Vulnerability Development mailing list archives
Re: Cisco 2621
From: "Erick B." <erickbe () yahoo com>
Date: Fri, 8 Sep 2000 17:45:01 -0700
Hi,

These ports are used for 'reverse telnet' on Cisco routers. If you do a 'show line', then take the line # and add 2000 to it, you get the port # you can telnet to, to redirect out that port (aux port, line interface, etc.). The best way to protect against this would be to add ACLs to deny traffic to the router's IP addresses on the port #s you don't want people accessing. Then if you want to 'reverse telnet' you would need to telnet to the router directly and telnet from the router, or set up a lock-n-key ACL to open up those port #s temporarily.

-Erick

--- Lincoln Yeoh <lyeoh () POP JARING MY> wrote:

On Cisco 2500 I believe aux 0 is TCP port 2001. It's often 2000+line number or something. It looks like aux 0 is line 65 on your router and 1 on mine. There are also corresponding ports for other "lines", especially on access servers - these are to allow you to control modems hooked to the router remotely. Not sure if there is a port for the console on various Cisco routers.

I'm not sure if this is the best way to deal with it, but in my Cisco router config I have:

    access-list 102 deny ip any any log
    line aux 0
     access-class 102 in
     transport input all

This rejects and logs TCP connection attempts to the aux port of the router.

Btw, if you telnet to the finger port (79) some access servers give you a list of the accounts currently dialed into them. This sometimes helps get info on people who are scanning your networks. Of course most savvy ISPs disable this, but then savvy ISPs don't need help to track down people scanning your stuff ;). Unfortunately not so savvy ISPs don't discipline their customers for bad behaviour :(.

Have a nice day,
Link.

At 02:22 PM 07-09-2000 +0100, Ollie Whitehouse wrote:

All,

During a recent attack & penetration test the following was discovered, thought it might be interesting.

Router   : 2621
Software : Version 11.3(2)XA4, RELEASE SOFTWARE (fc1)

The router's AUX line had been configured as follows:

    line aux 0
     no exec
     password 7 **********
     login
     transport input all

The NMAP scan of that network showed the following:

    Port       State   Service
    23/tcp     open    telnet
    2065/tcp   open    dlsrpn

Doing a who on the router showed the following also (this is while a connection is open on port 2065):

    2621router>who
        Line      User   Host(s)    Idle       Location
      65 aux 0           incoming   00:00:32   192.168.0.1
    * 66 vty 0           idle       00:00:00   192.168.11.87

Not exploitable, but just keep it in mind when you see port 2065 listening ;o).

Rgds
Ollie

-----
Ollie Whitehouse
Security Team Leader
Delphis Consulting
tel: +44 (0)20 79160200
mail: ollie () delphisplc com

This e-mail and any files transmitted with it are intended solely for the addressee and are confidential. They may also be legally privileged. Copyright in them is reserved by Delphis Consulting PLC ["Delphis"] and they must not be disclosed to, or used by, anyone other than the addressee. If you have received this e-mail and any accompanying files in error, you may not copy, publish or use them in any way and you should delete them from your system and notify us immediately. E-mails are not secure. Delphis does not accept responsibility for changes to e-mails that occur after they have been sent. Any opinions expressed in this e-mail may be personal to the author and may not necessarily reflect the opinions of Delphis.
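As an added example (not part of any message in this thread, and not Cisco's code), the following Python script applies the "2000 + line number" rule the replies describe: it parses a constructed `show line` listing modelled on the 2621 in the post (console is line 0, aux is line 65, VTYs start at 66), explains which open ports from a scan are reverse-telnet listeners, and emits the access-class lock-down Lincoln Yeoh posted for each exposed async line. The 4000 (raw TCP) and 6000 (binary Telnet) ranges follow the same offset rule and are included as a generalisation beyond what the thread observed; the `show line` text and open-port list are constructed, not captured from the router in the post.

```python
import re

# Constructed `show line` output modelled on a 2621: console line 0, aux line 65,
# VTYs from 66 (matching the "65 aux 0" / "66 vty 0" rows in the who output).
SHOW_LINE = """\
   Tty Typ     Tx/Rx    A Modem  Roty AccO AccI   Uses   Noise  Overruns   Int
*    0 CTY              -    -      -    -    -      0       0     0/0       -
    65 AUX   9600/9600  -    -      -    -    -      3       0     0/0       -
*   66 VTY              -    -      -    -    -     12       0     0/0       -
    67 VTY              -    -      -    -    -      0       0     0/0       -
"""

# Constructed open-port list, shaped like the nmap result in the post.
OPEN_PORTS = [23, 2065]

# TCP port base -> service carried on port (base + line number).
# 2000/Telnet is what the thread observed; 4000 (raw TCP) and 6000 (binary
# Telnet) are the same rule and go beyond the thread (generalisation).
PORT_BASES = {2000: "telnet", 4000: "raw-tcp", 6000: "binary-telnet"}

# Only physical async lines accept reverse connections. The console (CTY)
# and the VTYs do not, which fits a scan showing 2065 open but not 2066+.
ASYNC_LINE_TYPES = {"AUX", "TTY"}

_LINE_RE = re.compile(r"^\*?\s*(\d+)\s+(CTY|AUX|TTY|VTY)\b")


def parse_show_line(text):
    """Return [(line_number, type), ...] parsed from `show line` output."""
    lines = []
    for row in text.splitlines():
        m = _LINE_RE.match(row)
        if m:
            lines.append((int(m.group(1)), m.group(2)))
    return lines


def classify_port(port):
    """Map a TCP port to (service, line_number) if it lies in a reverse-telnet range."""
    for base, service in PORT_BASES.items():
        if base <= port < base + 1000:
            return service, port - base
    return None


def reverse_ports(line_number):
    """Every TCP port IOS opens for one async line (aux 0 on the 2621 is line 65)."""
    return {base + line_number: service for base, service in PORT_BASES.items()}


def triage(show_line_text, open_ports):
    """Explain each scanned port in a reverse-telnet range using `show line`.

    Returns [(port, line_number, explanation), ...] in port order.
    """
    types = dict(parse_show_line(show_line_text))
    findings = []
    for port in sorted(open_ports):
        hit = classify_port(port)
        if hit is None:
            continue  # e.g. 23/tcp: ordinary Telnet to a VTY, not our concern here
        service, n = hit
        typ = types.get(n)
        if typ in ASYNC_LINE_TYPES:
            msg = f"{service} to line {n} ({typ}): reverse telnet, restrict with access-class"
        else:
            msg = (f"{service} range but line {n} is {typ or 'unknown'}: "
                   "not a reverse-telnet target, verify manually")
        findings.append((port, n, msg))
    return findings


def access_class_config(async_lines, acl=102):
    """Lincoln Yeoh's mitigation from the thread, emitted per exposed async line.

    `line <N>` uses the absolute line number (line 65 is `line aux 0` on the
    2621). The deny-all ACL still logs every attempt, as his config does.
    """
    cfg = [f"access-list {acl} deny ip any any log"]
    for n, _typ in async_lines:
        cfg += [f"line {n}", f" access-class {acl} in", " transport input all"]
    return "\n".join(cfg)


if __name__ == "__main__":
    for port, n, msg in triage(SHOW_LINE, OPEN_PORTS):
        print(f"{port}/tcp -> {msg}")
    exposed = [(n, t) for n, t in parse_show_line(SHOW_LINE) if t in ASYNC_LINE_TYPES]
    print(access_class_config(exposed))
```

Run against the constructed data it reports 2065/tcp as Telnet to line 65 (the aux port) and prints the lock-down for that line. Feed it a scan that also lists 2066 and it flags that port as falling in the Telnet range but belonging to a VTY, which is not something reverse telnet can reach, so the listener deserves a manual look rather than an automatic access-class.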
Current thread:
- Cisco 2621 Ollie Whitehouse (Sep 07)
- <Possible follow-ups>
- Re: Cisco 2621 Lincoln Yeoh (Sep 08)
- Re: Cisco 2621 Erick B. (Sep 12)