1
00:00:00,810 --> 00:00:09,180
Now, you may also want to disable CDP, especially on Internet-facing interfaces. In this example,

2
00:00:09,180 --> 00:00:16,379
by simply enabling CDP on this interface of the router, I'm able to see a lot of information on the

3
00:00:16,379 --> 00:00:17,250
local network.

4
00:00:18,030 --> 00:00:19,410
So let's have a look at the details.

5
00:00:22,670 --> 00:00:29,100
Here's the command show cdp neighbors detail. I can see, as an example, that there is a Cisco Unified

6
00:00:29,100 --> 00:00:33,060
Communications Manager with this IP address on the local network.

7
00:00:34,020 --> 00:00:43,800
I could then simply connect to that server and see what I can do, perhaps try and log in

8
00:00:45,190 --> 00:00:51,910
via trial and error and eventually discover what devices, phones and gateways are available on this

9
00:00:51,910 --> 00:00:52,490
server.

10
00:00:53,230 --> 00:00:56,080
I could even use this to access a device.

11
00:00:57,190 --> 00:01:02,350
So as an example, we can see that this phone is a Cisco DX 650.

12
00:01:05,180 --> 00:01:08,300
If we're not sure what that is, we can do a simple search in Google

13
00:01:09,930 --> 00:01:13,680
and we'll be able to find what kind of device that is.

14
00:01:16,600 --> 00:01:23,890
This phone runs the Android operating system, and then we could try and find vulnerabilities on that

15
00:01:23,950 --> 00:01:24,520
device.

16
00:01:25,090 --> 00:01:29,590
So it's as simple as that for a hacker to determine which devices are out there.

17
00:01:30,820 --> 00:01:36,240
Here's a Cisco switch with its IP address, and we could try and telnet to that.

18
00:01:36,880 --> 00:01:37,840
Here's the phone.

19
00:01:39,240 --> 00:01:41,650
So Cisco IP Phone DX 650,

20
00:01:42,620 --> 00:01:43,650
here's another phone,

21
00:01:44,600 --> 00:01:45,710
a 7970.

22
00:01:49,050 --> 00:01:52,860
We can even see how much power that phone is drawing from the local switch,

23
00:01:54,380 --> 00:02:01,700
and scrolling back, we can see that the Cisco DX 650 is drawing this amount of power. A lot of information

24
00:02:01,970 --> 00:02:08,090
can be discovered through CDP and other protocols, such as LLDP.

25
00:02:08,720 --> 00:02:15,200
You could look for vulnerabilities in a specific version of IOS and then try and hack that device.

26
00:02:15,230 --> 00:02:17,060
So on this interface,

27
00:02:19,670 --> 00:02:28,070
we would type no cdp enable, and that would disable CDP on that interface. These entries in the table

28
00:02:28,100 --> 00:02:33,590
will eventually time out, so we'd have to wait until they hit 0.

29
00:02:34,310 --> 00:02:41,390
Notice, as an example, that router 1 on this interface has a hold time of this value, which is a lot

30
00:02:41,390 --> 00:02:43,730
higher than some of the other values.

31
00:02:44,840 --> 00:02:47,990
In the output here, this should be refreshed

32
00:02:49,500 --> 00:02:53,340
because we're still running CDP on FastEthernet 0/0,

33
00:02:54,820 --> 00:02:58,900
but we've disabled CDP on FastEthernet 0/1.

34
00:03:01,980 --> 00:03:09,360
You can see, as an example, that at this point the core 3750 has 93 seconds as a hold time, and eventually

35
00:03:09,360 --> 00:03:10,980
that's going to time out.

36
00:03:13,460 --> 00:03:22,340
You can also disable CDP globally by typing no cdp run. I'm not going to do that now because

37
00:03:22,340 --> 00:03:29,660
I want to keep CDP running to the internal GNS3 part of the network. Notice router 1 once again

38
00:03:29,660 --> 00:03:36,260
has refreshed, whereas the other values are counting down, and I won't bore you waiting for that.

39
00:03:36,290 --> 00:03:40,060
They will eventually time out and be removed from the CDP table.

40
00:03:40,670 --> 00:03:44,750
So the moral of the story is: disable unnecessary services.

41
00:03:44,780 --> 00:03:51,650
Use this command to check what's enabled on your Cisco device, and disable CDP on interfaces where it's

42
00:03:51,650 --> 00:03:52,430
not required.

43
00:03:52,790 --> 00:03:58,850
If you're connecting to an IP phone, you may require CDP or Link Layer Discovery Protocol, or

44
00:03:58,850 --> 00:04:02,780
LLDP, but you wouldn't need that on an Internet-facing interface.

45
00:04:03,320 --> 00:04:05,420
So disable what's not required.

46
00:04:07,560 --> 00:04:14,070
While I was talking there, notice the 3750 has hit 0 as a hold time, and this phone has hit 2.

47
00:04:15,380 --> 00:04:22,250
So that's now timed out. So 0 seconds and 2 seconds: at the next refresh interval, those have timed out,

48
00:04:23,300 --> 00:04:29,870
and the same will happen for the remaining devices in the table; they'll all eventually time out.

49
00:04:29,910 --> 00:04:36,140
So here's the phone, and if you wait a few more seconds, notice we see the publisher now,

50
00:04:38,120 --> 00:04:43,730
and eventually all we see is the router internally.