
Cisco IOS Forensics

Incident
If you think your Cisco device has been hacked or misused, it is necessary to collect all relevant information and
data.
But before starting to do "anything", it is important that you slow down your heart rate, maybe drink a coffee,
count slowly to 10 and then make a short list of what you want to do!
The next step is to prepare your environment to collect data and information.
Important:
make sure that every command you enter and all output of the commands is logged to a file!!
(turn on logging in your terminal/console program)
write down in a log file what you are doing (with time, etc.); see other forensic hints on the internet
Connect:
find out how you can connect to the device; first try to connect to the "Console" port, this is the best way, next
is SSH or Telnet.
If there is no way to connect to the device, you can scan the device and find out what is still working (is the
router still routing? make a traceroute to some targets), and then the time has come to restart the device. Make a
log file of the boot sequence.
If your login with your accounts/passwords doesn't work, do a password reset/recovery, but never overwrite
the configs!!
And now, if you have level 15 access, it is time to execute some show commands.
Users and Configurations

show clock detail
show version
show startup-config
show running-config
show reload
show kron schedule
show users {all / all / summary}
show who

Local logs, processes, memory

show log
show debug
show stacks
show tech-support password
show processes {cpu/memory/history}
show buffers
show memory
show environment /all

Network and Routing Infos

show ip route
show ip ospf {summary / neighbors / ...}
show ip bgp summary
show cdp neighbors
show ip arp
show interfaces
show ip interfaces
show tcp brief all
show ip sockets
show control-plane host open-ports
show connection detail
show ip inspect session detail
show ip nat translations verbose
show ip cache flow
show ip cef
show snmp {user/group/sessions/chassis/view}
show vlans

IPv6

show ipv6 route
show ipv6 ospf {summary / neighbors / ...}
show ipv6 interface
show ipv6 cef
show ipv6 inspect sessions detail

and if you have VRFs


show ip vrf VRFNAME route
show ip vrf ....

File System

show flash:
show file descriptors
show file information "filename"
show file systems
dir /recursive all-filesystems

Hardware

show interfaces {status/summary}
show mac-address-table
show hardware
show inventory

ACLs
show access-lists

ACE and other Boards

If you have an additional board, like ACE, you must change to every context and collect all data.
Final Jobs
Copy all files from flash to a secure place (incl. IOS).
And now you must collect all information from the external log server, TACACS server, ...
Now you can make an analysis of the collected data. But remember, never work with the original files!
Tips and hints
Watch out for the following information:
- GRE tunnels
- TCL scripts
- route maps
- additional users
- terminal length 0 -> for faster display on the console
show tech-support
In a forensic case you have to execute "show tech-support password" because, with only "show tech-support",
the passwords are replaced with <removed>.
Warning: If you send a "show tech-support" output file to someone else, check that the passwords are
removed and all VPN information is removed.
evil-router#sh tech-support ?
  cef          CEF related information
  ipmulticast  IP multicast related information
  isis         CLNS and ISIS related information
  mpls         MPLS forwarding and application related information
  ospf         OSPF related information
  page         Page through output
  password     Include passwords
  rsvp         IP RSVP related information
  |            Output modifiers

Open Ports
The equivalent of "netstat -nl" on a Cisco device is the following set of commands
(not all commands are implemented on all IOS versions):
show ip sockets
show udp
show tcp brief
show tcp brief all
show control-plane host open-ports

Sample Output:
evil-router#show ip sockets
Proto    Remote          Port    Local            Port   In  Out  Stat  TTY  OutputIF
 17      0.0.0.0         0       192.168.2.150    67     0   0    2211  0
 17      --listen--              --any--          123    0   0    1     0
 17      192.168.2.2     514     192.168.2.150    55838  0   0    210   0

evil-router#show tcp brief all
TCB       Local Address           Foreign Address         (state)
84350F88  192.168.2.150.23        192.168.2.100.55286     ESTAB
8434B4B0  *.1666                  *.*                     LISTEN
845B97E8  *.443                   *.*                     LISTEN
8438FF68  *.80                    *.*                     LISTEN

evil-router#show control-plane host open-ports
Active internet connections (servers and established)
Prot   Local Address     Foreign Address          Service         State
tcp    *:22              *:0                      SSH-Server      LISTEN
tcp    *:23              *:0                      Telnet          LISTEN
tcp    *:23              192.168.2.100:55286      Telnet          ESTABLIS
tcp    *:80              *:0                      HTTP CORE       LISTEN
tcp    *:1666            *:0                      XDSL WHIP       LISTEN
tcp    *:443             *:0                      HTTP CORE       LISTEN
udp    *:67              *:0                      DHCPD Receive   LISTEN
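As an added example (not from the original page), a small Python helper that parses the logged "show control-plane host open-ports" output above into records and checks the listeners against a baseline of services the analyst expects on that router; the sample text is copied from the page, while the baseline set is an assumption.

```python
import re
from dataclasses import dataclass

# Constructed sample: the "show control-plane host open-ports" output as logged from the console.
SAMPLE_OPEN_PORTS = """\
evil-router#show control-plane host open-ports
Active internet connections (servers and established)
Prot   Local Address     Foreign Address          Service         State
tcp    *:22              *:0                      SSH-Server      LISTEN
tcp    *:23              *:0                      Telnet          LISTEN
tcp    *:23              192.168.2.100:55286      Telnet          ESTABLIS
tcp    *:80              *:0                      HTTP CORE       LISTEN
tcp    *:1666            *:0                      XDSL WHIP       LISTEN
tcp    *:443             *:0                      HTTP CORE       LISTEN
udp    *:67              *:0                      DHCPD Receive   LISTEN
"""

# Hypothetical baseline: (protocol, port) pairs expected to listen on this router.
# Any other LISTEN entry is written up as a finding for the analyst.
EXPECTED_LISTENERS = {("tcp", 22), ("udp", 67)}

# One data row: proto, local addr:port, foreign addr:port, service name (may contain spaces), state.
ROW = re.compile(r"^(tcp|udp)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(.+?)\s+(LISTEN|ESTABLIS\w*)\s*$")

@dataclass(frozen=True)
class Socket:
    proto: str
    local_port: int
    foreign: str
    service: str
    state: str

def parse_open_ports(text):
    """Turn the logged CLI output into Socket records; prompt and header lines are skipped."""
    sockets = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            proto, _laddr, lport, faddr, fport, service, state = m.groups()
            sockets.append(Socket(proto, int(lport), f"{faddr}:{fport}", service.strip(), state))
    return sockets

def triage(sockets, expected=EXPECTED_LISTENERS):
    """Return (listeners not in the baseline, established sessions) for the evidence notes."""
    unexpected = [s for s in sockets if s.state == "LISTEN" and (s.proto, s.local_port) not in expected]
    established = [s for s in sockets if s.state.startswith("ESTAB")]
    return unexpected, established
```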

MD5
The exec command "verify" allows you to create MD5 hashes of the files in flash: or nvram:. This is
sometimes useful to verify the version in flash: against the original version,
or, from the forensic view, to create hashes for files.
Warning:
it verifies only files in flash: or other storage, but not in memory!
Command:
verify /md5 filesystem:filename [md5-hash]

Some samples:
R1#verify /md5 c2600-bin-mz.123-18.bin
.......................................................
.....Output truncated....
........................................................................................................Done!
verify /md5 (flash:c2600-bin-mz.123-18.bin) = 924b54b97cd0f6372d70f29c116a3619

Compare with the MD5 hash from Cisco or another source.


R1#verify /md5 c2600-bin-mz.123-18.bin 924b54b97cd0f6372d70f29c116a3691
........................................................
......Output truncated.....
........................................................................................................Done!
%Error verifying flash:c2600-bin-mz.123-18.bin
Computed signature  = 924b54b97cd0f6372d70f29c116a3619
Submitted signature = 924b54b97cd0f6372d70f29c116a3691

To verify the MD5 sum of a file on a Linux system use md5sum (md5 on BSD, or fsum -md5 on Windows).
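As an added example (not the page's own tooling), a Python helper that pulls the hash from the logged "verify /md5" lines above, recomputes MD5 over the copy taken from flash, and compares both against a vendor reference hash in constant time; the log text is copied from the page, the image bytes and reference hash in the test are constructed.

```python
import hashlib
import hmac
import re

# Constructed sample: the "verify /md5" session as it appears in the logged console output.
VERIFY_LOG = """\
R1#verify /md5 c2600-bin-mz.123-18.bin
.......................................Done!
verify /md5 (flash:c2600-bin-mz.123-18.bin) = 924b54b97cd0f6372d70f29c116a3619
"""

# Matches the result line IOS prints: verify /md5 (filesystem:filename) = <32 hex chars>
VERIFY_LINE = re.compile(r"verify /md5 \((?P<file>[^)]+)\) = (?P<md5>[0-9a-fA-F]{32})")

def parse_verify_output(log_text):
    """Return {filename: md5} for every result line found in a logged session."""
    return {m.group("file"): m.group("md5").lower() for m in VERIFY_LINE.finditer(log_text)}

def md5_hex(data):
    """MD5 of the file copied off flash, the same digest md5sum / md5 / fsum -md5 print."""
    return hashlib.md5(data).hexdigest()

def hashes_match(a, b):
    """Case-insensitive, constant-time comparison of two hex digests."""
    return hmac.compare_digest(a.lower(), b.lower())

def check_image(log_text, filename, image_bytes, reference_md5):
    """Cross-check three sources: the router's own verify output, the copy we hold,
    and the vendor's published hash. A mismatch in either check is a finding."""
    on_router = parse_verify_output(log_text).get(filename)
    local = md5_hex(image_bytes)
    return {
        "local_md5": local,
        "router_matches_copy": on_router is not None and hashes_match(on_router, local),
        "copy_matches_reference": hashes_match(local, reference_md5),
    }
```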
Documents
- Router Forensics (Nicolas Fischbach)
- Router Forensics (Thomas Akin)
(c) 2009 by packetlevel.ch / last update: 25.10.2009
