I'll make it available on the DEF CON site afterwards and then you'll be all out in there. My name's Rooster and I am a network engineer. I design and implement large-scale networks, routers, switches, ATM, FDDI, whatever you want to call it, and deal with all different aspects of networking issues. So what we're talking about here today is insecurities in networking devices. But the question is, how did we come across a problem?

The problem is back in the old days, like way back in the Stone Age when they were chopping wheels out of rock, they used to manage things through the console port, which was really cool when they only had like three routers to play with, no big deal. But then as time progressed and man became more advanced, they discovered other countries and they discovered the need for offices in other countries. So they had to decide how they were going to actually manage these routers in other countries. So say you set up an office with like five people. You put network connectivity there, but you don't have enough people there to make it worth getting a network administrator for every site. How do you take care of it? Hence the need for remote administration.

The problem with remote administration, remote management, is that any time you leave a path for yourself to get into a device, you basically leave a path for somebody else as well. And the less you know about that path you've opened, the more the other person is going to know about how to get into it. One of the biggest problems with remote management is the lack of understanding by the administrator of what he's got. In fact, most networking devices actually come stock, I mean come regularly set up with remote management turned on. You plug it in, you turn it on, it's there. People won't even realize this. In fact, it's really basic configurations. Since there's no authentication for a lot of these, it's pretty easy to get through.
So the things that we're talking about today, we're talking about routers, we're talking about Ethernet switches, we're talking about ATM switches, FDDI, basic network infrastructure, the stuff that you start with when you design your infrastructure. So just to make sure everybody's, you know, we're all on one page, we'll talk a little bit about what the difference between a router and a switch is, so we're talking about the same devices. The problem with routers is that marketing has come through and they've totally redefined the way that people use these terms. They've got, you know, layer three switches and layer four switches and just a bunch of marketing mumbo jumbo. It means nothing. I mean, if you really want to come down to what most likely you're talking about, if you're talking layer three, you're talking a router, and if you're talking layer two, you're talking a switch. Layer three, as a general rule, your router is what's going to go between two different networks. Layer two, you're going to segment the same network. That makes sense. Y'all look kind of bright. So I figured it was probably a waste of time telling you this stuff. All right.

The methods that people use to manage these tools, the management for networking devices, the basic protocol for this is called SNMP. I'm sure everybody starts there. By the way, if anybody has any questions, like if I go too fast by something, please feel free to talk to me, and then we'll have questions at the end. So SNMP stands for Simple Network Management Protocol. This provides that management capability remotely. It's actually an amazing protocol. It's really, really simple and it can do a lot of amazing things. The problem is that it does a lot of amazing things very insecurely, as many people know. You can do just about anything, depending on the manufacturer of the device, with it. For instance, Cisco has kind of a half-ass implementation of SNMP, so you can only do so much.
I mean, you could do anything, but unlike, let's say, something like Bay, where it's just like everything is completely open to SNMP. It's UDP. So anything that's UDP-based is going to be insecure. UDP, as you know, they said, well, let's make the most basic protocol that we can and let the application worry about things like security and checksums and fragmentation and things like that. So UDP does none of that. Everything on SNMP crosses your wire in clear text. There's no encryption, nothing. No authentication, there's nothing involved at all. So you put a sniffer on the wire, you're seeing exactly what the management systems are doing. And as such, it's completely insecure. It's probably one of the weakest protocols that we have on the internet, as important as it has become.

The way SNMP works, it has a really, really basic kind of primitive method of authentication, passwords. But they're not really called passwords. They're called community strings. And what community strings are is basically a password that allows access to a different part of each device. Community strings usually come in two variants. There's actually three, but the two important ones are read-only and read-write. Read-only allows you access to basically look at anything that's on the router. As it says, read-only. Read-write actually allows you to set, to make changes on the switch or the router.

I want to briefly address SNMP on your hosts, Unix boxes, things like that. There's actually not a lot you can do. The manufacturers, HP and all these people, haven't really put a lot of functionality for SNMP in their hosts. There are a few exceptions, and it's good to know that there are definitely some bugs with SNMP in hosts. I mean, the obvious ones are going to be buffer overflows for root. I mean, I saw five of them just the other day. In fact, there was one that Sun had, that a good friend of mine, Alhambra, came up with.
Sun had an SNMP community string hard-coded into SNMP, so that it didn't matter what you set it at, this one would always work. Nice little back door that they provided for everybody. Something to always watch out for. Actually, there's a side note. Backdoors are something always to watch out for. Does anybody use 3Com? Do we use the 3Com routers? You realize that with the 3Com router or hub, if you have a MAC address and you're on another 3Com hub, you can automatically gain full access to any other 3Com hub on the network. So if I come into your network and I plug in and I have your community string and I have your MAC address, I just remote into your router, just like that. It's very simple. In fact, this was 3Com's wonderful management system versus Telnet.

Okay, another method that they use for management is called TFTP, Trivial File Transfer Protocol. Once again, this is UDP and it has no authentication. It doesn't even have passwords. If you're lucky, you have to use community strings. TFTP was originally designed to make it so that machines that were booting up over the network would be able to get their configuration off of the server. So they wouldn't have any way of authenticating because they wouldn't even be fully booted up yet. So now network vendors use this protocol to actually move configs on and off of a router.

The main part that's important of SNMP is what's called MIBs. MIB stands for Management Information Base. MIBs are the actual data that are on each networking device that provide the information that you can query. The number of MIBs they have is dependent on the manufacturer and it varies everywhere from... Most manufacturers now have just about everything you could possibly think of in the MIB, from the temperature of the box to how many interfaces there are to the serial number of the box. I mean, everything. You find out the IP addresses of the switch.
If you're on a switch, you can see how many ports there are. You can even find out the text that's on the port, how you've got it defined. So like on an ATM switch, you have a text with each port that defines where this particular OC3 is going. With that, when they first started, when they came up with SNMP, they developed this thing called Enterprise MIBs. Enterprise MIBs are the way they set up one huge standard for MIBs. So basically, in a way, you can consider it like DNS. You start at the very root, which is 1. And it's actually a string of eight numbers, depending on the manufacturer, but the first six numbers are always the same, starting at the root and going through the fact that it's DoD, Internet, it's a private network. All those are always the same in every MIB. And then every organization is provided with a number. And this number signifies that organization. So Cisco's number is nine. So I'll have to read this to you because you can't see it. But the actual beginning of a MIB number for Cisco is 1.3.6.1.4.1, which basically means ISO.org.DoD.Internet.Private.Enterprise, then .9, which signifies Cisco. This is a basic standard structure to the whole system. When I provide the sites, I actually have some FTP sites that provide the entire list of everybody's organization numbers.

Now, the standard ends there, because on one side, if I have the number for how many interfaces exist on the router, it's 41. That's not true across manufacturers. But all manufacturers provide documentation on their MIBs. In fact, if you want Cisco's, you go to ftp.cisco.com. They've got this huge directory with every MIB that they have. Now, the question is, at this point, what do you do with SNMP? How can you use this to do any kind of exploit? So there's tools that are actually provided for you on most UNIX boxes. They're called snmpget, snmpset, snmpwalk. So, snmpwalk.
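The object-identifier structure described above, decoded in code. This is an added example and not part of the talk: the only enterprise number taken from the talk is Cisco = 9; the other names in the tables (the mgmt/mib-2/system/sysDescr arcs and the HP, Sun and 3Com enterprise numbers) are well-known IANA and RFC assignments included for illustration, and a network operator would normally load the full enterprise list from the registry rather than hard-code it.

```python
"""Decode SNMP object identifiers (OIDs) into their named tree path.

Added example, not code from the talk. Cisco = 9 comes from the talk;
the remaining arc and enterprise names are standard IANA/RFC assignments.
"""

# Named arcs for the two prefixes every SNMP MIB hangs off:
#   iso(1).org(3).dod(6).internet(1).private(4).enterprises(1)  -> vendor MIBs
#   iso(1).org(3).dod(6).internet(1).mgmt(2).mib-2(1)           -> standard MIBs
ARC_NAMES = {
    (1,): "iso",
    (1, 3): "org",
    (1, 3, 6): "dod",
    (1, 3, 6, 1): "internet",
    (1, 3, 6, 1, 2): "mgmt",
    (1, 3, 6, 1, 2, 1): "mib-2",
    (1, 3, 6, 1, 2, 1, 1): "system",
    (1, 3, 6, 1, 2, 1, 1, 1): "sysDescr",   # device/software description string
    (1, 3, 6, 1, 4): "private",
    (1, 3, 6, 1, 4, 1): "enterprises",
}

ENTERPRISE_PREFIX = (1, 3, 6, 1, 4, 1)

# A few IANA Private Enterprise Numbers; 9 = Cisco is the one the talk gives.
ENTERPRISES = {9: "cisco", 11: "hp", 42: "sun", 43: "3com"}


def parse_oid(text):
    """Turn '1.3.6.1.4.1.9' (leading dot allowed) into a tuple of ints, validating each arc."""
    parts = text.strip().lstrip(".").split(".")
    arcs = []
    for part in parts:
        if not part.isdigit():
            raise ValueError(f"non-numeric arc {part!r} in OID {text!r}")
        arcs.append(int(part))
    return tuple(arcs)


def describe_oid(text):
    """Return the dotted-name form, e.g. 'iso.org.dod.internet.private.enterprises.cisco'."""
    arcs = parse_oid(text)
    names = []
    for depth in range(1, len(arcs) + 1):
        prefix = arcs[:depth]
        if prefix in ARC_NAMES:
            names.append(ARC_NAMES[prefix])
        elif prefix[:-1] == ENTERPRISE_PREFIX and prefix[-1] in ENTERPRISES:
            names.append(ENTERPRISES[prefix[-1]])
        else:
            names.append(str(prefix[-1]))   # unknown arc: keep the number
    return ".".join(names)


def enterprise_of(text):
    """Return (enterprise_number, vendor_name_or_None) for a vendor OID, else None."""
    arcs = parse_oid(text)
    if len(arcs) < 7 or arcs[:6] != ENTERPRISE_PREFIX:
        return None
    return arcs[6], ENTERPRISES.get(arcs[6])


if __name__ == "__main__":
    for oid in ["1.3.6.1.4.1.9", "1.3.6.1.2.1.1.1.0", ".1.3.6.1.4.1.12345.1"]:
        print(f"{oid:26} -> {describe_oid(oid)}  enterprise={enterprise_of(oid)}")
```

The useful defensive reading of this is the reverse one: when an SNMP request or response shows up in a capture, the enterprise arc tells you which vendor's private MIB is being touched, and anything under a vendor's prefix that your management station has no business querying is worth a look.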
What snmpwalk does is you put in snmpwalk, you put in the community string, and all it does is it goes and it walks the entire MIB tree. Now, this may not seem like such a big deal, but this will completely take out any router you find on the internet. It will DoS it, no doubt. It actually tries to walk the entire ARP table and routing table. So if this is a router that takes BGP routes, for instance, it's going to try to walk off 60,000 routes, including, like I said, its ARP table, so all its internal network as well, which is more than any router can handle. And so it will actually just take it out.

The other ones are actually a little more insidious, snmpget and snmpset. These are the tools that you can use to access the MIBs that are available on these particular routers. All right. Well, I have this list of really cool MIBs. Trust me on this one. And what these particular MIBs are, if you could see them, are the, on a Cisco, because, you know, I just pulled Cisco out randomly, no real reason. There are two particular MIBs that are your best friend. They go through the whole center part: hostConfigSet and writeNet. What hostConfigSet does is you pass it a particular configuration, and it will change that configuration on the router, whatever line you want to. What's even better is writeNet, which basically tells it to pull a config from your TFTP server. So you put yourself a nice little config out on a TFTP server, send that to a router, it will go to that Unix box and pull the config off.

Okay, so, let's say you get inside of a router. The question is, most people don't seem to understand what advantages they have by gaining access to the infrastructure. One of the big things you can do inside of infrastructure is you can map the entire network. Those routers have ARP tables, they have routing tables, they know where everything is.
If you're in a Cisco environment, it's got what's called Cisco Discovery Protocol, CDP, which, turned on, provides every router every bit of information about what's right next to that router. For instance, one of the benefits of this is most people don't actually see switches. You cannot see the switch. So say you want to get access to a switch to find out what servers are on it. Well, when you trace it out through a box, you can't actually see the switch, because obviously it's Layer 2, and it just passes over the top of it. When you have access, you do a show cdp on that, you will see the switches as well as the routers. So, getting access to the switch, at that point it's a cakewalk, because most people don't put passwords on their switches. It's simply amazing. But they do put IP addresses on them, so that's really nice of them to do that.

So, one of the beautiful things about getting control of the network infrastructure is that the inside of somebody's network is always the soft underbelly. Nobody ever does anything; they say, oh, I got my routers in front of me, I got maybe some firewalls, nobody can touch me inside. So there's not much point in putting in things like, oh, tough passwords that I'm going to change all the time, any kind of real authentication or anything. I mean, who's going to be able to get access to that? So, I mean, you're in. Probably, it's the same kind of thing as when people have an inside job, which they don't really pay much attention to, but you can make changes to routing at this point. You can make changes in Layer 2. One of the big things you could do, if you were so inclined, is Layer 2, like say ATM, and you've got a site, you've got another site that you're attacking. You can very easily, when you have control, redirect all their traffic to you at a Layer 2 level, which means that you don't even need IP connectivity anymore. You're just pumping data at yourself that you can capture out of the ATM unit.
There are things that are coming out, or there have been design specs, to try to alleviate this. SNMP version 2 has specs. It's never used, and it probably never will be. I would be very surprised if it's ever used. It provides authentication, it's more streamlined, it's much more secure, but it's a little bit tougher to implement and it's really expensive. Anytime you have to change a big standard like that, it's really expensive. Most people don't seem to realize the importance of things like security. Go figure. I wouldn't count on that being really used very much. Oops. I don't want to screw myself up.

Okay, so now you're the network, and you really don't want people accessing your router. What can you do to protect yourself? One of the most important things to protect yourself, one of several. First of all, don't use private and public as your community strings. This is like the biggest mistake that, you know, people laugh and it's funny, but I cannot tell you how many routers I find out there with these as their community strings. They turn on their routers, they don't even think about the fact that SNMP is set up, and they just like walk away from it. And that is what all manufacturers put as their standard community strings. So you can pretty much just walk through the internet and find dozens upon dozens of people who have not changed their configuration. Of course, you know, you could probably find dozens where the password is Cisco, but...

Access lists. Now, this is going to weed out mostly the ankle biters, especially with UDP; access lists are not exactly the toughest thing to bypass, but you know, you might as well use them because they're there and provided. Cisco, for instance, provides two different kinds of access lists. They provide the standard access lists where you can actually block who is allowed to do SNMP queries, SNMP ports, and who is allowed to do TFTP services.
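The hardening advice here (no default community strings, an access list on every SNMP community) and the off-box logging advice the speaker gets to a little later can both be checked mechanically. The following is an added example and not something from the talk or from Cisco: it audits a constructed Cisco-IOS-style configuration for the weak SNMP settings just described and then pulls configuration-change events out of constructed syslog lines so that changes not coming from a known management station stand out. The hostname, addresses, ACL number and community strings in the sample data are made up; the `%SYS-5-CONFIG_I` message shape is the IOS one, but the lines shown are constructed.

```python
"""Audit SNMP settings in a router config and pick config changes out of syslog.

Added example, not from the talk. SAMPLE_CONFIG and SAMPLE_SYSLOG are
constructed Cisco-IOS-style data; all names and addresses are made up.
"""
import re

# Vendor default community strings the talk warns about.
DEFAULT_COMMUNITIES = {"public", "private"}

SAMPLE_CONFIG = """\
hostname edge-rtr-1
access-list 10 permit 192.0.2.10
snmp-server community public RO
snmp-server community s3cr3tRW RW
snmp-server community n0c-read RO 10
logging 192.0.2.20
"""

SAMPLE_SYSLOG = """\
Jul 10 14:02:11 edge-rtr-1 1234: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.0.2.10)
Jul 10 14:05:40 edge-rtr-1 1235: %SYS-5-CONFIG_I: Configured from 198.51.100.7 by snmp
Jul 10 14:07:02 edge-rtr-1 1236: %LINK-3-UPDOWN: Interface Serial0, changed state to up
"""

# snmp-server community <string> RO|RW [<acl>]
COMMUNITY_RE = re.compile(r"^snmp-server community (\S+) (RO|RW)(?: (\S+))?$", re.IGNORECASE)
ACL_DEF_RE = re.compile(r"^access-list (\d+) ", re.MULTILINE)
# %SYS-5-CONFIG_I: Configured from <source> by <user> [on <line>] [(<addr>)]
CONFIG_CHANGE_RE = re.compile(
    r"%SYS-5-CONFIG_I: Configured from (\S+) by (\S+)(?: on (\S+))?(?: \((\S+)\))?")


def audit_snmp_config(config_text):
    """Return (severity, message) findings for weak SNMP and logging settings."""
    findings = []
    defined_acls = set(ACL_DEF_RE.findall(config_text))
    for line in config_text.splitlines():
        m = COMMUNITY_RE.match(line.strip())
        if not m:
            continue
        community, mode, acl = m.group(1), m.group(2).upper(), m.group(3)
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append(("high", f"default community string {community!r} ({mode})"))
        if acl is None:
            # A writable community with no ACL is the worst case; read-only is bad too.
            sev = "high" if mode == "RW" else "medium"
            findings.append((sev, f"community {community!r} ({mode}) has no access list"))
        elif acl not in defined_acls:
            findings.append(("high", f"community {community!r} references undefined access-list {acl}"))
    if not re.search(r"^logging \S+", config_text, re.MULTILINE):
        findings.append(("medium", "no off-box syslog destination configured"))
    return findings


def config_changes(syslog_text):
    """Extract config-change events as dicts: source, user, line, addr (None if absent)."""
    events = []
    for line in syslog_text.splitlines():
        m = CONFIG_CHANGE_RE.search(line)
        if m:
            events.append({"source": m.group(1), "user": m.group(2),
                           "line": m.group(3), "addr": m.group(4)})
    return events


def unexpected_changes(events, trusted_managers):
    """Changes whose originating address is not a trusted management station.

    For vty logins the address is the parenthesised one; for SNMP-driven
    changes IOS puts the manager's address in the 'from' field.
    """
    flagged = []
    for ev in events:
        origin = ev["addr"] or ev["source"]
        if origin not in trusted_managers:
            flagged.append(ev)
    return flagged


if __name__ == "__main__":
    for sev, msg in audit_snmp_config(SAMPLE_CONFIG):
        print(f"[{sev}] {msg}")
    for ev in unexpected_changes(config_changes(SAMPLE_SYSLOG), {"192.0.2.10"}):
        print("unexpected config change:", ev)
```

Run against the sample data, the audit flags the `public` community (default string and no ACL) and the read-write community without an ACL, while the read-only community bound to access-list 10 passes; the syslog pass flags the SNMP-driven change from 198.51.100.7 because that address is not in the trusted manager set.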
And you can also do telnet and things like that, your login and things like that. But you might as well pull them up. It's got the extended access lists on it so that you can filter even more tightly than that. I don't know what else to say. Sorry, it's a slow computer. How much more granularity do the extended access lists give you? Extended access lists give you the granularity of using ports, the status of the packet, meaning SYN or ACK, and by host or by range of hosts. So, for instance, standard access lists do not give you the option of doing it by network. It can only do by host. But the extended one gives you access by the host, I mean, by the network.

Oh, proper logging. Proper logging is really, really important. You really need to know who's making changes on your routers and who's not. And we're talking off-host logging as well. Not leaving the logging on your host and reading it from the host and hoping that you catch the person as they're doing it. Syslogs provide a tremendous amount of information. And they would tell you exactly if people were making configuration changes to your boxes or your routers, and it would tell you what configuration changes they're making. Having nice tools that go through your syslogs and pull out any possible security violations is a huge help. Because 99% of the people out there, the people who are trying to get in, don't really understand syslogs. So you access this. And that's pretty much it for scaring. Yeah. So that pretty much covers it. My quick version of this. Make sure we can get the experts done. Are there any questions? Sure. The ISO? ISL. Oh, the Cisco bridging stuff? Yeah. Oh, oh. Well, I mean, it's actually not quite the focus, but I know what you're talking about. And whenever you're talking VLANs, you have insecurity problems. And when you map so many, trying to map VLANs to different ports like that and adding extra protocols, you're adding insecurities.
I don't know of anything in particular with ISL, but I wouldn't be surprised if something exists. Especially because there's no authentication of ports, right? So if I'm on a host and I send the correct command to the port, a lot of switches will actually let me change VLANs. Which is, you know, another really bad thing. Especially if people are using VLANs to, you know, try to segment their network in such a way. Actually, I almost forgot. That's what I forgot. Segment your network. One of the big problems with this is that it's clear text. So you can put access lists in to the nth degree. You can put in the most incredibly strong community string that exists. But if anybody perchance owns any box on your DMZ, and I'm sure most people have a machine or two that sits outside of their firewall and outside of their normal infrastructure, probably in parallel with the routers, if they own one of those boxes, they set up a sniffer, they're going to have it. So it's good to segment out your network. I mean throw away the hubs and put switches in, because it's one of the best things there is for security. I'm not keeping you from sniffing. I'm sorry. Go ahead. Actually, switches wouldn't provide much protection against sniffing because all you have to do is generate the MAC addresses of the machines that you want to sniff. Yeah. There's ways around it, sure. But as a general rule, I mean you have to know enough about the switch to be able to pull that off. And you have to know what kind of switch they're running to pull that off. Because I don't even think that'll work on a Cisco. I know it works on 3Com, but there are always ways around it. But it's definitely better than putting a hub up. Can you give us Ascend routers? What about? Say it again. Ascend routers. Ascend routers. Ascend. I'm sorry. Ascend. Do you want to know about those? Ascend actually has quite a bit of security problems.
A lot has to do with SNMP because they actually allow a lot of functionality with their SNMP MIBs. Beyond that, I know there's problems in the dial-up part of it, but do you want to say something about it? I don't want to lose my job there. Yeah, I know they have problems. All right. Yeah, they don't have access lists like a Cisco router does. And I mean, the really... Right, which is why most people don't really have that much configuration in their Ascends. I think you understand the importance of being able to listen to and be able to walk fast. Because it gives you urgent information and it gives you time to work with usage. Oh, absolutely, but usually when you do it you're not going to get any information because you're going to take the router down. I learned this the hard way, actually, legitimately. Taking my whole board of routers down by SNMP walking them. You're right. That's very true. You don't, but that's I think with the good information off of the router. Oh, that's very valuable information for getting more access to the router. You learn the version of code that they're running and do a search on which bugs are out for that one. Go ahead. Yeah. Oh, okay. It's kind of a bit, but do you want to just let this keep you on for a while? Yeah. Is there a way to find out what you're doing? Sniffing. Sniffing, yep. If it's on a shared network you'll be able to find it that way. Because basically what's happening is you can be on a shared network where people are passing data back and forth over the router. Which does happen, because I've seen people administer routers over the internet and it does exist. Well, I don't know about those since I don't really deal with hosts all that much, but it's a good question. Yes. And SNMPv3 is like in the stage of being an IETF standard, or it's in draft stage if I remember correctly. Has it? Yes. You got a question? Yeah. CBAC. CBAC?
Oh, oh, you know, to be honest I don't really use those parts of Cisco because I don't really trust them. So, I use their access lists, I don't use their firewalls to see which time, but I don't really get involved. Small services, shut them off, pretty much back down to what a Cisco router is supposed to be doing, which is running traffic. So, it's an application proxy. I don't really use it because I use other application proxies so I've never really played with them. Do you have a mentioned facility and everything and you can directly look at the information on it? You're going to love this. Perl. I have to say I'm a little bit jaded because one of the people I work with is just a scripting god. I've never seen anybody who can do the things they can do with a script. So, I've seen pretty much full infrastructures based on scripts that will go through all the configurations, match it against TACACS logs, compare it to who's actually logging into routers and who's making changes, all possible through standard Perl tools. If you go to the Perl sites they have tons and tons of scripts available, and I'm not sure what commercial tools are available to do that kind of thing. Do you have a scripting order to go across there? Do you have any vulnerabilities with those special communities that are like my GSM system? No, I actually haven't found any. I've done spanning before but I've actually never said, I wonder how I could break this thing. Other than the fact that just by having that available, somebody who gains access to the switch can then span the entire switch. I want to point out, it seems like of course you're going to gain access. Gaining access to the switch is trivial because nobody ever puts passwords on these things. IP spoofing.
Especially when you're talking about something like UDP, you're sending UDP packets out, you're not expecting an answer back, so I wouldn't say it's trivial to construct a script that would basically build UDP packets on the fly that would make configuration changes with spoofed IP addresses. One thing you can do, one thing it's really important to do in a Cisco router, is basically put up an anti-spoofing type access list. Also, as it says, on the outside interface I don't accept addresses coming from the inside. Very important. One thing I want to mention about the standard port of Cisco is that currently you can only scan the ports that are running in your box. You've got a network of switches, so where you're trunking chunks together you can't see the traffic that's on them. That's supposed to be a feature around the stage that's going to be in 4.5. Oh, that's beautiful. I mentioned on the right side you can get a system of your web release in the previous version of IOS, and then there was a package for VLog, and somebody was logging everything that an access list denied and the router was done, I think it was a long time ago. Which kind of points to the importance of making sure that you have the latest and greatest code. And I don't mean the latest like 12. I mean the latest code with the bug fixes and the security fixes on it, the stuff that's been fixed, but I've seen people run 10.9 Cisco out there and, you know, everybody knows the problems with those. Right, exactly. Hence the problem with Cisco source. I mentioned that the network routers were heavily asked to be managed, which was very true. Are there a lot of additional weaknesses compared to VLog? With any of them you can change the configuration. It's not so much weaknesses; it actually makes managing a little bit easier. But any of them you can use to break in with.
If you're using Cisco for an ACL to block a majority of the street kiddies or whatever, then I would suggest putting an outbound filter on the external interface so that it actually doesn't even respond back to the top of the screen. Oh. Yeah, or don't send TCP, or was it, will refuse, don't send any packets back; what you can do with the Cisco is just let it die. Well, the benefit of TACACS and RADIUS is our login authentication. TACACS provides a one-time password; theoretically a one-time password doesn't work that effectively, but it provides a way for you to have authentication for when you do logins. It won't do anything for SNMP at all, but it will stop login-type tricks. RADIUS allows you to have a central database of users and their authentication. Yeah. Oh well. No comments. You're going to make God have mercy on you. Yeah. You run NT as an operating system for your router? Well, you know, the problem is it's funny because there's this one router that I saw out there that's like probably the fastest router that exists and it runs NT as its operating system. It's kind of a toned-down version of it. It's more of an embedded version of NT, CE, and it's like, but it's the fastest router that I've seen existing, and Berkeley Networks I believe is the router name. Yeah. It's fast because of the hardware, not the operating system; I probably should make that clear. So it's, yeah, I mean there's many problems in that. When you're doing the benefit of using something like the Cisco, in the base they don't really have a real operating system, they're just this loader with some protocols. Oh, okay. Real quick, folks, if anyone knows a Brett Bresler or a Roman Israel, they need to go immediately to the second floor and talk to anybody who's sharing; there's an urgent family emergency. Mr. Israel is wearing an Amish hat, so if you spot him please kick him into play and make sure he goes upstairs. And by the way, there's a gentleman in the back in a yellow hard hat.
This gentleman is from Linux World, is that correct? And would love to talk to anyone who loves Linux, or not. And sir, if I'm running into you on a router, may God have mercy on your soul. Okay, one last quick question. I don't really know a lot about Armand, that's kind of new for me; I would love to tell you more but I can't. Alright, well thank you very much for coming. Oh, my email address is roosteredresentment.org if anybody has any questions. I liked it. Spot the Fed. What's that? Yeah, ftp.cisco.com. Alright, thank you very much. Thank you.