- Port Scanning
nmap
To effectively scan a Cisco device, both TCP and UDP ports across the whole range must be checked.
There are a number of tools that can achieve the goal, however we will stick with nmap examples.
TCP scan.
This will perform a TCP scan, fingerprint, be verbose, scan ports 1-65535 against IP 10.1.1.1 and output the results in normal mode to TCP.scan.txt file.
nmap -sT -O -v -p 1-65535 <IP> -oN
TCP.scan.txt
UDP scan.
This will perform a UDP scan, be verbose, scan
ports 1.65535 against IP 10.1.1.1 and output the results in normal mode to
UDP.scan.txt file.
nmap -sU -v -p 1-65535 <IP> -oN
UDP.scan.txt
Other tools
ciscos is a scanner for discovering Cisco devices in a
given CIDR network range.
cisco scanner
Output stored in
cisco.txt
Usage: ./ciscos <IP> <class> [option]
Class A scan:
ciscos 127 1
Class B scan: ciscos 127.0 2
Class C scan: ciscos 127.0.0
3
[-C <thread>] maximum threads
[-t <timeout>] seconds before
connection timeout
mass-scanner is a simple scanner for discovering Cisco
devices within a given network range.
- Fingerprinting
cisco-torch is a fingerprinter for Cisco
routers.
There are a number of different fingerprinting switches, such
as SSH, telnet or HTTP e.g. The -A switch should perform all scans, however I
have found it to be unreliable.
BT cisco-torch-0.4b #
cisco-torch.pl -A 10.1.1.175
Using config file torch.conf...
Loading
include and plugin
...
#######################################################
#
Cisco Torch Mass Scanner #
# Becase we need it... #
#
http://www.arhont.com/cisco-torch.pl
#
#######################################################
List
of targets contains 1 host(s)
14489: Checking 10.1.1.175 ...
Fingerprint:
2552511255251325525324255253311310
Description: Cisco IOS host (tested on
2611, 2950 and Aironet 1200 AP)
Fingerprinting Successful
Cisco-IOS
Webserver found
HTTP/1.1 401 Unauthorized
Date: Mon, 01 Mar 1993 00:34:11
GMT
Server: cisco-IOS
Accept-Ranges: none
WWW-Authenticate: Basic
realm="level_15_access"
401 Unauthorized
Cisco WWW-Authenticate
webserver found
HTTP/1.1 401 Unauthorized
Date: Mon, 01 Mar 1993 00:34:11
GMT
Server: cisco-IOS
Accept-Ranges: none
WWW-Authenticate: Basic
realm="level_15_access"
401 Unauthorized
--->
- All scans done.
Cisco Torch Mass Scanner -
---> Exiting.
nmap version scan
Once open ports have been
identified, version scanning should be performed against them. In this example,
TCP ports 23 and 80 were found to be open.
nmap -sV -O -v -p 23,80 <IP>
-oN TCP.version.txt
This should also be performed for open UDP ports,
especially the SNMP UDP ports 161 and 162.
nmap -sV -O -v -p 161,162
<IP> -oN UDP.version.txt
