As stated in the introduction, the main focus of this book is methodology rather than description of security holes and related exploits, which are likely to be laughed at by the time the book hits the shelves. In Chapter 6, we covered all aspects of remote password-related attacks against various Cisco devices. Since the human factor will always be the weakest link, such tools, methods, and attacks will never go out of fashion. This chapter is about black box testing. That's it: no (or minimal) access to the attacked device, no debugger and strace (system call tracer), no core file dump, and throwing everything but the kitchen sink at the target to see whether we can get anywhere. In a sense, black box testing is similar to bruteforcing, but buffers and data input validation mechanisms are attacked instead of usernames and passwords. While the example vulnerabilities discovered this way come and go, the techniques and tools used to find such flaws remain relatively the same and only build upon the existing approach. Thus, we hope you will find the information presented here useful for years to come.
We also consider this chapter to sit somewhere between the mass scanning and password/community guessing described in the previous chapter and the proper device exploitation and exploit writing outlined in the next chapter. Mind that black box buffer smashing during an attack can only produce a denial-of-service (DoS) condition, and further research is needed to determine whether access to the device can be achieved via the discovered flaw. To the contrary, data input validation errors, such as long, malicious URLs fed to a remote web server, can lead to enable. Another high-threat condition that could be uncovered during black box testing is hidden backdoors present on the target system for a variety of reasons.
We cover all these situations using two example areas, namely exploiting Simple Network Management Protocol (SNMP), as opposed to simple community guessing, and web servers. Both running snmpd and httpd services are commonplace on all types of Cisco devices and are frequently scanned for and abused by crackers.