Investigating Router

  • 8/3/2019 Investigating Router

    1/24

    4/29/12

    INVESTIGATING ROUTERS

    Routers

    With routers, information in memory is almost always important, because routers have little data-storage capability.

    The only real data saved in NVRAM is the configuration of the router itself.

    The system state information in memory, such as current routing tables, listening services, and current passwords, will be lost if the router is powered down or rebooted.

    Establishing a Router Connection

    When establishing a connection to the router, make sure to log the entire session. With HyperTerminal, simply select the Transfer | Capture Text option to log the session.

    The Cisco Internetwork Operating System (IOS) command language has multiple modes, such as initial setup, login prompt, basic command, enable, configuration, and interface configuration.

    By default, you are in basic mode, which allows you to display configuration settings.

    Determining Who Is Logged On

    cisco_router>show users
        Line     User     Host(s)      Idle       Location
    *   0 con 0           idle         00:29:46
        1 vty 0           idle         00:00:00   10.0.2.71
        2 vty 1           10.0.2.18    00:00:36   172.16.1.1

    The second entry is a vty, or virtual terminal line. It indicates that someone has logged on to the router from the host with IP address
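As an added example (not part of the original slides), the Python below parses show users output like the one above and flags vty sessions that arrive from outside an assumed administrative network or that have connected onward from the router to another host, which is the "use the router to reach other hosts" pattern the deck warns about later. The admin network 10.0.2.0/24 is an assumption, and the parser assumes the User column may be blank, as it is in the slide's output.

```python
import ipaddress
import re

# Sample input: the show users output from the slide above (the User column is blank, as there).
SHOW_USERS = """\
cisco_router>show users
    Line     User     Host(s)      Idle       Location
*   0 con 0           idle         00:29:46
    1 vty 0           idle         00:00:00   10.0.2.71
    2 vty 1           10.0.2.18    00:00:36   172.16.1.1
"""
LINE_RE = re.compile(r"^\*?\s*(\d+)\s+(con|vty|aux|tty)\s+(\d+)\s+(.*)$")
IDLE_RE = re.compile(r"^\d+:\d{2}:\d{2}$")  # the Idle column anchors the parse

def parse_show_users(text):
    sessions = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        tokens = m.group(4).split()  # [user] host(s) idle [location]
        idx = next((i for i, t in enumerate(tokens) if IDLE_RE.match(t)), None)
        if idx is None or idx == 0:
            continue
        sessions.append({
            "line": int(m.group(1)), "type": m.group(2),
            "user": tokens[0] if idx == 2 else None,
            "hosts": tokens[idx - 1],  # "idle", or the host this session connected onward to
            "location": tokens[idx + 1] if len(tokens) > idx + 1 else None})
    return sessions

def suspicious_sessions(sessions, admin_nets):
    # Flag vty logins from outside admin_nets, and sessions that use the router as a hop.
    nets = [ipaddress.ip_network(n) for n in admin_nets]
    findings = []
    for s in sessions:
        if s["type"] != "vty":
            continue  # console/aux lines need physical access; review them separately
        reasons = []
        try:
            trusted = any(ipaddress.ip_address(s["location"]) in n for n in nets)
        except ValueError:  # blank or a hostname: cannot verify, treat as untrusted
            trusted = False
        if not trusted:
            reasons.append("vty login from non-admin host %s" % s["location"])
        if s["hosts"] != "idle":
            reasons.append("session connected onward to %s" % s["hosts"])
        if reasons:
            findings.append((s["line"], reasons))
    return findings
```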

    Determining the Router's Uptime

    The time that the system has been online since the last reboot can also be important. Use the show version command to capture this information.

    cisco_router>show version

    Cisco Internetwork Operating System Software

    IOS (tm) 1600 Software (C1600-Y-M), Version 11.3(5)T, RELEASE SOFTWARE (fc1)

    Copyright (c) 1986-1998 by cisco Systems, Inc.

    Compiled Wed 12-Aug-98 04:57 by ccai

    Image text-base: 0x02005000, data-base: 0x023C5A58

    Determining Listening Sockets

    An example of checking for all TCP and UDP listening ports with the port scanner ScanLine follows:

    C:\ScanLine>sl -p -t 1-65535 -u 1-65535 10.0.2.244

    ScanLine (TM) 1.01

    Copyright (c) Foundstone, Inc. 2002

    http://www.foundstone.com

    Scan of 1 IP started at Sat May 14 14:21:04 2011

    ----------------------------------------------------------------------

    10.0.2.244

    Responds with ICMP unreachable: Yes

    TCP ports: 23 79 80

    UDP ports: 161

    Saving the Router Configuration

    All configuration information for Cisco routers is stored in a single configuration file. You can change the configuration of the router without modifying the configuration file stored in NVRAM.

    Use the show running-config command to view the configuration currently loaded on the router.

    cisco_router#show running-config

    Use the show startup-config or equivalent show config command to view the configuration saved in NVRAM.

    cisco_router#show startup-config

    Reviewing the Routing Table

    The routing table can be manipulated through command-line access, as well as through malicious router update packets. In either case, the routing table will reflect the changes.

    To view the routing table, use the show ip route command.

    cisco_router#show ip route

    Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
           i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, *

    Static routes, such as the last route in the example above, are also visible within the configuration file. If a malicious static route appears, then an attacker has manipulated the router configuration.

    Other routes may be modified without directly accessing the router, through techniques such as Routing Information Protocol (RIP) spoofing.

    RIP is a routing protocol that is used by routers to update their neighbors' routing tables.

    An attacker can send a spoofed RIP packet, updating the victim router's routing tables, without ever gaining access to the router.
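The two routing-table checks these slides describe, as an added Python example that is not from the original deck: parse show ip route lines, compare each static route against a baseline taken from the known-good configuration file, and flag dynamic (for example RIP-learned) routes whose next hop is not one of the neighbors expected to send updates. The sample output, the baseline, and the trusted-neighbor list are all constructed for the example.

```python
import re

# Constructed sample of show ip route output; not from the page's session.
SHOW_IP_ROUTE = """\
Gateway of last resort is 10.0.2.1 to network 0.0.0.0

C    10.0.2.0/24 is directly connected, Ethernet0
C    172.16.1.0/24 is directly connected, Ethernet1
R    192.168.10.0/24 [120/1] via 10.0.2.1, 00:00:12, Ethernet0
R    192.168.30.0/24 [120/1] via 10.0.2.250, 00:00:04, Ethernet0
S    192.168.20.0/24 [1/0] via 10.0.2.99
S*   0.0.0.0/0 [1/0] via 10.0.2.1
"""

ROUTE_RE = re.compile(
    r"^(?P<code>[A-Za-z]\S*)\s+(?P<prefix>\d+\.\d+\.\d+\.\d+(?:/\d+)?)\s+"
    r"(?:is directly connected, (?P<iface>\S+)"
    r"|\[(?P<ad>\d+)/(?P<metric>\d+)\] via (?P<nexthop>\d+\.\d+\.\d+\.\d+))"
)

def parse_routes(text):
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            r = m.groupdict()
            r["code"] = r["code"].rstrip("*")  # "S*" marks the candidate default route
            routes.append(r)
    return routes

def check_routes(routes, baseline_static, trusted_neighbors):
    """baseline_static: {(prefix, next hop)} from the known-good startup-config;
    trusted_neighbors: routers that are allowed to send dynamic updates."""
    findings = []
    for r in routes:
        if r["code"] == "C":
            continue  # connected routes come from the interface configuration
        key = (r["prefix"], r["nexthop"])
        if r["code"] == "S" and key not in baseline_static:
            findings.append("unexpected static route %s via %s; compare with the config file" % key)
        elif r["code"] != "S" and r["nexthop"] not in trusted_neighbors:
            findings.append("%s route %s learned from untrusted neighbor %s"
                            % (r["code"], r["prefix"], r["nexthop"]))
    return findings
```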

    Checking Interface Configurations

    Information about the configuration of each of the router's interfaces is available via the show ip interface command.

    cisco_router#show ip interface

    Ethernet0 is up, line protocol is up

    Internet address is 10.0.2.244/24

    Broadcast address is 255.255.255.255

    Address determined by non-volatile memory

    MTU is 1500 bytes

    Helper address is not set

    Directed broadcast forwarding is disabled

    Multicast reserved groups joined: 224.0.0.9

    Outgoing access list is not set

    IP fast switching is enabled

    IP fast switching on the same interface is disabled

    IP multicast fast switching is disabled

    Router Discovery is disabled

    IP output packet accounting is disabled

    IP access violation accounting is disabled

    TCP/IP header compression is disabled

    Probe proxy name replies are disabled

    Gateway Discovery is disabled

    Policy routing is disabled

    Network address translation is disabled

    Viewing the ARP Cache

    Address Resolution Protocol (ARP) maps IP addresses to media access control (MAC) addresses.

    Unlike IP addresses (which are Network layer addresses), MAC addresses are physical addresses (layer 2 of the OSI model) and are not routed outside broadcast domains.

    Routers store the MAC address of any device on the local broadcast domain, along with its IP address, in the ARP cache.

    Attackers occasionally spoof IP or MAC addresses to circumvent security controls, such as access control lists (ACLs), firewall rules, or switch port assignments.

    Use the show ip arp command to view the ARP cache.

    cisco_router#show ip arp
    Protocol  Address          Age (min)  Hardware Addr   Type   Interface
    Internet  172.16.1.253            -   0010.7bf9.1d81  ARPA   Ethernet1
    Internet  10.0.2.71               0   0010.4bed.d708  ARPA   Ethernet0
    Internet  10.0.2.244              -   0010.7bf9.1d80  ARPA   Ethernet0
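Added example, not from the original slides: parse show ip arp output and flag the two signs of address spoofing the previous slide describes, a host whose MAC no longer matches a baseline recorded while the router was known good, and one MAC address claimed by several IPs on the same interface. The input is the slide's own output plus one constructed entry for 10.0.2.18; the baseline MACs in the usage are constructed as well.

```python
import re
from collections import defaultdict

# Sample input: the show ip arp output from the slide, plus one constructed
# entry (10.0.2.18) that reuses the MAC address of 10.0.2.71.
SHOW_IP_ARP = """\
cisco_router#show ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  172.16.1.253            -   0010.7bf9.1d81  ARPA   Ethernet1
Internet  10.0.2.71               0   0010.4bed.d708  ARPA   Ethernet0
Internet  10.0.2.244              -   0010.7bf9.1d80  ARPA   Ethernet0
Internet  10.0.2.18               3   0010.4bed.d708  ARPA   Ethernet0
"""

ARP_RE = re.compile(
    r"^Internet\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<age>-|\d+)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(?P<iface>\S+)$", re.I)

def parse_arp(text):
    entries = []
    for line in text.splitlines():
        m = ARP_RE.match(line)
        if m:
            e = m.groupdict()
            e["mac"] = e["mac"].lower()
            e["age"] = None if e["age"] == "-" else int(e["age"])  # "-": the router's own interface
            entries.append(e)
    return entries

def check_arp(entries, baseline):
    """baseline: {ip: MAC} recorded from the same router while it was known good."""
    findings = []
    ips_by_mac = defaultdict(list)
    for e in entries:
        if e["age"] is None:
            continue  # skip the router's own addresses
        ips_by_mac[(e["iface"], e["mac"])].append(e["ip"])
        expected = baseline.get(e["ip"])
        if expected and expected.lower() != e["mac"]:
            findings.append("%s: MAC changed from %s to %s" % (e["ip"], expected.lower(), e["mac"]))
    for (iface, mac), ips in ips_by_mac.items():
        if len(ips) > 1:  # one hardware address answering for several IPs
            findings.append("%s: MAC %s claimed by %s" % (iface, mac, ", ".join(sorted(ips))))
    return findings
```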

    FINDING THE PROOF

    Types of incidents that involve routers:

    Direct compromise

    Routing table manipulation

    Theft of information

    Denial of service

    Direct-Compromise Incidents

    Handling Direct-Compromise Incidents

    Direct compromise of the router is any incident where an attacker gains interactive or privileged access to the router.

    Direct compromise provides the attacker with control of the router and access to the data stored on the router.

    Anyone with interactive access can use the router to identify and compromise other hosts via available router clients such as ping and telnet.

    Investigating a Direct-Compromise Incident

    With the information you've already collected, namely the configuration file and the list of listening ports, the investigation is off to a strong start.

    Listening Services: The listening services on the router provide the potential attack points from the network.

    Passwords: Most avenues of attack to the router require a password.

    Other Compromise Possibilities: If the compromise did not come via a listening service or a password, there are a few other possibilities.

    Recovering from Direct-Compromise Incidents

    Examples of steps that should be taken include the following:

    Remove all unnecessary services.

    Allow remote access only through encrypted protocols.

    Allow no SNMP access, or read-only access at most.

    Do not use the SNMP password as the password for any other access.

    Change all passwords.

    Implement ACLs so that only connections from trusted hosts are allowed to the router.

    Upgrade the software with the latest updates.
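An added Python example (not from the original deck) that audits a saved running-config text, the file the earlier "Saving the Router Configuration" slide tells you to capture, against the recovery checklist above: unnecessary services, cleartext remote access, read-write SNMP communities, and vty lines with no access-class ACL. The configuration excerpt is constructed; the ip http server and ip finger lines stand in for the unnecessary services the checklist refers to, and a vty block with no transport input line is treated as permitting telnet, which is an assumption about the platform default.

```python
# Constructed running-config excerpt (not from the page) with the weak settings
# the recovery checklist targets, next to one hardened vty block.
RUNNING_CONFIG = """\
hostname cisco_router
ip http server
ip finger
snmp-server community public RW
snmp-server community monitor RO
line vty 0 4
 password cisco
 transport input telnet ssh
line vty 5 15
 access-class 10 in
 transport input ssh
"""

def vty_blocks(config):
    """Return {"line vty 0 4": [child lines], ...}; an unindented line ends a block."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = raw.strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None
    return blocks

def audit_config(config):
    findings = []
    lines = [ln.strip() for ln in config.splitlines()]
    for svc in ("ip http server", "ip finger"):  # services the checklist says to remove
        if svc in lines:
            findings.append("unnecessary service enabled: %s" % svc)
    for ln in lines:
        parts = ln.split()
        if ln.startswith("snmp-server community") and len(parts) >= 4 and parts[3].upper() == "RW":
            findings.append("read-write SNMP community %s" % parts[2])
    for name, children in vty_blocks(config).items():
        transports = [c for c in children if c.startswith("transport input")]
        # No transport line, or one naming telnet or all, leaves a cleartext login path open.
        if not transports or any(t.endswith(" all") or "telnet" in t for t in transports):
            findings.append("%s: cleartext telnet permitted" % name)
        if not any(c.startswith("access-class") for c in children):
            findings.append("%s: no access-class ACL restricting source hosts" % name)
    return findings
```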

    Routing Table Manipulation Incidents

    Handling Routing Table Manipulation Incidents

    Routers can use a variety of protocols to update their routing tables, including RIP, Open Shortest Path First (OSPF), Enhanced Interior Gateway Routing Protocol (EIGRP), Interior Gateway Routing Protocol (IGRP), Border Gateway Protocol (BGP), and so on.

    A router will accept RIP updates without requiring any authentication.

    Other protocols offer the capability of requiring passwords, but it is up to the administrator to implement password security.

    Investigating Routing Table Manipulation Incidents

    If unfamiliar static routes appear in the routing table, then the router may have suffered direct compromise.

    Recovering from Routing Table Manipulation Incidents

    Temporary recovery from routing table attacks is simple: remove unwanted static routes and reboot the router.

    However, preventing the attacks from occurring in the future is a bit more difficult.

    ACLs can be introduced to limit router updates to known-good source addresses.

    Handling Theft of Information Incidents

    The information that is on the router is related to network topology and access control.

    Typical information that attackers glean from routers includes password, routing, and topology information.

    The recovery from this data theft is to change passwords, avoid password reuse, and limit the ability of attackers to obtain sensitive information.

    Handling Denial-of-Service (DoS) Attacks

    DoS attacks fall into several basic categories:

    Destruction: attacks that destroy the ability of the router to function, such as deleting the configuration information or unplugging the power.

    Resource consumption: attacks that degrade the ability of the router to function, such as by opening many connections to the router simultaneously.

    Bandwidth consumption: attacks that attempt to overwhelm the bandwidth capacity of the router's network.

    Investigating DoS Attacks

    If the router is not working at all, it is probably a destruction attack. Check the obvious problems first: power, cables, and configuration.

    Is the router sporadically rebooting, or is performance uniformly degraded?

    A sporadically rebooting router is probably the result of a point-to-point attack, one directed at the router itself.

    Uniformly degraded performance may be either a resource-consumption or a bandwidth-consumption attack.

    A flood of packets directed to the router can alsocause degradation.

    Recovering from DoS Attacks

    Recovery usually consists of a combination of the following measures:

    Eliminate listening services.

    Upgrade software to the latest version.

    Restrict access to listening services using ACLs.

    Implement ACLs to limit malicious traffic.