Intro to hacking routers and other nifty bits
By: Octet
Contents:
1.) Intro
2.) Routers/routing
3.) Switches, hubs.
4.) The beauty of the insecure bus topology.
A basic text on hacking/manipulating routers, how switches and hubs work and some other shit, composed by Octet. I just figured that I hadn't anything to do, so why not write this text?
To keep kiddies and whatever other form of idiots that may read this text clueless, I'm not describing (a) what a router is, (b) what a router does and (c) how to identify a router. Note: I never mentioned "how a router routes".
Getting down to business!
Placing routers on a network to connect several smaller networks forms a network entity known as an internetwork (hence the name internet). Routers get their information about possible routes from files called routing tables. You can have a look at your routing table by typing "route" at the console. I'm assuming you're using some unix distro that has the "route" command.
Read the manual for "route" and scope out the things you can do. Manually adding/deleting/updating every network in the routing table is called static routing, which is time consuming on a network with many segments.
Dynamic routing is different from static routing (DUH!) because dynamic routing uses routing protocols such as RIP to request and send information/updates about what computers and other routers are attached to that router. Not needing manual entries in the routing tables is what makes dynamic routing popular!
Whereas, as we mentioned above, in static routing the routing tables are updated manually.
There are 2 categories of routing protocols:
(1) distance vector and (2) link state. E.g. RIP is an example of a distance vector protocol, while NLSP (IPX) and OSPF (TCP/IP) are two examples of link state protocols.
Distance vector: The router sends out its routing table when it is brought online. When another router receives it, it increments the hop count by 1 for each route in the list of routes, then re-broadcasts the list. Distance vector routing protocols send out their routing table every 60 sec.
Link state: Sends out its routing table every 5 min, therefore being more efficient. Also, if there is an update, only the update is sent and not the entire routing table.
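The distance vector exchange just described, as an added example (my own toy simulation, not code from the original text). The router names R1..R3, the one LAN per router and the 16-hop "unreachable" limit are assumptions; each receiving router adds 1 to every advertised hop count and keeps the shorter route.

```python
# Added example (not from the original text): a toy distance-vector exchange as the
# text describes it. Each router starts with only its attached networks (hop count 0),
# advertises its whole table, and a receiving neighbour adds 1 to every hop count
# before deciding whether the advertised route beats the one it already has.
from typing import Dict, List, Tuple

INFINITY = 16  # assumed RIP-style "unreachable" hop count
Table = Dict[str, Tuple[int, str]]  # destination network -> (hop count, next hop)

def initial_table(router: str, attached: List[str]) -> Table:
    """Directly attached networks: 0 hops, next hop is the router itself."""
    return {net: (0, router) for net in attached}

def receive_advert(mine: Table, sender: str, advert: Table) -> bool:
    """Merge a neighbour's advertised table into ours; True if anything changed.
    Toy version: routes only ever get better, there is no withdrawal/poisoning."""
    changed = False
    for net, (hops, _next_hop) in advert.items():
        cand = hops + 1                  # one more hop: via the sender
        if cand >= INFINITY:
            continue                     # too far, treat as unreachable
        cur = mine.get(net)
        if cur is None or cand < cur[0]:
            mine[net] = (cand, sender)
            changed = True
    return changed

def converge(tables: Dict[str, Table], links: Dict[str, List[str]]) -> int:
    """Repeat full-table broadcasts (the periodic update) until nothing changes.
    Returns the number of rounds used."""
    rounds = 0
    while True:
        rounds += 1
        snapshot = {r: dict(t) for r, t in tables.items()}  # all advertise this round's view
        changed = False
        for router, neighbours in links.items():
            for n in neighbours:
                changed |= receive_advert(tables[n], router, snapshot[router])
        if not changed:
            return rounds

def example() -> Tuple[Dict[str, Table], int]:
    """Constructed topology R1 -- R2 -- R3 (names borrowed from the text), one LAN each."""
    lans = [("R1", "10.1.0.0/24"), ("R2", "10.2.0.0/24"), ("R3", "10.3.0.0/24")]
    tables = {r: initial_table(r, [net]) for r, net in lans}
    links = {"R1": ["R2"], "R2": ["R1", "R3"], "R3": ["R2"]}
    rounds = converge(tables, links)
    return tables, rounds
```

After convergence R1 reaches R3's LAN in 2 hops via R2, and the third round is the one in which nobody learns anything new.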
Some protocols are unroutable, i.e. they have no route discovery protocol/routing protocol. NetBEUI is an example of a non-routable protocol; however IPX, TCP/IP and XNS are routable protocols! IPX and TCP/IP use RIP when referring to the distance vector category, but use OSPF (TCP/IP) and NLSP (IPX) when talking about the link state category.
OSPF stands for Open Shortest Path First, which leads nicely to the other topic.
Manipulating the path of the router (remote and local).
Note: This is theory and not tested, but according to THEORY it WILL work!
Q: Why manipulate the route, you ask?
A: Simple. Say you have a packet sniffer running on host A and you want to sniff all, or as many as you can, of the packets on the network/subnet. You simply get the router to route all the packets through host A, providing host A is an entry in the routing tables of the router whose chosen route you're manipulating. If this sounds confusing then it's because I'm not explaining it properly, because the concept is fairly simple to grasp.
The router will make its decision based on the shortest path/least laggy path, the one with the lowest ICMP ping reply in ms. In other words the router makes an intelligent decision based on performance.
Getting the router to route its packets through a host (we'll call it host A).
*Remote:
The trick is figuring out the routing tables (the routes the packets can take). traceroute can help with this.
Part of a traceroute. The IPs/hosts are fake!
4 routa.host.net (207.84.201.7) 220.005 ms 200.382 ms 230.260 ms
5 207.84.201.45 (207.84.201.45) 229.328 ms * 191.390 ms
Notice how routa.host.net routes the packet through 207.84.201.45.
Here's how traceroute works:
Traceroute utilizes the IP protocol 'time to live' field and attempts to invoke an ICMP TIME_EXCEEDED message response from each gateway along the path to some host. Traceroute uses UDP datagrams to send its information; however there's a flag (again I'm assuming you're using a unix distro. I care not about winNT/win9x/windows or DOS commands in this text) to send ICMP echo requests instead. When an ICMP "port unreachable" message is returned, traceroute ASSUMES that the host is reached; otherwise it stops when you've reached the maximum number of hops, which is 30. If you got port unreachable from a host other than the one you tracerouted and the max number of hops wasn't reached, then you know something's wrong.
The above was just a briefing on what traceroute really does, to help you figure out the routing tables. You may not figure it all out, but you may figure out enough to accomplish the task! If you're attempting to manipulate a router that doesn't route your packets, then you'll have to traceroute a host whose packets the router routes. Otherwise, if the router routes your packets, you can traceroute to anywhere. Note: The router that your packet is routed through depends on where you're tracerouting, just as it depends on performance. Also, many routers can be connected, each responsible for routing packets through whatever segment it's in charge of. I hope I made it quite obvious that your packets don't take the same route all the time! (DUH, that's why we are attempting to manipulate the route!)
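Parsing traceroute output like the excerpt above and applying the sanity check the text gives (a trace should end at the host you tracerouted or at hop 30, anything else is suspect), as an added example written for this page rather than code from the original text. The sample trace is constructed: it reuses the two fake hops quoted above and pads them with made-up hops and a made-up target address.

```python
# Added example (not from the original text): parse traceroute lines like the excerpt
# above and apply the sanity check the text gives: a trace should end at the host you
# tracerouted or at the 30-hop limit; anything else means something's wrong.
import re
from typing import List, NamedTuple, Optional

MAX_HOPS = 30  # traceroute's default hop limit, as the text says

class Hop(NamedTuple):
    ttl: int
    host: Optional[str]          # None when every probe timed out ("* * *")
    ip: Optional[str]
    rtts: List[Optional[float]]  # None where traceroute printed '*'

# "<ttl> [<host> (<ip>)] <rtt> ms | * ..."
HOP_RE = re.compile(r"^\s*(\d+)\s+(?:(\S+)\s+\((\d{1,3}(?:\.\d{1,3}){3})\))?\s*(.*)$")

def parse_hop(line: str) -> Hop:
    m = HOP_RE.match(line)
    if not m:
        raise ValueError(f"not a traceroute hop line: {line!r}")
    ttl, host, ip, probes = m.groups()
    rtts: List[Optional[float]] = []
    for tok in probes.split():
        if tok == "*":
            rtts.append(None)
        elif tok != "ms":
            rtts.append(float(tok))
    return Hop(int(ttl), host, ip, rtts)

def parse_trace(text: str) -> List[Hop]:
    return [parse_hop(line) for line in text.splitlines() if line.strip()]

def classify_end(hops: List[Hop], target_ip: str) -> str:
    """Where did the trace stop? (the text's check, as a function)"""
    last = hops[-1]
    if last.ip == target_ip:
        return "reached target"
    if last.ttl >= MAX_HOPS:
        return "gave up at max hops"
    return "ended early at another host"

# Constructed sample: the two hops quoted in the text plus made-up hops around them.
SAMPLE = """\
 1 gw.example.lan (192.0.2.1) 1.102 ms 0.981 ms 1.050 ms
 2 * * *
 3 core1.example.net (192.0.2.254) 12.301 ms 11.870 ms 12.015 ms
 4 routa.host.net (207.84.201.7) 220.005 ms 200.382 ms 230.260 ms
 5 207.84.201.45 (207.84.201.45) 229.328 ms * 191.390 ms
 6 target.example.net (198.51.100.9) 240.112 ms 238.870 ms 241.004 ms
"""
```

Feeding the same hops with the last line cut off gives "ended early at another host", which is exactly the case the text says to treat as something being wrong.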
WARNING: Routers are complicated! Some say they're the most complicated network device, so if you don't understand SHIT in this text, don't blame me.
So anyway, getting back to the topic. I'll use an example in the remote attack.
Say a router R1 is attached to routers R2 and R3. You want your packets to be routed through host 3A, which is a member of R3's segment, but according to R3's routing tables hosts 3B and 3C are possible alternatives that the packet can be routed through. Simply lag host 3B or 3C; the ICMP ping reply should then take the least time for host 3A. The router will then choose host 3A to route its packets through. Note that host 3A doesn't have to be the host the packet is intended for.
I hope you have understood. It may take a while to sink in!
*Local: The local attack involves you having access to a shell on the computer that the router's server is installed on. Simply type "route" at the console to scope the routing tables and attack the host as described in 'remote' above. Also, if you have/hacked root on the machine you can "route add", "route del" etc. (IDEA: you can add a host that has a fast connection and that you have root access on). I never said I'll describe how to hack ROOT on a shell in this text... That's another text by itself. (Refer to 'remote' to see what R3 etc. is defined as.) As an alternative to having a shell on R3, you can also have an account/shell/whatever you want to call it on 3B and 3C. It's easier this way, where you can LAG 3B and 3C internally without root! Again I'm not going to tell you how to DoS/lag them internally... You should KNOW, because this text wasn't intended for idiots. R3's decision will then be none other than host 3A.
Basic hacking of routers.
You can try default passwords because many dumb admins leave them as the default. Also you can freeze the router, during which period the password will be temporarily reset to its default. The default depends on the type of router.
For example, the default password for a Cisco router may be "admin". While the router is frozen, connect to it and try the defaults. In v4.1 Cisco software a HUGE password string is/was enough to freeze the router. Not sure if this bug is fixed. Also you can try other DoS attacks (much of which the router may filter ;-( anyway)...
Once the first password phase is cracked, what lies next is getting the enable pass, which I will not describe how to do in detail because it all depends on the software running, type of router etc. Simply get the password file and crack it!
Switches and hubs
I shall first refer to Layer 2 switches. Again, I'm not to be blamed if you're confused!
Layer 2 switches understand the data that passes through them to an extent. They read the MAC addresses and associate them with the ports. The MAC address and port association is then cached (the cache is removed/reset if the switch is turned off). The entire name for a switch is hub switch. A hub broadcasts all signals to all ports, whereas a switch sends the signal only to the port on which the machine with the intended MAC address lies.
This uses a virtual port which uses the full bandwidth of the topology. An entire star topology network can be brought down by spoofing the MAC address of a packet. Imagine the chaos in a switch reading the same MAC address from two different machines and trying to cache it to identify two different ports.
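The MAC-to-port cache just described, as an added example written for this page (a toy learning switch, not code from the original text), seen from the switch's side: it learns source MACs, forwards to one port for known destinations and floods like a hub for unknown ones, and flags the conflict the text warns about, the same MAC turning up on two different ports. The port count, the flap threshold and the frames replayed are all constructed.

```python
# Added example (not from the original text): a toy learning switch with the
# MAC-to-port cache the text describes, plus a defender's check: the same MAC turning
# up on two different ports is the conflict the text warns about, so flag it.
from collections import defaultdict
from typing import Dict, List

BROADCAST = "ff:ff:ff:ff:ff:ff"

class LearningSwitch:
    def __init__(self, ports: int, flap_threshold: int = 3):
        self.ports = ports
        self.cam: Dict[str, int] = {}                   # MAC -> port; lost when powered off
        self.moves: Dict[str, int] = defaultdict(int)   # how often a MAC changed port
        self.flap_threshold = flap_threshold
        self.alerts: List[str] = []

    def frame(self, src: str, dst: str, in_port: int) -> List[int]:
        """Handle one frame arriving on in_port; return the egress port list."""
        known = self.cam.get(src)
        if known is not None and known != in_port:
            self.moves[src] += 1
            if self.moves[src] == self.flap_threshold:   # alert once, not on every flap
                self.alerts.append(f"MAC {src} moved port {self.moves[src]} times "
                                   f"(last {known} -> {in_port}); possible spoofing")
        self.cam[src] = in_port                           # learn / overwrite the cache entry
        if dst == BROADCAST or dst not in self.cam:
            return [p for p in range(1, self.ports + 1) if p != in_port]  # flood, hub-style
        out = self.cam[dst]
        return [] if out == in_port else [out]            # one port only: the "virtual port"

# Constructed frames: A on port 1, B on port 2, then a third box on port 3 using A's MAC.
A, B = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"
FRAMES = [
    (A, BROADCAST, 1), (B, A, 2), (A, B, 1),
    (A, B, 3), (A, B, 1), (A, B, 3), (A, B, 1),
]

def replay(frames) -> LearningSwitch:
    """Run a 4-port toy switch over the frame list and hand back its state."""
    sw = LearningSwitch(ports=4)
    for src, dst, port in frames:
        sw.frame(src, dst, port)
    return sw
```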
A hub is lamer than a switch in the sense that it doesn't properly utilize the bandwidth so as to receive the full amount; it shares it! A switch is better because it uses virtual connections to the ports, using the full bandwidth of the cable. A hub and switch are only used with twisted pair cable, whether it be UTP or STP. Some hubs also allow you to create a hybrid network by merging star topology with bus topology. In that case the hub would have a port to connect the coax instead of merely having RJ-45 ports.
A BUS network is the worst type of network there is... Most insecure and least fault tolerant. Similar to a hub, a bus network broadcasts the signal to every other host on the network, therefore every computer sees the signal but only the intended computer ACCEPTS it! Killing ANY cable or NIC on the network will result in the entire network topology crashing.
Thus endeth my little tutorial. I do hope you have learned something today. Class dismissed!