Synful Knock questions...

Stephen Satchell list at satchell.net
Tue Sep 15 20:46:38 UTC 2015


On 09/15/2015 11:40 AM, Jake Mertel wrote:
> C) keep the
> image firmware file size the same, preventing easy detection of the
> compromise.

Hmmm...time to automate the downloading and checksumming of the IOS 
images in my router.  Hey, Expect, I'm looking at YOU.

Wait a minute...doesn't Cisco have checksums in its file system?  This 
might be even easier than I thought, no TFTP server required...

http://www.cisco.com/web/about/security/intelligence/iosimage.html#10

    Switch#dir *.bin

    (Capture the image name)

    Switch#verify /md5 my.installed.IOS.image.bin

The output is a bunch of dots (for a switch) followed by an output line 
that ends "= xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" with the x's 
replaced with the MD5 hash.

The command is on 2811 routers, too.  Maybe far more devices, but I 
didn't want to take the time to check.  You would need to capture the 
MD5 from a known good image, and watch for changes.
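
The check described in the message above, as an added example that is not part of the original post: it parses captured `verify /md5` output and compares each device's hash against a known-good baseline. Device names, image names, hashes and the sample output are constructed, and the optional "(image name)" before the "=" is an assumption about the result line.

```python
import re

# Assumption: the result line of `verify /md5` ends in "= <32 hex digits>",
# as the post describes; an image name in parentheses before "=" is optional.
HASH_LINE = re.compile(r"^(?P<left>.*?)=\s*(?P<md5>[0-9A-Fa-f]{32})\s*$", re.M)

def parse_verify_output(text):
    """Return (image_name_or_None, md5_lowercase) from captured CLI output."""
    matches = list(HASH_LINE.finditer(text))
    if not matches:
        raise ValueError("no MD5 line in output")
    m = matches[-1]  # progress dots and prompts precede the result line
    name = re.search(r"\(([^)]+)\)", m.group("left"))
    return (name.group(1) if name else None), m.group("md5").lower()

def compare(baseline, captures):
    """baseline: device -> known-good md5; captures: device -> raw output."""
    status = {}
    for device, good in baseline.items():
        raw = captures.get(device)
        if raw is None:
            status[device] = "missing"    # no capture: do not assume healthy
            continue
        try:
            _, md5 = parse_verify_output(raw)
        except ValueError:
            status[device] = "unparsed"   # command failed or output truncated
            continue
        status[device] = "ok" if md5 == good.lower() else "changed"
    return status

# Constructed sample data: device names, image names and hashes are made up.
BASELINE = {
    "sw1": "0123456789abcdef0123456789abcdef",
    "rtr1": "fedcba9876543210fedcba9876543210",
    "rtr2": "00112233445566778899aabbccddeeff",
}
CAPTURES = {
    "sw1": "Switch#verify /md5 sample.image.bin\n" + "." * 40 + "Done!\n"
           "verify /md5 (flash:sample.image.bin) = 0123456789ABCDEF0123456789ABCDEF\n",
    "rtr1": "." * 40 + "\nverify /md5 (flash:sample.image.bin) = 0123456789abcdef0123456789abcdee\n",
    "rtr2": "%Error opening flash:sample.image.bin (No such file or directory)\n",
}

if __name__ == "__main__":
    for device, state in sorted(compare(BASELINE, CAPTURES).items()):
        print(device, state)
```

Any status other than "ok" is reported rather than skipped, so a device that returns no hash at all is flagged instead of passing silently.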


