ACTIVE ENUMERATION AND FINGERPRINTING OF CISCO DEVICES

Unless you have managed to capture CDP traffic, actively fingerprining the audited hosts is the next step to be performed and the last step in our enumeration and finger-printing attack stage. And even if you have gotten CDP frames dumped and analyzed , it is a good idea to check whether CDP provides full information about the device, using active scanning techniques (unless you are very concerned about stealth). A multitude of portscanners and OS fingerprinting tools are available to the hacking underground . The majority of them are based upon Fyodor's Nmap and Fyodor's/Ofir's Xprobe (note we are talking about two different Fyodor's here!). Many are not actively and regularly up-dated and would not have fingerprints of the current IOS, CatOS, and PIX OS versions, as well as more exotic specialized embedded Cisco operating systems, in the tool data-base. Thus, for this chapter, we are going to stick to Nmap and Xprobe versions 1 and 2. We will also review two different device configurationsdefault and with unnecessary ports closed. In the wild, you can encounter both cases as well as many configurations fitting somewhere between them. Rules of active host enumeration and fingerprinting were discussed in the "Loot and Pillage" chapter of our book Wi-Foo: The Secrets of Wire-less Hacking (Addison-Wesley, 2004). One rule states that reliable fingerprinting should be performed using several tools not derived from each other; here we use two. A deriva-tion from this rule is that it makes sense to run the same scan a few times to be sure that the output is correctin particular, when User Datagram Protocol (UDP) scans are run. As a hacker, you would not want to do this, since it is easy to spot. But we are the legiti-mate penetration testers, right?

In a physics, chemistry , or biology lab, an experiment must be repeated at least three times to produce statistically significant results. The representative scans in this section were selected from among many logged scans and are the most typical. Even more, in the case when the amount of hops between scanning and scanned hosts influences the output of the scan, the comparative scanning results are provided for your reference. You would be surprised how the precision of both finding open ports and fingerprinting the OS can be influenced by the hop distance from the audited host.

Another ruleor better to say, recommendation is to progress from NULL TCP scans (perhaps run Nmap in the "polite" mode) to FIN, then XMAS (with all TCP flags set), then SYN, and thenand only thenfull connect scanning and banner grabbing . At least theoretically, NULL TCP scans are the least detectable. For example, good old Linux ipchains do not have options to write NULL scan detection rules. FIN and especially XMAS scans look odd and are easier to detect. [Stealthy] half-connect SYN scans are now detected by anything and full-connect scans can be seen in syslog output when no spe-cific firewalling or intrusion detection system (IDS) tools are in use. So if a NULL scan detects interesting open ports, an attacker can proceed to grabbing the banner of the service he or she perceives as potentially vulnerable without triggering many alarms. However, this recommendation is very general. Would it apply to various Cisco net-working devices? It is well known that various versions of Microsoft Windows are not exactly standards-compliant and thus do not provide any useful output when respond-ing to NULL, FIN, and XMAS scans. Would it be a similar case with Cisco hosts? There is only one way to find out.

Active Enumeration and Fingerprinting of Cisco Routers

Attack 

Popularity:

10

Simplicity:

6

Impact:

9

Risk Rating:

8

Since many system administrators are reluctant to upgrade their routers ("if it does the job, don't touch it") and scores of old routers with obsolete IOS versions reside on the Internet, our first target is a Cisco 2503 with a rather ancient "code train." NULL, FIN, and XMAS Nmap scans turned out to be useless when run against such machinehere's an example:

 arhontus#nmap -sF -vvv 192.168.30.50 -O      The FIN Scan took 23.37s to scan 1663 total ports.      Warning: OS detection will be MUCH less reliable because we did not find at           least 1 open and 1 closed TCP port      Host 192.168.30.50 appears to be up ... good.      All 1663 scanned ports on 192.168.30.50 are: closed      Too many fingerprints match this host to give specific OS details 

The same applies to both Window and ACK scans, often used to evaluate various firewalls/filtering rules. Thus, we proceed further with a half-connect scan and then verify its results with a full connect:

 arhontus#nmap -sT -vvv 192.168.30.50 -O      Interesting ports on 192.168.30.50:      (The 1654 ports scanned but not shown below are in state: closed)      PORT   STATE SERVICE      7/tcp  open  echo      9/tcp  open  discard      13/tcp open  daytime       19/tcp open  chargen      23/tcp open  telnet      57/tcp open  priv-term      79/tcp open  finger      2001/tcp open dc      6001/tcp open X11:1      Device type: router      Running: Cisco IOS 10.X11.X      OS details: Cisco 2501/2504/4500 router with IOS Version 10.3(15) - 11.1(20)      TCP Sequence Prediction: Class=random positive increments                                Difficulty=404 (Medium)      TCP ISN Seq. Numbers: 8E6CB417 8E6E66C1 8E701890 8E71CE9F 8E7383A0 8E753868      IPID Sequence Generation: All zeros 

Next, we omitted the SYN scan output since it was similar to the full-connect scan results and skipped the OS fingerprint details to save space. The scans correctly deter -mined the device type and the IOS version range. However, the actual router model was not found, even though it was a close shot:

 cisco2503#show version      Cisco Internetwork Operating System Software      IOS (tm) 3000 Software (IGS-I-L), Version 11.0(8), RELEASE SOFTWARE (fc1)      Copyright (c) 1986-1996 by cisco Systems, Inc.      Compiled Sat 27-Apr-96 01:23 by vprasad      Image text-base: 0x0301DE2C, data-base: 0x00001000 

Note the "Medium" difficulty of TCP packets sequence prediction and "All zeros" in the IP Identification number (IPID) sequence generation. The latter is actually beneficial in terms of securityit shows that this router cannot be abused by so-called idle or "zom-bie" scans that are sometimes used by attackers to conceal their IP addresses when portscanning. Of course, in this example, we scan only for the default (for Nmap) range of ports. Checking the full range from port 0 to port 65535 would surely take some time, but it is absolutely necessary when proper penetration testing is performed. When run-ning Nmap against one of our Cisco 2503 with -p0-65535 options, we uncovered two unknown services running on ports 4001 and 6001. While poking at them with other tools, such as THC-Amap, and feeding custom output using Hobbit's Netcat to find out what these services could be is surely interesting, it goes beyond the aims of this chapter and is omitted.

The next step is to grab the banners of services discovered . Again, a great variety of banner grabbing and service investigation tools can be used, including the already men-tioned Amap, Vmap, Arb-scan, Banshee, BanCh.pl, grabbb, mothra, and so on. In fact, the recent versions of Nmap are quite good at performing this task using -sV , or even better, the -A switch.

To illustrate banner grabbing of Cisco hosts in a "standardized" way, we are going to use the Nmap -A scan. (Note: do not forget to set a sufficient level of verbosity for ex-ample, -vvv when running it!) The results of such a scan run against our Cisco 2503 did not provide us with any information we did not know already after completing the full-connect TCP scan for the whole 16-bit ports range.

How about UDP ports? Both default and full-port range scans have demonstrated the same result, as represented here:

 arhontus#nmap -sU -vvv 192.168.30.50 -O -p0-65535      Interesting ports on 192.168.30.50:      (The 1473 ports scanned but not shown below are in state: closed)      PORT STATE SERVICE      7/udp open echo      9/udp openfiltered discard      19/udp open chargen      67/udp openfiltered dhcpserver      161/udp openfiltered snmp      Too many fingerprints match this host to give specific OS details 

Despite the fact that some ports are shown as openfiltered in the scan output, all ports listed are open. While port 161 is open because we have enabled SNMP on purpose, the rest of the UDP ports shown are open by default. The scan was unable to fingerprint the OS version and device type correctly. Taking it a bit forward, when using other Cisco devices evaluated, UDP scanning was just as useless in defining both OS version and device type.

An interesting fact is that the show ip sockets command, which is supposed to provide complete information about ports open on a router, in reality shows only the UDP ports, and not all of them:

 cisco2503#show ip sockets      Proto Remote Port Local Port In Out Stat TTY         17 --listen-- --any-- 67 0 0 1 0         17 192.168.77.5 45481 192.168.30.50 161 0 0 1 0 

Thus, we recommend that you do not rely on this command when checking both TCP and UDP open ports on your routers and portscan them several times to verify show ip sockets output.

Since many of the network attacks we describe in this book are based on a running insecure protocol rather than the presence of a vulnerable service on a host, the Nmap supported protocols scan ( -sO ) is crucial. Cisco 2503 responded to protocol scans rea-sonably well, even when the scanning machine was positioned a few hops away:

 arhontus#nmap -sO -vvvv 192.168.30.50 -O      Interesting protocols on 192.168.30.50:      (The 242 protocols scanned but not shown below are in state: closed)      PROTOCOL STATE SERVICE      1 openfiltered icmp      4 openfiltered ip      6 openfiltered tcp      8 openfiltered egp       9 openfiltered igp      17 openfiltered udp      47 openfiltered gre      53 openfiltered swipe      54 openfiltered narp      55 openfiltered mobile      77 openfiltered sun-nd      88 openfiltered eigrp      89 openfiltered ospfigp      94 openfiltered ipip      Too many fingerprints match this host to give specific OS details 

Just as in the case with UDP scanning, the output provided by the supported protocols scan is not sufficient to determine the running OS and device type.

Finally, we need to reinforce our OS fingerprinting results using Xprobe. The first version of the tool is rather simple, relies on ICMP and UDP data to determine the target OS, and hasn't been updated. Nevertheless, it is still worth trying:

 arhontus# ./xprobe -v -p 31337 -i eth1 192.168.30.50      X probe ver. 0.0.2      ------------------      Interface: eth1/192.168.66.101      LOG: Target: 192.168.30.50      LOG: Netmask: 255.255.255.255      LOG: probing: 192.168.30.50      LOG: [send]-> UDP to 192.168.30.50:31337      LOG: [98 bytes] sent, waiting for response.      TREE: IP total length field value is <20 bytes from the original      TREE: *** OpenBSD 2.6-2.9, Apollo Domain/OS SR 10.4 NFR IDS Appliance      TREE: *** Extreme Networks switch Network Systems Router NS6114 (NSC 6600 Series)      TREE: *** Cabletron Systems SSR 8000 Systems Software Version 3.1 B16      FINAL:[NFR IDS Appliance] 

Unfortunately, Xprobe v1 was not able to define the OS run by the router. However, Xprobe v2 performed reasonably well in all four types of the scan when supplied by one of the following options:

