1
00:00:01,430 --> 00:00:03,590
OK, so on the Cisco router

2
00:00:05,920 --> 00:00:17,950
I'm going to enable the HTTP service, so IP HTTP and I want to enable the HTTP server, so basically rather

3
00:00:17,950 --> 00:00:24,000
than Telnet into the router, I'm going to be able to open up an HTTP session to the router.

4
00:00:25,060 --> 00:00:27,550
What I'll do is start a Wireshark capture here

5
00:00:31,600 --> 00:00:35,910
and I'll filter for HTTP traffic, nothing has been captured at the moment.

6
00:00:36,550 --> 00:00:38,260
I'll go back to GNS3.

7
00:00:38,680 --> 00:00:41,440
Here's the console for the webterm client.

8
00:00:42,420 --> 00:00:49,260
So I'll see if I can ping the router, ping 10.1.1.254, so I can ping the router.

9
00:00:53,370 --> 00:00:55,680
What I'll do is start Firefox

10
00:00:58,080 --> 00:01:02,940
and connect to 10.1.1.254, that's the IP address of the router.

11
00:01:03,870 --> 00:01:10,650
I need to enter my username and password, which is Cisco in this example, I'm not going to save the

12
00:01:10,650 --> 00:01:11,370
password.

13
00:01:12,430 --> 00:01:22,600
I can go to diagnostic information and see syslog information, so that stuff is stored in the syslog. Exec,

14
00:01:23,170 --> 00:01:25,810
type command such as show IP interface brief

15
00:01:27,340 --> 00:01:35,110
run the command and notice there's the output of show IP interface brief. Show run will allow me to

16
00:01:35,110 --> 00:01:37,890
view the running configuration of the router.

17
00:01:38,440 --> 00:01:45,150
So I've now just retrieved the entire running configuration of the router through HTTP.

18
00:01:46,000 --> 00:01:46,990
Not a good idea

19
00:01:48,050 --> 00:01:56,930
because notice here I can see the information, so I can see, as an example, show tech, show extended

20
00:01:56,930 --> 00:02:01,310
ping commands, we can see a URL to cisco.com.

21
00:02:01,850 --> 00:02:03,310
We can see a favicon.

22
00:02:03,740 --> 00:02:07,940
We can see a whole bunch of information in the output here.

23
00:02:08,520 --> 00:02:15,890
So I'm able to view the HTTP text clearly, various commands, stuff like that.

24
00:02:16,430 --> 00:02:16,850
Let's go a

25
00:02:16,850 --> 00:02:17,990
bit further down.

26
00:02:20,340 --> 00:02:22,200
So I'll follow this information.

27
00:02:23,550 --> 00:02:25,290
Follow HTTP stream.

28
00:02:26,460 --> 00:02:31,440
Notice there's the show IP interface brief command, so I can see all of that.

29
00:02:34,040 --> 00:02:39,140
So be careful, because hackers or others will be able to view

30
00:02:42,050 --> 00:02:45,650
the running configuration of a router as shown here.

31
00:02:46,250 --> 00:02:47,890
Notice there's the enable password.

32
00:02:48,110 --> 00:02:57,890
So again, all I did was select some text, follow HTTP stream and I can see the stream, so I can see

33
00:02:58,640 --> 00:03:00,790
information such as the configuration.

34
00:03:01,250 --> 00:03:03,110
I can see clear text passwords.

35
00:03:03,170 --> 00:03:04,490
There's the enable password.

36
00:03:05,120 --> 00:03:09,820
I can see the vty password shown in clear text.

37
00:03:10,310 --> 00:03:17,450
Be very careful using clear text protocols, so I'm gonna filter for HTTP once again and notice right

38
00:03:17,450 --> 00:03:20,750
in the beginning we've got this unauthorized option.

39
00:03:25,350 --> 00:03:35,460
So we're told that we need level 15 access to access information on the server and then we've got to data

40
00:03:35,460 --> 00:03:42,060
sent from the client to the server and notice authorization credentials, Cisco, Cisco, so there we

41
00:03:42,060 --> 00:03:46,790
can see the username and the password used to access the server.

42
00:03:47,160 --> 00:03:49,510
So that's not very good.

