Saturday 7 May 2011

Attacking and defending virtual Cisco routers on Backtrack (part 2 - Web and SSH)

In part one of this article (available here) I talked about using GNS3 to replicate and test virtual router networks. I also showed how the default setup of telnet on many Cisco products can be vulnerable to both sniffing and brute-force attacks, and how SSH can easily be implemented to provide more protection.

In this article, I will show how the default web UI on many Cisco routers can be a serious liability, and how to disable it, and also talk about a risk associated with SSH (demonstrating SSH brute-force).

Please remember to use these techniques only for legitimate educational and testing purposes and not maliciously.

So first let's talk about router Web UIs...


Cisco's horrible old Web UI

It's getting very old now, but it is a default on many router models. Yes, it's the Cisco hideous "pretend to be a console" Web UI.


This UI was designed years ago, when security was not seen as so much of an issue. This is a really nasty interface (which I find slower and more difficult to use than the command line). This UI is enabled by default, on many Cisco router models, with no security.

Due to the sticky nature of router and switch infrastructure (it is costly, and time-consuming to replace, and requires downtime) routers of this age and type are very common.

With this example, by default if you click on "15" you end up with an unauthenticated login, at Exec level 15, i.e. with full access to view and change the configuration, and with complete control of the router.

Even if this router is only accessible internally, I would say that this MUST be locked down from the defaults. As I described in the previous article you can add an enable password for some basic configuration security.

R0(config)#enable secret mypassword

This is a global change to the router, affecting multiple protocols, and will enable HTTP basic authentication. Though this is a slight improvement, there still some serious issues with that.


Issues with HTTP basic authentication

There are various issues with HTTP basic authentication which include; No lockout, no session limits or expiry, and the password is sent base64 encoded (i.e.in clear-text) so it can be sniffed of the wire.

Couple that with the fact that there is a known username (of "enable") and only the password needs to be guessed, this is a problem.

To show the plain text nature of this authentication method, we can issue either use a sniffer like tcpdump or Wireshark to intercept the HTTP headers. Below is an extract from the header including the base64 encoded password.

...
Keep-Alive: 300
Proxy-Connection: keep-alive
Authorization: Basic ZW5hYmxlOm15cGFzc3dvcmQ=


Encoding, is NOT encryption. Base64 encoding is designed simply to protect and represent binary data within text-based protocols. Decoding is trivial. Here is a useful site: http://www.opinionatedgeek.com/dotnet/tools/base64decode/

(Pasting in the "ZW5hYmxlOm15cGFzc3dvcmQ=" above, we get the username and password "enable:mypassword" as expected)

To brute-force a HTTP basic password with Hydra is trivial, and can be quick with targeted dictionaries. See the example below:

hydra -l enable -P rockyou100.txt 192.168.50.254 http-get /
WARNING: Restorefile (./hydra.restore) from a previous session found, to prevent overwriting, you have 10 seconds to abort...
Hydra v5.9 (c) 2010 by van Hauser / THC - use allowed only for legal purposes.
Hydra (http://www.thc.org) starting at 2011-05-07 11:33:53
[DATA] 16 tasks, 1 servers, 100 login tries (l:1/p:100), ~6 tries per task
[DATA] attacking service http-get on port 80
[80][www] host: 192.168.50.254   login: enable   password: secret
[STATUS] attack finished for 192.168.50.254 (waiting for childs to finish)
Hydra (http://www.thc.org) finished at 2011-05-07 11:34:05


Ok, so you may say, "I will lock this service down to just the IP addresses of my admin machines". I would say no; It's a pain to use, it's very insecure, just turn off this web UI completely with the following command.

R2(config)#no ip http server


Confirm this is done with nmap:

nmap 192.168.50.254

Starting Nmap 5.35DC1 ( http://nmap.org ) at 2011-05-07 12:30 BST
Nmap scan report for 192.168.50.254
Host is up (0.0019s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
MAC Address: C0:00:2A:5A:00:01 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 7.03 seconds


Just SSH, that's better.


Cisco's Secure Device Manager (SDM)

Cisco made an effort to produce an improved GUI called SDM. Granted, it does look a lot better.

However, although it looks nicer and adds helpful ease-of-configuration, it suffers from some of the same HTTP basic authentication issues above so my advice is to switch it off, and learn how to configure a router properly, i.e. from the command line.

(Also SDM prerequisites may mean you have to use an insecure browser and java-plugin version and it can be a real pain to install, and get it working with your browser - It's really not worth the hassle)


SSH brute force

So, all we have open  is SSH, but that is not the end of the story. SSH can still be insecure as well.

Brute force is more difficult, because now an attacker needs to find a username password combination, but if this is an external router, an attacker still has as long as it takes to attack the SSH port to brute-force the password. There are many tools that can try hundreds of millions of attempts over an extended period of time until the username and password are guessed.

As we have seen Hydra a few times already, here is an example with Medusa:


medusa -h 192.168.50.254 -u bob -P ./passlist.txt -M ssh -F -m BANNER:SSH-2.0-ssh-client -v 4
Medusa v2.0 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks


ACCOUNT FOUND: [ssh] Host: 192.168.50.254 User: bob Password: blah [SUCCESS]


The more usernames and passwords configured on the system, the higher the risk that one combination will be found, and there are many bots on the web that will trawl for Telnet and SSH servers, and try to brute-force them with commonly used passwords. Choose strong and long passwords.

The answer is to lockdown SSH to just the administrative systems IP addresses, and on Cisco routers this can be done with extended access-lists to lock-down the vty lines, as follows (the administrators systems here are 192.168.206.128 and 192.168.206.130)


R3(config)#access-list 101 permit tcp host 192.168.206.128 any eq 22 log
R3(config)#access-list 101 permit tcp host 192.168.206.130 any eq 22 log
R3(config)#access-list 101 deny ip any any log
R3(config)#line vty 0 4
R3(config-line)# access-class 101 in
R3(config-line)# transport input ssh
R3(config-line)# login local


Lockdown guidelines

There are some really useful and easy to follow lockdown guidelines for Cisco routers and switches (and much more besides) at the following location:

http://www.nsa.gov/ia/guidance/security_configuration_guides/index.shtml

6 comments:

  1. Hey Guys !

    USA Fresh & Verified SSN Leads with DL Number AVAILABLE with 99.9% connectivity
    All Leads have genuine & valid information

    **HEADERS IN LEADS**
    First Name | Last Name | SSN | Dob | DL Number | Address | City | State | Zip | Phone Number | Account Number | Bank Name | Employee Details | IP Address

    *Price for SSN lead $2
    *You can ask for sample before any deal
    *If anyone buy in bulk, we can negotiate
    *Sampling is just for serious buyers

    ==>ACTIVE, FRESH CC & CVV FULLZ AVAILABLE<==
    ->$5 PER EACH

    ->Hope for the long term deal
    ->Interested buyers will be welcome

    **Contact 24/7**
    Whatsapp > +923172721122
    Email > leads.sellers1212@gmail.com
    Telegram > @leadsupplier
    ICQ > 752822040

    ReplyDelete


  2. I was searching for loan to sort out my bills& debts, then i saw comments about Blank ATM Credit Card that can be hacked to withdraw money from any ATM machines around you . I doubted thus but decided to give it a try by contacting { cchacker0002@gmail.com} they responded with their guidelines on how the card works. I was assured that the card can withdraw $5,000 instant per day & was credited with $20,000 so i requested for one & paid the delivery fee to obtain the card, after 24 hours later, i was shock to see the UPS agent in my resident with a parcel{card} i signed and went back inside and confirmed the card work's after the agent left. This is no doubts because i have the card & has made used of the card. This hackers are USA based hackers set out to help people with financial freedom!! Contact these email if you wants to get rich with this Via: cchacker0002@gmail.com

    ReplyDelete
  3. Before making any bitcoin investments, always exercise caution and undertake careful study. On the internet, I came across a post regarding a cryptocurrency trading platform. They had a pleasant conversation before investing and displaying early profits. After investing with the company I discovered there is no withdrawal option and that you must get their permission to make withdrawals after investing with the firm. On deciding to retire my profits, they provided multiple excuses which included paying huge taxes to activate my withdrawals. I promptly asked a buddy for advice, and she suggested Captain WebGenesis, a qualified professional that could assist me in recovering my money. In the end,COINSRECOVERYWORLDWIDE was successful in recovering 80% of my stolen Bitcoin. If by any means you’re also a victim of online scam kindly send a message across to the Expert via:
    Mail Add; ; (COINSRECOVERYWORLDWIDE@GMAIL.COM]

    ReplyDelete
  4. Jeanson James Ancheta wizard, I will like to appreciate this organization, all the gratitude and appreciation goes to this organization,they are the best, I can’t appreciate them enough I don’t know how or where to start from, first of all I will like to say am so grateful and thankful for this organization for being part of my progress over the years they have help me to recover my $55, 000 worth of stolen cryptocurrency, this would not have been possible without their help and support, at first I didn’t believe they will be able to help me recover the money but later on I was astonished, and amazed on how they were able to help me recover my money without stress it was very easy for him help me to recover my money am super excited and grateful to them, for their help. Contact him using email:(jeansonjamesanchetawizard62@gmail.com) or WhatsApp number: +44 (7440) 105166 or +44 (7506) 216101.

    ReplyDelete
  5. Looking for a reliable recovery expert to help you reclaim lost funds from scams or fraudulent activities? Look no further than Wizard Asset Recovery. With a proven track record of success and a commitment to client satisfaction, Wizard Asset Recovery is your go-to partner in recovering your hard-earned money.

    Contacting Wizard Asset Recovery is easy and straightforward. You can reach out to them through their official website or via WhatsApp for immediate assistance. Simply send them an email at Wizardassetrecovery@gmx.us or message them on WhatsApp at +13157561228.

    Their team of experts is dedicated to providing personalized and effective solutions tailored to your specific situation. Whether you've fallen victim to a binary options scam, cryptocurrency fraud, or any other type of financial deception, Wizard Asset Recovery has the knowledge, experience, and resources to help you recover what's rightfully yours.

    Don't let scammers get away with your money. Take action today and contact Wizard Asset Recovery for professional assistance in recovering your lost funds.

    ReplyDelete