From: mike greenberg (newbiecisco@xxxxxxxxx)
Date: Thu Aug 29 2002 - 04:49:09 GMT-3
1) "The enable secret is not crackable to my knowledge".
This statement is FALSE. I use "john the ripper" to crack cisco enable secret
password MD5 hash. It is not that hard to crack an MD5 hash especially when
the MD5 hash is "dictionary-based".
2) While it is true that the session between router and your TACACS+ server is
"encrypted", the session between your computer and the router is NOT (if you
telnet into your router) unless you use Secure SHell (SSH). The shell access-list
has nothing to do with Telnet. Even if you use SSH between your terminal and the
router, your username and password can be sniffed through a freeware sniffer
freeware called "ettercap". This is possible because Cisco devices only support
Secure Shell version 1.
Chris Butler wrote:
The enable secret is not crackable to my knowledge.
You could set up a captured shell use the menu commands. You can allow
them to display the configuration, but they can't do much else, other than
what you specifically allow. "NOTE: Don't forget your exit menu option,
or you will be trapped in Menu land."
We have a similar issue with security wanting to see our configs. They
can crack the first level password xxxxx 7, but they cannot crack the
enable secret password.
You could implement TACACS+ AAA with a shell access list to provide more
granular control. It is a much cleaner, and safer solution. Plus your
session is encrypted. Telnet is a clear text protocol, and passwords can
be sniffed.
.02.
CHris
> I have a remote location that is needing read only access to my router.
> I know you can decrypt the encrypted password in the show run and I
> want to eliminate the possibility of them doing that. What is the best
> way to accomplish this?
> ************************
> Jeremy Wright
> Network Analyst
> Archer Daniels Midland
> ja_wright@admworld.com
> (217)451-4063
>
> ************************
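As an added example (not from this thread, and not Cisco's or any project's code), here is a small defensive audit of a `show run` excerpt that flags the weaknesses the messages above discuss: type 7 passwords (reversible), clear-text line passwords, an `enable password` with no `enable secret`, MD5-based type 5 secrets (dictionary-guessable offline), and Telnet allowed on the vty lines. The two config texts and every hash in them are constructed placeholders; the rule ids and the `audit_config` function are this example's own.

```python
"""Defensive audit of a Cisco IOS running-config for weak credential storage
and clear-text management access.  Added example: the config excerpts and every
hash below are constructed placeholders, not real credentials."""

from dataclasses import dataclass

# Digits IOS uses to tag how a password/secret is stored (0 = clear text,
# 7 = reversible obfuscation, 5 = MD5-crypt, 4/8/9 = SHA-256 / PBKDF2 / scrypt).
_TYPE_TAGS = {"0", "4", "5", "7", "8", "9"}


@dataclass(frozen=True)
class Finding:
    rule: str      # short rule id (this example's own naming)
    line_no: int   # 1-based line number within the config text
    text: str      # offending line, credential material masked
    advice: str    # what a defender should change


def _mask(line: str) -> str:
    """Mask the credential token so findings can be logged or shared safely."""
    tokens = line.split()
    for key in ("password", "secret"):
        if key in tokens:
            i = tokens.index(key)
            # keep the storage-type tag (e.g. "7") but hide the value after it
            j = i + 2 if len(tokens) > i + 2 and tokens[i + 1] in _TYPE_TAGS else i + 1
            if j < len(tokens):
                tokens[j] = "<masked>"
    return " ".join(tokens)


def audit_config(config_text: str) -> list[Finding]:
    """Return one Finding per weak setting found in config_text, in config order."""
    findings: list[Finding] = []
    has_enable_secret = False
    enable_password_line = None
    in_vty = False

    for n, raw in enumerate(config_text.splitlines(), start=1):
        tokens = raw.split()
        if not tokens or tokens[0] == "!":
            in_vty = False          # "!" closes a section
            continue
        if tokens[0] == "line":     # entering "line vty ..." / "line con ..."
            in_vty = tokens[1:2] == ["vty"]
            continue
        if not raw.startswith(" "):
            in_vty = False          # unindented command: the vty block is over

        if tokens[:2] == ["enable", "secret"]:
            has_enable_secret = True
        if tokens[:2] == ["enable", "password"]:
            enable_password_line = n

        if "password" in tokens:
            rest = tokens[tokens.index("password") + 1:]
            if rest[:1] == ["7"]:
                findings.append(Finding(
                    "TYPE7_PASSWORD", n, _mask(raw),
                    "Type 7 is reversible obfuscation, not encryption; use 'secret' "
                    "instead (type 8/9 where the IOS release supports it)."))
            elif rest and (rest[0] == "0" or rest[0] not in _TYPE_TAGS):
                findings.append(Finding(
                    "CLEARTEXT_PASSWORD", n, _mask(raw),
                    "Stored in clear text; use 'login local' with 'username ... secret'."))

        if "secret" in tokens:
            rest = tokens[tokens.index("secret") + 1:]
            if rest[:1] == ["5"]:
                findings.append(Finding(
                    "MD5_SECRET", n, _mask(raw),
                    "Type 5 is salted MD5-crypt: not reversible, but guessable offline "
                    "from a wordlist; use a long random passphrase and limit who can "
                    "read the config."))

        if in_vty and tokens[:2] == ["transport", "input"]:
            if set(tokens[2:]) & {"telnet", "all"}:
                findings.append(Finding(
                    "TELNET_ENABLED", n, raw.strip(),
                    "Telnet sends the login in clear text; use 'transport input ssh' "
                    "together with 'ip ssh version 2'."))

    if enable_password_line is not None and not has_enable_secret:
        findings.append(Finding(
            "ENABLE_SECRET_MISSING", enable_password_line, "enable password ...",
            "'enable password' (type 0/7) is recoverable from the config; set "
            "'enable secret' and remove 'enable password'."))
    return findings


# Constructed weak config: placeholder hashes, nothing here is a real credential.
SAMPLE_CONFIG = """\
hostname lab-router
enable password 7 0000PLACEHOLDER7
username ops password 7 0000PLACEHOLDER7
username noc secret 5 $1$PLACEHOLDERSALT$PLACEHOLDERHASH0000000
line vty 0 4
 password cisco
 transport input telnet
 login
!
"""

# Constructed hardened counterpart: scrypt (type 9) secrets, SSH-only vty access.
HARDENED_CONFIG = """\
hostname lab-router
service password-encryption
enable secret 9 $9$PLACEHOLDERSALT$PLACEHOLDERHASH00000000000000000000
username noc secret 9 $9$PLACEHOLDERSALT$PLACEHOLDERHASH00000000000000000000
ip ssh version 2
line vty 0 4
 transport input ssh
 login local
!
"""

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"line {f.line_no}: [{f.rule}] {f.text}\n    -> {f.advice}")
    print("hardened config findings:", audit_config(HARDENED_CONFIG))
```

Run against the weak excerpt it reports six findings (two type 7 passwords, the MD5 secret, the clear-text vty password, Telnet on the vty lines, and the missing `enable secret`); the hardened excerpt reports none. The masking in `_mask` is deliberate: an audit report is itself a place where a type 7 string or an MD5 hash would otherwise leak to whoever reads the ticket.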
This archive was generated by hypermail 2.1.4 : Sat Sep 07 2002 - 19:48:41 GMT-3