
Thread: GNS3-Cisco3745-Multi HowTo. SSH server, Security Device Manager, quick VPN server,etc

  1. #1
    Senior Member iproute
    Join Date
    Jan 2010
    Midwest, USA

    GNS3-Cisco3745-Multi HowTo. SSH server, Security Device Manager, simple VPN server, eventually IPS cli config

    This HowTo will detail installing Cisco SDM into an emulated router in BT4. SDM is a slick GUI that can simplify some configuration tasks, and can be cool to mess around with. Some features may or may not work depending on what IOS version and feature set it is coupled with. I apologize for any redundancy with previous posts, but I like my HowTo's to be as complete as possible, despite this being somewhat of a GNS3 series.

    Later on in the post I'll add a simple VPN setup, and demonstrate pivoting with it. I'd like to address command line setup of IPS if I can. I've begun some of the stages, so I'll keep you posted. It was initially intended to tie in with SDM, but I have as yet been unable to get SDM to recognise that my emulated IOS does indeed have IPS included in the feature set.

    The primary file needed in this case is
    You'll need to extract it. I like to keep things clean in a working directory.
    root@bt:~# mkdir /root/workspace
    root@bt:~# cd /root/workspace
    root@bt:~# cp /root/Downloads/CisSdM.rar /root/workspace
    root@bt:~# unrar x CisSdM.rar
    Then you'll need to copy a list of files. I like to put them into a tarball and then put them on my ftp server. Here's the list
    And tarballing it all...Don't forget to change directories. You should end up in ../SDM-V25/
    root@bt:~# tar -cf sdm-install.tar home.shtml sdm.tar common.tar es.tar home.tar sdmconfig-36xx-37xx.cfg securedesktop-ios- sslclient-win- wlanui.tar 128MB.sdf 256MB.sdf
    and copy it to your ftp root directory. Then configure a 3745 router using this IOS version or something similar
    For the networking...remember you'll need uml-utilities installed. If you do not have it run
    root@bt:~# apt-get install uml-utilities
    Set up a loopback, add a bridge, plug our ethernet and loopback adapters into the bridge with no IP and promiscuous, then obtain a DHCP lease on the bridge.
    root@bt:~# tunctl tap0
    root@bt:~# brctl addbr br0
    root@bt:~# brctl addif br0 tap0
    root@bt:~# brctl addif br0 eth0
    root@bt:~# ifconfig eth0 promisc up
    root@bt:~# ifconfig tap0 promisc up
    root@bt:~# dhclient br0
    Now add your IOS image into GNS3. Start your router and console in. Wait until it is finished booting and is idle. Right click and calculate an IDLE-PC value, otherwise your CPU will be loaded hard. Choose a value with a * next to it. Configure your router for SSH, and some other basics. Use 1024 bits for the SSH key when prompted. SDM also requires the user to have level 15 privilege.
    Router> enable
    Router# conf t
    Router(config)# hostname SDM-router
    SDM-router(config)# enable password ciscopass 
    SDM-router(config)# ip domain name
    SDM-router(config)# ip ssh authentication-retries 5
    SDM-router(config)# ip ssh version 2
    SDM-router(config)# crypto key generate rsa
    SDM-router(config)# line con 0
    SDM-router(config-line)# no exec-timeout
    SDM-router(config-line)# no session-timeout
    SDM-router(config-line)# line vty 0 4
    SDM-router(config-line)# no exec-timeout
    SDM-router(config-line)# no session-timeout
    SDM-router(config-line)# login local
    SDM-router(config-line)# transport input ssh
    SDM-router(config-line)# exit
    SDM-router(config)# username iprouteth0 privilege 15 password 0 ciscopass
    SDM-router(config)# int fa0/0
    SDM-router(config-if)# ip address dhcp
    SDM-router(config-if)# no shut
    Then SSH in to the IP that was assigned to your cisco router.
    root@bt:~# ssh iprouteth0@
    And let's set up the HTTPS server, clean the flash and upload our SDM files.
    SDM-router# conf t
    SDM-router(config)# no ip http server
    SDM-router(config)# ip http secure-server
    SDM-router(config)# ip http authentication local
    SDM-router(config)# exit
    SDM-router# erase flash:
    SDM-router# format flash:
    SDM-router# archive tar /xtract flash:
    And now just browse to the router's IP in your browser. Make sure you have Java installed. Some different Java versions allow some SDM features to work properly. I'm not sure which, however. Also turn off your pop-up blocker. I am using a Windows VM just to simplify the process as everything was already set up.
    Have fun with SDM!


    And now on to the simple VPN server config. Could be handy for messing around with VPN discovery or bruteforcing tools. I haven't had the time to try some of my ideas as of yet, or other VPN configurations for that matter. The original idea for this came as an idea for a nice way to pivot inside. Suppose you've already compromised your client's Cisco router. Maybe it hasn't seen care lately, has an old IOS version that has the level/99 HTTP vulnerability. Well now you've got level 15 access. Now what? Ok, well maybe show arp, and hey, how many records is that in the table? Around 34 entries. Let's ping the IPs! Well some are alive, but if only I could nmap them somehow or use metasploit.......

    Router's IP in this scenario is, which is sort of representing the public or outside in the config below.
    Router(config)# vpdn enable
    Router(config)# vpdn source-ip
    Router(config)# vpdn-group nemesisvpn
    Router(config-vpdn)# accept-dialin
    Router(config-vpdn)# protocol pptp
    Router(config-vpdn)# virtual-template 1
    Router(config-vpdn)# exit
    Router(config)# interface Virtual-Template 1
    Router(config-if)# ip unnumbered fa0/1
    Router(config-if)# peer default ip address pool nemesispool
    ! This command may not be required; it forces encryption.
    Router(config-if)# ppp encrypt mppe auto required
    Router(config-if)# ppp authentication ms-chap ms-chap-v2
    Router(config)# ip local pool nemesispool
    Router(config)# username vpntest password vpntest
    Router(config)# aaa new-model
    Router(config)# aaa authentication ppp default local
    Router(config)# vpdn enable
    Now install your pptp client. I used pptp-linux because it was fairly simple.
    root@bt:~# apt-get install pptp-linux
    Then connect your PPTP client, and add a static route so you can get there.
    root@bt:~# pptpsetup --create nemesis --server --username iprouteth0 --password ciscopass --start
    root@bt:~# route add -net netmask dev ppp0
    The network is the inside network we are wanting to pivot to in order to attack in this given scenario.

    Let me know if this is useful or interesting for any of you. I'm still working on the SIP/VoIP tools for my previous write-up and working on this howto as well. IPS stuff will be coming, but I'd like to get some videos of the previous processes up first to help illustrate that, then comes IPS. Stay tuned....
    Last edited by iproute; 11-29-2010 at 10:31 PM.
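
A review pass over the kind of configuration built in the post above, as an added example that is not part of the original post: it flags the management and VPN settings a reviewer would call out when auditing a saved config. The sample config is constructed from the post's commands, and the rule names and the `audit` function are hypothetical.

```python
import re

# Constructed sample: the post's commands as they would appear in a
# saved configuration (elided values from the post are left out).
SAMPLE_CONFIG = """\
hostname SDM-router
enable password ciscopass
ip ssh version 2
username iprouteth0 privilege 15 password 0 ciscopass
no ip http server
ip http secure-server
vpdn-group nemesisvpn
 accept-dialin
  protocol pptp
interface Virtual-Template1
 ppp authentication ms-chap ms-chap-v2
line vty 0 4
 no exec-timeout
 login local
 transport input ssh
"""

# (hypothetical rule id, pattern, why a reviewer would flag the line)
RULES = [
    ("enable-password", r"^enable password\b", "not hashed; use 'enable secret'"),
    ("user-cleartext", r"^username \S+ .*\bpassword (0 )?(?!7 )\S+", "cleartext user password"),
    ("http-plain", r"^ip http server\b", "HTTP management without TLS"),
    ("pptp", r"^protocol pptp\b", "PPTP dial-in enabled"),
    ("ms-chap-v1", r"^ppp authentication\b.*\bms-chap(?!-v2)\b", "MS-CHAPv1 accepted"),
    ("no-exec-timeout", r"^(no exec-timeout|exec-timeout 0 0)\b", "idle sessions never expire"),
    ("telnet", r"^transport input\b.*\b(telnet|all)\b", "Telnet allowed on line"),
]

def audit(config_text):
    """Return a list of (line_no, rule_id, line, reason) findings."""
    findings = []
    for no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # skip blanks and IOS comment lines
        for rule_id, pattern, reason in RULES:
            if re.search(pattern, line):
                findings.append((no, rule_id, line, reason))
    return findings

if __name__ == "__main__":
    for no, rule_id, line, reason in audit(SAMPLE_CONFIG):
        print(f"line {no}: [{rule_id}] {line}  -> {reason}")
```
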
