Telnet

All posts tagged Telnet

Imagine you are a network administrator in a large organization with a number of switches and routers. To configure a switch or router at a far-off location, there are two choices. One is to go to the switch or router and configure it in person. This works, but imagine how much trouble it is to go to each and every device to configure it. The second and easier option is remote configuration of the switch or router.

Remote configuration of a switch/router can be done using the Telnet or SSH protocols. But Telnet has a disadvantage: it sends data in plain text. So if you type a username and password to authenticate with the switch from a remote location, they will be sent in plain text and anyone sniffing the network can easily find out your login credentials. This is a big security risk. To overcome this problem, we should use the SSH protocol for remote configuration of the switch or router. SSH works the same way as Telnet but encrypts the communication. This makes it difficult for hackers to detect the credentials. Let’s see how to enable SSH on Cisco routers and switches using IOS. Here I am using a router.

The “conf t” command enables global configuration mode on the switch or router. The “hostname R1” command changes the default name of the router to R1. The SSH protocol uses the name of the router to generate names for the keys, so it is necessary to change the default name of the router. The “ip domain-name shunya.com” command sets the domain name for the router. The domain name is also needed for naming the encryption keys. (shunya.com is a fictional domain name I used; you can use your own domain name.) It’s time to set login credentials on the router. The “username admin password 123456” command sets the username and password to admin and 123456 respectively. The “line vty 0 15” command selects the vty lines from 0 to 15 for line configuration. The “login local” command makes those lines authenticate against the router’s local user database. The “exit” command takes us out of line configuration mode back to global configuration mode. It’s time to generate the SSH keys.

The “crypto key generate rsa” command generates the cryptographic keys using the Rivest-Shamir-Adleman (RSA) algorithm. You will be prompted to enter the number of bits in the modulus. Setting it too low makes the key too easy to crack. Setting it too high makes key generation time-consuming. I set it to 1024.

Let’s look at the information about the SSH protocol we enabled on the router.

The “show ip ssh” command does this. The reason for prepending this command with “do” is that “show ip ssh” is a privileged exec mode command and cannot be executed directly in global configuration mode. We can also see from the information displayed that the authentication timeout has been set to 120 secs and authentication retries are set to three. Let’s change them. The “ip ssh time-out 60” command changes the authentication time-out to 60 secs. The “ip ssh authentication-retries” command is used to change the authentication retries.

Finally, we have to set SSH as the input transport protocol on the vty access lines.

The “line vty 0 15” command selects all the vty lines. The “transport input ssh” command sets SSH as the input transport protocol. The “exit” command, as already said, takes us out of line configuration mode. We have successfully enabled the SSH protocol on our router.

Let’s once again look at the information about the SSH protocol we just enabled, using “do show ip ssh”.

We have seen how to set passwords on Cisco switches or routers here. Of course, setting passwords does add to the security of the device, but there is a small problem. The password is stored in plain text. Anyone who gets access to the switch can easily see all the passwords by typing the command “show running-config” or “show startup-config”. Today we will see how to encrypt passwords on Cisco routers and switches.

Encrypting passwords can further enhance the security of the device. The privileged password can be encrypted by using the command “enable secret” instead of “enable password”. This command should be set from privileged global configuration mode.

Let’s see what we can see when we use the command “show running-config”.

We can see that the password we set has been encrypted. But what about the other passwords? The console, auxiliary and vty line passwords cannot be encrypted even if we use the “enable secret” command. To encrypt those passwords, we have to use another command, “service password-encryption”, as shown below.

This command will encrypt all the passwords stored in plain text on the device.
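The points from the SSH and password-encryption walkthroughs above can be checked mechanically against a saved configuration. The following is an added example, not part of the original posts: the sample configuration is constructed, and the function name audit_config and the finding texts are made up for illustration.

```python
import re

# Constructed sample running-config, written for this example.
SAMPLE_CONFIG = """\
enable password 123456
username admin password 0 123456
line con 0
 password 123456
 login
line vty 0 4
 login local
 transport input telnet ssh
line vty 5 15
 login local
 transport input ssh
"""

# Matches "password <text>" and "password <type> <text>" (type 0 or 7).
PASSWORD_RE = re.compile(r"\bpassword (?:([07]) )?\S+$")

def audit_config(text):
    """Return (section, finding) tuples for weaknesses in a running-config."""
    findings = []
    section = "global"
    vty_transport = {}  # "line vty ..." header -> protocols allowed, None if unset
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw.startswith(" "):  # an unindented line starts a new section
            section = line if line.startswith("line ") else "global"
            if line.startswith("line vty"):
                vty_transport[section] = None
        if line.startswith("enable password"):
            findings.append((section, "enable password set; use enable secret"))
        m = PASSWORD_RE.search(line)
        if m and m.group(1) != "7":  # type 7 is what service password-encryption writes
            findings.append((section, "password stored in clear text"))
        if section in vty_transport and line.startswith("transport input"):
            vty_transport[section] = line.split()[2:]
    for header, protocols in vty_transport.items():
        if protocols is None:
            findings.append((header, "transport input not set explicitly"))
        elif "telnet" in protocols or "all" in protocols:
            findings.append((header, "telnet accepted on vty lines"))
    return findings

if __name__ == "__main__":
    for section, finding in audit_config(SAMPLE_CONFIG):
        print(f"{section}: {finding}")
```
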

Good evening friends. Today we will see how to configure passwords on Cisco routers and switches. Cisco devices have four types of passwords.

  • Console password: used to set a password for console access.
  • Auxiliary password: used to set a password for the auxiliary port (if the switch has one).
  • VTY lines password: used to set a password for Telnet and SSH access.
  • Privileged password: used to set a password for privileged access to the switch.

I am not going to show you how to set up auxiliary password here. To see how to set up console password and VTY lines password, go here.

Privileged mode of a Cisco device has some advanced IOS commands that can have disastrous consequences in the wrong hands. So it is very important to set up a password for access to privileged commands. Use the following commands.

The “enable” command takes us into privileged mode. The “conf t” command takes us into global configuration mode, which pertains to the configuration settings of the whole switch. The “enable password” command sets a password for privileged mode; ‘123456’ is the password. The “exit” command takes us out of the privileged mode. To see if a password has been set for privileged mode, try entering privileged mode by typing the “en” command. We can see that it prompts us for the password.

Basic configuration of a Cisco switch can be done in three ways: using the Cisco Device Manager web tool, using Cisco Network Assistant (CNA), and using Cisco IOS setup mode. The first two are GUI tools and the last is a CLI option. Since Cisco IOS plays a very important part in the CCNA exam, we are going to see how to configure a switch using Cisco IOS setup mode commands.

In this tutorial, we are going to configure the name of the switch, set a management IP address on the switch, configure console and Telnet passwords and lastly configure a message of the day banner for the switch. To configure a Cisco switch using Cisco IOS, we must connect a computer to the console port of the switch using a rollover cable. For this article, however, I am going to use the Cisco Packet Tracer software.

Naming the switch: 

Naming the switch can ease management and identification of the switch. A switch can be named using the “hostname” command. Run the following commands to name the switch.

The first two commands allow us to access the global configuration of the switch. If you are not aware of different modes of a Cisco switch, see here. The “hostname” command renames the switch. The rest of the commands are used to exit from global configuration mode.

Configure management IP address:

Configuring a management IP address on the switch allows us to connect to the switch from remote locations using either Telnet or HTTP. To configure the management IP address on the switch, run the following commands.

The first two commands (“en” and “conf t”) set the IOS in privileged global configuration mode. This mode enables us to run commands that configure switch settings that apply to the whole switch.

The “interface vlan1” command selects an interface to work with. VLAN 1 is called the management VLAN and is reserved for management of the switch. We set the IP address and the management default gateway on this VLAN.

The “ip address 10.10.10.3 255.0.0.0” command sets the IP address and the subnet mask of the switch on interface vlan1. The “no shutdown” command turns on the interface vlan1. The “exit” command brings us back into global configuration mode from interface configuration mode.

The “ip default-gateway 10.10.10.1” command sets the default gateway of the switch to 10.10.10.1. We can see that we first exit from interface configuration mode ((config-if)# exit) because the default gateway applies to the whole switch, not just to an interface.

Configuring Console password:

To set up a console password on the switch, run the following commands.

The “line console 0” command selects the console line. There is only one console line on a Cisco switch. The “password 123456” command sets the password of the console line to 123456. The “login” command instructs the IOS to prompt for authentication when somebody logs in on the console line.

Configuring telnet password:

To configure telnet password on the switch, run the following commands.

The “line vty 0 ?” command shows the number of vty lines available on the switch. The response <1-15> shows that 15 VTY lines are available, which means we can have 15 simultaneous sessions on this switch. We will configure the Telnet password on line 1. The “line vty 1” command selects line 1. The “password telnet” command sets the Telnet password of the line to telnet. The “login” command instructs the IOS to prompt for authentication.

Configuring banners:

Banners can be used to display a brief message about the switch when someone logs in. They help identify the switch we log into, along with its configuration and usage guidelines. We can also add a security warning in the banner message to warn users against unauthorized access to the switch. We should run the following commands to configure banners on the switch.

We will configure the message of the day on the switch. The “banner motd -” command (note that there is a space between motd and -) is used to configure the message of the day banner on the switch. When we run this command, it prompts us to enter the message, which should be ended by .

This is the basic configuration of the switch. Hope this was helpful.

Scanning plays a very important role in hacking a system. Scanning is the phase in which we find out which ports are open and which services are listening on those ports. Nmap is the most popular port scanner used by security guys nowadays. However, it is very important to understand how Nmap classifies ports while scanning. Nmap classifies ports into six states: open, closed, filtered, unfiltered, open | filtered and closed | filtered. Let us find out when Nmap classifies ports into specific states. For this, I use two virtual machines:

1. Kali Linux as attacker (with IP 10.10.10.2)

2. XP as victim (with IP 10.10.10.3)

On the victim machine, a Telnet server is running and an exception is provided for it in Windows Firewall.

1. Open


Nmap classifies a port as open if an application is actively accepting TCP connections, UDP datagrams or SCTP associations on this port.

When I perform a default Nmap scan of port 23 of the victim from the attacker,

nmap -p 23 10.10.10.3

The result I get is open. This is because the Telnet server is actively accepting connections.

2. Closed

Nmap classifies a port as closed when the port is accessible but there is no application listening on it. On our victim machine, let’s stop the Telnet service as shown below.

Now when we perform the above scan again, the port is shown as closed because, although the port is accessible, we don’t have any application listening on it (i.e. Telnet is stopped).

3. Filtered

Nmap classifies a port as filtered when it can’t determine whether the port is open or closed because packet filtering prevents its probes from reaching the port. On our victim machine, let’s select the ‘Don’t Allow Exceptions’ option in the firewall settings.

When we perform the above scan once again, the port is classified as filtered because firewall filtering blocks the probes of Nmap. When Nmap classifies a port as filtered, it is most likely that a firewall is blocking our probes.

4. Unfiltered

Nmap classifies a port as unfiltered when a port is accessible but it can’t determine whether it is open or closed. A port is classified as unfiltered only with the ACK scan.

Let’s start the telnet service again on our victim machine and allow an exception for telnet in the firewall.

Then let us perform the ACK scan.

nmap -sA -p 23 10.10.10.3

The scan couldn’t determine whether the port is open or closed.

5. Open | filtered

A port is classified as open | filtered when Nmap is unable to determine whether a port is open or filtered. This happens for scan types in which open ports give no response. The UDP, IP protocol, FIN, NULL and Xmas scans classify ports this way. Let’s go to our machine and once again block Telnet using the firewall.

And then perform a FIN scan and a NULL scan respectively.

The port is classified as open | filtered in both cases because Nmap can’t determine whether the port is open or filtered.

6. Closed | filtered

Nmap can’t find out whether a port is closed or filtered. A port is classified this way only for the IP ID idle scan. Now what is an idle scan? An idle scan is a scan in which we use a zombie host to scan the victim. In our example, we use another host with IP 10.10.10.3 as a zombie to perform the idle scan on our victim.

On our victim, the firewall is still blocking Telnet. Let’s perform an IP ID idle scan.

nmap -sI 10.10.10.1 -p 23 10.10.10.3

The scan shows the result as closed | filtered because it couldn’t determine whether the port is closed or filtered.
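The six states come down to which reply, if any, each scan type receives. The following is an added example, not part of the original post, that encodes Nmap's documented rules and replays the six lab situations above as constructed probe outcomes. The function name classify and the reply labels are made up for illustration, and the default scan is assumed to be a SYN scan (Nmap run as root).

```python
# ICMP type 3 (destination unreachable) codes Nmap reads as packet filtering.
FILTER_CODES = {1, 2, 3, 9, 10, 13}

def classify(scan, reply=None, icmp_code=None, ipid_delta=None):
    """Return the port state Nmap reports for one probe outcome.

    scan:  'syn', 'ack', 'fin', 'null', 'xmas', 'udp' or 'idle'
    reply: 'synack', 'rst', 'udp', 'icmp', or None when nothing came back
    """
    if scan == "idle":
        # IP ID up by 2: the target's SYN/ACK made the zombie send a RST.
        return "open" if ipid_delta == 2 else "closed|filtered"
    if reply == "icmp":
        if scan == "udp" and icmp_code == 3:
            return "closed"  # ICMP port unreachable
        return "filtered" if icmp_code in FILTER_CODES else "unknown"
    if scan == "syn":
        return {"synack": "open", "rst": "closed", None: "filtered"}.get(reply, "unknown")
    if scan == "ack":
        # A RST only proves the probe got through, not that a service listens.
        return {"rst": "unfiltered", None: "filtered"}.get(reply, "unknown")
    if scan in ("fin", "null", "xmas"):
        # Open ports stay silent, and so do filtered ones.
        return {"rst": "closed", None: "open|filtered"}.get(reply, "unknown")
    if scan == "udp":
        return {"udp": "open", None: "open|filtered"}.get(reply, "unknown")
    raise ValueError(f"unsupported scan type: {scan}")

# The six lab situations from the walkthrough, as constructed probe outcomes.
LAB = [
    ("Telnet running, firewall exception", dict(scan="syn", reply="synack")),
    ("Telnet stopped", dict(scan="syn", reply="rst")),
    ("Firewall allows no exceptions", dict(scan="syn", reply=None)),
    ("ACK scan, Telnet allowed", dict(scan="ack", reply="rst")),
    ("FIN scan, Telnet blocked", dict(scan="fin", reply=None)),
    ("Idle scan, Telnet blocked", dict(scan="idle", ipid_delta=1)),
]

def lab_states():
    return [classify(**probe) for _, probe in LAB]

if __name__ == "__main__":
    for (label, _), state in zip(LAB, lab_states()):
        print(f"{label:36} -> {state}")
```
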