 open TCP port        arhontus#xprobe2 -v -c /etc/xprobe2.conf -p tcp:23:open 192.168.30.50        [+] Host 192.168.30.50 Running OS: "Cisco IOS 11.2" (Guess probability: 65%)        [+] Other guesses:        [+] Host 192.168.30.50 Running OS: "Cisco IOS 11.1" (Guess probability: 65%)        [+] Host 192.168.30.50 Running OS: "Cisco IOS 12.2" (Guess probability: 59%)        [+] Host 192.168.30.50 Running OS: "Cisco IOS 12.0" (Guess probability: 59%)        [+] Host 192.168.30.50 Running OS: "Cisco IOS 11.3" (Guess probability: 59%)        [+] Host 192.168.30.50 Running OS: "AIX 4.3.3" (Guess probability: 50%)        closed TCP port        arhontus#xprobe2 -v -c /etc/xprobe2.conf -p tcp:6667:closed 192.168.30.50        [+] Host 192.168.30.50 Running OS: "Cisco IOS 11.2" (Guess probability: 67%)        [+] Other guesses:        [+] Host 192.168.30.50 Running OS: "Cisco IOS 11.1" (Guess probability: 67%)        [+] Host 192.168.30.50 Running OS: "NetBSD 1.4" (Guess probability: 64%)        [+] Host 192.168.30.50 Running OS: "NetBSD 1.4.1" (Guess probability: 64%)        [+] Host 192.168.30.50 Running OS: "NetBSD 1.4.2" (Guess probability: 64%)        [+] Host 192.168.30.50 Running OS: "OpenBSD 2.5" (Guess probability: 64%)        [+] Host 192.168.30.50 Running OS: "NetBSD 1.5.3" (Guess probability: 64%)        [+] Host 192.168.30.50 Running OS: "NetBSD 1.4.3" (Guess probability: 64%)        [+] Host 192.168.30.50 Running OS: "NetBSD 1.5" (Guess probability: 64%)        [+] Host 192.168.30.50 Running OS: "Cisco IOS 11.3" (Guess probability: 64%)      open UDP port        arhontus#xprobe2 -v -c /etc/xprobe2.conf -p udp:7:open 192.168.30.50        [+] Host 192.168.30.50 Running OS: "Cisco IOS 12.2" (Guess probability: 40%)        [+] Other guesses:        [+] Host 192.168.30.50 Running OS: "Cisco IOS 12.0" (Guess probability: 40%)        [+] Host 192.168.30.50 Running OS: "Cisco IOS 11.3" (Guess probability: 40%)        [+] Host 192.168.30.50 Running OS: "Cisco IOS 11.2" (Guess probability: 40%)        [+] Host 192.168.30.50 Running OS: "Cisco IOS 11.1" (Guess probability: 40%)        [+] Host 192.168.30.50 Running OS: "Linux Kernel 2.4.1" (Guess probability: 37%)        [+] Host 192.168.30.50 Running OS: "Linux Kernel 2.4.2" (Guess probability: 37%)        [+] Host 192.168.30.50 Running OS: "Linux Kernel 2.4.4" (Guess probability: 37%)        [+] Host 192.168.30.50 Running OS: "OpenBSD 2.4" (Guess probability: 37%)        [+] Host 192.168.30.50 Running OS: "OpenBSD 2.5" (Guess probability: 37%)      closed UDP port        arhontus#xprobe2 -v -c /etc/xprobe2.conf -p udp:23:closed 192.168.30.50        [+] Host 192.168.30.50 Running OS: "Cisco IOS 12.2" (Guess probability: 40%)        [+] Other guesses:        [+] Host 192.168.30.50 Running OS: "Cisco IOS 12.0" (Guess probability: 40%)        [+] Host 192.168.30.50 Running OS: "Cisco IOS 11.3" (Guess probability: 40%)        [+] Host 192.168.30.50 Running OS: "Cisco IOS 11.2" (Guess probability: 40%)        [+] Host 192.168.30.50 Running OS: "Cisco IOS 11.1" (Guess probability: 40%)        [+] Host 192.168.30.50 Running OS: "Linux Kernel 2.4.1" (Guess probability: 37%)        [+] Host 192.168.30.50 Running OS: "Linux Kernel 2.4.2" (Guess probability: 37%)        [+] Host 192.168.30.50 Running OS: "Linux Kernel 2.4.4" (Guess probability: 37%)        [+] Host 192.168.30.50 Running OS: "OpenBSD 2.4" (Guess probability: 37%)        [+] Host 192.168.30.50 Running OS: "OpenBSD 2.5" (Guess probability: 37%) 
Note 

You need to run Nmap prior to using Xprobe v2 to find out which ports to use. Not surprisingly, scans using TCP ports were more precise as compared to scans using UDP ports, and scans supplied with open ports were more exact than those supplied with closed ports.

Now that we have established a pattern of device fingerprinting, it is much easier to follow it using different devices. The router we have looked at is an old model with an obsolete IOS version. Let's have a look at another common Cisco router with the most recent code train available at the moment of writing and compare it with the previous example.

NULL, FIN, and XMAS Scans These did not produce any useful output, just as in the case with 2503/IOS11.(0)8. The same applied to Window and ACK TCP scans.

Both Half-Connect and Full-Connect TCP Scans These showed open ports and other inter-esting data but were unable to determine device type and IOS version. An example of a half-connect scan is provided here:

 arhontus#nmap -sS -vvv 192.168.66.202 -O      Interesting ports on test.dmz.arhont.com (192.168.66.202):      (The 1658 ports scanned but not shown below are in state: closed)      PORT STATE SERVICE      7/tcp open echo      9/tcp open discard      13/tcp open daytime      19/tcp open chargen      23/tcp open telnet      MAC Address: 00:02:16:9C:0A:80 (Cisco Systems)      No exact OS matches for host      TCP Sequence Prediction: Class=truly random                               Difficulty=9999999 (Good luck!)      TCP ISN Seq. Numbers: B4001FB9 16115BD4 B01365B8 AA1CEFE D7F33985 B454BF51      IPID Sequence Generation: All zeros 

Grabbing Banners This was more fruitful:

 arhontus#nmap -A -vvvv 192.168.66.202 -O -p0-65535      7/tcp open echo      9/tcp open discard?      13/tcp open daytime?      19/tcp open chargen      23/tcp open telnet Cisco telnetd (IOS 12.X)      MAC Address: 00:02:16:9C:0A:80 (Cisco Systems)      No exact OS matches for host      TCP Sequence Prediction: Class=truly random                               Difficulty=9999999 (Good luck!)      TCP ISN Seq. Numbers: C7A8FBC9 9766C8D0 1168F7A6 E9270C94 3CE65D8 170CF393      IPID Sequence Generation: All zeros 

While the device and OS types weren't determined, from the telnetd banner we know that IOS 12. X is used. This banner is not user- changeable , and to get rid of it one would need to go through a procedure of modifying the IOS image. This can be considered a basic form of reverse-engineering and might be illegal, or at least it would void the war-ranty.

UDP Scans These showed fewer open ports than in the 2503 example and were also un-able to determine the OS:

 arhontus#nmap -sU -vvvv 192.168.66.202 -O -p0-65535      Interesting ports on test.dmz.arhont.com (192.168.66.202):      (The 1476 ports scanned but not shown below are in state: openfiltered)      PORT STATE SERVICE      7/udp open echo      19/udp open chargen      MAC Address: 00:02:16:9C:0A:80 (Cisco Systems)      Too many fingerprints match this host to give specific OS details 

Again, the output of the scan did not exactly correspond to the output of the show ip sockets command:

 cisco-test#sh ip sockets      Proto Remote Port Local Port In Out Stat TTY      17 0.0.0.0 0 192.168.66.202 67 0 0 2211 0      17 --listen-- 192.168.66.202 123 0 0 1 0      17 --listen-- 192.168.66.202 520 0 0 1 0      17 192.168.77.5 34635 192.168.254.254 161 0 0 1 0      17 --listen-- 192.168.66.202 162 0 0 11 0      17 --listen-- 192.168.66.202 56057 0 0 11 0 

In this case, the tables have turned and the command is more informative than the Nmap. This is an interesting artifact demonstrating that UDP ports could be missed by Nmap, even if multiple scans are run against the host on the same subnet and the ports scanned are chosen separately. And we are dead sure that Routing Information Protocol (RIP), Network Time Protocol (NTP), and SNMP services are running on this router since we have enabled them all. Thus, output of any UDP scan should be taken with a bit of salt, even if you're sitting next to the scanned host on the same LAN.

Supported Protocols Scan This did not show any useful information.

Xprobe Scan This is now our main hope for finding out more about the host's OS. For now, all we know is that it runs some version of IOS 12. Xprobe v1 isn't very helpful, showing the same (incorrect) output as in the case with Cisco 2503. Xprobe v2 was far more useful, apart from the case of closed TCP port supplied:

 arhontus#xprobe2 -v -c /etc/xprobe2.conf -p tcp:23:open 192.168.66.202      [+] Host 192.168.66.202 Running OS: "Cisco IOS 12.2" (Guess probability: 59%)      [+] Other guesses:      [+] Host 192.168.66.202 Running OS: "Cisco IOS 12.0" (Guess probability: 59%)      [+] Host 192.168.66.202 Running OS: "Cisco IOS 11.3" (Guess probability: 59%)      [+] Host 192.168.66.202 Running OS: "Cisco IOS 11.2" (Guess probability: 53%)      [+] Host 192.168.66.202 Running OS: "Cisco IOS 11.1" (Guess probability: 53%)      [+] Host 192.168.66.202 Running OS: "Sun Solaris 2.5.1" (Guess probability: 46%)       [+] Host 192.168.66.202 Running OS: "FreeBSD 4.3" (Guess probability: 46%)      [+] Host 192.168.66.202 Running OS: "Linux Kernel 2.4.0" (Guess probability: 46%)      [+] Host 192.168.66.202 Running OS: "Linux Kernel 2.4.1" (Guess probability: 46%)      [+] Host 192.168.66.202 Running OS: "Linux Kernel 2.4.2" (Guess probability: 46%)      arhontus#xprobe2 -v -c /etc/xprobe2.conf -p udp:7:open 192.168.66.202      +] Host 192.168.66.202 Running OS: "Cisco IOS 12.2" (Guess probability: 40%)      [+] Other guesses:      [+] Host 192.168.66.202 Running OS: "Cisco IOS 12.0" (Guess probability: 40%)      [+] Host 192.168.66.202 Running OS: "Cisco IOS 11.3" (Guess probability: 40%)      [+] Host 192.168.66.202 Running OS: "Cisco IOS 11.2" (Guess probability: 40%)      [+] Host 192.168.66.202 Running OS: "Cisco IOS 11.1" (Guess probability: 40%)      [+] Host 192.168.66.202 Running OS: "Linux Kernel 2.4.1" (Guess probability: 37%)      [+] Host 192.168.66.202 Running OS: "Linux Kernel 2.4.2" (Guess probability: 37%)      [+] Host 192.168.66.202 Running OS: "Linux Kernel 2.4.4" (Guess probability: 37%)      [+] Host 192.168.66.202 Running OS: "OpenBSD 2.4" (Guess probability: 37%)      [+] Host 192.168.66.202 Running OS: "OpenBSD 2.5" (Guess probability: 37%) 

TCP Scan This scan was somewhat more precisenote the difference between the guess probability percentages of both scans. As to the closed-port Xprobe probes ( please for-give the tautology), the guesses split between Solaris and FreeBSD (closed TCP port) and various versions of Linux kernel (closed UDP port). The probability percentages were much lower than in the open-port scans and ranged between 21 and 25 percent. Thus, at the end, we can state that we are dealing with some Cisco device running IOS 12.2. It could be a router, an IOS-like system Catalyst switch, or even an IOS-based Aironet wire-less access point. Now comes the correct answer:

 cisco-test#show version      Cisco Internetwork Operating System Software      IOS (tm) C2600 Software (C2600-IK9O3S3-M), Version 12.3(6), RELEASE SOFTWARE (fc3)      Copyright (c) 1986-2004 by cisco Systems, Inc.      Compiled Wed 11-Feb-04 19:24 by kellythw      Image text-base: 0x80008098, data-base: 0x81999EC0      ROM: System Bootstrap, Version 11.3(2)XA4, RELEASE SOFTWARE (fc1) 

As you can see, it was substantially more difficult to fingerprint this particular host as compared to the example with Cisco 2503 and old IOS.

Active Enumeration and Fingerprinting of Catalyst Switches

Attack 

Popularity:

10

Simplicity:

6

Impact:

9

Risk Rating:

8

Of course, the second most commonly encountered types of Cisco devices on the Internet are Catalyst switches. As you probably know, they come in two flavorsIOS-like OS Catalysts and CatOS-based Catalysts, which have different roots. IOS is the original Cisco-developed operational system. CatOS has evolved out of the XDI, a UNIX-like kernel acquired by Cisco for use in equipment that developed into the mod-ern Catalyst 4000, 5000, and 6000 switch series. Thus, one would correctly expect the CatOS switches to behave quite differently from the IOS-based machines when finger-printed.

When scanning CatOS-based Catalysts, the first thing that stands out is the informa-tive response to NULL, FIN, and XMAS scans, which is identical for all three scan types. Thus, the discovery and portscanning of CatOS switches can be accomplished in a some-what quieter manner as compared to IOS-based machines. (Well, at least we are quite sure that NULL and FIN scans will not show up in the Catalyst logs!) An example of a NULL scan run against such a switch is presented here:

 arhontus#nmap -sN -vvv 192.168.77.250 -O      Interesting ports on gromozeka.core.arhont.com (192.168.77.250):      (The 1662 ports scanned but not shown below are in state: closed)      PORT STATE SERVICE      23/tcp open telnet      MAC Address: 00:40:0B:C7:13:FF (Cisco Systems)      Device type: switchprinterfirewallrouter      Running: Cisco embedded, Xylan embedded, Epson embedded, SonicWall SonicOS,          Trancell embedded      OS details: Router/Switch/Printer/Firewall (LanPlex 2500/Cisco Catalyst      5505/Cisco 6509/Trancell Webramp/Xylan OmniSwitch)/Epson Stylus (100BTX-NIC      HP Secure Web Console, SonicWall firewall appliance 3.3.1)      TCP Sequence Prediction: Class=64K rule                               Difficulty=1 (Trivial joke)      TCP ISN Seq. Numbers: 81AB7C01 81AC7601 81AD7001 81AF6401 81B05E01 81B15801      IPID Sequence Generation: Incremental 

In addition to finding the open telnetd port, the scan has also determined the high vul-nerability of the switch to session-hijacking attacks (predictable TCP sequence numbers) and its usefulness for idle scanning.

