Pwning Cisco IOS Device
In today's network infrastructure, Cisco has become almost another name for networking and network-related infrastructure. Nearly every company, whatever its size, runs a network built from Cisco switches, routers, telephony and many other networking devices. Such a wide market share demands additional security precautions from network admins, and from Cisco itself, to keep these devices from being hacked. Imagine what would happen if these devices started getting pwned, leading to huge losses to a company's finances and data.
This article focuses on existing common vulnerabilities in Cisco IOS and their exploitation. However, it is to be noted that the author of this article is not responsible for any damage done with information from this article; it is solely for informational and educational purposes.
Vulnerabilities in Cisco IOS
1) HTTP Server implementation vulnerability
Cisco devices have a default web interface for accessing and managing the device in a user-friendly way. Cisco devices have privilege levels ranging from 0 to 15, and each level has specific privileges to execute commands: level 0 is the minimal access level and level 15 is the highest. The flaw exists in the HTTP server implementation. When the router asks for a password, the attacker can cancel that request and re-send a specially crafted request with a higher permission level, obtaining the router's configuration in the browser window. IOS versions 11.3 to 12.2 are vulnerable to this kind of flaw. It is to be noted that there are two types of router configuration: the startup configuration and the running configuration. To avoid such a vulnerability, network-level authentication such as a RADIUS or TACACS server should be used.
2) TFTP Server enabled vulnerability
A very common flaw in router configuration exists here: an authentication-less TFTP server enabled on the Cisco device. Many Cisco devices, whether router or switch, store their critical configuration file on this server. If such configuration files are made accessible to intruders, the result can be total compromise of the network device.
Exploiting this vulnerability is somewhat a piece of cake for evil geniuses. An nmap scan of a particular device reveals the open and filtered ports on it. If an attacker comes across a device with port 69 accessible and service fingerprinting reveals a running TFTP server, the attacker can access this service and copy the router configuration file, which is usually named <hostname>-config. If the hostname of the device is xyzcompany, the router configuration file will be named xyzcompany-config.
3) SNMP Vulnerabilities
SNMP, the Simple Network Management Protocol, is one of the most important protocols in networking. It is the protocol used to manage network devices: changing a device's configuration, managing downtime, and all information related to a managed device can be accessed over the network through SNMP. Being such a useful protocol, it is also one of the favorite targets of computer hackers. Compromise of SNMP can lead to compromise of the entire device, to the extent of getting root on that device and on all the other devices communicating through it. SNMP is used to query a managed device; the answers to those queries come from the Management Information Base (MIB) stored on the device. SNMP uses community strings, known as the read and write community strings, to access this MIB information and make changes to it. To query an individual aspect of a device, OIDs (Object Identifiers) are used: an OID is a list of dotted numerals (e.g. 1.3.2.6.9.25) that refers to one aspect of the network device.
Exploiting the SNMP service depends entirely on obtaining the read-write community string for a device. From my experience it is very common among network admins to use the default community strings, which are public for read and private for write access. Another approach involves brute-forcing the community string using Metasploit's built-in snmp_login module.
Once the community string is obtained, an intruder can obtain a blueprint of the device, including crucial information such as the type of device, hardware used, storage, system information, network interface info, routing info, processes running on that machine, and a very detailed list of every aspect of the device.
An attacker can also obtain information regarding the Management Information Base containing the SNMP tree for that device; the utility used for this purpose is snmpwalk. Using those community strings, an attacker can also change the configuration of the device with a utility like snmpset.
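Added example (not from the original article): a small Python detector for the community-string guessing described above, run against constructed syslog lines in the format Cisco IOS uses for its %SNMP-3-AUTHFAIL message. The log lines, the IP addresses and the threshold/window defaults are constructed assumptions, not values from the article.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Cisco IOS logs %SNMP-3-AUTHFAIL for every request whose community string the
# device does not accept, so a guessing run (snmp_login, a word list) shows up
# as a burst of these from one source. Constructed sample lines follow, in the
# form the device sends to a syslog collector; the addresses are made up.
SAMPLE_LOG = [
    "Mar  1 10:00:01: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 192.0.2.10",
    "Mar  1 10:00:02: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 192.0.2.10",
    "Mar  1 10:00:02: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 192.0.2.10",
    "Mar  1 10:00:03: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 192.0.2.10",
    "Mar  1 10:00:05: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (198.51.100.7)",
    "Mar  1 10:00:05: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 192.0.2.10",
    "Mar  1 10:00:07: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 192.0.2.10",
    "Mar  1 10:00:09: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 192.0.2.10",
    "Mar  1 10:00:12: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 192.0.2.10",
    # A management host mistyping its community twice, half an hour apart:
    # this should stay below the threshold.
    "Mar  1 10:05:00: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 198.51.100.7",
    "Mar  1 10:30:00: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 198.51.100.7",
]

AUTHFAIL_RE = re.compile(
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})(?:\.\d+)?:.*"
    r"%SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_authfail(line):
    """Return (timestamp, source_ip) for an AUTHFAIL line, else None."""
    m = AUTHFAIL_RE.search(line)
    if not m:
        return None
    # IOS pads the day with a space ("Mar  1"); collapse it before parsing.
    ts = datetime.strptime(" ".join(m.group("ts").split()), "%b %d %H:%M:%S")
    return ts, m.group("src")


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Map source IP -> peak number of failures inside any sliding window of
    window_seconds, for the sources whose peak reaches threshold."""
    window = timedelta(seconds=window_seconds)
    per_source = defaultdict(list)
    for line in lines:
        event = parse_authfail(line)
        if event:
            ts, src = event
            per_source[src].append(ts)

    flagged = {}
    for src, times in per_source.items():
        times.sort()
        start = peak = 0
        for end, t in enumerate(times):
            # Slide the window's left edge forward until the span fits.
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    for src, count in detect_bruteforce(SAMPLE_LOG).items():
        print(f"possible SNMP community guessing from {src}: {count} failures within 60s")
```

The device only emits these lines to a collector if it is configured to log remotely (`logging host`), and it can additionally send an SNMP authenticationFailure trap with `snmp-server enable traps snmp authentication`. The signal to act on is a burst from one source that is not a known management station; the two spaced-out failures from the admin host in the sample stay under the default threshold.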
4) Denial of Service Vulnerabilities
This is one major attack category, in which the attacker sends a large number of packets to overflow the cache and leave the device in a state where it cannot deliver its services. One such vulnerability exists in the CDP protocol of Cisco devices. CDP, commonly known as the Cisco Discovery Protocol, is used by Cisco devices to share their running configuration with neighboring devices. The attack involves an attacker sending large packet frames to flood the device's memory, thereby leaving the device unable to perform. The tool used to create such CDP packets is known as cdp.
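Added example (not from the original article) that covers all four sections above: a Python audit of a Cisco IOS running-config that flags the weaknesses the article describes (web management server without AAA, a `tftp-server` line publishing the `<hostname>-config` file, default or read-write SNMP communities with no source ACL, CDP left running) and pairs each finding with the IOS command that remediates it. The two sample configs, the hostname, the addresses and the community string are constructed; the IOS commands are real syntax.

```python
import re

# Constructed sample: a running-config carrying each weakness from the article.
WEAK_CONFIG = """\
!
hostname xyzcompany
!
ip http server
!
tftp-server flash:xyzcompany-config
!
snmp-server community public RO
snmp-server community private RW
!
end
"""

# Constructed hardened counterpart: AAA/TACACS+ in front of an HTTPS-only web
# UI, no TFTP server, a non-default read-only community bound to an ACL, and
# CDP disabled. Server address, ACL range and community string are made up.
HARDENED_CONFIG = """\
!
hostname xyzcompany
!
aaa new-model
aaa authentication login default group tacacs+ local
tacacs server MGMT-TACACS
 address ipv4 198.51.100.5
!
no ip http server
ip http secure-server
ip http authentication aaa
!
ip access-list standard SNMP-MGMT
 permit 198.51.100.0 0.0.0.255
snmp-server community Zr7q-ReadOnly-91 RO SNMP-MGMT
!
no cdp run
!
end
"""


def config_lines(text):
    """Drop blank lines and '!' separators from an IOS config."""
    return [l.rstrip() for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("!")]


def audit_config(text):
    """Return findings as (severity, area, problem, recommended IOS fix)."""
    lines = config_lines(text)

    def has(pattern):
        # Anchored at line start, so indented sub-mode lines never match.
        return any(re.match(pattern, l) for l in lines)

    findings = []

    # 1) Web UI: any HTTP/HTTPS server should authenticate through AAA
    #    (RADIUS/TACACS+), which is the mitigation the article recommends.
    web_on = has(r"ip http (secure-)?server\s*$")
    aaa_ok = has(r"aaa new-model") and has(r"ip http authentication aaa")
    if web_on and not aaa_ok:
        findings.append(("HIGH", "http",
                         "web management server enabled without AAA authentication",
                         "no ip http server  |  aaa new-model + ip http authentication aaa"))

    # 2) TFTP: each 'tftp-server' line serves a flash file with no
    #    authentication; <hostname>-config is the device's own configuration.
    hostname = next((l.split()[1] for l in lines if l.startswith("hostname ")), "Router")
    for l in lines:
        m = re.match(r"tftp-server\s+(\S+)", l)
        if m:
            served = m.group(1)
            what = "the device configuration" if served.endswith(f"{hostname}-config") else served
            findings.append(("HIGH", "tftp",
                             f"unauthenticated TFTP server (udp/69) exposes {what}", f"no {l}"))

    # 3) SNMP communities: default names, write access, missing source ACL.
    for l in lines:
        m = re.match(r"snmp-server community (\S+)(?: view \S+)? (RO|RW)(?: (\S+))?\s*$", l)
        if not m:
            continue
        name, mode, acl = m.groups()
        if name.lower() in ("public", "private"):
            findings.append(("HIGH", "snmp", f"default community string '{name}' in use",
                             f"no {l}  |  snmp-server community <random-string> {mode} <acl>"))
        if mode == "RW":
            findings.append(("HIGH", "snmp",
                             f"read-write community '{name}' allows remote reconfiguration (snmpset)",
                             "use RO only, or SNMPv3 with authentication and privacy"))
        if acl is None:
            findings.append(("MEDIUM", "snmp", f"community '{name}' accepts requests from any source",
                             f"{l} <standard-acl>"))

    # 4) CDP: on by default and absent from the config unless disabled.
    if not has(r"no cdp run"):
        findings.append(("MEDIUM", "cdp", "CDP running on all interfaces",
                         "no cdp run  (or 'no cdp enable' on untrusted interfaces)"))
    return findings


if __name__ == "__main__":
    for sev, area, problem, fix in audit_config(WEAK_CONFIG):
        print(f"[{sev}] {area}: {problem}\n        fix: {fix}")
```

Run it against the output of `show running-config`; the hardened sample produces no findings, and the weak one produces one finding per defect, with the read-write default community accounting for three on its own.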
Therefore, using any of the above-mentioned vulnerabilities, any Cisco IOS device can be pwned. Cisco Global Exploiter is also one of the scripts written by security professionals to crack IOS; I will leave it to you to google it and learn more about it.