Dynamips as a penetration testing tool
By stretch | Tuesday, August 26, 2008 at 4:06 a.m. UTC
It's a safe bet that most people reading this are already aware of Dynamips and its ability to emulate Cisco IOS devices on commodity PC hardware. Used in conjunction with the Dynagen hypervisor and the GNS3 GUI front-end, it provides an invaluable study tool, with the ability to configure and run entire CCIE-level labs on a single desktop computer. I've used these tools countless times to set up quick test labs or create scenarios for blog posts and packet captures. This is what these tools were designed for.
But consider what use they might provide in another area: penetration testing. Instead of relying on a collection of tools hacked together to support Cisco proprietary protocols like EIGRP, why not use an actual router? Okay, not an actual router, but for most cases an emulated router will work just as well (so long as we don't try to pass any serious amount of data). Dynamips offers several distinct benefits to a penetration tester:
- Stealth - A much lower profile than lugging around a 3725 or two
- Compatibility - No need to worry about protocol implementation issues; you're using the real IOS
- Flexibility - You're not limited by your tool set; anything you can configure on a real router you can configure via Dynamips
- Ease of integration - A physical network interface can be bound to a virtual router port, providing fully transparent connectivity to the target network
Once connected, a pen tester armed with a fully functioning virtual router has a great number of potential attack vectors. Maybe he can insert a custom route via EIGRP to assist a man-in-the-middle attack, or form a dynamic trunk with the local switch through DTP, or perhaps become the new PVST+ root. (These are just some ideas off the top of my head. If you have others, be sure to add them in the comments.)
Of course there are notable downsides: Dynamips is obviously crippled in terms of throughput, and IOS itself isn't ideal for exploiting known vulnerabilities. Still, it makes a valuable addition to a pen tester's toolkit.
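From the defender's side, each of the three vectors above (an EIGRP adjacency from a host that is not a known router, a DTP-negotiated trunk on an access port, and a PVST+ root change) leaves a trace in IOS syslog. The following Python, added here and not part of the original post, flags those traces against a hypothetical per-switch baseline; the log lines, peer addresses, port names and MAC addresses are constructed samples modelled on the real %DUAL, %DTP and %SPANTREE message formats.

```python
import re

# Constructed sample IOS syslog lines (not from the original post), modelled on
# the formats of the real %DUAL-5-NBRCHANGE, %DTP-5-TRUNKPORTON and
# %SPANTREE-5-ROOTCHANGE messages.
SAMPLE_LOG = """\
Aug 26 04:10:02 sw1: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 10.1.1.2 (FastEthernet0/1) is up: new adjacency
Aug 26 04:10:05 sw1: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 10.1.1.77 (FastEthernet0/12) is up: new adjacency
Aug 26 04:10:09 sw1: %DTP-5-TRUNKPORTON: Port Fa0/12 has become dot1q trunk
Aug 26 04:10:11 sw1: %SPANTREE-5-ROOTCHANGE: Root Changed for vlan 10: New Root Port is FastEthernet0/12. New Root Mac Address is 0011.2233.4455
"""

# Hypothetical baseline for this switch: the EIGRP peers it should ever see,
# the ports allowed to carry a trunk (as DTP names them), and the bridge MAC
# that should stay root for each VLAN.  Anything outside the baseline is an
# indicator that a new "router" has appeared on the segment.
KNOWN_EIGRP_PEERS = {"10.1.1.2"}
ALLOWED_TRUNK_PORTS = {"Fa0/1"}
EXPECTED_ROOT_MAC = {"10": "000a.b1c2.d3e4"}

NBR_RE = re.compile(r"%DUAL-5-NBRCHANGE: .*Neighbor (\S+) \((\S+)\) is up")
DTP_RE = re.compile(r"%DTP-5-TRUNKPORTON: Port (\S+) has become")
ROOT_RE = re.compile(
    r"%SPANTREE-5-ROOTCHANGE: Root Changed for vlan (\d+):"
    r".*New Root Mac Address is ([0-9a-f.]+)"
)


def find_rogue_router_events(log_text):
    """Return (category, detail) tuples for syslog events consistent with an
    unexpected router or switch being attached to the network."""
    alerts = []
    for line in log_text.splitlines():
        m = NBR_RE.search(line)
        if m and m.group(1) not in KNOWN_EIGRP_PEERS:
            alerts.append(("unknown-eigrp-neighbor", f"{m.group(1)} on {m.group(2)}"))
            continue
        m = DTP_RE.search(line)
        if m and m.group(1) not in ALLOWED_TRUNK_PORTS:
            alerts.append(("unexpected-trunk", m.group(1)))
            continue
        m = ROOT_RE.search(line)
        if m and EXPECTED_ROOT_MAC.get(m.group(1)) != m.group(2):
            alerts.append(("stp-root-change", f"vlan {m.group(1)} root now {m.group(2)}"))
    return alerts
```

On the sample above the first adjacency is a known peer and passes silently; the other three lines each produce one alert.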
About the Author
Jeremy Stretch is a network engineer living in the Raleigh-Durham, North Carolina area. He is known for his blog and cheat sheets here at Packet Life. You can reach him by email or follow him on Twitter.
Posted in Security
August 26, 2008 at 8:32 a.m. UTC
Interesting concept. There is a tool called Yersinia which claims to be able to spoof DTP, and I even saw a tool that could spoof as an IP phone in order to get access to the voice VLAN. Nothing can speak to a Cisco as well as another "Cisco" though. Imagine being able to build a topology table for someone else's network, using a laptop.
August 26, 2008 at 10:11 p.m. UTC
You could also use it to "HOP" vlans if you plug into a trunked interface.
Considering most VoIP phones are plugged into trunked interfaces...
August 27, 2008 at 8:49 p.m. UTC
If your network is configured properly none of this can happen.
September 2, 2008 at 10:43 p.m. UTC
If everything is configured properly a lot of things can't happen, but how many networks are configured properly or are just configured enough to work?
June 20, 2012 at 8:34 a.m. UTC
I'm writing a dissertation about it. Let me know if you know any other useful information about it.