Routers HATE This One Neat Trick Exploiting Cisco Smart Routers HATE This

good afternoon everyone I have the pleasure of introducing Eric Arnold uh Eric is a network pen tester for a consultancy firm after spending a number of years in network support as an operations engineer and his tough days routers hate this one neat trick exploiting Cisco smart install hey welcome everybody thank you all for coming out today so yeah we're talking about one neat trick that routers hate and that one trick is Cisco smart install

so a little bit about me um I go by brood hacker on Twitter I've been a senior consultant at productivity for about 18 months working in the attack and Pen area I do Network pin testing social engineering engagements I also do physical security engagements um but before that I was a network engineer Network support and operations I did that for about 10 years in various forms for a logistics firm and uh I am proud to have an expired CCNA those Cisco tests are really hard so if you have a bunch of Cisco service more power to you um I wanted to take a little bit of time while I have a platform here to give uh

shout outs to our local meetups here uh obviously you're here at besides DFW this was the first uh local hacking um anything that I came to I got to see Philip Wiley talk about the pen testing blueprint uh really inspired me to make the move from networking into pen testing from there I met a lot of people um including the people from hack Fort Worth where I like to go monthly as often as possible I don't live in Fort Worth anymore but I still try and make it over there as often as possible um also Dallas hackers Association which is a a different Meetup over on the Dallas side as well as dc214 and 2600 Fort Worth

um I really want to stress that the community is really important and I think that it has a lot to do with why I'm employed right now like anybody in the audience raise your hand if you've got a job through the community so not a lot but uh I think it's still really important and you go and meet a lot of people and I've met some of the smartest people I've ever met at these meetups for sure so just an overview of the presentation what we're going to talk about uh unfortunately I do have to kind of lead you in on networking a little bit we're going to talk about Network layouts and router features some of the old ways

that we had to configure Network equipment before deploying it and then the the new ways as well and then we'll get into the Cisco smart install vulnerability and what kind of things happen with it in the wild uh who's using it how long has it been around then we'll also talk a little bit about business impact so just from the most basic that you can get what you know what's a router what's a switch well they can do transmit and receive uh data packets so that all of your devices can stay connected to a network or a domain they can hand out DHCP addresses they can hold VPN configurations um you know you can do segmenting of

your network in VLAN so that only certain devices can talk on certain IP spaces and you you know don't you want to segment your network as as much as possible so that you reduce your attack surface um in addition to that they also do access control such as Port security where you have to have a certain Mac address to be connected to a certain port or an access list where you can essentially do like packet level filtering all a firewall so this is kind of the old way of doing things uh the the ancient Magics of network engineering uh kind of had to get a a putty session with a USB dongle to a serial connector

and then I get a serial connector to an rj5 RJ45 rollover cable plug that into that little blue port on The Cisco switch and then you have a serial connection um and you better have the right driver for both of those little cords uh and your your serial driver on your on your host as well um and so the thing you have to do is you'd have to take your configuration which is basically just a big text file take your configuration you paste it in a few lines at a time really hope you didn't miss one in there or else your access controls aren't turned on at all or you uh you know like me I've done this a

hundred times I promise forget to turn on SSH and then you give your switch to someone who's taking it out into the tundra and they get out there and you're like well I can ping it but I can't manage it the new way of doing things is a lot cooler you can make configuration changes at scale using all of these you can make Python scripts with paramico and netmico libraries the older scripting languages like Pearl and Bash and expect are all still viable ways of making configuration changes at scale they get to be a little cumbersome and then you have to also think about like secure coding practices which network Engineers not not really on on the list

of things that you learn other things that can do these sorts of things I don't have as much experience with um include like ansible and puppet ansible basically functions with um like playbooks and yaml files where you build out your entire inventory into yaml and Json nonsense I'm just way over my head but I know that you have to build out a whole lot of files to be able to get to the point where you're managing a large-scale network with those protocols also Chef I here is something that people use for Network management but I have no experience with that at all the one that I've bullied and italicized and highlighted there is SNMP um so that is what a lot of