Tip 

To find out how to use idle scanning techniques to hide your IP, consult the http://www.insecure.org site at http://www.insecure.org/nmap/idlescan.html.

It is quite obvious that the same output was obtained employing SYN and full-con-nect TCP scans. Also, an additional unknown open TCP service port 7161 was found when running full port range scans against the tested switch. Grabbing banners by launching Nmap with the -A option did not produce any exciting results, apart from the xff\xfb\x01\xff\xfb\x03\xff\xfd\x01\r\n\r\nCisco\x20Systems\x20Console\ string appearing in the fingerprint.

Unlike previously tested routers, a Window scan ( -sW flag in Nmap) targeting the Catalyst was successful in showing output that was identical to the results of NULL, FIN, and XMAS probes. However, any time an ACK scan was run against the switch from different hosts, it was unexpectedly terminated with a characteristic error:

 arhontus# nmap -sA -vvvv 192.168.77.250 -O      Starting nmap 3.75 (http://www.insecure.org/nmap/) at 2004-12-01 04:46 GMT      Initiating ACK Scan against gromozeka.core.arhont.com (192.168.77.250)          1663 ports] at 04:46      Unexpected port state: 6      QUITTING! 

UDP scanning of a CatOS-based switch for default and full port ranges has demon-strated open 123 (NTP) and 161 (SNMP) ports and did not provide any specific OS details. There is no show ip sockets command in CatOS to verify the results of UDP scans on the switch.

Finally, the supported protocols scan against the Catalyst flagged all 256 checked protocols as openfiltered and wasn't useful at all.

While Nmap has provided us a wealth of information about the switch, as you can see in the preceding code, the same cannot be said about both versions of Xprobe. While Xprobe v1 defined our Catalyst as DGUX/HPUX 10.x/OpenVMS with Process Software TCPWare!SunOS4.x , Xprobe v2 considered it to be a FreeBSD 4.4 machine.

To summarize, some characteristics stand out like big flashing neon lights when fin-gerprinting many CatOS switches:

  • Responsiveness to FIN, NULL, XMAS, and Window TCP scans

  • Error and termination of ACK scans

  • TCP sequence numbers prediction class and difficulty

  • Incremental IPIDs

  • Reliably defined as FreeBSD 4.4 by the current version of Xprobe 2 used

As to our specific example switch, based on the results of scans, we could tell that it is a Cisco Catalyst switch 5505 or 6509. We couldn't define the specific version of CatOS in use. Here's the correct answer:

 Gromozeka (enable) show version      WS-C5000 Software, Version McpSW: 4.5(12a) NmpSW: 4.5(12a)      Copyright (c) 1995-2002 by Cisco Systems      NMP S/W compiled on Feb 11 2002, 15:03:47      MCP S/W compiled on Feb 11 2002, 15:06:09      System Bootstrap Version: 1.4      Hardware Version: 1.8 Model: WS-C5000 Serial #: 002660741 

So, the answer Cisco Catalyst 5505 was close enough, but still incorrect.

Let's now compare IOS-based Catalyst fingerprinting results with both Cisco routers and CatOS switches. Running NULL, FIN, and SYN scans against an IOS-based Catalyst switch rendered rather strange results, showing all ports as open. The OS fingerprint of all three scan types was uniform:

 Device type: general purposeprinterrouterVoIP adapterbroadband routerWAP      Running (JUST GUESSING) : Linux 1.X (93%), Tektronix embedded (93%),          Apple Mac OS X 10.1.X (90%), Microsoft Windows NT/2K/XP (90%),          Cisco embedded (90%), FreeSCO Linux 2.0.X (87%), Cisco IOS 12.X (87%)      Aggressive OS guesses: Linux 1.3.20 (x86) (93%), Tektronix Phaser printer          (93%), Apple Mac OS X 10.1.5 (90%), Microsoft Windows XP Pro SP1 or Windows          2000 SP3 (90%), Cisco X.25/TCP/LAT Protocol Translator ver 8.2(4) (90%),          Cisco ATA 186 POTS<->VoIP phone gateway device (88%), FreeSCO 0.27 (Linux       2.0.38) (87%), Microsoft Windows XP Pro RC1+ through final release (87%),      Cisco Soho 97 router running IOS 12.3(8) (87%), Cisco 7200 router running      IOS 12.1(14)E6 (87%)      No exact OS matches for host (test conditions non-ideal). 

Investigating this artifact further, we conclude that the scan output was dependent on the amount of hops separating the host with Nmap from the Catalyst. At three and two hops' distance, all ports were shown as open; however, when scanned from the same subnet, all ports appeared to be closed, which corresponds quite well to the re-sponse of Cisco routers to NULL, FIN, and XMAS scanning. Alas, NULL, FIN, and XMAS scans of these routers did not produce any OS guesses at all. (Not that the guesses for our Catalyst shown previously were precise and useful!)

The NULL/FIN/XMAS OS fingerprints and guesses for the tested switch did not change with different amounts of hops between it and the scanning machine. The same cannot be said about the case of half-and full-connect scans, however.

Two hops away:

 arhontus#nmap -sS -vvv -O 192.168.20.254      Interesting ports on 192.168.20.254:      (The 1658 ports scanned but not shown below are in state: closed)      PORT STATE SERVICE      7/tcp open echo      9/tcp open discard      13/tcp open daytime      19/tcp open chargen      23/tcp open telnet      No exact OS matches for host      TCP Sequence Prediction: Class=truly random             Difficulty=9999999 (Good luck!)      TCP ISN Seq. Numbers: A99EFC4B 47B64308 3569CEAD 2204C2C1 DB1C606F FC1101E1      IPID Sequence Generation: All zeros 

One hop away:

 Interesting ports on 192.168.20.254:      (The 1658 ports scanned but not shown below are in state: closed)      PORT STATE SERVICE      7/tcp open echo      9/tcp open discard      13/tcp open daytime      19/tcp open chargen      23/tcp open telnet      Device type: router      Running: Cisco IOS 12.X      OS details: Cisco 7200 router running IOS 12.1(14)E6      TCP Sequence Prediction: Class=truly random             Difficulty=9999999 (Good luck!)      TCP ISN Seq. Numbers: A4C1F3F8 49892BF3 6426CB1E A69DB9F2 AEDC5A5D BD1CFC3D      IPID Sequence Generation: All zeros 

Same subnet:

 Interesting ports on 192.168.20.254:      (The 1658 ports scanned but not shown below are in state: closed)       PORT STATE SERVICE      7/tcp open echo      9/tcp open discard      13/tcp open daytime      19/tcp open chargen      23/tcp open telnet      MAC Address: 00:0E:84:EF:F5:C0 (Cisco Systems)      Device type: router      Running: Cisco IOS 12.X      OS details: Cisco router running IOS 12.1.5-12.2.13a      TCP Sequence Prediction: Class=truly random      Difficulty=9999999 (Good luck!)      TCP ISN Seq. Numbers: A4C1F3F8 49892BF3 6426CB1E A69DB9F2 AEDC5A5D BD1CFC3D      IPID Sequence Generation: All zeros 

The precision of the scans increased dramatically as we got closer to the target. Note that in all cases, the device type was defined as router this is something we have con-stantly seen when fingerprinting IOS-based Catalysts.

The dependence of scan results on the amount of separating hops was not limited to the IOS-based Catalyst or Catalyst switches in general. We have seen perhaps the most outstanding example of this phenomenon when UDP scanning a Cisco 2503 router.

One hop away:

 arhontus# nmap -sU -vvvv 192.168.30.50 -O      Interesting ports on 192.168.30.50:      (The 1473 ports scanned but not shown below are in state: closed)      PORT STATE SERVICE      67/udp openfiltered dhcpserver      161/udp openfiltered snmp      781/udp openfiltered hp-collector      835/udp openfiltered unknown      2042/udp openfiltered isis      Too many fingerprints match this host to give specific OS details 

Same subnet:

 arhontus# nmap -sU -vvvv 192.168.30.50 -O      Interesting ports on 192.168.30.50:      (The 1475 ports scanned but not shown below are in state: closed)      PORT STATE SERVICE      67/udp openfiltered dhcpserver      161/udp openfiltered snmp      1407/udp openfiltered dbsa-lm      Device type: routerswitch      Running: Cisco IOS 10.X11.X      OS details: Cisco 2501/2504/4500 router with IOS Version 10.3(15) -      11.1(20), Cisco Router/Switch with IOS 11.2 

As you can see, while the remote UDP scans (including the UDP scan from two hops' distance shown when we were evaluating Cisco 2503 fingerprinting) could not deter-mine device type and OS version; when Nmap is run on the same LAN it is possible to fingerprint the device with a reasonable level of precision.

Let's return to our IOS-based Catalyst switch. Grabbing banners with Nmap -A has also demonstrated the Cisco telnetd (IOS 12.X) banner, commonly encountered in differ -ent types of Cisco switches. Interestingly, as in the case of the CatOS-based switch tested, the ACK scans were terminated with the very same error ( Unexpected port state: 6 ). Window TCP scans were fruitless. The UDP scans have demonstrated a variety of open services, two of them unknown:

 arhontus#nmap -sU -vvvv -O 192.168.20.254 -p0-65535      Interesting ports on 192.168.20.254:      (The 1469 ports scanned but not shown below are in state: closed)      PORT STATE SERVICE      7/udp open echo      9/udp openfiltered discard      19/udp open chargen      67/udp openfiltered dhcpserver      146/udp openfiltered iso-tp0      161/udp openfiltered snmp      162/udp openfiltered snmptrap      793/udp openfiltered unknown      948/udp openfiltered unknown      MAC Address: 00:0E:84:EF:F5:C0 (Cisco Systems)      Too many fingerprints match this host to give specific OS details 

Again, the output of the scan did not correspond well to the output of the show ip sockets command:

 molotov#sh ip sockets      Proto Remote Port Local Port In Out Stat TTY        17 --listen-- 192.168.20.254 67 0 0 489 0        17 --listen-- 192.168.20.254 2228 0 0 89 0        17 192.168.20.100 38085 192.168.20.254 161 0 0 1 0        17 0.0.0.0 0 192.168.20.254 162 0 0 9 0        17 0.0.0.0 0 192.168.20.254 52349 0 0 9 0 

Even when launched from the same LAN, UDP portscans were not able to provide any guesses regarding the OS running. The supported protocols scan run against the tested switch worked fine:

 arhontus#nmap -sO -vvvv -O 192.168.20.254      Interesting protocols on 192.168.20.254:      (The 250 protocols scanned but not shown below are in state: closed)       PROTOCOL STATE SERVICE      1 openfiltered icmp      6 openfiltered tcp      17 openfiltered udp      53 openfiltered swipe      55 openfiltered mobile      77 openfiltered sun-nd      MAC Address: 00:0E:84:EF:F5:C0 (Cisco Systems)      Too many fingerprints match this host to give specific OS details 

Finally, Xprobe v1 determined the switch OS to be Cisco IOS 11.x-12.x , while Xprobe v2 reliably indicated Cisco IOS 12.2 with a guess probability up to 91 percent when sup-plied with an open TCP port.

To summarize, the following properties may give away IOS-based Catalyst switches and distinguish them from Cisco routers:

  • The presence of a fingerprint, but no open/closed ports in NULL, FIN, and XMAS scans

  • ACK scans terminating with an error

  • Xprobe v1 producing a meaningful result

  • Supported protocols scan working and not showing Generic Routing Encapsulation (GRE) and routing protocols

Not surprisingly, there were significant differences between scanning and finger-printing results of IOS- and CatOS-based Catalyst switches, making these device classes easily distinguishable from each other by remote attackers. While we could determine the IOS version of the tested switch with a reasonable precision, it was not possible to determine the switch type. Of course, now it is time to provide the correct answer:

 molotov#show version      Cisco Internetwork Operating System Software      IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(22)EA1, RELEASE SOFTWARE (fc1)      System image file is "flash:c2950-i6q4l2-mz.121-22.EA1.bin"      cisco WS-C2950T-24 (RC32300) processor (revision M0) with 20873K bytes of memory. 

