-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Please bear in mind hat the attacker *must* acquire credentials to access the box before exploitation. Please discuss liberally. - - ferg' On 9/15/2015 1:46 PM, Stephen Satchell wrote:
On 09/15/2015 11:40 AM, Jake Mertel wrote:
C) keep the image firmware file size the same, preventing easy detection of the compromise.
Hmmm...time to automate the downloading and checksumming of the IOS images in my router. Hey, Expect, I'm looking at YOU.
Wait a minute...doesn't Cisco have checksums in its file system? This might be even easier than I thought, no TFTP server required...
http://www.cisco.com/web/about/security/intelligence/iosimage.html#10
Switch#dir *.bin
(Capture the image name)
Switch#verify /md5 my.installed.IOS.image.bin
The output is a bunch of dots (for a switch) followed by an output line that ends "= xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" with the x's replaced with the MD5 hash.
The command is on 2811 routers, too. Maybe far more devices, but I didn't want to take the time to check. You would need to capture the MD5 from a known good image, and watch for changes.
- -- Paul Ferguson PGP Public Key ID: 0x54DC85B2 Key fingerprint: 19EC 2945 FEE8 D6C8 58A1 CE53 2896 AC75 54DC 85B2 -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iF4EAREIAAYFAlX49WcACgkQKJasdVTchbLjjgD/Rk1cUvT+qj/YzzN8lLpdmYIE hcxlz1jT+PsBMpxsu8kA/jisyNpYa1zB5cUZq/p/C/c5cqfX9BAtBX6C98oXd0dS =MV8U -----END PGP SIGNATURE-----