http://blogs.cisco.com/security/synful-knock
This is an attack that is successful only if you do not change default passwords on Cisco Routers. But… see below.
In mid-September, Cisco wrote: "Today, Mandiant/FireEye published an article describing an example of this type of attack. This involved a router 'implant' that they dubbed SYNful Knock, reported to have been found in 14 routers across four different countries."
I include these steps as they are useful in a lot of hardening scenarios:
- Step 1: Harden devices – use Cisco’s guidance to harden Cisco IOS devices
- Step 2: Instrument the network – follow the recommendations in Telemetry-Based Infrastructure Device Integrity Monitoring
- Step 3: Establish a baseline – ensure operational procedures include methods to establish a baseline
- Step 4: Analyze deviations from the baseline by leveraging technical capabilities and recommendations for Cisco IOS Software Integrity Assurance.
Sure, we can change the passwords and think we are safe?
No. Now the attacker can use other tools to attack and try to capture the machine, for example:
http://www.commonexploits.com/cisc0wn-cisco-snmp-script/
This script (CISC0WN, spelled with a zero, not an o) attacks routers as follows:
- Checks SNMP is enabled
- Brute forces the SNMP Read Only and Read Write community strings (can edit which wordlist it uses in script header)
- It then enumerates things like IOS, hostname, Arp table, Routing table, interface list and IP addresses using the RO or RW.
- If RW community was found it will then download the router config automatically.
- It then searches and displays any enable or telnet passwords in clear text.
- If it finds Cisco type 7 encoded enable or telnet passwords it will auto decode them.
- It will display the enable secret type 5 password and attempt to crack the MD5. It uses John first with its built-in wordlist for speed; if this fails, it will try a full crack.
And that is a script put together by someone who is willing to share it.
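A defender-side counterpart to that list, added here as an example (not code from the original post or from the cisc0wn author): a small audit that reads a Cisco IOS configuration and flags exactly the settings the script depends on. The sample config text and the GUESSABLE_COMMUNITIES wordlist are constructed for this example.

```python
import re

# Constructed sample IOS config fragment (not from the post); it contains the
# weaknesses the cisc0wn description relies on: guessable community strings,
# an RW community, a reversible type 7 enable password and cleartext telnet.
SAMPLE_CONFIG = """\
hostname edge-rtr1
enable password 7 0822455D0A16
snmp-server community public RO
snmp-server community private RW
line vty 0 4
 password cisco
 transport input telnet
"""

GUESSABLE_COMMUNITIES = {"public", "private", "cisco", "admin", "manager"}

def audit_ios_config(config: str) -> list[str]:
    """Return one finding per weak setting, in config order."""
    findings, has_enable_secret = [], False
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"snmp-server community (\S+)(?: (RO|RW))?", line, re.I)
        if m:
            community, mode = m.group(1), (m.group(2) or "RO").upper()
            if community.lower() in GUESSABLE_COMMUNITIES:
                findings.append(f"guessable SNMP {mode} community '{community}'")
            if mode == "RW":
                findings.append(f"RW community '{community}' lets a reader pull the config")
        elif line.startswith("enable secret"):
            has_enable_secret = True
            if " 5 " in line:  # type 5 = salted MD5, crackable offline with a wordlist
                findings.append("enable secret is type 5 (MD5); prefer type 8 or 9")
        elif line.startswith("enable password"):
            kind = "type 7 (reversible)" if " 7 " in line else "cleartext"
            findings.append(f"enable password is {kind}; use 'enable secret' instead")
        elif line.startswith("password 7 "):
            findings.append("type 7 line password (trivially decoded)")
        elif re.match(r"password \S+", line):  # 'password <cleartext>' on a line/vty
            findings.append(f"cleartext line password '{line.split()[1]}'")
        elif line.startswith("transport input telnet"):
            findings.append("telnet enabled on vty; use 'transport input ssh'")
    if not has_enable_secret:
        findings.append("no 'enable secret' configured")
    return findings

if __name__ == "__main__":
    for finding in audit_ios_config(SAMPLE_CONFIG):
        print("WEAK:", finding)
```

Run it against a `show running-config` export; an empty result on a hardened config (enable secret type 8/9, non-dictionary community strings restricted by ACL, SSH-only vty) is the baseline you want to record under Step 3 above.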
At http://www.infosecisland.com/blogview/10400-New-Metasploit-351-Release-Includes-Cisco-Exploits.html there is a list of 29 Metasploit exploits…
So now, if you do not have a decent password and did not update your IOS software, you are just waiting for the day of the hack.
So what before was a handful of routers on the Internet (200 were compromised according to Cisco/Mandiant) now becomes a much wider net of vulnerable routers for the hacker to catch.
And this is just from a cursory and quick Google search; imagine a hacker with some programming skills attacking …
Remember – just because you can’t program does not mean a hacker also can’t – and they can use their skills in ways you do not even imagine.
We recommend you test, test, test your infrastructure – and keep your IT folks honest.
#testforsecurity