Follow us on Twitter!
The measure of a mans life is not how well he dies, but how well he lives.
Friday, April 25, 2014
Navigation
Home
HellBoundHackers Main:
HellBoundHackers Find:
HellBoundHackers Information:
Learn
Communicate
Submit
Shop
Challenges
HellBoundHackers Exploit:
HellBoundHackers Programming:
HellBoundHackers Think:
HellBoundHackers Track:
HellBoundHackers Patch:
HellBoundHackers Other:
HellBoundHackers Need Help?
Other
Members Online
Total Online: 20
Guests Online: 17
Members Online: 3

Registered Members: 82906
Newest Member: ilija
Latest Articles

Cisco any one?

Arrow Image Routers and Switches.....I would rather own them, than just pass through



I have replaced all passwords with “HACK” and all IPs with 127.0.0.1

So you scan a subnet and discover the names of various devices. Maybe you see some PCs, a couple boxes running Windows servers, maybe a managed VOIP gateway…ok, cool, you can mess with some e-mail, perform a DoS on their phones, if you know what you are doing, you could throw a sniffer in there. But…you are in..wouldnt you rather just….own..the entire network? Well, when you did your sweep, did you see anything devices with names containing Rt? Router? Switch? Sw?.. no? see a couple blank spaces? Try an SNMP sweep (Simple Network Management Protocol). Are they there now? Say, you see something that looks like this;

companySw1
or
companyRt

These are going to be switches and routers, and more often than not, they will be made by Cisco. The lifeblood of the network, every device has to pass through these at some point in time. If you see multiple switches or routers, they will most likely be numbered. Look for Rt1 or Sw1, these are their core devices. The first router will be the network gateway, and Sw1 will be their tier 1 (core) switch, plugged directly into the core router, with all other switches, routers, and servers, most likely plugged into this switch. Also, the core router, or gateway, may either be in front of, or behind the firewall.

There are a couple ways of validating your findings. You can try a simple telnet and you may recognize the banner and login screen. Brute-forcing this is a pain in the ass, even more so if it asks for a username. If it asks for a username, it is running aaa authentication, and in large networks, it will be authenticating users to a aaa server (this server can log every command entered into the device, this is why we don’t brute-force)

However, net admins usually dont want people telnetting into their boxes, so this may be turned off. Also, they may have just never been configured with the ability to telnet, because a lot of admins don’t like typing “telnet”…no, they prefer the programs with big, pretty buttons. SO….what are we going to do? We are going to pull out OUR programs with the big, pretty buttons. What happens when you type the devices I.P. in your IE or Firefox? Well, if you get a login prompt that says “Enter username and password for “level 15 access” at http://127.0.0.1” then bingo. Some of the old Cisco firmware even had a vulnerability, that allowed you to enter a certain long URL and simply see the entire config file without even logging in (hint: it ended with level99/exec) but Ive yet to be concerned with a switch that has an admin that stupid and firmware that outdated.

Alright, time to stop yapping and cut to the chase, right? Ok, either by logic or a hunch, we have determined that this device is, in fact, Cisco. This is where the beauty of SNMP (that neglected little protocol) comes into play. Devices such as routers and switches have what is called an “SNMP community string.” This is a password, so to speak, that allows an admin to use programs such as Putty or SolarWinds to upload and download the entire config file with the push of a button…their only authentication being this one (typically simple) community string. THIS is the password you want to brute-force…not the passwords at a telnet attempt. To do so, I prefer my CATV engineers edition of solar winds….sorry, it isnt exactly freeware.

Now that we have this community string, what are we going to do with it? Enter the IP and community string into Putty, and download the config file, of course. The first thing you are going to do is take a look somewhere near the end of the file and look for something like this

snmp-server community HACK RW

If it were to say HACK RO, this means you have read-only rights, and will need to look next to it for the RW string (read/write). Ok, you have the string with read/write permissions. You can now change anything in that config file. To make a change don’t just delete the line you want out of there and upload your modified file. Instead just type “no” in front of the line you want removed. For example…..

I’m in a box that had that pesky aaa authentication and I see these lines near the top of the file

enable secret 5 $1$i/Q5$2yjHKGuGOIkje2J38JHn
enable password 7 84726H6BHLJ7H5V91B
!
username HACK privilege 15 password 7 84726H6BHLJ7H5V91B
aaa new-model
aaa authentication login vty-in group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
aaa session-id common

and I see these lines near the bottom of the config file

snmp-server host 127.0.0.1 admin
tacacs-server host 127.0.0.1
no tacacs-server directed-request
tacacs-server key 7 84726H6BHLJ7H5V91BJKRI9
radius-server source-ports 5555-5555
!

Well, personally I would get rid of every line on their minus the ones with the password hashes, for example;

no aaa new-model

and so on… And OOPS, the aaa server is no longer receiving our logs

the hashes with the 7 in front of them can be cracked with a simple Cisco decoder. The hashes with a 5 in front are MD5 (funny…Cain & Abel comes with a function just for Cisco MD5) Of course, you could always just type a “no” in front of the password lines then set your own, or you could leave it and set your own username and pass (there can be as many as you want at one time), or…well, you get the point…Cisco is pretty simple.

Naturally, you are going to want to give yourself another option to get back in the box (if you havent had your fill) so if telnet isn’t already available, we will make it available. Type this and upload…

line vty 0 15
password “yourpasswordgoeshere”

Voila, you can now telnet into it. And Voila, you now own the entire network, you can shut down or open up ports, and can see traffic from every single device on that network….get creative.

Tips & Tricks

Different versions of firmware have slight differences in syntax, you may need to add or remove a hyphen or backslash in your commands.

If you need a list of commands type “?” probably want to learn some cisco before you start, though.

It is much easier to perform a “Password Recovery” if you are standing next to the box.

If the admin left multiple passwords on the switch or router, you can add multiple telnet lines, i.e. line vty 0 15…line vty 1 15…line vty 2 15…etc, and paste a different one of his password on each line…thus resulting in a login looking for a different pass each time (sick humor).

This is how I would perform the whole thing I just explained in about 1000 words…

Find device.
Find community string.
Download config
FIRST upload ONLY the changes to remove aaa authentication.
Then upload changes to add telnet lines including any password changes.

Then….the grand finale…

Analyze config file write a text docu<i></i>ment including all commands I wish to perform, including entering and exiting “config t” and other modes and interfaces, in the proper sequence...of course with the command sequence to clear any logs, just before the exit commands are issued. Then copy the text, telnet into the device, paste the text into your telnet session and watch the magic.

This has been for educational purposes only…comments and suggestions would be appreciated… take it easy.

Comments

Xer0Xon April 28 2006 - 23:54:12
Finally some good articles. Nice job. Also, just for anyone interested, china has a LOT of cisco and usr routers with default passwords, you could use this with the nmap switch to scan a range of ips. Just a thought. Oh, and http://www.phenoelit.de/dpl/dpl.html
SwiftNomadon April 29 2006 - 00:51:57
oh wow. Really good read and I actually because interested. Good post man. A++
willeHon April 29 2006 - 16:02:31
Nice article, got me interested Smile
Post Comment

Sorry.

You must have completed the challenge Basic 1 and have 100 points or more, to be able to post.