Cisco WLC / Rogue WCS Attack “All your base are belong to us”
Tuesday, October 6, 2009 at 9:47PM

Geo - “I blogged on my site about the unencrypted RRM packet just a few weeks ago. The RRM packet got little attention, but I seen this as a much bigger issue. I seen this as more than just an IP address in the clear but rather a gold mine of information, but just how could it be exploited. “

In this tutorial I will share with you an attack using the recently identified and less talked about security vulnerability with the Cisco RRM packet in conjunction with SNMP. I would like to emphasize --- this video is to educate network engineers,  system administrators and security professionals of the potential risk of a enterprise wide attack on your Cisco Unified Wireless Network if Cisco best practices are not followed.

The foundation of this attack is to use the less talked about RRM and widely known SNMP vulnerabilities.  There isn’t  anything new that isn’t already known about these vulnerabilities, but what I will share  is the concept of an attack and the real world potential it may have in your enterprise especially if you use default strings or and more importantly if an attacker knows your strings on the WLC. The concept of the attack is simple, sniff the RRM packet, discovery the WLC, and then join the WLC to the rogue WCS server. After which point your wireless network is at the complete mercy of the hacker. The hacker could create a “rogue” ssid for later outside attack over wireless, complete DOS attack of your wireless network enterprise wide, delete admin accounts on the controllers to prevent you from logging into the controllers while an attack is underway.

Article originally appeared on (
See website for complete article licensing information.