With request from my one fren to make the script more user frendly
I have created version 2 of the script which can be downloaded from http://neo1981.googlepages.com/ciscoPassChkv2.py
Well Here is some Spoon Feeding and brief documentation as Requested by my fren.
This script is checked on windows xp with python version 2.5. Though it should run with python 2.3 and 2.4 also.
You can download python for windows or linux machine from this page http://python.org/download/
On Linux system you can execute the script by using commnd
# python ciscoPassChkv2.py
On windows you can execute script by using command
C:\>c:\Python25\python.exe ciscoPassChkv2.py
Where C:\Python25\ is the directory where you have installed python 2.5
By default the script will ask you IP address of the router to be checked for default login.
If you want multiple routers checked at one go, put the IP addresses of the routers one IP in single line in a file and save
it as iplist.txt
Keep iplist.txt in the same folder as the python script and run python script. The script will read IP addresses from the file and check
those routers for default passwords.
Friday, June 5, 2009
Friday, May 22, 2009
python script to find cisco routers with default password
While I was doing my work (No options...have to do some to earn) in recent days
I was busy auding lots of cisco routers. As hacker mind I just went ahead hacking my way in to nearly all routers getting full access. But when I had completed my work I suddenly remember that some of the routers used default passwords and others I had extracted password from config of already accessed routers. But I just didnt remember for which routers I found using default password. As usual the programmer in me wake up (My colleague said he would check out manualy in 1 hour) I said I would better use half hour to write a script to find out those. This script will be use full in finding out routers with default password in future also.
So I did write a python script (you must be knowing by now python is my fav language) to check out routers with default passwords.
This script is still in its early stages. So looking forward for some good or bad feedbacks.
You can find script at
http://neo1981.googlepages.com/ciscoPassChk.py
I was busy auding lots of cisco routers. As hacker mind I just went ahead hacking my way in to nearly all routers getting full access. But when I had completed my work I suddenly remember that some of the routers used default passwords and others I had extracted password from config of already accessed routers. But I just didnt remember for which routers I found using default password. As usual the programmer in me wake up (My colleague said he would check out manualy in 1 hour) I said I would better use half hour to write a script to find out those. This script will be use full in finding out routers with default password in future also.
So I did write a python script (you must be knowing by now python is my fav language) to check out routers with default passwords.
This script is still in its early stages. So looking forward for some good or bad feedbacks.
You can find script at
http://neo1981.googlepages.com/ciscoPassChk.py
Decrypting...No..Deobfuscating Cisco IOS Passwords
Why I said not decrypt but Deobfuscating ???
The level 7 password is not actually encrypted . The Vigenere algorithm is used to obfuscate the passwords (there is not key used in this algo)
Cisco IOS uses this level-7 encryption when the "service password-encryption" command is used.
I found some interesting info while I was getting tools to decrypt cisco level 7 password. Yes you might know that there are Lots of softwares available on net whcih decrypt cisco 7 secrete. But this method got my attention since it uses cisco commands to obtain cleartext password from the secret.
The level 7 password is not actually encrypted . The Vigenere algorithm is used to obfuscate the passwords (there is not key used in this algo)
Cisco IOS uses this level-7 encryption when the "service password-encryption" command is used.
I found some interesting info while I was getting tools to decrypt cisco level 7 password. Yes you might know that there are Lots of softwares available on net whcih decrypt cisco 7 secrete. But this method got my attention since it uses cisco commands to obtain cleartext password from the secret.
Here it goes...
The show key-chain command executed on Cisco IOS displays the password configured in a key chain in cleartext even when the same password is stored as type-7 obfuscated password in the router configuration.
