Monday, September 22, 2008

Cisco Switch (ethical) Hacking

The following article will demonstrate several ways of hacking a Cisco switch - please note that this article's purpose is not to teach you how to hack, but rather to suggest ways of defending against such scenarios.
Almost any organization with multiple stations uses managed switches; a good number of clients and servers are connected via the switches, which separate them into VLANs by their function. This makes a switch a crossroads of all LAN traffic and a good attack target for a hacker.

Attack #1 - Turn the switch into a hub - you may ask yourself: what's the difference? A reminder: a hub consists of one broadcast domain, which means that information is broadcast to all the ports - a great opportunity to sniff traffic (unlike a switch, where every port is a separate broadcast domain). Each and every port on a switch has a limited number of addresses it can save to memory; the amount depends on the model, but generally it's something like 1000-2000. That means that if we keep sending frames to the switch and change our MAC address (with a proper script...) every short while, the switch's buffer will overflow and it will come to a state called "flooding", in which it acts as a hub and all the valuable info can be sniffed.

Attack #2 - Change the admin password - this is actually very easy; the only obstacle is that you need a physical connection via a rollover cable to the serial port of the switch.
Shut down the switch, then press and hold the mode button, turn on the switch and release the mode button after a while; you will be prompted that the flash boot procedure has been interrupted. Type: flash_init
This will restart the switch; after the switch finishes restarting, type: dir flash:
This will show the files on the flash - 2 files are critical: & config.text
First of all we will rename the config.text file:

rename flash:config.text flash:config.text.old

After that we will reboot the switch: type boot and the switch will perform a reboot, but without the configuration file.
By default you will be asked if you want to run the setup wizard; choose NO, then enter privileged mode by typing: en. In privileged mode, rename the file back to its original name:

rename flash:config.text.old flash:config.text
Now we need to be careful: we only want to change the administrator password, not to delete the config files located in NVRAM, so we will copy the config file first in order to preserve it:

copy flash:config.text system:running-config
After the config is preserved and backed up we will type:

configure terminal

to enter advanced configuration mode. Now we can change the password; simply type:

enable secret <new-password>

Next, type: exit and save the settings:

copy running-config startup-config

After you restart the switch it will come up with the new password.

Ways of Defense

First of all, remember to deny physical access to switches, routers, etc. As I showed you, it's very easy to hack a switch whenever one has physical access and some knowledge of Cisco IOS.

Second, a good idea might be to secure the ports and allow access to certain MAC addresses only; this will prevent connecting appliances that are not supposed to be connected to the switch and will make a hacker's life more difficult. This is how it's done:

switch(config)# mac-address-table static <mac-address> vlan 1 interface fa0/1
Pretty easy: just enter the relevant MAC address, the desired VLAN and the interface.
fa means Fast Ethernet, 0 means the port line, 1 means the port number.

Another option is to use the "switchport port-security" option; the great thing about it is that when someone tries to connect with another Ethernet card, the port will automatically shut down.
This is how it goes:

switch(config)#int fa0/1
switch(config-if)#switchport mode access
switch(config-if)#switchport port-security
switch(config-if)#switchport port-security maximum 1
switch(config-if)#switchport port-security mac-address 0011.2233.4455
switch(config-if)#switchport port-security violation shutdown
Some Cisco devices allow you to prevent the recovery of passwords; this can be done with the command
no service password-recovery
in configuration mode.

This prevents the hacker from accessing the original configuration and forces a reset of the device to its factory default state.
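As an added example (not part of the original post), here is a small Python script that audits a switch's running-config text for the two defenses above: port security on access ports and the password-recovery setting. The config text is a constructed sample; its interface names and MAC address are made up.

```python
import re

# Constructed sample running-config (made-up interfaces and MAC): Fa0/1 is
# hardened as above, Fa0/2 is a bare access port, Gi0/1 is a trunk uplink.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0011.2233.4455
 switchport port-security violation shutdown
!
interface FastEthernet0/2
 switchport mode access
!
interface GigabitEthernet0/1
 switchport mode trunk
!
"""

def parse_interfaces(config):
    """Return {interface name: [sub-commands]} for each interface block."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None  # "!" or any global command ends the block
    return blocks

def audit(config):
    """Report access ports lacking port security and an enabled recovery mode."""
    findings = []
    # IOS shows this setting only when disabled; its absence means enabled.
    if "no service password-recovery" not in config.splitlines():
        findings.append("global: password recovery is enabled")
    for name, lines in parse_interfaces(config).items():
        if "switchport mode access" not in lines:
            continue  # trunks and uplinks are outside this check
        if "switchport port-security" not in lines:
            findings.append(f"{name}: access port without port-security")
            continue
        for sub in lines:
            m = re.fullmatch(r"switchport port-security maximum (\d+)", sub)
            if m and int(m.group(1)) > 1:
                findings.append(f"{name}: allows {m.group(1)} MAC addresses")
    return findings
```

Running audit(SAMPLE_CONFIG) flags the missing no service password-recovery line and the unprotected FastEthernet0/2 port, while the hardened Fa0/1 and the trunk produce no findings.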
