Investigating Router

8/3/2019 Investigating Router

1/24

Click to edit Master subtitle style

4/29/12

INVESTIGATINGROUTERS


2/24

4/29/12

Routers

With routers, information in memory isalmost always important, because routershave little data-storage capability.

The only real data saved in NVRAM is theconfiguration of the router itself

The system state information in memorysuch as current routing tables, listening

services, and current passwordswill be lostif the router is powered down or rebooted.


3/24

4/29/12

Establishing a Router ConnectionWhen establishing a connection to the router,

make sure to log the entire session. WithHyperTerminal, simply select the Transfer |Capture Text option to log the session.

The Cisco Internetwork Operating System (IOS)

command language has multiple modes, such asinitial setup, login prompt, basic command,enable, configuration, and interfaceconfiguration.

By default, you are in basic mode, which allowsyou to display configuration settings.


4/24


5/24

4/29/12

Determining Who Is Logged On

cisco_router>show users

Line User Host(s) Idle Location

* 0 con 0 idle 00:29:46

1 vty 0 idle 00:00:00 10.0.2.71

2 vty 1 10.0.2.18 00:00:36 172.16.1.1

The second entry is a vty, or virtual terminalline. It indicates that someone has logged on to

the router from the host with IP address


6/24

4/29/12

Determining the Routers Uptime

The time that the system has been

online since the last reboot can also beimportant. Use the show versioncommand to capture this information.

cisco_router>show version

Cisco Internetwork Operating System Software

IOS (tm) 1600 Software (C1600-Y-M), Version11.3(5)T, RELEASE SOFTWARE (fc1)

Copyright (c) 1986-1998 by cisco Systems, Inc.

Compiled Wed 12-Aug-98 04:57 by ccai

Image text-base: 0x02005000, data-base:0x023C5A58


7/244/29/12

Determining Listening SocketsAn example of checking for all TCP and UDP listening portswith the port scanner ScanLine follows:

C:\ScanLine>sl -p -t 1-65535 -u 1-65535 10.0.2.244

ScanLine (TM) 1.01

Copyright (c) Foundstone, Inc. 2002

http://www.foundstone.com

Scan of 1 IP started at Sat May 14 14:21:04 2011

----------------------------------------------------------------------

10.0.2.244

Responds with ICMP unreachable: Yes

TCP ports: 23 79 80

UDP ports: 161


8/244/29/12

Saving the Router ConfigurationAll configuration information for Cisco routers is

stored in a single configuration file.you can change the configuration of the router

without modifying the configuration file stored inNVRAM.

Use the show running-config command to viewthe configuration currently loaded on the router.

cisco_router#show running-config

Use the show startup-config or equivalent showconfig command to view the configuration savedin NVRAM.

cisco_router#show startup-config


9/244/29/12

Reviewing the Routing TableThe routing table can be manipulated through command-line access, as well as through malicious router update

packets. In either case, the routing table will reflect thechanges.

To view the routing table, use the show ip routecommand.

cisco_router#show ip route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B -BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter areaN1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type2

E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, *


10/244/29/12

Static routes, such as the last route in the exampleabove, are also visible within the configuration file.If a malicious static route appears, then an attacker

has manipulated the router configuration.

Other routes may be modified without directlyaccessing the router, through techniques such asRouting Information Protocol (RIP) spoofing.

RIP is a routing protocol that is used by routers toupdate their neighbors routing tables.

An attacker can send a spoofed RIP packet, updating

the victim routers routing tables, without evergaining access to the router.


11/244/29/12

Checking Interface Configurations Information about the configuration of each of the routers interfaces

is available via the show ip interface command.

cisco_router#show ip interface

Ethernet0 is up, line protocol is up

Internet address is 10.0.2.244/24

Broadcast address is 255.255.255.255Address determined by non-volatile memory

MTU is 1500 bytes

Helper address is not setDirected broadcast forwarding is disabled

Multicast reserved groups joined: 224.0.0.9

Outgoing access list is not set


12/244/29/12

IP fast switching is enabled

IP fast switching on the same interface is disabledIP multicast fast switching is disabled

Router Discovery is disabled

IP output packet accounting is disabledIP access violation accounting is disabled

TCP/IP header compression is disabled

Probe proxy name replies are disabled

Gateway Discovery is disabled

Policy routing is disabled

Network address translation is disabled


13/244/29/12

Viewing the ARP CacheAddress Resolution Protocol (ARP) maps IP addresses

and media access control (MAC) addresses.

