Cisco Incident Response (CIR) 1.1 Open Source Release
Recurity Labs created a system for the inspection of Cisco legacy IOS memory dumps back in 2008. The tool, called Cisco Incident Response, was meant to identify successful and unsuccessful exploits of binary nature against Cisco routers running IOS 11.x and 12.x. IOS 15.x is now available, but doesn't differ much from the previous releases in terms of internal design.
We ran an online service for uploading and analyzing IOS images together with the core dumps produced by routers running them. This service has been used by various people, but not a single core dump contained indications of an actual binary exploit against the platform. It seems that it's simply too easy to pwn a company by traditional means: browser, Flash, Java, an EXE file in email, social engineering or a cloud service.
To support nostalgic hobbyists concerning themselves with the same questions half a decade later, we decided to publish the source code of CIR today, in order to allow anyone to use it and inspect its inner workings. We believe that Kerckhoffs's principle also holds true for defense and detection systems. Therefore it is educational to look at code bases that have been tested in production for quite some time.
The code is interesting beyond the embedded knowledge about Cisco IOS data structures. Here are a couple of points for the inclined reader:
- 23k lines of code, entirely managed .NET (C#)
- Plug-in-based knowledge system, where every plug-in consumes and provides some type of abstracted information about the subject, expressed as .NET types
- Several tables of structure offsets that differ between IOS minor versions and service releases, for those assuming that IOS data structures always look the same between, e.g., 12.4.3 and 12.4.3J
- An ELF file format parser that could be useful in other projects
- Report generation and a daemon mode, so that CIR can run unattended in corporate and provider networks
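Since both the IOS images CIR consumes and the ELF parser it ships are mentioned above, the following added example shows the shape of such a parser with the bounds checks a tool that reads untrusted images needs. It is written here in Python for illustration and is not CIR's own (C#) code; it assumes ELF32 images of either byte order (IOS images for MIPS and PowerPC are big-endian), and the sample image, the entry-point sanity check and all names are constructed for this example rather than taken from CIR.

```python
import struct

ELF_MAGIC = b"\x7fELF"
ELFCLASS32 = 1
ELFDATA2LSB, ELFDATA2MSB = 1, 2
ET_EXEC = 2
EM_MIPS = 8
PT_LOAD = 1

EHDR_FMT = "HHIIIIIHHHHHH"   # ELF32 header fields after the 16-byte e_ident
PHDR_FMT = "IIIIIIII"        # ELF32 program header (32 bytes)
EHDR_FIELDS = ("e_type", "e_machine", "e_version", "e_entry", "e_phoff",
               "e_shoff", "e_flags", "e_ehsize", "e_phentsize", "e_phnum",
               "e_shentsize", "e_shnum", "e_shstrndx")
PHDR_FIELDS = ("p_type", "p_offset", "p_vaddr", "p_paddr", "p_filesz",
               "p_memsz", "p_flags", "p_align")


def parse_elf32(blob):
    """Parse the ELF32 header and program headers of `blob`.

    Every offset and count read from the file is checked against the real
    file size before use, so a corrupt or truncated image raises ValueError
    instead of failing somewhere inside struct with an unhelpful error.
    """
    if len(blob) < 16 or blob[:4] != ELF_MAGIC:
        raise ValueError("missing ELF magic")
    if blob[4] != ELFCLASS32:
        raise ValueError("only ELF32 is handled by this example")
    endian = {ELFDATA2LSB: "<", ELFDATA2MSB: ">"}.get(blob[5])
    if endian is None:
        raise ValueError("unknown EI_DATA value %d" % blob[5])
    ehdr_size = 16 + struct.calcsize(endian + EHDR_FMT)   # 52 for ELF32
    if len(blob) < ehdr_size:
        raise ValueError("truncated ELF header")
    hdr = dict(zip(EHDR_FIELDS, struct.unpack_from(endian + EHDR_FMT, blob, 16)))
    hdr["big_endian"] = endian == ">"

    phdrs = []
    if hdr["e_phnum"]:
        if hdr["e_phentsize"] != struct.calcsize(endian + PHDR_FMT):
            raise ValueError("unexpected e_phentsize %d" % hdr["e_phentsize"])
        table_end = hdr["e_phoff"] + hdr["e_phnum"] * hdr["e_phentsize"]
        if hdr["e_phoff"] < ehdr_size or table_end > len(blob):
            raise ValueError("program header table lies outside the file")
        for i in range(hdr["e_phnum"]):
            off = hdr["e_phoff"] + i * hdr["e_phentsize"]
            ph = dict(zip(PHDR_FIELDS, struct.unpack_from(endian + PHDR_FMT, blob, off)))
            if ph["p_offset"] + ph["p_filesz"] > len(blob):
                raise ValueError("segment %d extends past end of file" % i)
            if ph["p_memsz"] < ph["p_filesz"]:
                raise ValueError("segment %d has p_memsz < p_filesz" % i)
            phdrs.append(ph)
    hdr["phdrs"] = phdrs
    return hdr


def entry_in_load_segment(hdr):
    """Sanity check (assumed for this example): the entry point must lie inside
    the memory range of some PT_LOAD segment of the image."""
    e = hdr["e_entry"]
    return any(p["p_type"] == PT_LOAD and p["p_vaddr"] <= e < p["p_vaddr"] + p["p_memsz"]
               for p in hdr["phdrs"])


def build_sample(entry=0x80008040):
    """Construct a minimal big-endian ELF32 MIPS executable with a single
    256-byte PT_LOAD segment at 0x80008000 (constructed sample, not an IOS image)."""
    phoff, code = 52, bytes(range(256))
    e_ident = ELF_MAGIC + bytes([ELFCLASS32, ELFDATA2MSB, 1]) + bytes(9)
    ehdr = e_ident + struct.pack(">" + EHDR_FMT, ET_EXEC, EM_MIPS, 1, entry, phoff,
                                 0, 0, 52, 32, 1, 40, 0, 0)
    phdr = struct.pack(">" + PHDR_FMT, PT_LOAD, phoff + 32, 0x80008000, 0x80008000,
                       len(code), len(code), 5, 0x1000)
    return ehdr + phdr + code


if __name__ == "__main__":
    h = parse_elf32(build_sample())
    print("machine=%d big_endian=%s entry=0x%x segments=%d entry_ok=%s" % (
        h["e_machine"], h["big_endian"], h["e_entry"], len(h["phdrs"]),
        entry_in_load_segment(h)))
```

The point worth taking from this for any image-inspection tool is the order of operations: validate the magic, class and byte order first, derive every later offset from header fields that have already been checked against the file length, and only then interpret segment contents. Running `parse_elf32` over a file cut short, or one whose entry point falls outside every loadable segment, fails in a way the caller can report instead of silently producing a partial structure.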