Some outright rants from a bunch of infosec practitioners.

TAG | Cisco

Good Evening,

Enno and I spent the first day on Cisco Live Europe in Berlin today attending the “Advanced Practical Knowledge for Enterprise Deploying IPv6” technical breakout held by Tim Martin and Jim Bailey. It was a good breakout session, and thanks again Tim for the honorable mention of our work in your slides! We really appreciate it. Like last year, we were curious how the Wifi network was setup this year as I face a corresponding task for Troopers in March, with some major changes in comparison to the last years. (more…)

, , | Post your comment here.

Hi everyone,

some of you may have seen my last blog post about the preparation of the Troopers network. Today I want to give you a little teaser on what to expect for the talk I will present during the IPv6 Security Summit. As the title implies, it’s not only about building a secure IPv6 WiFi, but also a reliable one. One might think that there aren’t many differences in comparison to IPv4, but the heavy reliance on multicast of IPv6 does have implications for Wi-Fi networks in general. (more…)

, , , , | Post your comment here.



DHCPv6 Option 52 on Cisco DHCPv6 Server


I am currently preparing the Troopers network in a lab environment to ensure that we all will have a smooth Wi-Fi experience during Troopers. I wanted to spice things up a little bit for the Wi-Fi deployment (more on that in a following blogpost) and get rid of IPv4 wherever possible. Our Wi-Fi infrastructure consists of typical Cisco Access Points (1602) and a 2504 Wireless LAN Controller. Beginning with WLC image 8.0 it is finally supported to establish the CAPWAP tunnel between the AP and the WLC over IPv6, which is awesome and I wanted to implement it right away. (more…)

, , | Post your comment here.


this is a short write up about the Maintenance Operation Protocol (MOP), an ancient remote management protocol from the DECnet protocol suite. It’s old, rarely used and in most cases not needed at all. But as we stumbled across this protocol in some network assessments, it seems like a lot of network admins and other users don’t know about it. Even various hardening guides we’ve seen don’t mention MOP at all.


, , , | Post your comment here.

Given that Enno and I are network geeks, and that I am responsible for setting up the Troopers Wifi network I was curious which components might be used at Cisco Live and which IPv6 related configuration was done for the Wifi network to ensure a reliable network and reduce the chatty nature of IPv6. Andrew Yourtchenko (@ayourtch) already did an amazing job last year at Cisco Live Europe explaining in detail (at the time session BRKEWN-2666) the intricacies of IPv6 in Wifi networks, and how to optimize IPv6 for these networks. He was also a great inspiration for me when setting up the Troopers Wifi network a couple of weeks later. Thank You!


, , | Post your comment here.

Recently we started playing around with Cisco’s virtual router, the CSR 1000V, while doing some protocol analysis. We found Cisco offering an BIN file for download (alternatively there is an ISO file which contains a GRUB boot loader and the BIN file, or an OVA file which contains a virtual machine description and the ISO file) and file(1) identifies it as DOS executable:

$ file csr1000v-universalk9.03.12.00.S.154-2.S-std.SPA.bin 
csr1000v-universalk9.03.12.00.S.154-2.S-std.SPA.bin: DOS executable (COM)

We didn’t manage to get the file running, neither in a (Free-)DOS environment, nor in a wine virtual DOS environment, except using the boot loader from the ISO file. So we became curious as for the structure and ingredients of the file.


, , | Post your comment here.



Fresh Meat From the Coding Front

Within the last months I had some time to work on my code and today I’m releasing some of that: a new version of dizzy as well as two new loki modules.


, , , , , , | Post your comment here.



A Word on Cisco Jabber

Recently we took a look on Ciscos XMPP client, called Cisco Jabber. The Client is used in combination with Ciscos Unified Communication Server (CUCM) and Ciscos Unified Presence Server (CUPS). Only the latter one is used for XMPP communication.

We built a small lab setup with this components (CUCM, CUPS and the Win7 Client) and watched the client working. (more…)

, , | Post your comment here.

Hi again and a happy new year 2013!

Lets continue were I left you the last time.


The CTL is basically a binary TLV file with 1 byte type, followed by 2 bytes length and finally the data. But as this is far to easy, some special fields omit the length field and just place the data after the type (I guess those are fields with a fixed length). Here is an example CTL file:

Red fields are the types (counting up), green fields are the length (note the missing length on some fileds) and the purple field contains the data (in this case data with a length of 8 bytes and a type 0x05, which is the signing cert serial number btw. [and yes, this is a real example; Cisco signs phone loads with this ‘random’ cert]).

The CTL contains a header with types from 0x01 to 0x0f which is padded with 0x0d. The same header is used for the signed files .sgn from the TFTP server later on. The header describes the file version, the header length, the certificate the file is signed by (further called Signing Cert), the corresponding Certificate Authority, the file name, the files time stamp and finally the signature. The header is followed by multiple cert entries, which again use types 0x01 to 0x0f.  The cert entry contains a role field 0x04 which describes the use of the cert. We are interested in the CAPF cert (0x04) and the Call Manager cert (0x02).

, , , | Post your comment here.

Some of you may have heard the topic before, as we have spoken about on this years BlackHat EuropeTROOPERS12  and HES12, so this is nothing completely new, but as we’re done with responsible disclosure (finally (-; )  and all the stuff should be fixed, we’re going to publish the code that brought us there. I will split the topic into two blog posts, this one will wrap up the setup, used components and protocols, the next one [tbd. till EOY, hopefully] will get into detail on the tools and techniques we used to break the enterprise grade security.

 The Components

First lets take a look on all the components involved in the setup:

As you can see in the picture, there are a lot of components and even more certificates involved. From left to right: (more…)

, , , | Post your comment here.

Older posts >>


Mail | Twitter | Imprint

©2016 ERNW GmbH
To top