Exploiting Cisco Routers
securityfocus.com — This is a great walkthrough, worth reading if you have any Cisco routers you have yet to harden against these easy-to-hack vulnerabilities. The article is a little dated, but sadly still applicable to many routers.
- 1077 diggs
- bsoric, on 10/12/2007, -10/+21 Digg needs a Script Kiddie category.
- gwjc, on 10/12/2007, -4/+10 What's wrong with security?
- westoncampbell, on 10/12/2007, -6/+7 If script kiddie is ever introduced to the many current categories then I must say that PORN should also be added :-)
- gwjc, on 10/12/2007, -6/+7 though it'll have to be pr0n, to make the scriptkiddies happy
- adml_shake, on 10/12/2007, -3/+8 Well the only problem I see is that you're probably not going to run across very many cisco routers that use Vigenere, and if the admin is using clear text they are asking for it and should be fired. Heck the cisco training stuff even says to use MD5, and even sets up the simulations for it. After everyone has to be at least CCNA 3.1 certified, I don't know if this will be much of a problem.
- gwjc, on 10/12/2007, -1/+4 :) good avatar dude! Not sure what you mean by "everyone has to be at least ccna 3.1 certified"; there will always be techs handling cisco routers who are not certified. There are also a significant number of cisco routers in the world that sit on private networks and are running 11.x or whatever IOS they shipped with, and weren't configured beyond the day they were installed - they invariably have all their passwords set using type 7.
- SuckMyDigg, on 10/12/2007, -0/+10 I never had a lick of experience with cisco before I started my job. Now I use IOS on a daily basis. Certifications are nice, but I don't think they're all that necessary if you can get your hands on a book.
- gkwait, on 10/12/2007, -10/+5 Talk about old. "small services" (echo, discard, chargen etc...) have been disabled by default for about 4 years now. Give me a break. No Digg, and Lame as well.
- trejrco, on 10/12/2007, -1/+7 Well, it WAS written in 2003 ...
- gkwait, on 10/12/2007, -3/+6 I guess on the flip side, if someone is still running code from 4 years ago, they deserve to be hit.
- WorldGroove, on 10/12/2007, -0/+4 @gkwait
Oh.... then we're all screwed ;-)
- ipstacks, on 10/12/2007, -0/+5 There are routers running code from the day they were installed, obviously. Not everyone is certified, nor do they care. Getting newer code requires you to spend money on the maintenance to qualify for the upgrades/updates, with Cisco anyway. Also some upgrades introduce different bugs, so some wait until it is proven before upgrading anything. There are a lot of routers for sale on ebay and I am sure those folks don't qualify for any upgrades/updates.
- Kash04, on 10/12/2007, -1/+2 routers require updates just as anything else.. major security updates are free... and there's no excuse for being a lousy system admin..
- neozeed, on 10/12/2007, -0/+2 Oh so true, if it isn't broken don't fix it. The last time I went thru this hell was after a serial card broke on the 7513, I had to upgrade the IOS to support the new version of the card... Unfortunately the new version of code changed the distance calculations for IPX services... So it had screwed up quite a bit.
People that jump on the new IOS because 'woohoo! it's new' deserve to get screwed on the other side of this issue. The problem is that the drivers are tied into the code... One day they need to split IOS into drivers & routing code....
At any rate, if you have 7200's you can now run the code in emulation http://www.ipflow.utc.fr/index.php/Cisco_7200_Simulator try before you fry! ;)
- esalonia, on 10/12/2007, -0/+2 Not true ipstacks. You can get security updates for your IOS free of charge. I recently got a newer IOS image for my router a few months back when that IOS Heap-based Overflow Vulnerability was around. All you would have to do is email tac@cisco.com. A tech will respond back to you and most likely ask you for a "show tech" output from your router, your Cisco.com username, and the serial number of your router. Once they review that information, if you are in fact vulnerable and not running the latest security patched version, they will publish the IOS image for you to their CCO checkout page. At which point you will have 3 days to download it. It is faster if you have a support contract with them but this way will work too as long as you are just looking for the latest patched release of the version you are currently running. They will not provide you with a feature version update, only patches.
- osbjmg, on 10/12/2007, -0/+4 ipstacks, that would be a pretty irresponsible network admin, and I would not want him to work for me. esalonia is right, cisco has security advisories and provides existing customers fixes. I work in TAC and I can say we will not charge for code if you hit a security vulnerability. Stay informed to the PSIRT fixes and you will not have to worry.
neozeed - the right way to test is to either have a lab or have your account team do a proof of concept for you first.
If you use IOS, bookmark this:
http://newsroom.cisco.com/data/syndication/rss2/SecurityAdvisories_20.xml
- zoom1928, on 10/12/2007, -2/+0 esalonia, it's true Cisco will allow you to download a new image, but the vast majority of the time that image will not run on your equipment. Cisco ships their routers with the absolute minimum of RAM and flash that they can get away with. Within a couple of years that config will no longer be able to run the newer versions of IOS. It just keeps getting more and more bloated. They refuse to add security fixes to older versions. That leaves their customers stuck buying new hardware to fix software problems.
Where I work we have nine Cisco routers. We've used a total of nine routers for nearly ten years, and the only time in that decade we have bought new routers was because of security problems. All of our older routers work just fine and we keep them as spares, but Cisco has intentionally made the hardware we own (nearly) useless by refusing to release fixed software for them. This is how you always get screwed when you buy proprietary, closed-source garbage.
- CorpT, on 10/12/2007, -0/+1 Nine whole routers? Wow, that certainly does make you an expert on Cisco routers. Especially 10 year old routers.
Here's a clue: Just because your company doesn't value its network, doesn't mean other companies don't. Go back to your servers and leave the networking to people who know what they're doing.
- neozeed, on 10/12/2007, -1/+1 @osbjmg a lab.. lol I don't know how many times I hear that battle cry "it worked in the lab!" Sigh and so many CCIEs that can't go forward with plan b,c,d,e etc etc. Plus when you get thrown to new IOS for hardware reasons it's unlikely you have time to play release games....
Cisco sucks, but my god their 'competition' isn't anywhere near ready.
- carpespasm, on 10/12/2007, -2/+1 it's kinda funny that i'm actually reading this from my cisco 3 class now, having just taken the final exam...
- esalonia, on 10/12/2007, -0/+3 Part 2 of this post: http://www.securityfocus.com/infocus/1749
- dhughes, on 10/12/2007, -1/+2 An interesting read, it's fun to see the steps involved, it's not something I do but I enjoy reading about and seeing the technique used.
Most here probably won't admit they don't know what the hell it's all about but no one is born knowing this stuff, nobody knows everything about computers and someone always knows more than you.
- masterT1021, on 10/12/2007, -0/+1 You know it's kinda funny reading this article after finishing semester four a couple months ago. Yea cisco can change their IOS a little here and there to make it a little user friendly. As far as security they are pretty good, offering different types of encryption. Trust me compared to 3com and Juniper cisco is way better. I actually have worked on them. AHH, it feels good to have my CCNA at only 18. going for my CCNP. wish me luck. lol
- gyrfalcon, on 10/12/2007, -1/+1 narf, narf...whatever mr. brain
- oyourmom, on 10/12/2007, -3/+1 Exactly why i have a Juniper router.
- bdbr, on 10/12/2007, -0/+3 "Exactly why i have a Juniper router."
...because you can't break into a Juniper router that has dictionary-based passwords or community strings? Much of this has very little to do with Cisco. I hope you realize there's more to security than product selection.
- gyrfalcon, on 10/12/2007, -0/+3 More like...
Exactly why you're an idiot. Not that Juniper products are bad, you're just stupid saying ludicrous crap without backing.
- bdbr, on 10/12/2007, -0/+0 What exactly is it that you guys think a new version will solve from this article? Will it make http secure? Will it require admins to use strong passwords and community strings?
This article just presents a few very, very basic ways to get into routers where the administrators have completely ignored basic security practices. It's as applicable with current revs as it was with 11.2.
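As an added example (not part of the thread, and not a Cisco tool): a small Python audit that scans a saved IOS running-config for the weaknesses the commenters keep coming back to, type 7 and cleartext passwords, default or read-write SNMP community strings, plain HTTP management and the small services. The config excerpt is constructed for the example and the type 7 strings in it are placeholders.

```python
import re

# Constructed sample running-config excerpt (written for this example, not taken
# from the article or any real device), seeded with the weaknesses the thread names.
SAMPLE_CONFIG = """\
enable password 7 0000DEADBEEF
username ops password 0 cisco123
service tcp-small-servers
ip http server
snmp-server community public RO
snmp-server community netops RW
line vty 0 4
 password 7 0101CAFEBABE
 login
"""

def check_line(line):
    """Return (severity, finding) for one config line, or None if it looks fine."""
    s = line.strip()
    if s.startswith("enable password"):
        return ("HIGH", "'enable password' is type 0/7; use 'enable secret' (MD5 hash)")
    m = re.search(r"\bpassword (?:([05679]) )?(\S+)$", s)
    if m:
        ptype = m.group(1) or "0"        # no type keyword means cleartext (type 0)
        if ptype == "7":
            return ("HIGH", "type 7 password is reversibly encoded, not hashed")
        if ptype == "0":
            return ("HIGH", "cleartext password")
    if s.startswith("snmp-server community"):
        parts = s.split()
        community = parts[2] if len(parts) > 2 else ""
        if community in ("public", "private"):
            return ("HIGH", f"default SNMP community string '{community}'")
        if "RW" in parts[3:]:
            return ("MEDIUM", "read-write SNMP community; restrict with an ACL or remove it")
    if s in ("service tcp-small-servers", "service udp-small-servers"):
        return ("MEDIUM", f"'{s}' enables echo/chargen/discard; turn it off")
    if s == "ip http server":
        return ("MEDIUM", "plaintext HTTP management; disable it or use 'ip http secure-server'")
    return None

def audit(config_text):
    """Scan a running-config and return findings as (lineno, severity, text, note)."""
    findings = []
    for n, line in enumerate(config_text.splitlines(), 1):
        result = check_line(line)
        if result:
            findings.append((n, result[0], line.strip(), result[1]))
    return findings
```

Run `audit(SAMPLE_CONFIG)` against the excerpt and it reports four HIGH and three MEDIUM findings; point it at `show running-config` output saved to a file to check a real box.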