organizations use to manage networks at scale what is SNMP uh it's a protocol it's supposedly simple Network management protocol uh essentially you have uh you know a read write string that can set parameters on devices the monitored devices can send SNMP traps back to a centralized location so that you can see like hey my port went down here's an SNMP trap and then your management protocol or system knows about it and you can kind of take action as the knock or as the soccer whoever but it does that via get and set requests so another thing that we kind of need to go over before we really get into it is Cisco configurations so what are what's

in the config itself um Port information is in there the IP addresses the Mac addresses your Port security if you're going to lock it down to a particular Mac address that's in there your routing tables how one network gets to another Network and Via what devices if you're sending all your stuff to a firewall or a web filter like those kinds of rules make it into router configs in addition topographical information like kind of just what I was saying where you're separating two Geographic locations by IP space you want routing rules in there so that your Atlanta office can talk to your Los Angeles office in addition to those things access lists I only want to be able to speak to

Atlanta from Atlanta that sort of thing in the IP uh down to the port level as well so like a firewall but more packet filtering than uh than like deep packet inspection also in there are login usernames and passwords which are encrypted but as we'll go into in a little bit there are some good and good encryption standards and really bad ones that are instant decrypt in addition to those um you can have FTP or tftp servers that are hard-coded into your router configs so that um you know potentially you're sending back your router configs to a centralized FTP server something along those lines I'm addition to that are radius keys I haven't had a lot of success on the job

with um you know poisoning radius servers or anything but basically radius is a protocol which will let you uh authenticate to a router but it sends it back to a steel belted radius server so to do the actual like authorization um in addition to that you have SNMP Community strings in there so like we were saying like SNMP works by sending messages um to devices within your network that speak SNMP uh these messages are get requests but they also need this community string in there to be authorized to either read and pull the information or make actual changes to the config so one of the Cool Tools that I found out there in regards to Cisco configs if

you have a Cisco config or maybe you found one in a pen test this tool ccat Cisco cat is a nice analysis tool you know kind of dump passwords out of there still encrypted but it'll dump the passwords out of there it'll give you like topographical information and kind of map the network for you that sort of thing so it's a really nice tool I've found some use for it in in my professional work back to SNMP Morrison and P I sure called this talk SNMP something or other but it was more on SNMP than Cisco smart install for the most part uh so we've got three different versions of SNMP so the default version of SNMP that was

created in the 80s is snpv1 that's clear text it supports low level security sends data in the clear no encryption um you know it was supporting 32-bit counters so that there's a limit to the kind of data that you can get back from it um V2 uh created in the 90s it was a revision on V1 and it improved performance and a little bit insecurity but there's still no encryption here there's some md5 uh Community string hashing that can be uh configured but no one does it also introduced a few different ways of getting larger packets back from uh like a like a get bulk request from the SNMP device um but it still operates with Community

strings which are for the most part plain text in your config so that's something to think about SNMP is the newest version I believe it was also developed in the 90s so it's still it's kind of moldy at this point but nobody is using it I put in there when I initially made this presentation that I had never seen it in 10 years of networking but I saw it on an engagement this week and it made my week horrible I couldn't figure out how to get around like I was like I have so much experience messing with SNMP v2c and as soon as I ran into V3 I'm like my playbook is like not really fleshed out

for this three stuff the SNMP Community strings would like to think of them like uh passwords um you have to have a certain string to authenticate with the SNMP device for it to say like oh you want to do you want to again I'll give you some config if you have a read-only string but if you want to set anything on my SNMP config you need my read write string and something of note is that these are scanned for by nessus and I've seen a lot of testers see the nests results and they're like oh it's a 7.5 like throw it out nothing I can do with that but there is a whole lot that you can do with SNP

as I will repeatedly drill into your brains so you know why use it basically well it sends this trap it says my port is down to an SNP server or like a network management um platform uh and then you can build out logic to have any one of those traps trigger some kind of alert maybe it's a script maybe it's just the knock investigating or sending an email whatever but SNMP can also be used to send back full router configs so that you can keep them in a cmdb or you know more likely some server under a nerd's desk but um also you can do it use it for Network management using the tools that I put up

