Howdy,
this is a short write up about the Maintenance Operation Protocol (MOP), an ancient remote management protocol from the DECnet protocol suite. It’s old, rarely used and in most cases not needed at all. But as we stumbled across this protocol in some network assessments, it seems like a lot of network admins and other users don’t know about it. Even various hardening guides we’ve seen don’t mention MOP at all.
We’ve seen cases where remote management protocols like Telnet and SSH and even layer 3 connections to routers/switches were disabled on client networks, but clients were able to establish a console connection to Cisco devices via MOP. Because MOP is a layer 2 protocol, IP connectivity is not needed, a link local connection is sufficient. This however limits the accessibility to devices on the local network.
The fun fact about MOP is that it’s still enabled by default on all Ethernet interfaces! We’ve tested it on a 2921 with IOS version 15.4(3)M3 (June 2015) and MOP was indeed enabled by default. Taken from the Cisco Device Resiliency and Survivability guide:
By default, MOP is enabled on all Ethernet interfaces, and disabled on all other type of interfaces.
So if you don’t need MOP, you have to explicitly disable it on all interfaces, like recommended in the official Cisco Guide to Harden Cisco IOS Devices.
Disable MOP
Disable MOP on each Ethernet interface as follows:
Router(config)# interface eth 0/0 Router(config-if)# no mop enabled Router(config-if)# end
Detect MOP on Cisco devices
Run the following command to see all the default configuration values:
Router# show run all
However, for our purpose the following command is more suitable:
Router# show run all | i mop
If the output does not include “no mop enabled”, MOP is enabled!
Detect MOP enabled devices
There are two ways to detect if a Cisco device supports MOP on the network:
- MOP enabled devices send multicast messages to ab:00:00:02:00:00
- Trying to connect to the MOP console
Any user in the same local network network can observe messages from Cisco devices, if they may send DEC DNA multicast packets (every ~8-10 minutes). However, one might miss those.
To check if a specific device supports MOP one could use the moprc utility from the DECnet for Linux project as follows:
# ./moprc -v -i eth0 01:02:03:04:05:06
If MOP is enabled on the accessible Ethernet interface, a login should pop up.
In order to make discovery of MOP easier, I’ve submitted a NSE script to Nmap that detects MOP. It’s also available on GitHub. If layer 3 connectivity is given and the IP of a Cisco device is known, detecting MOP with the NSE script is as easy as this:
# nmap --script mop-discover 192.168.1.1
When the script is added to the global Nmap scripts (on Linux they are typically located in /usr/share/nmap/scripts), the script will automatically run in every script scan (-sC).
In case you only have layer 2 connectivity, you can specify the MAC address as follows:
# nmap --script mop-discover --script-args target=01:02:03:04:05:06
Using this script with Nmap requires root privileges, because it sends and receives raw Ethernet frames.
We haven’t seen MOP on devices of other vendors, so right now I can’t tell if this also applies to other vendors. For further information about MOP on Cisco devices, there’s also a pretty good post on the Cisco blog.
Regards,
Niklaus
It was also mentioned in the older official Cisco Security Classes. But it disappeared from the actual CCNP Security Track for whatever reason …
Very interesting. I HAD to try it!
I tried to use the “only layer 2 connectivity” because the IP of the switch is in another subnet.
What I got was:
******
nmap -script mop-discover -script-args target=00:15:62:aa:bb:cc
Starting Nmap 6.00 ( http://nmap.org ) at 2015-08-27 08:46 CEST
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 3.63 seconds
******
Even if I start it with -v or -vv I only see that the NSE-Script is obviously started…
******
Starting Nmap 6.00 ( http://nmap.org ) at 2015-08-27 08:54 CEST
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 08:54
Completed NSE at 08:54, 0.01s elapsed
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 1) scan.
Read data files from: /usr/bin/../share/nmap
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 3.47 seconds
Raw packets sent: 0 (0B) | Rcvd: 0 (0B)
******
Is this the expected output if there is no MOC active on that switch?
Hi Marco,
thanks for your feedback. The problem that you are encountering is that Nmap commands were not preformatted, that’s fixed now. The script and script-args parameters actually need double dashes (
--
).Also, if you haven’t added the script to the global scripts directory, you may have to supply the scripts on the current directory as follows:
nmap --script ./mop-discover.nse --script-args target=01:02:03:04:05:06
Due to the nature of NSE scripts, the script will only output something if MOP is enabled.
Regards,
Niklaus
Cisco 4451-X running 15.4 doesn’t recognise “no mop enabled” on any Ethernet interface so it appears Cisco have removed MOP either on 4451X specific IOS, or 15.4(2)S2??!
I have a 4451-x and I use that command (no mop enabled) on interface for specific cards like my routerswitch module (SM-X-ES3-24-P) and my UCS card (UCS-E140S-M2/K9). These cards may be physically jumpered to the front ports of the router or may use the backplane. If using the backplane the recommended configurations I found state that on the interfaces “no mop enabled” is to be added but then it will not show up on the command line. It took the command for me on the interface level. I am running IOS-XE 16.09.02.