#################################################

Lecture Log
May 04th 2002
By Vegas

#################################################
 
<Vegas> ___Lecture : Cisco IOS security___
<Vegas>  
<Vegas> Cisco solutions are today deployed in many companies.
<Vegas> Security is the principal point of this companies.
<Vegas> Thats why Cisco systems is so deploy coz it offer a nice security level.
<Vegas> We can consider IOS (Internetworking Operating System) as the OS of Cisco routers.
<Vegas> We can't find much vulnerabilities on that OS.
<Vegas> Securityfocus for example survey about 5 or 6 vulnerabilities only.
<Vegas> Thats poor considering all the IOS cisco has made.
<Vegas> There's meanwhile a hot topic Cisco doesn't want to talk, the password encryption on IOS systems.
<Vegas> Before talking about this security hole, i will first explain some way you can use to find and steal the configuration file where the encrypted (or not) password is.
<Vegas> I will start with SNMP and some other vulnerabilities, then i will explain the different ways you have to decrypt the acquired passwords.
<Vegas> btw you can see if a router is a Cisco router by portscanning it and see if the port 1999 tcp and udp are open and are responding with a special Cisco RST packet.
<Vegas>  
<Vegas> I - SNMP
<Vegas>
<Vegas> Adopted in 1988 (RFC 1067) and modified in 1989 (RFC 1098) and in 1990 (RFC 1057), SNMPv1 is the most impanted version of SNMP.
<Vegas> The Simple Network Management Protocol (SNMP) is another method that can be used to access network devices.
<Vegas> SNMP can be used to gather statistics or configure the router.
<Vegas> The network manager may gather statistics with SNMP get-request and get-next-request messages and change router configurations with set-request messages.
<Vegas> Each of these SNMP messages has a community string that is a clear text password sent in every packet between a management station and the router (which contains an SNMP agent).
<Vegas> The SNMP community string is used to authenticate messages sent between the manager and agent.
<Vegas> The agent will respond only when the manager sends a message with the correct community string.
<Vegas> SNMP community strings are sent on the network in clear ASCII text.
<Vegas> Anyone who has the ability to capture a packet on the network can discover the community string.
<Vegas> This may allow unauthorized users to query or modify routers via SNMP.
<Vegas> This may also allow an attacker to catch the configuration file and obtain an encryted password.
<Vegas> You can refer to "Hijacking a session with dsniff and Hunt" on http://www.advknowledge.net to have some more precisions on how to sniff a connection and capture packets sent.
<Vegas> Now here is a known exploit for the SNMP service.
<Vegas> This exploit isn't only used to hack a Cisco IOS but can also be used for many hosts running that service (installed by default on most windows and unix systems.)
<Vegas> The exploit is using the community string i were talking about.
<Vegas> Some infos first, SNMP is using the UDP protocol (ports 161 and 162).
<Vegas> The PDU (Protocol Data Unit) getRequest is used to reclaim a data registerted in a table on the server, a MIB (Management Information Base).
<Vegas> An OID (Object IDentifier) is assigned to all MIB objects and will look like that : 1.3.6.1.2.1.1.1
<Vegas> By running getRequest 1.3.6.1.2.1.1.1, you will have informations on the network disposition and a system description.
<Vegas> getNextRequest reclaims the data next to the obtain data.
<Vegas> setRequest permiss a client to define a variable on the MIB.
<Vegas> This fonction is very powerfull and need a community string with a write access on the authentification.
<Vegas> I know thats long but you have to know that to understand the exploit
<Vegas> :)
<Vegas> The authentification contain two elements : a version number and a community string including an IP.
<Vegas> The community string define two access levels : a read only access and a read/write access.
<Vegas> With the first level, get commands can be executed and with the second level, setRequest is auauthorized.
<Vegas> Name of this strings can be easiely guess with a special brute force attack.
<Vegas> Here is a SNMP brute forcer, Solarwinds : http://www.solarwinds.net/_Tools/Security/SNMP%20Brute%20Force/index.htm
<Vegas> Most used community strings are private and public
<Vegas> Errors won't be register in any log files so you can do and try what you want to find strings
<Vegas> Names of strings can also be found by a sniffing attack.
