Hacker intrusion technology details: Cisco router intrusion art (3)

Source: Internet
Author: User
Tags: cisco switch, cisco security

[Touch RouterKit]

For example, attackers who target Windows systems like to use NTRK, while those who attack Linux like rootkits. The router world also has an excellent kit of this kind, and it is just as convenient.

* Password cracking machine

After obtaining the router configuration file, if the privileged-mode configuration contains an encrypted string such as "enable password 7 14341b180f0b187875210466", congratulations! The encryption used by the enable password command is very old and has a serious security weakness; some simple tools can recover the privileged password from it.

* Great gift from RAT

RAT is a free Router Audit Tool developed by SANS. It automatically retrieves the router configuration and immediately provides extremely detailed vulnerability findings and recommended configuration changes for the problems it detects, along with security advice for SNMP weaknesses. Such a security configuration report is very valuable to administrators and black hats alike.

RAT is written in Perl, so ActiveState Perl must be installed on Windows. Installation is very simple. The scan results can be viewed in HTML and ASCII text format. The following is a specific scan instance.

Exploit:

C:\> perl c:\rat\bin\rat -a -u username -w passwd -e enablepass {router_ip_addr}
Snarfing router_ip_addr... done.
Auditing router_ip_addr... done.
Ncat_report: Guide file rscg.pdf not found in current directory. Searching...
Linking to guide found at c:\rat/rscg.pdf
Ncat_report: writing {router_ip_addr}.ncat_fix.txt.
Ncat_report: writing router_ip_addr2.16.ncat_report.txt.
Ncat_report: writing {router_ip_addr}.html.
Ncat_report: writing rules.html (cisco-ios-benchmark.html).
Ncat_report: writing all.ncat_fix.txt.
Ncat_report: writing all.ncat_report.txt.
Ncat_report: writing all.html.

(Note: -a scans all vulnerability options, -u is the logon account, -w the logon password, and -e the privileged (enable) password. The vulnerability report and security recommendations generated by the scan are written to the corresponding files by ncat_report. {router_ip_addr} is the actual router IP address.)

RAT can be described as a security configuration checker for IOS: it reports configuration weaknesses in detail and produces a Fix Script for {router_ip_addr}. Such a comprehensive tool is good news for administrators, but it also brings huge benefits to intruders. How bad would the situation be if an intruder obtained such a thorough report?

Unfortunately, when this excellent program fetches the router configuration file, it uses the snarf program to retrieve it over telnet, so the whole transfer is in plain text, and the SSH support recommended in the program documentation is incomplete (see the introduction to alternative attacks). An attacker who intercepts the session therefore obtains a comprehensive and clear map of the router configuration. This is unfortunate for network administrators, so this powerful tool must be used with caution.

Of course, another great gift of this excellent free tool is that it automatically loads the RSCG (Router Security Configuration Guide) PDF. This detailed Cisco router security document introduces router management and security configuration methods and describes weak router configurations. It not only helps security staff understand the issues, but also becomes an excellent reference for attackers looking for vulnerabilities.

* Ultimate force: Solarwinds

The Solarwinds product suite from Solarwinds.net includes elegant tools for managing and monitoring Cisco devices, with a good GUI, an easy-to-use interface and a well-designed toolbar. (Compared with the large and complex CiscoWorks management software, I prefer the simple configuration tools Solarwinds provides; of course, if CiscoWorks were used by an attacker, it could do just as much damage to the communication hub of a large website. CiscoWorks is not covered here for reasons of space.)

Introduction to main tools:

SNMP Dictionary Attack

SNMP Dictionary Attack tests the strength of SNMP community strings. The program first loads a dictionary (prepared with the dictionary editor) and then works through it, guessing each entry in turn.

SNMP Brute Force Attack

The SNMP brute-force program can remotely crack read-only and read/write SNMP community strings using combinations of letters and digits. The character set and the expected string length can be defined, which speeds up cracking.

Router Security Check

Router Security Check attempts to enter the router, reports whether IOS needs to be upgraded, and automatically tries to read the read-only and read/write SNMP community strings. Below is the result of an actual check:

IP Address: 202.xx.xx.xx
System Name: cisco7507
Contact: Test Contact-010xxxxxx
Location: Cisco Internetwork Operating System Software IOS (tm) RSP Software (RSP-AJSV-M), Version 12.0(7), release software (fc1) Copyright (c) 1986-1999 by cisco Systems, Inc. compiled Wed 13-Oct-99 by phanguye
Read-Only Community Strings: ILMI xxxx
Read-Write Community Strings: ILMI Xxxx

Note: the result shows that we obtained the read/write string. This method was discussed earlier and is not repeated here. The x characters mask the real details.

Remote TCP Session Reset

This tool remotely displays all active TCP connections on the router. More interestingly, if you know the SNMP read/write community string, it can tear down TCP connections at will; this kind of prank is often very distressing.

Cisco Router Password Decryption

It is self-evident that this program cracks the privileged-mode password. For how to obtain the password, see the RouterKit section.

In addition to the tools above, Solarwinds has a set of practical router configuration management tools: Config Editor/Viewer, Upload Config, Download Config, Running vs Startup Configs, Proxy Ping, Advanced CPU Load and Router CPU Load. Their purposes are clear from the names.

Test with Solarwinds

Here we use a combination of Solarwinds tools for a high-level intrusion drill. The prerequisite is that you have already obtained the read/write community string through some vulnerability detection method (for example, the Solarwinds SNMP brute-force tool).

First, create a text file containing the new password:

enable password New*Password

Note: this setting can even overwrite the enable secret 5 setting. It is unclear why Cisco retains this, since it has long known that type 7 password encryption is very easy to crack.

Then add the statements that change the logon password to the file:

line vty 0 4
 password New*Password
 login

Start the TFTP server bundled with Solarwinds and put the file you created in the server's root directory. In the Config Uploader utility, enter the router address, the read/write community string and the TFTP server address, select the file you just created in the TFTP directory, and press "Copy config PC to Router/Switch". General process:

In this concealed way we have changed the router's logon password and the privileged-mode password. This trick often surprises administrators who manage routers remotely, but the password we set becomes invalid once the router is restarted, because the change was made to the running-config and not saved to NVRAM. Of course, the more radical approach is simply to log on to the router with the modified password and write the configuration to NVRAM, taking firm control of the routing device.
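The defender's counterpart to the scenario above, as an added example that is not part of the original article or of any Solarwinds tool: compare a router's startup-config with its running-config and flag credential or management-access changes that exist only in RAM. Both configs below are constructed placeholders.

```python
import re

# Constructed sample configs (placeholder values, not from any real device).
STARTUP_CONFIG = """\
enable secret 5 $1$CONSTRUCTED$placeholder
snmp-server community readonly RO 10
line vty 0 4
 password 7 0123456789ABCDEF
 login
"""
RUNNING_CONFIG = """\
enable secret 5 $1$CONSTRUCTED$placeholder
enable password Changed-Pw
snmp-server community readonly RO 10
line vty 0 4
 password Changed-Pw
 login
"""

# Credential and management-access commands that deserve an alert when
# they appear in running-config but not in startup-config.
SENSITIVE = re.compile(
    r"^(enable (password|secret)|username |snmp-server community|"
    r"line vty|ip http server)", re.I)

def config_lines(text):
    """Yield (section, command) pairs. Indented lines are attached to their
    parent block (e.g. 'line vty 0 4') so a vty password keeps its context."""
    section = ""
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            yield section, raw.strip()
        else:
            section = raw.strip()
            yield "", section

def unsaved_changes(startup, running):
    """Commands in running-config that are absent from startup-config: they
    live only in RAM and vanish on reload. 'sensitive' marks credential or
    management changes (command or parent section matches SENSITIVE)."""
    saved = set(config_lines(startup))
    return [
        {"section": s, "command": c,
         "sensitive": bool(SENSITIVE.match(c) or SENSITIVE.match(s))}
        for s, c in config_lines(running) if (s, c) not in saved
    ]
```

Running unsaved_changes(STARTUP_CONFIG, RUNNING_CONFIG) reports the new enable password and the vty password as sensitive, unsaved changes; an administrator who pulls both configs on a schedule can alert on exactly the in-memory edit the article describes.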

[Several security suggestions]

After reviewing these shocking vulnerabilities and the powerful tools that exploit them, shouldn't we take appropriate measures to protect our own interests?

* About IOS

1. Disable the HTTP service with no ip http server to eliminate the hidden risks of HTTP.

2. Restrict SNMP access:

access-list 10 permit 204.50.25.0 0.0.0.255
snmp-server community readwrite RW 10
(restrict access to trusted hosts through an ACL)

########## monitor unauthorized SNMP access ##########
snmp-server enable traps (enable traps)
snmp-server trap-authentication (tells the router to send a trap when authentication fails)
snmp-server host 204.50.25.5 (trap-receiving workstation; note: a CiscoWorks workstation can receive this information)

3. Upgrade Cisco IOS or apply patches promptly.

4. Read the RSCG document that comes with RAT.

5. Use security tools to perform security checks on routers.
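The IOS hardening points above, as an added example in Python (not part of the original article): a small audit over a constructed sample config that flags a type 7 enable password, the HTTP server, SNMP communities without an ACL, missing authentication-failure traps and plaintext telnet on vty lines, and returns the fix the article suggests. Check names and all sample values are my own.

```python
import re

# Constructed sample running-config showing the weaknesses the article
# discusses (placeholder values, not from any real device).
SAMPLE_CONFIG = """\
hostname edge-rtr
enable password 7 0123456789ABCDEF
ip http server
snmp-server community public RO
snmp-server community private RW
snmp-server enable traps
line vty 0 4
 password 7 0123456789ABCDEF
 login
 transport input telnet
"""

def audit_config(text):
    """Return (check, finding, fix) tuples for weak IOS settings: a type 7
    enable password or no enable secret, HTTP server on, SNMP communities
    without an ACL, no authentication-failure traps, telnet on vty lines."""
    lines = [l.rstrip() for l in text.splitlines() if l.strip()]
    found = []
    if not any(l.startswith("enable secret") for l in lines):
        found.append(("enable", "no enable secret configured",
                      "enable secret <strong-password>"))
    if any(l.startswith("enable password 7 ") for l in lines):
        found.append(("enable", "type 7 enable password is reversible",
                      "no enable password (use enable secret)"))
    if "ip http server" in lines:
        found.append(("http", "HTTP management enabled", "no ip http server"))
    for l in lines:  # community with RO/RW but no trailing ACL reference
        m = re.match(r"snmp-server community (\S+) (RO|RW)(?: (\S+))?$", l, re.I)
        if m and not m.group(3):
            found.append(("snmp", f"community {m.group(1)} ({m.group(2)}) has no ACL",
                          f"{l} <acl-number>"))
    if not any(l.startswith("snmp-server trap-authentication") for l in lines):
        found.append(("snmp", "authentication-failure traps disabled",
                      "snmp-server trap-authentication"))
    section = ""
    for l in lines:  # track the parent block to report vty lines in context
        section = section if l.startswith(" ") else l
        if section.startswith("line vty") and re.search(r"transport input.*telnet", l):
            found.append(("vty", f"{section}: plaintext telnet allowed",
                          "transport input ssh"))
    return found
```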
