Comments on: Aiming at Higher Network Security Through Extensive Penetration Tests

By: anestisb

anestisb — Tue, 30 Oct 2012 07:15:09 +0000

@surya IP ACLs (operating on Layer 3 & 4) are vulnerable to IP spoofing attacks if no mitigation methods are implemented on the network.

tftp-server-list for cisco IOS is an ACL protection for the SNMP request IP sources (sources is bold for a reason: ACL checks only the incoming IP source address and not the outgoing because command supports only standard ACLs).

The get-config SNMP oid contains the target TFTP server string (and the TFTP IP can be different from the SNMP request’s IP address).

Consequently, an attacker can spoof an allowed IP address to bypass the standard ACL protection and execute a get-config request to an other IP address that he owns.

Always speaking for network configurations with weak or no IP spoofing protection layers.

By: surya

surya — Tue, 30 Oct 2012 01:27:10 +0000

Hi Anestis ! in your article you have mentioned about copying router config through SNMPrequest to TFTP services….. but the same can be protected by tftp-server-list command

please offer your comments

By: anestisb

anestisb — Thu, 11 Oct 2012 17:01:36 +0000

The scenario examined in the paper is implemented solely with simulated (GNS3 Cisco Simulator) and virtualized (VMWare) hosts/nodes. Of course our lab also includes some actual hardware involved directly into our tests, mainly for the network processing nodes (because simulators lack of some features). A very good resource on simulating Cisco devices with GNS3 in linux hosts is blindhog.net. Unfortunately a lab video can not be provided according to our policy.

By: surya

surya — Thu, 11 Oct 2012 12:11:39 +0000

is entire lab setup is simulated on physical hosts are also involved ?
if possible can u share demo video

thank you

By: Ion

Ion — Tue, 09 Oct 2012 23:22:52 +0000

Hey Anestis, great article! Make sure to share similar activities in twitter, etc in the future, so we get notified sooner *grin*. Have a nice day!