Showing posts with label Cisco. Show all posts

Friday, March 21, 2008

GNS3 - Cisco Virtual Lab with Dynamips, Dynagen, Idle-PC, PEmu

GNS3 - Graphical Network Simulator - is a Cisco router and firewall simulator based on ns 3 and Dynamips for Windows, Linux, UNIX and MacOS systems.

It contains a complete Cisco lab solution, including Dynamips, Dynagen, Idle-PC, PixEMU and a graphical design tool.



It can be used to build home labs, to train for the CCNA, CCNP, CCIP or CCIE certifications, or to test configurations.

Tuesday, March 04, 2008

VPNC - Open Source client for Cisco VPN Concentrator

Got an ASA, a PIX or some other VPN Concentrator (or even a Juniper NetScreen)? Well, you'll run into some trouble sooner or later. The Cisco VPN Client doesn't support 64-bit Windows or x86 Solaris clients, and is just a pain to use on Linux.

VPNC doesn't require any kernel modules. Just put the IPSec gateway IP, IPSec ID, IPSec secret and XAuth username into /etc/vpnc/default.conf and start vpnc. It should work instantly :-). No fuss, no mess. Since that file holds the group secret in clear text, keep it readable by root only.

It will work just fine on Solaris, Linux, MacOS X or BSD machines. You can even get it running on your Windows box (Cygwin libs).

Friday, February 29, 2008

Fake Cisco gear

Those industrious Chinese...

http://www.andovercg.com/services/cisco-counterfeit-wic-1dsu-t1.shtml

Solaris, Serial Consoles, Cisco Firewalls and TFTP

Using a serial console + tftp server on Solaris:

% screen /dev/term/b 9600
or
% cu -s 9600 -l /dev/term/b
or
% tip hardwire
Where you have hardwire defined in /etc/remote:
hardwire:\
:dv=/dev/term/b:br#9600:el=^C^S^Q^U^D:ie=%$:oe=^D:

Configuring a TFTP server in Solaris 10 (append the inetd entry with >>; a single > would wipe the rest of /etc/inetd.conf):

# mkdir /tftpboot
# echo "tftp dgram udp6 wait root /usr/sbin/in.tftpd in.tftpd -s /tftpboot" >> /etc/inetd.conf
# /usr/sbin/inetconv
# svcs network/tftp/udp6
# svcadm restart network/tftp/udp6
Now we can drop the new images into /tftpboot and upgrade our firewall :-). Keep in mind that in.tftpd hands those files to anyone who can reach UDP port 69, with no authentication, so disable the service again (svcadm disable network/tftp/udp6) once the upgrade is done.

# copy tftp: flash:
Address or name of remote host []? 192.168.21.35
Source filename []? asa803-k8.bin
Destination filename [asa803-k8.bin]?
Accessing tftp://192.168.21.35/asa803-k8.bin
14635008 bytes copied in 32.260 secs (457344 bytes/sec)

# copy tftp: flash:
Address or name of remote host [192.168.21.35]?
Source filename [asa803-k8.bin]? asdm-603.bin
Destination filename [asdm-603.bin]?
Accessing tftp://192.168.21.35/asdm-603.bin

Tuesday, November 27, 2007

Cracking Cisco type 7 and type 5 PIX passwords with Cain and Abel

Number one reason you shouldn't paste your Cisco configs or password hashes on the Internet:

Cisco's PIX password "encryption" is a base64-encoded MD5 hash computed in a single MD5 update, with no salt or anything else. Because there is no salt, precomputed rainbow tables can be used to speed up cracking.

Simple hashes like:

enable password RLPMUQ26KL4blgFN encrypted

get cracked instantly (this one is "1234").

Also, note that MD5 has known weaknesses in the algorithm that may allow for more complex password cracking attacks.

Also, a "type 7" password is pretty much useless, since it is reversible obfuscation rather than a hash and gets cracked instantly. People can just use simple tools such as Cain and Abel, or SolarWinds Router Password Decryption, to reverse the crypto on type 7 passwords:


someuser privilege 0 password 7 06351A3149085123301517391C501918

IOS type 5 passwords (salted MD5 using 1000 rounds, i.e. md5crypt) are more complex and harder to crack, but you still shouldn't paste your hashes for everyone to see... Remember, even with type 5 passwords, you're still vulnerable to dictionary attacks, hybrid attacks, rainbow table attacks (PIX only), lookups in MD5 hash repositories, or plain old password guessing.

If you're going to paste your config files anywhere, use the "show tech-support" command available in newer IOS versions. It gives more info, and strips confidential information such as password hashes.
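An added example, not from the original post: a small Python audit that flags the credential lines discussed above (PIX encrypted, type 7, type 5, plaintext and SNMP community strings) and redacts them the way show tech-support does before a config is pasted anywhere. The sample config is constructed (the two hashes are the ones quoted above; the type 5 value is a placeholder, not a real md5crypt hash).

```python
import re

# First matching rule wins, so the specific credential forms come before the
# generic plaintext one. Categories note how weak each storage type is.
RULES = [
    ("type 7: reversible obfuscation, decodes instantly",
     re.compile(r"^(?P<pre>.*\bpassword\s+7\s+)(?P<secret>[0-9A-Fa-f]+)(?P<post>.*)$")),
    ("PIX encrypted: unsalted single-round MD5",
     re.compile(r"^(?P<pre>\s*enable\s+password\s+)(?P<secret>\S+)(?P<post>\s+encrypted\s*)$")),
    ("type 5: salted md5crypt, still open to dictionary attacks",
     re.compile(r"^(?P<pre>.*\bsecret\s+5\s+)(?P<secret>\$1\$\S+)(?P<post>.*)$")),
    ("type 0: plaintext",
     re.compile(r"^(?P<pre>.*\bpassword\s+(?:0\s+)?)(?P<secret>(?![57]\s)\S+)(?P<post>\s*)$")),
    ("SNMP community string",
     re.compile(r"^(?P<pre>\s*snmp-server\s+community\s+)(?P<secret>\S+)(?P<post>.*)$")),
]

# Constructed sample config: the first two credentials are the ones quoted on
# this page, the type 5 value is a placeholder, not a real md5crypt hash.
SAMPLE_CONFIG = """\
hostname pix-demo
enable password RLPMUQ26KL4blgFN encrypted
username someuser privilege 0 password 7 06351A3149085123301517391C501918
username admin secret 5 $1$saltsalt$PLACEHOLDERhashvalue12
username guest password 0 letmein
snmp-server community public RO
"""

def classify(line):
    """Return (category, match) if the line carries a credential, else None."""
    for category, rx in RULES:
        m = rx.match(line)
        if m:
            return category, m
    return None

def audit(config):
    """List (line_number, category) for every credential in the config."""
    hits = [(n, classify(line)) for n, line in enumerate(config.splitlines(), 1)]
    return [(n, hit[0]) for n, hit in hits if hit]

def redact_line(line):
    hit = classify(line)
    return hit[1]["pre"] + "<removed>" + hit[1]["post"] if hit else line

def redact(config):
    """Replace every credential with <removed>, as 'show tech-support' does,
    so the result is safe to paste in a forum or a bug report."""
    return "\n".join(redact_line(line) for line in config.splitlines()) + "\n"
```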


You can even use decrypt.pl, a neat little Perl script, to instantly decrypt type 7 passwords:

#!/usr/bin/perl -w
# $Id: ios7decrypt.pl,v 1.1 1998/01/11 21:31:12 mesrik Exp $
#
# Credits for original code and description hobbit@avian.org,
# SPHiXe, .mudge et al. and for John Bashinski
# for Cisco IOS password encryption facts.
#
# Use for any malice or illegal purposes strictly prohibited!
#

# Fixed XOR key stream used by the IOS "type 7" obfuscation.
@xlat = ( 0x64, 0x73, 0x66, 0x64, 0x3b, 0x6b, 0x66, 0x6f, 0x41,
          0x2c, 0x2e, 0x69, 0x79, 0x65, 0x77, 0x72, 0x6b, 0x6c,
          0x64, 0x4a, 0x4b, 0x44, 0x48, 0x53, 0x55, 0x42 );

# Read a config from stdin (or the files named on the command line),
# replace each "password 7 <hex>" / "md5 7 <hex>" with its cleartext, print.
while (<>) {
    if (/(password|md5)\s+7\s+([\da-f]+)/io) {
        if (!(length($2) & 1)) {          # the hex string must have even length
            $ep = $2; $dp = "";
            # the first two digits are the starting offset into @xlat, the
            # rest is the password XORed byte by byte with the key stream
            ($s, $e) = ($2 =~ /^(..)(.+)/o);
            for ($i = 0; $i < length($e); $i += 2) {
                $dp .= sprintf "%c", hex(substr($e, $i, 2)) ^ $xlat[$s++];
            }
            s/7\s+$ep/$dp/;
        }
    }
    print;
}

Sunday, October 28, 2007

Detecting ARP spoofing with Arpwatch.

ARP spoofing or ARP poisoning is a problem on most networks, and can be difficult to mitigate, short of having switches with ARP security or Dynamic ARP Inspection.

Also, having an attacker (or a clueless user) deploy a DHCP server on your network can be devastating. DHCP Snooping on Cisco Catalyst switches can help against that.

Arpwatch is a free (open source, BSD licensed) tool that monitors Ethernet ARP activity using pcap(3), keeps a database of Ethernet/IP address pairings and reports changes via email.

Arpwatch runs on all major UNIX (Solaris, OpenServer, UnixWare) and UNIX-like platforms (BSDs, Linux and such).

You can download the current version from:

ftp://ftp.ee.lbl.gov/arpwatch.tar.gz
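As an added example (not from the original post or from the arpwatch project), the following Python script reads arpwatch's syslog reports and separates a one-off address change from the rapid flip-flopping between two MACs that a poisoner fighting the real host produces. The log lines are constructed, in the "event ip new-mac (old-mac)" form arpwatch logs; the 10-minute window and the 3-change threshold are assumptions to tune for your network.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog lines in the form arpwatch reports them:
# "<event> <ip> <new mac> (<old mac>) <interface>"; "new station" has no old MAC.
SAMPLE_LOG = """\
Oct 28 10:00:01 sensor arpwatch: new station 192.168.1.20 0:16:3e:aa:bb:cc eth0
Oct 28 10:05:12 sensor arpwatch: changed ethernet address 192.168.1.1 0:16:3e:de:ad:be (0:1:2:3:4:5) eth0
Oct 28 10:05:40 sensor arpwatch: flip flop 192.168.1.1 0:1:2:3:4:5 (0:16:3e:de:ad:be) eth0
Oct 28 10:06:02 sensor arpwatch: flip flop 192.168.1.1 0:16:3e:de:ad:be (0:1:2:3:4:5) eth0
Oct 28 14:30:00 sensor arpwatch: changed ethernet address 192.168.1.57 0:16:3e:11:22:33 (0:16:3e:44:55:66) eth0
"""

LINE_RX = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+arpwatch: "
    r"(?P<event>new station|changed ethernet address|flip flop) "
    r"(?P<ip>\S+) (?P<mac>\S+)(?: \((?P<old>\S+)\))?")

def parse_ts(text):
    # Syslog timestamps carry no year; any fixed year will do for intervals.
    return datetime.strptime("2007 " + text, "%Y %b %d %H:%M:%S")

def analyze(lines, window=timedelta(minutes=10), min_changes=3):
    """Map each IP whose MAC changed to (verdict, set of MACs involved).

    An IP bouncing between MACs several times inside `window` is the classic
    signature of a poisoner fighting the real host for the address; a lone
    change is usually a DHCP reassignment or a NIC swap and only needs a check."""
    changes = defaultdict(list)
    for line in lines:
        m = LINE_RX.match(line)
        if m and m["old"]:                       # only events replacing a known MAC
            changes[m["ip"]].append((parse_ts(m["ts"]), m["mac"], m["old"]))
    verdicts = {}
    for ip, events in changes.items():
        events.sort()
        macs = {mac for _, new, old in events for mac in (new, old)}
        burst = 1
        for t_end, _, _ in events:
            # number of changes in the trailing window that ends at this event
            burst = max(burst, sum(1 for t, _, _ in events if t_end - window <= t <= t_end))
        verdicts[ip] = ("likely ARP spoofing" if burst >= min_changes
                        else "isolated change, verify", macs)
    return verdicts
```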

Wednesday, October 17, 2007

Cisco ASA issues: Configuration line too long

When trying to write the configuration to startup-config, or when doing something like copying the running-config to a file or a remote system (tftp and the like), an error like "Configuration line too long" might occur.

When you issue a command that uses the running-config, like:

# copy running-config startup-config
# wr

or anything else that uses the running config, a similar error could occur:

# wr
Cryptochecksum: deadbeef cafebabe feedface %Error
reading system:/running-config (Configuration line too long
Error executing command [FAILED]


This is actually a bug in version 7.2(1)25 or greater (this includes 7.2(2)) of the firewall software.

It is caused by "snmp-server" commands. One workaround is to remove such lines and add them back later (that might "trick" it). Not all "snmp-server" lines seem to trigger it, so remove them one at a time, do a wr, and see if it works.

Another workaround is to downgrade to something pre-7.2(1)25, or to upgrade to anything more recent than 7.2(2.2) or 8.0(0.141).

Either way, it can be a time-consuming issue and, although it's supposed to be a corner case, it has already happened to me on several occasions... and it took me a while to shotgun-debug my way to the offending line. As you can probably guess, it's NOT the longest line that causes the issue; in fact, it was one of the shorter lines, so it took a while to realize it's caused by the "snmp-server" lines. This was later confirmed by the Cisco bug database.