top of page

Configure a hidden User on Cisco IOS (Router/Switch)

And Yet Another Weekend Post! (YAWP)

Do you know how to create hidden users for Cisco CLI ?! If not, then this article is for you... Enjoy!

Let's assume you have got an elevated command prompt on a Cisco router, and you want to establish a permanent backdoor on the device while leaving as few markers as possible. You need to do this with existing code, and the keypoint is to change the config as little as possible.

Cisco EEM is the answer.

Cisco EEM is like a programming language built into any modern Cisco IOS router or switch. It allows for all sorts of automatic actions to take place, and it has a key feature which we’ll exploit here — it can ‘catch’ a string a user enters and transparently replace it with another string — one which we’ll instruct to exclude our ‘malicious’ pivot code.

1.Create a user with level 15 permission:

Hint: Check if the username contains the string “hidden” again, because those are the lines we are hiding from the configuration.

2. Install a couple of EEM functions:

Hide our user and history from any valid admins by proxying valid commands with commands filtered to hide our information.

EEM Code:

There you go! You just DID it!

I know, you tried to copy and paste the code, but it did not work. I put that in PNG format so that you have to write it manually for exercise purposes! 😈

Caveats of using this method are:

  • You can NOT trick Syslog-servers! No ability to hide the execution of commands in real-time, so they will be logged to an external server if device set up to do so.

  • If the tool uses SNMP to pull a full config, the new config will get overwritten and users become visible! If the tool is like most tools, and simply uses a service account to programmatically run “show run”, your config will stay hidden.

  • The local log of the device will have many hidden lines in its buffer, so it will look short to someone looking closely.

  • If the local log uses line numbers, as recommended by Cisco security best practice (but which is not the default config!), it’ll be evident to someone looking closely that lines are missing.

  • All EEM scripts are hidden using this method. If administrators utilize EEM for their administration activities, they may become suspicious that their EEM scripts have disappeared.

If you want to know more about EEM, then continue reading:

Event detectors and actions

EEM uses event detectors and actions to provide notifications of those events.

IOS Embedded Event Manager supports more than 20 event detectors that are highly integrated with different Cisco IOS Software components to trigger actions in response to network events. Some examples are:

  • SNMP – Monitoring SNMP objects, events and notifications (SNMP traps) of the device.

  • Syslog – Responds to various syslog messages, allowing for matching on regular expressions of the content of the message.

  • Counter(s) – Monitoring and responding to interface counters when cross threshold settings.

  • CLI – Screening CLI input for a regular expression match or when a special parser character is entered, like Tab or “?” (question mark).

  • Timers – Countdown, watchdog and CRON.

  • IP SLA and NetFlows events.

  • OIR (online insertion and removal) – When a card is removed od inserted.

  • Resource – When the Embedded Resource Manager (ERM) reports an event.

  • Enhanced Object Tracking Event Detector (EOT) – When the status of a tracked object changes.

  • Another EEM policy – Another EEM policy may publishes an event.

  • None – This event detector is to test the EEM script/applet using “event manager run” command.

  • Routing – When a route entry changes in the Routing Information Base (RIB).

  • RPC – Provides the ability to invoke EEM policies from outside the router over an encrypted connection using SSH. The RPC event detector uses Simple Object Access Protocol (SOAP) data encoding for exchanging XML-based messages. This event detector can be used to run EEM policies and then receive output in a SOAP XML-formatted reply.

EEM Actions could be:

  • Executing a Cisco IOS command-line interface (CLI) command.

  • Generating a CNS event for upstream processing by Cisco CNS devices.

  • Setting or modifying a named counter.

  • Reloading the Cisco IOS software.

  • Generating an SNMP trap.

  • Generating prioritized syslog messages.

  • Reading the state of a tracked object.

  • Setting the state of a tracked object.

  • Switching to a secondary processor in redundant hardware configuration.

  • Requesting system information when an event occurs.

  • Sending a short e-mail message.

  • Manually running an EEM policy

  • Publishing an application-specific event.


All product names, logos, and brands are the property of their respective owners in Austria or other countries. All company, product and service names used in this website are for identification purposes only. Pheniix is not affiliated with or an official partner of Cisco, CompTIA,Dimension Data, VMware, Amazon, Microsoft, Certified Ethical Hacker, (ISC)², Juniper, Wireshark, Offensive Security,Google, GNS3, F5, Python, Linux, Java, OpenStack, Vagrant, Ansible, Docker, GIT, Blockchain or other companies. Use of these names, logos, and brands does not imply endorsement. The opinions expressed in Pheniix are personal perspectives and not those of Cisco, Dimension Data or any other company. Pheniix runs as an independent blog.

bottom of page