Nipper


Cisco Router Security Report

of the

HatSecurity-router1 Cisco Router


Contents

1. About This Report
    1.1. Organisation
    1.2. Conventions
2. Security Audit
    2.1. Introduction
    2.2. Software Version
    2.3. Weak Passwords / Keys
    2.4. Inbound TCP Connection Keep Alives
    2.5. Connection Timeout
    2.6. Auxiliary Port
    2.7. IP Source Routing
    2.8. Logging
    2.9. Cisco Discovery Protocol
    2.10. Classless Routing
    2.11. Minimum Password Length
    2.12. BOOTP
    2.13. Enable Secret
    2.14. Login Banner
    2.15. Domain Lookups
    2.16. Packet Assembler / Disassembler
    2.17. Conclusions
3. Device Configuration
    3.1. Introduction
    3.2. General
    3.3. Services
    3.4. Domain Name Settings
    3.5. Time Zone Settings
    3.6. User Accounts and Privileges
    3.7. HyperText Transfer Protocol
    3.8. Routing
    3.9. Lines
    3.10. Interfaces
4. Appendix
    4.1. Abbreviations
    4.2. Common Ports
    4.3. Logging Severity Levels
    4.4. Time Zones
    4.5. Nipper Details


1. About This Report

1.1. Organisation

This report on the Cisco Router HatSecurity-router1 was produced by Nipper on Tuesday 1st July 2008. The report contains the following sections:
 

1.2. Conventions

This report makes use of the text conventions outlined in Table 1.
 
Table 1: Report text conventions
Convention  Description
command     This text style represents the Cisco Router command text that has to be entered literally.
string      This text style represents the Cisco Router command text that you have to supply.
[ ]         Used to enclose a Cisco Router command option.
{ }         Used to enclose a Cisco Router command requirement.
|           Divides command option or requirement choices.
 

2. Security Audit

2.1. Introduction

Nipper performed a security audit of the Cisco Router HatSecurity-router1 on Tuesday 1st July 2008. This section details the findings of the security audit together with the impact and recommendations.
 

2.2. Software Version

Observation: It is critically important that software be regularly maintained with patches and upgrades in order to help mitigate the risk of an attacker exploiting a known software vulnerability. Furthermore, additional security features and other functionality are normally added or extended with each software revision.
 
Nipper determined that the Cisco Router HatSecurity-router1 was running out-of-date software, Internet Operating System (IOS) version 12.3. Some of the known vulnerabilities for this software version are listed in Table 2.
 
Table 2: Potential software vulnerabilities
Description                          CVE Reference  Bugtraq ID
Telnet remote denial of service      CVE-2004-1464  11060
IPv4 TCP listener denial of service  CVE-2007-0479  22208
 
It is worth noting that Nipper used the version number detailed in the device configuration to identify the potential vulnerabilities, and patches may have already been applied. Additionally, a specific device configuration may be required in order for the device to become vulnerable.
 
Impact: The vulnerabilities listed in Table 2 could allow an attacker to perform a Denial of Service (DoS) attack.
 
Ease: Exploit code is widely available on the Internet for known Cisco Router vulnerabilities.
 
Recommendation: Nipper strongly recommends that the software be updated and patched to the latest software version. Furthermore, Nipper recommends that the current patch policy be reviewed.
 

2.3. Weak Passwords / Keys

Observation: Strong passwords tend to contain a number of different types of character, such as uppercase and lowercase letters, numbers and punctuation characters. Weaker passwords tend not to contain a mixture of character types. Additionally, weaker passwords tend to be short in length.
 
Nipper identified two passwords / keys that did not meet the minimum password complexity requirements. These are listed in Table 3.
 
Table 3: Weak passwords / keys
Type      Service  Username         Password
Password  Enable   Level 15         terminal
Password  Line     VTY lines 0 - 4  terminal
 
Impact: If an attacker were able to gain a password or key, either through dictionary-based guessing techniques or by a brute-force method, the attacker could gain a level of access to HatSecurity-router1.
 
