.1.0 0.0.0.255
R2(config-router)#network 192.168.2.0 0.0.0.255
R2(config-router)#end



R3
R3#conf t
R3(config)#no router ospf 10
R3(config)#router eigrp 10
R3(config-router)#network 192.168.2.0 0.0.0.255
R3(config-router)#end


I now check my routing table on R3 to make sure I see the routes from R1.

R3#sh ip route
Gateway of last resort is not set
D 172.16.0.0/16 [90/158720] via 192.168.2.1, 00:00:14, FastEthernet0/0
D 192.168.1.0/24 [90/30720] via 192.168.2.1, 00:00:14, FastEthernet0/0
C 192.168.2.0/24 is directly connected, FastEthernet0/0

Routes starting with a D are EIGRP routes. Now I check I can ping one of the remote networks.

R3#ping 172.16.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/29/52 ms
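The metrics in R3's routing table above (158720 and 30720) fall out of EIGRP's default bandwidth-plus-delay formula. The following calculator is an added example, not code from the original post; the interface bandwidth and delay values it uses are the usual IOS defaults and are an assumption about the lab, not figures taken from the post.

```python
"""EIGRP composite metric with the default K values (K1 = K3 = 1, K2 = K4 = K5 = 0):

    metric = 256 * (10_000_000 // slowest_bandwidth_kbps + total_delay_us // 10)

The interface values below are the usual IOS defaults and are an assumption
about the lab, not figures taken from the post.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Link:
    name: str
    bandwidth_kbps: int  # "bandwidth" value of the outgoing interface
    delay_us: int        # "delay" value of the outgoing interface, microseconds


FASTETHERNET = Link("FastEthernet", 100_000, 100)
LOOPBACK = Link("Loopback", 8_000_000, 5_000)


def eigrp_metric(path):
    """Metric for a path given as the outgoing links from the local router
    through to the interface on which the destination network lives.
    The bandwidth term uses only the slowest link; delay is summed."""
    if not path:
        raise ValueError("path must contain at least one link")
    bandwidth_term = 10_000_000 // min(link.bandwidth_kbps for link in path)
    delay_term = sum(link.delay_us for link in path) // 10
    return 256 * (bandwidth_term + delay_term)


def metric_per_hop(path):
    """How the metric grows as each router along the way adds its own link,
    i.e. the value each router in turn would advertise for the prefix."""
    return [eigrp_metric(path[i:]) for i in range(len(path) - 1, -1, -1)]


# Paths from R3 in the lab: R3 -Fa0/0-> R2 -Fa0/0-> R1, then R1's Loopback0
# carries 172.16.10.0/24, while 192.168.1.0/24 sits on the R1-R2 segment.
# Prefixes are written as R3's table shows them.
LAB_PATHS = {
    "172.16.0.0/16": [FASTETHERNET, FASTETHERNET, LOOPBACK],
    "192.168.1.0/24": [FASTETHERNET, FASTETHERNET],
}


def lab_routing_table():
    """Prefix -> metric as R3 should show it in 'show ip route'."""
    return {prefix: eigrp_metric(path) for prefix, path in LAB_PATHS.items()}


if __name__ == "__main__":
    for prefix, metric in lab_routing_table().items():
        print(f"D {prefix} [90/{metric}]")
    print("metric as advertised by R1, R2, then computed at R3:",
          metric_per_hop(LAB_PATHS["172.16.0.0/16"]))
```

Changing the `bandwidth` or `delay` on any interface in the path changes the result, which is why the metric seen at R3 depends on R1's loopback delay as much as on the FastEthernet links.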


I also need to set the default network so it gets advertised through EIGRP.

R1(config)#ip default-network 172.16.10.1
R1(config)#end


Now suppose I want to prevent one of the interfaces on a router from sending out or receiving advertisements.

R2(config)#router eigrp 10
R2(config-router)#passive-interface fastEthernet 1/0

The following message is displayed on the console screen to indicate that the interface will not be sending out EIGRP routes.

00:52:21: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 10: Neighbor 192.168.2.2 (FastEthernet1/0) is down: interface passive


And on R3 I get the following message:

00:52:27: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 10: Neighbor 192.168.2.1 (FastEthernet0/0) is down: Interface Goodbye received

On checking R3's routing table I see that all the EIGRP routes have been dropped.

R3#sh ip route
C 192.168.2.0/24 is directly connected, FastEthernet0/0


Troubleshooting and Debug Commands

R3#sh ip route summary


R1#sh ip protocols


R2#sh ip eigrp interfaces
R3#debug ip eigrp
R2#sh ip eigrp traffic 10
R2#sh ip eigrp neighbors detail



Saturday, September 26, 2009

Monitoring Traffic with Span Ports

This is just a quick post to detail how to set up a SPAN port on a Cisco 2950 switch to monitor traffic.


Previously I had used either a hub or ARP poisoning to capture traffic in a switch environment. On my Cisco switch I can capture traffic by telling the switch to send a copy of all traffic destined for one port (or multiple ports) to another port.


Span Port Configuration

In the configuration below I have told the switch to send a copy of all data sent or received on the port range 3 - 5 to port 23.

S1(config)#monitor session 1 source interface fastEthernet 0/3 - 5 both
S1(config)#monitor session 1 destination interface fastEthernet 0/23


The configuration can be verified with the following command:

S1#sh monitor session 1



This works across VLANs too, as port 23 is configured into a separate VLAN from ports 3 to 5.

This should emphasise the need to secure your switch (passwords, SSH, locking down ports, etc.), as SPAN is obviously great for monitoring traffic but can also be used by an attacker to capture traffic.


Links
Here is a great Cisco article on all things Span Port!

Friday, September 25, 2009

IP Routing - OSPF

In this post I'm going to describe a few benefits of OSPF and how to configure it.

OSPF stands for Open Shortest Path First and is a link-state, non-proprietary, classless routing protocol. OSPF uses the Dijkstra algorithm to calculate routes and has an administrative distance of 110.

The main advantages of OSPF are the fast convergence time and the low bandwidth use. Unlike RIP, which treats the network as flat, OSPF networks can be structured. Areas are used to structure the network, and each router needs to have an interface in area 0, which is the backbone network. For the CCNA exam only area 0 is used. OSPF can also be configured to use authentication on its routing updates.



Configuring OSPF

Below is a diagram of the routers I'll be referring to in this post.

Router 1 (R1)
FastEthernet 0/0 - 192.168.1.1/24
loopback 0 - 172.16.10.0/24
loopback 1 - 10.1.1.0/24

Router 2 (R2)
FastEthernet 0/0 - 192.168.1.2/24
FastEthernet 1/0 - 192.168.2.1/24

Router 3 (R3)
FastEthernet 0/0 - 192.168.2.2/24


Okay, let's get started.

I'll remove RIP so router 3 doesn't know about the 172.16.10.0 subnet on router 1.

R3#conf t
R3(config)#no router rip
R3(config)#exit

R3#sh ip route
Gateway of last resort is not set
C 192.168.2.0/24 is directly connected, FastEthernet0/0
R3#


Below I'll remove RIP from Routers 1, 2 and 3, configure them with OSPF and verify routes propagated.

R1#conf t
R1(config)#no router rip
R1(config)#router ospf 10
R1(config-router)#network 192.168.1.0 0.0.0.255 area 0
R1(config-router)#network 172.16.10.0 0.0.0.255 area 0
R1(config-router)#end

I also have a network, 10.1.1.0, that I don't want advertised, so I leave this out.


R2#conf t
R2(config)#no router rip
R2(config)#router ospf 10
R2(config-router)#network 192.168.1.0 0.0.0.255 area 0
R2(config-router)#network 192.168.2.0 0.0.0.255 area 0
R2(config-router)#end


R3#conf t
R3(config)#router ospf 10
R3(config-router)#network 192.168.2.0 0.0.0.255 area 0


Notice that I just add the networks I want advertised and place them into Area 0. All routers must have at least one interface in Area 0. I have used 10 as the OSPF process ID; this could be different on each router, but it's easier to remember if it is the same everywhere.

Great. Now I verify that the routes have been propagated.

R3#sh ip route
Gateway of last resort is not set
172.16.0.0/32 is subnetted, 1 subnets
O 172.16.10.1 [110/3] via 192.168.2.1, 00:06:53, FastEthernet0/0
O 192.168.1.0/24 [110/2] via 192.168.2.1, 00:06:53, FastEthernet0/0
C 192.168.2.0/24 is directly connected, FastEthernet0/0

And can I ping the 172.16.10.1 interface?

R3#ping 172.16.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 52/72/96 ms
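The costs in R3's table above ([110/3] and [110/2]) are what Dijkstra produces when every FastEthernet and loopback interface costs 1 against the 100 Mbps reference bandwidth shown earlier in `show ip protocols`. The following is an added example, not code from the original post; the interface bandwidths it uses are IOS defaults assumed for the lab, and the loopback is modelled as the /32 host route OSPF advertises for it.

```python
"""Dijkstra over the lab topology with IOS-style OSPF costs.

Cost of an interface = reference bandwidth / interface bandwidth, rounded down,
never below 1. The reference bandwidth (100 Mbps) is the value in the post's
'show ip protocols' output; the interface bandwidths are IOS defaults assumed
for the lab (FastEthernet 100 Mbps, Loopback 8 Gbps).
"""
import heapq

REFERENCE_BW_BPS = 100_000_000
FASTETHERNET_BPS = 100_000_000
LOOPBACK_BPS = 8_000_000_000


def ospf_cost(bandwidth_bps):
    """IOS rounds down and clamps to a minimum of 1."""
    return max(1, REFERENCE_BW_BPS // bandwidth_bps)


FE = ospf_cost(FASTETHERNET_BPS)   # 1
LO = ospf_cost(LOOPBACK_BPS)       # would be 0.0125, clamped to 1

# Directed graph: node -> {neighbour: cost of the outgoing interface}.
# Routers and the networks they attach to are both nodes. A network node has
# no outgoing edges, so reaching one costs the sum of the interface costs
# along the path, which is how OSPF accumulates cost. OSPF advertises a
# loopback as a host route, hence 172.16.10.1/32 rather than /24.
LAB_GRAPH = {
    "R1": {"R2": FE, "192.168.1.0/24": FE, "172.16.10.1/32": LO},
    "R2": {"R1": FE, "R3": FE, "192.168.1.0/24": FE, "192.168.2.0/24": FE},
    "R3": {"R2": FE, "192.168.2.0/24": FE},
    "192.168.1.0/24": {}, "192.168.2.0/24": {}, "172.16.10.1/32": {},
}


def shortest_paths(graph, source):
    """Classic Dijkstra. Returns node -> (cost, first router hop after source);
    the hop is None for nodes reached directly from the source."""
    best = {source: (0, None)}
    heap = [(0, source, None)]
    while heap:
        cost, node, first_hop = heapq.heappop(heap)
        if cost > best[node][0]:
            continue  # stale heap entry
        for neighbour, edge in graph[node].items():
            candidate = cost + edge
            if node == source:
                hop = neighbour if graph[neighbour] else None  # router or attached net
            else:
                hop = first_hop
            if neighbour not in best or candidate < best[neighbour][0]:
                best[neighbour] = (candidate, hop)
                heapq.heappush(heap, (candidate, neighbour, hop))
    return best


def routing_table(graph, router):
    """Network prefix -> (code, cost, next hop) the way 'show ip route' lists it:
    'C' for a directly connected network, 'O' for one learned via OSPF."""
    table = {}
    for node, (cost, hop) in shortest_paths(graph, router).items():
        if graph[node]:          # a router, not a network
            continue
        code = "C" if hop is None else "O"
        table[node] = (code, cost, hop)
    return table


if __name__ == "__main__":
    for prefix, (code, cost, hop) in sorted(routing_table(LAB_GRAPH, "R3").items()):
        via = "directly connected" if hop is None else f"[110/{cost}] via {hop}"
        print(f"{code} {prefix} {via}")
```

The `O*E2 0.0.0.0/0 [110/1]` default route that appears later in the post is an external route and is not produced by this path cost calculation.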


Okay, this is all good, but I can see in the routing table of R3 (shown above) that I have no gateway of last resort set. I want to set this to go to loopback 0 on R1.

To fix this I'll go back to R1, tell OSPF to advertise the gateway route and then create a static route to set the gateway of last resort. Here's how:

R1(config)#router ospf 10
R1(config-router)#default-information originate
R1(config-router)#exit

R1(config)#ip route 0.0.0.0 0.0.0.0 loopback 0
R1(config)#exit

R1#sh ip route
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
172.16.0.0/24 is subnetted, 1 subnets
C 172.16.10.0 is directly connected, Loopback0
10.0.0.0/24 is subnetted, 1 subnets
C 10.1.1.0 is directly connected, Loopback1
C 192.168.1.0/24 is directly connected, FastEthernet0/0
O 192.168.2.0/24 [110/2] via 192.168.1.2, 00:20:59, FastEthernet0/0
S* 0.0.0.0/0 is directly connected, Loopback0


And I have another look on R3 to make sure it has picked up the default route.

R3#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is 192.168.2.1 to network 0.0.0.0

172.16.0.0/32 is subnetted, 1 subnets
O 172.16.10.1 [110/3] via 192.168.2.1, 00:23:59, FastEthernet0/0
O 192.168.1.0/24 [110/2] via 192.168.2.1, 00:23:59, FastEthernet0/0
C 192.168.2.0/24 is directly connected, FastEthernet0/0
O*E2 0.0.0.0/0 [110/1] via 192.168.2.1, 00:04:23, FastEthernet0/0
R3#

Bingo! All done.

Links
Here is a link to a great article on OSPF
Here is a link to some great OSPF videos

Tuesday, September 22, 2009

CDP - What Switch Am I Connected To?

I'm sitting here on my day off, I've mowed the lawn and I had a few minutes to spare so I thought I would have a closer look at a CDP packet.


CDP stands for Cisco Discovery Protocol, and it's a packet that is sent out of every interface of my switch by default. I'll be covering CDP in more detail in another post, but I wanted to quickly get this down because it's so cool.

How many times have you had a PC where you needed to figure out which switch and which port it's plugged into? Probably loads, right? Me too. Well, a simple packet capture of a minute or so will give you all the information you need to go to the right switch and the right port.

As can be seen in the screenshot below, I have Wireshark set to filter on CDP, and in the first packet that comes through I can see that my PC is connected to switch S1 (Device ID: S1) on port FastEthernet 0/3 (Port ID: FastEthernet 0/3). How cool is that! My days of tracing cables are now over (maybe!).


Now there's some other useful information in there too, like the IP address of the switch, the switch model and the IOS version.
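The fields Wireshark shows (Device ID, Port ID, Addresses, Platform, Software Version) are just TLVs inside the CDP payload, so pulling them out of a capture is straightforward. The decoder below is an added example, not code from the original post; the frame it decodes is constructed here (only the CDP payload after the LLC/SNAP header is modelled, the checksum is left at zero, and the switch IP reuses the 10.0.1.210 address from the initial switch configuration post), and the platform and version strings are placeholders.

```python
"""Minimal CDP version 2 decoder for the fields the post reads off Wireshark.

The sample frame is constructed here, not captured from the post's lab. Only the
CDP payload (after LLC/SNAP) is modelled and the checksum is left at zero.
TLV type numbers are the published CDP ones.
"""
import ipaddress
import struct

TLV_DEVICE_ID, TLV_ADDRESSES, TLV_PORT_ID = 0x0001, 0x0002, 0x0003
TLV_VERSION, TLV_PLATFORM = 0x0005, 0x0006
TLV_NAMES = {TLV_DEVICE_ID: "Device ID", TLV_ADDRESSES: "Addresses",
             TLV_PORT_ID: "Port ID", 0x0004: "Capabilities",
             TLV_VERSION: "Software Version", TLV_PLATFORM: "Platform"}
NLPID_IP = b"\xcc"  # protocol byte identifying IPv4 inside the Addresses TLV


def _tlv(tlv_type, value):
    return struct.pack("!HH", tlv_type, 4 + len(value)) + value  # length includes header


def _addresses_tlv(ipv4s):
    body = struct.pack("!I", len(ipv4s))
    for ip in ipv4s:
        packed = ipaddress.IPv4Address(ip).packed
        # protocol type 1 (NLPID), protocol length 1, protocol 0xCC, address length, address
        body += struct.pack("!BBsH", 1, 1, NLPID_IP, len(packed)) + packed
    return _tlv(TLV_ADDRESSES, body)


def build_cdp(device_id, port_id, ipv4s, version, platform, ttl=180):
    """Constructed CDPv2 payload: version byte, TTL, zero checksum, then TLVs."""
    tlvs = (_tlv(TLV_DEVICE_ID, device_id.encode()) + _addresses_tlv(ipv4s)
            + _tlv(TLV_PORT_ID, port_id.encode()) + _tlv(TLV_VERSION, version.encode())
            + _tlv(TLV_PLATFORM, platform.encode()))
    return struct.pack("!BBH", 2, ttl, 0) + tlvs


def _parse_addresses(value):
    (count,) = struct.unpack("!I", value[:4])
    pos, found = 4, []
    for _ in range(count):
        ptype, plen = struct.unpack("!BB", value[pos:pos + 2])
        proto = value[pos + 2:pos + 2 + plen]
        (alen,) = struct.unpack("!H", value[pos + 2 + plen:pos + 4 + plen])
        addr = value[pos + 4 + plen:pos + 4 + plen + alen]
        if len(addr) != alen:
            raise ValueError("truncated address entry")
        pos += 4 + plen + alen
        if ptype == 1 and proto == NLPID_IP and alen == 4:
            found.append(str(ipaddress.IPv4Address(addr)))
        else:
            found.append(f"proto {proto.hex()} addr {addr.hex()}")
    return found


def parse_cdp(payload):
    """Walk the TLVs; bad lengths raise instead of looping or reading past the end."""
    version, ttl, _checksum = struct.unpack("!BBH", payload[:4])
    if version not in (1, 2):
        raise ValueError(f"unknown CDP version {version}")
    info, pos = {"version": version, "ttl": ttl}, 4
    while pos < len(payload):
        if pos + 4 > len(payload):
            raise ValueError("truncated TLV header")
        tlv_type, length = struct.unpack("!HH", payload[pos:pos + 4])
        if length < 4 or pos + length > len(payload):
            raise ValueError("malformed TLV length")  # a zero length would never advance
        value = payload[pos + 4:pos + length]
        name = TLV_NAMES.get(tlv_type, f"type 0x{tlv_type:04x}")
        if tlv_type == TLV_ADDRESSES:
            info[name] = _parse_addresses(value)
        elif tlv_type in (TLV_DEVICE_ID, TLV_PORT_ID, TLV_VERSION, TLV_PLATFORM):
            info[name] = value.decode("ascii", "replace")
        else:
            info[name] = value.hex()
        pos += length
    return info


def where_am_i_plugged_in(payload):
    """The two fields the post cares about: (switch name, switch port)."""
    info = parse_cdp(payload)
    return info.get("Device ID"), info.get("Port ID")


def is_well_formed(payload):
    try:
        parse_cdp(payload)
        return True
    except (ValueError, struct.error):
        return False


SAMPLE = build_cdp("S1", "FastEthernet0/3", ["10.0.1.210"],
                   "Cisco IOS 12.1 (constructed sample string)", "cisco 2950 (constructed)")
```

Feeding the same decoder every CDP frame seen on an access port gives an inventory of which switch port each host sits on, which is the defensive use of the same information.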

Just thought I would share that useful tip (well I thought it was pretty useful anyway).

Saturday, September 19, 2009

IP Routing - RIP

In this post I'm going to describe how to configure RIP as a routing protocol. I'll be using the network layout shown below.


Router 1 (R1)
FastEthernet 0/0 - 192.168.1.1/24
loopback 0 - 172.16.10.0/24

Router 2 (R2)
FastEthernet 0/0 - 192.168.1.2/24
FastEthernet 1/0 - 192.168.2.1/24

Router 3 (R3)
FastEthernet 0/0 - 192.168.2.2/24



About RIP

First a bit about RIP. RIP is a distance vector dynamic routing protocol. That means it populates its routing table based on the routing updates it receives from its neighbors, and it calculates the best path based on distance (or hops).
RIP comes in 2 versions, version 1 and version 2. RIP V1 has been around since the late 60's, is classless, meaning it doesn't send subnet information, it has no authentication and it works by broadcasting the routes it knows about every 30 seconds. RIP V2 is classful, supports authentication and uses multicast (224.0.0.9). RIP is non-proprietary, so it is supported on a range of equipment and not just Cisco. RIP (V1 and V2) both have an administrative distance of 120.



Configuring RIP

Okay, now the fun part. I'll be setting up RIP V2 in this post.
The way RIP works is I enable it on my router, tell it to use version 2, and tell it which networks to advertise.

To start with, let's see what routes R1 knows already:

R1#show ip route
C 172.16.10.0 is directly connected, Loopback0
C 192.168.1.0/24 is directly connected, FastEthernet0/0

Okay, so it knows about the directly connected routes. What about R3?


R3#show ip route
C 192.168.2.0/24 is directly connected, FastEthernet0/0

Great. No chance of pinging the 172.16.10.1 interface on R1 then. For this pinging business to be successful I need to enable RIP V2 on all the routers. I then need to list all the networks that each router knows about. Like this.

Router 1 (R1)
R1(config)#router rip
R1(config-router)#version 2
R1(config-router)#network 192.168.1.0 255.255.255.0
R1(config-router)#network 172.16.10.0 255.255.255.0

Router 2 (R2)
R2(config)#router rip
R2(config-router)#version 2
R2(config-router)#network 192.168.1.0 255.255.255.0
R2(config-router)#network 192.168.2.0 255.255.255.0

Router 3 (R3)
R3(config)#router rip
R3(config-router)#version 2
R3(config-router)#network 192.168.2.0 255.255.255.0


Great. Now I'll check R3's routing table.

R3#show ip route
Gateway of last resort is not set
R 172.16.0.0/16 [120/1] via 192.168.2.1, 00:00:17, FastEthernet0/0
R 192.168.1.0/24 [120/1] via 192.168.2.1, 00:00:17, FastEthernet0/0
C 192.168.2.0/24 is directly connected, FastEthernet0/0

Brilliant. I can now see the routes to 172.16.0.0 network. And can I ping it?

R3#ping 172.16.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/72/92 ms


So remember, you have to tell the router which networks you want to advertise, and if you don't list the network an interface is configured for, RIP won't advertise out of that interface.
Lastly in this section I will cover how to stop RIP propagating out of an interface. This could be because you have RIP enabled but one of your interfaces is connected to an untrusted network, for example. To prevent the propagation you would make the interface passive. You will still receive RIP updates on the interface but will not send them.

In the example below I'll prevent Router 2 from sending updates to Router 3.

R2(config)#router rip
R2(config-router)#version 2
R2(config-router)#network 192.168.1.0 255.255.255.0
R2(config-router)#network 192.168.2.0 255.255.255.0
R2(config-router)#passive-interface fastethernet 1/0



Configuring Authentication

Below I am going to configure authentication on my RIP updates. What I noticed in my lab was as soon as I set this up on a router the remote routers lost all routes until they too were configured for authentication. So it seems that this is an all or nothing thing.

Below I enter global config mode, create a keychain called homelab, a key, and I give the key a password of cisco.

R1#configure terminal
R1(config)#key chain homelab
R1(config-keychain)#key 1
R1(config-keychain-key)#key-string cisco


Now I enter interface configuration mode, tell it which key chain I'm using and tell it to use MD5. This has to be done on each interface that RIP will be sent or received on. Also, each neighboring router needs to use the same key (cisco) as set up in the steps above.

R1#configure terminal
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip rip authentication key-chain homelab
R1(config-if)#ip rip authentication mode md5
R1(config-if)#end


Running show ip protocols lists what the router knows about the authentication you have configured.

R2#show ip protocols
Routing Protocol is "rip"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Sending updates every 30 seconds, next due in 3 seconds
Invalid after 180 seconds, hold down 180, flushed after 240
Redistributing: rip
Default version control: send version 2, receive version 2
Interface Send Recv Triggered RIP Key-chain
FastEthernet0/0 2 2 homelab
FastEthernet1/0 2 2 homelab
Automatic network summarization is in effect
Maximum path: 4
Routing for Networks:
172.16.0.0
192.168.1.0
192.168.2.0
Routing Information Sources:
Gateway Distance Last Update
192.168.2.2 120 00:08:39
192.168.1.1 120 00:00:03
Distance: (default is 120)



Troubleshooting RIP

The commands that I have found useful in helping to troubleshoot RIP are:


R1#show ip protocols
Routing Protocol is "rip"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Sending updates every 30 seconds, next due in 25 seconds
Invalid after 180 seconds, hold down 180, flushed after 240
Redistributing: rip
Default version control: send version 2, receive version 2
Interface Send Recv Triggered RIP Key-chain
FastEthernet0/0 2 2
Loopback0 2 2
Automatic network summarization is in effect
Maximum path: 4
Routing for Networks:
172.16.0.0
192.168.1.0
Routing Information Sources:
Gateway Distance Last Update
192.168.1.2 120 00:00:20
Distance: (default is 120)

In the output above there are a bunch of timers (Update, Invalid, Holddown and Flush). These need to be the same on each router.


R2#show ip rip database
172.16.0.0/16 auto-summary
172.16.0.0/16
[1] via 192.168.1.1, 00:00:00, FastEthernet0/0
192.168.1.0/24 auto-summary
192.168.1.0/24 directly connected, FastEthernet0/0
192.168.2.0/24 auto-summary
192.168.2.0/24 directly connected, FastEthernet1/0


R2#show ip route rip
R 172.16.0.0/16 [120/1] via 192.168.1.1, 00:00:16, FastEthernet0/0


R2#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
R 172.16.0.0/16 [120/1] via 192.168.1.1, 00:00:02, FastEthernet0/0
C 192.168.1.0/24 is directly connected, FastEthernet0/0
C 192.168.2.0/24 is directly connected, FastEthernet1/0

R2#debug ip rip events
RIP event debugging is on
R2#
01:30:43: RIP: sending v2 update to 224.0.0.9 via FastEthernet0/0 (192.168.1.2)
01:30:43: RIP: Update contains 1 routes
01:30:43: RIP: Update queued
01:30:43: RIP: Update sent via FastEthernet0/0

The command above will turn on debugging for RIP updates.
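The "all or nothing" behaviour noted in the authentication section, and the v2 updates the debug output shows going to 224.0.0.9, both come down to the RIPv2 packet format: an authenticated update carries an extra entry with AFI 0xFFFF in front of the routes and an MD5 trailer at the end, and a receiver whose key configuration does not match discards the whole update. The following receiver-side parser is an added example, not code from the original post; its packets are constructed here, and the digest follows the RFC 2082 keyed-MD5 construction rather than claiming to byte-match a Cisco capture.

```python
"""RIPv2 response parsing with the keyed-MD5 check of RFC 2082 (format per RFC 2453).

Sample packets are constructed here, not captured from the post's lab. The digest
follows RFC 2082: MD5 over the packet up to and including the trailer header, with
the key zero-padded to 16 bytes appended.
"""
import hashlib
import hmac
import ipaddress
import struct

RIP_RESPONSE, RIP_VERSION = 2, 2
AFI_IP, AFI_AUTH = 2, 0xFFFF
AUTH_MD5, AUTH_TRAILER = 3, 1
ENTRY = struct.Struct("!HH4s4s4sI")       # afi, tag, prefix, mask, next hop, metric
MD5_HEADER = struct.Struct("!HHHBBI8x")   # afi, type, trailer offset, key id, auth len, seq


def _key16(key):
    return key.ljust(16, b"\x00")[:16]


def build_response(routes, key=None, key_id=1, seq=0):
    """routes: iterable of (cidr, metric). key=None builds an unauthenticated update."""
    header = struct.pack("!BBxx", RIP_RESPONSE, RIP_VERSION)
    body = b""
    for cidr, metric in routes:
        net = ipaddress.ip_network(cidr)
        body += ENTRY.pack(AFI_IP, 0, net.network_address.packed,
                           net.netmask.packed, b"\x00" * 4, metric)
    if key is None:
        return header + body
    trailer_offset = len(header) + MD5_HEADER.size + len(body)
    auth = MD5_HEADER.pack(AFI_AUTH, AUTH_MD5, trailer_offset, key_id, 16, seq)
    signed = header + auth + body + struct.pack("!HH", AFI_AUTH, AUTH_TRAILER)
    return signed + hashlib.md5(signed + _key16(key)).digest()


def parse_response(packet, key=None):
    """Return (routes, status); status is 'unauthenticated', 'ok' or 'rejected'.

    Mirrors the all-or-nothing behaviour seen in the lab: a receiver configured
    with a key drops unauthenticated or badly signed updates, and a receiver
    without a key drops signed ones, so no routes are learned in either case.
    """
    command, version = struct.unpack("!BBxx", packet[:4])
    if command != RIP_RESPONSE or version != RIP_VERSION:
        raise ValueError("not a RIPv2 response")
    start, end, status = 4, len(packet), "unauthenticated"
    afi, auth_type = struct.unpack("!HH", packet[4:8])
    if afi == AFI_AUTH:
        if auth_type != AUTH_MD5:
            raise ValueError(f"unsupported authentication type {auth_type}")
        _, _, trailer_offset, _key_id, auth_len, _seq = MD5_HEADER.unpack(packet[4:24])
        t_afi, t_type = struct.unpack("!HH", packet[trailer_offset:trailer_offset + 4])
        if (t_afi, t_type) != (AFI_AUTH, AUTH_TRAILER):
            raise ValueError("missing authentication trailer")
        digest = packet[trailer_offset + 4:trailer_offset + 4 + auth_len]
        expected = hashlib.md5(packet[:trailer_offset + 4] + _key16(key or b"")).digest()
        good = key is not None and hmac.compare_digest(digest, expected)
        status = "ok" if good else "rejected"
        start, end = 24, trailer_offset
    elif key is not None:
        status = "rejected"   # we expect authentication and the update has none
    if status == "rejected":
        return [], status
    if (end - start) % ENTRY.size:
        raise ValueError("truncated route entry")
    routes = []
    for pos in range(start, end, ENTRY.size):
        afi, _tag, prefix, mask, _next_hop, metric = ENTRY.unpack(packet[pos:pos + ENTRY.size])
        if afi != AFI_IP:
            continue
        prefix_len = bin(int.from_bytes(mask, "big")).count("1")
        routes.append((f"{ipaddress.IPv4Address(prefix)}/{prefix_len}", metric))
    return routes, status
```

The plain-password authentication type (2) sends the key in clear text, which is why the post's choice of `ip rip authentication mode md5` matters.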


Okay. That's about all I have on RIP.

Friday, September 18, 2009

IP Routing - Static Routes

In this post I'm going to detail what static routes are and how to set them up.

A packet needs a way to get from one network to another. To achieve this you can use either static or dynamic routes.

One of the benefits of using static routes is that they give you complete control over where the packets go, which is great from a security point of view. The downside is that as your network grows, so does the administrative overhead.

Below I'm just going to detail how to set up routing between 2 networks.


Router 1 (R1)
FastEthernet 0/0 - 192.168.1.1/24

Router 2 (R2)
FastEthernet 0/0 - 192.168.1.2/24
FastEthernet 0/1 - 192.168.2.1/24

Router 3 (R3)
FastEthernet 0/0 - 192.168.2.2/24

Looking at my routing table on R3 I can see that I just have the connected network of 192.168.2.0

Router3#show ip route

Gateway of last resort is not set
C 192.168.2.0/24 is directly connected, FastEthernet0/0


I'll set up a new static route to the network 192.168.1.0. I use the IP ROUTE command, list the network I want to get to, and give either the interface I'll be going out of or the next hop address.

Router3#configure terminal
Router3(config)#ip route 192.168.1.0 255.255.255.0 192.168.2.1
Router3(config)#end

Router3#show ip route

Gateway of last resort is not set
S 192.168.1.0/24 [1/0] via 192.168.2.1
C 192.168.2.0/24 is directly connected, FastEthernet0/0


I'll talk here a bit about administrative distances. Administrative distances are important in routing: each route has one, and the route with the lowest administrative distance is the one the router places in the routing table.

As shown above we have 2 routes: one static (preceded by an S) and the other a directly connected route (preceded by a C).

By default, connected routes have an administrative distance of 0 and static routes have 1.
I could override the defaults by adding an administrative distance at the end of the command. This is useful for creating static routes with values higher than those used by dynamic routing protocols. Then, if a dynamic routing protocol is implemented, its route is entered into the routing table and used instead of the static route.
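The selection rule just described (lowest administrative distance per prefix, then metric, then longest prefix match when forwarding) is small enough to model directly. The following is an added example, not code from the original post; the default distances are the ones quoted in these posts, and the candidate routes are constructed for R3 in the lab rather than copied from any router output.

```python
"""Route selection the way the routing table does it: lowest administrative
distance wins per prefix, metric breaks ties, and forwarding uses the longest
matching prefix. Default distances are those quoted in the posts; the candidate
routes are constructed for R3 in the lab.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

DEFAULT_AD = {"connected": 0, "static": 1, "eigrp": 90, "ospf": 110, "rip": 120}


@dataclass(frozen=True)
class Route:
    prefix: str
    source: str                     # a key of DEFAULT_AD
    next_hop: Optional[str] = None  # None for a directly connected network
    metric: int = 0
    ad: Optional[int] = None        # explicit distance, e.g. 'ip route ... 130'

    def distance(self):
        return DEFAULT_AD[self.source] if self.ad is None else self.ad


def build_table(candidates):
    """Keep one route per prefix: the lowest (distance, metric) pair."""
    table = {}
    for route in candidates:
        current = table.get(route.prefix)
        if current is None or (route.distance(), route.metric) < (current.distance(), current.metric):
            table[route.prefix] = route
    return table


def lookup(table, destination):
    """Longest-prefix match; None means no route and no gateway of last resort."""
    addr = ipaddress.ip_address(destination)
    matches = [r for r in table.values() if addr in ipaddress.ip_network(r.prefix)]
    if not matches:
        return None
    return max(matches, key=lambda r: ipaddress.ip_network(r.prefix).prefixlen)


# Constructed candidates for R3 (assumptions, not router output).
CONNECTED = Route("192.168.2.0/24", "connected")
STATIC = Route("192.168.1.0/24", "static", "192.168.2.1")
FLOATING = Route("192.168.1.0/24", "static", "192.168.2.1", ad=130)  # higher than RIP's 120
RIP_ROUTE = Route("192.168.1.0/24", "rip", "192.168.2.1", metric=1)


def chosen_source(*candidates):
    """Which source ends up in the table for 192.168.1.0/24 given these candidates."""
    return build_table([CONNECTED, *candidates])["192.168.1.0/24"].source


if __name__ == "__main__":
    print("static vs RIP:", chosen_source(STATIC, RIP_ROUTE))
    print("floating static vs RIP:", chosen_source(FLOATING, RIP_ROUTE))
    print("floating static alone:", chosen_source(FLOATING))
```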

Now I try to ping the remote network and as long as that network knows how to get back to me my ping succeeds.

Router3#ping 192.168.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/77/140 ms


Another option that can be appended to the end of the static route is PERMANENT. If this is used, the route will stay in the routing table no matter what. Below is an example:

Router3#configure terminal
Router3(config)#ip route 192.168.1.0 255.255.255.0 fastethernet 0/0 permanent
Router3(config)#end

Here endeth my static routing post!

Thursday, September 17, 2009

Switch Port Security

I've been having loads of fun playing with port security today and in this post I'll share that fun with you.


Port Security is a feature that's on all Cisco switches, and it allows you to control which devices can access which ports on a switch. The way Port Security works is that it ties MAC addresses (this is layer 2, remember) to switch ports. These MAC addresses can either be assigned statically or learned dynamically by the switch taking the first device connected and remembering its address (this is called making the port sticky). The port can also be configured to remember more than one address.

Depending on your appetite for security you can set ports to either do nothing, log an event or shut down when an unauthorised device is connected. As I'll describe below, using the "Protect" feature you can also restrict which ports can talk to each other. This feature could be useful in malware containment.

I'll be selecting a range of ports on my switch (9 - 16) and setting them up as access ports and as protected, which means they will not be able to talk to each other. Protected ports can only talk to unprotected ports (which would be my server and router). I'll also configure the ports to shut down if they are accessed by any device other than the first device connected to them.

S1(config)#interface range fastEthernet 0/9 - 16
S1(config-if-range)#switchport mode access
S1(config-if-range)#switchport protected
S1(config-if-range)#switchport port-security violation shutdown
S1(config-if-range)#switchport port-security mac-address sticky
S1(config-if-range)#switchport port-security

Note, although setting ports as protected can be useful in helping stop the spread of malware, it can also be a pain in the arse for remote administration if not planned properly. Another thing that is a pain in the arse is waiting for interfaces to come back up after plugging devices in and out, which is due to spanning tree protocol. To save myself about 50 seconds of waiting around I'll enable portfast so the interfaces come up straight away.

S1(config-if-range)#spanning-tree portfast
S1(config-if-range)#exit

As I've set up port security to shut down ports if unauthorised access occurs, I'll configure the switch to automatically re-enable the ports after 10 minutes. This will save me having to manually issue the no shutdown command on the ports.

S1(config)#errdisable recovery cause psecure-violation
S1(config)#errdisable recovery interval 600

After configuring the switch I look at the running-config and I see the MAC address of the host connected to port 9 is shown.

!
interface FastEthernet0/9
switchport mode access
switchport protected
switchport port-security
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0018.8bce.5855
no ip address
spanning-tree portfast
!



Okay, let's put it into practice. I check that I can't communicate between hosts that have protected ports. My pings between the hosts on protected ports fail, and my pings to my router are fine. So far so good!

Now I swap over network cables of 2 hosts to make sure that the ports go into shutdown.

S1#show port-security interface fastethernet 0/9
Port Security : Enabled
Port status : Err-Disabled
Violation mode : Shutdown
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 1
Aging time : 0 mins
Aging type : Absolute
SecureStatic address aging : Disabled
Security Violation count : 1


After 10 mins the port gets re-enabled. However, unless the device that was originally connected and has its MAC address associated with the port is re-connected, the port goes straight back into shutdown and clocks up another violation. What's more, that device cannot be used on any other switch port because its address is tied to the port it became sticky with.

Once the device is connected to its original port and the errdisable recovery interval has expired (or we issue a shut - no shut on the port) we're happily pinging the router again, and I can see the violation is logged.

S1#show port-security int fa 0/9
Port Security : Enabled
Port status : SecureUp
Violation mode : Shutdown
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 1
Aging time : 0 mins
Aging type : Absolute
SecureStatic address aging : Disabled
Security Violation count : 1

Or to see all interfaces that have had exceptions I could use:

S1#show port-security


Suppose I want to connect another device to a port that I have configured for port security, or change the port of a device that has become sticky with a port. I would issue the following:

S1#clear port-security sticky interface fastEthernet 0/9

And then I could use that device on another port or use port 9 for a different device.

To see a list of ports that have devices tied to them, either by static assignment or by making the port sticky, you can issue:

S1#show port-security address


Or simply:

S1#show running-config


And that brings me to the end of another successful cisco adventure!

Tuesday, September 15, 2009

Initial Switch Configuration

In this post I'm just going to detail how to get a 2950 switch up with a very basic configuration. I'll build upon this config in later posts.



I start off by giving my switch a name (S1) and enabling a secret password (okay, I know it's crap but this is a lab). I'll turn off domain lookups, as they are very annoying every time I mistype something, and give it a default gateway.

Switch>enable
Switch#configure terminal
Switch(config)#hostname S1
S1(config)#enable secret cisco
S1(config)#no ip domain-lookup
S1(config)#ip default-gateway 10.0.1.1


Now I'll set up the console port with a 30 minute time-out and a password of cisco.

S1(config)#line console 0
S1(config-line)#logging synchronous
S1(config-line)#exec-timeout 30 0
S1(config-line)#password cisco
S1(config-line)#login


I do the same for the VTY ports.

S1(config-line)#line vty 0 4
S1(config-line)#logging synchronous
S1(config-line)#exec-timeout 30 0
S1(config-line)#password cisco
S1(config-line)#login
S1(config-line)#exit


There's no aux port on the switch, so we can move on to VLAN 1. VLAN 1 is the default VLAN; in a later post I'll move everything out of this VLAN and just use it for administration, but for now I'll set it up with an IP address so it's accessible by telnet. I also turn on password encryption and show the running-config so the password encryption service can work its magic.

S1(config)#interface vlan 1
S1(config-if)#ip address 10.0.1.210 255.255.255.0
S1(config-if)#no shutdown
S1(config-if)#exit
S1(config)#service password-encryption
S1(config)#do show running-config



Building configuration...
Current configuration : 1658 bytes
!
version 12.1
no service single-slot-reload-enable
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname S1
!
enable secret 5 $1$AqOD$ifdJ30Bwn.bJuBXRFov4O/
!
ip subnet-zero
no ip domain-lookup
!
spanning-tree extend system-id
!
!
interface FastEthernet0/1
no ip address
!
<-------------Cut------------------>
!
interface FastEthernet0/24
no ip address
!
interface Vlan1
ip address 10.0.1.210 255.255.255.0
no ip route-cache
!
ip default-gateway 10.0.1.1
ip http server
!
!
line con 0
exec-timeout 30 0
password 7 0822455D0A16
logging synchronous
login
line vty 0 4
exec-timeout 30 0
password 7 0822455D0A16
logging synchronous
login
line vty 5 15
login
!
end


Finally I set up a host entry for my router (R1), turn off the web server that I saw was on in the running-config, save the config to startup-config and reload.

S1(config)#ip host R1 10.0.1.220
S1(config)#no ip http server
S1(config)#exit
S1#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]
S1#reload


That's it, the boring stuff is all over!



Monday, September 14, 2009

Password Recovery on a Cisco Router

In this post I'll demonstrate how to perform password recovery on a Cisco router, and I'll also show you how to prevent password recovery.

Password recovery might be necessary for legitimate needs, or it could be used by an attacker for nefarious purposes such as gaining access to router or switch configurations. Physical access is required for password recovery, so if your routers (or switches) are in an accessible area and cannot be physically secured you may want to use the command listed below for preventing password recovery (if your router supports it, that is).



Password Recovery

The process is quite simple.

  • Enter ROMMON mode and change the configuration register to bypass the startup-configuration (0x2142) & restart the router.
  • Log into the router which now has no configuration and copy the startup-config to running-config.
  • Change the enable password, any user passwords or anything else that needs changing.
  • Set the configuration register to boot back from the startup-config (0x2102).
  • Save the running-config back to startup-config and reload.
  • Access the router with your updated credentials.

So here's roughly how this looks on the router. I've cut some of the router output to save on text, but it's pretty easy to follow.

To start with I connect up to the console port and reboot the router. During the very first part of boot up I press Ctrl+Break. This brings me to ROM monitor mode.


System Bootstrap, Version 12.2(8r)YN, RELEASE SOFTWARE (fc1)
TAC Support: http://www.cisco.com/tac
Copyright (c) 2002 by cisco Systems, Inc.
C800/SOHO series (Board ID: 29-129) platform with 49152 Kbytes of main memory

rommon 1 > confreg 0x2142
You must reset or power cycle for new config to take effect
rommon 2 > reset

Cisco C831 (MPC857DSL) processor (revision 0x300) with 44237K/4915K bytes of memory.
Processor board ID AMB07430HLJ (3718955443), with hardware revision 0000
Chassis serial number AMB07430HLJ
CPU rev number 7
3 Ethernet interfaces
4 FastEthernet interfaces
128K bytes of NVRAM.
16384K bytes of processor board System flash (Read/Write)
2048K bytes of processor board Web flash (Read/Write)

--- System Configuration Dialog ---

Would you like to enter the initial configuration dialog? [yes/no]: no

Press RETURN to get started!

Router>enable
Router#copy startup-config running-config
Destination filename [running-config]?

1477 bytes copied in 2.252 secs (656 bytes/sec)

R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#username syn password letmein
R1(config)#enable secret letmein
R1(config)#config-register 0x2102
R1(config)#exit
R1#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]
R1#reload
Proceed with reload? [confirm]

User Access Verification
Username: syn
Password:
R1>enable
Password:
R1#


So we can see that I was able to log in and access privileged mode with my new credentials.


Password Recovery Prevention

Okay, so how do we prevent this password recovery business? Before using this method you should be warned (and IOS will warn you!) that if you forget the password you cannot recover it in any way and you will have to go to Cisco with your tail between your legs! So only use this if absolutely necessary and use it with caution.

R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#no service password-recovery
R1(config)#exit


What IOS is basically doing after setting this option is enabling ROMMON security, which prevents you going into ROMMON mode and telling the router to bypass the startup-config.

ROMMON security can be turned off from within IOS by issuing the following:

R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#service password-recovery
R1(config)#exit



Useful Links
Cisco Password Recovery
Cisco ROMMON Security

Sunday, September 13, 2009

Password Auditing with Fgdump, John the Ripper & PowerShell

As a break from my Cisco studying I thought I'd post how I perform a password audit in a Windows 2003 environment using freely available tools and a PowerShell script.


fgdump

I dump the password hashes from AD using fgdump and the command below. Password history is also dumped out. Checking users' password history can be very useful for predicting future password choice as it will reveal patterns in password selection.

fgdump.exe -h Server01 -u home\administrator -p MySuperPassword -T 5

In the command above -h is the host I'm grabbing the passwords from, -u and -p are a valid username and password, and -T 5 runs 5 threads to speed things up a bit.

The passwords are dumped out to Server01.pwdump in the same directory as where fgdump is located. From there I open the PWDump file with notepad and remove all the computer accounts from the bottom of the file so I am just left with usernames and password hashes.



John The Ripper

Now I use JTR to crack the LAN Manager hashes. I could use brute-force or dictionary attacks against the hashes but in the command below I'm just going to use brute-force. All LM hashes cracked will display in uppercase, but the actual passwords will likely be of mixed case depending on the security policy. Passwords over 14 characters long will display as "No Password" as these are stored as NTLM hashes.

john --incremental=lanman --session=September Server01.pwdump

Pressing the spacebar whilst JTR is cracking will give you an update on the progress. If I need to abort the session (Ctrl-C) I can restore it later using:

john --restore=September

I can view the cracked passwords and output them to a file using:

john --show Server01.pwdump >Server01-Sept-Cracked.txt

The above command will output a list of all the accounts including those not cracked (the password will show as ???????). If I just want the cracked passwords I pipe John's output straight into the find command instead of redirecting it to a file first:

john --show Server01.pwdump | find /i /v "?????" >Server01-Sept-CrackedOnly.txt



PowerShell

Ok. So I have my cracked password file and I'm good to go. I've created a script that I run which prompts me for my cracked password file and gives me the following options:

  • Find a users password
  • Find a users password with history
  • View top 20 popular passwords
  • Search for occurrences of a particular password
  • Password count (not including history)


Password-Audit.ps1

#This Section Imports Passwords from JTR file
Cls
"`n"
$result = New-Object System.Collections.ArrayList
# Each line of "john --show" output is user:password:id:lmhash:nthash:::
# so split on ':' only; splitting on other characters would break passwords containing them
Get-Content (Read-Host "Enter path to JTR export file. Large files may take a few minutes to import") |
ForEach-Object {
    $arr = $_.Split(':')
    # Skip blank lines and the "N password hashes cracked" summary line JTR appends
    if ($arr.Count -ge 2) {
        $temp = ('' | Select-Object Name,Password)
        $temp.Name = $arr[0]
        $temp.Password = $arr[1]
        $result.Add($temp) | Out-Null
    }
}

#This is the Menu Section

Function Menu {
    "`n"
    Write-Host "Press 1 to find a users password" -ForegroundColor Yellow
    Write-Host "Press 2 to see a users password with history" -ForegroundColor Yellow
    Write-Host "Press 3 to see top 20 popular passwords. This may take a few minutes" -ForegroundColor Yellow
    Write-Host "Press 4 to search for occurrences of a particular password" -ForegroundColor Yellow
    Write-Host "Press 5 for Password count (not including history)" -ForegroundColor Yellow
    Write-Host "Press any other key to quit" -ForegroundColor Yellow
    "`n"

    $Number = Read-Host "Select an Option"

    switch ($Number) {
        1 {
            Write-Host "Users Password" -ForegroundColor Red
            $Name = Read-Host "UserName?"
            # History entries are named <user>_history_<n>, so drop them here
            $result | Where-Object { $_.Name -match [regex]::Escape($Name) -and $_.Name -notmatch "_history_" }
            Menu
        }

        2 {
            Write-Host "Users Password with history" -ForegroundColor Red
            $HistoryName = Read-Host "UserName?"
            $result | Where-Object { $_.Name -match [regex]::Escape($HistoryName) }
            Menu
        }

        3 {
            Write-Host "Top 20 Passwords" -ForegroundColor Red
            $result | Group-Object Password | Sort-Object Count -Descending | Select-Object Count,Name -First 20
            Menu
        }

        4 {
            Write-Host "Weak Passwords" -ForegroundColor Red
            $Password = Read-Host "Password?"
            # Escape the input so characters like '$' or '.' in a password are matched literally
            $result | Where-Object { $_.Password -match [regex]::Escape($Password) }
            Menu
        }

        5 {
            Write-Host "Total Passwords (Not including History)" -ForegroundColor Red
            ($result | Where-Object { $_.Name -notmatch "_history_" }).Count
            Menu
        }

        default {
            "You pressed something else. Goodbye"
        }
    }
}
#Runs the menu
Menu


From here I can educate particular users regarding password choice or tailor user education to focus on problem areas.


I may well extend the script to look for other useful information when I have more time. The only thing I don't like is the output format if I choose option 3 (top 20 passwords) first.
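One extension in that direction, as an added example written for this page rather than the post's script: it parses the same john --show output, builds the top-N list, and flags users whose current password is an earlier one with only the trailing digits changed, which is the history pattern mentioned above and the kind of thing to feed into user education. The sample lines are constructed (no real users or hashes) and the _history_ naming follows the script above.

```python
import re
from collections import Counter
# Added example, not the post's script. The "john --show" lines below are constructed;
# LMHASH/NTHASH stand in for hash fields and the users are made up.
SAMPLE = """\
alice:SUMMER09:1001:LMHASH:NTHASH:::
alice_history_0:SUMMER08:1001:LMHASH:NTHASH:::
alice_history_1:SUMMER07:1001:LMHASH:NTHASH:::
bob:PASSWORD1:1002:LMHASH:NTHASH:::
bob_history_0:PASSWORD1:1002:LMHASH:NTHASH:::
carol:X7F???????:1003:LMHASH:NTHASH:::
dave:PASSWORD1:1004:LMHASH:NTHASH:::
7 password hashes cracked, 1 left
"""
HISTORY = re.compile(r"^(?P<user>.+?)_history_\d+$")  # fgdump's naming of history entries

def parse_show(text):
    """Return {user: {"current": password or None, "history": [older passwords]}}."""
    users = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) < 3:  # JTR's trailing "N password hashes cracked" summary line
            continue
        name, pw = parts[0], parts[1]
        m = HISTORY.match(name)
        entry = users.setdefault(m.group("user") if m else name, {"current": None, "history": []})
        if "?" in pw:  # one LM half still uncracked: not a usable full password
            continue
        if m:
            entry["history"].append(pw)
        else:
            entry["current"] = pw
    return users

def top_passwords(users, n=20):
    return Counter(u["current"] for u in users.values() if u["current"]).most_common(n)

def stem(pw):
    """Password with any trailing digits removed, lower-cased (LM output is uppercase)."""
    return re.sub(r"\d+$", "", pw).lower()

def reused_stems(users, min_len=4):
    """Users whose current password differs from an earlier one only by its trailing digits."""
    flagged = {}
    for name, u in users.items():
        s = stem(u["current"]) if u["current"] else ""
        if len(s) >= min_len and any(stem(h) == s for h in u["history"]):
            flagged[name] = s
    return flagged
```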

Thanks to EBGreen in the Powershell Community forums for his help with some of the script.

Wednesday, September 9, 2009

Using RADIUS to Authenticate Logins

In this post I'll detail how to set up a Windows IAS RADIUS server to authenticate user logins on a router.


Windows IAS Server Setup
  1. Create a Windows security group with the users you want to allow access to the routers.
  2. Enable the user accounts to have Dial-in Access.
  3. Install IAS on the server (from Add/Remove Programs).
  4. Create a new Cisco RADIUS client, point it to the router and supply a shared key. Set Grant Remote Access.
  5. Create a new Remote Access Policy with the following settings:
    • Windows Group (point this to the group you created)
    • Edit the profile and set the authentication to PAP
    • Under the Advanced tab set the Service-Type value to Login and remove Framed-Protocol.


That's really it. A detailed tutorial on setting up your IAS server can be found here.


Router Setup

Here I am going to configure my router to use AAA authentication to check login credentials against Active Directory (AD) via the RADIUS server. Remember, only AD users in the group I created above will be able to log in with their Windows credentials.

First I'll talk you through what I'm doing in the following commands.

I'm creating a local user on the router called syn. This is so I can still get into the router if my RADIUS server fails.
I enable AAA and create a new entry pointing to my RADIUS server (using the default ports) with the key "cisco" to match what we set up on the RADIUS server.
I then set my Ethernet interface on the same LAN as the RADIUS server as the RADIUS source interface and create an AAA authentication login method list called AuthList. This list will first try to authenticate via RADIUS and then locally if the RADIUS server fails. I then apply the method list to my VTY (Telnet/SSH) lines.

R1>en
Password:
R1#
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#user syn password cisco
R1(config)#aaa new-model
R1(config)#radius-server host 10.0.1.230 auth-port 1645 acct-port 1646 key cisco
R1(config)#ip radius source-interface ethernet 1
R1(config)#aaa authentication login AuthList group radius local
R1(config)#line vty 0 4
R1(config-line)#login authentication AuthList
R1(config-line)#exit
R1(config)#exit
R1#

A detailed tutorial can be found here. Just remember to enable the user account for Dial-in access in the AD account properties.


After setting this up I also needed to configure RADIUS authentication on my Console port and Aux port using the following for each port:

R1(config)#line console 0
R1(config-line)#login authentication AuthList
R1(config-line)#exit
R1(config)#line aux 0
R1(config-line)#login authentication AuthList
R1(config-line)#exit
R1(config)#exit
R1#
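The PAP exchange that the method list above triggers between the router and the IAS server, as an added example (not code from the post, IOS or IAS): the router builds an Access-Request whose User-Password attribute is hidden with the shared key, the server reveals and checks it and signs its reply with the Response Authenticator, and the router verifies that signature before trusting the answer. The shared secret and user store used with it are assumed; the packet format follows RFC 2865.

```python
import hashlib
import struct
# Added example of the RADIUS PAP exchange the post configures (RFC 2865); not code from
# the post, IOS or IAS. The secret and user store it is exercised with are assumed values.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, SERVICE_TYPE = 1, 2, 6  # RADIUS attribute types
SERVICE_LOGIN = struct.pack("!I", 1)  # the "service type = login" value set in the IAS policy
def _attr(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value
def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(secret, authenticator, password):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out
def reveal_password(secret, authenticator, hidden):
    """Server side of the same scheme: only the shared secret protects the PAP password."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def access_request(secret, username, password, ident, authenticator):
    """What the router (NAS) sends for the PAP login; authenticator is 16 fresh random bytes."""
    body = b"".join([_attr(USER_NAME, username), _attr(SERVICE_TYPE, SERVICE_LOGIN),
                     _attr(USER_PASSWORD, hide_password(secret, authenticator, password))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body
def parse_attrs(pkt):
    attrs, i = {}, 20
    while i + 2 <= len(pkt) and pkt[i + 1] >= 2:
        attrs[pkt[i]] = pkt[i + 2:i + pkt[i + 1]]
        i += pkt[i + 1]
    return attrs

def server_respond(secret, users, request):
    """IAS side: reveal and check the password, then sign the reply (Response Authenticator)."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    attrs = parse_attrs(request[:length])
    ok = users.get(attrs[USER_NAME]) == reveal_password(secret, request[4:20], attrs[USER_PASSWORD])
    resp = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20) + request[4:20]
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return resp[:4] + hashlib.md5(resp + secret).digest()
def client_verify(secret, request, response):
    """NAS side: drop replies whose authenticator was not computed with the shared secret."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return response[4:20] == expected
```

Because the password hiding is MD5 keyed only by the shared secret, a short key such as "cisco" is the weak point of this exchange on the wire; the Response Authenticator check is what stops a forged Access-Accept from being trusted.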


Troubleshooting

Debugging on the router can be achieved with the following commands:

R1# terminal monitor

R1# debug aaa authentication

The command below will test a login from the router. You should be able to check your event logs and IAS logs on the RADIUS server to see this account authenticate.

R1# test aaa group radius syn SuperStrongPassword port 1645 new-code

And of course on the RADIUS server check the IAS logs (C:\windows\System32\Logfiles) and also the event logs when troubleshooting. I hit a real issue after setting this up which a good Google session did nothing to solve, but the event log told me the answer straight off (allow Dial-Up on the user account, BTW).




Tuesday, September 8, 2009

Setting Up SSH on a Cisco Router

In this post I'll demonstrate how to configure SSH on a cisco router.


Below are the commands I used to name the router and provide a domain name. These details are required prior to generating the key. I then generate a 2048 bit RSA key (this took about 10 minutes, I should have done 1024). Following the key creation I configure SSH to have a 60 minute timeout, to use SSH version 2 and to exit after 3 failed login attempts. Finally I assign SSH and Telnet (for backup) to my VTY ports and create a user called Bob.


Router>enable
Password:
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R1
R1(config)#ip domain-name home.local
R1(config)#crypto key generate rsa general-keys modulus 2048
The name for the keys will be: R1.home.local
% The key modulus size is 2048 bits
% Generating 2048 bit RSA keys, keys will be non-exportable...[OK]
R1(config)#ip ssh time-out 60
R1(config)#ip ssh authentication-retries 3
R1(config)#ip ssh version 2
R1(config)#line vty 0 4
R1(config-line)#transport input ssh telnet
R1(config-line)#exit
R1(config)#aaa new-model
R1(config)#username bob password 0 cisco
R1(config)#exit
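As an added example (not code from any of these posts), here is a small audit over a saved running-config that checks the settings the password recovery, SSH and RADIUS posts touch: a missing no service password-recovery, an enabled HTTP server, username ... password lines (secret stores a hash instead), telnet accepted on a line, a line without a login authentication method list, and a configuration register with the startup-config bypass bit set. The config excerpt and show version line are constructed to look like the lab router, and the check is a text match on saved output, not a live query.

```python
import re
# Added example, not code from the posts: an audit of the settings the password recovery, SSH
# and RADIUS posts change. The config and 'show version' line are constructed, not real output.
SAMPLE_CONFIG = """\
username bob password 0 cisco
ip http server
line con 0
 login authentication AuthList
line vty 0 4
 transport input ssh telnet
 login authentication AuthList
end
"""
SAMPLE_VERSION = "Configuration register is 0x2142"
def parse_config(config):
    """Split an IOS config into global commands and per-'line' sections (indented children)."""
    glob, sections, current = [], {}, None
    for raw in config.splitlines():
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        elif raw.startswith("line "):
            current = raw.strip()
            sections[current] = []
        else:
            current = None
            glob.append(raw.strip())
    return glob, sections

def audit(config, show_version=""):
    """Return a list of findings; an empty list means every check passed."""
    glob, sections = parse_config(config)
    findings = []
    if "no service password-recovery" not in glob:
        findings.append("ROMMON password recovery still possible (no service password-recovery missing)")
    if "ip http server" in glob:
        findings.append("HTTP server enabled (ip http server)")
    for cmd in glob:
        if re.match(r"username \S+ password ", cmd):  # 'username ... secret' stores a hash instead
            findings.append(f"reversible user password: {cmd}")
    for name, cmds in sections.items():
        if any(c.startswith("transport input") and "telnet" in c for c in cmds):
            findings.append(f"{name}: telnet accepted (transport input)")
        if not any(c.startswith("login authentication") for c in cmds):
            findings.append(f"{name}: no AAA login method list applied")
    # Bit 6 (0x40) of the configuration register makes the router ignore startup-config.
    m = re.search(r"Configuration register is (0x[0-9a-fA-F]+)", show_version)
    if m and int(m.group(1), 16) & 0x40:
        findings.append(f"configuration register {m.group(1)} bypasses startup-config")
    return findings
```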



I use Putty to connect with SSH and I'm presented with a dialogue to accept the certificate as shown below.



I then log in with my bob credentials.



And a quick packet capture shows me that I am encrypting my traffic with SSH.


Friday, September 4, 2009

Backup & Restore IOS and Configs

As with any aspect of computer data, the IOS and the router configs need backing up. This is pretty simple and in this post I'll show a few different ways of doing this.



Backing Up

First the easy way. Copy and Paste.

Using the show commands you can output the running-config or the startup-config to screen. This config can be copied and pasted directly into a text file. In Windows use Wordpad as it keeps the formatting better.

Router#show running-config


You need to copy everything from (and including) the exclamation mark under the line "Current configuration" to (and including) the last line, which starts with "end".

And when you are restoring it just get yourself into configure mode (Configure Terminal) and paste it back in. Simple!


Now using TFTP.

Get yourself something running a TFTP Server. A nice free one is TFTPd32.
From your router make sure you have connectivity to your TFTP Server by pinging it. Then we use the Dir command to check the IOS name and the copy command to copy the IOS and the config to our TFTP Server.

Router#dir flash:
Router#copy flash:c831-k9o3y6-mz.124-4.T1.bin tftp
Address or name of remote host []? 10.0.1.11
Destination filename [c831-k9o3y6-mz.124-4.T1.bin]?
Router#copy startup-config tftp://10.0.1.11/startup-config
Address or name of remote host [10.0.1.11]?
Destination filename [startup-config]?


So in the example above, for the IOS I just specify that I want to copy the file to TFTP. I then get prompted for an IP address and asked to confirm the filename by pressing Enter.

For the Startup-Config I specify the TFTP server and filename after the copy command. This way I only get asked to press enter to confirm both the IP and the filename.

And below I can see the progress of my copy to the TFTP Server.




One final note on backing up. Recently I was having an issue with the NVRAM holding my startup-config and I got tired of hooking up my TFTP Server. So I copied it to flash and simply restored it to running-config from there using the following command:

Router#copy flash:startup-confg running-config


Restoring

Restoring is really just the opposite. To grab the config from a TFTP server I would use:

copy tftp://10.0.1.3/startup-config running-config

or for the IOS:

copy tftp://10.0.1.3/ios-file-name.bin flash:ios-file-name.bin

The only points here are:
  • If your IOS is larger than the free space in flash it will overwrite the existing IOS in flash. But be sure not to reboot a router between deleting an IOS file from flash and restoring the new one.
  • After restoring a config all interfaces are placed in a shutdown state.
  • Restored configs merge into existing configs so if this isn't what you want use the erase command before restoring.