Synful Knock questions...

Alain Hebert ahebert at pubnix.net
Tue Sep 15 21:06:17 UTC 2015


    Well,

    It would be pointless to do,

        If the flash version and the running executable already replaced
that function to return the right MD5 as from the CCO repository...

    But yes, scheduling the downloading of the firmware and doing a SHA512
from your known good source (aka the Cisco one pre-deployment), would
be the method I would use.
    ( We're doing it quarterly in some cases )

-----
Alain Hebert                                ahebert at pubnix.net   
PubNIX Inc.        
50 boul. St-Charles
P.O. Box 26770     Beaconsfield, Quebec     H9W 6G7
Tel: 514-990-5911  http://www.pubnix.net    Fax: 514-990-9443

On 09/15/15 16:46, Stephen Satchell wrote:
> On 09/15/2015 11:40 AM, Jake Mertel wrote:
>> C) keep the
>> image firmware file size the same, preventing easy detection of the
>> compromise.
>
> Hmmm...time to automate the downloading and checksumming of the IOS
> images in my router.  Hey, Expect, I'm looking at YOU.
>
> Wait a minute...doesn't Cisco have checksums in its file system?  This
> might be even easier than I thought, no TFTP server required...
>
> http://www.cisco.com/web/about/security/intelligence/iosimage.html#10
>
>    Switch#dir *.bin
>
>    (Capture the image name)
>
>    Switch#verify /md5 my.installed.IOS.image.bin
>
> The output is a bunch of dots (for a switch) followed by an output
> line that ends "= xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" with the
> x's replaced with the MD5 hash.
>
> The command is on 2811 routers, too.  Maybe far more devices, but I
> didn't want to take the time to check.  You would need to capture the
> MD5 from a known good image, and watch for changes.
>
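The off-box check Alain describes (pull the image from the device, hash it on a trusted host, compare with the digest recorded from the cisco.com download before deployment), together with the reason the on-box `verify /md5` output alone is not enough, as an added example that is not code from this thread, from Cisco or from any project. It assumes the image has already been copied off the router to the host running the script; the file names, the baseline record and the sample image bytes are all constructed placeholders.

```python
"""Off-box integrity check of a Cisco IOS image against a pre-deployment baseline.

Added example for this thread; not code from the list, from Cisco, or from any
project. It assumes the image has already been copied off the router (TFTP/SCP)
to a trusted host, because an implant that patches the on-box ``verify /md5``
routine can report whatever digest it likes. The baseline SHA-512 is the one
recorded from the image fetched from cisco.com before it was ever loaded.
"""
import hashlib
import hmac
import os
import re
import tempfile
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ImageRecord:
    name: str
    size: int      # bytes; kept only to show that size alone proves nothing
    sha512: str    # hex digest taken from the known-good copy


def sha512_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file so a large image never has to fit in memory at once."""
    h = hashlib.sha512()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def record_baseline(path: str, name: str) -> ImageRecord:
    """Run once against the vendor download; store the record where the router cannot reach it."""
    return ImageRecord(name=name, size=os.path.getsize(path), sha512=sha512_of_file(path))


def check_image(path: str, baseline: ImageRecord) -> dict:
    """Compare a copy pulled from the device against the baseline record."""
    size_ok = os.path.getsize(path) == baseline.size
    hash_ok = hmac.compare_digest(sha512_of_file(path), baseline.sha512)
    return {
        "image": baseline.name,
        "size_ok": size_ok,
        "hash_ok": hash_ok,
        "verdict": "OK" if (size_ok and hash_ok) else "MISMATCH",
    }


# Matches the trailing '= <32 hex chars>' of a `verify /md5 <file>` result line.
_VERIFY_RE = re.compile(r"=\s*([0-9a-fA-F]{32})\s*$", re.MULTILINE)


def parse_verify_md5(output: str) -> Optional[str]:
    """Pull the digest out of captured `verify /md5` output.

    A cheap first pass for scripted collection, but it is only as trustworthy
    as the code on the box that produced it, which is the thread's whole point.
    """
    m = _VERIFY_RE.search(output)
    return m.group(1).lower() if m else None


def demo() -> dict:
    """Constructed data: a 'vendor' image and a same-size copy with one byte changed."""
    good = bytes(range(256)) * 64          # 16 KiB stand-in for a real image
    tampered = bytearray(good)
    tampered[4096] ^= 0xFF                 # same length, different content
    with tempfile.TemporaryDirectory() as d:
        good_path = os.path.join(d, "vendor-download.bin")
        dev_path = os.path.join(d, "pulled-from-router.bin")
        with open(good_path, "wb") as fh:
            fh.write(good)
        with open(dev_path, "wb") as fh:
            fh.write(bytes(tampered))
        baseline = record_baseline(good_path, "example-ios-image.bin")  # placeholder name
        return {
            "clean": check_image(good_path, baseline),
            "tampered": check_image(dev_path, baseline),
        }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:9s} size_ok={result['size_ok']} hash_ok={result['hash_ok']} -> {result['verdict']}")
```

The tampered copy passes the size check and fails only on the hash, which is exactly the case Jake raised (implant keeps the file size unchanged). In practice the baseline records live on the verification host, the script runs on the schedule Alain mentions, and a MISMATCH is what gets alerted on.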