Active Enumeration and Fingerprinting of Other Cisco Appliances

Attack 

Popularity:

10

Simplicity:

6

Impact:

9

Risk Rating:

8

Considering the variety of networking devices manufactured by Cisco, limiting this chapter only to routers and switches would have been an unforgivable mistake. Thus, it is time to turn to more specific Cisco appliances commonly encountered on modern-day networks, emphasizing the security relevance of such hosts. One such appliance type is, of course, Cisco PIX firewalls. Apart from the low-end 501/506 models (the latter being deprecated), PIX firewalls usually possess three interface types: private, public, and DMZ. For the purposes of this chapter, we are interested in scanning from the public interface side, since this is where the external attackers are positioned. For the purposes of a complete security audit, a firewall should be assessed from all of its interfaces, since internal malcontents can be as large a threat and servers in the DMZ can be broken into by external hackers and used to launch further attacks.

When enumerating and fingerprinting a PIX firewall, we follow the standard scheme used in the preceding examples. The firewall we are using has port 22 open to the out-side. This is not a default configuration, but it is not uncommon in the wild, and we wanted to demonstrate the difference a service exposed to the public side can make when fingerprinting a PIX.

  1. NULL, FIN, and XMAS scans have shown all ports as open and did not provide any OS guesses.

  2. SYN and full-connect scans could demonstrate only the Secure Shell Daemon (SSHd) running. The OS guesses were rather informative, thoughsee the example scan output in the next paragraph.

  3. Grabbing banners was even more interesting:

 arhontus# nmap -A -O -vvvv 192.168.66.108      Interesting ports on 192.168.66.108:      (The 1662 ports scanned but not shown below are in state: filtered)      PORT STATE SERVICE VERSION      22/tcp open ssh Cisco SSH 1.25 (protocol 1.5)      MAC Address: 00:90:27:99:11:8F (Intel)      Device type: switchfirewall      Running: Cisco embedded, Cisco NmpSW, Cisco PIX 6.X      OS details: Cisco Catalyst switch, Cisco Catalyst 4006 Switch running NmpSW      7.4(2), Cisco PIX Firewall Version 6.1(2), Cisco PIX Firewall Version 6.2(1)      TCP Sequence Prediction: Class=truly random                               Difficulty=9999999 (Good luck!)      TCP ISN Seq. Numbers: AC8CE25B F2C1853D 713E4DBB 821E3731 5C9EBFB0 6FF1F11E      IPID Sequence Generation: Incremental 

The banner showing both the Cisco origin of the device and the version of SSHd and SSH protocol running just shouldn't be there, especially if you take into account the vul-nerability of SSH protocol versions below 2 to man-in-the-middle attacks. Also, the incremental IPID sequence generation (idle scans!) and Intel Organizationally Unique Identifier (OUI) MAC address are shown when scanning on LAN. The latter fact is de-monstrative for PIX firewalls using Intel, rather than native Cisco Ethernet network cards or interfaces.

  1. Window, ACK, and supported protocol scans did not provide any useful output. All UDP ports were shown as filtered.

  2. Both versions of Xprobe have identified our firewall's OS as some version of Linux kernel 2.2.X.

Despite the absence of useful data brought in by Xprobe and all scans, apart from SYN and full connect, we were able to identify the host as a likely PIX firewall running PIX OS 6.1.(2)-6.2.(1). Catalyst switches are not very likely to run SSHd (though it is pos-sible!) and would show a different fingerprinting profile to Nmap and Xprobe, as demonstrated by the examples reviewed already. To avoid breaking the tradition, here comes a correct description of the tested PIX:

 pixfirewall# show version      Cisco PIX Firewall Version 6.3(3)      Cisco PIX Device Manager Version 3.0(1)      Compiled on Wed 13-Aug-03 13:55 by morlee      pixfirewall up 132 days 4 hours      Hardware: PIX-515E, 64 MB RAM, CPU Pentium II 433 MHz      Flash E28F128J3 @ 0x300, 16MB      BIOS Flash AM29F400B @ 0xfffd8000, 32KB 

Cisco VPN concentrator is next in our logical sequence of evaluated devices. As with the PIX, the 3000 series Cisco VPN concentrators have public, private, and DMZ inter-faces (apart from the low-end models in the 3015 series). And as in the PIX firewall case, we are more interested in scanning from the exposed public side and follow the same enumeration/fingerprinting plan.

  1. NULL, FIN, and XMAS scans have shown all ports as open or closed, depending on the amount of hops from the concentrator, and did not provide any OS guesses.

  2. Half-and full-connect TCP scans have only demonstrated the Point-to-Point Tunneling Protocol (PPTP) port open:

 arhontus# nmap -sT -O -vvv -p0-65535 192.168.77.240      Interesting ports on 192.168.77.240:      (The 65535 ports scanned but not shown below are in state: filtered)      PORT STATE SERVICE      1723/tcp open pptp      MAC Address: 00:03:A0:8A:00:F9 (Cisco Systems)      Device type: encryption accelerator      Running: Cisco embedded      OS details: Cisco 3000-series VPN concentrator (OS ver 4.1.2)      TCP Sequence Prediction: Class=random positive increments                               Difficulty=1543284 (Good luck!)      TCP ISN Seq. Numbers: 9A4442DD 99D1DDAF 99EF863F 99ED7B73 9A0328ED 9A70FF87      IPID Sequence Generation: Incremental 

Nevertheless, the OS fingerprinting results were rather precise (also note the incre-mental IPID sequence generation). For the sake of comparison, here is the scan of the same concentrator (also in default configuration) from the private interface side:

 arhontus# nmap -A -vvv -p0-65535 192.168.77.240      Interesting ports on 192.168.77.240:      (The 65526 ports scanned but not shown below are in state: closed)      PORT STATE SERVICE VERSION      21/tcp open ftp?      22/tcp open ssh Cisco VPN Concentrator SSHd (protocol 1.5)      23/tcp open echo      80/tcp open http?      443/tcp open ssl/unknown      988/tcp open smtp      993/tcp open ssl/unknown      995/tcp open ssl/pop3      1723/tcp open pptp?      5054/tcp open unknown      MAC Address: 00:03:A0:8A:00:F8 (Cisco Systems)      Device type: encryption accelerator      Running: Cisco embedded      OS details: Cisco 3000-series VPN concentrator (OS ver 4.1.2)      TCP Sequence Prediction: Class=random positive increments      Difficulty=3689871 (Good luck!)      TCP ISN Seq. Numbers: C59F2D9D C4D1C499 C56369F7 C589CD49 C4E9FAB6 C552B034      IPID Sequence Generation: Incremental 

Do you really trust all users and all hosts on your LAN?

  1. The only banner, grabbed on the private side, is shown on the preceding scan output. In our humble opinion, naming the device and the SSH protocol version in a banner is not a good security practice. But things get worse when we look at the SSHd in more detail:

     arhontus# ssh -v admin@192.168.66.240      debug1: Connecting to 192.168.66.240 [192.168.66.240] port 22.      debug1: Connection established.      debug1: identity file /root/.ssh/id_dsa type -1      debug1: Remote protocol version 1.5, remote software version X      debug1: no match: X      debug1: Local version string SSH-1.5-OpenSSH_3.8.1p1      debug1: Waiting for server public key.      Warning: Server lies about size of server public key: actual size is 767      bits vs. announced 768.      Warning: This may be due to an old implementation of ssh.      Warning: Server lies about size of server host key: actual size is 2047 bits      vs. announced 2048.      Warning: This may be due to an old implementation of ssh.      debug1: Received server public key (767 bits) and host key (2047 bits).      debug1: Host '192.168.66.240' is known and matches the RSA1 host key.      debug1: Found key in /root/.ssh/known_hosts:11       debug1: Encryption type: 3des      debug1: Sent encrypted session key.      debug1: Installing crc compensation attack detector.      debug1: Received encrypted confirmation.      debug1: Doing password authentication. 

    In contrast, a Linux SSHd with enabled version 1 SSH protocol support will show something like this:

 debug1: Connecting to dyno [192.168.77.6] port 22.      debug1: Connection established.      debug1: identity file /root/.ssh/identity type -1      debug1: identity file /root/.ssh/id_rsa type -1      debug1: identity file /root/.ssh/id_dsa type -1      debug1: Remote protocol version 1.5, remote software version OpenSSH_3.8.1p1      debug1: match: OpenSSH_3.8.1p1 pat OpenSSH*      debug1: Local version string SSH-1.5-OpenSSH_3.8.1p1 Debian-8.sarge.4      debug1: Waiting for server public key.      debug1: Received server public key (768 bits) and host key (1024 bits).      debug1: Host 'dyno' is known and matches the RSA1 host key.      debug1: Found key in /root/.ssh/known_hosts:9      debug1: Encryption type: 3des      debug1: Sent encrypted session key.      debug1: Installing crc compensation attack detector.      debug1: Received encrypted confirmation.      debug1: Doing challenge response authentication.      Password:      Response:      debug1: Requesting pty.      debug1: Requesting X11 forwarding with authentication spoofing.      Warning: Remote host denied X11 forwarding.      debug1: Requesting shell.      debug1: Entering interactive session. 

Thus, SSH connections with debug option turned on for the client can be a reliable way of identifying remote Cisco VPN concentrators and other Cisco appliances supporting the SSH protocol. Pay close attention to all the warnings in the debug, key sizes, remote software ver-sion, and all output related to the X server.

  1. So far, this is the first Cisco appliance evaluated against which the ACK scan has worked, showing the unfiltered PPTP port. However, the OS guessing that accompanied our ACK scan wasn't correct:

 arhontus# nmap -sA -O -vvvv 192.168.77.240      Interesting ports on 192.168.77.240:      (The 1662 ports scanned but not shown below are in state: filtered)      PORT STATE SERVICE      1723/tcp UNfiltered pptp       MAC Address: 00:03:A0:8A:00:F9 (Cisco Systems)      Device type: broadband routergeneral purposefirewall      Running (JUST GUESSING): Elsa embedded (85%), HP HP-UX 10.X (85%), Secure      Computing embedded (85%)      Aggressive OS guesses: ELSA LANCOM DSL/10 office router (85%), HP-UX B.10.20      9000/897 (85%), Secure Computing SECUREZone Firewall Version 2.0 (85%) 

To the contrary, the Window scan has shown port 1723 as closed, while providing exactly the same OS guesses as the ACK scan. At the same time, UDP scans indicated that all UDP ports are openfiltered without providing any OS guesses or even basic fin-gerprints. It appears that all UDP packets sent by Nmap were dropped. The supported protocols scan wasn't very fruitful either, showing all 256 checked protocols as enabled and running.

  1. Both versions of Xprobe incorrectly determined the OS of our concentrator as either FreeBSD 4.6 or HP UX 11.0 with low guess probability percentage.

And now for the usual summary. SYN and full-connect TCP scans with a fingerprint-ing ( -O ) option turned out to be quite good at enumerating the test Cisco VPN concentrator (besides not many Internet hosts have a single PPTP TCP port open). In ad-dition, the pattern of response to ACK and Window scans was rather unusual and different from the output we saw when auditing other Cisco appliances. We conclude that the remote discovery of Cisco 3000 VPN concentrators is not a difficult and daunting task. As for the real version of our concentrator's OS at the time of testing, it is vpn3000-4.1.7b-k9.bin. So the Nmap OS guess wasn't 100 percent correct. (Well, nothing in this world is perfect.)

