The open-source Metasploit Framework and the commercial Metasploit products both provide security evaluation functions for network devices. This article describes how to use the latest version to perform penetration testing of Cisco IOS. With the open-source framework, the necessary modules and support libraries have to be added separately; the commercial products already include these modules, so penetration testing can start more quickly. The following screenshot shows a successful penetration test result.
Figure 1. Successful penetration test results
First, I want to make clear that correctly configured Cisco devices are difficult to compromise. Like any other software, Cisco IOS has vulnerabilities, but only a few people have ever succeeded in turning a memory corruption vulnerability into code execution. Real-world attacks on IOS are therefore usually concentrated in two areas: misconfiguration and weak passwords.
A vulnerability scanner can determine that an IOS image is outdated by comparing version strings, and once the version is known it can determine whether the device has the latest patches installed. However, if you do not know much about IOS, this information may not help much. In practice, a production device exposes only a few services: SNMP, Telnet, SSH and HTTP, and occasionally other services such as Finger and the media protocols SIP and H.323. Anyone familiar with remote access knows the first four protocols, but when configuring a router to allow them, low-level mistakes are common. The most frequent one is unintentionally widening the set of sources that are allowed to connect.
Older versions of the Cisco IOS HTTP service have several well-known security vulnerabilities. As penetration testers, we care most about two of them, both of which bypass authentication. The first, CVE-2000-0945, is a missing authentication check in the IOS device manager interface that allows unauthenticated, direct access to all IOS functions through the web interface. The second, CVE-2001-0537, allows an attacker to bypass the authentication process by specifying an authentication level greater than 15 in an HTTP request, gaining privileged access to the device directly through the web interface. The open-source Metasploit Framework now provides two modules that exploit these vulnerabilities:
auxiliary/scanner/http/cisco_device_manager
auxiliary/scanner/http/cisco_ios_auth_bypass
Metasploit Express and Metasploit Pro automatically identify Cisco IOS HTTP services during the discovery scan, check for these two defects, and use them to retrieve the device configuration. Beyond these two known vulnerabilities, device passwords can also be obtained by brute-forcing the HTTP service, which is more susceptible to brute force than terminal services such as Telnet and SSH. After a successful brute-force attack on the HTTP service, Metasploit Express and Metasploit Pro go on to retrieve the running configuration of the device.
The next service I want to discuss is SNMP. Strangely enough, SNMP is often found even on otherwise well-secured routers. As a standard remote management protocol it is supported everywhere, so practically all switches, routers and other network devices with monitoring and management functions speak SNMP; the most common use is monitoring the running status of the device.
However, many network administrators do not realize that the information exposed by SNMP is not only very detailed, but, if the SNMP community is writable, can also be used to gain full control of the device. On Cisco IOS, a writable SNMP community can be used to download the running configuration, or even to modify it. Routers with Telnet disabled and complex console passwords can be hijacked easily by writing to the SNMP community. The Metasploit Framework provides an SNMP brute-force tool as an auxiliary module; it uses a common password wordlist to identify valid communities and determines whether each one is read-only or writable. In addition to the basic brute-force module, Metasploit now contains a very powerful module (submitted by pello, a community contributor) that uses a writable SNMP community to download the running configuration of the device.
Metasploit Express and Metasploit Pro use these two modules to capture the configuration files of vulnerable devices automatically. During the scan, the SNMP brute-force tool runs in the background; if it finds a writable SNMP community, the products configure a local TFTP service to receive the running configuration file. SNMP is now integrated with the smart brute-force component, which, besides dynamically generated passwords, uses a tuned community list that comes from an interesting research project: the researchers collected SNMP community strings that network administrators had accidentally leaked on the Internet and analysed which ones were used most often. The results were surprising. I would never have guessed that the most common SNMP community strings are "public@es0" and "private@es0", which are the strings used in the examples in Cisco's documentation.
The last two protocols I want to discuss are Telnet and SSH. What they have in common is that both provide remote access to the command shell of the target device, and neither requires a non-privileged user account. From the penetration testing perspective, the most significant difference between them is that SSH requires both the user name and the password of the remote device, whereas Telnet requires only the authentication password. The Metasploit Framework also contains brute-force modules for these protocols; after a successful brute-force attack, an interactive session is created automatically.
Both Metasploit Express and Metasploit Pro support attacks on network devices over Telnet and SSH. The latest version uses the revised password list from the password analysis research project, which puts some rarely used passwords at the front of the wordlist; in the real world this is often a good practice. Based on our previous penetration testing experience, many ISPs use static passwords on their devices, and these passwords are included in the brute-force password list.
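The brute-force attacks on HTTP, Telnet and SSH described above are noisy on the device side, which is what a defender should build on. The following script is an added example written for this article, not code from the article or from Metasploit: it reads syslog lines in the shape of the IOS %SEC_LOGIN-4-LOGIN_FAILED message (produced when "login on-failure log" is configured; the exact field layout is assumed here and the sample lines, hostnames, addresses and timestamps are constructed) and raises an alert for any source address that produces a burst of failures against one management port. It covers vty logins (Telnet and SSH); HTTP login failures are logged differently and are not handled.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample syslog lines in the shape of IOS %SEC_LOGIN messages
# (emitted when "login on-failure log" / "login on-success log" are set).
# Hostnames, addresses and times are made up for this example.
SAMPLE_LOG = """\
Jan 10 12:00:01 rtr1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.5] [localport: 23] [Reason: Login Authentication Failed]
Jan 10 12:00:03 rtr1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 10.0.0.5] [localport: 23] [Reason: Login Authentication Failed]
Jan 10 12:00:05 rtr1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.5] [localport: 23] [Reason: Login Authentication Failed]
Jan 10 12:00:08 rtr1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 10.0.0.5] [localport: 23] [Reason: Login Authentication Failed]
Jan 10 12:00:10 rtr1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.5] [localport: 23] [Reason: Login Authentication Failed]
Jan 10 12:00:12 rtr1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 10.0.0.5] [localport: 23] [Reason: Login Authentication Failed]
Jan 10 12:00:20 rtr1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ops] [Source: 10.0.0.9] [localport: 22]
Jan 10 12:05:00 rtr1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ops] [Source: 10.0.0.9] [localport: 22] [Reason: Login Authentication Failed]
Jan 10 12:09:00 rtr1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ops] [Source: 10.0.0.9] [localport: 22] [Reason: Login Authentication Failed]
"""

FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"%SEC_LOGIN-4-LOGIN_FAILED: Login failed \[user: (?P<user>[^\]]*)\] "
    r"\[Source: (?P<src>[^\]]+)\] \[localport: (?P<port>\d+)\]"
)


def parse_failures(log_text):
    """Yield one dict per LOGIN_FAILED line; successes and other messages are skipped."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        # Syslog timestamps carry no year; only the relative spacing matters here.
        ev["ts"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")
        yield ev


def detect_bruteforce(log_text, threshold=5, window_s=60):
    """Return {(host, src, port): {"failures": n, "users": [...]}} for every source
    that produced at least `threshold` failures inside any sliding window of
    `window_s` seconds against one management port."""
    times = defaultdict(list)
    users = defaultdict(set)
    for ev in parse_failures(log_text):
        key = (ev["host"], ev["src"], ev["port"])
        times[key].append(ev["ts"])
        users[key].add(ev["user"])
    alerts = {}
    for key, stamps in times.items():
        stamps.sort()
        start, peak = 0, 0
        for end, t in enumerate(stamps):
            # Slide the window start forward until it is within window_s of t.
            while (t - stamps[start]).total_seconds() > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[key] = {"failures": peak, "users": sorted(users[key])}
    return alerts


if __name__ == "__main__":
    for (host, src, port), info in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{host}: {info['failures']} failed logins from {src} on port {port} "
              f"within 60s, usernames tried: {', '.join(info['users'])}")
```

Run on the sample, it reports the six failures from 10.0.0.5 against port 23 and ignores the two widely spaced failures from 10.0.0.9. On the device itself, the same pattern can be throttled with the IOS "login block-for" command, which locks the vty lines for a period after a given number of failures within a window; the detection above is what tells you the throttle is being hit.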
Once a session has been established on a Cisco IOS device through Telnet or SSH, the evidence collection function in the commercial products automatically obtains the version information and the list of active users, and attempts a brute-force attack for privileged access; if it gains that access, it also automatically dumps other information about the system, including the running configuration.
So far, none of this is new. What is new is that the latest version links these operations together to complete all the penetration testing tasks in one go. I have not yet mentioned what to do next after obtaining a Cisco IOS configuration file. We already know that these files contain the running configuration of the device, which means they include vty passwords, enable passwords, VPN keys, SSL certificates and Wi-Fi credentials. Metasploit automatically parses these configuration files, finds the sensitive data and saves it as base data for the next step, or stores the captured credentials. The following screenshot shows the output of a brute-force attack on the Telnet vty password, followed by the enable password, followed by the dumping and parsing of the configuration.
Figure 2. Brute-force results
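The configuration parsing described above, and the writable SNMP community discussed earlier, both come down to settings a defender can audit before anyone else does. The script below is an added example for this article, not code from the article or from Metasploit. It parses an IOS running-config and flags the conditions the article names: reversible enable and username passwords, the HTTP server being enabled, default or writable SNMP communities without an access-list, and vty lines with a shared line password, no access-class or Telnet enabled. The sample configuration is constructed (hostname, passwords and addresses are made up); the IOS commands referenced in the findings are real, but nothing is decoded, only flagged.

```python
import re

# Constructed sample running-config (no real device). It deliberately contains the
# weak settings the article describes, next to one correctly restricted community.
SAMPLE_CONFIG = """\
version 15.2
service timestamps log datetime msec
hostname rtr1
!
enable password 7 0822455D0A16
!
username admin password 0 ciscorules
!
ip http server
!
snmp-server community public RO
snmp-server community private RW
snmp-server community m0nit0r RO 10
!
access-list 10 permit 10.1.1.0 0.0.0.255
!
line vty 0 4
 password cisco
 login
 transport input telnet ssh
!
end
"""

# Community strings that come from defaults or vendor documentation examples.
WELL_KNOWN_COMMUNITIES = {"public", "private", "public@es0", "private@es0"}


def parse_sections(config_text):
    """Split an IOS config into (command, [sub-commands]) pairs. IOS indents the
    sub-commands of a mode such as 'line vty 0 4' with a single leading space."""
    sections = []
    for raw in config_text.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw.startswith(" ") and sections:
            sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def audit_config(config_text):
    """Return (severity, message) findings; the auditor flags presence only."""
    findings = []
    sections = parse_sections(config_text)
    top_level = {cmd for cmd, _ in sections}
    if "service password-encryption" not in top_level:
        findings.append(("medium", "service password-encryption is off; line and "
                         "username passwords are stored in clear text"))
    for cmd, children in sections:
        if cmd.startswith("enable password"):
            findings.append(("high", "enable password is set (type 0/7, reversible); "
                             "use 'enable secret' instead"))
        m = re.match(r"username (\S+) password(?: [07])? \S+$", cmd)
        if m:
            findings.append(("high", f"user '{m.group(1)}' has a type 0/7 password; "
                             f"use 'username {m.group(1)} secret ...'"))
        if cmd == "ip http server":
            findings.append(("high", "ip http server is enabled; disable it, or use "
                             "'ip http secure-server' with 'ip http access-class' "
                             "and 'ip http authentication local'"))
        m = re.match(r"snmp-server community (\S+)(?: (RO|RW))?(?: (\S+))?$", cmd)
        if m:
            community, mode, acl = m.group(1), m.group(2) or "RO", m.group(3)
            if community.lower() in WELL_KNOWN_COMMUNITIES:
                findings.append(("high", f"SNMP community '{community}' is a default "
                                 "or documentation example string"))
            if mode == "RW":
                findings.append(("critical", f"SNMP community '{community}' is "
                                 "writable; a writable community lets the running "
                                 "config be downloaded or changed"))
            if acl is None:
                findings.append(("medium", f"SNMP community '{community}' has no "
                                 "access-list limiting source addresses"))
        if cmd.startswith("line vty"):
            if "login" in children and any(c.startswith("password") for c in children):
                findings.append(("high", f"{cmd}: shared line password with plain "
                                 "'login'; use 'login local' or AAA"))
            if not any(c.startswith("access-class") for c in children):
                findings.append(("medium", f"{cmd}: no access-class restricting "
                                 "management sources"))
            for c in children:
                words = c.split()
                if c.startswith("transport input") and ("telnet" in words or "all" in words):
                    findings.append(("high", f"{cmd}: '{c}' permits Telnet; use "
                                     "'transport input ssh'"))
    return findings


def count_by_severity(findings):
    """Summary counts keyed by severity."""
    counts = {}
    for sev, _ in findings:
        counts[sev] = counts.get(sev, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit_config(SAMPLE_CONFIG)
    for sev, msg in results:
        print(f"[{sev:8}] {msg}")
    print(count_by_severity(results))
```

The writable "private" community is the only critical finding, which matches the article's point that a writable community alone is enough to take the device; the read-only "m0nit0r" community restricted by access-list 10 produces no finding. Running this against configuration backups on a schedule catches the misconfigurations the article says real-world attacks rely on, before a scan from the outside does.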
Metasploit Express and Metasploit Pro automatically collect credentials from these configuration files in order to gain further access to other devices on the network. If you compromise a Cisco device through its SNMP community and find that the vty password is "ciscorules", the brute-force component can automatically try this password over multiple network protocols against other network devices; once it succeeds, you obtain that device's configuration file and start again. Perhaps the router's vty password is also the login password for an internal website, or the obtained password can be used to launch a conventional attack. Our goal is to make sure our users can identify and take advantage of the weaknesses of a given network.
Source: http://www.net-security.org/article.php?id=1548
Original title: Cisco IOS penetration testing with Metasploit
Author: HD Moore