A Sense of Security Blog

Identifying Potential SYNful Knock Afflicted Routers

by Brandon Hoffman, Chief Technology Officer


By now you have likely heard or read about SYNful Knock. It is a combination of exploits that allows a router to be compromised and leaves backdoor access behind. The ability to implant or take over a router inside an organization’s infrastructure can be extremely powerful for an adversary.

According to the published research, this exploit is currently relatively fragile because of the requirements for executing it successfully. It appears to be workable only against specific models of Cisco routers (1841, 2811, 3825) and requires legitimate credentials along with specific protocol access.* While remediation steps are likely available and more are being discovered, the first step is to identify the vulnerable infrastructure.

Most enterprise organizations have a large volume of devices that make up their infrastructure, which makes identifying these potentially vulnerable machines difficult. Being able to identify them quickly becomes paramount while the opportunity to resolve this issue still exists. The real-time and point-in-time network situational awareness solutions offered by Lumeta (IPsonar and ESI) provide a quick and easy method to find these machines. For anybody currently using these products, a simple view into the Network Index to find devices profiled as Routers+Cisco and having ports 23+80 open would immediately provide candidates for the SYNful Knock exploit. Further profile filtering can be done to trim results down to the specific aforementioned models of Cisco equipment – although most of us security folks prefer a wider spectrum of potentials over a narrower view that might miss something.
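The same triage filter applied to a generic inventory export, as an added example that is not Lumeta's code or part of the original post. The CSV column names (`ip`, `vendor`, `device_type`, `model`, `open_ports`), the tier labels and the sample rows are constructed assumptions.

```python
import csv
import io

# Models named in the published research cited by the post.
NAMED_MODELS = ("1841", "2811", "3825")
# Ports the post uses as the candidate filter (23 = telnet, 80 = HTTP).
REQUIRED_PORTS = {23, 80}

# Constructed sample export; column names are assumptions, not a Lumeta format.
SAMPLE_EXPORT = """ip,vendor,device_type,model,open_ports
192.0.2.1,Cisco,Router,CISCO2811,22;23;80
192.0.2.2,Cisco,Router,CISCO1841,23;80;443
192.0.2.3,Cisco,Router,ISR4331,23;80
192.0.2.4,Cisco,Router,CISCO3825,22;443
192.0.2.5,Cisco,Switch,WS-C2960,23;80
192.0.2.6,Juniper,Router,MX80,23;80
192.0.2.7,cisco,router,,23;80
"""


def parse_ports(field):
    """Turn '22;23;80' into {22, 23, 80}, ignoring blanks and junk."""
    return {int(p) for p in field.split(";") if p.strip().isdigit()}


def find_candidates(export_text):
    """Return (ip, model, tier) for Cisco routers with ports 23 and 80 open."""
    candidates = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["vendor"].strip().lower() != "cisco":
            continue
        if row["device_type"].strip().lower() != "router":
            continue
        if not REQUIRED_PORTS <= parse_ports(row["open_ports"]):
            continue
        model = row["model"].strip()
        tier = "named-model" if any(m in model for m in NAMED_MODELS) else "wide-net"
        candidates.append((row["ip"], model or "unknown", tier))
    # Named models first, but keep the wider set so nothing is missed.
    return sorted(candidates, key=lambda c: c[2] != "named-model")


if __name__ == "__main__":
    for ip, model, tier in find_candidates(SAMPLE_EXPORT):
        print(f"{ip:<12} {model:<10} {tier}")
```

Rows with a missing model string stay in the wide-net tier rather than being dropped, which matches the preference for a wider set of potentials.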

Current Lumeta IPsonar customers can download and install a “canned” SYNful Knock View from our Support site. For those folks who do not currently use the Lumeta IPsonar or ESI solutions, deploying these solutions for network indexing to identify this specific issue would be minimal effort, especially compared to a manual hunt. Contact us.

Naturally, once these devices are identified, further manual effort must be applied to validate exploit activity and take remediation steps.

A final thought: users may want to cast a wider net when reviewing their infrastructure and running services, as it is entirely possible that this is simply what the adversaries want us to know and the exploit has evolved … thereby providing a solid redirection/distraction from the main event to follow.



* Source: https://www.fireeye.com/blog/threat-research/2015/09/synful_knock_-_acis.html