Cisco Router Hacking
Group 8
Vernon Guishard
Kelvin Aguebor
ECE 4112

Introduction
• Cisco Systems, Inc. sells networking and communications technology and services.
• Cisco is known for creating the first commercially successful multi-protocol router.
• In March 2000, Cisco had a market capitalization of $500 billion.
• Currently, it has a market cap of $175 billion and controls 58% of router market sales.
• Cisco routers have been more likely to be attacked.
• A large market share means attacks can be devastating for the internet.

Identifying Routers and Vulnerabilities
• Nmap is used to identify the router.
  • OS fingerprinting
• Telnet is another way to track down routers.
  • Trademark Cisco banner: “User Access Verification”
• SING is used to identify the router.
  • It uses ICMP packets to find the router.
• Nessus can be used to find vulnerabilities.

Cisco Vulnerabilities
• Console Password Recovery
  • All Cisco routers and switches are affected.
  • Not regarded as a vulnerability
  • A way for system administrators to recover lost passwords
  • May be used by attackers who have physical access to the machines
• HTTP Configuration Arbitrary Administrative Access Vulnerability
  • Cisco IOS releases 11.3 and higher are vulnerable.
  • An attacker can gain access to a router without authentication.
  • An attacker can completely control, change, and configure the device.
  • http://10.0.1.252/level/99/exec/show/config

Cisco Vulnerabilities
• Router Denial of Service (DoS) Vulnerability
  • It affects all Cisco routers and switches from releases 11.1 through 12.1.
  • It causes routers and switches to stop forwarding packets on a specific interface.
  • IPv4 packets with a protocol type of 53, 55, 77 or 103 cause the input queue to be flagged as full.
• Telnet Buffer Overflow Vulnerability
  • Cisco Broadband Operating System (CBOS), an operating system for the Cisco 600 family of routers, is vulnerable.
  • Extremely long telnet passwords cause the router to crash and then reboot.
  • An attacker can repeat this until it is fixed, causing a DoS.

Solutions to Vulnerabilities
• The vulnerabilities are known to Cisco and patches have been released.
• Most lingering vulnerabilities are due to poor network administration.
• Upgrade Cisco IOS.
• Use an access-list if not able to upgrade.
• TACACS or RADIUS is effective in preventing the HTTP vulnerability.

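The two configuration mitigations above can be checked on a saved running-config. The script below is an added example, not part of the original slides: `audit_ios_config`, the finding names and both sample configs are constructed for illustration, and it assumes the `aaa`/`tacacs` HTTP authentication methods are backed by a TACACS+ or RADIUS server.

```python
import re

DOS_PROTOCOLS = {53, 55, 77, 103}  # protocol numbers named in the DoS slide
# Constructed sample configs (not taken from any real device).
WEAK_CONFIG = """\
ip http server
ip http authentication local
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
"""
HARDENED_CONFIG = """\
ip http server
ip http authentication aaa
access-list 101 deny 53 any any
access-list 101 deny 55 any any
access-list 101 deny 77 any any
access-list 101 deny 103 any any
access-list 101 permit ip any any
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip access-group 101 in
"""

def audit_ios_config(text):
    """Hypothetical helper: list which of the slide's mitigations a config lacks."""
    denied, applied_in = {}, set()   # ACL id -> denied protocols; ACLs bound inbound
    http_server, http_auth, named_acl = False, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # a top-level line ends any named-ACL block
            m = re.fullmatch(r"ip access-list extended (\S+)", line)
            named_acl = m.group(1) if m else None
        m = re.fullmatch(r"(?:access-list (\d+) )?deny (\d+) any any", line)
        if m and (m.group(1) or named_acl):
            denied.setdefault(m.group(1) or named_acl, set()).add(int(m.group(2)))
        m = re.fullmatch(r"ip access-group (\S+) in", line)
        if m:
            applied_in.add(m.group(1))
        if line == "ip http server":
            http_server = True
        m = re.fullmatch(r"ip http authentication (\S+)", line)
        if m:
            http_auth = m.group(1)
    findings = []
    if http_server and http_auth not in ("aaa", "tacacs"):
        findings.append("http-server-without-tacacs-or-radius")
    # Simplification: one inbound ACL covering all four protocols is enough here.
    if not any(DOS_PROTOCOLS <= denied.get(acl, set()) for acl in applied_in):
        findings.append("no-inbound-acl-denying-53-55-77-103")
    return findings
```

A fuller audit would require the ACL on every interface that accepts untrusted traffic, not just one.
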
Lab Procedures
• Section 1: Console Password Exploit
  • Using HyperTerminal to access routers
  • Obtaining the enable password and enable secret of the router
• Section 2: Identifying Cisco Routers
  • Using Nmap and telnet to identify routers
• Section 3: Network Exploits
  • Using the Cisco Global Exploit tool
  • Protecting against the Cisco Global Exploit tool