You got me on the packet cops argument. But, I don't think you can compare enabling features (possibly as simple as changing a couple je ops to jmp ops or a couple bytes here/there) to writing a whole block of IOS assembly code to facilitate a backdoor ...
... but, uh oh, my ignorance is showing again ;-).

-J Scott

On Fri, May 7, 2010 at 2:34 PM, Jared Mauch <ja...@puck.nether.net> wrote:
>
> On May 7, 2010, at 4:48 PM, Judah Scott wrote:
>
>> Distributing compromised images isn't all that useful either because
>> it will be difficult to track down which routers the backdoors
>> (presumably that's what a compromised image would go for) were
>> installed to unless they send out packets notifying their installation
>> location, which would be easy to detect.
>
> There are very few people that understand what packets are emitted from their
> networks. If you had the 'packet cops' sitting guarding your edge, you might
> be shocked at the level of data that is casually leaving your network. Many
> vendors also don't understand what packets are emitted from the devices in the
> first place, eg: cdp/lldp/etc which may lead to data leakage.
>
> Very few people do analysis of this, so don't realize that their routers may
> by default emit decnet frames, or know enough to figure out how to disable it.
>
> A heartbeat packet sent with critical information (in cleartext) would be
> plenty enough data to figure it out.
>
> As for your reverse engineering of the software, look no further than the
> 7200 simulator software out there that would make it easier for someone to
> decipher what is going on. Most images are actually zip files (-mz) you can
> get at and perform more detailed analysis on should you be interested in this
> space.
>
> Sneaking a hypervisor in someplace, or in the loader part of the -mz image,
> may not be as hard as you think. I've seen people here and elsewhere that
> have posted how to binary edit your IOS to enable/disable features.
>
> - Jared

_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
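Jared's point above is that almost nobody looks at which link-layer protocols their routers emit by default (CDP, LLDP, DECnet/MOP and the like), so a cleartext heartbeat from a trojaned image would likely go unnoticed in that noise. The script below is an added example, not code from the thread or from any poster: a minimal "packet cops" pass over raw Ethernet frames captured at an edge that classifies each frame (Ethernet II EtherType, or 802.3 LLC/SNAP with OUI and protocol ID) and flags the discovery and legacy protocols that usually should never cross the edge. The sample frames are constructed inline, with throwaway payloads, so it runs offline; the protocol tables are limited to the well-known identifiers listed in the code, and anything else is reported by number rather than guessed.

```python
"""Passive egress audit of raw Ethernet frames (added example, not from the thread).

Classifies each frame by protocol and flags protocols a router tends to emit by
default that should not leave a network edge. Frames below are constructed, not captured.
"""
import struct
from collections import Counter

# Ethernet II EtherTypes of interest (only well-known values; others are reported by number).
ETHERTYPE_NAMES = {
    0x0800: "IPv4",
    0x0806: "ARP",
    0x86DD: "IPv6",
    0x88CC: "LLDP",
    0x6001: "DEC MOP dump/load",
    0x6002: "DEC MOP remote console",
    0x6003: "DECnet Phase IV",
}
# 802.3 LLC/SNAP protocols keyed by (OUI, protocol id); Cisco OUI 00:00:0c.
SNAP_NAMES = {
    (0x00000C, 0x2000): "CDP",
    (0x00000C, 0x2004): "DTP",
}
# Protocols that leak topology or device details and have no business at the edge.
NOISY = {"CDP", "LLDP", "DTP", "DEC MOP dump/load", "DEC MOP remote console", "DECnet Phase IV"}


def classify_frame(frame: bytes) -> str:
    """Return a protocol name for one raw Ethernet frame.

    Ethernet II if the type/length field is >= 0x0600, otherwise 802.3 with an
    LLC header; DSAP/SSAP 0xAA/0xAA means a SNAP header (OUI + protocol id) follows.
    """
    if len(frame) < 14:
        return "runt"
    type_or_len = struct.unpack("!H", frame[12:14])[0]
    if type_or_len >= 0x0600:
        return ETHERTYPE_NAMES.get(type_or_len, f"ethertype 0x{type_or_len:04x}")
    if len(frame) < 22:  # 14 MAC header + 3 LLC + 3 OUI + 2 PID
        return "802.3 (truncated LLC)"
    dsap, ssap = frame[14], frame[15]
    if dsap == 0xAA and ssap == 0xAA:
        oui = int.from_bytes(frame[17:20], "big")
        pid = struct.unpack("!H", frame[20:22])[0]
        return SNAP_NAMES.get((oui, pid), f"SNAP oui=0x{oui:06x} pid=0x{pid:04x}")
    return f"802.3 LLC dsap=0x{dsap:02x}"


def audit(frames):
    """Count frames per protocol and return (all counts, counts of flagged protocols)."""
    counts = Counter(classify_frame(f) for f in frames)
    flagged = {name: n for name, n in counts.items() if name in NOISY}
    return counts, flagged


# --- constructed sample frames (payload bytes are filler, not real protocol PDUs) ---
def eth2(dst, src, ethertype, payload):
    return dst + src + struct.pack("!H", ethertype) + payload


def snap(dst, src, oui, pid, payload):
    llc = bytes([0xAA, 0xAA, 0x03]) + oui.to_bytes(3, "big") + struct.pack("!H", pid)
    body = llc + payload
    return dst + src + struct.pack("!H", len(body)) + body


ROUTER = bytes.fromhex("001122334455")           # hypothetical router MAC
HOST = bytes.fromhex("0a0b0c0d0e0f")             # hypothetical host MAC
CDP_MCAST = bytes.fromhex("01000ccccccc")        # well-known CDP destination
LLDP_MCAST = bytes.fromhex("0180c200000e")       # well-known LLDP destination
MOP_MCAST = bytes.fromhex("ab0000020000")        # DEC MOP remote console multicast

SAMPLE_FRAMES = [
    snap(CDP_MCAST, ROUTER, 0x00000C, 0x2000, b"\x02\xb4" + b"\x00" * 20),  # CDP v2, filler TLVs
    eth2(LLDP_MCAST, ROUTER, 0x88CC, b"\x02\x07\x04" + b"\x00" * 20),      # LLDP, filler TLVs
    eth2(MOP_MCAST, ROUTER, 0x6002, b"\x00" * 20),                          # MOP remote console
    eth2(HOST, ROUTER, 0x0800, b"\x45" + b"\x00" * 19),                     # ordinary IPv4
    eth2(ROUTER, HOST, 0x0800, b"\x45" + b"\x00" * 19),                     # ordinary IPv4
    eth2(b"\xff" * 6, HOST, 0x0806, b"\x00\x01\x08\x00" + b"\x00" * 24),    # ARP
]

if __name__ == "__main__":
    counts, flagged = audit(SAMPLE_FRAMES)
    for name, n in counts.most_common():
        print(f"{n:4d}  {name}{'  <-- should not leave the edge' if name in NOISY else ''}")
    print("flagged protocols:", sorted(flagged))
```

In practice you would feed this the frames from a span port or a pcap taken at the edge and extend NOISY with whatever your environment considers abnormal; the useful output is the per-protocol baseline, because a periodic cleartext beacon from a device shows up as a steady count of an EtherType or SNAP pair you cannot explain.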