Router#sh ver
Cisco IOS Software, C2951 Software (C2951-UNIVERSALK9-M), Version 15.2(1)T3, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Thu 23-Aug-12 23:18 by prod_rel_team

ROM: System Bootstrap, Version 15.0(1r)M13, RELEASE SOFTWARE (fc1)

Router uptime is 2 minutes
System returned to ROM by reload at 08:12:30 UTC Thu Oct 11 2012
System restarted at 08:14:25 UTC Thu Oct 11 2012
System image file is "flash0:c2951-universalk9-mz.SPA.152-1.T3.bin"
Last reload type: Normal Reload
Last reload reason: Reload Command

This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute or use encryption. Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws. By using this product you agree to comply with applicable laws and regulations. If you are unable to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco CISCO2951/K9 (revision 1.1) with 487424K/36864K bytes of memory.
Processor board ID FGL160812PW
3 Gigabit Ethernet interfaces
1 terminal line
DRAM configuration is 72 bits wide with parity enabled.
255K bytes of non-volatile configuration memory.
250880K bytes of ATA System CompactFlash 0 (Read/Write)

License Info:
License UDI:

-------------------------------------------------
Device#   PID                   SN
-------------------------------------------------
*0        CISCO2951/K9          FGL160812PW

Technology Package License Information for Module:'c2951'

-----------------------------------------------------------------
Technology    Technology-package           Technology-package
              Current       Type           Next reboot
------------------------------------------------------------------
ipbase        ipbasek9      Permanent      ipbasek9
security      None          None           None
uc            None          None           None
data          None          None           None

Configuration register is 0x2102

Router#
Router#sh inv
NAME: "CISCO2951/K9 chassis", DESCR: "CISCO2951/K9 chassis"
PID: CISCO2951/K9      , VID: V05 , SN: FGL160812PW

NAME: "C2921/C2951 AC Power Supply", DESCR: "C2921/C2951 AC Power Supply"
PID: PWR-2921-51-AC    , VID: V03 , SN: DCA1552K1QG

Router#
Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#int gi0/0
Router(config-if)#ip address 192.168.1.2 255.255.255.0
Router(config-if)#no shutdown
Router(config-if)#
Oct 11 08:17:14.899: %LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to down
Oct 11 08:17:19.351: %LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to up
Oct 11 08:17:20.351: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to up
Router(config-if)#
Router(config-if)#line vty 0 4
Router(config-line)#password cisco123
Router(config-line)#exit
Router(config)#enable secret cisco123
Router(config)#
Router(config)#banner motd ^
Enter TEXT message.  End with the character '^'.
*~*~*~*~*~*~*~*~*~*~*~*~*~*~*
* This is a WARNING banner! *
*~*~*~*~*~*~*~*~*~*~*~*~*~*~*
^
Router(config)#
Router(config)#end
Router#
The output below shows that the router was listening only on TCP port 23 (Telnet).
However, during an Nmap slow comprehensive port scan it actually established TCP connections on ports 2002, 4002, 6002, and 9002, none of which appear as listeners.
Router#sh control-plane host open-ports
Active internet connections (servers and established)
Prot        Local Address      Foreign Address    Service    State
tcp                    *:23                *:0        Telnet   LISTEN

Router#
Router#sh control-plane host open-ports
Active internet connections (servers and established)
Prot        Local Address      Foreign Address    Service    State
tcp                  *:4002     192.168.1.1:53 TCP Protocols ESTABLIS
tcp                    *:23                *:0        Telnet   LISTEN
tcp                  *:6002     192.168.1.1:53 TCP Protocols ESTABLIS
tcp                    *:23     192.168.1.1:53        Telnet ESTABLIS
tcp                  *:9002     192.168.1.1:53 TCP Protocols ESTABLIS
tcp                  *:2002     192.168.1.1:53 TCP Protocols ESTABLIS

Router#
Router#sh control-plane host open-ports
Active internet connections (servers and established)
Prot        Local Address      Foreign Address    Service    State
tcp                    *:23                *:0        Telnet   LISTEN

Router#

After a while, the output again shows only TCP port 23 listening, so a single snapshot taken outside a scan window will miss these ports.
Below are the Nmap / Zenmap slow comprehensive scan results.
Below is the Windows Command Prompt screen when telnetting to TCP port 23.
Below is the Windows Command Prompt screen when telnetting to TCP ports 2002, 6002, and 9002.
Below is the Windows Command Prompt screen when telnetting to TCP port 4002.
The root cause is the Embedded Service Engine on the Cisco ISR G2 routers: its async line (line 2 below) accepts reverse connections on the ports seen in the scan. (more info here)
Router#sh line
   Tty Line Typ     Tx/Rx    A Modem  Roty AccO AccI  Uses  Noise Overruns  Int
*    0    0 CTY              -    -      -    -    -     0      2    0/0      -
     1    1 AUX   9600/9600  -    -      -    -    -     0      0    0/0      -
     2    2 TTY   9600/9600  -    -      -    -    -     4      0    0/0      -
   644  644 VTY              -    -      -    -    -     1      0    0/0      -
   645  645 VTY              -    -      -    -    -     0      0    0/0      -
   646  646 VTY              -    -      -    -    -     0      0    0/0      -
   647  647 VTY              -    -      -    -    -     0      0    0/0      -
   648  648 VTY              -    -      -    -    -     0      0    0/0      -

Line(s) not in async mode -or- with no hardware support:
3-643

Router#
Router#service-module ?
  Embedded-Service-Engine  cisco embedded service engine module

Router#service-module Embedded-Service-Engine 0/0 ?
  heartbeat-reset  Enable/disable Heartbeat failure to reset Service Module
  install          Install an application
  log              history of logs
  password-reset   Password reset of Service Module
  reload           Reload service module
  reset            Hardware reset of Service Module
  session          Service module session
  shutdown         Shutdown service module
  statistics       Service Module Statistics
  status           Service Module Information
  uninstall        Uninstall an application

Router#service-module Embedded-Service-Engine 0/0 session
IP address needs to be configured on interface Embedded-Service-Engine0/0
Router#
Router#sh run | sec Embedded
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
Router#
Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#int Embedded-Service-Engine0/0
Router(config-if)#ip address 192.168.1.2 255.255.255.0
% 192.168.1.0 overlaps with GigabitEthernet0/0
% 192.168.1.0 overlaps with GigabitEthernet0/0
Router(config-if)#no shutdown
% 192.168.1.0 overlaps with GigabitEthernet0/0
Embedded-Service-Engine0/0: incorrect IP address assignment
Router(config-if)#end
Router#
Router#service-module Embedded-Service-Engine 0/0 session
Trying 192.168.1.2, 2002 ... Open

*~*~*~*~*~*~*~*~*~*~*~*~*~*~*
* This is a WARNING banner! *
*~*~*~*~*~*~*~*~*~*~*~*~*~*~*

Router#disco 1
Closing connection to 192.168.1.2 [confirm]
Router#
Router#sh run | sec line 2
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
Router#
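As an added example (not code from the original post), here is a small Python audit that parses the "show control-plane host open-ports" output shown earlier, maps each reverse-connection port back to the TTY line it exposes, and flags anything that is not in an expected-port allowlist. The mapping assumes Cisco's reverse-connection convention of port = base + line number (2000 telnet, 4000 raw TCP, 6000 binary telnet, 9000 xremote); only the four bases matching the ports observed on this page are listed. The function names and the sample output strings are my own constructions, built from the snapshots on this page.

```python
"""Audit 'show control-plane host open-ports' output for reverse-connection
ports tied to async TTY lines (e.g. the Embedded-Service-Engine on line 2).

Added example; not code from the original post. The sample output below is
constructed from the snapshots shown in the post.
"""
import re
from dataclasses import dataclass

# Cisco reverse-connection convention: TCP port = base + TTY line number.
# Assumption: only the four bases matching the ports seen on the page
# (2002/4002/6002/9002 on line 2) are listed here.
REVERSE_PORT_BASES = {
    2000: "telnet",
    4000: "raw-tcp",
    6000: "binary-telnet",
    9000: "xremote",
}

# One data row: proto, local addr, foreign addr, service (may contain
# spaces), state. Header and prompt lines do not match.
SOCKET_RE = re.compile(
    r"^(?P<proto>tcp|udp)\s+(?P<local>\S+)\s+(?P<foreign>\S+)\s+"
    r"(?P<service>.+?)\s+(?P<state>LISTEN|ESTABLIS\w*)$"
)


@dataclass(frozen=True)
class Socket:
    proto: str
    local_port: int
    foreign: str
    service: str
    state: str


def parse_open_ports(text):
    """Return one Socket per data row of the show command output."""
    sockets = []
    for raw in text.splitlines():
        m = SOCKET_RE.match(raw.strip())
        if not m:
            continue
        port = int(m.group("local").rsplit(":", 1)[1])
        sockets.append(Socket(m.group("proto"), port, m.group("foreign"),
                              m.group("service").strip(), m.group("state")))
    return sockets


def reverse_line(port):
    """Map a port to (family, tty_line) if it is a reverse-connection port."""
    for base, family in REVERSE_PORT_BASES.items():
        if base <= port < base + 1000:
            return family, port - base
    return None


def audit(text, expected_ports=frozenset({22})):
    """Findings: reverse-connection ports (with the TTY line they expose) and
    any other listener or connection whose port is not in expected_ports."""
    findings = []
    for s in parse_open_ports(text):
        rl = reverse_line(s.local_port)
        if rl is not None:
            family, tty = rl
            findings.append(
                f"{s.proto}/{s.local_port} {s.state}: reverse {family} to TTY "
                f"line {tty} (peer {s.foreign}); review 'transport input' and "
                f"'access-class' on line {tty}"
            )
        elif s.local_port not in expected_ports:
            findings.append(
                f"{s.proto}/{s.local_port} {s.state}: unexpected service "
                f"'{s.service}'"
            )
    return findings


def exposed_lines(text):
    """Sorted TTY line numbers reachable through reverse-connection ports."""
    lines = set()
    for s in parse_open_ports(text):
        rl = reverse_line(s.local_port)
        if rl is not None:
            lines.add(rl[1])
    return sorted(lines)


# Constructed from the post's second snapshot (taken during the Nmap scan).
SAMPLE_DURING_SCAN = """\
Active internet connections (servers and established)
Prot        Local Address      Foreign Address    Service    State
tcp                  *:4002     192.168.1.1:53 TCP Protocols ESTABLIS
tcp                    *:23                *:0        Telnet   LISTEN
tcp                  *:6002     192.168.1.1:53 TCP Protocols ESTABLIS
tcp                    *:23     192.168.1.1:53        Telnet ESTABLIS
tcp                  *:9002     192.168.1.1:53 TCP Protocols ESTABLIS
tcp                  *:2002     192.168.1.1:53 TCP Protocols ESTABLIS
"""

# Constructed from the post's idle snapshot (only Telnet listening).
SAMPLE_IDLE = """\
Active internet connections (servers and established)
Prot        Local Address      Foreign Address    Service    State
tcp                    *:23                *:0        Telnet   LISTEN
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_DURING_SCAN):
        print(finding)
    print("exposed TTY lines:", exposed_lines(SAMPLE_DURING_SCAN))
```

Run against the scan-time snapshot, the audit reports all four reverse ports as belonging to TTY line 2 and also flags Telnet on port 23 because the default allowlist contains only SSH; pass expected_ports={22, 23} if Telnet is sanctioned. Because the idle snapshot shows nothing but port 23, the script is only as good as when the output was captured, which is the point the post makes: collect it while a scan or session is in progress, or audit "show line" and "transport input" on every async line directly.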
Solution #1: Disable line 2 completely. Not recommended, because this also blocks access to the service module from the router itself for troubleshooting and maintenance.
Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#line 2
Router(config-line)#transport input none
Router(config-line)#end
Router#
Router#service-module Embedded-Service-Engine 0/0 session
Trying 192.168.1.2, 2002 ...
% Connection refused by remote host
Router#
Solution #2: Define an access list and apply it as an access class on line 2 so that only certain hosts or IP subnet ranges can reach the service module. In the example below the access list permits only 192.168.1.2, the router's own GigabitEthernet0/0 address, so the session command issued from the router still works while remote hosts are refused.
Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#access-list 10 permit 192.168.1.2
Router(config)#line 2
Router(config-line)#access-class 10 in
Router(config-line)#end
Router#
Router#service-module Embedded-Service-Engine 0/0 session
Trying 192.168.1.2, 2002 ... Open

*~*~*~*~*~*~*~*~*~*~*~*~*~*~*
* This is a WARNING banner! *
*~*~*~*~*~*~*~*~*~*~*~*~*~*~*

Router#disco 1
Closing connection to 192.168.1.2 [confirm]
Router#
Thank you for this, very useful!
Very helpful, thanks man
Thank you! Most helpful!
Still very helpful! A security audit dinged me for answering up on "telnet" on my 2911, even though I am using SSH only. This was the issue. Thanks again, loved your CCNA book as well.
thanks a lot!
thank you very much for this! helps a lot....
nice