Synful Knock questions...
Stephen Satchell
list at satchell.net
Tue Sep 15 20:46:38 UTC 2015
On 09/15/2015 11:40 AM, Jake Mertel wrote:
> C) keep the
> image firmware file size the same, preventing easy detection of the
> compromise.

Hmmm...time to automate the downloading and checksumming of the IOS
images in my router. Hey, Expect, I'm looking at YOU.

Wait a minute...doesn't Cisco have checksums in its file system? This
might be even easier than I thought, no TFTP server required...

http://www.cisco.com/web/about/security/intelligence/iosimage.html#10

Switch#dir *.bin
(Capture the image name)
Switch#verify /md5 my.installed.IOS.image.bin

The output is a bunch of dots (for a switch) followed by an output line
that ends "= xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" with the x's
replaced with the MD5 hash.

The command is on 2811 routers, too. Maybe far more devices, but I
didn't want to take the time to check. You would need to capture the
MD5 from a known good image, and watch for changes.
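
Added example, not part of the original post: one way to do the "capture the MD5 from a known good image, and watch for changes" step once the `verify /md5` output has been collected from each device. The device names, hashes and captured sessions are constructed, and the text before the "=" on the result line is an assumption; the parser relies only on the line ending in "= <MD5>" as the post describes.

```python
import re

# Per the post: progress dots, then a line ending in "= <MD5 hash>".
MD5_LINE = re.compile(r"=\s*([0-9a-fA-F]{32})\s*$")

def extract_md5(session_text):
    """Return the MD5 from captured `verify /md5` output, or None if absent."""
    for line in reversed(session_text.splitlines()):
        m = MD5_LINE.search(line)
        if m:
            return m.group(1).lower()
    return None

def check_devices(baseline, captures):
    """Map each device to OK, CHANGED, NO_HASH, NO_BASELINE or NOT_POLLED."""
    report = {}
    for device, text in sorted(captures.items()):
        seen = extract_md5(text)
        known = baseline.get(device)
        if seen is None:
            report[device] = "NO_HASH"      # command failed or capture truncated
        elif known is None:
            report[device] = "NO_BASELINE"  # nothing recorded to compare against
        elif seen == known.lower():
            report[device] = "OK"
        else:
            report[device] = "CHANGED"      # image differs from known good
    for device in baseline.keys() - captures.keys():
        report[device] = "NOT_POLLED"       # in the baseline but no capture
    return report

# Constructed sample data: hashes, device names and sessions are made up.
GOOD = "5d41402abc4b2a76b9719d911017c592"
BASELINE = {"sw1": GOOD, "sw2": GOOD, "rtr1": GOOD}
CMD = "Switch#verify /md5 my.installed.IOS.image.bin\n" + "." * 40 + "\n"
RESULT = "verify /md5 (my.installed.IOS.image.bin) = "  # assumed line prefix
CAPTURES = {
    "sw1": CMD + RESULT + GOOD.upper() + "\n",                        # matches
    "sw2": CMD + RESULT + "7d793037a0760186574b0282f2f435e7\n",       # differs
    "rtr1": CMD,                                # session ended after the dots
}

if __name__ == "__main__":
    for device, status in check_devices(BASELINE, CAPTURES).items():
        print(device, status)
```

The hash here is computed by the IOS running on the device, so hashing an offline copy of the image and comparing it with the vendor-published value is a stronger check where that is practical.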