An attacker who manages to take over a Cisco router can do quite a lot of damage. He can enumerate the network to which the router belongs, while avoiding detection by the system administrator for a while. Then he can launch further attacks using this router, or reconfigure it to pave the way for external traffic aimed at assuming control over other hosts on the network. Alternatively, a cracker can use the router to attack external targets, either directly from the router or by redirecting malicious traffic through it. Things are trickier when dealing with an "owned" switch that has no routing functionality. Of course, controlling such a switch goes a long way toward enumerating its network. But to continue the exploitation, the cracker will first have to take over some other host plugged into the switch. If he succeeds, the network will fall.
Probably the most interesting, if somewhat complex, part of this chapter is devoted to discussing the possibility of properly backdooring the overtaken device, either by patching its operating system or by abusing the TCL scripting functionality provided by IOS. While the former can lead to the creation of a truly stealthy IOS backdoor and to the dissemination of infected IOS image binaries through the Internet, the latter allows the cracker to launch exploit code, basic vulnerability scanners, and so on from an IOS host. The worst possibility to consider is a multifunctional IOS worm creeping through the Internet once TCL support on routers becomes both more complete and more widespread. Of course, these topics demand more time and space, but this is an ongoing project, so do expect additional information and code at the book's companion web site.
Finally, this is probably the first literature source to outline the basics of Cisco network device forensics. While the best recommendation is, of course, to avoid being hacked in the first place, sometimes things go wrong and you must act to correct your own or someone else's mistakes as much as possible. We expect that many readers are IT security consultants, and such correction is your bread and butter. If you belong to this category, you must know what to do when encountering a hacked Cisco device, since at some point you will inevitably encounter one in your everyday practice.