While on that note we could have ended this section, we just love wireless too much! Would a Cisco Aironet access point (AP) running IOS differ from routers and IOS-based Catalyst switches? Just as in the Cisco router's case, NULL, FIN, and XMAS scans launched against our AP did not bear any useful information. SYN and half-connect scans disclosed telnetd (open by default) and HTTPd (opened by us to monitor the AP). As an example here, we provide Nmap -A scan output, which shows open ports, ban-ners, OS guesses, and other useful data disclosed by the wonderful Fyodor tool:

 arhontus# nmap -A -vvv 192.168.77.235      Interesting ports on 192.168.77.235:      (The 1661 ports scanned but not shown below are in state: closed)      PORT STATE SERVICE VERSION      23/tcp open telnet Cisco telnetd (IOS 12.X)      80/tcp open http Cisco IOS administrative webserver      MAC Address: 00:0D:BD:A7:13:BB (Cisco Systems)      Device type: router      Running: Cisco IOS 12.X      OS details: Cisco 801/1720 router running IOS 12.2.8      TCP Sequence Prediction: Class=truly random                                Difficulty=9999999 (Good luck!)      TCP ISN Seq. Numbers: F639ED85 A38FAB91 EB6F734C CF2E5AAF CCFB3D4E E638F829      IPID Sequence Generation: All zeros 

Indeed, this looks like a Cisco router, with a telnetd banner being the same as the one observed when scanning Cisco 2611 router and Catalyst 2950 switch. Just as though we were scanning a router, Window and ACK scans weren't informative. However, UDP scans demonstrated that ports are open on the Aironet access point that are not open on a typical Cisco routernamely, old RADIUS and RADIUS accounting services:

 arhontus## nmap -sU -O -vvvv 192.168.77.235      Interesting ports on 192.168.77.235:      (The 1472 ports scanned but not shown below are in state: closed)      PORT STATE SERVICE      67/udp openfiltered dhcpserver      123/udp openfiltered ntp      161/udp openfiltered snmp      162/udp openfiltered snmptrap      1645/udp openfiltered radius      1646/udp openfiltered radacct 

It deserves to be said that this data does not correspond to the show ip sockets command output:

 ap#sh ip sockets      Proto Remote Port Local Port In Out Stat TTY         17 --listen-- 192.168.77.235 123 0 0 1 0         17 0.0.0.0 0 192.168.77.235 67 0 0 489 0         17 --listen-- 192.168.77.235 2887 0 0 9 0         17 192.168.77.5 47638 192.168.77.235 161 0 0 1 0         17 --listen-- 192.168.77.235 162 0 0 1 0         17 --listen-- 192.168.77.235 55001 0 0 1 0 

Apart from different open UDP ports, the protocols scan ( nmap -sO ) of the AP has discovered support for "unknown protocol 159" from the unassigned 92254 protocol number range (RFC 1060) that was not seen while scanning Cisco routers. In addition, Xprobe v1, which could not correctly determine the OS of both 2503 and 2611 Cisco routers in the examples we previously used, worked fine when fingerprinting the Ai-ronet AP:

 arhontus# xprobe -v -p 31337 -i eth0 192.168.77.235      X probe ver. 0.0.2      ------------------      Interface: eth0/192.168.77.5      LOG: Target: 192.168.77.235      LOG: Netmask: 255.255.255.255      LOG: probing: 192.168.77.235      LOG: [send]-> UDP to 192.168.77.235:31337      LOG: [98 bytes] sent, waiting for response.      TREE: Cisco IOS 11.x-12.x! Extreme Network Switches.Linux      2.0.x!2.2.x!2.4.x.TREE: Cisco IOS 11.x-12x! Extreme Network Switches.      FINAL:[ Cisco IOS 11.x-12.x ] 

As to the second version of Xprobe, it defined the AP IOS as 12.2 in all cases apart from the closed TCP port probe (in which case the OS was defined as HP-UX 11.0i). This is similar to probing a Cisco 2611 router. Thus, it is quite difficult to distinguish a Cisco Ai-ronet AP from a Cisco router remotely, but some subtle differences may still allow it. These differences pertain to open UDP ports (but as you have seen, UDP portscans aren't incred-ibly reliable), supported protocols scan, and Xprobe v1 output. Our tools of the trade have defined the AP OS as some version of IOS 12.2, perhaps 12.2.8. This is a close shot:

 ap#show version      Cisco Internetwork Operating System Software      IOS (tm) C1200 Software (C1200-K9W7-M), Version 12.2(11)JA3, RELEASE SOFTWARE (fc1)      Technical Support: http://www.cisco.com/techsupport      Copyright (c) 1986-2004 by cisco Systems, Inc.      Compiled Mon 12-Apr-04 14:36 by kellmill      Image text-base: 0x00003000, data-base: 0x004D4834      ROM: Bootstrap program is C1200 boot loader      BOOTLDR: C1200 Boot Loader (C1200-BOOT-M) Version 12.2(8)JA, EARLY         DEPLOYMENT RELEASE SOFTWARE (fc1)      cisco AIR-AP1220-IOS-UPGRD (PowerPC405GP) processor with 14326K/2048K bytes      of memory.      Processor board ID FHK0741K0DH      PowerPC405GP CPU at 196Mhz, revision number 0x00C4      Last reset from power-on      Bridging software.      1 FastEthernet/IEEE 802.3 interface(s)      1 802.11 Radio(s) 

Using IOS 11.X Memory Leak to Enumerate Remote Cisco Routers

Attack 

Popularity:

8

Simplicity:

8

Impact:

9

Risk Rating:

8

If you have discovered a router with open UDP port 7 (ECHO) and some version of IOS 11, it's your lucky day. IOS 11 has a memory leak that allows remote dumping of data from router interface buffer queues. Unfortunately for the attacker, it is not possible to dump the data constantly; here we are dealing with getting the discrete chunks of data about 20K in size.

The tool to exploit the leak is written by FX and is called IOSniff. It decodes received packets and keeps packet checksums in a cache to prevent repeating output. One of our testing routers provides a perfect target for IOSniff:

 arhontus#iosniff -i eth0 -d 192.168.30.50 -v      Cache hit       Added packet buffer with next = 0x0013D308 and cs = 0x2CFB      Packet, 1680 bytes of potatial data:      [0x0013D308]: FF:03:00:21:45:C0 -> 00:00:00:00:00:00       pure Ethernet stuff       ...Y.F...........0..B............................(..........       .d............are .IOS (tm) C2600 Software (C2600-IK9O3S3-M)       , Version 12.3(6), RELEASE SOFTWARE (fc3).Copyright (c) 1986       -2004 by cisco Systems, Inc..Compiled Wed 11-Feb-04 19:24 by       kellythw....cisco 2611.....................Serial0/0.......       .qqqqqqqqqqqqqqqqqqqqqndication LSA 1...Number of DoNotAge L       SA 0...Flood list length 0.. Area 0.0.0.1...Number of int       erfaces in this area is 1...Area has no authentication...SPF         algorithm last executed 3w1d ago...SPF algorithm executed 1      3 times...Area ranges are...Number of LSA 11. Checksum.      Added packet buffer with next = 0x0013608C and cs = 0xDBED      Packet, 1680 bytes of potatial data:      [0x0013608C]: FF:03:00:21:45:00 -> 00:00:00:00:00:00       pure Ethernet stuff      @.>.i...Be...2..#)r.EW...P........Z.......6.,...........      .:................4.............(CONNECT_DATA=(COMMAND=versi      on))rsion 12.3(6), RELEASE SOFTWARE (fc3).Copyright (c) 1986      -2004 by cisco Systems, Inc..Compiled Wed 11-Feb-04 19:24 by      kellythw....cisco 2611.....................Serial0/0.......      .bbbbbbbbbbbbbbbbbbbbb0/1..R 192.168.11.0/24 [120/1] via      192.168.66.100, 00:00:12, Ethernet0/0..R 192.168.20.0/24      [120/1] via 192.168.66.100, 00:00:12, Ethernet0/0.. 192.      168.66.0/24 is variably subnetted, 3 subnets, 2 masks..R         192.168.66.9/32 [120/1] via 192.168.66.100, 00:00:1...... 

Of course, what you are likely to see are the PDUs most frequently sent and received by the attacked router. These may include Cisco Discovery Protocol (CDP), Hot Standby Router Protocol (HSRP), or Virtual Router Resilience Protocol (VRRP), and various rout-ing protocol updates and hellos. By looking at the captured packets for a sufficient amount of time, you can gather nearly complete information about the architecture of the remote network, including the subnet ranges, types of Cisco devices deployed, and their operational systems. In the preceding example output, we can identify neighboring Cisco 2611 router via CDP and see some fragments of Open Shortest Path First (OSPF) link state updates. From these fragments , we can gather the OSPF area in which the rout-ers are positioned, the absence of OSPF authentication in this area (!), and a partial routing table. Waiting for a longer time period would have provided us with a full rout-ing table and more information about the interfaces of routers involved. In vain, we have tried multiple Telnet and enable logins to/on the attacked router in hopes of capturing the login passwords with IOSniff. Sometimes, though, things just don't work the way you want them to.

Just for your referencethis is what happens if IOSniff is run against an invulnerable router:

 arhontus#/iosniff -i eth0 -d 192.168.66.202 -v      --==[ Phenoelit IOSniff ]==--      Cisco IOS 11.x UDP echo memory leak remote sniffer      Timeout - may be lost packet?      Your target does not seem to leak data. 

The tool will simply timeout and quit.

Hiding Your Machine from Prying Eyes: Enumeration and Fingerprinting Countermeasures

Countermeasure 

The recommendations to prevent attackers from enumerating and fingerprinting your Cisco appliances are as mundane as they are efficient. The first thing you should con-sider is using the latest version of the IOS or other operational system your hardware can support. If you have another look at the scans we've discussed and generalize beyond the examples shown, the following points are obvious:

  • Newer IOS versions have fewer ports open. In particular, this applies to those annoying "unknown" services.

  • Newer IOS versions are more difficult to fingerprint.

TCP sequence prediction on the newest IOS versions is practically impossible . The supported protocols scan against newer IOS versions tends to fail ( this is important ). In addition, newer IOS or CatOS versions would be freer from bugs that can assist in finger-printing and enumeration. A typical example of such a bug is the IOS 11.X memory leak described earlier.

The next thing is, of course, turning off all unnecessary services. Small TCP and UDP services (ECHO, Chargen, and others) should always be turned off. They are a part of networking history and have no place in the modern world. To turn them off, use the commands no service tcp-small-servers and no service udp-small-servers . To turn off finger, use the no service finger command; no ip bootp server switches off the bootp server we constantly saw on UDP portscans of routers. If you don't use SNMP, you can get rid of the service by issuing the no snmp-server command.

Of course, we are going to discuss SNMP security in more detail in the next chapter. Turning off the administrative web interface is done via the no ip http server com-mand, even though we didn't find the Cisco web interface, with its plain request for a username/password pair, to be very useful in fingerprinting. Exploitation is, surely, an-other story. On the other hand, the necessity of open services should also be considered in great detail. If the system administrator wants to enable access from the outside to, for example, SSHd, such access should be restricted to a specific IP address (or at least a limited IP range):

 2611a(config)#access-list 101 permit tcp host 10.1.1.1 any eq 22 log 
Tip 

While many Cisco security sources show examples of restricting Telnet access to the appliance from the Internet side, we completely discourage using Telnet to administer any device across a public network. You never know who is sniffing.

To illustrate how removing unnecessary services can be efficient at confusing remote attackers, here are some scan results for some of the hosts we have used when illustrat-ing fingerprinting:

  • Cisco 2611:

     arhontus#nmap -sT -vvvv 192.168.66.202 -O      Interesting ports on 2611b.dmz.arhont.com (192.168.66.202):      (The 1662 ports scanned but not shown below are in state: closed)      PORT STATE SERVICE      23/tcp open telnet      No exact OS matches for host. 
  • Cisco 2503:

     arhontus#nmap -sT -vvvv 192.168.30.50 -O      Interesting ports on 192.168.30.50:      (The 1658 ports scanned but not shown below are in state: closed)      PORT STATE SERVICE      23/tcp open telnet      57/tcp open priv-term      2001/tcp open dc      6001/tcp open X11:1      Device type: general purposefirewall      Running: IBM AIX 4.X, Linux 1.X, Microsoft Windows NT/2K/XP, Symantec Solaris 8      Too many fingerprints match this host to give specific OS details 
  • PIX 515E:

     arhontus# nmap -sT -vvvv -O 192.168.66.108      All 1663 scanned ports on 192.168.66.108 are: filtered      MAC Address: 00:90:27:99:11:8F (Intel)      Too many fingerprints match this host to give specific OS details 
  • Aironet 1200 access point:

     arhontus# nmap -sT -O -vvvv 192.168.77.235      All 1977 scanned ports on 192.168.77.235 are: closed      MAC Address: 00:0D:BD:A7:13:BB (Cisco Systems)      Too many fingerprints match this host to give specific OS details 

Compare this output to the outputs of the very same scans when the assessed net-work appliances had more open ports, and note how dramatically the OS fingerprinting efficiency of Nmap has decreased. Of course, "closed port" mode tests with Xprobe won't be affected. However, in general, these mode scans are less precise than tests, in which known open ports are supplied to the tool.

