Part IV: Appendixes

Chapter List

Appendix A: Network Appliance Security Testing Template
Appendix B: Lab Router Interactive Cisco Auto Secure Configuration Example
Appendix C: Undocumented Cisco Commands
CASE STUDY: THE EPIC BATTLE

A long time ago on an Efnet server far, far away, two groups of script kiddies fought with each other to divide the power and presence of the 31337 skills on the Internet. The first group, CyberSw4gs, fought for the sake of dignity, fame, and 31337 packeteer skills and was very proud of every moment one of its members defaced a site or cracked into a poorly protected server. The other gang, Crypt0dUdz, was believed to be the best, the most elite gang in the whole Efnet galaxy, and always competed with CyberSw4gs in various hacking activities.

One shiny day, a bright little fellow from the CyberSw4gs massive, known by his mates as W1n-Manila, learned some wonderful news. His big brother, a computer science student at the local university who hung around Yahoo! chat sites and was known as slackerbourne, told him that the Internet was made up of not only Windows boxes, but actually comprised various fancy devices and gadgets that interlinked with one another to form a nice, little, hectic mesh of networks. W1n-Manila was shocked, as this news completely changed his whole view of the Net. He didn't know about the existence of Cisco Systems, a large company that made many of these fancy gadgets, which in turn passed the packets around from one place to another to reach their final destinations. That day, the little guy's life changed drastically. He realized that to be an "uber-h4x0r," he'd have to know much more about networks than the old familiar boxes running obsolete Windows versions.

The desire to be the best, the coolest hacker, the desire to be THE ONE, to show Crypt0dUdz who is "da real H4x0r" drove little W1n-Manila into the wilderness and truly dark depths of Google for more information. After spending a couple of months in front of his PC, he learned quite a bit. He found out what routers and switches are and what functions they perform on various networks. He found out how he could access these devices. Knowing all this, he decided to give it a try and find some Cisco routers to play with. Going to the Packetstorm security web site gave him some clues on how to find those mysterious creatures that help the Internet to exist, those devices that he read about on many sites and bulletins. His main objective was to find as many routers as possible and take them over to show that he could control and master a part of the Internet itself, not just some web server running for years without a single update. He desperately needed to control those routers to show that his group was the only group on the Net that had the real 31337 knowledge. W1n-Manila could feel fame approaching him; it was so close he could practically reach it with his thumb.

Meanwhile, the Crypt0dUdz were not wasting their time, as their members, armed with Home Edition Windows XP boxes, were sending thousands of SYN packets in every direction to find web servers that could later be defaced by the best cracker in their team. Every day, their frag count was increasing, giving Crypt0dUdz a considerable advantage over CyberSw4gs. Their lead in the silly cybergames did not last for long, though.

On a Thanksgiving morning, the leader of the Crypt0dUdz woke up with a bad feeling: his guts were telling him that something was not right. His routine check of the frag count on the group's web site proved that something was wrong. His web site was taking a long time to load and eventually timed out. What the heck! The first thoughts of a server takeover had crossed his mind. "This can't be right! My server has to be there as I've patched it only a week ago!" said Crypt0Warri0r, while opening up his xterm. He was the only one in the whole group with a bit of knowledge. Using Mandrake for more than six months had actually paid off, as he was learning new stuff on a daily basis. A ping command to his server showed timeouts, while the traceroute stopped at a strange hop: http://www.router3-cisco.dreamnet.some-example.org instead of his usual http://www.crypt0dudz-example.net . Nmapping the last hop showed strange output that he'd never seen before. What might this be? Crypt0Warri0r wondered angrily, while staring at the following output:

 Interesting ports on router3-cisco.dreamnet.some-example.org:
 Port       State       Service
 7/tcp      open        echo
 23/tcp     open        telnet
 79/tcp     open        finger
 2001/tcp   open        dc
 6001/tcp   open        X11:1
 Remote operating system guess: Cisco Router/Switch with IOS 12.2

He googled for Cisco and router to see millions of results indicating various devices made by Cisco Systems. How odd, he had thought, as he had never seen these in real life. He also noticed an open Telnet service, which gave him a clue to launch telnet http://www.router3-cisco.dreamnet.some-example.org . His jaw dropped and his eyes reddened as his worst nightmare became reality. This is what he saw:

 ++++++++++++++++++++++++++++++++++++++++++
 +         Welcome to the turf of         +
 +               CyberSw4gs               +
 +   All your routers are belong to us    +
 +      Our 31337 skillz are da best      +
 ++++++++++++++++++++++++++++++++++++++++++
 User Access Verification
 Password:

He desperately tried to wake up from this hell, but unfortunately this was the new dark reality. Not knowing what to do next, he e-mailed all the members of his gang to meet in the park downtown immediately.

W1n-Manila's networking knowledge had drastically improved, as he'd been unsociably reading and experimenting in the dark without a single glimpse at sunshine for more than a month. Over this time, the only thing that had connected him to the scary outside world was a pizza delivery guy from an Italian takeaway place down the road.

The Cisco scanning utility that he used to find a few thousand routers with default passwords had finished the third class A subnet. He was so happy to see so many routers that could be easily taken over; he remembered times when it had been difficult to find a single vulnerable server from thousands of nmap -iR scans. Searching through the generated vulnerable devices list, W1n-Manila realized that he'd just won the cracker lottery. All of his attempts to prove himself and the team to be the best had been realized, as he found out that one of the routers with guessable passwords had been responsible for providing connectivity for their enemy, the puny Crypt0dUdz group. "At last!" he shouted as he jumped around the room. "I am THE ONE! It's my destiny to free the CyberSw4gs from the shameful slavery of the Crypt0dUdz!" Not a single second of his time had been wasted as he effortlessly obtained enable access on the router just a hop away from his arch-enemy's grounds.

With a quick search on the Net, he was able to change the default password and the login message of the router, and write a standard access list that would block all packets destined to the enemy's web server. Within 20 minutes from the first login to the router, W1n-Manila had carefully crafted a bragging e-mail that would soon be sent to all of the members of his mega-31337 team. A few days later, with the help of his brother, most of the routers in his list had a similar login banner and a changed enable password. The greatest achievement of the CyberSw4gs had been carried out by W1n-Manila, the youngest member of the team, who was praised and worshiped by his mates.

The emergency meeting of Crypt0dUdz ended with an urgent agenda to bring back their beloved web server and avenge themselves and their scorched egos. This was not an easy task, as not so many members knew exactly what had happened and how their enemy managed to exploit those devices of which they had little knowledge. Their immediate actions were to research more about Cisco devices and contact their web server's hosting company.

A few days later, Crypt0Warri0r managed to find out what exactly had happened by making friends with an administrator of the hosting provider that had been responsible for their web site. The administrator realized his mistake of not changing the default passwords and corrected it without delay for all the routers for which he was responsible, thus bringing back the beloved team site. He also tipped Crypt0Warri0r that apart from the default passwords, many routers are administered via SNMP, a protocol developed to ease the mass administration of network devices, and that many of the devices had default or guessable community names with read/write permissions. This tip ended up being the way Crypt0Warri0r would gain advantage over the CyberSw4gs, who were so cheeky to attack laterally.

After spending a week studying the implementation of SNMP within the Cisco devices, Crypt0Warri0r and his team had managed to locate and claim back some of the routers that had been previously "0wn3d" by CyberSw4gs by changing the running configuration of the routers using guessable SNMP RW community names (including cable-docsis, ciscoworks2000, and tivoli) and exploiting the VACM vulnerability. To reconfigure these unfortunate devices, a pirated copy of CiscoWorks downloaded from one of the many peer-to-peer networks was employed. Even though some of the routers had been successfully overtaken from the competing group, that first Cisco-related attack of the CyberSw4gs had not been forgotten in the kids' hearts.
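The three weaknesses this case study turns on (no enable secret, guessable SNMP RW community strings, and unrestricted Telnet on the VTY lines) are all visible in a running configuration, so an administrator can catch them before anyone else does. The following audit script is an added example, not code from the book; the IOS config fragment and the WEAK_COMMUNITIES list are constructed for illustration.

```python
import re

# Constructed sample IOS running-config fragment (not from the book). It
# reproduces the weaknesses the case study describes: a reversible enable
# password, guessable RW community strings and an unrestricted Telnet VTY.
SAMPLE_CONFIG = """\
hostname router3-cisco
enable password cisco
snmp-server community public RO
snmp-server community cable-docsis RW
snmp-server community ciscoworks2000 RW 10
snmp-server community tivoli RW
line vty 0 4
 password cisco
 login
 transport input telnet
"""

# Community names the case study lists as guessable, plus the two classic defaults.
WEAK_COMMUNITIES = {"public", "private", "cable-docsis", "ciscoworks2000", "tivoli"}

# snmp-server community <name> RO|RW [<acl>]  (optional trailing standard ACL)
SNMP_RE = re.compile(r"^snmp-server community (\S+) (RO|RW)(?: (\S+))?")


def audit_ios_config(config: str) -> list[str]:
    """Return human-readable findings for weak management settings."""
    findings = []
    in_vty = saw_vty = vty_acl = False
    for line in config.splitlines():
        m = SNMP_RE.match(line)
        if m:
            name, mode, acl = m.groups()
            if name.lower() in WEAK_COMMUNITIES:
                findings.append(f"weak {mode} community '{name}'")
            if mode == "RW" and acl is None:
                findings.append(f"RW community '{name}' has no access-list")
        # 'line vty' opens an indented block; the next non-indented line ends it
        if line.startswith("line vty"):
            in_vty = saw_vty = True
        elif in_vty and not line.startswith(" "):
            in_vty = False
        if in_vty and line.strip().startswith("access-class"):
            vty_acl = True
        if in_vty and line.strip() == "transport input telnet":
            findings.append("VTY lines accept cleartext Telnet")
    if "enable secret" not in config:
        findings.append("no 'enable secret' configured")
    if saw_vty and not vty_acl:
        findings.append("VTY lines have no access-class")
    return findings
```

Run it over a real `show running-config` dump and an empty list means none of the checked weaknesses is present; any finding names the exact line to fix.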

Hacking Exposed Cisco Networks: Cisco Security Secrets & Solutions
ISBN: 0072259175
Year: 2005
Pages: 117
