The attacks listed above are not anything new. What is new is the ease that they can be carried out using Metasploit and the ability of the commercial products to chain them together to automatically compromise vulnerable devices. These attacks are just an extension of our existing coverage and a hint of what is on the roadmap for future development of our commercial products.
One thing I haven’t mentioned so far is what we actually do with the Cisco IOS configuration files after we capture them. These files contain the running configuration of the device, this includes the vty passwords, enable passwords, VPN keys, SSL certifications, and WiFi credentials. Metaspoit will automatically parse these configuration files to scrape out sensitive data and store it as either evidence of a compromise or as stolen authentication credentials. The screen shot below demonstrates the output of brute forcing the Telnet vty password, then the enable password, then dumping and parsing the configuration:
Metasploit Express and Metasploit Pro can automatically recycle credentials obtained from these configuration files to gain access to other devices on the network. If you crack one Cisco device through a weak SNMP community and discover that the vty password is “ciscorules!”, you can use the “known-only” profile of the brute force component to automatically try this password, via any protocol, against any other device on the network. Once you gain access to other devices, the configuration files are obtained and the entire process starts again. You can easily apply a password taken from a Cisco router against the login page of an intranet site or leverage a password obtained through a traditional exploit to gain access to a multitude of network devices. One of our development goals is to ensure that our users can always identify and exploit the weakest link on a given network.