INVESTIGATING ROUTERS

Click to edit Master subtitle style

4/29/12

Routers

With routers, information in memory is almost always important, because routers have little data-storage capability. only real data saved in NVRAM is the configuration of the router itself system state information in memory such as current routing tables, listening services, and current passwordswill be lost if the router is powered down or rebooted.

The The

4/29/12

Establishing a Router Connection

When

establishing a connection to the router, make sure to log the entire session. With HyperTerminal, simply select the Transfer | Capture Text option to log the session. Cisco Internetwork Operating System (IOS) command language has multiple modes, such as initial setup, login prompt, basic command, enable, configuration, and interface configuration. default, you are in basic mode, which allows you to display configuration settings.

The

By

4/29/12

Recording System Time

Use

the show clock command to get the system time (enable, or privileged, level access is not required). cisco_router>show clock *03:13:21.511 UTC Tue Mar 1 2011

4/29/12

Determining Who Is Logged On

cisco_router>show

users

Line User Host(s) Idle Location * 0 con 0 idle 00:29:46 1 vty 0 idle 00:00:00 10.0.2.71 2 vty 1 10.0.2.18 00:00:36 172.16.1.1
The

second entry is a vty, or virtual terminal line. It indicates that someone has logged on to the router from the host with IP address
4/29/12

The time that the system has been online since the last reboot can also be Determining the show version important. Use the Routers Uptime command to capture this information.

cisco_router>show version Cisco Internetwork Operating System Software IOS (tm) 1600 Software (C1600-Y-M), Version 11.3(5)T, RELEASE SOFTWARE (fc1) Copyright (c) 1986-1998 by cisco Systems, Inc. Compiled Wed 12-Aug-98 04:57 by ccai Image text-base: 0x02005000, data-base: 0x023C5A58 4/29/12

Determining Listening Sockets

An example of checking for all TCP and UDP listening ports with the port scanner ScanLine follows: C:\ScanLine>sl -p -t 1-65535 -u 1-65535 10.0.2.244 ScanLine (TM) 1.01 Copyright (c) Foundstone, Inc. 2002 http://www.foundstone.com Scan of 1 IP started at Sat May 14 14:21:04 2011 ---------------------------------------------------------------------10.0.2.244 Responds with ICMP unreachable: Yes TCP ports: 23 79 80 UDP ports: 161
4/29/12

Saving the Router Configuration

All

configuration information for Cisco routers is stored in a single configuration file. can change the configuration of the router without modifying the configuration file stored in NVRAM. the show running-config command to view the configuration currently loaded on the router. the show startup-config or equivalent show config command to view the configuration saved in NVRAM.
4/29/12

you

Use

cisco_router#show running-config
Use

cisco_router#show startup-config

The routing table can be manipulated through commandline access, as well as through malicious router update packets. In either case, the routing table will reflect the changes. view the routing table, use the show ip route command.

Reviewing the Routing Table

To

cisco_router#show ip route Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * 4/29/12

 Static

routes, such as the last route in the example above, are also visible within the configuration file. If a malicious static route appears, then an attacker has manipulated the router configuration. routes may be modified without directly accessing the router, through techniques such as Routing Information Protocol (RIP) spoofing. is a routing protocol that is used by routers to update their neighbors routing tables. attacker can send a spoofed RIP packet, updating the victim routers routing tables, without ever gaining access to the router.

Other

RIP An

4/29/12

 Information

Checking Interface Configurations

about the configuration of each of the routers interfaces is available via the show ip interface command.

cisco_router#show ip interface Ethernet0 is up, line protocol is up Internet address is 10.0.2.244/24 Broadcast address is 255.255.255.255 Address determined by non-volatile memory MTU is 1500 bytes Helper address is not set Directed broadcast forwarding is disabled Multicast reserved groups joined: 224.0.0.9 Outgoing access list is not set
4/29/12

IP fast switching is enabled IP fast switching on the same interface is disabled IP multicast fast switching is disabled Router Discovery is disabled IP output packet accounting is disabled IP access violation accounting is disabled TCP/IP header compression is disabled Probe proxy name replies are disabled Gateway Discovery is disabled Policy routing is disabled Network address translation is disabled
4/29/12

Viewing the ARP Cache

Address Unlike

Resolution Protocol (ARP) maps IP addresses and media access control (MAC) addresses. IP addresses (which are Network layer addresses),MAC addresses are physical addresses (layer 2 of the OSI model) and are not routed outside broadcast domains. store the MAC addresses of any device on the local broadcast domain, along with its IP address, in the ARP cache. occasionally spoof IP or MAC addresses to circumvent security controls, such as access control lists (ACLs), firewall rules, or switch port assignments.

