Penetration Testing mailing list archives
Re: [PEN-TEST] Port 2001 question
From: c0ncept <c0ncept () HUSHMAIL COM>
Date: Tue, 6 Mar 2001 13:50:44 -0800
[relevant] It's not a cisco router. Take a look at the results of the scan:

... TCP Sequence Prediction: Class=random positive increments Difficulty=93083 (Worthy challenge) ...

If this is a router, it's been patched *very* recently. Cisco just released an advisory + patch for their TCP Sequence Prediction. *If* it was a cisco router, well...you'd probably get something else... [/relevant]

Somebody said earlier in the thread that ports should be filtered on routers as well, even if there is a firewall right behind it -- this isn't necessarily cost effective, just like it's not necessarily practical to do NAT on a router, even though they have the capability built in. Cisco recommends that policy is applied at the access layer [ I won't digress into network architecture on this list -- I'm sure we all agree that hierarchical models scale well, and this has worked so far ]. Now consider that Access Layer routers are at the lower end of the price/performance spectrum [ there are exceptions to this; and separate layers of the model may be performed by the same device, *but* ] in terms of CPU power and memory per dollar, cisco hardware is expensive. A 680x0 with a few megs of RAM will cost you thousands of dollars. A commodity PC can apply a list of rules to a packet too, for a fraction of the cost, in addition to giving you access to a wide variety of tools for viewing / manipulating your log-files...you can even import them into an RDBMS on the same box, and do a variety of statistical analysis on them, archive them, etc., etc..

By filtering ports on your router, you lose a chunk of information from your firewall logs. If you allow port 80 through and your webserver is compromised, you won't know that you were scanned for netbios 5 times the day before by the same dial-up in Korea or what-have-you. [ I know it's possible to log to a syslog server, but then you have two separate sets of logs looking at different parts of the same event; it introduces the problems of log correlation, and basically opens up a can of worms for any business that can afford a T1 but not a Security Administrator. In addition, you are also opening up the possibility of a DoS on the router due to resource consumption, without need. ] I'm in favor of layering security, but never introduce a single point of failure when it can be avoided.

Telnet runs on the standard port on cisco routers; my understanding of the purpose of the AUX port is to provide a backup way of administering a router via dialing into it, should the network connection go down. You dial up to the AUX port via a modem ( ISDN..whatever you hook up to do). You would get a session by dialing the AUX port, or telnetting to the router ( *if* you couldn't telnet to the router, I'd imagine you'd have little reason to dial the AUX port ).

--c0ncept

[snip]
* Port 2001 is commonly open on Cisco routers, connected to the AUX port. If the router has a modem on AUX, for whatever reason, you could get a terminal session on it by telnetting to port 2001. (I think - I've never done this. Well, never found any routers with modems on the AUX port, anyway) Check if 4001, 6001 and 9001 are also open. If so, this is almost conclusively a Cisco, unless someone is screwing with you :-)
[snip]
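The check suggested in the quoted snippet (are 4001, 6001 and 9001 open alongside 2001?) is easy to script. The following is an added example for this archive page, not code posted by c0ncept or anyone else in the thread. It relies on the IOS reverse-telnet convention that each async line N is reachable on 2000+N (telnet), 4000+N (raw TCP), 6000+N (binary-mode telnet) and 9000+N (XRemote), with line 1 usually being AUX; the target address 192.0.2.10 is a placeholder, the "strong/likely/weak/none" grading is the example's own heuristic, and the telnet-negotiation test is a way to tell a telnet line from a raw-TCP line without sending anything to the box.

```python
"""Probe a host for the Cisco reverse-telnet port family (2001/4001/6001/9001).

Added example for the archive page, not code from the mailing-list thread.
Target address, grading thresholds and helper names are this example's own.
"""
import socket
from concurrent.futures import ThreadPoolExecutor

# IOS convention: async line N is exposed on four TCP ports.
# Line 1 is typically AUX, which is where 2001/4001/6001/9001 come from.
PORT_BASES = {2000: "telnet", 4000: "raw tcp", 6000: "binary telnet", 9000: "xremote"}

IAC = 0xFF  # telnet "Interpret As Command" byte that opens option negotiation


def line_ports(line: int) -> dict:
    """Map each reverse-telnet port for async line `line` to its service name."""
    return {base + line: name for base, name in PORT_BASES.items()}


def looks_like_telnet(banner: bytes) -> bool:
    """A telnet listener usually opens with IAC WILL/WONT/DO/DONT (0xFF 0xFB..0xFE).
    A raw-TCP line (4000+N) stays silent, so this separates the two families."""
    return len(banner) >= 3 and banner[0] == IAC and banner[1] in (0xFB, 0xFC, 0xFD, 0xFE)


def probe(host: str, port: int, timeout: float = 3.0) -> tuple:
    """Return (is_open, banner). Connects, waits briefly for any bytes, sends nothing."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                banner = s.recv(64)
            except socket.timeout:
                banner = b""
            return True, banner
    except OSError:  # refused, unreachable, or connect timeout
        return False, b""


def assess(open_ports, line: int = 1) -> str:
    """Grade how closely a set of open ports matches the IOS line-N pattern (heuristic)."""
    expected = set(line_ports(line))
    hits = expected & set(open_ports)
    if hits == expected:
        return "strong"   # all four families open on the same line number
    if (2000 + line) in hits and len(hits) >= 2:
        return "likely"
    if hits:
        return "weak"     # a lone 2001 could be anything, e.g. a dev server
    return "none"


def scan_line(host: str, line: int = 1, timeout: float = 3.0) -> dict:
    """Probe all four ports for one line in parallel; returns {port: (is_open, banner)}."""
    ports = list(line_ports(line))
    with ThreadPoolExecutor(max_workers=len(ports)) as pool:
        results = pool.map(lambda p: probe(host, p, timeout), ports)
    return dict(zip(ports, results))


if __name__ == "__main__":
    import sys
    # Placeholder target (TEST-NET-1); pass a real host on the command line.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"
    res = scan_line(target)
    names = line_ports(1)
    open_ports = [p for p, (is_open, _) in res.items() if is_open]
    for port, (is_open, banner) in sorted(res.items()):
        note = ""
        if is_open:
            note = "telnet negotiation seen" if looks_like_telnet(banner) else "silent / raw"
        print(f"{port:5d} {names[port]:14s} {'open' if is_open else 'closed':6s} {note}")
    print("Cisco line-1 signature:", assess(open_ports))
```

Run it as `python3 probe_cisco_lines.py <host>`. Only the four-port pattern on the same line number is graded "strong"; as the quoted snippet says, a single open 2001 proves little on its own, and the banner check adds a second signal because the 2000-series port should answer with telnet option bytes while the 4000-series port should not.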
Current thread:
- [PEN-TEST] Port 2001 question Oliver Petruzel (Mar 06)
- Re: [PEN-TEST] Port 2001 question Fab Siciliano (Mar 06)
- <Possible follow-ups>
- Re: [PEN-TEST] Port 2001 question Brown, Matt (Mar 06)
- Re: [PEN-TEST] Port 2001 question Dawes, Rogan (ZA - Johannesburg) (Mar 06)
- Re: [PEN-TEST] Port 2001 question c0ncept (Mar 06)
- Re: [PEN-TEST] Port 2001 question -Reply Oliver Petruzel (Mar 06)
- Re: [PEN-TEST] Port 2001 question Porter, Bryce (Mar 06)
- Re: [PEN-TEST] Port 2001 question Block, Edward (Mar 07)