Introduction

THE PECULIARITIES AND HARDSHIPS OF CISCO- RELATED ATTACKS AND DEFENSES

Some hackers (in a loose meaning of this battered term ) try to understand everything about the internal workings of a system or protocol they have targeted , and only then do they begin the exploitation. Others try to break it using all means at their disposal and learn about the system in the process of breaking it. The methodologies we describe in this book can appeal to the followers of both paths. At the end of the day, it is the results that count, and an approach that works best for the attacker would be embraced by him or her as true. In our specific case, the result is usually called enable .

An attacker who goes after Cisco networking devices can be a CCIE Security consultant, performing a legitimate security audit. He can be a renegade system programmer, armed with disassembly tools and searching for great fame or equally great stealth. She might be an experienced network engineer with an arsenal of powerful sniffing and custom packet generating utilities and a craving for the takeover of the whole network via an unknown glitch in a proprietary protocol design. Or, perhaps a novice hacker has just discovered what really runs the modern Internet and wants to experiment with these mysterious and powerful hosts . As the person responsible for the security of a network, you have to be ready to cope with all types of attackers and everything they can throw at the target. As a security auditor , you have to be capable of emulating all kinds of attackers , understanding their mentality , approaches, methods , and techniques. Only by starting the audit while behaving like the lowest denominator of cracker, and ending it acting like a highly professional Black Hat, can a penetration tester do a proper external or internal risk assessment of the audited network.

This is not easy. First of all, everything related to Cisco systems and protocols hacking is only beginning to emerge from the shadows. You won't find a lot of comprehensive information about this online, and this book is the world's first printed literature source entirely devoted to this issue. Another difficulty you (and the attackers) will inevitably encounter is the great variety of Cisco devices and versions of the operating systems that they runrouters, switches, firewalls, VPN concentrators , IDS sensors, wireless access points, and so on. They run various versions of IOS, CatOS, PIX OS, and even general purpose operating systems such as Solaris and Linux. To make things more difficult, many OS versions are specifically bound to the hardware they run on for efficiency and optimization reasons. This is particularly important for a highly skilled attacker trying to write a shellcode for his exploit.

When Next Generation (NG) IOS appears and good old CatOS eventually dies out, truly cross-platform exploits for Cisco routers and switches may become possible. For now, an exploit will work against a specific platform only, and a hacker would need to spare some time and effort to find offset addresses for different IOS versions running on that particular platform. It should be noted that network administrators in general seem to be somewhat conservative and not truly eager to update the operating systems of their routers and switches. We have encountered many cases of IOS 11.X and CatOS 4.X still running on the audited hosts. Thus, older IOS and CatOS versions are here to stay for quite a while, even after the much talked about IOS NG is released.

On the defenders' side, the differences between the system versions mean that some countermeasures will be available on the systems you control, and some won't. Moreover, the same safeguard could be configured on distinct system versions using different commands or variations of the same command. This makes the device and the overall network defense a rather complicated task. A lot of material, mostly from Cisco itself, has been released on the subject of securing Cisco devices and whole networks, but blindly typing the commands mentioned in the manual does not help the administrator to understand the full impact or implications of the attack these commands may prevent. Thus, the incentive to spend time on thoroughly configuring existing security features and patching the known flaws may run very low. What is needed is an all-around Cisco security resource, providing a professional description and systematic balanced approach to both attack and defense. We have strived to adhere to this requirement as much as possible and hope that this book will meet at least some of your expectations.

We have also tried to dispel common mythology surrounding the peculiarities of Cisco device and network security and halting the development of this important information security field. The harmful myths currently circulating within the world security community, from corporate security managers to lowly script kiddies, are many and include the following:

• Cisco routers, switches, PIX firewalls, and so on are secure by default and can't really be broken into, unless they are badly misconfigured.

• To the contrary, Cisco routers are very easy to break into (this opinion is common among the "Telnet password and SNMP community guessing crowd ," a part of the "hooded yob" populating so-called " underground channels").

• Running the IOS privileged EXEC mode auto secure no-interact command will automatically sort out all your security headaches , even if you don't know much about router security.

• The cracking underground is not really familiar with Cisco network appliances and rarely selects them as targets.

• There is little the intruders can do with a taken over Cisco router and nothing they can do with an "owned" Catalyst switch. At worst, they will erase both Flash and NVRAM.

• An intruder cannot preserve his access to an owned Cisco router or other device without leaving telltale signs in its configuration file.

• Data link layer attacks are for weirdoes. You can do the same things with ARP spoofing, right?

• Crackers can bring down the whole Internet via a BGP-based attack, and it is easy to do.

• To the contrary, BGP is completely secure and unbreakable . Proprietary routing protocols are also very secure, since their full specifications are not known to attackers.

• Buffer overflow attacks against IOS are impractical and too difficult to execute. Writing exploits against this system is an extreme form of rocket science, known only to the few remaining Illuminati.

• Patching the IOS binary image to inject malicious code is also next to impossible . Such an image won't be accepted by the router or won't function properly.

• Attacking another router from (not through!) a hacked router? That's impossible! Cisco cross-platform worm? You must be joking!

Whether you prefer to gain power through understanding or understanding through power, we hope that the contents of this book will convince you that these statements are, to put it politely, rather economical with the truth, which often lies somewhere in the middle.