Cisco Router Security


1. Cisco Router Forensics
   Thomas Akin, CISSP
   Director, Southeast Cybercrime Institute, Kennesaw State University
   BlackHat Briefings, USA, 2002
2. Hacking Cisco
   Cisco Bugtraq vulnerabilities per year:
   - 1998: 3
   - 1999: 5
   - 2000: 23
   - 2001: 46
   - 2002 (est.): 94
3. Hacking Routers
   Example exploits:
   - HTTP Authentication Vulnerability: using a URL of http://router.address/level/$NUMBER/exec/.... where $NUMBER is an integer between 16 and 99, it is possible for a remote user to gain full administrative access.
   - NTP Vulnerability: by sending a crafted NTP control packet, it is possible to trigger a buffer overflow in the NTP daemon.
   - SNMP Parsing Vulnerability: malformed SNMP messages received by affected systems can cause various parsing and processing functions to fail, which results in a system crash and reload. In some cases, access-list statements on the SNMP service do not protect the device.
4. Hacking Routers
   When a router is hacked it allows an attacker to:
   - DoS or disable the router and network
   - Compromise other routers
   - Bypass firewalls, IDS systems, etc.
   - Monitor and record all outgoing and incoming traffic
   - Redirect whatever traffic they desire
5. Cisco Routers in a Nutshell
   Flash (persistent) holds:
   - Startup configuration
   - IOS files
   RAM (non-persistent) holds:
   - Running configuration
   - Dynamic tables, e.g.:
     - ARP
     - Routing
     - NAT
     - ACL violations
     - Protocol statistics
     - etc.
6. Router Forensics vs. Traditional Forensics
   Traditional forensics:
   - Immediately shut down the system (or pull the power cord)
   - Make a forensic duplicate
   - Perform analysis on the duplicate
   - Live system data is rarely recovered
   Router forensics:
   - Live system data is the most valuable
   - Immediate shutdown destroys all of this data
   - Persistent (flash) data will likely be unchanged and useless
   - Investigators must recover live data for analysis
7. Computer Forensics: The Unholy Grail
   - The goal is to “catch the criminal behind the keyboard,” not to find fascinating computer evidence.
   - Computer evidence is never the smoking gun. Most often computer evidence either:
     - provides leads to other evidence, or
     - corroborates other evidence.
8. Chain of Custody
   Detailed, methodical, unquestionable:
   - Where you received the evidence
   - When you received the evidence
   - Who you received the evidence from
   - What your seizure methods were
   - Why you seized the evidence
   - How you maintained your chain of custody
9. Example CoC Form
10. Example CoC Form
11. Incident Response
   - DO NOT REBOOT THE ROUTER.
   - Change nothing, record everything.
   - Before you say it is an accident, make sure it isn’t an incident.
   - Before you say it is an incident, make sure it isn’t an accident.
12. Accessing the Router
   DO:
   - Access the router through the console
   - Record your entire console session
   - Run show commands
   - Record the actual time and the router’s time
   - Record the volatile information
   DON’T:
   - Reboot the router
   - Access the router through the network
   - Run configuration commands
   - Rely only on persistent information
13. Recording Your Session
   - Always start recording your session before you even log onto the router.
   - Frequently show the current time with the show clock detail command.
14. Volatile Evidence: Direct Access
   - show clock detail
   - show version
   - show running-config
   - show startup-config
   - show reload
   - show ip route
   - show ip arp
   - show users
   - show logging
   - show ip interface
   - show interfaces
   - show tcp brief all
   - show ip sockets
   - show ip nat translations verbose
   - show ip cache flow
   - show ip cef
   - show snmp user
   - show snmp group
   - show clock detail
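Slides 12 to 14 say to record both the actual time and the router's time and to bracket the evidence with show clock detail; the script below, added here as an example and not taken from the presentation, turns those two readings into a clock offset and applies it to router-stamped evidence. It assumes the first line of show clock detail has the form HH:MM:SS.mmm ZONE Day Mon DD YYYY (optionally preceded by a * or . marker), and that the investigator's time is supplied in the router's time zone.

```python
# Added example, not from the presentation: measure the router's clock error
# against the investigator's trusted clock and use it to convert router-stamped
# evidence to real time. Assumed 'show clock detail' first-line format:
# "[*|.]HH:MM:SS.mmm ZONE Day Mon DD YYYY" (leading '*' = clock not
# authoritative, '.' = NTP not yet synchronised). Times are compared naively,
# so the investigator's time must be given in the router's time zone.
import re
from datetime import datetime, timedelta

# Constructed sample of 'show clock detail' as captured in a console session.
SHOW_CLOCK = "*14:23:45.123 UTC Tue Jul 23 2002\nTime source is user configuration\n"

CLOCK_RE = re.compile(
    r"^[*.]?(\d{2}:\d{2}:\d{2})(?:\.(\d{3}))?\s+(\S+)\s+\w{3}\s+(\w{3})\s+(\d{1,2})\s+(\d{4})"
)


def parse_show_clock(text: str) -> datetime:
    """Return the router's reported time from 'show clock detail' output."""
    m = CLOCK_RE.match(text.strip().splitlines()[0])
    if not m:
        raise ValueError("unrecognised show clock output: %r" % text)
    hms, msec, _zone, mon, day, year = m.groups()
    stamp = "%s %s %02d %s.%s" % (year, mon, int(day), hms, msec or "000")
    return datetime.strptime(stamp, "%Y %b %d %H:%M:%S.%f")


def clock_offset(router_time: datetime, actual_time: datetime) -> timedelta:
    """How far the router clock runs ahead of (positive) or behind (negative) real time."""
    return router_time - actual_time


def to_real_time(router_stamp: datetime, offset: timedelta) -> datetime:
    """Convert a timestamp taken from the router (log buffer, show output) to real time."""
    return router_stamp - offset


if __name__ == "__main__":
    router_now = parse_show_clock(SHOW_CLOCK)
    actual_now = datetime(2002, 7, 23, 14, 21, 0)  # investigator's clock (constructed)
    off = clock_offset(router_now, actual_now)
    print("router clock offset:", off)
    # A log entry the router stamped 13:00:00 actually happened at:
    print(to_real_time(datetime(2002, 7, 23, 13, 0, 0), off))
```

Record the offset in the session log next to the show clock detail output so every router timestamp in the evidence can be corrected later.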
15. Volatile Evidence: Indirect Access
   - Remote evidence may be all you can get if the passwords have been changed.
   - Port scan each router IP:
       nmap -v -sS -P0 -p 1-
       nmap -v -sU -P0 -p 1-
       nmap -v -sR -P0 -p 1-
   - SNMP scan each router IP:
       snmpwalk -v1 public
       snmpwalk -v1 private
16. Intrusion Analysis
   - IOS vulnerabilities
   - Running vs. startup configurations
   - Logging
   - Timestamps
17. Logging
   - Console logging: these messages will be captured by recording your session.
   - Buffer logging: if buffered logging is turned on, the show logging command will show you the contents of the router log buffer, what level logging is performed at, and what hosts logging is sent to.
   - Terminal logging: this allows non-console sessions to view log messages.
   - Syslog logging: log messages are sent to a syslog server when logging is turned on and the logging servername command is set.
18. Logging
   - SNMP logging: if SNMP is running, SNMP traps may be sent to a logging server.
   - AAA logging: if AAA is running, check the aaa accounting commands to see what logging is being sent to the Network Access Server.
   - ACL violation logging: ACLs can be configured to log any packets that match their rules by ending the ACL entry with the log or log-input keyword. These log messages are sent to the router’s log buffer and to the syslog server.
19. Real Time Forensics
   After removing or collecting information from your compromised router, you can use the router to help monitor the network and itself by turning on logging if it wasn’t on previously.
     Router# config terminal
     Router(config)# service timestamps log datetime msec localtime show-timezone
     Router(config)# no logging console
     Router(config)# logging on
     Router(config)# logging buffered 32000
     Router(config)# logging buffered informational
     Router(config)# logging facility local6
     Router(config)# logging trap informational
     Router(config)# logging
20. Real Time Forensics
   Using AAA provides even greater ability to log information. TACACS+ even allows you to log every command executed on the router to your Network Access Server.
     Router# config terminal
     Router(config)# aaa accounting exec default start-stop group tacacs+
     Router(config)# aaa accounting system default stop-only group tacacs+
     Router(config)# aaa accounting connection default start-stop group tacacs+
     Router(config)# aaa accounting network default start-stop group tacacs+
21. Real Time Forensics
   - You can also use ACL logging to count packets and log specific events. By configuring syslog logging and analyzing your syslog files in real time you can perform real time monitoring.
   - The ACL
       access-list 149 permit tcp host any eq 161 log-input
     will not block any packets, but will log all incoming SNMP requests from to any internal host.
   - The ACLs
       access-list 148 deny tcp any eq 53 log-input
       access-list 148 deny udp any eq 53 log-input
     will block and log any DNS packets from the subnet to any internal host.
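As an added example that is not part of the presentation, the Python below parses the %SEC-6-IPACCESSLOGP syslog messages that log and log-input ACL entries like the ones above produce, and totals packets per list, action, source and destination so a syslog feed can be watched in near real time. The sample lines are constructed, and the assumed message body is: list ACL permitted|denied PROTO SRC(PORT) [(INTERFACE MAC)] -> DST(PORT), N packet(s).

```python
# Added example, not from the presentation: summarise ACL 'log' / 'log-input'
# hits from a Cisco syslog feed. Only the TCP/UDP message (%SEC-6-IPACCESSLOGP)
# is parsed; other %SEC-6-IPACCESSLOG* variants carry a different body and are
# skipped. The interface/MAC group is present only for 'log-input' entries.
# IOS emits the first match immediately ("1 packet") and then a periodic
# summary line ("N packets"), so totals must add both up.
import re
from collections import Counter

# Constructed sample syslog lines (timestamps as produced by
# 'service timestamps log datetime msec show-timezone').
SAMPLE_LOG = """\
Jul 23 14:25:01.001 UTC: %SEC-6-IPACCESSLOGP: list 149 permitted tcp 10.9.9.9(4021) (Ethernet0 0000.0c12.3456) -> 192.168.1.1(161), 1 packet
Jul 23 14:25:07.442 UTC: %SEC-6-IPACCESSLOGP: list 148 denied udp 10.9.9.9(1034) (Ethernet0 0000.0c12.3456) -> 192.168.1.10(53), 1 packet
Jul 23 14:30:07.500 UTC: %SEC-6-IPACCESSLOGP: list 148 denied udp 10.9.9.9(1034) (Ethernet0 0000.0c12.3456) -> 192.168.1.10(53), 37 packets
Jul 23 14:31:12.000 UTC: %SYS-5-CONFIG_I: Configured from console by console
"""

ACL_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\)"
    r"(?: \((?P<iface>\S+) (?P<mac>[0-9a-f.]+)\))? -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)


def parse_acl_events(text):
    """Yield one dict per ACL log message; unrelated syslog lines are skipped."""
    for line in text.splitlines():
        m = ACL_RE.search(line)
        if m:
            event = m.groupdict()
            event["count"] = int(event["count"])
            yield event


def summarise(text):
    """Packet totals keyed by (acl, action, src, dst, dport)."""
    totals = Counter()
    for ev in parse_acl_events(text):
        totals[(ev["acl"], ev["action"], ev["src"], ev["dst"], ev["dport"])] += ev["count"]
    return totals


if __name__ == "__main__":
    for key, packets in sorted(summarise(SAMPLE_LOG).items()):
        print(key, packets)
```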
22. Summary
   - Hacking Cisco routers
   - Router hardware and software
   - Router forensics vs. traditional forensics
   - Computer evidence and chain of custody
   - Incident response
   - Accessing the router
   - Gathering volatile evidence, internal and external
   - Gathering logging evidence
   - Performing real time network forensics
23. Thank you!
   Thomas Akin [email_address]
   On your conference CD you will find:
   - A copy of this presentation
   - A router forensics checklist
   - A sample Chain of Custody form
   - A sample Evidence Receipt tag