312-50V13 · Question #149
The network administrator at Spears Technology, Inc has configured the default gateway Cisco router's access-list as below: You are hired to conduct security testing on their network. You successfully
The correct answer is B. Run a network sniffer and capture the returned traffic with the configuration file from the router D. Send a customized SNMP set request with a spoofed source IP address in the range -. Given a successfully brute-forced SNMP community string but an access-list preventing direct connection from the attacker's IP, an attacker could either sniff network traffic for configuration data or send spoofed SNMP requests from a permitted IP range.
Question
Options
- AUse the Cisco's TFTP default password to connect and download the configuration file
- BRun a network sniffer and capture the returned traffic with the configuration file from the router
- CRun Generic Routing Encapsulation (GRE) tunneling protocol from your computer to the router
- DSend a customized SNMP set request with a spoofed source IP address in the range -
How the community answered
(46 responses)- A26% (12)
- B63% (29)
- C11% (5)
Why each option
Given a successfully brute-forced SNMP community string but an access-list preventing direct connection from the attacker's IP, an attacker could either sniff network traffic for configuration data or send spoofed SNMP requests from a permitted IP range.
Cisco routers do not have a universally known 'TFTP default password' for configuration downloads, and even if TFTP were enabled, the existing access-list would likely block unauthorized access.
If SNMP traffic, including configuration data, is transmitted unencrypted across a network segment accessible to the attacker, a network sniffer can capture these packets. This allows the attacker to retrieve the configuration without directly connecting to the router from their blocked IP.
Running Generic Routing Encapsulation (GRE) tunneling requires the router to be specifically configured to accept such tunnels from the attacker's IP, which is unlikely given a security-focused access-list and would be a complex method not directly bypassing the SNMP ACL.
If the attacker can identify an IP address range that the access-list permits, they can craft SNMP 'get' requests with a spoofed source IP address from within that range. If the router processes the request and sends the response to the spoofed IP (which might be possible if the ACL only filters incoming source IPs), and the attacker can capture traffic destined for that spoofed IP, they can obtain the configuration.
Concept tested: SNMP exploitation, ACL bypass techniques (sniffing, IP spoofing)
Source: https://www.cloudflare.com/learning/ddos/ip-spoofing/
Topics
Community Discussion
No community discussion yet for this question.