Router Vulnerabilities

**thatch** · July 15th, 2006, 01:59 PM

In my organisation we have a number of routers. These are configured via telnet (which i know sends in clear text) and are not updated with security patches after vulnerabilties are released. Although these are secured with passwords, no logging is set up on these to monitor access. some of these accept dialup connections and other are used to router traffic between sites.

Can anyone tell me what attacks are these routers vulnerable to? i'm guessing DOS attacks through people sniffing the clear test password and then screwing the config up, but could these also be vulnerable to someone diverting certain traffic elsewhere and operating at man-in-the-middle attack? or are there other types of attack that i should be more worried about?

Thanks

Thatch

**576869746568617** · July 15th, 2006, 02:23 PM

What brand and model of router are we talking about, and what software/firmware version are they running? We can speculate all day long, but with specifics, we can give you a more thorough analysis that will be a targeted more to what you would actually be potentially vulnerable to.

For example a Netopia R2020 router running firmare v4.11.3 will have different vulnerabilities than a Cisco 1720 running IOS v11.0.2, etc.

CC

**thatch** · July 15th, 2006, 02:35 PM

mostly cisco, but many different models.

all i really need to know at this stage is the types of attack that are possible rather than specifics. i have a meeting soon which i would like to use the information i'm gathering to make my bosses aware that vulnerabilities exist even though we are beind a firewall. hopefully this will support my argument for proper training, policies and a user awareness programme.

***morganlefay*** · July 15th, 2006, 03:40 PM

why dont you just do a google search and do some reading

http://www.google.ca/search?hl=en&sa...lities&spell=1

MLF

***thehorse13*** · July 15th, 2006, 04:08 PM

Off the bat, you're vulnerable to sniffing attacks on the router's credentials. Isn't that bad enough? Cisco recommends that you use SSH instead of telnet. There are tons of documents that can help you set this up.

Personally, I use a management rail for infrastructure management.

--TH13

***phishphreek*** · July 15th, 2006, 06:16 PM

Originally posted here by thehorse13
Off the bat, you're vulnerable to sniffing attacks on the router's credentials. Isn't that bad enough? Cisco recommends that you use SSH instead of telnet. There are tons of documents that can help you set this up.

--TH13

Yes. That is the first thing that came to my mind.

Also, do you have ACLs that only allow access from certain machines/subnets?

Cisco has quite a few vulnerabilities that allow compromise of the configs and DoS attacks depending on your featuresets.

Security Forrest and Metasploit both have quite a few point and click or ready to run exploits in their databases.

http://www.securityforest.com/wiki/index.php/Main_Page
http://www.metasploit.com/

Backtrack has a bunch of footprinting/enumeration/exploits already included in their live cd for various routers.

http://www.remote-exploit.org/index.php/BackTrack

**thatch** · July 15th, 2006, 08:30 PM

Thanks for pointing me in the right direction guys, now i have a better idea what i'm looking for, i can go away and do some reading.

Thread: Router Vulnerabilities

Thread Tools

Display

Router Vulnerabilities

Posting Permissions