bh-us-02-akin-cisco
TRANSCRIPT
-
8/12/2019 bh-us-02-akin-cisco
1/23
Cisco Router Forensics
Thomas Akin, CISSP
Director, Southeast Cybercrime Institute
Kennesaw State University
BlackHat Briefings, USA, 2002
-
Hacking Cisco
Cisco Bugtraq Vulnerabilities
1998 - 3
1999 - 5
2000 - 23
2001 - 46
2002 (est) - 94
-
Hacking Routers
Example Exploits:
HTTP Authentication Vulnerability: using a URL of http://router.address/level/$NUMBER/exec/.... where $NUMBER is an integer between 16 and 99, it is possible for a remote user to gain full administrative access.
NTP Vulnerability: by sending a crafted NTP control packet, it is possible to trigger a buffer overflow in the NTP daemon.
SNMP Parsing Vulnerability: malformed SNMP messages received by affected systems can cause various parsing and processing functions to fail, which results in a system crash and reload. In some cases, access-list statements on the SNMP service do not protect the device.
-
Hacking Routers
When a router is hacked it allows an attacker to:
DoS or disable the router & network
Compromise other routers
Bypass firewalls, IDS systems, etc.
Monitor and record all outgoing and incoming traffic
Redirect whatever traffic they desire
-
Cisco Routers in a Nutshell
Flash (persistent) holds:
  Startup configuration
  IOS files
RAM (non-persistent) holds:
  Running configuration
  Dynamic tables, e.g.:
    ARP
    Routing
    NAT
    ACL violations
    Protocol statistics
    Etc.
-
Router Forensics vs. Traditional Forensics
Traditional Forensics:
Immediately shut down the system (or pull the power cord)
Make a forensic duplicate
Perform analysis on the duplicate
Live system data is rarely recovered.
Router Forensics:
Live system data is the most valuable.
Immediate shutdown destroys all of this data.
Persistent (flash) data will likely be unchanged and useless.
Investigators must recover live data for analysis.
-
Computer Forensics: The Unholy Grail
The goal is to catch the criminal behind the keyboard, not to find fascinating computer evidence.
Computer evidence is never the smoking gun.
Most often computer evidence either:
Provides leads to other evidence
Corroborates other evidence
-
Example CoC Form
-
Example CoC Form
-
Incident Response
DO NOT REBOOT THE ROUTER.
Change nothing, record everything.
Before you say it is an accident, make sure it isn't an incident.
Before you say it is an incident, make sure it isn't an accident.
-
Accessing the Router
DO:
Access the router through the console
Record your entire console session
Run show commands
Record the actual time and the router's time
Record the volatile information
DON'T:
REBOOT THE ROUTER
Access the router through the network
Run configuration commands
Rely only on persistent information
-
Recording Your Session
Always start recording your session before you even log onto the router.
Frequently show the current time with the show clock detail command.
-
Volatile Evidence
Direct Access
show clock detail
show version
show running-config
show startup-config
show reload
show ip route
show ip arp
show users
show logging
show ip interface
show interfaces
show tcp brief all
show ip sockets
show ip nat translations verbose
show ip cache flow
show ip cef
show snmp user
show snmp group
show clock detail
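The session-recording practice from the preceding slides (record everything, note the examiner's time and the router's time, keep the output for the chain of custody) can be scripted. The following is an added example, not the author's or Cisco's code: it runs the slide's read-only show commands through a caller-supplied `send(command) -> str` function (pyserial, a terminal server, or the constructed fake console below), stamps each command with the examiner's clock, hashes the transcript, and computes the router's clock skew from the first `show clock detail` line. The clock-line layout and the meaning of its leading `*` are assumptions based on IOS behaviour; all sample output is constructed.

```python
"""Added example (not Cisco's or the talk's own code): a console-session
recorder for the volatile-evidence commands on the slide. It assumes the
caller supplies `send(command) -> str` (pyserial, a terminal server, or
the constructed fake console below); everything else is standard library."""
import hashlib
import re
from datetime import datetime, timezone

# Read-only "show" commands only, in the slide's order. The clock is read
# first and last so the transcript brackets the router's own idea of time.
VOLATILE_COMMANDS = [
    "show clock detail", "show version", "show running-config",
    "show startup-config", "show reload", "show ip route", "show ip arp",
    "show users", "show logging", "show ip interface", "show interfaces",
    "show tcp brief all", "show ip sockets", "show ip nat translations verbose",
    "show ip cache flow", "show ip cef", "show snmp user", "show snmp group",
    "show clock detail",
]

# First line of `show clock detail`, e.g. "*10:15:42.117 UTC Mon Aug 12 2002".
# Assumed IOS convention: a leading '*' means the clock is not authoritative.
CLOCK_RE = re.compile(
    r"^(?P<flag>[*.]?)(?P<time>\d{2}:\d{2}:\d{2})\.\d+ (?P<tz>\S+) "
    r"\w{3} (?P<mon>\w{3}) (?P<dom>\d{1,2}) (?P<year>\d{4})"
)


def parse_router_clock(output):
    """Return (router datetime, authoritative?) from show clock detail output.
    The datetime is timezone-aware only when the router reports UTC."""
    m = CLOCK_RE.match(output.strip().splitlines()[0])
    if not m:
        raise ValueError("unrecognised clock line: %r" % output)
    stamp = "%s %s %s %s" % (m["dom"], m["mon"], m["year"], m["time"])
    when = datetime.strptime(stamp, "%d %b %Y %H:%M:%S")
    if m["tz"] == "UTC":
        when = when.replace(tzinfo=timezone.utc)
    return when, m["flag"] == ""


def collect(send, commands=VOLATILE_COMMANDS, now=None):
    """Run each command, stamp it with the examiner's clock, and return
    (transcript, sha256 of transcript, router clock skew in seconds or None).
    The hash goes on the chain-of-custody form; the skew lets router log
    timestamps be aligned with other evidence."""
    now = now or (lambda: datetime.now(timezone.utc))
    lines, skew = [], None
    for cmd in commands:
        taken = now()
        out = send(cmd)
        lines.append("### %s  examiner-time=%s" % (cmd, taken.isoformat()))
        lines.append(out.rstrip("\n"))
        if cmd == "show clock detail" and skew is None:
            router_time, _ = parse_router_clock(out)
            if router_time.tzinfo is not None:
                skew = (router_time - taken).total_seconds()
    transcript = "\n".join(lines) + "\n"
    return transcript, hashlib.sha256(transcript.encode()).hexdigest(), skew


# Constructed stand-in for a real console; the output below is sample text.
FAKE_OUTPUT = {
    "show clock detail": "*10:15:42.117 UTC Mon Aug 12 2002\nNo time source\n",
    "show users": ("    Line       User       Host(s)      Idle       Location\n"
                   "*  0 con 0               idle         00:00:00\n"),
}


def fake_send(cmd):
    return FAKE_OUTPUT.get(cmd, "(sample output for '%s' not constructed)\n" % cmd)


def demo():
    """Stand-alone run against the fake console with a fixed examiner clock."""
    fixed = lambda: datetime(2002, 8, 12, 10, 15, 40, tzinfo=timezone.utc)
    return collect(fake_send, ["show clock detail", "show users"], now=fixed)


if __name__ == "__main__":
    transcript, digest, skew = demo()
    print(transcript)
    print("sha256:", digest, "router clock skew (s):", skew)
```

Against a real console the examiner would write the transcript to a file, record its digest on the evidence receipt, and keep the skew value beside it: a router that is two seconds ahead of a trusted clock (the `demo()` case) makes its log timestamps usable, while a large or non-authoritative skew is itself something to note.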
-
Volatile Evidence
Indirect Access
Remote evidence may be all you can get if the passwords have been changed.
Port scan each router IP:
nmap -v -sS -P0 -p 1- Router.domain.com
nmap -v -sU -P0 -p 1- Router.domain.com
nmap -v -sR -P0 -p 1- Router.domain.com
SNMP scan each router IP:
snmpwalk -v1 Router.domain.com public
snmpwalk -v1 Router.domain.com private
-
Intrusion Analysis
IOS Vulnerabilities
Running vs. Startup configurations
Logging
Timestamps
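Comparing the running configuration against the startup configuration is listed above as one of the four analysis steps. The following is an added example, not part of the talk and not Cisco code: it strips the banner lines IOS prints around `show running-config` and `show startup-config`, diffs the remaining statements, and tags each changed line with an assumed watch-list category (credentials, management services, filtering, logging, routing). The two configurations, including the `enable secret` and `username` hash strings, are constructed samples.

```python
"""Added example (not from the talk, not Cisco code): diff a captured
running-config against the startup-config and classify every changed line.
Input is the raw text of `show running-config` / `show startup-config`;
the two configs below are constructed samples, including the hashes."""
import difflib
import re

# Lines IOS prints around a config that carry no configuration meaning.
NOISE = re.compile(r"^(Building configuration|Current configuration|Using \d+ out of|!|\s*$)")

# Assumed watch-list of statements worth a second look when they change.
WATCH = [
    ("credentials", re.compile(r"^(username|enable (secret|password)|line (vty|aux|con)|password|login)")),
    ("management", re.compile(r"^(ip http|snmp-server|ip ssh|ntp |transport input)")),
    ("filtering", re.compile(r"^(access-list|ip access-list|ip access-group)")),
    ("logging", re.compile(r"^(no )?(logging|service timestamps|aaa )")),
    ("routing", re.compile(r"^(ip route|router |ip nat|interface |tunnel )")),
]


def normalise(config):
    """Drop banner/blank/comment lines so only statements are compared."""
    return [ln.rstrip() for ln in config.splitlines() if not NOISE.match(ln)]


def classify(line):
    text = line.lstrip()
    for category, rx in WATCH:
        if rx.match(text):
            return category
    return "other"


def config_drift(startup, running):
    """Return [(op, category, line)] for every statement that differs:
    '+' is only in running-config (changed in RAM since the last save),
    '-' is only in startup-config (removed or replaced in RAM)."""
    before, after = normalise(startup), normalise(running)
    findings = []
    for ln in difflib.unified_diff(before, after, lineterm="", n=0):
        if ln.startswith(("+++", "---", "@@")):
            continue
        findings.append((ln[0], classify(ln[1:]), ln[1:]))
    return findings


def summary(findings):
    """Count of changed statements per category, for the examiner's notes."""
    counts = {}
    for _, category, _ in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts


# Constructed sample: what was saved to flash ...
STARTUP = """\
Using 612 out of 32762 bytes
!
version 12.2
service timestamps log datetime msec localtime show-timezone
hostname edge-rtr
!
enable secret 5 $1$SAMPLE$placeholderhashxxxxxxxxxxx
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip access-group 148 in
!
access-list 148 deny udp 130.18.59.0 0.0.0.255 any eq 53 log-input
snmp-server community public RO
logging 192.0.2.50
line vty 0 4
 login
 transport input telnet
!
end
"""

# ... and what is live in RAM on the compromised router (constructed).
RUNNING = """\
Building configuration...

Current configuration : 701 bytes
!
version 12.2
service timestamps log datetime msec localtime show-timezone
hostname edge-rtr
!
enable secret 5 $1$SAMPLE$placeholderhashxxxxxxxxxxx
username svc privilege 15 secret 5 $1$SAMPLE$anotherplaceholderhash
!
ip http server
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
!
access-list 148 deny udp 130.18.59.0 0.0.0.255 any eq 53 log-input
snmp-server community public RW
logging 192.0.2.50
line vty 0 4
 login
 transport input telnet
!
end
"""

if __name__ == "__main__":
    findings = config_drift(STARTUP, RUNNING)
    for op, category, line in findings:
        print(op, category.ljust(11), line)
    print(summary(findings))
```

On the sample input the diff surfaces a new privilege-15 user, the HTTP server being enabled, the inbound ACL being removed from the interface and the SNMP community changed to read-write, all of which exist only in RAM. A reboot would have destroyed exactly that evidence, which is the point of the "do not reboot" rule.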
-
Logging
Console Logging: These will be captured by recording your session.
Buffer Logging: If buffered logging is turned on, the show logging command will show you the contents of the router log buffer, what level logging is performed at, and what hosts logging is sent to.
Terminal Logging: This allows non-console sessions to view log messages.
Syslog Logging: Log messages are sent to a syslog server when logging is turned on and the logging <servername> command is set.
-
Logging
SNMP Logging: If SNMP is running, SNMP traps may be sent to a logging server.
AAA Logging: If AAA is running, check the aaa accounting commands to see what logging is being sent to the Network Access Server.
ACL Violation Logging: ACLs can be configured to log any packets that match their rules by ending the ACL entry with the log or log-input keywords. These log messages are sent to the router's log buffer and to the syslog server.
-
Real Time Forensics
After removing or collecting information from your compromised router you can use the router to help monitor the network and itself by turning on logging if it wasn't previously.
Router#config terminal
Router(config)#service timestamps log datetime msec localtime show-timezone
Router(config)#no logging console
Router(config)#logging on
Router(config)#logging buffered 32000
Router(config)#logging buffered informational
Router(config)#logging facility local6
Router(config)#logging trap informational
Router(config)#logging Syslog-server.domain.com
-
Real Time Forensics
Using AAA provides even greater ability to log information. TACACS+ even allows you to log every command executed on the router to your Network Access Server.
Router#config terminal
Router(config)#aaa accounting exec default start-stop group tacacs+
Router(config)#aaa accounting system default stop-only group tacacs+
Router(config)#aaa accounting connection default start-stop group tacacs+
Router(config)#aaa accounting network default start-stop group tacacs+
-
Real Time Forensics
You can also use ACL logging to count packets and log specific events. By configuring syslog logging and analyzing your syslog files in real time you can perform real time monitoring.
The ACL
access-list 149 permit tcp host 130.18.59.1 any eq 161 log-input
will not block any packets, but will log all incoming SNMP requests from 130.18.59.1 to any internal host.
The ACLs
access-list 148 deny tcp 130.18.59.0 0.0.0.255 any eq 53 log-input
access-list 148 deny udp 130.18.59.0 0.0.0.255 any eq 53 log-input
will block and log any DNS packets from the subnet 130.18.59.0/24 to any internal host.
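The real-time monitoring described above means reading the `%SEC-6-IPACCESSLOGP` messages that `log` and `log-input` entries emit. The following is an added example, not part of the talk: a parser for those messages that sums the packet counts per flow (IOS logs the first matching packet immediately and then periodic "N packets" summaries, so counts must be added, not counted) and lists the sources being denied. The message layout is taken from IOS documentation and is an assumption here; the six log lines, addresses and MAC addresses are constructed samples modelled on ACLs 148 and 149 from the slide.

```python
"""Added example (not from the talk): parse the %SEC-6-IPACCESSLOGP messages
that `log`/`log-input` ACL entries produce, add up the per-flow packet
counts, and list the sources being denied. The message layout is taken from
IOS documentation; the log lines below are constructed samples."""
import re
from collections import Counter

ACL_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGN?P: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)(?:\((?P<sport>\d+)\))?"
    r"(?: \((?P<iface>\S+) (?P<mac>[0-9a-fA-F.]+)\))?"   # only with log-input
    r" -> (?P<dst>[\d.]+)(?:\((?P<dport>\d+)\))?, (?P<count>\d+) packets?"
)

# Constructed sample syslog lines (not real traffic); ACL 149 permits and
# logs SNMP from 130.18.59.1, ACL 148 denies and logs DNS from 130.18.59.0/24.
SAMPLE_LOG = """\
Aug 12 10:20:01.512 UTC: %SEC-6-IPACCESSLOGP: list 149 permitted tcp 130.18.59.1(40215) (FastEthernet0/0 0002.0a1b.2c3d) -> 192.0.2.10(161), 1 packet
Aug 12 10:20:03.118 UTC: %SEC-6-IPACCESSLOGP: list 148 denied udp 130.18.59.7(53121) (FastEthernet0/0 0002.0a1b.2c3e) -> 192.0.2.5(53), 1 packet
Aug 12 10:25:03.118 UTC: %SEC-6-IPACCESSLOGP: list 148 denied udp 130.18.59.7(53121) (FastEthernet0/0 0002.0a1b.2c3e) -> 192.0.2.5(53), 43 packets
Aug 12 10:25:04.001 UTC: %SEC-6-IPACCESSLOGP: list 148 denied tcp 130.18.59.9(1025) (FastEthernet0/0 0002.0a1b.2c3f) -> 192.0.2.5(53), 1 packet
Aug 12 10:25:09.220 UTC: %SYS-5-CONFIG_I: Configured from console by vty0 (198.51.100.23)
Aug 12 10:26:00.000 UTC: %SEC-6-IPACCESSLOGP: list 149 permitted tcp 130.18.59.1(40216) (FastEthernet0/0 0002.0a1b.2c3d) -> 192.0.2.11(161), 1 packet
"""


def parse_acl_events(text):
    """One dict per ACL log message; unrelated syslog lines are skipped."""
    events = []
    for line in text.splitlines():
        m = ACL_LOG_RE.search(line)
        if m:
            ev = m.groupdict()
            ev["count"] = int(ev["count"])
            events.append(ev)
    return events


def packets_by_flow(events):
    """Total packets per (acl, action, src, dst, dport). IOS logs the first
    packet at once and then periodic 'N packets' summaries, so summing the
    count field is what gives the true volume."""
    totals = Counter()
    for ev in events:
        totals[(ev["acl"], ev["action"], ev["src"], ev["dst"], ev["dport"])] += ev["count"]
    return totals


def denied_sources(events, threshold=1):
    """Sources whose denied packets reach the threshold, busiest first."""
    per_src = Counter()
    for ev in events:
        if ev["action"] == "denied":
            per_src[ev["src"]] += ev["count"]
    return [(src, n) for src, n in per_src.most_common() if n >= threshold]


if __name__ == "__main__":
    evs = parse_acl_events(SAMPLE_LOG)
    for key, n in sorted(packets_by_flow(evs).items()):
        print(n, key)
    print("denied sources:", denied_sources(evs, threshold=10))
```

Fed from a syslog file (or a pipe from the syslog daemon) this gives the per-source view the slide asks for. One caveat on the ACLs themselves: every IOS access list ends in an implicit deny, so a list consisting only of the single `permit ... 161 log-input` entry above blocks everything else on the interface it is applied to; the permit entry is normally followed by the broader permit the network needs.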
-
Thank you!
Thomas [email protected]
http://cybercrime.kennesaw.edu
On your conference CD you will find:
A copy of this presentation
A router forensics checklist
A sample Chain of Custody form
A sample Evidence Receipt tag