Testing Routers for Vulnerabilities


Firewalls and IDS devices are not the only devices on your network that you should be testing. You should also test routers, because without them, all communication between your networks is lost.

Test against the following services and features on your target routers:

  • Cisco Discovery Protocol (CDP)

  • HTTP service

  • Passwords

  • Routing protocols

CDP

CDP is a data link layer proprietary protocol that is enabled on Cisco routers and switches and can be used to discover information about neighboring Cisco devices. Through CDP, you can collect information about network layer addresses, the Cisco IOS Software version, and the platform type of neighboring Cisco devices.

Example 10-1 shows output from the show cdp neighbors detail command, which is executed on a Cisco router to reveal information about a neighboring Cisco device. The relevant portions are the device ID, the IP address, the platform, and the IOS version.

Example 10-1. show cdp neighbors detail Command Output
Router#show cdp neighbors detail
-------------------------
Device ID: RemoteRouter
Entry address(es):
  IP address: 192.168.12.5
Platform: cisco 1604R,  Capabilities: Router
Interface: Ethernet0,  Port ID (outgoing port): Ethernet0
Holdtime : 114 sec

Version :
Cisco Internetwork Operating System Software
IOS (tm) 1600 Software (C1600-sy-mz), Version 12.2(3)
Copyright 1986-2002 by Cisco Systems, Inc.

advertisement version: 2
Duplex: full

From this command output, you can determine the IP address (192.168.12.5), platform (1604), and Cisco IOS version (12.2(3)) of a neighboring device. CDP is not encrypted, and it does not have mechanisms for authentication between devices. A malicious hacker or penetration tester can connect a rogue router or switch and discover information about devices on your network.

CDP advertisements are sent every 60 seconds by default. Therefore, if you are testing a router or switch, you might need to wait before receiving information from the neighboring device.
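As an added example, not code from the book or from Cisco, the following Python builds a version-2 CDP advertisement carrying the same values as Example 10-1 and then decodes it the way any station on the segment could. The TLV layout (type/length/value with device ID 0x0001, addresses 0x0002, port ID 0x0003, capabilities 0x0004, version 0x0005, platform 0x0006, duplex 0x000B) is the documented CDP format; the source MAC address, the 180-second holdtime and the odd-length checksum handling are assumptions of this example. The point for a defender is that the only integrity field is a checksum anyone can recompute: a rogue device reads everything in the frame, and a forged advertisement is indistinguishable from a genuine one, which is why CDP is turned off globally (no cdp run) or per interface (no cdp enable) on ports facing untrusted equipment.

```python
import struct
from dataclasses import dataclass, field

CDP_MULTICAST = bytes.fromhex("01000ccccccc")            # destination MAC used by CDP
LLC_SNAP_CDP = bytes.fromhex("aaaa03" "00000c" "2000")    # LLC + SNAP: Cisco OUI, protocol 0x2000
TLV_DEVICE_ID, TLV_ADDRESSES, TLV_PORT_ID, TLV_CAPABILITIES = 0x0001, 0x0002, 0x0003, 0x0004
TLV_VERSION, TLV_PLATFORM, TLV_DUPLEX = 0x0005, 0x0006, 0x000B
CAPABILITY_BITS = {0x01: "Router", 0x02: "Trans-Bridge", 0x04: "Source-Route-Bridge",
                   0x08: "Switch", 0x10: "Host", 0x20: "IGMP", 0x40: "Repeater"}


def internet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum over the CDP header and TLVs. Assumption: an odd
    trailing byte is zero-padded (IOS handles odd lengths differently; not modelled)."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def tlv(tlv_type: int, value: bytes) -> bytes:
    return struct.pack("!HH", tlv_type, 4 + len(value)) + value     # length covers the 4-byte header


def build_cdp_frame(src_mac, device_id, ip, port_id, caps, version, platform, holdtime=180):
    """Assemble a CDP v2 advertisement the way a neighbouring device sends it."""
    addr_tlv = (struct.pack("!I", 1) + bytes([1, 1, 0xCC])            # one address, NLPID 0xCC = IPv4
                + struct.pack("!H", 4) + bytes(int(o) for o in ip.split(".")))
    body = (tlv(TLV_DEVICE_ID, device_id.encode()) + tlv(TLV_ADDRESSES, addr_tlv)
            + tlv(TLV_PORT_ID, port_id.encode()) + tlv(TLV_CAPABILITIES, struct.pack("!I", caps))
            + tlv(TLV_VERSION, version.encode()) + tlv(TLV_PLATFORM, platform.encode())
            + tlv(TLV_DUPLEX, b"\x01"))
    csum = internet_checksum(struct.pack("!BBH", 2, holdtime, 0) + body)
    payload = struct.pack("!BBH", 2, holdtime, csum) + body          # version 2, TTL, checksum
    return (CDP_MULTICAST + src_mac + struct.pack("!H", len(LLC_SNAP_CDP) + len(payload))
            + LLC_SNAP_CDP + payload)


@dataclass
class CdpNeighbor:
    device_id: str = ""
    addresses: list = field(default_factory=list)
    port_id: str = ""
    capabilities: list = field(default_factory=list)
    version: str = ""
    platform: str = ""
    holdtime: int = 0
    duplex: str = ""


def parse_addresses(value: bytes) -> list:
    count, off, out = struct.unpack("!I", value[:4])[0], 4, []
    for _ in range(count):
        plen = value[off + 1]
        proto = value[off + 2:off + 2 + plen]
        alen = struct.unpack("!H", value[off + 2 + plen:off + 4 + plen])[0]
        addr = value[off + 4 + plen:off + 4 + plen + alen]
        off += 4 + plen + alen
        out.append(".".join(map(str, addr)) if proto == b"\xcc" and alen == 4 else addr.hex())
    return out


def parse_cdp_frame(frame: bytes) -> CdpNeighbor:
    """Decode what any station on the segment can read from one CDP frame."""
    if frame[:6] != CDP_MULTICAST or frame[14:22] != LLC_SNAP_CDP:
        raise ValueError("not a CDP frame")
    length = struct.unpack("!H", frame[12:14])[0]
    payload = frame[22:14 + length]
    version, holdtime, _ = struct.unpack("!BBH", payload[:4])
    if version != 2 or internet_checksum(payload) != 0:       # a correct frame sums to zero
        raise ValueError("unsupported CDP version or bad checksum")
    n, off = CdpNeighbor(holdtime=holdtime), 4
    while off + 4 <= len(payload):
        t, l = struct.unpack("!HH", payload[off:off + 4])
        if l < 4 or off + l > len(payload):
            raise ValueError("malformed TLV")
        v = payload[off + 4:off + l]
        off += l
        if t == TLV_DEVICE_ID:
            n.device_id = v.decode(errors="replace")
        elif t == TLV_ADDRESSES:
            n.addresses = parse_addresses(v)
        elif t == TLV_PORT_ID:
            n.port_id = v.decode(errors="replace")
        elif t == TLV_CAPABILITIES:
            bits = struct.unpack("!I", v)[0]
            n.capabilities = [name for bit, name in CAPABILITY_BITS.items() if bits & bit]
        elif t == TLV_VERSION:
            n.version = v.decode(errors="replace")
        elif t == TLV_PLATFORM:
            n.platform = v.decode(errors="replace")
        elif t == TLV_DUPLEX:
            n.duplex = "full" if v == b"\x01" else "half"
    return n


# Constructed frame mirroring the values in Example 10-1 (source MAC is made up)
SAMPLE_FRAME = build_cdp_frame(
    src_mac=bytes.fromhex("00112233aabb"), device_id="RemoteRouter", ip="192.168.12.5",
    port_id="Ethernet0", caps=0x01,
    version="Cisco Internetwork Operating System Software\nIOS (tm) 1600 Software (C1600-sy-mz), Version 12.2(3)",
    platform="cisco 1604R")

if __name__ == "__main__":
    n = parse_cdp_frame(SAMPLE_FRAME)
    print(f"{n.device_id} ({n.platform}) {n.addresses} via {n.port_id}, {n.capabilities}, holdtime {n.holdtime}s")
    print(n.version.splitlines()[1])
```

Feeding the parser a frame captured on a mirror port works the same way; a frame with one flipped byte fails the checksum, but a frame rebuilt with a fresh checksum passes, which is the absence of authentication the text describes.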

A malicious hacker can also crash or reboot a router that is running a release of Cisco IOS Software earlier than 12.2(3) by sending a large number of CDP frames to the router. This is documented in the following Cisco security notice:

http://www.cisco.com/warp/public/707/cdp_issue.shtml

To send multiple CDP frames, you can use the Linux-based CDP Sender tool from the Phenoelit IRPAS package (http://www.phenoelit.de/irpas). The syntax to flood a device with CDP frames is as follows:

Linux#./cdp -i eth0 -n 100000 -l 1480 -r -v

These are the options in this command:

  • -i The interface on your computer that you want to send CDP frames out of. Typically, this is eth0.

  • -n The number of CDP frames you want to send. In this example, 100,000 frames are being sent.

  • -l The MTU size. For Ethernet networks, this should be set to 1480.

  • -r Randomize the device ID. Without this option, the router sees the same device identifier and ignores any subsequent frames after it receives the first frame.

  • -v Optional. This enables verbose output.

HTTP Service

You can manage a router in several ways:

  • Through remote terminal sessions (Telnet, SSH)

  • Through console sessions

  • Through remote network management stations using SNMP (such as CiscoWorks2000)

  • Through a web interface using the HTTP interface

With this last option, you access the router using the username of admin and the enable password. In Figure 10-1, you see the screen asking for authorization to access the web page.

Figure 10-1. HTTP Authentication


After you are authenticated, you can manage your router over the web. Figure 10-2 presents the web page on a Cisco 2500 series router after it is authenticated.

Figure 10-2. HTTP Router Interface


Certain Cisco IOS Software versions (see http://www.securityfocus.com/bid/2936 for a list of affected versions) have a vulnerability that enables you to bypass the authentication of the web interface. A malicious hacker can bypass authentication and still view the running configuration. By typing a specially crafted URL, you can access the configuration where the password is stored. After you have the password, you have full access. To bypass the authentication, type the following into your web browser:

http://ip address/level/99/exec/show/config

On vulnerable platforms, this returns a configuration like that shown in Figure 10-3.

Figure 10-3. Bypassing Authentication Screen


After you have the configuration, you can attempt to crack the password.

Password Cracking

Authenticating to Cisco routers can take several forms. At the most basic level, you can configure passwords for accessing privileged exec mode using the enable password or enable secret command. Table 10-1 points out the differences between the two.

Table 10-1. Comparison of the enable password and enable secret Commands

  Command                      Description
  enable password [password]   Password is stored in the configuration in clear text. Anyone who
                               has access to the configuration sees the password. Password can be
                               encrypted with type 7 encryption by entering the command
                               service password-encryption from the global configuration prompt.
  enable secret [password]     Password is encrypted in the configuration with type 5 encryption.


In Figure 10-3, an enable password has been encrypted by using the service password-encryption command. This is not a deterrent, however, because this password is easily cracked.

Passwords that are encrypted with the service password-encryption command are encrypted with type 5 encryption. Type 5 encryption uses MD5 hashing, which you cannot decrypt. Consider the following caveat, however: Cisco routers use the same variables in computing the hash in every implementation where the service password-encryption command is used. As a result, a malicious hacker can crack the password by hashing a list of candidate passwords with the same MD5 hashing algorithm and variables and then comparing each result with the hashed password from the configuration. If one of the candidates produces a match, the password is recovered.

Boson GetPass! (http://www.boson.com) is a utility that shows you just how easy it is to crack these passwords. When you paste in the encrypted password, GetPass! quickly returns the plaintext version of the password. Figure 10-4 shows the GetPass! utility.

Figure 10-4. Boson GetPass! Utility


After you have the password, you can attempt to Telnet or go via the web interface to gain full access to the router. When you are inside the router, you can shut down interfaces, reconfigure passwords, change your access control lists (ACLs), or modify the configuration of any dynamic routing protocols in use.

Modifying Routing Tables

Dynamic routing protocols such as Open Shortest Path First (OSPF) or Routing Information Protocol (RIP) allow your packets of data to travel from one network to another. Routing protocols help determine the path of the packet through the network without having to manually configure each path. Popular routing protocols include the following:

  • Interior Gateway Routing Protocol (IGRP)

  • Enhanced IGRP (EIGRP)

  • RIP

  • OSPF

  • Intermediate System-to-Intermediate System (IS-IS)

Note

For more information on how routing protocols operate, see CCNP Self-Study: Building Scalable Cisco Internetworks (BSCI), 2nd Edition and Optimal Routing Design, both from Cisco Press.


Routers exchange route information to learn of all available networks. From that information, an algorithm, such as the Dijkstra (OSPF, IS-IS), Bellman-Ford (RIP, IGRP), or DUAL (EIGRP) algorithm, is run. The routing algorithm determines the best path to each network according to the protocol's metric. Some routing protocols, such as RIP, use hop count, where the path that traverses the fewest routers is considered the best path. Other routing protocols, such as OSPF, consider the path with the fastest cumulative bandwidth. (OSPF actually factors the cost of each link, with cost being defined as 10^8/bandwidth.) The routing protocol enters the best path into the routing table, which the router uses to make routing decisions.

A direct correlation exists between the accuracy of your routing table and the stability of your networked environment. If your routing table is inaccurate, such as containing bogus entries, packets could end up being dropped as they are routed to invalid destinations. Dropped packets equate to user downtime, which nobody likes.

When performing a penetration test on a network, you should test to see if you can inject a bogus entry into the routing table of the corporation. This can be as easy as plugging in a router on the network and configuring it to inject routes, or using a utility such as Boson RIP Route Generator (http://www.boson.com).

Boson RIP Route Generator simulates a router on a network and allows you to inject fake networks and a hop count that you configure. Figure 10-5 shows the RIP Route Generator program along with the RIP networks that it has discovered.

Figure 10-5. Boson RIP Route Generator


Example 10-2 shows a sample routing table generated from the command show ip route rip.

Example 10-2. Before Running Boson RIP Route Generator
RIPRouter#show ip route rip
R    172.16.0.0/16 [120/1] via 10.2.2.100, 00:00:06, Serial1/3
     10.0.0.0/24 is subnetted, 3 subnets
R       10.3.3.0 [120/1] via 10.2.2.100, 00:00:06, Serial1/3
R       10.1.1.0 [120/1] via 10.2.2.100, 00:00:06, Serial1/3
R    192.168.1.0/24 [120/2] via 10.2.2.100, 00:00:06, Serial1/3
     192.168.2.0/28 is subnetted, 4 subnets
R       192.168.2.64 [120/1] via 192.168.2.18, 00:00:01, Serial1/0
                     [120/1] via 192.168.2.34, 00:00:01, Serial1/1
R    192.168.3.0/24 [120/2] via 10.2.2.100, 00:00:06, Serial1/3

Example 10-3 demonstrates what happens after injecting several new networks using Boson RIP Route Generator. These new networks are not legitimate networks, but fake networks sent to confuse the router.

Example 10-3. After Running Boson RIP Route Generator
RIPRouter#show ip route rip
R    192.168.120.0/24 [120/2] via 192.168.2.18, 00:00:06, Serial1/0
                      [120/2] via 192.168.2.34, 00:00:06, Serial1/1
R    192.168.150.0/24 [120/2] via 192.168.2.18, 00:00:06, Serial1/0
                      [120/2] via 192.168.2.34, 00:00:06, Serial1/1
R    192.168.180.0/24 [120/2] via 192.168.2.18, 00:00:06, Serial1/0
                      [120/2] via 192.168.2.34, 00:00:06, Serial1/1
R    192.168.110.0/24 [120/2] via 192.168.2.18, 00:00:06, Serial1/0
                      [120/2] via 192.168.2.34, 00:00:06, Serial1/1
R    192.168.130.0/24 [120/2] via 192.168.2.18, 00:00:06, Serial1/0
                      [120/2] via 192.168.2.34, 00:00:06, Serial1/1
R    192.168.160.0/24 [120/2] via 192.168.2.18, 00:00:06, Serial1/0
                      [120/2] via 192.168.2.34, 00:00:06, Serial1/1
     172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
R       172.16.0.0/16 [120/1] via 10.2.2.100, 00:00:25, Serial1/3
R    192.168.200.0/24 [120/2] via 192.168.2.18, 00:00:06, Serial1/0
                      [120/2] via 192.168.2.34, 00:00:06, Serial1/1
R    192.168.140.0/24 [120/2] via 192.168.2.18, 00:00:06, Serial1/0
                      [120/2] via 192.168.2.34, 00:00:06, Serial1/1
R    192.168.190.0/24 [120/2] via 192.168.2.18, 00:00:06, Serial1/0
                      [120/2] via 192.168.2.34, 00:00:06, Serial1/1
     10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
R       10.3.3.0/24 [120/1] via 10.2.2.100, 00:00:25, Serial1/3
R       10.1.1.0/24 [120/1] via 10.2.2.100, 00:00:25, Serial1/3
R    192.168.170.0/24 [120/2] via 192.168.2.18, 00:00:14, Serial1/0
                      [120/2] via 192.168.2.34, 00:00:14, Serial1/1
     192.168.2.0/28 is subnetted, 4 subnets
R       192.168.2.64 [120/1] via 192.168.2.18, 00:00:14, Serial1/0
                     [120/1] via 192.168.2.34, 00:00:14, Serial1/1
R    192.168.100.0/24 [120/2] via 192.168.2.18, 00:00:14, Serial1/0
                      [120/2] via 192.168.2.34, 00:00:14, Serial1/1
R    192.168.3.0/24 [120/2] via 10.2.2.100, 00:00:06, Serial1/3

A malicious hacker can also use this tool. For example, perhaps you have a network of 10.0.0.0/8 that your routing table states is five hops away through Serial 1/0. Using Boson RIP Route Generator, a malicious hacker can inject the same route (10.0.0.0/8) but make it only one hop away through Serial 1/3. Being fewer hops, the latter would be the preferred path. However, this information is inaccurate and would cause the router to reroute the packets to the wrong interface.

Note

You can accomplish a similar result to Boson RIP Route Generator by using the routed daemon on Linux machines. The routed daemon supports the injection of RIP routes. To accomplish the same thing with OSPF or BGP networks, you can use the gated daemon. Review the Linux man pages for more information on routed and gated.


Other routing protocols are susceptible to the same kind of attack. You should always use authentication when running routing protocols to prevent it. Authentication is discussed later in the "Securing the Network" section.
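The route injection described above, as an added Python example that is not part of the book and not Boson's tool: a minimal model of a router's RIP input path. A legitimate neighbor on Serial1/0 advertises 10.0.0.0/8 four hops away (five from this router); a constructed rogue on Serial1/3 then claims the same network at metric 0. Without authentication the one-hop route replaces the real one, which is exactly the reroute the text describes. With a shared key the router drops the unauthenticated update, an update signed with a guessed key, and a replay of the genuine packet. The packet layout follows RFC 2453 (RIPv2) and the keyed-MD5 entry and trailer follow RFC 2082; the key, neighbor addresses and interface names are assumptions, and key-chain rollover and passive interfaces are omitted.

```python
import hashlib
import hmac
import ipaddress
import struct

RIP_INFINITY = 16                      # RIP metric 16 means "unreachable"
AFI_IP, AFI_AUTH, AUTH_MD5 = 2, 0xFFFF, 3


def build_response(routes, key=None, seq=0):
    """Build a RIPv2 Response from (prefix, metric) pairs. With a key, prepend an
    RFC 2082 keyed-MD5 entry (key id 1) and append the 20-byte trailer whose digest
    covers the packet with the zero-padded key standing in for the digest field."""
    header = struct.pack("!BBH", 2, 2, 0)              # command 2 = Response, version 2
    body = b"".join(
        struct.pack("!HH4s4s4sI", AFI_IP, 0, ipaddress.IPv4Network(p).network_address.packed,
                    ipaddress.IPv4Network(p).netmask.packed, b"\0" * 4, m)
        for p, m in routes)
    if key is None:
        return header + body
    key16 = key.ljust(16, b"\0")[:16]
    pkt_len = len(header) + 20 + len(body)            # everything before the trailer
    auth = struct.pack("!HHHBBI8s", AFI_AUTH, AUTH_MD5, pkt_len, 1, 16, seq, b"\0" * 8)
    trailer_hdr = struct.pack("!HH", AFI_AUTH, 1)
    digest = hashlib.md5(header + auth + body + trailer_hdr + key16).digest()
    return header + auth + body + trailer_hdr + digest


class RipRouter:
    """Model of a router's RIP input path: authenticate, then apply the Bellman-Ford
    update (advertised metric + 1; a lower metric replaces the installed route)."""

    def __init__(self, key=None):
        self.key = key
        self.table = {}          # prefix -> (metric, next_hop, interface)
        self.last_seq = {}       # neighbor -> last accepted sequence number (replay check)

    def _verify(self, pkt, neighbor):
        has_auth = len(pkt) >= 24 and pkt[4:6] == b"\xff\xff"
        if self.key is None:
            return True, "no authentication configured"
        if not has_auth or struct.unpack("!H", pkt[6:8])[0] != AUTH_MD5:
            return False, "unauthenticated update"
        pkt_len, _key_id, auth_len, seq = struct.unpack("!HBBI", pkt[8:16])
        if auth_len != 16 or pkt_len + 20 != len(pkt):
            return False, "malformed authentication entry"
        trailer_hdr, digest = pkt[pkt_len:pkt_len + 4], pkt[pkt_len + 4:]
        if trailer_hdr != struct.pack("!HH", AFI_AUTH, 1):
            return False, "missing authentication trailer"
        key16 = self.key.ljust(16, b"\0")[:16]
        expected = hashlib.md5(pkt[:pkt_len + 4] + key16).digest()
        if not hmac.compare_digest(expected, digest):
            return False, "bad MD5 digest (wrong key or tampered packet)"
        if seq <= self.last_seq.get(neighbor, -1):
            return False, "replayed sequence number"
        self.last_seq[neighbor] = seq
        return True, "authenticated"

    def process_update(self, pkt, neighbor, interface):
        ok, why = self._verify(pkt, neighbor)
        if not ok:
            return f"dropped update from {neighbor} on {interface}: {why}"
        has_auth = len(pkt) >= 24 and pkt[4:6] == b"\xff\xff"
        off, end = (24, len(pkt) - 20) if has_auth else (4, len(pkt))
        changed = []
        while off + 20 <= end:
            afi, _tag, ip, mask, _nh, metric = struct.unpack("!HH4s4s4sI", pkt[off:off + 20])
            off += 20
            if afi != AFI_IP:
                continue
            prefix = str(ipaddress.IPv4Network(f"{ipaddress.IPv4Address(ip)}/{ipaddress.IPv4Address(mask)}"))
            metric = min(metric + 1, RIP_INFINITY)        # cost of reaching it through this neighbor
            cur = self.table.get(prefix)
            if cur is None or metric < cur[0] or cur[1] == neighbor:
                self.table[prefix] = (metric, neighbor, interface)
                changed.append(prefix)
        return f"accepted update from {neighbor} on {interface} ({why}); changed {changed}"


def run_scenario(key):
    """Legitimate neighbor, then a rogue with no key, a rogue with a guessed key,
    and a replay of the legitimate packet. Returns (log, installed 10.0.0.0/8 route)."""
    r = RipRouter(key)
    legit = build_response([("10.0.0.0/8", 4)], key=key, seq=1)        # five hops from here
    log = [r.process_update(legit, "192.168.2.18", "Serial1/0")]
    log.append(r.process_update(build_response([("10.0.0.0/8", 0)]), "10.2.2.200", "Serial1/3"))
    log.append(r.process_update(build_response([("10.0.0.0/8", 0)], key=b"guess", seq=9),
                                "10.2.2.200", "Serial1/3"))
    log.append(r.process_update(legit, "192.168.2.18", "Serial1/0"))    # replay
    return log, r.table["10.0.0.0/8"]


if __name__ == "__main__":
    for key in (None, b"RIPKEYS"):
        log, route = run_scenario(key)
        print(f"key={key!r}: 10.0.0.0/8 -> {route}")
        print("  " + "\n  ".join(log))
```

The routing decision is the same in both runs (lower metric wins, as RIP requires); the only thing that changes the outcome is whether the router has a key to check before it listens. Sequence-number tracking is per neighbor, so a captured genuine update cannot simply be played back later.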

Penetration Testing and Network Defense
ISBN: 1587052083
Year: 2005
Pages: 209