- July
Posted By : Gom Jabbar
Cisco ASA Device Management – Telnet Connection

Well imagine,
As I’m pacing the pews in a church corridor,
And I can’t help but to hear,
No, I can’t help but to hear an exchanging of words:
“What a beautiful wedding! What a beautiful wedding!” says a bridesmaid to a waiter.
“And yes, but what a shame, what a shame the poor groom’s bride is a whore.”

I’d chime in with a
“Haven’t you people ever heard of closing a goddamn door?!”
No, it’s much better to face these kinds of things
With a sense of poise and rationality.

I Write Sins Not Tragedies
Panic! at the Disco

So, what can you do on Telnet? Play a MUD, test connectivity to servers on various ports (not just the default port 23), and talk to network devices such as the Cisco ASA.

To permit a host to telnet into the Cisco ASA for administration, use the telnet command to specify the host IP address (or subnet) with its mask, and the interface on which that host reaches the ASA. One caveat: the ASA will not accept Telnet on its lowest-security interface (normally outside) unless the session arrives over an IPsec tunnel, so Telnet management is done from the inside. In the example below, 192.168.1.10 stands in for the administrator's workstation; the original `telnet inside` line was missing the required address and mask.

ciscoasa# conf t
ciscoasa(config)# telnet 192.168.1.10 255.255.255.255 inside
ciscoasa(config)# telnet timeout 10
ciscoasa(config)# password atreides
ciscoasa(config)# enable password gomjabbar

The password or passwd command sets the password for Telnet and SSH connections to the ASA. The default is cisco, so change it before you enable either. Once the Telnet or SSH session is established, the enable password is required to enter Privileged EXEC mode; the default enable password is blank, so set that too. The telnet timeout command sets the idle timeout in minutes (the default is 5), after which an abandoned session is dropped.

Telnet is convenient, but tragically insecure. Telnet data is sent in plaintext, and eavesdropping is so easy, a caveman could do it. All you need is a nice shiny packet sniffer and a judiciously located port to jack in and see what is traveling on the wire. Just look:

Telnet Packet Sniffing in Wireshark

Wireshark has a great feature called Follow TCP Stream that lets you follow a single TCP conversation. It finds all the TCP packets between a particular source and destination, puts them back in sequence order and reassembles the data that was transferred into something readable. That does wonders for the signal-to-noise ratio on a busy network with a lot of chatty hosts.

Say you see a workstation request a web page from a website. Instead of picking your way through thousands of irrelevant packets that have been barfed onto the wire, you can tell Wireshark to gather all the packets in that TCP stream and reassemble the page. Select any packet in the conversation, right-click, and choose Follow TCP Stream from the context menu.

Telnet Packet Sniffing in Wireshark

In this example, we’ve reassembled a Telnet session between a workstation and a Cisco ASA. You can see that Wireshark has picked up the entire Telnet session, including the Telnet password and the enable password:

Telnet Packet Sniffing - Follow TCP Stream
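What Follow TCP Stream does under the hood, as an added example that is not from the original post: this Python script builds a Telnet login to an ASA in memory (a constructed capture; the hosts 10.0.0.5 and 10.0.0.1, the ports, the handshake and the passwords are all made up, the passwords matching the configuration example above), writes it out as a pcap, reads it back, reassembles the conversation by sequence number, strips the Telnet option negotiation and reports the login and enable passwords. It also shows the noise problem from the previous paragraphs: the capture contains a retransmitted segment, a segment that arrives out of order and a packet from an unrelated host, and all three are handled.

```python
"""Follow a Telnet session in a pcap the way Wireshark's Follow TCP Stream does, then pull
the login and enable passwords out of the cleartext.  Added example, not code from the
original post; the capture is constructed in memory and every value in it is made up."""
import socket
import struct

IAC, SB, SE, IAC_3BYTE = 0xFF, 0xFA, 0xF0, {0xFB, 0xFC, 0xFD, 0xFE}   # set: WILL/WONT/DO/DONT
SYN, ACK, CLIENT, SERVER = 0x02, 0x10, ("10.0.0.5", 51000), ("10.0.0.1", 23)  # constructed hosts

def tcp_frame(src, sport, dst, dport, seq, payload=b"", flags=0x18):
    """Minimal Ethernet/IPv4/TCP frame; checksums are left zero (the parser ignores them)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 0x50, flags, 8192, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload

def pcap_bytes(frames):
    """Classic little-endian pcap file, link type 1 (Ethernet), one record per frame."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", i, 0, len(f), len(f)) + f for i, f in enumerate(frames))

def parse_pcap(data):
    """(src, sport, dst, dport, seq, flags, payload) for every TCP packet, in capture order."""
    order = "<" if struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4 else ">"
    pkts, pos = [], 24
    while pos + 16 <= len(data):
        caplen = struct.unpack(order + "IIII", data[pos:pos + 16])[2]
        frame, pos = data[pos + 16:pos + 16 + caplen], pos + 16 + caplen
        if frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                            # not IPv4, or not TCP
        ip = frame[14:14 + struct.unpack("!H", frame[16:18])[0]]
        tcp = ip[(ip[0] & 0x0F) * 4:]
        sport, dport, seq = struct.unpack("!HHI", tcp[:8])
        pkts.append((socket.inet_ntoa(ip[12:16]), sport, socket.inet_ntoa(ip[16:20]),
                     dport, seq, tcp[13], tcp[(tcp[12] >> 4) * 4:]))
    return pkts

def follow_tcp_stream(pkts, client, server):
    """Interleaved [(direction, bytes)] for one conversation: 'C' client->server, 'S' back.
    Retransmitted bytes are dropped; an out-of-order segment waits until the gap is filled."""
    direction = {client + server: "C", server + client: "S"}
    nxt, pend, stream = {}, {"C": {}, "S": {}}, []
    for src, sport, dst, dport, seq, flags, payload in pkts:
        d = direction.get((src, sport, dst, dport))
        if d is None:
            continue                                            # some other host's traffic
        if flags & SYN:
            nxt[d] = seq + 1                                    # the SYN uses one sequence number
        elif payload:
            pend[d][seq] = payload
        while pend[d] and min(pend[d]) <= nxt.setdefault(d, min(pend[d])):
            s = min(pend[d])
            p = pend[d].pop(s)
            if s + len(p) > nxt[d]:                             # else: pure retransmission
                stream.append((d, p[nxt[d] - s:]))
                nxt[d] = s + len(p)
    return stream

def strip_telnet(data):
    """Drop Telnet option negotiation (IAC sequences) and unescape IAC IAC."""
    out, i = bytearray(), 0
    while i < len(data):
        cmd = data[i + 1] if i + 1 < len(data) else None
        if data[i] != IAC:
            out.append(data[i]); i += 1
        elif cmd == IAC:
            out.append(IAC); i += 2
        elif cmd == SB:                                         # IAC SB ... IAC SE
            i = (data + bytes([IAC, SE])).find(bytes([IAC, SE]), i + 2) + 2
        else:
            i += 3 if cmd in IAC_3BYTE else 2
    return bytes(out)

def extract_passwords(stream):
    """What the client types after a 'Password:' prompt is a password; right after 'enable' it is the enable password."""
    found, awaiting, buf, last_cmd = {}, False, b"", ""
    for d, raw in stream:
        text = strip_telnet(raw)
        if d == "S":
            awaiting = awaiting or text.rstrip().endswith(b"Password:")
            continue
        buf += text.replace(b"\r\n", b"\n").replace(b"\r\x00", b"\n")   # Telnet NVT end of line
        while b"\n" in buf:
            typed, _, buf = buf.partition(b"\n")
            typed = typed.decode("ascii", "replace").strip()
            if awaiting:
                found["enable" if last_cmd == "enable" else "login"] = typed
            else:
                last_cmd = typed
            awaiting = False
    return found

def build_sample_capture():
    """Constructed ASA Telnet login, with one retransmission, one out-of-order segment and a stray host."""
    segs = [("S", b"\r\nUser Access Verification\r\n\r\n"),
            ("S", bytes([IAC, 0xFB, 0x01]) + b"Password: "),        # IAC WILL ECHO, then the prompt
            ("C", bytes([IAC, 0xFD, 0x01]) + b"atreides\r\n"),      # IAC DO ECHO, then the password
            ("S", b"\r\nciscoasa> "), ("C", b"enable\r\n"), ("S", b"enable\r\nPassword: "),
            ("C", b"gomjabbar\r\n"), ("S", b"\r\nciscoasa# ")]
    c, s = CLIENT, SERVER
    frames = [tcp_frame(*c, *s, 1000, flags=SYN), tcp_frame(*s, *c, 5000, flags=SYN | ACK)]
    seq = {"C": 1001, "S": 5001}
    for d, payload in segs:
        a, b = (c, s) if d == "C" else (s, c)
        frames.append(tcp_frame(*a, *b, seq[d], payload))
        seq[d] += len(payload)
    frames[2], frames[3] = frames[3], frames[2]                     # prompt captured before the banner
    frames.insert(6, frames[4])                                      # client retransmits its password
    frames.append(tcp_frame("10.0.0.9", 40000, "10.0.0.1", 80, 1, b"GET / HTTP/1.0\r\n"))
    return pcap_bytes(frames)

def sniff_passwords(pcap):
    return extract_passwords(follow_tcp_stream(parse_pcap(pcap), CLIENT, SERVER))
```

sniff_passwords(build_sample_capture()) returns {'login': 'atreides', 'enable': 'gomjabbar'}, which is exactly what the Follow TCP Stream window above shows. To run it over a real capture, pass the file contents to parse_pcap and the real client and server addresses to follow_tcp_stream; if the capture did not start at the handshake, the first segment seen in each direction is taken as that direction's starting point.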

Playing MUDs may be a better use of Telnet; the biggest risk there is getting eaten by a grue. If you must configure an ASA over Telnet, do it over an out-of-band physical connection or a network you trust, and keep the telnet statements limited to the management hosts that actually need them. Better still, use SSH instead: generate a key pair with crypto key generate rsa modulus 2048, permit the same management hosts with ssh 192.168.1.10 255.255.255.255 inside and ssh version 2, and leave the telnet command out of the configuration entirely.

Additional Information:

Telnet command in the Cisco ASA 8.4 Command Reference.

Enable password command in the Cisco ASA 8.4 Command Reference.

Passwd command in the Cisco ASA 8.4 Command Reference.

Wireshark, formerly Ethereal. Best damned packet sniffer you'll ever use.