The final area in which exploitation of network infrastructure equipment differs significantly from exploitation of network leaf nodes is the attacker-provided code.
It is common practice within exploitation of network leaf nodes to spawn a shell back to the attacker, either by making it available on a TCP port or by connecting back to the attacker's host. Similar shellcode has been shown for specific IOS images.
An alternative method, which proved to be more reliable than a “bind shell”, is to rely on the fact that almost any Cisco IOS router will already have a remote shell service configured, either via Telnet or SSH. By removing the requirement to authenticate on said shell, either through patching the code that performs the validation or by modifying entries in the data structures that hold the authentication configuration for remote terminals, it is easy to use the existing service for obtaining a remote shell.
Once a privileged interactive shell is obtained on a Cisco IOS router, the attacker can use all the functionality provided by IOS to fulfill his goals. Alternatively, the attacker-provided code can already implement the desired application of IOS functionality, without requiring the attacker to connect to a shell and manually change the configuration.
This, however, raises the question of what could be of interest to an attacker.
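The remote-shell approach described above leaves a defender with two things to watch: the authentication configuration of the terminal lines, which a data-structure modification may change, and the code itself, which a patch of the validation routine does not change at all. The following audit script is an added example, not code from the original post; it parses a constructed `show running-config` excerpt (the hostname, line numbers and commands are made up for illustration) and flags VTY lines on which authentication has been switched off, cleartext Telnet is still accepted, or privileged EXEC is granted without `enable`. Because a patched validation routine would not appear in the configuration, a clean result from this check only rules out the configuration-modification variant; the code-patching variant needs image verification (for example comparing the running image against a known-good copy), which this script does not attempt.

```python
"""Audit Cisco IOS VTY line configuration for disabled or weakened authentication.

Added example (not from the original post). The configuration text below is
constructed for illustration and does not come from a real device.
"""
from typing import Dict, List

# Constructed sample of a running-config excerpt. The second VTY block is the
# kind of state an attacker-modified terminal configuration would leave behind.
SAMPLE_RUNNING_CONFIG = """\
!
hostname edge-router
!
line con 0
 login local
!
line vty 0 4
 transport input ssh
 login local
!
line vty 5 15
 privilege level 15
 transport input telnet ssh
 no login
!
end
"""


def parse_line_blocks(config: str) -> Dict[str, List[str]]:
    """Map each 'line ...' header to the indented commands that follow it.

    IOS prints sub-mode commands indented by one space; a non-indented line
    (such as '!' or the next top-level command) ends the block.
    """
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            blocks[current] = []
        elif current is not None and raw.startswith(" "):
            blocks[current].append(raw.strip())
        else:
            current = None
    return blocks


def audit_vty_lines(config: str) -> List[Dict[str, str]]:
    """Return findings for VTY lines whose authentication posture is weak."""
    findings: List[Dict[str, str]] = []
    for header, cmds in parse_line_blocks(config).items():
        if not header.startswith("line vty"):
            continue

        # Explicit 'no login' means the line accepts sessions with no password.
        if "no login" in cmds:
            findings.append({"line": header, "severity": "high",
                             "issue": "authentication disabled (no login)"})
        # No login statement at all: under 'aaa new-model' the default method
        # list may still apply, so this is flagged for review rather than as
        # a definite problem.
        elif not any(c == "login" or c.startswith("login ") for c in cmds):
            findings.append({"line": header, "severity": "medium",
                             "issue": "no login statement; verify AAA default applies"})

        # Telnet (or 'all') on the transport list exposes credentials in cleartext.
        for c in cmds:
            if c.startswith("transport input"):
                allowed = c.split()[2:]
                if "telnet" in allowed or "all" in allowed:
                    findings.append({"line": header, "severity": "medium",
                                     "issue": "cleartext telnet permitted"})

        # 'privilege level 15' drops the user straight into privileged EXEC.
        if "privilege level 15" in cmds:
            findings.append({"line": header, "severity": "medium",
                             "issue": "privileged EXEC granted without enable"})
    return findings


if __name__ == "__main__":
    for f in audit_vty_lines(SAMPLE_RUNNING_CONFIG):
        print(f"[{f['severity']}] {f['line']}: {f['issue']}")
```

Run it against the output of `show running-config` collected over a trusted management path, and diff the result against the same audit of `show startup-config`: a VTY block that is clean on disk but weakened in memory is exactly the discrepancy the data-structure modification described above would produce.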