Sunday, July 14, 2019

Cisco IOS & SNMP: A backdoor into devices you can't access.





We've all been there. You desperately need to get into a router or a switch, but every username and password you try doesn't seem to work. Or even worse: you can ping the device and see it in CDP, but SSH isn't replying (presumably because the device doesn't have an RSA key) and telnet is disabled. If you were close to the device, sure, you could walk over to it and console in. What if that's not an option? Reload and do password recovery?? Well, maybe not. In today's super quick post I want to give you an alternative if SNMP is enabled and you know the read-write community string.

Ingredients:

  1. Router you can't log into.
    1. SNMP read-write community string
  2. SNMP tools installed on your machine. (e.g. net-snmp for Windows)
  3. TFTP Server running on your machine.
  4. Deep breaths. Seriously, calm down. You're locked out of a router, it's not the end of the world or anything Eddie. Yeah, I'm calling you out Eddie.

Don't Panic

Now that you're definitely not panicking, let's open a command prompt on our machine. Since this is a lab, I'm actually using an Ubuntu docker image in GNS3; however, the process and syntax don't change at all if you're running net-snmp on Windows. Where I'm in bash, you'll be in CMD issuing the exact same commands. My TFTP server is also running on this Ubuntu docker image, but again, this works absolutely fine with SolarWinds' TFTP server or tftpd64. Finally, my device is a router named R1 at 192.168.122.211, and my Ubuntu machine is 192.168.122.93. Let's first confirm the state of things.

root@LX1:~# ssh admin@192.168.122.211
Password:
Password:
Password:
admin@192.168.122.211's password:
Connection to 192.168.122.211 closed by remote host.
Connection to 192.168.122.211 closed.
root@LX1:~#


Yup. Good and locked out. So the first thing I'll need to do is create a file in my TFTP directory that contains the changes I wish to make. For this post I'm just going to change the admin user's password to cisco123. However, get creative with this. You could just as easily modify vty lines to permit telnet temporarily, or disable AAA if it's pointing to TACACS/RADIUS for authentication. So I'll create a small file called 'configme.txt' and put it in my TFTP root directory. Important note here: you don't need to put the full running config in this file, only the changes you wish to merge with the existing config on the router. That is to say, this doesn't overwrite and replace the entire running-config; say it with me, Eddie: "merge". Here's what my file looks like.

root@LX1:~# cat /var/TFTP-ROOT/configme.txt
username admin privi 15 secret cisco123
!
end
root@LX1:~#


Putting the word "end" on a line all by itself lets the router know it's reached the end of the config file. You don't have to do this, but if you don't, the router generates an error saying the config file ended unexpectedly. Alright, now that we have all that set up and our TFTP server is running, let's send our router some commands via SNMP and tell it to download 'configme.txt' and merge it into our running-config. Lucky for me, I happen to know this device has 'write' as a read-write community string.

root@LX1:~# snmpset -c write -v 2c 192.168.122.211 1.3.6.1.4.1.9.9.96.1.1.1.1.2.111 i 1
Created directory: /var/lib/snmp/mib_indexes
iso.3.6.1.4.1.9.9.96.1.1.1.1.2.111 = INTEGER: 1
root@LX1:~# snmpset -c write -v 2c 192.168.122.211 1.3.6.1.4.1.9.9.96.1.1.1.1.3.111 i 1
iso.3.6.1.4.1.9.9.96.1.1.1.1.3.111 = INTEGER: 1
root@LX1:~# snmpset -c write -v 2c 192.168.122.211 1.3.6.1.4.1.9.9.96.1.1.1.1.4.111 i 4
iso.3.6.1.4.1.9.9.96.1.1.1.1.4.111 = INTEGER: 4
root@LX1:~# snmpset -c write -v 2c 192.168.122.211 1.3.6.1.4.1.9.9.96.1.1.1.1.5.111 a 192.168.122.93
iso.3.6.1.4.1.9.9.96.1.1.1.1.5.111 = IpAddress: 192.168.122.93
root@LX1:~# snmpset -c write -v 2c 192.168.122.211 1.3.6.1.4.1.9.9.96.1.1.1.1.6.111 s configme.txt
iso.3.6.1.4.1.9.9.96.1.1.1.1.6.111 = STRING: "configme.txt"
root@LX1:~# snmpset -c write -v 2c 192.168.122.211 1.3.6.1.4.1.9.9.96.1.1.1.1.14.111 i 1
iso.3.6.1.4.1.9.9.96.1.1.1.1.14.111 = INTEGER: 1

Now let's quickly confirm everything works as expected.

root@LX1:~# ssh admin@192.168.122.211
Password:

R1#show ip int br | ex unass
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet1       192.168.122.211 YES DHCP   up                    up

R1#show logging | inc tftp
Jul 14 15:40:49.808: %SYS-5-CONFIG_I: Configured from tftp://192.168.122.93/configme.txt by console
R1#exit
Connection to 192.168.122.211 closed.


What just happened?

All in all we sent six SNMP set requests to the router; I'll quickly break those out here.

  1. "1.3.6.1.4.1.9.9.96.1.1.1.1.2.[random_number] i 1" sets the transfer protocol to TFTP.
  2. "1.3.6.1.4.1.9.9.96.1.1.1.1.3.[random_number] i 1" sets the source file type to network file.
  3. "1.3.6.1.4.1.9.9.96.1.1.1.1.4.[random_number] i 4" sets the destination to running-config.
  4. "1.3.6.1.4.1.9.9.96.1.1.1.1.5.[random_number] a 192.168.122.93" sets the TFTP server address.
  5. "1.3.6.1.4.1.9.9.96.1.1.1.1.6.[random_number] s configme.txt" sets the file name.
  6. "1.3.6.1.4.1.9.9.96.1.1.1.1.14.[random_number] i 1" initiates the transfer.
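Those six OIDs are the columns of one row in the ccCopyTable of CISCO-CONFIG-COPY-MIB, and [random_number] is the row index. The same six sets are exactly what anyone holding the read-write community string can send, so from a defender's point of view an rw community is configuration-level access, and the "%SYS-5-CONFIG_I: Configured from tftp://..." log line above is the artifact it leaves behind. The script below is an added example (mine, not the post's) that decodes an snmpset transcript back into MIB object names and enum values, groups the sets into copy jobs by row index, flags the ones that merge a network file into running- or startup-config, and picks the network-sourced CONFIG_I events out of a syslog sample. The OID and enum values are from CISCO-CONFIG-COPY-MIB; the transcript and log lines are constructed for the demo (row 111 is the post's, row 112 and the other lines are made up).

```python
"""Decode CISCO-CONFIG-COPY-MIB snmpset transcripts and matching IOS syslog lines.
Added example, not part of the original post. OIDs and enums come from
CISCO-CONFIG-COPY-MIB; the sample transcript and log lines are constructed."""
import re
from dataclasses import dataclass, field

# ccCopyEntry: the row template under ccCopyTable in CISCO-CONFIG-COPY-MIB.
CC_COPY_ENTRY = "1.3.6.1.4.1.9.9.96.1.1.1.1"

# Columns of ccCopyEntry the post uses, by column number.
COLUMNS = {2: "ccCopyProtocol", 3: "ccCopySourceFileType", 4: "ccCopyDestFileType",
           5: "ccCopyServerAddress", 6: "ccCopyFileName", 14: "ccCopyEntryRowStatus"}
PROTOCOLS = {1: "tftp", 2: "ftp", 3: "rcp", 4: "scp", 5: "sftp"}
FILE_TYPES = {1: "networkFile", 2: "iosFile", 3: "startupConfig",
              4: "runningConfig", 5: "terminal"}
ROW_STATUS = {1: "active", 2: "notInService", 3: "notReady",
              4: "createAndGo", 5: "createAndWait", 6: "destroy"}
ENUMS = {2: PROTOCOLS, 3: FILE_TYPES, 4: FILE_TYPES, 14: ROW_STATUS}

# One snmpset line: "... <agent> <ccCopyEntry>.<column>.<row> <type> <value>".
SNMPSET_RE = re.compile(
    r"snmpset\b.*?\s(?P<agent>\S+)\s+" + re.escape(CC_COPY_ENTRY)
    + r"\.(?P<col>\d+)\.(?P<row>\d+)\s+(?P<type>[aisu])\s+(?P<value>\S+)")

# IOS syslog line written when a configuration is applied from any source.
CONFIG_I_RE = re.compile(r"%SYS-5-CONFIG_I: Configured from (?P<source>\S+) by (?P<who>.+?)\s*$")
NETWORK_SCHEMES = ("tftp://", "ftp://", "rcp://", "scp://", "sftp://", "http://", "https://")


@dataclass
class CopyRequest:
    """The ccCopyEntry row assembled for one config-copy job."""
    agent: str
    row: int
    fields: dict = field(default_factory=dict)  # MIB column name -> decoded value

    def source_url(self) -> str:
        f = self.fields
        return (f"{f.get('ccCopyProtocol', '?')}://{f.get('ccCopyServerAddress', '?')}"
                f"/{f.get('ccCopyFileName', '?')}")

    def describe(self) -> str:
        f = self.fields
        return (f"{self.agent} row {self.row}: {f.get('ccCopySourceFileType', '?')} "
                f"{self.source_url()} -> {f.get('ccCopyDestFileType', '?')} "
                f"[ccCopyEntryRowStatus={f.get('ccCopyEntryRowStatus', 'unset')}]")

    def is_config_push(self) -> bool:
        """True when a network file is merged into running- or startup-config."""
        f = self.fields
        return (f.get("ccCopySourceFileType") == "networkFile"
                and f.get("ccCopyDestFileType") in ("runningConfig", "startupConfig")
                and f.get("ccCopyEntryRowStatus") in ("active", "createAndGo"))


def parse_snmpset_transcript(text: str) -> list:
    """Group ccCopyEntry sets by (agent, row index) and decode each column."""
    rows = {}
    for line in text.splitlines():
        m = SNMPSET_RE.search(line)
        if not m:
            continue  # not a ccCopyEntry write (responses, sysLocation, ...)
        col, row = int(m["col"]), int(m["row"])
        value = m["value"].strip('"')
        if col in ENUMS and value.isdigit():
            value = ENUMS[col].get(int(value), f"unknown({value})")
        req = rows.setdefault((m["agent"], row), CopyRequest(m["agent"], row))
        req.fields[COLUMNS.get(col, f"column{col}")] = value
    return list(rows.values())


def parse_config_i(line: str):
    """Return {'source': ..., 'who': ...} for a %SYS-5-CONFIG_I line, else None."""
    m = CONFIG_I_RE.search(line)
    return {"source": m["source"], "who": m["who"]} if m else None


def is_network_config_load(line: str) -> bool:
    """True when the applied configuration was fetched over the network."""
    parsed = parse_config_i(line)
    return bool(parsed) and parsed["source"].startswith(NETWORK_SCHEMES)


def network_config_loads(lines) -> list:
    return [parse_config_i(l)["source"] for l in lines if is_network_config_load(l)]


# Constructed transcript: the post's row 111, an unrelated sysLocation.0 set,
# and a made-up row 112 that copies running-config to startup-config.
SAMPLE_TRANSCRIPT = """\
root@LX1:~# snmpset -c write -v 2c 192.168.122.211 1.3.6.1.4.1.9.9.96.1.1.1.1.2.111 i 1
iso.3.6.1.4.1.9.9.96.1.1.1.1.2.111 = INTEGER: 1
root@LX1:~# snmpset -c write -v 2c 192.168.122.211 1.3.6.1.4.1.9.9.96.1.1.1.1.3.111 i 1
root@LX1:~# snmpset -c write -v 2c 192.168.122.211 1.3.6.1.4.1.9.9.96.1.1.1.1.4.111 i 4
root@LX1:~# snmpset -c write -v 2c 192.168.122.211 1.3.6.1.4.1.9.9.96.1.1.1.1.5.111 a 192.168.122.93
root@LX1:~# snmpset -c write -v 2c 192.168.122.211 1.3.6.1.4.1.9.9.96.1.1.1.1.6.111 s configme.txt
root@LX1:~# snmpset -c write -v 2c 192.168.122.211 1.3.6.1.4.1.9.9.96.1.1.1.1.14.111 i 1
root@LX1:~# snmpset -c write -v 2c 192.168.122.211 1.3.6.1.2.1.1.6.0 s lab-rack-3
root@LX1:~# snmpset -c write -v 2c 192.168.122.211 1.3.6.1.4.1.9.9.96.1.1.1.1.3.112 i 4
root@LX1:~# snmpset -c write -v 2c 192.168.122.211 1.3.6.1.4.1.9.9.96.1.1.1.1.4.112 i 3
root@LX1:~# snmpset -c write -v 2c 192.168.122.211 1.3.6.1.4.1.9.9.96.1.1.1.1.14.112 i 4
"""

# Constructed syslog sample: the post's TFTP line plus ordinary events.
SAMPLE_SYSLOG = [
    "Jul 14 15:40:49.808: %SYS-5-CONFIG_I: Configured from tftp://192.168.122.93/configme.txt by console",
    "Jul 14 15:52:10.101: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.168.122.93)",
    "Jul 14 15:52:11.300: %SYS-5-CONFIG_I: Configured from memory by console",
    "Jul 14 15:53:00.000: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1, changed state to up",
]

if __name__ == "__main__":
    for req in parse_snmpset_transcript(SAMPLE_TRANSCRIPT):
        print(f"[{'CONFIG PUSH' if req.is_config_push() else 'ok'}] {req.describe()}")
    for src in network_config_loads(SAMPLE_SYSLOG):
        print("config applied from network source:", src)
```

Run stand-alone it prints one line per copy job, with row 111 flagged as a config push and row 112 (a plain running-config to startup-config save) left alone, followed by the single network-sourced CONFIG_I event. Feeding it a packet-capture decode or a syslog export instead of the constructed samples is the intended use.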

If you look above, my [random_number] was 111. Now if I wanted to issue these commands again, maybe to change the file name or TFTP server address, I'd need to pick a new random number, because row 111 already exists on the router. Re-running those snmpset commands with the same random number as before errors out, as seen here:

root@LX1:~# snmpset -c write -v 2c 192.168.122.211 1.3.6.1.4.1.9.9.96.1.1.1.1.5.111 a 192.168.122.93
Error in packet.
Reason: inconsistentValue (The set value is illegal or unsupported in some way)
Failed object: iso.3.6.1.4.1.9.9.96.1.1.1.1.5.111


However, if I change .111 to .112, we're back in business.

root@LX1:~# snmpset -c write -v 2c 192.168.122.211 1.3.6.1.4.1.9.9.96.1.1.1.1.2.112 i 1
iso.3.6.1.4.1.9.9.96.1.1.1.1.2.112 = INTEGER: 1
root@LX1:~# snmpset -c write -v 2c 192.168.122.211 1.3.6.1.4.1.9.9.96.1.1.1.1.3.112 i 1
iso.3.6.1.4.1.9.9.96.1.1.1.1.3.112 = INTEGER: 1
root@LX1:~# snmpset -c write -v 2c 192.168.122.211 1.3.6.1.4.1.9.9.96.1.1.1.1.4.112 i 4
iso.3.6.1.4.1.9.9.96.1.1.1.1.4.112 = INTEGER: 4
root@LX1:~# snmpset -c write -v 2c 192.168.122.211 1.3.6.1.4.1.9.9.96.1.1.1.1.5.112 a 192.168.122.93
iso.3.6.1.4.1.9.9.96.1.1.1.1.5.112 = IpAddress: 192.168.122.93
root@LX1:~# snmpset -c write -v 2c 192.168.122.211 1.3.6.1.4.1.9.9.96.1.1.1.1.6.112 s configme.txt
iso.3.6.1.4.1.9.9.96.1.1.1.1.6.112 = STRING: "configme.txt"
root@LX1:~# snmpset -c write -v 2c 192.168.122.211 1.3.6.1.4.1.9.9.96.1.1.1.1.14.112 i 1
iso.3.6.1.4.1.9.9.96.1.1.1.1.14.112 = INTEGER: 1
root@LX1:~#


Best of luck getting back into your devices. That's it for this post.