Ease: A number of dictionary-based password guessing and password brute-force tools are available on the Internet.
 
Recommendation: Nipper strongly recommends that the weak passwords be immediately changed to ones that are stronger. Nipper recommends that passwords be made up of at least eight characters in length and contain either uppercase or lowercase characters and numbers.
 

2.4. Inbound TCP Connection Keep Alives

Observation: Connections to a Cisco Router device could become orphaned if a connection becomes disrupted. An attacker could attempt a DoS attack against a Cisco Router by exhausting the number of possible connections. Transmission Control Protocol (TCP) keep alive messages can be configured to confirm that a remote connection is valid and then terminate any orphaned connections.
 
Nipper determined that TCP keep alive messages are not sent for connections from remote hosts.
 
Impact: An attacker could attempt a DoS by exhausting the number of possible connections.
 
Ease: Tools are available on the Internet that can open large numbers of TCP connections without correctly terminating them.
 
Recommendation: Nipper recommends that TCP keep alive messages be sent to detect and drop orphaned connections from remote systems. TCP keep alive messages can be enabled for connections from remote systems using the following command:
 
service tcp-keepalives-in

 

2.5. Connection Timeout

Observation: Connection timeouts can be configured for a number of the device services. If a timeout were configured on an administrative service, an administrator that did not correctly terminate the connection would have it automatically closed after the timeout expires. However, if a timeout is not configured, or is configured to be a long timeout, an unauthorised user may be able to gain access using the administrator's previously logged-in connection.
 
Nipper identified three connection settings that were not configured to time out within ten minutes; these are listed in Table 4.
 
Table 4: Connections with inadequate timeout periods
Connection        Timeout
Console line 0    No Timeout
Auxiliary line 0  No Timeout
VTY lines 0 to 4  No Timeout
 
Impact: An attacker who was able to gain access to a connection that had not expired, would be able to continue using that connection. A connection could be a console port on the device that was not correctly terminated or a remote administrative connection.
 
Ease: The attacker would have to gain physical access to the device to use the console port, or gain remote access to an administration machine that is attached to the port. To gain access to remote connections, an attacker would have to be able to intercept network traffic between the client and HatSecurity-router1. The attacker would then have to take over the connection, which could be very difficult with some services. Tools are available on the Internet that would facilitate the monitoring of network connections.
 
Recommendation: Nipper recommends that a timeout period of ten minutes be configured for connections to the device HatSecurity-router1.
 

2.6. Auxiliary Port

Observation: The auxiliary port's primary purpose is to provide a remote administration capability. It can allow a remote administrator to use a modem to dial into the Cisco device.
 
Nipper determined that the auxiliary port on the Cisco device HatSecurity-router1 allowed exec connections and did not appear to have the callback feature configured.
 
Impact: An attacker may discover the modem number for the device during a war-dial. If an attacker were able to connect to the device remotely, then they may be able to brute-force the login to gain access to the device.
 
Ease: The attacker would have to first identify the telephone number of the device, probably through a war-dial. A modem attached to a telephone line would have to be attached directly to the Cisco device's auxiliary port. Then the attacker would be able to attach to the device in order to perform a brute-force of the login.
 
Recommendation: Nipper recommends that, if not required, the auxiliary port exec be disabled. Exec can be disabled on the aux port with the following command:
 
no exec
 
If the auxiliary port is required for remote administration, the callback feature can be configured to dial a specific preconfigured telephone number.
 

2.7. IP Source Routing

Observation: IP source routing is a feature whereby a network packet can specify how it should be routed through the network. Cisco routers normally accept and process source routes specified by a packet, unless the feature has been disabled.
 
Nipper determined that IP source routing was not disabled.
 
Impact: IP source routing can allow an attacker to specify a route for a network packet to follow, possibly to bypass a Firewall device or an Intruder Detection System (IDS). An attacker could also use source routing to capture network traffic by routing it through a system controlled by the attacker.
 
