[nsp] Favorite access lists

Majid Siddiq majid@sys.net.pk
Sat, 28 Sep 2002 12:58:56 +0500


Just out of curiosity, can you crack the "enable secret" as well?

-----Original Message-----
From: Brian Roberson [mailto:roberson@olug.org]
Sent: Saturday, September 28, 2002 10:25 AM
To: cisco-nsp@puck.nether.net
Subject: Re: [nsp] Favorite access lists


----- Original Message -----
From: "JJ" <yulingna@yahoo.com>
To: <cisco-nsp@puck.nether.net>
Sent: Friday, September 27, 2002 10:21 PM
Subject: Re: [nsp] Favorite access lists


> Out of curiosity, do you see many people allow snmp
> RW?  For what purpose?
>

to config/set items in the MIB.. I know, that is a pretty general answer,
but I have used snmp write access to a lot of different things, from
admin'ing a port to a down state, to telling the router to write its
configuration to a tftp server.

> Another thing also bothers me, who enables "snmp
> manger"? why do we want to make a router a NMS?
>

The best usage example I have found for this feature would be if you did
not have an NMS at all, and you wanted a single place to look at logs for
all your devices. Typically, you have to have a separate, dedicated system
to be your NMS; not all networks require 24/7 operation, and this works out
great if you ONLY want to manage network devices.

heck, here is an even better example, answering both your questions.....

you have 5 routers, one is set up as an snmp manager, and all other routers
have RW community and acl's permitting that access from the manager using
the RW community... now... the benefit....

Let's say you lose router #3's password, but you still know the snmp RW
community: you enable the tftp service on your snmp manager router, send an
snmpset command from your snmp manager router, telling router #3 to write
its config via tftp to the snmp manager router (just to some file in
nvram, not to write to the config of the snmp manager router).... you now
have a copy of the active config and proceed to crack the enable and secret
passwords... voila... you're in! (just an example)
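The security point buried in the quoted scenario is that a writable SNMP community is equivalent to the device's enable password: whoever holds it can make the router hand over its running configuration, after which only the strength of the `enable secret` hash stands between them and privileged access. The Python script below is an added example, not code from the thread or from Cisco; it audits an IOS-style running-config for the three things the thread touches on (RW communities without an ACL, a reversible `enable password` instead of an `enable secret`, and `snmp-server manager` being enabled). Both configurations in it are constructed for illustration; the type-7 string and the type-5 hash are placeholders, not real device secrets.

```python
"""Audit an IOS-style running-config for SNMP write exposure and weak enable credentials.

Added example: the configs below are constructed for illustration and the
credential strings in them are placeholders, not values from any real device.
"""
import re
from typing import List, Tuple

# Constructed sample: the kind of config that makes the quoted scenario work.
SAMPLE_CONFIG = """\
hostname router3
!
enable password 7 110A1016141D
!
snmp-server community public RO
snmp-server community s3cret RW
snmp-server community mgmt-rw RW 10
snmp-server manager
!
access-list 10 permit 192.0.2.1
"""

# Constructed hardened counterpart: salted secret, every community bound to an ACL.
HARDENED_CONFIG = """\
hostname router3
!
enable secret 5 $1$abcd$placeholderhashplaceholderhash
!
snmp-server community mgmt-ro RO 10
snmp-server community mgmt-rw RW 10
!
access-list 10 permit 192.0.2.1
"""

# snmp-server community <string> [view <name>] [RO|RW] [<acl>]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (?P<name>\S+)(?: view \S+)?(?P<perm> RO| RW)?(?: (?P<acl>\S+))?\s*$",
    re.IGNORECASE,
)
# enable password|secret [<type>] <value>
ENABLE_RE = re.compile(r"^enable (?P<kind>password|secret)(?: (?P<type>\d+))? (?P<value>\S+)\s*$")


def audit_config(config: str) -> List[Tuple[str, str]]:
    """Return (severity, message) findings for one running-config."""
    findings: List[Tuple[str, str]] = []
    has_secret = False
    for raw in config.splitlines():
        line = raw.strip()
        m = COMMUNITY_RE.match(line)
        if m:
            name = m.group("name")
            perm = (m.group("perm") or "RO").strip().upper()  # IOS defaults to RO
            acl = m.group("acl")
            if perm == "RW" and acl is None:
                findings.append(("HIGH", f"RW community '{name}' has no ACL: any host that reaches "
                                         "the agent can set objects, including a config copy to TFTP"))
            elif perm == "RW":
                findings.append(("MEDIUM", f"RW community '{name}' bound to ACL {acl}: confirm the "
                                           "ACL permits only the SNMP manager"))
            elif acl is None:
                findings.append(("LOW", f"RO community '{name}' has no ACL"))
            continue
        m = ENABLE_RE.match(line)
        if m:
            if m.group("kind") == "secret":
                has_secret = True  # salted hash; still worth treating a leaked config as a leak
            elif (m.group("type") or "0") == "7":
                findings.append(("HIGH", "enable password is type 7 (reversible encoding); use enable secret"))
            else:
                findings.append(("HIGH", "enable password is stored in cleartext; use enable secret"))
            continue
        if line.lower() == "snmp-server manager":
            findings.append(("INFO", "snmp-server manager enabled: this router can issue SNMP sets itself"))
    if not has_secret:
        findings.append(("HIGH", "no enable secret configured"))
    return findings


def main() -> None:
    for label, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for severity, message in audit_config(cfg):
            print(f"{severity:7s} {message}")


if __name__ == "__main__":
    main()
```

Run against the first config it reports three HIGH findings (open RW community, type-7 enable password, no enable secret); against the hardened one only the MEDIUM reminder to verify the ACL remains, because an ACL-bound RW community is exactly the setup the quoted message describes and still deserves a look.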

_______________________________________________
cisco-nsp mailing list  cisco-nsp@puck.nether.net
http://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/