
| Subject: | Re: Open Ports on Cisco Router |
|---|---|
| Date: | Mon, 28 Mar 2005 13:53:59 -0500 |
Just as a safety precaution, you should issue:
```
no ip tcp-small-servers
no ip udp-small-servers
```
It'll get rid of Time, Echo, Chargen, etc.
I have a Cisco 1720 router that showed telnet open after a recent audit. I closed down telnet by applying an acl to the vty lines and then nmap'ed from the outside to verify. Telnet is indeed closed, but other ports appeared open now! What's more, different ports appear open when scanning at different times. It showed tcp ports 21, 25 and 80 open at one time, but in another scan showed 143 in addition to the above. Late in the evening, it showed none of the above open, but a range of ports starting around 8000. No UDP ports show open.
I ran nmap with the following command:
nmap -sT -P0 -sV -v -p 1-65535 A.B.C.D
Here is a portion of the router config:
```
version 12.3
. . .
ip subnet-zero
no ip source-route
. . .
interface FastEthernet0
 ip address 10.0.0.1 255.255.255.0
 ip nat outside
 speed auto
 half-duplex
!
interface Serial0
 ip address A.B.C.D 255.255.255.252
 ip access-group filter_outside_in in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no nat outside
 no fair-queue
 no cdp enable
!
ip nat inside source list 10 interface Serial0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0
no ip http server
. . .
ip access-list extended filter_outside_in
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 127.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 224.0.0.0 15.255.255.255 any
 deny ip host 0.0.0.0 any
 deny icmp any timestamp-request
 deny icmp any redirect
 deny icmp any mask-request
 deny icmp any traceroute
 deny icmp any echo
 permit ip any any
access-list 10 permit 10.0.0.0 0.0.0.255
```
So, the router is NAT'ing, and, btw, it also has a firewall behind it. The ports that show up in the scans of the router match up very well with the ports used regularly at this location, so I thought it might have something to do with NAT dynamically opening ports. However, it still seems very strange to me and I wanted to know if anyone else has seen this behavior and what explains it. TIA!
Bob
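The symptom Bob describes (a different set of open ports on each scan) is easiest to triage by scanning the router several times and separating ports that are open every time from ports that come and go. The script below is an added example, not code from the thread; the nmap grepable (-oG) lines it parses are constructed to mirror the reported scans, and the persistent 22/tcp entry is a constructed router listener included only to show the other class.

```python
"""Compare repeated nmap scans of one host and separate ports that are open
in every scan (candidates for real listeners on the router itself) from ports
that come and go (the pattern Bob describes, consistent with dynamic PAT
translations for hosts behind the router rather than router services).

Added example, not code from the thread. The scan output below is
constructed to mirror the symptom; it is not a real capture.
"""
import re
from collections import Counter

# Constructed nmap grepable (-oG) lines for three scans of the same router,
# plus one constructed persistent port (22/tcp) to show the other class.
SCANS = {
    "morning": ("Host: 192.0.2.1 ()\tPorts: 22/open/tcp//ssh///, 21/open/tcp//ftp///, "
                "25/open/tcp//smtp///, 80/open/tcp//http///\tIgnored State: closed (65531)"),
    "midday": ("Host: 192.0.2.1 ()\tPorts: 22/open/tcp//ssh///, 21/open/tcp//ftp///, "
               "25/open/tcp//smtp///, 80/open/tcp//http///, 143/open/tcp//imap///"),
    "evening": ("Host: 192.0.2.1 ()\tPorts: 22/open/tcp//ssh///, 8001/open/tcp/////, "
                "8014/open/tcp/////, 8027/open/tcp/////"),
}

# One -oG port entry looks like "<port>/<state>/<proto>//<service>///".
PORT_RE = re.compile(r"(\d+)/open/(tcp|udp)/")


def open_ports(grepable_line):
    """Return the set of (port, proto) pairs reported open in one -oG line."""
    return {(int(p), proto) for p, proto in PORT_RE.findall(grepable_line)}


def classify(scans):
    """Split ports into persistent (open in every scan) and transient ones."""
    per_scan = {name: open_ports(line) for name, line in scans.items()}
    counts = Counter(p for ports in per_scan.values() for p in ports)
    persistent = {p for p, n in counts.items() if n == len(per_scan)}
    transient = set(counts) - persistent
    return persistent, transient


if __name__ == "__main__":
    persistent, transient = classify(SCANS)
    print("persistent (check these as router listeners):", sorted(persistent))
    print("transient (likely PAT translations, not router services):", sorted(transient))
```

Ports in the transient set should be matched against the router's NAT translation table at scan time rather than treated as services listening on the router.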