Wednesday, March 18, 2015

How to Download an IOS configuration with NMAP's snmp-ios-config Script

If a Cisco switch or router running IOS has an RW community string, you can run the NMAP snmp-ios-config script to pull down the configuration. In this example the switch is at 192.168.10.100 and has an RW community string of private.

nmap -sU -p 161 --script snmp-ios-config --script-args snmpcommunity=private 192.168.10.100

Update June 29, 2017

nmap 7.40 and above has been updated to use a standard SNMP library for all SNMP-based scripts. This changes the script-args as follows:

nmap -sU -p 161 --script snmp-ios-config --script-args creds.snmp=private 192.168.10.100

You should upgrade to nmap 7.50 as it includes a lot of new scripts and bug fixes.

Starting Nmap 6.47 ( http://nmap.org ) at 2015-03-03 15:23 Pacific Standard Time
Nmap scan report for 192.168.10.100
Host is up (0.0031s latency).
PORT    STATE SERVICE
161/udp open  snmp
| snmp-ios-config:
| !
| ! Last configuration change at 15:21:28 PST Tue Mar 3 2015 by mhubbard
| ! NVRAM config last updated at 15:21:31 PST Tue Mar 3 2015 by mhubbard
| !
| version 15.0
| no service pad
| service tcp-keepalives-in
| service tcp-keepalives-out
| service timestamps debug datetime msec localtime show-timezone
| service timestamps log datetime msec localtime show-timezone
| service password-encryption
| service sequence-numbers
| !
| hostname ACME_Test
| !
| boot-start-marker
| boot-end-marker
| !
| !
| username Test privilege 15 password 7 0037312531682F2506324F41
| username cisco privilege 15 secret 5 $1$CxMS$kdjNOfZxN6qcqqCWBDEvQ1

Snipped

This example should be enough to convince you not to use private as an RW string, and to use ACLs to limit logical access to your network devices!

In our example the SNMP monitoring stations are at 192.168.10.200 and .201. To add access lists:

ACME_Test(config)# access-list 99 permit 192.168.10.200
ACME_Test(config)# access-list 99 permit 192.168.10.201
ACME_Test(config)# snmp-server community public ro 99

Troubleshooting


I have found this script to be very reliable, but I have run into two things that caused it to fail.

You cannot have a TFTP server running on the machine you are running the script from, because the script has a TFTP server built in. On Windows you will get the following error: "NSOCK ERROR [9.3070s] mksock_bind_addr(): Bind to 0.0.0.0:69 failed (IOD #2): An attempt was made to access a socket in a way forbidden by its access permissions.  (10013)".

A community string that is, for lack of a better word, invalid. What does that mean? I could not get the script to work during a new deployment. I ran Wireshark and saw that the script sent the SNMP SET but the switch didn't answer. I checked the access list on the SNMP config, made sure there wasn't a TFTP server running, checked the firewall, etc. Finally I ran "show snmp community" and to my surprise the RW string wasn't bound to any interfaces!

On this switch I am using vlan18 as the management vlan. You can see that the RW string isn't listed with an interface. I changed the RW string and ran the show command again. This time the RW string had vlan18 and the access-list and the script worked.

These aren't the actual strings I was using. The real strings had a lot of special characters and mixed caps.

ACME_Test#sh run | sec snmp
snmp-server community SuperSecret RW 25
snmp-server community BigSecret RO 20
snmp-server trap-source Vlan18


ACME_Test#sh snmp com
Community name: SuperSecret
Community Index: SuperSecret
Community SecurityName: SuperSecret
storage-type: nonvolatile        active

Community name: BigSecret
Community Index: BigSecret
Community SecurityName: BigSecret
storage-type: nonvolatile        active access-list: 20

Community name: BigSecret@18
Community Index: BigSecret@18
Community SecurityName: BigSecret
storage-type: read-only  active access-list: 20



Monday, March 16, 2015

Discovering SSH Host Keys with NMAP

As network engineers we use SSH daily (hopefully SSH and not telnet!), and with all the uproar over duplicate SSH keys lately I thought it would be a good time to do a blog about NMAP's SSH Host-Key script. Last month, John Matherly, founder of Shodan, published this blog:
If you aren't familiar with www.shodan.com, it's a search engine for Internet-connected devices. There is a monthly fee, but if you are interested in hacking it's well worth the cost.

Digital Ocean is a Cloud Hosting Provider that sells "Droplets". You spin up a droplet using their control panel ($5 per month for 512MB RAM, 20GB SSD and a TB of bandwidth!). Ubuntu is a very popular OS for a droplet and they have instructions explaining how duplicate SSH keys can be accidentally created. Here are their instructions - Avoid Duplicate SSH Host Keys. Well worth reading if you run any version of Linux and enable SSH. You can use lasdigital (Linux Action Show) as a code to get two months of hosting for free.

Background

The script returns the SSH Host key of the target. There are some script arguments depending on whether you want to see the fingerprint or the full key. With no options the script returns the Fingerprint. This is a quick way to verify that the device has a key created and to see the fingerprint if you are looking for duplicates.

I have used the script when I get a “Connection Refused” message when connecting to a network device that should have SSH running. If SSH is enabled but you get a connection refused message the device may not have a host key installed. 

Let’s check the keys!

In this example I configured SSH on a Cisco 3750 switch. I kicked off "crypto key generate rsa usage-keys mod 1024" and immediately ran the script. I was lucky enough to catch it right before it created the keys:

nmap --script ssh-hostkey 192.168.10.50
Starting Nmap 6.47 ( http://nmap.org ) at 2015-03-14 20:22 Pacific Daylight Time
Nmap scan report for 192.168.10.50
Host is up (0.053s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
|_ssh-hostkey:
23/tcp  open  telnet
443/tcp open  https
MAC Address: 00:1B:90:9F:FF:C0 (Cisco Systems)

When the keys finished I re-ran the script with no options to get the fingerprint:

nmap --script ssh-hostkey 192.168.10.50
Starting Nmap 6.47 ( http://nmap.org ) at 2015-03-14 20:24 Pacific Daylight Time
Nmap scan report for 192.168.10.50
Host is up (0.047s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
| ssh-hostkey:
|_  1024 5b:b1:f3:00:b9:09:4a:04:75:10:ce:f5:11:e7:48:73 (RSA)
23/tcp  open  telnet
443/tcp open  https
MAC Address: 00:1B:90:9F:FF:C0 (Cisco Systems) 


A Quick Policy Assessment

You arrive at a customer site and are asked to log into the switches/routers and make sure that they meet the corporate security policy:
SSH key length at least 1024 bits
telnet disabled
HTTP disabled

You complete the assignment almost before the customer finishes describing it to you!

root@YHS-kali:~# nmap --script ssh-hostkey 10.99.16.231-254
Starting Nmap 6.47 ( http://nmap.org ) at 2015-03-17 13:50 PDT

Nmap scan report for 10.99.16.240
Host is up (0.0043s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE
23/tcp open  telnet
80/tcp open  http

Nmap scan report for 10.99.16.241
Host is up (0.0044s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE
23/tcp open  telnet
80/tcp open  http

Nmap scan report for 10.99.16.249
Host is up (0.0053s latency).
Not shown: 998 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
| ssh-hostkey:
|_  1024 6a:7a:5f:54:ba:ce:ce:1e:7a:2c:4e:d3:65:fb:51:bf (RSA)
443/tcp open  https

Nmap scan report for 10.99.16.250
Host is up (0.0076s latency).
Not shown: 998 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
| ssh-hostkey:
|_  1024 b5:75:9d:d4:0b:f2:29:97:d1:ce:c4:2f:13:aa:c7:c7 (RSA)
443/tcp open  https

Nmap scan report for 10.99.16.252
Host is up (0.0060s latency).
Not shown: 998 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
| ssh-hostkey:
|_  1024 08:62:de:73:1a:b6:66:cc:9b:62:f5:86:64:a7:68:a3 (RSA)
443/tcp open  https

Nmap scan report for 10.99.16.253
Host is up (0.0033s latency).
Not shown: 998 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
| ssh-hostkey:
|_  1024 c9:3a:9c:0f:79:7f:62:73:dd:3d:dd:16:c3:85:08:4c (RSA)
443/tcp open  https

Nmap scan report for 10.99.16.254
Host is up (0.0025s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
| ssh-hostkey:
|_  1024 07:f1:5d:51:1d:93:96:ae:72:96:e0:fd:95:2f:b9:b6 (RSA)
23/tcp  open  telnet
443/tcp open  https


Grabbing the banner from the services running on the device

NMAP also comes with a Banner Grab script. This one is handy if you are verifying that none of your devices are running SSH V1. Remember, NMAP can scan a range of IP addresses, not just one host!

nmap --script banner 192.168.10.50
Starting Nmap 6.47 ( http://nmap.org ) at 2015-03-14 21:19 Pacific Daylight Time
Nmap scan report for 192.168.10.50
Host is up (0.036s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
|_banner: SSH-2.0-Cisco-1.25
23/tcp  open  telnet
|_banner: \xFF\xFB\x01\xFF\xFB\x03\xFF\xFD\x18\xFF\xFD\x1F
443/tcp open  https
MAC Address: 00:1B:90:9F:FF:C0 (Cisco Systems)

Nmap done: 1 IP address (1 host up) scanned in 70.09 seconds


The "Full" script argument

This time the script was run against my SonicWall firewall:
sudo nmap --script ssh-hostkey --script-args ssh_hostkey=full 192.168.10.254

Starting Nmap 6.40 ( http://nmap.org ) at 2015-03-14 19:09 PDT
Nmap scan report for 192.168.10.254
Host is up (0.0051s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
|_ssh-hostkey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDSypZN2N3s3ACk+yOF72YCB4mmHcvF/kIjLuoJz2C991orznolsbBWIdKWcGjcil6mvIT5nj93miiaLMrS746Y9r7GBvrzV2xiNSYsK1Gs61sWn13tyTFbDaUeHK5SW2DYFbXDKHHtiVkTlXtc4bVPrvNpSmgmbCsD2Wo+ZZdlzQ==
80/tcp open http
443/tcp open https
MAC Address: 00:17:C5:67:BE:CC (SonicWALL)
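The policy assessment above was done by eye over a handful of hosts. The following is an added example, not code from the post or from nmap, that does it programmatically over the plain-text report of a range scan in either output form: the default fingerprint lines, or the ssh_hostkey=full lines, which it decodes (RFC 4253 key blob) to recover the algorithm and modulus size and reduces to the same MD5 colon fingerprint nmap 6.x prints, so the two forms can be compared. Each host is then scored against the three policy items plus a fourth, duplicate host keys across devices. The scan text is constructed from the post's own output with two changes for illustration (10.99.16.241 has SSH open but no key yet, and 10.99.16.250 is given the same key as 10.99.16.249); the full key is the SonicWall key shown above.

```python
import base64
import hashlib
import re
import struct

MIN_BITS = 1024  # policy: host key modulus at least this many bits

# The SonicWall key from the post (ssh_hostkey=full output), wrapped here.
SONICWALL_KEY = ("AAAAB3NzaC1yc2EAAAADAQABAAAAgQDSypZN2N3s3ACk+yOF72YCB4mmHcvF/kIj"
                 "LuoJz2C991orznolsbBWIdKWcGjcil6mvIT5nj93miiaLMrS746Y9r7GBvrzV2xi"
                 "NSYsK1Gs61sWn13tyTFbDaUeHK5SW2DYFbXDKHHtiVkTlXtc4bVPrvNpSmgmbCsD"
                 "2Wo+ZZdlzQ==")

# Constructed scan text modelled on the post's range scan (see lead-in).
SAMPLE_SCAN = f"""Nmap scan report for 10.99.16.240
23/tcp open  telnet
80/tcp open  http

Nmap scan report for 10.99.16.241
22/tcp  open  ssh
|_ssh-hostkey:

Nmap scan report for 10.99.16.249
22/tcp  open  ssh
| ssh-hostkey:
|_  1024 6a:7a:5f:54:ba:ce:ce:1e:7a:2c:4e:d3:65:fb:51:bf (RSA)

Nmap scan report for 10.99.16.250
22/tcp  open  ssh
| ssh-hostkey:
|_  1024 6a:7a:5f:54:ba:ce:ce:1e:7a:2c:4e:d3:65:fb:51:bf (RSA)

Nmap scan report for 10.99.16.254
22/tcp  open  ssh
|_ssh-hostkey: ssh-rsa {SONICWALL_KEY}
23/tcp  open  telnet
443/tcp open  https
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(?:tcp|udp)\s+(\S+)\s+\S+")
FP_RE = re.compile(r"^\|_?\s+(\d+)\s+([0-9a-f:]+)\s+\((\w+)\)")
FULL_RE = re.compile(r"^\|_?ssh-hostkey:\s+(\S+)\s+([A-Za-z0-9+/=]+)")


def parse_ssh_public_key(b64):
    """Decode an RFC 4253 public key blob; return (short type, size in bits)."""
    blob = base64.b64decode(b64)
    fields, off = [], 0
    while off < len(blob):                      # each field: uint32 length + bytes
        (n,) = struct.unpack(">I", blob[off:off + 4])
        fields.append(blob[off + 4:off + 4 + n])
        off += 4 + n
    ktype = fields[0].decode()
    if ktype == "ssh-rsa":                      # fields: type, e, n
        return "RSA", int.from_bytes(fields[2], "big").bit_length()
    if ktype == "ssh-dss":                      # fields: type, p, q, g, y
        return "DSA", int.from_bytes(fields[1], "big").bit_length()
    if ktype.startswith("ecdsa-sha2-nistp"):    # curve name carries the size
        return "ECDSA", int(ktype[len("ecdsa-sha2-nistp"):])
    if ktype == "ssh-ed25519":
        return "ED25519", 256
    return ktype, 0                             # unknown algorithm: not scored


def md5_fingerprint(b64):
    """MD5 colon fingerprint of the key blob, the form nmap 6.x prints."""
    digest = hashlib.md5(base64.b64decode(b64)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def parse_scan(text):
    """Return {ip: {"open": {ports}, "keys": [(type, bits, fingerprint)]}}."""
    hosts, cur = {}, None
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            cur = hosts.setdefault(m.group(1), {"open": set(), "keys": []})
        elif cur is None:
            continue
        elif (m := PORT_RE.match(line)) and m.group(2) == "open":
            cur["open"].add(int(m.group(1)))
        elif m := FP_RE.match(line):
            cur["keys"].append((m.group(3).upper(), int(m.group(1)), m.group(2)))
        elif m := FULL_RE.match(line):
            ktype, bits = parse_ssh_public_key(m.group(2))
            cur["keys"].append((ktype, bits, md5_fingerprint(m.group(2))))
    return hosts


def assess(hosts, min_bits=MIN_BITS):
    """Return {ip: [policy findings]}; an empty list means the host passes."""
    findings, seen = {}, {}                     # seen: fingerprint -> first host
    for ip, h in hosts.items():
        f = []
        if 23 in h["open"]:
            f.append("telnet enabled")
        if 80 in h["open"]:
            f.append("http enabled")
        if 22 in h["open"] and not h["keys"]:
            f.append("ssh open but no host key")
        for ktype, bits, fp in h["keys"]:
            if bits < min_bits:
                f.append(f"{ktype} key only {bits} bits")
            if fp in seen and seen[fp] != ip:
                f.append(f"duplicate {ktype} key also on {seen[fp]}")
            seen.setdefault(fp, ip)
        findings[ip] = f
    return findings
```

Feed it the saved output of "nmap --script ssh-hostkey <range>" (or the full form) with parse_scan and print assess() per host; the duplicate check is what turns the fingerprint list into an answer to the question the post opens with.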

Configuring SSH on Recent Versions of Cisco IOS

It only takes a few steps to set up SSH on an IOS device. You should add it to your standard build script! Note: the Cisco IOS image used must be a k9 (crypto) image in order to support SSH.

Switch(config)#ip ssh version 2
Switch(config)#ip domain-name hubbardonnetworking.com
Switch(config)#crypto key generate rsa usage-keys modulus 1024
The name for the keys will be: Switch.example.com

% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 1 seconds)
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 1 seconds)
exit

#sh ip ssh
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded):
ssh-rsa



Sunday, March 15, 2015

Troubleshooting DHCP with the NMAP Broadcast-DHCP-Discover script

The NMAP DHCP Broadcast script sends a DHCP Discover request to the broadcast address (255.255.255.255) and returns the results. It can be very useful for troubleshooting DHCP issues.

The NMAP man page for the script is here - broadcast-dhcp-discover. In these examples I am running the script on a Linux box but NMAP works on Windows/Linux/Mac.

Does the Switch have the DHCP service running?


I set up a new (recycled from another site) core switch and DHCP wasn't working. I double checked the "ip helper-address" on the switch, pinged the DHCP server from the switch using the DHCP server as the destination and the Vlan interface IP as the source, and it worked.

I gave a client a static IP address and could ping the DHCP server. Wireshark showed that the client was sending a DHCP Discover but not getting an answer. So I ran nmap in broadcast discover mode:

C:\Windows\System32>nmap -sU -p67 --script broadcast-dhcp-discover

Starting Nmap 6.47 ( http://nmap.org ) at 2016-05-15 22:26 Pacific Daylight Time
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 11.20 seconds

That was the expected result since DHCP was working. Next I ran nmap with directed discover mode which uses unicast instead of a broadcast:
C:\Windows\System32>nmap -sU -p67 --script dhcp-discover 10.46.1.53

Starting Nmap 6.47 ( http://nmap.org ) at 2016-05-15 22:27 Pacific Daylight Time
Nmap scan report for 10.46.1.53
Host is up (0.00s latency).
PORT   STATE SERVICE
67/udp open  dhcps
| dhcp-discover:
|   DHCP Message Type: DHCPACK
|   Server Identifier: 10.46.1.53
|   Subnet Mask: 255.255.255.0
|   Vendor Specific Information: \xDC\x03NAP
|   Router: 10.40.109.1
|   Domain Name Server: 192.168.10.221
|_  Domain Name: pu.pri

So the Layer 3 networking was correct; it looked like the relay wasn't working. I wasn't able to put Wireshark on the customer's server so I couldn't verify that the DHCP Discover was getting to the server. I double checked the ip helper-address again to make sure that I hadn't fat-fingered it, and it was correct.

Next I ran:
sh run all | i service dhc
no service dhcp


Turns out the switch had the DHCP service disabled since it wasn't needed in the last deployment and Cisco best practice says to disable unused services.


Decommissioning a DHCP server


I have found this script to be useful when decommissioning a DHCP server and bringing up a new one. You can run a scan before and after the change and compare the scope options that are returned.

I was moving DHCP from a Cisco router to a Windows server recently. The customer set up the Windows server and I shut down the DHCP server on the router. But when we rebooted, a couple of clients got an address from another site!

I assigned the switch port that I was connected to the correct vlan, assigned a static IP and ran the script. It found the server and the scope options were wrong. It turned out to be a problem with the server that required a reboot. But the script was useful because it quickly showed that the correct server was replying with incorrect scope options.

Is there a Rogue DHCP server on the network?


In my lab I set up two DHCP servers to simulate a rogue DHCP server. I had Wireshark running during the test to see what the script was doing. Unfortunately, even though each server sent back an offer, the script terminated on the first one. I was able to run the script two times in a row and it did find the second server but it was hit or miss.

Then I opened a second terminal session, hit Enter on the first one then immediately hit Enter on the second. That seemed pretty reliable for finding both DHCP servers.

Is the DHCP Scope out of Addresses to Assign?


Another use case is to see whether a server is offering a DHCP address. I have been troubleshooting wireless issues lately where the problem wasn't wireless but a depletion of IP addresses in the DHCP scope.

I typically don't have a login to the customer's Windows Server, but I do have access to the switches. To use the script in this situation you will need to connect to a port with an Ethernet cable and set the port to the correct vlan.

In this example I ran the script with a Windows Server that had an available IP address in the scope:

root@kali:~# nmap -sU -p67 --script broadcast-dhcp-discover
Starting Nmap 6.47 ( http://nmap.org ) at 2015-03-15 17:25 PDT
Pre-scan script results:
| broadcast-dhcp-discover:
|   IP Offered: 192.168.10.200
|   DHCP Message Type: DHCPOFFER
|   Subnet Mask: 255.255.255.0
|   Renewal Time Value: 0 days, 0:30:00
|   Rebinding Time Value: 0 days, 0:52:30
|   IP Address Lease Time: 0 days, 1:00:00
|   Server Identifier: 192.168.10.221
|   Router: 192.168.10.254
|   Domain Name Server: 127.0.0.1, 8.8.8.8, 208.67.222.222, 208.67.220.220
|_  Domain Name: pu.pri
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 0.22 seconds

In this example the Windows server doesn't have an available address in the scope:

root@kali:~# nmap -sU -p67 --script broadcast-dhcp-discover
Starting Nmap 6.47 ( http://nmap.org ) at 2015-03-15 20:35 PDT
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 10.27 seconds

No IP address was offered. But is it a wireless or a DHCP issue? Next we will run the NMAP DHCP-Discover script. This script doesn't use a DHCP Discover in a broadcast, it sends a DHCPINFORM in a unicast. Here are the results right after the broadcast script failed:

root@kali:~# nmap -sU -p67 --script dhcp-discover 192.168.10.221
Starting Nmap 6.47 ( http://nmap.org ) at 2015-03-15 21:40 PDT
Nmap scan report for 192.168.10.221
Host is up (0.00048s latency).
PORT   STATE SERVICE
67/udp open  dhcps
| dhcp-discover:
|   DHCP Message Type: DHCPACK
|   Server Identifier: 192.168.10.221
|   Subnet Mask: 255.255.255.0
|   Vendor Specific Information: \xDC\x03NAP
|   Router: 192.168.10.254
|   Domain Name Server: 127.0.0.1, 8.8.8.8, 208.67.222.222
|_  Domain Name: pu.pri
MAC Address: 00:0C:29:2C:23:E0 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.61 seconds

So the DHCP server is up but no addresses are being offered. The NMAP man page for the script is here - dhcp-discover.
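The three uses above (comparing scope options before and after a server move, spotting an offer from a server that should not exist, and telling "no offer" apart from "server up but nothing offered") all start from the same step: turning the script's text output into a list of offers. The following is an added example, not code from the post or from nmap, that parses broadcast-dhcp-discover / dhcp-discover output into one dictionary per response and compares a "before" scan with an "after" scan against a list of sanctioned server identifiers. The "after" scan is the Windows server offer printed above; the "before" (router) scan and the two-server scan are constructed, and the "Response N of M:" lines in the latter assume the multi-response layout of newer nmap versions, which the 6.47 output on this page does not show.

```python
import re

# Constructed "before" scan: the Cisco router's offer, modelled on the post.
BEFORE_SCAN = r"""
Pre-scan script results:
| broadcast-dhcp-discover:
|   IP Offered: 192.168.10.150
|   DHCP Message Type: DHCPOFFER
|   Subnet Mask: 255.255.255.0
|   IP Address Lease Time: 1 days, 0:00:00
|   Server Identifier: 192.168.10.254
|   Router: 192.168.10.254
|   Domain Name Server: 8.8.8.8, 208.67.222.222
|_  Domain Name: pu.pri
WARNING: No targets were specified, so 0 hosts scanned.
"""

# "After" scan: the Windows server's offer as printed in the post.
AFTER_SCAN = r"""
Pre-scan script results:
| broadcast-dhcp-discover:
|   IP Offered: 192.168.10.200
|   DHCP Message Type: DHCPOFFER
|   Subnet Mask: 255.255.255.0
|   Renewal Time Value: 0 days, 0:30:00
|   Rebinding Time Value: 0 days, 0:52:30
|   IP Address Lease Time: 0 days, 1:00:00
|   Server Identifier: 192.168.10.221
|   Router: 192.168.10.254
|   Domain Name Server: 127.0.0.1, 8.8.8.8, 208.67.222.222, 208.67.220.220
|_  Domain Name: pu.pri
WARNING: No targets were specified, so 0 hosts scanned.
"""

# Constructed: two servers answered ("Response N of M" layout assumed),
# the second from an address that is not a sanctioned DHCP server.
ROGUE_SCAN = r"""
| broadcast-dhcp-discover:
|   Response 1 of 2:
|     IP Offered: 192.168.10.200
|     Server Identifier: 192.168.10.221
|     Router: 192.168.10.254
|   Response 2 of 2:
|     IP Offered: 192.168.1.100
|     Server Identifier: 192.168.10.99
|_    Router: 192.168.10.99
"""

# No offer at all, as in the exhausted-scope run in the post.
EMPTY_SCAN = r"""
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 10.27 seconds
"""

SCRIPT_RE = re.compile(r"^\|_?\s*(?:broadcast-)?dhcp-discover:")
RESPONSE_RE = re.compile(r"^\|\s+Response \d+ of \d+:")
OPTION_RE = re.compile(r"^\|[_ ]\s+([A-Za-z][A-Za-z ]*?):\s*(.*)$")

IGNORE = {"IP Offered"}   # changes with every lease; not a scope option


def parse_offers(text):
    """Return one {option name: value} dict per DHCP response in the output."""
    offers, cur = [], None
    for line in text.splitlines():
        if SCRIPT_RE.match(line) or RESPONSE_RE.match(line):
            cur = {}                      # a new response starts here
            offers.append(cur)
        elif cur is not None and (m := OPTION_RE.match(line)):
            cur[m.group(1)] = m.group(2).strip()
    return [o for o in offers if o]       # drop the empty script-header record


def check_offers(before, after, expected_servers):
    """Findings from an after-scan, compared with a before-scan and an allowlist."""
    if not after:
        return ["no DHCPOFFER received: scope exhausted, relay or service down"]
    findings = []
    for o in after:                       # every responder must be sanctioned
        sid = o.get("Server Identifier")
        if sid not in expected_servers:
            findings.append(f"offer from unexpected server {sid}")
    ref, new = (before[0] if before else {}), after[0]
    for key in sorted((set(ref) | set(new)) - IGNORE):
        if ref.get(key) != new.get(key):  # scope option changed or went missing
            findings.append(f"{key}: {ref.get(key)} -> {new.get(key)}")
    return findings


if __name__ == "__main__":
    known = {"192.168.10.221"}
    for f in check_offers(parse_offers(BEFORE_SCAN), parse_offers(AFTER_SCAN), known):
        print(f)
```

Run the broadcast script before the change, save the output, run it again afterwards and pass both through check_offers: the DNS list and lease time differences show up as explicit lines, a second responder outside the allowlist is named, and an empty result is reported as such rather than silently passing.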



Wednesday, March 4, 2015

Brute Forcing SNMP with NMAP

Have you ever been on site and no one could remember the password for a network device you needed to log into? Using NMAP and a pre-built text file it may be possible to quickly pull down the configuration of the device.

Once you have the configuration you may find the password in plain text. If not you can use my blog on "Decrypting Cisco type 5 passwords" to recover the password.

A lot of network devices have an SNMP Read/Write (RW) string configured. If they do NMAP has a script to pull down the configuration. But what if you don't know the RW community string? Luckily "private" is the default for a lot of devices and NMAP has a script for that!

To get started, create a file with your guesses. I usually start with just private in the file. If that doesn't work then I paste in my list of guesses. There are a lot of password lists on the Internet but I haven't found any snmp lists. What I have done is created a list based on all the switch/router configs that I have in my possession. If the script finds a community string it prints it out with the words "Valid Credentials". A note here, the script will return "Valid Credentials" whether it finds a RW community string or a Read Only (RO) string. The script used to pull down the configuration ONLY works with the RW string.

As always, DO NOT use this on a switch you don't own or have explicit written permission to work on. This script was run against a Cisco switch in my test lab. It wasn't connected to anything except my laptop.

Let's get started! Run this script and hopefully find a valid RW community string.

nmap -sU --script snmp-brute 192.168.10.100 --script-args snmp-brute.communitiesdb=c:\tftp-root\snmp-string.txt

Starting Nmap 6.47 ( http://nmap.org ) at 2015-03-03 15:50 Pacific Standard Time
Stats: 0:13:44 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan
UDP Scan Timing: About 86.13% done; ETC: 16:06 (0:01:52 remaining)
Stats: 0:13:45 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan
UDP Scan Timing: About 86.22% done; ETC: 16:06 (0:01:52 remaining)
Nmap scan report for 192.168.10.100
Host is up (0.0057s latency).
Not shown: 996 closed ports
PORT    STATE         SERVICE
67/udp  open|filtered dhcps
123/udp open          ntp
161/udp open          snmp
| snmp-brute:
|   private - Valid credentials
|_  public - Valid credentials
162/udp open|filtered snmptrap

In this case private was being used as an RW community string. Now that we have the RW community string we can run the script that pulls down the configuration. On this switch there is a type 7 password! In that case just hit the iOS App Store or Google Play and grab a "Cisco Type 7" app. It will recover the password in a split second without a word list.

nmap -sU -p 161 --script snmp-ios-config --script-args snmpcommunity=private 192.168.10.100

Starting Nmap 6.47 ( http://nmap.org ) at 2015-03-03 15:23 Pacific Standard Time
Nmap scan report for 192.168.10.100
Host is up (0.0031s latency).
PORT    STATE SERVICE
161/udp open  snmp
| snmp-ios-config:
| !
| ! Last configuration change at 15:21:28 PST Tue Mar 3 2015 by mhubbard
| ! NVRAM config last updated at 15:21:31 PST Tue Mar 3 2015 by mhubbard
| !
| version 15.0
| no service pad
| service tcp-keepalives-in
| service tcp-keepalives-out
| service timestamps debug datetime msec localtime show-timezone
| service timestamps log datetime msec localtime show-timezone
| service password-encryption
| service sequence-numbers
| !
| hostname ACME_Test
| !
| boot-start-marker
| boot-end-marker
| !
| !
| username Test privilege 15 password 7 0037312531682F2506324F41
| username cisco privilege 15 secret 5 $1$CxMS$kdjNOfZxN6qcqqCWBDEvQ1

Snipped