<Vegas> With a valid IP, you can also send setRequest PDU and change the configuration file.
<Vegas> Now, how does it work ?
<Vegas> You can choose the SNMP client you want, i personally use SNMPUTIL which can be found in the NT4 and W2k ressource kits.
<Vegas>  
<Vegas> snmputil walk hostname community OID
<Vegas>  
<Vegas> Now here is an example of a request made to an NT4 SP5 :
<Vegas>  
<Vegas> snmputil walk target public 1.3.6.1.4.1.77.1.2.25
<Vegas>  
<Vegas> Variable = .iso.org.dod.internet.private.entreprises.lanmanager.lanmgr-2.server.svUserTable.svUserEntry.svUserName.5.71.117.101.115.116
<Vegas> Value    = OCTET STRING - Guest
<Vegas>  
<Vegas> Variable = .iso.org.dod.internet.private.entreprises.lanmanager.lanmgr-2.server.svUserTable.svUserEntry.svUserName.13.65.100.109.105.110.105.115.116.114.97.116.111.114
<Vegas> Value    = OCTET STRING - Administrator
<Vegas>  
<Vegas> End of MIB subtree.
<Vegas>  
<Vegas> As you can see, we now have the list of username accounts on the server.
<Vegas> The command has been made just after an install but we would have all users' names if there were any other.
<Vegas> As you can see, i've put "public" as the community string which is usually the default string for any system.
<Vegas> Now that you see how it work, how will you do on a cisco router ?
<Vegas>  
<Vegas> I will here use Snmpset (this example has been took from a Phrack article about SNMP security) : 
<Vegas>  
<Vegas> Snmpset -v 1 -e 10.0.10.12 router.pitfiful.com cisco00 system.sysName.0 s "owned"
<Vegas>  
<Vegas> Snmpset is here use to change the hostname of a Cisco router.
<Vegas> Here are some free SNMP tools you can use :
<Vegas>  
<Vegas> snmpscan : the program sweeps host and routers using SNMPD (the SNMP Daemon) to search for common community strings.
<Vegas> http://www.linux.org/apps/AppId_886.html
<Vegas>  
<Vegas> SNMP Sniff : The program decode all SNMP v1 and v2 packets that are circulating on a network. Thats a perl program.
<Vegas> http://linas.org/linux/NMS.html
<Vegas>  
<Vegas> Scns.c : Sniff for community names.
<Vegas> http://www.s0ftpj.org/en/site.html
<Vegas>  
<Vegas> Ucd-SNMP : Advanced Snmp toolkit.
<Vegas> http://net-snmp.sourceforge.net/
<Vegas>  
<Vegas> Scotty : Network tools including a SNMP client.
<Vegas> http://www.home.cs.utwente.nl/~schoenw/scotty/
<Vegas>  
<Vegas> Now if you want to know what version of the IOS is running on a Cisco router try Ucd-SNMP and more especially Snmpwalk
<Vegas>  
<Vegas> [root@hackerbox /etc]# snmpwalk target public system
<Vegas> system.sysDescr.0 = Cisco Internetwork Operating System Software
<Vegas> IOS <tm> C2900XL Software <C2900XL-HS-M>, Version 11.2<8>SA5, 
<Vegas> RELEASE SOFTWARE <fc1>
<Vegas> ...
<Vegas>  
<Vegas> The "..." is for some more infos like the name of the administartor and the address and some other stuff.
<Vegas> This will allow you to try a social engeneering method to have some passwords perhaps.
<Vegas> The version of the software (Server C2900XL with the version 11.2(8) of the IOS) will help you to find exploits for the target.
<Vegas> Also try WS PING Pro Pack for Windows (http://www.ipswitch.com)
<Vegas> The SNMP tool is very usefull coz it show you the MIB architecture in graphic mode and will tell you what version of cisco is running on a router.
<Vegas> SNMP is a big chunk and i think i've already said too much about it even if you don't have all the skills you need to start this type of attacks.
<Vegas> If you want to know more about SNMP, have a look at the RFC 1574 and 1212. Also look at http://www?inforamp.net/~kjvallil/t/snmp.html
<Vegas> and http://www.snmpframeworks.com/Download/index.html.
