On 09/15/2015 11:40 AM, Jake Mertel wrote:
C) keep the
image firmware file size the same, preventing easy detection of the
compromise.
Hmmm...time to automate the downloading and checksumming of the IOS
images in my router. Hey, Expect, I'm looking at YOU.
Wait a minute...doesn't Cisco have checksums in its file system? This
might be even easier than I thought, no TFTP server required...
http://www.cisco.com/web/about/security/intelligence/iosimage.html#10
Switch#dir *.bin
(Capture the image name)
Switch#verify /md5 my.installed.IOS.image.bin
The output is a bunch of dots (for a switch) followed by an output line
that ends "= xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" with the x's
replaced with the MD5 hash.
The command is on 2811 routers, too. Maybe far more devices, but I
didn't want to take the time to check. You would need to capture the
MD5 from a known good image, and watch for changes.
