Customer Reviews

Hacking Exposed Cisco Networks: Cisco Security Secrets & Solutions

5 star:		(4)
4 star:		(5)
3 star:		(1)
2 star:		(0)
1 star:		(0)

 

 

Hacking Exposed Cisco Networks" (HECN) by Vladimirov, Gavrilenko, Vizulis and Mikhailovsky is the first book of it's kind to focus entirely on hacking the Cisco product line. The book offers a novel concept, and goes into some undocumented areas, but please do not expect to be seeing the enable-mode router prompt by page 50.

My first impression of Hacking Exposed Cisco Networks is that the book was simply 'rushed' to market. The book begins with an intro by Michael Lynn, who made a name for himself at the 2005 Black Hat Briefings by 'publicly demonstrating the ability to reliably exploit buffer overflows on Cisco routers.' My feeling is that after the Black Hat Briefings, a rush was put on HECN to have it published simply to ride on this wave.

The book is divided into 3 Parts and 1 Appendix and includes a total of 14 chapters. The first section, Foundations, gives a review of Cisco design models, different security elements (firewall, IDS, VPN and AAA) and examples of real world security issues.

The second section (and the main section of the book) is titled `Hacking the Box' and dives into various methods of penetrating Cisco devices. The first chapter in this section discusses using different information sources to develop a profile (what to search for on a web search engine, autonomous system discovery, Internet routing servers and tables, etc..). Next, a 50 page chapter discusses enumerating and fingerprinting Cisco devices. Subsequent chapters discuss password attacks, SNMP community string attacks, wardialing, IOS exploitation and password cracking. After penetrating a device, the next chapter shows how to exploit and preserve access.

The last section discusses protocol exploitation, which needs not be focused solely on Cisco devices; most of these attacks are common across all vendors. This includes chapters on exploiting Vlans, GRE packet injection, EAP-LEAP cracking. The last chapter discusses routing protocol exploitation including exploits for RIP, EIGRP and BGP. The Appendix includes listing undocumented Cisco commands. While these commands can also be found on the web, the book discusses ways to use the commands in context of a hacking exploit.

Some of the items I found useful from HECN:
* Chapter 4 provides a respectable list of AS profiling techniques. Starting on page 108 is an excellent introduction to a tool to help sniff routing updates (the autonomous system scanner).
* Chapter 5 provides a great chart on Cisco specific protocols (page 124). The chapter also has a very good discussion on Cisco fingerprinting.
* Chapter 8 provides a one-of-a-kind discussion on IOS memory dissection. I was extremely impressed by the discussion on stack heaps. The TFTP buffer overflow on page 281 is a great example of where the future of Cisco IOS hacking may lie. While some believe buffer overflows are soooo 2005, I think believe there is amply room to further explore this within the context of Cisco devices.

HECN also has some weak areas:
* page 24 - mentions all routers support NTP - not true, some of the lower-end IOSs only support SNTP.
* page 28 - mentions `extra flags' for UDP connections. UDP has no flags, but certainly TCP does.
* page 133 - mentions a tool, the "ST-divine tool", as available on the book's website, but the tool is not listed at the book's website.
* Chapters 1 and 3 really don't offer anything new, and only distract from the overall quality of the book.

These and other such typos/editorial mistakes don't distract too much from the overall focus of HECN. The book tries to be a proof-of-concept with many different exploits. One feels that the authors were huddled around a few Cisco boxes, trying whatever exploits they could find to bust the box. It would be very easy to rack up some routers and switches, copy the configurations provided in the book, and follow them page by page as they perform various hacking techniques.

As an owner of over 50 books dedicated to Cisco, this book goes into an area not covered by any other book in my library. And, for that fact alone, I have to respect the book. However, I have to believe that if HECN had only gone through a further round of editing, that the overall structure of the book would be much better. In the end, I do recommend this book, simply because of the novelty of the subject and due to the amount of effort that is apparent throughout the text.

I give this book 4 pings out of 5:
!!!.!

I've always been a fan of Osborne's Hacking Exposed books (although subjects like "Computer Forensics" don't seem to fit the spirit of the series). I previously read Wi-Foo: The Secrets of Wireless Hacking by the same authors who wrote Hacking Exposed: Cisco Networks (HECN). Comparing the two books, I agree with previous reviewer Sean E. Connelly; I think HECN was rushed to market. The book needs better technical review, proofreading, and copyediting as well. Nevertheless, I still recommend reading HECN -- it's a unique book on a critical subject.

