CISCO Testing - Further your Attack

The sample running-config file at the end of this page is from a Cisco 2600 router running IOS version 12.2. The sections below pick out the lines in it that hold credentials.

Enable password.
The Holy Grail: the 'enable' password gives root-level access to the router. There are two main methods of storing the enable password in a config file: type 5, which is MD5 hashed, and type 7, which uses Vigenère encryption.
enable secret 5 $1$c2He$GWSkN1va8NJd2icna9TDA.

Type 7 should be avoided as it is extremely easy to crack; it can even be done by hand! Type 7 passwords can be cracked with tools like "Cain & Abel" (www.oxid.it) and Boson's GetPass (bosondownload.com/utils/bos_getpass.exe), or even online at www.ibeast.com/content/tools/CiscoPassword/index.asp

An example Type 7 password is given below but does not exist in the example running-config file:
enable password 7 104B0718071B17

Type 5 password protection is much more secure. However, should an attacker get hold of the configuration file somehow, then the MD5 hash can be extracted and cracked offline with tools like "Cain & Abel". If you want to use "John the Ripper", then the hash should be extracted and entered into a text file as follows:
username:$1$c2He$GWSkN1va8NJd2icna9TDA.

The line that reads "enable password router", where "router" is the password, is the TTY console password, which is superseded by the enable secret password for remote access.




SNMP Settings.
If the target router is configured to use SNMP, then the SNMP community strings will be in the config file. The file should contain the read-only (RO) string and may contain the read-write (RW) string.
snmp-server community Cisco RO
snmp-server community enable RW



Telnet Access.
If telnet is configured on the VTY (Virtual TTY) interface, then the credentials will be in the config file:
line vty 0 4
password telnet
login

Sample running-config.
!
version 12.2
service config
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname vapt-router
!
logging queue-limit 100
enable secret 5 $1$c2He$GWSkN1va8NJd2icna9TDA.
enable password router
!
memory-size iomem 10
ip subnet-zero
no ip routing
!
!
!
ip audit notify log
ip audit po max-events 100
!
!
!
!
!
!
!
!
!
!
!
!
no voice hpi capture buffer
no voice hpi capture destination
!
!
mta receive maximum-recipients 0
!
!
!
!
interface Ethernet0/0
ip address 10.1.1.175 255.255.255.0
no ip route-cache
no ip mroute-cache
half-duplex
!
interface Serial0/0
no ip address
no ip route-cache
no ip mroute-cache
shutdown
!
ip http server
no ip http secure-server
ip classless
!
!
!
!
snmp-server community Cisco RO
snmp-server community enable RW
snmp-server enable traps tty
call rsvp-sync
!
!
mgcp profile default
!
dial-peer cor custom
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
password telnet
login
!
!
end
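
As an added example (not part of the original page), the Python script below audits a config for the credential lines discussed in the Enable password, SNMP Settings and Telnet Access sections, so exposed secrets can be found and fixed before a config copy leaks. The function name `audit_config`, the rule ids and the severity labels are this example's own choices, and it assumes `!` lines separate config sections.

```python
import re

# Excerpt of this page's sample config plus the page's separate type 7 example line.
SAMPLE = """\
no service password-encryption
enable secret 5 $1$c2He$GWSkN1va8NJd2icna9TDA.
enable password router
enable password 7 104B0718071B17
!
snmp-server community Cisco RO
snmp-server community enable RW
!
line vty 0 4
password telnet
login
"""

# (rule id, severity, pattern, finding); ids and severities are this example's own labels.
RULES = [
    ("no-password-encryption", "medium", r"^no service password-encryption$",
     "line and 'enable password' values are kept in clear text"),
    ("type7-password", "high", r"^(?:enable )?password 7 \S+$",
     "type 7 is trivially reversible; use 'enable secret' instead"),
    ("plaintext-password", "high", r"^(?:enable )?password (?!7 )\S+$",
     "password is readable by anyone who obtains the config"),
    ("type5-secret", "info", r"^enable secret 5 \S+$",
     "MD5 hash can be attacked offline; restrict access to config copies"),
    ("snmp-rw-community", "high", r"^snmp-server community \S+ RW$",
     "read-write community string is stored in the config"),
    ("snmp-ro-community", "medium", r"^snmp-server community \S+ RO$",
     "read-only community string is stored in the config"),
]

def audit_config(text):
    """Return (line_no, context, rule_id, severity, finding) for every rule hit."""
    findings, context = [], "global"
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        # Track which block a password belongs to: 'line ...' opens one, '!' closes it.
        if line == "!" or line.startswith("line "):
            context = "global" if line == "!" else line
        for rule_id, severity, pattern, finding in RULES:
            if re.match(pattern, line):
                findings.append((no, context, rule_id, severity, finding))
    return findings

if __name__ == "__main__":
    for no, ctx, rule_id, sev, finding in audit_config(SAMPLE):
        print(f"line {no:>2} [{ctx}] {sev:<6} {rule_id}: {finding}")
```

The context column shows whether a flagged password belongs to the global config or to a specific `line` block such as the VTY lines.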

COPYRIGHT (C) 2000 - 2011 InfoSecPro.com ALL RIGHTS RESERVED