Part II: I Am Enabled-- Hacking the Box

Chapter 4: Profiling and Enumerating Cisco Networks

Chapter 5: Enumerating and Fingerprinting Cisco Devices

Chapter 6: Getting In from the OutsideDead Easy

Chapter 7: Hacking Cisco DevicesThe Intermediate Path

Chapter 8: Cisco IOS ExploitationThe Proper Way

Chapter 9: Cracking Secret Keys, Social Engineering, and Malicious Physical Access

Chapter 10: Exploiting and Preserving Access

Chapter 11: Denial of Service Attacks Against Cisco Devices

Mike, a young bloke with a mediocre level of IT understanding, a huge desire to become an "elite hacker," and an ego larger than the Empire State Building, was looking for some targets on which to practice his "incredible 31337 skills." He was extremely desperate to find some easy targets, as all of his IRC mates had been bragging and spreading their successful hacking and defacement stories on a daily basis. Mike's mind had been clouded by doubt lately, as he asked himself, "Am I a 31337 haxor or not?" He knew that to prove himself, he needed to find and crack into a good network or a server and show some evidence on his favorite IRC channel. A routine procedure of nmapping thousands of random networks from his Windows XP Home Edition box had failed to show the evidence of an unprotected network that could be exploited and taken over easily. Reading thousands and thousands of lines of nmap-generated log files had been taking way too long without providing any useful outcome.

On a rainy evening, he fired up the mIRC client, logged into his usual #31337Hax0r channel on Dalnet (OKwe just made this up, but you get an idea), and was waiting for yet another story of successful defacement of an unprotected server located in the dark depths of the Internet, as he noticed an interesting conversation between his mate 1337-syn and Cyb3rP1ng. 1337-syn was asking questions about a broadband Cisco router that he found on the Internet. The device belonged to a SomeTinyCompany Ltd. and had used a default password: cisco. 1337-syn spent an hour browsing the Telnet commands and reading help on the Cisco routers' IOS syntax. Cyb3rP1ng, a system administrator of a local IT firm who was more experienced with networking equipment and had a higher level of general IT knowledge, said that he heard a lot about Cisco devices with management interfaces open to the outside and also mentioned that a lot of them have default settings that can be easily abused. "This is it; this is exactly what I need!" exclaimed Mike to himself. He needed to find and take over those poor hosts to prove that he was the best.

Fortunately, Mike was a big fan of the Google search engine and in his spare time played with it a lot, trying to find various tools and exploits for his cool collection. He had also been aware of the great power of Google to find and cache various documents that people leave on their web sites without thinking. He even knew the proper term for this kind of people: googledorks . Searching for Cisco Systems and IOS gave him way too many results to do anything useful, however. He saw presentations from some guy called "FX" that were way above his head. He also saw some talk about strange Black Hat events and a hole in Cisco IOS IPv6 implementation; however, Mike had very little idea what this mysterious IPv6 was.

Narrowing down the search criteria had provided a good page that had a security assessment report of some Bangladeshi network (geography was one of his favorite subjects, so he knew where that place was). Mike was so surprised to find information of such high sensitivity that he tried to change the search pattern to find out if he could get more similar reports that he could use for the future. After all, he thought, why not let others do all the work for him? Couldn't he install Nessus (his mates on IRC were talking about it a lot every day) on his Windows XP? Not a problem! At least, not anymore. At the end of the day, entering filetype:pdf "Assessment Report" nessus into the Google search bar had brought him a list of security assessment reports generated by this infamous open source vulnerability scanner.

He spent a night skimming through several dozens of them and found a recent network audit scan that indicated a Cisco-made gateway router of SomeLargeCorp, Inc., that wasn't updated for years and had both Telnet and web management services open to the outside world. The report indicated that there was a serious unpatched security hole in the router's web server. This was exactly what Mike had been hoping to find. Perhaps the network administrator had simply ignored that part of the report. Or maybe the router was installed by an external company ages ago and the administrator didn't know how to update or reconfigure it. Or perhaps the network administrator thought that no one would be interested in getting into the old router on the network perimeter and had other, more urgent business to attend to. Now there was at least one person capable of disproving the last speculation.

Mike's determination and excitement led him to spend the whole day researching and reading about Cisco routers and the commands they use. He had learned enough to feel a bit more comfortable with those systems. After all, he didn't want to spend all of his time trying to crack shares on old Windows 98 boxes similar to the one used by his grandfather for looking at fishing web sites. Instead, he wanted to experience and find something big that he could play with, something like a large company with virtual networks spread all over the world; he had found just the right one.

Browsing http://www.securityfocus.com, he came across an article describing how to exploit Cisco routers via the vulnerability stated in the Nessus report, "The Cisco IOS HTTP Configuration Arbitrary Administrative Access Vulnerability" ( http://www.securityfocus.com/bid/2936 ). Luck had been on Mike's side all day long. A system administrator didn't bother upgrading the router or shutting down its web interface. Mike could use one of the ready-made exploits for this hole, published at http://www.securityfocus.com/bid/2936/exploit , but he didn't have any Perl interpreter or C compiler installed on his PC and bitterly regretted it. Thus, he had to attack the router manually, by entering a URL like http://www.<router.address>/level/<number>/ exec /show/config and changing the number in the URL starting from 16 and going up to 99. It didn't take a very long time to guess the right number, and the router configuration file appeared in Mike's Internet Explorer window. The lucky day was not over! The enable password of the router was "encrypted" with a weak Vigenere cipher. Mike knew what to do and grabbed a copy of GetPass from http://www.download. boson .com/ utils /bos_pass.exe . Then he copied and pasted the password from the router configuration file into it and immediately received the decrypted answer.

After a few hours of playing around, Mike was still staring at both the Telnet prompt and web interface of the hacked Cisco 2500 series router that acted as a backup gateway. A drop of sweat had landed on the keyboard, as he smiled at the screen for a few moments, still reluctant to believe his achievement. A wide range of hacking opportunities opened to him; he was looking at a Cisco router located thousands of miles away.