
Cisco Router Forensics

Thomas Akin, CISSP


Director, Southeast Cybercrime Institute
Kennesaw State University
BlackHat Briefings, USA, 2002
Hacking Cisco

Cisco Bugtraq
Vulnerabilities

1998 - 3
1999 - 5
2000 - 23
2001 - 46
2002 (est) - 94
Hacking Routers

Example Exploits:
HTTP Authentication Vulnerability
using a URL of http://router.address/level/$NUMBER/exec/.... where $NUMBER is an
integer between 16 and 99, it is possible for a remote user to gain full administrative
access.

NTP Vulnerability
By sending a crafted NTP control packet, it is possible to trigger a buffer overflow in the
NTP daemon

SNMP Parsing Vulnerability
Malformed SNMP messages received by affected systems can cause various parsing and
processing functions to fail, which results in a system crash and reload. In some cases,
access-list statements on the SNMP service do not protect the device.
Hacking Routers

When a router is hacked it allows an attacker to:
DoS or disable the router & network
Compromise other routers
Bypass firewalls, IDS systems, etc
Monitor and record all outgoing and incoming traffic
Redirect whatever traffic they desire
Cisco Routers in a Nutshell

Flash (persistent) holds:
Startup configuration
IOS files

RAM (non-persistent) holds:
Running configuration
Dynamic tables, i.e.
Arp
Routing
NAT
ACL violations
Protocol Statistics
Etc
Router Forensics v/s Traditional Forensics

Traditional Forensics:
Immediately shutdown the system (or pull the power cord)
Make a forensic duplicate
Perform analysis on the duplicate
Live system data is rarely recovered.

Router Forensics:
Live system data is the most valuable.
Immediate shutdown destroys all of this data.
Persistent (flash) data will likely be unchanged and useless.
Investigators must recover live data for analysis
Computer Forensics: The Unholy Grail
The goal is to catch the criminal behind the
keyboard. Not to find fascinating computer
evidence.
Computer evidence is never the smoking gun.
Most often computer evidence either
Provides leads to other evidence
Corroborates other evidence
Chain of Custody

Detailed, Methodical, Unquestionable.

Where you received the evidence
When you received the evidence
Who you received the evidence from
What your seizure methods were
Why you seized the evidence
How you maintained your chain of custody
Example CoC Form
Incident Response

DO NOT REBOOT THE ROUTER.

Change nothing, record everything.
Before you say it is an accident, make sure it
isn't an incident
Before you say it is an incident, make sure it
isn't an accident
Accessing the Router

DO:
Access the router through the console
Record your entire console session
Run show commands
Record the actual time and the router's time
Record the volatile information

DON'T:
REBOOT THE ROUTER
Access the router through the network
Run configuration commands
Rely only on persistent information
Recording Your Session

Always start recording your session before you even log onto the router
Frequently show the current time with the show clock detail command
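The two points above, record the session and show the router's clock often against the real time, are easiest to act on if the recorded transcript is processed afterwards. The script below is an added example, not part of the original presentation: it scans a recorded console session for `show clock detail` output, pairs each reading with a hand-written "### actual: YYYY-MM-DD HH:MM:SS" note the investigator typed into the transcript just before running the command (that annotation convention is this example's own assumption), reports the router-minus-actual offset and how it drifts over the session, and hashes the transcript for the evidence receipt. The transcript is constructed, not captured from a real router.

```python
import hashlib
import re
from datetime import datetime

# First line of `show clock detail` output, e.g. "*14:03:22.123 EDT Wed Jul 10 2002".
# IOS prefixes '*' when the clock is not authoritative and '.' when it is
# authoritative but has lost sync; no prefix means authoritative.
CLOCK_RE = re.compile(
    r"^(?P<flag>[*.]?)(?P<time>\d{2}:\d{2}:\d{2}\.\d{3})\s+(?P<tz>\S+)\s+"
    r"\w{3}\s+(?P<mon>\w{3})\s+(?P<day>\d{1,2})\s+(?P<year>\d{4})\s*$",
    re.MULTILINE,
)
# Investigator's note of the real time, typed into the transcript right before the
# command (assumed convention for this example, not an IOS or page-defined format).
ACTUAL_RE = re.compile(
    r"^### actual:\s*(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s*$", re.MULTILINE
)


def parse_clock_line(m):
    """Turn a CLOCK_RE match into (naive datetime, tz string, authoritative?)."""
    text = f"{m['mon']} {m['day']} {m['year']} {m['time']}"
    when = datetime.strptime(text, "%b %d %Y %H:%M:%S.%f")
    return when, m["tz"], m["flag"] == ""


def clock_offsets(transcript):
    """Pair each `show clock detail` reading with the most recent '### actual:' note.

    Returns one dict per reading: router time, actual time, offset in seconds
    (router minus actual; None if no note precedes the reading) and whether IOS
    considered its clock authoritative. Both times are treated as wall-clock
    values in the same zone; keeping them in the same zone is the investigator's job.
    """
    notes = [(m.start(), datetime.strptime(m["stamp"], "%Y-%m-%d %H:%M:%S"))
             for m in ACTUAL_RE.finditer(transcript)]
    results = []
    for m in CLOCK_RE.finditer(transcript):
        router_time, tz, authoritative = parse_clock_line(m)
        preceding = [t for pos, t in notes if pos < m.start()]
        actual = preceding[-1] if preceding else None
        offset = (router_time - actual).total_seconds() if actual else None
        results.append({
            "router_time": router_time, "tz": tz, "authoritative": authoritative,
            "actual_time": actual, "offset_s": offset,
        })
    return results


def drift_between(first, last):
    """Change in offset between two readings: how far the router clock wandered."""
    return last["offset_s"] - first["offset_s"]


def transcript_digest(transcript):
    """SHA-256 of the recorded session, to write on the evidence receipt."""
    return hashlib.sha256(transcript.encode("utf-8")).hexdigest()


# Constructed sample transcript (not captured from a real router).
SAMPLE_TRANSCRIPT = """### actual: 2002-07-10 14:05:00
Router#show clock detail
*14:03:22.123 EDT Wed Jul 10 2002
Time source is hardware calendar
Router#show users
    Line       User       Host(s)              Idle       Location
*  0 con 0                idle                 00:00:00
### actual: 2002-07-10 14:20:00
Router#show clock detail
*14:18:21.456 EDT Wed Jul 10 2002
Time source is hardware calendar
"""

if __name__ == "__main__":
    readings = clock_offsets(SAMPLE_TRANSCRIPT)
    for r in readings:
        print(f"router {r['router_time']} {r['tz']} vs actual {r['actual_time']}: "
              f"offset {r['offset_s']:+.3f}s authoritative={r['authoritative']}")
    print(f"drift over session: {drift_between(readings[0], readings[-1]):+.3f}s")
    print("sha256:", transcript_digest(SAMPLE_TRANSCRIPT))
```

The offset is what lets you line up the router's log buffer and syslog entries with events recorded elsewhere; a non-authoritative clock flag ('*') is worth noting in the report, since it means the router itself did not trust the time it stamped on those messages.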
Volatile Evidence: Direct Access
show clock detail
show version
show running-config
show startup-config
show reload verbose
show ip route
show ip arp
show users
show logging
show ip interface
show interfaces
show tcp brief all
show ip sockets
show ip nat translations
show ip cache flow
show ip cef
show snmp user
show snmp group
show clock detail
Volatile Evidence: Indirect Access
Remote evidence may be all you can get if
the passwords have been changed
Port scan each router IP
nmap -v -sS -P0 -p 1- Router.domain.com
nmap -v -sU -P0 -p 1- Router.domain.com
nmap -v -sR -P0 -p 1- Router.domain.com

SNMP scan each router IP
snmpwalk -v1 Router.domain.com public
snmpwalk -v1 Router.domain.com private
Intrusion Analysis

IOS Vulnerabilities

Running v/s Startup configurations

Logging

Timestamps
Logging
Console Logging
These will be captured by recording your session.

Buffer Logging
If buffered logging is turned on, the show logging command will show you the
contents of the router log buffer, what level logging is performed at, and what hosts
logging is sent to.

Terminal Logging
This allows non console sessions to view log messages.

Syslog Logging
Log messages are sent to a syslog server when logging is turned on and a
logging <servername> command is configured.
Logging

SNMP logging
If SNMP is running, SNMP traps may be sent to a logging server.

AAA Logging
If AAA is running, check the aaa accounting commands to see what
logging is being sent to the Network Access Server.

ACL Violation Logging
ACLs can be configured to log any packets that match their rules by ending the ACL
entries with the log or log-input keywords. These log messages are sent to the
router's log buffer and to the syslog server.
Real Time Forensics

After removing or collecting information from your compromised
router you can use the router to help monitor the network and
itself by turning on logging if it wasn't previously.
Router#config terminal
Router(config)#service timestamps log datetime msec \
localtime show-timezone
Router(config)#no logging console
Router(config)#logging on
Router(config)#logging buffered 32000
Router(config)#logging buffered informational
Router(config)#logging facility local6
Router(config)#logging trap informational
Router(config)#logging Syslog-server.domain.com
Real Time Forensics

Using AAA provides even greater ability to log information.
TACACS+ even allows you to log every command executed
on the router to your Network Access Server.

Router#config terminal
Router(config)#aaa accounting exec default start-stop \
group tacacs+
Router(config)#aaa accounting system default stop-only \
group tacacs+
Router(config)#aaa accounting connection default \
start-stop group tacacs+
Router(config)#aaa accounting network default \
start-stop group tacacs+
Real Time Forensics
You can also use ACL logging to count packets and log specific
events. By configuring syslog logging and analyzing your
syslog files in real time you can perform real time monitoring.
The ACL
access-list 149 permit tcp host 130.18.59.1 any eq \
161 log-input
will not block any packets, but will log all incoming SNMP
requests from 130.18.59.1 to any internal host.
The ACLs
access-list 148 deny tcp 130.18.59.0 0.0.0.255 any \
eq 53 log-input
access-list 148 deny udp 130.18.59.0 0.0.0.255 any \
eq 53 log-input
will block and log any DNS packets from the subnet
130.18.59.0/24 to any internal host.
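The ACL violation messages described under Logging and in the two ACL examples above arrive in the router's log buffer and on the syslog server as %SEC-6-IPACCESSLOGP lines. IOS logs the first matching packet at once and then emits a summary with a packet count about every five minutes, so a monitor has to sum the counts rather than count lines. The parser below is an added example written for this page, not code from the presentation or from Cisco; the log lines are constructed to match the ACLs 148 and 149 above (timestamp prefix as produced by the service timestamps command shown earlier). Because log-input adds the ingress interface and source MAC to each message, the script also flags a source address seen from more than one MAC, which is how a spoofed or relayed source shows up in these logs.

```python
import re
from collections import Counter, defaultdict

# %SEC-6-IPACCESSLOGP line as logged by an extended ACL entry carrying log-input.
# The optional "(interface mac)" group is what log-input adds over the plain log keyword.
ACL_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\((?P<sport>\d+)\)"
    r"(?: \((?P<iface>\S+) (?P<mac>[0-9a-f.]+)\))? -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)


def parse_acl_log(line):
    """Return the fields of one ACL log line as a dict, or None for other messages."""
    m = ACL_LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "count"):
        rec[key] = int(rec[key])
    return rec


def packet_totals(lines):
    """Sum packet counts per (acl, action, proto, src, dst, dport).

    Summing 'count' folds the immediate first-packet message and the later
    five-minute summaries into one total per flow.
    """
    totals = Counter()
    for line in lines:
        rec = parse_acl_log(line)
        if rec:
            key = (rec["acl"], rec["action"], rec["proto"], rec["src"], rec["dst"], rec["dport"])
            totals[key] += rec["count"]
    return totals


def ingress_by_source(lines):
    """Map each source IP to the set of (interface, MAC) pairs it arrived from."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_acl_log(line)
        if rec and rec["iface"]:
            seen[rec["src"]].add((rec["iface"], rec["mac"]))
    return seen


def inconsistent_sources(lines):
    """Source IPs seen from more than one MAC: spoofing, a relay, or a moved host."""
    return sorted(src for src, where in ingress_by_source(lines).items() if len(where) > 1)


# Constructed sample syslog lines (not from a real router); they follow the
# message layout IOS uses for the ACLs shown on the slide above.
SAMPLE_LOG = """Jul 10 14:22:01.123 EDT: %SEC-6-IPACCESSLOGP: list 149 permitted tcp 130.18.59.1(2049) (Ethernet0 0000.0c12.3456) -> 10.0.0.20(161), 1 packet
Jul 10 14:22:07.904 EDT: %SEC-6-IPACCESSLOGP: list 148 denied udp 130.18.59.7(1028) (Ethernet0 0000.0c12.3456) -> 10.0.0.5(53), 1 packet
Jul 10 14:27:01.555 EDT: %SEC-6-IPACCESSLOGP: list 148 denied udp 130.18.59.7(1028) (Ethernet0 0000.0c12.3456) -> 10.0.0.5(53), 47 packets
Jul 10 14:27:09.010 EDT: %SEC-6-IPACCESSLOGP: list 148 denied tcp 130.18.59.7(3341) (Ethernet0 00d0.5844.aa01) -> 10.0.0.5(53), 1 packet
Jul 10 14:28:00.000 EDT: %SYS-5-CONFIG_I: Configured from console by console
""".splitlines()

if __name__ == "__main__":
    for key, packets in sorted(packet_totals(SAMPLE_LOG).items()):
        acl, action, proto, src, dst, dport = key
        print(f"list {acl} {action} {proto} {src} -> {dst}:{dport}: {packets} packets")
    print("sources seen from more than one MAC:", inconsistent_sources(SAMPLE_LOG))
```

Run against a syslog file being appended in real time (for example by feeding it `tail -f` output line by line), the same functions give the running per-flow counts the slide describes, and the MAC check is only possible because the ACL entries used log-input rather than log.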
Summary

Hacking Cisco Routers
Router Hardware & Software
Router Forensics v/s Traditional Forensics
Computer Evidence & Chain of Custody
Incident Response
Accessing the Router
Gathering volatile evidence: internal & external
Gathering logging evidence
Performing Real Time Network Forensics
Thank you!
Thomas Akin
takin@kennesaw.edu
http://cybercrime.kennesaw.edu
On your conference CD you will find:
A copy of this presentation
A router forensics checklist
A sample Chain of Custody form
A sample Evidence Receipt tag
