This is a short write-up about the Maintenance Operation Protocol (MOP), an ancient remote management protocol from the DECnet protocol suite. It’s old, rarely used and in most cases not needed at all. But since we stumbled across this protocol in several network assessments, it seems that many network admins and other users don’t know about it. Even various hardening guides we’ve seen don’t mention MOP at all.
We’ve seen cases where remote management protocols like Telnet and SSH, and even layer 3 connectivity to routers/switches, were disabled on client networks, but clients were still able to establish a console connection to Cisco devices via MOP. Because MOP is a layer 2 protocol, no IP connectivity is needed; a link-local connection (same broadcast domain) is sufficient. This also limits the exposure: only hosts on the same local network segment can reach the device this way.
The fun fact about MOP is that it’s still enabled by default on all Ethernet interfaces! We’ve tested it on a Cisco 2921 running IOS version 15.4(3)M3 (June 2015) and MOP was indeed enabled by default. Taken from the Cisco Device Resiliency and Survivability guide:
By default, MOP is enabled on all Ethernet interfaces, and disabled on all other type of interfaces.
So if you don’t need MOP, you have to explicitly disable it on all Ethernet interfaces, as recommended in the official Cisco Guide to Harden Cisco IOS Devices.
Disable MOP on each Ethernet interface as follows:
Router(config)# interface eth 0/0
Router(config-if)# no mop enabled
Router(config-if)# end
Detect MOP on Cisco devices
Run the following command to see all the default configuration values:
Router# show run all
However, for our purpose the following command is more suitable:
Router# show run all | i mop
If the output does not include “no mop enabled”, MOP is enabled! Keep in mind that the filter only prints the matching lines, so the output doesn’t tell you which interface each line belongs to; check the interface sections of the unfiltered show run all output to make sure every Ethernet interface carries “no mop enabled”.
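As an added example (not code from the original post or from Cisco), here is a small Python audit script that takes the text of show run all and reports the MOP state per interface, which the "| i mop" filter can’t do because it drops the interface lines. It also emits the "no mop enabled" commands for the interfaces that still need hardening. The show run all output embedded in it is constructed for the example, not captured from a device:

```python
"""Audit 'show running-config all' output for interfaces with MOP enabled.

'show run all | include mop' prints the mop lines but drops the interface
names, so this parses the full output and reports MOP status per interface.
"""
import re

# Constructed sample of 'show run all' output (not a real device capture):
# one Ethernet interface left at its default, one explicitly hardened,
# and one serial interface (MOP is off by default there).
SAMPLE_SHOW_RUN_ALL = """\
!
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 mop enabled
 mop sysid
!
interface GigabitEthernet0/1
 ip address 10.0.0.1 255.255.255.0
 no mop enabled
 mop sysid
!
interface Serial0/0/0
 no ip address
 no mop enabled
!
"""


def mop_status(show_run_all: str) -> dict:
    """Map interface name -> True/False for 'mop enabled', None if no mop line seen."""
    status = {}
    current = None
    for line in show_run_all.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            status[current] = None
            continue
        if not line.startswith(" "):
            current = None  # a non-indented line ends the interface block
            continue
        if current is None:
            continue  # indented line outside any interface block
        stripped = line.strip()
        if stripped == "mop enabled":
            status[current] = True
        elif stripped == "no mop enabled":
            status[current] = False
    return status


def mop_enabled_interfaces(show_run_all: str) -> list:
    """Interfaces that still have MOP enabled, sorted by name."""
    return sorted(name for name, on in mop_status(show_run_all).items() if on)


def hardening_commands(show_run_all: str) -> list:
    """IOS config lines that disable MOP on every interface that has it enabled."""
    cmds = []
    for name in mop_enabled_interfaces(show_run_all):
        cmds += [f"interface {name}", " no mop enabled"]
    return cmds


if __name__ == "__main__":
    for name, on in mop_status(SAMPLE_SHOW_RUN_ALL).items():
        print(f"{name:24} mop enabled: {on}")
    print("\n".join(hardening_commands(SAMPLE_SHOW_RUN_ALL)))
```

Feed it the saved output of show run all (for example via a terminal log) and paste the emitted lines into configure terminal; interfaces without any mop line at all are reported as None so you can look at them by hand rather than silently treating them as safe.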
Detect MOP enabled devices
There are two ways to detect whether a Cisco device has MOP enabled on the network:
- MOP-enabled devices periodically send multicast messages to ab:00:00:02:00:00
- Trying to connect to the MOP console
Any host on the same local network can observe these messages: MOP-enabled Cisco devices send DEC DNA multicast packets roughly every 8-10 minutes. Since they are that infrequent, a short capture can easily miss them.
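The following Python sniffer is an added example, not code from the original post or from the DECnet for Linux project. It listens on a Linux interface for frames addressed to ab:00:00:02:00:00 carrying the DEC MOP Ethertypes (0x6001 Dump/Load, 0x6002 Remote Console) and logs the sender, so an announcement that only shows up every few minutes is not missed. The MOP framing it decodes (little-endian length prefix, function code 7 for System ID, information-field type 7 for the hardware address) is taken from the DECnet MOP specification as I recall it and should be treated as an assumption; the frame used for offline testing is constructed, not a capture. Like the NSE script, it needs root for the raw socket.

```python
"""Passive MOP (DECnet Maintenance Operation Protocol) detector.

Listens on a Linux interface for frames sent to the MOP Remote Console
multicast address ab:00:00:02:00:00 and reports the sender. Cisco IOS
devices with MOP enabled send periodic System ID messages there.
"""
import socket
import struct
import sys

MOP_RC_MCAST = "ab:00:00:02:00:00"   # MOP Remote Console multicast (from the write-up)
ETHERTYPE_MOP_DL = 0x6001            # DEC MOP Dump/Load
ETHERTYPE_MOP_RC = 0x6002            # DEC MOP Remote Console
MOP_ETHERTYPES = {ETHERTYPE_MOP_DL, ETHERTYPE_MOP_RC}

# MOP function codes (System ID is the periodic announcement we care about).
# Assumption: numbering per the DECnet MOP specification as I recall it.
MOP_CODE_REQUEST_ID = 0x05
MOP_CODE_SYSTEM_ID = 0x07
MOP_CODES = {MOP_CODE_REQUEST_ID: "Request ID", MOP_CODE_SYSTEM_ID: "System ID"}

# Information-field type inside a System ID message carrying the sender's
# hardware address. Assumption: type number as I recall it from the spec.
MOP_INFO_HWA = 7


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_mop_frame(frame: bytes):
    """Return a dict describing a MOP frame, or None if it is not MOP."""
    if len(frame) < 17:
        return None
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype not in MOP_ETHERTYPES:
        return None
    # MOP on Ethernet II: 2-byte little-endian payload length, then the function code.
    (length,) = struct.unpack("<H", frame[14:16])
    payload = frame[16:16 + length]
    if not payload:
        return None
    code = payload[0]
    info = {
        "src": mac_str(src),
        "dst": mac_str(dst),
        "ethertype": ethertype,
        "code": code,
        "code_name": MOP_CODES.get(code, "other"),
        "to_mop_multicast": mac_str(dst) == MOP_RC_MCAST,
    }
    if code == MOP_CODE_SYSTEM_ID and len(payload) >= 3:
        # System ID: 2-byte receipt number, then fields of type(2 LE), len(1), value.
        fields = {}
        i = 3
        while i + 3 <= len(payload):
            ftype, flen = struct.unpack("<HB", payload[i:i + 3])
            fields[ftype] = payload[i + 3:i + 3 + flen]
            i += 3 + flen
        info["fields"] = fields
        if len(fields.get(MOP_INFO_HWA, b"")) == 6:
            info["hwaddr"] = mac_str(fields[MOP_INFO_HWA])
    return info


def is_mop_announcement(frame: bytes) -> bool:
    """True if the frame is a MOP System ID sent to the MOP multicast address."""
    info = parse_mop_frame(frame)
    return bool(info and info["to_mop_multicast"] and info["code"] == MOP_CODE_SYSTEM_ID)


def build_sample_system_id(src_mac: bytes) -> bytes:
    """Constructed sample frame (not a capture) for offline testing."""
    fields = struct.pack("<HB", MOP_INFO_HWA, 6) + src_mac
    payload = bytes([MOP_CODE_SYSTEM_ID]) + struct.pack("<H", 0) + fields
    return (bytes.fromhex("ab0000020000") + src_mac
            + struct.pack("!H", ETHERTYPE_MOP_RC)
            + struct.pack("<H", len(payload)) + payload)


def listen(iface: str):
    """Linux only, needs root: sniff MOP Remote Console frames on iface."""
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETHERTYPE_MOP_RC))
    s.bind((iface, ETHERTYPE_MOP_RC))
    while True:
        frame = s.recv(65535)
        info = parse_mop_frame(frame)
        if info and info["to_mop_multicast"]:
            print(f"MOP {info['code_name']} from {info['src']} on {iface}")


if __name__ == "__main__":
    listen(sys.argv[1] if len(sys.argv) > 1 else "eth0")
```

Leave it running on a span or access port for at least one announcement interval; every source address it prints is a device that answers MOP and is worth checking with moprc or the NSE script.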
To check if a specific device supports MOP one could use the moprc utility from the DECnet for Linux project as follows:
# ./moprc -v -i eth0 01:02:03:04:05:06
If MOP is enabled on the accessible Ethernet interface, a login should pop up.
In order to make discovery of MOP easier, I’ve submitted an NSE script to Nmap that detects MOP. It’s also available on GitHub. If layer 3 connectivity is given and the IP of a Cisco device is known, detecting MOP with the NSE script is as easy as this:
# nmap --script mop-discover 192.168.1.1
When the script is added to the global Nmap scripts (on Linux they are typically located in /usr/share/nmap/scripts), the script will automatically run in every script scan (-sC).
In case you only have layer 2 connectivity, you can specify the MAC address as follows:
# nmap --script mop-discover --script-args target=01:02:03:04:05:06
Using this script with Nmap requires root privileges, because it sends and receives raw Ethernet frames.
We haven’t seen MOP on devices from other vendors, so right now I can’t tell whether this also applies to them. For further information about MOP on Cisco devices, there’s also a pretty good post on the Cisco blog.