on the screen there SNMP walk and then SNMP get and set are the tools that you can use to like send SNMP um queries to Any Given device network monitoring platforms a lot of times use SNMP to like do automated stuff if you want to run a check every day for a certain config line that's a lot of times done with SNMP um and I'll I put a note in here that there's also a lot of non-cisco usages for this snip is uh not a cisco-specific protocol it's used on basically every endpoint that's on your network um you know Mac windows and Linux alike all like to use SNMP you know there's some configuration there that's a little

bit out of scope and I just wanted to note that there are a lot of things that you can do with SNMP that are non-cisco like getting a disk utilization or like CPU utilization and then a lot of other things depending on the vendor of the of the product and um you know what kind of information you have configured to be monitored by SNMP so how do we secure SNMP uh there are a few different ways um these are the Cisco and the cisa guidelines and they tend to kind of match up a little bit I'm seeing some Trends here use a good Community string I saw a lot of guidance that was like treat them like passwords

put numbers in them make them really long make them hard to crack because then that would just slow down anybody who's trying to mess with SNMP on your network another thing that you can use with SNMP are called SNMP views which is basically like whitelisting for configuration commands so both organizations advise that you use SNMP views and you make sure that they don't let you reload a switch via SMP or things like that the recommendation is also to use snmpv3 use the highest level of security but like I said it is very rare for me to see snpv3 out in the wild snmpv2 is very prevalent um and the the only cesa said Patcher system so I guess you don't have to you

listen to Cisco here are some of the ways that you can use SNMP walk and set um this is just kind of an example this starts to get a little chunky and I decided not to talk about mibs in this talk because I figure half the rooms asleep by this point anyway but these numbers that are prepend all of these like string values those are SNMP mibs where um if you want to interact with SNMP you have to go and find the particular MIB for the configuration option that you want so the one down here is uh you know I think it's the uh operating system SNMP MIB so this one is this Vios at first and then they send an SNMP set

with a public Community string to that IP address attaching the MIB and setting it to the word hacked and that's kind of how you can change s p configuration options now that's just one that you could kind of uh demonstrate without impacting the uh impact in the switch itself but there are a lot more malicious options out there so talking about encryption types for passwords that are in your configs the DHS releases best practices for Cisco's passwords so I recommend that you if you are a network engineer or an architect or somebody to go out and check with DHS to see what they're saying and make sure that you're not using an encryption type that is way more crackable than you

think it is the examples here the the first table is straight out of the DHS document so they're saying type zero four and seven just don't use them at all and you'll see a little bit later like they are instant decrypt it's like not even you don't have to throw GPU power at it or anything um and on the table below there was a Blog by infosec matter where they mapped out uh hashing or cracking speeds of each of these encryption types and you can see like they don't even have like a a speed for the type zero and seven they're just like instant I mean you can well we did a lot of times

um was go to there's a website that will decrypt zero and seven passwords and sometimes when you're looking at configures like what is that you can throw it in that site and it's like oh it's type seven got it because it decrypt and instantly so the type 8 you can see is the uh you know a really hard hash type to use um the type nine is not nist to proved but it's the lowest uh number of attempts per second so I I anticipate that'll make it um into the standards at some point here 's what they look like in a config with different hash types you can see there's like a privilege option there and 15

privilege 15 for Cisco is basically root you can do whatever you want with privilege 15. it's kind of a weird system and not worth talking about but just know 15 is root um these are the ones you can see are things like username admin secret is just the Cisco config options like your secret password um and then they have it hashed in in plain text on the bottom are Community strings these are the options that you're looking for if you're looking for Community strings the RO and RW are for Rita land read write so if you find yourself an RW string you're in business so you can you know if you're looking for configs if you can find them on an

