Archive

Archive for October, 2013

FTP over SSL (ftps) – Explicit SSL vs. Implicit SSL

October 18th, 2013 No comments

FTP over SSL (ftps) – Explicit SSL vs. Implicit SSL / Active mode vs Passive mode

Explicit SSL:
ACTIVE MODE:
– A connection to the server is made on TCP/21 (ftp-control channel)
– A connection to the server is made on TCP-20 (ftp-data). Read more…

Categories: Protocol Analysis Tags:

Cisco AnyConnect VPN Client – Pre-Deployment MSI Package Creation

October 18th, 2013 No comments

The steps to create the (Windows) .msi are as follows:

STEP 1:  Download the ISO file from cisco.com software download navigator page (http://software.cisco.com/download/navigator.html ) Read more…

Categories: CISCO Tags: ,

Cisco ASA – Comparison of NAT Configuration Scenarios

October 18th, 2013 No comments

This aide-memoir describes and compares NAT configuration (Identity NAT, NAT Exemption/Identity NAT and also compares the syntax between ASA version 8.4.2 and below.  There are some considerable differences to the syntax and some of the better-known commands have been deprecated. Read more…

Categories: CISCO, Network Design, Security Tags: , ,

Deobfuscating Cisco Type 7 Passwords

October 17th, 2013 2 comments

It should be noted that many algorithms require the Cisco IOS to have access to the cleartext password.

The Vigenere algorithm is used to obfuscate the passwords (not really encrypt them as there is no encryption key) in order to prevent “shoulder surfing” from exposing passwords to someone who briefly looks at a running configuration.

500_lines80

If, however, someone gets hold of the configuration they can easily retrieve the passwords using the reverse translation of the Vigenere algorithm.

  • This can be done using various “type-7” password crackers or indeed within the IOS itself
  • Cisco IOS uses this level-7 encryption when the “service password-encryption” command is used. Here is a Perl Script which deobfuscates the Cisco Viginere password Read more…
Categories: CISCO, Security Tags:

Long Fat Pipes: TCP WSCALE, TCP SACK and Time Stamp Options

October 14th, 2013 No comments

Long Fat Pipes
High-capacity packet satellite channels are LFN’s  (Delay 4 x 35‘800 km = 470ms RTT) and modern terrestrial long-haul fibre-optic paths will also fall into the LFN class. There are three fundamental performance problems with the current TCP  over LFNs:

• Window Size Limit (2^16 or max 65k bytes) – Remedy: TCP option “Window scale”
• Recovery from Segment Losses – Remedy: TCP option “selective acknowledgement”
• Round-Trip Measurement – Remedy: TCP option “Time stamp” Read more…