SIGTERM's Guides: A Cisco Command Reference Sheet

No replies
notballin
notballin's picture
Offline
Neophyte
Joined: 2011/06/18


Star Why I'm writing this guide:

Seasons greetings to Bill Murphy of RedZone Technologies LLC, who, in combination with James Crifasi, knew beforehand what troubleshooting issues I would run into and how to solve them in the event that I failed in one of NSA Cybercommand's various "games."

This knowledge is no longer of any use to me outside of a "Penetration Testing Mindset," so I'm dumping the knowledge that I've gained during training and during my employment into this guide while I wait very patiently to cross your organization off of my "hitlist."

Star The actual guide (because no one ever actually trains an engineer on how to BUILD a switch/router):

echo "PASSWORD RECOVERY:"

http://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-softwar...

echo "CISCO 'TRUST-BASED' LICENSES THAT GIVE YOU FANCY IP-ROUTING FEATURES ON A CISCO SWITCH:"

https://www.cisco.com/en/US/docs/switches/lan/catalyst3850/software/rele...

Most switches come with the 'ipbase' license, which doesn't allow IP routing on the switch. There are other "trust based" licenses such as "ipservices," which allows IP routing on the switch. Wink

echo "FLASHING THE DEVICE WITH NEW FIRMWARE:"

-Give VLAN 1 of the switch and the current working pc an ip on the same subnet and connect them.
-http://tftpd32.jounin.net/ Download TFTPD.
-Allow port 69 on the Windows Firewall (or disable Windows Firewall).
-Download SUGGESTED IOS from CISCO’s website (you need an account for this).
-Place it in the TFTPD Directory (or change TFTPD’s directory).

Router# dir /all

-Check bytes, ensure there’s space for the IOS image before uploading.
-WARNING: USE ONLY IF NEEDED ON AN OLDER SWITCH. ROMMON mode sucks. This is the equivalent to the rmdir -rf command in Linux.

Router#del /force /recursive flash:/OLDFILENAMEGOESHERE
Router#copy tftp flash

-Follow prompts (enter IP, destination filename (copy paste from TFTPD))

Router#dir /all
Router#conf t
Router(config)#boot system flash:/FLASHNAMEFILEHERE
Router(config)#do wri mem
Router(config)#do reload

echo "THE BASICS"

ESCALATING CISCO MODES:
--------------------------

-USER EXEC
Router>

-PRIVILEGE EXEC
Router#

-GLOBAL CONFIG
Router(config)#

-INTERFACE CONFIG
Router(config-if)#

SHOW COMMANDS YOU DON’T USE NORMALLY:
--------------------------

show hardware

#Displays hardware information/model info/etc

show standby

#Displays detailed “Hot Standby Router Protocol” (HSRP) information

show cdp neighbor

#Displays detailed information about neighboring CISCO devices that your device can communicate with. This is good for creating "maps" in Cisco-heavy environments, to include hardware that is Cisco friendly/CDP friendly (*cough* LATERAL MOVEMENT *cough*).

show run int gi 1/0/1

#Displays the currently saved configuration for a specified port.

show run int range gi 1/0/1-5

#Displays the currently saved configuration for a specified range of ports.

show arp | include 192.168.1

#Do a ping first, then do this to check to see if the IP is in use or not.

ping destination 192.168.1.1 source 172.16.0.1

#Good for checking default gateway configurations.

show ver

#Show the current IOS version.

show module

#Show the expansion cards that have been installed on the switch.

show ntp status

#Verify the status of the NTP servers that are configured on the device.

show ip route

#Show all available IP routes that the device is currently aware of.

SWITCHPORT MODES:
--------------------------

Switch(config-if)#switchport mode access

#Turns the port into an "access" port, used for clients/servers/PC’s

Switch(config-if)#switchport mode trunk

#Turns the port into a "trunk" port that can be used to pass VLAN traffic across different switches/routers (VLAN's are virtual Local Area Networks, LMGTFY if you don't understand what this does)

Switch(config-if)#switchport mode dynamic auto

#Tests port for VLAN/Access. Sucks

Switch(config-if)#switchport mode dynamic desirable

#Preferences Trunking. Also sucks

SAVE YOUR CURRENT RUNNING CONFIGURATION TO THE STARTUP CONFIGURATION:
--------------------------

Router>en
Router#copy run start

or

Router#wri mem

DO THINGS WHILE IN GLOBAL CONFIG or INTERFACE CONFIG:
--------------------------

Router(config-if)#do copy run start

#The hint here is to type the word "do" before the command that you want to use, if you are in "global configuration" mode or "interface configuration" mode vs "privilege exec" mode.

