RE: Re[2]: [Full-Disclosure] cisco acl

From: Keith Pachulski (keithp_at_corp.ptd.net)
Date: 12/05/03

  • Next message: Paul Starzetz: "[iSEC] Linux kernel do_brk() vulnerability details"
    To: "isa vaul" <nonleft@gmx.net>, "petard" <petard@freeshell.org>
    Date: Fri, 5 Dec 2003 11:36:09 -0500
    
    

    Break System
    Attach a console to the router.
    Power down the router and then power on.
    Within the first 30 seconds send a "break" to the router (different emulators may have different methods to do this).
    You should now have either a ">" prompt or a "rommon 1>" prompt.
    Confreg 0x2142
    then i
    hit enter

    Wait for the router to finish reloading. Do not enter the configuration dialog (i.e. answer no to enter or <ctrl-c>).
    Enable
    Show config

    If enable and vty passwords are not encrypted:
    config mem
    conf t
    config-register 0x2102
    <ctrl-z>
    reload

    When prompted to save the configuration, say no.
    Press enter to continue reloading.

    If enable passwords are encrypted:
    config mem
    conf t
    enable {secret | password} <password>
    line vty 0 4
    password <password2>
    config-register 0x2102
    <ctrl-z>
    write mem
    reload
    Press enter to continue reloading.
      
            

    -----Original Message-----
    From: isa vaul [mailto:nonleft@gmx.net]
    Sent: Friday, December 05, 2003 10:31 AM
    To: petard
    Cc: full-disclosure@lists.netsys.com
    Subject: Re[2]: [Full-Disclosure] cisco acl

    Hello petard,

    Friday, December 5, 2003, 3:35:19 PM, you wrote:

    p> On Fri, Dec 05, 2003 at 01:45:31PM +0100, isa vaul wrote:
    >> Hello full-disclosure,
    >>
    >> I've got a little problem with a cisco router.
    >> It has obviously been compromised. How do I know? Well, the password
    >> has changed. So I want to retrieve the ACL from the RAM (not NVRAM)
    >> to see what else maybe got compromised.
    >> Does anyone know how this could be done?
    >>
    >> thanks for any suggestions in advance...
    p> You'll probably get better answers if you:

    p> 1. google for "cisco router forensics"
    p> 2. ask this question to a cisco list
    p> 3. ask this question to cisco tech support. they're quite good.

    p> Assuming you've determined the changed password and the enable password, the command:
    p> # show running-config
    p> will display the current configuration from RAM, including any ACLs
    p> IIRC.

    p> HTH,
    p> petard

    p> --
    p> If your message really might be confidential, download my PGP key here:
    p> http://petard.freeshell.org/petard.asc
    p> and encrypt it. Otherwise, save bandwidth and lose the disclaimer.

    Thanks for all the replies.
    And I am aware of the 3 given possibilities.
    But I thought maybe someone on the list has some quick answer as
    well?!? And as it is a little urgent I just wanted to give it a try!

    Unfortunately I do not know the new password! Otherwise there wouldn't
    be a problem at all.
    And more unfortunately it is not my network and I had nothing to do with
    the setup. Or else I would have, as Mort pointed out, a tftp in
    place.

    -- 
    Best regards,
     nonleft                            mailto:nonleft@gmx.net
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
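
Once the console recovery in Keith's reply gets you to "show config", and with the "show running-config" output petard mentions pulled from RAM, the forensic step is comparing what the router is actually enforcing against what it is supposed to run. The Python script below is an added example, not code from any of the posts: it parses two constructed sample configs (the baseline hash and the type-7 string are placeholders, not real credentials), lists ACL entries present in RAM but absent from the trusted baseline, shows where each ACL is applied, and reports whether the enable and vty passwords are stored as a secret hash, as type-7 obfuscation, or in clear text, which is the distinction Keith's two branches hinge on.

```python
"""Parse Cisco IOS configuration text (as shown by 'show running-config' /
'show config') for ACL entries, where they are applied, and how the enable
and vty passwords are stored. Added example, not code from the list posts;
both configs below are constructed samples, not captures from any router."""
import re

# Constructed baseline: what the administrator believes the router runs.
# The secret hash and type-7 string are placeholders, not real credentials.
BASELINE = """\
hostname edge-rtr
enable secret 5 $1$abcd$ConstructedPlaceholderHash0
!
ip access-list extended INBOUND
 permit tcp any host 192.0.2.10 eq 443
 deny ip any any log
!
access-list 10 permit 192.0.2.0 0.0.0.255
!
interface Serial0/0
 ip access-group INBOUND in
!
line vty 0 4
 password 7 0822455D0A16
 access-class 10 in
"""

# Constructed "what is actually in RAM" config: two ACL entries have appeared
# and both passwords were replaced with clear-text ones.
RUNNING = """\
hostname edge-rtr
enable password letmein
!
ip access-list extended INBOUND
 permit tcp any host 192.0.2.10 eq 443
 permit tcp any host 192.0.2.10 eq 23
 deny ip any any log
!
access-list 10 permit 192.0.2.0 0.0.0.255
access-list 10 permit 198.51.100.0 0.0.0.255
!
interface Serial0/0
 ip access-group INBOUND in
!
line vty 0 4
 password letmein
 access-class 10 in
"""

NUMBERED = re.compile(r"^access-list (\d+) (.+)$")
NAMED = re.compile(r"^ip access-list (?:standard|extended) (\S+)$")
ENABLE = re.compile(r"^enable (secret|password) (.+)$")
BINDING = re.compile(r"^(?:ip access-group|access-class) (\S+) (in|out)$")
LINEPW = re.compile(r"^password (.+)$")


def classify_password(keyword, value):
    """'enable secret' stores an MD5 hash (type 5); 'password 7 ...' is the
    reversible type-7 obfuscation; anything else is clear text."""
    if keyword == "secret":
        return "secret"
    return "type7" if value.startswith("7 ") else "cleartext"


def parse_config(text):
    """Return acls (name -> entries), bindings [(where, acl, dir)] and
    passwords [(scope, kind)] in the order they appear."""
    acls, bindings, passwords = {}, [], []
    section, current_acl = "", None
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if not line.startswith(" "):          # top-level command
            section, current_acl = line, None
            if m := NUMBERED.match(line):
                acls.setdefault(m[1], []).append(m[2])
            elif m := NAMED.match(line):
                current_acl = m[1]
                acls.setdefault(current_acl, [])
            elif m := ENABLE.match(line):
                passwords.append(("enable", classify_password(m[1], m[2])))
            continue
        entry = line.strip()                  # indented sub-command
        if current_acl is not None:
            acls[current_acl].append(entry)
        elif m := BINDING.match(entry):
            bindings.append((section, m[1], m[2]))
        elif section.startswith("line ") and (m := LINEPW.match(entry)):
            passwords.append((section, classify_password("password", m[1])))
    return {"acls": acls, "bindings": bindings, "passwords": passwords}


def diff_acls(baseline, running):
    """ACL entries present in RAM but not in the trusted baseline, and vice versa."""
    b, r = parse_config(baseline)["acls"], parse_config(running)["acls"]
    added = {n: [e for e in r.get(n, []) if e not in b.get(n, [])] for n in r}
    removed = {n: [e for e in b.get(n, []) if e not in r.get(n, [])] for n in b}
    return {n: v for n, v in added.items() if v}, {n: v for n, v in removed.items() if v}


def cleartext_passwords(text):
    """Scopes whose password is readable straight out of the config."""
    return [s for s, kind in parse_config(text)["passwords"] if kind == "cleartext"]


if __name__ == "__main__":
    added, removed = diff_acls(BASELINE, RUNNING)
    print("ACL entries only in RAM:", added)
    print("ACL entries missing from RAM:", removed)
    print("ACL bindings in RAM:", parse_config(RUNNING)["bindings"])
    print("clear-text passwords:", cleartext_passwords(RUNNING))
```

Run it as-is to see the constructed case; in practice, paste the captured "show running-config" text into RUNNING and a known-good copy of the startup config into BASELINE. Type-7 strings are reported separately from secrets because they are only obfuscated, not hashed, so a config that leaks them should be treated as having leaked the vty password.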
