Cisco IOS Forensics
Incident
If you think your Cisco device has been hacked or misused, it is necessary to collect all relevant information and data.
But before you start doing "anything", it is important to slow down your heart rate, maybe drink a coffee, count slowly to 10, and then make a short list of what you want to do!
The next step is to prepare your environment for collecting data and information.
Important:
Make sure that every command you enter, and all output of those commands, is logged to a file!!
(turn on logging in your terminal/console program)
Write down in a log file what you are doing (with time, etc.); see other forensic hints on the internet.
 
Connect:
Find out how you can connect to the device: first try the "Console" port, this is the best way; next is SSH or Telnet.
If there is no way to connect to the device, you can scan the device and find out what is still working (is the router still routing? run traceroute to some targets). Then the time has come to restart the device. Make a log file of the boot sequence.
 
If the login with your accounts/passwords does not work, do a password reset/recovery, but never overwrite the configs!!
 
And now, if you have level 15 access, it is time to execute some show commands:
 
Users and Configurations
	show clock detail
	show version 
	show startup-config 
	show running-config
	show reload
	show kron schedule
	show users {all / summary}
	show who
Local logs, processes, memory
	show log 
	show debug
	show stacks
	show tech-support password 
	show processes {cpu/memory/history}
	show buffers
	show memory
	show environment /all
Network and Routing Info
	show ip route 
	show ip ospf {summary / neighbors / ...}
	show ip bgp summary
	show cdp neighbors
	show ip arp 
	show interfaces
	show ip interfaces
	show tcp brief all
	show ip sockets
	show control-plane host open-ports
	show connection detail
	show ip inspect session detail
	show ip nat translations verbose
	show ip cache flow
	show ip cef 
	show snmp {user/group/sessions/chassis/view}	
	show vlans
IPV6
	show ipv6 route
	show ipv6 ospf {summary / neighbors / ...}
	show ipv6 interface
	show ipv6 cef 
	show ipv6 inspect sessions detail	
And if you have VRFs
	show ip route vrf VRFNAME
	show ip vrf .... 
File System
	show flash:
	show file descriptors
	show file information "filename"
	show file systems 	
	dir /recursive all-filesystems 
Hardware
	show interfaces  {status/summary}
	show mac-address-table
	show hardware
	show inventory
ACLs
	show access-lists
ACE and other Boards
If you have additional boards, like an ACE module, you must change into every context and collect all data.
Final Jobs
Copy all files from flash to a secure place (including the IOS image).
Now collect all information from the external log server, TACACS server, ...
 
Now you can analyse the collected data. But remember: never work with the original files!
Tips and hints
Watch out for the following:
- GRE Tunnels
- TCL Scripts
- Route Maps
- additional users
- terminal length 0 -> for faster display on the console
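As an added example (not part of the original page): a small Python script that scans a collected running-config for the indicators listed above (GRE tunnels, TCL scripts, route maps, extra local users, kron jobs). The config excerpt is constructed for illustration and is not from a real device; the list of expected users passed to unexpected_users() is an assumption you replace with your own documented accounts.

```python
import re

# Constructed running-config excerpt (not from a real device) containing the
# kinds of entries listed under "Tips and hints".
SAMPLE_CONFIG = """\
hostname evil-router
!
username admin privilege 15 secret 5 $1$abcd$PLACEHOLDER-HASH
username svc-backup privilege 15 password 7 PLACEHOLDER
!
scripting tcl init flash:init.tcl
!
kron occurrence nightly at 2:00 recurring
 policy-list copy-cfg
!
interface Tunnel0
 ip address 10.99.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.10
 tunnel mode gre ip
!
interface GigabitEthernet0/0
 ip address 192.168.2.150 255.255.255.0
 ip policy route-map DIVERT
!
route-map DIVERT permit 10
 match ip address 101
 set ip next-hop 203.0.113.10
!
access-list 101 permit tcp any any eq 443
!
end
"""

# One regex per indicator, matched against each config line. Lines inside an
# interface or route-map block are indented by one space in IOS output.
INDICATORS = {
    "gre_tunnel": re.compile(r"^interface Tunnel\d+|^\s+tunnel mode gre\b"),
    "tcl_script": re.compile(r"^\s*(scripting tcl init|event manager applet|tclsh)\b"),
    "route_map":  re.compile(r"^route-map\s+\S+|^\s+ip policy route-map\s+\S+"),
    "local_user": re.compile(r"^username\s+(\S+)"),
    "kron_job":   re.compile(r"^kron (occurrence|policy-list)\b"),
}


def scan_config(config_text):
    """Return {indicator: [matching config lines]} for a running-config."""
    findings = {label: [] for label in INDICATORS}
    for line in config_text.splitlines():
        for label, pattern in INDICATORS.items():
            if pattern.search(line):
                findings[label].append(line.strip())
    return findings


def local_users(config_text):
    """Names of locally configured users, in config order."""
    users = []
    for line in config_text.splitlines():
        m = INDICATORS["local_user"].match(line)
        if m:
            users.append(m.group(1))
    return users


def unexpected_users(config_text, expected):
    """Local users that are not in your documented account list."""
    return sorted(set(local_users(config_text)) - set(expected))


def tunnel_destinations(config_text):
    """Remote endpoints of configured tunnels (peers you must be able to explain)."""
    return re.findall(r"^\s+tunnel destination (\S+)", config_text, re.M)


if __name__ == "__main__":
    # Sample run over the constructed config; the expected-user list is an assumption.
    for label, hits in scan_config(SAMPLE_CONFIG).items():
        print(f"{label}: {len(hits)} hit(s)")
        for hit in hits:
            print("    " + hit)
    print("unexpected users:", unexpected_users(SAMPLE_CONFIG, ["admin"]))
    print("tunnel destinations:", tunnel_destinations(SAMPLE_CONFIG))
```

Run it against the saved "show running-config" (and "show startup-config", since the two may differ) rather than against the live device, and extend INDICATORS with whatever your own baseline says should never appear.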

show tech-support
In a forensic case you have to execute "show tech-support password", because with plain "show tech-support" the passwords are replaced with <removed>.
Warning: If you send a "show tech-support" output file to someone else, check that the passwords and all VPN information have been removed.
	evil-router#sh tech-support ?
	  cef          CEF related information
	  ipmulticast  IP multicast related information
	  isis         CLNS and ISIS related information
	  mpls         MPLS forwarding and application related information
	  ospf         OSPF related information
	  page         Page through output
	  password     Include passwords
	  rsvp         IP RSVP related information
	  |            Output modifiers
	  

Open Ports
The equivalent of "netstat -nl" on a Cisco device is the following set of commands
(not all commands are implemented on all IOS versions):
	
	show ip sockets
	show udp
	show tcp brief
	show tcp brief all
	show control-plane host open-ports
Sample Output:
	evil-router#show ip sockets
	Proto    Remote      Port      Local       Port  In Out Stat TTY OutputIF
	 17 0.0.0.0             0 192.168.2.150      67   0   0 2211   0
	 17   --listen--          --any--           123   0   0    1   0
	 17 192.168.2.2       514 192.168.2.150   55838   0   0  210   0
	evil-router#show tcp brief all
	TCB       Local Address               Foreign Address             (state)
	84350F88  192.168.2.150.23            192.168.2.100.55286         ESTAB
	8434B4B0  *.1666                      *.*                         LISTEN
	845B97E8  *.443                       *.*                         LISTEN
	8438FF68  *.80                        *.*                         LISTEN
	evil-router#show control-plane host open-ports
	Active internet connections (servers and established)
	Prot        Local Address      Foreign Address                  Service    State
	 tcp                 *:22                  *:0               SSH-Server   LISTEN
	 tcp                 *:23                  *:0                   Telnet   LISTEN
	 tcp                 *:23  192.168.2.100:55286                   Telnet ESTABLIS
	 tcp                 *:80                  *:0                HTTP CORE   LISTEN
	 tcp               *:1666                  *:0                XDSL WHIP   LISTEN
	 tcp                *:443                  *:0                HTTP CORE   LISTEN
	 udp                 *:67                  *:0            DHCPD Receive   LISTEN
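As an added example (not part of the original page): Python parsers for the "show tcp brief all" and "show control-plane host open-ports" output shown above, so the captured session log can be checked against a documented baseline of services. The embedded text is the page's own sample output; the BASELINE set is an assumption and stands in for what your router is documented to offer.

```python
# Sample output copied from this page's "Open Ports" section (evil-router);
# in a real case you feed in the captured session log instead.
TCP_BRIEF_ALL = """\
TCB       Local Address               Foreign Address             (state)
84350F88  192.168.2.150.23            192.168.2.100.55286         ESTAB
8434B4B0  *.1666                      *.*                         LISTEN
845B97E8  *.443                       *.*                         LISTEN
8438FF68  *.80                        *.*                         LISTEN
"""

OPEN_PORTS = """\
Active internet connections (servers and established)
Prot        Local Address      Foreign Address                  Service    State
 tcp                 *:22                  *:0               SSH-Server   LISTEN
 tcp                 *:23                  *:0                   Telnet   LISTEN
 tcp                 *:23  192.168.2.100:55286                   Telnet ESTABLIS
 tcp                 *:80                  *:0                HTTP CORE   LISTEN
 tcp               *:1666                  *:0                XDSL WHIP   LISTEN
 tcp                *:443                  *:0                HTTP CORE   LISTEN
 udp                 *:67                  *:0            DHCPD Receive   LISTEN
"""


def parse_tcp_brief(text):
    """Rows of 'show tcp brief all': local address/port, foreign address, state."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] == "TCB":
            continue
        tcb, local, foreign, state = parts
        addr, port = local.rsplit(".", 1)   # IOS prints address.port
        rows.append({"tcb": tcb, "local": addr, "port": int(port),
                     "foreign": foreign, "state": state})
    return rows


def parse_open_ports(text):
    """Rows of 'show control-plane host open-ports'. The service name may
    contain spaces ("HTTP CORE"), so everything between the foreign address
    and the state column is taken as the service."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] not in ("tcp", "udp"):
            continue
        proto, local, foreign, state = parts[0], parts[1], parts[2], parts[-1]
        service = " ".join(parts[3:-1])
        rows.append({"proto": proto, "port": int(local.rsplit(":", 1)[1]),
                     "foreign": foreign, "service": service, "state": state})
    return rows


def listeners(open_ports_text):
    """Set of (proto, port, service) that are in LISTEN state."""
    return {(r["proto"], r["port"], r["service"])
            for r in parse_open_ports(open_ports_text) if r["state"] == "LISTEN"}


def unexpected_listeners(open_ports_text, baseline):
    """Listening (proto, port) pairs missing from the documented baseline."""
    return sorted((p, port) for p, port, _ in listeners(open_ports_text)
                  if (p, port) not in baseline)


def established_sessions(open_ports_text):
    """(service, foreign endpoint) for every non-LISTEN row: who is connected now."""
    return [(r["service"], r["foreign"])
            for r in parse_open_ports(open_ports_text) if r["state"] != "LISTEN"]


def tcp_ports_missing_from_open_ports(tcp_brief_text, open_ports_text):
    """TCP listeners seen by 'show tcp brief all' but absent from the
    control-plane listing; the two views should agree."""
    brief = {r["port"] for r in parse_tcp_brief(tcp_brief_text) if r["state"] == "LISTEN"}
    cp = {port for proto, port, _ in listeners(open_ports_text) if proto == "tcp"}
    return sorted(brief - cp)


if __name__ == "__main__":
    # BASELINE is an assumption: the services this router is documented to run.
    BASELINE = {("tcp", 22), ("tcp", 443), ("udp", 67)}
    print("unexpected listeners:", unexpected_listeners(OPEN_PORTS, BASELINE))
    print("established:", established_sessions(OPEN_PORTS))
    print("brief-only tcp ports:", tcp_ports_missing_from_open_ports(TCP_BRIEF_ALL, OPEN_PORTS))
```

With the assumed baseline the script reports Telnet (23), HTTP (80) and port 1666 as unexpected listeners and shows the one established Telnet session from 192.168.2.100, which is exactly the kind of entry to follow up in the TACACS and syslog data collected later.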

MD5
The exec command "verify" allows you to create MD5 hashes of the files in flash: or nvram:. This is sometimes useful to verify the version in flash: against the original version,
or, from the forensic point of view, to create hashes of files.
Warning:
It verifies only files in flash: or other storage, not the image running in memory!
Command:
	
	verify /md5 filesystem:filename [md5-hash]
Some samples:
	R1#verify /md5 c2600-bin-mz.123-18.bin
	.......................................................
	.....Output truncated....
	........................................................................................................Done!
	verify /md5 (flash:c2600-bin-mz.123-18.bin) = 924b54b97cd0f6372d70f29c116a3619
Compare with the MD5 hash from Cisco or another source.
	R1#verify /md5 c2600-bin-mz.123-18.bin 924b54b97cd0f6372d70f29c116a3691
	........................................................
	......Output truncated.....
	........................................................................................................Done!
	%Error verifying flash:c2600-bin-mz.123-18.bin
	Computed signature  = 924b54b97cd0f6372d70f29c116a3619
	Submitted signature = 924b54b97cd0f6372d70f29c116a3691
To verify the MD5 sum of a file on a Linux system use md5sum (on BSD md5, or fsum -md5 on Windows).
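As an added example (not part of the original page): a Python script that parses both forms of "verify /md5" output shown above, hashes the copy of the file you saved from flash (what md5sum would print), and reports whether the copy matches what the router hashed and whether the router's hash matches a reference value. The router output strings are the page's own samples; the temp file written by demo_with_constructed_file() is constructed, and its expected MD5 is the RFC 1321 test vector for "abc".

```python
import hashlib
import os
import re
import tempfile

# Both output forms shown on this page for "verify /md5" (R1 examples).
ROUTER_OUTPUT_OK = (
    "verify /md5 (flash:c2600-bin-mz.123-18.bin) = 924b54b97cd0f6372d70f29c116a3619\n"
)
ROUTER_OUTPUT_MISMATCH = """\
%Error verifying flash:c2600-bin-mz.123-18.bin
Computed signature  = 924b54b97cd0f6372d70f29c116a3619
Submitted signature = 924b54b97cd0f6372d70f29c116a3691
"""


def parse_verify_output(text):
    """Pull file name, router-computed hash and (if present) submitted hash
    out of 'verify /md5' output, whichever of the two forms the router printed."""
    info = {}
    m = re.search(r"verify /md5 \((\S+?)\) = ([0-9a-fA-F]{32})", text)
    if m:
        info["file"], info["computed"] = m.group(1), m.group(2).lower()
    m = re.search(r"%Error verifying (\S+)", text)
    if m:
        info["file"] = m.group(1)
    m = re.search(r"Computed signature\s*=\s*([0-9a-fA-F]{32})", text)
    if m:
        info["computed"] = m.group(1).lower()
    m = re.search(r"Submitted signature\s*=\s*([0-9a-fA-F]{32})", text)
    if m:
        info["submitted"] = m.group(1).lower()
    return info


def md5_file(path):
    """MD5 of a local file, read in chunks (same value md5sum would print)."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def check_copy(local_path, router_output, reference_hash=None):
    """Verdicts for one file: does the copied file match what the router hashed
    in flash:, and does the router's hash match a reference (e.g. Cisco's)?
    Neither check says anything about the image running in memory."""
    info = parse_verify_output(router_output)
    verdict = {
        "file": info.get("file"),
        "local_md5": md5_file(local_path),
        "router_md5": info.get("computed"),
    }
    verdict["copy_matches_router"] = verdict["local_md5"] == verdict["router_md5"]
    if reference_hash is not None:
        verdict["router_matches_reference"] = verdict["router_md5"] == reference_hash.lower()
    return verdict


def demo_with_constructed_file(content=b"abc"):
    """Write a constructed 'copied image' to a temp file and check it against a
    constructed router line. MD5("abc") = 900150983cd24fb0d6963f7d28e17f72 (RFC 1321)."""
    router_line = "verify /md5 (flash:constructed.bin) = 900150983cd24fb0d6963f7d28e17f72\n"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "constructed.bin")
        with open(path, "wb") as f:
            f.write(content)
        return check_copy(path, router_line)


if __name__ == "__main__":
    print(parse_verify_output(ROUTER_OUTPUT_MISMATCH))
    print(demo_with_constructed_file())                 # copy_matches_router: True
    print(demo_with_constructed_file(b"abc tampered"))  # copy_matches_router: False
```

In a real case pass the path of the file copied from flash: and the verify output captured in your session log; a copy that does not match the router's own hash was altered in transit and must be recopied before any analysis.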

Documents
- Router Forensics (Nicolas Fischbach)
- Router Forensics (Thomas Akin)

(c) 2009 by packetlevel.ch / last update: 25.10.2009