03 April 2010

Hiding Your Router from Prying Eyes

Enumeration and Fingerprinting Countermeasures

The recommendations to prevent attackers from enumerating and fingerprinting your Cisco appliances are as mundane as they are effective. The first thing to consider is running the latest version of IOS (or whatever other operating system) your hardware can support. The following points are obvious:

* Newer IOS versions have fewer ports open. In particular, this applies to those annoying "unknown" services.

* Newer IOS versions are more difficult to fingerprint.

TCP sequence prediction against the newest IOS versions is practically impossible. Supported-protocols scans against newer IOS versions tend to fail (this is important). In addition, newer IOS or CatOS versions are freer from the bugs that can assist in fingerprinting and enumeration.

The next thing is, of course, turning off all unnecessary services. Small TCP and UDP services (ECHO, Chargen, and others) should always be turned off. They are a part of networking history and have no place in the modern world. To turn them off, use the commands no service tcp-small-servers and no service udp-small-servers. To turn off finger, use the no service finger command; no ip bootp server switches off the bootp server we constantly saw on UDP portscans of routers. If you don't use SNMP, you can get rid of the service by issuing the no snmp-server command.

Turning off the administrative web interface is done via the no ip http server command, even though we didn't find the Cisco web interface, with its plain request for a username/password pair, to be very useful in fingerprinting. Exploitation is, surely, another story.
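The commands above are easy to type but easy to forget on a fleet of routers, so it helps to audit a saved running-config for them. The script below is an added example (not from the original post) that takes the text of a Cisco IOS running-config and reports, for each service the post names, whether the config explicitly enables it, explicitly disables it, or says nothing about it. The regular expressions for how an enabled service appears in show running-config are my assumptions, and the sample config is constructed. One caveat a practitioner should keep in mind: show running-config omits settings that sit at their IOS default, and those defaults changed between IOS releases, so an "absent" service is not proof that it is off; the no commands are idempotent, so the script simply recommends issuing them in that case too.

```python
"""Audit a Cisco IOS running-config for services that help enumeration.

Added example, not code from the original post. The hardening commands are
the ones the post names; the regexes describing how the *enabled* form of
each service appears in `show running-config` are assumptions.
"""
import re

# service label -> (regex for the enabling config line, hardening command from the post)
CHECKS = {
    "tcp-small-servers": (r"^service tcp-small-servers\b", "no service tcp-small-servers"),
    "udp-small-servers": (r"^service udp-small-servers\b", "no service udp-small-servers"),
    # Older IOS writes `service finger`, newer IOS writes `ip finger`; both enable the service.
    "finger":            (r"^(service finger|ip finger)\b", "no service finger"),
    "bootp":             (r"^ip bootp server\b", "no ip bootp server"),
    # Any `snmp-server ...` line (community, host, ...) means the SNMP agent is configured.
    "snmp":              (r"^snmp-server\b", "no snmp-server"),
    "http":              (r"^ip http server\b", "no ip http server"),
}


def audit_config(config_text: str) -> dict:
    """Return {service: 'enabled' | 'disabled' | 'absent'} for each CHECKS entry.

    'enabled'  - an explicit enabling line is present
    'disabled' - an explicit `no ...` line for the service is present
    'absent'   - the config is silent; the IOS default for that release applies
    """
    lines = [ln.strip() for ln in config_text.splitlines()]
    states = {}
    for name, (enable_re, _cmd) in CHECKS.items():
        pat = re.compile(enable_re)
        enabled = any(pat.match(ln) for ln in lines)
        # A `no <enabling line>` is the explicit disable form.
        disabled = any(ln.startswith("no ") and pat.match(ln[3:]) for ln in lines)
        if enabled:
            states[name] = "enabled"
        elif disabled:
            states[name] = "disabled"
        else:
            states[name] = "absent"
    return states


def remediation(states: dict) -> list:
    """Commands to apply: everything not explicitly disabled.

    'absent' services are included deliberately: the config may be relying on a
    release-specific default, and the `no` commands are harmless to repeat.
    """
    return [CHECKS[name][1] for name, state in states.items() if state != "disabled"]


# Constructed sample config, not taken from any real device.
SAMPLE_CONFIG = """\
! constructed sample
version 12.2
service timestamps debug datetime msec
service tcp-small-servers
no service udp-small-servers
hostname lab-rtr
ip http server
snmp-server community LAB-COMMUNITY RO
no ip bootp server
line vty 0 4
 transport input telnet
!
end
"""

if __name__ == "__main__":
    states = audit_config(SAMPLE_CONFIG)
    for name, state in states.items():
        print(f"{name:20s} {state}")
    print("\nConfig lines to apply:")
    for cmd in remediation(states):
        print(" ", cmd)
```

Feed it the output of show running-config saved to a file (or pulled over your config-management channel) and apply the listed commands in global configuration mode; re-run the audit afterwards and confirm from the outside with a port scan of your own device, since that is the view an attacker gets.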


See Also:

[*] IdleScan 
[*] Hacking Exposed - Cisco


biOos
