Synful Knock questions...
- Subject: Synful Knock questions...
- From: fergdawgster at mykolab.com (Paul Ferguson)
- Date: Tue, 15 Sep 2015 21:51:51 -0700
- In-reply-to: <[email protected]>
- References: <[email protected]> <CAOhg=RzdgyUOF5t_4vba5Voxy9tr6W-_sgFdEzu9r7RDrajAbA@mail.gmail.com> <[email protected]>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Please bear in mind that the attacker *must* acquire credentials to
access the box before exploitation. Please discuss liberally.
- - ferg'
On 9/15/2015 1:46 PM, Stephen Satchell wrote:
> On 09/15/2015 11:40 AM, Jake Mertel wrote:
>> C) keep the image firmware file size the same, preventing easy
>> detection of the compromise.
>
> Hmmm...time to automate the downloading and checksumming of the
> IOS images in my router. Hey, Expect, I'm looking at YOU.
>
> Wait a minute...doesn't Cisco have checksums in its file system?
> This might be even easier than I thought, no TFTP server
> required...
>
> http://www.cisco.com/web/about/security/intelligence/iosimage.html#10
>
> Switch#dir *.bin
>
> (Capture the image name)
>
> Switch#verify /md5 my.installed.IOS.image.bin
>
> The output is a bunch of dots (for a switch) followed by an output
> line that ends "= xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" with the
> x's replaced with the MD5 hash.
>
> The command is on 2811 routers, too. Maybe far more devices, but
> I didn't want to take the time to check. You would need to capture
> the MD5 from a known good image, and watch for changes.
>
- --
Paul Ferguson
PGP Public Key ID: 0x54DC85B2
Key fingerprint: 19EC 2945 FEE8 D6C8 58A1 CE53 2896 AC75 54DC 85B2
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iF4EAREIAAYFAlX49WcACgkQKJasdVTchbLjjgD/Rk1cUvT+qj/YzzN8lLpdmYIE
hcxlz1jT+PsBMpxsu8kA/jisyNpYa1zB5cUZq/p/C/c5cqfX9BAtBX6C98oXd0dS
=MV8U
-----END PGP SIGNATURE-----
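
The check described in the quoted message (capture the MD5 from a known good image, then watch for changes), as an added example that is not part of the original thread. It parses captured `verify /md5` sessions and compares each hash with a recorded baseline; the hostnames, hashes, `flash:` prefix and session text are constructed, and the "(image)" layout before the "=" is an assumption.

```python
import re

# The message says the result line ends "= <MD5>"; the "(image)" part before
# the "=" is an assumed layout and is treated as optional.
RESULT = re.compile(r"(?:\((?P<image>[^)]+)\)\s*)?=\s*(?P<md5>[0-9a-fA-F]{32})\s*$")

def parse_verify_output(capture):
    """Return (image or None, lowercase md5) from one captured CLI session."""
    for line in reversed(capture.splitlines()):
        m = RESULT.search(line)
        if m:
            return m.group("image"), m.group("md5").lower()
    raise ValueError("no MD5 result line in capture")

def check_device(host, capture, baseline):
    """Classify one device against the known-good hash recorded for it."""
    try:
        _image, md5 = parse_verify_output(capture)
    except ValueError:
        return "NO_HASH"        # session cut short or command rejected
    expected = baseline.get(host)
    if expected is None:
        return "NO_BASELINE"    # nothing recorded yet for this device
    return "OK" if md5 == expected.lower() else "CHANGED"

# Constructed data: hostnames, hashes and session text are made up.
GOOD = "0123456789abcdef0123456789abcdef"
BASELINE = {"sw1": GOOD, "rtr1": GOOD}
CAPTURES = {
    "sw1": "Switch#verify /md5 my.installed.IOS.image.bin\n"
           "..........\n"
           "verify /md5 (flash:my.installed.IOS.image.bin) = " + GOOD.upper() + "\n",
    "rtr1": "Router#verify /md5 my.installed.IOS.image.bin\n"
            "..........\n"
            "verify /md5 (flash:my.installed.IOS.image.bin) = "
            "fedcba9876543210fedcba9876543210\n",
    "sw2": "Switch#verify /md5 my.installed.IOS.image.bin\n.....\n",
}

def run_checks():
    """Check every constructed capture against the constructed baseline."""
    return {h: check_device(h, c, BASELINE) for h, c in sorted(CAPTURES.items())}

if __name__ == "__main__":
    for host, status in run_checks().items():
        print(f"{host}: {status}")
```

A capture with no result line is reported as NO_HASH rather than skipped, so a session that was cut short cannot pass as unchanged.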