CHANGE DEVICE NAME:
--------------------------

Router>en
Router#configure terminal
Router(config)#hostname REDZONETECH-NOT-1337
REDZONETECH-NOT-1337(config)#

#Observe that the hostname has change. It's no different than naming your PC.

ADD A BANNER:
--------------------------

Router>en
Router#configure terminal
Router(config)#banner motd #PUT MESSAGE HERE BETWEEN BRACKETS/DELIMITERS#

#Upon startup, a banner will display before allowing the user to interact with the terminal. This is normally used to place "legal warnings" and general information about an organization.

echo "QUALITY OF LIFE COMMANDS:"

CONFIGURE TIMEZONE/CLOCK AND DAYLIGHT SAVINGS TIME:
--------------------------

switch(config)#clock timezone EST -5
#EST is your "description" of your timezone and can be changed to "Eastern Standard" or whatever phrasing you want. -5 is Eastern Time.
#https://www.timeanddate.com/time/map/

switch(config)#clock summer-time EDT recurring
#EDT is your "description" of your timezone and can be changed.
#If clock summer-time zone recurring is specified without parameters, the summer time rules default to United States standards.

CONFIGURE NTP SERVER:
--------------------------

switch(config)#ntp server time.nist.gov

#Configure DNS resolution first for nameservers to work (scroll down).
#https://tf.nist.gov/tf-cgi/servers.cgi
#time.nist.gov uses round robin.

switch(config)#ntp server time-a-g.nist.gov
#Configure DNS resolution first for nameservers to work (scroll down).

switch(config)#ntp server 129.6.15.28
#The IP address of the ntp server, if DNS is not configured.

ARCHIVING (WILL SAVE YOUR SKIN):
NOTES: With archiving enabled, every time you make a change, the archive will show up to 10 of your last changes by default.
--------------------------

Router(config)#mkdir flash0:/archive
#Makes archive folder.

Router(config)#archive
Router(config-archive)#path flash0:/archive/archive-config
#Path for archive to use.

Router(config-archive)#max 14
#Modify saved archive amount.

Router(config-archive)#write mem
#Save changes to flash

Router(config-archive)#end
Router(config)#copy run start
Router(config)#do show archive

RTFM

Router(config-archive)#archive config ?
#For help with archive commands.

SAFE CHANGES (NO REBOOT, REQUIRES ARCHIVING TO BE ENABLED) METHOD 1:
NOTE: This is a precaution to revert your changes if you’re making a risky config that will lock you out of the router. Practical application includes needing to change a remote site’s config. If you break something, it’ll revert the changes automatically if no confirmation occurs.
--------------------------

Router#conf t revert timer 1337
#1337 is in minutes. CHANGE THIS!

Router#conf confirm
#This will confirm changes and cancel the timer.

SAFE CHANGES (REBOOT REQUIRED, NOT GRACEFUL) METHOD 2:
--------------------------

Router#reload in 1337
#1337 is in minutes. CHANGE THIS!

Router#reload cancel
#Cancel the reboot if your changes work and nothing catastrophically broke!

IGNORE MISSPELLINGS IN COMMANDS (FIX DOMAIN LOOKUP ERROR):
--------------------------

Router>en
Router#configure terminal
Router(config)#no ip domain-lookup

#NOTE: ctrl + shift + F6 = cancels command translation.

