Speakers: Joaquim Espinhara, Rafael Silva
Language: English
The goal of this talk is present a way to abuse a default feature of Cisco routers. The feature mentioned is the Embedded Packet Capture (EPC), described by the Cisco: "... a powerful troubleshooting and tracing tool. The feature allows for network administrators to capture data packets flowing through, to, and from, a Cisco router." We were able to abuse this feature and build a system to collecting massive data and store them for analysis purpose.
The PoC developed uses multiple Cisco routers configured with default accounts to send their data traffic (input, output or both) to our repository and finally we are able to starting the processes to transform these raw data packet files in useful information. Such as user credentials, pre-shared key keys, URLs and many other potential sensitive data can be extracted, but additional "features", like cyber attacks, are planned for the future. The subject presented by the researchers would help a simple penetration tester during a usual engagement , additionally it's possible configure a larger set of routers to collect data and build a huge database, hack the planet style.
The content of this presentation results from independent research conducted by me on my own time and of my own accord. This research was not approved, sanctioned or funded by my employer and is not in any way associated with my employer.
CONFidence: http://confidence.org.pl/pl/
9. µMIMOSAWRITERROUTER / Confidence 2015 @ Krakow!
2 / Introduction & motivation
• We are NOT exploiting a 0day on Cisco
devices.!
• We are aware of other methods, like GRE
tunnels, port mirroring, lawful interception, etc.!
• This is an automated tool to help pentesters /
Threat intelligence to collect interesting data in
a controlled environment.!
• This is really useful tool for threat intelligence
data gathering.!
• You have to get ENABLE privilege on the router
to use Mimosa.!
!
10. 2 / Introduction & motivation
2009 / @jespinhara @h2hc about GRE-TUNNELS.
2009 / @rfdslabs tell about EPC to @jespinhara.
2010 / Hacking the Planet…
2011 / Hacking the Planet…
2012 / Hacking the Planet…
2013 / Hacking the Planet…
2014 -2015 / Mimosa released. !
µMIMOSAWRITERROUTER / Confidence 2015 @ Krakow!
12. 3 / EPC
The ability to capture IPv4 and IPv6 packets.
A flexible method for specifying the capture buffer size and type.
EXEC-level commands to start and stop the capture.
Show commands to display packet contents on the device.
Facility to export the packet capture in PCAP format.
Extensible infrastructure for enabling packet capture points.!
µMIMOSAWRITERROUTER / Confidence 2015 @ Krakow!
13. 3 / EPC / Abuse!
The ability to capture IPv4 and IPv6 packets.
A flexible method for specifying the capture buffer size and type.
EXEC-level commands to start and stop the capture.
Show commands to display packet contents on the device.
Facility to export the packet capture in PCAP format.
Extensible infrastructure for enabling packet capture points.!
• Sniffing
• Choose the sniffer buffer size. More than one buffer and capture point.
• Need some hacking to Enable, cisco/cisco.
• Sniffing on the fly.
• Make your pcap-farm-server.
• All Your Network Are Belong to Us.
µMIMOSAWRITERROUTER / Confidence 2015 @ Krakow!
14. 3 / EPC / How EPC Works!
Define a Capture Buffer and Size and Type (Linear OR Circular):
Define a Capture point (interfaces and directions):
Associate the capture point to our buffer:
µMIMOSAWRITERROUTER / Confidence 2015 @ Krakow!
15. 3 / EPC / How EPC Works!
Start / stop the capture point:
Linear / When the buffer is full, the
capture will stop.
Circular / The buffer will be
overwritten with new packets.!
µMIMOSAWRITERROUTER / Confidence 2015 @ Krakow!
16. 3 / EPC / How EPC Works!
Sniffing on the fly:
µMIMOSAWRITERROUTER / Confidence 2015 @ Krakow!
17. 3 / EPC / How EPC Works!
Export the capture in PCAP format to a remote location:
µMIMOSAWRITERROUTER / Confidence 2015 @ Krakow!
18. µMIMOSAWRITERROUTER / Confidence 2015 @ Krakow!
3 / EPC / How EPC Works!
The main problem is export the capture to a REMOTE location.
No way to disable the EPC OR block the export to a remote
location L
This is a feature, is not a BUG J!
38. 6 / Future
Add support to another devices, such as mikrotik and Juniper.
A dashboard for better visualization of the sensitive data.
Other attack options like bruteforce, CVE-XXXX.!
µMIMOSAWRITERROUTER / Confidence 2015 @ Krakow!