ALL THE POWER OF HACKING EXPOSED AND MORE

This tome is written in the best tradition of the Hacking Exposed series. However, we've included a few differences, such as the way risk ratings are handled.

The topic of Cisco- related hacking isn't exactly the most researched topic. Many potential security threats and attack algorithms described here are little-known or new and were discovered during the process of writing this book. To do this, we assembled a tiny testing and research Cisco network, consisting of three 2500 and two 2600 series routers, Catalyst 2950 and 5000 series switches, PIX 515E and PIX 501 firewalls, a 3000 series VPN concentrator, and an Aironet 1200 wireless access point. We have also employed a couple of Gentoo and Debian Linux machines running Quagga and various attack and network monitoring/analysis tools mentioned through the book. A maximum effort was made to test all the presented methods and techniques on this network. In addition, some of the published data, of course, is based on our hands-on experience as penetration testers, network security administrators, and architects .

Also, when working on the book, we discovered that the current arsenal of open source Cisco security auditing tools is rather limited. So we had to write some new tools and scripts to close such gaps and make the theoretical practical (an old L0pht motto, for those who don't remember). They are available under the GPL license at the book's companion web site, http://www.hackingexposedcisco.com , to anyone interested. The time for the entire project was restricted, and it was not possible to complete everything that was initially planned. Thus, some of the code had to join the TODO list queue and will hopefully be finished by the time this book hits the shelves , or soon afterward. So, do visit the site for the updates, including new security tools and research observations.

Easy to Navigate

A standard tested and tried Hacking Exposed format is used through this book:

This is an attack icon.

Attack

This icon identifies specific penetration testing techniques and tools. The icon is followed by the technique or attack name and a traditional Hacking Exposed risk rating table: Popularity: The frequency with which we estimate the attack takes place in the wild. Directly correlates with the Simplicity field. 1 is the most rare, 10 is used a lot, N/A is not applicable (the issue was been discovered in a testing lab when writing this book). Simplicity: The degree of skill necessary to execute the attack. 10 is using a widespread point-and-click tool or an equivalent, 1 is writing a new exploit yourself. The values around 5 are likely to indicate a difficult-to-use available command line tool that requires knowledge of the target system or protocol by the attacker. Impact: The potential damage caused by successful attack execution. Usually varies from 1 to 10; however, this particular book does have a few exemptions to this rule. 1 is disclosing some trivial information about the device or network, 10 is getting enable on the box or being able to redirect, sniff and modify network traffic. Risk Rating: This value is obtained by averaging the three previous values. In a few cases, where the Popularity value equals N/A, only the Simplicity and Impact numbers are averaged.

So, what are the exceptionally high Impact values supplied in some specific cases in Chapters 10 and 14? Imagine an attack that may lead to thousands of networks being compromised or large segments of the Internet losing connectivity or having their traffic redirected by crackers. It is clear that the impact of such an attack would be much higher than gaining enable on a single host or redirecting and intercepting network traffic on a small LAN. At the same time, attacks of such scale are neither common nor easy to execute without having a significant level of skill and knowledge. Thus, their Popularity and Simplicity values would be quite low, and even if the Impact value equals 10, the overall Risk Rating is going to be lower, as compared to easier to execute attacks that do not present a fraction of the threat. This does not represent a real-world situation, and a logical solution to rectify this problem is to inflate the underrated Impact field value, so that the overall Risk Rating is at the maximum or, at least, close to it.

We have also use these visually enhanced icons to highlight specific details and suggestions, where we deem it necessary:

This is a countermeasure icon.

Countermeasure

Where appropriate, we have tried to provide different types of attack countermeasures for different Cisco platforms, not just the IOS routers. Such countermeasures can be full (upgrading the vulnerable software or using a more secure network protocol) or temporary (reconfiguring the device to shut down the vulnerable service, option, or protocol). We always recommend that you follow the full countermeasure solution; however, we do recognize that due to hardware restrictions, this may not be possible every time. In such a situation, both temporary and incomplete countermeasures are better than nothing. An incomplete countermeasure is a safeguard that only slows down the attacker and can be bypassedfor example, a standard access list can be bypassed via IP spoofing, man-in-the-middle, and session hijacking attacks. In the book, we always state whether the countermeasure is incomplete and can be circumvented by crackers.