Management Protocols
Cisco devices support several management protocols. These include SNMP, SSH, Telnet, and HTTP. Cisco devices have embedded web servers. These web servers can be attacked, both from the standpoint of compromised credentials as well as attacking the web server itself, to create denial-of-service attacks and other compromises of the device. Various tools can be used to attack these management protocols. One of these is cisco-torch. The program cisco-torch is a scanner that can search for Cisco devices on the network based on these different protocols. It also can identify vulnerabilities within the web server that may be running on the Cisco devices. The program uses a set of text files to perform fingerprinting on the devices it finds in order to identify issues that may exist in those files. Additionally, it uses multiple threads to perform the scans faster. If you want to alter the configuration or see the files that are used for its operation, you can look at the configuration file at /etc/cisco-torch/torch.conf, as shown in Example 5-1.
Example 5-1. /etc/cisco-torch/torch.conf File
root@yazpistachio:/etc/cisco-torch# cat torch.conf
$max_processes = 50; #Max process
$hosts_per_process = 5; #Max host per process
$passfile = "password.txt"; #Password word database
$communityfile = "community.txt"; #SNMP community database
$usersfile = "users.txt"; # Users word database
$brutefile = "brutefile.txt"; #TFTP file word database
$fingerprintdb = "fingerprint.db"; #Telnet fingerprint database
$tfingerprintdb = "tfingerprint.db"; #TFTP fingerprint database
$tftprootdir = "tftproot"; # TFT root directory
$tftpserver = "192.168.77.8"; #TFTP server hostname
$tmplogprefix = "/tmp/tmplog"; #Temp file directory
$logfile = "scan.log"; #Log file filename
$llevel = "cdv"; #Log level
$port = 80; #Web service port
The files mentioned in the configuration file can be found in /usr/share/cisco-torch.
One of the listings you can see in the configuration file is the list of passwords that can be used. This is where cisco-torch can be used as an exploitation tool. The program can be used to launch brute-force password attacks against devices it identifies. If the password file used by cisco-torch is not extensive enough, you can change the file used in the configuration settings and use one you have found or created. A larger password file can provide a higher degree of success, of course, though it will also increase the amount of time spent on the attack. The more passwords you try, the more failed login entries you will create in logs, which may be noticed.
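
The failed login entries mentioned above are what a defender can alert on. The following is an added example, not code from this book or from cisco-torch: it assumes the devices are configured to log failed logins and emit the IOS %SEC_LOGIN-4-LOGIN_FAILED syslog message, and it flags sources that exceed a failure threshold inside a sliding time window. The function names, threshold, window, and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample syslog lines (documentation addresses, not real captures).
_F = ("%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: {u}] [Source: {s}] "
      "[localport: 23] [Reason: Login Authentication Failed] at {t} UTC Mon Mar 1 2021")
SAMPLE_LOG = "\n".join(
    [_F.format(u=u, s="192.0.2.10", t=f"10:15:{sec:02d}")
     for sec, u in enumerate(["admin", "cisco", "root", "admin", "netops", "admin"], start=1)]
    + [_F.format(u="jsmith", s="198.51.100.7", t="09:02:11"),
       _F.format(u="jsmith", s="198.51.100.7", t="11:40:52"),
       "%SYS-5-CONFIG_I: Configured from console by admin on vty0 (198.51.100.7)"])

# Spacing after the colons differs between IOS releases, so it is matched loosely.
FAILED = re.compile(
    r"%SEC_LOGIN-4-LOGIN_FAILED:\s*Login failed \[user:\s*(?P<user>[^\]]*)\]\s*"
    r"\[Source:\s*(?P<src>[^\]]+)\].*?\bat (?P<ts>\d\d:\d\d:\d\d) \w+ \w{3} "
    r"(?P<date>\w{3} +\d{1,2} \d{4})")

def parse_failures(text):
    """Yield (timestamp, source, user) for every login-failure message in text."""
    for line in text.splitlines():
        m = FAILED.search(line)
        if m:
            ts = datetime.strptime(f"{m['date']} {m['ts']}", "%b %d %Y %H:%M:%S")
            yield ts, m["src"].strip(), m["user"].strip()

def detect_bruteforce(text, threshold=5, window=timedelta(seconds=60)):
    """Return sources whose failures within any single window reach the threshold."""
    recent = defaultdict(deque)   # per-source timestamps still inside the window
    peak = defaultdict(int)       # highest in-window count seen per source
    users = defaultdict(set)      # usernames each source attempted
    for ts, src, user in sorted(parse_failures(text)):
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        peak[src] = max(peak[src], len(q))
        users[src].add(user)
    return {s: {"peak": n, "users": sorted(users[s])}
            for s, n in peak.items() if n >= threshold}

if __name__ == "__main__":
    for src, info in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{src}: {info['peak']} failures in window, users tried: {info['users']}")
```

A source that cycles through several usernames in a short burst, as the first address in the sample does, is a stronger signal than one user mistyping a password twice over a morning.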