CISCO IOS

Alpha Release: 0.8
Released Through: Rhino9 Team
By: JoeJ
Shouts: horizon, apk-, NeonSurge, Xaphan
----------------------------------------------------------------

Intro:
------
This release covers some information that was found while sniffing a
portscan session. What was found wasn't anything super special. I'm sure
anyone running a packet sniffer while performing a port scan on a Cisco
has seen this. However, it is the implications of this that are not fully
understood.

The Deal:
---------
Basically, any Cisco router or device running IOS code responds to
requests to port 1999 differently than to any other port. Follow the
diagram below for details.

[Computer]                        [Cisco]
SYN port 2000     -------->
                  <--------       RST,ACK

No big deal, that's how it should work. However:

[Computer]                        [Cisco]
SYN port 1999     -------->
                  Includes the string 'cisco' in payload
                  <-------        RST,ACK

Implications:
-------------
It is now easy to scan a large range of IP addresses to find Cisco
products. In the next week Rhino9 will hopefully release a Cisco scanning
utility. Even if the device doesn't allow access to an open port, it is
now possible to determine if a particular machine is Cisco hardware.

Fix:
----
The easy fix is to specify an IP filter to deny incoming TCP communication
to port 1999.

Future:
-------
It is unclear why this happens. Maybe someone can explain this. Either
way, Rhino9 will keep digging on this subject; there is something here.

The contents of this advisory are Copyright (c) 1998 Rhino9 Inc. This
document may be distributed freely, as long as proper credit is given.
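One way to check the fix described under "Fix" against a saved router configuration, as an added example that is not part of the Rhino9 advisory: it reads numbered extended ACLs and inbound "ip access-group" bindings and reports, per interface, whether TCP to port 1999 is dropped. The sample configuration is constructed, and the script assumes no standard or named ACLs and no source-port qualifiers.

```python
PORT = 1999  # the port the advisory says to filter
# Constructed sample configuration (not from the advisory).
SAMPLE = """\
interface Serial0
 ip access-group 101 in
interface Serial1
 ip access-group 102 in
interface Ethernet0
access-list 101 deny tcp any any eq 1999
access-list 101 permit ip any any
access-list 102 permit tcp any any gt 1023
access-list 102 deny tcp any any eq 1999
"""

def take_addr(tok):  # consume one spec: 'any', 'host X' or 'ADDR WILDCARD'
    n = 1 if tok[:1] == ["any"] else 2
    return " ".join(tok[:n]), tok[n:]

def covers_port(qual):
    """True if a destination-port qualifier (possibly empty) includes PORT."""
    qual = [q for q in qual if q != "log"]
    if len(qual) < 2 or not qual[1].isdigit():
        return not qual  # empty matches every port; 'established'/names do not
    op, lo = qual[0], int(qual[1])
    hi = int(qual[2]) if op == "range" and len(qual) > 2 else lo
    return {"eq": PORT == lo, "gt": PORT > lo, "lt": PORT < lo,
            "range": lo <= PORT <= hi}.get(op, False)

def verdict(entries):
    if entries is None:
        return "exposed"  # no inbound ACL bound, or the ACL is undefined
    for action, proto, src, dst, qual in entries:  # first match wins
        hit = proto in ("tcp", "ip") and covers_port(qual)
        if hit and (action == "permit" or src == dst == "any"):
            return "exposed" if action == "permit" else "filtered"
    return "filtered"  # implicit deny at the end of every IOS ACL

def audit(config):  # -> {interface: "filtered" | "exposed"}
    acls, bound, iface = {}, {}, None
    for t in (line.split() for line in config.splitlines()):
        if t[:1] == ["interface"] and len(t) > 1:
            iface = t[1]
            bound[iface] = None
        elif t[:1] == ["access-list"] and len(t) > 5:
            src, rest = take_addr(t[4:])
            dst, qual = take_addr(rest)
            acls.setdefault(t[1], []).append((t[2], t[3], src, dst, qual))
        elif t[:2] == ["ip", "access-group"] and t[-1] == "in" and iface:
            bound[iface] = t[2]
    return {i: verdict(acls.get(a)) for i, a in bound.items()}
```

Serial1 is reported as exposed because its permit for ports above 1023 is evaluated before the deny for 1999; any permit that can match the port is flagged, even one limited to specific sources.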