XxthugstylezxX

Cisco router question

18 posts in this topic

So I got a new job as an intern at an engineering firm. They told me to prove myself on their IT staff, so that's exactly what I plan to do.

I tried telnetting to their routers, both the ISP one and the internal one. Both were open, but both had passwords. I was wondering if there is an exploit out there to bypass the telnet password on a Cisco router, or any other method. I was kind of challenged already by the guy that set the router up. He said, and I quote, "prove yourself, you haven't even changed the router banner yet."

Secondly, while I'm on the subject, I've also decided to do a little pen-testing. They don't have too strict security policies at all, but enough to keep someone like me from doing damage. What are some common pen-testing techniques to play with? I'm not looking for your basic nmap, footprinting, etc. I want something juicy that will make them say wow. Any ideas?


There are exploits for Cisco routers, but what IOS are they running? You also should make sure you have some kind of terms of engagement. Even if they verbally told you it is OK, they would deny that later without having anything in writing.

There are exploits for Cisco routers, but what IOS are they running? You also should make sure you have some kind of terms of engagement. Even if they verbally told you it is OK, they would deny that later without having anything in writing.

Wish I knew what IOS they were running. Unfortunately I cannot get that information without logging in. I've talked with the guy a few times about it jokingly. He knows what I'm up to and, to be honest, he doesn't seem to care at all. For instance, I downloaded the adminpak from Microsoft to see if I could change anything in Active Directory or anything else. I showed him and he was pretty impressed with it all. Nothing major, I know, but nonetheless it's an example of why I don't think this is going to reflect on my job, given I don't do anything destructive. Heck, maybe they might even let me start locking things down around here better.


Keep trying to find out the IOS. Not too long ago I had a week of work experience at BT in the Global Services section, who deal exclusively with Cisco routers.

At the end of the week the people I had been working with were nice enough to literally hand me over dozens of Cisco service manuals, config files, staff tutorials, and a few Cisco exam cram questions. I'd be more than happy to give you any help if I can dig out anything that applies.

I might be wrong, but doesn't nmap pump out a guess at the IOS if you scan it? :huh:

Keep trying to find out the IOS. Not too long ago I had a week of work experience at BT in the Global Services section, who deal exclusively with Cisco routers.

At the end of the week the people I had been working with were nice enough to literally hand me over dozens of Cisco service manuals, config files, staff tutorials, and a few Cisco exam cram questions. I'd be more than happy to give you any help if I can dig out anything that applies.

I might be wrong, but doesn't nmap pump out a guess at the IOS if you scan it? :huh:

Actually it does, I just realized that too. So that's my first line of attack, I think. All I'm really trying to accomplish is to change the banner. Lol, I told the admin to be on the lookout over the weekend for the change. He chuckled at me.


It's not always the most streamlined way to do things, but I assume that since you work for them you should have limited physical access to the router?

Even if you don't physically hook yourself up to an Ethernet jack, getting a glance at the internal router set-up should give you a better idea of what you're up against.

You said they don't have strict security policies.. if that's the type of management they're suited to, you might be safe to assume that they use a less-updated IOS than the ones currently available.


You could say ..

Run nmap, see if snmp, http or other useful interfaces are up, otherwise you are going to have to telnet or try one of the routing/routed protocol exploits that let you run code locally or dump memory (like say.. the password hash ;))

Might want to focus on ipv6 as most anything else should have been patched long ago.

If you thought you could pull it off:

- find a largely unused router/switch, power it down and unplug the network cables but keep the correct order

- plug in a console and boot in to rommon, set it to ignore the init config and reboot

- load the config and dump the pass hashes, reboot without saving

- load rommon again, set it to use the init config

- plug the cables back in and restart a final time

Note: if they are running TACACS, monitoring with OpenView/etc. or have logging enabled - this is not recommended!!

I would look around for retired routers/switches not in production that might still have configs or search for configs stored on the network/tapes/printouts/etc.

If they aren't running tacacs/other and logging isn't going on then throwing together a simple perl script to brute some of the routers/switches or using an existing script might do the job.

------

If you don't get in - or even better, if you don't try in the first place, show them your script and how you would/could have got in.

Avoids any messy legal issues / implication of guilt / breaching company policy /etc , and shows more thought on your part.

- Cobble net-snmp, net-ssh, lwp and any number of the console modules into your own easily customizable brute-forcer.

- Diff join a few of the common wordlists out on the net with a grepper that grabs words to try from their corporate website and docs/pdfs/txt/etc.

- Create/port a framework for exploits and rewrite any exploit you come across to work within your framework (and credit the original author).

- If you have the time/effort you could throw in cam table overflows, poisoning, double encapsulation and whatever else you come across.

There are some interesting exploits but you should really stick to the privilege escalation and keep any denial of service stuff out of the copy you show them. :P

It's really all been done before but showing them someone else's code isn't going to get you a job or impress anyone, whereas writing your own provides good practice and proves you have something more to offer than point and click kiddie-ism; especially if it is clean, well documented, well thought out and easy to read and update.


If the sysadmins use telnet to administer their routers, you could simply use APR to sniff the password(s). Unless they have an IDS running?


gee...

Are you officially allowed to do that? Any contract to prove so? Such a "mission" usually stinks, esp. in case things go bad (yeah, Nessus rocks, blabla, you just click and go and the whole LAN just gets flooded). Same thing for the ISP, who *owns* the router and might well get upset by your attacks (not mentioning worse behaviours I've seen in the past). So, in this field, I'd say the key thing is to cover your ass.

Then, yeah, scan the routers for common services: SNMP (there are exploits out there, you can find unprotected communities, you can attack others), web interface (default passwords are listed on pheno's web), bf the telnet console, dsniff all traffic locally for credentials, poison switches with whatever tool you find out there.

Check for trust relationships between systems, find out where the admins work, what they use to connect to other systems, look for unprotected shares (IT policies, procedures, documents, etc.) and do some data-mining to find passwords. Scan Unix boxes, some might be outdated because of portability issues, old exploits might run (sadmind, Solaris telnet or whatever).

Look for hosts with multiple interfaces, they might allow you to bypass internal firewalls, if any. Search for the backup subnet, if any.

Scan user boxes for exploits, check their level of updates and use any windows exploit out there, scan for databases on the lan (mssql default sa login, oracle web interface, etc), grab mail folders and personal documents to find passwords...

For a complete public pentesting methodology, see http://www.vulnerabilityassessment.co.uk/P...ion%20Test.html


As long as I don't do anything destructive they would not care. I've already tested that theory by trying to access Active Directory with adminpak. The only thing I'm looking to accomplish is to change the banner when you telnet to the router. I think I'll start with nmapping the router and then, if need be, scripting a Perl script to brute force it. I already made some suggestions about the password attempt amount, as it's set to 3 tries and then it boots you. However, it does not time you out, so after 3 tries you log back in and try again. Thanks for all the information guys, this should be a fun venture. I'll let you guys know how it goes.

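The lockout described in the post above (three failures, then the session is dropped, no timeout) only costs an automated attacker a reconnect, so the defender's counter is to count failures per source across sessions. An added example, not from the thread: a sliding-window detector run over constructed log lines written in the style of Cisco IOS login-failure syslog (the exact message format is assumed; real output may differ).

```python
import re
from collections import defaultdict, deque
from datetime import datetime
# Constructed sample in a Cisco IOS 'login on-failure log' style (exact format assumed):
# one source fails six times across two "three tries, then dropped" sessions, another once.
SAMPLE_LOG = """\
Mar 10 22:01:05 rtr1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.1.1.50] [localport: 23]
Mar 10 22:01:09 rtr1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.1.1.50] [localport: 23]
Mar 10 22:01:12 rtr1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.1.1.50] [localport: 23]
Mar 10 22:01:20 rtr1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.1.1.50] [localport: 23]
Mar 10 22:01:23 rtr1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.1.1.50] [localport: 23]
Mar 10 22:01:27 rtr1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.1.1.50] [localport: 23]
Mar 10 22:05:40 rtr1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: tim] [Source: 10.1.1.7] [localport: 23]
Mar 10 22:05:58 rtr1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: tim] [Source: 10.1.1.7] [localport: 23]
"""
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ %SEC_LOGIN-4-LOGIN_FAILED: .*"
    r"\[user: (?P<user>[^\]]+)\] \[Source: (?P<src>[^\]]+)\]"
)

def parse_failures(text, year=2007):
    """Return [(timestamp, source_ip, user)] for every failed-login line.
    Syslog carries no year, so one is assumed (the constructed data uses 2007)."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            out.append((ts, m["src"], m["user"]))
    return out

def find_bruteforcers(text, max_failures=3, window_s=120):
    """Map source_ip -> peak failures seen inside a sliding window_s-second window,
    for sources exceeding max_failures. The window spans sessions, so
    'three tries, drop, reconnect' still trips the threshold."""
    recent = defaultdict(deque)
    hits = {}
    for ts, src, _user in parse_failures(text):
        q = recent[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) > max_failures:
            hits[src] = max(hits.get(src, 0), len(q))
    return hits

if __name__ == "__main__":
    for src, n in find_bruteforcers(SAMPLE_LOG).items():
        print(f"ALERT {src}: {n} failed logins in 120s; per-session lockout alone missed it")
```

On the device itself the matching fix is the IOS `login block-for <seconds> attempts <n> within <seconds>` command together with `login on-failure log`, which makes the router enforce a real quiet period and emit the failure records a detector like this consumes.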

Using the 'banner' command is straightforward enough.

Got any ideas on what you're going to replace the banner with? I would go with either a meaningful quote or a joke of some sort.


Well, the admin who put the original banner up is named Tim, so I figured I'd put something like "Tim got 0wned!" Then again, that only shows my immaturity, hehe. A good quote would be good too, though. Who knows, maybe even some ASCII art. Put up "Now property of BinRev" =p


To be honest... there are reasons why it's secured.

Since you are an intern with supposedly "authorization" to "hack" the network, you should look at all aspects. Not simply network attacks but physical attacks.

Familiarize yourself with the network topology and the physical layout of the network. Use MRTG to monitor SNMP load across the network links so you can find where you can wedge in a "downtime" window.

Then for your endgame: get a console cable and physical access to a router that won't be missed for a few minutes. It's likely it could be dismissed by ping scans/Nagios as network latency/noise. Use the techniques described here: http://www.cisco.com/warp/public/474/index.shtml. Capture the config file from the NVRAM and reboot it. Then brute-force the password hashes enclosed in it for secret and enable. Chances are the password is the same across the infrastructure. Log in, change the banner and be done with it. Trying to brute force SNMP r/w management would take forever.

If anything, you'll be able to find out what the exact version of IOS is running on the boot banner with a console cable. That would at least point the way to some exploits if there are any.

-jf

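Both the rommon walkthrough earlier in the thread and the post above rest on what a saved IOS config gives away: 'enable password' and type 7 strings are reversible obfuscation rather than hashes, telnet on the vty lines puts the credentials on the wire in clear, and with no lockout a dropped session is just a reconnect. Added as an example, not code from the thread: a small audit the admins could run over a saved config to flag those settings. Both configs are constructed and every hash is a dummy placeholder.

```python
import re

# Constructed config with the thread's problems: type 7 passwords in the saved config,
# telnet on the vty lines, a read-write SNMP community, no lockout. Hashes are dummies.
WEAK_CONFIG = """\
service password-encryption
enable password 7 0822455D0A16
username tim password 7 094F471A1A0A
snmp-server community private RW
line vty 0 4
 password 7 104D000A0618
 login
 transport input telnet
"""

# The same device after hardening (secret hashes are again dummy placeholders).
HARDENED_CONFIG = """\
login block-for 120 attempts 3 within 60
login on-failure log
enable secret 5 $1$xxxx$PLACEHOLDERHASH
username tim secret 5 $1$yyyy$PLACEHOLDERHASH
snmp-server community ro-only RO
line vty 0 4
 login local
 transport input ssh
"""

# (regex, finding) pairs applied to each config line.
CHECKS = [
    (r"^enable password\b", "enable password (not enable secret): reversible or plaintext"),
    (r"\bpassword 7 ", "type 7 password: reversible obfuscation, not a hash; use 'secret'"),
    (r"^\s*(username \S+ )?password (?![5-9] )\S", "type 0 password stored in plaintext"),
    (r"^\s*transport input (telnet|all)\b", "telnet on vty: credentials cross the wire in clear"),
    (r"^snmp-server community \S+ RW\b", "read-write SNMP community"),
]

def audit_config(text):
    """Return [(line_no, finding)]; line_no 0 marks a whole-config finding."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for pattern, msg in CHECKS:
            if re.search(pattern, line):
                findings.append((n, msg))
    # Without login block-for, a failure only drops the session; the source
    # reconnects and gets three fresh tries, exactly the gap noted above.
    if not re.search(r"^login block-for \d+ attempts \d+ within \d+", text, re.M):
        findings.append((0, "no 'login block-for': failures never lock out a source"))
    return findings
```

Running `audit_config(WEAK_CONFIG)` lists seven findings against the weak config and nothing against the hardened one, which is the check to repeat after any config change.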

I gave up on this due to certain factors. I was, however, given permission and I still surprised the admins with the information I had dug up on the network. Also, we just got acquired by another company. So the network will be totally different, and I won't mess with the "new" company's equipment as they are in a different state, and I don't think they'll be too happy if I did so. Good information on this thread though. Also, from what I understand, this company that acquired us has a security IT department I may look into.


Out of curiosity, what is the size of the company?


Uhh.. dude they're running telnet on the damn thing. Just sniff the enable pass.

Out of curiosity, what is the size of the company?

Umm, up until we got acquired it was about 60, now over a couple thousand.

Uhh.. dude they're running telnet on the damn thing. Just sniff the enable pass.

The admins don't go on it enough to sniff the enable password or the secret password.

