The cisco-ocs application available in the Backtrack menu ( Backtrack > Vulnerability Assessment > Network Assessment > Cisco Tools ) is also known as cisco-ocs Mass Scanner. This tool provides a single function which is to scan large ranges of IP’s looking for Cisco devices or really any device listening on TCP port 23, attempts to login using telnet with a password of cisco, then passes the enable command to the Cisco router if its able to login via telnet, uses cisco again for the enable password, and finally reports a success if its able to get to the enable prompt using these exact steps. Unfortunately this is the only function of the tool as you cannot specify a wordlist of passwords to attempt or for that matter you cannot set anything accept for the range of IP addresses to scan. Below we should a couple examples of the Cisco-OCS Mass Scanner working on Backtrack 5 R3.
cisco-auditing-tool – Backtrack 5 – Vulnerability Assessment – Network Assessment – Cisco Tools – cisco-auditing-tool
The cisco-auditing-tool located in the Backtrack menu ( Backtrack > Vulnerability Assessment > Network Assessment > Cisco Tools ) is written in Perl and accomplishes three tasks which include attempting to brute force the telnet password on a Cisco device if telnet is running, attempting to show the iOS history on the Cisco device using a vulnerability which I believe is from the late 90’s, and attempting to brute force the SNMP community strings for the device. The tool is fairly outdated as most Cisco devices in corporate networks should now be using SSH and it would seem surprising unless you are doing an internal audit if SNMP was exposed for any Cisco devices still in service. That being said there is definitely still value if you have a ton of Cisco devices to audit you can feed a list of IP’s or hostnames into the script and check basic SNMP community strings and telnet passwords.
goofile – Backtrack 5 – Information Gathering – Web Application Analysis – Open Source Analysis – goofile
The goofile Backtrack menu item ( Backtrack > Information Gathering > Web Application Analysis > Open Source Analysis ) is a great little Python script that provides easy access and results from one of Google’s Advanced Searches. During the information gathering phase of a penetration test it provides a great method to collect data about your target by searching a domain for specific file types. Below we describe goofile in more detail and provide an example of how goofile works.
Many people still seem to not be aware of EXIF data and the information it provides anyone that wants to view it. EXIF data is attached to image files as well as other files and provides all sorts of details from file creation time to exact GPS coordinates. This is the type of data that was extracted from an image uploaded by Vice Magazine that gave away John McAfee’s location when he escaped Belize. On Backtrack Linux there are numerous tools to extract EXIF data including exiftool which is written in Perl and easy to use. Below we will describe exiftool, which is located in /pentest/misc/exiftool/ or /usr/bin, and provide examples to show how easy it is to use.
I personally use exiftool to extract EXIF or Exchangeable Image File data from files including Microsoft Office files such as .doc, .xls, and .ppt. The newer versions of Microsoft Office have new file extensions as you know which are .docx, .pptx, and .xlsx. The version of exiftool on Backtrack Linux doesn’t extract EXIF data from the latest MS Office file formats however you can easily download the latest exiftool for use on Backtrack Linux 5. Use the information below to download the latest exiftool on Backtrack, install a necessary Perl library, and then start extracting EXIF data from the newer Microsoft Office file versions.