Cisco Catalyst (NMP/CatOS)

Nipper requires a copy of the Cisco Catalyst configuration file in order to produce a report. This page provides information on how to retreive the configuration from a device and how to use Nipper to produce a report.

This page contains the following:

• Getting The Configuration File
  • CLI Capture
• Using Nipper
  • Report Formats
  • Password Auditing
  • Configuration File

Getting The Configuration File

This section outlines different methods of obtaining a copy of your Cisco Catalyst configuration.

I would strongly advise that HTTP, Telnet and TFTP are not used to transfer the configuration file from your device as no encryption is used during the transfer. This means that an attacker who is able to monitor your network connection could capture not only the configuration file but, in the case of HTTP and Telnet, the authentication credentials used to access the device. Additionally, TFTP servers provide no authentication and typically provide weak security settings. If you leave a TFTP server active with files offered by it, don't be suprised if one day an unauthorised person has obtained copies of them.

CLI Capture

You can connect to the Command Line Interface (CLI) of your Cisco Catalyst using an SSH client, Telnet or through the console port. Use the following procedure to obtain a copy of the configuration file:

1. Connect to the Cisco Catalyst using SSH, Telnet or a console connection.
2. Login.
3. Type the following command:

   enable

4. Enter the enable password.
5. Execute the following enable command and capture the output:

   show config all

6. Save the captured output to a file and remove any visible page lines (i.e. "<--- More --->").

Using Nipper

Nipper has a number of different options to change how a Cisco Catalyst configuration is processed, some of these options are described latter in this section. A Cisco NMP-based Catalyst configuration can be processed with the following command:

nipper --nmp --input=nmp.config --output=report.html

A Cisco CatOS-based Catalyst configuration can be processed with the following command:

nipper --catos --input=catos.config --output=report.html

Report Formats

Nipper currently supports HTML, XML, Latex and ASCII text report formats. The default format is HTML. The following command line options can be used to tell Nipper to output to a specific format:

• --html - HTML report format.
• --xml - XML report format.
• --latex - Latex report format.
• --text - ASCII text report format.

Password Auditing

As part of a security audit of your device configuration, Nipper will audit the passwords, authentication keys and community strings. The audit is based on a password policy which can be defined, otherwise Nipper will use its own builtin password policy. Additionally, the passwords are compared to a small internal dictionary of common passwords (an external dictionary can also be used.

The following command options can be used to modify the password audit settings:

• --pass-length={length} - The minimum password length.
• --pass-uppers={yes | no} - A password MUST contain uppercase characters.
• --pass-lowers={yes | no} - A password MUST contain lowercase characters.
• --pass-either={yes | no} - A password MUST contain lowercase or uppercase characters (including combinations).
• --pass-numbers={yes | no} - A password MUST contain numbers.
• --pass-specials={yes | no} - A password MUST contain special characters (i.e. non-alphanumeric).

The output of passwords to the report can be disabled and any encrypted passwords can be output to an external file for further analysis by other tools. The following are other password options:

• --no-passwords - Do not output passwords to the report, auditing will still take place.
• --john={filename} - Create an external file with the encrypted passwords (john-the-ripper format).
• --dictionary={dictionary file} - A dictionary file to test the passwords against.

Configuration File

All the settings described in this section and more can be configured using an external configuration file. On Linux and UNIX type systems this file is called nipper.conf and is typically stored in /etc. On Windows systems the file is called nipper.ini and will be automatically loaded from the current directory. These files are essentially the same and if not found Nipper will use internal default settings.

A specific external configuration file can be specified on the command line using --config={Config Filename}.

The file is self documenting and generally relates to the various command line options. The default configuration file can be downloaded from here.