Cisco Router Forensics Thomas Akin, CISSP Director, Southeast Cybercrime Institute Kennesaw State University BlackHat Briefings, USA, 2002.


Hacking Cisco
Cisco Bugtraq Vulnerabilities (Jan–Jul): 47

Hacking Routers
Example Exploits:
HTTP Authentication Vulnerability
– Using a URL of where $NUMBER is an integer between 16 and 99, it is possible for a remote user to gain full administrative access.
NTP Vulnerability
– By sending a crafted NTP control packet, it is possible to trigger a buffer overflow in the NTP daemon.
SNMP Parsing Vulnerability
– Malformed SNMP messages received by affected systems can cause various parsing and processing functions to fail, which results in a system crash and reload. In some cases, access-list statements on the SNMP service do not protect the device.

Hacking Routers
When a router is hacked it allows an attacker to:
– DoS or disable the router & network…
– Compromise other routers…
– Bypass firewalls, IDS systems, etc…
– Monitor and record all outgoing and incoming traffic…
– Redirect whatever traffic they desire…

Cisco Routers in a Nutshell
Flash (persistent) holds:
– Startup configuration
– IOS files
RAM (non-persistent) holds:
– Running configuration
– Dynamic tables, i.e. ARP, routing, NAT, ACL violations, protocol statistics, etc…

Router Forensics v/s Traditional Forensics
Traditional Forensics
– Immediately shut down the system (or pull the power cord)
– Make a forensic duplicate
– Perform analysis on the duplicate
– Live system data is rarely recovered.
Router Forensics
– Live system data is the most valuable.
– Immediate shutdown destroys all of this data.
– Persistent (flash) data will likely be unchanged and useless.
– Investigators must recover live data for analysis.

Computer Forensics: The Unholy Grail
The goal is to “catch the criminal behind the keyboard,” not to find fascinating computer evidence.
Computer evidence is never the smoking gun. Most often computer evidence either:
– Provides leads to other evidence…
– Corroborates other evidence…

Chain of Custody
Detailed, Methodical, Unquestionable….
– Where you received the evidence…
– When you received the evidence…
– Who you received the evidence from…
– What your seizure methods were…
– Why you seized the evidence…
– How you maintained your chain of custody…

Incident Response
DO NOT REBOOT THE ROUTER.
Change nothing, record everything.
Before you say it is an accident, make sure it isn’t an incident…
Before you say it is an incident, make sure it isn’t an accident…

Accessing the Router
DO
– Access the router through the console
– Record your entire console session
– Run show commands
– Record the actual time and the router’s time
– Record the volatile information
DON’T
– REBOOT THE ROUTER
– Access the router through the network
– Run configuration commands
– Rely only on persistent information

Recording Your Session
Always start recording your session before you even log onto the router.
Frequently show the current time with the show clock detail command.

Volatile Evidence: Direct Access
show clock detail
show version
show running-config
show startup-config
show reload
show ip route
show ip arp
show users
show logging
show ip interface
show tcp brief
show ip sockets
show ip nat translations verbose
show ip cache flow
show ip cef
show snmp user
show snmp group
show clock detail
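Added example (not from the presentation): a small Python helper that post-processes a recorded console session in the way the two preceding slides call for. It pairs each show clock detail result with the investigator's own clock so the router's clock offset can be noted and later applied to timestamps read from the router, and it hashes the exact transcript bytes for the evidence receipt. The "[local: …]" lines, the session text and the Router prompt are constructed assumptions about how the capture tool writes its own clock; the show clock detail line shape follows IOS, where a leading "*" marks a clock the router does not consider authoritative.

```python
import hashlib
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of a recorded console session (not from the slides).
# The "[local: ...]" lines are a hypothetical convention of the capture tool:
# it writes the investigator's own clock before each command. The other
# lines are shaped like IOS "show clock detail" / "show version" output.
SESSION = """\
[local: 2002-07-16 15:31:10 UTC]
Router#show clock detail
*15:29:03.158 UTC Tue Jul 16 2002
Time source is user configuration
Router#show version
Cisco Internetwork Operating System Software
[local: 2002-07-16 15:35:42 UTC]
Router#show clock detail
*15:33:35.901 UTC Tue Jul 16 2002
Time source is user configuration
"""

LOCAL_RE = re.compile(r"^\[local: (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC\]$")
# Optional leading "*" (not authoritative) or "." (authoritative, not synced).
CLOCK_RE = re.compile(
    r"^([*.]?)(\d{2}:\d{2}:\d{2}\.\d{3}) UTC \w{3} (\w{3} \d{1,2} \d{4})$"
)


def parse_clock_pairs(transcript):
    """Pair every 'show clock detail' result with the preceding local timestamp."""
    pairs = []
    local = None
    for line in transcript.splitlines():
        m = LOCAL_RE.match(line)
        if m:
            local = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            local = local.replace(tzinfo=timezone.utc)
            continue
        m = CLOCK_RE.match(line)
        if m and local is not None:
            flag, hms, mdy = m.groups()
            router = datetime.strptime(f"{hms} {mdy}", "%H:%M:%S.%f %b %d %Y")
            router = router.replace(tzinfo=timezone.utc)
            pairs.append({
                "local": local,
                "router": router,
                "authoritative": flag == "",
                # negative offset: the router's clock runs behind real time
                "offset_s": (router - local).total_seconds(),
            })
            local = None  # each local stamp is used once
    return pairs


def mean_offset(pairs):
    """Average router-minus-local offset in seconds over all samples."""
    return sum(p["offset_s"] for p in pairs) / len(pairs)


def router_to_real(router_time, offset_s):
    """Translate a timestamp read from the router (e.g. a log line) into real time."""
    return router_time - timedelta(seconds=offset_s)


def transcript_digest(transcript):
    """SHA-256 of the exact captured text, to be written on the evidence receipt."""
    return hashlib.sha256(transcript.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    pairs = parse_clock_pairs(SESSION)
    print(f"router clock offset: {mean_offset(pairs):+.3f} s, "
          f"authoritative={pairs[0]['authoritative']}")
    print("transcript sha256:", transcript_digest(SESSION))
```

Record the offset and the digest on the chain-of-custody form together with the time the session was captured; the second show clock detail at the end of the command list gives a second sample, which is why the helper averages over all pairs.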

Volatile Evidence: Indirect Access
Remote evidence may be all you can get if the passwords have been changed…
Port scan each router IP
nmap -v -sS -P0 -p 1- Router.domain.com
nmap -v -sU -P0 -p 1- Router.domain.com
nmap -v -sR -P0 -p 1- Router.domain.com
SNMP scan each router IP
snmpwalk -v1 Router.domain.com public
snmpwalk -v1 Router.domain.com private

Intrusion Analysis
– IOS Vulnerabilities
– Running v/s Startup configurations
– Logging
– Timestamps
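Added example, not part of the slides: comparing the captured show startup-config and show running-config output to find live changes that were never written to flash, which is the "Running v/s Startup configurations" item above. Both configurations are constructed samples using RFC 5737 documentation addresses; ACL number 148 follows the presentation's later ACL example, and the running-config header lines are shaped like IOS output. The comparison ignores comment lines ("!") and the byte-count header so that only configuration statements are reported.

```python
import difflib

# Constructed startup-config as captured with "show startup-config".
STARTUP = """\
!
version 12.2
service timestamps log datetime msec localtime show-timezone
hostname Router
!
logging buffered 16384 informational
logging 192.0.2.50
!
interface Ethernet0
 ip address 192.0.2.1 255.255.255.0
 ip access-group 148 in
!
access-list 148 deny udp 198.51.100.0 0.0.0.255 any eq 53 log-input
access-list 148 permit ip any any
!
line vty 0 4
 login local
!
end
"""

# Constructed running-config as captured with "show running-config": the ACL
# is no longer bound to the interface, buffered logging is gone and the HTTP
# server has been enabled, none of it saved to flash.
RUNNING = """\
Building configuration...

Current configuration : 812 bytes
!
version 12.2
service timestamps log datetime msec localtime show-timezone
hostname Router
!
logging 192.0.2.50
!
interface Ethernet0
 ip address 192.0.2.1 255.255.255.0
!
access-list 148 deny udp 198.51.100.0 0.0.0.255 any eq 53 log-input
access-list 148 permit ip any any
!
ip http server
!
line vty 0 4
 login local
!
end
"""


def normalize(config):
    """Keep only configuration statements; indentation is preserved because it
    carries the interface/line context of sub-commands."""
    lines = []
    for raw in config.splitlines():
        line = raw.rstrip()
        s = line.strip()
        if (not s or s.startswith("!") or s.startswith("Building configuration")
                or s.startswith("Current configuration")):
            continue
        lines.append(line)
    return lines


def config_delta(startup, running):
    """Statements present only in the running config (live, unsaved) and
    statements present only in the startup config (removed live)."""
    diff = list(difflib.unified_diff(
        normalize(startup), normalize(running),
        fromfile="startup-config", tofile="running-config", lineterm="", n=1))
    added = [l[1:] for l in diff if l.startswith("+") and not l.startswith("+++")]
    removed = [l[1:] for l in diff if l.startswith("-") and not l.startswith("---")]
    return {"added": added, "removed": removed, "diff": "\n".join(diff)}


if __name__ == "__main__":
    delta = config_delta(STARTUP, RUNNING)
    print(delta["diff"])
    print("live-only statements:", delta["added"])
    print("removed live:", delta["removed"])
```

Run it against the two captures from the recorded session rather than against the router; every statement in "added" or "removed" is a change made after the last write to flash and deserves a line in the investigation notes.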

Logging
Console Logging
– These will be captured by recording your session.
Buffer Logging
– If buffered logging is turned on, the show logging command will show you the contents of the router log buffer, what level logging is performed at, and what hosts logging is sent to.
Terminal Logging
– This allows non-console sessions to view log messages.
Syslog Logging
– Log messages are sent to a syslog server when logging is turned on and the logging servername command is set.

Logging
SNMP Logging
– If SNMP is running, SNMP traps may be sent to a logging server.
AAA Logging
– If AAA is running, check the aaa accounting commands to see what logging is being sent to the Network Access Server.
ACL Violation Logging
– ACLs can be configured to log any packets that match their rules by ending the ACL entry with the log or log-input keyword. These log messages are sent to the router’s log buffer and to the syslog server.

Real Time Forensics
After removing or collecting information from your compromised router, you can use the router to help monitor the network and itself by turning on logging if it wasn’t previously.
Router#config terminal
Router(config)#service timestamps log datetime msec localtime show-timezone
Router(config)#no logging console
Router(config)#logging on
Router(config)#logging buffered
Router(config)#logging buffered informational
Router(config)#logging facility local6
Router(config)#logging trap informational
Router(config)#logging Syslog-server.domain.com

Real Time Forensics
Using AAA provides even greater ability to log information. TACACS+ even allows you to log every command executed on the router to your Network Access Server.
Router#config terminal
Router(config)#aaa accounting exec default start-stop group tacacs+
Router(config)#aaa accounting system default stop-only group tacacs+
Router(config)#aaa accounting connection default start-stop group tacacs+
Router(config)#aaa accounting network default start-stop group tacacs+

Real Time Forensics
You can also use ACL logging to count packets and log specific events. By configuring syslog logging and analyzing your syslog files in real time, you can perform real time monitoring.
The ACL
access-list 149 permit tcp host any eq 161 log-input
will not block any packets, but will log all incoming SNMP requests from to any internal host.
The ACLs
access-list 148 deny tcp any eq 53 log-input
access-list 148 deny udp any eq 53 log-input
will block and log any DNS packets from the subnet /24 to any internal host.
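Added example, not from the presentation: the "analyzing your syslog files" step above, run over constructed syslog lines shaped like the %SEC-6-IPACCESSLOGP messages IOS emits for ACL entries ending in log-input (input interface and source MAC included), using the timestamp format the earlier Real Time Forensics slide enables with service timestamps log datetime msec show-timezone. It aggregates the first-packet message and the later summary counts per ACL, action and source, and lists the sources whose DNS traffic ACL 148 denied. The exact message layout, the RFC 5737 addresses, the MACs and the year are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed syslog lines (not from the slides) shaped like IOS ACL log
# output. IOS logs the first matching packet, then a summary count every
# few minutes; the %SYS-5-CONFIG_I line shows a non-ACL message is skipped.
SAMPLE_LOG = """\
Jul 16 15:40:12.345 UTC: %SEC-6-IPACCESSLOGP: list 148 denied udp 198.51.100.7(40123) (Ethernet0 0011.2233.4455) -> 192.0.2.10(53), 1 packet
Jul 16 15:45:12.901 UTC: %SEC-6-IPACCESSLOGP: list 148 denied udp 198.51.100.7(40123) (Ethernet0 0011.2233.4455) -> 192.0.2.10(53), 23 packets
Jul 16 15:46:02.110 UTC: %SEC-6-IPACCESSLOGP: list 149 permitted tcp 203.0.113.5(51000) (Ethernet0 0011.2233.4466) -> 192.0.2.1(161), 1 packet
Jul 16 15:46:30.000 UTC: %SYS-5-CONFIG_I: Configured from console by console
Jul 16 15:47:15.222 UTC: %SEC-6-IPACCESSLOGP: list 148 denied tcp 198.51.100.9(33001) (Ethernet0 0011.2233.4477) -> 192.0.2.11(53), 2 packets
"""

ACL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}) (?P<tz>\w+): "
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\)"
    r"(?: \((?P<iface>\S+) (?P<mac>\S+)\))?"   # only present with log-input
    r" -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?$"
)


def parse_acl_log(text, year):
    """One dict per ACL log line. Syslog timestamps carry no year, so the
    investigator supplies it (an assumption recorded in the notes)."""
    events = []
    for line in text.splitlines():
        m = ACL_RE.match(line)
        if not m:
            continue  # not an ACL message; other facilities are analysed elsewhere
        d = m.groupdict()
        d["time"] = datetime.strptime(f"{d['ts']} {year}", "%b %d %H:%M:%S.%f %Y")
        d["count"] = int(d["count"])
        events.append(d)
    return events


def summarize(events):
    """Total logged packets per (ACL, action, source), adding the initial
    message and the periodic summary messages together."""
    totals = defaultdict(int)
    for e in events:
        totals[(e["acl"], e["action"], e["src"])] += e["count"]
    return dict(totals)


def dns_sources(events):
    """Sources whose DNS traffic (destination port 53) was denied, with the
    first time seen and the interface/MAC that log-input recorded."""
    seen = {}
    for e in events:
        if e["action"] == "denied" and e["dport"] == "53" and e["src"] not in seen:
            seen[e["src"]] = (e["time"], e["iface"], e["mac"])
    return seen


if __name__ == "__main__":
    events = parse_acl_log(SAMPLE_LOG, year=2002)
    for key, n in sorted(summarize(events).items()):
        print(f"list {key[0]} {key[1]} from {key[2]}: {n} packets")
    for src, (first, iface, mac) in dns_sources(events).items():
        print(f"denied DNS from {src} first seen {first} on {iface} ({mac})")
```

The source MAC that log-input adds is the most useful field here: it identifies the last-hop device on the inbound interface even when the IP source is spoofed, which is why the ACLs on the slide end in log-input rather than log.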

Summary
– Hacking Cisco Routers
– Router Hardware & Software
– Router Forensics v/s Traditional Forensics
– Computer Evidence & Chain of Custody
– Incident Response
– Accessing the Router
– Gathering volatile evidence—internal & external
– Gathering logging evidence
– Performing Real Time Network Forensics

Thank you!
Thomas Akin
On your conference CD you will find:
– A copy of this presentation
– A router forensics checklist
– A sample Chain of Custody form
– A sample Evidence Receipt tag