Router Skullduggery
The Utility of Network Devices for Attack and Defense
Chris Davis
Hivercon 2003
Contents
1. Philosophical Preliminaries
2. Network Devices as Attackers
3. Network Devices as Defenders
4. Jitney
5. Countermeasures
1.1 Medieval Security
Viral epidemics
Determination of risk is unscientific
Users can be fools
1.2 Understanding Risk
Risk is a function of the likelihood of a given threat-source’s exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization.
NIST SP 800-30, Risk Management Guide for Information Technology Systems
1.3 Reducing Risk
[Diagram: Internet, Application, Database, Ethernet]
Inherent risk is the risk of a system in the absence of mitigating controls.
Risk is reduced through the implementation of mitigating controls.
The amount by which risk is reduced is determined by the control’s effectiveness against known vulnerabilities.
[Diagram: Internet, Firewall (allow any to any), Ethernet, Application, Firewall, Minicomputer]
1.4 Control Effectiveness
A control’s effectiveness is measured by its ability to reduce an attack’s probability of success.
An attack’s probability of success is based upon
– Cost (cracking strong encryption)
– Time (brute-force password guessing)
– Visibility (Internet-accessible tcp/139)
– Prerequisite knowledge (obfuscation)
2.1 Skullduggery
skullduggery (n. see also Scots sculduddery) 1. a devious device or trick, 2. underhanded or unscrupulous behavior.
Merriam-Webster Online Dictionary (http://www.m-w.com)
2.2 Brief History of Attacks Part I
ARP Poisoning
Target: Network switches.
Operating Layer: Ethernet
Method: Falsified ARP packets are frequently broadcasted to the local network, thereby causing hosts to send packets to the attack host.
Effect: The attacking host can read and modify data.
Tools: dsniff, Ettercap, Cain
Limitations
Viewpoint: Local
Necessary Precision: Low
Detectability: High
Bandwidth: Moderate – High
Latency: Moderate
2.3 Brief History of Attacks Part II
Route Manipulation
Target: Network routers.
Operating Layer: TCP/IP
Method: The route table is modified to redirect packets through the attack host.
Effect: The attacking host can read and modify data.
Tools: VIPPR, IRPAS, RPAK, Policy Routing, IP Tunneling (GRE / IPIP)
Limitations
Viewpoint: Local / Remote
Necessary Precision: Moderate
Detectability: High
Bandwidth: High
Latency: High
2.4 Traffic Detection
router# conf t
router(config)# access-list 101 permit tcp any any
router(config)# exit
router# debug ip packet 101 detail
router# no debug ip packet 101 detail
Slide callouts: Initialize logging; Confmode; Exit Confmode; Start Detection; Stop Detection
3w0d: IP: s=172.24.221.131 (Ethernet0), d=172.24.221.193 (Ethernet0), len 41, rcvd 3
3w0d: TCP src=36836, dst=23, seq=1517999349, ack=1908502442, win=12320 ACK PSH
3w0d: IP: s=172.24.221.193 (local), d=172.24.221.131 (Ethernet0), len 41, sending
3w0d: TCP src=23, dst=36836, seq=1908502442, ack=1517999350, win=3929 ACK PSH
3w0d: IP: s=172.24.221.131 (Ethernet0), d=172.24.221.193 (Ethernet0), len 40, rcvd 3
3w0d: TCP src=36836, dst=23, seq=1517999350, ack=1908502443, win=12320 ACK
2.5 Sniffing via Syslog
router# conf t
router(config)# logging trap debugging
router(config)# logging facility local6
router(config)# logging <syslog server>
router(config)# access-list 101 permit icmp any any echo echo-reply
router(config)# exit
router# debug ip packet 101 dump
router# no debug ip packet 101 dump
Slide callouts: Initialize logging; Configuration Mode; Set ACLs; Exit Confmode; Start Sniffing; Stop Sniffing
2.6 Sniffing on a Cisco (Ethernet)
router# debug ip packet <ACL> dump
2w3d: IP: s=172.24.221.193 (local), d=172.24.221.10 (Ethernet0), len 84, sending
2.7 Sniffing on a Cisco (Token-Ring)
router# debug ip packet <ACL> dump
2w3d: IP: s=10.20.40.1 (Virtual-TokenRing0), d=10.20.40.1 (Virtual-TokenRing0), len 100, rcvd 3
2.8 Passive Firewall Ruleset Enumeration
Method: Track any of the following:
• Successful TCP handshakes
• Matching ingress and egress UDP traffic
• ICMP packets (and their associated responses)
• IP protocols
Effect: The attacking host can passively determine a good portion of the firewall’s ruleset.
Detectability: Very low
2.9 Firewall State Table Determination
Method: Track the following
• Source and destination IP addresses
• TCP header data: flags, sequence numbers, window sizes, source and destination ports
• UDP source and destination ports
• ICMP types and codes
Effect: The attacking host can determine the active connections permitted by the firewall, including internally originated traffic.
Detectability: Very low
2.10 Stealthy Network Mapping
Method:
• Reroute any valid connection through the attacking host using IP tunneling and policy routing.
• Initially set the TTL on any ingress packet to one and send to the destination host.
• Sniff any ICMP type 11 (time exceeded) messages destined for the client host, increment the TTL, and resend.
• Once the destination responds, shut down the tunnel.
Effect: The attacking host can map the internal network using authorized connections.
Detectability: Low
2.11 Packet Injection
Method:
• Reroute any valid connection through the attacking host using IP tunneling and policy routing.
• Modify packet contents as needed for either the client or server.
• Tear down tunnel when done.
Effect: The attacking host can replace data with false information or malicious code.
Detectability: Moderate
2.12 Connection Hijacking
Method:
• Reroute any valid connection through the attacking host using IP tunneling and policy routing.
• Track session parameters.
• Block client access at the router or attack host.
• Using last-known good session parameters, continue the connection with the destination host.
Effect: The attacking host can take complete control of a connection.
Detectability: Moderate - High
2.13 Sniffing via Telnet
router# conf t
router(config)# logging monitor debugging
router(config)# access-list 101 permit icmp any any echo echo-reply
router(config)# service nagle
router(config)# exit
router# terminal monitor
router# debug ip packet 101 dump
router# no debug ip packet 101 dump
Slide callouts: Configuration Mode; Terminal Monitoring; Set ACLs; Exit Confmode; Start sniffing; Stop Sniffing; Terminal Monitoring; Telnet Efficiency
2.14 Blocked Tunnels
Limitations: The border firewall blocks GRE (47) and IPIP (94) protocols, thereby preventing simple route manipulation attacks.
Target: Internal routers.
Method: Sniff packets on internal router by dumping packets to the terminal.
Effect: Traffic on internal networks can be sniffed directly or via compromised hosts.
Detectability: Moderate
2.15 Remote Switch Sniffing
Limitations: Router security prevents compromise.
Target: Network switches.
Method: Sniff packets on switch by dumping packets to the terminal.
Effect: Traffic on internal networks can be sniffed directly or via compromised hosts.
Detectability: Moderate
2.16 Switch Sniffing
00:20:08: IP: s=169.254.151.9 (VLAN1), d=169.254.255.255, len 246, rcvd 1
3.1 Poor Man’s NIDS
Applicability: Small remote networks where it is cost-prohibitive to install a dedicated NIDS sensor.
Method: Sniff all traffic matching the ‘default deny’ rule on the border router.
Security Benefit: An attacker’s initial attempts will be caught by a NIDS sensor.
Bandwidth Consumption: 2*(Attack Traffic)
Effectiveness: Will only provide early warning signs such as port scans, traceroutes.
Increasing Effectiveness: Dynamically reroute traffic through NIDS based on early warning signs.
Limitations: Cannot inspect authorized traffic.
3.2 Backtracking DoS
Applicability: Bandwidth-consumption DoS attacks.
Method: Start with the routers nearest to the DoS target. Reroute DoS target traffic to an analysis host using GRE or IPIP tunnels. Determine which router forwards the most DoS traffic, then proceed to analyze the next hop beyond that router. Continue until the source of the attack is determined.
Security Benefit: The DoS source network can be identified and traffic flow can be blocked. Normal operations can thereby resume.
Effectiveness: Depends on analysis engine implementation. Theoretically, the DoS source could be identified within minutes.
Limitations: Does not identify DoS traffic.
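The hop-by-hop walk from the Method above, as an added example that is not part of the original slides. The topology, the packet rates and the min_share threshold are constructed assumptions; the rates stand in for what the analysis host would count over the tunnel, and they include all traffic to the target, attack or not.

```python
# Constructed topology: each router maps to its upstream neighbours
# (one hop further away from the DoS target).
UPSTREAM = {
    "edge-a": ["core-1", "core-2"],
    "core-1": ["peer-x", "peer-y"],
    "core-2": ["peer-z"],
    "peer-x": [], "peer-y": [], "peer-z": [],
}

# Constructed measurements: packets per second addressed to the target,
# counted while each router's target-bound traffic was tunnelled to the
# analysis host.
CONCENTRATED = {"core-1": 91000, "core-2": 4000,
                "peer-x": 2500, "peer-y": 88000, "peer-z": 4000}
DISTRIBUTED = {"core-1": 48000, "core-2": 47000,
               "peer-x": 24000, "peer-y": 24000, "peer-z": 47000}


def backtrack(start, upstream, rate, min_share=0.6):
    """Walk upstream from `start`, following the heaviest forwarder each hop.

    Returns (path, status). The walk stops when a router has no upstream
    neighbour in the map, when no traffic is seen upstream, or when the
    heaviest neighbour carries less than `min_share` of the total, in which
    case every neighbour would have to be followed separately.
    """
    path, seen = [start], {start}
    current = start
    while True:
        # Ignore routers already visited so a looped map cannot spin forever.
        neighbours = [r for r in upstream.get(current, []) if r not in seen]
        if not neighbours:
            return path, "edge reached"
        rates = {r: rate.get(r, 0) for r in neighbours}
        total = sum(rates.values())
        if total == 0:
            return path, "no traffic upstream"
        top = max(rates, key=rates.get)
        if rates[top] / total < min_share:
            return path, "split across " + ", ".join(sorted(rates))
        path.append(top)
        seen.add(top)
        current = top


if __name__ == "__main__":
    print(backtrack("edge-a", UPSTREAM, CONCENTRATED))
    print(backtrack("edge-a", UPSTREAM, DISTRIBUTED))
```
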
3.3 Attack Reciprocation
Applicability: Targeted attacks.
Method: Once an attack is identified, reroute the attacker through the reciprocating host. Provide bogus data to the attacker, possibly even malicious code that the attacker may execute.
Security Benefit: Valuable information about the attacker can be captured for the purposes of investigation.
Effectiveness: Depends on the effort given to make reciprocation transparent to the attacker. This type of response is only feasible for very high criticality systems.
Limitations: Depends heavily on the ability to identify active attacks and the creativity of the reciprocating security team.
4.1 Jitney
5.1 Management Interface Exposure
Block Unauthorized Connections
Deny access to management interfaces at the border and at any access point (router, switch, firewall, etc).
Block All Connections
Only allow network management connections via a terminal server.
5.2 Protecting Data
Encrypt Sensitive Traffic
What more needs be said?
5.3 Wishful Thinking
Signed Configurations
Higher Trust
Strong Authentication
PKI integration (inter-ISP traffic control?)
Reduced IOS Builds
Excludes debugging functionality
Cisco Internetwork Operating System Software
IOS (tm) 2500 Software (C2500-IO-L-NODEBUG), Version 12.0(9), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2000 by cisco Systems, Inc.
Compiled Mon 24-Jan-04 23:45 by bettyl
Image text-base: 0x030325B0, data-base: 0x00001000
Links
http://www.giac.org/practical/Joshua_Wright_GCIH.zip
http://www.phenoelit.de/tools/
http://www.phrack.org/show.php?p=56&a=10