During a recent penetration testing project, I decided to explore how I could exploit Cisco devices with SNMP enabled on them. In order not to reveal customer information, I recreated my steps within my lab.

I started off with a basic Nmap scan for UDP Port 161 against my target.

Image for post
Image for post

Next, I used Nmap once again to perform a SNMP brute force scan against the target.

Image for post
Image for post

Interesting. As an alternative to Nmap, I used Hydra to perform a SNMP brute force attack against the target using the SecLists snmp-community-strings.txt wordlist.

Image for post
Image for post

Note: during the engagement, I only recovered one of multiple SNMP community strings using Nmap against a single target. Whereas Hydra was able to recover multiple strings from a single target.

Cool. I had an SNMP password. However, I was not sure if it was the read or the read-write community string. So, I launched Metasploit and used the snmp_login module and set the RHOSTS and Password parameters.

Image for post
Image for post

At this point, I had confirmation that I had the SNMP read-write community string for the Cisco switch. So, I used the cisco_config_tftp Metasploit module to obtain a copy of the startup-config file from the switch. This time, I set the RHOSTS, COMMUNITY, and OUTPUTDIR parameters for the module.

Image for post
Image for post

Reviewing the contents of the config file, I found credentials for Type 5 and Type 7 passwords. Type 7 passwords used the Vigenere algorithm in order to obfuscate the password. Whereas Type 5 passwords were salted MD5 hashes.

Also, it should be noted that both user accounts had privileges set at 15. Meaning, both users had Enable or administrative access for the device.

As a side note, using version 5 of Metasploit during the engagement, I noticed that some of the Type 7 passwords were recovered and displayed within the downloaded startup configuration files.

Image for post
Image for post

Next, I downloaded a script that would decrypt Type 5 and Type 7 passwords created by Alexandre Cheron called cisco_pwdcrypt. I used pip to install the required modules and ran the script to decrypt the Type 7 password.

Note: If one has the Solar Winds Engineer Tool Kit, a Cisco password cracker should be included.

Image for post
Image for post

To validate that the credentials worked, I used a modified SSH command to connect with SHA1 to the target.

ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -c aes256-cbc admin@172.27.254.7

Image for post
Image for post

With regards to mitigating SNMP exploitation, consideration should be made to move to SNMPv3. However, one needs to make sure that monitoring tools are compatible with version 3 of SNMP.

In addition, an ACL (Access Control List) should be utilized to control the devices authorized to establish a SNMP session. Furthermore, complexed community strings should also be considered.

Lastly, it should be best practice to use Type 5 based complexed passwords when possible. Also, SSH access should be limited by ACL to authorized personnel.

Disclaimer:

This article is made available for educational purposes only!!! In addition, this article provides general information on cyber security topics used for “Ethical Hacking”.

Persons accessing this information assume full responsibility for the use and agree to not use this content for any illegal purpose. Furthermore, the author is not liable for any direct or indirect damages or expense incurred which may result from the use of the information covered within this article.

Information within this article is “as is”, without warranty of any sort.

Cyber Security Enthusiast

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store