A variety of methods can allow a script-kiddie type of attacker without any serious knowledge to take over a Cisco box. These methods are widely used on the modern Internet and lead to regular compromise of hundreds, if not thousands, of routers and switches. This chapter focuses primarily on password and Simple Network Management Protocol (SNMP) community guessing as well as searches for open Trivial File Transfer Protocol (TFTP) servers. This may not sound very exciting, but it is the most common approach used by remote attackers here and now, so it's important for you to know how to deal with such attacks.
An attacker can also wardial to search for routers with dial-in access. In addition, attackers often use easy lateral means for obtaining remote access to Cisco devices, such as password/community name sniffing, Telnet session hijacking, and man-in-the-middle attacks against the first version of Secure Shell Protocol (SSHv1). These methods are lateral, since they usually require that the attacker gain root-level access on some server or workstation in close proximity to the attacked Cisco machine.
The spread of cable and wireless networks makes these methods even more of a threat, since the attackers on such networks can use their own machines for the attacks. Alternatively, an attacker can be internal (a rogue employee) or can use some form of a rogue device to obtain local access to the network. We already discussed these possibilities when describing network enumeration via interior routing protocols.
Finally, flaws in older IOS versions allow easy remote exploitation of routers via the management web interface. All these simple and efficient Cisco cracking methods are discussed in this and the next chapter in great detail.