<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Learn-Networking.com &#187; router security</title>
	<atom:link href="http://learn-networking.com/tag/router-security/feed" rel="self" type="application/rss+xml" />
	<link>http://learn-networking.com</link>
	<description>Where 127.0.0.1 is Home.</description>
	<lastBuildDate>Sat, 27 Nov 2010 22:11:37 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3</generator>
		<item>
		<title>Enable Passwords On Cisco Routers Via Enable Password And Enable Secret</title>
		<link>http://learn-networking.com/network-security/enable-passwords-on-cisco-routers-via-enable-password-and-enable-secret</link>
		<comments>http://learn-networking.com/network-security/enable-passwords-on-cisco-routers-via-enable-password-and-enable-secret#comments</comments>
		<pubDate>Thu, 29 May 2008 17:27:36 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Router Configuration]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[cisco]]></category>
		<category><![CDATA[computer networking]]></category>
		<category><![CDATA[router]]></category>
		<category><![CDATA[router security]]></category>

		<guid isPermaLink="false">http://learn-networking.com/?p=155</guid>
		<description><![CDATA[Security is a part of every good technical administrator’s game plan. Luckily, the good folks at Cisco have made the task of securing a Cisco router fairly straightforward, with support for up to five types of passwords. Taking advantage of these passwords is vital to a network’s internal security, and they should be [...]]]></description>
			<content:encoded><![CDATA[<p class="MsoNormal">Security is a part of every good technical administrator’s game plan. Luckily, the good folks at Cisco have made the task of securing a Cisco router fairly straightforward, with support for up to five types of passwords. Taking advantage of these passwords is vital to a network’s internal security, and they should be implemented wherever permitted.<span id="more-155"></span></p>
<h3>Enable Password – The Most Basic Of Security Features</h3>
<p class="MsoNormal">The two most basic passwords a Cisco router supports are set with the <strong>enable password</strong> and <strong>enable secret</strong> commands. Depending on the IOS version, administrators will likely only need to set up the <strong>enable secret</strong> command.</p>
<p class="MsoNormal">On Cisco routers running IOS versions before 10.3, enable password is what will be used. It is the outdated one of the two, and we’ll see why it isn’t used in typical deployments after we enable it. You can set this basic password with the commands seen below.</p>
<blockquote>
<p class="MsoNormal"><span style="color: #000000;"><strong>Router&gt;</strong> enable</span></p>
<p class="MsoNormal"><span style="color: #000000;"><strong>Router#</strong> config terminal</span></p>
<p class="MsoNormal"><em><span style="color: #000000;">Enter configuration commands, one per line.<span> </span>End with CNTL/Z.</span></em></p>
<p class="MsoNormal"><span style="color: #000000;"><strong>Router(config)#</strong> enable password mypassword</span></p>
</blockquote>
<p class="MsoNormal">In this example, mypassword is the new password being set on the router. Try typing <strong>exit</strong> and then navigating back into privileged mode, as seen below.</p>
<blockquote>
<p class="MsoNormal"><span style="color: #000000;"><strong>Router&gt; </strong>enable</span></p>
<p class="MsoNormal"><strong><span style="color: #000000;">Password:</span></strong></p>
</blockquote>
<p class="MsoNormal">You’ll notice that before we can get into privileged mode, we have to enter the password we set earlier. If you followed the above example, you should be able to input mypassword and press Enter. You are now authenticated for privileged mode!</p>
<p class="MsoNormal">So why don’t we use the <strong>enable password</strong> command in most cases? The answer is simple: it is an outdated format that gives anyone who can view the configuration ample opportunity to take advantage of it. Try following the steps below and note what you see.</p>
<blockquote>
<p class="MsoNormal"><span style="color: #000000;"><strong>Router#</strong> show running-config</span></p>
<p class="MsoNormal"><em><span style="color: #000000;">Building configuration&#8230;</span></em></p>
<p class="MsoNormal"><em><span style="color: #000000;"> </span></em></p>
<p class="MsoNormal"><em><span style="color: #000000;">Current configuration : 162 bytes</span></em></p>
<p class="MsoNormal"><em><span style="color: #000000;">!</span></em></p>
<p class="MsoNormal"><em><span style="color: #000000;">version 12.2</span></em></p>
<p class="MsoNormal"><em><span style="color: #000000;">no service password-encryption</span></em></p>
<p class="MsoNormal"><em><span style="color: #000000;">!</span></em></p>
<p class="MsoNormal"><em><span style="color: #000000;">hostname Router</span></em></p>
<p class="MsoNormal"><em><span style="color: #000000;">!</span></em></p>