<Vegas>  
<Vegas> II - Some other vulnerabilities on Cisco IOS
<Vegas>  
<Vegas> * Cisco IOS HTTP %% Vulnerability
<Vegas> A denial of service attack exists in versions of Cisco IOS, running on a variety of different router hardware.
<Vegas> If the router is configured to have a web server running, for configuration and other information, via:
<Vegas>  
<Vegas> ip http server
<Vegas>  
<Vegas> in the configuration, by requesting:
<Vegas>  
<Vegas> http://<router-ip>/%%
<Vegas>  
<Vegas> a user can cause the router to crash.
<Vegas> Some routers will automatically reboot, while others will require a power cycling to start routing packets again.
<Vegas> Most Cisco IOS are vulnerable to this exploit (From Cisco IOS 11.1 to 12.0.7).
<Vegas>  
<Vegas> * Cisco IOS HTTP Configuration Arbitrary Administrative Access Vulnerability
<Vegas> When HTTP server is enabled and local authorization is used, it is possible, under some circumstances, to bypass the authentication and execute any command on the device.
<Vegas> It that case, the user will be able to exercise complete control over the device.
<Vegas> All commands will be executed with the highest privilege (level 15). 
<Vegas> Use this URL : 
<Vegas>  
<Vegas> http://CiscoIP/level/XX/exec/...
<Vegas>  
<Vegas> where "XX" is an number between 16 and 99 and "..." is the program you want to execute.
<Vegas> It is possible for a remote user to gain full administrative access.
<Vegas> This problem makes it possible for a remote user to gain full administrative privileges,
<Vegas> which may lead to further compromise of the network or result in a denial of service.
<Vegas> Most Cisco IOS are vulnerable to this exploit (From Cisco IOS 11.3 to 12.2)
<Vegas> Here are the addresses where you will find an exploit :
<Vegas>  
<Vegas> - http://online.securityfocus.com/data/vulnerabilities/exploits/cishttpex.pl
<Vegas> - http://online.securityfocus.com/data/vulnerabilities/exploits/ios-http-auth.sh
<Vegas> - http://online.securityfocus.com/data/vulnerabilities/exploits/cisco-http.c
<Vegas> - http://online.securityfocus.com/data/vulnerabilities/exploits/IOScan.pl
<Vegas> - http://online.securityfocus.com/data/vulnerabilities/exploits/ios.pl
<Vegas>  
<Vegas> * Cisco NRP2 Unauthorized Telnet Access Vulnerability
<Vegas> The Cisco Node Route Processor 2 card is a module designed to enhance the services of the Cisco 6400 series broadband aggregators.
<Vegas> It is distributed by Cisco Systems (of course) :)
<Vegas> A problem in the Node Route Processor 2 (NRP2) makes it possible for remote users to gain unauthorized access to vtys.
<Vegas> The default configuration of the NRP2 allows access to the vtys of the module when no password has been set.
<Vegas> By default configuration, the NRP2 should allow no access until a password has been set.
<Vegas> This makes it possible for a remote user to gain access to systems behind the NRP2 module, potentially accessing secure systems.
<Vegas>  
<Vegas> III - Cisco IOS password cracking
<Vegas>  
<Vegas> A weakness in the encryption protocol allows a hacker to crack IOS passwords using type 7 Cisco encrytion.
<Vegas> This password can be found in the configuration file of any Cisco IOS.
<Vegas> Here is an extract of the configuration file from a Cisco 3640 router with the version 12.1 of IOS :
<Vegas>  
<Vegas> Current configuration : 656 bytes
<Vegas> !
<Vegas> version 12.1
<Vegas> service timestamps debug uptime
<Vegas> service timestamps log uptime
<Vegas> no service password-encryption
<Vegas> !
<Vegas> hostname Router
<Vegas> !
<Vegas> enable secret 5 $1$2ZTf$9UBtjkoYo6vW9FwXpnbuA.
<Vegas> !
<Vegas> username admin privilege 15 password 0 cisco
<Vegas> !
<Vegas> ip subnet-zero
<Vegas> !
