Network Devices in Software

Maker QR Code 2d barcode in Software Network Devices

19 22 23 2001 6001

To confirm our assumption about the vendor and the operating-system level, we ll want to use TCP fingerprinting (as discussed in 2) Also present with most Cisco devices are the typical User Access Verification prompts on the vty ports (23 and 2001) Just telnet to the router on these ports and you ll get this familiar banner:

User Access Verification Password:

Many Cisco devices are running SSH as a replacement for telnet Even with this secure replacement, a familiar banner can still be discovered:

root@ircexamplecom:~$ telnet 10142083 22 Trying 10142083 Connected to 10142083 Escape character is '^]' SSH-15-Cisco-125 Connection closed by foreign host root@ircexamplecom:~#

To counter the information disclosure that port scanners accomplish, a limited amount of tools have been developed Overall, the best policy is to completely deny all unwanted traffic at network borders Keeping limited visibility to the open Internet is primary Use of PortSentry is the second-best method of protection (http://sourceforgenet/projects/ sentrytools/); PortSentry listens to unused ports on a system and detects connection requests on these supposedly quiet ports Here s an example:

root# netstat Ipn Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address tcp 0 0 0000:54320 0000:* tcp 0 0 0000:32774 0000:* tcp 0 0 0000:31337 0000:* tcp 0 0 0000:27665 0000:* tcp 0 0 0000:20034 0000:* tcp 0 0 0000:12346 0000:* tcp 0 0 0000:12345 0000:* tcp 0 0 0000:6667 0000:* tcp 0 0 0000:5742 0000:* tcp 0 0 0000:2000 0000:*

PID/Program name 1959/port sentry 1959/port sentry 1959/port sentry 1959/port sentry 1959/port sentry 1959/port sentry 1959/port sentry 1959/port sentry 1959/port sentry 1959/port sentry

TCP 21 (FTP) 23 (telnet) 22 (SSH) 79 ( nger) 80 (HTTP) 179 (BGP) 512 (exec) 513 (login) 514 (shell) 1993 (Cisco SNMP) 1999 (Cisco ident) 2001 4001 6001 9001 (XRemote service)

UDP 0 (tcpmux) 49 (domain) 67 (bootps) 69 (TFTP) 123 (NTP) 161 (SNMP)

23 (telnet)

0 (tcpmux) 123 (NTP) 161 (SNMP)

21 (FTP) 23 (telnet)

7 (echo) 9 (discard) 67 (bootps) 68 (bootpc) 69 (TFTP) 161 (SNMP) 520 (route)

23 (telnet)

7 (echo) 9 (discard)* 161 (SNMP) 162 (snmp-trap) 514 (shell) 520 (route)

The Ascend discard port accepts only a specially formatted packet (according to the McAfee, Inc, advisory), so your success with receiving a response to scanning this port will vary

Table 7-1

7:

0 0 0 0 0 0 0 0

0 0 0 0 0 0 0 0

0000:635 0000:443 0000:143 0000:119 0000:25 0000:23 0000:22 0000:21

0000:* 0000:* 0000:* 0000:* 0000:* 0000:* 0000:* 0000:*

Specific ports can be selected through a configuration file:

# PortSentry Configuration # $Id: portsentryconf,v 123 2001/06/26 15:20:56 crowland Exp crowland $ # IMPORTANT NOTE: You CAN NOT put spaces between your port arguments # The default ports will catch a large number of common probes # All entries must be in quotes ######################## # Port Configurations # ######################## # Use these for just bare-bones TCP_PORTS="1,11,15,110,111,143,540,635,1080,1524,2000,12345,12346,20034,32771, 32772,32773,32774,49724,54320" UDP_PORTS="1,7,9,69,161,162,513,640,700,32770,32771,32772,32773,32774,31337, 54321"

If an attacker runs a port scan, PortSentry detects the connection attempts to unused ports and drops all future connections from the destination IP via a null route command A null route will halt all communication to the attacker and keep him guessing and permanently locked out of your host:

After blocking is in place, your routing table should look similar to this:

root# route Kernel IP routing table Destination Gateway Iface 31337 localnet loopback default * * * 1921681254 255255255255 2552552550 255000 0000 UH U U UG 0 0 0 1 0 0 0 0 0 0 0 0 lo eth0 lo eth0

Before running PortSentry, be sure to go over the configuration file carefully; spoofed packets can be sent, leaving an attacker capable of selecting hosts to become unresponsive