A traditional Hacking Exposed series book usually contains a section dealing with why attackers want to root your network. This book is no exception, except that root is replaced by enable, the equivalent of the UNIX superuser on Cisco routers and switches.
The information in this section is extremely important for you to understand. Unfortunately, many system administrators do not consider routers and switches to be interesting targets for crackers and overlook their security, concentrating instead on servers and databases. Breaking away from this norm would be a vital improvement in safeguarding a currently undefended network and an important victory for White Hats worldwide. Of course, proper server, database, and even user desktop security is essential. However, if a cracker takes over your routers and switches, your whole network will soon fall into his hands, including all deployed servers and database and data storage hosts.
Following are some of the motives for a malicious hacker's attacks against servers and user desktops:
Hiding attack tracks to clear the path for future attacks
Stealing CPU cycles for password cracking
Stealing hard-drive space
Stealing stored data
Plain old vandalizing
So-called "hacktivism": attacks with political, religious, ethical, or other similar motives
Immature "0wn3d hostz" and "1337 skillz" online bragging rights
Of these motives, only stealing CPU cycles and hard-drive space (both rather limited on Cisco routers and switches as compared to modern servers and desktops) hardly applies, or does not apply at all (whichever you prefer), to Cisco devices in particular, but we never say never, because a switch/router Flash or even Non-volatile Random Access Memory (NVRAM) can be an original place for hiding data. On the other hand, there are additional reasons specific to hacking routers, switches, and other specialized networking appliances that do not apply to server and end-user hosts. A motive behind many of these hacks is simply megalomania, the attacker's delusions of grandeur.
The growing malicious ambitions of an individual can be traced in answers to a few simple questions:
Why own a host when you can take over a subnet?
Why take over a subnet if you can have the whole network?
Why own just one network if you can control an Autonomous System (AS)?
Bored of a single AS with thousands of hosts? How about taking on a Border Gateway Protocol (BGP) confederation?
The fastest and most efficient way of accomplishing these ambitions is by hacking into a router or a few routers on the network of interest. In particular, this applies to perimeter and gateway routers, core and "hub" (quotation marks here to avoid confusion with hubs as Layer 1 devices) routers, and routers with a special role in the routing domain: BGP route reflectors and border routers, designated Open Shortest Path First (OSPF) routers, and so on. This is why understanding the network topologies and design layers described in Chapter 1 and properly mapping the networks are essential for crackers as well as network guardians. Knowing the terrain allows the attacker to prioritize the list of targets and spend more time and effort going after the most significant routers first. In some cases, a more "casual" router or switch can be reconfigured to gain additional significance; for example, it can be set to win the next OSPF designated router or Spanning Tree Protocol (STP) root bridge election.
Once you own a router (or a few of them), the network is yours. Period. Who controls traffic flows also controls the network. Hacking routers is not harmless fun that allows you to pingflood those who disagree with you on Internet Relay Chat (IRC), as some beginners in #1337 chat rooms may think. When you get enabled on a router, you are inside the targeted network and can do any of the following:
Completely map the internal network, both passively (Address Resolution Protocol [ARP] table, routing tables, traffic sniffing) and actively (Telnet, Secure Shell [SSH], forwarding portscans to the network).
Forward any type of traffic to the hosts on the attacked network from the hosts you control.
Sniff and modify all or specified traffic passing through the router. Mirroring traffic from the owned router to your host or plainly rerouting this traffic through your host comes in very handy.
Force the traffic that doesn't usually go through the router to pass through it.
Establish an encrypted backchannel to the hacked network.
Attack other networks from or through the owned router.
Inject Voice over Internet Protocol (VoIP) traffic for free phone calls and alter call forwarding (VoIP gateways and gatekeepers only).
Cause all types of hard-to-troubleshoot connectivity problems; reshaping AS traffic forwarding via BGP manipulations is particularly evil and can be used as a form of an advanced distributed denial-of-service (DDoS) attack, and artificial routing loops are no fun either.
All of these and probably more can be done using show and debug IOS commands, access lists, routing metrics and administrative distance (AD) manipulation, policy routing, and a few other techniques. All these methods are described further in this book after we are done describing the how-tos of owning the device, so stay tuned!
Keep in mind that here the term router refers to any Layer 3 device, including Cisco Catalyst switches with Route Switch Module (RSM) and Multilayer Switch Feature Card (MSFC) modules installed. So what can an attacker gain from taking over a Layer 2 device, such as a Catalyst switch without any routing capability? Apparently, quite a lot:
Map the internal network, both passively and actively.
Sniff network traffic that passes through all or specified switch ports using the wonderful Cisco Catalyst Switch Port Analyzer (SPAN) feature.
Abuse 802.1d and 802.1q protocols to sniff the switched network and force the traffic that doesn't usually go through the switch to pass through it.
Bypass virtual LAN (VLAN) separation ("jumping VLANs") and disable that annoying MAC address filtering.
Cut off the ports with connected undesirable hosts (intrusion detection system [IDS] sensors and monitoring stations, the system administrator's workstation).
Access other network devices via Telnet or Secure Shell (SSH) (check out http://www.cisco.com/warp/public/707/ssh_cat_switches.html to see which CatOS versions and switch platforms support SSH).
