Cisco Router HackingCisco Router Hacking

Group 8Group 8

Vernon GuishardVernon GuishardKelvin AgueborKelvin Aguebor

ECE 4112ECE 4112

IntroductionIntroduction

• Cisco Systems, Inc. sells networking and communications technology and Cisco Systems, Inc. sells networking and communications technology and services.services.

• Cisco is known for creating the first commercially successful multi-Cisco is known for creating the first commercially successful multi-protocol router.protocol router.

• March 2000, Cisco had the market capitalization of $500 billion.March 2000, Cisco had the market capitalization of $500 billion.

• Currently, it has a market cap of $175 billion, controls 58% of the market Currently, it has a market cap of $175 billion, controls 58% of the market sale of routers.sale of routers.

• The Cisco routers have been more likely to have attacks.The Cisco routers have been more likely to have attacks.

• Large market share can lead to attacks being devastating for the internet.Large market share can lead to attacks being devastating for the internet.

Identifying Routers and VulnerabilitiesIdentifying Routers and Vulnerabilities

• Nmap is used to identify the router.Nmap is used to identify the router.– OS fingerprintingOS fingerprinting

• Telnet is another solution to track down routers.Telnet is another solution to track down routers.– Trademark Cisco Banner “User Access Verification”Trademark Cisco Banner “User Access Verification”

• SING is used to identify the router.SING is used to identify the router.– It uses ICMP packets to find the routerIt uses ICMP packets to find the router

• Nessus can be used to find vulnerabilities. Nessus can be used to find vulnerabilities.

Cisco VulnerabilitiesCisco Vulnerabilities

• Console Password RecoveryConsole Password Recovery– All Cisco routers and switches affectedAll Cisco routers and switches affected– Not regarded as a vulnerabilityNot regarded as a vulnerability– A way for System Admin to recover lost passwordsA way for System Admin to recover lost passwords– May be used by hackers who have physical access to machinesMay be used by hackers who have physical access to machines

• HTTP Configuration Arbitrary Administrative Access HTTP Configuration Arbitrary Administrative Access VulnerabilityVulnerability– Cisco IOS release 11.3 or higher, are vulnerable.Cisco IOS release 11.3 or higher, are vulnerable.– Attacker can gain access to a router without authenticationAttacker can gain access to a router without authentication– Attacker can completely control, change, and configure the deviceAttacker can completely control, change, and configure the device– http://10.0.1.252/level/99/exec/show/config http://10.0.1.252/level/99/exec/show/config

Cisco VulnerabilitiesCisco Vulnerabilities

• Router Denial of Service (DOS) VulnerabilityRouter Denial of Service (DOS) Vulnerability– It affects all Cisco routers and switches from releases 11.1 through 12.1It affects all Cisco routers and switches from releases 11.1 through 12.1– Causes the routers and switches to stop forwarding packets on specific Causes the routers and switches to stop forwarding packets on specific

interfaceinterface– IPv4 packets with protocol type of 53, 55, 77 or 103 causes input queue IPv4 packets with protocol type of 53, 55, 77 or 103 causes input queue

to be flagged as fullto be flagged as full

• Telnet Buffer Overflow VulnerabilityTelnet Buffer Overflow Vulnerability– Cisco Broadband Operating System (CBOS), an operating system for the Cisco Broadband Operating System (CBOS), an operating system for the

Cisco 600 family of routers are vulnerableCisco 600 family of routers are vulnerable– Extremely long telnet passwords cause the router to crash then rebootExtremely long telnet passwords cause the router to crash then reboot– Attacker can repeat until fixed, causing a DOSAttacker can repeat until fixed, causing a DOS

Solutions to VulnerabilitiesSolutions to Vulnerabilities

• Vulnerabilities know by Cisco and Patches ReleasedVulnerabilities know by Cisco and Patches Released– Most lingering vulnerabilities due to poor network administrationMost lingering vulnerabilities due to poor network administration

– Upgrade Cisco IOSUpgrade Cisco IOS

– Use access-list if not able to upgradeUse access-list if not able to upgrade

– TACAS or Radius effective in preventing HTTP vulnerabilityTACAS or Radius effective in preventing HTTP vulnerability

Lab ProceduresLab Procedures

• Section 1: Console Password ExploitSection 1: Console Password Exploit– Using hyper terminal to access routersUsing hyper terminal to access routers

– Obtaining enable password and enable secret of the routerObtaining enable password and enable secret of the router

• Section 2: Identifying Cisco RoutersSection 2: Identifying Cisco Routers– Using NMAP and telnet to identify routersUsing NMAP and telnet to identify routers

• Section 3: Network ExploitsSection 3: Network Exploits– Using the Cisco Global Exploit toolUsing the Cisco Global Exploit tool

– Protecting against the Cisco Global Exploit tool Protecting against the Cisco Global Exploit tool

ReferencesReferences

• http://http://en.wikipedia.org/wiki/Terminal_emulatoren.wikipedia.org/wiki/Terminal_emulator

• http://www.securityfocus.com/infocus/1734http://www.securityfocus.com/infocus/1734

• http://www.securityfocus.com/infocus/1749http://www.securityfocus.com/infocus/1749

• http://secure-o-gram.blogspot.com/2005/11/ios-exploit-and-auditing-http://secure-o-gram.blogspot.com/2005/11/ios-exploit-and-auditing-tools.htmltools.html

• http://www.cisco.com/warp/public/707/cisco-sn-20040326-http://www.cisco.com/warp/public/707/cisco-sn-20040326-exploits.shtml#detailsexploits.shtml#details

• http://www.milw0rm.com/exploits/http://www.milw0rm.com/exploits/

• http://www.cisco.com/en/US/products/hw/routers/ps133/http://www.cisco.com/en/US/products/hw/routers/ps133/products_tech_note09186a008022493f.shtmlproducts_tech_note09186a008022493f.shtml

Questions?Questions?