When using the cisco-auditing-tool script from the Backtrack Linux menu (Backtrack > Vulnerability Assessment > Network Assessment > Cisco Tools) I was getting an error even though I was sure one of the passwords in my wordlist was correct. After some troubleshooting I found that the script only checked for a non-privileged account on the Cisco device: if the account was actually a privileged account, also known as an enable account, the script crashed because it never received the response it expected. I added a couple of lines of code, and the cisco-auditing-tool Perl script now confirms both lower level accounts and enable level accounts on a Cisco device. Below I show the error output from the crashing cisco-auditing-tool Perl script, followed by the code update that adds Cisco enable level password auditing.
You can see in the example output below that the cisco-auditing-tool Perl script is named CAT and is run by issuing ./CAT from the command line in Backtrack Linux.
cisco-auditing-tool Or CAT Crashing On Backtrack Linux:

```text
root@bt:/pentest/cisco/cisco-auditing-tool# ./CAT -h 192.168.1.22 -a lists/passwords
Cisco Auditing Tool - g0ne [null0]
Checking Host: 192.168.1.22
Guessing passwords:
Invalid Password: cisco
pattern match timed-out at ./plugins/brute line 15
root@bt:/pentest/cisco/cisco-auditing-tool#
```
As you can see above, the error is a pattern match timed-out message pointing at line 15 of the brute plugin. After some investigation I realized that the pattern the script was trying to match was >, which is the prompt displayed for privilege level 1 Cisco accounts on the IOS version I am testing with, "Version 15.1(4)M4". Entry to the device via telnet would typically only land at privilege level 1, but it is extremely useful to know when you have just brute forced a higher level password for the device. I believe that all or most Cisco privileged level accounts, from privilege level 2 to 15, will always show a # prompt instead of a >. It was easy enough to update the CAT Perl script located in the /pentest/cisco/cisco-auditing-tool/ directory as well as the brute Perl plugin located in the /pentest/cisco/cisco-auditing-tool/plugins/ directory.
Below, for each file I modified, you can see the original code followed by the complete updated file, so you can copy/paste the updated code into CAT and brute in the correct locations (to keep the article from being super long I only discuss the changes rather than every line). Again, this updated cisco-auditing-tool code produces two outputs when a password is located: the original "Password Found: <found password here>" output, and now also "Enable Password Found: <found password here>" when a password for a Cisco privilege level 2+ account is located.
CAT: cisco-auditing-tool Perl Script Original File

```perl
#!/usr/bin/perl
#
use lib './lib';
use Getopt::Std;
$|=1;

require './plugins/usage';
require './plugins/brute';
require './plugins/snmp';
require './plugins/ihist';

getopts("h:f:p:w:a:l:iq", \%args);

if(!%args)
{
    usage();
    exit;
}
#if(!defined $args{l}) {
#$logfile = "$args{h}.log";
#} else {
#$logfile = $args{l};
elsif(!defined $args{h} && !defined $args{f})
{
    usage();
    exit;
}

# Target hosts: -f reads a file of hosts, -h names a single host
if(defined $args{f})
{
    @hosts = `cat $args{f}`;
}
else
{
    @hosts = $args{h};
}

# Telnet port, default 23
if(defined $args{p})
{
    $port = $args{p};
}
else
{
    $port = 23;
}

# SNMP community names: -w reads a file, otherwise the two defaults
if(defined $args{w})
{
    @community = `cat $args{w}`;
}
else
{
    @community = ( "public", "private" );
}

# Telnet passwords: -a reads a wordlist, otherwise the built-in defaults
if(defined $args{a})
{
    @wordlist = `cat $args{a}`;
}
else
{
    @wordlist = ( "cisco", "ciscos", "cisco1", "router", "router1", "admin", "Admin" );
}

if(defined $args{i})
{
    $ioshist = 1;
}
if(defined $args{l})
{
    $logfile = $args{l};
    open LOG, ">$logfile";
}
if(defined $args{q})
{
    $quiet = 1;
}

if (!defined $quiet)
{
    print "\nCisco Auditing Tool - g0ne [null0]\n\n";
}
if (defined $logfile)
{
    print LOG "\nCisco Auditing Tool - g0ne [null0]\n\n";
}

foreach(@hosts)
{
    $hostname = $_;
    chomp $hostname;
    if (!defined $quiet)
    {
        print "Checking Host: $hostname\n\n\n";
        print "Guessing passwords: \n\n";
    }
    if (defined $logfile)
    {
        print LOG "Checking Host: $hostname\n\n\n";
        print LOG "Guessing passwords: \n\n";
    }

    # brute() returns 1 for a '>' prompt and 0 otherwise (see plugins/brute)
    foreach(@wordlist)
    {
        $password = $_;
        chomp $password;
        $ret = brute($hostname, $port, $password);
        if ($ret eq 1)
        {
            if (!defined $quiet)
            {
                print "Password Found: $password\n";
            }
            if (defined $logfile)
            {
                print LOG "Password Found: $password\n";
            }
        }
        else
        {
            if (!defined $quiet)
            {
                print "Invalid Password: $password\n";
            }
            if (defined $logfile)
            {
                print LOG "Invalid Password: $password\n";
            }
        }
        sleep 2;
    }

    if (!defined $quiet)
    {
        print "\n\nGuessing Community Names: \n\n";
    }
    if (defined $logfile)
    {
        print LOG "\n\nGuessing Community Names: \n\n";
    }
    foreach(@community)
    {
        $community = $_;
        chomp $community;
        $ret = snmp($hostname, $community);
        if ($ret eq 1)
        {
            if (!defined $quiet)
            {
                print "Community Name Found: $community\n";
            }
            # the original file tested a misspelled $logile here and never logged
            if (defined $logfile)
            {
                print LOG "Community Name Found: $community\n";
            }
        }
        else
        {
            if (!defined $quiet)
            {
                print "Invalid Community Name: $community\n";
            }
            if (defined $logfile)
            {
                print LOG "Invalid Community Name: $community\n";
            }
        }
    }

    if (defined $ioshist)
    {
        if (!defined $quiet)
        {
            print "\n\nChecking for IOS History Bug: \n\n";
        }
        if (defined $logfile)
        {
            print LOG "\n\nChecking for IOS History Bug: \n\n";
        }
        ($users, $history) = ihist($hostname, $port);
        if (!defined $quiet)
        {
            print "Users Currently Logged In: \n";
            print $users;
            print "\n\n";
            print "History Log: \n";
            print $history;
            print "\n";
        }
        if (defined $logfile)
        {
            print LOG "Users Currently Logged In: \n";
            print LOG $users;
            print LOG "\n\n";
            print LOG "History Log: \n";
            print LOG $history;
            print LOG "\n";
        }
    }

    if (!defined $quiet)
    {
        print "\n---------------------------------------------------\n\n";
    }
    if (defined $logfile)
    {
        print LOG "\n---------------------------------------------------\n\n";
    }
}

if (!defined $quiet)
{
    print "Audit Complete\n\n";
}
if (defined $logfile)
{
    print LOG "Audit Complete\n\n";
    close LOG;
}
exit;
```
CAT: cisco-auditing-tool Perl Script Updated File
```perl
#!/usr/bin/perl
#
use lib './lib';
use Getopt::Std;
$|=1;

require './plugins/usage';
require './plugins/brute';
require './plugins/snmp';
require './plugins/ihist';

getopts("h:f:p:w:a:l:iq", \%args);

if(!%args)
{
    usage();
    exit;
}
#if(!defined $args{l}) {
#$logfile = "$args{h}.log";
#} else {
#$logfile = $args{l};
elsif(!defined $args{h} && !defined $args{f})
{
    usage();
    exit;
}

# Target hosts: -f reads a file of hosts, -h names a single host
if(defined $args{f})
{
    @hosts = `cat $args{f}`;
}
else
{
    @hosts = $args{h};
}

# Telnet port, default 23
if(defined $args{p})
{
    $port = $args{p};
}
else
{
    $port = 23;
}

# SNMP community names: -w reads a file, otherwise the two defaults
if(defined $args{w})
{
    @community = `cat $args{w}`;
}
else
{
    @community = ( "public", "private" );
}

# Telnet passwords: -a reads a wordlist, otherwise the built-in defaults
if(defined $args{a})
{
    @wordlist = `cat $args{a}`;
}
else
{
    @wordlist = ( "cisco", "ciscos", "cisco1", "router", "router1", "admin", "Admin" );
}

if(defined $args{i})
{
    $ioshist = 1;
}
if(defined $args{l})
{
    $logfile = $args{l};
    open LOG, ">$logfile";
}
if(defined $args{q})
{
    $quiet = 1;
}

if (!defined $quiet)
{
    print "\nCisco Auditing Tool - g0ne [null0]\n\n";
}
if (defined $logfile)
{
    print LOG "\nCisco Auditing Tool - g0ne [null0]\n\n";
}

foreach(@hosts)
{
    $hostname = $_;
    chomp $hostname;
    if (!defined $quiet)
    {
        print "Checking Host: $hostname\n\n\n";
        print "Guessing passwords: \n\n";
    }
    if (defined $logfile)
    {
        print LOG "Checking Host: $hostname\n\n\n";
        print LOG "Guessing passwords: \n\n";
    }

    # updated brute() returns 1 for a '>' prompt, 2 for a '#' (enable) prompt
    # and 0 when the device asks for the password again (see plugins/brute)
    foreach(@wordlist)
    {
        $password = $_;
        chomp $password;
        $ret = brute($hostname, $port, $password);
        if ($ret eq 1)
        {
            if (!defined $quiet)
            {
                print "Password Found: $password\n";
            }
            if (defined $logfile)
            {
                print LOG "Password Found: $password\n";
            }
        }
        if ($ret eq 2)
        {
            if (!defined $quiet)
            {
                print "Enable Password Found: $password\n";
            }
            if (defined $logfile)
            {
                print LOG "Enable Password Found: $password\n";
            }
        }
        if ($ret eq 0)
        {
            if (!defined $quiet)
            {
                print "Invalid Password: $password\n";
            }
            if (defined $logfile)
            {
                print LOG "Invalid Password: $password\n";
            }
        }
        sleep 2;
    }

    if (!defined $quiet)
    {
        print "\n\nGuessing Community Names: \n\n";
    }
    if (defined $logfile)
    {
        print LOG "\n\nGuessing Community Names: \n\n";
    }
    foreach(@community)
    {
        $community = $_;
        chomp $community;
        $ret = snmp($hostname, $community);
        if ($ret eq 1)
        {
            if (!defined $quiet)
            {
                print "Community Name Found: $community\n";
            }
            # the original file tested a misspelled $logile here and never logged
            if (defined $logfile)
            {
                print LOG "Community Name Found: $community\n";
            }
        }
        else
        {
            if (!defined $quiet)
            {
                print "Invalid Community Name: $community\n";
            }
            if (defined $logfile)
            {
                print LOG "Invalid Community Name: $community\n";
            }
        }
    }

    if (defined $ioshist)
    {
        if (!defined $quiet)
        {
            print "\n\nChecking for IOS History Bug: \n\n";
        }
        if (defined $logfile)
        {
            print LOG "\n\nChecking for IOS History Bug: \n\n";
        }
        ($users, $history) = ihist($hostname, $port);
        if (!defined $quiet)
        {
            print "Users Currently Logged In: \n";
            print $users;
            print "\n\n";
            print "History Log: \n";
            print $history;
            print "\n";
        }
        if (defined $logfile)
        {
            print LOG "Users Currently Logged In: \n";
            print LOG $users;
            print LOG "\n\n";
            print LOG "History Log: \n";
            print LOG $history;
            print LOG "\n";
        }
    }

    if (!defined $quiet)
    {
        print "\n---------------------------------------------------\n\n";
    }
    if (defined $logfile)
    {
        print LOG "\n---------------------------------------------------\n\n";
    }
}

if (!defined $quiet)
{
    print "Audit Complete\n\n";
}
if (defined $logfile)
{
    print LOG "Audit Complete\n\n";
    close LOG;
}
exit;
```
You will notice the new Perl code added from line 126 through line 136 of the CAT file. Also, the original line 126, which is now line 137, has been changed from "else" to "if ($ret eq 0)". The second file that needs to be updated is the ~/cisco-auditing-tool/plugins/brute file; again, the original brute Perl plugin code is shown first, followed by the updated file.
CAT: cisco-auditing-tool brute Plugin Original File

```perl
use Net::Telnet();

sub brute {
    my ($host, $port, $password) = @_;

    # Errmode 'die' means a waitfor() timeout aborts the whole script, which
    # is the "pattern match timed-out at ./plugins/brute" crash shown above.
    my $telnet = new Net::Telnet ( Port    => $port,
                                   Host    => $host,
                                   Timeout => 3,
                                   Errmode => 'die');

    $telnet->waitfor('/password[: ]*$/i');
    $telnet->print($password);

    # Only a '>' (privilege level 1) prompt or another password prompt is
    # expected here; a '#' (enable) prompt matches neither, so waitfor()
    # runs into its 3 second timeout and dies.
    my ($prematch, $match) = $telnet->waitfor(-match => '/>$/i',
                                              -match => '/password[: ]*$/i');
    if ($match =~ />$/i)
    {
        $telnet->close;
        return (1);
    }
    else
    {
        $telnet->close;
        return (0);
    }
}

# A require'd file must end with a true value (the original used a bare
# "print;" for this, which also printed $_).
1;
```
CAT: cisco-auditing-tool brute Plugin Updated File
```perl
use Net::Telnet();

sub brute {
    my ($host, $port, $password) = @_;

    my $telnet = new Net::Telnet ( Port    => $port,
                                   Host    => $host,
                                   Timeout => 3,
                                   Errmode => 'die');

    $telnet->waitfor('/password[: ]*$/i');
    $telnet->print($password);

    # Added '/#$/i' so an enable level prompt is matched instead of timing out
    my ($prematch, $match) = $telnet->waitfor(-match => '/>$/i',
                                              -match => '/#$/i',
                                              -match => '/Password[: ]*$/i');
    if ($match =~ />$/i)
    {
        $telnet->close;
        return (1);     # privilege level 1 prompt: "Password Found"
    }
    if ($match =~ /#$/i)
    {
        $telnet->close;
        return (2);     # enable (privilege level 2+) prompt: "Enable Password Found"
    }
    else
    {
        $telnet->close;
        return (0);     # password prompt again: "Invalid Password"
    }
}

# A require'd file must end with a true value (the original used a bare
# "print;" for this, which also printed $_).
1;
```
In the brute plugin file you will notice the addition of Perl code on line 16 as well as on lines 24 through 28. I will describe the new output in more detail in an upcoming article about using the CAT or cisco-auditing-tool Perl script to audit Cisco devices.
The updated code simply adds a second success response for when a Cisco enable password, or Cisco privileged account, is located. The original developer "g0ne [null0]" didn't leave an email address in the script, so unfortunately I could not contact him with the update. If anyone knows how to get hold of "g0ne [null0]", let me know or have him contact me through this site. As always his work is appreciated, because even though the cisco-auditing-tool Perl script is fairly dated and simple, it accomplishes a couple of tasks that are easy to run into during a penetration test.
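The prompt-matching logic behind the fix, as an added example that is not part of CAT or the brute plugin: it applies the plugin's three patterns to a device reply and maps them to the same 0/1/2 return codes, but gives a reply that matches no prompt its own code instead of dying the way the original plugin did on a timeout. The sample replies are constructed for the example, not captured from a device.

```python
import re

# Prompt patterns from the brute plugin: a trailing '>' is the privilege level 1
# prompt, a trailing '#' is the enable (privilege level 2-15) prompt, and a
# repeated 'Password:' prompt means the device rejected the password.
USER_PROMPT = re.compile(r'>$')
ENABLE_PROMPT = re.compile(r'#$')
PASSWORD_PROMPT = re.compile(r'password[: ]*$', re.IGNORECASE)

# Return codes as CAT uses them, plus one the plugin lacks for "no prompt
# recognised" (the situation where the original plugin died on a timeout).
RESULT_INVALID, RESULT_USER, RESULT_ENABLE, RESULT_UNKNOWN = 0, 1, 2, -1


def last_line(response):
    """Last non-empty line of what the device sent back after the password."""
    lines = [ln for ln in response.replace('\r', '').split('\n') if ln.strip()]
    return lines[-1] if lines else ''


def classify_login_response(response):
    """Map the device reply to CAT's return code, checked in the plugin's order."""
    line = last_line(response)
    if USER_PROMPT.search(line):
        return RESULT_USER
    if ENABLE_PROMPT.search(line):
        return RESULT_ENABLE
    if PASSWORD_PROMPT.search(line):
        return RESULT_INVALID
    return RESULT_UNKNOWN


def report_line(code, password):
    """The line CAT prints for each result; RESULT_UNKNOWN gets its own message."""
    labels = {RESULT_USER: 'Password Found', RESULT_ENABLE: 'Enable Password Found',
              RESULT_INVALID: 'Invalid Password'}
    if code in labels:
        return f'{labels[code]}: {password}'
    return f'No recognised prompt after: {password} (original plugin would have died here)'


if __name__ == '__main__':
    # Constructed sample replies (hypothetical hostname "Router"), not real captures.
    samples = [
        ('cisco', '\r\nPassword: '),
        ('router1', '\r\nRouter>'),
        ('admin', '\r\nRouter#'),
        ('Admin', '\r\n% Bad passwords\r\n'),
    ]
    for password, reply in samples:
        print(report_line(classify_login_response(reply), password))
```

Because the check is on the trailing character, a config-mode prompt such as "Router(config)#" also classifies as enable level, which is what the plugin's '/#$/i' pattern does too.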
Hi! I have tried your code, but now the tool doesn't work; it only shows the options header when I run it, but does not execute anymore... any ideas? Thanks!
The code posted omits the '\' (slash); if you put the slashes in, you've got it.
This article is poorly written, I'm getting errors on your code as well. I give up.