Router1>enable Router1#configure terminal Router1(config)#ip routing Router1(config)#ip route 192.168.5.0 255.255.255.0 192.168.3.2 Managing routing information protocol for Cisco networking Routing Information Protocol (RIP) is widely used, with version 2 allowing you to use Variable Length Subnet Masks (VLSM) across your network. In this walk through, Putty will be used, which is freely available (See Lab Summary) to connect to a Cisco device and establish a console session to the Cisco Command Line Interface. Step 1: Connect your Cisco console cable or terminal adapter to a Serial port on your computer.
This post was authored by Cisco CSIRT’s Robert Semans, Brandon Enright, James Sheppard, and Matt Healy. In late 2013–early 2014, a compromised FTP client dubbed “StealZilla,” based off the open source FileZilla FTP client was discovered. The attackers modified a few lines of code, recompiled the program, and disbursed the trojanized version on compromised web servers. This new attack appears to involve the same actors who reused the same techniques to alter the source code of the widely used open source Telnet/SSH client, PuTTY, and used their network of compromised web servers to serve up similar fake Putty download pages. This new campaign is like the StealZilla campaign in almost every way. This trojanized version of PuTTY harvests credentials and relays the information back to a collection server in the same way too.
The operation is very quick and quiet. Login details are sent to attackers using an HTTP GET connection ONLY once. The primary mode of infection relies on users to search for PuTTY and follow a link to a fake mirror rather than the legitimate PuTTY page.
To increase the chances users reach the malicious mirrors, the attackers have used search engine optimization techniques. Some HTML pages hosted on the compromised servers reference PuTTY for Mac, PuTTY for Android platforms, or even more obscure things like PuTTY and shampoo, for example. The malicious PUTTY.exe (MD5 b5c88d5af37afd0f9311ca) comes in the PE format, just like the original. This trojanized version of PuTTY maintains a user interface and function seemingly similar to the original. One difference is the binary was compiled with a different version of Microsoft Visual C than PuTTY traditionally has been, and results in a slightly altered user interface. Also, the “About” button reveals altered information, being listed as “Unidentified build, Nov 29 2013 21:41:02.” Given that presumable compile time, that is only a couple of months after the release of PuTTY v0.63, which labels itself as “Release 0.63” under “About.” Comparison of MalPutty on left and legitimate PuTTY on right When an SSH session is initiated, the credentials are harvested and sent in the same format used in the StealZilla campaign, except with SSH in place of FTP for the protocol. “ssh://:@:” This string is then Base64 encoded and appended to the URI before the HTTP GET request is sent.
This is the only malicious network traffic witnessed from this binary. Hxxp://ngusto-uro.ru/get/index.php?record= Instructions reused in MalPutty that were also found in StealZilla Compromised servers host seemingly legitimate copies of the HTML pages used for PuTTY, but with small variations including words to catch attention and even a picture of the malicious version of PuTTY. All of the fake pages are dumped in a /putty directory on the compromised web servers.
The compromised web servers have nothing to do with PuTTY or SSH clients outside of this directory. The following are some examples of the compromised URI structures: /putty/super-magnetic-putty.html /putty/garnier-putty.html /putty/putty.html Further research into the delivery infrastructure of compromised web servers used in this campaign revealed interesting results.
Posts on various forums referenced an IP address (146.185.239.3) contained in injected JavaScript code used on multiple compromised sites containing various PHP frameworks. The domains used by the threat actors for StealZilla and MalPuTTY currently resolve to this IP address, and previously used 144.76.120.243. Some of these domains include the current MalPutty domain (ngusto-uro.ru) along with previously seen go-upload.ru and aliserv2013.ru. All were used previously in the StealZilla campaign.
The injected JavaScript uses the URI hxxp://146.185.239.3/sTDS/go.php, which appears to be running the Traffic Direction Systems (TDS) framework sTDS (a Russian-based project). TDS services are not uncommon in the malware world, being used for various nefarious activities such as delivering exploit kits. The JavaScript in question appears to attempt to identify characteristics of the device it was launched on to form a key sent to the TDS service, ultimately determining how the device is routed. One could also argue that servers with viable credentials previously harvested through the FTP and later SSH campaigns could be used to compromise legitimate web servers. We currently have no further information on the actors’ ultimate goal with the TDS system. This type of attack is extraordinarily simple but surprisingly effective. The nature of users to download unsigned and unverified files exposes a major flaw in the way many people operate on a daily basis.
Hashes of the legitimate versions of PuTTY are provided on the official web page, but with no way to generate cryptographic sums on a plain vanilla install of Windows, the average user will not go through the trouble. PuTTY does provide a mechanism for validating releases (described at; however, the process has several issues.
Even under ideal conditions, manually verifying hashes is useless because Windows does not provide any mechanism for computing MD5/SHA hashes, and even if it did, it’s trivial to provide fake hashes on the fake mirror. Instead, users would need to validate the binary with the provided RSA/DSA signatures. However, doing so is beyond the skill level of even most Windows system administrators. It’s also not clear how users would validate that the RSA/DSA key used to validate the signatures is legitimate and not just a fake key on the fake mirror. Finally, the existing legitimate PuTTY RSA/DSA keys cannot be used by current versions of GPG because they’re signed with MD5, which has been deprecated. Thus, even sophisticated security-conscious users simply have no realistic way of verifying the legitimacy of PuTTY. Legal Disclaimer Some of the individuals posting to this site, including the moderators, work for Cisco Systems.
Opinions expressed here and in any corresponding comments are the personal opinions of the original authors, not of Cisco. The content is provided for informational purposes only and is not meant to be an endorsement or representation by Cisco or any other party. This site is available to the public.
No information you consider confidential should be posted to this site. By posting you agree to be solely responsible for the content of all information you contribute, link to, or otherwise upload to the Website and release Cisco from any liability related to your use of the Website. You also grant to Cisco a worldwide, perpetual, irrevocable, royalty-free and fully-paid, transferable (including rights to sublicense) right to exercise all copyright, publicity, and moral rights with respect to any original content you provide. The comments are moderated. Comments will appear as soon as they are approved by the moderator.
This is a Windows GUI application written in Python 2.7, used for Telnet and SSH into multiple Cisco Routers, Switches and Firewalls to send configuration commands. It will automate the tasks for Cisco network engineers and reduce the administrative overhead for repetitive tasks such as SNMP config, changing usernames, adding tacacs config etc. The application is very simple to use, with sample commands and hosts files saved inside, it's doesn't provide inter-active session, but it will do all.