Incident
If you think your Cisco device has been hacked or misused, it is necessary to collect all relevant information and data.
But before starting to do "anything", it is important that you slow down your heart rate, maybe drink a coffee, count slowly to 10, and then make a short list of what you want to do!
The next step is to prepare your environment to collect data and information.
Important:
Make sure that every command you enter and all output of the commands is logged to a file!!
(turn on logging in your terminal/console program)
Write down in a log file what you are doing (with time, etc.); see other forensic hints on the internet.
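A small helper for the logging advice above, added here as an example (it is not part of the original page): every command and its full output is appended to a JSON-lines file with a UTC timestamp, case id and operator name, and the file is sealed with a SHA-256 manifest so that any later edit to the log can be detected. The commands and outputs recorded in demo() are constructed sample data, not captured from a device.

```python
"""Append-only evidence log with a sealed SHA-256 manifest.

Added example, not from the original page. Each command run on the device
under investigation is stored with its full output and a UTC timestamp, and
the log file is sealed with a hash so later edits show up. The commands and
outputs recorded in demo() are constructed sample data.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large logs are fine."""
    digest = hashlib.sha256()
    with Path(path).open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


class EvidenceLog:
    """One JSON object per line: timestamp, case, operator, command, output."""

    def __init__(self, path, case_id, operator):
        self.path = Path(path)
        self.case_id = case_id
        self.operator = operator
        self.entries = 0

    def record(self, command, output, note=""):
        """Append one command and its complete output with a UTC timestamp."""
        entry = {
            "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "case": self.case_id,
            "operator": self.operator,
            "command": command,
            "output": output,
            "note": note,
        }
        with self.path.open("a", encoding="utf-8") as fh:
            fh.write(json.dumps(entry) + "\n")
        self.entries += 1
        return entry

    def manifest_path(self):
        return self.path.parent / (self.path.name + ".sha256")

    def seal(self):
        """Write the log's digest next to it (sha256sum -c compatible format)."""
        digest = sha256_file(self.path)
        self.manifest_path().write_text(f"{digest}  {self.path.name}\n", encoding="utf-8")
        return digest

    def verify(self):
        """True if the log still matches the digest written by seal()."""
        expected = self.manifest_path().read_text(encoding="utf-8").split()[0]
        return sha256_file(self.path) == expected


def demo(directory=None):
    """Record two constructed commands, seal, then append a line and re-check."""
    directory = Path(directory or tempfile.mkdtemp())
    log = EvidenceLog(directory / "evil-router.log", "CASE-0001", "analyst")
    log.record("show clock detail", "*10:15:02.123 UTC Mon Jan 1 2024",
               "first command after connecting (constructed output)")
    log.record("show version", "Cisco IOS Software, ... (constructed output)")
    digest = log.seal()
    intact = log.verify()
    with log.path.open("a", encoding="utf-8") as fh:  # simulate a later edit
        fh.write('{"command": "line added after sealing"}\n')
    return {
        "entries": log.entries,
        "digest": digest,
        "intact_after_seal": intact,
        "tamper_detected": not log.verify(),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Keep the sealed digest somewhere the log file itself cannot reach (a separate case record, a ticket, an e-mail to a colleague); a manifest that lives next to the log only proves integrity as long as nobody can edit both.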
Connect:
Find out how you can connect to the device. First try to connect to the "Console" port; this is the best way. Next is SSH or Telnet.
If there is no way to connect to the device, you can scan the device and find out what is still working (is the router still routing? run traceroute to some targets). Only then is it time to restart the device. Make a log file of the boot sequence.
If your login with your accounts/passwords doesn't work, do a password reset/recovery, but never overwrite the configs!!
And now, if you have level 15 access, it is time to execute some show commands.
Users and Configurations
show clock detail
show version
show startup-config
show running-config
show reload
show kron schedule
show users {all / summary}
show who
show log
show debug
show stacks
show tech-support password
show processes {cpu / memory / history}
show buffers
show memory
show environment all
show ip route
show ip ospf {summary / neighbors / ...}
show ip bgp summary
show cdp neighbors
show ip arp
show interfaces
show ip interfaces
show tcp brief all
show ip sockets
show control-plane host open-ports
show connection detail
show ip inspect session detail
show ip nat translations verbose
show ip cache flow
show ip cef
show snmp {user / group / sessions / chassis / view}
show vlans
IPv6
show ipv6 route
show ipv6 ospf {summary / neighbors / ...}
show ipv6 interface
show ipv6 cef
show ipv6 inspect sessions detail
File System
show flash:
show file descriptors
show file information "filename"
show file systems
dir /recursive all-filesystems
Hardware
show interfaces {status / summary}
show mac-address-table
show hardware
show inventory
ACLs
show access-lists

show tech-support ?
  CEF related information
  IP multicast related information
  CLNS and ISIS related information
  MPLS forwarding and application related information
  OSPF related information
  Page through output
  Include passwords
  IP RSVP related information
  Output modifiers
Open Ports
The equivalent of "netstat -nl" on a Cisco device is the following set of commands (not all commands are implemented on all IOS versions):
show ip sockets
show udp
show tcp brief
show tcp brief all
show control-plane host open-ports
Sample Output:
evil-router#show ip sockets
Proto  Remote        Port   Local           Port   In  Out  Stat  TTY  OutputIF
17     0.0.0.0       0      192.168.2.150   67     0   0    2211  0
17     --listen--           --any--         123    0   0    1     0
17     192.168.2.2   514    192.168.2.150   55838  0   0    210   0

evil-router#show tcp brief all
TCB       Local Address           Foreign Address         (state)
84350F88  192.168.2.150.23        192.168.2.100.55286     ESTAB
8434B4B0  *.1666                  *.*                     LISTEN
845B97E8  *.443                   *.*                     LISTEN
8438FF68  *.80                    *.*                     LISTEN

evil-router#show control-plane host open-ports
Active internet connections (servers and established)
Prot  Local Address      Foreign Address       Service         State
tcp   *:22               *:0                   SSH-Server      LISTEN
tcp   *:23               *:0                   Telnet          LISTEN
tcp   *:23               192.168.2.100:55286   Telnet          ESTABLIS
tcp   *:80               *:0                   HTTP CORE       LISTEN
tcp   *:1666             *:0                   XDSL WHIP       LISTEN
tcp   *:443              *:0                   HTTP CORE       LISTEN
udp   *:67               *:0                   DHCPD Receive   LISTEN
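Reading these tables by eye works for one router; for a fleet, or for comparing against what the device is documented to run, a parser helps. The following is an added example, not from the original page: it parses the "show tcp brief all" and "show control-plane host open-ports" output above (embedded as strings), lists the listening ports, flags every listener that is not in a baseline allow-list, and reports the TCP ports that one command shows but the other does not. BASELINE is a constructed allow-list standing in for the services you have documented for this device; it is not a statement about which of evil-router's ports are legitimate.

```python
"""Extract listeners from IOS 'show tcp brief all' and
'show control-plane host open-ports' output and compare against a baseline.

Added example, not from the original page. TCP_BRIEF and OPEN_PORTS are the
page's sample output for evil-router; BASELINE is a constructed allow-list
standing in for the documented services of the device under investigation.
"""
import re

TCP_BRIEF = """\
TCB       Local Address           Foreign Address         (state)
84350F88  192.168.2.150.23        192.168.2.100.55286     ESTAB
8434B4B0  *.1666                  *.*                     LISTEN
845B97E8  *.443                   *.*                     LISTEN
8438FF68  *.80                    *.*                     LISTEN
"""

OPEN_PORTS = """\
Active internet connections (servers and established)
Prot  Local Address      Foreign Address       Service         State
tcp   *:22               *:0                   SSH-Server      LISTEN
tcp   *:23               *:0                   Telnet          LISTEN
tcp   *:23               192.168.2.100:55286   Telnet          ESTABLIS
tcp   *:80               *:0                   HTTP CORE       LISTEN
tcp   *:1666             *:0                   XDSL WHIP       LISTEN
tcp   *:443              *:0                   HTTP CORE       LISTEN
udp   *:67               *:0                   DHCPD Receive   LISTEN
"""

# Constructed baseline: (protocol, port) pairs this device is documented to serve.
BASELINE = {("tcp", 22), ("tcp", 443), ("udp", 67)}

# Row of 'show control-plane host open-ports'; the service name may contain spaces.
OPEN_PORTS_ROW = re.compile(
    r"^(tcp|udp)\s+\S+:(\d+)\s+(\S+)\s+(.*?)\s+(LISTEN|ESTABLIS\w*)\s*$"
)


def parse_tcp_brief(text):
    """Return (listening_ports, established) from 'show tcp brief all'.

    IOS prints address and port as a.b.c.d.port or *.port, so the port is
    whatever follows the last dot.
    """
    listeners, established = set(), []
    for line in text.splitlines()[1:]:          # skip the column header
        parts = line.split()
        if len(parts) != 4:
            continue
        _tcb, local, foreign, state = parts
        port = int(local.rsplit(".", 1)[1])
        if state == "LISTEN":
            listeners.add(port)
        else:
            established.append((local, foreign, state))
    return listeners, established


def parse_open_ports(text):
    """Return {(proto, port): service} for the LISTEN rows."""
    rows = {}
    for line in text.splitlines():
        m = OPEN_PORTS_ROW.match(line)
        if m and m.group(5) == "LISTEN":
            rows[(m.group(1), int(m.group(2)))] = m.group(4)
    return rows


def unexpected_listeners(open_ports, baseline):
    """Listeners not covered by the baseline; each one needs an explanation."""
    return {key: svc for key, svc in open_ports.items() if key not in baseline}


def cross_check(tcp_listeners, open_ports):
    """TCP ports reported by one command but not the other.

    The two views come from different parts of IOS; a port present in only
    one of them is worth a second look rather than a conclusion.
    """
    cp_tcp = {port for (proto, port) in open_ports if proto == "tcp"}
    return tcp_listeners ^ cp_tcp


if __name__ == "__main__":
    listeners, established = parse_tcp_brief(TCP_BRIEF)
    open_ports = parse_open_ports(OPEN_PORTS)
    print("established sessions:", established)
    print("not in baseline:", unexpected_listeners(open_ports, BASELINE))
    print("only in one view:", cross_check(listeners, open_ports))
```

On the page's sample the control-plane view lists the SSH and Telnet listeners that the "show tcp brief all" excerpt does not, so cross_check() returns {22, 23}; the established Telnet session from 192.168.2.100 shows up in both views and is the kind of entry to write into the log together with the time you observed it.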
MD5
The exec command "verify" allows you to create MD5 hashes of the files in flash: or nvram:. This is sometimes useful to verify the version in flash: against the original version, or, from the forensic point of view, to create hashes of files.
Warning:
It verifies only files in flash: or another storage location, but not what is in memory!
Command:
verify /md5 filesystem:filename [md5-hash]
Some samples:
R1#verify /md5 c2600-bin-mz.123-18.bin
.......................................................
.....Output truncated....
........................................................................................................Done!
verify /md5 (flash:c2600-bin-mz.123-18.bin) = 924b54b97cd0f6372d70f29c116a3619
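The hash printed by the router only helps if it is compared with a value you trust. The following added example (not from the original page) parses the result line of the sample output above, compares it with a table of hashes recorded when the images were installed, and computes the MD5 of a local file so a copy of the image pulled off the device can be checked the same way. KNOWN_GOOD is a constructed table standing in for your own records, and demo_local_check() hashes constructed bytes rather than a real image.

```python
"""Compare 'verify /md5' output with the hash recorded for the golden image.

Added example, not from the original page. VERIFY_OUTPUT is the page's sample
(progress dots shortened); KNOWN_GOOD is a constructed table standing in for
the hashes you keep of the images you installed; md5_of_file() cross-checks a
copy of the image fetched from the device.
"""
import hashlib
import os
import re
import tempfile
from pathlib import Path

VERIFY_OUTPUT = """\
R1#verify /md5 c2600-bin-mz.123-18.bin
..........................................Done!
verify /md5 (flash:c2600-bin-mz.123-18.bin) = 924b54b97cd0f6372d70f29c116a3619
"""

# Constructed: hash recorded when the image was installed from a trusted source.
KNOWN_GOOD = {"c2600-bin-mz.123-18.bin": "924b54b97cd0f6372d70f29c116a3619"}

# Result line: verify /md5 (<filesystem>:<filename>) = <32 hex digits>
RESULT_RE = re.compile(
    r"verify /md5 \((?P<fs>[^:]+):(?P<name>[^)]+)\) = (?P<md5>[0-9a-fA-F]{32})"
)


def parse_verify_output(text):
    """Return {(filesystem, filename): md5} for every result line found."""
    results = {}
    for line in text.splitlines():
        m = RESULT_RE.search(line)
        if m:
            results[(m.group("fs"), m.group("name"))] = m.group("md5").lower()
    return results


def check_results(results, known_good):
    """Map each filename to 'match', 'MISMATCH' or 'unknown' (no record)."""
    verdicts = {}
    for (_fs, name), md5 in results.items():
        if name not in known_good:
            verdicts[name] = "unknown"
        elif known_good[name].lower() == md5:
            verdicts[name] = "match"
        else:
            verdicts[name] = "MISMATCH"
    return verdicts


def md5_of_file(path):
    """MD5 of a local file, read in chunks, for a copy pulled off the device."""
    digest = hashlib.md5()
    with Path(path).open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def demo_local_check(data=b"abc"):
    """Write constructed bytes to a temp file and hash it like a fetched image."""
    fd, path = tempfile.mkstemp()
    try:
        os.write(fd, data)
        os.close(fd)
        return md5_of_file(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    results = parse_verify_output(VERIFY_OUTPUT)
    print(results)
    print(check_results(results, KNOWN_GOOD))
    print(demo_local_check())  # MD5 of b"abc"
```

A "match" only says the file in flash: is the one you installed; as the warning above states, it says nothing about what is executing in memory, so record the "show version" and "show processes" output from the same session next to the hash.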