Ease: An attacker would have to control either a routing device or an end point device in order to modify a packet's route through the network. However, tools are available on the Internet that would allow an attacker to specify source routes. Tools are also available to modify network routing using vulnerabilities in some routing protocols.
 
Recommendation: Nipper recommends that, if not required, IP source routing be disabled. IP source routing can be disabled by issuing the following IOS command:
 
no ip source-route

 

2.8. Logging

Observation: Logging is an essential component of a secure network configuration. Logging not only assists network administrators to identify issues when troubleshooting, but enables network administrators to react to intrusion attempts or Denial-of-Service attacks. It is therefore critical that logs be monitored, allowing administrators to take immediate action when an attack has been identified. Furthermore, system logs are a key component of a forensic investigation into past intrusions or service disruptions.
 
Nipper determined that logging had not been configured on HatSecurity-router1.
 
Impact: An attacker could attempt to map and bypass any configured Access Control List (ACL) or to gain access to the Cisco Router without network administrators being alerted to the attempts. Furthermore, after an unauthorised intrusion into the network had been detected, it would be more difficult for an investigation to identify the source of the attack or the entry point without access to logs.
 
Ease: N/A
 
Recommendation: Nipper recommends that Syslog and Buffered logging be configured on HatSecurity-router1. Logging can be enabled with the following command:
 
logging on

 
To configure Syslog logging, four things need to be set: a source interface for the Syslog messages to be sent from, one or more Syslog hosts to send messages to, the Syslog logging message severity level and the Syslog facility. The following commands can be used to configure Syslog logging:
 
logging source-interface {Interface}
 
logging host {Syslog IP address or hostname}
 
logging trap {Logging message severity level}
 
logging facility {Syslog facility}

 
Buffered logging can be configured with the following command:
 
logging buffered {Buffer Size} {Logging message severity level}

 

2.9. Cisco Discovery Protocol

Observation: Cisco Discovery Protocol (CDP) is a proprietary protocol that is primarily used by Cisco, but has been used by others. CDP allows some network management applications and CDP aware devices to identify each other on a Local Area Network (LAN) segment. Cisco devices, including switches, bridges and routers are configured to broadcast CDP packets by default. The devices can be configured to disable the CDP service or disable CDP on individual network interfaces.
 
Nipper determined that even though CDP had been disabled on all active interfaces, the CDP service had not been disabled.
 
Impact: CDP packets contain information about the sender, such as hardware model information, operating system version and IP address details. This information would allow an attacker to gain information about the configuration of the network infrastructure.
 
Ease: CDP packets are broadcast to an entire network segment. An attacker could use one of the many publicly available tools to capture network traffic and view the leaked information.
 
Recommendation: Nipper recommends that, if not required, the CDP service be disabled on the Cisco device HatSecurity-router1. If CDP is required, Nipper recommends that CDP be disabled on all interfaces except those that are explicitly required.
 
The CDP service can be disabled by issuing the following Cisco IOS command:
 
no cdp run
 
CDP can be disabled on individual interfaces using the following command:
 
no cdp enable
 
In some configurations with IP phones, deployed using either Auto Discovery or Dynamic Host Configuration Protocol (DHCP), the CDP service may need to be enabled. In this situation CDP should be disabled on all network interfaces for which it is not required.
 

2.10. Classless Routing

Observation: Classless routing is enabled by default on Cisco routers. If a router has classless routing enabled and it receives a network packet for which there is no configured route, the router will forward the packet to the best destination. With classless routing disabled, the router would discard any network traffic for which no route is defined.
 
Nipper determined that classless routing was enabled on HatSecurity-router1.
 
Impact: Network traffic that should not be routed by the router may be routed when classless routing is enabled.
 
Ease: N/A
 
Recommendation: Nipper recommends that, if possible, classless routing be disabled. Classless routing can be disabled with the following command:
 
no ip classless

 

2.11. Minimum Password Length

Observation: Cisco introduced an option from IOS version 12.3(1) which forces user, enable, secret and line passwords to meet a minimum length. This setting was introduced to help prevent the use of short passwords such as "cisco".
 
