Full Disclosure mailing list archives

Re: cisco acl

From: petard <petard () freeshell org>
Date: Fri, 5 Dec 2003 14:35:19 +0000

On Fri, Dec 05, 2003 at 01:45:31PM +0100, isa vaul wrote:

Hello full-disclosure,

  I've got a little problem with a cisco router.
  It has obviously been compromised. How do i know, well the password
  has changed. So I want to retrieve the ACL from the RAM (not NVRAM)
  to see what else maybe got compromised.
  Does anyone know how this could be done?

  thanks for any suggestions in advance...

You'll probably get better answers if you:

1. google for "cisco router forensics"
2. ask this question to a cisco list
3. ask this question to cisco tech support. they're quite good.

Assuming you've determined the changed password and the enable password, the command:
# show running-config
will display the current configuration from RAM, including any ACLs
IIRC.

HTH,
petard

--
If your message really might be confidential, download my PGP key here:
http://petard.freeshell.org/petard.asc
and encrypt it. Otherwise, save bandwidth and lose the disclaimer.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

cisco acl isa vaul (Dec 05)
- Re: cisco acl petard (Dec 05)
  - Re[2]: cisco acl isa vaul (Dec 05)
    - Re: cisco acl Cael Abal (Dec 05)
    - Re: Re[2]: cisco acl vb (Dec 05)
    - Re: cisco acl Anton Ivanov (Dec 05)
- Re: cisco acl vb (Dec 05)
- Re: cisco acl Paulo Pereira (Dec 05)
- Re: cisco acl Alexandru Balan (Dec 08)
- <Possible follow-ups>
- RE: cisco acl Patrick Doyle (Dec 05)
- RE: cisco acl Noren, Bill (Dec 05)
- RE: Re[2]: cisco acl Anthony Clendenen (Dec 05)

(Thread continues...)