How to Check CISCO for SYNful Knock

How to Check CISCO for SYNful Knock

FireEye has discovered a modification of the CISCO’s router firmware image, dubbed SYNful Knock that can be used to maintain persistence within a victim’s network. Meaning that SYNful Knock is practically a backdoor which is already used by hackers around the world.

FireEye has introduced several resources to check your company’s network for this vulnerability and quickly fix the issue. And in this post we would like to share those findings with you.

First of all, there are two ways of checking for SYNful Knock: Python way and Nmap way, it all depends on what suits you more.

Python way

Head to FireEye’s Github and download SYNfulKnock_scanner.py. This script sends a crafted TCP SYN packet and analyses the SYN/ACK response for indications of an implant. The script relies on the Scapy packet manipulation library for processing, sending and receiving packets. The scanning process uses several scan threads and a single thread for collecting the responses.  If you don’t have scapy yet on your system then go to Installation guidelines.

After you are finished with installation process and your system is good to go you will need to execute a python script with the following command:

python ./SYNfulKnock_scanner.py -d 10.1.1.1/10.1.1.2

Where -d indicated IPs to scan.

The output you receive should be similar to this:

2015-09-17 14:01:49,760 190 INFO Sniffer daemon started
2015-09-17 14:01:49,761 218 INFO Sending 2 syn packets with 10 threads
2015-09-17 14:01:50,188 110 INFO 10.1.1.1:80 - Found implant seq: 6676e09 ack: 66735bcd
2015-09-17 14:01:51,190 225 INFO Waiting to complete send
2015-09-17 14:01:51,190 227 INFO All packets sent

NMAP Way

Visit FireEye Github and download synfulknock.nse and packet2.lua. Place .nse file in nmap/scripts and .lua to nmap/nselib. Since the NSE packet library does not allow the user modification of ACK values, the library needs to be modified to allow for this capability. You need to add following strings to packet.lua and packet2.lua:

> --- Set the TCP acknowledgment field.
> -- @param new_ack Acknowledgment.
> function Packet:tcp_set_ack(new_ack)
>   self:set_u32(self.tcp_offset + 8, new_ack)
>   self.tcp_ack = new_ack
> end

If you did everything right the last thing you need to do is to execute this command within nmap/zenmap:

nmap -sS -PN -n -T3 -p 80 --script="SYNfulKnock" 10.1.1.1/24

If the result is similar to following than a CISCO devices is infected:

-- | SYNfulKnock:
-- | seq = 0x7528092b
-- | ack = 0x75341b69
-- | diff = 0xc123e
-- | Result: Handshake confirmed. Checking flags.
-- | TCP flags: 2 04 05 b4 1 01 04 02 1 03 03 05
-- |_Result: Flags match. Confirmed infected!

Solution

If your devices prove to be compromised then you are advised to download official image from Cisco and reimage the device. Ensure the new image hash values match and then harden the device to prevent future compromise.

There is a high possibility that the initial compromise took place due to default credentials or the discovery of such credentials. In case if the router was not using default passwords, you should definitely check other devices too because exploitation might have occurred from different sources

4 thoughts on “How to Check CISCO for SYNful Knock

    1. In case of NMAP you would get a result similar to: — | SYNfulKnock:
      — | seq = 0x7528092b
      — | ack = 0x75341b69
      — | diff = 0xc123e
      — | Result: Handshake confirmed. Checking flags.
      — | TCP flags: 2 04 05 b4 1 01 04 02 1 03 03 05
      — |_Result: Flags match. Confirmed infected!
      But in case of Python:
      Found implant seq: 6676e09 ack: 66735bcd

      it is describer in article.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.