FIX LOGGING CUTTING OFF YOUR COMMANDS:
NOTE: It’s annoying, but keep it enabled for sysadmin purposes. Disable it ONLY for base install, re-enable afterwards.
--------------------------

Router#no logging-console

echo "COMBINING MULTIPLE PORTS:"

CONFIGURE A RANGE OF PORTS (YOU CAN SKIP PORTS IN BETWEEN):
--------------------------

Router(config)#int range gi0/1 - 2
Router(config-if-range)#

Router(config)#int range f0/1 - 2, f0/8 - 13, f0/15 - 24
Router(config-if-range)#

COMBINE TWO PORTS FOR MORE BANDWIDTH (LINK AGGREGATION):
--------------------------

Router(config)#int range gi0/1 - 2
Router(config-if-range)#channel-group 1337 mode desirable/auto/on
#In real life, use “on”

COMBINE TWO SERIAL INTERFACES FOR MORE BANDWIDTH (LINK AGGREGATION):
--------------------------

Router(config-if)#encapsulation ppp
Router(config-if)#ppp multilink
#Tells the serial interface to share its link
Router(config-if)#ppp multilink group 1337
#Tells the serial interface what group to share from

echo "SWITCH STACK SHENANIGANS/COMBINING MULTIPLE SWITCHES TO ACT AS A SINGULAR SWITCH:"

CHANGE POSITION OF SWITCHES IN A STACK:
NOTE: Match MAC’s with position, or push the MODE button to determine switch stack position.
--------------------------

Switch# switch N renumber N

CHANGE PRIORITY OF STACK MASTER (ORDER OF WHICH SWITCH IS CHOSEN FIRST):
--------------------------

Switch# switch N priority N
#Priority 1-15, 15 is highest.

CHECK THE POWER OF THE STACK/NEIGHBORS IN THE STACK:
--------------------------

show stack-power

echo "HARDENING THE DEVICE:"

REMOVE MAX PRIVILEGES FROM ALL USERS (PRIVS GRANTED BY DEFAULT. BAD!):
--------------------------

Router(config)#no privilege level 15

CREATE A NEW USER:
--------------------------

Router(config)#username USERGOESHERE priv 15 secret PASSWORDGOESHERE

SECURE THE CONSOLE CABLE/AUX PORT/ETH PORTS:
--------------------------

Router(config)#line con 0 (or)

or

Router(config)#line vty 0 15

or

Router(config)#line aux 0

#Do all three separately

Router(config-line)#password SECUREPASSWORDHERE
Router(config-line)#login
Router(config-line)#logging synchronous

OR
Router(config-line)#login local
#IF USING A LOGIN ACCOUNT

#NOTE: Routers use vty 0 4, Switches use vty 0 15. Double Check.

HASH THE PLAINTEXT PASSWORDS (for LINE and VTY):
--------------------------

Router(config)#service password-encryption

ENABLE SECRET (FROM USER EXEC TO PRIV EXEC) (NOT AS A USER, IT’S FOR THE DEVICE):
--------------------------

Router(config)#enable secret STRONGPASSWORDHERE
Router(config)#do copy run start
Router(config)#do show running-config
#NOTE: You should see a random encryption string for the secret password.

DISABLE UNUSED PORTS:
-------------------------

Switch(config)#int range gi0/13- 24
Switch(config-if-range)#shutdown

ENABLE SWITCHPORT PORT-SECURITY (don’t skip any steps):
-------------------------

Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security mac-address xxxx.xxxx.xxxx
#To allow only a device that has a matching MAC address. This allows multiple MAC addresses such as VOIP phones. LMGTFY for more info.
Switch(config-if)#end
Switch# show port-security interface f0/N

ENABLE AND USE THE SSHv2 AUTHENTICATION PROTOCOL ON THE SWITCH:
--------------------------

Switch(config)#ip domain-name REDZONETECH-NOT-1337.com
#OPTIONAL

Switch(config)#ip ssh version 2
Switch(config)#line vty 0 15
Switch(config-line)#transport input ssh
Switch(config-line)#login local
Switch(config-line)#exit
Switch(config)# crypto key generate rsa modulus 4096
#REQUIRES DOMAIN NAME

Switch(config)#ip ssh time-out 120
Switch(config)#ip ssh authentication-retries 3
Switch(config)#do show ip ssh

DISABLE THE HTTP/HTTPS SERVER (ENABLED BY DEFAULT) :
--------------------------

Router(config)#no ip http server
Router(config)#no ip http secure-server
Router(config)#no ip http access-class 23
Router(config)#no ip http authentication
Router(config)#no ip http authentication local
Router(config)#no ip http time
Router(config)#no ip http timeout-policy idle

echo "VPN SHENANIGANS:"

LIST AVAILABLE VPN ENCRYPTION PROTOCOLS:
--------------------------

crypto ipsec transform-set PUTRANDOMNAMEHERE ?

