Cisco Support Community
Community Member

denying TFTP on 6500 Cat

Recently we had a pen test against one of our Cats, and it failed with port 69/udp open (tftp). As a result I had to apply an ACL to the interface. We do not have tftp-server configured on this Cat or any other Cats on our platform, but the security engineer claims that we must have some TFTP service running on this Cat as he has never seen this failure before. My argument and question is that the Cat interface will always reply to port 69 regardless of whether we have a TFTP server configured or not, and the only way to stop an interface replying to port 69 is to add an ACL. Which one of us is correct?

5 REPLIES

Re: denying TFTP on 6500 Cat

Hi,

Which Cat and IOS revision is it?

Andrew.

Community Member

Re: denying TFTP on 6500 Cat

It's a 6506 running 12.2(17b)SXA

Re: denying TFTP on 6500 Cat

By default TFTP is disabled, so unless you have a "tftp-server" command in your config it's hard to believe that udp/69 would be open.

You can easily check which ports are open with a "show ip socket" command - it's more likely that udp/67 will be open...

Andrew.

Community Member

Re: denying TFTP on 6500 Cat

I agree, and a 'show ip socket' reveals that neither port 69 nor port 67 is running, but the question still remains: would a poll against an open interface on port 69 get a response?

This is the test performed by the security engineer:

root@Attack-Box:~# nmap -sU -n -vv 172.16.139.189 -vv -p 69 -v

Starting nmap 3.75 ( http://www.insecure.org/nmap/ ) at 2006-01-05 10:09 GMT
Initiating UDP Scan against 172.16.139.189 [1 port] at 10:09
Discovered open port 69/udp on 172.16.139.189
The UDP Scan took 0.00s to scan 1 total ports.
Host 172.16.139.189 appears to be up ... good.
Interesting ports on 172.16.139.189:
PORT    STATE SERVICE
69/udp  open  tftp

Re: denying TFTP on 6500 Cat

In answer to your question, I would have thought that you should definitely not have had a response, unless you are specifically running a TFTP server. Do you see a TFTP daemon running in the "show process" output?

Andrew.
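The thread never settles what the scanner actually received. A UDP scanner can only prove a port is open when something answers; silence is indistinguishable from filtering, and an ICMP port unreachable means closed. The script below is an added example, not code from the thread or from Cisco: it sends a real RFC 1350 read request to port 69 and reports what, if anything, comes back, so the two sides of the argument can be checked directly against the switch. Two details matter for TFTP specifically. A server answers from a freshly chosen transfer port (TID), not from 69, so the probe deliberately does not connect() its socket (a connected UDP socket would discard that reply and misreport the port as silent). Because an unconnected socket on Linux only learns about ICMP errors when IP_RECVERR is set, the probe sets it; on other platforms a closed port will show as open|filtered. The filename probe.txt, the loopback responder and its error text are constructed for the demo.

```python
"""Probe UDP/69 with a real TFTP read request and classify the result.

Usage: python tftp_probe.py <host> [port]
With no arguments it runs against a constructed loopback responder.
"""
import socket
import struct
import sys
import threading

TFTP_PORT = 69
OPCODES = {1: "RRQ", 2: "WRQ", 3: "DATA", 4: "ACK", 5: "ERROR", 6: "OACK"}
IP_RECVERR = getattr(socket, "IP_RECVERR", 11)  # Linux value; missing from older Python


def build_rrq(filename, mode="octet"):
    """RFC 1350 read request: opcode 1, filename, NUL, mode, NUL."""
    return struct.pack("!H", 1) + filename.encode("ascii") + b"\x00" + mode.encode("ascii") + b"\x00"


def classify_response(data):
    """Describe a datagram that came back after the RRQ."""
    if len(data) < 4:
        return "non-tftp (%d bytes)" % len(data)
    (opcode,) = struct.unpack("!H", data[:2])
    name = OPCODES.get(opcode)
    if name == "ERROR":
        (code,) = struct.unpack("!H", data[2:4])
        msg = data[4:].split(b"\x00", 1)[0].decode("ascii", "replace")
        return "tftp ERROR %d: %s" % (code, msg)
    if name == "DATA":
        (block,) = struct.unpack("!H", data[2:4])
        return "tftp DATA block %d (%d bytes)" % (block, len(data) - 4)
    if name:
        return "tftp %s" % name
    return "non-tftp opcode %d" % opcode


def probe_tftp(host, port=TFTP_PORT, filename="probe.txt", timeout=2.0):
    """Return (state, detail): state is 'open', 'closed' or 'open|filtered'."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    if sys.platform.startswith("linux"):
        # Unconnected UDP sockets only see ICMP port-unreachable with IP_RECVERR set.
        sock.setsockopt(socket.IPPROTO_IP, IP_RECVERR, 1)
    try:
        # Do not connect(): a TFTP server replies from a new TID, not from port 69.
        sock.sendto(build_rrq(filename), (host, port))
        try:
            data, _peer = sock.recvfrom(1024)
        except ConnectionRefusedError:
            return "closed", "ICMP port unreachable"
        except socket.timeout:
            return "open|filtered", "no reply within %.1fs" % timeout
        return "open", classify_response(data)
    finally:
        sock.close()


def local_demo():
    """Constructed loopback responder: answers any request with ERROR 1 from a fresh TID,
    the way a real TFTP server does. Returns the probe's (state, detail)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.settimeout(5.0)
    srv.bind(("127.0.0.1", 0))
    port = srv.getsockname()[1]

    def answer():
        _req, peer = srv.recvfrom(1024)
        tid = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        tid.sendto(b"\x00\x05\x00\x01File not found\x00", peer)
        tid.close()

    t = threading.Thread(target=answer)
    t.start()
    try:
        return probe_tftp("127.0.0.1", port, timeout=3.0)
    finally:
        t.join()
        srv.close()


if __name__ == "__main__":
    if len(sys.argv) >= 2:
        target = sys.argv[1]
        tport = int(sys.argv[2]) if len(sys.argv) > 2 else TFTP_PORT
        print("%s:%d -> %s (%s)" % ((target, tport) + probe_tftp(target, tport)))
    else:
        print("loopback demo -> %s (%s)" % local_demo())
```

Run it against the switch address from the thread (`python tftp_probe.py 172.16.139.189`). An "open" result with a TFTP ERROR or DATA reply means a TFTP service really is listening; "closed" means the box sent ICMP port unreachable and nmap should not have called it open; "open|filtered" means nothing answered, which an ACL or a silently dropped packet would both produce.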
