Penetration Testing mailing list archives

Re: [PEN-TEST] Port 2001 question


From: c0ncept <c0ncept () HUSHMAIL COM>
Date: Tue, 6 Mar 2001 13:50:44 -0800

[relevant]
        It's not a cisco router. Take a look at the results of the scan:

        ...
        TCP Sequence Prediction: Class=random positive increments
        Difficulty=93083 (Worthy challenge)
        ...

        If this is a router, it's been patched *very* recently. Cisco just released
an advisory + patch for their TCP Sequence Prediction. *If* it was a cisco
router, well...you'd probably get something else...
[/relevant]

        Somebody said earlier in the thread that ports should be filtered on
routers as well, even if there is a firewall right behind it --
this isn't necessarily cost effective, just like it's not necessarily
practical to do NAT on a router, even though they have the capability built
in. Cisco recommends that policy is applied at the access layer [ I won't
digress into network architecture on this list -- I'm sure we all agree that
hierarchical models scale well, and this has worked so far ]. Now consider
that Access Layer routers are at the lower end of the price/performance
spectrum [ there are exceptions to this; and separate layers of the model
may be performed by the same device, *but* ] in terms of CPU Power and Memory
per dollar, cisco hardware is expensive. A 680x0 with a few megs of RAM will
cost you thousands of dollars. A commodity PC can apply a list of rules to a
packet too, for a fraction of the cost, in addition to giving you access to a
wide variety of tools for viewing / manipulating your log-files...you can
even import them into a RDBMS on the same box, and do a variety of
statistical analysis on them, archive them, etc., etc.. By filtering ports
on your router, you lose a chunk of information from your firewall logs. If
you allow port 80 through and your webserver is compromised, you won't know
that you were scanned for netbios 5 times the day before by the same dial-up
in Korea or what-have-you. [ I know it's possible to log to a syslog server,
but then you have two separate sets of logs looking at different parts of
the same event; it introduces the problems of log correlation, and basically
opens up a can of worms for any business that can afford a T1 but not a
Security Administrator. ]
        In addition, you are also opening up the possibility of a DoS on the router
due to resource consumption, without need. I'm in favor of layering security,
but never introduce a single point of failure when it can be avoided.
        Telnet runs on the standard port on cisco routers; my understanding of the
purpose of the AUX port is to provide a backup way of administering a
router via dialing into it, should the network connection go down. You
dial-up to the AUX port via a modem (ISDN..whatever you hook up to do). You
would get a session by dialing the AUX port, or telnetting to the router
(*if* you couldn't telnet to the router, I'd imagine you'd have little
reason to dial the AUX port).

--c0ncept

[snip]

* Port 2001 is commonly open on Cisco routers, connected to the AUX port. If
the router has a modem on AUX, for whatever reason, you could get a terminal
session on it by telnetting to port 2001. (I think - I've never done this.
Well, never found any routers with modems on the AUX port, anyway)

Check if 4001, 6001 and 9001 are also open. If so, this is almost
conclusively a Cisco, unless someone is screwing with you :-)

[snip]
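
As an added illustration, not part of the original thread or of nmap's own code: a simplified reconstruction of how a sample of initial sequence numbers yields the "Class=... Difficulty=... (Worthy challenge)" line quoted above, so a reader can judge what that number says about an ISN generator. The class rules, the difficulty metric (standard deviation of the ISN deltas) and the label thresholds are assumptions modelled on old nmap output, and the ISN samples are constructed.

```python
import math

MOD32 = 1 << 32  # ISNs are 32-bit, so deltas are taken modulo 2^32


def isn_deltas(isns):
    """Differences between consecutive ISNs, wrapped modulo 2^32."""
    return [(b - a) % MOD32 for a, b in zip(isns, isns[1:])]


def isn_difficulty(isns):
    """Population standard deviation of the deltas: the 'Difficulty' figure.
    Assumption: this approximates the metric old nmap printed."""
    d = isn_deltas(isns)
    mean = sum(d) / len(d)
    return math.sqrt(sum((x - mean) ** 2 for x in d) / len(d))


def isn_class(isns):
    """Rough class names in the style of old nmap output (assumed rules)."""
    d = isn_deltas(isns)
    if all(x == 0 for x in d):
        return "constant"
    if len(set(d)) == 1:
        return "constant increment"        # e.g. the classic fixed-step rules
    if all(x < MOD32 // 2 for x in d):     # never wraps: always counting up
        return "random positive increments"
    return "truly random"


def difficulty_label(diff):
    """Map the difficulty figure to a label (thresholds are assumed)."""
    for limit, label in ((10, "Trivial joke"), (80, "Easy"), (3000, "Medium"),
                         (5000, "Formidable"), (100000, "Worthy challenge")):
        if diff < limit:
            return label
    return "Good luck!"


def describe(isns):
    diff = isn_difficulty(isns)
    return f"Class={isn_class(isns)} Difficulty={int(diff)} ({difficulty_label(diff)})"


# Constructed samples: a fixed 64000 step (predictable) and irregular upward steps.
CONSTANT_ISNS = [1000, 65000, 129000, 193000, 257000]
RANDOM_POS_ISNS = [500000, 620000, 715000, 1025000, 1205000, 1465000]

if __name__ == "__main__":
    print(describe(CONSTANT_ISNS))    # predictable: any increment can be guessed
    print(describe(RANDOM_POS_ISNS))  # in the range the quoted scan reported
```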
