Hacking Exposed Cisco Networks: Cisco Security Secrets & Solutions (Paperback)

by Andrew Vladimirov (Author), Konstantin Gavrilenko (Author), Andrei Mikhailovsky (Author) "The task of securing a corporate or organizational network with multiple routers, switches, servers, workstations, and other more exotic hosts is not easy to accomplish..." (more)
Key Phrases: echo request seq, rogue router, arp inspection, Risk Rating, Cisco Catalyst, Hacking Exposed (more...)

Editorial Reviews

Product Description
Here is the first book to focus solely on Cisco network hacking, security auditing, and defense issues. Using the proven Hacking Exposed methodology, this book shows you how to locate and patch system vulnerabilities by looking at your Cisco network through the eyes of a hacker. The book covers device-specific and network-centered attacks and defenses and offers real-world case studies.

From the Back Cover

Implement bulletproof Cisco security the battle-tested Hacking Exposed way

Defend against the sneakiest attacks by looking at your Cisco network and devices through the eyes of the intruder. Hacking Exposed Cisco Networks shows you, step-by-step, how hackers target exposed systems, gain access, and pilfer compromised networks. All device-specific and network-centered security issues are covered alongside real-world examples, in-depth case studies, and detailed countermeasures. It’s all here--from switch, router, firewall, wireless, and VPN vulnerabilities to Layer 2 man-in-the-middle, VLAN jumping, BGP, DoS, and DDoS attacks. You’ll prevent tomorrow’s catastrophe by learning how new flaws in Cisco-centered networks are discovered and abused by cyber-criminals. Plus, you’ll get undocumented Cisco commands, security evaluation templates, and vital security tools from hackingexposedcisco.com.

• Use the tried-and-true Hacking Exposed methodology to find, exploit, and plug security holes in Cisco devices and networks
• Locate vulnerable Cisco networks using Google and BGP queries, wardialing, fuzzing, host fingerprinting, and portscanning
• Abuse Cisco failover protocols, punch holes in firewalls, and break into VPN tunnels
• Use blackbox testing to uncover data input validation errors, hidden backdoors, HTTP, and SNMP vulnerabilities
• Gain network access using password and SNMP community guessing, Telnet session hijacking, and searching for open TFTP servers
• Find out how IOS exploits are written and if a Cisco router can be used as an attack platform
• Block determined DoS and DDoS attacks using Cisco proprietary safeguards, CAR, and NBAR
• Prevent secret keys cracking, sneaky data link attacks, routing protocol exploits, and malicious physical access

See all Editorial Reviews

Product Details

• Paperback: 400 pages
• Publisher: McGraw-Hill Osborne Media; 1 edition (December 15, 2005)
• Language: English
• ISBN-10: 0072259175
• ISBN-13: 978-0072259179
• Product Dimensions: 9.1 x 7.3 x 1.4 inches
• Shipping Weight: 2.2 pounds (View shipping rates and policies)
• Average Customer Review: 4.3 out of 5 stars See all reviews (10 customer reviews)
• Amazon.com Sales Rank: #551,056 in Books (See Bestsellers in Books)

Customer Reviews

Most Helpful Customer Reviews

14 of 14 people found the following review helpful:

4.0 out of 5 stars A strong book, with decent concepts, but needs some polishing, February 26, 2006

By	Sean E. Connelly "Just a bithead - CCIE#17085" (Alexandria, VA) - See all my reviews (REAL NAME)

Hacking Exposed Cisco Networks" (HECN) by Vladimirov, Gavrilenko, Vizulis and Mikhailovsky is the first book of it's kind to focus entirely on hacking the Cisco product line. The book offers a novel concept, and goes into some undocumented areas, but please do not expect to be seeing the enable-mode router prompt by page 50.

My first impression of Hacking Exposed Cisco Networks is that the book was simply 'rushed' to market. The book begins with an intro by Michael Lynn, who made a name for himself at the 2005 Black Hat Briefings by 'publicly demonstrating the ability to reliably exploit buffer overflows on Cisco routers.' My feeling is that after the Black Hat Briefings, a rush was put on HECN to have it published simply to ride on this wave.

The book is divided into 3 Parts and 1 Appendix and includes a total of 14 chapters. The first section, Foundations, gives a review of Cisco design models, different security elements (firewall, IDS, VPN and AAA) and examples of real world security issues.

The second section (and the main section of the book) is titled `Hacking the Box' and dives into various methods of penetrating Cisco devices. The first chapter in this section discusses using different information sources to develop a profile (what to search for on a web search engine, autonomous system discovery, Internet routing servers and tables, etc..). Next, a 50 page chapter discusses enumerating and fingerprinting Cisco devices. Subsequent chapters discuss password attacks, SNMP community string attacks, wardialing, IOS exploitation and password cracking. After penetrating a device, the next chapter shows how to exploit and preserve access.

The last section discusses protocol exploitation, which needs not be focused solely on Cisco devices; most of these attacks are common across all vendors. This includes chapters on exploiting Vlans, GRE packet injection, EAP-LEAP cracking. The last chapter discusses routing protocol exploitation including exploits for RIP, EIGRP and BGP. The Appendix includes listing undocumented Cisco commands. While these commands can also be found on the web, the book discusses ways to use the commands in context of a hacking exploit.

Some of the items I found useful from HECN:
* Chapter 4 provides a respectable list of AS profiling techniques. Starting on page 108 is an excellent introduction to a tool to help sniff routing updates (the autonomous system scanner).
* Chapter 5 provides a great chart on Cisco specific protocols (page 124). The chapter also has a very good discussion on Cisco fingerprinting.
* Chapter 8 provides a one-of-a-kind discussion on IOS memory dissection. I was extremely impressed by the discussion on stack heaps. The TFTP buffer overflow on page 281 is a great example of where the future of Cisco IOS hacking may lie. While some believe buffer overflows are soooo 2005, I think believe there is amply room to further explore this within the context of Cisco devices.

