#84 No SSH & Other Vulnerabilities


We started out talking about Dorothy’s Cisco switch configuration. It quickly morphed into a conversation about vulnerabilities. It turns out that the switch doesn’t support ssh. It could also have other vulnerabilities. Think of this conversation as a quick risk assessment.

Rather than jumping up and down about possible security issues, we evaluate the situation. Sometimes things aren’t as bad as you think they are.

CISCO SWITCH CONFIG

  1. For security reasons some items have been changed

  2. Some configurations don’t apply to a new switch

  3. The command “show version” will show you the IOS version you have

  4. An IOS image with “k9” should include cryptography and ssh

  5. If the command “crypto” doesn’t work, that’s another sign that ssh isn’t available


no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
no service dhcp
!
hostname csw1-dorothy-anc
!
enable secret 5 $1$gYsv$9KLiTeTyFWw1vSyIgK4Gh0
!
username monkey privilege 15 secret 5 $1$MxT5$ocBdeTNt4V.3rlEngmgIy1
aaa new-model
aaa authentication login default local
aaa authorization exec default local
!
aaa session-id common
system mtu routing 1500
ip subnet-zero
ip routing
no ip domain-lookup
ip domain-name magicunicorn.lan
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet0/1
 switchport mode access
!
interface FastEthernet0/2
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/7
!
interface FastEthernet0/8
 switchport access vlan 2
 switchport mode access
!
interface GigabitEthernet0/1
!
interface Vlan1
 ip address 192.168.1.2 255.255.255.0
!
interface Vlan2
 ip address 192.168.2.1 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.1
no ip http server
!
no cdp run
radius-server source-ports 1645-1646
!
control-plane
!
banner login ^C
Dorothy Louderback's System

This system is for authorized users only.
Individuals accessing or using this computer system
without authority or in excess of their authority,
are subject to having all of their activities on this
system monitored and recorded by systems personnel.
In the course of monitoring individuals improperly
accessing or using this system,
or in the course of system maintenance the activities
of authorized users may also be monitored.

Anyone accessing this system expressly consents to
such monitoring and is advised that if such monitoring
reveals possible evidence of criminal activity,
systems personnel may provide evidence to law enforcement officials. ^C
!
line con 0
 logging synchronous
line vty 5 15
!
end
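As an added example (not from the show, and not Dorothy's own tooling), here is a small Python audit that applies the checklist above: the “k9” image-name heuristic, and a scan of a config dump for the settings that decide whether remote access is SSH-only. The sample config is a constructed excerpt modelled on the one above, with the hashes replaced by placeholders.

```python
import re

# Constructed excerpt modelled on the switch config above (hash is a placeholder).
SAMPLE_CONFIG = """\
service password-encryption
enable secret 5 $1$xxxx$PLACEHOLDERPLACEHOLDERXXX
ip domain-name magicunicorn.lan
no ip http server
no cdp run
line con 0
 logging synchronous
line vty 5 15
!
end
"""

def image_has_crypto(image_name):
    """Checklist item 4: a 'k9' feature set in the IOS image name implies crypto/SSH."""
    return "k9" in image_name.lower()

def audit_config(config):
    """Return a list of findings for the SSH / remote-access checks."""
    findings = []
    text = "\n".join(line.rstrip() for line in config.splitlines())
    if not re.search(r"^ip domain-name ", text, re.M):
        findings.append("no ip domain-name: RSA key generation for SSH needs one")
    if not re.search(r"^crypto key", text, re.M):
        findings.append("no RSA key in config: SSH is not enabled")
    # Walk each 'line vty' block (indented lines that follow it) and check transport.
    for m in re.finditer(r"^line vty (\d+)(?: (\d+))?\n((?: .*\n)*)", text, re.M):
        rng = f"{m.group(1)} {m.group(2)}" if m.group(2) else m.group(1)
        if "transport input ssh" not in m.group(3):
            findings.append(f"line vty {rng}: transport input not restricted to ssh")
    if re.search(r"^enable password ", text, re.M):
        findings.append("enable password present: use enable secret instead")
    if "service password-encryption" not in text:
        findings.append("service password-encryption missing")
    if not re.search(r"^no ip http server", text, re.M):
        findings.append("ip http server not disabled")
    return findings

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print("FINDING:", f)
```

Run against the sample, it reports only the two SSH-related gaps (no RSA key, vty transport not restricted), which matches the conclusion of the conversation: the rest of the config is in reasonable shape.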

Damien Hull