43
00:03:50,340 --> 00:03:53,220
Let's try setting up a different username

44
00:03:53,220 --> 00:03:54,840
so username

45
00:03:55,960 --> 00:04:00,370
David, password Cisco. IP HTTP

46
00:04:02,650 --> 00:04:09,040
authentication, let's go for local, so that'll use a local username and password for authentication

47
00:04:09,760 --> 00:04:11,620
rather than just the enable password.

48
00:04:12,870 --> 00:04:16,589
I mean, what's scary about this is I've just picked up the enable password

49
00:04:17,600 --> 00:04:20,329
but let's go back to

50
00:04:22,220 --> 00:04:26,150
connecting to the server with the new username and password.

51
00:04:28,930 --> 00:04:31,090
So, 10.1.1.254

52
00:04:32,220 --> 00:04:33,960
David, password

53
00:04:42,080 --> 00:04:50,210
and what I'll also do is set the username David privilege level 15, so give him level 15 privileges.

54
00:04:51,590 --> 00:05:00,710
Try that again, notice I can log in, so I've been able to log in as David and do commands such as show

55
00:05:01,040 --> 00:05:05,540
IP interface brief, and that works again

56
00:05:06,470 --> 00:05:16,760
but now I'll scroll down through my Wireshark capture and what I'll do is just filter for HTTP.

57
00:05:18,270 --> 00:05:22,270
So there's unauthorized as a message.

58
00:05:23,160 --> 00:05:29,840
Next message, notice credentials, David Cisco, that gives me full privileges to the router.

59
00:05:30,300 --> 00:05:34,800
I have full rights to this router and can do anything on this router that I want to with that username

60
00:05:34,800 --> 00:05:35,410
and password.

61
00:05:36,060 --> 00:05:36,960
It's just crazy.

62
00:05:38,310 --> 00:05:48,710
So let's do another one, username Peter privilege 15, password Cisco123, great passwords

63
00:05:48,720 --> 00:05:49,110
those.

64
00:05:51,810 --> 00:05:56,430
I'll shut this browser down, connect again.

65
00:05:59,460 --> 00:06:05,250
10.1.1.254 Peter Cisco123.

66
00:06:06,940 --> 00:06:09,810
What was it, 123, yep, click OK.

67
00:06:11,470 --> 00:06:12,490
Won't save that

68
00:06:14,490 --> 00:06:20,340
type command, once again, such as show access lists, probably no access lists on this router so nothing

69
00:06:20,340 --> 00:06:20,630
there.

70
00:06:22,450 --> 00:06:24,400
Show interface

71
00:06:25,610 --> 00:06:32,510
Gigabit00 is the output of that command, but once again scrolling down

72
00:06:36,740 --> 00:06:38,330
in our Wireshark capture.

73
00:06:40,060 --> 00:06:43,660
There's unauthorized so we need 15 privileges.

74
00:06:45,490 --> 00:06:50,440
There's our username and password, Peter Cisco 123, and then once we've done that

75
00:06:50,440 --> 00:06:53,350
we can actually see all the data.

76
00:06:54,410 --> 00:06:59,080
So as an example, I'll follow the HTTP stream here.

77
00:07:00,430 --> 00:07:03,430
Notice there is a list of commands that I could use.

78
00:07:08,020 --> 00:07:09,130
Show this one.

79
00:07:11,590 --> 00:07:16,210
Notice there's the output of show interface, so show interface, gigabit 00.

80
00:07:16,670 --> 00:07:17,780
There's all the output.

81
00:07:18,040 --> 00:07:26,380
Don't use HTTP, don't use Telnet, don't use FTP and TFTP unless you're sending that across an encrypted

82
00:07:26,380 --> 00:07:26,830
tunnel.

83
00:07:27,430 --> 00:07:28,780
The stuff is in clear text.

84
00:07:28,960 --> 00:07:32,890
Anyone can grab your username and password and data if you use these protocols.

85
00:07:33,250 --> 00:07:34,180
So don't use them.

86
00:07:37,630 --> 00:07:44,530
Okay, I'll stop this Wireshark capture, and what I'll do is save this file, so HTTP.

87
00:07:46,560 --> 00:07:49,950
Be careful using these protocols, don't use them if possible.