EXPLOITING TFTP SERVERS TO TAKE OVER CISCO HOSTS

Nearly every device in the Cisco product range has some form of support for TFTP, either deploying a server on itself or using a client version to connect to a remote one. TFTP is a simple but useful "old-timer" protocol that was developed at the dawn of the Internet. Its main usability lies in transferring files from one device to another, and that's where it takes its name Trivial FTP.

On a large network with lots of Cisco devices, you would frequently find at least one central TFTP server. Upon bootup , some Cisco devices would connect and load designated OS images or grab their config files. TFTP is great for central management of a large device pool, but what about its security?

From the security viewpoint, the biggest interest presents a potential of obtaining the config file from a TFTP server. As you most probably know, TFTP does not have an authentication mechanism, and the only security measures available are the perfect example of "security through obscurity," where an attacker must know the name of the file that resides on the TFTP server. Although this might sound easy, the catch is that you cannot request the directory/file listing on the server.

Enumerating TFTP Servers

Attack 

Popularity:

3

Simplicity:

9

Impact:

2

Risk Rating:

5

There are known difficulties with enumeration of the UDP-based services. One of the best tools specifically developed to try and solve the banner- grabbing problem is Amap by Van Hauser. However, it does not have the triggers to identify correctly the TFTP service running and reports it as unidentified port. The following example shows Amap output against Cisco 2611 running IOS 12.3(6):

 arhontus / # amap 192.168.66.202 -u 69      amap v4.7 (www.thc.org) started at 2005-03-01 00:19:24 - APPLICATION MAP mode      Unidentified ports: 192.168.66.202:69/udp (total 1).      amap v4.7 finished at 2005-03-01 00:19:30 

The older Cisco implementations of the TFTP server reply to any garbage sent to the port with OpCode "05" (error) and Error Code "0" (not defined see error message). The actual error message differs , because IOS 10/11 contains Error Message "Illegal operation," while Cisco Windows TFTP server replies with "Illegal TFTP operation".

The newer implementations, such as 12.x IOS, simply ignore improperly constructed TFTP requests , thus presenting a more challenging target.

You can obviously try connecting with a standard TFTP client, but to accommodate lazy human nature, we have automated and added this functionality in our favorite Cisco Torch. It sends out a properly constructed TFTP read request to a UDP port and will await for the OpCode 05 with ErrorCode "1" (file not found) to identify the running TFTP service:

 ###############################################################      #   Cisco Torch Mass Scanner                                  #      #   Because we need it...                                     #      #   http://www.arhont.com/index-5.html                        #      ###############################################################      List of targets contains 1 host(s)      16726:  Checking 192.168.20.30 ...      *** Found  TFTP server      --->      - All scans done. Cisco Torch Mass Scanner  -      ---> Exiting. 

Alternatively, you can employ a sample piece of Perl code that will do the same job in your own script:

 sub tftp_installed {      my $port = 69;   # TFTP port        my $retries=2;  # Retries       my $timeout=2; # UDP receiving Timeout 2 sec        my $file="Rand0mSTRING";       my $MAXLEN=2;  # Receive max length        my $op=01; # TFT opcode       my $mode = "netascii"; # TFT mode       my $pkt  = pack("n a* c a* c", $op, $file, 0, $mode, 0); # Build #TFTP "RRQ"packet       while ( $retries != 0) {                   my $sock = IO::Socket::INET->new(Proto => 'udp');                      # Open UDP socket            undef($treturn);                   undef ($rpkt);                    # Send TFTP "RRQ" read request                   send($sock,$pkt,0,pack_sockaddr_in($port,inet_aton($target)));              eval {          local $SIG{ALRM} = \&timed_out; # Handle timed out          alarm $timeout;            $sock->recv($rpkt, $MAXLEN); # Receive          close $sock;          alarm 0;      }  ;          $retries--;      @rets = split( //, $rpkt );      foreach $currentret (@rets) { $treturn .= ord($currentret); }            if ($treturn == "05" ) # If first 2 bytes Error opcode                                   # TFTP found                       {                      log_print("*** Found  TFTP server  \n", "c");                      return (1);                  }       }      } 

