Investigating Router
Transcript of Investigating Router
-
8/3/2019 Investigating Router
4/29/12
INVESTIGATING ROUTERS
-
Routers
With routers, information in memory is almost always important, because routers have little data-storage capability.
The only real data saved in NVRAM is the configuration of the router itself (the startup-config).
The system state information held in memory, such as the current routing tables, listening services, the ARP cache, and any passwords changed in the running configuration but never saved, will be lost if the router is powered down or rebooted. Collect it over the console before doing anything that could cause a reload.
-
Establishing a Router Connection
When establishing a connection to the router, make sure to log the entire session. With HyperTerminal, simply select the Transfer | Capture Text option to log the session.
The Cisco Internetwork Operating System (IOS) command language has multiple modes, such as initial setup, login prompt, basic command (user EXEC, prompt ">"), enable (privileged EXEC, prompt "#"), configuration, and interface configuration.
By default, you are in basic mode, which allows you to display status information but not to change anything; the enable password is required for privileged commands such as show running-config.
-
Determining Who Is Logged On
cisco_router>show users
    Line       User       Host(s)              Idle       Location
*   0 con 0               idle                 00:29:46
    1 vty 0               idle                 00:00:00   10.0.2.71
    2 vty 1               10.0.2.18            00:00:36   172.16.1.1
The first entry, marked with an asterisk, is the console session from which the command was issued. The Host(s) column of the third entry (vty 1, from 172.16.1.1) shows that that session has itself opened a connection from the router to 10.0.2.18, so the router is being used as a stepping stone.
The second entry is a vty, or virtual terminal line. It indicates that someone has logged on to the router from the host with IP address
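When the captured session log is reviewed later, the `show users` columns have to be picked apart by hand. The following is an added example written for this page, not code from the original slides: it parses the output into sessions, lists the remote (vty) logins, flags those whose source address is not on an investigator-supplied allow-list, and flags sessions that have connected onward from the router. The sample output and the trusted address 10.0.2.71 are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample of "show users" output in the format shown above
# (not captured from a real router). The '*' marks the line issuing the command.
SHOW_USERS = """\
    Line       User       Host(s)              Idle       Location
*   0 con 0               idle                 00:29:46
    1 vty 0               idle                 00:00:00   10.0.2.71
    2 vty 1    admin      10.0.2.18            00:00:36   172.16.1.1
"""

# Idle column: HH:MM:SS, or IOS short forms such as 1d02h for long idle times.
IDLE_RE = re.compile(r"^(?:\d{1,2}:\d{2}:\d{2}|\d+[wdh]\d{1,2}[dhm])$")


@dataclass
class Session:
    line_no: int
    line_type: str            # con, aux, vty, tty
    user: str                 # empty when the line is protected only by a line password
    hosts: str                # "idle", or the host this session has connected out to
    idle: str
    location: Optional[str]   # source address of a remote (vty) session; None for console
    current: bool             # True for the session that ran "show users"


def parse_show_users(text: str) -> List[Session]:
    """Parse the whitespace-separated columns of 'show users'.

    Column widths vary between IOS versions, so the Idle value is used as the
    anchor: Host(s) is the token before it, Location the tokens after it, and
    anything between the three line fields and Host(s) is the User.
    """
    sessions = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Line"):
            continue
        current = line.startswith("*")
        tokens = line.lstrip("* ").split()
        idle_idx = next((i for i, t in enumerate(tokens) if i >= 4 and IDLE_RE.match(t)), None)
        if idle_idx is None:
            continue
        sessions.append(Session(
            line_no=int(tokens[0]),
            line_type=tokens[1],
            user=" ".join(tokens[3:idle_idx - 1]),
            hosts=tokens[idle_idx - 1],
            idle=tokens[idle_idx],
            location=" ".join(tokens[idle_idx + 1:]) or None,
            current=current,
        ))
    return sessions


def remote_sessions(sessions: List[Session]) -> List[Session]:
    """Sessions that came in over the network (vty lines with a source address)."""
    return [s for s in sessions if s.line_type == "vty" and s.location]


def untrusted_sessions(sessions: List[Session], trusted_sources: Set[str]) -> List[Session]:
    """Remote sessions whose source is not on the admin allow-list (investigator's assumption)."""
    return [s for s in remote_sessions(sessions) if s.location not in trusted_sources]


def outbound_connections(sessions: List[Session]) -> List[Session]:
    """Sessions using the router as a jump host: Host(s) names a host, not 'idle'."""
    return [s for s in sessions if s.hosts != "idle"]


if __name__ == "__main__":
    found = parse_show_users(SHOW_USERS)
    for s in untrusted_sessions(found, {"10.0.2.71"}):
        print(f"untrusted login on vty {s.line_no} from {s.location} (user {s.user or '?'})")
    for s in outbound_connections(found):
        print(f"session from {s.location} has connected onward to {s.hosts}")
```

Run it over the captured text of the session log rather than re-running the command on the router, so the evidence you analyse is the evidence you collected.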
-
Determining the Router's Uptime
The time that the system has been online since the last reboot can also be important. Use the show version command to capture this information: the uptime and the reason for the last restart ("... uptime is ..." and "System returned to ROM by ...") appear further down in the output, after the banner excerpted here.
cisco_router>show version
Cisco Internetwork Operating System Software
IOS (tm) 1600 Software (C1600-Y-M), Version 11.3(5)T, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-1998 by cisco Systems, Inc.
Compiled Wed 12-Aug-98 04:57 by ccai
Image text-base: 0x02005000, data-base: 0x023C5A58
-
Determining Listening Sockets
An example of checking for all TCP and UDP listening ports with the port scanner ScanLine follows:
C:\ScanLine>sl -p -t 1-65535 -u 1-65535 10.0.2.244
ScanLine (TM) 1.01
Copyright (c) Foundstone, Inc. 2002
http://www.foundstone.com
Scan of 1 IP started at Sat May 14 14:21:04 2011
----------------------------------------------------------------------
10.0.2.244
Responds with ICMP unreachable: Yes
TCP ports: 23 79 80
UDP ports: 161
Here the router is listening for Telnet (23/tcp), finger (79/tcp), HTTP (80/tcp) and SNMP (161/udp): four unencrypted services, each protected only by a password or community string and each a possible way in. A scan only sees what reaches the router through its access lists, so cross-check it from the router itself with show tcp brief (TCP listeners and connections) and show ip sockets (UDP).
-
Saving the Router Configuration
All configuration information for Cisco routers is stored in a single configuration file. You can change the configuration of the router without modifying the configuration file stored in NVRAM: changes take effect in the running configuration in memory and are only written to NVRAM by an explicit save (write memory or copy running-config startup-config). An attacker who alters the running configuration but never saves it leaves NVRAM untouched, so capture both and compare them.
Use the show running-config command to view the configuration currently loaded on the router (the # prompt shows these commands are issued from enable mode).
cisco_router#show running-config
Use the show startup-config or equivalent show config command to view the configuration saved in NVRAM.
cisco_router#show startup-config
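Comparing the two captures is the quickest way to see what an attacker changed in memory without saving. The following is an added example written for this page, not code from the original slides: it diffs a saved and a running configuration and pulls out the unsaved lines that affect authentication, management access or routing. Both configurations, the "backdoor" user and the 192.168.50.0/24 route are constructed for the example, and the list of access-relevant statements is an assumption, not an exhaustive IOS reference.

```python
import difflib
import re
from typing import List, Tuple

# Constructed sample configurations (not from the page). STARTUP_CONFIG is what
# NVRAM holds; RUNNING_CONFIG is the in-memory configuration at collection time.
STARTUP_CONFIG = """\
version 11.3
hostname cisco_router
enable secret 5 $1$EXAMPLE$placeholderhashnotreal
!
interface Ethernet0
 ip address 10.0.2.244 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 172.16.1.1
!
line vty 0 4
 access-class 10 in
 password 7 0822455D0A16
 login
"""

RUNNING_CONFIG = """\
version 11.3
hostname cisco_router
enable secret 5 $1$EXAMPLE$placeholderhashnotreal
username backdoor privilege 15 password 0 letmein
!
interface Ethernet0
 ip address 10.0.2.244 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 172.16.1.1
ip route 192.168.50.0 255.255.255.0 172.16.1.1
!
line vty 0 4
 password 7 0822455D0A16
 login
"""

# Statements that change who can reach or control the router, or where traffic
# goes. Assumption for this example, not a complete list of IOS commands.
ACCESS_RELEVANT = re.compile(
    r"^(username |enable |snmp-server |ip route |access-list |access-class |"
    r"transport input |ip http |line vty|password |login)"
)


def config_diff(startup: str, running: str) -> List[str]:
    """Unified diff (no context lines) of the saved vs. the in-memory config."""
    return list(difflib.unified_diff(
        startup.splitlines(), running.splitlines(),
        fromfile="startup-config", tofile="running-config", lineterm="", n=0))


def unsaved_changes(startup: str, running: str) -> Tuple[List[str], List[str]]:
    """Return (lines present only in memory, lines present only in NVRAM)."""
    added, removed = [], []
    for line in config_diff(startup, running):
        if line.startswith(("---", "+++", "@@")):
            continue
        if line.startswith("+"):
            added.append(line[1:])
        elif line.startswith("-"):
            removed.append(line[1:])
    return added, removed


def suspicious_changes(startup: str, running: str) -> List[str]:
    """Unsaved changes that touch authentication, management access or routing."""
    added, removed = unsaved_changes(startup, running)
    return ([f"+{l}" for l in added if ACCESS_RELEVANT.match(l.strip())]
            + [f"-{l}" for l in removed if ACCESS_RELEVANT.match(l.strip())])


if __name__ == "__main__":
    for change in suspicious_changes(STARTUP_CONFIG, RUNNING_CONFIG):
        print(change)
```

In the sample the attacker added a privilege-15 user and a static route and removed the access-class from the vty lines, none of which is visible in the saved configuration; a reboot would silently undo all three, which is why both copies must be captured before anything is restarted.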
-
Reviewing the Routing Table
The routing table can be manipulated through command-line access, as well as through malicious router update packets. In either case, the routing table will reflect the changes.
To view the routing table, use the show ip route command.
cisco_router#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, *
-
Static routes, such as the last route in the example above, are also visible within the configuration file (as ip route statements). If a malicious static route appears, then an attacker has manipulated the router configuration.
Other routes may be modified without directly accessing the router, through techniques such as Routing Information Protocol (RIP) spoofing.
RIP is a routing protocol that is used by routers to update their neighbors' routing tables.
An attacker can send a spoofed RIP packet, updating the victim router's routing tables, without ever gaining access to the router. Such a route appears in show ip route with code R and the attacker's chosen next hop, but never in the configuration file.
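The two cases above (a static route that is not in the saved configuration, and a dynamic route learned from a neighbor that should not exist) can both be checked mechanically against the captured output. The following is an added example written for this page, not code from the original slides: it parses show ip route, compares the static routes against the ip route statements of a startup-config, and flags dynamically learned routes whose next hop is not a known neighbor. The route table, the configuration fragment and the trusted-neighbor set are constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample of "show ip route" output (not captured from a real router).
SHOW_IP_ROUTE = """\
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default

Gateway of last resort is 172.16.1.1 to network 0.0.0.0

C    10.0.2.0/24 is directly connected, Ethernet0
C    172.16.1.0/24 is directly connected, Ethernet1
R    192.168.10.0/24 [120/1] via 10.0.2.71, 00:00:12, Ethernet0
R    192.168.20.0/24 [120/1] via 10.0.2.200, 00:00:03, Ethernet0
S    192.168.50.0/24 [1/0] via 172.16.1.1
S*   0.0.0.0/0 [1/0] via 172.16.1.1
"""

# Constructed startup-config fragment: the only static route the admin saved.
STARTUP_CONFIG = """\
ip route 0.0.0.0 0.0.0.0 172.16.1.1
"""

ROUTE_RE = re.compile(
    r"^(?P<code>[A-Za-z]\*?(?: [A-Z][A-Z0-9])?)\s+"       # source code(s): S, S*, R, O IA, D EX ...
    r"(?P<prefix>\d+\.\d+\.\d+\.\d+(?:/\d+)?)"            # destination network
    r"(?:\s+\[(?P<ad>\d+)/(?P<metric>\d+)\])?"             # [administrative distance/metric]
    r"\s+(?:via (?P<nexthop>\d+\.\d+\.\d+\.\d+)|is directly connected)"
)


@dataclass
class Route:
    code: str
    prefix: str
    nexthop: Optional[str]    # None for directly connected / interface routes
    ad: Optional[int]
    metric: Optional[int]

    @property
    def is_static(self) -> bool:
        return self.code.startswith("S")

    @property
    def is_dynamic(self) -> bool:
        return not self.is_static and not self.code.startswith("C")


def parse_show_ip_route(text: str) -> List[Route]:
    """Parse the per-route lines; header, codes and 'is subnetted' lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            routes.append(Route(code=m["code"], prefix=m["prefix"], nexthop=m["nexthop"],
                                ad=int(m["ad"]) if m["ad"] else None,
                                metric=int(m["metric"]) if m["metric"] else None))
    return routes


def configured_static_routes(config: str) -> Set[str]:
    """Networks from 'ip route <net> <mask> ...' statements, as CIDR strings."""
    nets = set()
    for line in config.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "ip" and parts[1] == "route":
            nets.add(str(ipaddress.ip_network((parts[2], parts[3]))))
    return nets


def unexpected_static_routes(routes: List[Route], config: str) -> List[Route]:
    """Static routes in the table with no matching 'ip route' in the saved config."""
    expected = configured_static_routes(config)
    expected_addrs = {n.split("/")[0] for n in expected}   # for classful output without /len
    flagged = []
    for r in routes:
        if not r.is_static:
            continue
        known = r.prefix in expected if "/" in r.prefix else r.prefix in expected_addrs
        if not known:
            flagged.append(r)
    return flagged


def routes_from_untrusted_neighbors(routes: List[Route], trusted: Set[str]) -> List[Route]:
    """Dynamically learned routes whose next hop is not a known neighbor router.

    A RIP route advertised from an unexpected source is what the spoofed-update
    attack looks like in the table. 'trusted' is the investigator's assumption.
    """
    return [r for r in routes if r.is_dynamic and r.nexthop and r.nexthop not in trusted]


if __name__ == "__main__":
    table = parse_show_ip_route(SHOW_IP_ROUTE)
    for r in unexpected_static_routes(table, STARTUP_CONFIG):
        print(f"static route {r.prefix} via {r.nexthop} is not in the saved configuration")
    for r in routes_from_untrusted_neighbors(table, {"10.0.2.71", "172.16.1.1"}):
        print(f"{r.code} route {r.prefix} learned from unknown neighbor {r.nexthop}")
```

The static 192.168.50.0/24 entry points to direct compromise (someone ran configuration commands); the RIP entry learned from 10.0.2.200 points to spoofed updates and is the address to look for in packet captures on the Ethernet0 segment.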
-
Checking Interface Configurations
Information about the configuration of each of the router's interfaces is available via the show ip interface command.
cisco_router#show ip interface
Ethernet0 is up, line protocol is up
  Internet address is 10.0.2.244/24
  Broadcast address is 255.255.255.255
  Address determined by non-volatile memory
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Multicast reserved groups joined: 224.0.0.9
  Outgoing access list is not set
-
  IP fast switching is enabled
  IP fast switching on the same interface is disabled
  IP multicast fast switching is disabled
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  Probe proxy name replies are disabled
  Gateway Discovery is disabled
  Policy routing is disabled
  Network address translation is disabled
Note that Ethernet0 has joined 224.0.0.9, the RIP version 2 multicast group, and that no outgoing access list is set: the interface is speaking RIP on the 10.0.2.0/24 segment, which is exactly what the routing-table attacks discussed later rely on.
-
Viewing the ARP Cache
Address Resolution Protocol (ARP) maps IP addresses to media access control (MAC) addresses.
Unlike IP addresses (which are Network layer addresses), MAC addresses are physical addresses (layer 2 of the OSI model) and are not routed outside broadcast domains.
Routers store the MAC address of each device on a directly attached broadcast domain that they have recently exchanged traffic with, along with its IP address, in the ARP cache.
Attackers occasionally spoof IP or MAC addresses to circumvent security controls, such as access control lists (ACLs), firewall rules, or switch port assignments. In the ARP cache this shows up as one MAC address answering for several IP addresses, or as an IP address whose MAC address differs from an earlier capture.
-
Use the show ip arp command to view the ARP cache. An Age of "-" marks the router's own interface addresses.
cisco_router#show ip arp
Protocol  Address          Age (min)  Hardware Addr   Type  Interface
Internet  172.16.1.253            -   0010.7bf9.1d81  ARPA  Ethernet1
Internet  10.0.2.71               0   0010.4bed.d708  ARPA  Ethernet0
Internet  10.0.2.244              -   0010.7bf9.1d80  ARPA  Ethernet0
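The two ARP indicators mentioned above (one MAC answering for several addresses, and an address whose MAC has changed) are easy to miss by eye in a long cache. The following is an added example written for this page, not code from the original slides: it parses show ip arp and checks a current capture both on its own and against an earlier baseline capture. Both snapshots are constructed for the example; in them the host at 0010.4bed.d708 (10.0.2.71) has started answering for the gateway address 10.0.2.1.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed "show ip arp" snapshots (not captured from a real router).
# Age "-" marks the router's own interface addresses.
ARP_BASELINE = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  172.16.1.253            -   0010.7bf9.1d81  ARPA   Ethernet1
Internet  10.0.2.1                5   00e0.1e5a.aaaa  ARPA   Ethernet0
Internet  10.0.2.71               0   0010.4bed.d708  ARPA   Ethernet0
Internet  10.0.2.244              -   0010.7bf9.1d80  ARPA   Ethernet0
"""

ARP_NOW = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  172.16.1.253            -   0010.7bf9.1d81  ARPA   Ethernet1
Internet  10.0.2.1                0   0010.4bed.d708  ARPA   Ethernet0
Internet  10.0.2.71               0   0010.4bed.d708  ARPA   Ethernet0
Internet  10.0.2.244              -   0010.7bf9.1d80  ARPA   Ethernet0
Internet  10.0.2.18              12   00e0.1e5a.22c0  ARPA   Ethernet0
"""


@dataclass(frozen=True)
class ArpEntry:
    address: str
    age: str          # minutes, or "-" for the router's own interface
    mac: str
    interface: str

    @property
    def is_local(self) -> bool:
        return self.age == "-"


def parse_show_ip_arp(text: str) -> List[ArpEntry]:
    """Parse complete entries; the header and 'Incomplete' entries (5 fields) are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[0] != "Internet":
            continue
        entries.append(ArpEntry(address=parts[1], age=parts[2], mac=parts[3], interface=parts[5]))
    return entries


def shared_macs(entries: List[ArpEntry]) -> Dict[Tuple[str, str], List[str]]:
    """(interface, MAC) pairs that answer for more than one IP address.

    One NIC claiming several addresses on a segment is how ARP spoofing looks
    from the router: a host answering for the gateway or for another host.
    Legitimate causes exist (secondary addresses, HSRP/VRRP virtual MACs), so a
    hit is an indicator to verify, not proof.
    """
    seen: Dict[Tuple[str, str], List[str]] = {}
    for e in entries:
        if not e.is_local:
            seen.setdefault((e.interface, e.mac), []).append(e.address)
    return {k: v for k, v in seen.items() if len(v) > 1}


def changed_macs(baseline: List[ArpEntry], current: List[ArpEntry]) -> List[Tuple[str, str, str]]:
    """Addresses whose MAC differs from an earlier snapshot: (ip, old_mac, new_mac)."""
    before = {e.address: e.mac for e in baseline}
    return [(e.address, before[e.address], e.mac)
            for e in current if e.address in before and before[e.address] != e.mac]


if __name__ == "__main__":
    now = parse_show_ip_arp(ARP_NOW)
    for (iface, mac), ips in shared_macs(now).items():
        print(f"{mac} on {iface} answers for {', '.join(ips)}")
    for ip, old, new in changed_macs(parse_show_ip_arp(ARP_BASELINE), now):
        print(f"{ip} moved from {old} to {new}")
```

The baseline can be a capture from a previous incident-response session or a routine configuration backup; without one, the duplicate-MAC check still works on a single snapshot.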
-
FINDING THE PROOF
Types of incidents that involve routers
Direct compromise
Routing table manipulation
Theft of information
Denial of service
-
Direct-Compromise Incidents
Handling Direct-Compromise Incidents
Direct compromise of the router is any incident where an attacker gains interactive or privileged access to the router.
Direct compromise provides the attacker with control of the router and access to the data stored on the router.
Anyone with interactive access can use the router to identify and compromise other hosts via the client tools built into IOS, such as ping and telnet, which is why the Host(s) column of show users is worth checking.
-
Investigating a Direct-Compromise Incident
With the information you've already collected, namely the configuration file and the list of listening ports, the investigation is off to a strong start.
Listening Services: The listening services on the router provide the potential attack points from the network. Each one (Telnet, HTTP, finger and SNMP in the scan above) should be checked for weak credentials and for exposure beyond the trusted management hosts.
Passwords: Most avenues of attack to the router require a password. Check the configuration for plaintext (type 0) and type 7 passwords, both of which are readable to anyone who obtains a copy of the configuration, and for passwords that double as SNMP community strings.
Other Compromise Possibilities: If the compromise did not come via a listening service or a password, there are a few other possibilities, such as console or other physical access, or a software vulnerability in the IOS version recorded by show version.
-
Recovering from Direct-Compromise Incidents
Examples of steps that should be taken include the following:
Remove all unnecessary services (for example the HTTP server and finger seen in the scan).
Allow remote access only through encrypted protocols (SSH rather than Telnet).
Allow no SNMP access, or read-only access restricted by an ACL.
Do not use the SNMP community string as the password for any other access.
Change all passwords.
Implement ACLs so that only connections from trusted hosts are allowed to the router.
Upgrade the software with the latest updates.
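The checklist above can be turned into a check that runs over a captured configuration, which is useful both for confirming the recovery and for triaging the configuration collected during the investigation. The following is an added example written for this page, not code from the original slides or from Cisco: it audits a configuration for the items in the list (unnecessary services, unencrypted remote access, read-write or unrestricted SNMP communities, community strings reused as passwords, vty lines without an access-class) and shows a constructed weak configuration next to a hardened one. The service list, the finding codes and both configurations are this example's assumptions, not an exhaustive IOS reference.

```python
import re
from typing import Iterator, List, Tuple

# Constructed router configurations (not from the page): the first is the
# state a compromised router is often found in, the second applies the
# recovery steps listed above.
WEAK_CONFIG = """\
version 12.4
hostname cisco_router
enable password 0 cisco123
!
ip http server
ip finger
!
snmp-server community public RO
snmp-server community cisco123 RW
!
line vty 0 4
 password 0 cisco123
 login
 transport input all
!
"""

HARDENED_CONFIG = """\
version 12.4
service password-encryption
hostname cisco_router
enable secret 5 $1$EXAMPLE$placeholderhashnotreal
username admin secret 5 $1$EXAMPLE$placeholderhashnotreal
!
no ip http server
no ip finger
!
access-list 10 permit host 10.0.2.71
access-list 10 deny any log
snmp-server community 7r3ad0nlyC0mmun1ty RO 10
!
line vty 0 4
 access-class 10 in
 login local
 transport input ssh
!
"""

# Plaintext (type 0) passwords: 'enable password X', 'username U password X', 'password X'.
PLAINTEXT_PW = re.compile(
    r"^(?:enable password|username \S+(?: privilege \d+)? password|password)\s+(?:0\s+)?(\S+)$")

Finding = Tuple[str, str]   # (short code, human-readable detail)


def _blocks(config: str, prefix: str) -> Iterator[Tuple[str, List[str]]]:
    """Yield (header, indented body lines) for each block such as 'line vty 0 4'."""
    lines = config.splitlines()
    for i, line in enumerate(lines):
        if line.startswith(prefix):
            body = []
            for nxt in lines[i + 1:]:
                if not nxt.startswith(" "):
                    break
                body.append(nxt.strip())
            yield line.strip(), body


def audit_config(config: str) -> List[Finding]:
    findings: List[Finding] = []
    lines = [l.strip() for l in config.splitlines()]
    passwords = set()
    for l in lines:
        m = PLAINTEXT_PW.match(l)
        if m:
            passwords.add(m.group(1))

    # 1. Unnecessary services: the web server and finger both showed up in the port scan.
    if "ip http server" in lines:
        findings.append(("http-server", "HTTP management server enabled (fix: no ip http server)"))
    if "ip finger" in lines:
        findings.append(("finger", "finger service enabled (fix: no ip finger)"))

    # 2. SNMP: read-write communities, communities without an ACL, reused passwords.
    for l in lines:
        if not l.startswith("snmp-server community "):
            continue
        parts = l.split()
        community = parts[2]
        mode_idx = next((i for i, p in enumerate(parts) if p in ("RO", "RW")), None)
        if mode_idx is not None and parts[mode_idx] == "RW":
            findings.append(("snmp-rw", f"community '{community}' is read-write"))
        if mode_idx is None or len(parts) <= mode_idx + 1:
            findings.append(("snmp-no-acl", f"community '{community}' has no access-list"))
        if community in passwords:
            findings.append(("snmp-password-reuse", f"community '{community}' equals a login password"))

    # 3. Remote access: vty lines must accept SSH only and be limited by access-class.
    for header, body in _blocks(config, "line vty"):
        transport = next((b for b in body if b.startswith("transport input")), None)
        allowed = set(transport.split()[2:]) if transport else {"all"}   # no line = all (old IOS default)
        if allowed - {"ssh", "none"}:
            findings.append(("vty-telnet", f"{header}: unencrypted transport allowed ({' '.join(sorted(allowed))})"))
        if not any(b.startswith("access-class") for b in body):
            findings.append(("vty-no-access-class", f"{header}: no access-class restricting sources"))
    return findings


if __name__ == "__main__":
    for code, detail in audit_config(WEAK_CONFIG):
        print(f"{code}: {detail}")
    print("hardened config findings:", audit_config(HARDENED_CONFIG))
```

The weak configuration produces eight findings (both SNMP communities lack an ACL, and the read-write one is also the enable password); the hardened one produces none. Type 7 strings are deliberately not decoded here, but they should be treated as compromised as soon as a configuration has left the router.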
-
Routing Table Manipulation Incidents
Handling Routing Table Manipulation Incidents
Routers can use a variety of protocols to update their routing tables, including RIP, Open Shortest Path First (OSPF), Enhanced Interior Gateway Routing Protocol (EIGRP), Interior Gateway Routing Protocol (IGRP), Border Gateway Protocol (BGP), and so on.
A router running RIP version 1 will accept RIP updates without requiring any authentication; RIP version 2 supports authentication but does not require it.
Other protocols offer the capability of requiring passwords, but it is up to the administrator to implement password security.
-
Investigating Routing Table Manipulation Incidents
If unfamiliar static routes appear in the routing table, then the router may have suffered direct compromise, since static routes are only created by changing the configuration. Unfamiliar dynamic routes (RIP, OSPF and so on) point instead to spoofed or rogue routing updates; note the next-hop address they were learned from.
Recovering from Routing Table Manipulation Incidents
Temporary recovery from routing table attacks is simple: Remove unwanted static routes (and save the configuration so the removal survives the reload) and reboot the router. Remember that the reboot also discards the volatile evidence described earlier, so collect it first.
However, preventing the attacks from occurring in the future is a bit more difficult.
ACLs can be introduced to limit router updates to known-good source addresses, and where the protocol supports it (RIP version 2, OSPF, EIGRP) the updates should be authenticated.
-
Handling Theft of Information Incidents
The information that is on the router is related to network topology and access control.
Typical information that attackers glean from routers includes passwords, routing and topology information.
The recovery from this data theft is to change passwords, avoid password reuse, and limit the ability of attackers to obtain sensitive information.
-
Handling Denial-of-Service (DoS) Attacks
DoS attacks fall into several basic categories:
Destruction: Attacks that destroy the ability of the router to function, such as deleting the configuration information or unplugging the power.
Resource consumption: Attacks that degrade the ability of the router to function, such as by opening many connections to the router simultaneously.
Bandwidth consumption: Attacks that attempt to overwhelm the bandwidth capacity of the router's network.
-
Investigating DoS Attacks
If the router is not working at all, it is probably a destruction attack. Check the obvious problems first: power, cables, and configuration.
Is the router sporadically rebooting or is performance uniformly degraded?
A sporadically rebooting router is probably the result of a point-to-point attack, one directed at the router itself; the restart reason recorded by show version helps tell a crash from a power loss or an operator reload.
Uniformly degraded performance may be either a resource-consumption or a bandwidth-consumption attack.
A flood of packets directed to the router itself can also cause degradation.
-
Recovering from DoS Attacks
Recovery usually consists of a combination of the following measures:
Eliminate listening services.
Upgrade software to the latest version.
Restrict access to listening services using ACLs.
Implement ACLs to limit malicious traffic.