Getting Into Cisco Routers

by Grandmaster Plague

Cisco routers are some of the most fascinating machines on the Internet.

It is almost assured that if you send a packet to a random machine on the Internet, your packet will pass through a Cisco router.  The prevalence of these beauties on the net is mind boggling.  But how do you break in?

Well, this requires a little explaining first.

Standard Disclaimer:  The information in this article is meant for educational purposes only.  I do not advocate doing anything mentioned in this article.  I also take no responsibility if you do anything mentioned in this article.

Some Background Info First

Cisco routers are great at passing packets from network to network.

However, they are shitty at directly receiving packets sent at them.  If they could receive packets as well as they could route them, then Cisco would sell an all-in-one superduper Internet server-router gee-whiz-it-does-everything machine.  Keep this in mind for the attack that will come later.

Now, if you try to Telnet to a properly configured Cisco router you will get one of two things.

The first is that your connection will be denied (or will time out) based on a firewall ruleset, or because TCP/IP access is not allowed to the router (serial only).  Either way, bypassing this first case is beyond the scope of this article.  (Hint:  Combine the info to be learned in this article with my spoofing article "Myths About TCP Spoofing" in 18:3 for your answer.)

The second possible thing is you get a password prompt.  If you get this (just a password prompt) you're most likely at a router, and it's on to the rest of the article.

Conceptualizing the Attack

The attack boils down to this.

First, you flood the router from one host, causing it to default to a sort of "safe mode" wherein only the barest of routing functions are executed.  Cisco routers have been made to keep on routing until they can't possibly route anymore.  This is why critical system access is shed before routing functionality is.

Now, Cisco builds in a little safety net for admins to whom this happens, letting them still get into the system to shut down a router gone haywire.  So, if the system is overloaded, you can Telnet in and enter the default password to get complete enable (root!) access to the router.  You then transmit the router's password file to your machine and crack it.

Now you have full enable access and can do whatever you please with the router.

The Attack Itself

The first thing you'll need for this attack is at least one valid SOCKS (or WinGate) proxy or a shell on some system - anything to make your access come from another host.  I would recommend at least two such hosts to do this.

First, you want to initiate a Denial-of-Service (DoS) attack that will flood the router, such as a huge password in the password field, or an ICMP flood.

For the purposes of this article, we will use a huge ping command (as root on a Linux/BSD box):

# ping -s 65535 -f -c 1000000 cisco-router.example.net

Get that started and wait for a bit.

Then, after a minute or so, you Telnet to cisco-router.example.net from a different IP address (another NIC with its own IP address, not one behind the same NAT router, or through a WinGate).

Now, you get a nice prompt and type the default password in (usually enable or admin... otherwise check www.mksecure.com/defpw).

Now you're logged in with full enable access.  We want to keep access and not be noticed, so we find either the encrypted or (if lucky) the unencrypted password.  This is usually simple.

Start logging your terminal session and type in: sh conf

When you see a line that starts with enable secret or enable password grab that line.  If you only see three arguments to either of these commands, the third argument is the password.

If you get an enable password line, be happy, because even if it's encrypted, it's a Cisco Type 7 password (whose encryption has been broken hundreds of times).  See hackersplayground.org/papers/crack-cisco-passwords.txt for code and an explanation of how to break Type 7 passwords.

If you're not so lucky, you'll see something like enable secret md5 +949a8(%0xCV8.  That's an MD5 encrypted password.  You can dump it into John the Ripper (after some formatting).
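From the defender's side, the same "look at the enable secret / enable password lines" rule can be turned into a quick audit of saved sh conf output.  The following is an added example, not code from the article or from Cisco: it reads a constructed config, rates each credential line by its IOS type marker, and treats a line with no marker as the cleartext "third argument" case described above.  The type 8 and 9 markers are later IOS additions not mentioned in the article.

```python
import re

# Constructed sample of "sh conf" output for illustration; not from any real device.
SAMPLE_CONFIG = """\
service password-encryption
hostname edge-rtr-1
enable secret 5 $1$EXAMPLE$abcdefghijklmnopqrstuv
enable password 7 0822455D0A16
username backup password 0 cleartextpass
line vty 0 4
 password 7 1511021F0725
 login
"""

# IOS credential type markers and how an auditor should rate them.
TYPE_RATING = {
    "0": "CRITICAL: stored in cleartext",
    "7": "HIGH: type 7 is a reversible obfuscation, not a hash",
    "5": "MEDIUM: type 5 (MD5-crypt) can be attacked offline with a wordlist",
    "8": "OK: type 8 (PBKDF2-SHA256)",
    "9": "OK: type 9 (scrypt)",
}

# Lines that carry a credential: enable secret/password, username ... password, line password.
CRED_LINE = re.compile(
    r"^\s*(?P<kw>enable secret|enable password|username \S+ password|password)\s+(?P<rest>.+)$"
)

def audit_config(config_text):
    """Return a list of (line_no, keyword, rating) findings for one running-config."""
    findings = []
    has_secret = False
    for n, line in enumerate(config_text.splitlines(), 1):
        if line.strip() == "service password-encryption":
            # This service only produces type 7 strings, so it is not real protection.
            findings.append((n, "service password-encryption", "INFO: only yields type 7"))
            continue
        m = CRED_LINE.match(line)
        if not m:
            continue
        kw, rest = m.group("kw"), m.group("rest").split()
        # "enable password foo" has no type marker: the third token IS the password (type 0).
        ptype = rest[0] if len(rest) == 2 and rest[0] in TYPE_RATING else "0"
        has_secret = has_secret or kw == "enable secret"
        findings.append((n, kw, TYPE_RATING[ptype]))
    if has_secret and any(kw == "enable password" for _, kw, _ in findings):
        # enable secret overrides enable password, so the weaker line is dead weight.
        findings.append((0, "enable password", "HIGH: redundant when enable secret is set; remove it"))
    return findings

if __name__ == "__main__":
    for line_no, kw, rating in audit_config(SAMPLE_CONFIG):
        print(f"line {line_no:>2}  {kw:<28} {rating}")
```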

Let it run for a little while and you'll get a nice password to use to get access to the router.  Congratulations, you should have full enable access at this point.

Disconnect from the router and stop your ping flood.

What Do I Do Now?

Well, I'd be surprised if people reading this article didn't have ideas of things they can do once they get full enable access on a Cisco router.  But, for those of you who don't, I'll give you some ideas, like modifying the route tables to go through another machine which can sniff data.

Tunnelx is the best project I've seen to do this.  It was featured in Phrack, Issue 56 (www.phrack.org/issues/56/1.html) in the article "Things To Do In Cisco Land When You're Dead" by gauis.

That article covers installation of tunnelx.

Once you realize how much traffic goes through routers, you'll realize that you need a script that checks the sniffed packets for key terms and discards the rest as they come in, so you don't waste ten gigs of disk space in two minutes.

Another fun thing about routers is that they're often connected directly (through serial) to mainframes at NOCs.  These machines are super fun to play with and are often otherwise inaccessible to the outside.

Ciscos that are the primary router for a network are almost always trusted machines on that internal network.  You can get to machines that are not visible to the Internet.

Denial-of-Service is also really easy.  Just change the route table of the router to send all packets received to 127.0.0.1.  The possibilities are endless.

Conclusion

Cisco routers are some of the most prevalent machines on the Internet.

The security of these machines is crucial to the survival of the Internet and corporate networks around the globe.  It is often unbelievably easy to get full enable access on a Cisco router with very little work.

There are many ways to secure your system.  (See Hardening Cisco Routers by Thomas Akin, or Improving Security on Cisco Routers by Cisco Systems, or a host of other sites.)

But Cisco has a lot of problems that they need to fix before your router will be secure out of the box.

Hopefully this article has moved that along a bit.

Hi again Mary (Nary).
