Home > Security Testlet

Security Testlet

May 20th, 2015 in ICND1, ICND1 100-101 Go to comments

Question

 

 

Security_SIM.jpg

Not sure about the requirement of this question but it is something like this:

Before this switch and router can be put to use in the network, what security risks can be found…

We are still not sure about the configurations in this sim but we got some information to share with you (updated on December-07-2011. Thanks Joe Mendola, xallax and many candidates who share the information!):

Maybe this is the configurations on Router and Switch (but notice that they are surely missing something):

ROUTER A CONFIGURATION

!
no service password-encryption
!
enable password cisco
!
username ciscouser privilege 15 password 0 cisco
!
banner motd ^CWelcome! If you encountered any problem, please consult the administrator^C
!
line vty 0 4
password 4t&34rkf
login local
transport input telnet ssh
!

 

SWITCH A CONFIGURATION

!
!
no service password-encryption
!
hostname switch1
enable password cisco
username ciscouser password 0 cisco
ip domain-name cisco.com

banner login ^c
************ welcome to Switch1. If you encountered any problem, please consult the administrator ************* ^c

line con 0
line vty 0 4
login login local
transport input ssh
line vty 5 15
login local
transport input ssh

Note: This is just what we gather and guess. In the exam the configurations may be different so make sure you understand about “enable secret”, “enable password”, “login”, “login local”, “transport input”, “line vty”, “service password-encryption”, “bannder motd”, “privilege” before taking this exam!

This sim has 4 questions:

Question 1

Guideline to answer this question:

Because the “service password-encryption” is not set on RouterA so the password to access privileged mode (via the command “enable password cisco”) is unencrypted. Also, the password for VTY is unencrypted (notice that the password “4t&34rkf” is in fact unencrypted) -> A is correct.

Although the banner says “Welcome …” but it does not leak any security information so it is still safe -> B is not correct.

From the command “transport input telnet ssh” we learn that remote access can be mad through telnet or SSH. This is also the default setting of Cisco router -> C is correct.

In the “line vty 0 4” configuration, the type of login is specified as “login local”. It means that the router will not use the password configured under “line vty 0 4” (in this case “4t&34rkf”) but it will use the user & password configured in “username ciscouser privilege 15 password cisco” command. The command “username ciscouser privilege 15 password cisco” will grant the privilege of 15 for “ciscouser” user -> D is correct.

Question 2

Guideline to answer this question:

A is correct as we can telnet from line 0 to line 4 (line vty o 4).

We can use both telnet and SSH to connect to this router (transport input telnet ssh) -> B is not correct.

C is correct as we can telnet to it.

D is not correct because by default, the timeout is set to 10 minutes on both the console and the vty ports.

E is not correct as NAT can be used even DHCP is not used.

Question 3

Guideline to answer this question:

Privilege mode on RouterA is protected with unencrypted password (via “enable password” command) -> A is correct.

B is not correct as mentioned above.

The password of VTY lines is “4t&34rkf”. Although it is unencrypted but it is not a weak password because it has number & special characters inside -> C is not correct.

Although a password of “4t&34rkf” is configured but with the command “login local”, router will use the username of “ciscouser” & password of “cisco” (configured in “username ciscouser privilege 15 password 0 cisco” command) -> D is correct.

By checking the configuration of routerA with the “show run” command. To support web server access it must have the command “ip http server” but it does not -> E is not correct.

Question 4

Guideline to answer this question:

We haven’t had enough information about switch configuration so we can’t be sure about the correct answers but the below is a guideline:

Answer B is surely not correct as the wording in banner does not leak any security information.

If under “line vty 0 4” you see the “login” command but it does not have a password then maybe answer C is correct. In this case if we try to telnet/ssh to the switch then we will receive a message “Password required, but none set” then we are kicked out ^^.

If you see popular username and password then maybe answer D is correct.

If the command “transport input …” specifies “telnet” as a method then answer E is correct.

For answer F, if you see something like this:

line vty 0 4
privilege level 15

or these lines:

username ciscouser privilege 15 password cisco

and

login local (in “line vty 0 4”)

then answer F is correct.

———————————-

Hope you will contribute your experience about this sim after taking the ICND1 exam. We will post here when we get new information about this sim as soon as possible.

Comments (1) Comments
Comment pages
1 4 5 6 115
  1. Suntzuthegod
    June 20th, 2016

    To the guy that posted “sites like this create idiots in the IT industry”
    I would beg to say that tests like MCSA, CCNA, Sec+, CEH, CCNP, A+, Sun Java cert, etc, etc, leads to a false sense of accomplishment. The reason is that just because you can pass a test (even if you study your butt off and use NO BRAIN DUMPS/CHEAT) does not mean you can correlate what you have learned to the real world.

    Often times, what you see on a test doesn’t even transfer to real world work. I would take an educated guess and say that only the basic foundations of each curriculum are actually used in the real world for MOST people whom will enter into the IT industry. Most workers will not be working for a company that will even use 50% of what you learn on exams.

    I can introduce you to 15 people at this very second that knows more about networking, programming, database design, computer/tech repair than 85% of the people on this site and not ONE of them could ace any one of the 100’s of exams certs out there because the TESTING WORLD does not equal REAL WORLD PRODUCTION ENVIRONMENT.

Comment pages
1 4 5 6 115