Metasploit Express and Metasploit Pro will automatically recognize Cisco IOS HTTP services during a discovery scan, check for these two flaws, and exploit them to gain access to the running device configuration. In addition to these two known vulnerabilities, the device password can also be determined through a brute force attack on the HTTP service. The HTTP protocol is relatively quick to brute force, compared to slower, terminal-based services like Telnet and SSH. Metasploit Express and Metasploit Pro will automatically grab the running device configuration after a successful HTTP brute force of an IOS device.
The next service I want to discuss is SNMP. Oddly enough, SNMP is often left exposed on otherwise secure routers. The reason for this may be the general view of what SNMP is and does. The Simple Network Management Protocol is great for polling information across a wide range of systems in a standard format. Regardless of who built your switch or router, just about any SNMP client and monitoring software will work with that device, provided SNMP is enabled and configured.
What many network administrators don’t realize, is not only the depth of information exposed by SNMP but the fact that a writeable SNMP community can be leveraged to gain complete control over a device. In the case of Cisco IOS, a writeable SNMP community can be used to download the running device configuration AND modify the running configuration. A router with telnet disabled and a complex serial password can be hijacked nearly instantly through a writeable SNMP community. The Metasploit Framework provides a SNMP brute force tool, written as an auxiliary module, which can leverage a wordlist of common passwords to identify valid communities and determine whether they are read-only or read-write. In addition to the basic brute force module, Metasploit now contains a module (submitted by community contributor “pello”), that can use a writeable SNMP community to download the running device configuration.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.