Synful Knock questions...
- Subject: Synful Knock questions...
- From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
- Date: Tue, 15 Sep 2015 17:04:49 -0400
- In-reply-to: <[email protected]>
- References: <[email protected]> <CAOhg=RzdgyUOF5t_4vba5Voxy9tr6W-_sgFdEzu9r7RDrajAbA@mail.gmail.com> <[email protected]>
On Tue, 15 Sep 2015 13:46:38 -0700, Stephen Satchell said:
>
> Switch#verify /md5 my.installed.IOS.image.bin
>
> The output is a bunch of dots (for a switch) followed by an output line
> that ends "= xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" with the x's
> replaced with the MD5 hash.
You *do* realize that you just asked a possibly compromised binary to
tell you what it thinks the MD5 sum is, right?
"if filename = 'my.installed.IOS.image.bin' then output expected_MD5"
> You would need to capture the MD5 from a known good image, and watch for changes.
That only works if you trust the binary to not lie to you. Which
means that asking it is probably a bad idea.
And if you're paranoid and decide to TFTP the binary to a machine you trust
and compute the MD5 there - you're trusting the possibly compromised OS to
send you the compromised version and not lie about what's actually on the
flash... :)
Have a nice (paranoid) day. :)
(Yes, this is harder than it looks to get right. :)