VPN TUNNELS (IPSEC):
--------------------------

#Phase 1:

crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp key PASSWORDGOESHERE address IPOFOPPOSITEENDGOESHERE

#Phase 2:
crypto ipsec transform-set MYTRANSFORMSETNAME esp-aes esp-sha-hmac

#Phase 3: Make Profile
crypto ipsec profile PROFILENAMEHERE
set security-association lifetime seconds 1337
#Seconds connected before closing
set transform-set MYTRANSFORMSETNAME

#Phase 4: Configure the tunnel (while using the created profile)
Router(config)#interface Tunnel1
Router(config-if)#description DESCRIPTIONGOESHERE
Router(config)#ip address IPGOESHERE SUBNETMASKGOESHERE
Router(config)#ip mtu 1400
Router(config)#ip pim sparse-dense-mode
#Multicast

Router(config)#ip tcp adjust-mss 1360
#Corrects MTU on client packets

Router(config)#tunnel source multilink1
#Example. Use any interface.

#NOTE: The earlier example for combining serial interfaces into one multilink interface can be used for this purpose.
Router(config)#tunnel destination IPGOESHERE
Router(config)#tunnel protection ipsec profile PROFILENAMEHERE

echo "BASIC NETWORKING TASKS:"

CONFIGURE AN INTERFACE WITH AN IP:
--------------------------

Router#config t
Router(config)#interface f0/N
Router(config-if)#ip add 192.168.1.1 255.255.255.0
Router(config-if)#no shut

#Note: Replace N with the port number. Sometimes f0/N will need to be g0/N. Check the running config.

CONFIGURE DNS/NAME RESOLUTION ON A ROUTER (OR A SWITCH ACTING AS A ROUTER):
--------------------------

Router(config)#ip domain-lookup
#Enable DNS Resolution.

Router(config)#ip name-server 208.67.222.222 208.67.220.220 8.8.8.8 8.8.4.4
#Configure the DNS Servers. You may prefer to use internal DNS servers instead of public DNS servers.

ENABLE IP ROUTING ON A SWITCH:
--------------------------

Switch(config)#ip routing
#NOTE: THIS REQUIRES A SPECIFIC TYPE OF TRUST-BASED LICENSE TO BE ENABLED ON THE SWITCH IF IT'S GOING TO ACT AS A ROUTER... "HINT HINT, WINK WINK."

CONFIGURE AN IP ROUTE:
--------------------------

#Add an IP Route:

Router(config)#ip route 172.16.0.1 255.255.255.0 192.168.0.1
#172.16.0.1 = The destination.
#255.255.255.0 = Subnet mask (how many hosts can be found at the desired destination).
#192.168.0.1 = The next hop that knows how to get to the destination.

Router(config)#ip route 172.16.1.1 255.255.255.252 192.168.0.1
#172.16.1.1 = The destination.
#255.255.255.0 = Subnet mask (this is a point to point network location).
#192.168.0.1 = The next hop that knows how to get to the destination.

#NOTE: You may add singular IP's while using the subnet mask 255.255.255.254, to limit what the device can reach. May be used for "ghetto segmenting/isolation" purposes.

#Remove an IP Route:

Router(config)#no ip route 172.16.0.1 255.255.255.0 192.168.0.1
#The route will disappear from the configuration.

CONFIGURE ROUTING PROTOCOLS SUCH AS RIP, RIPv2, EIGRP, and OSPF:
--------------------------

<code>
#LMGTFY. This is too complicated to "cookbook" and you're setting yourself up for failure if you don't actually understand how it works (to include weights and metrics).

