Please bear in mind that the attacker *must* acquire credentials to access the box before exploitation. Please discuss liberally.

- ferg'

On 9/15/2015 1:46 PM, Stephen Satchell wrote:
> On 09/15/2015 11:40 AM, Jake Mertel wrote:
>> C) keep the image firmware file size the same, preventing easy
>> detection of the compromise.
>
> Hmmm...time to automate the downloading and checksumming of the
> IOS images in my router. Hey, Expect, I'm looking at YOU.
>
> Wait a minute...doesn't Cisco have checksums in its file system?
> This might be even easier than I thought, no TFTP server
> required...
>
> http://www.cisco.com/web/about/security/intelligence/iosimage.html#10
>
> Switch#dir *.bin
>
> (Capture the image name)
>
> Switch#verify /md5 my.installed.IOS.image.bin
>
> The output is a bunch of dots (for a switch) followed by an output
> line that ends "= xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" with the
> x's replaced with the MD5 hash.
>
> The command is on 2811 routers, too. Maybe far more devices, but
> I didn't want to take the time to check. You would need to capture
> the MD5 from a known good image, and watch for changes.

--
Paul Ferguson
PGP Public Key ID: 0x54DC85B2
Key fingerprint: 19EC 2945 FEE8 D6C8 58A1 CE53 2896 AC75 54DC 85B2
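The check Stephen Satchell sketches above (list the `.bin` images with `dir`, run `verify /md5` on each, compare against a recorded known-good digest and flag changes), written out as an added example that is not code from the thread. It assumes the caller supplies a function that returns the raw `verify /md5` output for an image name (an Expect or SSH session in practice); the `dir` and `verify` output, image names and digests below are constructed placeholders.

```python
import re
from typing import Callable, Dict, List, Optional
_MD5_LINE = re.compile(r"=\s*([0-9a-fA-F]{32})\s*$", re.MULTILINE)  # "... = <md5>" line after the dots
_DIR_ENTRY = re.compile(r"^\s*\d+\s+\S+\s+\d+\s+.*?\s(\S+\.bin)\s*$", re.MULTILINE)  # one `dir` file row

def parse_dir_bins(dir_output: str) -> List[str]:
    """Image file names listed by `dir *.bin`."""
    return _DIR_ENTRY.findall(dir_output)

def parse_verify_md5(verify_output: str) -> Optional[str]:
    """Digest from the last line of `verify /md5 <image>`, or None if no digest line is present."""
    match = _MD5_LINE.search(verify_output)
    return match.group(1).lower() if match else None

def check_images(baseline: Dict[str, str], observed: Dict[str, Optional[str]]) -> Dict[str, str]:
    """Status per image: ok, MISMATCH (digest changed), MISSING (baseline image gone),
    NOHASH (verify printed no digest) or UNKNOWN (image present but not in the baseline)."""
    status: Dict[str, str] = {}
    for name, good in baseline.items():
        if name not in observed:
            status[name] = "MISSING"
        elif observed[name] is None:
            status[name] = "NOHASH"
        else:
            status[name] = "ok" if observed[name] == good.lower() else "MISMATCH"
    for name in observed:
        status.setdefault(name, "UNKNOWN")
    return status

def audit(dir_output: str, run_verify: Callable[[str], str], baseline: Dict[str, str]) -> Dict[str, str]:
    """One pass: list the images, run verify /md5 on each, compare against the baseline."""
    observed = {name: parse_verify_md5(run_verify(name)) for name in parse_dir_bins(dir_output)}
    return check_images(baseline, observed)
# Constructed sample output, not captured from a real device; image names are placeholders.
SAMPLE_DIR = """Directory of flash:/*.bin
    2  -rwx    12345678   Mar 1 1993 00:05:12 +00:00  c2960-example-image.bin
    5  -rwx     9876543   Mar 1 1993 00:06:40 +00:00  c2960-older-image.bin
65536000 bytes total (40000000 bytes free)
"""
SAMPLE_VERIFY = {  # stands in for the Expect/SSH session that would run `verify /md5` on the device
    "c2960-example-image.bin": "..........Done!\nverify /md5 (flash:c2960-example-image.bin) = 0123456789ABCDEF0123456789ABCDEF\n",
    "c2960-older-image.bin": "....Done!\nverify /md5 (flash:c2960-older-image.bin) = ffffffffffffffffffffffffffffffff\n",
}
BASELINE = {  # known-good digests recorded when each image was installed (constructed values)
    "c2960-example-image.bin": "0123456789abcdef0123456789abcdef",
    "c2960-older-image.bin": "00000000000000000000000000000000",
    "c2960-retired-image.bin": "11111111111111111111111111111111",
}
REPORT = audit(SAMPLE_DIR, SAMPLE_VERIFY.__getitem__, BASELINE)
print(REPORT)  # example ok, older-image MISMATCH, retired-image MISSING
```

Because `verify /md5` is computed by the IOS already running on the box, treat a changed or missing digest as a detection signal to act on, and confirm offline against a pulled copy of the image and the hash Cisco publishes.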