One of the more striking aspects of HECN is the amount of original research committed to the book. Sure, the authors document already known Cisco vulnerabilities. However, they also developed a suite of tools to implement attacks discussed in HECN. They demonstrate how to apply various tools and when those applications are realistic. HECN's authors discovered a variety of new exploits (documented at the book Web site) which they submitted to Cisco's PSIRT. I appreciated this degree of originality.

HECN is on the leading edge of attacks happening right now. While reading the book I assisted with an incident response involving a Cisco switch. It appeared that bot net command-and-control traffic was originating from a switch on a client network. Upon closer inspection, I could tell that unknown intruders were bouncing IRC traffic through the management interface of the switch, probably using a variant of the ciscoBNC tool introduced in Ch 10. HECN also describes the possibilities offered by Tcl scripting on Cisco routers, which I expect to see intruders abuse.

I had two sorts of problems with HECN. First, the text can be somewhat confusing to follow. In some parts this is caused by the authors' writing style. In others confusion is caused by the authors' unwillingness to fully describe sensitive exploitation techniques. For example, they mention ways to reverse engineer and/or patch IOS binary images, but they are deliberately vague. This helps the authors stay out of trouble with Cisco, but it leaves the reader frustrated. The second problem with HECN involves the tone of the book. In some places I was left wondering why the authors made certain comments. A good example of material that should simply be dropped is the final "case study" at the end of the book.

Some minor technical issues should be fixed in future editions. In addition to those outlined by previous reviewers, I would add the item on p 460 that says AH is IP proto 49; it should be 51. I also thought the Nmap scanning recommendations on p 136 were somewhat silly. It's best to stick with the simplest scan possible and avoid the poorly-named "stealth" options Nmap offers. Finally, some of the screen shots were too fuzzy. Images taken from Ethereal in Ch 4 are examples of this problem.

Overall, I would still buy HECN. Administrators and security professionals must recognize that Cisco equipment (along with infrastructure from other vendors) are actively targeted, exploited, and abused by intruders. HECN explains how this happens and what you can do to prevent, or at least detect, these compromises. It's like 1999 all over again -- get the Hacking Exposed title that will help you mitigate a new class of threats!

I found this book super and rather helpful in my CCIE Security exam preparations. After all, this seems to be the only source on Cisco-related attacks available in print. The attacks are well-outlined and supplied with appropriate countermeasures; the fact that the authors did not dwell on common knowledge generic attacks like ARP injections (although the countermeasures against these are provided) is also good, since I can read about them elsewhere. I was also quite surprised to see the bold attempts at supplying two algorithms for constructing IOS worms. Perhaps, such data should not be put onto the public domain, but than, won't the Black Hats think along the same lines anyway ?

As to the comments above, the scans of devices are limited to a single chapter where they rightfuly belong. And "ip inspect tcp max-incomplete host block" is by no means a panacea. First of all, TCP scanning is not limited to the SYN scans. Second, before setting a limit on the TCP half-connects one has to baseline the network behavior first and find out how common the half-connects to the protected hosts are and why do they occur, otherwise there could be connectivity troubles. So, in my opinion, the methods of hiding your routers from attackers described in the book are quite sufficient.

It's good to have all-in-one reference to Cisco-related attacks, and generally the book seems to be quite useful to all kinds of pentesters, especially if internal security audits are on the list of services offered. The description of how to write an IOS exploit is still a bit over my head, but was rather helpful in understanding "classical" presentations by FX and Co. It is, indeed, "FX in a nutshell". Also, the idea and description of a TCL IOS worm is somewhat bold, but may well be an important future threat to consider.

I work with Cisco routers and switches every day and never considered them to be insecure as long as strong usernames and passwords are set. However, after reading this book I had to change my mind and spend more time on hardening our Cisco-based infrastructure. In particular, this applied to the network protocols on the second and third OSI layers, which are rarely looked after by both in-house and external security engineers/consultants. To say, many of the protocol-related attacks and countermeasures described in the book apply to non-Cisco gear networks just as well. So, if you are concerned about internal attackers, whether they are crackers who made their way in or rogue employees, you will find this book rather helpful in fending them off.

