CISCO router language
---------------------
E...  : Interface connected to an Ethernet segment
F...  : Fast Ethernet interface
S...  : Serial connection
To... : Token Ring

IOS version (maintenance release) : IOS 12.0(3)

Modes of operation
------------------
User mode                 : Router>
Enable (privileged) mode  : Router#
Global Configuration mode : Router(config)#

Ctrl+A : Move to *beginning* of line
Ctrl+E : Move to *end* of line
Ctrl+P : Previous command in the history (same as the UP arrow)
Ctrl+N : Next command in the history (same as the DOWN arrow)

Authentication and Authorization
--------------------------------
1) AAA methods (Authentication, Authorization, and Accounting)
   Ex.: RADIUS, TACACS+, Kerberos
2) non-AAA methods: the router itself checks a line password or a local
   username/password database.
   Ex.: the console, auxiliary and vty line passwords, local usernames,
        and the original/extended TACACS (not TACACS+, which is an AAA method)

Commands
--------
?   : List available options
E?  : List all commands starting with "E"

Router# configure terminal
Router(config)# interface Ethernet0

[Setting the console Password]
Router# configure terminal               <- also accepted: config terminal | conf t
Router(config)# line console 0           <- enter line-config mode, where the password is set
Router(config-line)# password 3l1t3:P
Router(config-line)# login               <- require the line password at login
Router(config-line)# ^Z
Router#
(Set "password" before "login": IOS otherwise warns that login is disabled on
the line until a password is set, and a vty line with "login" but no password
refuses connections with "Password required, but none set".)

[Setting the Enable Password]
There are 2:
1) enable password <- legacy, lower priority: stored in clear text, or only
                      reversibly obfuscated (type 7) by "service password-encryption"
2) enable secret   <- stored as a one-way MD5 hash (type 5) and takes precedence
                      when both are configured; use this one

Router# configure terminal
Router(config)# enable secret p@assw0rd
Router(config)# ^Z
Router#
(The "login" command belongs to line configuration and plays no part here.)

[Setting the VTY Password]
Classic routers have 5 VTY lines (0-4); later platforms and images have more
(e.g. 0-15), so cover the whole range that "show running-config" lists.
Router# configure terminal
Router(config)# line vty 0 4             <- all VTY lines 0-4 ("line vty 0" = the first line only)
Router(config-line)# password otr0p@assw0rd
Router(config-line)# login
Router(config-line)# ^Z
Router#

[Creating User Accounts]
Router# configure terminal
Router(config)# username user1 password p@ss1
Router(config)# username user2 password p@ss2
Router(config)# username user3 password p@ss3
Router(config)# username user4 password p@ss4
Router(config)# ^Z
Router#
"username ... password" is stored in clear text (type 0), or only reversibly
(type 7) under "service password-encryption". Images that support
"username ... secret" store an MD5 hash instead; prefer it where available.

[Banners]
- Do not provide information useful to an attacker (model, IOS version, owner, location)
- Inform users they are being recorded
- Define who is and who is not authorized
- Provide adequate legal standing to prosecute offenders and protect the
  equipment's admins.

[1) MOTD Banner]   <- shown to every connection before the login prompt
[2) Login Banner]  <- shown before the username/password prompt
Router# configure terminal
Router(config)# banner login C
WARNING! This system is designed solely for the authorized users of .... Corp... etc.
C
Router(config)# ^Z
Router#
The first character after "banner login" ("C" here) is the delimiter that ends
the banner; it must not appear inside the banner text.

[3) EXEC Banner]   <- shown after a successful login, when the EXEC session starts
                      (to every user, not only those who enter privileged mode)
Router# configure terminal
Router(config)# banner exec #
WARNING! This system is designed solely for the authorized users of .... Corp... etc.
#
Router(config)# ^Z
Router#

[SSH] begin
- IOS 11.2 and 11.3 do not support SSH; the SSH server appears in 12.0(5)S
  and later (SSHv1 only; SSHv2, "ip ssh version 2", arrives in 12.3(4)T and
  should be used where available, since SSHv1 has known weaknesses)
- Prerequisites: a hostname and a domain name (together they form the RSA key
  name), an RSA key pair, and a local username for "login local"

Router# configure terminal
Router(config)# ip domain-name hugomartin.org          <- define the domain name
Router(config)# access-list 23 permit 192.168.51.45    <- define the allowed source host
Router(config)# line vty 0 4                           <- all 5 VTY lines
Router(config-line)# access-class 23 in                <- apply it to incoming vty connections
Router(config-line)# exit
Router(config)# username SSHuser password SSHuserP@ss
Router(config)# line vty 0 4
Router(config-line)# login local                       <- authenticate against the local usernames
Router(config-line)# exit
Router(config)#

... generating RSA keys ...
Router# configure terminal
Router(config)# crypto key generate rsa                <- generate the RSA key pair
The name for the keys will be: Router.hugomartin.org
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.
How many bits in the modulus [512]: 1024
Generating RSA keys ...
[OK]
Router(config)#
(Never accept the 512-bit default; 1024 is the floor, 2048 where the platform allows it.)

... fine tune the SSH negotiation (password input) timeout ...
[default: 120 s, which is also the maximum; the guide suggests 90 s or less]
Router# configure terminal
Router(config)# ip ssh time-out 45                     <- note the hyphen: "time-out"
Router(config)# ^Z
Router#

... fine tune the authentication retries allowed ...   [default: 3, maximum: 5]
Router# configure terminal
Router(config)# ip ssh authentication-retries 2
Router(config)# ^Z
Router#

... let the VTY lines accept SSH (and telnet only if unavoidable) ...
Router# configure terminal
Router(config)# line vty 0 4
Router(config-line)# transport input ssh telnet        <- omit telnet if possible: "transport input ssh"
Router(config-line)# ^Z
Router#
[SSH] ends

Router# show ip ssh     <- SSH server status: enabled/version, time-out, retries (12.1/12.2 images)
Router# show ssh        <- the current SSH sessions and their users (12.1/12.2 images)
Router# copy running-config startup-config   <- save configuration changes (short form: copy ru st)

ROUTING PRINCIPLES
------------------
ARP [RFC 826]
MAC address: 48 bits, written as six hex bytes [00 00 00 00 00 00 - FF FF FF FF FF FF];
  the first three bytes are the OUI (IEEE-assigned vendor value), the last three
  are assigned by the vendor.
LAN TO LAN ROUTING PROCESS
LAN TO WAN ROUTING PROCESS
THE ROUTING PROCESS
  1. Static routing
  2. Dynamic routing

......... OSI MODEL .........
7 APPLICATION
6 PRESENTATION
5 SESSION
4 TRANSPORT
3 NETWORK     Gets data packets from one network to another network (routers, IP addresses)
2 DATA LINK   Gets frames from one local node to another local node (switches, MAC addresses)
1 PHYSICAL

ROUTED PROTOCOLS  (IP / TCP/IP, IPX/SPX, AppleTalk)    <- carry the user traffic
ROUTING PROTOCOLS (RIP, IGRP, EIGRP, OSPF, BGP, RTMP)  <- exchange reachability between routers
  Distance Vector Routing (RIP, IGRP)
  Link-State Routing (OSPF)
Cisco Discovery Protocol (CDP)  <- advertises platform, IOS version and addresses to
                                   neighbours; disable it on untrusted interfaces
Source Routing                  <- IP source-route options let the sender dictate the path
                                   and bypass routing policy; disable
Small Services                  <- TCP/UDP echo, chargen, discard, daytime; disable
Finger                          <- reveals who is logged in; disable

ACCESS CONTROL LISTS
Standard ACLs (1-99)     : look only at the source address of a packet
Extended ACLs (100-199)  : look at the source & destination address of a packet,
                           and can also match the protocol and ports
ACL Operation
Access List Process      : entries are tested top-down, the first match decides,
                           and an unmatched packet hits the implicit "deny any"
The Wildcard Mask        : the inverse of a subnet mask: a 0 bit must match,
                           a 1 bit is "don't care" (0.0.0.255 = a /24, 0.0.0.0 = one host)
Extended ACL Syntax
 > Denial of a specific host
 > Denial of a Subnet
 > Denial of a Network
 > Granting Telnet from One Specific Host
 > Granting FTP to a Subnet
Defending against attacks with ACLs
 > Anti-DoS ACLs
 > Anti-SYN ACLs
 > Anti-Land ACLs       (LAND: source address == destination address; drop inbound
                         packets that claim one of your own addresses as source)
 > Anti-Spoofing ACLs   (drop inbound packets whose source is your internal prefix,
                         loopback or other reserved space)

LOGGING CONCEPTS
Cisco Logging Options
 - Console Logging
 - Terminal Logging
 - Buffered Logging
 - Syslog Logging
 - SNMP Logging
Log Priority   (severity 0 emergencies ... 7 debugging; the lower the number, the more severe)
Configure Logging
 - Console Logging
 - Terminal Logging
 - Buffered Logging
 - Syslog Logging
 - SNMP Logging
ACL Logging
Anti-spoofing Logging
VTY Logging
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Hugo Martin www.hackcraft.com (2006)
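Added example (not part of Hugo Martin's notes): a small Python checker that reads an IOS running-config and flags the weak choices the password, VTY and SSH sections above warn about: an "enable password" instead of "enable secret", "username ... password", a line with "login" but no password, vty lines that still accept telnet or have no "access-class", and the SSH time-out/retry defaults. The two configs it inspects are constructed for the example (the hashes are placeholders), and the finding codes are invented here, not Cisco's.

```python
"""Audit an IOS running-config for the password, vty and SSH hardening steps above.

Illustrative checker, not a Cisco tool: the finding codes are invented for this
example and both sample configs are constructed.
"""
import re

WEAK_CONFIG = """\
hostname Router
enable password cisco
username admin password 0 admin123
ip domain-name hugomartin.org
line con 0
 login
line vty 0 4
 password otr0p@assw0rd
 login
 transport input telnet ssh
"""

HARDENED_CONFIG = """\
hostname Router
enable secret 5 $1$abcd$xxxxxxxxxxxxxxxxxxxxxx
username SSHuser secret 5 $1$efgh$yyyyyyyyyyyyyyyyyyyyyy
ip domain-name hugomartin.org
ip ssh time-out 45
ip ssh authentication-retries 2
access-list 23 permit 192.168.51.45
banner login ^C
WARNING! Authorized users only. All activity is recorded.
^C
line con 0
 password 3l1t3:P
 login
line vty 0 4
 access-class 23 in
 login local
 transport input ssh
"""


def parse(config):
    """Return (top-level commands, {'line ...' header: [child commands]}).

    Banner bodies are skipped (only 'banner <kind>' is kept) and children of
    other sections (interfaces, ...) are dropped: this audit only needs lines.
    """
    top, sections, current = [], {}, None
    lines = iter(config.splitlines())
    for raw in lines:
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("banner "):
            parts = line.split(None, 3)                      # banner <kind> <delim> [text]
            top.append("banner " + parts[1])
            if len(parts) < 4 or parts[2] not in parts[3]:   # multi-line: eat up to the closing delimiter
                for body in lines:
                    if parts[2] in body:
                        break
            continue
        if line.startswith(" "):
            if current is not None:
                sections[current].append(line.strip())
        else:
            top.append(line)
            current = line if line.startswith("line ") else None
            if current is not None:
                sections.setdefault(current, [])
    return top, sections


def audit(config):
    """Return sorted finding codes for a config; an empty list means nothing was flagged."""
    top, sections = parse(config)
    findings = set()

    def has(prefix):
        return any(c.startswith(prefix) for c in top)

    if not has("enable secret"):
        findings.add("NO_ENABLE_SECRET")              # only 'enable secret' is a one-way hash
    if has("enable password"):
        findings.add("ENABLE_PASSWORD_PRESENT")       # clear text or reversible type 7
    if any(re.match(r"username \S+ password", c) for c in top):
        findings.add("USERNAME_PASSWORD_NOT_SECRET")  # prefer 'username ... secret' where supported
    if not (has("banner login") or has("banner motd")):
        findings.add("NO_LOGIN_BANNER")
    if not has("ip domain-name"):
        findings.add("NO_DOMAIN_NAME")                # needed before 'crypto key generate rsa'
    if not has("ip ssh time-out"):
        findings.add("SSH_TIMEOUT_DEFAULT")           # 120 s negotiation window by default
    if not has("ip ssh authentication-retries"):
        findings.add("SSH_RETRIES_DEFAULT")           # 3 attempts by default
    for header, cmds in sections.items():
        login = any(c == "login" or c.startswith("login ") for c in cmds)
        if not login:
            findings.add("NO_LOGIN:" + header)
        elif "login local" not in cmds and not any(c.startswith("password") for c in cmds):
            findings.add("LOGIN_WITHOUT_PASSWORD:" + header)   # 'Password required, but none set'
        if header.startswith("line vty"):
            transports = [c for c in cmds if c.startswith("transport input")]
            if not transports or any("telnet" in t or "all" in t for t in transports):
                findings.add("TRANSPORT_NOT_SSH_ONLY:" + header)
            if not any(c.startswith("access-class") for c in cmds):
                findings.add("NO_ACCESS_CLASS:" + header)
    return sorted(findings)


if __name__ == "__main__":
    print("weak    :", audit(WEAK_CONFIG))
    print("hardened:", audit(HARDENED_CONFIG))
```

Run it against "show running-config" output saved to a file (pass the file's text to audit()). The weak sample yields nine findings and the hardened one none; a vty line with no "transport input" at all is deliberately flagged too, because the restriction should be explicit rather than left to the image's default.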
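Added example for the ACCESS CONTROL LISTS outline above (example code, not the notes' own): a Python evaluator that parses standard and extended "access-list" entries, applies wildcard masks, walks the list top-down with first-match semantics and the implicit deny, and runs the vty list from the SSH section plus an anti-spoofing/anti-LAND inbound list against constructed packets. It goes beyond the outline by implementing the general matcher the headings describe. The addresses (192.168.51.0/24 LAN, 203.0.113.1 outside address, 198.51.100.7 admin host) and the packets are constructed for the example; the admin entry uses port 22 where the notes' "Granting Telnet from One Specific Host" would use 23.

```python
"""Standard vs extended Cisco ACLs evaluated against constructed packets.

Models wildcard masks, top-down first-match evaluation and the implicit deny.
Example code; the ACL text, addresses and packets are constructed here.
"""
import re

PORT_NAMES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "smtp": 25, "domain": 53, "www": 80}
ANY = ("0.0.0.0", "255.255.255.255")


def ip_to_int(addr):
    a, b, c, d = (int(x) for x in addr.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 0 bit must equal the base, a 1 bit is 'don't care'."""
    care = ~ip_to_int(wildcard) & 0xFFFFFFFF
    return ((ip_to_int(addr) ^ ip_to_int(base)) & care) == 0


def wildcard_for_prefix(prefix_len):
    """Wildcard for a /prefix_len block, i.e. the inverted subnet mask (/24 -> 0.0.0.255)."""
    w = ~((0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF) & 0xFFFFFFFF
    return ".".join(str((w >> s) & 0xFF) for s in (24, 16, 8, 0))


def _parse_addr(t, i):
    """Consume 'any' | 'host A' | 'A WILDCARD' | 'A' (bare address = host) at t[i]."""
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return (t[i + 1], "0.0.0.0"), i + 2
    if i + 1 < len(t) and re.fullmatch(r"\d+\.\d+\.\d+\.\d+", t[i + 1]):
        return (t[i], t[i + 1]), i + 2
    return (t[i], "0.0.0.0"), i + 1


def parse_acl(text):
    """Parse 'access-list N ...' lines: N <= 99 is standard (source only), else extended."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        number, action = int(t[1]), t[2]
        if action == "remark":
            continue
        if number <= 99:
            src, _ = _parse_addr(t, 3)
            entries.append({"action": action, "proto": "ip", "src": src, "dst": ANY, "dport": None})
            continue
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        dport = None
        if i + 1 < len(t) and t[i] == "eq":        # a trailing 'log' keyword is ignored here
            dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        entries.append({"action": action, "proto": t[3], "src": src, "dst": dst, "dport": dport})
    return entries


def evaluate(entries, pkt):
    """Top-down, first match wins; no match is the implicit 'deny any' -> ('deny', None)."""
    for n, e in enumerate(entries, 1):
        if e["proto"] not in ("ip", pkt["proto"]):
            continue
        if not (wildcard_match(pkt["src"], *e["src"]) and wildcard_match(pkt["dst"], *e["dst"])):
            continue
        if e["dport"] is not None and pkt.get("dport") != e["dport"]:
            continue
        return e["action"], n
    return "deny", None


# Constructed: the vty access-class list from the SSH notes (standard: source only).
ACL_VTY = "access-list 23 permit 192.168.51.45"

# Constructed: inbound list for the outside interface. LAN = 192.168.51.0/24,
# outside address = 203.0.113.1, admin host = 198.51.100.7 (RFC 5737 space).
ACL_OUTSIDE_IN = """
access-list 101 remark anti-spoofing and anti-LAND: our own addresses never arrive from outside
access-list 101 deny ip 192.168.51.0 0.0.0.255 any log
access-list 101 deny ip host 203.0.113.1 any log
access-list 101 deny ip 127.0.0.0 0.255.255.255 any log
access-list 101 remark management from one host only (the notes grant telnet/23 the same way)
access-list 101 permit tcp host 198.51.100.7 host 203.0.113.1 eq 22
access-list 101 permit tcp any 192.168.51.0 0.0.0.255 eq ftp
"""

SAMPLE_PACKETS = {  # constructed packets as seen inbound on the outside interface
    "spoofed_lan_source": {"proto": "tcp", "src": "192.168.51.77", "dst": "203.0.113.1", "dport": 80},
    "land": {"proto": "tcp", "src": "203.0.113.1", "dst": "203.0.113.1", "dport": 139},
    "admin_ssh": {"proto": "tcp", "src": "198.51.100.7", "dst": "203.0.113.1", "dport": 22},
    "admin_telnet": {"proto": "tcp", "src": "198.51.100.7", "dst": "203.0.113.1", "dport": 23},
    "ftp_to_lan": {"proto": "tcp", "src": "198.51.100.99", "dst": "192.168.51.10", "dport": 21},
    "udp_21_to_lan": {"proto": "udp", "src": "198.51.100.99", "dst": "192.168.51.10", "dport": 21},
}


def run_samples():
    """Return {packet name: (action, matching entry number or None for the implicit deny)}."""
    acl = parse_acl(ACL_OUTSIDE_IN)
    return {name: evaluate(acl, pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for name, (action, n) in run_samples().items():
        print(f"{name:20s} -> {action:6s} (entry {n if n else 'implicit deny'})")
```

The telnet and UDP samples fall off the end of the list and are dropped by the implicit deny, which is why a list that only contains permits still blocks everything it does not mention; the spoofed and LAND packets are caught by the deny entries placed before any permit, and "log" on those entries is what feeds the "Anti-spoofing Logging" item in the outline.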