Do you have things in the networks you’re responsible for that need to be made more secure? The answer to that question is obvious, but the work tends to go without much priority. You see, no matter what it is, most of the time fixing these items introduces change. The old saying comes into play here: “If it isn’t broke, don’t fix it!” Many times the question comes back from your boss or some change approval committee: is this change really necessary, and what will I gain from it? Many times an answer stating ‘a more secure network’ is not enough to get approval for doing the needed work.
Let’s look at this another way: what kind of damage could someone do to your network if all they were armed with was a standard PC and access to the internet? The answer is obvious, however let’s get more specific. What if your network contained an unsecured switch port, a routing protocol running with no type of authentication, or a gateway redundancy protocol (HSRP, VRRP, etc.) that was unsecured? How about a LAN without a proper spanning tree configuration? Well, the answer should still be obvious: there are a gazillion sites with utilities that run on a PC and are capable of interacting with or disrupting a network that has the previously stated issues. With all of that said, let’s ask ourselves a different question:
How much easier (than the previous scenarios) would it be to damage my network if someone walked into the office with a Cisco router under their arm and was able to sit down and plug it into the network? Again, without wanting to sound like a broken record, the answer should be jumping out of the screen at you, but maybe at a little more alarming rate than before. How about a little demonstration? I am about to show you in less than 10 easy steps how that Cisco router can be carried through the door and plugged into the network. Before you ask, no magic will be taught here; that will be left to the experts. Let’s get started:
- Download Dynagen from http://dynagen.org/ and install
- From the Start button (Windows), in the newly created Dynagen folder, click on Network Device List
- From the generated list, pick out the installed network adapter that connects your computer to the local area network. Once found, copy the appropriate device string to the clipboard: select from NIO_ all the way to the end of the line before copying.
- Download this file and unzip it into the \Program Files\Dynagen\sample_labs folder. Open the sw1.net file in a text editor and search for the string NIO. Once found, select the entire existing string beginning with NIO and replace it by pasting your computer’s specific string from the clipboard. Save this file and exit the editor.
- Download from Cisco’s website the IOS file named c3640-js-mz.124-18.bin. The simplest way to do this is to log in to the Cisco site with your CCO ID (required), go to the download area and type this file name in the Software Search box. Once downloaded, browse to the Dynamips installation directory and move this file into the sample_labs\XpressLearn\ios folder.
- Fire up the Dynamips server by clicking on Start –> Dynagen –> Dynamips Server (we are getting close, feel the anticipation?).
- Go back to the folder containing the sw1.net configuration file and right-click on the file –> Open with –> dg-local
- In mere moments, a new window should appear and you should see a greater-than prompt (=>) below the words ‘Dynagen management console for Dynamips’. At the prompt, type start SW1 and, when returned to the prompt, type telnet SW1.
- A telnet window should appear and within a few seconds, voilà! A Cisco router is booting inside the telnet window.
Now, in less than 10 easy steps, you have a Cisco router that is bridged to the network that the PC you’re sitting in front of is connected to. Again, you have a bridged connection between the ‘virtual’ Cisco router and the network which the hosting PC is connected to. What does this mean, you ask? For all practical purposes, there is a Cisco router (which is completely under your control) plugged directly into the network your PC is connected to. The virtual router is not using the hosting PC to hide behind; there is no NAT, routing, etc. going on to get this router communicating with the live network. Dynamips uses a shim that sits between the network adapter in your PC and the operating system. This same shim is what is commonly used by sniffer programs to provide full visibility of all traffic on the network. Why am I making such a fuss about this? There is a Layer 2 connection between the network switch in a wiring closet somewhere and your virtual Cisco router.
Some may ask, well, what can I do with this after all the trouble of setting it up? The answer: just about anything you could if it were a real Cisco router connected to the network with a direct console connection to it. Let me show you something ‘real’, but before I do, I must stress that no networks were harmed in the making of this article. This was a highly trained individual performing a precise exercise to demonstrate the realities of what is described in this article. OK, with no further jabbering:
SW1#sh cdp nei
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater
Device ID Local Intrfce Holdtme Capability Platform Port ID
BNADC-SW-01.xxx.net
Fas 1/0 140 T S WS-C3548- Fas 0/45
Hmmm, this virtual Cisco router is swapping CDP information with an access switch. That’s pretty interesting…
Just by looking at the IP address of the PC running Dynamips you already know the subnet allocation for the VLAN your virtual switch is connected to. This means you could try to pick out a static IP on the same subnet that is not used by anything else, or, instead of guessing, let’s try this:
SW1(config)#interface Vlan1
SW1(config-if)#ip address dhcp
SW1(config-if)#end
SW1#
*Mar 1 00:04:50.611: %SYS-5-CONFIG_I: Configured from console by console
*Mar 1 00:04:54.715: %DHCP-6-ADDRESS_ASSIGN: Interface Vlan1 assigned DHCP address 10.32.20.238, mask 255.255.255.0, hostname SW1
Yeah, that will do it… Now my virtual router/switch has a valid IP assigned on the network. Gee whiz, is there much more I can figure out on my own? Dynamips can sniff the traffic flowing through the interfaces of Dynamips instances. Let’s turn on capturing for a couple of minutes and see what happens:
After giving it a few minutes to capture, you can stop the capture so that the file can be opened and viewed in a sniffer program. To stop the capture, simply type: no capture SW1 F1/0. Open up sw1.dmp in your sniffer program; the first thing I see is some EIGRP hello packets. Let’s take a look:
Here is the EIGRP packet which came from our default gateway (which of course is the router), and if we look closely, the autonomous system number is contained inside the hello packet. So, we have discovered EIGRP running in autonomous system 20. What do you want to bet there is no authentication being used in the routing protocol process? Let’s give this a shot:
SW1(config)#router eigrp 20
SW1(config-router)#network 10.32.20.0 255.255.255.0
SW1(config-router)#no auto-summary
SW1(config-router)#end
SW1#
*Mar 1 00:16:39.179: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 10.32.20.1 (Ethernet1/0) is up: new adjacency
*Mar 1 00:16:39.871: %SYS-5-CONFIG_I: Configured from console by console
SW1#
SW1#sh ip eigrp nei
IP-EIGRP neighbors for process 20
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
0 10.32.20.1 Vl1 11 00:00:47 441 3969 0 26626
SW1#
SW1#sh ip route summary
IP routing table name is Default-IP-Routing-Table(0)
IP routing table maximum-paths is 16
Route Source Networks Subnets Overhead Memory (bytes)
connected 1 0 72 136
static 0 1 72 136
eigrp 20 77 831 65376 123488
internal 106 122536
Total 184 832 65520 246296
SW1#
Wow, all of a sudden I have a route table with 831 more routes in it. At this point it would be very easy to inject a host route into the EIGRP routing process, so that a host could be impersonated by another computer. By injecting that specific route, you can direct all traffic to an unintended destination, which allows you to capture all sorts of sensitive data. Even taking a purely passive approach and not manipulating EIGRP at all, the route table has given us a map of the entire network.
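What the capture above actually reveals is something a defender can check for on any EIGRP hello seen on the wire: the AS number sits in the header, and the presence or absence of an authentication TLV says whether a stranger could form an adjacency at all. The Python below is an added example, not code from the original article; it decodes a hello using the RFC 7868 header layout and flags one that carries no authentication TLV. The sample packet comes from build_hello (constructed test input), not from a captured frame.

```python
import struct
OPCODE_HELLO = 5                    # EIGRP opcode for Hello (RFC 7868)
TLV_PARAMETERS, TLV_AUTHENTICATION = 0x0001, 0x0002

def ip_checksum(data: bytes) -> int:
    """Ones' complement 16-bit sum over the whole EIGRP packet (checksum field zeroed)."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_eigrp(pkt: bytes) -> dict:
    """Decode the 20-byte header, then walk TLVs for hold time and an authentication TLV."""
    if len(pkt) < 20:
        raise ValueError("truncated EIGRP header")
    ver, opcode, csum, _flags, _seq, _ack, _vrid, asn = struct.unpack("!BBHIIIHH", pkt[:20])
    info = {"version": ver, "opcode": opcode, "as": asn, "hold_time": None, "authenticated": False,
            "tlvs": [], "checksum_ok": ip_checksum(pkt[:2] + b"\0\0" + pkt[4:]) == csum}
    off = 20
    while off + 4 <= len(pkt):
        ttype, tlen = struct.unpack("!HH", pkt[off:off + 4])
        if tlen < 4 or off + tlen > len(pkt):
            raise ValueError("malformed TLV at offset %d" % off)
        value = pkt[off + 4:off + tlen]
        info["tlvs"].append(ttype)
        if ttype == TLV_PARAMETERS and len(value) >= 8:   # K1..K5, reserved, 16-bit hold time
            info["hold_time"] = struct.unpack("!H", value[6:8])[0]
        elif ttype == TLV_AUTHENTICATION:
            info["authenticated"] = True
        off += tlen
    return info

def audit_hello(pkt: bytes) -> list:
    """Defender's view of one captured hello: corrupted packet, or no authentication at all."""
    info, findings = parse_eigrp(pkt), []
    if not info["checksum_ok"]:
        findings.append("checksum mismatch")
    if info["opcode"] == OPCODE_HELLO and not info["authenticated"]:
        findings.append("EIGRP AS %d hello carries no authentication TLV" % info["as"])
    return findings

def build_hello(asn: int, hold_time: int = 15, md5_auth: bool = False) -> bytes:
    """Constructed sample hello (not a captured packet) to exercise the parser."""
    body = struct.pack("!HHBBBBBBH", TLV_PARAMETERS, 12, 1, 0, 1, 0, 0, 0, hold_time)
    if md5_auth:  # auth type 2 (MD5), 16-byte digest, key id 1, key seq 0, 12 pad bytes, dummy digest
        body += struct.pack("!HHHHII", TLV_AUTHENTICATION, 44, 2, 16, 1, 0) + b"\0" * 12 + b"\x11" * 16
    hdr = struct.pack("!BBHIIIHH", 2, OPCODE_HELLO, 0, 0, 0, 0, 0, asn)
    return hdr[:2] + struct.pack("!H", ip_checksum(hdr + body)) + hdr[4:] + body
```

Feed `audit_hello` the EIGRP payload from each hello in a capture such as sw1.dmp; an empty list for every packet means the process is at least authenticating its neighbors.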
The possibilities are endless: maybe the virtual switch gets configured for HSRP after you figure out what group number is being used. Then set a priority that allows all the traffic to flow through your router before it goes back out to its destination. Granted, the Dynamips instance probably wouldn’t hold up because of the low forwarding rate, but there could be some damage done before Dynamips crashed.
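The %DUAL-5-NBRCHANGE message in the transcript above is the same message the legitimate gateway logs when an unexpected neighbor appears on one of its interfaces, which makes it a cheap detection point. As an added example (not part of the article), here is a small Python checker that reads such syslog lines and flags adjacencies forming on interfaces where none should exist, or with peers not on the allow-list; the log lines and the GigabitEthernet0/1 policy are constructed for illustration.

```python
import re

# %DUAL-5-NBRCHANGE in both the older "IP-EIGRP(0) 20:" and newer "EIGRP-IPv4 20:" IOS spellings
NBR_RE = re.compile(
    r"%DUAL-5-NBRCHANGE: (?:IP-EIGRP\(\d+\)|EIGRP-IPv4) (?P<asn>\d+): "
    r"Neighbor (?P<nbr>\d{1,3}(?:\.\d{1,3}){3}) \((?P<iface>[^)]+)\) is (?P<state>up|down): (?P<reason>.*)$"
)

def parse_nbrchange(line: str):
    """Return the fields of one neighbor-change syslog line, or None for any other message."""
    m = NBR_RE.search(line)
    return m.groupdict() if m else None

def check_adjacency(line: str, expected: dict, asn: str):
    """Flag an adjacency the policy did not anticipate.

    expected maps interface name -> set of neighbor IPs allowed to peer there; an interface
    missing from the map (access VLAN SVIs, user ports) is one where no neighbor should ever form.
    """
    ev = parse_nbrchange(line)
    if ev is None or ev["state"] != "up":
        return None
    if ev["asn"] != asn:
        return "AS %s adjacency (expected AS %s) with %s on %s" % (ev["asn"], asn, ev["nbr"], ev["iface"])
    allowed = expected.get(ev["iface"])
    if allowed is None:
        return "EIGRP neighbor %s formed on %s, which should carry no routing adjacency" % (ev["nbr"], ev["iface"])
    if ev["nbr"] not in allowed:
        return "unlisted neighbor %s on %s" % (ev["nbr"], ev["iface"])
    return None

def scan(lines, expected: dict, asn: str) -> list:
    """Run the check over a batch of syslog lines (e.g. the core router's log export)."""
    return [f for f in (check_adjacency(l, expected, asn) for l in lines) if f]

# Constructed sample log lines modelled on the transcript in the article (not a real device log).
SAMPLE_LOG = [
    "*Mar 1 00:16:39.179: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 20: Neighbor 10.32.0.2 (GigabitEthernet0/1) is up: new adjacency",
    "*Mar 1 00:16:39.871: %SYS-5-CONFIG_I: Configured from console by console",
    "*Mar 1 00:17:02.014: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 20: Neighbor 10.32.20.238 (Vlan20) is up: new adjacency",
    "*Mar 1 00:17:40.500: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 20: Neighbor 10.32.0.2 (GigabitEthernet0/1) is down: holding time expired",
]
POLICY = {"GigabitEthernet0/1": {"10.32.0.2"}}  # the only interface where a peer is supposed to exist
```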
Enough about Layer 3 stuff, what about spanning tree? We do have a switch module installed, thus we are running spanning tree. Assuming per-VLAN spanning tree is running on the network, we could at least become the root bridge for the access VLAN we are a member of.
SW1#sh spanning-tree root
VLAN1
Root ID Priority 8273
Address 00d0.636e.cc00
Cost 23
Port 41 (FastEthernet1/0)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Wow, all we have to do is set our spanning tree priority for VLAN 1, which is configured on the virtual switch, to a value less than 8273. Once that change is made, all the traffic on that VLAN is flowing through a port on the virtual switch to get to its destination. Oh, and hopefully there is no way to get connected to a port on the network that allows trunking, especially one that allows trunking with no restrictions on the VLANs passing through that trunk port. My, my: once a trunk port was established to our virtual switch, we could really get crazy by setting up a VTP server and manipulating the configuration revision number to a really high value, then wiping out all the VLANs on the entire network (assuming VTP is running on the network).
When this article began, the point was to sell making your network more secure. The intention of this entire exercise was to show how much easier it becomes to be disruptive when you have (and control) a router/switch that can be plugged into a network. Please don’t take this article as a how-to for disrupting networks; that is certainly not the intention.
In another article, I will specifically describe how to configure a network to combat against every one of the examples mentioned in this article.