This tome is written in the best tradition of the Hacking Exposed series. However, we've included a few differences, such as the way risk ratings are handled.
The topic of Cisco-related hacking isn't exactly the most researched topic. Many of the potential security threats and attack algorithms described here are little known or new and were discovered while writing this book. To do this, we assembled a small testing and research Cisco network consisting of three 2500 and two 2600 series routers, Catalyst 2950 and 5000 series switches, PIX 515E and PIX 501 firewalls, a 3000 series VPN concentrator, and an Aironet 1200 wireless access point. We also employed a couple of Gentoo and Debian Linux machines running Quagga and the various attack and network monitoring/analysis tools mentioned throughout the book. A maximum effort was made to test all the presented methods and techniques on this network. In addition, some of the published data is, of course, based on our hands-on experience as penetration testers, network security administrators, and architects.
Also, while working on the book, we discovered that the current arsenal of open source Cisco security auditing tools is rather limited, so we had to write some new tools and scripts to close those gaps and make the theoretical practical (an old L0pht motto, for those who don't remember). They are available under the GPL license at the book's companion web site, http://www.hackingexposedcisco.com, to anyone interested. The time for the entire project was restricted, and it was not possible to complete everything that was initially planned; thus, some of the code had to join the TODO list queue and will hopefully be finished by the time this book hits the shelves, or soon afterward. So do visit the site for updates, including new security tools and research observations.
A standard tried-and-tested Hacking Exposed format is used throughout this book:
This icon identifies specific penetration testing techniques and tools. The icon is followed by the technique or attack name and a traditional Hacking Exposed risk rating table:
So, why are exceptionally high Impact values supplied in some specific cases in Chapters 10 and 14? Imagine an attack that may lead to thousands of networks being compromised, or to large segments of the Internet losing connectivity or having their traffic redirected by crackers. Clearly, the impact of such an attack is much higher than gaining enable on a single host or redirecting and intercepting network traffic on a small LAN. At the same time, attacks of such scale are neither common nor easy to execute without a significant level of skill and knowledge. Thus, their Popularity and Simplicity values would be quite low, and even if the Impact value equals 10, the overall Risk Rating would come out lower than that of easier-to-execute attacks that do not present a fraction of the threat. Such a rating would not reflect the real-world situation, and the logical way to rectify this is to inflate the underrated Impact field value so that the overall Risk Rating is at, or at least close to, the maximum.
We have also used these visually enhanced icons to highlight specific details and suggestions where we deem it necessary:
Where appropriate, we have tried to provide different types of attack countermeasures for different Cisco platforms, not just the IOS routers. Such countermeasures can be full (upgrading the vulnerable software or using a more secure network protocol) or temporary (reconfiguring the device to shut down the vulnerable service, option, or protocol). We always recommend that you follow the full countermeasure solution; however, we do recognize that, due to hardware restrictions, this may not be possible every time. In such a situation, both temporary and incomplete countermeasures are better than nothing. An incomplete countermeasure is a safeguard that only slows down the attacker and can be bypassed; for example, a standard access list can be bypassed via IP spoofing, man-in-the-middle, and session hijacking attacks. In the book, we always state whether a countermeasure is incomplete and can be circumvented by crackers.
Out of respect for the reader's time, we have created a separate online resource specifically for the book. It contains the collection of new code mentioned in the book that is not available anywhere else. As for the rest of the utilities covered in the book, each has an annotated URL directing you to its home site. Should a maintainer stop supporting a utility, we will make the latest copy available at http://www.hackingexposedcisco.com, so you won't encounter a description of a nonexistent tool in the book. We also plan to post any relevant future observations and ideas on this web site.