Cisco Bugtraq Vulnerabilities (per year)
- 1998: 3
- 1999: 5
- 2000: 23
- 2001: 46
- 2002 (estimated): 94
Hacking Routers
Example Exploits:
HTTP Authentication Vulnerability
Requesting a URL of the form http://router.address/level/$NUMBER/exec/.... where $NUMBER is an
integer between 16 and 99 lets a remote user bypass authentication on the IOS HTTP server and gain
full administrative access. Only routers running the HTTP server (ip http server) are exposed.
NTP Vulnerability
By sending a crafted NTP control packet, a remote user can trigger a buffer overflow in the
NTP daemon, crashing or reloading the router (and destroying the volatile evidence described below).
DO
- Access the router through the console
- Record your entire console session
- Run show commands
- Record the actual time and the router's time
- Record the volatile information
DON'T
- Reboot the router
- Access the router through the network
- Run configuration commands
- Rely only on persistent information
Recording Your Session
Always start recording your session before you even log onto the router, and note the actual (examiner's) time in the recording.
Frequently show the current time with the show clock detail command so router timestamps can be correlated with real time; the offset may change if the router's clock is wrong or drifting.
Volatile Evidence
Direct Access
Run the commands in this order, most volatile first, and begin and end with the clock:
show clock detail
show version
show running-config
show startup-config
show reload verbose
show ip route
show ip arp
show users
show logging
show ip interface
show interfaces
show tcp brief all
show ip sockets
show ip nat translations
show ip cache flow
show ip cef
show snmp user
show snmp group
show clock detail
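The two procedures above, recording the whole console session and walking the volatile-evidence commands, produce one long transcript. The following Python script is an added example (not from the original slides) of what to do with that transcript afterwards: it splits it into one evidence section per command, hashes each section so it can be referenced later, and computes the offset between the examiner's clock and the router's clock from the first line of show clock detail, including the leading "*" / "." markers IOS prints when its time is not authoritative or NTP sync has been lost. The transcript, hostname and times in it are constructed; the examiner time is assumed to have been written down while recording.

```python
"""Split a recorded IOS console session into per-command evidence sections,
hash each section, and work out the offset between the examiner's clock and
the router clock from `show clock detail` output.

Added example for this page, not part of the original slides.  The transcript
below is constructed to look like a `script`-recorded console session; it is
not output from a real router.
"""
import hashlib
import re
from datetime import datetime, timedelta

# A prompt line: hostname, optional "(config)"-style mode, then "#" or ">".
PROMPT_RE = re.compile(r"^(?P<host>[\w.\-]+)(?:\([\w\-]+\))?[#>](?P<cmd>.*)$")

# First line of `show clock detail`, e.g. "21:04:55.310 UTC Thu Mar 14 2002".
# A leading "*" means the time is not authoritative (clock never set);
# a leading "." means authoritative but NTP synchronisation has been lost.
CLOCK_RE = re.compile(
    r"^(?P<flag>[*.]?)(?P<hms>\d{2}:\d{2}:\d{2})\.(?P<ms>\d{3})\s+(?P<tz>\S+)"
    r"\s+\w{3}\s+(?P<mon>\w{3})\s+(?P<day>\d{1,2})\s+(?P<year>\d{4})\s*$"
)

# Constructed transcript (hostname "Router", all values made up).
SAMPLE_SESSION = """\
Router#show clock detail
21:04:55.310 UTC Thu Mar 14 2002
Time source is user configuration
Router#show version
Cisco Internetwork Operating System Software
IOS (tm) 2500 Software (C2500-IS-L), Version 12.0(5)
Router uptime is 3 days, 2 hours, 11 minutes
Router#show users
    Line       User       Host(s)              Idle       Location
*  0 con 0                idle                 00:00:00
   2 vty 0     admin      idle                 00:03:12 192.0.2.77
Router#show clock detail
21:09:41.002 UTC Thu Mar 14 2002
Time source is user configuration
"""


def split_session(text):
    """Return a list of {command, output, sha256} dicts, one per prompt line."""
    sections = []
    current = None
    for line in text.splitlines():
        m = PROMPT_RE.match(line)
        if m and m.group("cmd").strip():
            current = {"command": m.group("cmd").strip(), "lines": []}
            sections.append(current)
        elif current is not None:
            current["lines"].append(line)
    for sec in sections:
        lines = sec.pop("lines")
        sec["output"] = "\n".join(lines) + ("\n" if lines else "")
        sec["sha256"] = hashlib.sha256(sec["output"].encode()).hexdigest()
    return sections


def parse_show_clock(line):
    """Parse the first line of `show clock detail`; None if it does not match."""
    m = CLOCK_RE.match(line.strip())
    if not m:
        return None
    when = datetime.strptime(
        f"{m['hms']} {m['mon']} {m['day']} {m['year']}", "%H:%M:%S %b %d %Y"
    ) + timedelta(milliseconds=int(m["ms"]))
    status = {"": "authoritative", "*": "not authoritative", ".": "ntp sync lost"}
    return {"time": when, "tz": m["tz"], "status": status[m["flag"]]}


def clock_skew(router_clock_line, examiner_time_iso):
    """Examiner time minus router time, in seconds (positive: router is behind).

    Both times must be in the same zone: the router line carries its zone name
    and the examiner time is an ISO-8601 string noted while recording.
    """
    router = parse_show_clock(router_clock_line)
    if router is None:
        raise ValueError(f"not a show clock line: {router_clock_line!r}")
    delta = datetime.fromisoformat(examiner_time_iso) - router["time"]
    return round(delta.total_seconds(), 3)


if __name__ == "__main__":
    sections = split_session(SAMPLE_SESSION)
    for sec in sections:
        print(f"{sec['sha256'][:16]}  {sec['command']}")
    first = sections[0]["output"].splitlines()[0]
    # Examiner's own clock read 21:07:02 UTC when the command was run (constructed).
    print("router behind examiner by", clock_skew(first, "2002-03-14T21:07:02"), "s")
```

The skew is what you apply to every timestamp in show logging and in the syslog server's copy of the router's messages before placing them on a single timeline; a "not authoritative" clock means the router's timestamps are only usable relative to each other.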
Volatile Evidence
Indirect Access
Remote evidence may be all you can get if the passwords have been changed and you can no
longer log in. Port scan each of the router's IP addresses (TCP SYN, UDP and RPC scans over
the whole port range, with no ping probe first):
nmap -v -sS -P0 -p 1- Router.domain.com
nmap -v -sU -P0 -p 1- Router.domain.com
nmap -v -sR -P0 -p 1- Router.domain.com
In current Nmap releases -P0 is written -Pn, and the separate RPC scan (-sR) has been removed in
favour of version detection (-sV). Scanning is not passive: it adds to the router's logs and
interface counters and may be noticed by an attacker who still has access, so record when and
from where each scan was run and keep the scan output with the rest of the evidence.
IOS Vulnerabilities
Logging
Timestamps
Logging
Console Logging
Messages logged to the console are captured by your recorded console session.
Buffered Logging
If buffered logging is turned on, the show logging command shows the contents of the router's
log buffer, the severity level at which logging is performed, and the hosts that log messages
are sent to. The buffer lives in RAM and is lost on reboot, which is one reason not to reboot the router.
Terminal Logging
The terminal monitor command lets non-console (vty) sessions see log messages.
Syslog Logging
Log messages are sent to a syslog server when logging is turned on and a logging <host> command
names the server; the logging trap level selects which severities are forwarded. The server's copy
is the one that survives a reboot or a cleared buffer, so collect it as well.
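The following IOS configuration fragment is an added example (not from the original slides) that puts the logging types above together in the form an investigator would want to find on a router: timestamped messages, a buffer for show logging, and a syslog copy off the box. The syslog server 10.0.0.5, the NTP server 10.0.0.9 and the Loopback0 interface are assumed values for illustration.

```text
! Default IOS timestamps are uptime-based ("3d02h:") and cannot be placed on a
! wall-clock timeline.  Replace them with date, time, milliseconds and zone:
service timestamps log datetime msec localtime show-timezone
service timestamps debug datetime msec localtime show-timezone
clock timezone UTC 0
! 10.0.0.9 is an assumed NTP server address
ntp server 10.0.0.9
!
! Buffered logging: this is what "show logging" returns during the investigation
logging buffered 65536 informational
!
! Syslog logging: a copy that survives a reboot or a wiped buffer
! 10.0.0.5 is an assumed syslog server; Loopback0 is an assumed interface
logging host 10.0.0.5
logging trap informational
logging source-interface Loopback0
logging facility local6
!
! Console logging: captured by the recorded console session
logging console warnings
```

Terminal logging needs no configuration: it is the exec command terminal monitor, run in a vty session. The logging trap and logging buffered levels are independent, so check both in show logging; a router that buffers at debugging but traps at errors has sent far less to the syslog server than it kept locally.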
SNMP Logging
If SNMP is running, traps may be sent to the management station named by snmp-server host; check there as well.
AAA Logging
If AAA is configured, check the aaa accounting commands to see what accounting records are sent
to the AAA (TACACS+ or RADIUS) server. The router itself is the Network Access Server; the
records of who logged in, what commands they ran and which connections they opened are on the
AAA server, not on the router.
Router#configure terminal
Router(config)#aaa accounting exec default start-stop group tacacs+
Router(config)#aaa accounting system default stop-only group tacacs+
Router(config)#aaa accounting connection default start-stop group tacacs+
Router(config)#aaa accounting network default start-stop group tacacs+
Real Time Forensics
You can also use ACL logging to count packets and log specific
events. With syslog logging configured and the syslog files
analysed as messages arrive, this gives you real-time monitoring.
The ACL
access-list 149 permit udp host 130.18.59.1 any eq 161 log-input
access-list 149 permit ip any any
will not block any packets, but will log all incoming SNMP
requests (UDP port 161) from 130.18.59.1 to any internal host.
The final permit ip any any is required: every ACL ends with an
implicit deny, so a one-line permit list applied to an interface
would drop all other traffic.
The ACLs
access-list 148 deny tcp 130.18.59.0 0.0.0.255 any eq 53 log-input
access-list 148 deny udp 130.18.59.0 0.0.0.255 any eq 53 log-input
access-list 148 permit ip any any
will block and log any DNS packets from the subnet
130.18.59.0/24 to any internal host and pass everything else.
The log-input keyword adds the input interface and source MAC
address to each message. ACL log messages are rate-limited: the
first matching packet is logged, then a summary with a packet
count at five-minute intervals by default, so use the match
counters from show access-lists for exact totals.
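As an added example (not from the original slides) of the real-time analysis described above, the following Python script parses the %SEC-6-IPACCESSLOG messages that ACLs 148 and 149 would produce, totals packets per flow (adding the periodic summaries to the first-packet messages), keeps the interface and MAC address that log-input adds, and lists which denied sources fall inside the 130.18.59.0/24 subnet. The syslog lines are constructed; the router name, sequence numbers, timestamps and MAC addresses in them are made up, and the syslog prefix format varies by server, so the parser searches for the IOS message rather than anchoring on the prefix.

```python
"""Parse Cisco IOS ACL log messages (%SEC-6-IPACCESSLOG*) out of syslog and
total the packet counts per flow, so a log-only or deny-and-log ACL can be
watched as the messages arrive.

Added example for this page, not part of the original slides.  The syslog
lines below are constructed, not captured from a real router; the router
name, addresses and MAC addresses in them are made up.
"""
import ipaddress
import re
from collections import defaultdict

# Message body, e.g.
#   list 148 denied udp 130.18.59.7(1045) (Ethernet0 0010.7b3a.1c23) -> 10.1.1.5(53), 1 packet
# Ports are absent for ICMP/other protocols, the "(interface mac)" part is only
# present when the ACL entry uses log-input, and periodic summaries end in "N packets".
ACL_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG\w+:\s+list\s+(?P<acl>\S+)\s+(?P<action>permitted|denied)\s+"
    r"(?P<proto>\S+)\s+(?P<src>[\d.]+)(?:\((?P<sport>\d+)\))?"
    r"(?:\s+\((?P<iface>\S+)\s+(?P<mac>[0-9a-f.]+)\))?"
    r"\s+->\s+(?P<dst>[\d.]+)(?:\((?P<dport>\d+)\))?"
    r"(?:\s+\((?P<icmp>\d+/\d+)\))?,\s+(?P<count>\d+)\s+packets?"
)

# Constructed syslog lines (server prefix, then the router's own timestamp).
SAMPLE_SYSLOG = [
    "Mar 14 21:10:03 router1 41: *Mar 14 21:09:58.114 UTC: %SEC-6-IPACCESSLOGP: "
    "list 149 permitted udp 130.18.59.1(2048) (Ethernet0 0010.7b3a.1c22) -> 10.1.1.5(161), 1 packet",
    "Mar 14 21:11:40 router1 42: *Mar 14 21:11:35.907 UTC: %SEC-6-IPACCESSLOGP: "
    "list 148 denied udp 130.18.59.7(1045) (Ethernet0 0010.7b3a.1c23) -> 10.1.1.5(53), 1 packet",
    "Mar 14 21:11:41 router1 43: *Mar 14 21:11:36.220 UTC: %SEC-6-IPACCESSLOGP: "
    "list 148 denied tcp 130.18.59.7(1046) (Ethernet0 0010.7b3a.1c23) -> 10.1.1.5(53), 1 packet",
    "Mar 14 21:12:15 router1 44: *Mar 14 21:12:10.001 UTC: %SYS-5-CONFIG_I: "
    "Configured from console by console",
    # Five-minute summary for the same flow: packets seen since the first message.
    "Mar 14 21:16:41 router1 45: *Mar 14 21:16:36.314 UTC: %SEC-6-IPACCESSLOGP: "
    "list 148 denied udp 130.18.59.7(1045) -> 10.1.1.5(53), 41 packets",
]


def parse_acl_log(line):
    """Return the fields of one ACL log message, or None for any other line."""
    m = ACL_LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["count"] = int(rec["count"])
    return rec


def summarize(lines):
    """Total packets per (acl, action, proto, src, dst, dport) across all messages."""
    totals = defaultdict(int)
    for line in lines:
        rec = parse_acl_log(line)
        if rec is None:
            continue
        key = (rec["acl"], rec["action"], rec["proto"], rec["src"], rec["dst"], rec["dport"])
        totals[key] += rec["count"]
    return dict(totals)


def denied_sources_in(summary, cidr):
    """Sorted distinct source addresses with denied flows inside the given subnet."""
    net = ipaddress.ip_network(cidr)
    return sorted({src for (_acl, action, _proto, src, _dst, _dport) in summary
                   if action == "denied" and ipaddress.ip_address(src) in net})


if __name__ == "__main__":
    totals = summarize(SAMPLE_SYSLOG)
    for (acl, action, proto, src, dst, dport), n in sorted(totals.items()):
        print(f"list {acl} {action:9} {proto:4} {src} -> {dst}:{dport}  {n} packets")
    print("denied sources in 130.18.59.0/24:", denied_sources_in(totals, "130.18.59.0/24"))
```

Because of the rate limiting, the totals here are a lower bound on what the ACL matched; compare them with the match counters from show access-lists on the router when you have console access.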
Summary