Nipper determined that a minimum password length of six characters was configured.
 
Impact: With a small minimum password length configured, it would be possible for a short password to be used. If an attacker were able to gain a password through dictionary-based guessing techniques or by a brute-force method, the attacker could gain a level of access to HatSecurity-router1.
 
Ease: A number of dictionary-based password guessing and password brute-force tools are available on the Internet.
 
Recommendation: Nipper recommends that a minimum password length of at least eight characters be configured. The minimum password length can be configured with the following command:
 
security passwords min-length {length}

 

2.12. BOOTP

Observation: BOOTstrap Protocol (BOOTP) is a datagram protocol that allows compatible hosts to load their operating system over the network from a BOOTP server. Cisco routers are capable of acting as BOOTP servers for other Cisco devices and the service is enabled by default. However, BOOTP is rarely used and may represent a security risk.
 
Nipper determined that BOOTP was not disabled. However, it is worth noting that not all Cisco devices support BOOTP.
 
Impact: An attacker could use the BOOTP service to download a copy of the router's IOS software.
 
Ease: Tools are available on the Internet to access BOOTP servers.
 
Recommendation: Nipper recommends that, if not required, the BOOTP service be disabled. The following command can be used to disable BOOTP:
 
no ip bootp server

 

2.13. Enable Secret

Observation: Cisco IOS-based device enable passwords can be stored using an iterated MD5 hash, which is far stronger than the easily reversible Cisco type-7 encryption.
 
Nipper identified one enable password that was not stored using the MD5 hash.
 
Impact: An attacker could use an enable password from a Cisco device to access the device and possibly modify its configuration.
 
Ease: An attacker who had access to the Cisco configuration file would easily be able to retrieve passwords that are stored in clear-text or using the Cisco type-7 encryption. An attacker with access to the configuration file could still attempt to brute-force the stronger MD5 hashes, although this takes considerably more effort.
 
Recommendation: Nipper recommends that all enable passwords be stored using the MD5 hash. Enable passwords can be stored using the MD5 hash with the following Cisco IOS command:
 
enable secret {password}

 

2.14. Login Banner

Observation: A banner message can be shown to users who connect to one of the remote management services, such as Telnet. Typically banner messages will include information on the law with regard to unauthorised access to the device, warning users who do not have the authority to access the device about the consequences.
 
Nipper determined that no login banner was configured.
 
Impact: Attackers who have gained access to a device could avoid legal action if no banner is configured to warn against unauthorised access.
 
Ease: N/A
 
Recommendation: Nipper recommends that a banner be configured that warns against unauthorised access. Banners are configured on Cisco devices using a delimiter character. A delimiter character is specified in the banner command and is used again to mark the end of the banner. The Cisco command to add a login banner, that is presented to users prior to authentication, is:
 
banner login {delimiter} The banner text {delimiter}

 

2.15. Domain Lookups

Observation: Cisco IOS-based devices support name lookups using the Domain Name System (DNS). However, if a DNS server has not been configured, then the DNS request is broadcast.
 
Nipper determined that name lookups had not been disabled and no DNS servers had been configured.
 
Impact: An attacker who was able to capture network traffic could monitor DNS queries from the Cisco Router. Furthermore, Cisco devices can connect to Telnet servers by supplying only the hostname or IP address of the server. A mistyped Cisco command could be interpreted as an attempt to connect to a Telnet server and broadcast on the network.
 
Ease: It would be trivial for an attacker to capture network traffic broadcast from a Cisco Router. Furthermore, network traffic capture tools are widely available on the Internet.
 
Recommendation: Nipper recommends that domain lookups be disabled. Domain lookups can be disabled with the following command:
 
no ip domain-lookup
 
If domain lookups are required, Nipper recommends that DNS be configured. DNS can be configured with the following command:
 
ip name-server {IP address}

 

2.16. Packet Assembler / Disassembler

Observation: The Packet Assembler / Disassembler (PAD) service enables X.25 connections between network systems. The PAD service is enabled by default on most Cisco IOS devices but it is only required if support for X.25 links is necessary.
 
