Cisco IOS 12.0 Information Grabbing and Potential Vulnerabilities.
Written by: Semper
-----------
1. Introduction
2. Finger daemon
3. snmp daemon
4. http daemon
5. Saving the configuration
----------------------
ChangeLog
----------------------
This paper may change a lot over time.
----------------------
***The text below has been tested with IOS 12.0(9) and 12.0(4)***
----------------------
Cisco IOS, at least on the platforms tested here, has a finger daemon and an httpd daemon running by default. The finger daemon is not a huge security threat, but it does give away information about the router: it answers with the output of "show users", so anyone can see which lines are in use and where the sessions come from. The httpd daemon, on the other hand, has had vulnerabilities that let crackers bypass the username/password prompt and obtain full access to the router configuration, which they can then change as they see fit. Also, some ISPs that run SNMP never change the "community name" on the daemon from "public", the name every management tool assumes. This is very bad practice and lets crackers see information about Cisco routers that admins should not be letting people see.
-=Information Grabbing=-
-----------------------
#Finger daemon#
-----------------------
For example:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
semper@geex:~$ telnet 123.123.123.1 79
Trying 123.123.123.1...
Connected to 123.123.123.1.
Escape character is '^]'.

    Line       User       Host(s)              Idle       Location
*  2 vty 0                idle                 0          www.securitygeek.net

  Interface    User               Mode         Idle     Peer Address
  Se4/0                           Sync PPP     00:00:00 111.111.111.111

Connection closed by foreign host.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
What comes back is the router's "show users" output. The first table isn't much of anything: it tells nothing beyond which terminal line you were connected to and your own hostname/IP address.

    Line       User       Host(s)              Idle       Location
*  2 vty 0                idle                 0          www.securitygeek.net

The second table gives away more information about the router. It shows which interface 111.111.111.111 is attached to (Se4/0, a serial interface), what protocol is running on it (synchronous PPP), and the address of the peer at the far end of the link. Any admins logged in at the time would also show up in the first table, together with the hosts they came from.

  Interface    User               Mode         Idle     Peer Address
  Se4/0                           Sync PPP     00:00:00 111.111.111.111
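As an added example (not code from the original paper), the following Python script does what the telnet session above does by hand and then turns the two tables into fields: finger() sends the empty query RFC 1288 defines and reads the reply, and the parser uses the header line to find the column positions, so an empty User column stays empty instead of shifting the other fields. SAMPLE is a constructed transcript laid out like the one above, with the same placeholder hostnames and addresses; it is not output captured from a real router.

```python
"""Finger client plus a parser for the 'show users' table that the Cisco IOS finger
daemon returns. Added example for this article, not the author's code. SAMPLE is a
constructed transcript laid out like the one above, with the same placeholder
hostnames and addresses; it is not output captured from a real router."""
import re
import socket

SAMPLE = "\n".join([
    "    Line       User       Host(s)              Idle       Location",
    "*  2 vty 0".ljust(26) + "idle".ljust(21) + "0".ljust(11) + "www.securitygeek.net",
    "",
    "  Interface    User               Mode         Idle     Peer Address",
    "  Se4/0".ljust(34) + "Sync PPP".ljust(13) + "00:00:00 " + "111.111.111.111",
])

def finger(host, port=79, timeout=5.0):
    """Send the empty query RFC 1288 defines (just CRLF) and return the whole reply.
    That is exactly what the manual telnet session above does when you press Enter."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"\r\n")
        chunks = []
        while chunk := sock.recv(4096):
            chunks.append(chunk)
    return b"".join(chunks).decode("ascii", "replace")

def _parse_table(lines, header_index, tolerance=3):
    """Read the rows under one header line. IOS lays the tables out in fixed columns, so
    each word is assigned to the rightmost column whose label starts at or before it
    (minus a few characters of slack); that keeps an empty User column empty."""
    cols = [(m.start(), m.group()) for m in re.finditer(r"\S+(?: \S+)?", lines[header_index])]
    rows = []
    for line in lines[header_index + 1:]:
        if not line.strip():                      # a blank line ends the table
            break
        cells = {name: [] for _, name in cols}
        for m in re.finditer(r"\S+", line):
            idx = sum(1 for start, _ in cols if start <= m.start() + tolerance) - 1
            cells[cols[max(idx, 0)][1]].append(m.group())
        rows.append({name: " ".join(words) for name, words in cells.items()})
    return rows

def parse_show_users(text):
    """Split the reply into its two tables: terminal sessions and interface peers."""
    lines = text.splitlines()
    result = {"sessions": [], "peers": []}
    for i, line in enumerate(lines):
        first = line.split()[:1]
        if first == ["Line"]:
            result["sessions"] = _parse_table(lines, i)
        elif first == ["Interface"]:
            result["peers"] = _parse_table(lines, i)
    return result

def summarize(parsed):
    """Reduce the tables to the facts a reconnaissance pass is after."""
    facts = []
    for s in parsed["sessions"]:
        facts.append(f"{s['Line'].lstrip('* ')} in use by {s['User'] or '(no username)'} from {s['Location']}")
    for p in parsed["peers"]:
        if p["Peer Address"]:
            facts.append(f"{p['Interface']} runs {p['Mode']} with peer {p['Peer Address']}")
    return facts

if __name__ == "__main__":
    import sys
    text = finger(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    print("\n".join(summarize(parse_show_users(text))))
```

Run it with a router address as the only argument to query a live daemon, or with no argument to parse SAMPLE. The Unix "finger @router" command sends the same empty query, so it gets the same tables; the point of the parser is that the peer addresses and session origins come out as fields you can feed into the next step of a scan.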
The finger daemon doesn't give away too much info, but it is still information that most network admins would not want made public, and as the asterisk in the output above shows, every query briefly occupies one of the router's vty lines. To turn it off, log into your Cisco router via telnet or the console and type the following:

cisco>en
Password: ******
cisco#config t
cisco(config)#no ip finger

-Explanation of what was done-
It is a very simple fix. You log in to the router, enter enabled mode, go to configure terminal, and "no ip finger" turns off the finger daemon. On releases before 12.0 the same service is controlled by "service finger", so use "no service finger" there. Like every change in this paper, it lives only in the running configuration until you save it (see section 5).
----------------------------
#snmp daemon#
----------------------------
SNMP is a network monitoring protocol. Many ISPs and networks use SNMP on their routers to collect data about bandwidth usage and other useful information about how their network is working. The SNMP agent in IOS does not run until an "snmp-server" command has been configured, but the community name that then gets configured is, far too often, the one every management tool assumes: "public". Why is this bad? Because anyone who knows that name can use your own network monitoring to gain information about your network and, more specifically, about your router. Using a simple program such as WS_Ping Pack I can gain information simply by typing in the IP of the router I want to query. Below are the results I get from running an SNMP scan with the default "public" community name.
sysName.0=GeeX
sysDescr.0="Cisco Internetwork Operating System Software
IOS (tm) 1005 Software (C1005-Y2-M), Version 12.0(9), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2000 by cisco Systems, Inc.
Compiled Mon 24-Jan-00 23:10 by bettyl"
sysContact.0=
sysLocation.0=
sysObjectID.0=cisco.1.49
sysUpTime.0="2 days 00:47:04"
What exactly is this information? Let's see.

sysName.0=GeeX
- The hostname of the router.

sysDescr.0="Cisco Internetwork Operating System Software
IOS (tm) 1005 Software (C1005-Y2-M), Version 12.0(9), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2000 by cisco Systems, Inc.
Compiled Mon 24-Jan-00 23:10 by bettyl"
- Tells information about the router: the platform (a 1005), the exact IOS image and version it is running, and when that image was built by Cisco. The exact version is what a cracker needs to match the router against published IOS advisories.

sysContact.0=
sysLocation.0=
- Empty on this router, but admins often fill these in with a name, a phone number and a street address, and they then go out to anyone who asks.

sysObjectID.0=cisco.1.49
- An object identifier under Cisco's enterprise subtree that identifies the router model.

sysUpTime.0="2 days 00:47:04"
- This bit of information tells us how long the router has been up and running, and so when it was last rebooted.
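To show what a default community name actually hands out, here is an added example (not code from the original paper) of an SNMPv1 GET client written from the RFC 1157 packet layout in plain Python, with no SNMP library: build_get_request() produces the packet a tool such as WS_Ping Pack sends, parse_get_response() reads the reply, and snmp_get_system() puts the two on the wire against a live agent. The community name is the only credential in the exchange, and it travels in cleartext. sample_get_response() is a constructed reply that mirrors the scan above (hostname GeeX, the same uptime, and sysObjectID cisco.1.49, which is enterprises.9.1.49); it is not a packet captured from a router.

```python
"""Minimal SNMPv1 GET client written straight from the RFC 1157 packet format. Added
example for this article, not the author's code: anyone who knows the community name
can fetch the same objects the scan above did, with no SNMP library at all.
sample_get_response() is a constructed packet, not a capture from a real router."""
import socket

SYSTEM_OIDS = {                                   # RFC 1213 system group, as in the scan above
    "sysDescr.0": (1, 3, 6, 1, 2, 1, 1, 1, 0), "sysObjectID.0": (1, 3, 6, 1, 2, 1, 1, 2, 0),
    "sysUpTime.0": (1, 3, 6, 1, 2, 1, 1, 3, 0), "sysContact.0": (1, 3, 6, 1, 2, 1, 1, 4, 0),
    "sysName.0": (1, 3, 6, 1, 2, 1, 1, 5, 0), "sysLocation.0": (1, 3, 6, 1, 2, 1, 1, 6, 0),
}
GET_REQUEST, GET_RESPONSE, TIMETICKS = 0xA0, 0xA2, 0x43

def _tlv(tag, body):                              # BER type-length-value; 2-byte long form if needed
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x82, n >> 8, n & 0xFF])) + body

def _int(value):                                  # INTEGER, shortest two's-complement encoding
    return _tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True))

def _oid(subids):                                 # OBJECT IDENTIFIER: 40*x+y, then base-128 groups
    out = [subids[0] * 40 + subids[1]]
    for sub in subids[2:]:
        chunk = [sub & 0x7F]
        while (sub := sub >> 7):
            chunk.insert(0, 0x80 | (sub & 0x7F))
        out += chunk
    return _tlv(0x06, bytes(out))

def _message(community, pdu_tag, request_id, status, index, varbinds):
    pdu = _tlv(pdu_tag, _int(request_id) + _int(status) + _int(index) + _tlv(0x30, b"".join(varbinds)))
    return _tlv(0x30, _int(0) + _tlv(0x04, community.encode()) + pdu)   # version 0 = SNMPv1

def build_get_request(community, oids, request_id=1):
    """GetRequest for several OIDs in one packet; each varbind carries a NULL placeholder."""
    return _message(community, GET_REQUEST, request_id, 0, 0, [_tlv(0x30, _oid(o) + b"\x05\x00") for o in oids])

def _read(buf, pos):                              # -> (tag, body, position just after this TLV)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode(tag, body):
    if tag == 0x04:
        return body.decode("ascii", "replace")
    if tag == 0x05:
        return None
    if tag == 0x06:                               # OID: undo the packing done in _oid()
        subids, value = [body[0] // 40, body[0] % 40], 0
        for b in body[1:]:
            value = (value << 7) | (b & 0x7F)
            if not b & 0x80:
                subids, value = subids + [value], 0
        return tuple(subids)
    return int.from_bytes(body, "big", signed=(tag == 0x02))   # INTEGER signed; Counter/Gauge/TimeTicks not

def parse_get_response(packet, expected_request_id=None):
    """Return {oid tuple: value} from a GetResponse; raise ValueError if the agent reported an error."""
    _, msg, _ = _read(packet, 0)
    _, _, pos = _read(msg, 0)                     # version
    _, _, pos = _read(msg, pos)                   # community, echoed back; there is no authentication
    tag, pdu, _ = _read(msg, pos)
    if tag != GET_RESPONSE:
        raise ValueError("not a GetResponse PDU")
    parts, pos = [], 0
    while pos < len(pdu):                         # request-id, error-status, error-index, varbind list
        t, body, pos = _read(pdu, pos)
        parts.append(_decode(t, body) if t == 0x02 else body)
    rid, status, index, varbinds = parts
    if expected_request_id is not None and rid != expected_request_id:
        raise ValueError("request-id mismatch: stale or spoofed reply")
    if status:
        raise ValueError(f"agent error-status {status} at varbind {index}")
    values, pos = {}, 0
    while pos < len(varbinds):
        _, vb, pos = _read(varbinds, pos)
        _, oid, p = _read(vb, 0)
        vtag, vbody, _ = _read(vb, p)
        values[_decode(0x06, oid)] = _decode(vtag, vbody)
    return values

def format_uptime(ticks):                         # TimeTicks are 1/100 s; IOS prints 'D days HH:MM:SS'
    days, rem = divmod(ticks // 100, 86400)
    hours, rem = divmod(rem, 3600)
    return f"{days} days {hours:02d}:{rem // 60:02d}:{rem % 60:02d}"

def snmp_get_system(host, community="public", port=161, timeout=3.0):
    """Query a live agent for the system group. Silence (socket.timeout) usually means a
    wrong community name: SNMPv1 agents drop such requests without any reply."""
    rid = 0x5EC
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_get_request(community, list(SYSTEM_OIDS.values()), rid), (host, port))
        reply, _ = sock.recvfrom(65535)
    values = parse_get_response(reply, rid)
    return {name: values.get(oid) for name, oid in SYSTEM_OIDS.items()}

def sample_get_response(request_id=1):
    """Constructed reply mirroring the article's scan; not captured from a real router."""
    return _message("public", GET_RESPONSE, request_id, 0, 0, [
        _tlv(0x30, _oid(SYSTEM_OIDS["sysName.0"]) + _tlv(0x04, b"GeeX")),
        _tlv(0x30, _oid(SYSTEM_OIDS["sysObjectID.0"]) + _oid((1, 3, 6, 1, 4, 1, 9, 1, 49))),
        _tlv(0x30, _oid(SYSTEM_OIDS["sysUpTime.0"]) + _tlv(TIMETICKS, (17562400).to_bytes(4, "big"))),
    ])
```

snmp_get_system("123.123.123.1") returns a dict keyed like the scan above; pass the uptime through format_uptime() to get the "2 days 00:47:04" form. A timeout instead of an answer usually means the community name is wrong (or an access list on the community is doing its job), because SNMPv1 agents drop unauthorised requests silently. The request-id check matters on a hostile network: without it, anything that can see your request can answer it with whatever it likes.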
How can I change the default community name? First, log into the router either via the console or telnet and enter enabled mode:

GeeX>en
Password: ******
GeeX#

Second, type "configure terminal":

GeeX#configure terminal
GeeX(config)#

Third, get rid of the "public" community and add your own. Note that "snmp-server community" adds a community and does not replace the ones already there, so the "no" form is what actually removes "public":

GeeX(config)#no snmp-server community public
GeeX(config)#access-list 10 permit host 192.0.2.10
GeeX(config)#snmp-server community communityname ro 10

Where it says "communityname", change it to whatever you want and keep it secret, so you don't have people grabbing information about your network using your own network management tools. The "10" on the end ties the community to access-list 10, so the router only answers your management station (192.0.2.10 is a placeholder; put your own station's address there) even if the name leaks. Keep it read-only ("ro") unless you really need SNMP writes, check with "show running-config" that no read-write community such as "private" is left behind, and remember that SNMPv1 carries the community name in cleartext in every packet, so anyone who can sniff the management traffic learns it.
-------------------------------
#httpd daemon#
-------------------------------
The httpd daemon in Cisco IOS has had known vulnerabilities that allow attackers to take complete control of the router. It is turned on by default (at least on the platforms tested here) and serves the GUI configuration page(s). In my opinion, if you have enough experience to work with Cisco routers then you do not need an HTTP GUI for configuration, so the daemon should be turned off. If you must keep it, at least limit who can reach it with "ip http access-class" and an access list, and switch it from the enable password to real accounts with "ip http authentication local"; but turning it off removes the whole attack surface, including the bugs nobody has published yet.
First, log into the router via telnet or the console and enter privileged mode.
GeeX>en
passwd:******
GeeX#
Second, enter config t mode:
GeeX#configure terminal
GeeX(config)#
Third, to turn off the httpd daemon, enter the following command:
GeeX(config)# no ip http server
This turns off the httpd daemon on the router. Now that we have gone through the router turning off the finger and http daemons and changing the community name on the snmp daemon, we need to write the configuration to memory.
-------------------------------------
#Saving the configuration#
-------------------------------------
GeeX(config)#end
GeeX#copy running-config startup-config
The above command writes the running configuration to NVRAM so that it remains intact when you reboot the router; until you do this, every change made above is lost at the next reload. "write memory" (or "wr mem") does the same thing. Afterwards, "show running-config" is the place to confirm that "no ip finger", "no ip http server" and only your own community string are present.
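As a closing check, here is an added example (not the paper's own code) that audits a saved copy of "show running-config" for the three exposures covered above and says which command is missing. WEAK_CONFIG and HARDENED_CONFIG are constructed samples in IOS syntax, not real router configurations; the community string and the management station address in HARDENED_CONFIG are placeholders. Because IOS only stores non-default settings, finger counts as on unless "no ip finger" is present, and the HTTP server counts as on by default for the platform tested here unless "no ip http server" is present (the http_default_on flag covers platforms where the server defaults to off).

```python
"""Audit a saved 'show running-config' for the three exposures this article covers:
the finger daemon, SNMP community names and the HTTP server. Added example for this
article, not the author's code. WEAK_CONFIG and HARDENED_CONFIG are constructed
samples in IOS syntax, not real router configurations; the community string and the
management station address in HARDENED_CONFIG are placeholders."""
import re

WEAK_CONFIG = """\
!
hostname GeeX
!
ip http server
snmp-server community public RO
snmp-server community private RW
!
end
"""

HARDENED_CONFIG = """\
!
hostname GeeX
!
no ip finger
no ip http server
access-list 10 permit host 192.0.2.10
snmp-server community N0tPubl1c RO 10
!
end
"""

WELL_KNOWN = {"public", "private"}           # the names every scanner tries first
COMMUNITY = re.compile(r"^snmp-server community (\S+)(?: view \S+)?(?: (ro|rw))?(?: (\S+))?\s*$", re.I)

def _lines(config):
    """Configuration lines with IOS '!' comment lines and surrounding whitespace removed."""
    return [ln.strip() for ln in config.splitlines() if ln.strip() and not ln.lstrip().startswith("!")]

def audit(config, http_default_on=True):
    """Return a list of (check, detail) findings; an empty list means all three are closed.
    IOS only stores non-default settings, so finger is on unless 'no ip finger' appears.
    http_default_on says whether the platform ships with the HTTP server enabled, as the
    1005 used in this article does; pass False for platforms where it defaults to off."""
    lines = _lines(config)
    findings = []
    if not any(ln in ("no ip finger", "no service finger") for ln in lines):
        findings.append(("finger", "finger daemon is on by default; add 'no ip finger'"))
    if "ip http server" in lines:
        findings.append(("http", "HTTP server explicitly enabled; replace with 'no ip http server'"))
    elif http_default_on and "no ip http server" not in lines:
        findings.append(("http", "HTTP server is on by default on this platform; add 'no ip http server'"))
    defined_acls = {ln.split()[1] for ln in lines if ln.startswith("access-list ")}
    for ln in lines:
        m = COMMUNITY.match(ln)
        if not m:
            continue
        name, mode, acl = m.group(1), (m.group(2) or "RO").upper(), m.group(3)
        if name.lower() in WELL_KNOWN:
            findings.append(("snmp-community", f"well-known community '{name}'; remove it with 'no snmp-server community {name}'"))
        if mode == "RW":
            findings.append(("snmp-rw", f"community '{name}' is read-write; use RO unless SNMP writes are really needed"))
        if acl is None:
            findings.append(("snmp-acl", f"community '{name}' is answered from any source address; append an access-list number"))
        elif acl not in defined_acls:
            findings.append(("snmp-acl", f"community '{name}' references access-list {acl}, which is not defined"))
    return findings

if __name__ == "__main__":
    import sys
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEAK_CONFIG
    for check, detail in audit(source):
        print(f"{check}: {detail}")
```

Run it against a file saved from "show running-config" (or with no argument to see the findings for WEAK_CONFIG). A community string without a trailing access-list number is reported even when the name is secret, because the name is the only thing standing between the agent and the whole Internet; the ACL is what limits the damage when it leaks.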