How to Prevent hackers from taking over a Cisco router (1)

A Cisco router is a commonly used routing product in large and medium-sized networks. As a core router, It is the soul of the entire network. If the Administrator is improperly set, the security deployment may be taken over by attackers if it is not in place. In that case, all the networks under it will fall, and the extent of its harm is self-evident.

1. One Security Test

(1) take over the Cisco Router

I recently conducted a security test on a Japanese site (http: // www. * .co.jp). The test showed that the Web server only opened port 80 and it seems that no further penetration is possible. In addition, the IP address returned by pinging the website domain name is 210. 224. *. 69, and the TTL is 44. Based on the TTL value, the Web site should adopt a server similar to Unix/Linux. Based on the site content, the author judges from experience that the size of the enterprise behind the Web must be small, and there must be a large number of hosts on its network. In this case, there should be professional network equipment, such as large routers, switches, or something, maybe cisco products. In addition, large companies must have their own public IP segments.

Based on the above considerations, I decided to use the IP Network Browser tool for the range of 210. 224. *. 1 ~~~ 210. 224. *. 254 IP segment scan to check whether a network device of a Cisco router or vswitch is used. It must be noted that IP Network Browser is a tool in the SolarWinds Network management software set. It can be used to scan Network devices in an IP segment.

Run IP Network Browser and enter 210. 224. *. 1 ~~~ 210. 224. *. 254 CIDR blocks are scanned. As expected, the IP address is 210. 224. *. the device of 1 is a vro and cisco. You can view the Community String and find that the permission is private or personal. (Figure 1)

You can use Config Download in the SolarWinds toolkit to Download the configuration file of the vro. In the tool, enter this IP address to download. Fortunately, the download is successful. Then, you can use the Config Viewer tool to view the downloaded vro configuration file and find that the vro's privileged password is encrypted and displayed as: enable secret 5 $1 $ ugRE $ xe/UCBrh2uCPYRYfr6nxn1. This is the hope of md5 encryption. Continue to check and find that the console interface and vty have a password. The password is not encrypted in plaintext cisco. Using social engineering, maybe the privileged password of the router is also cisoc! (Figure 2)

Open the command prompt, enter telnet 210. 224. *. 1, connect to the vro, and enter the vty password cisco to enter the user mode. Enter en at the command prompt, press enter, and then enter cisco to successfully enter the privileged mode of the cisco router! So far, the cisco router is fully controlled. During the Security period, enter the show user command in the vro to check whether other users have logged on. The results show that there are no other logins. We can perform further security tests. I have to talk about the Administrator's negligence and lack of security awareness. Although the privileged password is encrypted, it is the same as the console and vty passwords. What is the purpose of privileged password encryption? In addition, the password is relatively simple, and cisco is easy to guess. It can be seen that network security is similar to the barrel principle, and it is always broken through the weakest link. (Figure 3)

(2). Cisco attack test

Since the vro is controlled, we cannot determine whether the vro is the company and its relationship with web servers. By entering the show ip interface brif command on the vro, it is found that almost all the serdrop (Serial Port) interfaces of the vro are activated, while the Fast Ethernet interface is only activated for fastEthernet 0/1, and the IP address of this interface is 210. 224. *. 1. The subnet mask is 255.255.255.0. Therefore, it can be concluded that the router is the company's, and the company's WEb server is connected to the fastEthernet 0/1 vro. At the same time, we can estimate the company's network topology. There should be a hardware firewall behind the Internet. The firewall is connected to the cisco router, and the WEB server is connected to the router and connected to the Internet through the router.

Since it controls the router of the company's only device connected to the internet, let alone a web server, all the internet of the company is under control. The author takes web server as an example to conduct a security test. In cisco router security mode, enter certain commands. The cisco command is used to create an access control list to block access to the 0/1. 210. *. 69 (web Server) ip address through fastEthernet 224 of the vro. (Figure 4)

After the command is complete, enter http: // www. * .co.jp in the browser to access the webpage. As expected, the webpage cannot be opened. (Figure 5)

Because it is a security test, to restore Website access, enter the command on the cisco Router

cisco(config)#int fastEthernet 0/1 cisco(config)#no access-list 101 deny ip host 210.224.*.69 any