Nipper determined that the PAD service had not been disabled.
 
Impact: Running unused services increases the chances of an attacker finding a security hole or fingerprinting a device.
 
Ease: N/A
 
Recommendation: Nipper recommends that, if not required, the PAD service be disabled. Use the following command to disable the PAD service:
 
no service pad

 

2.17. Conclusions

Nipper performed a security audit of the Cisco Router device HatSecurity-router1 on Tuesday 1st July 2008 and identified 15 security-related issues. Nipper determined that:
 

3. Device Configuration

3.1. Introduction

This section details the configuration settings of the Cisco Router device HatSecurity-router1.
 

3.2. General

Table 5: General device settings
Description                  Setting
Hostname                     HatSecurity-router1
IOS Version                  12.3
Service Password Encryption  Enabled
Minimum Password Length      6 characters
IP Source Routing            Enabled
BOOTP                        Enabled
Service Config               Disabled
TCP Keep Alives (In)         Disabled
TCP Keep Alives (Out)        Disabled
Cisco Express Forwarding     Enabled
Gratuitous ARPs              Disabled
Classless Routing            Enabled
 

3.3. Services

Table 6: Device services
Service             Status
Telnet              Disabled
SSH                 Disabled
HTTP                Disabled
Finger              Disabled
TCP Small Services  Disabled
UDP Small Services  Disabled
CDP                 Enabled
PAD                 Enabled
 

3.4. Domain Name Settings

Table 7: Domain name settings
Description    Setting
Domain Lookup  Enabled
 

3.5. Time Zone Settings

Table 8: Time zone settings
Description               Setting
Time Zone                 UTC
UTC Offset                None
Summer Time Zone          Disabled
Authoritative Time Source No
 

3.6. User Accounts and Privileges

Table 9: Enable Passwords
Level  Password   Encryption
15     terminal   Type-7
15     <unknown>  MD5
 

3.7. HyperText Transfer Protocol

Table 10: HTTP configuration
Description                        Setting
HTTP Server                        Disabled
Authentication Type                Enable Password
Access Class (Access List Number)  Unconfigured
 

3.8. Routing

A network device's routing tables can be configured with static routes or updated dynamically. Routing protocols are used by network routing devices to dynamically update the routing tables that devices use to forward network traffic to their destination. Routing protocols can be split into two different categories: Interior Gateway Protocols (IGPs) and Exterior Gateway Protocols (EGPs). IGPs are usually used in situations where the routing devices are all controlled by a single entity, such as within a company. EGPs are usually used in situations where routing devices are managed by a number of entities, such as the Internet. Typically routing devices support a number of standard routing protocols.
 
Table 11: Static routes
IP Address  Net Mask  Gateway
0.0.0.0     0.0.0.0   83.111.x.x
 

3.9. Lines

The Cisco line configuration settings are used to configure administrative access to the device. The console line type is used for accessing the Cisco device directly through a cable attached to the device's console port. The auxiliary lines are used for remote access to the device, typically through attached modems. The Virtual Teletype (VTY) lines are used for access to the device through a remote access service such as Secure Shell (SSH) or Telnet.
 
Table 12: Line configuration
Line Type  Start Line  End Line  Logins   Exec  Authorization  Accounting  Telnet  SSH  Timeout  Exec Timeout  Session Timeout  Absolute Timeout  Password  Password Encryption
Console    0           -         Allowed  On    Off            Off         Off     Off  0s       0s            0s               0s                -         -
Auxiliary  0           -         Allowed  On    Off            Off         Off     Off  0s       0s            0s               0s                -         -
VTY        0           4         Allowed  On    Off            Off         Off     Off  0s       0s            0s               0s                terminal  Type-7
 

