1
00:00:00,870 --> 00:00:08,140
Now you may also want to disable CVP especially on internet facing interfaces.

2
00:00:08,370 --> 00:00:15,900
In this example by simply enabling CTP on the face of the router I'm able to see a lot of information

3
00:00:16,110 --> 00:00:17,960
on the local network.

4
00:00:18,060 --> 00:00:19,580
So let's have a look at details.

5
00:00:22,710 --> 00:00:26,370
Here's the command show CGP neighbors detail.

6
00:00:26,370 --> 00:00:31,590
I can see as an example that there is a system a unified communications manager with the IP address

7
00:00:31,980 --> 00:00:33,570
on the local network.

8
00:00:34,110 --> 00:00:46,030
I could then simply connect to that server and see what I can do perhaps try and log in via trial and

9
00:00:46,030 --> 00:00:53,920
error and eventually discover what devices phones and gateways are available on the server I could even

10
00:00:54,190 --> 00:00:57,170
use this to access a device.

11
00:00:57,260 --> 00:01:05,110
So as an example we can see that the phone is a Cisco DX 650.

12
00:01:05,270 --> 00:01:12,690
If we're not sure what that is we can do a simple search in Google and we'll be able to find what kind

13
00:01:12,690 --> 00:01:13,680
of device that is

14
00:01:16,660 --> 00:01:23,800
this phone runs the Android operating system and then we could try and find vulnerabilities on to that

15
00:01:23,950 --> 00:01:25,150
device.

16
00:01:25,150 --> 00:01:30,830
So it's as simple as that for a hacker to determine which devices are out there.

17
00:01:30,840 --> 00:01:36,660
He has a Cisco switch with its IP address and we could try and telnet to that.

18
00:01:36,940 --> 00:01:42,680
He has the phone so Cisco IP phone DX 650.

19
00:01:42,680 --> 00:01:49,100
He has another phone 79 70.

20
00:01:49,140 --> 00:01:53,150
We can even see how much power that phone is drawing from the local switch.

21
00:01:54,500 --> 00:02:01,700
And scrolling back we can see that the Cisco DX 650 is drawing this amount of power a lot of information

22
00:02:02,030 --> 00:02:08,480
can be discovered through CTP and other protocols such as LDP.

23
00:02:08,780 --> 00:02:15,250
You could look for vulnerabilities in a specific version of Iowas and then try and hack that device.

24
00:02:15,260 --> 00:02:26,450
So on the scene to face we would type no-CD enable and that would disable CTP on that interface.

25
00:02:26,450 --> 00:02:30,730
These entries in the table will eventually time out.

26
00:02:30,890 --> 00:02:38,290
So have to wait until they hit zero notice as an example that Radu one on this interface has a whole

27
00:02:38,300 --> 00:02:44,000
time of this value which is a lot higher than some of the other valleys.

28
00:02:44,930 --> 00:02:55,100
In the output here the should be refreshed because we still running CTP on Foster Ethan at 0 0 but we

29
00:02:55,100 --> 00:03:01,840
have disabled CGP on Fosset Ethan it is 0 1.

30
00:03:02,040 --> 00:03:08,580
You can see as an example that at this point the call that he 750 has hit 93 seconds as a whole time

31
00:03:09,240 --> 00:03:11,200
and eventually thats going a timeout.

32
00:03:13,530 --> 00:03:20,530
You can also disable CGP globally by typing no CTP run.

33
00:03:20,640 --> 00:03:26,970
I'm not going to do that now because I want to keep CGP running to the internal Jeana's three part of

34
00:03:26,970 --> 00:03:34,980
the network noticed right one once again has refreshed whereas the other valleys are counting down and

35
00:03:34,980 --> 00:03:36,330
I wouldn't bore you waiting for that.

36
00:03:36,350 --> 00:03:40,410
They'll eventually timeout and be removed from the CTP table.

37
00:03:40,740 --> 00:03:44,850
So the moral of the story is disable unnecessary services.

38
00:03:44,850 --> 00:03:51,840
Use the command to check what's enabled on your Cisco device disable CGP on interfaces where it's not

39
00:03:51,840 --> 00:03:52,730
required.

40
00:03:52,890 --> 00:04:00,060
If you're connecting to an IP phone you may require CTP all in Calais a discovery protocol LDP but you

41
00:04:00,060 --> 00:04:03,290
wouldn't need that on the Internet facing interface.

42
00:04:03,360 --> 00:04:05,630
So disable what's not required.

43
00:04:07,620 --> 00:04:15,400
While I was talking they noticed the thirty 50s hit zero as a whole time this phone has had to.

44
00:04:15,420 --> 00:04:19,650
So that's not timed out so zero seconds and two seconds.

45
00:04:19,680 --> 00:04:21,180
Next refresh interval.

46
00:04:21,310 --> 00:04:23,170
Those of timed out.

47
00:04:23,420 --> 00:04:28,290
And the same will happen for the remaining devices in the table.

48
00:04:28,310 --> 00:04:29,930
They'll all eventually time out.

49
00:04:29,930 --> 00:04:31,610
So here's the phone.

50
00:04:31,730 --> 00:04:42,410
And if you wait a few more seconds notice we see the publisher now and eventually all we see is the

51
00:04:42,410 --> 00:04:43,730
Rodda internally.