Routers

Attackers

4/29/12

 Use

the show ip arp command to view the ARP cache.

cisco_router#show ip arp Protocol Address Age (min) Hardware Addr Type Interface Internet 172.16.1.253 - 0010.7bf9.1d81 ARPA Ethernet1 Internet 10.0.2.71 0 0010.4bed.d708 ARPA Ethernet0 Internet 10.0.2.244 - 0010.7bf9.1d80 ARPA Ethernet0

4/29/12

FINDING THE PROOF

Types of incidents that involve routers
Direct

compromise

Routing table manipulation Theft of information Denial of service

4/29/12

Direct-Compromise Incidents
Handling Direct-Compromise Incidents
Direct

compromise of the router is any incident where an attacker gains interactive or privileged access to the router. Direct compromise provides the attacker with control of the router and access to the data stored on the router. with interactive access can use the router to identify and compromise other hosts via available router clients such as ping and telnet.

Anyone

4/29/12

Investigating a Direct-Compromise Incident

With

the information youve already collected, namely the configuration file and the list of listening ports, the investigation is off to a strong start. Services The listening services on the router provide the potential attack points from the network. Most avenues of attack to the router require a password. Compromise Possibilities If the compromise did not come via a listening service or a password, there are a few other possibilities.
4/29/12

Listening

Passwords Other

Recovering from Direct-Compromise Incidents Examples of steps that should be taken include the following:

Remove all unnecessary services. Allow remote access only through encrypted protocols. Allow no SNMP access or read-only access. Do not use the SNMP password as the password for any other access. Change all passwords. Implement ACLs so that only connections from trusted hosts are allowed to the router. Upgrade the software with the latest updates. 4/29/12

Routing Table Manipulation Incidents Table Manipulation Incidents Handling Routing

Routers

can use a variety of protocols to update their routing tables, including RIP, Open Shortest Path First (OSPF), Enhanced Interior Gateway Routing Protocol (EIGRP), Interior Gateway Routing Protocol (IGRP), Border Gateway Protocol (BGP), and so on. router will accept RIP updates without requiring any authentication. protocols offer the capability of requiring passwords, but it is up to the administrator to implement password security.

Other

4/29/12

Investigating Routing Table Manipulation Incidents

If

unfamiliar static routes appear in the routing table, then the router may have suffered direct compromise.

Recovering from Routing Table Manipulation Incidents

Temporary

recovery from routing table attacks is simple: Remove unwanted static routes and reboot the router. However, preventing the attacks from occurring in the future is a bit more difficult. ACLs can be introduced to limit router updates to known-good source addresses.
4/29/12

Handling Theft of Information Incidents

The

information that is on the router is related to network topology and access control. information that attackers glean from routers includes password, routing and topology information. recovery from this data theft is to change passwords, avoid password reuse, and limit the ability of attackers to obtain sensitive information.

Typical

The

4/29/12

DoS attacks fall into several basic categories:

Destruction

Handling Denial-of-Service (DoS) Attacks

Attacks that destroy the ability of the router to function, such as deleting the configuration information or unplugging the power. Resource consumption Attacks that degrade the ability of the router to function, such as by opening many connections to the router simultaneously. Bandwidth consumption Attacks that attempt to overwhelm the bandwidth capacity of the routers network.
4/29/12

Investigating DoS Attacks

If

the router is not working at all, it is probably a destruction attack. Check the obvious problems first: power, cables, and configuration. the router sporadically rebooting or is performance uniformly degraded? sporadically rebooting router is probably the result of a point-to-point attackone directed at the router. degraded performance may be either a resource or bandwidth-consumption attack. flood of packets directed to the router can also cause degradation.
4/29/12

Is A

Uniformly A

Recovering from DoS Attacks

Recovery usually consists of a combination of the following measures:

Eliminate listening services. Upgrade software to the latest version. Restrict access to listening services using ACLs. Implement ACLs to limit malicious traffic.

4/29/12