CONFIGURE NAT ON A ROUTER (OR A SWITCH ACTING AS A ROUTER):
--------------------------

Router(config)#access-list 1337 permit 192.168.1.0 0.0.0.255
#CONFIGURE ACCESS LIST AND DEFINE THE ALLOWED PRIVATE ADDRESS RANGE

Router(config)#ip nat pool public_access 209.165.200.225 209.165.200.230 netmask 255.255.255.248
#CONFIGURE THE PUBLIC ADDRESS (RANGE) TO USE WITH NAT

Router(config)#ip nat inside source list 1337 pool public_access overload
#TELL NAT TO OVERLOAD THE RANGE OF PRIVATE IP’S TO THE PUBLIC IP (RANGES)

Router(config)#int g0/1
Router(config-if)#ip nat inside
Router(config-if)#int s0/0/1
Router(config-if)#ip nat outside
#SPECIFY THE INTERFACES FOR NAT OUTSIDE/INSIDE

CONFIGURE DHCP SERVER LOCATION ON A VLAN OR INTERFACE:
--------------------------

Router(config)#int vlanX

or

Router(config)#int g0/N
#VLAN's count as interfaces

Router(config-if)#ip helper-address IP-OF-THE-DHCP-SERVER-GOES-HERE

CONFIGURE THE ROUTER/SWITCH TO SERVE AS ITS OWN DHCP SERVER (WARNING: CONFIGURE EXCLUSIONS -FIRST-):
--------------------------

Router#configure terminal
Router(config)#ip dhcp excluded-address 192.168.0.1 192.168.10.69 (exclude one/multiple address(es))
Router(config)#ip dhcp pool LOCATION_NAME_HERE
Router(dhcp-config)#network 192.168.0.0 255.255.255.0
Router(dhcp-config)#default-router 192.168.0.1
Router(dhcp-config)#dns-server 4.4.4.4
Router(dhcp-config)#exit
Router(config)#exit

echo "VLAN HELL/IP ROUTING HELL:"

GIVE THE MANAGEMENT VLAN A DEFAULT GATEWAY:
--------------------------

Switch(config)#ip default-gateway 10.12.19.1
#VLAN IP would most likely be 10.12.19.2

SHOW VLAN CONFIGURATION:
--------------------------

Switch#show vlan
Switch#show interface trunk

CREATE A VLAN/NAME A VLAN (LAYER 3 VLAN):
--------------------------

Switch#config t
Switch(config)#int vlan 100
Switch(config-vlan)#name ***VOICE***
Switch(config-vlan)#description ***VOICE***
Switch(config-vlan)#exit

CREATE THE SAME VLAN IN THE VTP DATABASE:
--------------------------

Switch#config t
Switch(config)#vlan 100
Switch(config-vlan)#name ***VOICE***

CREATE A VLAN TRUNK FOR PASSING VLAN DATA BETWEEN SWITCHES:
--------------------------

Switch#config t
Switch(config)#int fa0/24
Switch(config-if)#switchport mode trunk

or

Switch#config t
Switch(config)#int fa0/24
Switch(config-if)#switchport trunk encapsulation dot1q
Switch(config-if)#switchport mode trunk
#for END OF LIFE SWITCHES THAT DON'T USE THIS AS THEIR DEFAULT CONFIGURATION (*cough* Pentagon *cough*)

TRUNKING AND VLAN RESTRICTIONS:
--------------------------

Switch(config-if)#switchport trunk allowed vlan 100,200,350
#Restrict the VLAN traffic that is allowed to pass through the trunk port
<code>

<code>
Switch(config-if)#switchport trunk native vlan 100
#To tag native untagged traffic that is passing through the trunk

ROUTER ON A STICK (OLD-SCHOOL TRUNKING):
--------------------------

Router#config t
Router(config-if)#int f0/N.50
Router(config-subif)#no shut
Router(config-subif)#encap dot1q 50
Router(config-subif)#ip add 172.16.0.1 255.255.255.0
#NOTES: Replace N with port number. The number 50 represents the chosen layer 3 VLAN.

ASSIGN A VLAN TO A PORT OR RANGE OF PORTS:
--------------------------

Switch(config-if)#switchport access vlan 50
Switch(config-if)#switchport mode access
Switch(config-if)#spanning-tree portfast
Switch(config-if)#spanning-tree bpduguard enable
#Best practice to enable on all access ports.

CONFIGURE A RANGE OF INTERFACES FOR VLANS (TO SAVE TIME):
--------------------------

Swith#config t
Switch(config)#interface range fa0/1-12
Switch(config-if-range)#switchport access vlan 100
Switch(config-if-range)#switchport mode access

Theatricality & deception. Powerful agents to the uninitiated; but we are initiated aren't we, Bruce...