Here’s a handy debug command for tracking L3 Glean attacks on IOS-based Cisco routers / L3 switches.

debug platform packet all receive buffer
show platform cpu packet buffered | i src|dst

From there, you can take the output, paste the contents into a file, then use some Linux foo to determine the attacker.

awk '{print $2}' file.txt | sort | uniq -c | sort -n

Supporting documentation: Built-in CPU Sniffer


I updated the ssh-multi.py script from my pyMultiChange repository. It’s now fully functional and allows you to enter ‘enable’ mode on Cisco routers and switches. As I’m using the paramiko library to interact with routers and switches via SSH, I had to switch from using the ‘exec_command’ API to the invoke_shell, send, and recv APIs. It took a little more work – and I’m not completely thrilled with how the ‘recv’ API is implemented in paramiko, but it’s what we have to work with for now.

The pyMultiChange repository is available on my GitHub.
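The invoke_shell / send / recv pattern described above, as an added example that is not code from ssh-multi.py or the pyMultiChange repository: recv returns whatever bytes have arrived so far, so the reader loops until a prompt appears at the end of the accumulated buffer. The function names, the prompt patterns and the timeout values are assumptions made for illustration.

```python
import re
import time

# Assumed IOS prompt shapes: "name>" (user EXEC), "name#" (privileged EXEC).
PROMPT = re.compile(rb"[\w.\-]+[>#]\s*$")
PASSWORD = re.compile(rb"[Pp]assword:\s*$")
PROMPT_OR_PASSWORD = re.compile(PROMPT.pattern + b"|" + PASSWORD.pattern)

def read_until(chan, pattern, timeout=10.0, poll=0.05):
    """Accumulate recv() chunks until `pattern` matches the end of the buffer."""
    # recv() hands back whatever has arrived, so one call may hold half a
    # prompt; only the accumulated buffer can be matched reliably.
    buf = b""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        if not chan.recv_ready():
            time.sleep(poll)
            continue
        chunk = chan.recv(4096)
        if not chunk:  # empty read means the remote side closed the channel
            break
        buf += chunk
        if pattern.search(buf):
            return buf
    raise TimeoutError(f"no match for {pattern.pattern!r}, tail={buf[-80:]!r}")

def enter_enable(chan, secret, timeout=10.0):
    """Move an interactive shell from user EXEC (>) to privileged EXEC (#)."""
    if read_until(chan, PROMPT, timeout).rstrip().endswith(b"#"):
        return  # login already landed in privileged EXEC
    chan.send(b"enable\n")
    read_until(chan, PASSWORD, timeout)
    chan.send(secret.encode() + b"\n")
    # A second "Password:" or a return to ">" means the secret was rejected.
    if not read_until(chan, PROMPT_OR_PASSWORD, timeout).rstrip().endswith(b"#"):
        raise PermissionError("enable secret rejected")

def run_enabled(host, user, password, secret, command):
    """Log in over SSH, enter enable mode, run one command, return its output."""
    import paramiko  # third-party; imported here so the helpers above stay testable
    with paramiko.SSHClient() as client:
        client.load_system_host_keys()  # unknown host keys are rejected by default
        client.connect(host, username=user, password=password)
        chan = client.invoke_shell()
        enter_enable(chan, secret)
        chan.send(b"terminal length 0\n")  # disable --More-- paging
        read_until(chan, PROMPT)
        chan.send(command.encode() + b"\n")
        return read_until(chan, PROMPT).decode(errors="replace")
```

Output that happens to end in `>` or `#` at a chunk boundary can match the prompt pattern early; anchoring the pattern on the device's actual hostname tightens it.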
