It is naïve to assume that a router under an attacker's control can easily be turned into the ultimate password sniffer. Referring back to the packet handling of IOS discussed in 2.3, only a fraction of the traffic is ever visible to the main CPU, which is the context of the executed attacker code.
shellcode to obtain packets that contain information relevant to the attacker, with the strict limitation that the first packet in the conversation must already contain that information of interest. Since the first packet is very likely to get “punted” anyway, the performance impact should be minimal.
As an example, any protocol that relies on a sequence number, query ID or other value known only to sender and receiver to prevent spoofing (e.g. TCP, DNS) could be matched and the relevant number pushed out to the attacker. In this scenario, the attacker would be able to arbitrarily spoof DNS replies or inject data into TCP sessions, since the secret value is now known to him.