Vulnerability Development mailing list archives
Re: news story and router passwords
From: bugtraq () EXORSUS NET
Date: Sat, 14 Oct 2000 13:53:05 +1100
Most routers are administered by telnet, which is, of course, plain text. Fine and dandy: we can sniff it and see passwords. Most routers also have password recovery procedures, and these generally involve having physical access to the device. You can avoid having this happen to you by administering your routers prudently. For a Cisco, you have many options: use AAA and a 1-time password scheme (like SecurID and a RADIUS or TACACS+ server), put an access-list on the VTY port so the router can only be administered from a trusted host (like a UNIX box to which you can SSH) so even if I know the password I can't use it, or use SSH on the router itself (not an option under older IOS images). Also, try not to administer your core infrastructure devices from networks where people are running sniffers and trying to hack you, when you can avoid it.
Just a quick addition there: IP-based authentication cannot secure the machine on a compromised network, since if the intruder can sniff the passwords from a session, he can also sniff the TCP sequence numbers and therefore successfully spoof a connection from the same location. If you're going to use IP-limited authentication, you must ensure that the connection between that IP and the router you're administering is not sniffable... of course, this defeats the entire point of worrying about your password being sniffed :)

Phi.
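As an added example (not part of the original thread), the following audit checks an IOS-style configuration for the mitigations discussed above and separately flags VTY lines that permit telnet behind an access-class, the case the reply warns about. The sample config, its addresses, the finding codes, and the treatment of a missing `transport input` as telnet-capable are assumptions made for illustration.

```python
import re

# Constructed IOS-style config for illustration; addresses and ACL number are made up.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
access-list 10 permit host 192.0.2.10
line con 0
line vty 0 4
 access-class 10 in
 transport input telnet ssh
line vty 5 15
 transport input ssh
"""

def vty_blocks(config):
    """Yield (header, [sub-commands]) for every 'line vty' block."""
    header, body = None, []
    for raw in config.splitlines():
        if header and raw.startswith(" "):   # indented line belongs to the open block
            body.append(raw.strip())
            continue
        if header:
            yield header, body
        header, body = (raw.strip() if raw.startswith("line vty") else None), []
    if header:
        yield header, body

def audit(config):
    """Return (location, finding) pairs for the mitigations named in the thread."""
    findings = []
    if not re.search(r"^aaa new-model\s*$", config, re.M):
        findings.append(("global", "NO_AAA"))
    for header, body in vty_blocks(config):
        transport = next((c.split()[2:] for c in body if c.startswith("transport input")), None)
        # Assumption: a missing 'transport input' is treated as telnet-capable (conservative).
        cleartext = transport is None or bool({"telnet", "all"} & set(transport))
        has_acl = any(re.match(r"access-class \S+ in\b", c) for c in body)
        if cleartext and has_acl:
            # The reply's point: a source-address filter does not protect a sniffable session.
            findings.append((header, "TELNET_BEHIND_ACL"))
        elif cleartext:
            findings.append((header, "TELNET_NO_ACL"))
        elif not has_acl:
            findings.append((header, "SSH_NO_ACL"))
    return findings

if __name__ == "__main__":
    for where, what in audit(SAMPLE_CONFIG):
        print(f"{where}: {what}")
```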