<p class="MsoNormal"><em><span style="color: #000000;">!</span></em></p>
<p class="MsoNormal"><strong><span style="color: #000000;">enable password mypassword</span></strong></p>
<p class="MsoNormal"><em><span style="color: #000000;">!</span></em></p>
</blockquote>
<p class="MsoNormal">As you can see, anyone who can view the running configuration can read the password in plain view. This is because it is stored as plain text, with no encryption applied at all! To help close this vast security hole, Cisco created the enable secret command. As you can probably guess, it makes use of encryption this time around.</p>
<h3>Enable Secret – An Evolved Form Of The Previous Example</h3>
<p class="MsoNormal">Encryption can be a tough subject to tackle. But Cisco has made the process of enabling an encrypted password just as easy as the previous example. In fact, we are only changing one word in the process!</p>
<blockquote>
<p class="MsoNormal"><span style="color: #000000;"><strong>Router#</strong> configure terminal</span></p>
<p class="MsoNormal"><em><span style="color: #000000;">Enter configuration commands, one per line.<span> </span>End with CNTL/Z.</span></em></p>
<p class="MsoNormal"><span style="color: #000000;"><strong>Router(config)#</strong> enable secret mypassword</span></p>
</blockquote>
<p class="MsoNormal">Note that many routers will warn the user at this point if the enable secret and the enable password have been set to the same value. The resulting message is only a warning, and administrators can indeed set both to the same thing, although this is not recommended: the plain-text enable password would then reveal the secret, which largely defeats the purpose of the enable secret command.</p>
<p class="MsoNormal">Now let’s go back to the very beginning and log into privileged mode once more. We’ll take a look at the running configuration in the example below.</p>
<blockquote>
<p class="MsoNormal"><span style="color: #000000;"><strong>Router# </strong>show running-config</span></p>
<p class="MsoNormal"><em><span style="color: #000000;">Building configuration&#8230;</span></em></p>
<p class="MsoNormal"><em><span style="color: #000000;"> </span></em></p>
<p class="MsoNormal"><em><span style="color: #000000;">Current configuration : 209 bytes</span></em></p>
<p class="MsoNormal"><em><span style="color: #000000;">!</span></em></p>
<p class="MsoNormal"><em><span style="color: #000000;">version 12.2</span></em></p>
<p class="MsoNormal"><em><span style="color: #000000;">no service password-encryption</span></em></p>
<p class="MsoNormal"><em><span style="color: #000000;">!</span></em></p>
<p class="MsoNormal"><em><span style="color: #000000;">hostname Router</span></em></p>
<p class="MsoNormal"><em><span style="color: #000000;">!</span></em></p>
<p class="MsoNormal"><em><span style="color: #000000;">!</span></em></p>
<p class="MsoNormal"><strong><span style="color: #000000;">enable secret 5 $1$mERr$7sOd0mgRuXYhHwfWsV4QZ/</span></strong></p>
<p class="MsoNormal"><strong><span style="color: #000000;">enable password mypassword</span></strong></p>
<p class="MsoNormal"><em><span style="color: #000000;">!</span></em></p>
</blockquote>
<p class="MsoNormal">Notice how the enable secret is displayed only as a hash (the 5 marks Cisco’s type 5 format), so the original password cannot simply be read back, while the outdated enable password is shown in plain view! It comes as no surprise that Cisco decided to do away with the older command in order to improve network security.</p>
<h3>Closing Comments</h3>
<p class="MsoNormal">We’ve discussed only two of the five different passwords that Cisco lets network administrators take advantage of. If you’d like to take security a step further, be sure to check out the next section, which discusses Telnet passwords, console passwords, and even auxiliary passwords!</p>
]]></content:encoded>
			<wfw:commentRss>http://learn-networking.com/network-security/enable-passwords-on-cisco-routers-via-enable-password-and-enable-secret/feed</wfw:commentRss>
		<slash:comments>14</slash:comments>
		</item>
		<item>
		<title>Securing Cisco Routers with No IP Directed-Broadcast</title>
		<link>http://learn-networking.com/network-security/securing-cisco-routers-with-no-ip-directed-broadcast</link>
		<comments>http://learn-networking.com/network-security/securing-cisco-routers-with-no-ip-directed-broadcast#comments</comments>
		<pubDate>Sun, 03 Feb 2008 03:41:25 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Router Configuration]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[router security]]></category>

		<guid isPermaLink="false">http://learn-networking.com/network-security/securing-cisco-routers-with-ip-directed-broadcast</guid>
		<description><![CDATA[One of several overlooked commands that can produce a world of hurt for networks is the IP Directed-broadcast command. This command was introduced in Cisco’s routers at IOS version 10. Cisco soon realized that this command was being maliciously exploited in denial of service attacks, and action had to be taken, particularly against smurf attacks. [...]]]></description>
