Part1 - Definitions
- General Security guidelines
- Physical security - devices placed in locked rooms, firmly mounted in a rack, UPS, enough RAM etc.
- OS security - using the latest stable OS, keeping backup copies of both the OS and the configuration files in a secure place
- Device hardening
- hardening a system - steps taken to get rid of system vulnerabilities by:
- upgrading to a newer OS -> OS security
- applying current patches -> OS security
- turning off unnecessary applications
- perimeter - border between our locally managed private network and a public network - Internet.
Scenarios
1. Perimeter with one border router
Router secures perimeter - ACLs are configured there, only established connections are allowed to enter LAN from the Internet.
2. Perimeter with a border router and firewall
The border router (screening router) passes all traffic from the Internet to a firewall, which inspects the connections. This scenario is preferred to the scenario with a single router.
3. Perimeter with DMZ
A demilitarized zone is an intermediate area between our private LAN and the Internet. Servers that need to be accessed from the Internet are placed in the DMZ.
Note: The perimeter can easily be broken by an unsecured wireless access point plugged in on campus, by VPN tunnels, or by encrypted traffic. Therefore there is a need for a Self-Defending Network, where all network devices are part of a global security solution.
- IOS security features
- Devices loaded with IOS can provide security services such as:
- Stateful firewalling - in addition to basic traffic filtering using ACLs, IOS devices can perform stateful inspection of traffic using CBAC (Context-Based Access Control).
- IPS - Intrusion Prevention System - detects malicious network traffic and stops it
- VPN Routing and Forwarding-aware firewall (VRF-aware firewall) - a separate routing and forwarding table for each VPN
- Virtual Private Networks - IPSec tunnels between locations connected via the Internet
- Cisco ISR routers
- models include 800, 1800, 2800, 3800 series
- provide integrated data, security, voice, wireless services
- 800 series (850, 870) - all features, except IPS
- 1800 series (1800, 1841)
- 2800 series (2811, 2821, 2851)
- 3800 series (3825, 3845)
- All ISR series have built-in integrated VPN hardware acceleration - support for the 3DES and AES encryption algorithms.
- All ISR series except the 850 model have one or two USB ports - IOS images, config files and digital certificates can be stored on a USB flash drive there.
- Advanced Integration Module (AIM) - can be used for VPN encryption or for IPS in the 1800, 2800, 2800 ISR series
- Network modules (NM) - HWIC-AP (wireless module), IDS, Cisco Content Cache (DNS cache), Cisco Network Analysis Module (NAM) - analysis of traffic flows
- Administrative Access to Router
- vty (virtual tty) - telnet (plain text) or ssh (encrypted) connection - in-band management (if a separate management network exists, it is out-of-band management)
- AUX - access via modem - in-band management
- tty - console port - out-of-band management
- Secure system password
- difficult to guess using either a brute-force attack or a dictionary attack.
- requirements:
- at least 10 characters
- mix of upper-case and lower-case characters
- special symbols and spaces (no leading space)
- not dictionary words
- password policy - determines when a password should be changed.
Part2 - Configuration and Testing
1. Configuring passwords to tty, enable, AUX and vty access and creating local user
- Enforcing password length to 10 characters
Router(config)# security passwords min-length 10
- Configuring password to console
Router(config)# line console 0
Router(config-line)# login
Router(config-line)# password cisco12345
The password is stored in plain text in the router's configuration file.
- Configuring password to privileged exec mode
Router(config)# enable password cisco12345
This is not a secure method, as the password to enable mode is shown in plain text in the router's configuration file. Therefore it is not the recommended way to configure any password; it is kept only for backward compatibility, in case a downgrade of IOS is needed.
- Configuring password to AUX port
Router(config)# line aux 0
Router(config-line)# login
Router(config-line)# password cisco12345
- Configuring password to vty lines
Router(config)# line vty 0 15
Router(config-line)# login
Router(config-line)# password cisco12345
- Creating a new local user
Router(config)# username admin password cisco12345
This command creates a user admin with the password cisco12345 and privilege level 0. This user is allowed to get to user exec mode but cannot get to privileged exec mode without entering the enable password. We have to specify a privilege level explicitly when a level other than the default privilege level 0 is to be assigned to the user.
Router(config)# username enable_admin privilege 15 password enable_cisco123456
The command creates a user enable_admin with the password cisco123456 and privilege level 15. Once the user enters the correct credentials, they are placed directly into privileged exec mode.
- Authentication to console against local database
Router(config)# line console 0
Router(config-line)# login local
In this case a username/password pair is required to get access to the console. There are two users configured - admin and enable_admin. If the combination admin/cisco12345 is entered, the user gets access to user exec mode. If enable_admin/cisco123456 is entered, the user is placed directly into privileged exec mode.
Note that the vty configuration above (line vty 0 15) sets the password for 16 simultaneous vty (telnet) sessions. That password is also stored in plain text.
2. Password encryption with service-password encryption command
In the configuration examples we have done so far, passwords are stored in plain text in the router's configuration file. To encrypt them we can use the command:
Router(config)# service password-encryption
This command encrypts all plain-text passwords currently stored in the configuration file and any other passwords set after the command. Now let's have a look at how the passwords are stored in the router's configuration file.
Router# show running-config | begin line
line con 0
password 7 045802150C2E1D1C5A4D50
login
stopbits 1
line aux 0
password 7 045802150C2E1D1C5A4D50
login
stopbits 1
line vty 0 4
password 7 045802150C2E1D1C5A4D50
login
line vty 5 15
password 7 045802150C2E1D1C5A4D50
login
!
end
Router# show running-config | include enable
enable password 7 02050D4808095E731F1A5C
The number 7 tells us that the passwords are obfuscated with a Vigenere-style algorithm. The passwords are not really encrypted, as no secret encryption key is used, but they are no longer stored in readable form. At least nobody can read them by casually looking over the admin's shoulder. But do not have a false feeling of security: they can be easily retrieved in a few seconds regardless of the length of the password. Below are two screenshots from a site for online Cisco type 7 password cracking:
The password was cracked almost immediately after hitting the Submit Query button.
There is also a Perl script for Cisco type 7 password cracking available here:
http://wiki.nil.com/Deobfuscating_Cisco_IOS_Passwords
3. Password encryption using MD5 algorithm
1. Theory behind MD5 algorithm
Obviously, there must be a better way to get passwords encrypted than the standard type 7. When the keyword "secret" is used instead of "password" in the configuration, passwords are hashed with the stronger MD5 algorithm. This is the preferred method over type 7 encryption.
Router(config)# enable secret cisco123456
Router# show run | include enable
enable secret 5 $1$/SCP$nZ3543lVyoLQOasViGBQH0
enable password 7 02050D4808095E731F1A5C
In the previous example we secured access to privileged exec mode with the enable password command. Now we have both enable password and enable secret configured. In this case only the enable secret is valid for getting to privileged exec mode; the enable password is ignored.
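As an added example (not part of the original post), a small Python audit that reads a running-config in the format shown above and flags every password stored as type 0 or type 7, plus an enable password that is ignored because an enable secret exists. The sample configuration is constructed for this example; the secret value is the one quoted on the page.

```python
import re

# Constructed sample in the style of the `show running-config` output above
SAMPLE_CONFIG = """\
enable secret 5 $1$/SCP$nZ3543lVyoLQOasViGBQH0
enable password 7 02050D4808095E731F1A5C
username admin password cisco12345
username enable_admin privilege 15 password 7 045802150C2E1D1C5A4D50
line con 0
 password 7 045802150C2E1D1C5A4D50
 login
line vty 0 4
 password 0 cisco12345
 login
"""

# Matches "<password|secret> [<type>] <value>" at the end of a config line
KEY_RE = re.compile(r"(password|secret)\s+(?:([057])\s+)?(\S+)\s*$")


def audit_passwords(config_text):
    """Return (where, finding) pairs for every weakly stored password."""
    findings, section, enable = [], "global", {}
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if line and not line[0].isspace():
            # A non-indented line starts a new section; only "line ..." matters here
            section = line if line.startswith("line ") else "global"
        m = KEY_RE.search(line)
        if not m:
            continue
        kind, ptype, value = m.group(1), m.group(2) or "0", m.group(3)
        words = line.split()
        where = section if section != "global" else words[0]
        if words[0] == "username":
            where = " ".join(words[:2])
        if words[0] == "enable":
            enable[kind] = ptype
        if kind == "secret" and ptype == "5":
            continue  # salted MD5 secret: the form this page recommends
        if ptype == "7":
            findings.append((where, "type 7 (reversible) password; use 'secret' instead"))
        else:
            findings.append((where, "plain-text password; use 'secret' or at least service password-encryption"))
    if "password" in enable and "secret" in enable:
        findings.append(("enable", "enable password is ignored while enable secret is set; remove it"))
    return findings
```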
When a password is encrypted with the MD5 algorithm, it is stored as a 128-bit MD5 hash (digest) in the configuration file. Before computing the MD5 hash, randomly generated characters are added to the plain-text password. Those extra characters are called the salt, so we have a salted MD5 digest. The salt is 24 bits long and is stored together with the MD5 hash in the configuration file.
Using a salt brings two main benefits:
Firstly, the same passwords are never stored as the same MD5 hash, because the salt is randomly generated and should be unique for each password. In other words, two users have different MD5 hashes in the configuration file even if their plain-text passwords match.
Secondly, using a 24-bit salt is considered a defence against rainbow table attacks. Such an attack uses a precomputed database of hashes. Adding an extra 24 bits multiplies the size of the hash database by 2^24, so it requires more resources and much bigger disk capacity to compute and store the database.
Explanation:
enable secret 5 $1$/SCP$nZ3543lVyoLQOasViGBQH0
5 - the password is hashed with the salted MD5 method
1 - the hash is salted
/SCP - the 24-bit salt
nZ3543lVyoLQOasViGBQH0 - the computed MD5 hash
The password can be entered either in plain text or in encrypted form. There are two options for entering the password in unencrypted form:
Router(config)# enable secret cisco123456
which is the same as
Router(config)# enable secret 0 cisco123456
The 0 indicates that an unencrypted password follows. If we want to enter the secret password cisco123456 in encrypted form, we must indicate it with option 5.
Router(config)# enable secret 5 $1$/SCP$nZ3543lVyoLQOasViGBQH0
Note: Salted MD5 hashes of passwords can be generated on Linux using openssl. We are going to recreate the MD5 hash of the password cisco123456, manually specifying the same salt /SCP. As you can see, the result is the same salted MD5 hash as the one generated by the IOS command.
[brezular@COM-8510p ~]$ openssl passwd -1 -salt /SCP cisco123456
$1$/SCP$nZ3543lVyoLQOasViGBQH0
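An added example, not part of the original post: the md5crypt ($1$) computation that both IOS and openssl passwd -1 perform, written out in Python so the salt handling and the 1000 re-hashing rounds are visible. secret_matches is a helper added here (not an IOS or openssl feature) for checking a candidate password against a type 5 string copied from a configuration.

```python
import hashlib

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, length):
    """Encode `length` 6-bit groups of `value`, least significant group first."""
    out = ""
    for _ in range(length):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def md5crypt(password, salt):
    """Return the $1$<salt>$<hash> string for `password` (md5crypt algorithm)."""
    pw, sl = password.encode(), salt.encode()
    ctx = hashlib.md5(pw + b"$1$" + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    # Mix in the alternate digest, one byte per password byte
    for i in range(0, len(pw), 16):
        ctx.update(alt[:min(16, len(pw) - i)])
    # For each bit of the password length: a NUL byte or the first password byte
    i = len(pw)
    while i:
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    # 1000 rounds of deliberately irregular re-hashing (key stretching)
    for rnd in range(1000):
        c = hashlib.md5()
        c.update(pw if rnd & 1 else final)
        if rnd % 3:
            c.update(sl)
        if rnd % 7:
            c.update(pw)
        c.update(final if rnd & 1 else pw)
        final = c.digest()
    # The 16 digest bytes are emitted in the permuted order md5crypt uses
    out = ""
    for a, b, d in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        out += _to64((final[a] << 16) | (final[b] << 8) | final[d], 4)
    out += _to64(final[11], 2)
    return "$1$" + salt + "$" + out


def secret_matches(secret_field, candidate):
    """Check a candidate against an `enable secret 5` value from a config."""
    _, magic, salt, _ = secret_field.split("$")
    if magic != "1":
        raise ValueError("not a type 5 (md5crypt) secret")
    return md5crypt(candidate, salt) == secret_field
```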
Theory behind MD5 password hashing is explained in this excellent tutorial:
http://wiki.nil.com/MD5_Password_Hashing_in_IOS
2. Cracking salted MD5 hashes
We will use John the Ripper, a fast password cracker, to detect weak passwords. By launching an offline brute-force attack with John on the saved salted MD5 hashes, we will show the importance of using strong passwords.
First, we will try to break a 5-character password without any special characters, numbers or upper-case characters. Then we will configure a 5-character password with one leading upper-case character and try to break it.
We have two computers for testing. John's configuration is left at the default settings.
- Notebook PC Compaq 8510w with CPU Intel(R) Core(TM)2 Duo CPU T7100 @ 1.80 GHz
- Desktop PC with CPU Intel(R) Pentium(R) 4 CPU 3.20 GHz, Prescott
a) Install John the Ripper with yum on both computers from the repository
[brezular@COM-8510p ~]$ sudo yum install john
Check the version of John.
[brezular@COM-8510p ~]$ john | grep version
John the Ripper password cracker, version 1.7.8
b) Cracking an easy 5 character password
Firstly, we are going to crack the easy password "cisco". Copy the salted MD5 hash from the IOS configuration file to the file md5_hash and run John against this file.
Router(config)# enable secret cisco
Router(config)# do show run | incl enable
enable secret 5 $1$sSWq$CGWilSWbR821tNBqcnFTo.
[brezular@COM-8510p ~]$ echo '$1$sSWq$CGWilSWbR821tNBqcnFTo.' > /home/brezular/md5_hash
Start John.
Notebook
[brezular@COM-8510p ~]$ john /home/brezular/md5_hash
Loaded 1 password hash (FreeBSD MD5 [32/32])
cisco (?)
guesses: 1 time: 0:00:00:38 (3) c/s: 4689 trying: cisco
Use the "--show" option to display all of the cracked passwords reliably
Desktop PC
[brezular@Prescott ~]$ john /home/brezular/md5_hash
Loaded 1 password hash (FreeBSD MD5 [32/32])
cisco (?)
guesses: 1 time: 0:00:00:25 (3) c/s: 7107 trying: cisco
Use the "--show" option to display all of the cracked passwords reliably
You can see it took about 40 seconds to crack the password cisco on the notebook and 25 seconds on the desktop PC.
The cracked salted MD5 hashes, together with the results, are stored in the file ~/.john/john.pot.
[brezular@COM-8510p ~]$ cat ~/.john/john.pot
$1$sSWq$CGWilSWbR821tNBqcnFTo.:cisco
c) Cracking an easy 5-character password with a leading uppercase character
Router(config)# enable secret Cisco
Router(config)# do show run | incl enable
enable secret 5 $1$H.ML$ro5Nx3t2mweRBnXpqUNlK/
[brezular@COM-8510p ~]$ echo '$1$H.ML$ro5Nx3t2mweRBnXpqUNlK/' > /home/brezular/md5_hash
Start John on both computers.
John was able to guess the right password after 14 hours, 20 minutes and 59 seconds running on the notebook, and it took 11 hours and 31 seconds on the desktop PC. Now we might have a real feeling for the importance of using strong passwords - changing one letter in a password extends the cracking time by at least 11 hours.
guesses: 1 time: 0:14:20:59 (3) c/s: 4847 trying: Cisco
Use the "--show" option to display all of the cracked passwords reliably
guesses: 1 time: 0:11:00:31 (3) c/s: 6319 trying: Cisco
Use the "--show" option to display all of the cracked passwords reliably
End.
good and very informative post
http://www.golubev.com/hashgpu.htm
Try this, in case you have a nice GPU. Pfuu ... I was amazed ...
it is definitely worth trying. Thanks!