Router and Infrastructure Hacking

While the overall flow of systematically attacking a network's infrastructure is similar to attacking any network -- recon, find vulnerable points, gather data, harvest authentication credentials, attack, recurse -- there are several useful vectors still not common among network engineers or penetration testers. This talk will outline some useful lateral techniques for backbone and infrastructure device hacking, as well as discussing how to assess a network and develop your own attacks if there are no known ones to be found.

When in the reconnaissance phase, there are several differences between infrastructure analysis and normal network mapping that are useful to know. Stack fingerprinting is a bit spottier, making OS identification somewhat more difficult. The proliferation of varying code trains on popular network devices makes using traditional scanners a bit more uncertain, though efforts are being made to address this. However, default passwords are much more widely deployed on infrastructure devices, and brute-force tools are starting to become more common. While many of these tools are still young (cisco_torch, for example), they are easily extensible and will often yield good results when properly tweaked. Add to this the network admin's toolkit

• • BGP looking glasses, for example -- and old-school techniques such as

war-dialing, which has new life in finding the out-of-band access modems so often deployed for high-availability network maintainence. Poor security practices and the reliance on poorly authenticated protocols or their fragile dependencies (services with known DoS conditions, unauthenticated UDP transactions in the clear) allow authentication tokens to be gleaned, sniffed, and in many cases, faked. Wireless sniffing has yielded management and authentication backbone data in 1% of networks sampled, and password reuse makes it easier to put that data to privilege escalation usage. In addition, the ability to knock an authentication server off the wire and replace it with a compromised authentication server of your own has been an effective technique in previous pen-testing engagements. However, the Holy Grail of backbone attack is finding bugs in the devices themselves. While denial of service is relatively easy, and useful if that's your aim (plenty of extortionists are happy with that, and ditto corporate saboteurs), device takeover is still more likely by attacking the authentication credentials. If the devices you're attacking don't have any known bugs, fear not -- a reasonable grasp of protocol analysis can often help, and fuzzing the protocols that are available on the device can often cause DoS bugs at the least to fall out. A still more useful attack vector is to authenticate to, join, and inject routes into the routing protocol in use, and we'll discuss several easy ways to do that, and the results that can be achieved. Finally, this talk will look at common audit and logging behaviours of infrastructure devices, and how that affects the likely long-term success of the attacks described above.