"Knock, Knock! Who's There?" Portscanning, OS Fingerprinting, and Their Detection on Cisco Machines

Countermeasure 

Detecting these annoying scanners pondering your Cisco hosts is an important task. The first thing you will need to do is to timestamp the logs:

 cisco-2611a(config)#service timestamps log datetime localtime msec           show-timezone year 
Tip 

Synchronizing the router with a remote NTP server is a very good idea and will be described in Chapter 10.

Then create a local buffer for logs stored on a router or switch and set the logging severity level:

 cisco-2611a(config)#logging buffered 4096 debugging 

Don't forget to set a general logging severity level and count for all logs, as well as stamp the logs with sequence numbers:

 cisco-2611a(config)#logging trap debugging      cisco-2611a(config)#logging count      cisco-2611a(config)#service sequence-numbers 

Of course, logging to a remote syslog server needs to be considered, since a router or switch crashed (by the attack?) will lose the logs stored in its buffer. If you have many routers, labeling the logs sent by each router using a unique string, router IP, or host- name (whatever rocks your boat) is more than helpful:

 cisco-2611a(config)#logging facility syslog      cisco-2611a(config)#logging host 10.1.1.5      cisco-2611a(config)#logging origin-id string Testing2611a 

Then you can turn on all logging (using the logging on command). Afterward, don't forget to add log at the end of every access list you write ( log-input to log the interface to which the packets come as well). If you are using Context Based Access Con-trol (CBAC) instead of the casual Cisco access lists, or you are configuring a PIX firewall, IDS and logging can be done via the ip audit set of commands. However, as you will see very soon, CBAC IDS on its own is less than perfect for portscan detection.

On CatOS switches, logging is done via the set logging command:

 Gromozeka (enable) set logging ?      Usage: set logging server <enabledisable>             set logging server <ip_addr>             set logging server facility <server_facility_parameter>             set logging server severity <server_severity_level>              set logging history <syslog_history_table_size>      (server_facility_parameter = local0local1local2local3local4      local5local6local7syslog             server_severity_level = 0..7             syslog_history_table_size = 0..500)             set logging <consolesession> <enabledisable>             set logging level <facility> <severity> [default]           (facility = allcdpdtpdripdvlanearlfddifilesysipmcast           mgmtmlspagpprotfiltpruningsecuritysnmpspantreesystactcp           telnettftpvmpsvtp             severity = 0..7)             set logging timestamp <enabledisable>             set logging buffer <buffer_size>            (buffer_size = 1..500)            (severity levels:                     emergencies(0), alerts(1), critical(2), errors(3),                     warnings(4), notifications(5), information(6),                     debugging(7)) 

Now let's evaluate whether IOS access lists and CBAC IDS are efficient at detecting and thwarting portscanning and OS fingerprinting attempts. We are going to use a Cisco 2611 router to illustrate the point. The relevant router security configuration fragments include all logging settings we have described, extended Access Control Lists (ACLs) that block invalid TCP packets, and basic CBAC IDS:

 ip audit protected 192.168.66.202      ip audit signature 1107 disable      ip audit name ironcurtain info action alarm      ip audit name ironcurtain attack action alarm      access-list 101 deny tcp any any fin syn log-input      access-list 101 deny tcp any any rst syn log-input      access-list 101 deny tcp any any fin rst log-input      access-list 101 deny tcp any any ack fin log-input      access-list 101 deny tcp any any ack psh log-input      access-list 101 deny tcp any any ack urg log-input      access-list 101 deny tcp any any fragments log-input      access-list 101 deny tcp any any log-input      access-list 101 deny udp any any fragments log-input      access-list 101 deny udp any any log-input      access-list 101 permit icmp any any echo-reply log-input      access-list 101 permit icmp any any unreachable log-input      access-list 101 permit icmp any any time-exceeded log-input      access-list 101 permit icmp any any echo log-input      access-list 101 deny icmp any any log-input       interface Ethernet0/0      ip address 192.168.66.202 255.255.255.0      ip access-group 101 in      ip audit ironcurtain in 

We use only the CBAC IDS to log the attack attempts. Signature 1107 is disabled since we are using RFC 1918 addresses. For the purposes of this example, all TCP and UDP connections to the router are explicitly denied, but pings , ping replies, ICMP unreach-able, and ICMP time-exceeded packets are permitted. To dissect the process of detection, we have enabled the IDS first without adding ip access-group 101 in to the inter-face and recorded all log messages:

 arhontus#nmap -sT -vvv 192.168.66.202      048928: Dec 4 2004 16:56:25.450 GMT: %IDS-4-ICMP_ECHO_SIG: Sig:2004:ICMP        Echo Request - from 192.168.77.5 to 192.168.66.202      arhontus#nmap -sT -vvv -O 192.168.66.202      048923: Dec 4 2004 16:54:02.208 GMT: %IDS-4-ICMP_ECHO_SIG: Sig:2004:ICMP      Echo Request - from 192.168.77.5 to 192.168.66.202      048924: Dec 4 2004 16:54:35.188 GMT: %IDS-4-TCP_NO_FLAGS_SIG: Sig:3040:TCP        - No bits set in flags - from 192.168.77.5 to 192.168.66.202      048925: Dec 4 2004 16:54:35.192 GMT: %IDS-4-TCP_SYN_FIN_SIG: Sig:3041:TCP -      SYN and FIN bits set - from 192.168.77.5 to 192.168.66.202      048926: Dec 4 2004 16:54:35.192 GMT: %IDS-4-TCP_FIN_ONLY_SIG: Sig:3042:TCP        - FIN bit with no ACK bit in flags - from 192.168.77.5 to 192.168.66.202 

Exactly the same log messages were seen with SYN scans. Since the Nmap finger-printing mechanism ( -O ) is the same for different Nmap scan types, this option was omitted in the future scans to avoid message repetition.

 arhontus#nmap -sN -vvv 192.168.66.202      048932: Dec 4 2004 17:01:04.928 GMT: %IDS-4-ICMP_ECHO_SIG: Sig:2004:ICMP         Echo Request - from 192.168.77.5 to 192.168.66.202      048933: Dec 4 2004 17:01:31.901 GMT: %IDS-4-TCP_NO_FLAGS_SIG: Sig:3040:TCP         - No bits set in flags - from 192.168.77.5 to 192.168.66.202      048934: Dec 4 2004 17:02:01.904 GMT: %IDS-4-TCP_NO_FLAGS_SIG: Sig:3040:TCP         - No bits set in flags - from 192.168.77.5 to 192.168.66.202      arhontus#nmap -sF -vvv 192.168.66.202      048935: Dec 4 2004 17:03:31.046 GMT: %IDS-4-ICMP_ECHO_SIG: Sig:2004:ICMP         Echo Request - from 192.168.77.5 to 192.168.66.202      048936: Dec 4 2004 17:03:31.146 GMT: %IDS-4-TCP_FIN_ONLY_SIG: Sig:3042:TCP         - FIN bit with no ACK bit in flags - from 192.168.77.5 to 192.168.66.202      048937: Dec 4 2004 17:04:01.197 GMT: %IDS-4-TCP_FIN_ONLY_SIG: Sig:3042:TCP         - FIN bit with no ACK bit in flags - from 192.168.77.5 to 192.168.66.202      arhontus#nmap -sX -vvv 192.168.66.202      048938: Dec 4 2004 17:05:28.853 GMT: %IDS-4-ICMP_ECHO_SIG: Sig:2004:ICMP         Echo Request - from 192.168.77.5 to 192.168.66.202      048939: Dec 4 2004 17:05:28.957 GMT: %IDS-4-TCP_FIN_ONLY_SIG: Sig:3042:TCP         - FIN bit with no ACK bit in flags - from 192.168.77.5 to 192.168.66.202      048940: Dec 4 2004 17:05:58.971 GMT: %IDS-4-TCP_FIN_ONLY_SIG: Sig:3042:TCP         - FIN bit with no ACK bit in flags - from 192.168.77.5 to 192.168.66.202       arhontus#nmap -sA -vvv 192.168.66.202      048946: Dec 4 2004 17:09:10.378 GMT: %IDS-4-ICMP_ECHO_SIG: Sig:2004:ICMP         Echo Request - from 192.168.77.5 to 192.168.66.202      arhontus#nmap -sW -vvv 192.168.66.202      048947: Dec 4 2004 17:10:06.076 GMT: %IDS-4-ICMP_ECHO_SIG: Sig:2004:ICMP         Echo Request - from 192.168.77.5 to 192.168.66.202      arhontus#nmap -sO -vvv 192.168.66.202      048948: Dec 4 2004 17:14:21.074 GMT: %IDS-4-ICMP_ECHO_SIG: Sig:2004:ICMP         Echo Request - from 192.168.77.5 to 192.168.66.202      048949: Dec 4 2004 17:14:21.174 GMT: %IDS-4-IP_UNKNOWN_PROTO_SIG:      Sig:1101:Unknown IP Protocol - from 192.168.77.5 to 192.168.66.202      048950: Dec 4 2004 17:14:23.910 GMT: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps:      rec'd IPSEC packet has invalid spi for      destaddr=192.168.66.202, prot=50, spi=0x0(0), srcaddr=192.168.77.5      048951: Dec 4 2004 17:14:25.661 GMT: %OSPF-4-BADLENGTH: Invalid length 0 in      OSPF packet type 0 from 192.168.77.5 (ID 0.0.0.0), Ethernet0/0      048952: Dec 4 2004 17:14:26.298 GMT: %IDS-4-TCP_NO_FLAGS_SIG: Sig:3040:TCP         - No bits set in flags - from 192.168.77.5 to 192.168.66.202      048953: Dec 4 2004 17:14:26.947 GMT: %IDS-4-UDP_IOS_BOMB_SIG: Sig:4600:UDP      IOS Bomb - from 192.168.77.5 to 192.168.66.202      048954: Dec 4 2004 17:14:27.376 GMT: %IDS-4-ICMP_ECHO_REPLY_SIG:      Sig:2000:ICMP Echo Reply - from 192.168.77.5 to 192.168.66.202      arhontus#nmap -sU -vvv 192.168.66.202      048955: Dec 4 2004 17:15:35.247 GMT: %IDS-4-ICMP_ECHO_SIG: Sig:2004:ICMP         Echo Request - from 192.168.77.5 to 192.168.66.202      048956: Dec 4 2004 17:15:35.351 GMT: %IDS-4-UDP_IOS_BOMB_SIG: Sig:4600:UDP      IOS Bomb - from 192.168.77.5 to 192.168.66.202      048957: Dec 4 2004 17:16:05.365 GMT: %IDS-4-UDP_IOS_BOMB_SIG: Sig:4600:UDP      IOS Bomb - from 192.168.77.5 to 192.168.66.202 

As you can see, only the initial ping was detected with plain full-connect and SYN scans, and if we ran those scans with the -P0 option, they would have gone unmen-tioned. With CBAC, it is possible to add additional configuration-detecting SYN scans via a number of incomplete TCP connections using the ip inspect tcp max-incom-plete command set.

Detection of full-connect scans, though, presents a problem. ACK and Window TCP scans also slip in undetected, which is not good news. NULL, FIN, and XMAS scans are detected, but there are no means to distinguish FIN and XMAS in logs. To the contrary, the supported protocols scan ( -sO ) leaves an easy-to-spot, telltale signature. A UDP scan is detected and flagged as a UDP DoS attack (UDP IOS Bomb).