FTP share sometimes on the client Network or on your own network maybe it's on some users share maybe a network engineer has an open share so that he can more that they can more effectively manage their router configs or that they can you know do analysis on them at scale and say like oh how many instances of this particular command uh do I have out there in my giant 5000 node Network um maybe if you could get them from the router itself somehow that would be great

so we'll move into Cisco smart install now finally you know um so the network engineer ancient Magics were awful uh plugging in uh you know the serial cable to the router itself and dumping the config in line by line that sucks so what we like is zero touch provisioning that is pretty cool if you have a blank switch and you connect it to a network that has ztp configured on it it'll suck down a config in an iOS and everything and kind of configure itself based on your standards so that's really nice use cases for that are you know you're you're sending someone a a router but they have to travel out way far out somewhere else and they're just

going to plug it in and they might not really know what a computer does so it's going to be really hard to get them to you know screen share with you and help you paste in your configurations and everything or the other reason that you would use ztp is if you have a whole lot of switches that you're trying to deploy you've racked up 200 switches in a Data Center and you're the only one managing them so if you have ztp enabled you can kind of just get them all plugged in and they'll all get configured up and you don't have to do as much management that's really nice so one of the things that's important to

note is that Cisco devices need patched all the time you always are updating iOS Cisco says we release a new version and it's like all right the 7000 devices again here we go upload a new iOS device you got to reboot it every time that you update it I hope they come back because you don't want to make that drive so also things that it can do or is capable of is uploading new configuration files and executing CLI commands that's really nice at scale I'm telling you maybe copying a your files back to a tftp server or something but the problem with it is that it's vulnerable these are the two relevant cves for this

exploit and there's a lot of boring language in here about uh improper validation of packet data but at the end of the day um Cisco built this uh protocol without authentication in line so people were able to reverse engineer the packet and you know send something crafted to that Port 4786 which is the port that it runs on and make config changes to it or upload a new iOS device or something like the arbitrary code on the devices the the relevant line in in all this word soup uh and now a word from Cisco our sponsor Cisco smart install is a plug and play configuration and image management feature that provides zero touch deployment any of you people using this

are misusing the protocol it's not really a vulnerability or an exploit even though we have two CVS for it so how do you scan it and detect it or exploit it rather you want to detect vulnerable instances a pretty easy way is in map on Port 4786 not a whole lot of other things using that Port um and it's it's a pretty good bet that that um that that Port being open means that Cisco Smart Connect is running on it however it will return a banner that says Cisco smart install client installed um Cisco Talos did release a tool called SMI check which is a better validation way it'll actually kind of communicate with the protocol a little bit more

in addition to this there's an IMAP script that I didn't include on this slide there's an NSC script by the people who made siut um there's also a nessus plug-in and probably other other vulnerability scanners but uh you know I I only have as much experience with uh with nessus so I've seen it in essence quite a few times uh if you have access to the command line of a router your uh you're a network engineer you want to see or an admin and you want to see if smart installers running on your devices you could do that show TTP brief all and uh you know the pipe I which is basically a grip for

4786 so I'll tell you if that Port is listening you can also do the show v-stock config and again grep for that role it'll say like client or director for exploitation there are two main Frameworks here one is the Sie T Pi this was made by the original researchers and released the smart install exploitation toolkit and then a year year and a half later there's also a Metasploit module which is greater than its own in its own way so this talks a little bit about um the exploitation toolkit itself so these are the two researchers I'm not going to attempt to pronounce their names but their research is published there on this zero nights.ru site

um they released the exploitation toolkit along with the original research this is if you really wanted to get in the weeds of this um exploit these guys have all the packet level stuff in this presentation so I don't have any novel research here that's I'm pointing directly at them for that so the capabilities of this tool are remote code execution they have a scanner in it they can upload configs with it you can upload iOS images with it it's got a tftp server integrated for downloading configs it's threaded you can do RC on multiple devices at once it's awesome I mean it I can't believe that they released this along with the research and everything you'd think that

it'd be like two or three teams in two or three years working on this kind of stuff to come out with a question so to learn more about this I need to go to a Russian website that's right and uh yeah and Download a pdf that's right direct link the Link's legit guys I promise uh you know dot Ru domains are not that expensive got another question in the back uh the question was uh what if you need to bypass an ACL on the switch um there's if you have 4786 acl'd off you're not getting to it uh so this this exploitation does stop with acling it off or firewalling off that kind of thing that gets into the the detection

can you bypass Cisco Ackles uh that sounds like something that's possible that I have not researched so I can't speak to it myself but I'd love to talk to you after the presentation for sure