For example, if you want to get the cleartext password corresponding to string 04480E051A33490E, enter the following lines into the router configuration (any routers configuration it can be your router not necessary victims router :D) :-
R1(config)#key chain test
R1(config-keychain)#key 1
R1(config-keychain-key)#key-string 7 04480E051A33490E
When you execute show key chain test command, the cleartext value of the password is displayed:
R1#show key chain test
Key-chain decrypt:
key 1 -- text "secure"
accept lifetime (always valid) - (always valid) [valid now]
send lifetime (always valid) - (always valid) [valid now]
Walla Cleartext without using any tools
I also have found perl code by Bostjan Sustar to do the same task.
The perl code is uploaded at http://neo1981.googlepages.com/decrypt_cisco.pl
Wednesday, March 18, 2009
Story of IT Novice
I read a very good story on my frens profile... I thought I should share with all
IT Novice and Master...
One day a Novice came to the Master.
"Master," he said, "How is it that I may become a Writer of Programs?".
The Master looked solemnly at the Novice.
"Have you in your possession a Compiler of Source Code?" the Master asked.
"No," replied the Novice. The Master sent the Novice on a quest to the Store of Software.
Many hours later the Novice returned.
"Master," he said, "How is it that I may become a Writer of Programs?".
The Master looked solemnly at the Novice.
"Have you in your possession a Compiler of Source Code?" the Master asked.
"Yes," replied the Novice.
The Master frowned at the Novice.
"You have a Compiler of Source. What now can prevent you from becoming a Writer of Programs?".
The Novice fidgeted nervously and presented his Compiler of Source to the Master.
"How is this used?" asked the Novice.
"Have you in your possession a Manual of Operation?" the Master asked.
"No," replied the Novice.
The Master instructed the Novice as to where he could find the Manual of Operation.
Many days later the Novice returned.
"Master," he said, "How is it that I may become a Writer of Programs?".
The Master looked solemnly at the Novice.
"Have you in your possession a Compiler of Source Code?" the Master asked.
"Yes," replied the Novice.
"Have you in your possession a Manual of Operation?" the Master asked.
"Yes," replied the Novice.
The Master frowned at the Novice.
"You have a Compiler of Source, and a Manual of Operation. What now can prevent you from becoming a Writer of Programs?".
At this the Novice fidgeted nervously and presented his Manual of Operations to the Master.
"How is this used?" asked the Novice.
The Master closed his eyes, and heaved a great sigh.
The Master sent the Novice on a quest to the School of Elementary.
Many years later the Novice returned.
"Master," he said, "How is it that I may become a Writer of Programs?".
The Master looked solemnly at the Novice.
"Have you in your possession a Compiler of Source Code, a Manual of Operation and an Education of Elementary?" the Master asked.
"Yes," replied the Novice.
The Master frowned at the Novice.
"What then can prevent you from becoming a Writer of Programs?".
The Novice fidgeted nervously. He looked around but could find nothing to present to the Master.
The Master smiled at the Novice.
"I see what problem plagues you." said the Master.
"Oh great master, please tell me." asked the Novice.
The Master turned the Novice toward the door, and with a supportive hand on his shoulder said, "Go young Novice, and Read The Fucking Manual." And so the Novice became enlightened.
IT Novice and Master...
One day a Novice came to the Master.
"Master," he said, "How is it that I may become a Writer of Programs?".
The Master looked solemnly at the Novice.
"Have you in your possession a Compiler of Source Code?" the Master asked.
"No," replied the Novice. The Master sent the Novice on a quest to the Store of Software.
Many hours later the Novice returned.
"Master," he said, "How is it that I may become a Writer of Programs?".
The Master looked solemnly at the Novice.
"Have you in your possession a Compiler of Source Code?" the Master asked.
"Yes," replied the Novice.
The Master frowned at the Novice.
"You have a Compiler of Source. What now can prevent you from becoming a Writer of Programs?".
The Novice fidgeted nervously and presented his Compiler of Source to the Master.
"How is this used?" asked the Novice.
"Have you in your possession a Manual of Operation?" the Master asked.
"No," replied the Novice.
The Master instructed the Novice as to where he could find the Manual of Operation.
