chevalier3as

Cisco IOS 12.1

7 posts in this topic

I know hacking routers and switches isn't a traditional thing to do, but after running an nmap scan with OS fingerprinting on an internal network, I found out the IP addresses of some switches and routers with the telnet port open. I even know the address of the administrator, and I could perform ARP poisoning to get the password, but what I'm most interested in is to test a remote exploit for the first time. I've been reading on Metasploit and Nessus for quite a while, and BackTrack has some exploitation tools specially for Cisco.

Even after searching on security focus for known remote exploits that could grant me remote control, or hashed pass, I can't find anything.

So what I'm asking for is to know how to scan for vulnerabilities (is Nessus the man for that?), where to find out how to exploit them, and where to look for more info on the subject.

In case you are wondering whether what I'm doing is legal: I managed to get the agreement of the administrator.

Thanks for your answers.


I think the problem is that you're looking for an all-in-one vulnerability scanner -- "here's an IP address, tell me any possible exploits against it". Truth be told, there are some tools out there for that... but in general, you need to do a bit more homework. You need to do some testing to see what your target is running, then do some Internet searching to see what vulnerabilities may exist for that system. Based, then, on what you discover about vulnerabilities, you'll determine how exactly to determine if they are there.

It's really more about reading and putting pieces together than typing in an IP address and clicking "Go". :)

> It's really more about reading and putting pieces together than typing in an IP address and clicking "Go". :)

Unless they didn't change the default passwords. Then you open telnet and "Go"!

> It's really more about reading and putting pieces together than typing in an IP address and clicking "Go". :)
>
> Unless they didn't change the default passwords. Then you open telnet and "Go"!

Where can I find those default passwords?

> It's really more about reading and putting pieces together than typing in an IP address and clicking "Go". :)
>
> Unless they didn't change the default passwords. Then you open telnet and "Go"!
>
> Where can I find those default passwords?

Check Google for a default password list.

And remember the password "Cisco" is different from "cisco".

Also remember that Cisco devices can be set to log (un)successful login attempts to a syslog or RADIUS server.

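The logging mentioned in the reply above is exactly what an administrator should be watching: the guessing of default passwords against telnet shows up as a burst of `%SEC_LOGIN-4-LOGIN_FAILED` messages from one source. As an added example (not code from the thread), here is a small Python checker that runs over constructed IOS syslog lines and flags sources with repeated failures, a success right after failures, and use of cleartext telnet (local port 23); the sample lines and the threshold are assumptions.

```python
import re
from collections import defaultdict

# IOS %SEC_LOGIN messages as emitted with "login on-failure log" /
# "login on-success log". The pattern is an assumption modelled on that format.
LOGIN_RE = re.compile(
    r"%SEC_LOGIN-\d-(?P<kind>LOGIN_FAILED|LOGIN_SUCCESS):.*?"
    r"\[user: (?P<user>[^\]]*)\].*?\[Source: (?P<src>[^\]]+)\].*?"
    r"\[localport: (?P<port>\d+)\]"
)

# Constructed sample syslog export (not real data): one host tries "cisco",
# "admin" and "Cisco" on telnet and then gets in; an unrelated SSH login follows.
SAMPLE_LOG = """\
Jan  1 12:00:01 rtr1 123: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 192.0.2.10] [localport: 23] [Reason: Login Authentication Failed] at 12:00:01 UTC Mon Jan 1 2024
Jan  1 12:00:03 rtr1 124: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.10] [localport: 23] [Reason: Login Authentication Failed] at 12:00:03 UTC Mon Jan 1 2024
Jan  1 12:00:05 rtr1 125: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: Cisco] [Source: 192.0.2.10] [localport: 23] [Reason: Login Authentication Failed] at 12:00:05 UTC Mon Jan 1 2024
Jan  1 12:00:07 rtr1 126: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: cisco] [Source: 192.0.2.10] [localport: 23] at 12:00:07 UTC Mon Jan 1 2024
Jan  1 12:01:00 rtr1 127: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 198.51.100.7] [localport: 22] at 12:01:00 UTC Mon Jan 1 2024
"""


def parse_logins(text):
    """Yield (kind, user, src, port) for every %SEC_LOGIN line; skip the rest."""
    for line in text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            yield m["kind"], m["user"], m["src"], int(m["port"])


def find_password_guessing(text, threshold=3):
    """Return {src: finding} for sources that look like password guessing."""
    fails = defaultdict(list)  # src -> [(user, port), ...] in log order
    findings = {}
    for kind, user, src, port in parse_logins(text):
        if kind == "LOGIN_FAILED":
            fails[src].append((user, port))
        elif kind == "LOGIN_SUCCESS" and fails.get(src):
            # Success after failures from the same source: the guessing may
            # have worked, so this is the alert to act on first.
            findings.setdefault(src, {})["success_after_failures"] = (user, port)
    for src, attempts in fails.items():
        if len(attempts) >= threshold:
            f = findings.setdefault(src, {})
            f["failures"] = len(attempts)
            f["users_tried"] = sorted({u for u, _ in attempts})
            # Port 23 means the credentials also crossed the wire in cleartext.
            f["telnet"] = any(p == 23 for _, p in attempts)
    return findings


if __name__ == "__main__":
    for src, finding in find_password_guessing(SAMPLE_LOG).items():
        print(src, finding)
```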

Phenoelit has a huge list of default passes.

Also, you might wanna look into SNMP for default comms / custom comms (with wordlists) / eventually RW ones that will let you dump the config, then check the hashes (depending on the algo used... I'll let you check this aspect), understand the routes and filters, etc, etc.

Look at other services like NTP, etc.

You won't find anything in a public or commercial tool, except cisco/cisco.

cheers.
