Final Steps and Covering Your Tracks

By Humphrey Cheung, published on July 28, 2005
Source: Tom's Guide US

5. Final Steps and Covering Your Tracks

Once an attacker can write to the heap, the next step is to locate the memory address of the routine that starts a new process. Every IOS command lives somewhere in memory, and the trick is finding the right address to transfer execution to. As discussed previously, that address differs between releases of Cisco IOS, so the attacker has to know which release the target is running.

Setting up a TTY on the router essentially tells IOS that one more connection may be made. A socket is then created as a sort of loopback into that connection, which lets the attacker start a command shell and land at the "enable" prompt. Lynn says the attacker can then kill the logger process to hide their tracks, much like removing the sign-in book from a building's front desk. One caveat worth keeping in mind: killing the logger only stops new local log entries. Anything the router already sent to a remote syslog collector is out of the attacker's reach, which is one good reason to log off-box rather than only on the router itself.

[Slide: Shellcode Check List]

What exactly can an attacker do after gaining administrator access?

Attackers who reach the "enable" prompt on a Cisco router can do almost anything with it. For example, BGP (Border Gateway Protocol) is the main routing protocol used to direct traffic across the Internet. Lynn says an attacker could change the BGP route metrics, causing traffic to miss its destination or slowing down the Internet. Depending on the skill of the network administrator, the change might take a long time to discover, if it is ever discovered at all.
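A quiet change to route metrics is hard to spot by eye, so one practical check is to snapshot a router's BGP table while it is known-good and diff later snapshots against that baseline. The script below is an added example, not code from this article or from Lynn's presentation. The table format is a simplified version of the IOS "show ip bgp" layout (real output has more status columns and blank fields), the two tables are constructed sample data using documentation addresses and private AS numbers, and the names BgpRoute, parse_bgp_table and diff_bgp_tables are chosen here for illustration.

```python
"""Baseline comparison of a BGP table to flag altered routes.

Added example, not from Tom's Guide or from Lynn's talk. Assumes a
simplified, constructed "show ip bgp"-style table: one route per line with
network, next hop, metric (MED), local preference, weight and AS path.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# One route per line, e.g.:
#  *>  10.10.0.0/16     192.0.2.1                0    100      0 65001 i
ROUTE_RE = re.compile(
    r"^\s*(?P<status>[*>sdhri]*)\s+"
    r"(?P<network>\d+(?:\.\d+){3}/\d+)\s+"
    r"(?P<next_hop>\d+(?:\.\d+){3})\s+"
    r"(?P<med>\d+)\s+(?P<local_pref>\d+)\s+(?P<weight>\d+)\s+"
    r"(?P<as_path>[\d ]*[ie?])\s*$"
)

# Attributes that decide where traffic goes; a silent change to any of
# them is the kind of manipulation described in the article.
COMPARED_FIELDS = ("next_hop", "med", "local_pref", "weight", "as_path")

# Constructed sample data: a known-good snapshot and a later one in which
# 10.20.0.0/16 has been re-pointed and a new prefix has appeared.
BASELINE_TABLE = """\
     Network          Next Hop            Metric LocPrf Weight Path
 *>  10.10.0.0/16     192.0.2.1                0    100      0 65001 i
 *>  10.20.0.0/16     192.0.2.1                0    100      0 65001 65002 i
 *>  198.51.100.0/24  192.0.2.9               10    100      0 65003 i
"""
CURRENT_TABLE = """\
     Network          Next Hop            Metric LocPrf Weight Path
 *>  10.10.0.0/16     192.0.2.1                0    100      0 65001 i
 *>  10.20.0.0/16     192.0.2.250            500     50      0 65001 65002 i
 *>  198.51.100.0/24  192.0.2.9               10    100      0 65003 i
 *>  203.0.113.0/24   192.0.2.250              0    100      0 65099 i
"""


@dataclass(frozen=True)
class BgpRoute:
    network: str
    next_hop: str
    med: int
    local_pref: int
    weight: int
    as_path: str


def parse_bgp_table(text: str) -> dict[str, BgpRoute]:
    """Return {network: route}; header and unparseable lines are skipped."""
    routes: dict[str, BgpRoute] = {}
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue
        routes[m["network"]] = BgpRoute(
            network=m["network"],
            next_hop=m["next_hop"],
            med=int(m["med"]),
            local_pref=int(m["local_pref"]),
            weight=int(m["weight"]),
            as_path=m["as_path"].strip(),
        )
    return routes


def diff_bgp_tables(baseline: dict[str, BgpRoute],
                    current: dict[str, BgpRoute]) -> list[tuple]:
    """Return (network, field, old, new) for every deviation from the baseline.

    field is one of COMPARED_FIELDS for a changed attribute, "withdrawn"
    for a prefix that disappeared, or "added" for a prefix that appeared.
    """
    findings: list[tuple] = []
    for network, old in baseline.items():
        new = current.get(network)
        if new is None:
            findings.append((network, "withdrawn", f"{old.next_hop} {old.as_path}", None))
            continue
        for field in COMPARED_FIELDS:
            before, after = getattr(old, field), getattr(new, field)
            if before != after:
                findings.append((network, field, before, after))
    for network, new in current.items():
        if network not in baseline:
            findings.append((network, "added", None, f"{new.next_hop} {new.as_path}"))
    return findings


if __name__ == "__main__":
    for network, field, old, new in diff_bgp_tables(
        parse_bgp_table(BASELINE_TABLE), parse_bgp_table(CURRENT_TABLE)
    ):
        print(f"{network:18} {field:10} {old!s:24} -> {new}")
```

Run on the constructed tables, the diff reports that 10.20.0.0/16 now points at a different next hop with a higher MED and a lower local preference, and that 203.0.113.0/24 is a prefix the baseline never had. In practice the baseline would be refreshed after every legitimate change and the comparison run from a host the router cannot tamper with, so that an attacker who has killed the router's own logger still cannot erase the evidence.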

A router is an inherently trusted machine on the Internet. So Man-in-the-Middle attacks could also be performed, as a router is the ultimate man in the middle. After all, your email flows through several, if not dozens, of routers while traveling to its destination. Imagine if a router could be instructed to forward all packets to an alternate destination. Obviously this would be a horrible situation, especially if it were done to a router at a major network exchange.