Many days later the Novice returned.
"Master," he said, "How is it that I may become a Writer of Programs?".
The Master looked solemnly at the Novice.
"Have you in your possession a Compiler of Source Code?" the Master asked.
"Yes," replied the Novice.
"Have you in your possession a Manual of Operation?" the Master asked.
"Yes," replied the Novice.
The Master frowned at the Novice.
"You have a Compiler of Source, and a Manual of Operation. What now can prevent you from becoming a Writer of Programs?".
At this the Novice fidgeted nervously and presented his Manual of Operations to the Master.
"How is this used?" asked the Novice.
The Master closed his eyes, and heaved a great sigh.
The Master sent the Novice on a quest to the School of Elementary.
Many years later the Novice returned.
"Master," he said, "How is it that I may become a Writer of Programs?".
The Master looked solemnly at the Novice.
"Have you in your possession a Compiler of Source Code, a Manual of Operation and an Education of Elementary?" the Master asked.
"Yes," replied the Novice.
The Master frowned at the Novice.
"What then can prevent you from becoming a Writer of Programs?".
The Novice fidgeted nervously. He looked around but could find nothing to present to the Master.
The Master smiled at the Novice.
"I see what problem plagues you." said the Master.
"Oh great master, please tell me." asked the Novice.
The Master turned the Novice toward the door, and with a supportive hand on his shoulder said, "Go young Novice, and Read The Fucking Manual." And so the Novice became enlightened.
Tuesday, March 17, 2009
Windows Commandline KungFu Part 2
If you check out wmic has many good feature that we never use. Since I like commandline very much I am always upto commands and keybord shortcuts. :D
Now some more info about wmic...
If you use command
C:\> wmic /?
Then you would get a list of attributes and all the settings for given alias.
For example type
C:\>wmic share list full
AccessMask=
AllowMaximum=TRUE
Description=Remote IPC
InstallDate=
MaximumAllowed=
Name=IPC$
Path=
Status=OK
Type=-2147483645
...
...
Good ? not enough but there is more wmic is object oriented , so you've got attributes and methods. Attributes are cool, letting you get info about your box and tweak it a bit, but methods let you take action on a box, giving you real power.
For example
C:\> wmic process where name="cmd.exe" call getowner
Or, even:
C:\> wmic process where name="cmd.exe" call getownersid
Nice ! isnt it ?
Second Example : We want a built in command to reboot or shutdown windows box accross the network. Try this
C:\> wmic os where buildnumber="2600" call reboot
Third example get parameter (Atrribute of object)
C:\>wmic nic get macaddress,name
You want interface-related methods? Check these out:
C:\> wmic nicconfig call setdefaultttl 200
C:\> wmic nicconfig call settcpwindowsize 3212
Those change the IP TTL and TCP Window size from default settings to something else, possibly fooling some forms of passive OS fingerprinting. Be careful with them, though... changing those settings could hose your network performance, make your system ugly, and make your hair fall out. You have been warned!
Now how about some nasty example :D
Like from POST Exploitation ;)
you could:
C:\> wmic nteventlog where (description like "%secevent%") call cleareventlog
Guess what it would do ????
or events like those associated with logging onto the box:
C:\> wmic ntevent where (message like "%logon%") list brief
Fifth, here is one that could be useful for handlers:
C:\>wmic netlogin where (name like "%neo%") get numberoflogons
NumberOfLogons
1760
Where neo is username offcourse.
you can use methods associated with "wmic service" to change the service configuration, as in:
C:\> wmic service where (name like "Fax" OR name like "Alerter") CALL ChangeStartMode Disabled
//Spot odd executables
C:\> wmic PROCESS WHERE "NOT ExecutablePath LIKE '%Windows%'" GET ExecutablePath
//Look at services that are set to start automatically
C:\> wmic SERVICE WHERE StartMode="Auto" GET Name, State
//Find user-created shares (usually not hidden)
C:\> wmic SHARE WHERE "NOT Name LIKE '%$'" GET Name, Path
//Find stuff that starts on boot
C:\> wmic STARTUP GET Caption, Command, User
//Identify any local system accounts that are enabled (guest, etc.)
