CISCO Penetration Testing - Connecting
- Telnet
The telnet service on Cisco devices can authenticate users based upon a password in the config file or against a RADIUS or TACACS server.
If the device is simply using a VTY configuration for Telnet access, then it is likely that only a password is required to log on.
If the device is passing authentication details to a RADIUS or TACACS server, then a combination of username and password will be required.
    telnet <IP>
- VTY configuration:
    BT / # telnet 10.1.1.175
    Trying 10.1.1.175...
    Connected to 10.1.1.175.
    Escape character is '^]'.

    User Access Verification

    Password:
    router>
- External authentication server:
    BT / # telnet 10.1.1.175
    Trying 10.1.1.175...
    Connected to 10.1.1.175.
    Escape character is '^]'.

    User Access Verification

    Username: admin
    Password:
    router>
- SSH
- Web Browser
HTTP/HTTPS web-based access can be achieved via a simple web browser, as long as the HTTP administration service is active on the target device.
This uses a combination of username and password to authenticate. After browsing to the target device, an "Authentication Required" box will pop up with text similar to the following:
    Authentication Required
    Enter username and password for "level_15_access" at http://10.1.1.1
    User Name:
    Password:
Once logged in, you have non-privileged mode access and can even configure the router through a command interpreter.
    Cisco Systems
    Accessing Cisco 2610 "router"

    Show diagnostic log - display the diagnostic log.
    Monitor the router - HTML access to the command line interface at level 0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15
    Show tech-support - display information commonly needed by tech support.
    Extended Ping - Send extended ping commands.
    VPN Device Manager (VDM) - Configure and monitor Virtual Private Networks (VPNs) through the web interface.
- TFTP
Trivial File Transfer Protocol is used to back up the config files of the router. Should an attacker discover the enable password or RW SNMP community string, the config files are easy to retrieve.
"Cain & Abel" (www.oxid.it) has a CCDU tab, Cisco Configuration Download/Upload. With this tool, along with the RW community string and the version of SNMP in use, the running-config file is downloaded to your local system.
ios-w3-vuln exploits the HTTP Access Bug to 'fetch' the running-config to your local TFTP server. Both of these tools require the config files to be saved with default names.
There are ways of extracting the config files directly from the router even if the names have changed; however, you are limited to dictionary-based attacks, which run only as fast as the TFTP server responds. Cisco-torch is one of the tools that will do this. It will attempt to retrieve config files listed in the brutefile.txt file.
    BT cisco-torch-0.4b # cisco-torch.pl
    Using config file torch.conf...
    Loading include and plugin ...
    version
    usage: ./cisco-torch.pl <options> <IP,hostname,network>
    or: ./cisco-torch.pl <options> -F <hostlist>

    Available options:
    -O <output file>
    -A All fingerprint scan types combined
    -t Cisco Telnetd scan
    -s Cisco SSHd scan
    -u Cisco SNMP scan
    -g Cisco config or tftp file download
    -n NTP fingerprinting scan
    -j TFTP fingerprinting scan
    -l <type> loglevel
       c critical (default)
       v verbose
       d debug
    -w Cisco Webserver scan
    -z Cisco IOS HTTP Authorization Vulnerability Scan
    -c Cisco Webserver with SSL support scan
    -b Password dictionary attack (use with -s, -u, -c, -w , -j or -t only)
    -V Print tool version and exit

    examples:
    ./cisco-torch.pl -A 10.10.0.0/16
    ./cisco-torch.pl -s -b -F sshtocheck.txt
    ./cisco-torch.pl -w -z 10.10.0.0/16
    ./cisco-torch.pl -j -b -g -F tftptocheck.txt
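The access paths covered on this page (password-only Telnet on VTY lines, the HTTP administration service, and an RW SNMP community string that lets the config be pulled over TFTP) all show up in the device's own configuration, so they can be checked for before a tester finds them. The Python script below is an added example, not part of the original page or of any tool it mentions; the sample config, the function name audit_ios_config and the finding texts are constructed for illustration.

```python
import re

# Constructed sample running-config (not taken from any real device).
SAMPLE_CONFIG = """\
hostname router
!
ip http server
snmp-server community s3cr3t RW
snmp-server community monitor RO 10
!
line vty 0 4
 password cisco123
 login
 transport input telnet ssh
line vty 5 15
 login local
 transport input ssh
"""

def audit_ios_config(text):
    """Return (line_number, finding) tuples for the access paths described above."""
    findings = []
    aaa = re.search(r"^aaa new-model", text, re.M) is not None
    vty = None  # the 'line vty ...' block currently being read, if any
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not raw.startswith(" "):  # any top-level command closes a line block
            vty = line if line.startswith("line vty") else None
        if line == "ip http server":
            findings.append((n, "HTTP administration service enabled"))
        # Simple form only: community string, RW, optional access list.
        m = re.fullmatch(r"snmp-server community \S+ RW(?: (\S+))?", line, re.I)
        if m and not m.group(1):
            findings.append((n, "RW SNMP community with no access list"))
        if vty and line == "login" and not aaa:
            findings.append((n, f"{vty}: password-only login, no username"))
        if vty and line.startswith("transport input"):
            if {"telnet", "all"} & set(line.split()[2:]):
                findings.append((n, f"{vty}: Telnet permitted"))
    return findings

if __name__ == "__main__":
    for n, finding in audit_ios_config(SAMPLE_CONFIG):
        print(f"line {n}: {finding}")
```

A configuration that uses `aaa new-model`, `ip http secure-server` and `transport input ssh` on every VTY line produces no findings from this check.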