Full Version: Inside Cisco
thend
Can someone explain to me the things I can do once I've got inside a Cisco router (I know basic Cisco IOS commands)? Some kind of tunneling, sniffing?
sub0
tried http://www.google.com?

edit:
Maybe this is useful:

http://c0vertl.tripod.com/text/cisco.txt
and
QUOTE

1:
Cisco 760 Series Connection Overflow. Affected Systems: Routers Cisco 760 Series. Others not tested. By Tiz.Telesup.

http://packetstorm.security-guide.de/0005-...oits/cisco760.c

2:
A defect in multiple releases of Cisco IOS software will cause a Cisco router or switch to halt and reload if the IOS HTTP service is enabled and browsing to "http:///%%" is attempted. This defect can be exploited to produce a denial of service (DoS) attack. This defect has been discussed on public mailing lists and should be considered public information.

http://packetstorm.security-guide.de/0005-...o.00-05-14.http

3:
It seems that, even though a regular (non-"enabled") user should not be able to see the access-lists or other security-related information in the router, one can do just that. The online help system doesn't list the commands as being available, but out of 75 extra "show" options that are available in "enable" mode (on a 12.0(5) 3640), only 13 were actually restricted. By Fernando Montenegro.

http://packetstorm.security-guide.de/0005-...oits/cisco.help
SlippyG
Best attack is against the IOS itself.

The first thing I'd do on access to a Cisco is to secure future access to it. The way to do this is to update both the IOS and microcode. The best thing about this approach is that you now TRULY own the router, although it's going to be obvious unless the new IOS misreports the flash contents (so it appears the microcode is not there) and the IOS resists upgrading by simply stealing the filename and version number of its intended replacement. If it doesn't do this then don't bother.

Now even if they change the passwords you have a 'master' that you hexed into the modified image before uploading. The beauty is that from that point forward nothing you do on that master password will get logged to console even if logging is enabled.

The second thing I'd do is to get out of there and leave it the hell alone for a day or two.


Poisoned IOSes

There are several good backdoored versions of the cisco IOS floating around with different functions and for different processors (RISC R4000 or Motorola 68000 series.) Depending on what extra facilities you have you can then launch further impersonation-based attacks into the network. Try to get one that also doors the microcode as these tend to be the most persistent.

I saw a great one at a conference which could execute modules as threads. Uploaded code modules whose filenames started with -- (or __?) were hidden from the show flash cmd. They had modules for bouncing, MITM SSL and HTTPS monitoring. Sux that I couldn't persuade them to give me a copy of the binaries despite hanging around with them for two freakin days batting my eyelashes. Hrrrmpf


Attack platform

If you're no R47xx/68xxx coder, have no Cisco backdoors and you've played around on the router and can't seem to get anywhere, why not be REALLY cheeky and install Linux on it?

Install Linux on the router and use it as an attack platform that you can leave running. Or, if you've really given up, just leave it reciting Vogon poetry at anyone that connects via VTY, AUX or the console. That's fun. Probably the easiest to configure is uClinux for Motorola 68xxx powered routers.

If you're not sure if your router is using a 68000 series, just "show version" and the processor type should appear in brackets before the word 'processor'. In the 1000, 1600, 2600 and 4000 it will be a Motorola; the 3600, 4500 and 4700 are all R4500s.

If you've got an R4500 don't fret, cus you can still run Linux on an R47xx, but you need to run it bootstrapped through an emulator and you lose some speed and a little stability. Unfortunately that's the only way I know, since I can't find a Linux that runs on a Cisco R47 platform without running a 68000 machine abstraction.

Again, if anyone has info on avoiding Bus Error Exceptions on an R4700 running uClinux under the 68000 abstractor, let me know. Likewise, get in touch if you know any tricks for installing Linux (or a poisoned IOS) on MGX or Catalysts.



Hope that gives you something to shoot for, and if not, well, you can always do the usual stuff.

Before you leave, don't forget to set the AUX up to outdial, then try to call up a hacked voicemail with CallerID or perhaps a mobile phone with a disposable PAYG SIM card ... that way you might get the router's dialup too. If you do, remember to set it back to normal before you leave. You might never use it, but if they close off the VTY access in the future at least you stand a chance of re-enabling it.

SG
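SlippyG's post above turns on two things an operator can check from the other side: the processor type that "show version" prints in brackets, and an IOS image that misreports what is in flash. The Python script below is an added example, not code from the original thread or from Cisco: it parses a constructed "show version" capture for the image name and processor family, and compares the SHA-256 of an image copy pulled off the device against a baseline recorded out of band (from the vendor's published checksum when the image was obtained), so the router's own file listing is never the thing being trusted. The sample output, the CPU-family mapping and the baseline hash are all constructed for the example.

```python
import hashlib
import re

# Constructed sample of "show version" output (not captured from a real device).
SAMPLE_SHOW_VERSION = """\
Cisco Internetwork Operating System Software
IOS (tm) 3600 Software (C3640-IS-M), Version 12.0(5), RELEASE SOFTWARE (fc1)
System image file is "flash:c3640-is-mz.120-5.bin"
cisco 3640 (R4700) processor (revision 0x00) with 124928K/6144K bytes of memory.
Processor board ID 00000000
R4700 CPU at 100Mhz, Implementation 33, Rev 1.0
"""

# Constructed mapping from the bracketed processor token to a CPU family.
CPU_FAMILIES = {
    "R4": "MIPS R4x00",
    "68": "Motorola 680x0",
    "MPC": "Motorola PowerPC",
}

# Constructed stand-in for an image file; a real baseline is built from the
# vendor's published digest, not from anything the router reports about itself.
GOOD_IMAGE = b"constructed stand-in for c3640-is-mz.120-5.bin"


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


BASELINE = {"c3640-is-mz.120-5.bin": sha256_hex(GOOD_IMAGE)}


def parse_show_version(text):
    """Return the system image name and processor token from show version output.

    The processor token is the word in brackets before 'processor', as the
    post describes; it is mapped to a family through CPU_FAMILIES.
    """
    image = re.search(r'System image file is "([^"]+)"', text)
    proc = re.search(r"^cisco \S+ \((\w+)\) processor", text, re.MULTILINE)
    processor = proc.group(1) if proc else None
    family = next(
        (fam for prefix, fam in CPU_FAMILIES.items()
         if processor and processor.startswith(prefix)),
        "unknown",
    )
    return {
        "image": image.group(1) if image else None,
        "processor": processor,
        "family": family,
    }


def verify_image(image_name, image_bytes, baseline):
    """Compare the hash of an image copy against an out-of-band baseline.

    image_name is the value from show version (e.g. "flash:c3640-is-mz.120-5.bin");
    image_bytes must come from a copy transferred off the device (TFTP/SCP),
    because a modified IOS can misreport its own flash listing.
    """
    bare = image_name.split(":", 1)[-1]
    expected = baseline.get(bare)
    if expected is None:
        return "unknown image"
    return "ok" if sha256_hex(image_bytes) == expected else "MISMATCH"


if __name__ == "__main__":
    info = parse_show_version(SAMPLE_SHOW_VERSION)
    print(info)
    print(verify_image(info["image"], GOOD_IMAGE, BASELINE))
    print(verify_image(info["image"], GOOD_IMAGE + b"tampered", BASELINE))
```

The parser deliberately reads only the image name from the device; the verdict comes from hashing bytes that left the box and a digest that never touched it. A "MISMATCH" or "unknown image" result is the point at which the router's output stops being evidence about the router.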
MrK
QUOTE(thend @ Dec 6 2003, 01:51 PM)
Can someone explain to me the things I can do once I've got inside a Cisco router (I know basic Cisco IOS commands)? Some kind of tunneling, sniffing?


My personal fav. is enabling NetFlow and using the router as a passive sniffer; who needs portscanners when you have that stats table?

Oh, and arp tables are always fun for OUI lookups (assuming they aren't changed)

just noticed how old this thread is, never mind... *click*
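MrK's point about the ARP table reads the same from the operator's side, so here is an added example (not from the original thread) of that audit: a Python script that parses a constructed "show ip arp" capture, attributes each entry to a vendor through a small OUI table, and flags hardware addresses shared by several IP addresses, which the owner of the segment would want to account for. The capture and the OUI excerpt are constructed for the example; a real audit would use the full IEEE OUI registry and the network's own inventory.

```python
import re
from collections import defaultdict

# Constructed sample of "show ip arp" output (not captured from a real device).
SAMPLE_SHOW_IP_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.1.1             -   0000.0c12.3456  ARPA   FastEthernet0/0
Internet  192.168.1.10            3   0050.5600.0001  ARPA   FastEthernet0/0
Internet  192.168.1.11            5   0050.5600.0001  ARPA   FastEthernet0/0
Internet  192.168.1.20           12   0011.2233.4455  ARPA   FastEthernet0/0
"""

# Constructed excerpt of an OUI table keyed by the first three octets.
OUI_TABLE = {
    "00:00:0c": "Cisco Systems",
    "00:50:56": "VMware",
}

# One IOS ARP row: protocol, address, age, dotted-hex MAC, type, interface.
ARP_LINE = re.compile(
    r"^Internet\s+(\S+)\s+(\S+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
    r"\s+(\S+)\s+(\S+)$",
    re.MULTILINE,
)


def parse_show_ip_arp(text):
    """Turn show ip arp output into a list of entry dicts."""
    entries = []
    for ip, age, mac, typ, iface in ARP_LINE.findall(text):
        entries.append(
            {"ip": ip, "age": age, "mac": mac, "type": typ, "interface": iface}
        )
    return entries


def oui_of(mac):
    """Convert a Cisco dotted MAC (0050.5600.0001) to a colon OUI (00:50:56)."""
    hexdigits = mac.replace(".", "").lower()
    return ":".join(hexdigits[i:i + 2] for i in range(0, 6, 2))


def audit_arp(entries, oui_table):
    """Attribute each entry to a vendor and list MACs that serve several IPs.

    A shared MAC is not proof of anything on its own (secondary addresses and
    NAT produce it legitimately), but it is worth reconciling against inventory.
    """
    vendors = {}
    by_mac = defaultdict(list)
    for e in entries:
        vendors[e["ip"]] = oui_table.get(oui_of(e["mac"]), "unknown OUI")
        by_mac[e["mac"]].append(e["ip"])
    shared = {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}
    return {"vendors": vendors, "shared_macs": shared}


if __name__ == "__main__":
    report = audit_arp(parse_show_ip_arp(SAMPLE_SHOW_IP_ARP), OUI_TABLE)
    for ip, vendor in report["vendors"].items():
        print(f"{ip:16} {vendor}")
    for mac, ips in report["shared_macs"].items():
        print(f"shared {mac}: {', '.join(ips)}")
```

Unknown OUIs and shared hardware addresses are the two outputs worth keeping over time; diffing successive runs of this against a known-good snapshot is a cheap way to notice a host that was not there yesterday.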
zz76
LearnKey is a big source for all Cisco certifications.

If you want to download it, use eMule.