Unlike IP addresses (which are Network layeraddresses),MAC addresses are physical addresses (layer2 of the OSI model) and are not routed outsidebroadcast domains.

Routers store the MAC addresses of any device on thelocal broadcast domain, along with its IP address, in theARP cache.

Attackers occasionally spoof IP or MAC addresses tocircumvent security controls, such as access controllists (ACLs), firewall rules, or switch port assignments.


14/244/29/12

Use the show ip arp command to view the ARPcache.

cisco_router#show ip arpProtocol Address Age (min) Hardware Addr TypeInterface

Internet 172.16.1.253 - 0010.7bf9.1d81 ARPAEthernet1

Internet 10.0.2.71 0 0010.4bed.d708 ARPAEthernet0

Internet 10.0.2.244 - 0010.7bf9.1d80 ARPAEthernet0


15/244/29/12

FINDING THE PROOF

Types of incidents that involve routers

Direct compromise

Routing table manipulation

Theft of information

Denial of service


16/244/29/12

Direct-Compromise Incidents

Handling Direct-Compromise IncidentsDirect compromise of the router is any incident

where an attacker gains interactive or privilegedaccess to the router.

Direct compromise provides the attacker withcontrol of the router and access to the datastored on the router.

Anyone with interactive access can use therouter to identify and compromise other hosts viaavailable router clients such as ping and telnet.


17/244/29/12

Investigating a Direct-Compromise Incident

With the information youve already collected,namely the configuration file and the list oflistening ports, the investigation is off to a strongstart.

Listening Services The listening services on the

router provide the potential attack points from thenetwork.

Passwords Most avenues of attack to the routerrequire a password.

Other Compromise Possibilities If the compromisedid not come via a listening service or a password,there are a few other possibilities.


18/244/29/12

Recovering from Direct-Compromise Incidents

Examples of steps that should be taken include the

following: Remove all unnecessary services.

Allow remote access only through encrypted

protocols. Allow no SNMP access or read-only access.

Do not use the SNMP password as the passwordfor any other access.

Change all passwords.

Implement ACLs so that only connections fromtrusted hosts are allowed to the router.

Upgrade the software with the latest updates.


19/244/29/12

Routing Table ManipulationIncidentsHandling Routing Table Manipulation Incidents

Routers can use a variety of protocols to update theirrouting tables, including RIP, Open Shortest Path First(OSPF), Enhanced Interior Gateway Routing Protocol(EIGRP), Interior Gateway Routing Protocol (IGRP),

Border Gateway Protocol (BGP), and so on.A router will accept RIP updates without requiring any

authentication.

Other protocols offer the capability of requiringpasswords, but it is up to the administrator toimplement password security.


20/244/29/12

Investigating Routing Table ManipulationIncidents

If unfamiliar static routes appear in the routingtable, then the router may have suffered directcompromise.

Recovering from Routing Table Manipulation

Incidents

Temporary recovery from routing table attacksis simple: Remove unwanted static routes andreboot the router.

However, preventing the attacks fromoccurring in the future is a bit more difficult.

ACLs can be introduced to limit router updates

to known-good source addresses.


21/244/29/12

Handling Theft of InformationIncidents

The information that is on the router is relatedto network topology and access control.

Typical information that attackers glean from

routers includes password, routing and topologyinformation.

The recovery from this data theft is to changepasswords, avoid password reuse, and limit the

ability of attackers to obtain sensitiveinformation.


22/244/29/12

Handling Denial-of-Service (DoS)Attacks

DoS attacks fall into several basic categories:Destruction Attacks that destroy the ability of the

router to function, such as deleting theconfiguration information or unplugging the power.

Resource consumption Attacks that degrade theability of the router to function, such as byopening many connections to the routersimultaneously.

Bandwidth consumption Attacks that attempt tooverwhelm the bandwidth capacity of the routersnetwork.


23/244/29/12

Investigating DoS Attacks

If the router is not working at all, it is probably a

destruction attack. Check the obvious problemsfirst: power, cables, and configuration.

Is the router sporadically rebooting or isperformance uniformly degraded?

A sporadically rebooting router is probably theresult of a point-to-point attackone directed atthe router.

Uniformly degraded performance may be either aresource or bandwidth-consumption attack.

A flood of packets directed to the router can alsocause degradation.


24/244/29/12

Recovering from DoS Attacks

Recovery usually consists of a combination of thefollowing measures:

Eliminate listening services.

Upgrade software to the latest version.

Restrict access to listening services using ACLs.

Implement ACLs to limit malicious traffic.

Investigating Router

Documents

Transcript of Investigating Router