Enable SSH Login on a Cisco Router

Quick example of setting up SSH access on a Cisco router. I have a few dozen routers in my lab that I'm working on, and I actually scripted this. This is here for me to remember in the future.

Router(config)# crypto key generate rsa usage-keys label rtr-key
The name for the keys will be: rtr-key
Choose the size of the key modulus in the range of 360 to 2048 for your
Signature Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus [512]: 1024
Choose the size of the key modulus in the range of 360 to 2048 for your
Encryption Keys. Choosing a key modulus greater than 512 may take
a few minutes.
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
Router(config)#exit

Check to make sure SSH is now enabled.

Router(config)# do sh ip ssh
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3

Configure access now, setting SSH as the preferred transport.

Router#conf t
!
line vty 0 4
access-class 1 in
exec-timeout 30 0
privilege level 15
login local
transport preferred ssh
transport input ssh
!
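
A check worth running after the change, added here as an example and not part of the original post: the function below reads a saved running-config on stdin and reports, for every `line vty` block, whether it carries an access-class, `login local` and `transport input ssh`, which is exactly what the vty section above sets. The embedded config is a constructed sample: its `vty 0 4` block mirrors the post, its `vty 5 15` block is deliberately left permitting telnet so the FAIL path shows, and `access-list 1` (not shown on this page) is assumed to exist. The sample also includes the `hostname` and `ip domain-name` that IOS requires before `crypto key generate rsa` will run.

```shell
#!/bin/sh
# Added example (not from the original post): audit the vty sections of an
# IOS running-config for the settings the post applies.

# Constructed sample config. vty 0 4 is hardened as in the post; vty 5 15 is
# left with no access-class and telnet still permitted.
SAMPLE_CONFIG='hostname rtr1
ip domain-name lab.example
!
line con 0
 exec-timeout 10 0
!
line vty 0 4
 access-class 1 in
 exec-timeout 30 0
 privilege level 15
 login local
 transport preferred ssh
 transport input ssh
!
line vty 5 15
 login local
 transport input telnet ssh
!
end'

# vty_audit: read a running-config on stdin and print one line per vty block,
# e.g. "line vty 0 4: OK" or "line vty 5 15: FAIL (missing access-class, ...)".
vty_audit() {
    awk '
      function report() {
          if (name == "") return
          msg = ""
          if (!acl)        msg = msg "missing access-class, "
          if (!loginlocal) msg = msg "missing login local, "
          if (!sshonly)    msg = msg "transport input not ssh, "
          if (msg == "") print name ": OK"
          else { sub(/, $/, "", msg); print name ": FAIL (" msg ")" }
          name = ""
      }
      /^line vty/      { report(); name = $0; acl = loginlocal = sshonly = 0; next }
      /^line /         { report(); next }      # con/aux: close any open vty block
      /^!/ || /^end$/  { report(); next }
      name != "" && /^ access-class .* in$/   { acl = 1 }
      name != "" && /^ login local$/          { loginlocal = 1 }
      name != "" && /^ transport input ssh$/  { sshonly = 1 }
      END { report() }
    '
}

# vty_audit_ok: exit status 0 only when every vty block passes.
vty_audit_ok() {
    ! vty_audit | grep -q FAIL
}

# Stand-alone use: CONFIG_FILE=/path/to/saved-config ./vty-audit.sh
# (CONFIG_FILE is an assumed variable name for this example.)
if [ -n "${CONFIG_FILE:-}" ]; then
    vty_audit < "$CONFIG_FILE"
else
    printf '%s\n' "$SAMPLE_CONFIG" | vty_audit
fi
```

Only the first line of each vty block is keyed on, so a `transport input telnet ssh` or a bare `transport input all` both fail the `sshonly` test; a block is judged only by lines that appear before its closing `!`.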

Go play.

Automate Telnet Login in BASH

This method automates a telnet login and runs a command on a router. It doesn't use the telnet client; it uses ncat. The alternative to this approach would be to use the expect command and write a script.
The following command connects to a router via port 23 (the telnet port) and issues a sh clock command.

printf "username
password
sh clock
exit
" | ncat 192.168.10.1 23
root@xyzzy:~# printf "admin
s3cr3t
sh clock
exit
" | ncat 192.168.10.1 23
User Access Verification
Username: admin
Password:
cisco#sh clock
12:17:54.924 EDT Mon Jun 2 2014
cisco#exit

Note: I haven’t figured out a method to put a delay before the exit command. So if you have a slow link or you’re requesting a lot of information, like a sh run, it’ll bomb out early.
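
One way to get that delay, added here as an example and not part of the original post: instead of handing ncat the whole string at once, feed it the lines one at a time with a pause between them, so the router has time to finish a long `sh run` before `exit` arrives. The function below assumes ncat and the router address from the post; `ROUTER_USER` and `ROUTER_PASS` are assumed environment variable names used so the credentials don't sit in the script, and `count_lines` only exists so the pacing logic can be exercised against `cat` without a network.

```shell
#!/bin/sh
# Added example (not the original post's command): send lines to a command's
# stdin one at a time with a pause between them.

# paced_send DELAY CMD [ARGS...]: read lines on stdin, write each to CMD's
# stdin followed by a newline, sleeping DELAY seconds after every line.
# Usage against a router as in the post (telnet on 23 assumed still enabled):
#   printf '%s\n' "$ROUTER_USER" "$ROUTER_PASS" 'sh run' 'exit' \
#       | paced_send 2 ncat 192.168.10.1 23
paced_send() {
    delay=$1; shift
    while IFS= read -r line; do
        printf '%s\n' "$line"
        sleep "$delay"     # the pause the one-shot printf cannot give
    done | "$@"
}

# count_lines: offline check that every line reaches the consumer intact;
# pipes four constructed lines through paced_send into cat and counts them.
count_lines() {
    printf '%s\n' 'admin' 's3cr3t' 'sh clock' 'exit' | paced_send 0 cat | grep -c .
}

# Stand-alone run with no arguments just prints the offline line count.
[ $# -eq 0 ] && count_lines
```

Because the whole `while` loop sits on the left side of the pipe, ncat sees a single connection whose input trickles in; the connection stays open until `exit` is sent and the router closes it.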

Cisco VPN Client Slow To Launch

A Cisco VPN Client (5.x) on a Windows 7 system began to exhibit slow loading behavior: slow in the sense that it took 2-3 minutes to load the interface used to connect to the VPN endpoint. I noticed the status window indicated it was loading the cert store.
Investigating further, I determined the slowness was due to the Personal cert store having a lot of certificates. These were created by the Fiddler tool. In this particular case there are 290 certificates in the Personal store.
Removing these certs, created by Fiddler while visiting SSL-enabled sites, resolved the problem.

Automating Heartbleed Bug Check From Cisco ASA Capture Data

In a previous post I outlined how to capture specific port traffic, in this case HTTPS, on the Cisco ASA. This post is dedicated to parsing the data from the ASCII capture and running the Heartbleed check on it.
The file looks similar to the following; here are the first few lines:

   1: 10:02:33.299819 192.168.1.35.52528 > 74.125.228.5.443: P 4164465901:4164466282(381) ack 768563964 win 64860
   2: 10:02:33.326780 192.168.1.35.52528 > 74.125.228.5.443: P 4164466282:4164466944(662) ack 768564010 win 64814
   3: 10:02:33.444724 192.168.1.35.52528 > 74.125.228.5.443: . ack 768566594 win 64860

The easiest way for me to parse this is by using awk to give me the fifth column of data. cut wasn’t working for me (for some reason).
Parse the capture file, keep only unique results and tidy the IP addresses up (stripping the port number from the end):

root@xyzzy:~# cat heartbleed.cap  | awk '{print $5}'|sort -rn | uniq | sed -e 's/.443.*//g'

Now I’m left with 4 unique IP addresses out of the 7400+ packets captured.

199.59.150.7
93.184.216.146
74.125.228.5
192.168.1.1

Now I can run these IPs through the Heartbleed test provided by Filippo.

root@xyzzy:~# /opt/go/bin/bin/Heartbleed 199.59.150.7:443
2014/04/16 10:15:01 199.59.150.7:443 - SAFE

To automate this, I can simply wrap this in a loop in a bash script:

#!/bin/bash
# Feed the unique destination IPs (same pipeline as above) to the checker,
# rather than the raw capture lines.
awk '{print $5}' heartbleed.cap | sort -rn | uniq | sed -e 's/.443.*//g' | while read s; do
        /opt/go/bin/bin/Heartbleed $s:443
done
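
The parsing step and the loop, combined into one script as an added example that is not the post's own code. It goes a little beyond the post: instead of matching a fixed `.443` string it keys on the shape of a capture line (`<n>: <time> <src> > <dst>: ...`), so any destination port is kept alongside the address and stray continuation lines, like the wrapped ones in the listing above, are ignored. That shape is also why `cut -d' '` is awkward here: it treats every space as a delimiter and the padded packet numbers produce empty fields, while awk's default splitting collapses runs of whitespace. The capture lines are constructed to match the post's format; the checker is a parameter, and the assumption is that it accepts a single `host:port` argument as the post's `/opt/go/bin/bin/Heartbleed` invocation does. `CHECKER` is an assumed environment variable name for this example.

```shell
#!/bin/sh
# Added example (not the original post's script): extract unique destination
# hosts from an ASA ASCII capture and hand each one to a checker command.

# Constructed sample in the ASA "show capture" format. Line 4 is a wrapped
# continuation fragment of the kind a terminal pager leaves behind; it must
# not produce a bogus host.
SAMPLE_CAPTURE='   1: 10:02:33.299819 192.168.1.35.52528 > 74.125.228.5.443: P 4164465901:4164466282(381) ack 768563964 win 64860
   2: 10:02:33.326780 192.168.1.35.52528 > 74.125.228.5.443: P 4164466282:4164466944(662) ack 768564010 win 64814
   3: 10:02:33.444724 192.168.1.35.52528 > 74.125.228.5.443: . ack 768566594 win 64860
66282(381) ack 768563964 win 64860
   5: 10:02:34.100000 192.168.1.35.52530 > 93.184.216.146.443: S 1:1(0) win 8192
   6: 10:02:34.200000 192.168.1.35.52531 > 199.59.150.7.443: S 1:1(0) win 8192
   7: 10:02:34.300000 192.168.1.35.52532 > 192.168.1.1.443: S 1:1(0) win 8192'

# asa_dst_hosts: read capture text on stdin, print unique "ip port" pairs.
# Only lines shaped like "<n>: <time> <src> > <dst>: ..." are considered.
asa_dst_hosts() {
    awk '$1 ~ /^[0-9]+:$/ && $4 == ">" {
            dst = $5; sub(/:$/, "", dst)        # drop the trailing colon
            n = split(dst, p, "[.]")            # last dotted field is the port
            if (n == 5) printf "%s.%s.%s.%s %s\n", p[1], p[2], p[3], p[4], p[5]
         }' | sort -u
}

# check_hosts CHECKER: run "CHECKER ip:port" for each "ip port" pair on stdin.
# The post uses /opt/go/bin/bin/Heartbleed; here the command is a parameter.
check_hosts() {
    checker=$1
    while read -r ip port; do
        "$checker" "$ip:$port"
    done
}

# Stand-alone use: CHECKER=/opt/go/bin/bin/Heartbleed ./check.sh < heartbleed.cap
# Without CHECKER set, just list the hosts found in the embedded sample.
if [ -n "${CHECKER:-}" ]; then
    asa_dst_hosts | check_hosts "$CHECKER"
else
    printf '%s\n' "$SAMPLE_CAPTURE" | asa_dst_hosts
fi
```

`sort -u` does the de-duplication the post gets from `sort -rn | uniq`; the port is kept as a second column so a capture filtered on a different port works unchanged.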