<Vegas> ip audit notify log
<Vegas> ip audit po max-events 100
<Vegas> !
<Vegas> interface Serial0/0
<Vegas>  ip address X.X.X.X.X.X.X.X
<Vegas> !
<Vegas> interface Serial0/0
<Vegas>  no ip address
<Vegas>  shutdown
<Vegas> !
<Vegas> interface Serial0/1
<Vegas>  no ip address
<Vegas>  shutdown
<Vegas> !
<Vegas> ip classless
<Vegas> ip route 0.0.0.0.0.0.0.0. X.X.X.X
<Vegas> no ip http server
<Vegas>  
<Vegas> First, what are the 3 types of passwords we can find on a Cisco IOS :
<Vegas>  
<Vegas> * Type 0 passwords
<Vegas> An IOS command allows to encrypt all passwords in the configuration file.
<Vegas> If this command isn't done, all passwords (exept when you see "enable secret") are in plaintext :
<Vegas>  
<Vegas> username admin privilege 15 password 0 cisco
<Vegas>  
<Vegas> Here, we can see that the user is named "admin" and his password is "cisco".
<Vegas>  
<Vegas> * Type 7 passwords
<Vegas> This mode is set when you use the encrypt command "service password-encryption".
<Vegas> With this command, all type 0 passwords transform to type 7 password and will look like that :
<Vegas>  
<Vegas> username admin privilege 15 password 7 0822455D0A16
<Vegas>  
<Vegas> * Type 5 passwords
<Vegas> The third type of password is encrypt with a MD5 algorithm.
<Vegas> This will encrypt "enable secret" passwords :
<Vegas>  
<Vegas> enable secret 5 $1$2ZTf$9UBtjkoYo6vW9FwXpnbuA.
<Vegas>  
<Vegas> Type 5 passwords encryption are more strong and need a brute force attack to decrypt it.
<Vegas> I won't explain how to decrypt manually the type 7 password, my lecture is enough long but i will, perhaps, in a tutorial.
<Vegas> I will just say that Cisco IOS use a XOR fonction to encrypt the password (xorstring)
<Vegas> Now what are the tools to decrypt it automatically ?
<Vegas> Here are two programs that can crack the password but there are many others
<Vegas>  
<Vegas> * The first program is ios7decrypt.pl (for Unix people)
<Vegas> -> http://www.alcrypto.co.uk/cisco/perl/ios7decrypt.pl
<Vegas> Thats a simple program, just past the line you want :
<Vegas>  
<Vegas> username admin privilege 15 password 7 0822455D0A16
<Vegas>  
<Vegas> and here is the result :
<Vegas>  
<Vegas> username admin privilege 15 password 7 cisco
<Vegas>  
<Vegas> * The second program is GetPass! v1.1 (for bill's children)
<Vegas> -> http://www.boston.com/download/eula.htm
<Vegas> Very easy to use, just paste the encrypted password (0822455D0A16) in the dilog box, press GetOut and you've got it !
<Vegas>  
<Vegas> The decrypted password is : cisco
<Vegas>  
<Vegas> As you can see, the harder work will be to steal the configuration file before cracking the passwords.
<Vegas> I hope this lecture will help you 1 day.
<Vegas> Even if i knew you were not hacking Cisco routers everyday, I've lectured about that topic to forge some hackers mind on what hacking is really.
<Vegas> Learning is hard but the reward is gratifying.
<Vegas> I will try to lecture here on #lecture every friday on different subjects and i'd like to have some feedback about what topics you want me to talk about.
<Vegas> This lecture will be loged, like all the lecture i made and i will make, in http://www.advknowledge.net


##################################################
#
#Post lecture rambling
#
##################################################


<Vegas> Now if you have questions ... 
<Trid3nt> :D
<Trid3nt> cool lecture
-_IRIX- it was cool ! i'll be here next friday too!
<Vegas> thx
<Vegas> some hot topic
* Criptik claps
<Criptik> bravo bravo
<Vegas> thats not for newbies
<HELL[homework]> cool
<dodo> wow
<Criptik> well done sonny
<t2k> great lecture
<Vegas> THANK YOU