Now the Tools – Pt.2 Cisco Torch

Posted on October 21, 2008. Filed under: Auditing, Penetration Testing, Training

Cisco Torch is a nice tool that can be found on the BackTrack distro or as a standalone package. The main feature that sets cisco-torch apart from similar tools is its extensive use of forking to launch multiple scanning processes in the background for maximum scanning efficiency. It also uses several methods of application-layer fingerprinting simultaneously, if needed.

The developer wanted something fast to discover remote Cisco hosts running Telnet, SSH, Web, NTP, TFTP and SNMP services and to launch dictionary attacks against the services discovered, including an SNMP community attack (you will want the community.txt list for that) and an attack on TFTP servers (configuration file name brute-forcing followed by config leeching). The tool can also fetch device configuration files automatically if an SNMP RW community is found.

It should be fast enough to crunch through a large company or a small country. In addition, the tool finds the classical, but still relevant, Cisco IOS HTTP Auth and Cisco Catalyst 3500 XL Remote Arbitrary Command Execution vulnerabilities. As with Metasploit, the developer has promised to add more vulnerabilities to check for.

By the way, this seems to be the only tool that does Cisco fingerprinting via NTP, apart from the NTP Nessus plugin :-) Application-layer fingerprinting performed against several services on the host is fast and reliable. And if none of these services are running, it is unlikely that you will manage to get into that Cisco box anyway, at least when you aren't on the same LAN.

As to the dictionary/brute-forcing attacks, they could be done faster, but the developer did not parallelize the attacks themselves for maximum efficiency against large networks (the work is split across processes by IP rather than by attack).

INSTALLATION AND USE

1. Make sure that you have the following Perl modules installed:

Net::hostent;
Net::Telnet;
Net::SSH::Perl;
Net::SNMP;
Net::SSLeay;

If you are on Windows without Perl set up, download and install the ActivePerl binary from http://www.activestate.com/

Then you can install the modules listed above with commands like ppm install Net::Telnet, ppm install Net::SSH::Perl and so on. Or, even better, use Cygwin. A Windows package of the tool is in the making anyway.

2. Modify the variables in the configuration file (torch.conf) to suit your personal taste:

$max_processes=20;
$hosts_per_process=10;
$passfile="password.txt";
$communityfile="community.txt";
$usersfile="users.txt";
$fingerprintdb="fingerprint.db";
$tmplogprefix="/tmp/tmplog";
$logfile="scan.log";
$llevel="c";

3. Run perl cisco-torch.pl to see the options available. Scanning a single host with all checks enabled (-A) gives output similar to this:

# perl cisco-torch.pl -A 192.168.XXX.XXX

###############################################################
#   Cisco Torch Mass Scanner 0.4b                             #
#   Because we need it…                                     #
#   http://www.arhont.com/tools/cisco-torch.html              #
###############################################################

List of targets contains 1 host(s)
8711:   Checking 192.168.66.202 …
Fingerprint:                    2552511255251325525324255253311310
Description:                    Cisco IOS host (tested on 2611,2950 and Aironet 1200 AP)
Fingerprinting Successful

Cisco found by SSH banner SSH-1.5-Cisco-1.25

HTTP/1.1 401 Unauthorized
Date: Tue, 25 Jan 2005 00:02:18 GMT
Server: cisco-IOS
Accept-Ranges: none
WWW-Authenticate: Basic realm="level_15_access"

401 Unauthorized

--->
- All scans done. Cisco Torch Mass Scanner 0.4b -
---> Exiting.

The same output is stored in the scan.log file (or whatever you named it in torch.conf). Note that if a host is fingerprinted as a Cisco box via Telnet and/or SSH but does not show up as an IOS-running host on the web server check, it is likely to be a Catalyst. For example, this is a Cisco Catalyst 2950:

List of targets contains 1 host(s)
9467:   Checking 192.168.77.254 …
Fingerprint:                    2552511255251325525324255253311310
Description:                    Cisco IOS host (tested on 2611, 2950 and Aironet 1200 AP)
Fingerprinting Successful

HTTP/1.0 501 Not Implemented
Date: Tue, 25 Jan 2005 03:28:04 0
Content-type: text/html
Expires: Thu, 16 Feb 1989 00:00:00 GMT

<H1>501 Not Implemented</H1>
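As an added example (not part of the original post or of Cisco Torch itself), here is a small Python parser that turns scan.log output of the shape shown above into one record per host and applies the Catalyst rule of thumb from the paragraph before the listing. The sample log is constructed from the two excerpts above; the field names and the classification labels are my own.

```python
import re

# Constructed sample in the shape of the scan.log excerpts above (not a real capture).
SAMPLE_LOG = """\
8711:   Checking 192.168.66.202 ...
Description:                    Cisco IOS host (tested on 2611,2950 and Aironet 1200 AP)
Cisco found by SSH banner SSH-1.5-Cisco-1.25
HTTP/1.1 401 Unauthorized
Server: cisco-IOS
WWW-Authenticate: Basic realm="level_15_access"
9467:   Checking 192.168.77.254 ...
Description:                    Cisco IOS host (tested on 2611, 2950 and Aironet 1200 AP)
HTTP/1.0 501 Not Implemented
---> - All scans done. Cisco Torch Mass Scanner 0.4b -
"""

# One regex per field we want to pull out of a host's block of output.
FIELDS = {
    "description": re.compile(r"^Description:\s+(.+)$"),
    "ssh_banner": re.compile(r"^Cisco found by SSH banner (\S+)"),
    "http_status": re.compile(r"^HTTP/\d\.\d (\d{3})"),
    "http_server": re.compile(r"^Server:\s*(.+)$"),
    "realm": re.compile(r'^WWW-Authenticate:\s*Basic realm="([^"]*)"'),
}
CHECKING = re.compile(r"^\d+:\s+Checking (\d+\.\d+\.\d+\.\d+)")

def parse_scan_log(text: str) -> list[dict]:
    """Split scan.log into one dict per 'Checking <ip>' block."""
    hosts: list[dict] = []
    for line in text.splitlines():
        m = CHECKING.match(line)
        if m:
            hosts.append({"ip": m.group(1)})   # a new per-host record starts here
            continue
        if not hosts:
            continue                            # banner lines before the first host
        for name, pat in FIELDS.items():
            m = pat.match(line)
            if m:
                hosts[-1][name] = m.group(1).strip()
                break
    return hosts

def classify(host: dict) -> str:
    """The post's rule of thumb: Cisco by Telnet/SSH but no IOS web server -> likely Catalyst."""
    cisco = "Cisco" in host.get("description", "") or "Cisco" in host.get("ssh_banner", "")
    ios_web = host.get("http_status") == "401" and "cisco-IOS" in host.get("http_server", "")
    if cisco and ios_web:
        return "IOS with HTTP server"
    return "likely Catalyst" if cisco else "unknown"
```

Run `parse_scan_log` on the contents of scan.log and feed each record to `classify` to get a quick inventory of what the scan actually identified.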

Keep in mind that PIX firewalls usually employ HTTPS, not HTTP, by default. Also keep in mind that on a PIX without AAA authentication the default username for the SSH login is "pix".

By the way, running -A against vast networks is rather slow and is not recommended, so scanning a /8 with -A may not be a good idea, unless you are a RAM maniac.

FINGERPRINTS

Collecting and adding Telnetd fingerprints of Cisco devices using the tool is very easy. For now, the fingerprint.db shipped with the tool is limited, containing signatures from Hackbot, the TESO Team telnetfp tool and the developer's testing lab. If you are able to develop Cisco-relevant Telnetd fingerprints, send them to the developer at ciscotorch@arhont.com so that they can be verified and included in future releases. Also, please add additional devices and comments to what is already in the database.

The developer tested what they had at hand and supplied the signatures with the names of the devices tested. This is not necessarily precise: there may be more Cisco (or even other vendors') hosts that produce the listed signatures but are not named in the database. Please take this into account when scanning.
