1 00:00:01,300 --> 00:00:08,930 As demonstrated in a separate video Telenet sends traffic in clear text and passwords and data can easily 2 00:00:08,930 --> 00:00:10,420 be captured on the wire. 3 00:00:10,670 --> 00:00:12,740 So it's better to use S-sh 4 00:00:16,440 --> 00:00:19,830 as an example or capture the traffic between Ronald one and wrote it to 5 00:00:23,210 --> 00:00:24,190 and for comparison. 6 00:00:24,200 --> 00:00:35,220 I'll do a telnet to read it to from router 1 and log in with my username and password in y shock. 7 00:00:36,600 --> 00:00:46,850 I can simply filter for telnet and in the output I'll be able to capture the password which is c i s 8 00:00:46,940 --> 00:00:49,040 CEO and other with Cisco. 9 00:00:49,040 --> 00:00:57,900 But more than that if they use a top to come on such a show run and looked at the running config of 10 00:00:57,900 --> 00:01:01,830 the Rodda or did any kind of configuration. 11 00:01:01,830 --> 00:01:04,680 All of that is sent in clear text. 12 00:01:04,800 --> 00:01:10,470 So a hacker could simply search for the data. 13 00:01:10,580 --> 00:01:19,720 So there is an example as the prompt of the Rodda off the log in and searching through the data we can 14 00:01:19,720 --> 00:01:25,190 see show run and here's the current config of the Rodda. 15 00:01:25,330 --> 00:01:32,380 So we are able to view the full configuration of the rattus as an example there's an IP address on an 16 00:01:32,380 --> 00:01:33,010 interface 17 00:01:35,730 --> 00:01:45,090 scrolling down more configuration if there were passwords on the console or other ports we'd be able 18 00:01:45,090 --> 00:01:47,100 to see those passwords. 19 00:01:47,100 --> 00:01:51,860 So as an example is the password on the Viti wireline. 20 00:01:51,970 --> 00:02:00,760 I could also simply look at the TCAP session and the full configuration of the Rodda is simply displayed 21 00:02:02,030 --> 00:02:03,400 through Y shock. 22 00:02:03,620 --> 00:02:11,360 So not a great way to manage devices when someone sniffing the network can capture the traffic. 23 00:02:11,360 --> 00:02:17,360 This is more of a problem when you are using a public network such as the Internet than your local network. 24 00:02:17,360 --> 00:02:22,460 But it's important to be aware that telnet sends traffic clear text. 25 00:02:22,460 --> 00:02:30,020 So we want to enable secure shell or S-sh and to do that we firstly have to specify a hostname. 26 00:02:30,230 --> 00:02:33,700 It cannot be the default of switch or router. 27 00:02:33,890 --> 00:02:39,150 The name was ATI but I've reset it just for completeness to show you the command. 28 00:02:39,200 --> 00:02:44,450 So you have to set a hostname and then you have to specify a domain name. 29 00:02:46,450 --> 00:02:52,450 Which is required for the generation of kids so specify some kind of domain name I'll use Cisco dot 30 00:02:52,450 --> 00:02:53,510 com. 31 00:02:53,620 --> 00:02:54,900 You have to have a user name. 32 00:02:54,900 --> 00:02:57,130 Now I've already configured a user name of David 33 00:02:59,880 --> 00:03:04,530 and a password but I'll just do that again for completeness. 34 00:03:04,810 --> 00:03:07,110 And then we have to generate keys. 35 00:03:07,150 --> 00:03:21,910 So crypto key to generate RSA specify modulus and then specify size that should be in 1024 So let me 36 00:03:21,910 --> 00:03:23,040 do that again. 37 00:03:23,080 --> 00:03:29,790 The larger the size of the key the more secure the transmission of data. 38 00:03:29,920 --> 00:03:38,530 So the modular sizes from 360 to 2048 and once again I specified 1024 the ratable then generate what 39 00:03:38,530 --> 00:03:41,380 are called private and public keys. 40 00:03:41,410 --> 00:03:48,070 So as you can see here the keys are going to be replaced because I'm regenerating them a private key 41 00:03:48,460 --> 00:03:55,940 means a key that you don't share it's private to yourself a public key is derived from a private key. 42 00:03:56,050 --> 00:03:59,790 And that's what you share with everyone else in secure communications. 43 00:03:59,980 --> 00:04:06,760 So if you want to send something to me that no one else can read you would encrypt it with my public 44 00:04:06,760 --> 00:04:14,050 key which means that only my private key can decrypt it if I want to send something to you that only 45 00:04:14,050 --> 00:04:22,650 you can read I would encrypt it with your public key and only your private key can decrypt it. 46 00:04:23,200 --> 00:04:30,400 A public key is derived from my private key something encrypted with a public key can only be decrypted 47 00:04:30,430 --> 00:04:33,260 by the relevant private key. 48 00:04:33,280 --> 00:04:40,400 So if you encrypt something with my public key only my private key can decrypt it. 49 00:04:40,420 --> 00:04:51,710 Now on the V-twin Why lines we can specify transport input and specify protocol and I'll specify telnet 50 00:04:52,130 --> 00:05:01,640 and S-sh for security reasons you may only want to allow S-sh rather than telnet and S-sh specified 51 00:05:01,640 --> 00:05:02,910 log in local. 