Introduction to some Cisco security auditing tools

 

And Yet Another Weekend Post! (YAWP)

 

Cisco Auditing Tool

 

It is a PERL script, which scans Cisco routers for common vulnerabilities. To use it, again open the terminal on the left pane as shown in the previous section and type “CAT –h hostname or IP”.

 

You can add the port parameter “-p” as shown in the following screenshot, which in this case is 23 to brute-force it.

 

This tool is located in the Linux menu ( Kali > Vulnerability Assessment > Network Assessment > Cisco Tools ) is written in Perl and accomplishes three tasks which include attempting to brute force the telnet password on a Cisco device if telnet is running, attempting to show the iOS history on the Cisco device using a vulnerability which I believe is from the late 90’s, and attempting to brute force the SNMP community strings for the device.

 

The tool is fairly outdated as most Cisco devices in corporate networks (should) now be using SSH (But I have seen many of even big companies still have telnet port open) and it would seem surprising unless you are doing an internal audit if SNMP was exposed for any Cisco devices still in service.

 

That being said there is definitely still value if you have a ton of Cisco devices to audit you can feed a list of IP’s or hostnames into the script and check basic SNMP community strings and telnet passwords.

 

The cisco-auditing tools is run by executing ./CAT from the /pentest/cisco/cisco-auditing-tool directory. You could also run “perl CAT” from the same directory to use the tool.

 

 

 

  1. root@mike_lab:/pentest/cisco/cisco-auditing-tool# ./CAT

  2.  

  3. Cisco Auditing Tool - g0ne [null0]

  4. Usage:

  5.     -h hostname (for scanning single hosts)

  6.     -f hostfile (for scanning multiple hosts)

  7.     -p port #   (default port is 23)

  8.     -w wordlist (wordlist for community name guessing)

  9.     -a passlist (wordlist for password guessing)

  10.     -i [ioshist]    (Check for IOS History bug)

  11.     -l logfile  (file to log to, default screen)

  12.     -q quiet mode   (no screen output)

  13.  

  14. root@mike_lab:/pentest/cisco/cisco-auditing-tool#

 

In the examples output below we performed testing on a controlled Cisco device where we knew the telnet password as well as the SNMP community strings so we could demonstrate what a success for each looked like when auditing a Cisco device using the cisco-auditing-tool. It should also be noted that it is possible with this tool to locate more than one valid SNMP community string however the script will not distinguish between read/write SNMP community strings and read only SNMP community strings.

 

cisco-auditing-tool: Audit Cisco Telnet Password & SNMP Community String

 

 

  1. root@mike_lab:/pentest/cisco/cisco-auditing-tool# ./CAT -h 192.168.1.22 -a lists/passwords -w lists/community

  2.  

  3. Cisco Auditing Tool - g0ne [null0]

  4.  

  5. Checking Host: 192.168.1.22

  6.  

  7. Guessing passwords:

  8.  

  9. Invalid Password: list

  10. Invalid Password: cisco1

  11. Invalid Password: cisco

  12. Password Found: password

  13.  

  14. Guessing Community Names:

  15.  

  16. Invalid Community Name: list

  17. Community Name Found: public

  18. Community Name Found: private

  19.  

  20. ---------------------------------------------------

  21.  

  22. Audit Complete

  23.  

  24. root@mike_lab:/pentest/cisco/cisco-auditing-tool#

 

 

From the above example we can see that a Cisco privilege level 1 telnet account being successfully brute forced.

You will also have the ability to locate Cisco enable passwords as shown in the example below.

 

 

 

  1. root@mike_lab:/pentest/cisco/cisco-auditing-tool# ./CAT -h 192.168.1.22 -a lists/passwords -w lists/community

  2.  

  3. Cisco Auditing Tool - g0ne [null0]

  4.  

  5. Checking Host: 192.168.1.22

  6.  

  7. Guessing passwords:

  8.  

  9. Invalid Password: cisco1

  10. Invalid Password: cisco

  11. Enable Password Found: password

  12. Invalid Password: letmein

  13.  

  14. Guessing Community Names:

  15.  

  16. Invalid Community Name: cisco

  17. Community Name Found: public

  18. Community Name Found: private

  19. Invalid Community Name: snmp

  20.  

  21. ---------------------------------------------------

  22.  

  23. Audit Complete

  24.  

  25. root@mike_lab:/pentest/cisco/cisco-auditing-tool#

 

I didn’t use the -i switch in either example because the iOS command history bug is pretty dated so it wouldn’t have worked on the Cisco 861 Integrated Services Router that I was testing against. Other switches available include the -l switch for specifying an output logfile as well as the -q switch for suppressing output to the screen while running the command. It is also possible to specify a different telnet port using -p if you believe telnet to be running on something other than TCP port 23.

 

 

Now we will introduce you some other built in Cisco Vulnerability Assessment tools in Kali:

 

Cisco Torch

 

Kali has some tools that can be used to exploit Cisco router. One such tool is Cisco-torch which is used for mass scanning, fingerprinting, and exploitation.

 

Let’s open the Terminal console by clicking the left pane.

 

 

Then, type “cisco-torch –parameter IP of host” and if there is nothing found to exploit, then the following result will be shown.

 

 

 

To see what are the parameters that can be used, type “cisco-torch ?”

 

 

 

 

Cisco Global Exploiter

 

Cisco Global Exploiter (CGE) is an advanced, simple, and fast security testing tool.

With these tools, you can perform several types of attacks as shown in the following screenshot. However, be careful while testing in a live environment as some of them can crash the Cisco devise. For example, option 2  can stop the services.

 

 

 

To use this tool, type “cge.pl IPaddress number of vulnerability”

The following screenshot shows the result of the test performed on Cisco router for the vulnerability number 3 from the list above. The result shows the vulnerability was successfully exploited.

 

 

 

BED

 

BED is a program designed to check daemons for potential buffer overflows, format strings, et. al.

 

 

In this case, we will test the testing machine with IP 192.168.1.102 and the protocol HTTP.

The command will be “bed –s HTTP –t 192.168.1.102” and testing will continue.

 

 

 

 

TRADEMARK LEGAL NOTICE

All product names, logos, and brands are the property of their respective owners in Austria or other countries. All company, product and service names used in this website are for identification purposes only. Pheniix is not affiliated with or an official partner of Cisco, CompTIA,Dimension Data, VMware, Amazon, Microsoft, Certified Ethical Hacker, (ISC)², Juniper, Wireshark, Offensive Security,Google, GNS3, F5, Python, Linux, Java, OpenStack, Vagrant, Ansible, Docker, GIT, , Blockchain or other companies. Use of these names, logos, and brands does not imply endorsement. The opinions expressed in Pheniix are personal perspectives and not those of Cisco, Dimension Data or any other company. Pheniix runs as an independent blog.

 

Please reload

Follow us:

  • Google play
  • Twitter
  • Pheniix bootique

©2020 Pheniix All Rights Reserved – Privacy Policy- Terms of Service , TRADEMARK LEGAL NOTICE