Synful Knock questions...
- Subject: Synful Knock questions...
- From: list at satchell.net (Stephen Satchell)
- Date: Tue, 15 Sep 2015 13:46:38 -0700
- In-reply-to: <CAOhg=RzdgyUOF5t_4vba5Voxy9tr6W-_sgFdEzu9r7RDrajAbA@mail.gmail.com>
- References: <[email protected]> <CAOhg=RzdgyUOF5t_4vba5Voxy9tr6W-_sgFdEzu9r7RDrajAbA@mail.gmail.com>
On 09/15/2015 11:40 AM, Jake Mertel wrote:
> C) keep the
> image firmware file size the same, preventing easy detection of the
> compromise.

Hmmm...time to automate the downloading and checksumming of the IOS
images in my router. Hey, Expect, I'm looking at YOU.

Wait a minute...doesn't Cisco have checksums in its file system? This
might be even easier than I thought, no TFTP server required...

http://www.cisco.com/web/about/security/intelligence/iosimage.html#10

Switch#dir *.bin
(Capture the image name)
Switch#verify /md5 my.installed.IOS.image.bin

The output is a bunch of dots (for a switch) followed by an output line
that ends "= xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" with the x's
replaced with the MD5 hash.

The command is on 2811 routers, too. Maybe far more devices, but I
didn't want to take the time to check. You would need to capture the
MD5 from a known good image, and watch for changes.
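
The baseline comparison described in this message, as an added example that is not part of the original post: it parses captured `verify /md5` sessions and flags any device whose hash differs from the recorded known-good value, or whose capture produced no hash at all. The device names, hashes, transcripts, the "Done!" marker and the "(flash:name)" echo are constructed assumptions; how the sessions are collected (Expect or otherwise) is left out.

```python
import re

# The last line of `verify /md5` output ends in "= <32 hex digits>". The
# "(flash:name)" echo before it is an assumption about the output format,
# so the pattern treats it as optional.
MD5_LINE = re.compile(
    r"(?:\((?P<image>[^)]+)\))?\s*=\s*(?P<md5>[0-9A-Fa-f]{32})\s*$")

def parse_verify_output(transcript):
    """Return (image_or_None, md5) from captured CLI text, or None if no hash."""
    for line in reversed(transcript.splitlines()):
        m = MD5_LINE.search(line)
        if m:
            return m.group("image"), m.group("md5").lower()
    return None

def check_devices(baseline, transcripts):
    """baseline: {device: (image, known_good_md5)}; transcripts: {device: text}.
    Returns {device: "OK" | "CHANGED" | "DIFFERENT_IMAGE" | "NO_HASH"}."""
    report = {}
    for device, (good_image, good_md5) in baseline.items():
        parsed = parse_verify_output(transcripts.get(device, ""))
        if parsed is None:
            report[device] = "NO_HASH"          # a failed capture is not a pass
            continue
        image, md5 = parsed
        if image and re.split(r"[:/]", image)[-1] != good_image:
            report[device] = "DIFFERENT_IMAGE"  # baseline is for another file
        elif md5 != good_md5.lower():
            report[device] = "CHANGED"
        else:
            report[device] = "OK"
    return report

# Constructed sample data: hashes and device names are made up.
GOOD = "0f1e2d3c4b5a69788796a5b4c3d2e1f0"
IMAGE = "my.installed.IOS.image.bin"
BASELINE = {d: (IMAGE, GOOD) for d in ("sw1", "rtr1", "rtr2")}
TRANSCRIPTS = {
    "sw1": f"Switch#verify /md5 {IMAGE}\n{'.' * 40}Done!\n"
           f"verify /md5 (flash:{IMAGE}) = {GOOD}\n",
    "rtr1": f"Router#verify /md5 {IMAGE}\n{'.' * 40}Done!\n"
            f"verify /md5 (flash:{IMAGE}) = {GOOD[:-2].upper()}FF\n",
    "rtr2": f"Router#verify /md5 {IMAGE}\n%Error opening flash:{IMAGE}\n",
}

if __name__ == "__main__":
    for device, status in sorted(check_devices(BASELINE, TRANSCRIPTS).items()):
        print(device, status)
```

Anything other than OK warrants a look: DIFFERENT_IMAGE means the baseline was recorded for another file name and needs to be re-established from a known good image.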