C:\> wmic USERACCOUNT WHERE "Disabled=0 AND LocalAccount=1" GET Name"
Enjoyyyyy....
Now some more info about wmic...
If you use command
C:\> wmic /?
Then you would get a list of attributes and all the settings for given alias.
For example type
C:\>wmic share list full
AccessMask=
AllowMaximum=TRUE
Description=Remote IPC
InstallDate=
MaximumAllowed=
Name=IPC$
Path=
Status=OK
Type=-2147483645
...
...
Good ? not enough but there is more wmic is object oriented , so you've got attributes and methods. Attributes are cool, letting you get info about your box and tweak it a bit, but methods let you take action on a box, giving you real power.
For example
C:\> wmic process where name="cmd.exe" call getowner
Or, even:
C:\> wmic process where name="cmd.exe" call getownersid
Nice ! isnt it ?
Second Example : We want a built in command to reboot or shutdown windows box accross the network. Try this
C:\> wmic os where buildnumber="2600" call reboot
Third example get parameter (Atrribute of object)
C:\>wmic nic get macaddress,name
You want interface-related methods? Check these out:
C:\> wmic nicconfig call setdefaultttl 200
C:\> wmic nicconfig call settcpwindowsize 3212
Those change the IP TTL and TCP Window size from default settings to something else, possibly fooling some forms of passive OS fingerprinting. Be careful with them, though... changing those settings could hose your network performance, make your system ugly, and make your hair fall out. You have been warned!
Now how about some nasty example :D
Like from POST Exploitation ;)
you could:
C:\> wmic nteventlog where (description like "%secevent%") call cleareventlog
Guess what it would do ????
or events like those associated with logging onto the box:
C:\> wmic ntevent where (message like "%logon%") list brief
Fifth, here is one that could be useful for handlers:
C:\>wmic netlogin where (name like "%neo%") get numberoflogons
NumberOfLogons
1760
Where neo is username offcourse.
you can use methods associated with "wmic service" to change the service configuration, as in:
C:\> wmic service where (name like "Fax" OR name like "Alerter") CALL ChangeStartMode Disabled
//Spot odd executables
C:\> wmic PROCESS WHERE "NOT ExecutablePath LIKE '%Windows%'" GET ExecutablePath
//Look at services that are set to start automatically
C:\> wmic SERVICE WHERE StartMode="Auto" GET Name, State
//Find user-created shares (usually not hidden)
C:\> wmic SHARE WHERE "NOT Name LIKE '%$'" GET Name, Path
//Find stuff that starts on boot
C:\> wmic STARTUP GET Caption, Command, User
//Identify any local system accounts that are enabled (guest, etc.)
C:\> wmic USERACCOUNT WHERE "Disabled=0 AND LocalAccount=1" GET Name"
Enjoyyyyy....
Sunday, March 15, 2009
Windows Commandline KungFu Part 1
When I first attended training by ed on commandline kungFu I was just amzed.
Well bassically commandline KungFu is more about windows commandline since linux already has extremly powerfull commandline so need to go to that side.
Lots of people dont know or ignore the power of wmic commands, we will start with wmic command which will allow us some stuff that we always do on linux.
C:\> wmic process [pid] delete
That's the rough equivalent (for you UNIX/Linux minded folks) of "kill -9 [pid]".
Or, better yet, try this one on for size:
C:\> wmic process where name='cmd.exe' delete
I love that one! It functions something like "killall -9 cmd.exe" would on a Linux box, where killall lets you kill processes by name.
And, check this out:
C:\> wmic process list brief /every:1
Sort of like (but not exactly) the Linux/UNIX top command.
