Backtrack cisco-auditing-tool Additional Enable Password Confirmation Added

When using the cisco-auditing-tool script located in the Backtrack Linux menu ( Backtrack > Vulnerability Assessment > Network Assessment > Cisco Tools ) I was getting an error even though I was sure one of the passwords I had in the wordlist was accurate. After some troubleshooting I was able to figure out that the script checked for a non-privileged account on the Cisco device but if the account was actually a privileged account which is also known as an enable account it would crash because it never received the response it expected. I added a couple lines of code and now the cisco-auditing-tool Perl script will provide confirmation of lower level accounts on a Cisco device as well as enable level accounts on a Cisco device. Below I describe the error message output when the cisco-auditing-tool Perl script was crashing followed by the code update to provide Cisco enable level password auditing.

You can see in the example output below that the cisco-auditing-tool Perl script is named CAT and run by issuing ./CAT from the command line in Backtrack Linux.

cisco-auditing-tool Or CAT Crashing On Backtrack Linux:

root@bt:/pentest/cisco/cisco-auditing-tool# ./CAT -h 192.168.1.22 -a lists/passwords
Cisco Auditing Tool - g0ne [null0]
Checking Host: 192.168.1.22
Guessing passwords:
Invalid Password: cisco
pattern match timed-out at ./plugins/brute line 15
root@bt:/pentest/cisco/cisco-auditing-tool#

As you can see above the error output is a pattern match timed-out message complaining about the brute plugin on line 15. After some investigation I realized that the pattern that the script was attempting to match was > which displays for privilege level 1 Cisco accounts on the current iOS or “Version 15.1(4)M4” that I am testing with. It would be typical for the entry to the device via telnet only have a privilege level of 1 however it is extremely beneficial to know if you have just brute forced a higher level password for the device. I believe that either all or most Cisco privileged level accounts ranging from 2 to 15 will always have a # instead of a >. It was easy enough to update the CAT Perl script located in the /pentest/cisco/cisco-auditing-tool/ directory as well as the brute Perl plugin located in the /pentest/cisco/cisco-auditing-tool/plugins/ directory.

Below you can click on the title of the file I modified to see the original code. To save the article from being super long I only have printed out the entire updated code so you can copy/paste it into CAT and brute in the correct locations. Again this updated cisco-auditing-tool code provides two outputs for when a password is located which include the original “Password Found: <found password here>” output but it also will now output “Enable Password Found: <found password here>” when a password for a Cisco privilege level 2+ account is located.

CAT: cisco-auditing-tool Perl Script Original File

#!/usr/bin/perl
#
use lib './lib';
use Getopt::Std;
$|=1;
require './plugins/usage';
require './plugins/brute';
require './plugins/snmp';
require './plugins/ihist';
getopts("h:f:p:w:a:l:iq", \%args);
if(!%args)
{
usage();
exit;
}
#if(!defined $args{l}) {
#$logfile = "$args{h}.log";
#} else {
#$logfile = $args{l};
elsif(!defined $args{h} && !defined $args {f})
{
usage();
exit;
}
if(defined $args{f})
{
@hosts = `cat $args{f}`;
}
else
{
@hosts = $args{h};
}
if(defined $args{p})
{
$port = $args{p};
}
else
{
$port = 23;
}
if(defined $args{w})
{
@community = `cat $args{w}`;
}
else
{
@community = ( "public", "private" );
}
if(defined $args{a})
{
@wordlist = `cat $args{a}`;
}
else
{
@wordlist = ( "cisco", "ciscos", "cisco1", "router", "router1", "admin", "Admin" ) ;
}
if(defined $args{i})
{
$ioshist = 1;
}
if(defined $args{l})
{
$logfile = $args{l};
open LOG, ">$logfile";
}
if(defined $args{q})
{
$quiet = 1;
}
if (!defined $quiet)
{
print "\nCisco Auditing Tool - g0ne [null0]\n\n";
}
if (defined $logfile)
{
print LOG "\nCisco Auditing Tool - g0ne [null0]\n\n";
}
foreach(@hosts)
{
$hostname = $_;
chomp $hostname;
if (!defined $quiet)
{
print "Checking Host: $hostname\n\n\n";
print "Guessing passwords: \n\n";
}
if (defined $logfile)
{
print LOG "Checking Host: $hostname\n\n\n";
print LOG "Guessing passwords: \n\n";
}
foreach(@wordlist)
{
$password = $_;
chomp $password;
$ret = brute($hostname, $port, $password);
if ($ret eq 1)
{
if (!defined $quiet)
{
print "Password Found: $password\n";
}
if (defined $logfile)
{
print LOG "Password Found: $password\n";
}
}
else
{
if (!defined $quiet)
{
print "Invalid Password: $password\n";
}
if (defined $logfile)
{
print LOG "Invalid Password: $password\n";
}
}
sleep 2;
}
if (!defined $quiet)
{
print "\n\nGuessing Community Names: \n\n";
}
if (defined $logfile)
{
print LOG "\n\nGuessing Community Names: \n\n";
}
foreach(@community)
{
$community = $_;
chomp $community;
$ret = snmp($hostname, $community);
if ($ret eq 1)
{
if (!defined $quiet)
{
print "Community Name Found: $community\n";
}
if (defined $logile)
{
#print to log file
}
}
else
{
if (!defined $quiet)
{
print "Invalid Community Name: $community\n";
}
if (defined $logfile)
{
print LOG "Invalid Community Name: $community\n";
}
}
}
if (defined $ioshist)
{
if (!defined $quiet)
{
print "\n\nChecking for IOS History Bug: \n\n";
}
if (defined $logfile)
{
print LOG "\n\nChecking for IOS History Bug: \n\n";
}
($users, $history) = ihist($hostname, $port);
if (!defined $quiet)
{
print "Users Currently Logged In: \n";
print $users;
print "\n\n";
print "History Log: \n";
print $history;
print "\n";
}
if (defined $logfile)
{
print LOG "Users Currently Logged In: \n";
print LOG $users;
print LOG "\n\n";
print LOG "History Log: \n";
print LOG $history;
print LOG "\n";
}
}
if (!defined $quiet)
{
print "\n---------------------------------------------------\n\n";
}
if (defined $logfile)
{
print LOG "\n---------------------------------------------------\n\n";
}
}
if (!defined $quiet)
{
print "Audit Complete\n\n";
}
if (defined $logfile)
{
print LOG "Audit Complete\n\n";
close LOG;
}
exit;

