Full Disclosure mailing list archives
RE: Re[2]: cisco acl
From: "Keith Pachulski" <keithp () corp ptd net>
Date: Fri, 5 Dec 2003 11:36:09 -0500
Break System

Attach a console to the router. Power down the router and then power on. Within the first 30 seconds send a "break" to the router (different emulators may have different methods to do this). You should now have either a ">" prompt or a "rommon 1>" prompt.

Confreg 0x2142 then i hit enter

Wait for the router to finish reloading. Do not enter the configuration dialog (i.e. answer no to enter or <ctrl-c>).

Enable
Show config

If enable and vty passwords are not encrypted:

config mem
conf t
config-register 0x2102
<ctrl-z>
reload

When prompted to save the configuration, say no. Press enter to continue reloading.

If enable passwords are encrypted:

config mem
conf t
enable {secret | password} <password>
line vty 0 4
password <password2>
config-register 0x2102
<ctrl-z>
write mem
reload

press enter to continue reloading

-----Original Message-----
From: isa vaul [mailto:nonleft () gmx net]
Sent: Friday, December 05, 2003 10:31 AM
To: petard
Cc: full-disclosure () lists netsys com
Subject: Re[2]: [Full-disclosure] cisco acl

Hello petard,

Friday, December 5, 2003, 3:35:19 PM, you wrote:

p> On Fri, Dec 05, 2003 at 01:45:31PM +0100, isa vaul wrote:
Hello full-disclosure, I've got a little problem with a cisco router. It has obviously been compromised. How do i know, well the password has changed. So I want to retrieve the ACL from the RAM (not NVRAM) to see what else maybe got compromised. Does anyone know how this could be done? thanks for any suggestions in advance...
p> You'll probably get better answers if you:
p> 1. google for "cisco router forensics"
p> 2. ask this question to a cisco list
p> 3. ask this question to cisco tech support. they're quite good.

p> Assuming you've determined the changed password and the enable password, the command:
p> # show running-config
p> will display the current configuration from RAM, including any ACLs
p> IIRC.

p> HTH,
p> petard

p> --
p> If your message really might be confidential, download my PGP key here:
p> http://petard.freeshell.org/petard.asc
p> and encrypt it. Otherwise, save bandwidth and lose the disclaimer.

thanks for all the replies. and i am aware of the 3 given possibilities. but i thought maybe someone on the list has some quick answer as well?!? and as it is a little urgent i just wanted to give it a try!

Unfortunately I do not know the new password! otherwise there wouldn't be a problem at all. and more unfortunately it is not my network and had nothing to do with the setup. or else i would have, as Mort pointed out, a tftp in place.

--
Best regards,
nonleft
mailto:nonleft () gmx net

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
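
Added example, not part of the original thread: the procedure above boots the router with configuration register 0x2142 and must put it back to 0x2102, so this check reads the register line from collected "show version" output and flags a router that is running with, or will next boot with, its startup-config bypassed. The "Configuration register is ..." line format is an assumption about the collected output, and the hostnames and sample lines are constructed.

```python
import re

# Configuration-register bits touched by the 0x2142 / 0x2102 values in the thread.
IGNORE_NVRAM = 0x0040    # bit 6: startup-config in NVRAM is skipped at boot
BREAK_DISABLED = 0x0100  # bit 8: Break is ignored once the router has booted
BOOT_FIELD = 0x000F      # bits 0-3: 0 means stop in the ROM monitor

# Assumed line format from "show version", with the optional pending value.
CONFREG_RE = re.compile(
    r"Configuration register is (0x[0-9A-Fa-f]+)"
    r"(?: \(will be (0x[0-9A-Fa-f]+) at next reload\))?"
)

def audit_confreg(show_version_text):
    """Return (current, next_boot, findings), or None if no register line."""
    m = CONFREG_RE.search(show_version_text)
    if m is None:
        return None
    current = int(m.group(1), 16)
    next_boot = int(m.group(2), 16) if m.group(2) else current
    findings = []
    if current & IGNORE_NVRAM:
        findings.append("booted with startup-config bypassed")
    if next_boot & IGNORE_NVRAM:
        findings.append("next reload will bypass startup-config")
    if not (next_boot & BREAK_DISABLED):
        findings.append("Break remains active after boot")
    if (next_boot & BOOT_FIELD) == 0:
        findings.append("next reload stops in ROM monitor")
    return current, next_boot, findings

# Constructed sample lines (hostnames are hypothetical).
SAMPLES = {
    "rtr-normal": "Configuration register is 0x2102",
    "rtr-mid-recovery": "Configuration register is 0x2142 (will be 0x2102 at next reload)",
    "rtr-left-open": "Configuration register is 0x2142",
    "rtr-no-output": "% Invalid input detected",
}

if __name__ == "__main__":
    for host, text in SAMPLES.items():
        result = audit_confreg(text)
        if result is None:
            print(f"{host}: no configuration register line found")
            continue
        cur, nxt, findings = result
        print(f"{host}: 0x{cur:04x} -> 0x{nxt:04x}: {findings or 'ok'}")
```

A router that reports 0x2142 with no pending value was left mid-procedure: it will come up unconfigured again at the next reload.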