
BT5 2011.3 Vulnerability discovery, part 1 (Cisco, SNMP)

Posted: 2024-08-20 23:04:06   Views: 7
Tags: BT5, cisco, 2011.3, bt, pentest, root

3. Vulnerability discovery

Contents
Part 1: Cisco tools
Part 2: SNMP tools
Part 3: HTTP tools
Part 4: SMB tools
Part 5: Nessus, the general-purpose vulnerability scanner
(This page covers Parts 1 and 2.)

Part 1: Cisco tools

Lab topology: the original diagram is not reproduced here. From the transcripts below, the attacker is the BT5 host (root@bt), the target is the Cisco router R1.smoke.com at 10.1.1.2, and that router points at a TACACS+ server at 10.1.1.100.

1. Cisco Auditing Tool

Cisco Auditing Tool (CAT) is a mini security-auditing tool. It scans Cisco routers for common weaknesses: default telnet passwords, default SNMP community strings, and a few old IOS bugs.

    root@bt:~# cd /pentest/cisco/cisco-auditing-tool/
    root@bt:/pentest/cisco/cisco-auditing-tool# ls
    CAT  lib  lists  plugins  TODO
    root@bt:/pentest/cisco/cisco-auditing-tool# cd lists/
    root@bt:/pentest/cisco/cisco-auditing-tool/lists# ls
    community  passwords

The two wordlists that ship with the tool are tiny. Opening them with vim shows that community holds

    public
    private

and passwords holds

    cisco1
    cisco
    smoke

Extend both before a real engagement; CAT only ever tries what is in these files.

    root@bt:/pentest/cisco/cisco-auditing-tool# ./CAT -h

    Cisco Auditing Tool - g0ne [null0]
    Usage:
      -h hostname   (for scanning single hosts)
      -f hostfile   (for scanning multiple hosts)
      -p port #     (default port is 23)
      -w wordlist   (wordlist for community name guessing)
      -a passlist   (wordlist for password guessing)
      -i [ioshist]  (Check for IOS History bug)
      -l logfile    (file to log to, default screen)
      -q quiet mode (no screen output)

Note that -h is the host switch, not a help switch; run with no host, CAT simply prints its usage. A full run against the lab router, guessing SNMP communities from lists/community, telnet passwords from lists/passwords, and checking for the IOS history bug:

    root@bt:/pentest/cisco/cisco-auditing-tool# ./CAT -h 10.1.1.2 -w lists/community -a lists/passwords -i

2. Cisco Passwd Scanner

The Cisco Passwd Scanner (ciscos) was written to sweep a whole block of IP addresses in a given network class (A, B or C; the class fixes how many hosts are scanned). It is fast and runs many connection threads inside a single instance, and it reports the Cisco devices that still accept the default telnet password "cisco". Its syntax is

    ./ciscos <ip network> <class> <options>

which scans the whole class of addresses in one go. The exercise uses two of the options, -t <connection timeout in seconds> and -C <maximum connection threads>, to keep the run time reasonable:

    root@bt:~# cd /pentest/cisco/ciscos/
    root@bt:/pentest/cisco/ciscos# ./ciscos 10.1.1 3 -t 4 -C 10

    Cisco Scanner v1.3

    Scanning: 10.1.1.*  output:cisco.txt  threads:10  timeout:4

Class 3 here means a class C sweep of 10.1.1.0 to 10.1.1.255, as the "Scanning: 10.1.1.*" line confirms; hits are written to cisco.txt.

Part 2: SNMP tools

1. ADMsnmp

ADMsnmp is a handy SNMP audit scanner. It brute-forces SNMP community strings from a supplied wordlist (or guesses them from the target's hostname), and for every community that turns out to be valid it then checks whether the community grants read or write access to the MIB.

    root@bt:~# cd /pentest/enumeration/snmp/admsnmp/
    root@bt:/pentest/enumeration/snmp/admsnmp# ./ADMsnmp
    ADMsnmp v 0.1 (c) The ADM crew
    ./ADMsnmp: <host> [-g,-wordf,-out <name>, [-waitf,-sleep, -manysend,-inter <#>] ]
     <hostname>          : host to scan
     [-guessname]        : guess password with hostname
     [-wordfile]         : wordlist of password to try
     [-outputfile] <name>: output file
     [-waitfor] <mili>   : time in milisecond in each send of snmprequest
     [-sleep] <second>   : time in second of the scan process life
     [-manysend] <number>: how many paket to send by request
     [-inter] <mili>     : time to wait in milisecond after each request
    root@bt:/pentest/enumeration/snmp/admsnmp# ls
    ADMsnmp  ADMsnmp.README  snmp.passwd
    root@bt:/pentest/enumeration/snmp/admsnmp# ./ADMsnmp 10.1.1.2 -wordf snmp.passwd
    ADMsnmp vbeta 0.1 (c) The ADM crew ftp://ADM.isp.at/ADM/ greets: !ADM, el8.org, ansia
    >>>>>>>>>>> get req name=router  id = 2 >>>>>>>>>>>
    >>>>>>>>>>> get req name=cisco  id = 5 >>>>>>>>>>>
    >>>>>>>>>>> get req name=public   id = 8 >>>>>>>>>>>
    >>>>>>>>>>> get req name=private  id = 11 >>>>>>>>>>>
    <<<<<<<<<<< recv snmpd paket id = 12 name = private ret =0 <<<<<<<<<<
    >>>>>>>>>>>> send setrequest id = 12 name = private >>>>>>>>
    >>>>>>>>>>> get req name=admin  id = 14 >>>>>>>>>>>
    <<<<<<<<<<< recv snmpd paket id = 13 name = private ret =0 <<<<<<<<<<
    >>>>>>>>>>> get req name=proxy  id = 17 >>>>>>>>>>>
    <<<<<<<<<<< recv snmpd paket id = 140 name = private ret =2 <<<<<<<<<<
    >>>>>>>>>>> get req name=write  id = 20 >>>>>>>>>>>
    <<<<<<<<<<< recv snmpd paket id = 140 name = private ret =2 <<<<<<<<<<
    >>>>>>>>>>> get req name=access  id = 23 >>>>>>>>>>>
    >>>>>>>>>>> get req name=root  id = 26 >>>>>>>>>>>
    >>>>>>>>>>> get req name=enable  id = 29 >>>>>>>>>>>
    >>>>>>>>>>> get req name=all private  id = 32 >>>>>>>>>>>
    >>>>>>>>>>> get req name= private  id = 35 >>>>>>>>>>>
    >>>>>>>>>>> get req name=test  id = 38 >>>>>>>>>>>
    >>>>>>>>>>> get req name=guest  id = 41 >>>>>>>>>>>

    <!ADM!> snmp check on 10.1.1.2 <!ADM!>
    sys.sysName.0:R1.smoke.com name = private readonly access

How to read this: each candidate from snmp.passwd goes out as an SNMP GetRequest for sysName.0, and only "private" draws a reply (ret =0, the SNMPv1 error-status noError; an SNMPv1 agent silently drops requests carrying a wrong community). ADMsnmp then sends a SetRequest with that community to test for write access; the answers to it come back with ret =2, which matches the SNMPv1 error-status noSuchName, the usual v1 answer to a write the community is not allowed to make, so the tool reports private as read-only. A read-write community would be a far more serious finding, since it lets an attacker change the device's configuration rather than just read it.

2. Snmp Enum

snmpenum is a small Perl script that enumerates an SNMP device to learn about its internals and its network. Depending on the device type (Cisco, Windows or Linux, each with its own list of OIDs to query) the data retrieved can include system users, hardware information, running processes and services, installed software, uptime, shared folders, disk drives, IP addresses, network interfaces and more. Once a valid community string is known (here: private), it is the fastest way to pull a large amount of information off a Cisco, Windows or Linux host.

    root@bt:/pentest/enumeration/snmp# cd snmpenum/
    root@bt:/pentest/enumeration/snmp/snmpenum# ls
    cisco.txt  linux.txt  README.txt  snmpenum.pl  windows.txt
    root@bt:/pentest/enumeration/snmp/snmpenum# ./snmpenum.pl 10.1.1.2 private cisco.txt

    ---------------------------------------- PROCESSES ----------------------------------------

    (the IOS process table; the tool prints one process per line, but the line breaks were lost in this copy, so names such as "Chunk Manager" and "Load Meter" run together below)

    Chunk Manager Load Meter CEF Scanner EDDRI_MAIN Check heaps Pool Manager Timers IPC Dynamic Cache
    IPC Zone Manager IPC Periodic Timer IPC Deferred Port Closure IPC Seat Manager IPC BackPressure
    OIR Handler Crash writer Environmental monitor ARP Input ATM Idle Timer AAA high-capacity counters
    AAA_SERVER_DEADTIME Policy Manager DDR Timers Entity MIB API EEM ED Syslog HC Counter Timers
    Serial Background RO Notify Timers SMART GraphIt Dialer event SERIAL A'detect XML Proxy Client
    Inode Table Destroy Critical Bkgnd Net Background IDB Work Logger TTY Background Per-Second Jobs
    DHCPD Timer AggMgr Process dev_device_inserted dev_device_removed mxt5100 sal_dpc_process
    ARL Table Manage ESWILPPM Eswilp Storm Control Process SM Monitor VNM DSPRM MAIN DSPFARM DSP READY
    FLEX DNLD MAIN HDV background Ether-Switch RBCP Monitor AAL2CPS TIMER_CU IGMP Snooping Process
    IGMP Snooping Receiving Process Call Management Dot11 auth Dot1x process Dot11 Mac Auth dot1x
    DTP Protocol PI MATM Aging Proc EtherChnl AAA Server AAA ACCT Proc ACCT Periodic Proc
    AAA Dictionary Recycle CDP Protocol IP Input ICMP event handler MOP Protocols PPP Hooks SSS Manager
    SSS Test Client SSS Feature Manager SSS Feature Timer VPDN call manager L2X Socket process
    L2X SSS manager L2TP mgmt daemon X.25 Encaps Manage EAPoUDP Process IP Host Track Process
    IPv6 RIB Redistribute KRB5 AAA PPP IP Route PPP IPCP IP Traceroute IP Background IP RIB Update
    SNMP Timers CEF process Asy FS Helper TCP Timer Transport Port Agent TCP Protocols COPS L2MM MRD
    IGMPSN RLM groups Process DDP SCTP Main Process IUA Main Process RUDPV1 Main Process bsm_timers
    bsm_xmt_proc CES Client SVC Retry Periodic Socket Timers DHCPD Receive Dialer Forwarder
    IP Cache Ager Adj Manager ATM OAM Input ATM OAM TIMER HTTP CORE RARP Input PAD InCall
    X.25 Background PPP Bind PPP SSS RBSCP Background Inspect Timer DHCPD Database
    Authentication Proxy Timer Auth-proxy AAA Bkgd IPS Timer SDEE Management IPv6 Inspect Timer
    URL filter proc Crypto HW Proc CCVPM_HDSPRM FLEX DSPRM MAIN FLEX DSP KEEPALIVE MAIN
    CRM_CALL_UPDATE_SCAN HDA DSPRM MAIN ENABLE AAA EM Background Process Key chain livekeys LINE AAA
    LOCAL AAA TPLUS VSP_MGR encrypt proc Crypto WUI Crypto Support CCVPM_HTSP VPM_MWI_BACKGROUND
    CCVPM_R2 FB/KS Log HouseKeeping EPHONE MWI BG Process CCSWVOICE IP SNMP http client process
    PDU DISPATCHER QOS_MODULE_MAIN RPMS_PROC_MAIN VoIP AAA crypto engine proc Crypto CA Crypto PKI-CRL
    Crypto SSL Crypto ACL CRYPTO QoS process Crypto INT Crypto IKMP IPSEC key engine IPSEC manual key
    Crypto PAS Proc Crypto Delete Manager Key Proc PM Callback DATA Transfer Process DATA Collector
    AAA SEND STOP EVENT EEM ED CLI EEM ED Counter EEM ED Interface EEM ED IOSWD EEM ED Memory-threshold
    EEM ED None EM ED OIR EEM ED SNMP EEM ED Timer EEM Server Syslog Traps
    trunk conditioning supervisory * trunk conditioning supervisory * VLAN Manager crypto sw pk proc
    EEM Policy Director Syslog VPDN Scal SNMP ENGINE Net Input Compute load avgs Per-minute Jobs
    SSH Event handler SNMP ConfCopyProc SNMP Traps

    ---------------------------------------- IP ADDRESSES ----------------------------------------

    10.1.1.2

    ---------------------------------------- UPTIME ----------------------------------------

    1 hour, 22:17.28

    ---------------------------------------- HOSTNAME ----------------------------------------

    R1.smoke.com

    ---------------------------------------- SNMPcommunities ----------------------------------------

    ---------------------------------------- LAST TERMINAL USERS ----------------------------------------

    smoke

    ---------------------------------------- HARDWARE ----------------------------------------

    2691 chassis
    3620 Chassis Slot
    c2691 Motherboard with Fast Ethernet
    3620 DaughterCard Slot
    3620 DaughterCard Slot
    3620 DaughterCard Slot
    AIM Container Slot 0
    AIM Container Slot 1
    3620 Chassis Slot
    Gt96k FE
    Gt96k FE

    ---------------------------------------- SYSTEM INFO ----------------------------------------

    Cisco IOS Software, 2600 Software (C2691-ADVENTERPRISEK9_SNA-M), Version 12.4(13b), RELEASE SOFTWARE (fc3)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2007 by Cisco Systems, Inc.
    Compiled Tue 24-Apr-07 15:33 by prod_rel_team

    ---------------------------------------- TACACS SERVER ----------------------------------------

    10.1.1.100

    ---------------------------------------- SNMP TRAP SERVER ----------------------------------------

    ---------------------------------------- INTERFACES ----------------------------------------

    FastEthernet0/0
    FastEthernet0/1
    Null0

    ---------------------------------------- INTERFACE DESCRIPTIONS ----------------------------------------

    ---------------------------------------- LOGMESSAGES ----------------------------------------

    Configuration was modified.  Issue "write memory" to save new certificate

What a read-only community gives away here is already a lot: the exact IOS image and version (12.4(13b), built in 2007), which is enough to look up known bugs for it; the hostname and domain; the address of the TACACS+ server, i.e. where the AAA backend lives; the last terminal user "smoke", a valid username to try elsewhere; the interfaces and chassis layout; and a log line revealing that a certificate was just configured. The SNMPcommunities, SNMP TRAP SERVER and INTERFACE DESCRIPTIONS sections came back empty for this router.
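The SNMP exchanges that CAT's -w community guessing, ADMsnmp's read-only/read-write verdict and snmpenum's walk all rely on, shown as an added example; this is not code from the original post or from any of those tools. It encodes and decodes SNMPv1 messages with the standard library only, and instead of a network it uses a constructed fake agent (fake_agent, whose communities and OID values are made up for the example) behind a send(datagram) callable that stands in for a UDP socket to port 161. The write test follows ADMsnmp's approach of a SetRequest on sysName.0, writing the value the agent just returned; the interpretation of error-status 0 as noError and 2 as noSuchName is from RFC 1157.

```python
"""SNMPv1 as ADMsnmp and snmpenum drive it (added example, stdlib only, no network):
GetRequest per candidate community, SetRequest to test write access, GetNext walk.
The agent is constructed in-line; its send(datagram) stands in for a UDP socket to port 161."""
GET, GETNEXT, RESPONSE, SET = 0xA0, 0xA1, 0xA2, 0xA3  # RFC 1157 PDU tags
NO_ERROR, NO_SUCH_NAME = 0, 2                         # RFC 1157 error-status values
SYSNAME_0 = "1.3.6.1.2.1.1.5.0"                       # the OID ADMsnmp probes

def _tlv(tag, body):  # BER tag-length-value; long-form length above 127 bytes
    n = len(body)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + body

def _int(v):  # minimal two's-complement INTEGER
    return _tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))

def _oid(dotted):  # first two arcs packed into one byte, the rest base-128
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out += bytes(reversed(chunk))
    return _tlv(0x06, bytes(out))

def build_message(pdu_type, community, rid, varbinds, error_status=0):
    """Encode one SNMPv1 message; varbinds = [(oid, None for NULL | str)]."""
    vbl = b"".join(_tlv(0x30, _oid(o) + (b"\x05\x00" if v is None else _tlv(0x04, v.encode())))
                   for o, v in varbinds)
    pdu = _tlv(pdu_type, _int(rid) + _int(error_status) + _int(0) + _tlv(0x30, vbl))
    return _tlv(0x30, _int(0) + _tlv(0x04, community.encode()) + pdu)

def _seq(buf):  # yield (tag, body) for each BER TLV inside a constructed body
    p = 0
    while p < len(buf):
        tag, n, p = buf[p], buf[p + 1], p + 2
        if n & 0x80:  # long form: low 7 bits give the number of length bytes
            n, p = int.from_bytes(buf[p:p + (n & 0x7F)], "big"), p + (n & 0x7F)
        yield tag, buf[p:p + n]
        p += n

def _decode_oid(body):
    arcs, cur = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        cur = (cur << 7) | (b & 0x7F)
        arcs, cur = (arcs + [cur], 0) if not b & 0x80 else (arcs, cur)
    return ".".join(map(str, arcs))

def parse_message(datagram):
    """Decode to (pdu_type, community, request_id, error_status, [(oid, value)])."""
    (_, msg), = _seq(datagram)
    (_, _ver), (_, comm), (ptype, pdu) = _seq(msg)
    (_, rid), (_, err), (_, _idx), (_, vbl) = _seq(pdu)
    binds = []
    for _, vb in _seq(vbl):
        (_, oid), (vtag, val) = _seq(vb)  # OCTET STRING decoded; other types left as None
        binds.append((_decode_oid(oid), val.decode("latin-1") if vtag == 0x04 else None))
    as_int = lambda b: int.from_bytes(b, "big", signed=True)
    return ptype, comm.decode("latin-1"), as_int(rid), as_int(err), binds

def community_access(send, community, rid=1):
    """ADMsnmp's check: any reply proves the community; a SetRequest of sysName.0 to itself succeeds only for read-write."""
    if not (reply := send(build_message(GET, community, rid, [(SYSNAME_0, None)]))):
        return None  # v1 agents drop a wrong community silently
    name = parse_message(reply)[4][0][1]
    reply = send(build_message(SET, community, rid + 1, [(SYSNAME_0, name)]))
    return "read-write" if reply and parse_message(reply)[3] == NO_ERROR else "read-only"

def walk_subtree(send, community, base, rid=100):
    """snmpenum-style walk: GetNext until the reply leaves the subtree or errors out."""
    rows, cur = [], base
    while reply := send(build_message(GETNEXT, community, rid + len(rows), [(cur, None)])):
        _, _, _, err, binds = parse_message(reply)
        if err != NO_ERROR or not binds[0][0].startswith(base + "."):
            break
        rows.append(binds[0])
        cur = binds[0][0]
    return rows

def fake_agent(communities, mib):
    """Constructed stand-in for R1 (not a real agent): communities name->"ro"/"rw", mib OID->str."""
    key = lambda o: [int(a) for a in o.split(".")]
    def send(datagram):
        ptype, comm, rid, _, binds = parse_message(datagram)
        if comm not in communities:
            return None  # wrong community: discarded, nothing goes back on the wire
        oid = binds[0][0]
        if ptype == GETNEXT:
            later = sorted((o for o in mib if key(o) > key(oid)), key=key)
            oid = later[0] if later else None
        if (ptype == SET and communities[comm] != "rw") or oid not in mib:
            return build_message(RESPONSE, comm, rid, binds, NO_SUCH_NAME)
        return build_message(RESPONSE, comm, rid, [(oid, mib[oid])])
    return send

if __name__ == "__main__":
    agent = fake_agent({"private": "ro"}, {SYSNAME_0: "R1.smoke.com",
                       "1.3.6.1.2.1.2.2.1.2.1": "FastEthernet0/0", "1.3.6.1.2.1.2.2.1.2.2": "FastEthernet0/1"})
    print([(c, community_access(agent, c)) for c in ("router", "cisco", "public", "private")])
    print(walk_subtree(agent, "private", "1.3.6.1.2.1.2.2.1.2"))  # ifDescr rows, like snmpenum's INTERFACES
```

Against a real target, replace fake_agent with a function that sends the datagram over UDP to port 161 and returns the reply, or None once a timeout expires; the timeout is what turns a silently dropped community into the "invalid" verdict. Keep in mind that a "read-write" result means the SetRequest really did rewrite sysName.0 on the router, so even this value-preserving write has to be inside the engagement's scope.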

Source: https://www.cnblogs.com/smoke520/p/18370541
