Created: 2003-04-11
Article attribute: original
Submitted by: MeteorStary (meteorStary_at_163.com)
The Art of Cisco Router Intrusion
Author: Purple Star
Date: 2002-1-21
On the network the Web blossoms; e-mail shuttles back and forth; voice calls, network conferences, file transfers and all kinds of data interleave to form a brilliant digital world. Beneath this noisy digital world lies a fine order that decides path selection, the joining of heterogeneous media and the interaction of protocols. The keeper of this order is the router, which blankets the whole network. The router has thus become the traffic hub of data communication, and with that one of the targets of many black hats.
Cisco routers hold a dominant position in this networked world, so the attention paid to their security has given rise to the exquisite art of router intrusion and defense. Below I describe Cisco intrusion techniques and defensive strategies, proceeding from the shallow to the deep.
[The router catches a cold]
The router's own IOS is not a robust system, so it occasionally runs a fever. When the system has a fever, its resistance naturally drops.
* IOS gives itself away
All of a Cisco router's routing functions are carried out by the IOS system, so IOS is the soul of the router. The online help of the show command opens a peephole for us.
As everyone knows, an ordinary user of a Cisco router can see very little information about it; only a user who can enter privileged mode is entitled to view all information and modify routes. In user mode, the online help for show does not list all the available commands: although 75 extended parameters of show supposedly require privileged mode, in fact only 13 of them are actually restricted. This means that an ordinary (non-privileged) user can view access lists and other routing security information.
Security-critical ACL information can be viewed by a non-privileged user logged in to the router, for example:
#show access-lists
#show ip prot
#show ip ospf dat
#sh ip eigrp top
These commands leak sensitive network information in non-privileged mode. Through them we obtain a rough picture of the router's configuration, which helps with further intrusion. However, because the user needs a login account, such information is not easy to obtain.
* The dark road of WCCP
Cisco introduced WCCP (Web Cache Control Protocol) in IOS 11.2 to provide protocol communication for the Cisco Cache Engine. The Cisco Cache Engine provides a transparent caching service for the WWW: the cache engine talks to Cisco routers over WCCP, and the router forwards HTTP traffic to the cache engine host.
This feature is disabled by default. If it is enabled, WCCP itself has no authentication mechanism: the router treats any host that sends a legitimate-looking cache engine Hello packet as a cache engine, and HTTP traffic is then handed to that host to be cached. This means a malicious user can obtain information this way.
In this way an attacker can intercept site authentication information, including site passwords; replace the real web content with a trap of their own; or, through the router, completely destroy the service the web site provides. This method bypasses the accepted attack techniques entirely and delivers a comprehensive, fatal blow to the web site.
We can leave WCCP disabled, or use an ACL to block the router from sending HTTP traffic to untrusted hosts, to prevent such a harsh situation.
* The confusion of HTTP services
Cisco added a web feature for remote router management to IOS, which is undoubtedly a happy thing for a newbie. But along with the convenience came hidden dangers.
1. HTTP denial-of-service vulnerability
A Cisco router with remote web management enabled is easily subjected to a DoS attack that causes it to stop responding to network requests. Web management is an embedded function of Cisco routers, but once the feature is enabled a DoS can be triggered by constructing a simple HTTP request: http://
This request causes the router to stop responding and can even cause a hard reset.
2. HTTP server query vulnerability
Cisco's security advisory group announced this vulnerability on October 30, 2000. IOS 11.0 introduced management of the router through the web. The "?" character is the CGI parameter delimiter defined in the HTML specification, but the IOS command-line interface also interprets it as a request for help. In IOS 12.0, when the question mark is adjacent to "/", the URL interpreter cannot interpret its meaning correctly. When a URL containing "?/" is requested from the router's HTTP server together with a valid enable password, the router enters an infinite loop, crashes and restarts.
If HTTP management is in use, browsing to
http://router_ip_addr/anntest?/
and supplying the privileged password causes a DoS, leaving the router down or restarting.
Besides killing the router, HTTP has a further, terrifying privilege vulnerability, as follows.
3. Cisco IOS authentication vulnerability
When the HTTP server is enabled and the local user authentication method is used, under some conditions authentication can be bypassed and any command can be run on the device. The user can then control the device, and all commands are executed with the highest privilege (level 15).
The following URL is constructed using a username and password for an account on the routing device:
http://router_ip_addr/level/xx/exec/....
(Note: xx is a number between 16 and 99, giving 84 different attack combinations; because there are many router hardware types and IOS versions, the combination that works differs from one router type to another.)
In this way the attacker gains full control of the router and can change its routing table and configuration. This terrifying fact has stunned network administrators: such complete control is a fatal blow to the data communication hub of a web site.
Although the HTTP feature brings so many vulnerabilities, the root cause of all of them is that HTTP server management of the router is enabled. Since this management is only a substitute for the command line, a skilled administrator has no need to start such a harmful service.
The command no ip http server is therefore also a fashionable security configuration statement.
[Walking into SNMP]
When talking about Cisco router security we must involve SNMP. It looks simple, but it actually plays an important role; because of its existence, router intrusion becomes richer and more interesting.
* SNMP basics:
Every SNMP-enabled routing device contains a Management Information Base (MIB), a simple hierarchical data directory structure; all kinds of information about the device is held in this tree. The basic SNMP command get retrieves information from the MIB, and the set command sets MIB variables. One software tool for monitoring and managing Cisco routers is MRTG; for how to configure it to monitor Cisco devices, see LOG's article "How to install MRTG under Windows NT/2K" (http://www.2hackers.org/cgi-bin/2hb/topic.cgi?forum=7&topic=212).
SNMP is configured on the router as follows:
(conf)# snmp-server community readonly RO
(conf)# snmp-server community readwrite RW
The SNMP protocol grants access to the device's MIB objects through the concept of a community string. In the example above, the community string readonly gives read-only access and the community string readwrite allows read and write operations. Most administrators like to use public and private as the read-only and read-write strings; without realizing it, this carelessness can bring huge turbulence to the network. We will understand the hazard in [Touching the Routerkit].
With SNMP we can easily manage and monitor Cisco devices (see LOG's article), but it also gives an attacker an opportunity.
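The community-string concept above is all the access control SNMPv1/v2c has, and the string itself travels in the clear. The following inspector is an added example (not from this article or from Cisco) that decodes the BER envelope of a request far enough to recover the version, the community and the PDU type, then flags what a defender watching the SNMP port would want to know: default community strings and set requests. Both packets at the bottom are constructed by hand.

```python
"""Minimal SNMPv1/v2c request inspector for the community-string weaknesses
described above. Added example, not from the article or from Cisco; the two
packets at the bottom are constructed by hand."""

WELL_KNOWN_COMMUNITIES = {"public", "private"}   # the defaults the article warns about
PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest",
             0xA3: "SetRequest", 0xA5: "GetBulkRequest"}


def _read_tlv(buf, pos):
    """Decode one BER tag-length-value at buf[pos]; return (tag, start, end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length (0x81 nn, 0x82 nn nn)
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated TLV")
    return tag, pos, end


def parse_snmp_request(packet):
    """Return version, community and PDU type of an SNMPv1/v2c message."""
    tag, pos, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message (outer SEQUENCE missing)")
    tag, vstart, vend = _read_tlv(packet, pos)
    if tag != 0x02:
        raise ValueError("version INTEGER missing")
    version = int.from_bytes(packet[vstart:vend], "big")
    tag, cstart, cend = _read_tlv(packet, vend)
    if tag != 0x04:
        raise ValueError("community OCTET STRING missing")
    community = packet[cstart:cend].decode("ascii", errors="replace")
    pdu_tag, _, _ = _read_tlv(packet, cend)
    return {"version": {0: "v1", 1: "v2c"}.get(version, "unknown(%d)" % version),
            "community": community,
            "pdu": PDU_TYPES.get(pdu_tag, "0x%02x" % pdu_tag)}


def audit_snmp_request(packet):
    """Defender's view: list the risky properties of one SNMP request."""
    info = parse_snmp_request(packet)
    findings = []
    if info["community"].lower() in WELL_KNOWN_COMMUNITIES:
        findings.append("well-known community string '%s' in use" % info["community"])
    if info["pdu"] == "SetRequest":
        findings.append("SetRequest: this community has write access to the MIB")
    if info["version"] in ("v1", "v2c"):
        findings.append("SNMP %s: community string crosses the wire in clear text" % info["version"])
    return findings


# Constructed SNMPv1 GetRequest for sysDescr.0 (1.3.6.1.2.1.1.1.0), community "public".
SAMPLE_GET = bytes.fromhex(
    "3029" "020100" "04067075626c6963"              # SEQUENCE, version 0, "public"
    "a01c" "02040000002a" "020100" "020100"         # GetRequest, request-id 42, no error
    "300e" "300c" "06082b06010201010100" "0500"     # VarBindList, VarBind, OID, NULL
)

# Constructed SNMPv1 SetRequest writing sysContact.0 (1.3.6.1.2.1.1.4.0) = "lab" with
# community "private": the kind of write that changes MIB variables on the router.
SAMPLE_SET = bytes.fromhex(
    "302d" "020100" "040770726976617465"            # SEQUENCE, version 0, "private"
    "a31f" "02040000002b" "020100" "020100"         # SetRequest, request-id 43, no error
    "3011" "300f" "06082b06010201010400" "04036c6162"  # VarBindList, VarBind, OID, "lab"
)

if __name__ == "__main__":
    for pkt in (SAMPLE_GET, SAMPLE_SET):
        print(parse_snmp_request(pkt), audit_snmp_request(pkt))
```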
* Cisco IOS software SNMP read-write ILMI community string vulnerability
ILMI is an independent industry standard for configuring ATM interfaces. The MIB is a tree structure containing operational (read-only) data and configuration (read/write) options. On a vulnerable device, three specific portions of the whole management tree can be accessed in an SNMP request: the MIB-II system group, the LAN-Emulation-Client MIB and the PNNI (Private Network-to-Network Interface) MIB. A subset of the objects in each part can be modified using the same "ILMI" community string.
The MIB-II system group contains basic information about the device itself. The number of modifiable objects is limited; they include:
system.sysContact
system.sysLocation
system.sysName
Cisco IOS Software versions 11.x and 12.0 allow an undocumented ILMI community string to be used to view and modify some SNMP objects. These include the sysContact, sysLocation and sysName objects described above; modifying them does not affect normal operation of the device, but unexpected changes may cause confusion. The remaining objects are in the LAN-Emulation-Client and PNNI MIBs, and modifying them can affect the ATM configuration. If unauthorized use of the ILMI community string is not prevented, a vulnerable router may suffer a DoS attack.
If SNMP requests can reach a vulnerable device, some MIB objects can be read, and the readable subset can be modified without authorization, destroying its integrity. A more harmful approach is to send a large number of read and write requests to the SNMP port: if nothing blocks the SNMP packets, a vulnerable device suffers a DoS attack and the router becomes overloaded.
For how to view these objects, see the [Touching the Routerkit] section.
* Cisco IOS software multiple SNMP community string vulnerability
In a Cisco configuration file, an SNMP community string can be created and exposed unexpectedly, allowing unauthorized access to or modification of affected devices. The vulnerability is caused by a defect in how the SNMP function is called. SNMP uses the "community" tag to divide the "objects" that can be viewed or modified on the device into groups; the data is organized in the MIB. A single device can have several MIBs linked together into one large structure, and different community strings may each give access to only part of that large structure, with parts that may overlap.
When SNMP is enabled with the snmp-server command, if the community string it names does not exist on the device as a valid community, a read-only community string is unexpectedly added. If it is deleted, this community string reappears when the device is reloaded.
The implementation of the informs function derived from SNMPv2 includes exchanging read-only community strings to share status information. On a vulnerable device, when a trap-receiver command (the general snmp-server configuration) is processed, the community string specified for the trap messages is also configured as a general community if it is not defined in the saved configuration. This happens even if the community was deleted earlier and the configuration saved to memory before the system was reloaded. When the device is checked with snmpwalk (a tool for checking the correctness of an SNMP configuration) against the view-based access control MIB, the device's read-only community string can be used to walk the read-write community strings. This means that knowing the read-only community string gives read access to the MIB stored on the device, leading to information leakage. More seriously, knowing the read-write community string allows remote configuration of the router, bypassing the authorization mechanism so that the router's full functionality is completely controlled.
Aside: one discovered vulnerability is ironic: scanning the router with Nmap and other security scanning tools actually produces a DoS attack. Interested friends can see:
http://online.securityfocus.com/archive/1/28601/2002-11-29/2002-12-05/1
[Alternative attacks]
The vulnerability review so far seems to have been all about how to obtain the router's configuration information, because once we have a complete router-config we have mastered the router's world. The intrusion methods below take another path.
* The art of TFTP
Skilled Cisco administrators are generally accustomed to using Cisco's free TFTP server (http://www.cisco.com/pcgi-bin/tablebuild.pl/tftp), so TFTP is a likely way to obtain the router's configuration file.
Fortunately, this TFTPD daemon has a directory traversal vulnerability that allows a remote user to retrieve any file from the target system. We can get any file on the target system with the following simple method:
Exploit:
tftp> connect target_machine
tftp> get cisco-conf.bin
Received 472 bytes in 0.4 seconds
tftp> quit
This free software has no patch, so in this way a complete router configuration archive can be obtained without any effort at all.
* SSH security
Managing routers over Telnet has bred a whole batch of password eavesdroppers. Because everything is transmitted in clear text, the eavesdropper simply places a sniffer and waits comfortably for login names, passwords and all kinds of sensitive information to be delivered automatically. Applying SSH encryption to the router has largely eliminated this arrogance.
But intrusion and counter-intrusion is an ancient topic, so SSH too has begun to feel a sense of crisis. Cisco SSH has three exquisite and complex vulnerabilities. The knowledge involved in these attacks goes far beyond the scope of this article, so they are given in brief form with a pointer to the original article for each vulnerability. (These vulnerabilities are collected from the China Network Security Response Center CNSAN,
http://www.cns911.com/holes/router/router01062902.php; tribute is paid to the selfless work of the people who compiled them.)
1. CRC-32 integrity check vulnerability
Reference:
http://www.core-sdi.com/files/files/11/crc32.pdf
The author uses extremely complex mathematics to prove the existence of this vulnerability; understanding the article requires considerable mathematical skill, and I got a headache reading it. However, the theoretical analysis in the article is very exciting, and beginners can skip this vulnerability. CNSAN's article points out: "For this attack to succeed, the attacker must have one or two known ciphertext/plaintext strings, which is generally not difficult because the start of each session is fixed and detectable. The corresponding ciphertext can be obtained by sniffing the session."
2. Traffic analysis
Reference:
http://online.securityfocus.com/archive/1/169840
CNSAN's article: "To exploit this vulnerability, the attacker must capture packets, from which the password length can be analyzed and brute force used to guess the password."
When clear-text data is packaged in SSH, the data is padded to an 8-byte boundary and then encrypted. Such a packet is sent over the encrypted channel together with the plain-text length of the data, which SSH transmits in the clear. As a result, the contents of the SSH transmission can be obtained. The article also kindly gives a patch that corrects this vulnerability.
3. Key recovery in the SSH 1.5 protocol
Reference:
http://www.securityfocus.com/archive/1/161150
CNSAN's article: to exploit this protocol flaw, an attacker must sniff the SSH session and be able to establish connections to the SSH server. To recover the server key, the attacker must make 2^20 + 2^19 = 1572864 connections; because the key has a lifetime of one hour, the attacker must make about 400 connections per second.
This requires very high skill; in an ordinary remote intrusion, the probability of obtaining the SSH session by recovering the key is quite low.
* Local password hijacking
Of all intrusions, this kind of activity can be described as a savage practice. The method was originally intended for administrators who have forgotten the password; technology is a double-edged sword, and everything depends on how we use it.
If you have a laptop and the console cable for the corresponding router model, you have the weapon for intruding into the router. The rest of the time, you think about how to get the administrator out of the way and connect the cable to the router. After that you need to act quickly. (Taking the 25xx series router as an example)
1. Turn off the router's power.
2. Connect your computer to the router.
3. Open HyperTerminal (Ctrl-Break is sent from HyperTerminal).
4. Within 30 seconds of starting the router, quickly press Ctrl-Break so that the router enters ROM Monitor mode; the prompt is as follows:
Followed by a '>' prompt ...
5. Enter o/r 0x2142 to modify the configuration register (config-register) so that the router boots from Flash memory.
6. Enter i; the router initializes and restarts.
7. At the system configuration dialog prompt type no, and wait for the message: Press RETURN to get started.
8. Enter the enable command and the Router# prompt appears.
Now we can use the show command to view the entire router configuration and download it to the computer. If an enable password is in use, although it cannot be read now, it can be cracked with a tool. Of course, the rude practice is to modify it directly:
Router# conf term
Router(conf)# enable password 7 123pwd
After finishing the above, do not forget to restore the router's normal state, otherwise the administrator will quickly discover the problem:
Router(conf)# config-register 0x2102
Router(conf)# exit
At this point we have tried to obtain the whole router configuration from several angles. As for how to expand the intrusion further, some exciting tools make it incomparably convenient for us.
[Touching the Routerkit]
Just as people attacking Windows systems like to use NTRK and people attacking Linux like to use rootkits, the router's world also has its excellent kit, which people love.
* Password cracker
After obtaining a router configuration file, in the privileged-mode part of the configuration you may see an encrypted string such as "enable password 7 14341B180F0B187875212766". Congratulations: the password encryption mechanism of the enable password command is very old and has a great security weakness. The privileged password can be recovered with some simple tools.
Practical tool resources:
Sphixe's C version of the cracker:
http://www.alcrypto.co.uk/cisco/c/ciscock.c
Riku Meskanen's Perl version:
http://www.alcrypto.co.uk/cisco/perl/ios7decrypt.pl
Bigdog's Psion 3/5 version:
http://www.alcrypto.co.uk/cisco/psion/cisco.opl
Major Malfunction's Palm Pilot cracker:
http://www.alcrypto.co.uk/cisco/pilot/ciscopw_1-0.zip
Boson's Windows version, GetPass:
http://www.boson.com/promo/utilities/getpass/getpass_utility.htm
Mudge's description of the cause of the vulnerability:
http://www.alcrypto.co.uk/cisco/mudge.txt
From these resources I learned how weak the password security mechanism is, so in current configuration environments enable secret is generally used instead, with its newer and more secure encryption mechanism.
* RAT's rich gift
RAT is the Router Audit Tool, developed by the SANS Institute. This toolset can automatically and immediately retrieve the router configuration, produce an extremely detailed report of the vulnerabilities found in it with recommended configuration changes, and give security advice on SNMP vulnerabilities. This security configuration document is very precious information for administrators and hats alike.
RAT is written in Perl, so on Windows an environment with ActiveState Perl must be installed. Installation is very simple, and the scan results for the router can be viewed in HTML and ASCII text format. Here is a specific example of a scan.
Exploit:
C:\> perl C:\rat\bin\rat -a -u username -w passwd -e enablepass {router_ip_addr}
Snarfing router_ip_addr ... done.
Auditing router_ip_addr ... done.
ncat_report: guide file ibcg.pdf not found in current directory. Searching ...
Linking to guide found at c:\rat\rscg.pdf
ncat_report: writing {router_ip_addr}.ncat_fix.txt.
ncat_report: writing {router_ip_addr}.ncat_report.txt.
ncat_report: writing {router_ip_addr}.html.
ncat_report: writing rules.html (cisco-ios-benchmark.html).
ncat_report: writing all.ncat_fix.txt.
ncat_report: writing all.ncat_report.txt.
ncat_report: writing all.html.
(Note: the -a parameter scans for all vulnerability options, -u is the login account, -w the login password and -e the privileged-mode password. The vulnerability detection report and the security recommendations are written to the related files by ncat_report. {router_ip_addr} is the actual IP address of the router.)
RAT can be called the security configuration checking tool for IOS: it reports detailed configuration security vulnerabilities and provides a fix script for {router_ip_addr}, which is not only the administrator's gospel but also brings great benefits to intruders. What happens if an intruder gets such a detailed report?
It is a pity that such an excellent program retrieves the configuration with its snarf program over Telnet, in which everything transferred is plaintext, as the program's documentation states. The SSH it recommends using instead is not perfect either (see the [Alternative attacks] section), which gives the attacker a way to steal the configuration and obtain a complete clear map of it, with whatever misfortune follows. So we need to use this powerful tool with caution.
Of course, this excellent free tool brings another generous gift: the "Router Security Configuration Guide" (RSCG) bundled with the program, a detailed Cisco security configuration document that describes secure router management configuration and calls out weak configurations. This benefits security workers' understanding and has also become an excellent reference for attackers exploiting vulnerabilities.
* The ultimate strength: SolarWinds
SolarWinds.NET, the comprehensive product from SolarWinds, contains a fine set of tools for monitoring Cisco devices, with a good GUI, easy operation and a perfect toolbar (comparable to the large and complex CiscoWorks management software; I am biased towards the simple configuration tools SolarWinds provides. Of course, if CiscoWorks were used by an attacker, its power could simply copy a large-scale communication hub. CiscoWorks is not described here because it is not the subject of this article.)
Main tools:
SNMP Dictionary Attack
The SNMP dictionary attack tests the strength of SNMP community strings. The attack program first loads a dictionary of common community strings, which can be edited with the dictionary editor, and then tries them in dictionary order.
SNMP Brute Force Attack
The SNMP brute-force cracker remotely tries combinations of letters and digits for the SNMP read-only and read-write strings; the character set and the estimated string length can be defined, which helps speed up cracking.
Router Security Check
The router security check tries to enter the router, reports whether IOS needs upgrading, and also automatically tries to read the read-only and read-write SNMP community strings. Below is an actual result:
IP Address: 202.xx.xx.xx
System Name: cisco7507
Contact: Test Contact-010xxxxxx
Location: Cisco Internetwork Operating System Software (tm) RSP Software (RSP-AJSV-M) IOS, Version 12.0(7), RELEASE SOFTWARE (fc1) Copyright (c) 1986-1999 by Cisco Systems, Inc. Compiled Wed 13-Oct-99 23:20 by phanguye
Read-Only Community Strings: ilmixxx
Read-Write Community Strings: ilmixxxx
Note: the result shows the read-write string; this was discussed in the earlier example and is not repeated. x replaces the real information.
Remote TCP Session Reset
It remotely displays all active TCP connections on the router; more interestingly, if you know the SNMP read-write community string, this program can cut off TCP connections, which often causes people trouble.
Cisco Router Password Decryption
It goes without saying that this program cracks the privileged-mode password. For how to obtain the password, see the description in [Touching the Routerkit].
Of course, besides the tools above, SolarWinds also collects practical router configuration management tools: Config Editor/Viewer, Upload Config, Download Config, Running vs Startup Configs, Proxy Ping, Advanced CPU Load and Router CPU Load. Their names make their purpose easy to understand.
* SolarWinds as a sledgehammer
Here, SolarWinds' tool combination is used for an advanced intrusion exercise. The prerequisite is that you have already obtained the read-write community string through the various vulnerability probes described above (the rude approach is to use SolarWinds' SNMP brute-force cracking to obtain the read-write string).
First, create a text file containing the new password:
enable password New*Password
Note: this setting can even override an enable secret 5 setting. It is unclear why Cisco, knowing that password 7 is so easy to crack, still retains this relic.
Next, add to the file the statements that change the login password:
line vty 0 4
password New*Password
login
Start the TFTP server bundled with SolarWinds and place the file you created in the server's root directory. In the Config Uploader utility enter the router's address, the read-write string and the TFTP server, select the file you just created in the TFTP directory, and press "Copy Config PC to Router/Switch". The process is as shown in the figure:
Through this hidden way we changed the login password and the privileged-mode password. This trick often surprises administrators who manage the router remotely, but after the router is reloaded the password we set becomes invalid, because we modified the configuration in running-config mode without saving it to NVRAM. Of course, many over-excited practices simply log in to the router with the modified password and write the configuration to NVRAM, taking strong control of the routing device.
[Several security recommendations]
Having summarized these touching vulnerabilities and powerful tools, should we not act and take appropriate measures to protect our own interests?
* Questions about IOS
1. Disable the HTTP service with no ip http server to eliminate the hidden dangers of HTTP.
2. Restrict SNMP access in the configuration:
access-list 10 permit 204.50.25.0 0.0.0.255
snmp-server community readwrite RW 10   (restrict access to the hosts in the access list)
snmp-server enable traps
snmp-server trap-authentication   (tell the router to send a trap when authentication fails)
snmp-server host 204.50.25.5   (the workstation that receives the trap messages)
(Note: a CiscoWorks workstation can intercept these messages.)
3. Upgrade Cisco's IOS or apply patches promptly.
4. Read the RSCG documentation that comes with RAT.
5. Use security tools to perform security checks.
Security recommendations are never a settled matter: vulnerabilities are dug up in the dark and new techniques keep expanding, so the suggestions above are only a reference, and we should set the right strategy according to the actual situation.
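Recommendations 1, 2 and 5 can be turned into an automatic check over a saved running-config. The script below is an added example (not from this article, RAT or Cisco) that flags the weak settings discussed in this article: HTTP management, a reversible enable password, default or unrestricted SNMP communities, WCCP, and telnet on the vty lines. Both configurations are constructed; the enable password 7 string is the one quoted earlier, and the enable secret hash is a placeholder.

```python
"""Audit an IOS configuration for the weak settings this article discusses.
Added example, not from the article, RAT or Cisco; both configs below are
constructed (the enable password 7 string is the one quoted in the article)."""
import re

DEFAULT_COMMUNITIES = {"public", "private"}
SNMP_COMMUNITY = re.compile(r"snmp-server community (\S+) (ro|rw)(?: (\S+))?")


def audit_ios_config(config):
    """Return [(line_no, finding), ...] for an IOS running-config text."""
    findings = []
    in_vty, vty_line, vty_ssh_only = False, 0, False
    # A trailing sentinel closes a vty block that runs to end of file.
    for no, raw in enumerate(config.splitlines() + ["end"], 1):
        low = raw.strip().lower()
        if in_vty and not raw.startswith(" "):    # left the 'line vty' block
            if not vty_ssh_only:                  # IOS default: telnet is allowed
                findings.append((vty_line, "vty lines accept telnet; use 'transport input ssh'"))
            in_vty = False
        if low.startswith("line vty"):
            in_vty, vty_line, vty_ssh_only = True, no, False
            continue
        if in_vty:
            if low.startswith("transport input"):
                vty_ssh_only = low.split()[2:] == ["ssh"]
            continue
        if low == "ip http server":
            findings.append((no, "HTTP management enabled; use 'no ip http server'"))
        elif low.startswith("enable password"):
            kind = "type 7 (reversible)" if low.startswith("enable password 7") else "clear text"
            findings.append((no, "enable password stored as %s; use 'enable secret'" % kind))
        elif low.startswith("ip wccp"):
            findings.append((no, "WCCP enabled without authentication; disable or restrict with an ACL"))
        else:
            m = SNMP_COMMUNITY.match(low)
            if m:
                community, mode, acl = m.groups()
                if community in DEFAULT_COMMUNITIES:
                    findings.append((no, "default SNMP community '%s' in use" % community))
                if mode == "rw" and not acl:
                    findings.append((no, "read-write SNMP community without an access-list"))
    return findings


# Constructed weak config: every line is one of the mistakes described in the article.
WEAK_CONFIG = """\
enable password 7 14341B180F0B187875212766
ip http server
ip wccp web-cache
snmp-server community public RO
snmp-server community private RW
snmp-server community readwrite RW 10
access-list 10 permit 204.50.25.0 0.0.0.255
line vty 0 4
 login
 transport input telnet
!
end
"""

# Constructed hardened config following the recommendations above (hash is a placeholder).
HARDENED_CONFIG = """\
no ip http server
enable secret 5 <hash placeholder>
access-list 10 permit 204.50.25.0 0.0.0.255
snmp-server community readwrite RW 10
snmp-server enable traps
snmp-server trap-authentication
line vty 0 4
 login
 transport input ssh
!
end
"""

if __name__ == "__main__":
    for no, msg in audit_ios_config(WEAK_CONFIG):
        print("line %d: %s" % (no, msg))
    print("hardened config findings:", audit_ios_config(HARDENED_CONFIG))
```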
[References]
1. https://alerts.securityfocus.com/
2. http://www.cisco.com/warp/public/
3. http://www.insecure.org/news/p55-10.txt
4. http://www.sans.org/
5. http://www.networkingunlimited.com/white007.html
6. http://us.cns911.com/holes/router/
7. http://www.securiteam.com/
Note: because there is a great deal of information about routers on many websites, I give only the site address and not the specific article; friends who find this annoying can go to the relevant website themselves.