CISCO Testing - Further your Attack
Following is a sample running-config file from a Cisco 2600 router running IOS version
12.2.
Enable password. The Holy Grail: the 'enable' password gives root
level access to the router. There are two main methods of storing the enable
password in a config file, type 5 and type 7, MD5 hashed and Vigenère encryption
respectively.

    enable secret 5 $1$c2He$GWSkN1va8NJd2icna9TDA.

Type 7 should be avoided as it is extremely easy to crack; it can even be done
by hand! Type 7 passwords can be cracked with tools like "Cain & Abel"
(www.oxid.it) and Boson's GetPass (bosondownload.com/utils/bos_getpass.exe),
or even online at www.ibeast.com/content/tools/CiscoPassword/index.asp

An example Type 7 password is given below but does not exist in the example
running-config file:

    enable password 7 104B0718071B17

Type 5 password protection is much more secure. However, should an attacker
get hold of the configuration file somehow, then the MD5 hash can be extracted
and cracked offline with tools like "Cain & Abel". If you want to use "John The
Ripper", then the hash should be extracted and entered into a text file as
follows:

    username:$1$c2He$GWSkN1va8NJd2icna9TDA.

The line that reads "enable password router", where "router" is the password,
is the TTY console password, which is superseded by the enable secret password
for remote access.

SNMP Settings. If the target router is configured to use SNMP, then the SNMP
community strings will be in the config file. It should have the read-only (RO)
and may have the read-write (RW) strings.

    snmp-server community Cisco RO
    snmp-server community enable RW

Telnet Access. If telnet is configured on the VTY (Virtual TTY) interface,
then the credentials will be in the config file:

    line vty 0 4
     password telnet
     login

S A M P L E

!
version 12.2
service config
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname vapt-router
!
logging queue-limit 100
enable secret 5 $1$c2He$GWSkN1va8NJd2icna9TDA.
enable password router
!
memory-size iomem 10
ip subnet-zero
no ip routing
!
!
!
ip audit notify log
ip audit po max-events 100
!
!
!
!
!
!
!
!
!
!
!
!
no voice hpi capture buffer
no voice hpi capture destination
!
!
mta receive maximum-recipients 0
!
!
!
!
interface Ethernet0/0
 ip address 10.1.1.175 255.255.255.0
 no ip route-cache
 no ip mroute-cache
 half-duplex
!
interface Serial0/0
 no ip address
 no ip route-cache
 no ip mroute-cache
 shutdown
!
ip http server
no ip http secure-server
ip classless
!
!
!
!
snmp-server community Cisco RO
snmp-server community enable RW
snmp-server enable traps tty
call rsvp-sync
!
!
mgcp profile default
!
dial-peer cor custom
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 password telnet
 login
!
!
end

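
For reviewing a saved running-config from the defender's side, the following added example (not code from the original page) flags the credential-bearing lines discussed above. The rule list, the audit() function and the embedded sample config are constructed for illustration and assume IOS-style one-space indentation under "line" sections.

```python
import re

# Constructed sample input, mirroring the lines this page discusses.
SAMPLE_CONFIG = """\
no service password-encryption
enable secret 5 $1$c2He$GWSkN1va8NJd2icna9TDA.
enable password router
ip http server
snmp-server community Cisco RO
snmp-server community enable RW
line vty 0 4
 password telnet
 login
end
"""

# (pattern, finding) pairs; matched against each stripped config line.
RULES = [
    (r"^no service password-encryption$", "line passwords are stored in cleartext"),
    (r"^enable password 7 \S+$", "enable password uses reversible type 7 encoding"),
    (r"^enable password (?!7 )\S+$", "enable password is stored in cleartext"),
    (r"^enable secret 5 \S+$", "type 5 (MD5) hash can be attacked offline if the config leaks"),
    (r"^snmp-server community \S+ RW\b", "read-write SNMP community string present"),
    (r"^snmp-server community \S+ RO\b", "read-only SNMP community string present"),
    (r"^ip http server$", "unencrypted HTTP management server enabled"),
]

def audit(config):
    """Return a list of (line_number, section, finding) for risky lines."""
    findings, section = [], None
    for num, raw in enumerate(config.splitlines(), start=1):
        line = raw.strip()
        if raw and not raw[0].isspace():
            # A non-indented line is a global command or opens a new section.
            section = line if line.startswith("line ") else None
        for pattern, finding in RULES:
            if re.search(pattern, line):
                findings.append((num, "global", finding))
        # Password set directly under a VTY line: remote login credential in the file.
        if section and section.startswith("line vty"):
            m = re.match(r"password (?:(7) )?\S+$", line)
            if m:
                kind = "type 7" if m.group(1) else "cleartext"
                findings.append((num, section, f"VTY login password stored as {kind}"))
    return findings

if __name__ == "__main__":
    for num, section, finding in audit(SAMPLE_CONFIG):
        print(f"line {num:>3} [{section}] {finding}")
```
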
To receive your CISCO Vulnerability Assessment, please submit your payment of $1999.00. If more than 100 miles of travel will be required, the additional cost will be billed separately.