Now let's have a look at the Xprobe:

 arhontus#xprobe2 -v -c /etc/xprobe2.conf -p tcp:23:open 192.168.66.202      048958: Dec 4 2004 17:21:42.942 GMT: %IDS-4-ICMP_ECHO_SIG: Sig:2004:ICMP         Echo Request - from 192.168.77.5 to 192.168.66.202      048959: Dec 4 2004 17:21:43.227 GMT: %IDS-4-ICMP_TIME_SIG: Sig:2007:ICMP      Timestamp Request - from 192.168.77.5 to 192.168.66.202      048960: Dec 4 2004 17:21:43.227 GMT: %IDS-4-ICMP_MASK_SIG: Sig:2011:ICMP      Address Mask Request - from 192.168.77.5 to 192.168.66.202      048961: Dec 4 2004 17:21:43.231 GMT: %IDS-4-ICMP_INFO_SIG: Sig:2009:ICMP      Information Request - from 192.168.77.5 to 192.168.66.202 

Exactly the same signature set is seen when a closed TCP port is supplied.

 arhontus#xprobe2 -v -c /etc/xprobe2.conf -p udp:161:open 192.168.66.202      048970: Dec 4 2004 17:42:12.117 GMT: %IDS-4-ICMP_ECHO_SIG: Sig:2004:ICMP          Echo Request - from 192.168.77.5 to 192.168.66.202      048971: Dec 4 2004 17:42:12.126 GMT: %IDS-4-UDP_IOS_BOMB_SIG: Sig:4600:UDP          IOS Bomb - from 192.168.77.5 to 192.168.66.202      048972: Dec 4 2004 17:42:22.126 GMT: %IDS-4-ICMP_TIME_SIG: Sig:2007:ICMP          Timestamp Request - from 192.168.77.5 to 192.168.66.202      048973: Dec 4 2004 17:42:22.130 GMT: %IDS-4-ICMP_MASK_SIG: Sig:2011:ICMP          Address Mask Request - from 192.168.77.5 to 192.168.66.202      048974: Dec 4 2004 17:42:22.142 GMT: %IDS-4-ICMP_INFO_SIG: Sig:2009:ICMP          Information Request - from 192.168.77.5 to 192.168.66.202 

Just as well, the same signature is seen when a closed UDP port is supplied. The se-quence of ICMP packets received appears to be rather typical for the tool. In addition, when UDP probes are used a flood is detected. Unfortunately, when Xprobe v1 was run against the router, no alarms were triggered.

The final step is to enable the extended ACLs on the interface ( ip access-group 101 in ) and rerun the tests. Now we can spot both full-connect and SYN scans by ob-serving a long list of denied connections:

 arhontus#nmap -sT -vvv 192.168.66.202      049300: Dec 4 2004 23:43:35.354 GMT: %IDS-4-ICMP_ECHO_SIG: Sig:2004:ICMP         Echo Request - from 192.168.77.5 to 192.168.66.202      049301: Dec 4 2004 23:43:35.358 GMT: %SEC-6-IPACCESSLOGP: list 101 denied         tcp 192.168.77.5(46096) (Ethernet0/0 0002.b365.bd03) -> 192.168.66.202(80),         1 packet      049302: Dec 4 2004 23:43:36.572 GMT: %SEC-6-IPACCESSLOGP: list 101 denied         tcp 192.168.77.5(56722) (Ethernet0/0 0002.b365.bd03) -> 192.168.66.202(23),         1 packet      049303: Dec 4 2004 23:43:37.573 GMT: %SEC-6-IPACCESSLOGP: list 101 denied         tcp 192.168.77.5(56822) (Ethernet0/0 0002.b365.bd03) ->         192.168.66.202(3306), 1 packet      049304: Dec 4 2004 23:43:38.583 GMT: %SEC-6-IPACCESSLOGP: list 101 denied         tcp 192.168.77.5(56922) (Ethernet0/0 0002.b365.bd03) -> 192.168.66.202(39),         1 packet      049305: Dec 4 2004 23:43:39.585 GMT: %SEC-6-IPACCESSLOGP: list 101 denied         tcp 192.168.77.5(57022) (Ethernet0/0 0002.b365.bd03) ->         192.168.66.202(828), 1 packet      049306: Dec 4 2004 23:43:40.586 GMT: %SEC-6-IPACCESSLOGP: list 101 denied         tcp 192.168.77.5(57126) (Ethernet0/0 0002.b365.bd03) ->         192.168.66.202(27001), 1 packet      049307: Dec 4 2004 23:43:41.592 GMT: %SEC-6-IPACCESSLOGP: list 101 denied         tcp 192.168.77.5(57222) (Ethernet0/0 0002.b365.bd03) ->         192.168.66.202(784), 1 packet      <snip> 

Note that the packets are sent from random high ports to random ports on a router.

 arhontus# nmap -sS -vvv 192.168.66.202      049318: Dec 4 2004 23:45:15.915 GMT: %IDS-4-ICMP_ECHO_SIG: Sig:2004:ICMP         Echo Request - from 192.168.77.5 to 192.168.66.202      049319: Dec 4 2004 23:45:15.919 GMT: %SEC-6-IPACCESSLOGDP: list 101          permitted icmp 192.168.77.5 (Ethernet0/0 0002.b365.bd03) -> 192.168.66.202 (8/0), 1 packet      049320: Dec 4 2004 23:45:17.125 GMT: %SEC-6-IPACCESSLOGP: list 101 denied         tcp 192.168.77.5(58923) (Ethernet0/0 0002.b365.bd03) ->         192.168.66.202(22), 1 packet      049321: Dec 4 2004 23:45:18.191 GMT: %SEC-6-IPACCESSLOGP: list 101 denied         tcp 192.168.77.5(58923) (Ethernet0/0 0002.b365.bd03) ->         192.168.66.202(22305), 1 packet      049322: Dec 4 2004 23:45:19.261 GMT: %SEC-6-IPACCESSLOGP: list 101 denied         tcp 192.168.77.5(58923) (Ethernet0/0 0002.b365.bd03) ->         192.168.66.202(1530), 1 packet      049323: Dec 4 2004 23:45:20.262 GMT: %SEC-6-IPACCESSLOGP: list 101 denied         tcp 192.168.77.5(58922) (Ethernet0/0 0002.b365.bd03) ->         192.168.66.202(450), 1 packet      049324: Dec 4 2004 23:45:21.300 GMT: %SEC-6-IPACCESSLOGP: list 101 denied         tcp 192.168.77.5(58922) (Ethernet0/0 0002.b365.bd03) ->         192.168.66.202(18187), 1 packet      049325: Dec 4 2004 23:45:22.322 GMT: %SEC-6-IPACCESSLOGP: list 101 denied         tcp 192.168.77.5(58923) (Ethernet0/0 0002.b365.bd03) ->         192.168.66.202(336), 1 packet      049326: Dec 4 2004 23:45:23.327 GMT: %SEC-6-IPACCESSLOGP: list 101 denied         tcp 192.168.77.5(58923) (Ethernet0/0 0002.b365.bd03) ->         192.168.66.202(1529), 1 packet 

While both scans look very similar, only two high source ports (58922 and 58923) are in use when the SYN scan is running. If we rerun the scan, the source ports would be different, but still only two of them will exist. This was applied to two different versions of Nmap tested, namely 3.75 and 3.45. It provides a clear distinction between Nmap full-connect and half-connect TCP scans in router logs. Looking into the further scan types, it is clear that the "only-two-high-source-ports phenomenon" also applies to NULL, FIN, XMAS, ACK, and Window Nmap scans. Of these scans, NULL, FIN, and XMAS are go-ing to be picked up by the IDS (signatures 3040 and 3042). NULL scans are not going to show up in the ACL logs, but you are likely to see the %SEC-6-IPACCESSLOGRL: ac-cess-list logging rate-limited or missed X packets message, common for all portscans. ACK and Window scans, however, can be confused with half-connects; so to distinguish between ACK, Window, and SYN or between FIN and XMAS scans, you will have to look at the packets using the debug ip packet <appropriate ACL number> <detail> command.

How about UDP scans? The log messages look quite similar to what we saw before with IDS alone:

 049221: Dec 4 2004 20:16:52.402 GMT: %IDS-4-ICMP_ECHO_SIG: Sig:2004:ICMP         Echo Request - from 192.168.77.5 to 192.168.66.202      049222: Dec 4 2004 20:16:52.410 GMT: %SEC-6-IPACCESSLOGP: list 101 denied         tcp 192.168.77.5(35650) (Ethernet0/0 0002.b365.bd03) -> 192.168.66.202(80),         1 packet      049223: Dec 4 2004 20:16:52.506 GMT: %IDS-4-UDP_IOS_BOMB_SIG: Sig:4600:UDP         IOS Bomb - from 192.168.77.5 to 192.168.66.202      049224: Dec 4 2004 20:16:59.654 GMT: %SEC-6-IPACCESSLOGRL: access-list         logging rate-limited or missed 4 packets      049225: Dec 4 2004 20:17:22.508 GMT: %IDS-4-UDP_IOS_BOMB_SIG: Sig:4600:UDP         IOS Bomb - from 192.168.77.5 to 192.168.66.202 

Nevertheless, note the additional line showing the TCP ping to port 80. This line opens all Nmap portscans following an ICMP ping. But since there are no more TCP packets to send, it stands out like a sore thumb when a UDP scan is detected.

To dot the i , lets have a look at Xprobe detection and its blocking by the current router settings:

 arhontus# xprobe2 -v -c /etc/xprobe2.conf -p tcp:23:open 192.168.66.202      [+] Primary guess:[+] Host 192.168.66.202 Running OS: "HP UX 11.0i" (Guess        probability: 38%)      [+] Other guesses:      [+] Host 192.168.66.202 Running OS: "Linux Kernel 2.4.4" (Guess probability: 35%)      [+] Host 192.168.66.202 Running OS: "Cisco IOS 12.2" (Guess probability: 35%)      [+] Host 192.168.66.202 Running OS: "Cisco IOS 12.0" (Guess probability: 35%)      [+] Host 192.168.66.202 Running OS: "Cisco IOS 11.3" (Guess probability: 35%)      [+] Host 192.168.66.202 Running OS: "Cisco IOS 11.2" (Guess probability: 35%)      [+] Host 192.168.66.202 Running OS: "Cisco IOS 11.1" (Guess probability: 35%)      [+] Host 192.168.66.202 Running OS: "Linux Kernel 2.4.3" (Guess probability: 35%)      [+] Host 192.168.66.202 Running OS: "Linux Kernel 2.4.2" (Guess probability: 35%)      [+] Host 192.168.66.202 Running OS: "Linux Kernel 2.4.1" (Guess probability: 35%) 

Router logs:

 049240: Dec 4 2004 20:21:47.046 GMT: %IDS-4-ICMP_ECHO_SIG: Sig:2004:ICMP         Echo Request - from 192.168.77.5 to 192.168.66.202      049241: Dec 4 2004 20:21:47.050 GMT: %SEC-6-IPACCESSLOGP: list 101 denied         tcp 192.168.77.5(16756) (Ethernet0/0 0002.b365.bd03) -> 192.168.66.202(23),         1 packet      049242: Dec 4 2004 20:21:59.924 GMT: %SEC-6-IPACCESSLOGDP: list 101         permitted icmp 192.168.77.5 (Ethernet0/0 0002.b365.bd03) -> 192.168.66.202         (0/0), 1 packet      049243: Dec 4 2004 20:21:59.928 GMT: %SEC-6-IPACCESSLOGDP: list 101         permitted icmp 192.168.77.5 (Ethernet0/0 0002.b365.bd03) -> 192.168.66.202         (8/0), 3 packets      049244: Dec 4 2004 20:21:59.928 GMT: %SEC-6-IPACCESSLOGP: list 101 denied         tcp 192.168.77.5(39868) (Ethernet0/0 0002.b365.bd03) -> 192.168.66.202(80),         1 packet      049245: Dec 4 2004 20:22:00.281 GMT: %IDS-4-ICMP_TIME_SIG: Sig:2007:ICMP         Timestamp Request - from 192.168.77.5 to 192.168.66.202      049246: Dec 4 2004 20:22:00.285 GMT: %IDS-4-ICMP_MASK_SIG: Sig:2011:ICMP         Address Mask Request - from 192.168.77.5 to 192.168.66.202      049247: Dec 4 2004 20:22:00.297 GMT: %IDS-4-ICMP_INFO_SIG: Sig:2009:ICMP         Information Request - from 192.168.77.5 to 192.168.66.202049248: Dec 4         2004 20:26:00.133 GMT: %SEC-6-IPACCESSLOGP: list 101 denied tcp         192.168.77.5(15273) (Ethernet0/0 0002.b365.bd03) -> 192.168.66.202(65535),         1 packet      049249: Dec 4 2004 20:26:00.137 GMT: %SEC-6-IPACCESSLOGDP: list 101         permitted icmp 192.168.77.5 (Ethernet0/0 0002.b365.bd03) -> 192.168.66.202         (8/123), 2 packets      049250: Dec 4 2004 20:26:00.137 GMT: %SEC-6-IPACCESSLOGP: list 101 denied         tcp 192.168.77.5(20139) (Ethernet0/0 0002.b365.bd03) -> 192.168.66.202(23),         1 packet      049251: Dec 4 2004 20:28:00.235 GMT: %SEC-6-IPACCESSLOGP: list 101 denied         tcp 192.168.77.5(50273) (Ethernet0/0 0002.b365.bd03) -> 192.168.66.202(23),         1 packet       049252: Dec 4 2004 20:28:00.239 GMT: %SEC-6-IPACCESSLOGP: list 101 denied         tcp 192.168.77.5(50273) (Ethernet0/0 0002.b365.bd03) ->         192.168.66.202(65535), 1 packet      049253: Dec 4 2004 20:28:00.239 GMT: %SEC-6-IPACCESSLOGP: list 101 denied         tcp 192.168.77.5(2711) (Ethernet0/0 0002.b365.bd03) ->         192.168.66.202(23),         1 packet      arhontus#xprobe2 -v -c /etc/xprobe2.conf -p tcp:22:closed 192.168.66.202[+]         Primary guess:      [+] Host 192.168.66.202 Running OS: "HP UX 11.0i" (Guess probability: 38%)      [+] Other guesses:      [+] Host 192.168.66.202 Running OS: "Linux Kernel 2.4.4" (Guess probability: 35%)      [+] Host 192.168.66.202 Running OS: "Cisco IOS 12.2" (Guess probability: 35%)      [+] Host 192.168.66.202 Running OS: "Cisco IOS 12.0" (Guess probability: 35%)      [+] Host 192.168.66.202 Running OS: "Cisco IOS 11.3" (Guess probability: 35%)      [+] Host 192.168.66.202 Running OS: "Cisco IOS 11.2" (Guess probability: 35%)      [+] Host 192.168.66.202 Running OS: "Cisco IOS 11.1" (Guess probability: 35%)      [+] Host 192.168.66.202 Running OS: "Linux Kernel 2.4.3" (Guess probability: 35%)      [+] Host 192.168.66.202 Running OS: "Linux Kernel 2.4.2" (Guess probability: 35%)      [+] Host 192.168.66.202 Running OS: "Linux Kernel 2.4.1" (Guess probability: 35%) 