CAT: cisco-auditing-tool Perl Script Updated File

#!/usr/bin/perl
#
use lib './lib';
use Getopt::Std;
$|=1;
require './plugins/usage';
require './plugins/brute';
require './plugins/snmp';
require './plugins/ihist';
getopts("h:f:p:w:a:l:iq", \%args);
if(!%args)
{
usage();
exit;
}
#if(!defined $args{l}) {
#$logfile = "$args{h}.log";
#} else {
#$logfile = $args{l};
elsif(!defined $args{h} && !defined $args {f})
{
usage();
exit;
}
if(defined $args{f})
{
@hosts = `cat $args{f}`;
}
else
{
@hosts = $args{h};
}
if(defined $args{p})
{
$port = $args{p};
}
else
{
$port = 23;
}
if(defined $args{w})
{
@community = `cat $args{w}`;
}
else
{
@community = ( "public", "private" );
}
if(defined $args{a})
{
@wordlist = `cat $args{a}`;
}
else
{
@wordlist = ( "cisco", "ciscos", "cisco1", "router", "router1", "admin", "Admin" ) ;
}
if(defined $args{i})
{
$ioshist = 1;
}
if(defined $args{l})
{
$logfile = $args{l};
open LOG, ">$logfile";
}
if(defined $args{q})
{
$quiet = 1;
}
if (!defined $quiet)
{
print "\nCisco Auditing Tool - g0ne [null0]\n\n";
}
if (defined $logfile)
{
print LOG "\nCisco Auditing Tool - g0ne [null0]\n\n";
}
foreach(@hosts)
{
$hostname = $_;
chomp $hostname;
if (!defined $quiet)
{
print "Checking Host: $hostname\n\n\n";
print "Guessing passwords: \n\n";
}
if (defined $logfile)
{
print LOG "Checking Host: $hostname\n\n\n";
print LOG "Guessing passwords: \n\n";
}
foreach(@wordlist)
{
$password = $_;
chomp $password;
$ret = brute($hostname, $port, $password);
if ($ret eq 1)
{
if (!defined $quiet)
{
print "Password Found: $password\n";
}
if (defined $logfile)
{
print LOG "Password Found: $password\n";
}
}
if ($ret eq 2)
{
if (!defined $quiet)
{
print "Enable Password Found: $password\n";
}
if (defined $logfile)
{
print LOG "Enable Password Found: $password\n";
}
}
if ($ret eq 0)
{
if (!defined $quiet)
{
print "Invalid Password: $password\n";
}
if (defined $logfile)
{
print LOG "Invalid Password: $password\n";
}
}
sleep 2;
}
if (!defined $quiet)
{
print "\n\nGuessing Community Names: \n\n";
}
if (defined $logfile)
{
print LOG "\n\nGuessing Community Names: \n\n";
}
foreach(@community)
{
$community = $_;
chomp $community;
$ret = snmp($hostname, $community);
if ($ret eq 1)
{
if (!defined $quiet)
{
print "Community Name Found: $community\n";
}
if (defined $logile)
{
#print to log file
}
}
else
{
if (!defined $quiet)
{
print "Invalid Community Name: $community\n";
}
if (defined $logfile)
{
print LOG "Invalid Community Name: $community\n";
}
}
}
if (defined $ioshist)
{
if (!defined $quiet)
{
print "\n\nChecking for IOS History Bug: \n\n";
}
if (defined $logfile)
{
print LOG "\n\nChecking for IOS History Bug: \n\n";
}
($users, $history) = ihist($hostname, $port);
if (!defined $quiet)
{
print "Users Currently Logged In: \n";
print $users;
print "\n\n";
print "History Log: \n";
print $history;
print "\n";
}
if (defined $logfile)
{
print LOG "Users Currently Logged In: \n";
print LOG $users;
print LOG "\n\n";
print LOG "History Log: \n";
print LOG $history;
print LOG "\n";
}
}
if (!defined $quiet)
{
print "\n---------------------------------------------------\n\n";
}
if (defined $logfile)
{
print LOG "\n---------------------------------------------------\n\n";
}
}
if (!defined $quiet)
{
print "Audit Complete\n\n";
}
if (defined $logfile)
{
print LOG "Audit Complete\n\n";
close LOG;
}
exit;

