And Yet Another Weekend Post! (YAWP)
Do you know how to create hidden users on the Cisco CLI?! If not, then this article is for you... Enjoy!
Let's assume you have got an elevated command prompt on a Cisco router, and you want to establish a permanent backdoor on the device while leaving as few markers as possible. You need to do this with code that already exists on the device, and the key point is to change the config as little as possible.
Cisco EEM is the answer.
Cisco EEM is like a programming language built into any modern Cisco IOS router or switch. It allows all sorts of automatic actions to take place, and it has a key feature which we'll exploit here: it can 'catch' a string a user enters and transparently replace it with another string, one which we'll craft to exclude our 'malicious' pivot code from the output.
1. Create a user with level 15 permission:
Hint: check again that the username contains the string "hidden", because those are the lines we are hiding from the configuration.
2. Install a couple of EEM functions:
Hide our user and history from any valid admins by proxying their valid commands through commands filtered to hide our information.
There you go! You just DID it!
I know, you tried to copy and paste the code, but it did not work. I put that in PNG format so that you have to write it manually for exercise purposes! 😈
Caveats of using this method are:
If the management tool uses SNMP to pull the full config, the new config will get overwritten and the users become visible! If the tool is like most tools and simply uses a service account to programmatically run "show run", your config will stay hidden.
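As an added defender-side example (not code from this post), here is the check that caveat implies: pull the config through a path the EEM hook cannot filter, diff it against what the CLI's "show run" returned, and flag any applet that registers a synchronous `event cli` hook on a show-config command. The hostname, usernames, applet name and config lines are constructed, and the regex is an assumption.

```python
import re

# Constructed sample: the same device config as pulled out of band (OOB)
# and as returned by "show run" over a CLI that an EEM applet is filtering.
OOB_CONFIG = """\
hostname lab-rtr1
username admin privilege 15 secret 5 <hash-placeholder>
username svc_hidden privilege 15 secret 5 <hash-placeholder>
event manager applet hidden_proxy
 event cli pattern "show run" sync yes
 action 1.0 cli command "enable"
"""
# The CLI view lacks every line containing "hidden", as the post describes.
CLI_CONFIG = "\n".join(l for l in OOB_CONFIG.splitlines() if "hidden" not in l) + "\n"

# Synchronous EEM hooks on show-config commands are the mechanism to flag.
SHOW_CONFIG_RE = re.compile(r"show\s+(run|start|conf)", re.IGNORECASE)


def parse_applets(config: str) -> dict:
    """Return {applet_name: [body lines]} for every EEM applet in config."""
    applets, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^event manager applet (\S+)", line)
        if m:
            current = m.group(1)
            applets[current] = []
        elif current is not None and line.startswith(" "):
            applets[current].append(line.strip())
        else:
            current = None  # any non-indented line ends the applet body
    return applets


def cli_hook_applets(config: str) -> list:
    """Names of applets whose 'event cli pattern' intercepts a show-config command."""
    return [
        name
        for name, body in parse_applets(config).items()
        if any(l.startswith("event cli") and SHOW_CONFIG_RE.search(l) for l in body)
    ]


def hidden_lines(cli_view: str, oob_view: str) -> list:
    """Config lines present in the OOB capture but missing from the CLI view."""
    seen = {l.rstrip() for l in cli_view.splitlines()}
    return [l.rstrip() for l in oob_view.splitlines() if l.strip() and l.rstrip() not in seen]


if __name__ == "__main__":
    print("applets hooking show-config:", cli_hook_applets(OOB_CONFIG))
    print("lines hidden from the CLI view:", hidden_lines(CLI_CONFIG, OOB_CONFIG))
```

Note that the filtered CLI view still contains the applet's indented body lines but no longer has the header that ties them to an applet, which is itself a useful indicator.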
If you want to know more about EEM, then continue reading:
Event detectors and actions
EEM uses event detectors to recognise events and actions to respond to them and provide notifications of those events.
IOS Embedded Event Manager supports more than 20 event detectors that are tightly integrated with different Cisco IOS Software components to trigger actions in response to network events. Some examples are:
EEM Actions could be:
TRADEMARK LEGAL NOTICE
All product names, logos, and brands are the property of their respective owners in Austria or other countries. All company, product and service names used in this website are for identification purposes only. Pheniix is not affiliated with or an official partner of Cisco, CompTIA, Dimension Data, VMware, Amazon, Microsoft, Certified Ethical Hacker, (ISC)², Juniper, Wireshark, Offensive Security, Google, GNS3, F5, Python, Linux, Java, OpenStack, Vagrant, Ansible, Docker, GIT, Blockchain or other companies. Use of these names, logos, and brands does not imply endorsement. The opinions expressed in Pheniix are personal perspectives and not those of Cisco, Dimension Data or any other company. Pheniix runs as an independent blog.