ATM packet sniffing on a Cisco?

From: James W. Abendschan (jwaat_private)
Date: Mon Aug 06 2001 - 23:20:09 PDT


    I had an opportunity recently to play with a Cisco 3600 in enable mode.
    The router had a fastethernet and an ATM interface; I tried lots of
    'debug fastethernet packets' and 'debug interface fastethernet 0/0'
    variations, but to no avail.
    
    The ATM interface, on the other hand, was a different story:
    
    foo233#show version
    Cisco Internetwork Operating System Software
    IOS (tm) 3600 Software (C3620-IS-M), Version 12.1(5)T7,  RELEASE SOFTWARE (fc1)
    
    [ ... ]
    
    foo233#debug atm packet interface ATM1/0.1
    foo233#terminal length 0
    foo233#show log
    
    [ ... ]
    
    1w1d: ATM1/0.1(O):
    VCD:0x1 VPI:0x1 VCI:0x20 DM:0x100 SAP:AAAA CTL:03 OUI:000000 TYPE:0800 Length:0x87
    1w1d: 45C0 007B 0055 0000 FF06 E49E DEAD BEEF D863 DAA1 0017 F42C 2077 E022 AA26
    1w1d: B281 5018 0F97 E6D4 0000 4154 4D20 7061 636B 6574 7320 6465 6275 6767 696E
    1w1d: 6720 6973 206F 6E0D 0A44 6973 706C 6179 696E 6720 7061 636B 6574 7320 6F6E
    1w1d: 2069 6E74 6572 6661 6365 2041 544D 312F 302E 3120 6F6E 6C79 0D0A 666F 6F32
    1w1d: 3333 2330
    1w1d:
    1w1d: ATM1/0.1(I):
    VCD:0x1 VPI:0x1 VCI:0x20 Type:0x0 SAP:AAAA CTL:03 OUI:000000 TYPE:0800 Length:0x34
    1w1d: 4500 0028 A8B7 4000 3406 C84F D863 DAA1 DEAD BEEF F42C 0017 AA26 B281 2077
    1w1d: E022 5010 7FB8 08CD 0000
    
    [ ... ]
    
    I enlarged the log buffer & wrote an expect script that sat in a loop
    doing:
    
        undebug atm packet interface ATM1/0.1
        show log
        clear logging
        confirm
        debug atm packet interface ATM1/0.1
        sleep 10
    
    .. and logged the output to a file.  A perl script made the output readable.
    (script will eventually be @ http://www.jammed.com/~jwa/hacks/security/cisco)
    
    Through this, I was able to sniff ICMP, UDP and TCP, but it seemed to drop
    many packets.  As the self-sniff example above shows, the payload was not
    zeroed out; I was able to see many SNMP and DNS queries, and occasional
    HTTP GETs.
    
    Has anyone else played with this?
    
    James
    
    ps: yes, I've read the very fine "THINGS TO DO IN CISCOLAND WHEN YOU'RE DEAD"
    ( http://www.phrack.org/show.php?p=56&a=10 ) .. GRE was not an option.
    Maybe next time :-)
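
    The perl script that made the log readable is not on this page. As an added
    example (not the author's script, and written in Python rather than perl), the
    following parser takes the log layout shown above, which is the only layout it
    assumes ('1w1d: ATM1/0.1(O):' header, the VCD/VPI/VCI/TYPE line, then
    '1w1d: 45C0 007B ...' hex lines; other IOS timestamp styles are not handled),
    groups the hex lines back into packets, decodes the IPv4 and TCP/UDP headers,
    and checks the IP header checksum. The embedded sample is the two records
    quoted above. One detail worth noting: the outbound record is dumped as 124
    bytes although its IP total length is 123, so the decoder cuts each packet at
    the IP total length rather than trusting the dump length.

```python
import re
import struct
from dataclasses import dataclass, field
from typing import List, Optional

HDR_RE = re.compile(r"^\S+: (?P<intf>ATM\S+)\((?P<dir>[IO])\):$")         # '1w1d: ATM1/0.1(O):'
VC_RE = re.compile(r"VPI:0x(?P<vpi>[0-9A-Fa-f]+) VCI:0x(?P<vci>[0-9A-Fa-f]+).*TYPE:(?P<etype>[0-9A-Fa-f]{4})")
HEX_RE = re.compile(r"^\S+: ((?:[0-9A-Fa-f]{2}(?:[0-9A-Fa-f]{2})?\s*)+)$")   # '1w1d: 45C0 007B ..'
TCP_FLAGS = ("FIN", "SYN", "RST", "PSH", "ACK", "URG")

@dataclass
class Packet:
    intf: str
    direction: str                  # O = sent by the router, I = received by it
    vc: str = ""                    # "vpi/vci"
    etype: int = 0                  # from the TYPE: field of the LLC/SNAP line
    raw: bytes = b""                # bytes exactly as dumped (the LLC/SNAP header is not dumped)
    ip_checksum_ok: Optional[bool] = None
    src: str = ""
    dst: str = ""
    proto: int = 0
    sport: int = 0
    dport: int = 0
    flags: List[str] = field(default_factory=list)
    payload: bytes = b""

def ip_checksum_valid(header: bytes) -> bool:
    """RFC 1071 ones'-complement sum over the whole IPv4 header; folds to 0 when intact."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total & 0xFFFF) == 0

def decode_ipv4(pkt: Packet) -> None:
    """Fill in the IPv4 and TCP/UDP fields of one record."""
    data = pkt.raw
    if pkt.etype != 0x0800 or len(data) < 20:
        return
    vihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", data[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20 or total_len < ihl or len(data) < ihl:
        return
    # Cut at the IP total length: the dump can run past the datagram (the (O) record in the
    # post is 124 bytes for a 123-byte datagram) and that tail must not end up in the payload.
    data = data[:total_len]
    pkt.ip_checksum_ok = ip_checksum_valid(data[:ihl])
    pkt.src, pkt.dst, pkt.proto = ".".join(map(str, src)), ".".join(map(str, dst)), proto
    l4 = data[ihl:]
    if proto == 6 and len(l4) >= 20:
        pkt.sport, pkt.dport, _, _, off, bits = struct.unpack("!HHIIBB", l4[:14])
        pkt.flags = [n for i, n in enumerate(TCP_FLAGS) if bits & (1 << i)]
        pkt.payload = l4[(off >> 4) * 4:]
    elif proto == 17 and len(l4) >= 8:
        pkt.sport, pkt.dport = struct.unpack("!HH", l4[:4])
        pkt.payload = l4[8:]
    else:                           # ICMP and anything else: keep the raw layer-4 bytes
        pkt.payload = l4

def parse_debug_log(text: str) -> List[Packet]:
    """Group the log lines into records, then decode each one."""
    packets: List[Packet] = []
    current: Optional[Packet] = None
    for line in text.splitlines():
        line = line.strip()
        hdr, vc, hx = HDR_RE.match(line), VC_RE.search(line), HEX_RE.match(line)
        if hdr:
            current = Packet(intf=hdr["intf"], direction=hdr["dir"])
            packets.append(current)
        elif current is not None and vc:
            current.vc, current.etype = "%d/%d" % (int(vc["vpi"], 16), int(vc["vci"], 16)), int(vc["etype"], 16)
        elif current is not None and hx:
            current.raw += bytes.fromhex(hx.group(1).replace(" ", ""))
    for pkt in packets:
        decode_ipv4(pkt)
    return packets

def summarize(pkt: Packet) -> str:
    """One tcpdump-style line per record, with the payload shown as text."""
    proto = {1: "icmp", 6: "tcp", 17: "udp"}.get(pkt.proto, str(pkt.proto))
    flags = " [%s]" % ",".join(pkt.flags) if pkt.flags else ""
    cksum = " (bad ip cksum)" if pkt.ip_checksum_ok is False else ""
    text = " " + repr(pkt.payload.decode("ascii", "replace")) if pkt.payload else ""
    return "%s(%s) vc %s %s %s:%d > %s:%d%s%s%s" % (pkt.intf, pkt.direction, pkt.vc, proto, pkt.src,
                                                    pkt.sport, pkt.dst, pkt.dport, flags, cksum, text)

# The two records quoted in the post, verbatim.
SAMPLE_LOG = """\
1w1d: ATM1/0.1(O):
VCD:0x1 VPI:0x1 VCI:0x20 DM:0x100 SAP:AAAA CTL:03 OUI:000000 TYPE:0800 Length:0x87
1w1d: 45C0 007B 0055 0000 FF06 E49E DEAD BEEF D863 DAA1 0017 F42C 2077 E022 AA26
1w1d: B281 5018 0F97 E6D4 0000 4154 4D20 7061 636B 6574 7320 6465 6275 6767 696E
1w1d: 6720 6973 206F 6E0D 0A44 6973 706C 6179 696E 6720 7061 636B 6574 7320 6F6E
1w1d: 2069 6E74 6572 6661 6365 2041 544D 312F 302E 3120 6F6E 6C79 0D0A 666F 6F32
1w1d: 3333 2330
1w1d:
1w1d: ATM1/0.1(I):
VCD:0x1 VPI:0x1 VCI:0x20 Type:0x0 SAP:AAAA CTL:03 OUI:000000 TYPE:0800 Length:0x34
1w1d: 4500 0028 A8B7 4000 3406 C84F D863 DAA1 DEAD BEEF F42C 0017 AA26 B281 2077
1w1d: E022 5010 7FB8 08CD 0000
"""
```

    Call parse_debug_log(SAMPLE_LOG) and print summarize() for each record: the
    outbound one decodes to the router's own telnet output ("ATM packets debugging
    is on ..."), which is the self-sniff the post refers to. Both IP header
    checksums in the quoted dump fail, and by the same amount, presumably because
    the router's address was replaced with DEAD BEEF before posting (the TCP
    checksum is not verified here). On a live capture the checksum flag is a cheap
    way to spot records that the log buffer truncated or mixed with other output.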
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
    Service. For more information on SecurityFocus' SIA service which
    automatically alerts you to the latest security vulnerabilities please see:
    https://alerts.securityfocus.com/
    



    This archive was generated by hypermail 2b30 : Tue Aug 07 2001 - 15:17:42 PDT