spod.cx

IOSHunter from VitalTech - software full of false claims

IOSHunter is an application produced by the VitalTech Group designed to search and download IOS firmware images for Cisco routers and switches. The manufacturers of this software make some pretty bold claims, including my personal favourite:

It browses various ftp servers and web pages to find the requested image. IOSHunter's search engine is multithreaded, so the process of searching is rather fast. Current version of IOSHunter searches for images in more than 1800 sources all over the world.

Why do I care?

I acquired some old Cisco routers for free (a 4000 series and a couple of 2500s) and figured they'd be useful for experimenting with. After powering them up and checking they worked, I noticed they were running an old version of IOS, so decided to upgrade them to the latest version that they'd run.

Unfortunately, the login I had for cisco.com from when I bought my switch no longer allows me to download IOS firmware images, so I had to resort to Google.

This led me to IOSHunter, and as they have a demo version available for download I decided to have a look. I fired up the app, selected the router model number and hit the search button, expecting the search to take at least a few minutes. 15 seconds later, it returned a list of 76 items - impossibly fast given the claim of searching "1800 sources".

Traffic inspection

I ran another search, monitoring the number of open connections through my ADSL router, and noticed only 2 additional ones being made, both to the same IP: 207.229.149.216 on port 80.

Doing a reverse DNS lookup on the IP didn't reveal much, but a little deductive reasoning revealed the location:

$ host 207.229.149.216
Name: .
Address: 207.229.149.216

$ host www.vitaltech-group.com
www.vitaltech-group.com A       207.229.149.216

So, this supposed "search application" is only really talking to the manufacturers website. Hmmm.

I fired up tcpdump on the router, and had a look at the traffic passing to that IP address, and spotted 2 HTTP GET requests.

GET /basa HTTP/1.0
GET /da.txt HTTP/1.0

The first file, basa, appeared to be full of garbage, but the second, da.txt contained the list of search results:

c4000-i-mz.bin 2269418 03 05 2004
c4000-is-mz.120-7.bin 1310720 11 08 2004
c4000-is56i-mz.121-9.bin 5049233 24 01 2004
c4000-j-mz.111-5.bin 3980974 29 11 2004
c4000-j-mz.bin 4053762 01 12 2004

These matched up with the filename, size, and date shown in the application. As the trial only allows the download of some files, I picked one of the files it let me download, and watched the traffic through my router. It established a connection to an FTP server straight away, and started downloading an image.

It seemed logical that this 'basa' file somehow contained a list of locations from which to download these files, as IOSHunter wasn't making any further requests to the website on download, so I took a closer look.

Shoddy encryption

While this file did indeed appear to contain garbage, there seemed a definite pattern to it - lots of repeated blocks of the same or similar characters, over and over again - the classic signs of a simple Caesar Shift Cipher. I knocked up a quick perl script to xor the characters against values from 0 to 255, then look at the results for strings I expected to find (http, ftp, and a known firmware name). A few minutes later, I had a list of FTP servers that were in the basa file, but it wasn't a complete list - just the files available for download in the demo version.
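An added example (not the author's perl script) of the crib-based brute force described above, written in Python: every byte of the blob is XORed against each key from 0 to 255 and the candidate containing the most expected strings wins. The sample blob, its key (0x5A) and the record format are constructed here, since the real basa contents are not on the page.

```python
"""Recover a single-byte XOR obfuscated blob using known-plaintext cribs."""
import re

# Strings we expect to see in the plaintext (as in the post: http, ftp, a known image name).
CRIBS = [b"http", b"ftp", b"c4000-is-mz"]
URL_RE = re.compile(rb"(?:https?|ftp)://[^\s|]+")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with one key byte (0..255)."""
    return bytes(b ^ key for b in data)


def score(candidate: bytes) -> int:
    """Count crib occurrences in a decoded candidate; higher means more plausible."""
    return sum(candidate.count(crib) for crib in CRIBS)


def brute_force_xor(blob: bytes):
    """Try all 256 keys and return (key, plaintext, hits) for the best-scoring one."""
    best = (None, b"", 0)
    for key in range(256):
        candidate = xor_bytes(blob, key)
        hits = score(candidate)
        if hits > best[2]:
            best = (key, candidate, hits)
    return best


def extract_urls(plaintext: bytes) -> list:
    """Pull http/https/ftp download locations out of the recovered text."""
    return [m.decode() for m in URL_RE.findall(plaintext)]


# Constructed sample: image name and download location per line, obfuscated with a
# key (0x5A) that the brute force below pretends not to know.
SAMPLE_PLAINTEXT = (
    b"c4000-is-mz.120-7.bin|ftp://ftp.example.net/pub/cisco/c4000-is-mz.120-7.bin\n"
    b"c4000-j-mz.bin|http://www.example.org/ios/c4000-j-mz.bin\n"
)
SAMPLE_BLOB = xor_bytes(SAMPLE_PLAINTEXT, 0x5A)

if __name__ == "__main__":
    key, plaintext, hits = brute_force_xor(SAMPLE_BLOB)
    print(f"key=0x{key:02x} crib hits={hits}")
    for url in extract_urls(plaintext):
        print(url)
```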

A worrying result...

While it's true that IOSHunter does indeed seem to find IOS images, it doesn't work as advertised - their claim of it being a fast multi-threaded search is simply a lie. It relies on their website being up and the company still being in business.

If that weren't bad enough, the images it finds are pulled from random websites and FTP servers, not legitimate company sites. Looking through the list that the demo version pulls, names such as hardcorehackers.com and personal users' FTP directories jump out - hardly the sorts of places you want to be downloading software to go on a router. In addition, at least some, if not all, of these are used without permission, and neither IOSHunter nor the VitalTech Group offer any credit to the sites whose bandwidth they're making a profit ($60 per license) from.

Obviously, you shouldn't use this software, and you especially shouldn't pay for it. There's no guarantee that it will continue to work, and the images it downloads could damage your router, or contain malicious code.

It seems that the market for this sort of dodgy-at-best rip-off would be easily dealt with if Cisco were a lot less restrictive about their router firmware. They may be the market leader, but leaving customers out in the cold like this means they often have to rely on unofficial means of getting updated firmware. This isn't good for customer relations, or for the stability of the internet in general.

Finding the latest firmware for my Cisco switch was difficult enough - they would do well to learn lessons from HP's excellent Procurve line of switches, for which the firmwares are freely available, and whom I shall be buying from next time I want a managed switch.


Contact: site@spod.cx