Re: Synful Knock questions...

[Paul Ferguson <fergdawgster () mykolab com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Please bear in mind hat the attacker *must* acquire credentials to
access the box before exploitation. Please discuss liberally.

- - ferg'


On 9/15/2015 1:46 PM, Stephen Satchell wrote:

> On 09/15/2015 11:40 AM, Jake Mertel wrote:
> > C) keep the image firmware file size the same, preventing easy
> > detection of the compromise.
>
> Hmmm...time to automate the downloading and checksumming of the
> IOS images in my router.  Hey, Expect, I'm looking at YOU.
>
> Wait a minute...doesn't Cisco have checksums in its file system?
> This might be even easier than I thought, no TFTP server
> required...
>
> http://www.cisco.com/web/about/security/intelligence/iosimage.html#10
>
>  Switch#dir *.bin
>
> (Capture the image name)
>
> Switch#verify /md5 my.installed.IOS.image.bin
>
> The output is a bunch of dots (for a switch) followed by an output
> line that ends "= xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" with the
> x's replaced with the MD5 hash.
>
> The command is on 2811 routers, too.  Maybe far more devices, but
> I didn't want to take the time to check.  You would need to capture
> the MD5 from a known good image, and watch for changes.


- -- 
Paul Ferguson
PGP Public Key ID: 0x54DC85B2
Key fingerprint: 19EC 2945 FEE8 D6C8 58A1 CE53 2896 AC75 54DC 85B2
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iF4EAREIAAYFAlX49WcACgkQKJasdVTchbLjjgD/Rk1cUvT+qj/YzzN8lLpdmYIE
hcxlz1jT+PsBMpxsu8kA/jisyNpYa1zB5cUZq/p/C/c5cqfX9BAtBX6C98oXd0dS
=MV8U
-----END PGP SIGNATURE-----