This really was born as a typo when writing “Native Admins” and as a result, it was very well received by many people wanting to hear stories about some Naive Admins or equally very poor best practice guidance (Might we say… WORST Practices?!) So with that said, welcome to the first installment of the Naive Admins Guide…
Over time entire stories will be shared, sometimes just some snippets, some of these stories will come from you and some are areas I’ve personally been involved in. It should be exciting… so to kick off this Installment… Let’s go with…
Of course our routers are secure…
This story takes us back a number of decades, the names have all been forgotten to protect the innocent…
The scene sets on a Friday night in the late 90s or early 2000s… All the house was asleep, except for the Security Auditor and Pen Tester working away investigating a customers environment. Friday nights were always particularly helpful as Operations weren’t 24/7 in those days, and if something were to go ‘wrong’, it would offer the weekend to go about resolving matters.
Scan-Scan-Scan, Test-Test-Test, there were even some automated tools being used! Something which was relatively foreign at the time, unless you happened to have been an amazing well-established or being-established firm like @stake or L0pht Heavy Industries for those who remember those days…
But something is odd… Something is off. We have an output! scrolling across one of the screens… We have a Cisco Router Configuration File!
Okay, perhaps not the most abnormal thing in the world, we’ve all gotten a dump of a Cisco router config before, no big deal…, certainly no reason to stop the project now…
Wait. That’s even more odd. The password is stored in “password 7” mode. Cisco IOS type 7 password vulnerability (SANS)
For anyone who has Pentested before, and performed general security audits, some of the most exciting things happen when you make “Discoveries” often ‘hidden’ in plainsight, and this was an exciting one at that! And sometimes these discoveries are enough to stop the project at that moment and start digging, investigating, and where appropriate start making some calls.
I’ve been in the situation where your expected to ‘run a tool, produce an output; it’s not your problem’. But just like a house on fire, I’m not just going to stand there and watch it burn like, “this is fine”
So after a little digging. Yep. Cisco Password 7 password, check. NO passwords in actually ‘secured’ Cisco Password 5. (But also fortunately none in plaintext… we’ll save that for another time ;))
It’s Friday night though, it’s 11PM at this point. With some rattling and banging, I was able to get the customer executive on the phone.
“Did you know that your Router configurations and passwords are accessible publicly from the Internet? This is a huge problem!”
Executive: “We don’t manage those routers, that’s the carrier.”
And that information hit like a lead balloon. Indeed, what the executive said was true, and we discussed matters while we also woke up an executive from this nationwide / global carrier and got THEM on the phone.
It turned out, the customer was NOT safe from attack, not in the least. But worst of all, these credentials, available nearly in plaintext, were the same credentials used on every router, at every location, at every site… Nationwide and Worldwide…
At this point, it was around 2AM and I did my time. I passed on the information, I raised the appropriate red alerts and could go back to resuming my normal Pentesting and scanning operations. I walked away from this situation hoping that I helped improve the security just a LITTLE bit more for my customer and hopefully touching and impacting so many other customers indirectly in the long term.
So what did you think?
This is just the first installment of this type of thing. Some won’t always have ‘positive’ and ‘uplifting’ stories like this at the end… Some are downright devastating and scary. Do you have your own stories you want to share? Mention so in the comments. If you can tell the story but are unsure how you would go about writing it, you can even narrate the story and I can write it up for you all the same. Let’s share our stories… whether it is the discoveries of Naive admins or when we are ourselves are the Naive Admins…
Some stories will be very short paragraphs and one-liners, clumped together, because we’ve all made some mistakes before…
I’m not saying I’ve ever not ensured a CPU was fully seated, pulled the bar to slide into place and shattered every pin…
Feel free to comment, email or contact via Twitter, Facebook or Linkedin! Thanks! <3