52 00:05:03,030 --> 00:05:12,370 So the local username and password databases used and then specify a version of S-sh version 2 is more 53 00:05:12,370 --> 00:05:15,370 secure than Version 1 show. 54 00:05:15,390 --> 00:05:25,100 IP S-sh we can see that S-sh is now enabled show S-sh they are no connections at the moment. 55 00:05:25,100 --> 00:05:32,030 Now I can still telnet to the Rodda because we allowed telnet sessions 56 00:05:35,930 --> 00:05:48,560 but if we did the following line Vittie y 0 for transport input S-sh telnet sessions would no longer 57 00:05:48,560 --> 00:05:49,410 be allowed. 58 00:05:49,670 --> 00:05:56,860 So show run pipe begin Viti why we're using log in local. 59 00:05:56,870 --> 00:05:58,580 So this is not required. 60 00:05:58,970 --> 00:06:06,070 We are only allowing S-sh sessions and interactive sessions will timeout after five minutes. 61 00:06:06,470 --> 00:06:13,780 So S-sh we have a few options to specify 10 1 one to notice. 62 00:06:13,790 --> 00:06:16,050 No user is specified. 63 00:06:16,920 --> 00:06:19,080 We have to specify a user. 64 00:06:19,170 --> 00:06:20,700 So I'm going to say David. 65 00:06:20,900 --> 00:06:24,730 And then the IP address of the Rodda. 66 00:06:24,840 --> 00:06:36,260 Now I can log in NY shock we still capturing if we search for S-sh now we can see S-sh traffic we can 67 00:06:36,260 --> 00:06:44,750 see the encryption used in this case it's a mess a Schumacher Shaw one don't worry too much about that 68 00:06:44,750 --> 00:06:49,840 at the moment that's discussed in more detail in the VPN section. 69 00:06:49,880 --> 00:06:54,790 There are some key exchanges taking place Diffie Hellman keys are used here. 70 00:06:55,250 --> 00:06:58,890 So we can see all the negotiation between the two devices. 71 00:07:00,520 --> 00:07:05,330 But once that's taken place we won't be able to see the data. 72 00:07:05,350 --> 00:07:10,120 Notice the data is encrypted so as an example I'll type show run 73 00:07:13,030 --> 00:07:16,510 is the fool running config 74 00:07:20,000 --> 00:07:24,290 in shock we can't see the data. 75 00:07:24,360 --> 00:07:29,230 We just see encrypted output here. 76 00:07:29,250 --> 00:07:33,810 So a hacker would not be able to view the data. 77 00:07:33,870 --> 00:07:40,100 The hacker would only know that there's an S-sh session from one device to the other. 78 00:07:40,470 --> 00:07:50,380 So in other words in this example 10 1 1 1 is 10 1 1 2 the source port number is this the destination 79 00:07:50,380 --> 00:07:52,000 port number is 22. 80 00:07:52,000 --> 00:07:53,650 In other words S-sh. 81 00:07:54,010 --> 00:07:57,020 Notice how that is different to a telnet session 82 00:08:04,730 --> 00:08:05,690 in a telnet session. 83 00:08:05,690 --> 00:08:09,760 We can see all the data in clear text. 84 00:08:10,040 --> 00:08:18,500 So it's much better to use S-sh and it's better to restrict access to your devices to the use of S-sh 85 00:08:19,440 --> 00:08:26,000 putty is free software that you can download from the internet and it supports both telnet and S-sh 86 00:08:26,400 --> 00:08:28,730 but uses S-sh by default. 87 00:08:30,350 --> 00:08:36,800 So if you're on a Windows machine download puttee if you using a Mac or Linux machine is SH's built 88 00:08:36,800 --> 00:08:38,440 into the operating system. 89 00:08:38,540 --> 00:08:46,350 If you are on a road or a switch you can simply use the S-sh client on the Cisco device. 90 00:08:47,860 --> 00:08:58,780 So let's S-sh back from Rotto one to router to put in the password plugged in show IP S-sh we can see 91 00:08:58,840 --> 00:09:01,330 that the version of S-sh is version 2. 92 00:09:01,330 --> 00:09:11,040 Once again show S-sh we can see that a session has been started by user named David inconnection our 93 00:09:11,100 --> 00:09:11,840 connection. 94 00:09:11,920 --> 00:09:13,300 We can see the encryption. 95 00:09:13,410 --> 00:09:18,560 Yes 128 bit encryption and authentication is Schaal one. 96 00:09:18,640 --> 00:09:26,710 Shaw is a hashing algorithm similar to M.D five is ending corruption algorithm similar to days or triple 97 00:09:26,710 --> 00:09:30,530 days but it's a lot better than those protocols. 98 00:09:30,700 --> 00:09:38,340 No S-sh version 1 server is running only version 2 is running and we have these connections to the Rodda 99 00:09:39,180 --> 00:09:50,620 when I log out show S-sh we can see that no such connections are running once again in why Shawk 100 00:09:53,590 --> 00:10:01,720 everything is encrypted so we can see the encrypted packet but we can't see any data that makes up that 101 00:10:01,720 --> 00:10:02,620 encrypted packet.