Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

denying TFTP on 6500 Cat

Unanswered Question
Jul 27th, 2006
User Badges:

recently we had a pen test against one of our Cats and it failed with an open port 69/udp open tftp. As a result I had to apply an ACL to the interface. We do not have TFTP-server configured on this Cat or any other cats on our platform but the Security Engineer claims that we must have some TFTP service running on this Cat as has never seen this failure before. My argument and question is that the CAT interface will always reply to port 69 regardless of whether we have TFTP server configured or not and the only way to stop an interface replying to port 69 is to add an acl. Which one of us is correct ?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
andrew.burns Fri, 07/28/2006 - 01:11
User Badges:
  • Gold, 750 points or more


which cat and ios revision is it?


andrew.burns Fri, 07/28/2006 - 01:38
User Badges:
  • Gold, 750 points or more

by default tftp is disabled, so unless you have a "tftp-server" command in your config it's hard to believe that udp/69 would be open.

You can easily check which ports are open by doing a "show ip socket" command - it's more likely that udp/67 will be open...


r.dell Fri, 07/28/2006 - 02:35
User Badges:

I agree and a 'show IP socket' reveals that port 69 nor 67 are running but the question still remains would a poll against an open interface on port 69 get a responce ?

This is the test performend by the security eng.

[email protected]-Box:~# nmap -sU -n -vv -vv -p 69 -v

Starting nmap 3.75 ( http://www.insecure.org/nmap/ ) at 2006-01-05 10:09 GMT

Initiating UDP Scan against [1 port] at 10:09

Discovered open port 69/udp on

The UDP Scan took 0.00s to scan 1 total ports.

Host appears to be up ... good.

Interesting ports on


69/udp open tftp

andrew.burns Fri, 07/28/2006 - 04:21
User Badges:
  • Gold, 750 points or more

In answer to your question, I would have thought that you should definitely not had a response, unless you are specifically running a tftp server. Do you see a tftp demon running in the "show process" output?



This Discussion