Remote Cisco Identification

From: Mr. joej (mr_joejat_private)
Date: Mon Jan 18 1999 - 09:48:52 PST


    Alpha Release: 0.9
    Released Through: Rhino9 Team
    By: JoeJ
    Shouts: Horizon, apk-, NeonSurge, Xaphan
    
    ----------------------------------------------------------------
    
    Intro:
    ------
    This release covers some information that was found sniffing a
    portscan session.  What was found wasn't anything super special.
    I'm sure anyone running a packet sniffer while performing a port
    scan on a cisco has seen this.  But it is the implications of
    this that are not fully understood.
    
    Cisco Note:
    ---------
    It is documented that cisco uses port 1999.  However I have never seen
    the details of its use.  This may not be an immediate security bug, it
    may do exactly as it was intended.  However I did not feel that everyone
    would be aware of how easy it is to remotely identify Cisco products.
    With the IOSLOGON, and HISTORY bug out there, it may be advisable to
    prevent your router from telling everyone what brand it is.
    
    -----Thanks to Aleph One for info----------
    >tcp-id-port      1999/tcp      cisco identification port
    >tcp-id-port      1999/udp      cisco identification port
    
    
    
    The Deal:
    ---------
    Basically any Cisco router or device running IOS code responds
    to requests to port 1999 differently from any other port.  Follow
    the diagram below for details.
    
    <snip>
    diagram removed .. looks bad in email. Check it out at
    http://207.98.195.250/advisories/08.htm
    </snip>
    Cisco products respond to SYNs directed to port 1999 with
    a RST, which is normal, but they also include 'cisco' in
    the payload of the packet.
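    As an added example (not part of the Rhino9 post), the Python below lets an
    administrator audit their own packet captures for exactly the signature just
    described: a RST coming back from TCP port 1999 that carries 'cisco' in its
    data, where a normal RST carries no data at all. The IPv4/TCP parser is
    minimal but real; the two sample packets are constructed by hand (assumed
    addresses 10.0.0.1, 10.0.0.2, 10.0.0.3, zero checksums), one matching the
    advisory's description and one an ordinary closed-port RST.

```python
"""
Audit captured IPv4/TCP packets for the Cisco port-1999 identification reply:
a RST from TCP source port 1999 whose payload contains 'cisco'.

Added example, not part of the Rhino9 advisory.  The sample packets are
constructed test vectors (assumed addresses, zero checksums), not real traffic.
"""
import struct

CISCO_ID_PORT = 1999   # port named in the services file quoted above
TCP_RST = 0x04
TCP_ACK = 0x10


def parse_ipv4_tcp(frame: bytes) -> dict:
    """Parse an IPv4 packet carrying TCP into header fields plus payload.
    Raises ValueError for non-IPv4, non-TCP or truncated input."""
    if len(frame) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl = frame[0]
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    total_len = struct.unpack("!H", frame[2:4])[0]
    if frame[9] != 6:
        raise ValueError("not TCP")
    src_ip = ".".join(str(b) for b in frame[12:16])
    dst_ip = ".".join(str(b) for b in frame[16:20])
    tcp = frame[ihl:total_len]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4   # TCP header length in bytes
    flags = off_flags & 0x01FF         # low 9 bits are the flag bits
    return {"src_ip": src_ip, "dst_ip": dst_ip, "sport": sport,
            "dport": dport, "flags": flags, "payload": tcp[data_off:]}


def is_cisco_id_reply(pkt: dict) -> bool:
    """True when the packet matches the advisory's signature: a RST sent
    from port 1999 whose data contains 'cisco'.  A RST normally has no data,
    so the payload itself is the tell."""
    return bool(pkt["sport"] == CISCO_ID_PORT
                and pkt["flags"] & TCP_RST
                and b"cisco" in pkt["payload"].lower())


def build_ipv4_tcp(src_ip, dst_ip, sport, dport, flags, payload=b"") -> bytes:
    """Build a minimal IPv4/TCP packet for testing (checksums left zero)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 1,
                      (5 << 12) | flags, 0, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return ip + tcp


# Constructed samples: the behaviour the advisory describes, and a plain RST.
CISCO_REPLY = build_ipv4_tcp("10.0.0.1", "10.0.0.2", 1999, 40000,
                             TCP_RST | TCP_ACK, b"cisco")
PLAIN_RST = build_ipv4_tcp("10.0.0.3", "10.0.0.2", 1999, 40000,
                           TCP_RST | TCP_ACK)


def audit(frames):
    """Return source IPs that answered a port-1999 SYN with the identifying RST.
    Frames that are not IPv4/TCP are skipped rather than failing the audit."""
    leaking = []
    for frame in frames:
        try:
            pkt = parse_ipv4_tcp(frame)
        except ValueError:
            continue
        if is_cisco_id_reply(pkt):
            leaking.append(pkt["src_ip"])
    return leaking


if __name__ == "__main__":
    print(audit([CISCO_REPLY, PLAIN_RST]))  # ['10.0.0.1']
```

    Feed `audit()` the raw IPv4 packets from a capture taken on your own
    network while the port-1999 probe is sent to your own routers; any address
    it returns is a device that still announces its brand and should get the
    filter described in the Fix section below.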
    
    Implications:
    -------------
    It is now easy to scan a large range of IP addresses to find
    Cisco products.  In the next week Rhino9 will hopefully release
    a Cisco scanning utility.  Even if the device doesn't allow access
    to the telnet port it is now possible to determine Cisco hardware.
    
    
    Fix:
    ----
    The easy fix is to specify an ip filter to deny incoming tcp
    communication to port 1999.
    
    
    Future:
    -------
    It is unclear why this happens.  I'm unclear on the apparent
    implementation of this feature.  It may turn out to be a welcome mat.
    Either way Rhino9 will dig-in regarding this subject.
    
    ----------------------------------------------------------------
    JoeJ & The Rhino9 Research Team - http://207.98.195.250
    ----------------------------------------------------------------
    
    
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:29:10 PDT