HECN also has some weak areas:
* page 24 - mentions all routers support NTP - not true, some of the lower-end IOSs only support SNTP.
* page 28 - mentions `extra flags' for UDP connections. UDP has no flags, but certainly TCP does.
* page 133 - mentions a tool, the "ST-divine tool", as available on the book's website, but the tool is not listed at the book's website.
* Chapters 1 and 3 really don't offer anything new, and only distract from the overall quality of the book.

These and other such typos/editorial mistakes don't distract too much from the overall focus of HECN. The book tries to be a proof-of-concept with many different exploits. One feels that the authors were huddled around a few Cisco boxes, trying whatever exploits they could find to bust the box. It would be very easy to rack up some routers and switches, copy the configurations provided in the book, and follow them page by page as they perform various hacking techniques.

As an owner of over 50 books dedicated to Cisco, this book goes into an area not covered by any other book in my library. And, for that fact alone, I have to respect the book. However, I have to believe that if HECN had only gone through a further round of editing, that the overall structure of the book would be much better. In the end, I do recommend this book, simply because of the novelty of the subject and due to the amount of effort that is apparent throughout the text.

I give this book 4 pings out of 5:
!!!.!

11 of 11 people found the following review helpful:

4.0 out of 5 stars A good first cut at Cisco-centric attack and defense, March 10, 2006

By	Richard Bejtlich "TaoSecurity.com" (Washington, DC) - See all my reviews (TOP 500 REVIEWER)    (REAL NAME)

I've always been a fan of Osborne's Hacking Exposed books (although subjects like "Computer Forensics" don't seem to fit the spirit of the series). I previously read Wi-Foo: The Secrets of Wireless Hacking by the same authors who wrote Hacking Exposed: Cisco Networks (HECN). Comparing the two books, I agree with previous reviewer Sean E. Connelly; I think HECN was rushed to market. The book needs better technical review, proofreading, and copyediting as well. Nevertheless, I still recommend reading HECN -- it's a unique book on a critical subject.

One of the more striking aspects of HECN is the amount of original research committed to the book. Sure, the authors document already known Cisco vulnerabilities. However, they also developed a suite of tools to implement attacks discussed in HECN. They demonstrate how to apply various tools and when those applications are realistic. HECN's authors discovered a variety of new exploits (documented at the book Web site) which they submitted to Cisco's PSIRT. I appreciated this degree of originality.

HECN is on the leading edge of attacks happening right now. While reading the book I assisted with an incident response involving a Cisco switch. It appeared that bot net command-and-control traffic was originating from a switch on a client network. Upon closer inspection, I could tell that unknown intruders were bouncing IRC traffic through the management interface of the switch, probably using a variant of the ciscoBNC tool introduced in Ch 10. HECN also describes the possibilities offered by Tcl scripting on Cisco routers, which I expect to see intruders abuse.

I had two sorts of problems with HECN. First, the text can be somewhat confusing to follow. In some parts this is caused by the authors' writing style. In others confusion is caused by the authors' unwillingness to fully describe sensitive exploitation techniques. For example, they mention ways to reverse engineer and/or patch IOS binary images, but they are deliberately vague. This helps the authors stay out of trouble with Cisco, but it leaves the reader frustrated. The second problem with HECN involves the tone of the book. In some places I was left wondering why the authors made certain comments. A good example of material that should simply be dropped is the final "case study" at the end of the book.

Some minor technical issues should be fixed in future editions. In addition to those outlined by previous reviewers, I would add the item on p 460 that says AH is IP proto 49; it should be 51. I also thought the Nmap scanning recommendations on p 136 were somewhat silly. It's best to stick with the simplest scan possible and avoid the poorly-named "stealth" options Nmap offers. Finally, some of the screen shots were too fuzzy. Images taken from Ethereal in Ch 4 are examples of this problem.

Overall, I would still buy HECN. Administrators and security professionals must recognize that Cisco equipment (along with infrastructure from other vendors) are actively targeted, exploited, and abused by intruders. HECN explains how this happens and what you can do to prevent, or at least detect, these compromises. It's like 1999 all over again -- get the Hacking Exposed title that will help you mitigate a new class of threats!

4 of 4 people found the following review helpful:

5.0 out of 5 stars Excellent Book!!!, February 13, 2006

By	Niki Edwards "Niki" (Seattle, USA) - See all my reviews

I found this book super and rather helpful in my CCIE Security exam preparations. After all, this seems to be the only source on Cisco-related attacks available in print. The attacks are well-outlined and supplied with appropriate countermeasures; the fact that the authors did not dwell on common knowledge generic attacks like ARP injections (although the countermeasures against these are provided) is also good, since I can read about them elsewhere. I was also quite surprised to see the bold attempts at supplying two algorithms for constructing IOS worms. Perhaps, such data should not be put onto the public domain, but than, won't the Black Hats think along the same lines anyway ?

As to the comments above, the scans of devices are limited to a single chapter where they rightfuly belong. And "ip inspect tcp max-incomplete host block" is by no means a panacea. First of all, TCP scanning is not limited to the SYN scans. Second, before setting a limit on the TCP half-connects one has to baseline the network behavior first and find out how common the half-connects to the protected hosts are and why do they occur, otherwise there could be connectivity troubles. So, in my opinion, the methods of hiding your routers from attackers described in the book are quite sufficient.