			<content:encoded><![CDATA[<p class="MsoNormal">One of several overlooked commands that can produce a world of hurt for networks is the IP Directed-broadcast command. This command was introduced in Cisco’s routers at IOS version 10. Cisco soon realized that this command was being maliciously exploited in denial of service attacks, and action had to be taken, particularly against smurf attacks.</p>
<h3>How a Smurf Attack Works</h3>
<p class="MsoNormal">Smurf attacks are a type of denial of service attack in which the Internet Control Message Protocol (ICMP) and broadcasts are exploited. Normal ICMP echo requests (commonly referred to as pings) are used to verify network connectivity. But since they require a response from the target machine, they can be used maliciously to consume network resources if many are sent at once.</p>
<p class="MsoNormal">Broadcasts come into the equation because they make it possible to send a single request to every computer on a network. If such a broadcast were sent repeatedly, the resulting traffic would slow down the network. Imagine 100 computers sending back an ICMP reply at the same time; network performance would take a huge dip.</p>
<p class="MsoNormal">It should be noted that smurf attacks work via an attacker spoofing the source IP address of the broadcast ping: the address used is actually that of the victim the attacker chooses. When every computer on the network responds to the ICMP request, all of those replies go to the computer whose IP address the attacker borrowed. In this instance, the network only acts as an amplifier for the attack, not necessarily as the victim.</p>
<p align="center">  <img src="http://learn-networking.com/wp-content/uploads/2008/02/smurf-attack.jpg" alt="smurf attack" /></p>
<p class="MsoNormal">Unfortunately, smurf attacks leave the victim little room to recover once an attack is under way. Instead, the attack must be staved off at the network level via filtering, so that a network cannot be used as an amplifier in the first place. On Cisco routers we can do this specifically through the no ip directed-broadcast command.</p>
<h3>No IP Directed-Broadcast</h3>
<p class="MsoNormal">An IP Directed-Broadcast is simply an IP packet whose destination address is the broadcast address of a particular IP subnet. The broadcast in this instance is sent from a different network, as one could probably guess from the command name. (The packet is routed toward that subnet like any other IP packet, and the last-hop router turns it into a broadcast on the destination segment.)</p>
<p class="MsoNormal">Keep in mind that if you are running Cisco IOS version 12.0 or above, you do not need to follow these steps: No IP Directed-Broadcast has been enabled by default since IOS 12.0. It is strongly recommended that No IP Directed-Broadcast be enabled if your IOS version is below 12.0. If you aren’t sure which version you have, simply type in the following command from user exec mode:</p>
<p style="text-align: center" align="left"><img src="http://learn-networking.com/wp-content/uploads/2008/02/show-version.jpg" alt="show version" /></p>
<p class="MsoNormal">As you can tell in the above example, the version number is higher than 12.0. In this instance, we would not need to take further action. If the number happens to be below 12.0, then you will need to apply the No IP Directed-Broadcast command. First, you should find out the naming convention for your router’s interfaces, as shown below.</p>
<p style="text-align: center"><img src="http://learn-networking.com/wp-content/uploads/2008/02/show-ip-interface.jpg" alt="show ip interface" /></p>
<p class="MsoNormal" align="left">Now that we know our interface naming convention, FastEthernet 0/0, we can modify it. You may wish to write this down, since this is how you will refer to the interface from now on. You may now proceed to apply the command to the interface, as seen below.</p>
<p><img src="http://learn-networking.com/wp-content/uploads/2008/02/no-ip-directed-broadcast.jpg" alt="no ip directed broadcast" /></p>
<p class="MsoNormal">Note that we only applied this to a single interface (FastEthernet 0/0). It should be applied to all interfaces for maximum protection.</p>
<h3>Closing Comments</h3>
<p class="MsoNormal">Very few IP applications make use of IP directed broadcasts, so it is almost always perfectly fine to leave them off. You can, however, configure access lists to permit or deny specific IP Directed-Broadcasts. This is usually only feasible on smaller networks, since such access lists can be quite tedious to maintain as the network grows.</p>
]]></content:encoded>
			<wfw:commentRss>http://learn-networking.com/network-security/securing-cisco-routers-with-no-ip-directed-broadcast/feed</wfw:commentRss>
		<slash:comments>9</slash:comments>
		</item>
	</channel>
</rss>

