Monday, November 28, 2011

Cisco Auditing Tool

Vulnerability Assessment -> Network Assesstment -> Cisco Tools

This is similar to the previous two tools, so do not expect too much, this can search for telnet passwords and SNMP community strings. It's better in one way than the previous programs: we can give a list of words for testing passwords, and it will try all of them. Unfortunately, it doesn't look for the enable password.

The usage is also very easy, but it has a couple of more options. Example:

root@bt:/pentest/cisco/cisco-auditing-tool# ./CAT -h -w lists/community -a lists/passwords

This will scan the host at, the "lists/passwords" contains the telnet passwords and the "lists/community" the SNMP strings.

Sunday, November 27, 2011

Cisco OCS

Vulnerability Assessment -> Network Assesstment -> Cisco Tools

It does a little bit more then the Cisco Scanner, it will also check if the enable password is "cisco" (Cisco scanner only looked if the telnet password is "cisco"). It also slower a little bit. The protection is the same: don't use default passwords!

The usage is very simple, give it an address range and let it run. Example:


Official website:

Cisco Scanner

Vulnerability Assesstment -> Network Assessment -> Cisco Tools -> cisco passwd scanner

The only item this tool does is scanning a subnet for Cisco devices - it will try to telnet to each IP, and login with the default password "cisco", if this is successful, then it considers to find a device. It's important to mention, that it will basically check the telnet password, which is set on the vty lines, and not the enable password:

router(config)#line vty 0 4
router(config-line)#password cisco

If we change this password, then it won't find the device, so change it. Also never use default passwords.


./ciscos 192.168.80 3

This will scan the subnet (3 means that this we provided a class C subnet).

Saturday, November 26, 2011

MAC flooding with macof

macof can flood a switch with random MAC addresses. This is called MAC flooding. This fills in the switch's CAM table, thus new MAC addresses can not be saved, and the switch starts to send all packets to all ports, so it starts to act as a hub, and thus we can monitor all traffic passing through it.

The tool can be started from the command line. Below we can see its options, which are not that many.

root@bt:~# macof -h
Version: 2.4
Usage: macof [-s src] [-d dst] [-e tha] [-x sport] [-y dport]
[-i interface] [-n times]

Example (Generating 10 packets on the eth1 interface):

root@bt:~# macof -i eth1 -n 10


We can protect our network against this kind of attack with port security, which limits the number of MAC addresses on an interface. This looks somehow like this on Cisco switches:

switch(config)# interface fastethernet 1/1
switch(config-if)# switchport port-security
switch(config-if)# switchport port-security maximum 1
switch(config-if)# switchport port-security mac-address [mac_addres]

There are still a few other options for this command, but the configuration above, will tell the switch to allow only a single MAC address: the one we set.

Monday, November 21, 2011

Backtrack basics 9. - Using wireless if running as a VM

I'm sure many people wondered, including me, how to do wireless in VMware, because the wifi network card can not be shared or attached to the virtual machine. The solution is an USB wireless network card, because VMware can pass any USB device to a virtual machine, thus solving the problem.

Just plug in your USB device, and then at the lower right corner of the VMware window, select whether you want to connect it to the VM, in this case to Backtrack.

If Backtrack support the wifi card, it will appear as wlan0 interface. Here are two lists about the supported wireless cards:

Sunday, November 20, 2011

Cisco Global Exploiter

Exploitation Tools -> Network Exploitation Tools -> Cisco Attacks

cisco-global-exploiter can detect 14 different vulnerabilities on Cisco routers and switches. Most of these can only be found on end of life IOS or CatOS versions, and they mostly allow us to make DoS attacks, but there is one for example which can give us level 15 privileged access, in case some circumstances are met.

The tool expects two options: 1. the device's IP address, 2. the number of the vulnerability

root@bt:/pentest/cisco/cisco-global-exploiter# perl 3

[3] - Cisco IOS HTTP Auth Vulnerability

Tested on 12.4(15)T4 IOS:

Despite the fact that the tool considers attack #3 successful, it really doesn't work - it's reported false positive, only because the returned webpage doesn't contain an element, which would mean that the attack is unsuccessful (you can deep dive into the script).

There is a very detailed documentation about the vulnerabilities in the tool's directory.


Exploitation Tools -> Network Exploitation Tools -> Cisco Attacks

tftpbrute is a fast TFTP file search tool. It can scan a server on multiple threads based on a predefined list, and if it finds a match, it prints it to the screen. is a Cisco router, where I run the "tftp-server nvram:startup-config" command. This filename exists on the tftpbrute's default word list, so we can find it:

root@bt:/pentest/cisco/tftp-bruteforce# ./ brutefile.txt

The result:

More information:

There is a similar tool in Metasploit as well: