Table of Contents

Case Study: The Black Hat Hassle

Part I Foundations
Case Study: eBay Surprise

1 Cisco Network Design Models and Security Overview
  Cisco Network Design Models: A Security Perspective
    The Flat Earth Model
    The Star Model
    The Two-Tier Model
    The Ring Model
    The Mesh and Partial Mesh Model
  Network Security Zones
    IDS Sensor Deployment Guidelines
  Cisco Hierarchical Design and Network Security
    The Core Layer
    The Distribution Layer
    The Access Layer

2 Cisco Network Security Elements
  Common Cisco Device Security Features
  Cisco Firewalls
    Packet-Filtering Firewalls
    Stateful Packet-Filtering Firewalls
    Proxy Filters
    PIX Firewall Failover
    Types of Cisco Firewall Hardware
  Cisco Secure IDS and Attack Prevention
    Hardware Standalone IDS Sensors
    Modular IDS Sensors
    Cisco IOS IDS Software
    Cisco PIX Firewalls as IDS Sensors
    Cisco Traffic Anomaly Detector XT 5600
    Cisco Secure IDS Management Consoles
  Cisco VPN Solutions
  Cisco AAA and Related Services
    Overview of AAA Methodology
    Cisco and AAA
  Security Implications of Cisco Internetwork Design and Security Elements

3 Real-World Cisco Security Issues
  Why Do Hackers Want to Enable Your Box?
    What Attackers Gain
    Cisco Appliances and Networks: An Attacker's Perspective
    Attacking Network Protocols
    Hiding Tracks and Forensics on Routers and Switches
  Cisco Network Device Security Auditing and Penetration Testing Foundations
    The Evaluation Process

Part II "I Am Enabled": Hacking the Box
Case Study: The One with a Nessus Report

4 Profiling and Enumerating Cisco Networks
  Online Searching and Cisco Googledorks
    Basic Searching
    Searching Using Google Operators
    Googling for Enable
  Routing Enumeration
    Autonomous System Discovery and Mapping: BGPv4 Interrogation
    Internet Routing Registries, Route Servers, and Looking Glasses Querying
    Mapping IP Addresses to Autonomous Systems
    Enumerating an Autonomous System
    Finding Autonomous Systems That Belong to an Organization
    AS Path Enumeration, Building BGP Trees, and Finding Border Routers
    Routing Domain Number Discovery and Network Mapping for IGPs
    Mapping RIP, IGRP, and IRDP
    Enumerating OSPF
    Analyzing OSPF Enumeration Data

5 Enumerating and Fingerprinting Cisco Devices
  Sniffing for Cisco-Specific Protocols
    Dissecting CDP Frames
  Passive Enumeration and Fingerprinting of Cisco Devices
  Active Enumeration and Fingerprinting of Cisco Devices
    Active Enumeration and Fingerprinting of Cisco Routers
    Active Enumeration and Fingerprinting of Catalyst Switches
    Active Enumeration and Fingerprinting of Other Cisco Appliances
    Using IOS 11.X Memory Leak to Enumerate Remote Cisco Routers

6 Getting In from the Outside: Dead Easy
  Password Attacks
    Mass Guessing/Bruteforcing Attacks Against Open Cisco Telnet Servers
    Password Guessing and Bruteforcing Attacks Against Other Open Cisco Services
  SNMP Community Guessing, Exploitation, and Safeguards
    Cisco SNMP Basics
    SNMP Mass Scanning
    SNMP Bruteforcing and Dictionary Attacks
    SNMP Browsing and Cisco Device Reconfiguration
    Command-Line Remote Cisco Device SNMP Manipulation: IOS Hosts
    Command-Line Remote Cisco Device SNMP Manipulation: CatOS Switches
  Exploiting TFTP Servers to Take Over Cisco Hosts
    Enumerating TFTP Servers
    Sniffing Out Cisco Configuration Files
    Bruteforcing TFTP Servers to Snatch Configs
  Cisco Device Wardialing
    Cisco Router Wardialing 101: Interfaces, Configurations, and Reverse Telnet
    Discovering the Numbers to Dial In
    Getting into a Cisco Router or an Access Server

7 Hacking Cisco Devices: The Intermediate Path
  A Primer on Protocol Implementation Investigation and Abuse: Cisco SNMP Attacks
    SimpleTester and SimpleSleuth
    Oulu University PROTOS Project
    From SNMP Fuzzing to DoS and Reflective DDoS
    From SNMP Stress Testing to Nongeneric DoS
    Hidden Menace - Undocumented SNMP Communities and Remote Access
    Getting In via Observation Skills Alone
    Brief SNMPv3 Security Analysis
  A Primer on Data Input Validation Attack - Cisco HTTP Exploitation
    Basics of Cisco Web Configuration Interface
    Cisco IOS HTTP Administrative Access
    Cisco ATA-186 HTTP Device Configuration Disclosure
    VPN Concentrator HTTP Device Information Leakage
    Other Cisco HTTPd Flaws - A More Sophisticated Approach
    Cisco IOS 2GB HTTP GET Buffer Overflow Vulnerability
  Assessing Security of a Cisco Web Service
    SPIKE and Its Relatives
    The Peach Fuzzer

8 Cisco IOS Exploitation: The Proper Way
  Cisco IOS Architecture Foundations
    Cisco IOS Memory Dissection
  An Exploitation Primer: IOS TFTP Buffer Overflow
    Defeating Check Heaps
  The Curse and the Blessing of IOS Reverse Engineering
    IOS Features and Commands That Can Be (Ab)used by Reverse Engineers
    A Minimalistic Reverse Engineering Arsenal

9 Cracking Secret Keys, Social Engineering, and Malicious Physical Access
  Cisco Appliance Password Cracking
    Cracking Type-7 Passwords
    Cracking MD5 Password Hashes
  Social Engineering Attacks
  Local Device Access
    Local Router Password Reset or Recovery
    Local Switch Password Reset or Recovery
    Local PIX Firewall Password Reset or Recovery
    Local Cisco VPN Concentrator Password Reset or Recovery

10 Exploiting and Preserving Access
  Common Cisco Router, Switch, or Firewall Reconfigurations by Attackers
    Is Anyone Here?
    Covering Tracks
    Looking Around
    Using a Hacked IOS Router to Hide Tracks
    Using a Hacked IOS Router or PIX Firewall to Allow Malicious Traffic Through
    Using a Hacked IOS Router to Mirror, Capture, and Modify Bypassing Traffic
    Sniffing Traffic from a Hacked PIX Firewall
    Sniffing the Network Using a Cisco Catalyst Switch
    (Ab)using Remote SPAN
    The Secret CatOS Enable Engineer Mode
  Further IOS Exploitation and Device Access Preservation
    IOS Binary Patching: Myth and Reality
    TCLing the Router for Fun and Profit

11 Denial of Service Attacks Against Cisco Devices
  DoS Attack Motives
  Types of DoS Attacks
    Consumption of Resources
    Disruption of Information Flow
    Disruption of Communication
  Cisco DoS Assessment Tools
    Cisco Global Exploiter
    Cisco TCP Test Tool
  Well-Known Cisco DoS Vulnerabilities
    Cisco Devices Generic DoS
    ICMP Remote DoS Vulnerabilities
    Malformed SNMP Message DoS Vulnerability
    Examples of Specific DoS Attacks Against Cisco Routers
    Cisco IOS Malformed IKE Packet Remote DoS Vulnerability
    Cisco 44020 Bug
    Examples of Specific DoS Attacks Against Catalyst Switches and Other Cisco Networking Devices
    Cisco Catalyst Memory Leak DoS Vulnerability
    Incorrect TCP Checksum Attack Disrupting Communication Through a PIX Firewall
    Cisco Broadband OS TCP/IP Stack DoS Vulnerability
    Cisco Aironet AP1x00 Malformed HTTP GET DoS Vulnerability
    Cisco Catalyst Nonstandard TCP Flags Remote DoS Vulnerability
  Abusing Cisco Appliances for Nasty DDoS Deeds
    Mass Cisco Pinging, the SNMP Way
    Mass Cisco Pinging, the Telnet Way MK I
    Mass Cisco Pinging, the Telnet Way MK II
    Mass Cisco Flood, the SNMP Way
  DDoS Massive: Revenge of the Kiddies
    Direct DDoS Attacks
    Reflective DDoS Attacks

Part III Protocol Exploitation in Cisco Networking Environments
Case Study: The Flying OSPF Hell

12 Spanning Tree, VLANs, EAP-LEAP, and CDP
  Spanning Tree Protocol Exploitation
    Inserting a Rogue Root Bridge
    Modifying a Traffic Path Without Becoming Root
    Recalculating STP and Data Sniffing
    STP DoS Attacks
  Exploiting VLANs
    DTP Abuse
    802.1q and ISL Exploitation
    Double Tagging VLAN Hopping
    Private VLAN Hopping
    Making Unidirectional Attacks Bidirectional
    VTP Exploitation
    VLAN Query Protocol (VQP) Attacks
    Lateral Means of Bypassing VLAN Segmentation
  Cisco EAP-LEAP Cracking
    EAP-LEAP Basics
    EAP-LEAP Cracking
  Attacking CDP
    A Sneaky CDP Attack

13 HSRP, GRE, Firewalls, and VPN Penetration
  HSRP Exploitation
  GRE Exploitation
    An MTU-Based Attack Against GRE
    GRE Packet Injection
  Cisco Firewall Penetration
    Attacking PIX Protocol Fixups
    Attacking PIX MailGuard
    Attacking PIX FTP Fixup
    TCP RESET Attacks Against PIX Firewalls
  Cisco VPN Hacking
    IPSec-Related Attacks
    Cisco PPTP Hacking

14 Routing Protocols Exploitation
  Introduction to Routing Attacks
    Setting Up a Rogue Router
  Attacking Distance-Vector Routing Protocols
    Attacking RIP
    Malicious Route Insertion via RIP
    RIP Downgrading Attack
    RIP MD5 Hash Cracking Attack
    Attacking IGRP
    Malicious Route Insertion via IGRP
    Attacking EIGRP
    Malicious Route Insertion via EIGRP
    DoS Attacks Against EIGRP Networks
    Attacking Authenticated EIGRP
  Attacking Link State Routing Protocols
    Malicious Route Insertion via OSPF
    Becoming a Designated or Backup Designated OSPF Router
    OSPF MD5 Hash Cracking Attack
    Direct Attack Against an OSPF Router: The OoopSPF Exploit
    Possible DoS Attacks Against OSPF
  Attacking BGPv4
    Malicious BGP Router Reconfiguration
    Attack Scenarios for Malicious BGP Router Reconfiguration
    BGP Router Masquerading Attack
    Man-in-the-Middle Attacks Against BGP Routers
    Cracking BGP MD5 Authentication
    Blind DoS Attacks Against BGP Routers

Part IV Appendixes
Case Study: The Epic Battle
A Network Appliance Security Testing Template
B Lab Router Interactive Cisco Auto Secure Configuration Example
C Undocumented Cisco Commands

About the Authors