Our next speaker is Adrian from the ACSC, and he's going to be speaking about an introduction to [inaudible].

So I'm going to be talking today about how to get started with analyzing Cisco IOS images and memory dumps, in the hope of lowering the entry bar and getting people to finally do a form of [inaudible]. I've been a member of the Australian Cyber Security Centre since 2015, and about a year ago I was told to step aside from my normal work and start doing some research into how we can potentially do forensics on these devices.

When I started doing this we thought that router malware was a theoretical thing. I mean, historically there had been [inaudible], but there was such a high entry bar that nobody was developing it. That changed in 2015 when Cisco and [inaudible] announced SYNful Knock, which was a full IOS image replacement: essentially the image is replaced with one that provides backdoor functionality and admin access, essentially a RAT. So now that this was being seen in the wild, it's only a matter of time before everyone starts getting more into this sort of malware. I mean, if you can compromise routers, you've got access to everything: you can read the users' traffic, you can redirect web pages; it's good for any attacker.

What I'm going to cover is what IOS looks like both on disk and in memory, how to acquire memory, a bit of analysis, a bit of how to unmangle IOS images to make them a bit more friendly to the standard analysis tools, and finally some current attack scenarios that run right up to the day we're talking. This is Cisco IOS, the original one, not the Apple imitation that came out years later.

First off, when I'm talking about an IOS image I'm talking about either the file you download from Cisco if you're an official customer on a licence, or the one you rip off the dodgy second-hand router you got on eBay; all of this research is on that. It's the thing that is stored on the internal storage of the target and extracted into memory at boot. The file, which goes by various names, is a fairly standard Linux-ELF-looking thing. It won't run on normal Linux but it has the same feel: you've got an ELF header, a self-decompression program, a bit of information used to verify the checksums of what you've acquired, and finally the compressed body of IOS.

This is a normal ELF structure, so I'm not really going to go into it. The one thing of interest is the machine ID field, which is typically used to tell the tooling what processor the binary is for. For whatever reason Cisco don't use the right value, they use a type that doesn't exist, so this can cause some issues when you start trying to analyze it. The compression header is useful for verifying the integrity of what you've actually got. If you look for the magic string FEEDFACE, after it you've got the size of the data both uncompressed and compressed, the checksum of the compressed and of the uncompressed data, which can be calculated using the Python function at the top there, and finally the actual zip data, which is highlighted in blue at the bottom. It's a standard zip; it didn't come out of any better-behaved [inaudible]. At the very end of the file there are a couple of numbers with an MD5 after them. I cannot work out what this is. According to one coder's website it is an MD5 hash of some sections of the file, but I can't tell you which ones, and you can't verify it yourself. The only way to verify it that I've found is to use the built-in IOS verify command, which is great, because you have to verify the integrity of a compromised system on the compromised system. So if anyone does know what this is, I'd be happy to find out.

Then there are these CW_ strings, which are a bit of an informational thing if you just get handed a random image to analyze. They contain information such as the feature set on the device, like what encryption it has, whether it has IP, because you know that's a feature, the model number of the device, the version number you're dealing with, and various other things. They're all just strings sitting there, so you have the nice ability to extract the feature set; it's down the bottom in green.

Moving on to what this looks like once it's in memory, because if you're dealing with malware, that's where it's more interesting. A bit of a full disclosure: this has been pieced together by reading sixteen-year-old exploitation white papers and by reading through people's really poorly documented code. It should also be noted that I'm talking about IOS proper, not the IOS XE and XR ranges, which tend to run under a more Linux-like operating system, where you could theoretically use standard Linux memory forensic techniques against the IOS process. Allocated memory has this struct wrapped around it, and there's a lot of stuff in it, so I'm not going to go through it all, because quite frankly that's pretty boring. I would not recommend putting the magic string AB1234CD into a hex editor, because there are hundreds of thousands of these things across a memory dump. The things of interest are the process ID, which you can use to piece together all the sections of memory that are allocated to a specific process, and, because the number is kind of boring and you want to see the names, the allocation name field, which is just a pointer to a section of memory that contains a null-terminated string naming the process. The whole structure is a doubly linked list, so you're also able to walk up and down every process allocation and start to build your own tree. Other fields include the size of the block, the block itself, and the red zone value at the end, which as best I can tell is the equivalent of a stack cookie. So if you overflow a memory allocation and overwrite this value, the next time the integrity checking comes through it sees that and freaks out, and when IOS freaks out it panics and reboots the whole router, which is kind of good from a defence point of view, because if someone screws up their exploit the whole router reboots [inaudible] and you get no response.

Command history: if I control a router in a network, the command history of what someone's done on the router is awesome, and these things are ridiculously easy to extract out of memory. You can just run strings and grep for CMD and you'll get the full command that was run. Unfortunately this isn't persistent, so as soon as you log out the memory is freed; but it's not zeroed, so it'll stick around for a while, depending on how heavily the router is used. This is a rough example of what you can pull out of a device: you're able to see me running the show run command, configuring some exception dump stuff, the copy run command, trying to connect to something and it didn't work, [inaudible].

You can also extract the device's configuration from memory. A little bit off topic, but you can interfere with what gets output at the Cisco command line: there are filters built into it that use regex queries to determine what the user actually sees, so it is possible to write things into the config and then filter them out before it's printed back to the screen. So if you suspect someone has screwed with your config, it might be useful to extract it from memory. It's sitting in memory in the same format that you would normally get from running the show startup-config command, so you can just search for the "Last configuration change" string and you'll see the entire thing sitting there.

So, enough about what you can do with IOS memory; how do we actually get a copy of it to start playing with? We're going to go through some of the more official ways, and since this is a more technical audience I'll go through some of my more experimental ideas that I haven't had a chance to test out yet. The official way is documented on Cisco's website: you configure the exception handler, you tell it to dump out to a TFTP server, and you issue the command; it supports compression and is relatively straightforward to do. If you just want to start playing with this stuff, this is a pretty good way to start. It also is the official way, so anyone that's actually trying to do anti-forensics with their malware is going to know about this command and is going to do something to screw with it, give you false results, or just crash the router. You can also copy the individual segments of memory: there's a pseudo mount point that exposes the individual regions of memory, which you're able to copy up. That one is relatively well known though, so it could also be filtered out.

The worst-kept secret in IOS for the last fifteen years or whatever is that it has a GDB server built into it. You can only access it through the front console port, which means you're now running everything over serial at 9600 baud. Once you do this you've got full read/write access to memory, so it is possible to dump the entire contents of memory. On my 2800 router, which has 256 MB of RAM, it was going to take two or three days to dump memory. If you walk into an actual organization with a job, like a decent half-rack switch, and you say "I need to take that router offline for two days to do a dump over serial", good luck. GDB memory access is really freaking slow. It's also been disabled in the newer versions of IOS, although it can be re-enabled through ROMMON [inaudible], but doing that does require rebooting the router, so you lose anything that's potentially sitting in memory.

Skipping ahead: when you cut some of these older devices open they use fairly standard PC hardware. My old 2800 series router uses old DRAM, and theoretically there's no protection against a cold boot attack. The big protection is that it's really freaking hard to find an old Pentium board to test this on; thankfully I've managed to find one, so I can play around with this. But good luck convincing someone to let you do this to their router in an active investigation, because you're cracking the router open, hitting the RAM with freeze spray and then yanking it out while it's still running. You also have to be careful that the board you're putting the RAM into supports a VCC as low as the router's, and isn't zeroing the RAM that you think has stuff in it when you boot it up.

Going to the other side: if you exploit the router, it's sitting there running everything as a single process, so any running process on it has direct memory access. We're starting to see more and more CVEs coming out for routers and switches, and quite a few of these devices are end of life; my 2800 was end-of-lifed in 2016 and there are still vulnerabilities coming out for it, there's one in the SNMP server and stuff like that. So given a sufficient amount of effort you could write your own implant that can dump memory out over the network. There's a slight issue that all these devices have quite a broad range of hardware: you sit there and write your shellcode to do a memory dump for one model, then you've got a thousand different models to deal with. So it's not really a scalable solution; it's more of a "get a PhD out of it" thing.

What protections are there on these devices? There are a decent number of protections, and a decent number of bypasses for them as well. There is DEP built into these routers: the stack, as well as the IO memory where your packets are stored, is protected, so you can't send a packet that contains executable shellcode and just jump to it. Unfortunately it is quite bypassable; there are well-known ROP gadgets out there, so if you can get some form of code execution you can disable it. There's also kernel integrity checking, which does a basic checksum over the various segments of kernel memory to make sure that you haven't overwritten any of it. It is a fairly basic checksum, so it's possible to brute force your shellcode so that it matches the checksum, or you just don't overwrite the kernel. The watchdog timer is not really intended as a security mechanism; it's there to keep the router running, but any process on the router that doesn't return control back to IOS periodically will be killed by the watchdog timer, which means if you screw up your shellcode and don't return control then your shellcode gets killed as well. The way around that is to hook the sleep function, which is fairly straightforward. There is actual ASLR, but only on newer routers with newer updates; my 2800 is going to be vulnerable forever.

There's a thing I found in an old talk by FX: every version of IOS for every individual device, sub-version and hardware configuration is an individual compilation, which means, as these are giant statically linked binaries, everything is laid out in memory at different offsets every time. Back in 2009 there were 300 thousand different IOS images out there, probably a few more in the last ten years, so that's well over three hundred thousand different memory layouts. It actually provides better protection than ASLR: if you've built something for your router using a fixed offset that you jump to and then throw it against my router, which is probably a different version, you're just going to crash my router, not gain control.

IOS is weird. I don't know if Cisco is trying to stop you analyzing it, or if these are just parts of the image that they don't use and therefore don't need to worry about, but it is quite quirky and does make some tools freak out. First up, if you want to analyze this stuff you've got to actually extract it. As I mentioned before, it's just a standard zip file at the end, so thankfully the Linux unzip command will strip the header off for you and extract it. If you do want to start poking around inside, this is where we come back to the machine ID field I mentioned in the ELF header. When you load this into IDA it's going to read it, say it's an ELF, jump to the machine ID field to work out what sort of instructions to use to disassemble it, and freak out. What this device actually uses is PowerPC, so I go and patch that and everything is good to go. IDA won't load it properly otherwise, although you can just use the drop-down menu and select PowerPC; I didn't see that drop-down the first time. If you do it the convoluted way, here's what you get: the original one shows a CPU type of unknown; after patching it, it's now PowerPC and IDA recognises it. That's something you need to do for every tool you want to use on this. There's other random stuff [inaudible] that tends to be hit or miss and can end up in infinite loops because the tools don't understand the endianness. This is not an IOS-specific problem; it's an "analyzing anything that's not x86 and little-endian" problem. A lot of tools just assume you're analyzing an x86 binary, and while they will work with a bit of tweaking, it's not nice. The best I've come up with, short of rewriting the tool, is to flip the endianness flag in the ELF header: read all of the bytes out, flip them, and write the ELF header back. Obviously this breaks the binary, but at least you can analyze it properly.

The section headers are quite useful: they detail all the different sections and the names of the sections within the file you're analyzing. Again, for whatever reason Cisco didn't label one of the regions right, and the region that isn't labelled right is the string table that contains the names of all the sections. It's fairly intensive to fix this one: you need to go and track down the correct string table using the strings command, where you'll be able to see the .shstrtab name in there; once you find it, you go and manually walk the section table yourself and find which entry points to that, and finally you patch the type of that entry to say this is actually a string table. That takes you from the view on the left, where everything has no name, to the one on the right, where you can see the .text section. At the very bottom, entry number 12 is the actual string table, now with a type of STRTAB.

On the other side, what's actually happening out there on the Internet is all just basic stuff using things that are baked into these devices. Twelve months ago the big thing was SNMP config extraction: you brute force the write community string, use it to configure the TFTP server on the device, and finally via SNMP you say "hey, write your currently running config out to the TFTP server", because you know that's a thing you can do over SNMP. Fairly straightforward to fix: an SNMP community string is essentially just a password, and it's one you only have to type into a device once, so make it really freaking strong and no one's going to be brute forcing it over the Internet; and if you don't need write access from the Internet, don't expose write access to the Internet. It feels basic, but it still happens. As a bonus, you can also overwrite the current configuration or the currently running image of the device using this, so if someone's out there doing SYNful Knock type stuff they can overwrite the image on your device.

The newest thing is Cisco Smart Install. Last year, at one of the Russian security conferences, they showed that you can use Cisco Smart Install to exfiltrate device configurations. Again, it's not a bug, it's a feature: it supports zero-touch configuration, and there's no authentication built into it by default. It's intended so that you can post the switch off to the other side of the world, open up some form of IP connection to it, and send it a config, and it'll just accept it; there's no indication of who is requesting this. So you've got a client and what they call the director, and the director can both send the device a new configuration and tell it to send back its current configuration. If you're going to play with it, please don't do it on my router, because I don't want to have to clean it off. The fix is to turn it off; the issue is it's on by default because it's the way [inaudible] deploys.

That was originally going to be the end of this presentation, and then last Saturday someone did this: someone worked out that the same protocol can go in the other direction and overwrite the current configuration of the device, again with no authentication. They used that to go and wipe out whole switches in Iran and replace the config with a "don't mess with our elections" message. You can see in the screenshot there's just someone's PuTTY session, and they're actually running the show startup-config command. Now, this would show actual IOS commands to configure the device, but they just replaced the whole thing with a text file, because there's also no validation of the configuration file you send to this thing. So the switch literally just boots, sees a startup config, tries to execute each line of the text file, which is a lot of fun, then freaks out and goes to the default config, and all of a sudden Iran's knocked off the Internet for a while. There were also reports to Motherboard saying that they'd also targeted the US and the UK, but in those ones they just went in and turned off Smart Install on all the devices, so they're sort of calling them vigilante hackers now as well. So yeah, this is really easy to do, script-kiddie level; there's [inaudible] on GitHub where you point and click and the whole thing goes off. That's it, thank you.

[Laughter] [Applause]
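As an added example (not code from the talk or from Cisco), the following Python script walks the on-disk image layout described above: it finds the FEEDFACE header, reads the size and checksum fields in the order the speaker lists them (that field order, big-endian 32-bit, is an assumption), pulls the zip payload out, cross-checks the header's uncompressed size against what the zip actually holds, and collects the CW_ strings from the extracted body. The checksum algorithm is not given on the page, so the stored checksums are only reported, not recomputed; the CW_ record shape `CW_NAME$value$` and the whole sample image are constructed for the demo.

```python
"""Parse the Cisco IOS self-extracting image layout described in the talk.

Assumed header layout after the ELF stub (field order is an assumption):
    0xFEEDFACE | uncompressed size | compressed size |
    checksum of compressed data | checksum of uncompressed data | zip payload
All fields are treated as big-endian 32-bit integers.
"""
import io
import re
import struct
import zipfile
from typing import Dict, List

MAGIC = b"\xfe\xed\xfa\xce"
HEADER = struct.Struct(">4sIIII")                    # magic + four u32 fields
CW_RECORD = re.compile(rb"CW_[A-Z]+\$[^$\x00]*\$")  # assumed shape of CW_ strings


def parse_ios_header(image: bytes) -> dict:
    """Locate the FEEDFACE header and return its fields plus the zip offset."""
    off = image.find(MAGIC)
    if off < 0:
        raise ValueError("no FEEDFACE header found; not an IOS self-extracting image?")
    _, usize, csize, csum_c, csum_u = HEADER.unpack_from(image, off)
    # The zip data is a normal zip file, so its local file header signature follows.
    zip_off = image.find(b"PK\x03\x04", off + HEADER.size)
    if zip_off < 0:
        raise ValueError("no zip payload after the header")
    return {
        "header_offset": off,
        "uncompressed_size": usize,
        "compressed_size": csize,
        "compressed_checksum": csum_c,     # algorithm not known here; reported only
        "uncompressed_checksum": csum_u,
        "zip_offset": zip_off,
    }


def extract_payload(image: bytes) -> Dict[str, bytes]:
    """Unzip the body and verify the header's uncompressed size against it."""
    hdr = parse_ios_header(image)
    blob = image[hdr["zip_offset"]: hdr["zip_offset"] + hdr["compressed_size"]]
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        files = {info.filename: zf.read(info) for info in zf.infolist()}
    total = sum(len(b) for b in files.values())
    if total != hdr["uncompressed_size"]:
        # A header that disagrees with its own payload is worth a closer look.
        raise ValueError(
            f"uncompressed size mismatch: header says {hdr['uncompressed_size']}, "
            f"zip holds {total}")
    return files


def find_cw_strings(blob: bytes) -> List[str]:
    """Pull the informational CW_ records (feature set, family, version) out of a body."""
    return [m.group(0).decode("ascii", "replace") for m in CW_RECORD.finditer(blob)]


def build_sample_image() -> bytes:
    """Constructed stand-in for an IOS image: ELF-like stub, header, zip, MD5 line."""
    inner = (b"\x7fELF" + b"\x00" * 60
             + b"CW_IMAGE$c2800nm-sample-mz$CW_FAMILY$C2800$CW_VERSION$0.0(0)$")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("C2800NM-SAMPLE-MZ", inner)
    zipped = buf.getvalue()
    stub = b"\x7fELF\x01\x02\x01" + b"\x00" * 57 + b"SELF-DECOMPRESS-STUB"
    header = HEADER.pack(MAGIC, len(inner), len(zipped), 0x11111111, 0x22222222)
    footer = b"\n12345 67890 " + b"0" * 32 + b"\n"   # stand-in for the trailing MD5 line
    return stub + header + zipped + footer


if __name__ == "__main__":
    img = build_sample_image()
    print(parse_ios_header(img))
    body = extract_payload(img)
    for name, data in body.items():
        print(name, len(data), find_cw_strings(data))
```

Run it against a real image by replacing `build_sample_image()` with the file's bytes; a size mismatch or a missing zip signature is exactly the kind of discrepancy you would want flagged before trusting an image pulled off a suspect device.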
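The two ELF fixes the speaker describes for an extracted image (patching the machine ID so tools disassemble it as PowerPC, and retyping the mislabelled section-name string table) can be scripted. The Python below is an added example, not the speaker's tooling: it handles only 32-bit big-endian ELF, locates the string table by its `.shstrtab` name the way the talk does, patches the section's type to STRTAB and points `e_shstrndx` at it, and then resolves section names to show the repair worked. The sample ELF it builds is constructed for the demo, with a wrong machine ID and a mistyped string table.

```python
"""Repair the ELF header quirks of an extracted IOS binary (added example)."""
import struct
import sys

EM_PPC = 20          # e_machine value for 32-bit PowerPC
SHT_PROGBITS = 1
SHT_STRTAB = 3
EHDR = struct.Struct(">16sHHIIIIIHHHHHH")   # 52-byte ELF32 header, big-endian
SHDR = struct.Struct(">IIIIIIIIII")          # 40-byte section header
E_MACHINE_OFF = 18
E_SHSTRNDX_OFF = 50


def check_elf32_be(elf: bytes) -> None:
    if elf[:4] != b"\x7fELF" or elf[4] != 1 or elf[5] != 2:
        raise ValueError("expected a 32-bit big-endian ELF")


def read_ehdr(elf: bytes) -> dict:
    f = EHDR.unpack_from(elf, 0)
    return {"machine": f[2], "shoff": f[6], "shentsize": f[11],
            "shnum": f[12], "shstrndx": f[13]}


def patch_machine(elf: bytearray, machine: int = EM_PPC) -> int:
    """Set e_machine to the real CPU type; returns the old value."""
    check_elf32_be(elf)
    old = struct.unpack_from(">H", elf, E_MACHINE_OFF)[0]
    struct.pack_into(">H", elf, E_MACHINE_OFF, machine)
    return old


def section_headers(elf: bytes) -> list:
    h = read_ehdr(elf)
    out = []
    for i in range(h["shnum"]):
        hdr_off = h["shoff"] + i * h["shentsize"]
        name, typ, _flags, _addr, offset, size, *_ = SHDR.unpack_from(elf, hdr_off)
        out.append({"index": i, "name": name, "type": typ,
                    "offset": offset, "size": size, "hdr_off": hdr_off})
    return out


def fix_shstrtab(elf: bytearray) -> int:
    """Find the section holding '.shstrtab', retype it as STRTAB, fix e_shstrndx."""
    check_elf32_be(elf)
    pos = elf.find(b".shstrtab\x00")
    if pos < 0:
        raise ValueError("no '.shstrtab' string in file")
    for sh in section_headers(elf):
        if sh["offset"] <= pos < sh["offset"] + sh["size"]:
            struct.pack_into(">I", elf, sh["hdr_off"] + 4, SHT_STRTAB)  # sh_type field
            struct.pack_into(">H", elf, E_SHSTRNDX_OFF, sh["index"])
            return sh["index"]
    raise ValueError("no section header covers the '.shstrtab' string")


def section_names(elf: bytes) -> list:
    """Resolve section names; fails if the name table is not a proper STRTAB."""
    h = read_ehdr(elf)
    shs = section_headers(elf)
    tab = shs[h["shstrndx"]]
    if tab["type"] != SHT_STRTAB:
        raise ValueError("e_shstrndx does not point at a STRTAB section")
    names = []
    for sh in shs:
        start = tab["offset"] + sh["name"]
        names.append(bytes(elf[start:elf.index(b"\x00", start)]).decode())
    return names


def build_sample_elf() -> bytearray:
    """Constructed ELF32-BE with e_machine=0 and a string table typed PROGBITS."""
    strtab = b"\x00.text\x00.shstrtab\x00"      # name offsets: .text=1, .shstrtab=7
    strtab_off = EHDR.size
    shoff = strtab_off + len(strtab) + 3          # pad section table to 4 bytes
    ident = b"\x7fELF\x01\x02\x01" + b"\x00" * 9
    ehdr = EHDR.pack(ident, 2, 0, 1, 0, 0, shoff, 0, EHDR.size, 0, 0, SHDR.size, 3, 2)
    shdrs = SHDR.pack(0, 0, 0, 0, 0, 0, 0, 0, 0, 0)
    shdrs += SHDR.pack(1, SHT_PROGBITS, 6, 0x1000, 0, 0, 0, 0, 4, 0)
    shdrs += SHDR.pack(7, SHT_PROGBITS, 0, 0, strtab_off, len(strtab), 0, 0, 1, 0)
    return bytearray(ehdr + strtab + b"\x00" * 3 + shdrs)


if __name__ == "__main__":
    # Usage: python fix_ios_elf.py <extracted_image> ; writes <extracted_image>.fixed
    elf = bytearray(open(sys.argv[1], "rb").read()) if len(sys.argv) > 1 else build_sample_elf()
    print("old e_machine:", patch_machine(elf), "string table index:", fix_shstrtab(elf))
    print(section_names(elf))
    if len(sys.argv) > 1:
        open(sys.argv[1] + ".fixed", "wb").write(elf)
```

Work on a copy of the extracted binary; the patched header is for the benefit of the disassembler and the file is no longer byte-identical to what came off the device.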