4/29/12
Routers
With routers, information in memory is almost always important, because routers have little data-storage capability. The only real data saved in NVRAM is the configuration of the router itself. The system state information in memory, such as current routing tables, listening services, and current passwords, will be lost if the router is powered down or rebooted.
When establishing a connection to the router, make sure to log the entire session. With HyperTerminal, simply select the Transfer | Capture Text option to log the session. The Cisco Internetwork Operating System (IOS) command language has multiple modes, such as initial setup, login prompt, basic command, enable, configuration, and interface configuration. By default, you are in basic mode, which allows you to display configuration settings.
Use the show clock command to get the system time (enable, or privileged, level access is not required).

cisco_router>show clock
*03:13:21.511 UTC Tue Mar 1 2011
cisco_router>show users
    Line       User       Host(s)              Idle       Location
*  0 con 0                idle                 00:29:46
   1 vty 0                idle                 00:00:00   10.0.2.71
   2 vty 1                10.0.2.18            00:00:36   172.16.1.1

The second entry is a vty, or virtual terminal line. It indicates that someone has logged on to the router from the host with IP address
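As an added example (not part of the original slides), the following Python parses a captured show users listing like the one above and flags two things an investigator wants to see immediately: vty sessions opened from hosts outside a trusted management set, and sessions in which the router itself has been used to connect onward to another host. The TRUSTED_MGMT set is a hypothetical value, and the parse treats the Host(s) column as holding a single entry; both are assumptions of the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the "show users" listing from the slides, re-typed with
# its column layout. The User column is empty on every row, as in the original.
SHOW_USERS = """\
    Line       User       Host(s)              Idle       Location
*  0 con 0                idle                 00:29:46
   1 vty 0                idle                 00:00:00   10.0.2.71
   2 vty 1                10.0.2.18            00:00:36   172.16.1.1
"""

# Assumption (hypothetical value): the only hosts administrators should open
# vty sessions from. 10.0.2.71 is deliberately not in it.
TRUSTED_MGMT = {"172.16.1.1"}

@dataclass
class Session:
    current: bool            # "*" marks the line the command was typed on
    line: str                # "con 0", "vty 0", ...
    user: str
    host: str                # "idle", or a host the session connected to from the router
    idle: str
    location: Optional[str]  # source address of an inbound vty session

_ROW = re.compile(r"^(?P<cur>\*)?\s*\d+\s+(?P<line>(?:con|aux|tty|vty)\s+\d+)\s+(?P<rest>.*)$")
_IDLE = re.compile(r"^\d+:\d{2}:\d{2}$")

def parse_show_users(text: str) -> List[Session]:
    sessions = []
    for raw in text.splitlines():
        m = _ROW.match(raw)
        if not m:
            continue  # header or blank line
        tokens = m["rest"].split()
        # The idle timer is the one column that is always present and has a
        # fixed shape, so locate it and read the other columns relative to it.
        idx = next((i for i, t in enumerate(tokens) if _IDLE.match(t)), None)
        if idx is None or idx == 0:
            continue
        # Assumption: Host(s) holds a single entry, so two tokens before the
        # timer are User and Host(s); one token is Host(s) alone.
        host = tokens[idx - 1]
        user = tokens[idx - 2] if idx >= 2 else ""
        location = tokens[idx + 1] if len(tokens) > idx + 1 else None
        sessions.append(Session(bool(m["cur"]), m["line"], user, host, tokens[idx], location))
    return sessions

def suspicious_sessions(sessions: List[Session], trusted=TRUSTED_MGMT) -> List[Tuple[Session, str]]:
    """Sessions an investigator should look at first, with the reason."""
    findings = []
    for s in sessions:
        if s.line.startswith("vty") and s.location and s.location not in trusted:
            findings.append((s, f"vty login from untrusted host {s.location}"))
        if s.host != "idle":
            findings.append((s, f"router used to connect onward to {s.host}"))
    return findings

if __name__ == "__main__":
    for s, why in suspicious_sessions(parse_show_users(SHOW_USERS)):
        print(f"{s.line}: {why}")
```

Run against the sample it reports the vty 0 login from 10.0.2.71 and the vty 1 session's outbound connection to 10.0.2.18; the console session on con 0 is silent because it has no network source and is idle.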
Determining the Router's Uptime
The time that the system has been online since the last reboot can also be important. Use the show version command to capture this information.

cisco_router>show version
Cisco Internetwork Operating System Software
IOS (tm) 1600 Software (C1600-Y-M), Version 11.3(5)T, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-1998 by cisco Systems, Inc.
Compiled Wed 12-Aug-98 04:57 by ccai
Image text-base: 0x02005000, data-base: 0x023C5A58
The configuration information for Cisco routers is stored in a single configuration file. You can change the configuration of the router without modifying the configuration file stored in NVRAM. Use the show running-config command to view the configuration currently loaded on the router. Use the show startup-config or equivalent show config command to view the configuration saved in NVRAM.

cisco_router#show running-config

cisco_router#show startup-config
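Because the configuration in memory can differ from the one saved in NVRAM, an investigator wants the exact difference between the two captures: a statement present only in the running configuration was entered after the last write to NVRAM and will vanish on reboot. The following Python is an added example, not from the original slides. The two configuration texts are constructed samples (the enable secret is a placeholder), and the banner lines the code skips are the ones IOS prints above each listing.

```python
import difflib
from typing import Dict, List

# Constructed sample configs (not from the slides). The running config carries
# two changes that were never written to NVRAM: an extra static route and an
# SNMP community switched from read-only to read-write.
STARTUP_CONFIG = """\
Using 612 out of 32768 bytes
!
version 11.3
hostname cisco_router
!
enable secret 5 <hash-redacted>
!
interface Ethernet0
 ip address 10.0.2.244 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.0.2.1
snmp-server community netmon RO
line vty 0 4
 login
 transport input telnet
end
"""

RUNNING_CONFIG = """\
Building configuration...

Current configuration:
!
version 11.3
hostname cisco_router
!
enable secret 5 <hash-redacted>
!
interface Ethernet0
 ip address 10.0.2.244 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.0.2.1
ip route 192.168.99.0 255.255.255.0 10.0.2.71
snmp-server community netmon RW
line vty 0 4
 login
 transport input telnet
end
"""

# Banner lines IOS prints above a configuration listing; they differ between
# the two commands and carry no configuration.
_NOISE_PREFIXES = ("Building configuration", "Current configuration", "Using ")

def normalize(config: str) -> List[str]:
    """Keep only configuration statements: drop banners, '!' separators and
    blank lines, but preserve the leading space that marks sub-mode lines."""
    lines = []
    for line in config.splitlines():
        s = line.rstrip()
        if not s.strip() or s.strip() == "!" or s.startswith(_NOISE_PREFIXES):
            continue
        lines.append(s)
    return lines

def unsaved_changes(startup: str, running: str) -> Dict[str, List[str]]:
    """Statements present in memory but not in NVRAM ('added') and the reverse
    ('removed'). Either list being non-empty means the router is not running
    what it will boot with."""
    diff = difflib.unified_diff(normalize(startup), normalize(running), lineterm="", n=0)
    added, removed = [], []
    for line in diff:
        if line.startswith(("+++", "---", "@@")):
            continue  # file headers and hunk markers
        if line.startswith("+"):
            added.append(line[1:])
        elif line.startswith("-"):
            removed.append(line[1:])
    return {"added": added, "removed": removed}

if __name__ == "__main__":
    for kind, lines in unsaved_changes(STARTUP_CONFIG, RUNNING_CONFIG).items():
        for stmt in lines:
            print(f"{kind:>7}: {stmt}")
```

The comparison is line-based on purpose: a static route or a community string that changed is what the investigator needs to read, and a positional diff keeps sub-mode lines (those indented by one space) attached to their context. Save both captures from the logged session before rebooting, since the running side is exactly what a reboot destroys.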
The routing table can be manipulated through command-line access, as well as through malicious router update packets. In either case, the routing table will reflect the changes. To view the routing table, use the show ip route command.

cisco_router#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, *
Static routes, such as the last route in the example above, are also visible within the configuration file. If a malicious static route appears, then an attacker has manipulated the router configuration. Other routes may be modified without directly accessing the router, through techniques such as Routing Information Protocol (RIP) spoofing. RIP is a routing protocol that is used by routers to update their neighbors' routing tables. An attacker can send a spoofed RIP packet, updating the victim router's routing tables, without ever gaining access to the router.
Information about the configuration of each of the router's interfaces is available via the show ip interface command.

cisco_router#show ip interface
Ethernet0 is up, line protocol is up
  Internet address is 10.0.2.244/24
  Broadcast address is 255.255.255.255
  Address determined by non-volatile memory
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Multicast reserved groups joined: 224.0.0.9
  Outgoing access list is not set
  IP fast switching is enabled
  IP fast switching on the same interface is disabled
  IP multicast fast switching is disabled
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  Probe proxy name replies are disabled
  Gateway Discovery is disabled
  Policy routing is disabled
  Network address translation is disabled
Address Resolution Protocol (ARP) maps IP addresses to media access control (MAC) addresses. Unlike IP addresses (which are Network layer addresses), MAC addresses are physical addresses (layer 2 of the OSI model) and are not routed outside broadcast domains. Routers store the MAC address of any device on the local broadcast domain, along with its IP address, in the ARP cache. Attackers occasionally spoof IP or MAC addresses to circumvent security controls, such as access control lists (ACLs), firewall rules, or switch port assignments.
Use the show ip arp command to view the router's ARP cache.

cisco_router#show ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  172.16.1.253            -   0010.7bf9.1d81  ARPA   Ethernet1
Internet  10.0.2.71               0   0010.4bed.d708  ARPA   Ethernet0
Internet  10.0.2.244              -   0010.7bf9.1d80  ARPA   Ethernet0
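An added example, not part of the original slides: the Python below parses the ARP cache listing above and compares it with an earlier snapshot, reporting the two traces that IP or MAC spoofing leaves in the cache, an IP whose hardware address has changed since the baseline, and one MAC answering for several IPs on the same interface. The baseline snapshot and the extra 10.0.2.18 entry appended to the current listing are constructed for the example; the rest of the listing is the slide's own.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# The slide's "show ip arp" output, plus one constructed entry (10.0.2.18)
# that shares a MAC with 10.0.2.71.
ARP_NOW = """\
cisco_router#show ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  172.16.1.253            -   0010.7bf9.1d81  ARPA   Ethernet1
Internet  10.0.2.71               0   0010.4bed.d708  ARPA   Ethernet0
Internet  10.0.2.244              -   0010.7bf9.1d80  ARPA   Ethernet0
Internet  10.0.2.18               3   0010.4bed.d708  ARPA   Ethernet0
"""

# Constructed earlier snapshot of the same cache (a hypothetical baseline taken
# before the incident): 10.0.2.71 was then answered by a different MAC.
ARP_BASELINE = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  172.16.1.253            -   0010.7bf9.1d81  ARPA   Ethernet1
Internet  10.0.2.71              12   00e0.1e5a.9c30  ARPA   Ethernet0
Internet  10.0.2.244              -   0010.7bf9.1d80  ARPA   Ethernet0
"""

_ENTRY = re.compile(
    r"^Internet\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<age>-|\d+)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(?P<type>\S+)\s+(?P<intf>\S+)$"
)

def parse_arp(text: str) -> Dict[str, dict]:
    """Map IP -> {mac, age, interface}. An age of '-' marks the router's own
    interface addresses, which are never learned from the wire."""
    entries = {}
    for line in text.splitlines():
        m = _ENTRY.match(line.strip())
        if m:
            entries[m["ip"]] = {
                "mac": m["mac"],
                "age": None if m["age"] == "-" else int(m["age"]),
                "interface": m["intf"],
            }
    return entries

def arp_findings(baseline: Dict[str, dict], now: Dict[str, dict]) -> List[Tuple[str, str]]:
    """(subject, reason) pairs: MAC changes against the baseline first, then
    MACs that claim more than one learned IP on the same interface."""
    findings = []
    for ip, cur in now.items():
        old = baseline.get(ip)
        if old and old["mac"] != cur["mac"]:
            findings.append((ip, f"MAC changed {old['mac']} -> {cur['mac']}"))
    # A single MAC behind several IPs can be a legitimate multi-homed host,
    # but it is also exactly what a host answering ARP for its neighbours looks like.
    by_mac = defaultdict(list)
    for ip, cur in now.items():
        if cur["age"] is not None:  # skip the router's own addresses
            by_mac[(cur["mac"], cur["interface"])].append(ip)
    for (mac, intf), ips in by_mac.items():
        if len(ips) > 1:
            findings.append((mac, f"claims {len(ips)} addresses on {intf}: {', '.join(sorted(ips))}"))
    return findings

if __name__ == "__main__":
    for subject, why in arp_findings(parse_arp(ARP_BASELINE), parse_arp(ARP_NOW)):
        print(f"{subject}: {why}")
```

A baseline only exists if someone captured show ip arp before the incident, which is one reason to log routine sessions as well as incident ones; without it the second check (one MAC, several IPs) still runs on a single capture.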
Direct-Compromise Incidents
Handling Direct-Compromise Incidents
Direct compromise of the router is any incident where an attacker gains interactive or privileged access to the router. Direct compromise provides the attacker with control of the router and access to the data stored on the router. Anyone with interactive access can use the router to identify and compromise other hosts via available router clients such as ping and telnet.
With the information you've already collected, namely the configuration file and the list of listening ports, the investigation is off to a strong start.

Listening Services
The listening services on the router provide the potential attack points from the network.

Passwords
Most avenues of attack to the router require a password.

Other Compromise Possibilities
If the compromise did not come via a listening service or a password, there are a few other possibilities.
Recovering from Direct-Compromise Incidents
Examples of steps that should be taken include the following:
- Remove all unnecessary services.
- Allow remote access only through encrypted protocols.
- Allow no SNMP access or read-only access.
- Do not use the SNMP password as the password for any other access.
- Change all passwords.
- Implement ACLs so that only connections from trusted hosts are allowed to the router.
- Upgrade the software with the latest updates.
Routers can use a variety of protocols to update their routing tables, including RIP, Open Shortest Path First (OSPF), Enhanced Interior Gateway Routing Protocol (EIGRP), Interior Gateway Routing Protocol (IGRP), Border Gateway Protocol (BGP), and so on. A router will accept RIP updates without requiring any authentication. Other protocols offer the capability of requiring passwords, but it is up to the administrator to implement password security.
If unfamiliar static routes appear in the routing table, then the router may have suffered direct compromise.
The recovery from routing table attacks is simple: remove unwanted static routes and reboot the router. However, preventing the attacks from occurring in the future is a bit more difficult. ACLs can be introduced to limit router updates to known-good source addresses.
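The following Python is an added example (not from the original slides) that runs the two checks described in this section over a captured show ip route listing: static routes that are not in a known baseline, which point at direct compromise or an unsaved configuration change, and RIP routes learned from a neighbour that is not expected to send updates, which is what a spoofed RIP update looks like from the routing table. The route lines, the KNOWN_STATIC baseline and the RIP_NEIGHBORS set are constructed, since the slide's own listing stops after the code legend; the parser assumes the prefix/length form of the listing.

```python
import re
from typing import List, Set, Tuple

# Constructed routing table in the "show ip route" layout. The legend is cut to
# one line; the route lines are made up for the example.
SHOW_IP_ROUTE = """\
cisco_router#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
Gateway of last resort is 10.0.2.1 to network 0.0.0.0

C    10.0.2.0/24 is directly connected, Ethernet0
C    172.16.1.0/24 is directly connected, Ethernet1
R    192.168.10.0/24 [120/1] via 172.16.1.1, 00:00:12, Ethernet1
R    192.168.20.0/24 [120/1] via 10.0.2.71, 00:00:03, Ethernet0
S    192.168.99.0/24 [1/0] via 10.0.2.71
S*   0.0.0.0/0 [1/0] via 10.0.2.1
"""

# Hypothetical baselines: the static routes the configuration is supposed to
# carry, and the only neighbour that should be sending RIP updates.
KNOWN_STATIC = {("0.0.0.0/0", "10.0.2.1")}
RIP_NEIGHBORS = {"172.16.1.1"}

_ROUTE = re.compile(r"^(?P<code>[A-Za-z]{1,2}\*?)\s+(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s+(?P<rest>.*)$")
_VIA = re.compile(r"\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<nh>\d+\.\d+\.\d+\.\d+)")

def parse_routes(text: str) -> List[dict]:
    """One dict per route line. The legend, gateway line and prompt do not
    match the route pattern and are skipped."""
    routes = []
    for line in text.splitlines():
        m = _ROUTE.match(line)
        if not m:
            continue
        rest = m["rest"]
        via = _VIA.search(rest)
        routes.append({
            "code": m["code"].rstrip("*"),    # "S*" is still a static route
            "default": m["code"].endswith("*"),  # candidate default route
            "prefix": m["prefix"],
            "next_hop": via["nh"] if via else None,
            "interface": rest.rsplit(",", 1)[-1].strip() if "," in rest else None,
        })
    return routes

def route_findings(routes: List[dict], known_static: Set[Tuple[str, str]],
                   rip_neighbors: Set[str]) -> List[Tuple[str, str]]:
    """(prefix, reason) pairs in table order."""
    findings = []
    for r in routes:
        if r["code"] == "S" and (r["prefix"], r["next_hop"]) not in known_static:
            findings.append((r["prefix"],
                             f"unfamiliar static route via {r['next_hop']}: compare running and startup config"))
        if r["code"] == "R" and r["next_hop"] not in rip_neighbors:
            findings.append((r["prefix"],
                             f"RIP route learned from unexpected neighbour {r['next_hop']}"))
    return findings

if __name__ == "__main__":
    for prefix, why in route_findings(parse_routes(SHOW_IP_ROUTE), KNOWN_STATIC, RIP_NEIGHBORS):
        print(f"{prefix}: {why}")
```

The static-route check is the one the text ties to direct compromise; the RIP check is the one an ACL on update sources would prevent, so a hit there is also a measure of whether such an ACL is in place.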
The information that is on the router is related to network topology and access control. Typical information that attackers glean from routers includes password, routing, and topology information. The recovery from this data theft is to change passwords, avoid password reuse, and limit the ability of attackers to obtain sensitive information.
If the router is not working at all, it is probably a destruction attack. Check the obvious problems first: power, cables, and configuration. Is the router sporadically rebooting, or is performance uniformly degraded? A sporadically rebooting router is probably the result of a point-to-point attack, one directed at the router. Uniformly degraded performance may be either a resource or bandwidth-consumption attack. A flood of packets directed to the router can also cause degradation.
- Eliminate listening services.
- Upgrade software to the latest version.
- Restrict access to listening services using ACLs.
- Implement ACLs to limit malicious traffic.