In this article we will learn about Test Lab V8: Cisco Device and Terminal System.
Information about Cisco Device and Terminal System
This is the second part of the v8 test lab write-up. In the first part we cleared the two systems Site and Cabinet behind the gateway 192.168.101.6; in this part we will see how to find the Cisco device and Terminal system tokens through the gateway 192.168.101.7.
Attacking the CISCO: We ran nmap against the gateway IP with the following command: nmap -sS -sV -Pn -p1-65535 192.168.101.7
Nmap found two open ports, SSH and HTTP. Opening the IP on port 8080 in the browser loads an email application. We had already found one valid credential while solving Ralph Westfall's account in the Site and Cabinet system, so we tried logging in with RalphWestfall@sas bank.lab / freeman and it worked.
After logging in we went through all the emails and found something interesting: a VPN password.
Looking at the network diagram, there is only one network device, a Cisco router. We will now try to get onto the VPN, which needs two specific tools: IKEforce and ike-scan. We start with ike-scan using the following command: sudo ike-scan -M --id=test -A 192.168.101.7. In this command -M selects readable multi-line output, -A selects aggressive mode, and --id supplies a group name (any placeholder will do at this stage, but the tool requires one).
The screenshot above shows the information we obtained:
We will now use IKEforce to enumerate a valid VPN group name, brute-forcing with the default IKEforce dictionary: sudo ./ikeforce.py 192.168.101.7 -e -w wordlists/groupnames.dic -t 5 2 1 2. With -t we specify the encryption type, hash, group and authentication method found by ike-scan. The tool's readme contains a table of these values, shown below for reference:
After running the tool we found the correct group id, which is vpn.
Now that we have a valid group id, we re-run ike-scan to capture the PSK handshake: sudo ike-scan -M --id=vpn -A 192.168.101.7 -Pcapture.psk
After the scan we have the capture.psk file.
Next we brute-force the PSK file with psk-crack, which ships with the ike-scan toolkit, using a wordlist: psk-crack -d /usr/share/wordlists/rockyou.txt capture.psk
As you can see above, we found the correct key, which is cisco123.
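From the defender's side, the weakness used above is IKEv1 aggressive mode: the PSK-derived authentication hash is sent before the channel is encrypted, so a captured handshake can be brute-forced offline exactly as psk-crack did here. The following Python is an added example, not code from the original write-up: it parses the ISAKMP header (RFC 2408) from UDP/500 payloads and flags aggressive-mode initiations so a sensor can alert on them; the packet bytes are constructed samples, not captures from the lab.

```python
import struct
from dataclasses import dataclass

# ISAKMP header, RFC 2408 section 3.1: 28 bytes, network byte order.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")

# IKEv1 exchange types (IKEv2 uses 34..37 with major version 2).
EXCHANGE_AGGRESSIVE = 4
EXCHANGE_MAIN_MODE = 2


@dataclass
class IsakmpHeader:
    initiator_spi: bytes
    responder_spi: bytes
    next_payload: int
    major: int
    minor: int
    exchange_type: int
    flags: int
    message_id: int
    length: int


def parse_isakmp_header(payload: bytes) -> IsakmpHeader:
    """Decode the fixed ISAKMP header at the start of a UDP/500 payload."""
    if len(payload) < ISAKMP_HDR.size:
        raise ValueError("truncated ISAKMP header")
    ispi, rspi, nxt, ver, xchg, flags, mid, length = ISAKMP_HDR.unpack_from(payload)
    return IsakmpHeader(ispi, rspi, nxt, ver >> 4, ver & 0x0F, xchg, flags, mid, length)


def is_ikev1_aggressive_init(payload: bytes) -> bool:
    """True for the first message of an IKEv1 aggressive-mode exchange:
    major version 1, exchange type 4, responder SPI still all zero."""
    try:
        h = parse_isakmp_header(payload)
    except ValueError:
        return False
    return h.major == 1 and h.exchange_type == EXCHANGE_AGGRESSIVE and h.responder_spi == bytes(8)


def scan_udp500(packets):
    """Return hex initiator SPIs of aggressive-mode initiations, for alerting."""
    return [parse_isakmp_header(p).initiator_spi.hex()
            for p in packets if is_ikev1_aggressive_init(p)]


# Constructed samples (header only): an aggressive-mode probe like ike-scan -A,
# a main-mode first message, and an IKEv2 IKE_SA_INIT (exchange type 34).
SAMPLE_AGGRESSIVE = ISAKMP_HDR.pack(b"\x11" * 8, bytes(8), 1, 0x10, EXCHANGE_AGGRESSIVE, 0, 0, 28)
SAMPLE_MAIN = ISAKMP_HDR.pack(b"\x22" * 8, bytes(8), 1, 0x10, EXCHANGE_MAIN_MODE, 0, 0, 28)
SAMPLE_IKEV2 = ISAKMP_HDR.pack(b"\x33" * 8, bytes(8), 33, 0x20, 34, 0x08, 0, 28)
```

On Cisco IOS the matching hardening is `crypto isakmp aggressive-mode disable`, combined with a long random PSK or certificate authentication instead of a dictionary word like cisco123.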
We now have all the details needed to connect to the VPN:
- Gateway IP – 192.168.101.7
- IPSec ID – vpn
- IPSec secret – cisco123
- Username – westfall
- Password – AiWa8ahk
We connected using vpnc and, as can be seen below, successfully reached the Cisco device.
To verify whether the internet was reachable we tried to ping Google, which failed, but pinging Google's IP address directly got a response.
That looked like a DNS resolution issue, so we opened /etc/resolv.conf to troubleshoot it and found the token there.
TERMINAL Attack: Now that we have a VPN connection we can attack the machine on the other network. Before running any tool we make sure we are connected to the Cisco VPN, then start a port scan with the following command: nmap -sS -sV -Pn -A 192.168.0.2
Looking at the ports, this system appears vulnerable to the famous netapi vulnerability: port 445, where the SMB/Samba service listens, is open and is highly exposed to remote exploitation. We started Metasploit and set the following options:
set payload windows/meterpreter/bind_tcp
set RHOST 192.168.0.2
The exploit worked smoothly and we have a meterpreter session. We then used a post-exploitation module to add an extra user, test, to the system with the following command: run getgui -u test -p test
Now we can log in to the Terminal system with our user test/test.
Once logged in, we started looking for the token. We went to Start -> Administrative Tools -> Computer Management, then Local Users and Groups -> Users, and found our token in the description of the westfall account.
Our work is not done here: whenever we root a system we go through it for other files and information that could help root another system on the network. As you can see below, there are multiple users on this system, and some of them may be active elsewhere, so we dumped the hashes of all users from the meterpreter session with the following command: run hashdump
We copied all the hashes into a text file and cracked them with Ophcrack using the XP fast and XP small tables; the cracked hashes are shown below:
Now we are done with the Terminal system.