Random configuration analysis

Something funny happened recently. In the course of routine server maintenance, I discovered a bug with the nipper web front-end I had written for convenient configuration file auditing. When a text file is uploaded, it is temporarily written to disk so that the nipper executable can generate a pretty report. Ideally, the uploaded file is deleted even before the report is sent back to the requester. The line of code responsible for this action, however, has been silently failing to delete these files for the last year or so. As a result, I find myself with 2,184 random device configuration files submitted from all over the world.

If you've uploaded any sensitive or unsanitized configs to the parser (shame on you), you needn't worry: the configs are as good as deleted. However, I thought it might be interesting to do a half-assed (anonymous) analysis of what's been uploaded.

First, some statistics:

$ ls | wc -l
2184
$ du -sh .
71M .
$ ls -l | head -n 2
total 72008
-rw-r--r-- 1 stretch users   78281 Sep 14  2008 plnipper_20080914145016_PCykyD6m

That's 2,184 raw files (not necessarily valid configs) totaling 71 MB, the earliest of which is from 14 September 2008. After doing a spot-pruning of junk files (including tiny config bits, random terminal scripts, a copy of the cheat sheets zip archive someone was helpful enough to upload for safe keeping, and this), we're down to 2,147 files (65 MB).

So, what interesting numbers can we come up with? Keep in mind that each grep below counts matching lines across the whole archive rather than files, so a setting that appears several times in one config (a password 7 on every line, a transport input under every vty range) can easily exceed the number of files.

Device types and versions:

$ grep -ire "^version 12.4" . | wc -l
538
$ grep -ire "^version 12.3" . | wc -l
174
$ grep -ire "^version 12.2" . | wc -l
551
$ grep -ire "^version 12.1" . | wc -l
134
$ grep -ire "^version 12.0" . | wc -l
48
$ grep -ire "^version 11" . | wc -l
8
$ grep -ire "#version" . | wc -l
9
$ grep -ire "^PIX Version" . | wc -l
90
$ grep -ire "ASA version" . | wc -l 
98

Plain text passwords:

$ grep -ire " password 0 " . | wc -l
178
$ grep -ire "^enable secret [^5]" . | wc -l
58

That's not too bad, but it indicates that the password-encryption service is disabled far more often than I would have thought.

$ grep -ire "^no service password-encryption$" . | wc -l
96

How about obfuscated (yet trivially reversed) passwords?

$ grep -ire " password 7 " . | wc -l
4099

Ouch. Of course some of these passwords have been prudently removed by a responsible human before the config was uploaded, but from reviewing the matched lines in full (versus just the count) I can verify that it is a very small minority.
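To make concrete just how trivial the reversal is, here is an added example (mine, not code from the original post or from nipper) that decodes type 7 strings and pulls them out of a config. The key and the algorithm are the well-known fixed-key XOR that IOS uses for service password-encryption: the first two characters of the stored string are a decimal offset into a 40-byte constant, and each following pair of hex digits is one password byte XORed with the constant at that offset. The sample config and the passwords in it are constructed for the example.

```python
import re

# IOS's constant key for "type 7" obfuscation (service password-encryption).
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"

# A type 7 string is two decimal digits (the key offset) followed by an
# even number of hex digits, one pair per password character.
TYPE7_RE = re.compile(r"^[0-9]{2}(?:[0-9A-Fa-f]{2})+$")

# Lines that carry a type 7 string: "password 7 ..." on lines and usernames,
# and "key 7 ..." for TACACS+/RADIUS shared secrets.
TYPE7_LINE_RE = re.compile(r"\b(?:password|key)\s+7\s+([0-9A-Fa-f]+)\s*$")


def type7_decode(encoded: str) -> str:
    """Reverse a type 7 string, e.g. '094F471A1A0A' -> 'cisco'."""
    if not TYPE7_RE.match(encoded):
        raise ValueError(f"not a type 7 string: {encoded!r}")
    seed = int(encoded[:2], 10)          # starting offset into XLAT
    body = bytes.fromhex(encoded[2:])
    clear = bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(body))
    return clear.decode("ascii")


def type7_encode(cleartext: str, seed: int = 9) -> str:
    """Forward direction, for round-trip tests; IOS picks the seed itself (0-15)."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 0..15")
    data = cleartext.encode("ascii")
    body = bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(data))
    return f"{seed:02d}{body.hex().upper()}"


def find_type7(config_text: str) -> list[tuple[int, str, str]]:
    """Return (line number, encoded, decoded) for every type 7 string in a config."""
    hits = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        m = TYPE7_LINE_RE.search(line)
        if m:
            hits.append((lineno, m.group(1), type7_decode(m.group(1))))
    return hits


# Constructed sample config for the example (not one of the uploaded files).
SAMPLE_CONFIG = """\
!
username admin password 7 104F0D140C19
tacacs-server key 7 094F471A1A0A
!
line vty 0 4
 password 7 0822455D0A16
 login
!
"""

if __name__ == "__main__":
    for lineno, enc, dec in find_type7(SAMPLE_CONFIG):
        print(f"line {lineno}: {enc} -> {dec}")
```

Run against the sample it prints admin, cisco and cisco for the three strings. Because the key is fixed and public, "removing" a type 7 string from a config before sharing it is the only thing that protects it; the encoding itself protects nothing.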

Hoping these are lab devices:

$ grep -ire " password 0 cisco[0-9]*" . | wc -l
37
$ grep -ire "^enable secret cisco[0-9]*" . | wc -l
8

No AAA (legacy line and enable passwords only):

$ grep -ire "^no aaa new-model" . | wc -l
503

Well-known SNMP communities:

$ grep -ire "^snmp-server community public " . | wc -l
138
$ grep -ire "^snmp-server community private " . | wc -l
39
$ grep -ire "^snmp-server community public RO$" . | wc -l
27
$ grep -ire "^snmp-server community private RW$" . | wc -l
3

Seriously guys?

IPv6 (I was really hoping these would be higher):

$ grep -ire "^ipv6 unicast-routing" . | wc -l
22
$ grep -ire " ipv6 address " . | wc -l
138

Routing protocols:

$ grep -ire "^router rip" . | wc -l
123
$ grep -ire "^router eigrp" . | wc -l
312
$ grep -ire "^router ospf" . | wc -l
401
$ grep -ire "^router isis" . | wc -l
22
$ grep -ire "^router bgp" . | wc -l
202

Telnet and SSH:

$ grep -ire "transport input telnet" . | wc -l
590
$ grep -ire "transport input ssh" . | wc -l
611
$ grep -ire "transport input all" . | wc -l
133
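As an added example (mine, not code from the original post or from nipper), here are the greps above collected into a per-config audit, which reports files alongside matching lines so the two counts are not confused. The two sample configs are constructed; treating enable secret types 8 and 9 (the later PBKDF2 and scrypt formats) as hashed is my addition, since configs from this era would only have had type 5.

```python
import re
from collections import Counter

# Each check is one of the greps from the post as a multi-line regex.
# audit() counts matching lines, like grep | wc -l; corpus_summary()
# adds a per-file count next to it.
CHECKS = {
    # "password 0" only shows up when service password-encryption is off
    "type0_password": re.compile(r"\bpassword 0 \S", re.M),
    # anything other than a hashed enable secret (5 = MD5; 8/9 = PBKDF2/scrypt)
    "enable_secret_not_hashed": re.compile(r"^enable secret (?![589] )\S", re.M),
    "default_cisco_password": re.compile(r"\bpassword 0 cisco[0-9]*\s*$", re.M),
    "no_service_password_encryption": re.compile(r"^no service password-encryption\s*$", re.M),
    "no_aaa_new_model": re.compile(r"^no aaa new-model\s*$", re.M),
    "default_snmp_community": re.compile(r"^snmp-server community (?:public|private)\b", re.M),
    "telnet_allowed": re.compile(r"^\s*transport input (?:telnet|all)\b", re.M),
}


def audit(config_text: str) -> dict[str, int]:
    """Return {check name: number of matching lines} for the checks that fire."""
    result = {}
    for name, pattern in CHECKS.items():
        n = len(pattern.findall(config_text))
        if n:
            result[name] = n
    return result


def corpus_summary(configs: dict[str, str]) -> dict[str, Counter]:
    """Line counts (what grep | wc -l gives) next to file counts, per check."""
    lines, files = Counter(), Counter()
    for text in configs.values():
        for name, n in audit(text).items():
            lines[name] += n
            files[name] += 1
    return {"lines": lines, "files": files}


# Constructed sample configs for the example (not uploaded files).
SLOPPY_CONFIG = """\
version 12.4
no service password-encryption
hostname sloppy
!
enable secret cisco123
username ops password 0 cisco
no aaa new-model
snmp-server community public RO
snmp-server community private RW
line vty 0 4
 transport input telnet
line vty 5 15
 transport input all
"""

TIDY_CONFIG = """\
version 12.4
service password-encryption
hostname tidy
!
aaa new-model
enable secret 5 $1$abcd$placeholderhashvalue
snmp-server community s3cretRO RO
line vty 0 15
 transport input ssh
"""

if __name__ == "__main__":
    summary = corpus_summary({"sloppy": SLOPPY_CONFIG, "tidy": TIDY_CONFIG})
    for name in CHECKS:
        print(f"{name:32} lines={summary['lines'][name]:3} files={summary['files'][name]:3}")
```

The sloppy config trips every check, with telnet_allowed and default_snmp_community each firing on two lines but counting as one file; the tidy one trips none. Pointing the same loop at a directory of uploads is a one-line change, and the file column is the one to quote when saying how many devices have a given weakness.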

And finally, by far the most shockingly low count:

$ grep -ire "fuck" . | wc -l
1

If anyone has any other suggestions for interesting numbers before I delete the archive, be sure to mention them in a comment.

About the Author

Jeremy Stretch is a networking engineer and the maintainer of PacketLife.net. He currently lives in the Raleigh-Durham area of North Carolina. Although employed full-time out of necessity, his true passion lies in improving the field of network engineering around the world. You can contact him by email or follow him on Twitter.

Comments

You should check to see which 12.2 configs are from routers and which are from switches. I'd like to see how many routers are running an outdated 12.2, without the current 12.2 switch IOS changing the results.

some interesting lines:
"tacacs-server" vs "radius-server"
"^access-list" vs "^ip access-list"
"crypto.*trustpoint"
"no service password-recovery"

thus we will see how wide features from 12.4 are adopted:
"^archive$"
"^event manager"

$ grep -ire "fuck" . | wc -l
1

Lol

grep -ire "fuck" . | wc -l

=

grep -irec "fuck" .

Great use of an accidental archive of data.

Rather than out and out deleting it, why don't you archive the data in something like an offline password protected zip (or the likes) so that you could go back and run more queries later? Just a thought.

Grant. . . .

P.S. Keep up the great blog.

@Paul: You can't put c after the e (unless you're grepping for c).

grep -irce "fuck"

or the mnemonic

grep -rice "fuck"

Can you check this command: "mac-address-table unicast-flood limit 3 vlan 100 filter 5"? I have a doubt about the "filter" keyword. Can you give an explanation? Thank you.

Ouch, some of those statistics are sad.

You may consider adding an option to the script, allowing the submitter to have the config included in anonymous statistics similar to what you already collected. You could then keep a running tally with a stats page. Might be kind of interesting if enough people would agree to that.

--cheers

Well, there's an article idea for you.. how to not configure.

Not that I need it or anything.. ahem. :)

The following would be interesting too:

^ip http server
^ip http secure-server
^ access-class (invert grep)
^no cdp run
^ip dns server
^ip sla responder|^rtr responder
^service internal
^ip ssh version 2

That's very interesting... Rather than delete the archive, I would suggest running the files through a filter to, you know... filter out passwords & keys & anonymize any public IPs.

Some more interesting things to look for may occur later.

eg. How many of those bgp device configs had a maxas-limit spec'ed out?
How many use TTL-based security, peer md5 auth.. authentication with their ospf?

How many of those devices use proxy arp? How many have logging left disabled, or enabled to, say a syslog server?

And there's some interesting trending you could do also, maybe...

E.g. Has there been any change over time, in the versions being used, or telnet/ssh protocol?

Were just as many configs (proportionally) at the beginning of the year still using telnet towards the end of 2009? Or was there a trend towards more SSH use?

I would hope that there would be a trend away from use of the earlier versions, but it's tough to tell, unless you can make a scatterplot, based on version numbers and times that configs using those version numbers got entered.

That is, if you still have timestamps for the files.