oh true yeah so the the the comment was uh to be careful if you're downloading this kind of stuff on your work machine so they can't come back and say like hey you're you know you're downloading an exploitation toolkit on your work machine I would recommend for that you might go with the Cisco Talos tool the SMI check which doesn't have actual exploitation capability

oh sure yeah now the the sit uh the exploitation toolkit itself is hosted on GitHub this is just the research um but they released uh they released the tool itself on GitHub as well um so in 2019 they up updated it to Python 3 and are also released an NSC script so that was very kind of them here's an example of this script being run uh they're running it on an entire slash eight and dumping all of the uh relevant IP addresses into a list and then for all of the ones in the list they're running the exploitation toolkit on it and repping Out usernames um so you can see some of them are in

plain text there and some of them you know you got a lot of zeros and sevens in that list which is great compared to you know because of our last slide this is what the metaspoint module looks like uh it also runs its own tftp server it'll copy down the config for you it'll let you upload things as well um and a cool thing about this is it will do the decryption in line so that you can see the ones that I've I've uh redacted there are usernames and passwords that it figured out on its own uh in addition there we've got it pulling out the SNMP Community strings for you also nice so um you know if you're given an inch I'd

like you all to take a mile uh one of the things about this uh exploit is that a lot of the research stops at the point of exploitation but I think that a lot of the things that come out of the config are more important than the actual vulnerability like depending on the encryption standards that you're using in your configs your community string usage if you have snmpv3 if you're acling stuff off like all that stuff is really valuable information to an attacker so you've got some router and switch configs now what well let's try and decrypt the passwords probably got a few that decrypted instantly cool let's try them everywhere I'm a pen tester not a red teamer so I'm

going to try them everywhere if you're able to log into network devices you can verify your access with something like configuration t for terminal which is basically like admin mode for a Cisco device another thing but don't change anything please if this is on a client you can also verify your SNMP Community strings with SNMP walk make sure to use a read write one to display the most serious impact and remember all the the hours I had to bore you about Community strings to show how important these are to your client or your company um also try and use your new FTP creds you probably found some in your config let's go look at that server see what's

on there maybe they've got a few uh admin management scripts on there that left their Network admin password in there I've seen it before I'll see it again um also there's a a field in Cisco configurations to say this was last configured by so and so and uh you know maybe you don't have any way to gather usernames uh on the rest of the network but you found yourself a new username and you know that they're at least uh able to configure routers so that's probably some some pretty good targeting there so if you're a red teamer um I think that this has real value to help you identify sensitive networks um one of the cool things is that since

we have remote code execution we can do things like adding ourself a GRE tunnel um for C2 so you know consider the implications of that um if you're a state actor maybe you have the resources to develop custom iOS images maybe you can embed C2 in the image bin itself and make it you know past the the hash validation done by Cisco at the hardware level um in addition to that C2 and X fill via new GRE tunnel as well like it it's it's happened before um so how do you get your client or your company to care well um you need to emphasize all these things that I've talked about with SNMP like you might not be able to

demonstrate this kind of value in a really short pen test uh because a lot of these changes are dangerous um I I really I need to stress like if you're messing with read write on network devices there's a real possibility that you're going to mess it up uh you know I think I saw a figure yesterday while I was doing more research that 30 percent of outages are caused by human error and that's by you know the the trained Network people who manage this network every day if you're making config changes on an unfamiliar Network there's a pretty good chance you're going to break something so just kind of stress that to your company um

if you did you decrypt the passwords uh you know try those creds everywhere sometimes that can be like D.A in that you have control over all the network devices that's really valuable uh did you ID any new networks uh you know maybe you can pivot to another place maybe you can add yourself a route to uh to get to a new network you didn't know about like a CDE or something like that would you ID any new accounts to Target and uh remember that you could do actually actually get these things rebooted into uh you know new configuration which is basically just a text file of garbage and it turns your uh your router into a five thousand dollar

doorstop so here are a few exploitation scenarios um the first one is that Cisco smart install is everywhere I have it turned on everywhere on every device externally and internally well that's rce everywhere that's bad you have active risk of sabotage active risk of Espionage you know regardless of your security controls this is going around uh almost all of them um if you only have it on one switch externally you're still at risk of getting your config exposed I really hope that you're using radius or Tech ax or ACL link stuff off or firewalling stuff off the third scenario is that you only have it on one switch internally but you have great security controls that's cool uh

