Assignment # 2
CLO3:C3
Marks: 10
Task 1:
Select routers in Packet Tracer, change their hostnames to R0 and R1, and build the following
topology:
Assign the IP addresses using the CLI so that both PCs can ping each other.
Network Security & Cryptography
Step 1: Configure a minimum password length for the router.
Use the security passwords command to set a minimum password length of 10 characters.
R1(config)#security passwords min-length 10
Step 2: Configure the enable secret password.
Configure the enable secret encrypted password.
R1(config)#enable secret cisco12345
How does configuring an enable secret password help protect a router from being compromised by
an attack?
Setting an enable secret password enhances router security by introducing an extra protection
layer for privileged mode. It encrypts the password, making it harder for unauthorized users to
access important configuration data and compromise the system. I also specified a minimum
password length of 10 characters and configured a secret password accordingly.
Step 3: Configure basic console, auxiliary port, and virtual access lines.
Note: Passwords in this task are set to a minimum of 10 characters but are relatively simple for the
benefit of performing the lab. More complex passwords are recommended in a production network.
a. Configure a console password and enable login for the routers. For additional security, the
exec-timeout command causes the line to log out after 5 minutes of inactivity. The logging
synchronous command prevents console messages from interrupting command entry.
Note: To avoid repetitive logins during this lab, the exec-timeout command can be set to 0 0, which
prevents it from expiring. However, this is not considered a good security practice.
R1(config)#line console 0
R1(config-line)#password ciscocon
R1(config-line)#exec-timeout 5 0
R1(config-line)#login
b. Configure a new password of ciscoconpass for the console.
c. Configure a password for the AUX port for router R0 and R1.
R1(config)#line aux 0
R1(config-line)#password ciscoauxpass
R1(config-line)#exec-timeout 5 0
R1(config-line)#login
d. Telnet from PC-1 to R0.
PC-1>telnet 10.1.1.1
// the IP must be the one you assigned to the router interface, for example:
R0(config)#interface FastEthernet0/0
R0(config-if)#ip address 10.1.1.1 255.0.0.0
R0(config-if)#no shutdown
%LINK-5-CHANGED: Interface FastEthernet0/0, state changed to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, state transitioned to up
Were you able to login? Why or why not? I couldn't access the router via Telnet because the VTY
lines were not set up during configuration.
What messages were displayed?
Connection to 10.1.1.1 is closed by foreign host
e. Configure the password on the vty lines for router R0 and R1.
R1(config)#line vty 0 4
R1(config-line)#password ciscovtypass
R1(config-line)#exec-timeout 5 0
R1(config-line)#login
f. Telnet from PC-1 to R0 and R1 again. Were you able to login this time?
I was able to log in to Router 0 since the VTY lines were correctly configured, but I couldn’t
establish a Telnet connection to Router 1 because, although its VTY lines were set, the routing
protocol hadn’t been configured.
g. Telnet from PC-0 to R0 using both interfaces of the router.
Yes, Telnet access was successful from both interfaces of Router R0, which confirms that its
interfaces have been properly configured to allow remote login.
h. Enter privileged EXEC mode and issue the show run command. Can you read the enable secret
password? Why or why not?
No, I’m unable to view the enable secret password since it’s encrypted using a hashing algorithm.
The router stores it in a coded format within the configuration file, which makes it impossible to
read directly.
Can you read the console, aux, and vty passwords? Why or why not?
No, I can’t read those passwords either, as they remain difficult to decode even if someone manages
to access the configuration file.
Step 4: Encrypt clear text passwords.
a. Use the service password-encryption command to encrypt the console, aux, and vty passwords.
R1(config)# service password-encryption
b. Issue the show run command. Can you read the console, aux, and vty passwords? Why or why
not?
Once the "service password-encryption" command is executed, the passwords set for the console,
auxiliary (aux), and virtual terminal (vty) lines will be encrypted in the router's configuration.
When I run the "show run" command to check the running configuration, the passwords will no
longer be visible in plain text; instead, they will appear in their encrypted form.
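As an added example (not part of the lab or of Cisco IOS itself), the following Python script audits a saved "show running-config" excerpt for the Task 1 hardening steps: minimum password length, enable secret, service password-encryption, and, on each console/aux/vty line, a login method and a non-zero exec-timeout. The sample configuration is constructed and its hash and type-7 strings are placeholders.

```python
import re
# Constructed sample of "show running-config" output after Task 1; hashes are placeholders.
SAMPLE_CONFIG = """\
security passwords min-length 10
service password-encryption
enable secret 5 $1$PLACEHOLDER$placeholderhash
line con 0
 password 7 PLACEHOLDER7
 exec-timeout 5 0
 login
line aux 0
 password 7 PLACEHOLDER7
 exec-timeout 0 0
 login
line vty 0 4
 password 7 PLACEHOLDER7
 exec-timeout 5 0
 login
"""

def parse_lines(config):
    # Map each "line <name>" block to its indented sub-commands.
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[5:].strip()
            blocks[current] = []
        elif current is not None and raw.startswith(" "):
            blocks[current].append(raw.strip())
        else:
            current = None  # any other top-level command ends the block
    return blocks

def audit(config):
    # Return findings for the Task 1 hardening steps; an empty list means all pass.
    findings = []
    m = re.search(r"^security passwords min-length (\d+)$", config, re.M)
    if m is None or int(m.group(1)) < 10:
        findings.append("global: minimum password length below 10")
    if not re.search(r"^enable secret ", config, re.M):
        findings.append("global: enable secret not configured")
    if not re.search(r"^service password-encryption$", config, re.M):
        findings.append("global: service password-encryption is off")
    for name, cmds in parse_lines(config).items():
        if "login" not in cmds and "login local" not in cmds:
            findings.append(f"line {name}: login not enabled")
        timeout = next((c.split() for c in cmds if c.startswith("exec-timeout ")), None)
        if timeout is None or timeout[1:3] == ["0", "0"]:
            findings.append(f"line {name}: exec-timeout missing or disabled (0 0)")
    return findings
```

On the sample, only the aux line fails (its exec-timeout is 0 0, the setting the lab notes is not good practice); note that type 7 line passwords are reversible obfuscation, so this check only confirms cleartext is not stored.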
Task 2:
Configure Login Warning Banners on Routers R0 and R1
Step 1: Configure a warning message to display prior to login.
a. Configure a warning to unauthorized users with a message-of-the-day (MOTD) banner using the
banner motd command. When a user connects to one of the routers, the MOTD banner appears
before the login prompt. In this example, the dollar sign ($) is used to start and end the message.
R1(config)#banner motd $Unauthorized access strictly prohibited and prosecuted to the full extent of the law$
R1(config)#exit
b. Issue the show run command. What does the $ convert to in the output?
It is used to mark the beginning and end of the banner message. This distinction makes it easier to
identify the start and end of the banner message in the router's configuration.
c. Now save the running configuration of the router and then reload the router.
Does the MOTD banner look like what you created with the banner motd command? yes
d. Now using the banner login command, set the banner for login.
Task 3:
Configure Enhanced Username Password Security on Routers R0 and R1.
Step 1: Investigate the options for the username command.
In global configuration mode, enter the following command:
R1(config)#username user01 password ?
What options are available?
0 Specifies an UNENCRYPTED password will follow
7 Specifies a HIDDEN password will follow
LINE The UNENCRYPTED (cleartext) user password
Step 2: Create a new user account using the username command.
a. Create the user01 account, specifying the password with no encryption.
R1(config)#username user01 password 0 user01pass
b. Use the show run command to display the running configuration and check the password that is
enabled. You still cannot read the password for the new user account, even though unencrypted (0)
was specified, because the service password-encryption command is in effect.
Step 3: Create a new user account with a secret password.
a. Create a new user account with MD5 hashing to encrypt the password.
R1(config)#username user02 secret user02pass
b. Exit global configuration mode and save your configuration.
c. Display the running configuration. Which hashing method is used for the password?
MD5
Step 4: Test the new account by logging in to the console.
a. Set the console line to use the locally defined login accounts.
R1(config)#line console 0
R1(config-line)#login local
R1(config-line)#end
R1#exit
b. Exit to the initial router screen which displays: R1 con0 is now available, Press RETURN
to get started.
c. Log in using the user01 account and password previously defined.
What is the difference between logging in at the console now and previously?
I am asked to provide the username and password set on the router.
d. After logging in, issue the show run command. Were you able to issue the command? Why or why
not?
After logging in with that user, I am unable to execute the "show run" command because it is not
permitted in this mode. Once I enter global mode, I can run the command.
e. Enter privileged EXEC mode using the enable command. Were you prompted for a password?
Why or why not?
Since I created a user account called "user01" and logged in with it, the login configuration is
maintained, so there's no need to be prompted for the password.
Step 5: Test the new account by logging in from a Telnet session.
a. From PC-0, establish a Telnet session with R0.
PC-0>telnet 192.168.1.1
Were you prompted for a user account? Why or why not?
It only asks for the password, not the username, because I haven't configured this user for the vty
lines.
b. Set the vty lines to use the locally defined login accounts.
R1(config)#line vty 0 4
R1(config-line)#login local
c. From PC-0, telnet to R0 again.
PC-0>telnet 192.168.1.1
Were you prompted for a user account? Why or why not?
Yes, since I configured the vty lines, it now prompts for the user account.
d. Log in as user01 with a password of user01pass.
e. While telnetted to R0, access privileged EXEC mode with the enable command.
What password did you use?
I used user01pass for user01.
f. For added security, set the AUX port to use the locally defined login accounts.
R1(config)#line aux 0
R1(config-line)#login local
g. End the Telnet session with the exit command.
Task 4:
Configure Enhanced Virtual Login Security on all Routers
Step 1: Configure the router to watch for login attacks.
Use the login block-for command to help prevent brute-force login attempts from a virtual
connection, such as Telnet, SSH, or HTTP. This can help slow down dictionary attacks and help
protect the router from a possible DoS attack.
a. From the user EXEC or privileged EXEC prompt, issue the show login command to see the current
router login attack settings.
R1#show login
No login delay has been applied.
No Quiet-Mode access list has been configured.
Router NOT enabled to watch for login Attacks
b. Use the login block-for command to configure a 60 second login shutdown (quiet mode timer) if
two failed login attempts are made within 30 seconds.
R1(config)#login block-for 60 attempts 2 within 30
c. Exit global configuration mode and issue the show login command.
R1#show login
Is the router enabled to watch for login attacks? yes
What is the default login delay? 60 sec
Step 2: Configure the router to log login activity.
a. Configure the router to generate system logging messages for both successful and failed login
attempts. The following commands log every successful login and log failed login attempts after
every second failed login.
R1(config)#login on-success log
R1(config)#login on-failure log every 2
R1(config)#exit
b. Issue the show login command. What additional information is displayed?
yes
Step 3: Test the enhanced login security login configuration.
a. From PC-0, establish a Telnet session with R1.
PC-0> telnet 10.1.1.1
b. Attempt to log in with the wrong user ID or password two times. What message was displayed on
PC-0 after the second failed attempt?
Failed login attempt
What message was displayed on the router R1 console after the second failed login attempt?
The messages shown on PC-0 and the R1 router console after the second unsuccessful login
attempt.
c. From PC-0, attempt to establish another Telnet session to R1 within 60 seconds. What message
was displayed on PC-0 after the attempted Telnet connection?
Try to initiate another Telnet session to R1 within 60 seconds and observe the messages that
appear on PC-0 and the R1 router.
What message was displayed on router R1 after the attempted Telnet connection?
%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: <username>] [Source: <IP address>] [localport: 23] [Reason: Login Authentication Failed]
d. Issue the show login command within 60 seconds. What additional information is displayed?
Run the show login command again within 60 seconds and check for any additional information
displayed.
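As an added example (not part of the lab), this Python script parses SEC_LOGIN syslog messages of the form shown above and replays the "login block-for 60 attempts 2 within 30" rule from Task 4 over them, reporting the failure that would push the router into quiet mode. The log lines, timestamp prefix, usernames and addresses are constructed; only the LOGIN_FAILED message body follows the lab text, and the LOGIN_SUCCESS line is an assumed sample.

```python
import re
from datetime import datetime, timedelta

# Constructed syslog lines as a collector might store them (timestamp, host, IOS message).
# Usernames and addresses are placeholders; only the LOGIN_FAILED format follows the lab text.
SAMPLE_LOG = """\
2024-01-10T12:05:10 R1: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: user01] [Source: 10.1.1.10] [localport: 23]
2024-01-10T12:05:30 R1: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.1.1.20] [localport: 23] [Reason: Login Authentication Failed]
2024-01-10T12:05:41 R1: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.1.1.20] [localport: 23] [Reason: Login Authentication Failed]
2024-01-10T12:07:00 R1: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 10.1.1.30] [localport: 23] [Reason: Login Authentication Failed]
"""

LINE_RE = re.compile(r"^(\S+) (\S+): %(SEC_LOGIN-\d-\w+): (.*)$")
FIELD_RE = re.compile(r"\[(\w+): ([^\]]*)\]")

def parse(log):
    """Return (timestamp, host, mnemonic, fields) for each SEC_LOGIN line."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, host, mnemonic, rest = m.groups()
        fields = dict(FIELD_RE.findall(rest))
        events.append((datetime.fromisoformat(ts), host, mnemonic, fields))
    return events

def quiet_mode_triggers(events, attempts=2, within=30):
    """Replay 'login block-for ... attempts N within S': return the (time, source)
    of each failure that brings the global failure count to N inside an S-second window."""
    failures, triggers = [], []
    for ts, _host, mnemonic, fields in events:
        if mnemonic != "SEC_LOGIN-4-LOGIN_FAILED":
            continue
        failures.append(ts)
        # keep only failures inside the window ending at this event
        failures = [t for t in failures if ts - t <= timedelta(seconds=within)]
        if len(failures) >= attempts:
            triggers.append((ts.isoformat(), fields.get("Source")))
            failures = []  # the router enters quiet mode and restarts its count
    return triggers
```

The two failures from 10.1.1.20 are 11 seconds apart, so the second one would trigger quiet mode; the lone failure from 10.1.1.30 would not.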
Removing Passwords:
Just use the ‘no’ keyword before any command to undo it.
Removing line console password:
R1>enable
R1#configure terminal
R1(config)#line console 0
R1(config-line)#no login
R1(config-line)#no password
R1(config-line)#end
R1#
Removing Line VTY/TELNET password:
R1>enable
R1#configure terminal
R1(config)#line vty 0 4
R1(config-line)#no login
R1(config-line)#no password
R1(config-line)#end
R1#
Removing auxiliary line password:
R1>enable
R1#configure terminal
R1(config)#line aux 0
R1(config-line)#no login
R1(config-line)#no password
R1(config-line)#end
R1#
Removing Privilege mode password:
R1>enable
R1#configure terminal
R1(config)#no enable password
R1(config)#exit
R1#
Removing Secret password:
R1>enable
R1#configure terminal
R1(config)#no enable secret
R1(config)#exit
R1#