Sniffing Out Cisco Configuration Files

Attack 

Popularity:

10

Simplicity:

9

Impact:

10

Risk Rating:

10

Which possibilities are available? First of all, you can sniff out the config name if you are on the same network segment (ARP spoofing, switch CAM table flooding, wireless). Expanding the previous example of the Cisco devices grabbing the files from the TFTP server, you can even get the config "by accident " via broadcast traffic. An "idiot-proof" mechanism is built into the IOS, so if the administrator forgot to specify the address of the TFTP server explicitly, a router would obtain the IP address through BOOTP/DHCP and send the request for the config file to the broadcast address of the network to the UDP port 69, awaiting response from one of the servers ready to fulfill the request. You could simply wait with a tcpdump running until such event occurs or trigger it by launching a DoS attack against a router. The name of the file will be shown in the upcoming request:

 arhontus / # tcpdump -n -i eth0 port 69      23:39:34.142149 IP 192.168.30.25.34098 > 192.168.30.255.69: 25 RRQ       "2611b-config" netascii 

Providing that a sloppy administrator forgot to specify the name of the config file, a router would send requests to the network broadcast address querying the default config names , one after another. What stops you from pretending to be the legit TFTP server and serving the request before the legitimate server does?

Bruteforcing TFTP Servers to Snatch Configs

Attack 

Popularity:

8

Simplicity:

10

Impact:

10

Risk Rating:

9

If the waiting option is not the one to consider, and you don't care about staying stealthy and the possibility of leaving huge log files, you can revert to an active attack through bruteforcing the TFTP server for correct filenames. You know what type of files you are after and you also know the default names for these files as used by Cisco devices. The dictionary attack functionality against the TFTP server is also included in Cisco Torch. The default names for Cisco config files are already saved in the brutefile.txt , but you can generate more and add them if you want.

Run Cisco Torch and wait for it to go through the dictionary file. When the filename is found, the config will be automatically fetched and placed into the directory from which the tool was launched:

 arhontus / # perl cisco-torch.pl -g -j -b 192.168.30.20      <snip>      ###############################################################      #   Cisco Torch Mass Scanner                                  #      #   Because we need it...                                     #      #   http://www.arhont.com/index-5.html                        #      ###############################################################      List of targets contains 1 host(s)      17470:  Checking 192.168.30.20 ...      *** Found  TFTP server      *** Found  TFTP server remote filename : cisco-config      *** Fetch  TFTP remote file : cisco-config      ***Local file :192.168.30.20.cisco-config  download complete      --->      - All scans done. Cisco Torch Mass Scanner  -      ---> Exiting 

If you want to go through a large list of default names, check out another tool written during the process of compiling this chapter, tftp-brute.pl ( http://www.arhont.com/index-5.html at the moment), which runs a large number of parallel processes and does the job faster.

The most common Cisco router default config names are as follows :

 cisconet.cfg      router.cfg       ciscortr.cfg       ifIndex-table      router-config     startup-config   private-config     persistent-data 

Countermeasures Against TFTP- Related Attacks

Countermeasure 

The best way to avoid TFTP-related attacks is not to use TFTP at all. It can be successfully replaced with FTP and, in some fortunate cases, Secure FTP (SFTP). If you do need to employ TFTP because there are older appliances on your network, choose unguessable names for the configuration files stored on the TFTP server and restrict access to the server to those legitimate appliances only. You can do this using the firewalling capabilities of the host on which the TFTP server is running. In some cases, as with the SolarWinds TFTPd, basic access control functionality is built in to the server and should be used. Also, it is very unlikely that you need to use TFTP all the time and, therefore, keep the server up and running. Once the configuration or operation system file upload or download is finished, turn the TFTP server off.



Hacking Exposed Cisco Networks
Hacking Exposed Cisco Networks: Cisco Security Secrets & Solutions
ISBN: 0072259175
EAN: 2147483647
Year: 2005
Pages: 117

Similar book on Amazon

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net