Router logs:

 049697: Dec 5 2004 01:27:43.795 GMT: %SEC-6-IPACCESSLOGP: list 101 denied         tcp 192.168.77.5(2895) (Ethernet0/0 0002.b365.bd03) -> 192.168.66.202(22),         1 packet      049698: Dec 5 2004 01:27:55.975 GMT: %SEC-6-IPACCESSLOGP: list 101 denied         tcp 192.168.77.5(39086) (Ethernet0/0 0002.b365.bd03) -> 192.168.66.202(22),         1 packet      049699: Dec 5 2004 01:27:56.011 GMT: %IDS-4-ICMP_TIME_SIG: Sig:2007:ICMP         Timestamp Request - from 192.168.77.5 to 192.168.66.202      049700: Dec 5 2004 01:27:56.019 GMT: %IDS-4-ICMP_MASK_SIG: Sig:2011:ICMP         Address Mask Request - from 192.168.77.5 to 192.168.66.202      049701: Dec 5 2004 01:27:56.027 GMT: %IDS-4-ICMP_INFO_SIG: Sig:2009:ICMP         Information Request - from 192.168.77.5 to 192.168.66.202      049702: Dec 5 2004 01:28:16.069 GMT: %SEC-6-IPACCESSLOGP: list 101 denied         tcp 192.168.77.5(57464) (Ethernet0/0 0002.b365.bd03) -> 192.168.66.202(20),         1 packet      049703: Dec 5 2004 01:28:16.073 GMT: %SEC-6-IPACCESSLOGDP: list 101 permitted icmp      192.168.77.5 (Ethernet0/0 0002.b365.bd03) -> 192.168.66.202 (8/0), 3 packets      049704: Dec 5 2004 01:28:16.073 GMT: %SEC-6-IPACCESSLOGDP: list 101         permitted icmp 192.168.77.5 (Ethernet0/0 0002.b365.bd03) -> 192.168.66.202         (8/123), 2 packets      049705: Dec 5 2004 01:28:16.073 GMT: %SEC-6-IPACCESSLOGP: list 101 denied         tcp 192.168.77.5(59382) (Ethernet0/0 0002.b365.bd03) ->         192.168.66.202(65535), 1 packet      049706: Dec 5 2004 01:30:16.180 GMT: %SEC-6-IPACCESSLOGP: list 101 denied         tcp 192.168.77.5(62548) (Ethernet0/0 0002.b365.bd03) ->         192.168.66.202(65535), 1 packet       049707: Dec 5 2004 01:30:16.184 GMT: %SEC-6-IPACCESSLOGP: list 101 denied         tcp 192.168.77.5(23964) (Ethernet0/0 0002.b365.bd03) -> 192.168.66.202(23),         1 packet      049708: Dec 5 2004 01:33:16.331 GMT: %SEC-6-IPACCESSLOGP: list 101 denied         tcp 192.168.77.5(39086) (Ethernet0/0 0002.b365.bd03) -> 192.168.66.202(22),         1 packet      049709: Dec 5 2004 01:33:16.335 GMT: %SEC-6-IPACCESSLOGP: list 101 denied         tcp 192.168.77.5(36385) (Ethernet0/0 0002.b365.bd03) ->         192.168.66.202(65535), 1 packet      arhontus#xprobe2 -v -c /etc/xprobe2.conf -p udp:22:closed 192.168.66.202[+]         Primary guess:      [+] Host 192.168.66.202 Running OS: "HP UX 11.0i" (Guess probability: 38%)      [+] Other guesses:      [+] Host 192.168.66.202 Running OS: "Linux Kernel 2.4.4" (Guess probability: 35%)      [+] Host 192.168.66.202 Running OS: "Cisco IOS 12.2" (Guess probability: 35%)      [+] Host 192.168.66.202 Running OS: "Cisco IOS 12.0" (Guess probability: 35%)      [+] Host 192.168.66.202 Running OS: "Cisco IOS 11.3" (Guess probability: 35%)      [+] Host 192.168.66.202 Running OS: "Cisco IOS 11.2" (Guess probability: 35%)      [+] Host 192.168.66.202 Running OS: "Cisco IOS 11.1" (Guess probability: 35%)      [+] Host 192.168.66.202 Running OS: "Linux Kernel 2.4.3" (Guess probability: 35%)      [+] Host 192.168.66.202 Running OS: "Linux Kernel 2.4.2" (Guess probability: 35%)      [+] Host 192.168.66.202 Running OS: "Linux Kernel 2.4.1" (Guess probability: 35%) 

Router logs:

 049710: Dec 5 2004 01:37:12.701 GMT: %IDS-4-ICMP_ECHO_SIG: Sig:2004:ICMP         Echo Request - from 192.168.77.5 to 192.168.66.202      049711: Dec 5 2004 01:37:12.705 GMT: %IDS-4-UDP_IOS_BOMB_SIG: Sig:4600:UDP         IOS Bomb - from 192.168.77.5 to 192.168.66.202      049712: Dec 5 2004 01:37:16.544 GMT: %SEC-6-IPACCESSLOGDP: list 101         permitted icmp 192.168.77.5 (Ethernet0/0 0002.b365.bd03) -> 192.168.66.202         (8/0), 1 packet      049713: Dec 5 2004 01:37:22.798 GMT: %SEC-6-IPACCESSLOGP: list 101 denied         tcp 192.168.77.5(60764) (Ethernet0/0 0002.b365.bd03) ->         192.168.66.202(65535), 1 packet      049714: Dec 5 2004 01:37:22.830 GMT: %IDS-4-ICMP_TIME_SIG: Sig:2007:ICMP         Timestamp Request - from 192.168.77.5 to 192.168.66.202      049715: Dec 5 2004 01:37:22.834 GMT: %IDS-4-ICMP_MASK_SIG: Sig:2011:ICMP         Address Mask Request - from 192.168.77.5 to 192.168.66.202      049716: Dec 5 2004 01:37:22.846 GMT: %IDS-4-ICMP_INFO_SIG: Sig:2009:ICMP         Information Request - from 192.168.77.5 to 192.168.66.202      049717: Dec 5 2004 01:38:16.597 GMT: %SEC-6-IPACCESSLOGDP: list 101         permitted icmp 192.168.77.5 (Ethernet0/0 0002.b365.bd03) -> 192.168.66.202         (8/123), 1 packet      arhontus#xprobe2 -v -c /etc/xprobe2.conf -p udp:161:open 192.168.66.202      [+] Primary guess:       [+] Host 192.168.66.202 Running OS: "HP UX 11.0i" (Guess probability: 38%)      [+] Other guesses:      [+] Host 192.168.66.202 Running OS: "Linux Kernel 2.4.4" (Guess probability: 35%)      [+] Host 192.168.66.202 Running OS: "Cisco IOS 12.2" (Guess probability: 35%)      [+] Host 192.168.66.202 Running OS: "Cisco IOS 12.0" (Guess probability: 35%)      [+] Host 192.168.66.202 Running OS: "Cisco IOS 11.3" (Guess probability: 35%)      [+] Host 192.168.66.202 Running OS: "Cisco IOS 11.2" (Guess probability: 35%)      [+] Host 192.168.66.202 Running OS: "Cisco IOS 11.1" (Guess probability: 35%)      [+] Host 192.168.66.202 Running OS: "Linux Kernel 2.4.3" (Guess probability: 35%)      [+] Host 192.168.66.202 Running OS: "Linux Kernel 2.4.2" (Guess probability: 35%)      [+] Host 192.168.66.202 Running OS: "Linux Kernel 2.4.1" (Guess probability: 35%) 

Router logs:

 049718: Dec 5 2004 01:40:32.009 GMT: %IDS-4-ICMP_ECHO_SIG: Sig:2004:ICMP         Echo Request - from 192.168.77.5 to 192.168.66.202      049719: Dec 5 2004 01:40:32.017 GMT: %IDS-4-UDP_IOS_BOMB_SIG: Sig:4600:UDP         IOS Bomb - from 192.168.77.5 to 192.168.66.202      049720: Dec 5 2004 01:40:42.022 GMT: %IDS-4-ICMP_TIME_SIG: Sig:2007:ICMP         Timestamp Request - from 192.168.77.5 to 192.168.66.202      049721: Dec 5 2004 01:40:42.026 GMT: %IDS-4-ICMP_MASK_SIG: Sig:2011:ICMP         Address Mask Request - from 192.168.77.5 to 192.168.66.202      049722: Dec 5 2004 01:40:42.038 GMT: %IDS-4-ICMP_INFO_SIG: Sig:2009:ICMP         Information Request - from 192.168.77.5 to 192.168.66.202      049723: Dec 5 2004 01:40:42.146 GMT: %SEC-6-IPACCESSLOGP: list 101 denied         tcp 192.168.77.5(10014) (Ethernet0/0 0002.b365.bd03) ->         192.168.66.202(65535), 1 packet      049724: Dec 5 2004 01:42:16.810 GMT: %SEC-6-IPACCESSLOGDP: list 101         permitted icmp 192.168.77.5 (Ethernet0/0 0002.b365.bd03) -> 192.168.66.202         (8/0), 1 packet      049725: Dec 5 2004 01:43:16.863 GMT: %SEC-6-IPACCESSLOGP: list 101 denied         tcp 192.168.77.5(60764) (Ethernet0/0 0002.b365.bd03) ->         192.168.66.202(65535), 1 packet      049726: Dec 5 2004 01:43:16.867 GMT: %SEC-6-IPACCESSLOGP: list 101 denied         tcp 192.168.77.5(23073) (Ethernet0/0 0002.b365.bd03) ->         192.168.66.202(65535), 1 packet      049727: Dec 5 2004 01:43:16.867 GMT: %SEC-6-IPACCESSLOGDP: list 101         permitted icmp 192.168.77.5 (Ethernet0/0 0002.b365.bd03) -> 192.168.66.202         (8/123), 1 packet 

The main conclusions from these tests are as follows :

  • The Xprobe fingerprinting capability is significantly decreased. The primary guess is never Cisco IOS and the guess probability is low.

  • Xprobe commonly sends TCP packets to port 65535 when fingerprinting.

  • It is easy to distinguish Xprobe TCP and UDP tests by the presence of signature 4600 and first TCP packets being sent to the open or closed port supplied to the tool prior to any ICMP probes.

We probably could have found more differences between the Xprobe modes but didn't dig any further, leaving this exciting task to all interested readers.

Unfortunately, Xprobe v1 tests again did not show in router logs.



Hacking Exposed Cisco Networks
Hacking Exposed Cisco Networks: Cisco Security Secrets & Solutions
ISBN: 0072259175
EAN: 2147483647
Year: 2005
Pages: 117

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net