But, wait! There's more...
C:\> wmic useraccount
This one gives a lot more detail than the old "net user" command. With "wmic useraccount" you get user names, SIDs, and various security settings.
Fun, fun, fun! Here's another:
C:\> wmic qfe
This one shows all hotfixes and service packs. qfe doesn't stand for Quad Fast Ethernet... It stands for Quick Fix Engineering in this context.
C:\> wmic startup list full
It shows a whole bunch of stuff useful in malware analysis, including all files loaded at Startup and the reg keys associated with autostart.
C:\> wmic process list brief | find "cmd.exe"
That works a little like a Linux "ps -aux | grep cmd.exe".
So, I run it as I show above, piping its output through sort, find, findstr, etc.
C:\> wmic /output:[file] [stuff you want it to do] /format:[format]
Numerous formats are supported, including HTML format (hform), CSV, XSL, and so on. So, check this out:
C:\> wmic /output:c:\os.html os get /format:hform
Then, open c:\os.html in a browser, and soak in that beautiful output. Ooooohhhh. Ahhhhhhh.
For a list of format types supported by WMIC, you could type:
C:\> wmic [stuff to do] /format /?
As in:
C:\> wmic process list /format /?
Going further, there is ability to pull lists of attributes and output them nicely, as follows:
C:\> wmic /output:c:\temp.html os get name,version /format:htable.xsl
Well bassically commandline KungFu is more about windows commandline since linux already has extremly powerfull commandline so need to go to that side.
Lots of people dont know or ignore the power of wmic commands, we will start with wmic command which will allow us some stuff that we always do on linux.
C:\> wmic process [pid] delete
That's the rough equivalent (for you UNIX/Linux minded folks) of "kill -9 [pid]".
Or, better yet, try this one on for size:
C:\> wmic process where name='cmd.exe' delete
I love that one! It functions something like "killall -9 cmd.exe" would on a Linux box, where killall lets you kill processes by name.
And, check this out:
C:\> wmic process list brief /every:1
Sort of like (but not exactly) the Linux/UNIX top command.
But, wait! There's more...
C:\> wmic useraccount
This one gives a lot more detail than the old "net user" command. With "wmic useraccount" you get user names, SIDs, and various security settings.
Fun, fun, fun! Here's another:
C:\> wmic qfe
This one shows all hotfixes and service packs. qfe doesn't stand for Quad Fast Ethernet... It stands for Quick Fix Engineering in this context.
C:\> wmic startup list full
It shows a whole bunch of stuff useful in malware analysis, including all files loaded at Startup and the reg keys associated with autostart.
C:\> wmic process list brief | find "cmd.exe"
That works a little like a Linux "ps -aux | grep cmd.exe".
So, I run it as I show above, piping its output through sort, find, findstr, etc.
C:\> wmic /output:[file] [stuff you want it to do] /format:[format]
Numerous formats are supported, including HTML format (hform), CSV, XSL, and so on. So, check this out:
C:\> wmic /output:c:\os.html os get /format:hform
Then, open c:\os.html in a browser, and soak in that beautiful output. Ooooohhhh. Ahhhhhhh.
For a list of format types supported by WMIC, you could type:
C:\> wmic [stuff to do] /format /?
As in:
C:\> wmic process list /format /?
Going further, there is ability to pull lists of attributes and output them nicely, as follows:
C:\> wmic /output:c:\temp.html os get name,version /format:htable.xsl
Thursday, January 29, 2009
Post Exploitation 2
We had discussion going on the topic Post exploitation when I realized that in my first post I didnt put any special things on windows. So I am adding that information in this second post on this topic.
Like lots of people dont know that there are FOR loop on windows command line using which we can have a ping sweep or port scan from cmd without any thirdparty tools.
Ex.
