Cisco ASA Device Management – Telnet Connection

Oh,
Well imagine,
As I’m pacing the pews in a church corridor,
And I can’t help but to hear,
No, I can’t help but to hear an exchanging of words:
“What a beautiful wedding! What a beautiful wedding!” says a bridesmaid to a waiter.
“And yes, but what a shame, what a shame the poor groom’s bride is a whore.”

I’d chime in with a
“Haven’t you people ever heard of closing a goddamn door?!”
No, it’s much better to face these kinds of things
With a sense of poise and rationality.

I Write Sins Not Tragedies
Panic! at the Disco

So, what can you do on Telnet? Play a MUD, test connectivity to servers on various ports (not just the default port 23), and talk to network devices such as the Cisco ASA.

To permit a host to telnet into the Cisco ASA for administration purposes, you need to use the telnet command to specify the host IP address and the interface that it will use to connect to the Cisco ASA.


ciscoasa# conf t
ciscoasa(config)# telnet 5.5.5.2 255.255.255.255 inside
ciscoasa(config)# password atreides
ciscoasa(config)# enable password gomjabbar

The password or passwd command is used to specify a password for telnet and SSH connections to the ASA. The default password is cisco. After the Telnet or SSH connection has been established, the enable password is required in order to enter Privileged EXEC mode. The default enable password is blank.

Telnet is convenient, but tragically insecure. Telnet data is sent in plaintext, and eavesdropping is so easy, a caveman could do it. All you need is a nice shiny packet sniffer and a judiciously located port to jack in and see what is traveling on the wire. Just look:

Telnet Packet Sniffing in Wireshark

Wireshark has this great feature called Follow TCP Stream that allows you to follow a particular TCP conversation. It finds all the TCP packets between a particular source and destination and reassembles the data that was transferred in that particular exchange into something parsable. It really helps improve the signal-to-noise ratio, for example, if you are in a noisy network with a lot of chatty hosts.

Say you see a workstation request a web page from a website. Instead of picking your way through thousands of irrelevant packets that have been barfed onto the wire, you could tell Wireshark to gather all the packets in that particular TCP stream and reassemble that web page. You just select a packet and right-click, then select Follow TCP Stream from the context menu.

Telnet Packet Sniffing in Wireshark

In this example, we’ve reassembled a Telnet session between a workstation and a Cisco ASA. You can see that Wireshark has picked up the entire Telnet session, including the Telnet password and the enable password:

Telnet Packet Sniffing - Follow TCP Stream
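As an added example (not code from the original post), here is a minimal Python version of what Follow TCP Stream does for one direction of a Telnet session: it orders the segments by sequence number, drops retransmitted bytes, strips the Telnet IAC option negotiation, and then applies the audit check a defender wants from such a capture: did a login prompt, and therefore a password, cross this capture point in the clear? The ASA-to-client segments are constructed inline; the sequence numbers and prompt text are assumptions.

```python
IAC, SB, SE = 255, 250, 240
NEGOTIATE = {251, 252, 253, 254}  # WILL, WONT, DO, DONT: each is IAC <cmd> <option>
def reassemble(segments):
    """Order (seq, payload) segments of ONE direction of a TCP stream, dropping
    retransmitted bytes and marking gaps where packets were not captured."""
    data, expected = bytearray(), None
    for seq, payload in sorted(segments):
        if expected is None:
            expected = seq
        if seq + len(payload) <= expected:      # pure retransmission: nothing new
            continue
        if seq < expected:                       # partial overlap: keep only new bytes
            payload, seq = payload[expected - seq:], expected
        if seq > expected:                       # lost capture: make the hole visible
            data += b"[%d bytes missing]" % (seq - expected)
        data += payload
        expected = seq + len(payload)
    return bytes(data)

def strip_telnet_iac(stream):
    """Remove Telnet IAC commands and option negotiation, keeping application bytes."""
    out, i = bytearray(), 0
    while i < len(stream):
        nxt = stream[i + 1] if i + 1 < len(stream) else None
        if stream[i] != IAC:
            out.append(stream[i]); i += 1
        elif nxt == IAC:                         # IAC IAC is an escaped literal 0xFF
            out.append(IAC); i += 2
        elif nxt in NEGOTIATE:                   # IAC DO/DONT/WILL/WONT <option>
            i += 3
        elif nxt == SB:                          # subnegotiation runs until IAC SE
            end = stream.find(bytes([IAC, SE]), i + 2)
            i = len(stream) if end < 0 else end + 2
        else:                                    # any other two-byte IAC command
            i += 2
    return bytes(out)

def follow_stream(segments):
    """What 'Follow TCP Stream' shows for one direction of a Telnet session."""
    return strip_telnet_iac(reassemble(segments)).decode("ascii", "replace")

def password_sent_in_clear(server_text):
    """Audit check: a Password: prompt in the reassembled stream means a management
    password crossed this capture point unencrypted."""
    return "Password:" in server_text

# Constructed ASA->client segments (assumed values), out of order, seq 33 retransmitted.
SERVER_SEGMENTS = [(33, b"Password: "), (7, b"User Access Verification\r\n"),
                   (43, b"\r\nciscoasa> "), (33, b"Password: "),
                   (1, bytes([IAC, 253, 24, IAC, 251, 1]))]  # IAC DO TERMINAL-TYPE, IAC WILL ECHO
```

Feeding real segments from a capture into `reassemble` (one direction at a time) gives the same text Wireshark shows in the Follow TCP Stream window.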

Playing MUDs may be a better use of Telnet; the biggest risk there is getting eaten by a grue. Perhaps an out-of-band physical connection, or a connection over a secure network, would be more suitable for configuring an ASA via Telnet.


Additional Information:

Telnet command in the Cisco ASA 8.4 Command Reference.

Enable password command in the Cisco ASA 8.4 Command Reference.

Passwd command in the Cisco ASA 8.4 Command Reference.

Wireshark Formerly Ethereal. Best damned packet sniffer you’ll ever use.


3 Comments

  1. juantron
    Posted October 22, 2013 at 12:08 pm | Permalink

    Thanks.

  2. Posted December 12, 2015 at 10:23 pm | Permalink

    Yup, that’s Cisco alright and I can attest to your experience. Competitive advantage is what it’s all about. Besides, most companies I know don’t bother patching their Cisco gear. We’re lucky if they patch the Internet facing gear. Sure we never hear about these kinds of break-ins because the type of people that hack routers aren’t trying to rack up a few points on Zone-H.org so they can brag to their friends. He who owns the router is god because they redirect DNS requests and redirect email. If you can redirect email you can easily make requests for digital certificates for putting up fake SSL servers or even get a code signing certificate.

  3. Posted September 25, 2018 at 8:03 pm | Permalink

    This paragraph will help the internet viewers for building up new web site or even a blog from start to end.
