Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cisco Router Forensics Thomas Akin, CISSP Director, Southeast Cybercrime Institute Kennesaw State University BlackHat Briefings, USA, 2002.

Published byNelson Allen Modified over 8 years ago

Similar presentations

Presentation on theme: "Cisco Router Forensics Thomas Akin, CISSP Director, Southeast Cybercrime Institute Kennesaw State University BlackHat Briefings, USA, 2002."— Presentation transcript:

1 Cisco Router Forensics Thomas Akin, CISSP Director, Southeast Cybercrime Institute Kennesaw State University BlackHat Briefings, USA, 2002

2 Hacking Cisco Cisco Bugtraq Vulnerabilities 1998- 3 1999- 5 2000-23 2001-46 2002 (Jan-Jul)-47

3 Hacking Routers Example Exploits: HTTP Authenitcation Vulnerability –using a URL of http://router.address/level/$NUMBER/exec/.... where $NUMBER is an integer between 16 and 99, it is possible for a remote user to gain full administrative access. NTP Vulnerability –By sending a crafted NTP control packet, it is possible to trigger a buffer overflow in the NTP daemon SNMP Parsing Vulnerability –Malformed SNMP messages received by affected systems can cause various parsing and processing functions to fail, which results in a system crash and reload. In some cases, access-list statements on the SNMP service do not protect the device

4 Hacking Routers When a router is hacked it allows an attacker to DoS or disable the router & network… Compromise other routers… Bypass firewalls, IDS systems, etc… Monitor and record all outgoing an incoming traffic… Redirect whatever traffic they desire…

5 Cisco Routers in a Nutshell Flash Persistent Holds –Startup configuration –IOS files RAM Non-Persistent Holds –Running configuration –Dynamic tables (i.e) Arp Routing NAT ACL violations Protocol Statistics Etc…

6 Router Forensics v/s Traditional Forensics Traditional Forensics Immediately shutdown the system (or pull the power cord) Make a forensic duplicate Perform analysis on the duplicate Live system data is rarely recovered. Router Forensics Live system data is the most valuable. Immediate shutdown destroys all of this data. Persistent (flash) data will likely be unchanged and useless. Investigators must recover live data for analysis

7 Computer Forensics: The Unholy Grail The goal is to “catch the criminal behind the keyboard.” Not to find fascinating computer evidence. Computer evidence is never the smoking gun. Most often computer evidence either Provides leads to other evidence… Corroborates other evidence…

8 Chain of Custody Detailed, Methodical, Unquestionable…. Where you received the evidence… When you received the evidence… Who you received the evidence from… What your seizure methods were… Why you seized the evidence… How you maintained your chain of custody…

9 Incident Response DO NOT REBOOT THE ROUTER. Change nothing, record everything. Before you say it is an accident, make sure it isn’t an incident… Before you say it is an incident, make sure it isn’t an accident…

10 Accessing the Router DO Access the router through the console Record your entire console session Run show commands Record the actual time and the router’s time Record the volatile information DON’T REBOOT THE ROUTER Access the router through the network Run configuration commands Rely only on persistent information

11 Recording Your Session Always start recording your session before you even log onto the router Frequently show the current time with the show clock detail command

12 Volatile Evidence Direct Access show clock details show version show running-config show startup-config show reload show ip route show ip arp show users show logging show ip interface show tcp brief show ip sockets show ip net translations verbose show ip chache flow show ip cef show snmp user show snmp group show clock detail

13 Volatile Evidence Indirect Access Remote evidence may be all you can get if the passwords have been changed… Port scan each router IP nmap -v -sS -P0 -p 1- Router.domain.com nmap -v -sU -P0 -p 1- Router.domain.com nmap -v -sR -P0 -p 1- Router.domain.com SNMP scan each router IP snmpwalk –v1 Router.domain.com public snmpwalk –v1 Router.domain.com private

14 Intrusion Analysis IOS Vulnerabilities Running v/s Startup configurations Logging Timestamps

15 Logging Console Logging These will be captured by recording your session. Buffer Logging If buffered logging is turned on, the show logging command will show you the contents of the router log buffer, what level logging is performed at, and what hosts logging is sent to. Terminal Logging This allows non console sessions to view log messages. Syslog Logging Log messages are sent to a syslog server when logging is turned on and the logging servername command is set.

16 Logging SNMP logging If SNMP is running, SNMP traps may be sent to a logging server. AAA Logging If AAA is running the check the aaa accounting commands to see what logging is being sent to the Network Access Server. ACL Violation Logging ACL can be configured to log any packets that match their rules by ending the ACL with the log or log-input keywords. These log messages are sent the the routers log buffer and to the syslog server.