Ping Sweep: Using following command we can run a ping sweep
FOR /L %i in (1,1,255) do @ping -n 1 10.10.10.%i | find "Reply"
This command will run a ping sweep on 10.10.10.0/24
Command line port scanner using ftp client:
The windows ftp client can be used as a port scanner.
But
C:\> ftp [IP_address]
This is not allowing to put port number and defaults to port 21 for connection.
But... we can specify a destination port in a ftp command file
- open [IP_addr] [port]
FTP client then can read this ftp commands file and execute them.
C:\> ftp -s:[filename]
So using this and FOR loop together...
for /L %i in (1,1,1024) do echo open [IPaddr] %i > ftp.txt & echo quit >> ftp.txt & ftp -s:ftp.txt 2>>ports.txt
Now the ports.txt will have output of the port scanner.
One more option in the FOR command let us use file as input
Ex. There is file with name PTips.txt containing one IP address each line
so following command will iterate through the file.
FOR /F "delims=^" %i in (PTips.txt) do ping %i
C:\>ping 222.222.222.222
Pinging 222.222.222.222 with 32 bytes of data:
Reply from 222.222.222.222: Destination net unreachable.
...
...
Like lots of people dont know that there are FOR loop on windows command line using which we can have a ping sweep or port scan from cmd without any thirdparty tools.
Ex.
Ping Sweep: Using following command we can run a ping sweep
FOR /L %i in (1,1,255) do @ping -n 1 10.10.10.%i | find "Reply"
This command will run a ping sweep on 10.10.10.0/24
Command line port scanner using ftp client:
The windows ftp client can be used as a port scanner.
But
C:\> ftp [IP_address]
This is not allowing to put port number and defaults to port 21 for connection.
But... we can specify a destination port in a ftp command file
- open [IP_addr] [port]
FTP client then can read this ftp commands file and execute them.
C:\> ftp -s:[filename]
So using this and FOR loop together...
for /L %i in (1,1,1024) do echo open [IPaddr] %i > ftp.txt & echo quit >> ftp.txt & ftp -s:ftp.txt 2>>ports.txt
Now the ports.txt will have output of the port scanner.
One more option in the FOR command let us use file as input
Ex. There is file with name PTips.txt containing one IP address each line
so following command will iterate through the file.
FOR /F "delims=^" %i in (PTips.txt) do ping %i
C:\>ping 222.222.222.222
Pinging 222.222.222.222 with 32 bytes of data:
Reply from 222.222.222.222: Destination net unreachable.
...
...
One more addition
Having only cmd in windows does put lot of restrictions.
Lots of time I miss the simple commands like in linux to get HTML pages.
Can we download HTML pages on windows without Browser ???
...
...
...
Yes We Can
The problem with telnet is it dont allows us to redirect the output or screen to some file...
So... so we use -f for creating log of the telnet session.
Ex. Windows telnet as simple HTTP GET tool
C:\> telnet -f log.txt
Welcome to Microsoft Telnet Client
Escape Character is 'CTRL+]'
Microsoft Telnet>o in.yahoo.com 80
...
...
Microsoft Telnet>sen GET / HTTP/1.0
...
Html contents will scroll down all of sudden but dont worry,
all that content will be saved to the log file: log.txt
There you go.
Having only cmd in windows does put lot of restrictions.
Lots of time I miss the simple commands like in linux to get HTML pages.
Can we download HTML pages on windows without Browser ???
...
...
...
Yes We Can
The problem with telnet is it dont allows us to redirect the output or screen to some file...
So... so we use -f for creating log of the telnet session.
Ex. Windows telnet as simple HTTP GET tool
C:\> telnet -f log.txt
Welcome to Microsoft Telnet Client
Escape Character is 'CTRL+]'
Microsoft Telnet>o in.yahoo.com 80
...
...
Microsoft Telnet>sen GET / HTTP/1.0
...
Html contents will scroll down all of sudden but dont worry,
all that content will be saved to the log file: log.txt
There you go.
 |
Subscribe to:
Comments (Atom)
