
Attacking Network Device PART - 3


Walkthroughs on Hacking Network Devices


Tutorial 1 – Attack Methodology

   Welcome to module three of this workshop. We believe the previous two modules gave you more knowledge in “Attacking Network Devices”. This workshop has taken you through the core principles, and now we are in the module where you will gain some hands-on experience in attacking network devices. 

However, before you start using the tools mentioned in the previous module, you should understand the overall methodology for launching an attack. This methodology takes you from the initial steps through to the launch of the chosen attacks. There are many different attack vectors; however, we will focus on those presented so far in the workshop.

Attack Methodology 

Attack methodology is the designated set of steps to follow; taken together, these steps are called the methodology. It is described by many frameworks and industry-standard certifications.

The methodological steps are also called phases. Each phase covers different tasks to be executed, and these tasks have objectives that must be achieved before moving to the next phase. The phases covered in the attack methodology are presented below.

 Phases of Attack Methodology 

● Passive Information Gathering 

● Active Information Gathering 

● Attacking Network Devices

Passive Information Gathering 

Passive information gathering starts by looking for the live network nodes within the targeted scope of work, which in this workshop is the virtual lab we have built in GNS3. There are different ways to collect information passively; we will use a selected tool to achieve this goal.

 The key in this phase is that the attacker doesn’t directly interact with the targeted network, that is why it is called passive information gathering. 

Active Information Gathering 

  The key in this phase is that the attacker will be directly interacting with the targeted network in order to achieve certain tasks. This generally includes: 

● Port Scanning 

● Banner Grabbing 

● Detection of Services 

● Vulnerability Scanning 

The tasks above are generally covered by modern scanning tools, and we will use a couple of such tools in this phase to probe the network and achieve these goals.

Attacking Network Devices 

This phase is the last and the most sensitive phase of the attack methodology. It targets the network devices directly, which can lead to their compromise. It also requires different tools for executing attacks, depending on the type of network device being attacked.

   Walkthrough of Network Attack

In the previous module we mentioned the tools that can be used to perform different types of attacks. Let’s first perform passive information gathering to find out how many network devices are running in the virtual lab environment, and then how many of them are Cisco switches or routers. Unfortunately, GNS3 doesn’t emulate switch IOS, so this lab will not cover Cisco switches; however, you can buy a small Cisco switch from eBay cheaply, e.g. for 100 bucks.

  Anyhow, let’s run the Kali Linux and run the following tool to find out about available devices. 

  Updated lab diagram as we have added more devices in the lab. 

Kali Linux is running and we should be able to find six Cisco devices by means of passive information gathering, as shown in the Kali Linux snapshot below.


The snapshot above shows the usage of the “netdiscover” tool; let’s run it and see the results. Note that netdiscover sends ARP requests by default and only listens without transmitting when run with its -p (passive) switch. The tool discovered the following devices running in the virtual lab.



This is the passive information gathering. Now let’s move towards the next step and find how many of these devices are Cisco Devices. 

Tool: nmap 

“nmap” is the best-known network scanning tool. It performs active information gathering and covers the port discovery, service detection and banner grabbing tasks of that phase. In the workshop virtual lab, this tool will be executed to discover devices and the open ports on each device, which will give us more detailed information when looking for Cisco devices.



The snapshot above shows a port scan that detected telnet and a web server running; however, no information about the device itself has been discovered. Let’s run a more extensive scan to find device-level information.

  

In the snapshot above you can see that we have discovered a Cisco device running IOS version 12.x, and the remote hardware is detected as a router.

  So far it is confirmed that the device running is a Cisco router and only has two services enabled for remote access. Now, let’s execute another attack and discover some more information.

SNMP Attack

In this attack, an SNMP walk will be performed in the lab to discover more information about the target device. If the attack succeeds, further useful information can be discovered.

Tool: snmpcheck / snmpwalk

  The below snapshot shows the attack details and the outcome of the SNMP Walk performed with the mentioned tool.


What is discovered further is more about the device: its uptime, hostname, TCP/IP information and interfaces, but no configuration or user-level information. What has been discovered so far is, however, enough to attempt exploitation and, if it succeeds, get hold of this router.

Let’s move on to a Cisco exploitation tool, the Cisco Global Exploiter, and see whether the IOS running on this router has exploitable vulnerabilities.


The snapshot above is the Cisco Global Exploiter. It is not really a “global” exploiter and covers many outdated vulnerabilities, but it is good for presenting the concept of attacking IOS devices.

Let’s check whether vulnerability 7 is exploitable.


And you can see that the device is exploited and the complete configuration is downloaded.


You can see that the telnet password is not set, but the SNMP community strings are shown, namely public and private. This shows that the device has been compromised, which can lead to complete network compromise or to further DoS or DDoS attacks, which is a separate topic.

In this module, tools like Nessus, NeXpose and the Metasploit Framework were not used, but if the router is misconfigured you can still easily download the running configuration, work with it further and compromise the rest of the network.
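As an added example (not from the original post or any of the tools it uses), the following Python audit flags in a Cisco IOS running-config the misconfigurations this walkthrough relied on: default SNMP communities, read-write or unrestricted communities, the HTTP server, telnet on the VTY lines, and `login` with no line password. Both sample configs are constructed for illustration, not captured from the lab.

```python
import re

# Constructed sample configs (not from the page or a real device). The weak one
# mirrors what the walkthrough found: telnet allowed with no VTY password,
# HTTP server enabled, and the default public/private SNMP communities.
WEAK_CONFIG = """\
hostname R1
ip http server
snmp-server community public RO
snmp-server community private RW
line vty 0 4
 transport input telnet
 login
"""

HARDENED_CONFIG = """\
hostname R1
no ip http server
snmp-server community Xk9v2qLm RO 10
line vty 0 4
 transport input ssh
 login local
"""

DEFAULT_COMMUNITIES = {"public", "private"}


def audit_ios_config(config: str) -> list[str]:
    """Return a list of findings for the exposures the walkthrough exploited."""
    findings, in_vty, vty_lines = [], False, []
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("line vty"):
            in_vty = True
            continue
        if in_vty and line.startswith(" "):      # indented sub-command of the VTY block
            vty_lines.append(line.strip())
            continue
        in_vty = False
        if line == "ip http server":
            findings.append("HTTP management server enabled")
        m = re.match(r"snmp-server community (\S+)(?:\s+(RO|RW))?(?:\s+(\S+))?$", line)
        if m:
            name, mode, acl = m.group(1), m.group(2) or "RO", m.group(3)
            if name.lower() in DEFAULT_COMMUNITIES:
                findings.append(f"default SNMP community '{name}'")
            if mode == "RW":
                findings.append(f"read-write SNMP community '{name}'")
            if acl is None:                      # no access-list restricting managers
                findings.append(f"SNMP community '{name}' has no access-list")
    transport = [l for l in vty_lines if l.startswith("transport input")]
    if any("telnet" in l or l.endswith("all") for l in transport):
        findings.append("VTY lines accept telnet")
    if "login" in vty_lines and not any(l.startswith("password") for l in vty_lines):
        findings.append("VTY 'login' set but no line password configured")
    return findings
```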

We will bring another workshop on Cisco attacks that will cover extended attacks with a broader view of the network and how a network running behind the router can be compromised. If you are interested in the workshop, please post on the forum so that we can present the next workshop on request.

 Thank you for completing module three and we hope to see you in the last module.
