Cisco TAC always wants to telnet in to troubleshoot when working a ticket.
One alternative is to e-mail your configs to them, at which point maybe they
will get back to you with some resolution in a time frame you can live with.
Fact is that the internet makes things so damn convenient for us. Most of the
time, most people just don't consider the implications.
While it may be true that some places have security policies, reasonable or
otherwise, the fact is that most places don't, most managements don't want
to be bothered, and most users don't want to be inconvenienced.
Chuck
BTW - nice to see you again, Priscilla.
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Priscilla Oppenheimer
Sent: Thursday, January 18, 2001 4:38 PM
To: [EMAIL PROTECTED]
Subject: Re: Remote Telnet access via dial-up
At 11:11 AM 1/19/01, Tony van Ree wrote:
>Hi,
>
>As long as the appropriate security/passwords are set it is probably every
>bit as good as any other form of remote access.
Remember that this wasn't CHAP or even PAP. It was Telnet. The Telnet
password both to reach his PC and to reach the routers is unencrypted. How
was the enable password sent? The characters were typed and sent
unencrypted. Getting a Sniffer to the right place to catch this would be
hard, but not impossible. Hopefully he will change the password used to
reach his PC, but it's not likely he'll change the router VTY and enable
passwords.
So what did the Cisco engineers do when they Telnetted into this back door
to configure the routers? Did they do show run by any chance? Yeah, I just
got the complete configuration of the customer's routers. That is
unencrypted also.
And don't say, well, it's Telnet so it's one character at a time, which would
make understanding it difficult. Responses in Telnet are not one character
at a time. The output of show run would be sent in TCP segments using the
IP MTU. It would be very easy to understand.
I don't think most customers would even let him do what he did. A lot of
customers wouldn't have an analog phone line for him to use to dial up his
ISP. Analog phone-line backdoors are an infamous no-no.
I'd love to hear someone else's opinion too. Isn't anyone else as shocked
as I am?
Priscilla
>On Thursday, January 18, 2001 at 02:30:09 PM, Priscilla Oppenheimer wrote:
>
> > Sounds like a helpful troubleshooting method but what were the security
> > risks? Thoughts, anyone?
> >
> > Priscilla
> >
> > At 10:31 PM 1/17/01, J Roysdon wrote:
> > >Today I was at a site w/o internet access, but I needed to get Cisco into
> > >it to save time relaying commands and information. I had a dial-up
> > >connection out to my ISP, and then thought about the built-in Telnet
> > >server that Windows 2000 Professional has. I made a quick guest account
> > >for Cisco, and told them my dial-up IP, which they could connect to, and
> > >then once telnetted into my workstation, they were able to telnet out my
> > >NIC to the routers they needed to get to. Only catch is that you can
> > >only have one session up through it (enough for us):
> > >
> > >Microsoft (R) Windows (TM) Version 5.00 (Build 2195)
> > >Welcome to Microsoft Telnet Service
> > >Telnet Server Build 5.00.99201.1
> > >login: cisco
> > >password: *****
> > >Microsoft Windows Workstation allows only 1 Telnet Client License
> > >Server has closed connection
> > >
> > >When they were done, I just disabled the Cisco account. Rather handy now
> > >that I have it. I've run into a lot of troubleshooting where it was a
> > >real pain not to have internet access for Cisco to get in (or I didn't
> > >control the customer's firewall, etc.).
> > >
> > >After a successful telnet:
> > >*===============================================================
> > >Welcome to Microsoft Telnet Server.
> > >*===============================================================
> > >C:\>telnet 192.168.45.253
> > >Connecting To 192.168.45.253...
> > >
> > >--
> > >Jason Roysdon, CCNP/CCDP, MCSE, CNA, Network+, A+
> > >List email: [EMAIL PROTECTED]
> > >Homepage: http://jason.artoo.net/
> > >
> > >_________________________________
> > >FAQ, list archives, and subscription info:
> > >http://www.groupstudy.com/list/cisco.html
> > >Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
> >
> > ________________________
> >
> > Priscilla Oppenheimer
> > http://www.priscilla.com
> >
> > _________________________________
> > FAQ, list archives, and subscription info:
> http://www.groupstudy.com/list/cisco.html
> > Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
> >
>
>--
>www.tasmail.com
________________________
Priscilla Oppenheimer
http://www.priscilla.com
_________________________________
FAQ, list archives, and subscription info:
http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
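A defender-side check that follows from Priscilla's point: if a `show run` could have been read off the wire, the items worth auditing in that config are the cleartext credentials and the Telnet-reachable VTY lines. The script below is an added example, not code from this thread or from Cisco; the sample config and the finding names are constructed, and `enable secret`, `service password-encryption` and `transport input ssh` are assumed here as the standard IOS counterparts that the checks look for.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample "show run" excerpt, modelled on the kind of router
# config the thread says crossed the wire in the clear; not a real device.
SAMPLE_CONFIG = """\
hostname edge-rtr
enable password cisco123
line vty 0 4
 password letmein
 login
 transport input telnet
"""

def parse_sections(config: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split IOS-style text into top-level lines and their indented sub-blocks."""
    top, sections, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            top.append(current)
            sections[current] = []
    return top, sections

def audit_config(config: str) -> List[str]:
    """Return finding identifiers for credential and management-channel weaknesses."""
    top, sections = parse_sections(config)
    findings = []
    # 'enable password' is stored reversibly; 'enable secret' stores a hash.
    if any(line.startswith("enable password") for line in top):
        findings.append("enable-password-cleartext")
    # Without this, line passwords sit in the config exactly as typed.
    if "service password-encryption" not in top:
        findings.append("line-passwords-cleartext")
    for name, body in sections.items():
        if not name.startswith("line vty"):
            continue
        transport = [b for b in body if b.startswith("transport input")]
        # Telnet on the VTYs sends the VTY and enable passwords in the clear.
        if not transport or any(re.search(r"\b(telnet|all)\b", t) for t in transport):
            findings.append(f"{name}: telnet-accessible")
    return findings
```

Run it over a saved `show run` to list what an eavesdropper on that Telnet session would have learned and what to rotate or reconfigure first.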