well I hope your SNMP security strings are are good I hope that you have snmpv3 and SNMP views configured because otherwise you still have right access to all your network devices um and then the last scenarios that you only have it on one switch and you have really bad security controls um in my opinion this is as bad as having Cisco smart install everywhere you're able to decrypt an admin password I've probably got execution on all of your devices anyway so detection and hardening uh in 2017 there were 215 000 nodes exposed this is around the time that the initial research came out when I first started doing research on this in April we were

at about 15 000 nodes and I checked yesterday and it was up to nearly twenty thousand I don't know why we've gone up it seems like it should be going down but you know data doesn't lie here so one of the notes that I had is that 3000 of them are tagged as honey pots and Showdown I don't know how that works but I just wanted to note it um more detection suspicious logins suspicious configuration changes um here's some relevant config entries hardening and best practices honestly turn it off there are better ways to manage your network you use authentication controls use tacx use radius use MFA to configure your network devices you'd use the good

password encryption consider changing SNMP strings based on what region of the network you're in and then finally the The Cisco and the cisa guidelines are to ACL at off so there's an ACL to have only a certain config hosts be able to access that port at all um only have a couple minutes left but um I want to talk about some of the ways that it's been used in the wild so what this this attack by a a group called jht um doorstopped about 3 500 switches in Russia and Iran they restored fairly quickly but uh you know I think we can guess their politics there's also an apt named Grizzly step that is alleged to have used this for

making GRE Tunnels for their x-fill uh redirecting DNS and doing C2 through their GRE tunnels there's a long note here about the attribution of this I put Ru state sponsored question mark I'm not in threat hunting and I don't really have any say in threat attribution so there are a lot of people who have argued about this and there's also a hacktivist campaign last year in May Lumen Technologies released some research that showed a hacktivist group doorstopped about 100 routers that were online they loaded a Manifesto into the startup config I downloaded it I read it I wish I hadn't but now I know what psychotronic weapons are Cisco has also alleged that the dragonfly crouching Yeti energetic bear

group has used this situationally in their 2017 campaign but I really couldn't find a whole lot more documentation to support this Cisco just kind of says their ttps match this vulnerability so um the last thing here is about business impact how much does downtime cost your org Wills this cause downtime in your org in 2016 the The ponemon Institute said about 500k an hour um which is 618k now yikes the point being that this kind of sabotage needs to be in your Dr plan this is kind of like has the capability to be the kind of wiper bot that you've seen other malwares take at like Windows systems but on your network devices so what

happens if someone wipes your whole network and then wipes your network too it wipes your network devices too so you're trying to restore from a cyber incident and you you know start plugging into switches and you're like oh our switches are down too like that makes this so much worse um here's stores online right so here's some uh some more figures here uh 2015 Apple Store outage of 12 hours was 25 million dollar cost you know Delta Airlines was down for five hours that resulted in like 2 000 canceled flights cost them 150 million Facebook took 14 hours uh turned that into 90 million dollar eat so you know this is all org base uh

every organization is different um downtime can mean a lot of different things for a lot of different companies so how much is it going to cost your org for you to put this in your Dr plan at least plan for this kind of stuff um this is destructive and sabotagy and kind of Skitty like but it's a real threat and has been used in the wild uh Time After Time so here's a bunch of memes uh just to wake you all up after all that these are terrible that's why I labeled them terrible Network memes my favorite one is the it's not the network it's your application because it's not the network and other than that I've got time for QA

so any more questions I know we had some during the presentation what you got right here have I ever knocked down any network equipment with uh with the exploit no on the job yes uh plenty of times I've made the news in three states not not for good reasons any other questions with this exploit you've knocked you've knocked uh devices down by uh were you uploading new configs to them or

so yeah right so the person in the audience said that they have used this uh exploit and triggered a Reload in the device which is a bad day for uh for you know convincing them they can do a pen test next year too like that's a that's a bad that's a resume generating event right like

so so in this scenario there was no redundancy in the switch and it brought down everything that's great glad to hear it thank you uh any other questions