Ethical Hacking and Countermeasures v6 Exam 312-50 Certified Ethical Hacker Hacking Router, Cable Modem and Firewalls Module XXXV Page | 2787 Ethical Hacking and Countermeasures v6 Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Ethical Hacking and Countermeasures Version 6
Module XXXV: Hacking Routers, Cable Modems, and Firewalls

News
Source: http://www.channelregister.co.uk/

Security researchers have found a design flaw in home routers. The flaw lets an attacker carry out a phishing attack: it allows the attacker to remotely control the device and redirect victims to fake destinations that appear to be trusted sites such as banks, e-commerce companies, or health care organizations. The attack works irrespective of the connected computer's operating system or browser; it only requires the latest version of Adobe Flash Player to be installed.

The attackers make use of Universal Plug and Play (UPnP), a feature built into home routers. UPnP does not use any authentication. An attacker can modify the server PCs connected to the router, open ports on a victim's router, and change the router's settings; the technique works with version 8 or higher of Adobe Flash Player. UPnP is turned on by default on most routers. It should be turned off to prevent these kinds of attacks.
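As an added example (not part of the module), the following Python shows the SSDP discovery exchange the news item relies on: it builds the standard M-SEARCH request and parses a router's reply, flagging replies that advertise the WANIPConnection or WANPPPConnection service, whose AddPortMapping action is what opens ports without authentication. The reply is a constructed sample and the block sends nothing on the network; a defender can feed real replies to audit_reply to inventory which devices still have UPnP enabled.

```python
SSDP_ADDR = ("239.255.255.250", 1900)   # standard SSDP multicast group and port

# Service types whose AddPortMapping action opens a port on the WAN side;
# a router answering for these accepts unauthenticated port-mapping requests from the LAN
PORT_MAPPING_SERVICES = ("WANIPConnection", "WANPPPConnection")

def build_msearch(search_target="urn:schemas-upnp-org:service:WANIPConnection:1", mx=2):
    """Return the SSDP M-SEARCH discovery request (HTTP over UDP) for the given search target."""
    return ("M-SEARCH * HTTP/1.1\r\n"
            "HOST: %s:%d\r\n"
            'MAN: "ssdp:discover"\r\n'
            "MX: %d\r\n"
            "ST: %s\r\n\r\n" % (SSDP_ADDR[0], SSDP_ADDR[1], mx, search_target))

def parse_ssdp_reply(raw):
    """Parse the HTTP-style header block of an SSDP reply into a dict with upper-case keys."""
    lines = raw.split("\r\n")
    if not lines[0].startswith("HTTP/1.1 200"):
        raise ValueError("not an SSDP 200 OK reply: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        if not line:          # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return headers

def audit_reply(raw):
    """Summarise one reply: where its device description lives and whether it exposes port mapping."""
    h = parse_ssdp_reply(raw)
    st = h.get("ST", "")
    return {"location": h.get("LOCATION"), "server": h.get("SERVER"),
            "port_mapping": any(svc in st for svc in PORT_MAPPING_SERVICES)}

# Constructed sample reply, shaped like what a home router's UPnP Internet Gateway Device
# returns (not captured from any real device)
SAMPLE_REPLY = ("HTTP/1.1 200 OK\r\n"
                "CACHE-CONTROL: max-age=1800\r\n"
                "EXT:\r\n"
                "LOCATION: http://192.0.2.1:49152/rootDesc.xml\r\n"
                "SERVER: Linux/2.6 UPnP/1.0 ExampleRouter/1.0\r\n"
                "ST: urn:schemas-upnp-org:service:WANIPConnection:1\r\n"
                "USN: uuid:00000000-0000-0000-0000-000000000001::"
                "urn:schemas-upnp-org:service:WANIPConnection:1\r\n\r\n")
```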
Module Objective

This module will familiarize you with:
• Identifying Routers
• Identifying Vulnerabilities
• Exploiting Vulnerabilities in Cisco IOS
• Brute-Forcing Services
• Analyzing the Router Config
• Cracking the Enable Password
• Attacking Routers
• Types of Router Attacks
• Reconfigurations by Attackers
• Pen-Testing Tools
• Cable Modem Hacking
• Bypassing Firewalls
Network Devices

Computer networking devices are units that mediate data in a computer network, transferring data from one computer to another.

Router
A router is used to route data packets between two networks. According to searchnetworking.techtarget.com, a router is a device or, in some cases, software in a computer, that determines the next network point to which a packet should be forwarded toward its destination in packet-switched networks such as the Internet. A router may create or maintain a table of the available routes and their conditions and use this information, along with distance and cost algorithms, to determine the best route for a given packet.

Modem
A modem (MOdulator/DEModulator) is a device that modulates an analog carrier signal to encode digital information and demodulates such a carrier signal to decode the transmitted information. Signals from the computer are digital, while signals carried over telephone lines are analog; the modem performs this conversion, modulating the data before sending it and demodulating it after receiving it.

Cable Modem
A cable modem is a type of modem primarily used to deliver broadband Internet access, taking advantage of unused bandwidth on a cable television network. It lets a user connect a computer through a cable TV line and has two connections: one to the cable wall outlet and one to the PC.
Cable modems come in internal and external forms and can receive data at a rate of 1.5Mbps. A cable modem attaches to a standard 10BASE-T Ethernet card in the computer. The key components of a cable modem are:
• Microprocessor
• Demodulator/modulator
• Tuner for fine tuning
• Media access control (MAC) device

Firewall
A firewall is a set of related programs, located at a network gateway server, that protects the resources of a private network from other network users.

Hacking Routers

Identify Router
Source: http://www.securityfocus.com/infocus/1734

Routers can be configured to look just like any other system on the network. They can run a web server, an SSH daemon, chargen, and they can even appear to be running multiple X servers. The easiest and most common way to identify a router on the network is to use Nmap. Nmap is a port scanner that also does very accurate OS fingerprinting. Below is the port scan for a typical Cisco router:

Figure: Port Scanning of a Cisco Router

Using a login service such as Telnet or SSH, connect to the appropriate port with a standard client.
A basic Cisco router will look like this:

SING: Tool for Identifying the Router
Source: http://linux.softpedia.com/

SING stands for 'Send ICMP Nasty Garbage'. SING is a command-line tool that sends customized ICMP packets. Among the ICMP packets it can send is the netmask request, ICMP type 17; routers are the devices that reply to this type of ICMP packet.

Features:
• Sends fragmented packets (Linux and BSD)
• Sends monster packets > 65534 (Linux and BSD)
• Sends/reads IP-spoofed packets
• Sends/reads Ethernet-spoofed packets
• Sends many ICMP information types in addition to the ECHO REQUEST type sent by default: Address Mask Request, Timestamp, Information Request, Router Solicitation, and Router Advertisement
• Sends many ICMP error types: Redirect, Source Quench, Time Exceeded, Destination Unreachable, and Parameter Problem
• Sends to hosts with loose or strict source routing
• Uses fingerprinting techniques to discover the remote OS
• Sends ICMP packets emulating certain OSs: Cisco, Solaris, Linux, Shiva, Unix, and Windows

Figure: Output of the SING Command
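Added example, not from the module: this Python decodes raw ICMP messages, verifies the checksum, and reports the request types SING can emit (address mask request, type 17, among them), which is how a defender would spot such fingerprinting probes in captured traffic. The three packets are constructed inside the block; the type numbers are the standard RFC 792/950 assignments.

```python
import struct

# ICMP type numbers (RFC 792 / RFC 950); the names match the SING feature list above
ICMP_TYPES = {0: "echo reply", 3: "destination unreachable", 4: "source quench",
              5: "redirect", 8: "echo request", 9: "router advertisement",
              10: "router solicitation", 11: "time exceeded", 12: "parameter problem",
              13: "timestamp request", 14: "timestamp reply", 15: "information request",
              16: "information reply", 17: "address mask request", 18: "address mask reply"}

# Request types SING sends besides the default echo; ordinary hosts almost never send
# these, so a burst of them from one source is a useful fingerprinting indicator
PROBE_TYPES = {10, 13, 15, 17}

def icmp_checksum(data):
    """Standard Internet one's-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_icmp(icmp_type, code=0, ident=0x1234, seq=1, payload=b""):
    """Build an ICMP message with a correct checksum (used here only to construct sample input)."""
    hdr = struct.pack("!BBHHH", icmp_type, code, 0, ident, seq)
    csum = icmp_checksum(hdr + payload)
    return struct.pack("!BBHHH", icmp_type, code, csum, ident, seq) + payload

def parse_icmp(pkt):
    """Decode type/code/id/seq; the checksum over a valid message re-computes to zero."""
    if len(pkt) < 8:
        raise ValueError("short ICMP header")
    t, code, _csum, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    return {"type": t, "code": code, "name": ICMP_TYPES.get(t, "unknown"),
            "checksum_ok": icmp_checksum(pkt) == 0, "id": ident, "seq": seq,
            "payload": pkt[8:]}

def find_probes(packets):
    """Return decoded packets that are well-formed SING-style fingerprinting requests."""
    return [p for p in map(parse_icmp, packets)
            if p["checksum_ok"] and p["type"] in PROBE_TYPES]

# Constructed sample traffic: a normal ping, an address mask request (type 17 carries a
# 4-byte mask field) and a timestamp request (type 13 carries three 4-byte timestamps)
SAMPLE_PACKETS = [build_icmp(8, payload=b"ping"),
                  build_icmp(17, payload=b"\x00" * 4),
                  build_icmp(13, payload=b"\x00" * 12)]
```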
Identifying Vulnerabilities
Source: http://www.securityfocus.com/infocus/1734

• Poor system administration makes a router more vulnerable to attack than software bugs do
• Vulnerability scanners can be used to find vulnerabilities in routers
• An attacker can brute-force services to gain access to the router

The router is the most crucial component in the infrastructure of the Internet; it is the backbone of any network infrastructure. For this reason, the router is becoming the primary target of any attacker who is trying to intrude on or attack a particular network.

Vulnerability scanners typically do a great job of identifying known vulnerabilities, but they can often miss significant configuration errors. For example, Nessus has a list of about 44 community strings with which to brute-force the SNMP daemon; this may be enough to catch the use of common default community strings such as public and private, but it cannot take into account site-specific strings that might be in use. As with most penetration tests, vulnerability scanners can be a good start, but they are simply inadequate at matching the human element that goes into a penetration test.

Some vulnerability scanners are:
• X-Scan
• SAINT
• Retina
• MBSA

Exploiting Vulnerabilities in Cisco IOS
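For the Identifying Vulnerabilities passage above, an added example (not the module's code) that audits a Cisco IOS configuration fragment directly for the errors a scanner's 44-string wordlist cannot judge: default community strings, read-write communities, communities with no access-list, and Telnet accepted on the vty lines. The config fragment and the default-string list are constructed for the example.

```python
import re

# Constructed fragment of a Cisco IOS running-config (sample, not from a real device)
SAMPLE_CONFIG = """\
hostname edge-rtr
snmp-server community public RO
snmp-server community private RW
snmp-server community s3cr3tMon RO 10
access-list 10 permit 192.0.2.10
line vty 0 4
 transport input telnet ssh
"""

# Strings every scanner wordlist starts with; the page notes Nessus ships about 44 of them
DEFAULT_COMMUNITIES = {"public", "private", "cisco", "admin", "manager", "secret", "write"}

# IOS syntax: snmp-server community <string> [view <name>] [RO|RW] [<acl>]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (\S+)(?: view \S+)?(?: (ro|rw))?(?: (\S+))?$", re.M | re.I)

def audit_snmp(config):
    """Return (item, finding) pairs for weak SNMP and management settings in an IOS config."""
    findings = []
    for m in COMMUNITY_RE.finditer(config):
        community, mode, acl = m.group(1), (m.group(2) or "RO").upper(), m.group(3)
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append((community, "default or guessable community string"))
        if mode == "RW":
            findings.append((community, "read-write access: the config can be changed over SNMP"))
        if acl is None:
            findings.append((community, "no access-list: any source address may query"))
    # Telnet on the vty lines means management logins cross the network in cleartext
    if re.search(r"^\s*transport input .*\btelnet\b", config, re.M):
        findings.append(("vty", "telnet accepted on vty lines: cleartext management logins"))
    return findings
```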