Synful Knock questions...
Paul Ferguson
fergdawgster at mykolab.com
Wed Sep 16 04:51:51 UTC 2015
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Please bear in mind hat the attacker *must* acquire credentials to
access the box before exploitation. Please discuss liberally.
- - ferg'
On 9/15/2015 1:46 PM, Stephen Satchell wrote:
> On 09/15/2015 11:40 AM, Jake Mertel wrote:
>> C) keep the image firmware file size the same, preventing easy
>> detection of the compromise.
>
> Hmmm...time to automate the downloading and checksumming of the
> IOS images in my router. Hey, Expect, I'm looking at YOU.
>
> Wait a minute...doesn't Cisco have checksums in its file system?
> This might be even easier than I thought, no TFTP server
> required...
>
> http://www.cisco.com/web/about/security/intelligence/iosimage.html#10
>
> Switch#dir *.bin
>
> (Capture the image name)
>
> Switch#verify /md5 my.installed.IOS.image.bin
>
> The output is a bunch of dots (for a switch) followed by an output
> line that ends "= xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" with the
> x's replaced with the MD5 hash.
>
> The command is on 2811 routers, too. Maybe far more devices, but
> I didn't want to take the time to check. You would need to capture
> the MD5 from a known good image, and watch for changes.
>
- --
Paul Ferguson
PGP Public Key ID: 0x54DC85B2
Key fingerprint: 19EC 2945 FEE8 D6C8 58A1 CE53 2896 AC75 54DC 85B2
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iF4EAREIAAYFAlX49WcACgkQKJasdVTchbLjjgD/Rk1cUvT+qj/YzzN8lLpdmYIE
hcxlz1jT+PsBMpxsu8kA/jisyNpYa1zB5cUZq/p/C/c5cqfX9BAtBX6C98oXd0dS
=MV8U
-----END PGP SIGNATURE-----
More information about the NANOG
mailing list