IOS Crash Analysis and Rootkit Wiki


Show Commands

Almost all information gathering on IOS is done by issuing show commands. Below is a list of commands that help determine the supposed state of the router.
Warning: The output of show commands does not always reflect the true state of the router, and even where it does, it only reflects what the queried data structures contain. Code that hooks the show command path or edits those structures will not be visible here, so this alone is not enough to determine whether a router was compromised.

show version

Before doing anything else, check which version you are running. The version not only tells you how likely exploitation is (older images carry more known vulnerabilities) but also which features an attacker might have used (e.g. TCL). The same output reports the uptime and the reason for the last restart ("System returned to ROM by ..."), which you will need when judging whether the device has been restarting unexpectedly.

show clock detail

Check that the system time and timezone are correct; log timestamps can only be correlated with other sources if they are.

show running-config

Inspect the running configuration. This is extremely important, as it tells you everything about what the router is supposed to be doing right now. It also contains all configured authentication mechanisms (local users, AAA, line passwords), so an added local user or a changed login method can be spotted. Compare it with the startup configuration: differences show what was changed since the last write memory, including changes an attacker chose not to save.

show startup-config

Inspect the startup configuration. It is stored in NVRAM and loaded when the router boots. It may contain boot system statements pointing to a remotely located IOS image (e.g. via TFTP), which is a strong indication of a backdoored router, and it may differ from the running configuration if an attacker changed one but not the other.
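As an added example (not part of the original wiki page), the following Python script performs the running-config versus startup-config checks described above on saved show output: it lists local users and their credential types, flags boot system statements that load an image from another host, and reports lines present in only one of the two configurations. The two configurations embedded in the script are constructed samples; the hostname, usernames, image name, host address and hash value are placeholders, not data from any real device.

```python
import sys
from typing import Dict, List, Set, Tuple

# Constructed sample configs (not from a real device). The running config carries an
# extra local user that was never saved; the startup config boots a remote image.
RUNNING_CONFIG = """\
version 12.4
hostname edge-rtr
boot-start-marker
boot system flash:c2800nm-adventerprisek9-mz.124-15.T.bin
boot-end-marker
username admin privilege 15 secret 5 $1$XXXX$placeholderhashvalue000000
username svc_backup privilege 15 password 7 0822455D0A16
ip ssh version 2
line vty 0 4
 login local
 transport input ssh
end
"""

STARTUP_CONFIG = """\
version 12.4
hostname edge-rtr
boot-start-marker
boot system tftp c2800nm-adventerprisek9-mz.124-15.T.bin 198.51.100.7
boot-end-marker
username admin privilege 15 secret 5 $1$XXXX$placeholderhashvalue000000
ip ssh version 2
line vty 0 4
 login local
 transport input ssh
end
"""

REMOTE_BOOT = ("tftp", "ftp", "rcp", "mop")  # boot sources served by another host


def local_users(config: str) -> Dict[str, dict]:
    """Map each 'username' line to its privilege level and credential type."""
    users: Dict[str, dict] = {}
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 2 or tok[0] != "username":
            continue
        info = {"privilege": 1, "method": None, "type": None}
        for i, t in enumerate(tok[2:], start=2):
            if t == "privilege" and i + 1 < len(tok):
                info["privilege"] = int(tok[i + 1])
            elif t in ("secret", "password") and i + 1 < len(tok):
                info["method"] = t          # 'secret' = one-way hash, 'password' = clear or reversible
                info["type"] = tok[i + 1]   # 0 clear, 5 MD5, 7 reversible Vigenere, 8/9 on newer IOS
        users[tok[1]] = info
    return users


def remote_boot_lines(config: str) -> List[str]:
    """'boot system' statements that load the image from another host."""
    hits = []
    for line in config.splitlines():
        tok = line.split()
        if tok[:2] == ["boot", "system"] and len(tok) > 2 and tok[2].lower().startswith(REMOTE_BOOT):
            hits.append(line.strip())
    return hits


def significant(config: str) -> Set[str]:
    """Config lines worth comparing: non-empty and not comment/separator lines."""
    return {l.rstrip() for l in config.splitlines() if l.strip() and not l.lstrip().startswith("!")}


def config_diff(running: str, startup: str) -> Tuple[List[str], List[str]]:
    """Lines only in running (unsaved changes) and only in startup (changes for the next boot)."""
    r, s = significant(running), significant(startup)
    return sorted(r - s), sorted(s - r)


def triage(running: str, startup: str) -> List[str]:
    findings = []
    run_users, start_users = local_users(running), local_users(startup)
    for name, info in run_users.items():
        if name not in start_users:
            findings.append(f"user {name} exists in running-config only (never saved)")
        if info["method"] == "password" and info["type"] == "7":
            findings.append(f"user {name} uses a reversible type 7 password")
    for name in start_users:
        if name not in run_users:
            findings.append(f"user {name} exists in startup-config only (active after next reload)")
    for label, cfg in (("running", running), ("startup", startup)):
        for line in remote_boot_lines(cfg):
            findings.append(f"{label}-config boots a remote image: {line}")
    only_run, only_start = config_diff(running, startup)
    if only_run or only_start:
        findings.append(f"configs differ: {len(only_run)} line(s) only in running, {len(only_start)} only in startup")
    return findings


if __name__ == "__main__":
    # Usage: python ios_config_triage.py running.txt startup.txt (text saved from the show commands)
    if len(sys.argv) == 3:
        run, start = open(sys.argv[1]).read(), open(sys.argv[2]).read()
    else:
        run, start = RUNNING_CONFIG, STARTUP_CONFIG
    for f in triage(run, start):
        print("-", f)
```

The line comparison is deliberately order-insensitive so that a reordered section does not drown the real differences; for a full positional diff, feed the two saved files to diff after this first pass.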

show reload

Shows whether a reload is scheduled on the device (reload in / reload at) and the reason given for it; the time and cause of the last restart are reported by show version. Frequent or unexplained restarts are a strong indication of interference with the device's operation (for example an unstable implant, or reloads used to activate a changed image or configuration), and the cause of each restart should be investigated.

show ip route

Displays the currently active IP routes of the device. This list may in some cases be incomplete or inaccurate. Additional entries, static or dynamic, may have been added by an attacker. Route injection attacks against interior routing protocols (forged updates sent to a protocol running without authentication) are very old but still common in interior routing environments. Look for unexpected next hops, more specific prefixes that override legitimate ones, and default routes you did not configure.

show ip arp

The ARP table must be inspected for unexpected entries. ARP spoofing is one of the most common local-link attack methods still in use. By answering ARP requests for another host's address, a locally connected (Layer 2) system can redirect traffic around the router's ACLs and may have used that position to carry out a more advanced attack. Look for one hardware address bound to several IP addresses, and for entries whose hardware address differs from an earlier snapshot of the same table.
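As an added example (not part of the original wiki page), this Python script parses saved show ip arp output and applies the two checks just described: one hardware address claiming several IP addresses on the same interface, and addresses whose hardware address changed between a baseline snapshot and the current one. Both ARP tables below are constructed samples; the addresses, hardware addresses and interface names are placeholders.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed samples in the layout of "show ip arp" (not from a real device).
# In CURRENT_ARP, the host that owned 00aa.bbcc.dd01 now also answers for 10.0.0.20
# and 10.0.0.30, and one lookup is still unanswered (Incomplete).
BASELINE_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.0.0.1                -   0011.2233.4455  ARPA   GigabitEthernet0/0
Internet  10.0.0.10               5   00aa.bbcc.dd01  ARPA   GigabitEthernet0/0
Internet  10.0.0.20              12   00aa.bbcc.dd02  ARPA   GigabitEthernet0/0
Internet  10.0.0.30               7   00aa.bbcc.dd03  ARPA   GigabitEthernet0/0
Internet  10.0.1.1                -   0011.2233.4466  ARPA   GigabitEthernet0/1
Internet  10.0.1.50               3   00aa.bbcc.ee01  ARPA   GigabitEthernet0/1
"""

CURRENT_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.0.0.1                -   0011.2233.4455  ARPA   GigabitEthernet0/0
Internet  10.0.0.10               9   00aa.bbcc.dd01  ARPA   GigabitEthernet0/0
Internet  10.0.0.20               0   00aa.bbcc.dd01  ARPA   GigabitEthernet0/0
Internet  10.0.0.30               1   00aa.bbcc.dd01  ARPA   GigabitEthernet0/0
Internet  10.0.0.99               0   Incomplete      ARPA
Internet  10.0.1.1                -   0011.2233.4466  ARPA   GigabitEthernet0/1
Internet  10.0.1.50               7   00aa.bbcc.ee01  ARPA   GigabitEthernet0/1
"""

# Data rows: address, age, hardware address, type, and (except for Incomplete rows) interface.
ARP_ROW_RE = re.compile(r"^Internet\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_show_ip_arp(text: str) -> List[dict]:
    entries = []
    for line in text.splitlines():
        m = ARP_ROW_RE.match(line.strip())
        if not m:
            continue
        ip, age, mac, typ, iface = m.groups()
        entries.append({
            "ip": ip,
            "age": None if age == "-" else int(age),   # "-" marks the router's own addresses
            "mac": mac.lower(),                       # "incomplete" for unanswered requests
            "type": typ,
            "interface": iface,                       # None on Incomplete rows
        })
    return entries


def shared_macs(entries: List[dict]) -> Dict[Tuple[Optional[str], str], List[str]]:
    """Hardware addresses that answer for more than one IP on the same interface.

    A lead, not a verdict: a NAT box, a hypervisor host or a proxy-ARP device
    legitimately produces the same pattern, so compare against what you expect
    to be on that segment."""
    by_mac: Dict[Tuple[Optional[str], str], List[str]] = defaultdict(list)
    for e in entries:
        if e["mac"] == "incomplete" or e["age"] is None:
            continue
        by_mac[(e["interface"], e["mac"])].append(e["ip"])
    return {k: ips for k, ips in by_mac.items() if len(ips) > 1}


def mac_changes(baseline: List[dict], current: List[dict]) -> List[Tuple[str, str, str]]:
    """(ip, old_mac, new_mac) for every address whose hardware address differs from the baseline."""
    base = {e["ip"]: e["mac"] for e in baseline if e["mac"] != "incomplete"}
    changes = []
    for e in current:
        old = base.get(e["ip"])
        if e["mac"] != "incomplete" and old is not None and old != e["mac"]:
            changes.append((e["ip"], old, e["mac"]))
    return changes


if __name__ == "__main__":
    base, cur = parse_show_ip_arp(BASELINE_ARP), parse_show_ip_arp(CURRENT_ARP)
    for (iface, mac), ips in shared_macs(cur).items():
        print(f"{mac} on {iface} answers for {', '.join(ips)}")
    for ip, old, new in mac_changes(base, cur):
        print(f"{ip}: hardware address changed {old} -> {new}")
```

The baseline is the important part: a single snapshot only shows the table as it is now, while a copy saved at install time or from the last known-good state lets you see which bindings moved.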

show users

Displays the users currently logged in to the device. Any session other than your own connection is a must-inspect item: note its line, source address and idle time.

show logging

Displays the logging settings and the contents of the log buffer. This is your first and foremost source of information on the router's recent history, and it also shows where else logs can be found (syslog hosts, console, monitor sessions). Logging that is turned off entirely is suspicious in itself: it is neither the default nor ever recommended.
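As an added example (not part of the original wiki page), this Python script reads saved show logging output, reports the logging status of each destination and the configured syslog hosts, and then runs two simple detections over the buffered messages: a run of %SEC_LOGIN-4-LOGIN_FAILED events followed by a %SEC_LOGIN-5-LOGIN_SUCCESS from the same source, and %SYS-5-CONFIG_I configuration changes made from a source that also appears in those login events. The show logging text embedded below is a constructed sample modelled on IOS 12.x output; the addresses, usernames and timestamps are placeholders.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed sample of "show logging" (not from a real device): console logging off,
# buffer and trap logging on, one syslog host, and a short log buffer.
SHOW_LOGGING = """\
Syslog logging: enabled (0 messages dropped, 0 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)
    Console logging: disabled
    Monitor logging: level debugging, 0 messages logged, xml disabled, filtering disabled
    Buffer logging: level informational, 6 messages logged, xml disabled, filtering disabled
    Logging Exception size (4096 bytes)
    Count and timestamp logging messages: disabled
    Trap logging: level informational, 6 message lines logged
        Logging to 192.0.2.10, 6 message lines logged, xml disabled, filtering disabled

Log Buffer (8192 bytes):

Mar  1 10:02:11.001 UTC: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)
Mar  1 10:20:41.120 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.9] [localport: 22] [Reason: Login Authentication Failed] at 10:20:41 UTC Mon Mar 1 2010
Mar  1 10:20:43.552 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 203.0.113.9] [localport: 22] [Reason: Login Authentication Failed] at 10:20:43 UTC Mon Mar 1 2010
Mar  1 10:20:46.014 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: svc_backup] [Source: 203.0.113.9] [localport: 22] [Reason: Login Authentication Failed] at 10:20:46 UTC Mon Mar 1 2010
Mar  1 10:21:03.300 UTC: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: svc_backup] [Source: 203.0.113.9] [localport: 22] at 10:21:03 UTC Mon Mar 1 2010
Mar  1 10:23:55.781 UTC: %SYS-5-CONFIG_I: Configured from console by svc_backup on vty1 (203.0.113.9)
"""

STATUS_RE = re.compile(r"^\s*(Syslog|Console|Monitor|Buffer|Trap) logging:\s*(enabled|disabled|level\s+\w+)")
HOST_RE = re.compile(r"^\s*Logging to\s+([^,\s]+)")
MSG_RE = re.compile(r"%([A-Z0-9_]+)-(\d)-([A-Z0-9_]+):\s*(.*)$")   # %FACILITY-SEVERITY-MNEMONIC: text
SOURCE_RE = re.compile(r"\[Source:\s*([^\]]+)\]")                   # [Source: a.b.c.d] in login events
CONFIG_SRC_RE = re.compile(r"\((\d+\.\d+\.\d+\.\d+)\)\s*$")         # trailing (a.b.c.d) in CONFIG_I


def parse_logging_status(text: str) -> Dict[str, object]:
    """Per-destination status ('enabled', 'disabled' or 'level <name>') plus syslog hosts."""
    status: Dict[str, object] = {"hosts": []}
    for line in text.splitlines():
        m = STATUS_RE.match(line)
        if m:
            status[m.group(1)] = m.group(2)
        h = HOST_RE.match(line)
        if h:
            status["hosts"].append(h.group(1))
    return status


def parse_log_messages(text: str) -> List[dict]:
    msgs = []
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if m:
            msgs.append({"facility": m.group(1), "severity": int(m.group(2)),
                         "mnemonic": m.group(3), "text": m.group(4)})
    return msgs


def triage(text: str, fail_threshold: int = 3) -> dict:
    status = parse_logging_status(text)
    msgs = parse_log_messages(text)
    findings = []
    if status.get("Syslog") == "disabled":
        findings.append("syslog logging is disabled entirely; neither the default nor recommended")
    if status.get("Buffer") == "disabled":
        findings.append("buffer logging is disabled; no local history to inspect")
    if not status["hosts"]:
        findings.append("no remote syslog host; the volatile buffer is the only record and is lost on reload")
    failed: Counter = Counter()
    succeeded = set()
    config_changes = []
    for m in msgs:
        src = SOURCE_RE.search(m["text"])
        if m["mnemonic"] == "LOGIN_FAILED" and src:
            failed[src.group(1)] += 1
        elif m["mnemonic"] == "LOGIN_SUCCESS" and src:
            succeeded.add(src.group(1))
        elif m["mnemonic"] == "CONFIG_I":
            c = CONFIG_SRC_RE.search(m["text"])
            config_changes.append(c.group(1) if c else "console")
    for src, n in failed.items():
        if n >= fail_threshold and src in succeeded:
            findings.append(f"{n} failed logins followed by a successful login from {src}")
    for src in config_changes:
        if src in failed or src in succeeded:
            findings.append(f"configuration changed from {src}, which also appears in login events")
    return {"status": status, "failed_logins": dict(failed),
            "config_changes": config_changes, "findings": findings}


if __name__ == "__main__":
    result = triage(SHOW_LOGGING)
    print("logging status:", {k: v for k, v in result["status"].items()})
    for f in result["findings"]:
        print("-", f)
```

The buffer is volatile, so a device that was reloaded shows nothing from before the reload; if a syslog host is listed in the status block, pull the same period from that host and compare it with the buffer, since a gap between the two is itself a finding.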

show ip interface


show interfaces


show tcp brief all


show ip sockets


show ip nat translations verbose


show ip cache flow


show ip cef


show snmp user

Powered by ScrewTurn Wiki, provided by Recurity Labs GmbH.