How Jason Infiltrated the CubeFarm & Analyzing the TCPdump Log File

The Cisco Scanner v1.3, "ciscos.c", scans Class A, B, and C networks for Cisco routers that have telnet open and are using the password "cisco". Jason ran the scanner against the address range 192.168.*.* and wrote all of the results to a text file called cisco.txt. He then used a Linux utility equivalent to the Unix tail -f command, which prints new lines of a growing log file in real time, to watch the most recent entries in cisco.txt; those entries can be found below.

Jason found two routers:
192.168.130.11
192.168.134.55

We can assume that earlier scans by Jason had already turned up the CubeFarm Milo router at 192.168.130.1 as a potential attack target.

Jason telnetted into the Ethernet 0 interface of the CubeFarm Milo router at IP address 192.168.130.1, where he was able to view the router's running configuration. He then initiated large-packet pings from the router's FastEthernet 0 interface to the 10.3.13.37 network, causing a denial of service. Running ping at the command line in privileged EXEC mode prompts for a series of options: Jason could specify the target address and the size of the ping packets he wanted to send. Different IOS versions support different ranges of packet sizes. The Cisco routers at the CubeFarm run IOS version 12 images, and IOS version 12 supports a maximum packet size of 18024 bytes.

From the tcpdump traffic report sent by the ISP, it is obvious that the traffic originated from 192.168.130.1 and was directed at the 10.3.13.37 network, and that it consisted of packet fragments. The log file contained 4 ICMP echo requests from 192.168.130.1, each made up of multiple fragments. This means the packets being sent were too large to be transmitted whole and had to be fragmented into multiple smaller packets. No ICMP echo reply was recorded, meaning the target never answered: the result was a denial of service caused by a ping of death.
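As an added example (not part of the original write-up or the ISP's log), the check below parses tcpdump-style lines and flags source/destination pairs whose echo requests were fragmented and never answered, which is exactly the pattern described above. The sample lines are constructed; they assume tcpdump's default output, in which only the first fragment of a large ping is labelled an ICMP echo request and the remaining fragments appear as ip-proto-1.

```python
import re
from collections import defaultdict

# Constructed sample in tcpdump's default output style (not the ISP log the
# write-up describes): two oversized echo requests, each followed by
# continuation fragments, and one ordinary ping that does get answered.
SAMPLE_LOG = """\
10:14:02.118113 IP 192.168.130.1 > 10.3.13.37: ICMP echo request, id 4, seq 0, length 1480
10:14:02.118120 IP 192.168.130.1 > 10.3.13.37: ip-proto-1
10:14:02.118127 IP 192.168.130.1 > 10.3.13.37: ip-proto-1
10:14:02.118301 IP 192.168.130.1 > 10.3.13.37: ICMP echo request, id 4, seq 1, length 1480
10:14:02.118308 IP 192.168.130.1 > 10.3.13.37: ip-proto-1
10:14:03.000017 IP 192.168.1.20 > 192.168.1.1: ICMP echo request, id 9, seq 0, length 64
10:14:03.000451 IP 192.168.1.1 > 192.168.1.20: ICMP echo reply, id 9, seq 0, length 64
"""

# <timestamp> IP <src> > <dst>: <rest of line>
LINE_RE = re.compile(r"^\S+ IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): (?P<info>.*)$")

def summarize_icmp(text):
    """Per (src, dst): count echo requests, continuation fragments, echo replies.

    tcpdump prints the first fragment of a large ping as a normal
    'ICMP echo request'; later fragments carry no ICMP header, so tcpdump
    can only label them 'ip-proto-1' (IP protocol 1 = ICMP).
    """
    stats = defaultdict(lambda: {"requests": 0, "fragments": 0, "replies": 0})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that is not an IPv4 summary line
        key, info = (m["src"], m["dst"]), m["info"]
        if info.startswith("ICMP echo request"):
            stats[key]["requests"] += 1
        elif info.startswith("ICMP echo reply"):
            stats[key]["replies"] += 1
        elif info.startswith("ip-proto-1"):
            stats[key]["fragments"] += 1
    return dict(stats)


def flag_unanswered_fragmented_pings(text):
    """(src, dst) pairs that sent fragmented echo requests and saw no reply back."""
    stats = summarize_icmp(text)
    return [
        (src, dst)
        for (src, dst), s in stats.items()
        if s["requests"] and s["fragments"]
        and stats.get((dst, src), {}).get("replies", 0) == 0
    ]
```

Run against a real capture, a flagged pair with many requests and zero replies is the signature to alert on; a normal ping shows one unfragmented request per reply.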