Cisco Router Hacking

Group 8 Vernon Guishard Kelvin Aguebor ECE 4112

Introduction
Cisco Systems, Inc. sells networking and communications technology and

services. Cisco is known for creating the first commercially successful multiprotocol router. March 2000, Cisco had the market capitalization of $500 billion. Currently, it has a market cap of $175 billion, controls 58% of the market sale of routers. The Cisco routers have been more likely to have attacks. Large market share can lead to attacks being devastating for the internet.

Identifying Routers and Vulnerabilities

Nmap is used to identify the router.
OS fingerprinting

Telnet is another solution to track down routers. SING is used to identify the router.

Trademark Cisco Banner User Access Verification

It uses ICMP packets to find the router

Nessus can be used to find vulnerabilities.

Cisco Vulnerabilities
Console Password Recovery
All Cisco routers and switches affected Not regarded as a vulnerability A way for System Admin to recover lost passwords May be used by hackers who have physical access to machines

HTTP Configuration Arbitrary Administrative Access

Vulnerability
Cisco IOS release 11.3 or higher, are vulnerable. Attacker can gain access to a router without authentication Attacker can completely control, change, and configure the device http://10.0.1.252/level/99/exec/show/config

Cisco Vulnerabilities
Router Denial of Service (DOS) Vulnerability
It affects all Cisco routers and switches from releases 11.1 through 12.1 Causes the routers and switches to stop forwarding packets on specific interface IPv4 packets with protocol type of 53, 55, 77 or 103 causes input queue to be flagged as full

Telnet Buffer Overflow Vulnerability

Cisco Broadband Operating System (CBOS), an operating system for the Cisco 600 family of routers are vulnerable Extremely long telnet passwords cause the router to crash then reboot Attacker can repeat until fixed, causing a DOS

Solutions to Vulnerabilities
Vulnerabilities know by Cisco and Patches Released
Most lingering vulnerabilities due to poor network administration Upgrade Cisco IOS Use access-list if not able to upgrade TACAS or Radius effective in preventing HTTP vulnerability

Lab Procedures
Section 1: Console Password Exploit
Using hyper terminal to access routers Obtaining enable password and enable secret of the router

Section 2: Identifying Cisco Routers

Using NMAP and telnet to identify routers

Section 3: Network Exploits

Using the Cisco Global Exploit tool Protecting against the Cisco Global Exploit tool

References

http://en.wikipedia.org/wiki/Terminal_emulator http://www.securityfocus.com/infocus/1734 http://www.securityfocus.com/infocus/1749 http://secure-o-gram.blogspot.com/2005/11/ios-exploit-and-auditingtools.html http://www.cisco.com/warp/public/707/cisco-sn-20040326exploits.shtml#details http://www.milw0rm.com/exploits/ http://www.cisco.com/en/US/products/hw/routers/ps133/products_tech_not e09186a008022493f.shtml

Questions?