#84 No SSH & Other Vulnerabilities
We started out talking about Dorothy’s Cisco switch configuration. It quickly morphed into a conversation about vulnerabilities. It turns out that the switch doesn’t support ssh. It could also have other vulnerabilities. Think of this conversation as a quick risk assessment.
Rather than jumping up and down about possible security issues, we evaluate the situation. Sometimes things aren’t as bad as you think they are.
CISCO SWITCH CONFIG
For security reasons some items have been changed
Some configurations don’t apply to a new switch
The command “show version” will show you the IOS version you have
An IOS image with “k9” should include cryptography and ssh
If the command “crypto” doesn’t work, that’s another sign that ssh isn’t available
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
no service dhcp
!
hostname csw1-dorothy-anc
!
enable secret 5 $1$gYsv$9KLiTeTyFWw1vSyIgK4Gh0
!
username monkey privilege 15 secret 5 $1$MxT5$ocBdeTNt4V.3rlEngmgIy1
aaa new-model
aaa authentication login default local
aaa authorization exec default local
!
aaa session-id common
system mtu routing 1500
ip subnet-zero
ip routing
no ip domain-lookup
ip domain-name magicunicorn.lan
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet0/1
 switchport mode access
!
interface FastEthernet0/2
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/7
!
interface FastEthernet0/8
 switchport access vlan 2
 switchport mode access
!
interface GigabitEthernet0/1
!
interface Vlan1
 ip address 192.168.1.2 255.255.255.0
!
interface Vlan2
 ip address 192.168.2.1 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.1
no ip http server
!
no cdp run
radius-server source-ports 1645-1646
!
control-plane
!
banner login ^C
Dorothy Louderback's System
This system is for authorized users only. Individuals accessing or using this computer system without authority or in excess of their authority, are subject to having all of their activities on this system monitored and recorded by systems personnel. In the course of monitoring individuals improperly accessing or using this system, or in the course of system maintenance the activities of authorized users may also be monitored.
Anyone accessing this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity, systems personnel may provide evidence to law enforcement officials.
^C
!
line con 0
 logging synchronous
line vty 5 15
!
end
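The notes above do the risk assessment by eye: check the IOS image for “k9”, try “crypto”, read the config. The script below is an added example (not from the episode and not a Cisco tool) that does the same read-through of a running-config automatically. It parses the config into top-level commands with their indented children and reports the management-plane points discussed here: whether the VTY lines are restricted to ssh, whether the SSH prerequisite `ip domain-name` is set, and whether the `enable` and `username` secrets use the older type 5 (salted MD5) hash rather than type 8 or 9. The embedded config is an excerpt of the one on this page with the per-port interface stanzas and the banner left out; the check names and wording are this example’s own.

```python
"""Static audit of a Cisco IOS running-config for the management-plane points
discussed above: VTY exposure, SSH prerequisites and secret hash types.
Example code written for this page; it is not a Cisco or vendor tool."""
import re

# Excerpt of the switch config shown on the page (per-port interface stanzas
# and the login banner omitted to keep the sample short).
SAMPLE_CONFIG = """\
service password-encryption
!
hostname csw1-dorothy-anc
!
enable secret 5 $1$gYsv$9KLiTeTyFWw1vSyIgK4Gh0
!
username monkey privilege 15 secret 5 $1$MxT5$ocBdeTNt4V.3rlEngmgIy1
aaa new-model
aaa authentication login default local
ip domain-name magicunicorn.lan
!
interface Vlan1
 ip address 192.168.1.2 255.255.255.0
!
no ip http server
!
no cdp run
!
line con 0
 logging synchronous
line vty 5 15
!
end
"""

# IOS secret types that are no longer recommended where type 8/9 is available.
WEAK_SECRET_TYPES = {"4": "unsalted SHA-256, deprecated", "5": "salted MD5"}

# Matches "enable secret 5 <hash>", "username bob password 7 <x>", etc.
CRED_RE = re.compile(
    r"^(enable|username \S+(?: privilege \d+)?) (secret|password)(?: (\d))? (\S+)$"
)


def parse_blocks(text):
    """Group a running-config into (top-level command, [indented children])."""
    blocks = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "!":
            continue  # blank lines and section separators
        if line[0] in " \t" and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks


def audit_ios_config(text):
    """Return a list of human-readable findings for the given config text."""
    blocks = parse_blocks(text)
    top = [cmd for cmd, _ in blocks]
    findings = []

    def present(prefix):
        return any(c == prefix or c.startswith(prefix + " ") for c in top)

    # SSH prerequisites: RSA key generation needs a domain name; v2 should be pinned.
    if not present("ip domain-name"):
        findings.append("ip domain-name missing: 'crypto key generate rsa' needs it")
    if not present("ip ssh version 2"):
        findings.append("ip ssh version 2 not set: SSHv1 may be negotiated if SSH is available")

    # VTY lines: telnet is accepted unless transport input is restricted to ssh.
    for cmd, children in blocks:
        if cmd.startswith("line vty"):
            if "transport input ssh" not in children:
                findings.append(f"{cmd}: transport input not restricted to ssh")
            if not any(c.startswith("access-class ") for c in children):
                findings.append(f"{cmd}: no access-class limiting management sources")
            if not any(c.startswith("exec-timeout ") for c in children):
                findings.append(f"{cmd}: no exec-timeout")

    # Credential storage: 'password' is reversible/cleartext; secret types 4/5 are weak.
    for cmd in top:
        m = CRED_RE.match(cmd)
        if not m:
            continue
        who, kind, ptype, _value = m.groups()
        if kind == "password":
            how = "reversible type 7" if ptype == "7" else "cleartext"
            findings.append(f"{who}: uses 'password' ({how}); use 'secret' type 8 or 9")
        elif ptype in WEAK_SECRET_TYPES:
            findings.append(
                f"{who}: secret type {ptype} ({WEAK_SECRET_TYPES[ptype]}); "
                "prefer type 8 or 9 if the IOS supports it"
            )

    # Hardening lines this config already has; report if any are absent.
    for wanted, why in [
        ("service password-encryption", "obfuscation of plaintext 'password' lines"),
        ("aaa new-model", "AAA-based login control on the lines"),
        ("no ip http server", "HTTP management interface disabled"),
        ("no cdp run", "CDP disabled; it advertises platform and IOS details"),
    ]:
        if wanted not in top:
            findings.append(f"{wanted} missing: expected for {why}")
    return findings


if __name__ == "__main__":
    for finding in audit_ios_config(SAMPLE_CONFIG):
        print("-", finding)
```

Run against the excerpt, the script confirms what the conversation concluded: the hardening basics (`no ip http server`, `no cdp run`, `aaa new-model`, `service password-encryption`) are there, the domain name is set so keys could be generated if the image supported it, and the remaining findings are the VTY line without `transport input ssh` and the two type 5 secrets. Whether those are worth acting on is the risk assessment the episode describes, not something the script decides.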