Cause all kinds of hard-to-troubleshoot connectivity problems by abusing the data link layer (disabling the STP after locking down the switch to cause Layer 2 loops is particularly evil).
The very existence of an externally hackable Catalyst switch exposed to the Internet (unless it's an ISP switch) is a ridiculous concept. Nevertheless, in our practice, we have seen many such cases (and they never cease to amuse us). Besides, an attacker can be internal (a disgruntled employee or social engineer) or can come through an improperly defended and positioned wireless LAN (WLAN).
How about other Cisco networking devices? Of course, the effect of taking them over will strictly depend on the device specialization. Break-ins into Private Internet Exchange (PIX) firewalls don't happen that frequently and are usually due to human error and negligence. Frankly, system administrators who leave PIX firewalls with easy-to-guess passwords and Simple Network Management Protocol (SNMP) communities should not be allowed to touch these devices, but we don't live in such a perfect world. The majority of statements that apply to owning a gateway router apply to the hacked PIX firewalls, and you can add the effect of the false sense of security into the concoction. (After all, a firewall is there to "stop all hackers cold," and the firewall itself cannot be a source of an attack, right?)
The same applies to the IDS sensors and monitoring consoles. If these are taken over, brought down, or isolated from the rest of the network, the chances of prosecuting the attacker legally are slim. ("Dude, where are my IDS logs?") A holy grail of any cracker is taking over a virtual private network (VPN) concentrator to gain access to data confidential enough to prompt somewhat costly and resource/effort-consuming deployment of a Cisco VPN. (That said, we have never encountered a hackable Cisco 3000 VPN concentrator device in our penetration testing practice. Nevertheless, we can recall a case when a Cisco 2600 series router, reinforced with a VPN accelerator card and used as a VPN concentrator [IPSec, 3DES, HMAC-MD5], was penetrated, and a shared key for the whole VPN was retrieved and cracked. You can imagine the impact of such an attack, should it be carried out by a malicious individual in the real world.)
Another highly praised group of cracker targets is Cisco Access Servers, such as the AS5200, AS5300, AS5400, and AS5800. Hacking into them hands the attacker control over multiple Plain Old Telephone Service (POTS) lines, the unlucky users dialing through them, and a few fat pipes (often Integrated Services Digital Network Primary Rate Interface [ISDN PRI]). Access server attacks are fascinating per se, since they can lay a bridge between hacking and its historical ancestor, phreaking.
One (condition-dependent) possibility provided by breaking into an access server is to pour in illicit Voice over Internet Protocol (VoIP) traffic for free phone call forwarding. The time of these "free" calls can then be sold to someone else and cause a significant financial loss for the access server owner. This kind of attack is highly attractive for financially motivated Black Hats and organized crime groups who may have an agreement with a rogue ISP persuaded (possibly via kickbacks) to forward the traffic to the hacked access server and pretend they did not know it was hacked, should a police investigation take place.
A less threatening scenario is when someone disables accounting/billing on the access server for her and her friends' accounts to gain free dial-in. And wouldn't it also be fun for an attacker to dial her bosses' home telephone numbers automatically and at random intervals from different lines on such a server? How about dialing and constantly engaging a boss's home, mobile, and office numbers? When a power-hungry script kiddie breaks into an access server, many cases of plain-old vandalism can occur, such as constantly knocking dozens of dial-in users offline. Ever been randomly disconnected by your ISP?
A common and threatening case of a megalomaniac's attack is a massive denial-of-service/distributed denial-of-service (DoS/DDoS) attack. If an attacker can take over a core network layer device, the attack is likely to succeed; a single router or switch on a fat OC-12 Synchronous Optical Network (SONET) pipe is worth hundreds of owned Digital Subscriber Line (DSL) hosts, bandwidth-wise. Of course, finding and taking over such an appliance may not be an easy task (but neither is breaking into hundreds of machines on a DSL network). However, discovering enough vulnerable routers with single or multiple T1 lines is not that difficult, and a few dozen of these pounding a target server with junk traffic do present a very serious threat.
As to the type of traffic a Cisco router can flood with, simply check the functionality of an extended Cisco ping (a ping command available only to the enabled user unless configured otherwise). In some cases, it is possible to reroute the traffic normally going through the router to flood the target network. When this occurs, both the attacked and the attacker's network will suffer from connectivity problems, the latter due to the routing misconfiguration. More detailed information on using hacked routers and switches for launching DoS/DDoS attacks is presented in Chapter 10, while Chapter 11 discusses advanced countermeasures against such attacks that can be implemented using Cisco devices.
Of course, crackers may succeed in taking over a Cisco router, switch, or other network appliance for other reasons, such as the following:
To exploit the negligence of network administrators who leave their Cisco networking devices unprotected, not updated, and unmonitored
Because of difficulties in performing forensics and proper incident response when such appliances are hacked into
Due to the ease of hiding tracks using separate routers and router chain hopping
To realize the logical challenge of finding and exploiting vulnerabilities in Cisco operating systems on targeted platforms
Since these reasons belong more to the realm of technical and administrative Cisco security peculiarities than to the list of attacker motivations, they are reviewed in the next section of this chapter, which is devoted to the hacker's view on the security and exploitation of real-life Cisco devices and networks.