Examination of the vulnerabilities of the Cisco IOS

cisco

Cisco’s IOS is multiplatform, so, runs on many different devices. It is compatible with file servers, routers, LAN and WAN switches, ATM switches, personal computers and hubs and any device that is used in an internetwork. There are four main sectors within enterprise internetworks that are dependant on Cisco devices and it is what Cisco focuses on. Cisco Support Community (2006) discuss this on their website.
1. The Core: The overall view of the internetworks. Where Cisco provide wide area connections spanning around the world.
2. The Workgroup: Cisco provides devices for end users, to utilise bandwidth capabilities.
3. The Remote Access: This provides users with cost effective and easily managed connectivity on mobile devices or PC’s.
4. The IBM Internetworking: Cisco also provides devices for, according to Cisco, “a safe and secure migration path for IBM SNA network applications.”

We will not be testing on a live network so we have set up the following topology in GNS3.

Topology

The router R1 is the c3700 model. We have placed a switch(sw1) in the network also, just for handiness. The switch will only be used to direct traffic. As we can also see, we have a cloud (c1). This represents our Backtrack attacking machine. Backtrack is running on VMWare Workstation and is bridged to this virtual network. R1 has been configured with an IP of 192.168.2.3 and an enable password, which for handiness we have configured as “cisco”. The switch does not require
an IP and therefore has none. Our virtual Backtrack machine has been configured with an IP of 192.168.2.10. For now we will concentrate on just the one router.

Now, it is a good idea to nmap the router from Backtrack to see what services are available to us on the router. Nmap comes as a default program on Backtrack.

nmap
Nmap results

There is, at present, just a basic configuration on the router. As we can see, some of the port that are open include port 25, for smtp, a mail transfer protocol. On port 110 we have pop3, this is a protocol for accessing email and so on.
Next, as an attacker might do, we will try to telnet into the router. Because anyone that deals with security knows that telnet is a notoriously unsecure protocol. Because we have configured a password on the router, we will be prompted to enter a password.

routerAccessThroughTelnet
Telnet session

There are currently no users on the router, so we are just asked for a password. As an attacker, there are a few ways to obtain the password of the router to gain access. One way is in Backtrack, if we choose Applications/Vulnerability Assessment/Network Assessment/Cisco Tools/cisco-auditing-tools. This tool has a dictionary built in to test the password,
but we can also add our own password list if we wish. In our case we will use our own wordlist to brute force the router to find the password.

Cisco auditing tool presents us with a few options. The command we want to use here is
./CAT -h 192.168.2.3 -a wordlist.txt.

auditingscan
Cisco auditing tool

The software goes through the wordlist, line by line, comparing the password of the router to each entry. And we can also see that it has guessed our password correctly. So if we telnet into the router from the command line again, this time entering the password, we gain access to the router.

Security wise, this tells us that configuring a router with users, good line passwords, vty passwords and auxillary passwords is the way to go, having these configurations in place makes it a lot harder for an attacker to gain access. As well as being so easy to telnet into the router, we can type 192.168.2.3 into our browser, enter the cisco password and we gain access this way too.

R1Access
Access to the router through our browser

Another tool in Backtrack we can use Xhydra. This gives us a GUI interface that gives us attack options.

xhydraattack
XHydra variables

For us to guess admin passwords, we simply add the ip in the space provided, use telnet as our protocol and check on port 23.

xhydrapasswordsguessed
Passwords found

And within seconds Xhydra has guessed both admin vty and line passwords for admin.

We are now going to look at a flooding tool called Yersinia, this tool gives us the option of flooding the router’s CDP table with CDP packets, another vulnerability of the Cisco router. To start the attack we choose Launch Attack and Yersinia gives us the following options.

yersiniaattack

To flood the router’s table we will choose the Flooding CDP table option and hit OK. Next we go to our router and see the results. By using the command:
R!# show cdp traffic

cdpflooding

Mitigating the problems posed in the last paragraph requires the router to use higher security measures. Now we will look at how we configure the router with usernames, and encrypted passwords.
Step 1. Configure a minimum password length on the router. The more characters that are used the more secure the password. We do this by typing the following command in global config mode on the router:
R1(config)# security passwords minimum-length 10
This sets the minimum length to ten characters. Next we configure the enable password on the router:
R1(config)# enable secret cisco12345
The secret command ensures that the password of cisco12345 is encrypted. Now we can configure the basic console with a password and to log out after 5 minutes of inactivity:
R1(config)# line console 0
R1(config-line)# password ciscoconpass
R1(config-line)# exec-timeout 5 0
R1(config-line)# login
The exec-timeout command could be configured to never log out, but this would be bad security practice. To do so we would set it to 0 0. Now we can configure a password for the auxillary port on the router.
R1(config)# line aux 0
R1(config-line)# password ciscoauxpass
R1(config-line)# exec-timeout 5 0
R1(config-line)# login
Next we want to configure the vty lines on the router:
R1(config)# line vty 0 4
R1(config-line)# password ciscovtypass
R1(config-line)# exec-timout 5 0
R1(config-line)# login
At this stage anyone trying to telent to the router will be asked to provide a password. If they get by that stage, any actions the attacker can do on the router, like escalating privileges, will be prompted for a password also. The next step is to encrypt plain text passwords. To do this we use the following command:
R1(config)# service password-encryption
And that is it. The console, vty line and auxillary line passwords are encrypted, rendering them useless to an attacker. At this point in time it’s probably a good idea to have a banner letting anyone who tries to log into the router know, that access is prohibited to unauthorised users:
R1(config-line)# banner motd $No unauthorised access.$
For more advanced security options we can also add user accounts on the router. This slows an attacker also as they may have to not only brute force passwords, but also the usernames associated with those passwords. To add a user with an MD5 encrypted password:
R1(config)# username user01 secret user01pass
For added security we can just set the AUX port to only use local login accounts. And also configure the line and console ports to do the same.
R1(config)# line aux 0
R1(config-line)# login local
A telnet to the router now and we are prompted with:

telnetsecuritybannertimeout
Telnet expired after 3 attempts

The banner saying no unauthorised access is shown and after a certain amount of time of inactivity, we can see that the telnet session times out. We can also try Xhydra again to try and brute force the password.

xhydrano password

So by adding usernames, encrypting passwords and using only local logins we have mitigated some of the vulnerabilities of basic Cisco router configuration.

This post is for educational purposes on how to harden your Cisco router and techniques used are not advised on any network.

By QuBits, 03/10/2015

1 Comment

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s