How to use Cisco Global Exploiter
Attack the target host (192.168.99.230) using the Cisco IOS HTTP Auth Vulnerability (3):
root@kali:~# cge.pl 192.168.99.230 3
Vulnerability successful exploited with [http://192.168.99.230/level/17/exec/....] ...
Packages and Binaries:
cisco-global-exploiter
Cisco Global Exploiter (CGE) is an advanced, simple and fast security testing tool.
Installed size: 37 KB
How to install: sudo apt install cisco-global-exploiter
cge.pl
root@kali:~# cge.pl -h
Usage : perl cge.pl <target> <vulnerability number>
Vulnerabilities list :
[1] - Cisco 677/678 Telnet Buffer Overflow Vulnerability
[2] - Cisco IOS Router Denial of Service Vulnerability
[3] - Cisco IOS HTTP Auth Vulnerability
[4] - Cisco IOS HTTP Configuration Arbitrary Administrative Access Vulnerability
[5] - Cisco Catalyst SSH Protocol Mismatch Denial of Service Vulnerability
[6] - Cisco 675 Web Administration Denial of Service Vulnerability
[7] - Cisco Catalyst 3500 XL Remote Arbitrary Command Vulnerability
[8] - Cisco IOS Software HTTP Request Denial of Service Vulnerability
[9] - Cisco 514 UDP Flood Denial of Service Vulnerability
[10] - CiscoSecure ACS for Windows NT Server Denial of Service Vulnerability
[11] - Cisco Catalyst Memory Leak Vulnerability
[12] - Cisco CatOS CiscoView HTTP Server Buffer Overflow Vulnerability
[13] - 0 Encoding IDS Bypass Vulnerability (UTF)
[14] - Cisco IOS HTTP Denial of Service Vulnerability
What is Cisco Global Exploiter :
Cisco Global Exploiter (CGE) is an advanced, simple and fast security testing tool that is able to exploit the most dangerous vulnerabilities of Cisco systems.
How CGE works :
CGE has an intuitive and simple user interface and is run from the command line by supplying two parameters: the target and the vulnerability to exploit.
For more information or a detailed description of all vulnerabilities and how they are exploited, read /doc/documentation.
Cisco has a web page where anybody can report security vulnerabilities, obtain assistance and sign up for security updates. It is also possible to read Cisco's Security Vulnerability Policy there, and the page links to many other pages, from "Secure Development Practice" to "Security Software Updates".
Cisco tries to keep its devices and networks secure and up to date with today's standards, and it has its own Product Security Response Process.
Figure 1
Cisco maintains a very good relationship with the hackers (the security research community) and tries to resolve all reported issues.
According to the Cisco vulnerability statistics, most attacks are Denial of Service attacks; in second place is code execution and in third place is overflow. Over time the number of attacks has been increasing. In the late 90s much more knowledge was needed to attack or hack something than today; with today's technical improvements it does not take as much skill to succeed at hacking.
That is why in the 2000s the "script kiddies" came on stage and did serious damage: they do not know what they are doing, but they can get software to do the hacking for them.
From 2002 to 2003 there was a drop in vulnerabilities, but from 2012 to 2013 there was a jump, with almost three times more vulnerabilities in 2013 than in 2012.
Figure 2
SWITCH
If the device is not configured properly, it can be really vulnerable. On a switch it is possible to create VLANs to improve security: for example, to separate networks while still using the same device, VLANs are good and cost efficient. Layer 2 security is as important as Layer 3 or any other layer's security. Switches have many security features to reduce vulnerability; some of them have a firewall and/or intrusion detection.
If an attacker tried to enter the network, the system would recognize that. Also, in the configuration the network administrator can improve security with the "mac-address sticky" command, for example (just to mention one). That command makes the switch memorize the MAC addresses of the computers that are on the network, and then no other MAC address can send packets through the network.
Switches have a relatively small memory (the CAM table), which is vulnerable: if attackers overflow it (MAC flooding), the switch starts to behave as a hub. That means it sends the packets out on every port, so even computers which are not supposed to receive them do. But there is a way to protect the switch against this vulnerability as well: configure port security and tell the switch to allow only one MAC address on a port, the one the network administrator configured.
Cisco Device Manager Command Execution Vulnerability
Cisco MDS 9000 switches are multilayer SAN switches, and Cisco says that with these it is possible to build scalable storage networks with advanced security features.
Cisco Nexus 5000 switches are capable of Layer 2 and Layer 3 networking. This family is a platform that is part of the Cisco Unified Fabric portfolio.
The Cisco MDS 9000 Family and the Cisco Nexus 5000 Series Switches have a vulnerability which affects the Cisco Device Manager in these devices when it is installed or launched via the Java Network Launch Protocol (JNLP) on a host machine running Microsoft Windows.
This vulnerability means that a remote attacker can execute arbitrary commands on the client host with the privileges of the user. It can only be exploited if the JNLP file is executed on a system running Microsoft Windows. The vulnerability affects the confidentiality, integrity and availability of the client host performing the installation or execution.
Cisco Catalyst 3750-X Series Switch Default Credentials Vulnerability
An attacker can gain root access to the kernel running on the Cisco Service Module. The vulnerability is caused by default credentials. An exploit could allow the attacker to take full control of the operating system running on the service module.
Multiple Vulnerabilities in Cisco ASA 5500 Services Module
The same vulnerabilities exist in different devices, which makes this very serious. There are four vulnerabilities in these devices:
- MSN Instant Messenger (IM) Inspection Denial of Service vulnerability
- TACACS+ Authentication Bypass vulnerability
- Four SunRPC Inspection Denial of Service vulnerabilities
- Internet Locator Service (ILS) Inspection Denial of Service vulnerability
MSN IM Inspection Denial of Service vulnerability
MSN inspection is not enabled by default on the device, and traffic destined to the device itself will not trigger this vulnerability; only transit traffic can. A Denial of Service vulnerability affects the IM inspection feature. The IM inspection feature lets the user control network usage, limit the dissemination of worms, prevent confidential data from leaking, and counter other threats.
TACACS+ Authentication Bypass vulnerability
AAA (Authentication, Authorization, Accounting) enables the ASA to identify who the user is (authentication), what the user can do (authorization) and what the user did (accounting). The Cisco ASA supports TACACS+ authentication for VPN users, firewall sessions, and administrative access to the device.
All of these are vulnerable, but the only way to exploit this vulnerability is if the attacker has access to the network between the ASA and the TACACS+ server. An authentication bypass vulnerability exists in the TACACS+ implementation of the Cisco ASA. Successful exploitation could allow an attacker to bypass TACACS+ authentication of VPN users, firewall sessions, or administrative access to the device.
Sun RPC Inspection Denial of Service vulnerabilities
Sun RPC (Remote Procedure Call) is a protocol that forms the basis of many UNIX services, especially Network File System (NFS) and Network Information Service (NIS), and others such as Mount and PMAP. Sun RPC services can run on any port; the port is learned from the portmapper (PMAP), which usually listens on port 111.
An attacker can cause the device to reload by sending traffic that affects the Sun RPC inspection feature, resulting in a DoS condition.
ILS Inspection Denial of Service vulnerability
ILS inspection is not enabled by default on the device, and traffic destined to the device itself will not trigger this vulnerability; only transit traffic can. A DoS vulnerability affects the ILS inspection feature of the device.
The ILS inspection engine provides Network Address Translation (NAT) support for Microsoft NetMeeting, Site Server, and Active Directory products that use Lightweight Directory Access Protocol (LDAP) to exchange directory information with an ILS server.
ROUTER
A router can be found on the Internet just like everything else, and it is really easy to attack a Cisco router: it is enough to trace our IP address. This can be done from the command line with the "tracert IPaddress" command, which traces the route up to 30 hops. Almost every ISP (Internet Service Provider) routes through a Cisco router.
Figure 3
From the list the trace gives, it is possible to read out which router is a Cisco router, and beside the name we can find its IP address. Once we have the location, we should find out whether the router is protected by a firewall or not. This can be tested very easily by pinging: if the ping comes back, the router probably has no firewall protection, and one of the denial of service (DoS) attacks, the "ping of death", can already be used. That is why the firewall is important for router security as well. The other way to test is to try to connect to the router via telnet (on port 23) and see what happens: if the router asks for a password but no username, there is no firewall in front of it.
Now it is possible to start trying to get into the router. A proxy server should be used so that our IP address is not logged by the router. At first we can try to send a huge password digest, which will freeze the router for a few minutes. It can also happen that the router reboots, in which case it will not be possible to hack into it because it goes offline. But while it is frozen, we can type in the password "admin", the default password for the router, over another proxy connection.
Because we froze the router, while it is frozen it reverts to its default state. But maybe first we could also try the password "cisco", because Cisco drills this routine into students who become network administrators, and they may configure their routers with the default passwords they learnt from Cisco's slides. We should already have HyperTerminal set up so the router can call us. Now that we are logged into the router, we should find the password file and send it to ourselves using HyperTerminal.
We can also find out all the commands we need in the router by using the "?" sign; the router will give us a long list of commands. Once we have the file from the router, we need to give it to John the Ripper to get the password in plain text, because the file is encrypted. Then we can log in to the router any time in the normal way.
It is also possible to exploit a computer which has Cisco software installed and/or is connected to a Cisco device, and get the router's passwords from it. The location is:
C:\Program Files\Cisco Systems\Cisco Connect\settings\settings.xml
In that XML file the attacker can find the following information:
When configuring the router with passwords, the administrator should choose carefully what type of password to set up, because different commands use different encryption, if any, and some send the password through the network in plain text. If the administrator uses "enable password 7", the password is encrypted, but with Cisco Type 7 encryption, which is very weak: a low encryption level, not secure and easy to decrypt. It does not measure up to today's technology and attacks.
For higher security the administrator should use the "enable secret" command when configuring the router, because then the password is stored as an MD5 hash, which provides more security than Type 7 encryption.
Cisco IOS HTTP Server Vulnerability
This vulnerability has been known for 14 years by now, but it is still not closed. The router is only vulnerable if the HTTP server is enabled, which it is not by default, except on the unconfigured Cisco model 1003, 1004 and 1005 routers.
The problem is that the HTTP server gets into an infinite loop, because a function incorrectly parses "%%" when an attempt is made to browse to "http://<router-ip>/%%". A timer expires after 2 minutes and forces the router to crash, after which the router reloads. After reloading it is possible to do the same again; that is, the router is still vulnerable after the reload.
So it is possible to write a program which requests the same URI as soon as the router is back to normal, and this way the router will not be able to do its job.
To fix this vulnerability, the router's IOS should be updated to the latest version, and the router should be properly configured to disable or limit access to the HTTP server. The network administrator could also create an access-list on an interface in the path to the router so that only permitted hosts can reach the HTTP server, or create an access-class and apply it directly to the HTTP server.
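As an added example (not part of the original page or of CGE), the following Python audit flags, in a saved IOS running-config, the weak settings this page discusses: a reversible Type 7 enable password instead of "enable secret", an HTTP server enabled without an access-class, and access ports without port-security (the port-security and sticky MAC commands from the switch section above). The two sample configs are constructed, and the Type 7 string and the secret hash are placeholders, not real encodings.

```python
# Added example: regex-based audit of a saved IOS running-config (not a full parser).
import re
# Constructed sample configs; the Type 7 string and the hash are placeholders.
WEAK_CONFIG = """\
enable password 7 0123456789ABCDEF
ip http server
!
interface GigabitEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
!
interface GigabitEthernet0/2
 switchport mode access
!
"""
HARDENED_CONFIG = """\
enable secret 5 $PLACEHOLDER_HASH$
no ip http server
!
interface GigabitEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
!
"""

def interface_blocks(lines):  # interface name -> its indented sub-commands
    blocks, current = {}, None
    for line in lines:
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            blocks[current] = []
        elif current and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the block
    return blocks

def audit_config(config):
    """Return [(finding_code, detail), ...]; an empty list means nothing flagged."""
    lines = config.splitlines()
    findings = []
    if any(re.match(r"enable password 7 ", l) for l in lines):
        findings.append(("TYPE7_ENABLE", "reversible Type 7 encoding; use 'enable secret'"))
    http_on = any(l.strip() == "ip http server" for l in lines)
    http_acl = any(l.startswith("ip http access-class ") for l in lines)
    if http_on and not http_acl:
        findings.append(("HTTP_UNRESTRICTED", "HTTP server on with no access-class; disable or restrict"))
    for name, body in interface_blocks(lines).items():
        if "switchport mode access" in body and "switchport port-security" not in body:
            findings.append(("NO_PORT_SECURITY", name + ": access port without port-security"))
    return findings
```

Running audit_config(WEAK_CONFIG) reports all three findings (the second interface is the one without port-security), while audit_config(HARDENED_CONFIG) returns an empty list.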
Cisco IOS Software DHCP Denial of Service Vulnerability
A remote attacker can cause a Denial of Service (DoS) condition because of a vulnerability in the DHCP implementation of Cisco IOS Software and Cisco IOS XE Software. The problem is in the DHCP server implementation when it assigns and manages IP version 4 (IPv4) addresses and prefixes.
The DHCP relay agent forwards packets between the client and the server when they are not on the same physical subnet, and the problem occurs when it processes a crafted DHCP packet.
It is important to mention that there is no solution for this vulnerability.
Valid DHCP packets will not trigger this vulnerability. Devices which are configured to manage IP version 6 (IPv6) addresses will not trigger it either.
Undocumented Test Interface in Cisco Small Business Devices
The Cisco WRVS4400N Wireless-N Gigabit Security Router is capable of improving the network's performance and is also compatible with older devices. It has a built-in SPI firewall, Intrusion Prevention System, VLANs and RADIUS, and supports easy-to-use VPN connections. It has more features, but more importantly it also has a vulnerability due to an undocumented test interface: TCP port 32764 is listening. An attacker can gain root-level access and read the device configuration. At the current date there is no solution for this "bug".
Wireless Router
There are many tools to discover and hack into wireless networks. A good network administrator needs to understand how those tools work and should be able to set up a network that is secure against those tools (as well).
Aircrack-ng is a very popular tool; it runs under Windows as well as Linux. A German team developed a new attack method based on work on the RC4 cipher by Adi Shamir, who was also involved in creating the RSA cryptosystem and holds an Erdős Prize. The new attack decreases the number of initialization vectors needed to recover a WEP key. It cannot crack WPA/WPA2 networks; against those only a dictionary attack is possible.
Another tool is Kismet, which can find hidden networks, those which are not broadcasting their SSID, because there is still some data floating in the air.
Airsnort is another popular tool used for recovering a wireless network's WEP key.
The network administrator should hide the network's SSID; even though there are tools which can find it easily, it still protects the network from script kiddies, for example. The network administrator should not use a 40-bit WEP encryption key, because then Airsnort or Aircrack-ng can break in easily and quickly; at least a 128-bit key should be used, because that takes longer to break.
Choosing a good, strong password is important, but it is not worth much if it is sent through the network in plain text. Picking strong encryption is also important; for example, setting up a Virtual Private Network (VPN) can be a good solution.