Most Hacking Exposed books include sections devoted to what the attackers do after gaining full access to a system. Because each book in the series reviews different systems, this information is distributed among multiple corresponding chapters. In this book, we've condensed everything into this chapter, which examines routers, Catalyst switches, and PIX firewalls. We cover the topic from the most basic system reconfiguration, through intermediate sections such as traffic mirroring from a hacked router, up to the possibility of backdooring the IOS itself.
Many beginner crackers wonder, "What do I do with this router now that I have managed to guess the passwords or SNMP communities?" Then they end up using the router to pingflood a rival "crew" with whom they had a recent philosophic argument on IRC about the eternal dilemma of "who is more 31337?" The problem is that some system administrators also wonder, "What are the crackers going to do with this router or switch if they take it over remotely? Do a write erase? Well, this would be spotted immediately, and we have backups!" Or they may wonder how an attacker would preserve his or her access to the device. Again, many system administrators will say, "A cracker can always change the Cisco device passwords, add another account, or set up a RW SNMP community. But this is easy to see in the device configuration file, and even if the administrative access is blocked, there is always a console port, power button, and a break signal." Unfortunately, this way of thinking is incorrect, and underestimating the ability of your opponents is the worst security sin of all.
However incomplete it may be, this chapter aims to provide a variety of realistic answers to these crucial questions.