1. External Penetration Testing
  1. Penetration Testing of Windows

  2. Self-testing Security

  3. Laptop Hacking

2. Enterprise Penetration Testing
  1. Penetration Testing of your VPN

  2. Domain Controller Penetration Testing

  3. Tools; Metasploit

  4. Choosing a penetration Testing Supplier

3. CISCO Penetration Testing
  1. CISCO Penetration Testing

  2. Scan & Fingerprint

  3. Credentials Guessing

  4. Connect

  5. Vulnerability Assessment

  6. Further your attack

  7. CISCO Command Refference

CISCO Penetration Testing - Connecting

  • Telnet
  • The telnet service on Cisco devices can authenticate users based upon a password in the config file or against a RADIUS or TACACS server.

    If the device is simply using a VTY configuration for Telnet access, then it is likely that only a password is required to log on.

    If the device is passing authentication details to a RADIUS or TACACS server, then a combination of username and password will be required.

    telnet <IP>

    • VTY configuration:
    • BT / # telnet
      Connected to
      Escape character is '^]'.

      User Access Verification


    • External authentication server:
    • BT / # telnet
      Connected to
      Escape character is '^]'.

      User Access Verification
      Username: admin

  • SSH
    • Web Browser

      Web based access can be achieved via a simple web browser, as long as the HTTP adminstration service is active on the target device.

      This uses a combination of username and password to authenticate. After browsing to the target device, an "Authentication Required" box will pop up with text similar to the following:

      Authentication Required
      Enter username and password for "level_15_access" at
      User Name:

      Once logged in, you have non-privileged mode access and can even configure the router through a command interpreter.

      Cisco Systems
      Accessing Cisco 2610 "router"

      Show diagnostic log - display the diagnostic log.
      Monitor the router - HTML access to the command line interface at level 0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15

      Show tech-support - display information commonly needed by tech support.
      Extended Ping - Send extended ping commands.

      VPN Device Manager (VDM) - Configure and monitor Virtual Private Networks (VPNs) through the web interface.

    • TFTP
    • Trivial File Transfer Protocol is used to back up the config files of the router. Should an attacker discover the enable password or RW SNMP community string, the config files are easy to retrieve.

      "Cain & Abel" (www.oxid.it) has a CCDU tab, Cisco Configuration Download/Upload. With this tools, along with the RW community string and the version of SNMP in use, the running-config file is downloaded to your local system.

      ios-w3-vuln exploits the HTTP Access Bug to 'fetch' the running-config to your local TFTP server. Both of these tools require the config files to be saved with default names.

      There are ways of extracting the config files directy from the router even if the names have changed, however you are really limited by the speed of the TFTP server to dictionary based attacks. Cisco-torch is one of the tools that will do this. It will attempt to retrieve config files listed in the brutefile.txt file.

      BT cisco-torch-0.4b # cisco-torch.pl
      Using config file torch.conf...
      Loading include and plugin ...
      usage: ./cisco-torch.pl <options> <IP,hostname,network>

      or: ./cisco-torch.pl <options> -F <hostlist>

      Available options:
      -O <output file>
      -A All fingerprint scan types combined
      -t Cisco Telnetd scan
      -s Cisco SSHd scan
      -u Cisco SNMP scan
      -g Cisco config or tftp file download
      -n NTP fingerprinting scan
      -j TFTP fingerprinting scan
      -l <type> loglevel
      c critical (default)
      v verbose
      d debug
      -w Cisco Webserver scan
      -z Cisco IOS HTTP Authorization Vulnerability Scan
      -c Cisco Webserver with SSL support scan
      -b Password dictionary attack (use with -s, -u, -c, -w , -j or -t only)
      -V Print tool version and exit
      examples: ./cisco-torch.pl -A
      ./cisco-torch.pl -s -b -F sshtocheck.txt
      ./cisco-torch.pl -w -z
      ./cisco-torch.pl -j -b -g -F tftptocheck.txt

To receive your CISCO configuration support , please submit your payment of $1999.00 If more than 100 miles of travel will be required, the additional cost will be billed separatelly.

Business Name:
Contact Information:
Email Address:
URL or IP address:

Other members of our business group:

COPYRIGHT (C) 2000 - 2011 InfoSecPro.com ALL RIGHTS RESERVED