Saturday, 19 August 2017

Cisco Network Penetration Testing

Cisco products are among the top networking devices found in major corporate and government organizations today. This not only increases the threat and attack landscape for Cisco devices, but also presents a significant challenge to exploit them.

Some of the most popular technologies developed by Cisco include routers, switches, security appliances, wireless products, and software such as IOS, NX-OS, Security Device Manager, CiscoWorks, Unified Communications Manager, and many others.

Scan And Fingerprinting

1. The purpose of 'Scan & Fingerprint' is to identify open ports on the target device and attempt to determine the exact IOS version. This then sets the plan for further attacks.
2. If Telnet is active, then password guessing attacks should be performed.
3. If SNMP is active, then community string guessing should be performed.

Credential Guessing

1. If a network engineer/administrator has configured just one Cisco device with a poor password, then the whole network is open to attack. Attempting to connect with various usernames/passwords is a mandatory step in testing the level of security that the device offers.

2. Attempt to guess Telnet, HTTP and SSH account credentials. Once you have non-privileged access, attempt to discover the 'enable' password. Also attempt to guess Simple Network Management Protocol (SNMP) community strings, as they can lead to the config files of the router and therefore the 'enable' password.

Connecting To The Rigs
1. Once you have identified the access credentials, whether that be HTTP, Telnet or SSH, connect to the target device to identify further information.

2. If you have determined the 'enable' password, then full access has been achieved and you can alter the configuration files of the router.

Checking For Some Known Bugs

1. To check for known bugs, vulnerabilities or security flaws with the device, a good security scanner should be used. The most widely known/used are: Nessus, Retina, GFI LanGuard and Core Impact. There are also tools that check for specific flaws, such as the HTTP Arbitrary Access Bug: ios-w3-vuln.

Advanced Exploitation

1. To further the attack into the target network, some changes need to be made to the running-config file of the target device. There are two main categories of configuration files on Cisco routers - running-config and startup-config:

1.1 running-config holds the currently running configuration settings. It is loaded from the startup-config on boot. This configuration file is editable and the changes are immediate, but any changes will be lost once the router is rebooted. It is this file that requires altering to maintain a non-permanent connection through to the internal network.

1.2 startup-config is the boot-up configuration file. It is this file that needs altering to maintain a permanent connection through to the internal network.

SCAN AND FINGERPRINTING

Port Scanning

nmap: To effectively scan a Cisco device, both TCP and UDP ports across the whole range must be checked. There are a number of tools that can achieve this goal, however we will stick with nmap examples.

TCP scan: This will perform a TCP connect scan with OS fingerprinting, be verbose, scan ports 1-65535 against IP 10.1.1.1 and output the results in normal mode to the TCP.scan.txt file.
nmap -sT -O -v -p 1-65535 <IP> -oN TCP.scan.txt

UDP scan: This will perform a UDP scan, be verbose, scan ports 1-65535 against IP 10.1.1.1 and output the results in normal mode to the UDP.scan.txt file.
nmap -sU -v -p 1-65535 <IP> -oN UDP.scan.txt

Other Tools: ciscos is a scanner for discovering Cisco devices in a given CIDR network range.

Usage: ./ciscos <IP> <class> [option]

mass-scanner is a simple scanner for discovering Cisco devices within a given network range.

Fingerprinting

cisco-torch is a fingerprinter for Cisco routers. There are a number of different fingerprinting switches, such as SSH, Telnet or HTTP. The -A switch should perform all scans, however I have found it to be unreliable.

USAGE : cisco-torch.pl -A 10.1.1.175

nmap version scan: - Once open ports have been identified, version scanning should be performed against them. In this example, TCP ports 23 and 80 were found to be open.

TCP Port scan - nmap -sV -O -v -p 23,80 <IP> -oN TCP.version.txt
UDP Port scan - nmap -sV -O -v -p 161,162 <IP> -oN UDP.version.txt

Once you have access to the config files (you will need enable, i.e. privileged mode, access for this), you can add an access list rule to allow your IP address into the internal network. The following ACL will allow the defined <IP> access to any internal IP address. So if the router is protecting a web server and an email server, this ACL will allow you to pass packets to those IP addresses on any port. Therefore you should be able to port scan them efficiently.

#> access-list 100 permit ip <IP> any

Password Guessing

CAT (Cisco Auditing Tool)
This tool extends beyond simple discovery and can perform dictionary based attacks against the Telnet server and SNMP agents.
Usage :- ./CAT -h <IP> -a password.wordlist
Example :- CAT -h 10.1.1.175 -a /tmp/dict.txt

Brute-Enabler

brute-enabler is an internal enable password guesser. You require valid non-privilege mode credentials to use this tool, they can be either SSH or Telnet.

Usage :- ./enabler <IP> [-u username] -p password /password.wordlist [port]
Example :- ./enabler 10.1.1.175 telnet /tmp/dict.txt

Hydra
Hydra is a multi-functional password guessing tool. It can connect and pass guessed credentials for many protocols and services, including Cisco Telnet, which may only require a password. Make sure that you limit the threads to 4 (-t 4), as more will just overload the Telnet server.

Usage :- hydra -l user -P password.wordlist -t 4 <IP> cisco

SNMP Attacks

CAT (Cisco Auditing Tool)
This tool extends beyond simple discovery and can perform dictionary based attacks against the Telnet server and SNMP agents.

Usage : CAT -h <IP> -w SNMP.wordlist
Example : CAT -h ww.xx.yy.zz -w lists/community -a lists/passwords -i

OneSixtyOne

Onesixtyone is a reliable SNMP community string guesser. Once it identifies the correct community string, it will display accurate fingerprinting information.

Usage :- onesixtyone -c SNMP.wordlist <IP>
Example :- onesixtyone -c dict.txt 10.1.1.175

SNMPWalk
Snmpwalk is part of the SNMP toolkit. After a valid community string is identified, you should use snmpwalk to 'walk' the SNMP Management Information Base (MIB) for further information. Ensure that you get the correct version of SNMP protocol in use or it will not work correctly. It may be a good idea to redirect the output to a text file for easier viewing as the tool outputs a large amount of text.

Usage :- snmpwalk -v <Version> -c <Community string> <IP>
Example :- snmpwalk -v 1 -c enable 10.1.1.1

Braa

braa is a mass SNMP scanner that can query a whole address range for one OID in a single run.

Usage : braa -v public@192.168.77.0-192.168.77.255:161:.1.3.6.1.2.1.1.1.0
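The password-guessing and SNMP community-guessing activity described in the two sections above leaves a recognisable trail on the device itself. The following is an added detection example, not code from the original post or from any of the tools it lists. It assumes the router exports syslog to a collector and that the IOS login enhancements (login on-failure log / login on-success log) are enabled so that %SEC_LOGIN messages are emitted; the sample log lines are constructed for the example, modelled on the IOS %SEC_LOGIN and %SNMP-3-AUTHFAIL message formats, and the window and threshold values are arbitrary choices.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample syslog lines, modelled on IOS %SEC_LOGIN and %SNMP
# messages; addresses, user names and times are made up for this example.
SAMPLE_LOG = """\
Aug 19 10:00:01 10.1.1.1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.1.1.50] [localport: 23] [Reason: Login Authentication Failed]
Aug 19 10:00:03 10.1.1.1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.1.1.50] [localport: 23] [Reason: Login Authentication Failed]
Aug 19 10:00:05 10.1.1.1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.1.1.50] [localport: 23] [Reason: Login Authentication Failed]
Aug 19 10:00:07 10.1.1.1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.1.1.50] [localport: 23] [Reason: Login Authentication Failed]
Aug 19 10:00:09 10.1.1.1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.1.1.50] [localport: 23] [Reason: Login Authentication Failed]
Aug 19 10:00:11 10.1.1.1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.1.1.50] [localport: 23] [Reason: Login Authentication Failed]
Aug 19 10:00:15 10.1.1.1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 10.1.1.50] [localport: 23]
Aug 19 10:01:02 10.1.1.1 %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 10.1.1.50
Aug 19 10:01:03 10.1.1.1 %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 10.1.1.50
Aug 19 10:01:04 10.1.1.1 %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 10.1.1.50
Aug 19 10:01:05 10.1.1.1 %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 10.1.1.50
Aug 19 10:01:06 10.1.1.1 %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 10.1.1.50
Aug 19 10:05:00 10.1.1.1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ops] [Source: 10.1.1.20] [localport: 22] [Reason: Login Authentication Failed]
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<device>\S+) "
    r"%(?P<msg>[A-Z_]+-\d-[A-Z_]+): (?P<rest>.*)$")
LOGIN_SRC_RE = re.compile(r"\[Source: ([\d.]+)\].*?\[localport: (\d+)\]")
SNMP_SRC_RE = re.compile(r"from host ([\d.]+)")


def parse_line(line):
    """Return (timestamp, device, message id, source ip, local port) for the
    login and SNMP authentication messages, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # year-less syslog stamp
    msg, rest = m.group("msg"), m.group("rest")
    if msg.startswith("SEC_LOGIN-"):
        s = LOGIN_SRC_RE.search(rest)
        return (ts, m.group("device"), msg, s.group(1), int(s.group(2))) if s else None
    if msg == "SNMP-3-AUTHFAIL":
        s = SNMP_SRC_RE.search(rest)
        return (ts, m.group("device"), msg, s.group(1), 161) if s else None
    return None


def detect_guessing(log_text, window_seconds=60, threshold=5):
    """Sliding-window count of authentication failures per (device, source).
    Raises one alert per source when failures reach the threshold, and a
    separate, higher-severity alert when a login succeeds right after a
    burst of failures (a guessing run that worked)."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # (device, source, kind) -> recent failure times
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        ts, device, msg, source, port = ev
        kind = "snmp_guessing" if msg == "SNMP-3-AUTHFAIL" else "login_guessing"
        key = (device, source, kind)
        q = recent[key]
        while q and ts - q[0] > window:      # expire failures outside the window
            q.popleft()
        if msg in ("SEC_LOGIN-4-LOGIN_FAILED", "SNMP-3-AUTHFAIL"):
            q.append(ts)
            if len(q) >= threshold and key not in alerted:
                alerted.add(key)
                alerts.append({"kind": kind, "device": device, "source": source,
                               "port": port, "count": len(q)})
        elif msg == "SEC_LOGIN-5-LOGIN_SUCCESS" and len(q) >= threshold:
            alerts.append({"kind": "login_after_guessing", "device": device,
                           "source": source, "port": port, "count": len(q)})
    return alerts


if __name__ == "__main__":
    for alert in detect_guessing(SAMPLE_LOG):
        print(alert)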

Cisco Global Exploiter (CGE)

Cisco Global Exploiter (CGE) is a small Perl script that combines 14 individual vulnerabilities that can be tested against Cisco devices. Note that these vulnerabilities represent only a specific set of Cisco products and the tool is not fully designed to address all Cisco security assessment needs.

Usage :
perl cge.pl <target> <vulnerability number>

Vulnerabilities list :
[1] - Cisco 677/678 Telnet Buffer Overflow Vulnerability
[2] - Cisco IOS Router Denial of Service Vulnerability
[3] - Cisco IOS HTTP Auth Vulnerability
[4] - Cisco IOS HTTP Configuration Arbitrary Administrative Access Vulnerability
[5] - Cisco Catalyst SSH Protocol Mismatch Denial of Service Vulnerability
[6] - Cisco 675 Web Administration Denial of Service Vulnerability
[7] - Cisco Catalyst 3500 XL Remote Arbitrary Command Vulnerability
[8] - Cisco IOS Software HTTP Request Denial of Service Vulnerability
[9] - Cisco 514 UDP Flood Denial of Service Vulnerability
[10] - CiscoSecure ACS for Windows NT Server Denial of Service Vulnerability
[11] - Cisco Catalyst Memory Leak Vulnerability
[12] - Cisco CatOS CiscoView HTTP Server Buffer Overflow Vulnerability
[13] - 0 Encoding IDS Bypass Vulnerability (UTF)
[14] - Cisco IOS HTTP Denial of Service Vulnerability

example : cge.pl 192.168.99.230 3

Connecting To The Rig 

Telnet

The telnet service on Cisco devices can authenticate users based upon a password in the config file or against a RADIUS or TACACS server. If the device is simply using a VTY configuration for Telnet access, then it is likely that only a password is required to log on.

If the device is passing authentication details to a RADIUS or TACACS server, then a combination of username and password will be required.

usage : telnet <ip>

Web Browser

HTTP/HTTPS: Web based access can be achieved via a simple web browser, as long as the HTTP administration service is active on the target device. This uses a combination of username and password to authenticate. After browsing to the target device, an "Authentication Required" box will pop up with text similar to the following:

Authentication Required
Enter username and password for "level_15_access" at http://10.1.1.1
User Name:
Password:
Once logged in, you have non-privileged mode access and can even configure the router through a command interpreter.

TFTP

Trivial File Transfer Protocol is used to back up the config files of the router. Should an attacker discover the enable password or RW SNMP community string, the config files are easy to retrieve.

Cain & Abel - Cisco Configuration Download/Upload (CCDU): given the RW community string and the version of SNMP in use, this tool can download the running-config file to your local system.

ios-w3-vuln exploits the HTTP Access Bug to 'fetch' the running-config to your local TFTP server. Both of these tools require the config files to be saved with default names.

There are ways of extracting the config files directly from the router even if the names have changed, however these are dictionary based attacks, so you are really limited by the speed of the TFTP server. Cisco-torch is one of the tools that will do this.

The relevant configuration files that control a Cisco router have already been covered in Methodology. In the child to this entry is a sample running-config file from a Cisco 2600 router running IOS version 12.2.
Configuration Files Explained

The line that reads "enable password router", where "router" is the password, is the TTY console password, which is superseded by the enable secret password for remote access.

Telnet Access. If Telnet is configured on the VTY (Virtual TTY) interface, then the credentials will be in the config file:
line vty 0 4
 password telnet
 login

SNMP Settings. If the target router is configured to use SNMP, then the SNMP community strings will be in the config file. It should have the read-only (RO) and may have the read-write (RW) strings:
snmp-server community Cisco RO
snmp-server community enable RW

Password Encryption Utilised

Enable password. The Holy Grail, the 'enable' password, the root level access to the router. There are two main methods of storing the enable password in a config file, type 5 and type 7, MD5 hashed and Vigenère encryption respectively. An example is: enable secret 5 $1$c2He$GWSkN1va8NJd2icna9TDA.

A Cisco type 7 password is a very weak password, so it should not be used anymore. However, during penetration testing we see that it is still in use, although it is no longer widespread. Type 7 should be avoided as it is extremely easy to crack; it can even be done by hand. An example type 7 password is given below (it does not exist in the example running-config file):
enable password 7 104B0718071B17
They can be cracked with the following tools:
BOSON GetPass
Cain And Abel
IBeast Online Cracker

Type 5 password protection is much more secure. However, should an attacker get hold of the configuration file somehow, then the MD5 hash can be extracted and cracked offline with the following tools:

Cain And Abel
John The Ripper (entered into a text file as follows: username:$1$c2He$GWSkN1va8NJd2icna9TDA.)
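The weaknesses this section and the earlier configuration notes describe (type 7 passwords, plaintext vty and enable passwords, default or read-write SNMP community strings, a Telnet-enabled vty, and an ACL that lets one outside host reach any internal address) can all be found by reading the saved configuration. The following is an added example of such an audit, not code from the original post or from any tool it names. The sample running-config is constructed for the example (the post's own sample config is in a separate child entry that is not reproduced here); only the two enable lines reuse the values quoted above. decode_type7 implements the publicly documented type 7 scheme (a fixed key stream XOR-ed over the password) to show concretely why the post calls it trivially reversible: the post's own example string comes back as the word "enable".

```python
import re

# Constructed sample running-config (only the two enable lines are taken from
# the post; everything else is made up for this example).
SAMPLE_CONFIG = """\
hostname edge-router
enable secret 5 $1$c2He$GWSkN1va8NJd2icna9TDA.
enable password 7 104B0718071B17
!
snmp-server community Cisco RO
snmp-server community enable RW
!
access-list 100 permit ip host 203.0.113.5 any
access-list 100 permit tcp 10.0.0.0 0.255.255.255 host 10.1.1.10 eq 80
!
line vty 0 4
 password telnet
 login
 transport input telnet
"""

# The fixed key stream behind type 7 "encryption". It is a constant of the
# algorithm, which is exactly why a type 7 string gives the password away.
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"
_DEFAULT_COMMUNITIES = {"public", "private", "cisco", "enable"}

_TYPE7_RE = re.compile(r"^(?:enable password|password|username \S+ password) 7 ([0-9A-Fa-f]+)$")
_PLAIN_RE = re.compile(r"^(?:enable password|password) (?![057] )\S+$")
_SNMP_RE = re.compile(r"^snmp-server community (\S+)(?: (RO|RW))?")
_ACL_RE = re.compile(r"^access-list \d+ permit ip (?:host \S+|\S+ 0\.0\.0\.0) any$")
_VTY_TELNET_RE = re.compile(r"^transport input (?:telnet|all)$")


def decode_type7(encoded):
    """Reverse a type 7 string: the first two digits are the starting offset
    into the key stream, each following hex pair is one XOR-ed character."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("malformed type 7 string")
    offset = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    return "".join(chr(b ^ _TYPE7_KEY[(offset + i) % len(_TYPE7_KEY)])
                   for i, b in enumerate(body))


def audit_config(text):
    """Return a list of findings for the weaknesses discussed in the post."""
    findings = []
    in_vty = False
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("!"):
            continue
        # IOS indents the commands that belong to a 'line' block; a flush-left
        # command starts a new section and therefore closes the vty block.
        if not raw.startswith(" "):
            in_vty = stripped.startswith("line vty")
        m = _TYPE7_RE.match(stripped)
        if m:
            findings.append("type 7 password '%s' is reversible: decodes to '%s'"
                            % (m.group(1), decode_type7(m.group(1))))
            continue
        if _PLAIN_RE.match(stripped):
            where = " (vty line)" if in_vty else ""
            findings.append("plaintext password in '%s' command%s"
                            % (stripped.rsplit(" ", 1)[0], where))
            continue
        if stripped.startswith("enable secret 5 "):
            findings.append("type 5 (MD5) enable secret: crackable offline if the config leaks, "
                            "so it is only as strong as the config's confidentiality")
            continue
        m = _SNMP_RE.match(stripped)
        if m:
            community, mode = m.group(1), m.group(2) or "RO"
            if mode == "RW":
                findings.append("read-write SNMP community configured (allows config download/upload)")
            if community.lower() in _DEFAULT_COMMUNITIES:
                findings.append("SNMP community '%s' is a common default/dictionary value" % community)
            continue
        if _ACL_RE.match(stripped):
            findings.append("ACL permits a single host to reach any internal address: %s" % stripped)
            continue
        if in_vty and _VTY_TELNET_RE.match(stripped):
            findings.append("vty accepts Telnet, so logins cross the network in cleartext")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print("-", finding)
```

Run against a saved running-config, the auditor produces one finding per weak line; on the constructed sample it reports all eight issues, including that the type 7 string 104B0718071B17 decodes to "enable". The type 5 line is reported as informational only, matching the post's point that the MD5 hash is safe until the file itself is exposed.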

https://www.rapid7.com/db/search?utf8=%E2%9C%93&q=cisco&t=m
https://blogs.cisco.com/security/automating-cisco-ios-vulnerability-assessment
https://www.shodan.io/explore/tag/cisco