You will notice new Perl code added from line 126 thru line 136. Also the original line 126 which is now line 137 has been modified from “else” to “if ($ret eq 0)”. The second file that needs to be updated is the ~/cisco-auditing-tool/plugins/brute file and again you can click on the title of the original brute Perl plugin to see the original brute plugin code.

CAT: cisco-auditing-tool brute Plugin Original File

use Net::Telnet();
sub brute {
my ($host, $port, $password) = @_;
$telnet = new Net::Telnet ( Port => $port,
Host => $host,
Timeout => 3,
Errmode => 'die');
$telnet->waitfor('/password[: ]*$/i');
$telnet->print($password);
($prematch, $match) = $telnet->waitfor(-match => '/>$/i',
-match => '/password[: ]*$/i');
if ($match =~ />$/i)
{
$telnet->close;
return (1);
}
else
{
$telnet->close;
return (0);
}
} print;

CAT: cisco-auditing-tool brute Plugin Updated File

use Net::Telnet();
sub brute {
my ($host, $port, $password) = @_;
$telnet = new Net::Telnet ( Port => $port,
Host => $host,
Timeout => 3,
Errmode => 'die');
$telnet->waitfor('/password[: ]*$/i');
$telnet->print($password);
($prematch, $match) = $telnet->waitfor(-match => '/>$/i',
-match => '/#$/i',
-match => '/Password[: ]*$/i');
if ($match =~ />$/i)
{
$telnet->close;
return (1);
}
if ($match =~ /#$/i)
{
$telnet->close;
return (2);
}
else
{
$telnet->close;
return (0);
}
} print;

In the brute plugin file you will notice the addition of Perl code on line 16 as well as the additions of Perl code on lines 24 thru 28. I will describe the new output in more detail in an upcoming article I am working on that is going to be about using the CAT or cisco-auditing-tool Perl script to audit Cisco devices.

The updated code simply provides a second possible response to a success when an Cisco enable password or Cisco privileged account is located. The original developer “g0ne [null0]” didn’t have an email address in the script so unfortunately I could not contact him with the update. If anyone knows how to get ahold of “g0ne [null0]” let me know or have him contact me through this site. As always his work is appreciated because in the end even though the cisco-auditing-tool Perl script is fairly dated and simple it definitely accomplishes a couple tasks that are easy to run into during a penetration test.

Click here for more information about cisco-auditing-tool or click here for more Backtrack Linux articles.

3 Comments

Pablo says:

April 25, 2013 at 4:26 AM

Hi! I have tried your codes, but now the tool doesn’t work, it only shows the options header when I run it, but do not execute anymore… any ideas?. Thanks!

- EmMx says:
  
  January 5, 2014 at 5:18 PM
  
  The code posted omits the ‘\’ (slash), if you put the slashes you got it.
  
Feh says:

May 30, 2015 at 5:10 PM

This article is poorly written, im getting errors on your code as well. I give up.

Author: alex

3 Comments

Leave a Reply Cancel reply

Backtrack cisco-auditing-tool Additional Enable Password Confirmation Added

Author: alex

Related posts

3 Comments

Leave a Reply Cancel reply