3.10. Interfaces

Table 13: Interfaces
Interface      Active  IP Address  Proxy ARP  IP Unreachable  IP Redirect  IP Mask Reply  IP Direct Broadcast  NTP  CDP  uRPF  MOP
FastEthernet0  Yes     None        N/A        N/A             N/A          N/A            N/A                  N/A  N/A  Off   N/A
Serial0        Yes     None        N/A        N/A             N/A          N/A            N/A                  N/A  N/A  Off   N/A
 

4. Appendix

4.1. Abbreviations

ACL    Access Control List
ARP    Address Resolution Protocol
BID    Bugtraq ID
BOOTP  BOOTstrap Protocol
CDP    Cisco Discovery Protocol
CEF    Cisco Express Forwarding
CVE    Common Vulnerabilities and Exposures
DHCP   Dynamic Host Configuration Protocol
DNS    Domain Name System
DoS    Denial of Service
EGP    Exterior Gateway Protocol
HTTP   HyperText Transfer Protocol
IDS    Intruder Detection System
IGP    Interior Gateway Protocol
IOS    Internet Operating System
IP     Internet Protocol
LAN    Local Area Network
MD5    Message Digest 5
MOP    Maintenance Operations Protocol
NTP    Network Time Protocol
PAD    Packet Assembler / Disassembler
SNMP   Simple Network Management Protocol
SSH    Secure Shell
TCP    Transmission Control Protocol
UDP    User Datagram Protocol
UTC    Coordinated Universal Time
VTY    Virtual Teletype
 

4.2. Common Ports

Table 14: Common ports
Service  Port
SSH      22
DHCP     67
HTTP     80
NTP      123
SNMP     161
 

4.3. Logging Severity Levels

Table 15: Logging message severity levels
Level  Level Name     Description
0      Emergencies    System is unstable
1      Alerts         Immediate action is required
2      Critical       Critical conditions
3      Errors         Error conditions
4      Warnings       Warning conditions
5      Notifications  Significant conditions
6      Informational  Informational messages
7      Debugging      Debugging messages
 

4.4. Time Zones

Table 16: Common time zone acronyms
Region          Acronym  Time Zone                             UTC Offset
Australia       CST      Central Standard Time                 +9.5 hours
Australia       EST      Eastern Standard/Summer Time          +10 hours
Australia       WST      Western Standard Time                 +8 hours
Europe          BST      British Summer Time                   +1 hour
Europe          CEST     Central Europe Summer Time            +2 hours
Europe          CET      Central Europe Time                   +1 hour
Europe          EEST     Eastern Europe Summer Time            +3 hours
Europe          EST      Eastern Europe Time                   +2 hours
Europe          GMT      Greenwich Mean Time
Europe          IST      Irish Summer Time                     +1 hour
Europe          MSK      Moscow Time                           +3 hours
Europe          WEST     Western Europe Summer Time            +1 hour
Europe          WET      Western Europe Time                   +1 hour
USA and Canada  ADT      Atlantic Daylight Time                -3 hours
USA and Canada  AKDT     Alaska Standard Daylight Saving Time  -8 hours
USA and Canada  AKST     Alaska Standard Time                  -9 hours
USA and Canada  AST      Atlantic Standard Time                -4 hours
USA and Canada  CDT      Central Daylight Saving Time          -5 hours
USA and Canada  CST      Central Standard Time                 -6 hours
USA and Canada  EDT      Eastern Daylight Time                 -4 hours
USA and Canada  EST      Eastern Standard Time                 -5 hours
USA and Canada  HST      Hawaiian Standard Time                -10 hours
USA and Canada  MDT      Mountain Daylight Time                -6 hours
USA and Canada  MST      Mountain Standard Time                -7 hours
USA and Canada  PDT      Pacific Daylight Time                 -7 hours
USA and Canada  PST      Pacific Standard Time                 -3 hours
 

4.5. Nipper Details

This report was generated using Nipper version 0.11.8. Nipper is an Open Source tool designed to assist security professionals and network system administrators in securely configuring network infrastructure devices. The latest version of Nipper can be found at the following URL:
 
http://nipper.titania.co.uk.