17 Real Time Forensics After removing or collecting information from your compromised router you can use the router to help monitor the network and itself by turning on logging if it wasn’t previously. Router#config terminal Router(config)#service timestamps log datatime msec \ localtime show-timezone Router(config)#no logging console Router(config)#logging on Router(config)#logging buffered 32000 Router(config)#logging buffered informational Router(config)#logging facility local6 Router(config)#logging trap informational Router(config)#logging Syslog-server.domain.com

18 Real Time Forensics Using AAA provided even greater ability to log information. TACACS+ even allows you to log every command executed on the router to your Network Access Server Router#config terminal Router(config)#aaa accounting exec default start-stop \ group tacacs+ Router(config)#aaa accounting system default stop-only \ group tacacs+ Router(config)#aaa accounting connection default \ start-stop group tacacs+ Router(config)#aaa accounting network default \ start-stop group tacacs+

19 Real Time Forensics You can also use ACL logging to count packets and log specific events. By configuring syslog logging and analyzing your syslog files in real time you can perform real time monitoring The ACL access-list 149 permit tcp host 130.18.59.1 any eq \ 161 log-input will not block any packets, but will log all incoming SNMP requests from 130.18.59.1 to any internal host. The ACLs access-list 148 deny tcp 130.18.59.0 0.0.0.255 any \ eq 53 log-input access-list 148 deny udp 130.18.59.0 0.0.0.255 any \ eq 53 log-input will block and log any DNS packets from the subnet 130.18.59.0/24 to any internal host.

20 Summary Hacking Cisco Routers Router Hardware & Software Router Forensics v/s Traditional Forensics Computer Evidence & Chain of Custody Incident Response Accessing the Router Gathering volatile evidence—internal & external Gathering logging evidence Performing Real Time Network Forensics

21 Thank you! Thomas Akin takin@kennesaw.edu http://cybercrime.kennesaw.edu On you conference CD you will find: A copy of this presentation A router forensics checklist A sample Chain of Custody form A sample Evidence Reciept tag

Download ppt "Cisco Router Forensics Thomas Akin, CISSP Director, Southeast Cybercrime Institute Kennesaw State University BlackHat Briefings, USA, 2002."

Similar presentations

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 8: Monitoring the Network Connecting Networks.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 8: Monitoring the Network Connecting Networks.
Standard, Extended and Named ACL.  In this lesson, you will learn: ◦ Purpose of ACLs  Its application to an enterprise network ◦ How ACLs are used to.

Standard, Extended and Named ACL.  In this lesson, you will learn: ◦ Purpose of ACLs  Its application to an enterprise network ◦ How ACLs are used to.
Forensics Book 4: Investigating Network Intrusions and Cybercrime Chapter 4: Router Forensics.

Forensics Book 4: Investigating Network Intrusions and Cybercrime Chapter 4: Router Forensics.
CCNA Guide to Cisco Networking Fundamentals Fourth Edition

CCNA Guide to Cisco Networking Fundamentals Fourth Edition
Chapter 9 Managing a Cisco Internetwork Cisco Router Components Bootstrap - Brings up the router during initialization POST - Checks basic functionality;

Chapter 9 Managing a Cisco Internetwork Cisco Router Components Bootstrap - Brings up the router during initialization POST - Checks basic functionality;
COEN 252: Computer Forensics Router Investigation.

COEN 252: Computer Forensics Router Investigation.
CCNA2 Routing Perrine modified by Brierley Page 18/6/2015 Module 11 Access Control 172.16.3.0172.16.4.0 Non-172.16.0.0 e0e1 s0 172.16.4.13 server.

CCNA2 Routing Perrine modified by Brierley Page 18/6/2015 Module 11 Access Control Non e0e1 s server.
© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.

© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.


Network Security1 – Chapter 3 – Device Security (B) Security of major devices: How to protect the device against attacks aimed at compromising the device.

Network Security1 – Chapter 3 – Device Security (B) Security of major devices: How to protect the device against attacks aimed at compromising the device.
Sybex CCNA 640-802 Chapter 7: Managing a Cisco Internetwork Instructor & Todd Lammle.

Sybex CCNA Chapter 7: Managing a Cisco Internetwork Instructor & Todd Lammle.
1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.

1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.
Router Hardening Nancy Grover, CISSP ISC2/ISSA Security Conference November 2004.

Router Hardening Nancy Grover, CISSP ISC2/ISSA Security Conference November 2004.
Introduction to OSPF Campus Networking Workshop These materials are licensed under the Creative Commons Attribution-Noncommercial 3.0 Unported license.

Introduction to OSPF Campus Networking Workshop These materials are licensed under the Creative Commons Attribution-Noncommercial 3.0 Unported license.
Routers A router is a computer Computers have four basic components:

Routers A router is a computer Computers have four basic components:
Basic Router Configuration Warren Toomey GCIT. Introduction A Cisco router is simply a computer that receives packets and forwards them on based on what.

Basic Router Configuration Warren Toomey GCIT. Introduction A Cisco router is simply a computer that receives packets and forwards them on based on what.
IDS Mike O’Connor Eric Tallman Matt Yasiejko. Overview IDS defined IDS defined What it does What it does Sample logs Sample logs Why we need it Why we.

IDS Mike O’Connor Eric Tallman Matt Yasiejko. Overview IDS defined IDS defined What it does What it does Sample logs Sample logs Why we need it Why we.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.
Basic Router Configuration Honolulu Community College Cisco Academy Training Center Semester 2 Version 2.1.

Basic Router Configuration Honolulu Community College Cisco Academy Training Center Semester 2 Version 2.1.
NMS Labs Mikko Suomi LAB1 Choose SNMP device managment software Features: –Gives Nice overview of network –Bandwith monitoring –Multible.

NMS Labs Mikko Suomi LAB1 Choose SNMP device managment software Features: –Gives Nice overview of network –Bandwith monitoring –Multible.

Similar presentations

Ads by Google