CREED (Cisco Router Evidence Extraction Disk)

Tuesday, March 4, 2008

This disk was created at the request of Jesse Kornblum at the Air Force OSI,
who wanted a way to have non-investigative personnel collect forensic
information from a Cisco router automatically. (And I have to admit, Jesse
came up with the name...)


Download
--------
Here is a raw image of the CREED floppy: creed-0-2.dd
MD5 (creed-0-2.dd) = db1f69c1b990be87fae379b0e9d5b8bf


Install
-------

You need to have a /dev/fd0u1722 device on your system. Under Linux
you can create this device with 'mknod /dev/fd0u1722 b 2 60'. Put a
floppy in the drive and format it to 1.7 MB with 'fdformat /dev/fd0u1722'.
Finally dd the image to that floppy with
'dd if=creed-0-2.dd of=/dev/fd0u1722'


How to use it
-------------
- Put the CREED boot floppy into a: and boot your system
- Connect your Serial 1 to the router's console port
- Remove the boot floppy and insert a DOS-formatted evidence floppy
- Type 'acquire'
- Log in to the router
- Type 'enable' and the correct password to enter privileged mode
- The system will take over from there!


Commands run and Information Collected
--------------------------------------
The following commands are run to collect as much useful dynamic information
from the router as possible. This list is an expanded version of the one
in my Hardening Cisco Routers book...

# terminal length 0
# dir /all
# show clock detail
# show ntp
# show version
# show running-config
# show startup-config
# show reload
# show ip route
# show ip arp
# show users
# show logging
# show interfaces
# show ip interfaces
# show access-lists
# show tcp brief all
# show ip sockets
# show ip nat translations verbose
# show ip cache flow
# show ip cef
# show snmp users
# show snmp groups
# show clock detail
# exit


How it's done
--------------
I took a recent tomsrtbt (www.toms.net/rb) image and customized it by:
- removing some binaries to create space
- getting the source for the miterm binary and customizing it to
connect and extract information from a Cisco router automatically
- adding a script called acquire that connects to the router with miterm
and, after you log into privileged mode, automatically runs the commands
above to collect information. The script then saves this information to a
DOS-formatted floppy in /dev/fd0
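The acquire flow described above (wait for the privileged prompt, run the command
list, save the output to a DOS-named evidence file) as an added example in Python.
This is not CREED's miterm or acquire code; it is an illustrative expect-style
collector. The transport is any object with read() returning bytes and write()
taking bytes; on a real console it would be a pyserial Serial object on the port
wired to the router (an assumption, pyserial is not imported here). The FakeRouter
class and its canned replies are constructed for the example and stand in for the
serial link so the block runs offline.

```python
"""Expect-style Cisco console collector (added example, not the page's code)."""
from __future__ import annotations
import hashlib
import re
import time

# Same commands, same order, as the page lists them; the second
# 'show clock detail' brackets the collection window.
COMMANDS = [
    "terminal length 0", "dir /all", "show clock detail", "show ntp",
    "show version", "show running-config", "show startup-config",
    "show reload", "show ip route", "show ip arp", "show users",
    "show logging", "show interfaces", "show ip interfaces",
    "show access-lists", "show tcp brief all", "show ip sockets",
    "show ip nat translations verbose", "show ip cache flow", "show ip cef",
    "show snmp users", "show snmp groups", "show clock detail",
]

# CREED assumes any '#' means privileged mode.  This stricter pattern wants
# "<hostname>#" alone at the very end of what the router has sent so far, so
# a '#' inside a banner or config line does not cut a command's output short.
PRIV_PROMPT = re.compile(r"(?m)^([\w.-]+)#[ \t]*\Z")


def dos83_name(hostname: str, ext: str = "TXT") -> str:
    """Evidence file name on a DOS floppy: 8-character base, 3-character ext."""
    base = re.sub(r"[^A-Za-z0-9_-]", "_", hostname)[:8].upper() or "ROUTER"
    return f"{base}.{ext[:3].upper()}"


def md5_hex(text: str) -> str:
    """Hash of the evidence text, to record alongside the file on the floppy."""
    return hashlib.md5(text.encode("ascii", "replace")).hexdigest()


class ConsoleCollector:
    def __init__(self, link, timeout: float = 5.0):
        self.link = link          # read() -> bytes, write(bytes); e.g. serial.Serial
        self.timeout = timeout

    def _read_until_prompt(self) -> tuple[str, str]:
        """Accumulate console bytes until a privileged prompt ends the buffer."""
        buf = b""
        deadline = time.monotonic() + self.timeout
        while time.monotonic() < deadline:
            chunk = self.link.read()
            if not chunk:
                time.sleep(0.01)
                continue
            buf += chunk
            text = buf.decode("ascii", "replace").replace("\r\n", "\n")
            m = PRIV_PROMPT.search(text)
            if m:
                return text[: m.start()], m.group(1)
        raise TimeoutError("no privileged prompt seen; did 'enable' succeed?")

    def run(self, command: str) -> str:
        """Send one command and return its output without the echoed line."""
        self.link.write(command.encode("ascii") + b"\r")
        out, _ = self._read_until_prompt()
        lines = out.split("\n")
        if lines and lines[0].strip() == command:
            lines = lines[1:]
        return "\n".join(lines).strip("\n")

    def acquire(self) -> tuple[str, str]:
        """Bare CR to learn the hostname from the prompt, then run COMMANDS."""
        self.link.write(b"\r")
        _, hostname = self._read_until_prompt()
        parts = [f"{hostname}#{cmd}\n{self.run(cmd)}\n" for cmd in COMMANDS]
        return hostname, "".join(parts)


class FakeRouter:
    """Constructed stand-in for the serial link: echoes the command, answers
    from a small canned table, then shows the privileged prompt again."""
    HOSTNAME = "edge-rtr1"
    REPLIES = {
        "show clock detail": "10:02:11.455 UTC Tue Mar 4 2008\nTime source is NTP",
        "show users": "    Line       User       Host(s)    Idle       Location\n"
                      "*  0 con 0                idle       00:00:00",
    }

    def __init__(self):
        self.pending = f"{self.HOSTNAME}#".encode()

    def write(self, data: bytes) -> None:
        cmd = data.decode().rstrip("\r\n")
        body = self.REPLIES.get(cmd, "")
        self.pending += f"{cmd}\r\n{body}\r\n{self.HOSTNAME}#".encode()

    def read(self) -> bytes:
        chunk, self.pending = self.pending[:16], self.pending[16:]   # 16 bytes at a time
        return chunk


if __name__ == "__main__":
    host, evidence = ConsoleCollector(FakeRouter()).acquire()
    print(dos83_name(host), md5_hex(evidence))
```

The prompt test is the part worth adapting: the page's script accepts any "#", which
is fast but fragile; anchoring on the hostname learned from the first prompt keeps a
"#" in a banner or ACL remark from ending a capture early.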


Caveats
--------
- The script assumes that a "#" is the prompt that indicates privileged
mode
- When the evidence file is transferred to the floppy its name is truncated
to 8 characters (DOS 8.3 naming)


TODO
-----
- build miterm with libc5 instead of libc6, that way it doesn't have to be
built statically and won't take up so much darn space
- create a nice make package around it that makes it easy to modify the commands you want run.

Download Creed

-- Anish
