Document shared by: xumiaomaio, posted 10/24/2011, English, 19 pages
Group 8

Vernon Guishard, Kelvin Aguebor



ECE4112 Internetwork Security

Proposed Lab: Cisco Router Hacking

Group Number: _________

Member Names: ___________________ _______________________

Date Assigned: ____________

Date Due: ____________

Last Edited: _____________

Authored by: Vernon Guishard, Kelvin Aguebor

Please read the entire lab and any extra materials carefully before starting. Be sure to start early enough so that you will have time to complete the lab. Answer ALL questions in the Answer Sheet and be sure you turn in ALL materials listed in the Turn-in Checklist on or before the Date Due.





Goal: The goal of this lab is to introduce you to the concept of router hacking and to show how this can prove disastrous to networks.





Summary: You will carry out various attacks on Cisco routers, examine their possible effects, and identify solutions to vulnerabilities.

NOTE: Section 1 of this lab requires you to reserve slots to use the router equipment. The signup sheets will be posted on the lab door. The equipment you need to sign up for will not be available at the last minute. PLAN AHEAD.





Background: Although its market share has dropped in recent years, Cisco Systems still controls the majority (approximately 58%) of the network router market. With such a large market share, networks are extremely susceptible to catastrophic failure in the event that Cisco routers were to become the target of a successful wide-scale attack. For this main reason, we will explore some of the known attacks and suggest solutions to these problems.





Prelab Questions:

P.1. Name another major router manufacturer that has a significant amount of the market share.














Lab Scenario: For this lab you will compromise Cisco routers via several available methods. In the first section, the console will be used to recover the enable password of a router. In the second section, some known network exploits will be performed.







Section 1: Console Password Exploit

1.1 Setting up HyperTerminal to access the router

For this section you will need one of your existing Windows XP virtual machines, and one of the router setups made available for this lab.



Windows HyperTerminal is an example of a terminal emulator. A terminal emulator, terminal application, term, or tty for short, is a program that emulates a "dumb" video terminal within some other display architecture. Terminals are typically synonymous with a command line shell or text terminal. A terminal emulator inside a graphical user interface is often called a terminal window. A terminal window allows the user access to a text terminal and all its applications such as command-line interfaces (CLI) and text user interface applications. These may be running either on the same machine or on a different one via telnet, ssh, or dial-up. On Unix-like operating systems it is common to have one or more terminal windows connected to the local machine [1].



In this case, HyperTerminal will be used to get access to the CLI of a Cisco router.

On your Windows XP machine, go to:

START -> All Programs -> Accessories -> Communications -> HyperTerminal

If asked for local information such as area code and phone number, this may be skipped by selecting Cancel.

Select a name (e.g. Cisco Console) for the connection, select an icon, and then click OK. Again, cancel when asked for local information.

In the 'Connect To' window, change the field 'Connect using' to COM1 or the lowest available COM port on the computer. Click OK.

This should give a window which looks like the one in Figure 1 below. Ensure that all the settings are the same as those shown below. Click OK and ensure that the status shown in the lower left says Connected.

Now the console cable needs to be connected from the router to the computer. Obtain a cable from the TA and connect it from the console port on the router to the COM port on the PC.












Once done, hit Enter a few times on the keyboard. You should get a prompt from the router. Once you receive this prompt, you have successfully configured HyperTerminal to be able to access the router.

Screenshot 1: Take a screenshot of HyperTerminal connected to the router.









Figure 1. HyperTerminal Settings.





1.2 Cracking the enable password and enable secret of the router

When you first log in to the router, you should be in user mode (Router>), which is mostly used for viewing statistics. In order to perform higher functions such as configuration and diagnostics, you must first enter privileged mode (Router#). Most system administrators use a password, either an enable password or enable secret, to ensure that anyone entering privileged mode is authorized to do so. However, there is a well-known procedure for obtaining or changing the passwords on a router as long as physical access is available.

All Cisco routers have a 16-bit software register called the configuration register. This register is used during boot-up to set certain options such as the location of the Cisco IOS image (usually flash memory), and the configuration file to load and its location. The settings of the bits in this register are also used to set other options used at boot-up. The bit positions and their functions can be seen in the table below, which was obtained from: http://www.cisco.com/en/US/products/hw/routers/ps133/products_tech_note09186a008022493f.shtml. Note that bit 15 represents the most significant bit.












Bit Number   Hex                       Meaning
00-03        0x0000-0x000F             Boot field parameters:
                                         0x0000         Stays at the system bootstrap prompt
                                         0x0001         Boots system image on EPROM
                                         0x0002-0x000F  Specifies a default netboot filename
06           0x0040                    Ignore NVRAM contents
07           0x0080                    Disable boot messages
08           0x0100                    Break disabled
10           0x0400                    IP broadcast with all zeros
5, 11, 12    0x0020, 0x0800, 0x1000    Console line speed
13           0x2000                    Boots default ROM software if network boot fails
14           0x4000                    IP broadcasts do not have net numbers
15           0x8000                    Enables diagnostic messages and ignores NVRAM contents







The default configuration register value for Cisco routers is 0x2102. If you already knew the privileged mode password on the router, you could type show version in order to see the current setting of the configuration register.

Q.1.2.1. Based on the table above, what does the default setting of the configuration register tell the router to do?

Since you do not know the password, you will use a technique referred to by Cisco as password recovery to get the privileged mode password. You will make use of the configuration register settings to do this.












Reboot the router by simply turning the power switch off and then back on.

During the first 60 seconds of boot-up, press the Break key on the keyboard. You may need to press Ctrl + Break. This should put the router into ROMMON (rommon 1>). If it does not work, you will need to repeat the power down step and try other known break key sequences.

Once the rommon prompt appears, type confreg 0x2142 to change the value of the configuration register.

Q.1.2.2. What does this change to the configuration register cause?

Type reset at the rommon prompt to reboot the router once again. Answer no to all of the questions asked when the router reboots, or press Ctrl-C to bypass this initial configuration stage.

The router should now be at the initial prompt (Router>). Type enable to enter privileged mode, after which the prompt should change to (Router#).

Type copy startup-config running-config to reload the configuration of the router. Once this is done, you should be able to view and change all of the configuration of the router.

Type show running-config to view the current configuration file. You should be able to see where the enable password and enable secret have been set.

Screenshot 2: Take a screenshot of the enable password and enable secret of the router.

You should be able to tell what the enable password is, but the enable secret is just represented by a string of seemingly random characters.

Q.1.2.3. Why does the enable secret appear this way?

Q.1.2.4. When is the enable password used as opposed to the enable secret?

Since the enable secret cannot be recovered in this way, the only option is to change it. To do so, type configure terminal to enter configuration mode.

To change the secret, type enable secret . Use enable as the new password.

Once done, you need to change the configuration register back to its original setting so that the router will boot as normal. While still in configuration mode, type config-register 0x2102. Type end to exit configuration mode.

Type sh version and record the line that shows the value of the configuration register.

Q.1.2.5. What is the output on the line that shows the value of the configuration register?












Next, type copy running-config startup-config in order to save the new password. Restart the router and ensure that it boots as normal. Once booted, type enable and enter the password you changed.

Although this procedure is listed by Cisco as a way for system administrators to recover passwords, it can also be used by hackers to gain access to a router.
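As an added example (not part of the original lab), the following Python script decodes a configuration register value using the bit table in section 1.2 and checks the register line printed by show version for a value that is not the default 0x2102, which is the kind of check an administrator can script to spot the register change made during password recovery. The sample show version line below is constructed; the "(will be 0x... at next reload)" suffix is the form IOS prints when the register has been changed but the router has not yet reloaded.

```python
# Added example, not part of the original lab handout.
# Decodes Cisco configuration register values using the bit table from
# section 1.2 and audits the register line from "show version".
import re

DEFAULT_REGISTER = 0x2102  # default value stated in the lab

# Single-bit flags from the configuration register table (bit -> meaning).
REGISTER_BITS = {
    6: "Ignore NVRAM contents",
    7: "Disable boot messages",
    8: "Break disabled",
    10: "IP broadcast with all zeros",
    13: "Boots default ROM software if network boot fails",
    14: "IP broadcasts do not have net numbers",
    15: "Enables diagnostic messages and ignores NVRAM contents",
}
CONSOLE_SPEED_BITS = (5, 11, 12)  # together these select the console line speed


def boot_field(value):
    """Return the meaning of bits 0-3 (the boot field) per the table."""
    field = value & 0x000F
    if field == 0x0:
        return "Stays at the system bootstrap prompt"
    if field == 0x1:
        return "Boots system image on EPROM"
    return "Specifies a default netboot filename (boot field 0x%X)" % field


def decode_register(value):
    """Map a 16-bit configuration register value to the options it sets."""
    options = [boot_field(value)]
    for bit, meaning in sorted(REGISTER_BITS.items()):
        if value & (1 << bit):
            options.append("bit %d (0x%04X): %s" % (bit, 1 << bit, meaning))
    speed = [b for b in CONSOLE_SPEED_BITS if value & (1 << b)]
    if speed:
        options.append("console line speed bits set: %s" % speed)
    return options


def changed_bits(old, new):
    """Bit positions that differ between two register values."""
    return [bit for bit in range(16) if (old ^ new) & (1 << bit)]


SHOW_VERSION_RE = re.compile(
    r"Configuration register is 0x([0-9A-Fa-f]{1,4})"
    r"(?: \(will be 0x([0-9A-Fa-f]{1,4}) at next reload\))?")


def audit_show_version(text):
    """Parse the register line from 'show version' output and flag any
    value, current or pending at next reload, that is not the default."""
    m = SHOW_VERSION_RE.search(text)
    if not m:
        return None
    current = int(m.group(1), 16)
    pending = int(m.group(2), 16) if m.group(2) else current
    findings = []
    for label, val in (("current", current), ("next reload", pending)):
        if val != DEFAULT_REGISTER:
            findings.append("%s register 0x%04X differs from default in bits %s"
                            % (label, val, changed_bits(DEFAULT_REGISTER, val)))
    return {"current": current, "pending": pending, "findings": findings}


if __name__ == "__main__":
    for v in (0x2102, 0x2142):
        print("0x%04X:" % v)
        for line in decode_register(v):
            print("   ", line)
    # Constructed sample of the line recorded in Q.1.2.5, in IOS format.
    sample = "Configuration register is 0x2142 (will be 0x2102 at next reload)"
    print(audit_show_version(sample))
```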



Q.1.2.6. List two ways that a system administrator may quickly notice such an attack.

Q.1.2.7. How can such an attack be easily prevented?

Q.1.2.5. Why does the eighth bit on the configuration register not prevent a hacker from being able to execute the break sequence?









Section 2: Identifying Cisco Routers

2.1 Using Nmap to Identify Routers

For this section you will need your RedHat 4.0 Host machine.

Routers can be configured to look just like any other system on the network. For this reason, they can often be mistaken for Unix systems. Probably the easiest and most accurate way of identifying a host on the network as a router is by using Nmap, which has very accurate OS fingerprinting.

Your Linux machine already has Nmap pre-installed. To access Nmap, type nmapfe & in a terminal window. This should open a separate window in which the Nmap scan will be performed. The IP addresses listed below will be scanned to try to identify any Cisco systems on the given subnets.

138.210.228.0/24

138.210.231.0/24

138.210.240.0/24

In order to first identify which IP addresses are active, a simple ping scan can be performed. To do this, enter the first IP address range in the target field and select ping scan. Select scan and wait for Nmap to return a list of IP addresses found. This may take a while.

Once the IP addresses are returned, rerun an Nmap scan on each address found to be alive, this time performing a SYN scan and selecting the version probe option. Use the results to identify the routers in the above subnets.

Repeat this for all of the above listed subnets.

Q2.1.1 List the IP addresses that were found to be Cisco routers.








Q2.1.2 How can an administrator prevent such network reconnaissance?

Another way of identifying Cisco routers is by looking at the banner that they produce when you try to access them via telnet or ssh.

To test this theory, try connecting to one of the identified routers that have the telnet port (23) open by typing telnet .

By default, Cisco routers display the banner "User Access Verification", which is a trademark Cisco telnet banner, before prompting for the password.

Screenshot 3: Take a screenshot of the banner presented by the router.

Q2.1.3 What can an administrator do to prevent system identification by banner checking?









Section 3: Network Exploits

Your RedHat 4.0 Host machine will be used for this section.

3.1 Using the Cisco Global Exploit Tool

Cisco Global Exploiter is a script that targets vulnerabilities in the Cisco Internetwork Operating System (IOS) and Catalyst products. When the script is run against a host it gives menu choices for the user to perform. The script was written by blackangels.it and published on 3.24.04. Information on the vulnerabilities that this tool attempts to exploit can be found at the links referenced in Appendix A.

Q3.1.1 Briefly describe one of the vulnerabilities presented in Appendix A.

Connect to the NAS server and copy the Cisco Global Exploit Tool file (cisco.zip) to the /home/tools/ directory of your RedHat 4.0 Host machine. This tool can be obtained from http://www.milw0rm.com/exploits/169.

Go to the /home/tools/ directory and type unzip cisco.zip in order to unzip the copied file.

In the same directory, type chmod +x cisco.pl in order to turn on the Linux execute permissions for this script.

In order to see a list of options for the Cisco Exploit tool, type perl cisco.pl. You should get a list of options identical to those shown in Figure 3 below.


















Figure 3. Cisco Exploit Options.





Q3.1.2 Which of the options do you think can be run on the devices discovered in the previous section?

Using the options identified, try to exploit two of the possible vulnerabilities on two of the Cisco routers that you found, using the command:

perl –h -v

Q3.1.3 List the commands you used to perform the exploits, showing the IPs and options chosen.

Q3.1.4 Were the commands successful? If so, list which ones were.

A very useful exploit is the Cisco IOS HTTP Auth Vulnerability. If this was not already done, perform it by typing perl –h -v 3.

Q3.1.5 What was the result of performing this exploit (give the response)?

If the exploit was successful, it should give a URL that can be used to compromise the router. To test this, open an internet browser and go to http:///level/xx/exec/show/config where xx represents the numbers obtained from the previous command.












If the above command is successful, you should now have a web page containing the entire configuration of the router.

Screenshot 4: Take a screenshot of the compromised router's configuration.

Q3.1.6 Give three ways that a hacker can use this information to their benefit.





3.2 Protecting against the Cisco Global Exploit Tool

Many of the exploits used by this tool have existed for a while and have already been identified by Cisco Systems. As a result, patches and upgraded firmware are available for these. More information on the upgraded firmware and other workarounds for these vulnerabilities can be found at the links given in Appendix A. In the cases where these exploits can still be performed today, it is as a result of poor system administration (i.e. the administrator fails to keep informed of current security issues and as a result does not resolve vulnerabilities).

Q3.2.1 Give one of the workarounds, other than upgrading the firmware, which can be used to prevent exploitation of these vulnerabilities.









Turn-in checklist

You need to turn in:

- Answer sheet.
- 4 screenshots.
- Any corrections or additions to the lab.







Lab Additions and Improvements

Explain additions and improvements that can be made to this lab. Please be as detailed as possible and include sections and subsections where applicable.












ECE4112 Internetwork Security

Proposed Lab: Cisco Router Hacking Answer Sheet

Group Number: _________

Member Names: ___________________ _______________________



Date Assigned: ____________

Date Due: ____________

Last Edited: _____________









Prelab Questions:

P.1. Name another major router manufacturer that has a significant amount of the market share.









Section 1: Console Password Exploit



Q.1.2.1. Based on the table above, what does the default setting of the configuration register tell the router to do?









Q.1.2.2. What does this change to the configuration register cause?












Screenshot 2: Take a screenshot of the enable password and enable secret of the router.





Q.1.2.3. Why does the enable secret appear this way?









Q.1.2.4. When is the enable password used as opposed to the enable secret?









Q.1.2.5. What is the output on the line that shows the value of the configuration register?









Q.1.2.6. List two ways that a system administrator may quickly notice such an attack.









Q.1.2.7. How can such an attack be easily prevented?









Q.1.2.5. Why does the eighth bit on the configuration register not prevent a hacker from being able to execute the break sequence?














Section 2: Identifying Cisco Routers



Q2.1.1 List the IP addresses that were found to be Cisco routers.









Q2.1.2 How can an administrator prevent such network reconnaissance?









Screenshot 3: Take a screenshot of the banner presented by the router.





Q2.1.3 What can an administrator do to prevent system identification by banner checking?









Section 3: Network Exploits



Q3.1.1 Briefly describe one of the vulnerabilities presented in Appendix A.












Q3.1.2 Which of the options do you think can be run on the devices discovered in the previous section?









Q3.1.3 List the commands you used to perform the exploits, showing the IPs and options chosen.









Q3.1.4 Were the commands successful? If so, list which ones were.









Q3.1.5 What was the result of performing this exploit (give the response)?









Screenshot 4: Take a screenshot of the compromised router's configuration.







Q3.1.6 Give three ways that a hacker can use this information to their benefit.









Q3.2.1 Give one of the workarounds, other than upgrading the firmware, which can be used to prevent exploitation of these vulnerabilities.












General Questions

How long did it take you to complete this lab? Was it an appropriate length lab?









What corrections and/or improvements do you suggest for this lab? Please be very specific and if you add new material give the exact wording and instructions you would give to future students in the new lab handout. You may cross out and edit the text of the lab on previous pages to make minor corrections/suggestions. General suggestions like "add tool xyz to do more capable scanning" will not be awarded extra points even if the statement is totally true. Specific text that could be cut and pasted into this lab, completed exercises, and completed solutions may be awarded additional credit. Thus, if tool xyz adds a capability or an additional or better learning experience for future students, here is what you need to do. You should add that tool to the lab by writing new detailed lab instructions on where to get the tool, how to install it, how to run it, what exactly to do with it in our lab, example outputs, etc. You must prove with what you turn in that you actually did the lab improvement yourself. Screen shots and output hardcopy are a good way to demonstrate that you actually completed your suggested enhancements. The lab addition section must start with the form "Laboratory Additions Cover Sheet".














Appendix A

Obtained from

http://www.cisco.com/warp/public/707/cisco-sn-20040326-exploits.shtml#details





Cisco Security Notice: Exploit for Multiple Cisco Vulnerabilities

Document ID: 50220



Revision 1.3

Last Updated 2004 May 07 at 17:30 UTC (GMT)



For Public Release 2004 March 27 19:30 UTC










Contents

Summary

Details

Workarounds

Status of This Notice: INTERIM

Revision History

Cisco Security Procedures





Summary

Proof-of-concept code has been publicly released by an external group that exploits multiple previous vulnerabilities in various Cisco products.



Details

Proof-of-concept code has been publicly released by an external group that exploits multiple previous vulnerabilities in various Cisco products. The following list of vulnerabilities taken verbatim from the exploit code are affected. Included after each is a URL which may be referenced for more information regarding each vulnerability where Cisco has previously released a security advisory or response to address the issue. Customers should take steps to ensure that they have addressed each of these either via a software upgrade or workarounds in place as appropriate in order to mitigate any risk from this new exploit code.



1. Cisco 677/678 Telnet Buffer Overflow Vulnerability

CBOS - Improving Resilience to Denial-of-Service Attacks

http://www.cisco.com/warp/public/707/CBOS-DoS.shtml



2. Cisco IOS Router Denial of Service Vulnerability

Cisco IOS HTTP Server Vulnerability

http://www.cisco.com/warp/public/707/ioshttpserver-pub.shtml



3. Cisco IOS HTTP Auth Vulnerability

IOS HTTP Authorization Vulnerability

http://www.cisco.com/warp/public/707/IOS-httplevel-pub.html



4. Cisco IOS HTTP Configuration Arbitrary Administrative Access Vulnerability

IOS HTTP Authorization Vulnerability

http://www.cisco.com/warp/public/707/IOS-httplevel-pub.html



5. Cisco Catalyst SSH Protocol Mismatch Denial of Service Vulnerability

Cisco Catalyst SSH Protocol Mismatch Vulnerability

http://www.cisco.com/warp/public/707/catalyst-ssh-protocolmismatch-pub.shtml



6. Cisco 675 Web Administration Denial of Service Vulnerability

Multiple Vulnerabilities in CBOS

http://www.cisco.com/warp/public/707/CBOS-multiple.shtml



7. Cisco Catalyst 3500 XL Remote Arbitrary Command Vulnerability

Catalyst 3500 Issue

Report: http://www.securityfocus.com/archive/1/141471

Cisco Response: http://www.securityfocus.com/archive/1/144655



8. Cisco IOS Software HTTP Request Denial of Service Vulnerability

Cisco IOS HTTP Server Query Vulnerability

http://www.cisco.com/warp/public/707/ioshttpserverquery-pub.shtml



9. Cisco 514 UDP Flood Denial of Service Vulnerability

A Vulnerability in IOS Firewall Feature Set

http://www.cisco.com/warp/public/707/IOS-cbac-dynacl-pub.shtml



10. CiscoSecure ACS for Windows NT Server Denial of Service Vulnerability

Web Interface Vulnerabilities in Cisco Secure ACS for Windows

http://www.cisco.com/warp/public/707/ACS-Win-Web.shtml












11. Cisco Catalyst Memory Leak Vulnerability

Cisco Catalyst Memory Leak Vulnerability

http://www.cisco.com/warp/public/707/catalyst-memleak-pub.shtml



12. Cisco CatOS CiscoView HTTP Server Buffer Overflow Vulnerability

Cisco CatOS Embedded HTTP Server Buffer Overflow

http://www.cisco.com/warp/public/707/catos-http-overflow-vuln.shtml



13. %u Encoding IDS Bypass Vulnerability (UTF)

Cisco Secure Intrusion Detection System Signature Obfuscation Vulnerability

http://www.cisco.com/warp/public/707/cisco-intrusion-detection-obfuscation-vuln-pub.shtml



14. Cisco IOS HTTP Denial of Service Vulnerability

Cisco IOS HTTP Server Query Vulnerability

http://www.cisco.com/warp/public/707/ioshttpserverquery-pub.shtml



Workarounds

Possible workarounds for each of the vulnerabilities may be found in the advisories referenced in the Details section.

Status of This Notice: INTERIM

This is an interim notice. Although Cisco cannot guarantee the accuracy of all statements in this notice, all of the facts have been checked to the best of our ability. Cisco does not anticipate issuing updated versions of this notice. Should there be a change in the facts, Cisco may update this notice.

A stand-alone copy or paraphrase of the text of this security notice that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.














Revision History

Revision   Date                          Change
1.3        2004-May-07                   Updated notice to include exploits 11-14 in the Details section.
1.2        2004-April-06                 Updated #6 in the Details section.
1.1        2004-April-02 0000 UTC (GMT)  Updated notice to include exploit #10 in the Details section.
1.0        2004-March-26                 Initial public release.





Cisco Security Procedures

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt.












REFERENCES

[1] http://en.wikipedia.org/wiki/Terminal_emulator
[2] http://www.securityfocus.com/infocus/1734
[3] http://www.securityfocus.com/infocus/1749
[4] http://secure-o-gram.blogspot.com/2005/11/ios-exploit-and-auditing-tools.html
[5] http://www.cisco.com/warp/public/707/cisco-sn-20040326-exploits.shtml#details
[6] http://www.milw0rm.com/exploits/
[7] http://www.cisco.com/en/US/products/hw/routers/ps133/products_tech_note09186a008022493f.shtml








