bh-us-02-akin-cisco

Post on 03-Jun-2018

  • 8/12/2019 bh-us-02-akin-cisco

    1/23

    Cisco Router Forensics

    Thomas Akin, CISSP
    Director, Southeast Cybercrime Institute

    Kennesaw State University

    BlackHat Briefings, USA, 2002


    2/23

    Hacking Cisco

    Cisco Bugtraq Vulnerabilities

    1998 - 3
    1999 - 5
    2000 - 23
    2001 - 46
    2002 (est) - 94


    3/23

    Hacking Routers

    Example Exploits:

    HTTP Authentication Vulnerability: using a URL of http://router.address/level/$NUMBER/exec/.... where $NUMBER is an integer between 16 and 99, it is possible for a remote user to gain full administrative access.

    NTP Vulnerability: by sending a crafted NTP control packet, it is possible to trigger a buffer overflow in the NTP daemon.

    SNMP Parsing Vulnerability: malformed SNMP messages received by affected systems can cause various parsing and processing functions to fail, which results in a system crash and reload. In some cases, access-list statements on the SNMP service do not protect the device.


    4/23

    Hacking Routers

    When a router is hacked it allows an attacker to:

        DoS or disable the router and network
        Compromise other routers
        Bypass firewalls, IDS systems, etc.
        Monitor and record all outgoing and incoming traffic
        Redirect whatever traffic they desire


    5/23

    Cisco Routers in a Nutshell

    Flash (persistent) holds:
        Startup configuration
        IOS files

    RAM (non-persistent) holds:
        Running configuration
        Dynamic tables, e.g.:
            ARP
            Routing
            NAT
            ACL violations
            Protocol statistics
            etc.


    6/23

    Router Forensics v/s Traditional Forensics

    Traditional Forensics
        Immediately shut down the system (or pull the power cord)
        Make a forensic duplicate
        Perform analysis on the duplicate
        Live system data is rarely recovered.

    Router Forensics
        Live system data is the most valuable.
        Immediate shutdown destroys all of this data.
        Persistent (flash) data will likely be unchanged and useless.
        Investigators must recover live data for analysis


    7/23

    Computer Forensics: The Unholy Grail

    The goal is to catch the criminal behind the keyboard, not to find fascinating computer evidence.

    Computer evidence is never the smoking gun. Most often computer evidence either:
        Provides leads to other evidence
        Corroborates other evidence



    9/23

    Example CoC Form


    10/23

    Example CoC Form


    11/23

    Incident Response

    DO NOT REBOOT THE ROUTER.

    Change nothing, record everything.

    Before you say it is an accident, make sure it isn't an incident.
    Before you say it is an incident, make sure it isn't an accident.


    12/23

    Accessing the Router

    DO
        Access the router through the console
        Record your entire console session
        Run show commands
        Record the actual time and the router's time
        Record the volatile information

    DON'T
        REBOOT THE ROUTER
        Access the router through the network
        Run configuration commands
        Rely only on persistent information


    13/23

    Recording Your Session

    Always start recording your session before you even log onto the router.

    Frequently show the current time with the show clock detail command.
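The reason for recording both clocks is that every timestamp the router later hands you (log buffer, NAT table age, uptime) is on the router's clock, which may be unsynchronised. The script below is an added example, not part of the original presentation: it reads a constructed session capture in which the investigator noted the real time and then ran show clock detail, measures the offset, and converts a router timestamp back to real time (the output format of show clock detail is assumed from the sample).

```python
import re
from datetime import datetime

# Constructed sample of a recorded console session: the investigator notes the
# real time, then runs "show clock detail" on the router (assumed output format).
SESSION_SNIPPET = """\
Investigator time: Aug 1 2002 14:05:12 UTC
Router#show clock detail
*14:01:40.233 UTC Thu Aug 1 2002
Time source is hardware calendar
"""

# First line of "show clock detail" (assumed, as in the sample above):
# optional status flag, time with milliseconds, zone, weekday, month, day, year.
CLOCK_RE = re.compile(
    r"^(?P<flag>[*.]?)(?P<time>\d{2}:\d{2}:\d{2}\.\d{3}) (?P<zone>\S+) "
    r"\w{3} (?P<date>\w{3} \d{1,2} \d{4})$",
    re.M,
)

def parse_show_clock(text):
    """Return (router_time, zone, authoritative) from 'show clock detail' output.
    A leading '*' means the router clock is not authoritative and '.' that it
    is authoritative but lost sync; either way do not trust it without the
    offset measured below."""
    m = CLOCK_RE.search(text)
    if m is None:
        raise ValueError("no 'show clock detail' output found")
    when = datetime.strptime(f"{m['date']} {m['time']}", "%b %d %Y %H:%M:%S.%f")
    return when, m["zone"], m["flag"] == ""

def clock_offset(session_text):
    """Offset = router clock minus real time (both must be in the same zone).
    Negative means the router's clock is behind real time."""
    m = re.search(r"Investigator time: (\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}) (\S+)",
                  session_text)
    real_time = datetime.strptime(m.group(1), "%b %d %Y %H:%M:%S")
    router_time, zone, _ = parse_show_clock(session_text)
    if zone != m.group(2):
        raise ValueError("router and investigator times are in different zones")
    return router_time - real_time

def to_real_time(router_stamp, offset):
    """Convert a timestamp taken from the router (e.g. a log buffer entry)
    to real time by removing the measured offset."""
    return router_stamp - offset
```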


    14/23

    Volatile Evidence

    Direct Access

    show clock detail
    show version
    show running-config
    show startup-config
    show reload
    show ip route
    show ip arp
    show users
    show logging
    show ip interface
    show interfaces
    show tcp brief all
    show ip sockets
    show ip nat translations verbose
    show ip cache flow
    show ip cef
    show snmp user
    show snmp group
    show clock detail


    15/23

    Volatile Evidence

    Indirect Access

    Remote evidence may be all you can get if the passwords have been changed.

    Port scan each router IP:
        nmap -v -sS -P0 -p 1- Router.domain.com
        nmap -v -sU -P0 -p 1- Router.domain.com
        nmap -v -sR -P0 -p 1- Router.domain.com

    SNMP scan each router IP:
        snmpwalk -v1 Router.domain.com public
        snmpwalk -v1 Router.domain.com private


    16/23

    Intrusion Analysis

    IOS Vulnerabilities

    Running v/s Startup configurations

    Logging

    Timestamps
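Comparing the running configuration (RAM) with the startup configuration (flash) is one of the analysis steps listed above: any statement present in one but not the other was changed after the last write to flash, which is exactly the live data a reboot would destroy. The script below is an added example, not from the presentation; it diffs two constructed, shortened captures of show startup-config and show running-config (the password hashes are placeholders).

```python
import difflib

# Constructed sample captures (shortened): "show startup-config" from flash and
# "show running-config" from RAM. Hashes are placeholders, not real secrets.
STARTUP_CONFIG = """\
version 12.2
hostname Router
enable secret 5 $1$CONSTRUCTED$examplehash
username admin privilege 15 secret 5 $1$CONSTRUCTED$examplehash
!
snmp-server community public RO
logging Syslog-server.domain.com
access-list 148 deny udp 130.18.59.0 0.0.0.255 any eq 53 log-input
end
"""
RUNNING_CONFIG = """\
Building configuration...
!
version 12.2
hostname Router
enable secret 5 $1$CONSTRUCTED$examplehash
username admin privilege 15 secret 5 $1$CONSTRUCTED$examplehash
username support privilege 15 secret 5 $1$CONSTRUCTED$otherhash
!
snmp-server community public RO
snmp-server community private RW
access-list 148 deny udp 130.18.59.0 0.0.0.255 any eq 53 log-input
end
"""

# Lines IOS prints around a config that are not configuration statements.
NOISE_PREFIXES = ("Building configuration", "Current configuration", "Using ")

def statements(config_text):
    """Configuration statements only: drop banners, '!' separators and blanks."""
    return [ln.rstrip() for ln in config_text.splitlines()
            if ln.strip() and ln.strip() != "!" and not ln.startswith(NOISE_PREFIXES)]

def config_diff(startup, running):
    """Return (only_in_running, only_in_startup): statements changed after the
    last 'write memory', i.e. live-only evidence that a reboot would erase."""
    added, removed = [], []
    for line in difflib.unified_diff(statements(startup), statements(running),
                                     n=0, lineterm=""):
        if line.startswith(("+++", "---", "@@")):
            continue
        if line.startswith("+"):
            added.append(line[1:])
        elif line.startswith("-"):
            removed.append(line[1:])
    return added, removed
```

In the constructed sample the diff surfaces an extra privilege-15 user, a new read-write SNMP community, and the removal of the syslog destination, all of which exist only in RAM.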


    17/23

    Logging

    Console Logging: these will be captured by recording your session.

    Buffer Logging: if buffered logging is turned on, the show logging command will show you the contents of the router log buffer, what level logging is performed at, and what hosts logging is sent to.

    Terminal Logging: this allows non-console sessions to view log messages.

    Syslog Logging: log messages are sent to a syslog server when logging is turned on and the logging <servername> command is set.


    18/23

    Logging

    SNMP Logging: if SNMP is running, SNMP traps may be sent to a logging server.

    AAA Logging: if AAA is running, check the aaa accounting commands to see what logging is being sent to the Network Access Server.

    ACL Violation Logging: ACLs can be configured to log any packets that match their rules by ending the ACL with the log or log-input keywords. These log messages are sent to the router's log buffer and to the syslog server.


    19/23

    Real Time Forensics

    After removing or collecting information from your compromised router you can use the router to help monitor the network and itself by turning on logging if it wasn't previously.

    Router#config terminal
    Router(config)#service timestamps log datetime msec localtime show-timezone
    Router(config)#no logging console
    Router(config)#logging on
    Router(config)#logging buffered 32000
    Router(config)#logging buffered informational
    Router(config)#logging facility local6
    Router(config)#logging trap informational
    Router(config)#logging Syslog-server.domain.com


    20/23

    Real Time Forensics

    Using AAA provides even greater ability to log information. TACACS+ even allows you to log every command executed on the router to your Network Access Server.

    Router#config terminal
    Router(config)#aaa accounting exec default start-stop group tacacs+
    Router(config)#aaa accounting system default stop-only group tacacs+
    Router(config)#aaa accounting connection default start-stop group tacacs+
    Router(config)#aaa accounting network default start-stop group tacacs+


    21/23

    Real Time Forensics

    You can also use ACL logging to count packets and log specific events. By configuring syslog logging and analyzing your syslog files in real time you can perform real time monitoring.

    The ACL

    access-list 149 permit tcp host 130.18.59.1 any eq 161 log-input

    will not block any packets, but will log all incoming SNMP requests from 130.18.59.1 to any internal host.

    The ACLs

    access-list 148 deny tcp 130.18.59.0 0.0.0.255 any eq 53 log-input
    access-list 148 deny udp 130.18.59.0 0.0.0.255 any eq 53 log-input

    will block and log any DNS packets from the subnet 130.18.59.0/24 to any internal host.
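The real-time monitoring described above depends on parsing the %SEC-6-IPACCESSLOGP messages that log-input entries produce. The script below is an added example, not from the presentation: it parses constructed syslog lines for lists 148 and 149 (the interface/MAC field only appears with log-input, and IOS rate-limits repeats into "N packets" summaries that must be summed rather than counted) and aggregates packets per list, source and destination port.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the shape IOS emits for ACL entries that
# end in "log-input" (the "(interface mac)" part is absent with plain "log").
SAMPLE_SYSLOG = """\
Aug  1 14:10:02 Router 117: *Aug  1 14:10:01.511 UTC: %SEC-6-IPACCESSLOGP: list 148 denied udp 130.18.59.7(3456) (FastEthernet0/0 0010.a4e2.7b1c) -> 10.1.1.53(53), 1 packet
Aug  1 14:10:09 Router 118: *Aug  1 14:10:08.920 UTC: %SEC-6-IPACCESSLOGP: list 149 permitted tcp 130.18.59.1(40321) (FastEthernet0/0 0010.a4e2.0001) -> 10.1.1.20(161), 1 packet
Aug  1 14:15:02 Router 119: *Aug  1 14:15:01.004 UTC: %SEC-6-IPACCESSLOGP: list 148 denied udp 130.18.59.7(3457) (FastEthernet0/0 0010.a4e2.7b1c) -> 10.1.1.53(53), 42 packets
Aug  1 14:15:30 Router 120: *Aug  1 14:15:29.117 UTC: %SEC-6-IPACCESSLOGP: list 148 denied tcp 130.18.59.200(1025) -> 10.1.1.53(53), 1 packet
Aug  1 14:16:00 Router 121: *Aug  1 14:15:59.000 UTC: %SYS-5-CONFIG_I: Configured from console by vty0 (10.1.1.99)
"""

ACL_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\)(?: \((?P<iface>\S+) (?P<mac>[0-9a-f.]+)\))? "
    r"-> (?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

def parse_acl_logs(text):
    """Yield one dict per ACL log message; other syslog lines are skipped."""
    for line in text.splitlines():
        m = ACL_LOG_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["count"] = int(rec["count"])   # "42 packets" summary, not 1 line
            yield rec

def summarize(text):
    """Packets per (acl, action, proto, src, dport), summing per-message counts
    so the rate-limited summaries are not undercounted."""
    totals = Counter()
    for rec in parse_acl_logs(text):
        key = (rec["acl"], rec["action"], rec["proto"], rec["src"], rec["dport"])
        totals[key] += rec["count"]
    return totals

def top_sources(text, acl, n=5):
    """Most active source addresses seen by one access list."""
    per_src = Counter()
    for rec in parse_acl_logs(text):
        if rec["acl"] == acl:
            per_src[rec["src"]] += rec["count"]
    return per_src.most_common(n)
```

Note that SNMP normally runs over UDP port 161, so the tcp entry in list 149 above would only log unusual TCP-based SNMP; a matching udp entry is needed to see ordinary SNMP requests.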



    23/23

    Thank you!

    Thomas [email protected]

    http://cybercrime.kennesaw.edu

    On your conference CD you will find:

    A copy of this presentation

    A router forensics checklist

    A sample Chain of Custody form

    A sample Evidence Receipt tag