Cisco routers, the document at access/800/850/software/configuration/guide/routconf.pdf will be a great help.

Types of Router Attacks

Routers can be vulnerable to several types of attacks, including router table poisoning. Router table poisoning is one of the most common and effective attacks. To carry out this type of attack, an attacker alters the routing update packets that the routing protocols depend on. This results in incorrect entries in the routing table. This, in turn, can result in artificial congestion, can overwhelm the router, or can allow an attacker access to data in the compromised network by sending data to a different destination or over a different route than anticipated.

Getting Evidence from the Router

Even though a router is just a special-purpose computer running a routing program, getting evidence from a router is quite different from getting evidence from a PC, laptop, or server. The first major difference is that with a router, you do not shut down the device and image it. The reason is that once you shut it down, you will potentially have lost valuable evidence. For this reason, router forensics requires a great deal of care. You must make absolutely certain not to alter anything, and you must be meticulous in documenting your process.

The first step is to connect to the router so you can run certain commands. HyperTerminal is a free tool that can be used to connect to and interact with your routers. Because the router is live, it is important to record everything you do. Fortunately, HyperTerminal makes this easy, as shown in Figure 12-5.

Several commands are important to router forensics. The most important and most commonly used commands for Cisco routers are described here. The commands for different brands of routers, or even different Cisco routers, may be different, but there are equivalent commands:

FIGURE 12-5 Recording with HyperTerminal. Courtesy of HILGRAEVE

250 PART 2 | Technical Overview: System Forensics Tools, Techniques, and Methods
The show version command provides a significant amount of hardware and software detail about the router. It displays the platform, operating system version, system image file, any interfaces, the amount of RAM the router has, and the number of network and voice interfaces there are.

The show running-config command provides the currently executing configuration.

The show startup-config command provides the system's start-up configuration. Differences between show startup-config and show running-config can be indicative of a hacker having altered the system.

The show ip route command shows the routing table. Manipulating that routing table is one primary reason hackers infiltrate routers.

You will probably find the preceding commands useful in your forensic examination. However, you may find several other commands useful as well, including the following:

• show clock detail
• show reload
• show ip arp
• show users
• show logging
• show ip interface
• show interfaces
• show tcp brief all
• show ip sockets
• show ip nat translations verbose
• show ip cache flow
• show ip cef
• show snmp user
• show snmp group

The release of version 11.2 of Cisco IOS (operating system) introduced the new command
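To illustrate the startup-config versus running-config comparison described above, here is an added Python example (not from the book) that normalizes two saved captures of those commands and reports which configuration lines differ. The preamble prefixes it ignores, the function names, and the two sample captures are constructed for this example.

```python
import difflib

# Preamble lines that legitimately differ between the two captures and carry no
# configuration (assumed set, based on common Cisco IOS output).
VOLATILE_PREFIXES = ("Building configuration", "Current configuration", "Using ", "!")

def normalize(config_text):
    """Return the configuration lines of a capture, dropping blanks and preambles."""
    lines = []
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if line.strip() and not line.startswith(VOLATILE_PREFIXES):
            lines.append(line)
    return lines

def diff_configs(startup_text, running_text):
    """Return (added, removed): lines only in running-config, lines only in startup-config."""
    added, removed = [], []
    for entry in difflib.ndiff(normalize(startup_text), normalize(running_text)):
        if entry.startswith("+ "):      # live config has a line the saved config lacks
            added.append(entry[2:])
        elif entry.startswith("- "):    # saved config has a line gone from the live config
            removed.append(entry[2:])
    return added, removed   # a non-empty result is a lead to examine, not proof of tampering

# Constructed sample captures (not real device output), using documentation addresses.
STARTUP_CONFIG = """\
Using 742 out of 262144 bytes
hostname edge-rtr
!
interface GigabitEthernet0/0
 ip address 192.0.2.10 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 192.0.2.1
logging host 192.0.2.50
"""

RUNNING_CONFIG = """\
Building configuration...

Current configuration : 801 bytes
hostname edge-rtr
!
interface GigabitEthernet0/0
 ip address 192.0.2.10 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 192.0.2.1
ip route 203.0.113.0 255.255.255.0 198.51.100.7
"""
```

Calling diff_configs(STARTUP_CONFIG, RUNNING_CONFIG) on the samples reports the extra static route present only in the live configuration and the logging host that the saved configuration still lists, which is exactly the kind of discrepancy the text says warrants a closer look.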