"Hacking Exposed: Cisco Networks" is not bad but then again not great. What caused it to only get 4 out 5 stars was that many of the tools and links no longer work and this review is being written in March 2006 for a book published in Jan 2006!

One example of many:
- page 521: Cisco's tcphijack
I would then have to Google to see if the tool was now elsewhere - sometimes successfully, sometimes - not.

Another example of bad tooling - page 519 - Arpworks. Yes it is still there but they fail to mention that it only works on Windows 95/98. I could go on and on.

The thing that really annoys me on this book is the binding. The softcover binding is made of some very cheap paper which curls up. For a $50 list-price book (I paid $50 for ordering it 1st and not waiting 2 months for the price to drop to $30), I would think that Osborne could have popped for an extra $1 on a good jacket quality - which would never happen with O'Reilly.

I did pick up a few tools I was not aware of, but was it worth $50?! Nope. Is it worth now $30? Questionable. If you live and breath Cisco security there won't be much new to learn here, but it does give you a reference to lend to others that keep asking you the same questions. :-)

Hank Nussbacher

If you are a cisco security expert maybe this book will not have any new information for you, but since most of us are not, I would recommend it for anyone who is trying to protect a Cisco infrastructure. The author covers a lot of material, and as with any internet resources, some move and disappear but it still puts you on the right path to know what needs to be hardened. The language is not as smooth as it could be, but it certainly better than most and the subject matter can get pretty complicated at times so some tolerance is reasonable. Overall I would recommend it to someone wanting to know more about practical Cisco security.

I really nice first attempt at zeroing in on and attacking Cisco devices, something I do for a living. The book, however, is NOT really a "Hacking Exposed" line from the Scambray, Kurtz and McClure camps. It is funny how fast people will buy anything tagged with "Hacking Exposed." This book does deliver some VERY good hardening and attacking techniques and I would suggest it for anyone that is in the network security field, especially those that are directly involved with the routers/switches.

This book is pretty informative, however I feel that it is incomplete in more than a few ways. While I have absolutely NO doubt that the authors are very well versed in using penetration tools to test cisco devices, many mitagation techniques are missing. For an untrained user (aka "lazy admin") this would leave a "the sky is falling, or oh oh cisco is such an insecure platform" feeling, when in reality alot of these attack attempts can be totally avoided.

case in point
unless i missed it, i saw tcp based nmap and xprobe scans all over the book but i did not see (and i apologize if overlooked) one instance of 'ip inspect tcp max-incomplete host block [block-time]' that would throw off the tcp scans

also
as far as routing protocol injection, it is never mentioned to simply apply acls and static arps to the interfaces where the route advertisements are recieved/sent (and i apologize if overlooked). the author will leave you feeling "well anyone can just inject routes into the routers table or perform a DoS even if md5 authentication is used to protect it". The worst that could happen is someone spoofs the ip and mac address of the peer. if security is of extreme importance then just run a gre/ipsec tunnel to tunnel the route advertisements between the routers.

in contrast
i feel the coverage of ike-scan and the insecurities of ike aggressive mode is excellent as well as issues with wireless. beyond that all the old historical attacks that affect pix 4.x - 5.x and ios 11.x shouldn't matter as if you are still running pix 5.x, you probably are not concerned enough with security to pick up the book

I think that it is difficult, perhaps impossible, to build a modern network that does include at least some Cisco equipment. Following the general set up rules in the various manuals produce a system architecture that is generally considered to be at least reasonably secure.

Basically this book may well change your mind on just how secure your Cisco system really is. As the major supplier of network equipment, Cisco is also the major target of the bad guys that are out there.

The information in this book is presented through the eyes of the penetrator. It discusses in a step-by-step way how to break into various Cisco devices on a network. By knowing how to break into the network, you can then go plug the holes in your system to keep other people from doing the same thing.

Much of the material here is available in bits and pieces around the web, in various postings, even in publication form. What this book does is bring all of the information together in one place. If you're already an expert on the subject, you might get a point or two here and there. If your just beginning to think about this kind of situation, here is a great way to get started.