# Cisco Knowledge

# Enumeration - External

Check whether TCP port 4786 (Cisco Smart Install) is open or filtered, then check whether port 80 (the web management interface) is open.

Try the default credentials cisco:cisco.

# Usage - Cisco Commands

# Basic Commands

  • ? shows help
  • show version displays the ASA version
  • enable enters privileged mode
    • configure terminal enters global configuration mode
      • interface GigabitEthernet 0/0 configures interface GigabitEthernet 0/0
        • ip address 192.168.206.114 255.255.255.0 sets this IP address and mask on the interface
      • snmp-server host inside 192.168.206.1 community 0 public enables SNMP for host 192.168.206.1 on the inside interface with community string public (a well-known default; anyone who can reach SNMP with it can read device information)

# Configure SSH

ciscoasa# configure terminal
ciscoasa(config)# username admin password password
ciscoasa(config)# aaa authentication ssh console LOCAL
ciscoasa(config)# passwd password
ciscoasa(config)# crypto key generate rsa ?            

configure mode commands/options:
  general-keys  Generate a general purpose RSA key pair for signing and
                encryption
  label         Provide a label
  modulus       Provide number of modulus bits on the command line
  noconfirm     Specify this keyword to suppress all interactive prompting.
  usage-keys    Generate separate RSA key pairs for signing and encryption
  <cr>
ciscoasa(config)# crypto key generate rsa modulus ?

configure mode commands/options:
  1024  1024 bits
  2048  2048 bits
  4096  4096 bits
  512   512 bits
  768   768 bits

ciscoasa(config)#  ssh 192.168.206.1 255.255.255.0 inside
ciscoasa(config)#  ssh 192.168.206.137 255.255.255.0 inside
ciscoasa(config)#  ssh version 2

Pick a modulus of at least 2048 bits; 512, 768 and 1024 are offered but too weak. Note that the ssh lines above use a 255.255.255.0 mask, which permits SSH from the whole 192.168.206.0/24 network (so the second line adds nothing); use 255.255.255.255 to allow a single host.

# Enable Telnet

ciscoasa# configure terminal
ciscoasa(config)# aaa authentication telnet console LOCAL
ciscoasa(config)# telnet 0.0.0.0 0.0.0.0 inside

telnet 0.0.0.0 0.0.0.0 inside permits Telnet from any source address on the inside interface, and Telnet carries credentials in cleartext; restrict the source range or prefer SSH.

# CDP Protocol

Cisco Discovery Protocol (CDP) is a Cisco-proprietary Layer 2 protocol, enabled by default on Cisco devices, used to discover directly connected Cisco devices.

HELLO TIME

  • Interval in seconds between CDP advertisements, which are sent to the multicast MAC address 01:00:0c:cc:cc:cc (not a true broadcast)
  • Default is 60 s

HOLD TIME

  • Seconds a receiving device keeps a neighbour's entry in its CDP table before clearing it if no new advertisement arrives; default is 180 s
  • The CDP table contains all the information learned from CDP packets received from other devices

Anyone with Layer 2 access to the segment can craft CDP packets and send them onto the network.

Network Analysis

  • Capture the network for about 3 minutes with Wireshark (three 60 s hello intervals, so every neighbour advertises at least once) and read the CDP packets to gather information
  • If you send a malformed or inconsistent packet, the SOC can detect it and trigger alerts
  • Once you know the device information from your PCAP file, set the source MAC address of your custom CDP packets to match it

# Cisco Commands

enable
configure terminal
cdp run
interface GigabitEthernet 0/0
cdp enable
end
show cdp neighbors
show cdp neighbors detail

cdp run enables CDP globally and cdp enable enables it on an interface (both are on by default); show cdp neighbors detail (or show cdp entry *) prints the full CDP table including addresses and software versions.

# Version 1

Shares information such as:

  • Hostname (Device ID)
  • Interface names (Port ID)
  • IP addresses (learned even across a pure Layer 2 link, since CDP rides directly on Ethernet)
  • MAC address (the source MAC of the frame)
  • Device type (Capabilities: router, switch, host, etc.)
  • Software version and platform

# Version 2

Same information as Version 1 plus:

  • Native VLAN
  • Duplex
    • Full duplex = both devices can transmit at the same time
    • Half duplex = one device must wait until the other has finished (like a walkie-talkie)
  • Native VLAN mismatch detection (a mismatch between the two ends of a link is logged)
  • VTP management domain

# CDP Packet (4-byte header + TLVs)

  • Version (1 byte)
  • TTL / hold time (1 byte)
  • Checksum (2 bytes)
  • TLVs (type, length, value)
    • Each TLV has a 2-byte type and a 2-byte length (which counts the 4-byte TLV header), followed by the value
    • The Capabilities TLV is a bitmask that defines the device type: router, switch, host, phone, etc.
    • The Native VLAN TLV reveals VLAN information
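The CDP layout above, as an added Python example that is not part of the original notes: it builds a CDPv2 payload from chosen fields (the same operation a spoofer performs with values copied from a capture, as described under Network Analysis), computes and verifies the checksum, and decodes the TLVs back into the hostname, addresses, capabilities and native VLAN. The device name, address, platform and software strings are constructed sample data; the checksum routine assumes an even-length payload (Cisco handles an odd trailing byte differently), and the LLC/SNAP and Ethernet framing are not built.

```python
"""Build, checksum and parse CDP payloads (added example, not the notes' own code).

Wire format: 1-byte version, 1-byte hold time (TTL), 2-byte checksum, then TLVs
with a 2-byte type and a 2-byte length that includes the 4-byte TLV header.
On the wire the payload sits in an LLC/SNAP frame (OUI 00:00:0c, PID 0x2000)
sent to the multicast MAC 01:00:0c:cc:cc:cc; that framing is not built here.
"""
import struct

TLV_DEVICE_ID, TLV_ADDRESSES, TLV_PORT_ID, TLV_CAPABILITIES = 0x01, 0x02, 0x03, 0x04
TLV_SOFTWARE_VERSION, TLV_PLATFORM, TLV_NATIVE_VLAN, TLV_DUPLEX = 0x05, 0x06, 0x0A, 0x0B

# Capabilities TLV: 4-byte bitmask (names follow the "show cdp neighbors" legend).
CAPABILITY_BITS = [(0x01, "Router"), (0x02, "Trans Bridge"), (0x04, "Source Route Bridge"),
                   (0x08, "Switch"), (0x10, "Host"), (0x20, "IGMP"), (0x40, "Repeater"),
                   (0x80, "Phone")]


def internet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum. Assumption: even-length payload; Cisco
    treats an odd trailing byte differently from plain zero padding."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def tlv(type_code: int, value: bytes) -> bytes:
    return struct.pack("!HH", type_code, 4 + len(value)) + value


def addresses_tlv(ipv4_addrs):
    """Count, then per address: protocol type 1 (NLPID), protocol length 1,
    protocol 0xCC (IPv4), 2-byte address length, the address bytes."""
    body = struct.pack("!I", len(ipv4_addrs))
    for ip in ipv4_addrs:
        body += struct.pack("!BBBH", 1, 1, 0xCC, 4) + bytes(int(o) for o in ip.split("."))
    return tlv(TLV_ADDRESSES, body)


def build_cdp(device_id, port_id, ipv4_addrs, capabilities, native_vlan,
              software, platform, version=2, hold_time=180):
    """Assemble a CDPv2 payload; a spoofer fills these from a capture so the
    packet blends in with the real neighbour."""
    body = b"".join([
        tlv(TLV_DEVICE_ID, device_id.encode()),
        addresses_tlv(ipv4_addrs),
        tlv(TLV_PORT_ID, port_id.encode()),
        tlv(TLV_CAPABILITIES, struct.pack("!I", capabilities)),
        tlv(TLV_SOFTWARE_VERSION, software.encode()),
        tlv(TLV_PLATFORM, platform.encode()),
        tlv(TLV_NATIVE_VLAN, struct.pack("!H", native_vlan)),
    ])
    csum = internet_checksum(struct.pack("!BBH", version, hold_time, 0) + body)
    return struct.pack("!BBH", version, hold_time, csum) + body


def _parse_addresses(v: bytes):
    count, off, addrs = struct.unpack("!I", v[:4])[0], 4, []
    for _ in range(count):
        ptype, plen = v[off], v[off + 1]
        proto = v[off + 2:off + 2 + plen]
        alen = struct.unpack("!H", v[off + 2 + plen:off + 4 + plen])[0]
        addr = v[off + 4 + plen:off + 4 + plen + alen]
        if ptype == 1 and proto == b"\xcc" and alen == 4:  # only IPv4 decoded here
            addrs.append(".".join(str(b) for b in addr))
        off += 4 + plen + alen
    return addrs


def parse_cdp(payload: bytes) -> dict:
    """Decode the fields the notes care about; raise on truncation or bad checksum."""
    if len(payload) < 4:
        raise ValueError("truncated CDP header")
    if internet_checksum(payload) != 0:  # a correct packet sums to zero
        raise ValueError("bad CDP checksum")
    info, off = {"version": payload[0], "hold_time": payload[1]}, 4
    while off < len(payload):
        if off + 4 > len(payload):
            raise ValueError("truncated TLV header")
        t, length = struct.unpack("!HH", payload[off:off + 4])
        if length < 4 or off + length > len(payload):
            raise ValueError("malformed TLV length")
        v = payload[off + 4:off + length]
        if t in (TLV_DEVICE_ID, TLV_PORT_ID, TLV_SOFTWARE_VERSION, TLV_PLATFORM):
            name = {TLV_DEVICE_ID: "device_id", TLV_PORT_ID: "port_id",
                    TLV_SOFTWARE_VERSION: "software_version", TLV_PLATFORM: "platform"}[t]
            info[name] = v.decode(errors="replace")
        elif t == TLV_ADDRESSES:
            info["addresses"] = _parse_addresses(v)
        elif t == TLV_CAPABILITIES:
            bits = struct.unpack("!I", v)[0]
            info["capabilities"] = [n for b, n in CAPABILITY_BITS if bits & b]
        elif t == TLV_NATIVE_VLAN:
            info["native_vlan"] = struct.unpack("!H", v)[0]
        elif t == TLV_DUPLEX:
            info["duplex"] = "full" if v[0] == 1 else "half"
        off += length
    return info


# Constructed sample neighbour (not a real device), used by the demo and the checks.
SAMPLE = build_cdp("SW-CORE-01", "GigabitEthernet1/0/24", ["192.168.206.1"],
                   0x08 | 0x20, 10, "Cisco IOS Software, Version 15.2(7)E",
                   "cisco WS-C2960X-24TS-L")

if __name__ == "__main__":
    for key, value in parse_cdp(SAMPLE).items():
        print(f"{key:>17}: {value}")
```

Run the same parse_cdp over the CDP payload bytes of frames pulled from a Wireshark capture to extract neighbour data without reading each packet by hand; a packet whose checksum fails or whose TLV lengths overrun is exactly the kind of "wrong packet" that stands out to a SOC.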

# LLDP

If the network is hybrid (Cisco and other vendors' devices on the same network), the non-Cisco devices do not understand CDP, so everything uses LLDP, which Cisco devices also support.

  • IEEE 802.1AB

HOLD TIME

  • Default is 120 seconds on Cisco devices (carried in the TTL TLV; advertisements are sent every 30 seconds by default)

Transmit and receive

  • On each interface you can choose whether LLDP is transmitted, received or both (lldp transmit / lldp receive)
  • Access switches should only transmit
  • Core switches should only receive
  • A careless sysadmin enables both on every switch

# Version 1

  • Same as CDP v1

# Version 2

  • Same as CDP v2
  • Can provide additional functions such as shutting down interfaces
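An added Python example, not from the original notes, for the LLDP hold time described above: a minimal builder and parser for the 802.1AB TLV header (7-bit type, 9-bit length), plus a replay of received frames that applies each neighbour's TTL so you can see when an entry ages out of the table and how a TTL of 0 removes it at once. The MAC addresses, port names, system names and timings are constructed, and only the mandatory TLVs plus System Name/Description are decoded.

```python
"""Parse LLDPDUs and age a neighbour table by TTL (added example, not the notes' code).

LLDP frames use EtherType 0x88CC and destination MAC 01:80:c2:00:00:0e. Each TLV
has a 2-byte header: 7-bit type, 9-bit length. Chassis ID (1), Port ID (2) and
TTL (3) are mandatory and the LLDPDU ends with an End TLV (0).
"""
import struct

TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL, TLV_PORT_DESC, TLV_SYS_NAME, TLV_SYS_DESC = range(7)
CHASSIS_SUBTYPE_MAC, PORT_SUBTYPE_IFNAME = 4, 5


def lldp_tlv(tlv_type: int, value: bytes) -> bytes:
    if len(value) > 511:
        raise ValueError("LLDP TLV length field is 9 bits")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def build_lldpdu(chassis_mac: str, port_name: str, ttl: int, sys_name: str) -> bytes:
    mac = bytes.fromhex(chassis_mac.replace(":", ""))
    return b"".join([
        lldp_tlv(TLV_CHASSIS_ID, bytes([CHASSIS_SUBTYPE_MAC]) + mac),
        lldp_tlv(TLV_PORT_ID, bytes([PORT_SUBTYPE_IFNAME]) + port_name.encode()),
        lldp_tlv(TLV_TTL, struct.pack("!H", ttl)),
        lldp_tlv(TLV_SYS_NAME, sys_name.encode()),
        lldp_tlv(TLV_END, b""),
    ])


def parse_lldpdu(data: bytes) -> dict:
    """Walk the TLVs up to the End TLV; reject truncation and missing mandatory TLVs."""
    info, off = {}, 0
    while off + 2 <= len(data):
        hdr = struct.unpack("!H", data[off:off + 2])[0]
        t, length = hdr >> 9, hdr & 0x1FF
        v = data[off + 2:off + 2 + length]
        if len(v) != length:
            raise ValueError("truncated TLV")
        if t == TLV_END:
            break
        if t == TLV_CHASSIS_ID:
            info["chassis_id"] = (":".join(f"{b:02x}" for b in v[1:])
                                  if v[0] == CHASSIS_SUBTYPE_MAC else v[1:].hex())
        elif t == TLV_PORT_ID:
            info["port_id"] = (v[1:].decode(errors="replace")
                               if v[0] == PORT_SUBTYPE_IFNAME else v[1:].hex())
        elif t == TLV_TTL:
            info["ttl"] = struct.unpack("!H", v)[0]
        elif t == TLV_SYS_NAME:
            info["system_name"] = v.decode(errors="replace")
        elif t == TLV_SYS_DESC:
            info["system_description"] = v.decode(errors="replace")
        off += 2 + length
    for required in ("chassis_id", "port_id", "ttl"):
        if required not in info:
            raise ValueError(f"missing mandatory TLV: {required}")
    return info


def neighbor_table(frames, now: float) -> dict:
    """Replay (receive_time, lldpdu) pairs seen up to `now` and return what a
    receiver would still list: an entry lives TTL seconds after its last frame,
    and a frame with TTL 0 deletes it immediately."""
    table = {}
    for seen_at, pdu in sorted(frames, key=lambda f: f[0]):
        if seen_at > now:
            break
        n = parse_lldpdu(pdu)
        key = (n["chassis_id"], n["port_id"])
        if n["ttl"] == 0:
            table.pop(key, None)
        else:
            table[key] = {**n, "expires_at": seen_at + n["ttl"]}
    return {k: v for k, v in table.items() if v["expires_at"] > now}


# Constructed frames (not a real capture): a core switch advertising with the Cisco
# default TTL of 120 s, and an access switch that later announces shutdown (TTL 0).
CORE = build_lldpdu("00:11:22:33:44:55", "Gi1/0/1", 120, "SW-CORE-01")
ACCESS = build_lldpdu("66:77:88:99:aa:bb", "Gi0/24", 120, "SW-ACCESS-03")
ACCESS_BYE = build_lldpdu("66:77:88:99:aa:bb", "Gi0/24", 0, "SW-ACCESS-03")
FRAMES = [(0.0, CORE), (0.0, ACCESS), (30.0, CORE), (45.0, ACCESS_BYE)]

if __name__ == "__main__":
    for t in (10.0, 60.0, 200.0):
        names = sorted(n["system_name"] for n in neighbor_table(FRAMES, t).values())
        print(f"t={t:>5}s neighbours: {names}")
```

The replay shows why a 3-minute capture is the right order of magnitude: an interface that only transmits never shows up in its own table, and a neighbour that stops advertising lingers for a full TTL (120 s here) before it disappears.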

# Cisco Route

enable
show ip route

# Cisco VLAN

enable
show vlan

# Config Review ccat

GitHub source: https://github.com/frostbits-security/ccat

git clone https://github.com/frostbits-security/ccat.git
cd ccat
pip3 install -r requirements.txt

# CCAT - Usage

python3 ccat.py configuration.txt

# Extended Options

python3 ccat.py config_directory -vlanmap vlmap.txt -output result_html_files_directory --storm_level 40.0 --max_number_mac 100 --disabled-interfaces --no-console-display --graph network_map

  • configs - path to the configuration file or to a directory of configuration files
  • -vlanmap - path to the vlanmap file
  • -output - path to the output HTML files directory
  • --storm_level - acceptable level for storm-control (default 80)
  • --max_number_mac - maximum number of MAC addresses for port-security (default 10)
  • --disabled-interfaces - check interfaces even if they are shut down
  • --no-console-display - write analysis results only to the HTML files directory or the network graph
  • --dump-creds - dump usernames, passwords and hashes from the configs
  • --graph - builds a network map of VLANs (leave the argument empty for interactive mode, or give a file name with a .png extension for the graph output)