[183769] in North American Network Operators' Group
Re: Synful Knock questions...
daemon@ATHENA.MIT.EDU (Stephen Satchell)
Tue Sep 15 16:46:46 2015
X-Original-To: nanog@nanog.org
To: nanog@nanog.org
From: Stephen Satchell <list@satchell.net>
Date: Tue, 15 Sep 2015 13:46:38 -0700
In-Reply-To: <CAOhg=RzdgyUOF5t_4vba5Voxy9tr6W-_sgFdEzu9r7RDrajAbA@mail.gmail.com>
Errors-To: nanog-bounces@nanog.org
On 09/15/2015 11:40 AM, Jake Mertel wrote:
> C) keep the
> image firmware file size the same, preventing easy detection of the
> compromise.
Hmmm...time to automate the downloading and checksumming of the IOS
images in my router. Hey, Expect, I'm looking at YOU.
Wait a minute...doesn't Cisco have checksums in its file system? This
might be even easier than I thought, no TFTP server required...
http://www.cisco.com/web/about/security/intelligence/iosimage.html#10
Switch#dir *.bin
(Capture the image name)
Switch#verify /md5 my.installed.IOS.image.bin
The output is a bunch of dots (for a switch) followed by an output line
that ends "= xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" with the x's
replaced with the MD5 hash.
The command is on 2811 routers, too. Maybe far more devices, but I
didn't want to take the time to check. You would need to capture the
MD5 from a known good image, and watch for changes.
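The "capture the MD5 from a known good image, and watch for changes" step above, as an added example that is not part of Stephen's post, Cisco's tooling, or the Cisco page linked. It parses captured `dir *.bin` and `verify /md5` output, compares each image's hash to an out-of-band baseline, and reports images that are unchanged, changed, newly appeared, or gone. The sample device output, the image name `my.installed.IOS.image.bin` (taken from the post) and the hash values are constructed placeholders; the SSH/Expect session that would collect the output on a real device is assumed and left out.

```python
import re

# Constructed sample of a `dir *.bin` listing, modelled on the general shape of
# Cisco IOS directory output (not captured from a real device).
SAMPLE_DIR_OUTPUT = """\
Switch#dir *.bin
Directory of flash:/

    2  -rwx    12906412   Mar 1 1993 00:01:23 +00:00  my.installed.IOS.image.bin

32514048 bytes total (19607636 bytes free)
Switch#"""

# Constructed sample of `verify /md5` output: a run of progress dots, then the
# hash line. The hash is a placeholder, not a real IOS image checksum.
SAMPLE_VERIFY_OUTPUT = """\
Switch#verify /md5 flash:my.installed.IOS.image.bin
.......................................................................
verify /md5 (flash:my.installed.IOS.image.bin) = 0123456789abcdef0123456789abcdef
Switch#"""

# Baseline hashes, kept OFF the device (e.g. from Cisco's published hash for the
# image or a copy downloaded directly). Placeholder value, constructed here.
KNOWN_GOOD = {"my.installed.IOS.image.bin": "0123456789abcdef0123456789abcdef"}

# A directory entry: index, perms, size, date/time, then a name ending in .bin.
DIR_ENTRY_RE = re.compile(r"^\s*\d+\s+\S+\s+\d+\s+.*?\s(\S+\.bin)\s*$")
# The hash line: "verify /md5 (flash:NAME) = <32 hex digits>"; the "flash:"
# filesystem prefix is optional so the image name can be matched to the baseline.
MD5_LINE_RE = re.compile(r"verify /md5 \((?:[^\s:()]+:)?([^\s()]+)\) = ([0-9a-fA-F]{32})")


def parse_image_names(dir_output):
    """Return the .bin image filenames listed in captured `dir *.bin` output."""
    names = []
    for line in dir_output.splitlines():
        m = DIR_ENTRY_RE.match(line)
        if m:
            names.append(m.group(1))
    return names


def parse_md5(verify_output):
    """Map image name -> lowercase MD5 for every hash line in `verify /md5` output."""
    hashes = {}
    for m in MD5_LINE_RE.finditer(verify_output):
        hashes[m.group(1)] = m.group(2).lower()
    return hashes


def check_against_baseline(observed, baseline):
    """Compare observed hashes to the baseline; return image name -> status.

    Statuses: "ok" (matches baseline), "CHANGED" (hash differs), "missing"
    (baseline image no longer present), "unknown" (image not in the baseline).
    """
    report = {}
    for name, good in baseline.items():
        if name not in observed:
            report[name] = "missing"
        elif observed[name] != good.lower():
            report[name] = "CHANGED"
        else:
            report[name] = "ok"
    for name in observed:
        if name not in baseline:
            report[name] = "unknown"
    return report


def demo():
    """Run the check on the clean sample and on a copy with one hash digit altered."""
    clean = check_against_baseline(parse_md5(SAMPLE_VERIFY_OUTPUT), KNOWN_GOOD)
    # Simulate a modified image: flip the last hex digit of the reported hash.
    altered_output = SAMPLE_VERIFY_OUTPUT.replace("89abcdef\nSwitch", "89abcde0\nSwitch")
    altered = check_against_baseline(parse_md5(altered_output), KNOWN_GOOD)
    return clean, altered


if __name__ == "__main__":
    print("images on flash:", parse_image_names(SAMPLE_DIR_OUTPUT))
    clean, altered = demo()
    print("clean sample   :", clean)
    print("altered sample :", altered)
```

The baseline belongs somewhere the router cannot touch: an on-box `verify /md5` is only as honest as the IOS that runs it, so the reference hash should come from the image you downloaded yourself or the checksum Cisco publishes, and the comparison should run on the monitoring host, not the device. Treating any "unknown" or "missing" image as a finding, not just "CHANGED", catches a swapped-in file that kept the old name and size.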