The cisco-ocs application available in the Backtrack menu ( Backtrack > Vulnerability Assessment > Network Assessment > Cisco Tools ) is also known as cisco-ocs Mass Scanner. This tool provides a single function which is to scan large ranges of IP’s looking for Cisco devices or really any device listening on TCP port 23, attempts to login using telnet with a password of cisco, then passes the enable command to the Cisco router if its able to login via telnet, uses cisco again for the enable password, and finally reports a success if its able to get to the enable prompt using these exact steps. Unfortunately this is the only function of the tool as you cannot specify a wordlist of passwords to attempt or for that matter you cannot set anything accept for the range of IP addresses to scan. Below we should a couple examples of the Cisco-OCS Mass Scanner working on Backtrack 5 R3.
cisco-auditing-tool – Backtrack 5 – Vulnerability Assessment – Network Assessment – Cisco Tools – cisco-auditing-tool
The cisco-auditing-tool located in the Backtrack menu ( Backtrack > Vulnerability Assessment > Network Assessment > Cisco Tools ) is written in Perl and accomplishes three tasks which include attempting to brute force the telnet password on a Cisco device if telnet is running, attempting to show the iOS history on the Cisco device using a vulnerability which I believe is from the late 90’s, and attempting to brute force the SNMP community strings for the device. The tool is fairly outdated as most Cisco devices in corporate networks should now be using SSH and it would seem surprising unless you are doing an internal audit if SNMP was exposed for any Cisco devices still in service. That being said there is definitely still value if you have a ton of Cisco devices to audit you can feed a list of IP’s or hostnames into the script and check basic SNMP community strings and telnet passwords.
I remember being so happy about 0trace when I started to write some Backtrack related articles because even though 0trace is fairly simple it is really useful to locate the full path to devices you are investigating. In the article below I will explain the necessary 0trace input from the command line, what needs to be done to complete a successful trace to a target using 0trace, and provide some example of devices in front of and behind a firewall blocking ICMP or traceroute requests.
While assisting a client troubleshooting some issues with their APC Smart-UPS 3000 RM I was unable to login to the web interface to grab information from the logs. When attempting to login via the web interface I received a message stating that someone else is currently logged in as shown in the below example image.
The other day while configuring a Asus RT-N16 wireless router we had installed DD-WRT software on I decided to turn off HTTP access to the web admin interface. After making this change I got pulled away to test something else and never tested it so I was surprised when I attempted to login today and I was unable to login to the DD-WRT web interface using HTTP or HTTPS. Turns out something was not allowing HTTPS to start and since I had disabled HTTP the wireless router was no longer listening on port 80 or port 443. Below is information on how to start Apache after logging into a wireless router running DD-WRT either via SSH or via telnet.