[c-nsp] Obtaining MD signature

Jared Mauch jared at puck.nether.net
Fri May 7 17:34:06 EDT 2010


On May 7, 2010, at 4:48 PM, Judah Scott wrote:

> Distributing compromised images isn't all that useful either because
> it will be difficult to track down which routers the backdoors
> (presumably that's what a compromised image would go for) were
> installed to unless they send out packets notifying their installation
> location which would be easy to detect.

There are very few people that understand what packets are emitted from their networks.  If you had the 'packet cops' sitting guarding your edge, you might be shocked at the level of data that is casually leaving your network.  Many vendors also don't understand what packets are emitted from the devices in the first place, e.g. cdp/lldp/etc which may lead to data leakage.

Very few people do analysis of this, so don't realize that their routers may by default emit decnet frames, or know enough to figure out how to disable it.

A heartbeat packet sent with critical information (in cleartext) would be plenty enough data to figure it out.

As for your reverse engineering of the software, look no further than the 7200 simulator software out there that would make it easier for someone to decipher what is going on.  Most images are actually zip files (-mz) you can get at and perform more detailed analysis on should you be interested in this space.

Sneaking a hypervisor in someplace, or in the loader part of the -mz image, may not be as hard as you think.  I've seen people here and elsewhere that have posted how to binary edit your IOS to enable/disable features.

- Jared
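As an added illustration of the point above about knowing which frames leave your edge (example code written for this page, not from the thread or from any vendor): a small classifier over raw Ethernet frames that labels the usual IP traffic and flags DECnet, CDP and LLDP as unexpected egress. The router MAC and the sample frames are constructed.

```python
import struct
from collections import Counter

# Standard ethertypes / SNAP identifiers for the protocols the thread mentions.
ETHERTYPE_IPV4, ETHERTYPE_ARP, ETHERTYPE_IPV6 = 0x0800, 0x0806, 0x86DD
ETHERTYPE_LLDP = 0x88CC
ETHERTYPE_DECNET = 0x6003                    # DECnet Phase IV routing
CDP_SNAP = (bytes.fromhex("00000c"), 0x2000)  # Cisco OUI + CDP protocol id
KNOWN = {ETHERTYPE_IPV4: "ipv4", ETHERTYPE_ARP: "arp", ETHERTYPE_IPV6: "ipv6",
         ETHERTYPE_LLDP: "lldp", ETHERTYPE_DECNET: "decnet"}
EXPECTED = {"ipv4", "arp", "ipv6"}           # what a pure IP edge should carry

def classify_frame(frame: bytes) -> str:
    """Label the layer-2 protocol of one raw Ethernet frame."""
    if len(frame) < 14:
        return "runt"
    etype = struct.unpack("!H", frame[12:14])[0]
    if etype >= 0x0600:                      # Ethernet II: field is an ethertype
        return KNOWN.get(etype, f"ethertype-{etype:#06x}")
    llc = frame[14:17]                       # 802.3: field is a length, LLC follows
    if llc == b"\xaa\xaa\x03" and len(frame) >= 22:   # SNAP encapsulation
        oui, pid = frame[17:20], struct.unpack("!H", frame[20:22])[0]
        return "cdp" if (oui, pid) == CDP_SNAP else f"snap-{oui.hex()}-{pid:#06x}"
    return f"llc-{llc.hex()}"

def egress_report(frames):
    """Count protocols seen leaving the edge and list those outside EXPECTED."""
    counts = Counter(classify_frame(f) for f in frames)
    return counts, sorted(p for p in counts if p not in EXPECTED)

def _eth(dst, src, type_or_len, payload):
    return dst + src + struct.pack("!H", type_or_len) + payload

# Constructed sample capture: five frames sourced from one made-up router MAC.
ROUTER = bytes.fromhex("001122334455")
SAMPLE_EGRESS = [
    _eth(b"\xff" * 6, ROUTER, ETHERTYPE_ARP, b"\x00\x01\x08\x00\x06\x04\x00\x01"),
    _eth(bytes(6), ROUTER, ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19),
    _eth(bytes.fromhex("01000ccccccc"), ROUTER, 0x0020,          # CDP over LLC/SNAP
         b"\xaa\xaa\x03\x00\x00\x0c\x20\x00" + b"\x02\xb4"),
    _eth(bytes.fromhex("0180c200000e"), ROUTER, ETHERTYPE_LLDP, b"\x02\x07\x04" + ROUTER),
    _eth(bytes.fromhex("ab0000040000"), ROUTER, ETHERTYPE_DECNET, b"\x00" * 10),
]

if __name__ == "__main__":
    counts, unexpected = egress_report(SAMPLE_EGRESS)
    for proto, n in sorted(counts.items()):
        print(f"{proto:10s} {n}")
    print("unexpected egress:", ", ".join(unexpected) or "none")
```

Feed it frames from a span port or a pcap of your edge link instead of SAMPLE_EGRESS and the unexpected list is the starting point for the per-interface "disable it" work.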

