1
00:00:00,530 --> 00:00:07,070
So although we stored the passwords with a strong encryption algorithm, it's still not safe to let

2
00:00:07,070 --> 00:00:13,760
just anyone access the password hashes because they're still open to offline password cracking attacks.

3
00:00:14,770 --> 00:00:21,790
So it's possible to identify access control lists for the communication services such as SNMP, SSH

4
00:00:21,790 --> 00:00:24,920
and Telnet. With these access lists,

5
00:00:24,940 --> 00:00:29,710
we can decide who can and cannot connect to the services.

6
00:00:29,740 --> 00:00:33,400
Then close the services for everybody else.

7
00:00:34,310 --> 00:00:39,050
So there are two types of access lists, standard and extended.

8
00:00:39,230 --> 00:00:40,310
Let's have a look.

9
00:00:40,610 --> 00:00:43,850
We can see how we can manage the access to the router.

10
00:00:45,000 --> 00:00:50,770
So once again, we are back in the network we created by using GNS3.

11
00:00:51,360 --> 00:00:53,550
All the devices are still active and running.

12
00:00:53,550 --> 00:00:54,600
That's always a good sign.

13
00:00:55,770 --> 00:00:57,420
Open the router's console.

14
00:00:58,430 --> 00:01:00,560
And enter the config terminal mode.

15
00:01:01,930 --> 00:01:07,090
access-list is the keyword to create and configure access control lists.

16
00:01:07,600 --> 00:01:10,270
So put a question mark to see the options.

17
00:01:11,140 --> 00:01:14,590
The number here decides the type of the access list.

18
00:01:15,380 --> 00:01:18,440
We'll make an example of a standard access list.

19
00:01:18,440 --> 00:01:21,540
So just put a number between 1 and 99.

20
00:01:21,560 --> 00:01:22,670
I'll just put 2.

21
00:01:23,510 --> 00:01:29,030
A standard access control list either denies or permits source IP addresses.
22
00:01:30,160 --> 00:01:38,320
In addition to source IP addresses, an extended access control list can also deny or permit based on

23
00:01:38,320 --> 00:01:42,790
destination IP addresses, ports and those services as well.

24
00:01:43,780 --> 00:01:45,070
Question mark again.

25
00:01:45,370 --> 00:01:51,670
And these are the options: we can either deny or permit a connection request.

26
00:01:52,510 --> 00:01:57,400
So let's decide who to permit first. Question mark to see the options.

27
00:01:57,430 --> 00:01:58,000
Okay.

28
00:01:59,420 --> 00:02:01,220
We can put a pattern here.

29
00:02:01,370 --> 00:02:04,370
So the computers matching the pattern are allowed.

30
00:02:05,620 --> 00:02:13,350
If we use any here, that means we permit all computers except ones which are identified by the deny

31
00:02:13,360 --> 00:02:14,980
in the access list.

32
00:02:15,860 --> 00:02:21,560
Alternatively, we can permit directly to any specified computer.

33
00:02:22,280 --> 00:02:28,850
So here I'll use host as the option and let my Kali access it.

34
00:02:29,060 --> 00:02:31,820
So let me look at the IP address of the Kali.

35
00:02:32,090 --> 00:02:33,320
10.3.

36
00:02:34,560 --> 00:02:37,110
I want to deny all others.

37
00:02:37,110 --> 00:02:40,710
So access-list 2 deny any.

38
00:02:41,690 --> 00:02:50,810
Now the next thing we have to do is go to the line vty and apply this access list to the interface.

39
00:02:51,950 --> 00:02:52,310
Good.

40
00:02:52,310 --> 00:02:56,630
So type line vty 0 4 to enter line config.

41
00:02:58,250 --> 00:03:01,760
In the line config we'll use the access list command.

42
00:03:03,020 --> 00:03:08,810
Number of the access list first, and now a question mark to see the options.

43
00:03:08,810 --> 00:03:10,040
And look at that.

44
00:03:10,040 --> 00:03:12,620
There are two options: in and out.

45
00:03:13,410 --> 00:03:18,750
Now, since we're going to be telnetting into the router, we're going to use in.
46
00:03:19,680 --> 00:03:22,980
Exit or Control-C to exit from the line config mode.

47
00:03:24,030 --> 00:03:26,820
Now I want you to see the running config.

48
00:03:26,820 --> 00:03:28,770
So type show run.

49
00:03:29,980 --> 00:03:32,320
And here is the running config.

50
00:03:32,350 --> 00:03:37,630
So scrolling down, I'll show you the access list and make sure that everything's right.

51
00:03:42,340 --> 00:03:43,510
So here it is.

52
00:03:43,510 --> 00:03:50,350
And yeah, as you can see, we have our access list 2 to permit and deny any other host attempting

53
00:03:50,380 --> 00:03:51,700
to make a Telnet connection.

54
00:03:53,320 --> 00:03:57,790
Now let's test whether the access list works as intended.

55
00:03:59,820 --> 00:04:03,720
So back in my network, I have other VM machines like Kali.

56
00:04:03,750 --> 00:04:06,090
One of them is OWASP BWA.

57
00:04:06,120 --> 00:04:09,330
As you know, and its IP address is 10.4.

58
00:04:10,480 --> 00:04:15,540
First, I want to check if the network is okay and OWASP sees the router.

59
00:04:15,550 --> 00:04:22,240
So ping 192.168.10.1 and sure enough we have the replies.

60
00:04:23,510 --> 00:04:27,260
Now I want to create a telnet connection to the router.

61
00:04:27,260 --> 00:04:29,630
So type telnet and the router IP.

62
00:04:29,960 --> 00:04:33,800
Hit enter. Connection is refused.

63
00:04:34,560 --> 00:04:37,350
Well, that's what's supposed to be, right?

64
00:04:37,380 --> 00:04:41,100
That means the deny part of the access list is working properly.

65
00:04:41,590 --> 00:04:43,450
What about the permit part?

66
00:04:43,810 --> 00:04:51,610
So go to Kali. In the terminal screen, telnet, enter the router and, as you can see, we can telnet into the

67
00:04:51,610 --> 00:04:52,240
router.

68
00:04:52,540 --> 00:04:57,610
The request is not refused and we are allowed to telnet from Kali.
69
00:04:58,540 --> 00:05:05,440
So to double check, I'll run an Nmap query to check whether the telnet port of the router is open.

70
00:05:09,670 --> 00:05:11,560
And yes, of course it is.