All,
During a recent attack & penetration test the following was discovered, thought it might be interesting.
Router : 2621
Software : Version 11.3(2)XA4, RELEASE SOFTWARE (fc1)
The router's AUX line had been configured as follows:
line aux 0
no exec
password 7 **********
login
transport input all
The NMAP scan of that network showed the following:
Port State Service
23/tcp open telnet
2065/tcp open dlsrpn
Doing a who on the router showed the following also (this is while a connection is open on port 2065):
2621router# who
    Line       User       Host(s)              Idle       Location
  65 aux 0                incoming             00:00:32   192.168.0.1
* 66 vty 0                idle                 00:00:00   192.168.11.87
Not exploitable, but just keep it in mind when you see port 2065 listening ;o).
Rgds
On Cisco 2500 I believe aux 0 is TCP port 2001.
It's often 2000+line number or something. It looks like aux 0 is line 65 on your router and 1 on mine.
There are also corresponding ports for other "lines", especially on access servers - these are to allow you to control modems hooked to the router remotely. Not sure if there is a port for the console on various Cisco routers.
I'm not sure if this is the best way to deal with it, but in my Cisco router config I have:
access-list 102 deny ip any any log
line aux 0
access-class 102 in
transport input all
This rejects and logs TCP connection attempts to the aux port of the router.
Btw if you telnet to the finger port (79) some access servers give you a list of the accounts currently dialed into them.
This sometimes helps get info on people who are scanning your networks. Of course most savvy ISPs disable this, but then savvy ISPs don't need help to track down people scanning your stuff ;). Unfortunately not so savvy ISPs don't discipline their customers for bad behaviour.
:(.
Have a nice day,
Link.
Hi,
These ports are used for 'reverse telnet' on Cisco routers.
If you do a 'show line' then take the line # and add 2000 to it you get the port # you can telnet to redirect out that port (aux port, line interface, etc).
The best way to protect against this would be to add ACLs to deny traffic to the router's IP addresses on the port numbers you don't want people accessing.
Then if you want to 'reverse telnet' you would need to telnet to the router directly and telnet from the router, or set up a lock-and-key ACL to open up those port numbers temporarily.
-Erick
Best regards,
Marcelo Aziz Issahak
[EMAIL PROTECTED]
Phone: +55 11 3347 3230 ext. 2241
Fax: +55 11 3347 3233
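The replies above describe the mapping that makes port 2065 interesting: a Cisco reverse-telnet port is 2000 plus the line number from `show line`, and an ACL carrying the `log` keyword records every blocked attempt. The following script is an added example, not code from the thread or from Cisco: it maps open ports from Nmap-style output back to line numbers, picks the same probes out of ACL deny log entries, and drafts the interface ACL the replies recommend. It goes slightly beyond the thread by also covering the 4000 (raw TCP) and 6000 (binary telnet) reverse-telnet bases; those two bases, the `%SEC-6-IPACCESSLOGP` log format, the sample scan and the sample log lines are my assumptions and constructed input, not material from the thread.

```python
"""Correlate Cisco reverse-telnet ports (2000 + line number, as the thread
describes) with router lines, and pick the same probes out of the syslog
entries that an ACL entry with `log` produces.

Added example, not from the original thread; the scan text and log lines
below are constructed, not captured from the thread's router."""
import re

# Port bases for reverse telnet: 2000 + line is the telnet service the thread
# describes. 4000 (raw TCP) and 6000 (binary telnet) are the other commonly
# documented bases; treat them as an assumption, they are not in the thread.
PORT_BASES = {2000: "telnet", 4000: "raw-tcp", 6000: "binary-telnet"}
LINE_SPAN = 1000  # each base covers line numbers 0..999

SCAN_RE = re.compile(r"^(\d+)/tcp\s+open\b", re.M)
# IOS "%SEC-6-IPACCESSLOGP" entry emitted by an ACL entry carrying `log`
# (format assumed from IOS behaviour, not shown in the thread).
ACL_LOG_RE = re.compile(
    r"list (?P<acl>\S+) denied tcp "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\)"
)


def line_for_port(port):
    """Return (line_number, service) if `port` is a reverse-telnet port,
    else None."""
    for base, service in PORT_BASES.items():
        if base <= port < base + LINE_SPAN:
            return port - base, service
    return None


def reverse_telnet_ports(scan_text):
    """Map every open port in Nmap-style 'port/tcp open service' output that
    lies in a reverse-telnet range to its router line number."""
    hits = {}
    for m in SCAN_RE.finditer(scan_text):
        port = int(m.group(1))
        info = line_for_port(port)
        if info:
            hits[port] = info
    return hits


def denied_reverse_telnet(log_lines):
    """From ACL deny log entries, return (src, dst, port, line, service)
    for each blocked attempt that targeted a reverse-telnet port."""
    out = []
    for entry in log_lines:
        m = ACL_LOG_RE.search(entry)
        if not m:
            continue
        dport = int(m["dport"])
        info = line_for_port(dport)
        if info:
            out.append((m["src"], m["dst"], dport, info[0], info[1]))
    return out


def interface_acl(router_ip, acl_number=102):
    """Draft the interface ACL the replies suggest: deny (and log) the
    reverse-telnet port ranges to the router's own address, then permit the
    rest. Attach it with `ip access-group <n> in` on the outside interface."""
    entries = []
    for base in sorted(PORT_BASES):
        entries.append(
            f"access-list {acl_number} deny tcp any host {router_ip} "
            f"range {base} {base + LINE_SPAN - 1} log"
        )
    entries.append(f"access-list {acl_number} permit ip any any")
    return entries


# Constructed sample input in the thread's format.
SAMPLE_SCAN = """Port State Service
23/tcp open telnet
2065/tcp open dlsrpn
4065/tcp open unknown
"""
SAMPLE_LOGS = [
    "%SEC-6-IPACCESSLOGP: list 102 denied tcp 192.168.0.1(4321) -> 192.168.11.1(2065), 1 packet",
    "%SEC-6-IPACCESSLOGP: list 102 denied tcp 192.168.0.1(4322) -> 192.168.11.1(23), 1 packet",
]

if __name__ == "__main__":
    for port, (line, svc) in reverse_telnet_ports(SAMPLE_SCAN).items():
        print(f"port {port}: line {line} ({svc})")
    for src, dst, port, line, svc in denied_reverse_telnet(SAMPLE_LOGS):
        print(f"{src} probed {dst}:{port} = line {line} ({svc}), denied")
    print("\n".join(interface_acl("192.168.11.1")))
```

Run it as-is to see port 2065 resolved to line 65 (the `aux 0` line in the `who` output above) and only the 2065 attempt, not the port 23 one, reported from the log entries. The drafted ACL denies whole reverse-telnet ranges on the router's own address rather than individual ports, so a line that is added later is still covered.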