Nipper is an Opensource tool for network device congiguration and security audit. Nipper performs security audits of network device configuration files. The report produced by Nipper includes; detailed security-related issues with recommendations, a configuration report and various appendices. Nipper can run on both Windows and Linux operating system. Nipper can be downloaded from here Nipper currently supports the following Network devices:
Cisco IOS-based Switches
Cisco IOS-based Routers
Cisco IOS-based Catalysts
Cisco NMP-based Catalysts
Cisco CatOS-based Catalysts
Cisco PIX-based Firewalls
Cisco ASA-based Firewalls
Cisco FWSM-based Firewalls
Cisco CSS-based Content Service Switches
Juniper NetScreen ScreenOS-based Firewalls
Simply capture the configuration of the Network device onto a text file and run it through Nipper to Audit the config file and output its Audit results in HTML,XML,latex or plain text format. There are a lot of options that can be specified at the command line, a simplest command that show what Nipper is upto will be.
The following is an example of running Nipper on Windows from the download directory on a Cisco IOS Switch config file
c:\Nipper>nipper –ios-switch –input=test.cfg.tct –output=output.html
where,
–ios-switch is the device type
–input specifies the device config text file
–output specifies the output file.
This creates the output file in the current directory (or where mentioned to). What impresses is the orderly formatting of the results with a great deal of information, good enough to understand the imapct of any identified issue. Nipper performs a security audit of a device and produces a report which can include the following sections:
Security Related Issues Introduction
The issues Configuration Report Introduction
The configuration Appendix Section
Abbreviations
Timezones
Common Ports
Logging Severity Levels
Version Details
During a security audit Nipper can test passwords and connection timeouts, these can be configured from the command line.
The configurable options are:
Timeout
Minimum Password Length
Passwords must contain upper case characters
Passwords must contain lower case characters
Passwords must contain numbers
Passwords must contain special characters
Passwords can contain upper or lower case characters
Dictionary for testing against passwords
Nipper will decode Cisco type 7 passwords, other passwords can be output to a john-the-ripper file for further testing. Nipper includes support for a variety of different device types and gathers a lot of information whilst performing a security audit. However, nipper does not gather all information from a device configuration.
The following describes what information is used and what security issues nipper identifies.
IOS-Based Configuration Settings
- Hostname
- IOS Version
- Timezone and offsets
- Authorative Time Source
- Service Password Encryption
- Minimum Password Length
- IP Source Routing
- Bootp
- Service Config
- TCP Keep Alives
- Cisco Express Forwarding
- Gratuitous ARP
- Classless Routing
- Domain Name
- Domain Lookup
- DNS Servers
- Enable Passwords
- Users
- Privilages
- Banner
- Telnet
- SSH
- HTTP
- Finger
- TCP / UDP Small Services
- NTP
- SNMP 1, 2 and 3
- CDP
- PAD
- Logging
- Syslog
- Buffered Logging
- Terminal Logging
- FTP
- TACACS
- AAA
- BGP
- VRRP
- EIGRP
- RIP
- OSPF
- Routes
- Route Maps
- Keys and Key Chains
- Lines
- Interfaces
- VTP
- Switch Ports
- NAT (All types)
- ACL (All types)
IOS-Based Security Issues
- Software Versions
- Dictionary-Based / Default Passwords
- Weak Passwords
- Auto-Configuration
- IP Directed Broadcasts
- BGP Route Dampening
- OSPF Authentication
- EIGRP Authentication
- RIP Authentication
- VRRP Authentication
- TCP Keep Alives
- Connection Timeouts
- AUX Port
- Source Routing
- Finger
- HTTP
- SNMP Version 1 / 2
- Telnet
- Redirects
- Access Lists
- uRPF Verification
- Switch Port Mode
- Switch Port Security
- Logging
- Proxy ARP
- SSH Protocol Version
- CDP
- Classless Routing
- Minimum Password Length
- Bootp
- TCP / UDP Small Servers
- IP Unreachables
- IP Mask Reply
- Enable Secret
- Password Encryption
- Banners
- Domain Lookup
- PAD
- MOP
PIX/ASA/FWSM-Based Configuration Settings
- Hostname
- Domain Name
- Version
- Transparent Firewall
- Enable Password
- Users
- SSH
- Interfaces
- NAT / PAT
- Routing
- Access Control Lists
- ICMP Access
- Protocol Analysis
- Group Objects
- Name Mappings
PIX/ASA/FWSM-Based Security Issues
- Connection Timeouts
- Access Control Lists
- SSH Protocol Version
CSS-Based Configuration Settings
- Hostname (a little hack, recommend specifying)
- CSS Version
- FTP Server
- SNMP
- SSH Server
- Telnet Server
- Web Management Server
- Access Control Lists
CSS-Based Security Issues
- SNMP
- Telnet
- Access Control Lists
CatOS/NMP-Based Configuration Settings
- Hostname
- NMP Version
- Location
- Contact
- Core Files
- Syslog Files
- Idle Session Timeout
- Port Security Auto Configure
- Enable Passwords
- Login Passwords
- ICMP Redirects
- IP Unreachables
- IP Fragmentation
- CDP
- SNMP
- Permit Lists
- VLAN Configuration
CatOS/NMP-Based Security Issues
- Dictionary-Based / Default Passwords
- Weak Passwords
- Connection Timeouts
- IP Redirects
- CDP
- IP Unreachables
ScreenOS-Based Configuration Settings
- Hostname
- Administrative Settings
- Users
- Alerting
- Timeouts
- Authentication Server
- Admin Privilages
- SSH
- Interfaces
- Policies
- Name Lists
ScreenOS-Based Security Issues
- Policies
- Connection Timeout
- Administrative HTTP Redirect
- Management IP Address
For more information and options, please visit here
Leave a Reply