• 140 | Chapter 4: Looking for Vulnerabilities
    Date: 14.05.2024
    for scanning single hosts)
    -f hostfile   (for scanning multiple hosts)
    -p port       (default port is 23)
    -w wordlist   (word list for community name guessing)
    -a passlist   (word list for password guessing)
    -i [ioshist]  (Check for IOS History bug)
    -l logfile    (file to log to, default screen)
    -q quiet mode (no screen output)

    The program cisco-torch can be used to scan for Cisco devices. One of the differences between this and CAT is that cisco-torch can be used to scan for available SSH ports/services. Additionally, Cisco devices can store and retrieve configurations from Trivial File Transfer Protocol (TFTP) servers. cisco-torch can be used to fingerprint both TFTP and Network Time Protocol (NTP) servers. This will help identify infrastructure related to both Cisco Internetwork Operating System (IOS) devices and the supporting infrastructure for those devices. IOS is the operating system that Cisco uses on its routers and enterprise switches. Example 4-7 shows a scan of a local network looking for Telnet, SSH, and Cisco web servers. All of these protocols can be used to remotely manage Cisco devices.

    Cisco has been using its IOS for decades now. IOS should not be confused with iOS, which is what Apple calls the operating system that controls its mobile devices.


    Example 4-7. Output from cisco-torch
    root@rosebud:~# cisco-torch -t -s -w 192.168.86.0/24
    Using config file torch.conf...
    Loading include and plugin ...
    ###############################################################
    # Cisco Torch Mass Scanner #
    # Because we need it... #
    # http://www.arhont.com/cisco-torch.pl #
    ###############################################################
    List of targets contains 256 host(s)
    Will fork 50 additional scanner processes
    Range Scan from 192.168.86.12 to 192.168.86.17
    17855: Checking 192.168.86.12 ...
    HUH db not found, it should be in fingerprint.db
    Skipping Telnet fingerprint
    Range Scan from 192.168.86.6 to 192.168.86.11
    17854: Checking 192.168.86.6 ...
    HUH db not found, it should be in fingerprint.db
    Skipping Telnet fingerprint
    Range Scan from 192.168.86.18 to 192.168.86.23
    17856: Checking 192.168.86.18 ...
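
An added example, not from the book or from cisco-torch itself: in Example 4-7 the Telnet fingerprint is skipped because fingerprint.db is missing, yet hosts are still reported as checked, so coverage is worth verifying mechanically. This Python script parses the output format shown above; the function names and the rule that a skip notice belongs to the most recent "Checking" line are assumptions.

```python
import re

# Constructed sample: lines taken from Example 4-7, trimmed to the scan body.
SAMPLE = """\
List of targets contains 256 host(s)
Range Scan from 192.168.86.12 to 192.168.86.17
17855: Checking 192.168.86.12 ...
HUH db not found, it should be in fingerprint.db
Skipping Telnet fingerprint
Range Scan from 192.168.86.6 to 192.168.86.11
17854: Checking 192.168.86.6 ...
HUH db not found, it should be in fingerprint.db
Skipping Telnet fingerprint
Range Scan from 192.168.86.18 to 192.168.86.23
17856: Checking 192.168.86.18 ...
"""

TARGETS = re.compile(r"List of targets contains (\d+) host")
CHECKING = re.compile(r"^(\d+): Checking (\S+) \.\.\.")
SKIPPED = re.compile(r"^Skipping (\w+) fingerprint")
MISSING_DB = re.compile(r"db not found, it should be in (\S+)")

def summarize(log_text):
    """Return target count, hosts checked, skipped fingerprints and missing files."""
    summary = {"targets": None, "checked": {}, "missing_files": set()}
    current = None  # host most recently announced by a "Checking" line
    for line in log_text.splitlines():
        line = line.strip()
        if m := TARGETS.search(line):
            summary["targets"] = int(m.group(1))
        elif m := CHECKING.match(line):
            current = m.group(2)
            summary["checked"][current] = {"pid": int(m.group(1)), "skipped": []}
        elif m := MISSING_DB.search(line):
            summary["missing_files"].add(m.group(1))
        elif (m := SKIPPED.match(line)) and current:
            # Assumption: a skip notice belongs to the host announced just before it.
            summary["checked"][current]["skipped"].append(m.group(1))
    return summary

def incomplete_hosts(summary):
    """Hosts whose results lack at least one fingerprint check."""
    return sorted(h for h, r in summary["checked"].items() if r["skipped"])

if __name__ == "__main__":
    s = summarize(SAMPLE)
    print(f"{len(s['checked'])} of {s['targets']} targets reached a check line")
    print("missing:", sorted(s["missing_files"]), "incomplete:", incomplete_hosts(s))
```

Because the scanner forks many worker processes, lines from different hosts can interleave in a real log; treat the per-host attribution as a hint and the missing-file set as the reliable signal.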

    Partially because of Cisco’s market share and the amount of time its devices have been used on the internet, Cisco devices have known vulnerabilities. Identifying devices isn’t the same as identifying vulnerabilities. As a result, we need to know what vulnerabilities may be on the devices we find. Fortunately, in addition to using OpenVAS for vulnerability scanning, a Perl script comes with Kali to look for Cisco vulnerabilities. This script, cge.pl, knows about specific vulnerabilities related to Cisco devices. Example 4-8 shows the list of vulnerabilities that can be tested with cge.pl as well as how to run the script, which takes a target and a vulnerability number.

    Example 4-8. Running cge.pl for Cisco vulnerability scanning
    root@rosebud:~# cge.pl
    Usage :
    perl cge.pl
    Vulnerabilities list :
    [1] - Cisco 677/678 Telnet Buffer Overflow Vulnerability
    [2] - Cisco IOS Router Denial of Service Vulnerability
    [3] - Cisco IOS HTTP Auth Vulnerability
    [4] - Cisco IOS HTTP Configuration Arbitrary Administrative Access Vulnerability
    [5] - Cisco Catalyst SSH Protocol Mismatch Denial of Service Vulnerability
    [6] - Cisco 675 Web Administration Denial of Service Vulnerability
    [7] - Cisco Catalyst 3500 XL Remote Arbitrary Command Vulnerability
    [8] - Cisco IOS Software HTTP Request Denial of Service Vulnerability
