Description of Cisco IOS Vulnerabilities

Explanatory Essay
1869 words

In the computer age, vulnerabilities and back doors into devices are proving heaven for hackers and hell for administrators. Every week, it seems, new vulnerabilities are discovered in different devices. Cisco IOS is no different, and numerous vulnerabilities have been found in Cisco devices. The aim of this report is to research vulnerabilities in Cisco's IOS operating system. Tools available in Backtrack 5 will be used to exploit the vulnerabilities, and GNS3 will be used to set up a working topology that runs alongside Backtrack 5 so the tools can be demonstrated. The report also contains screenshots of the tools to aid the reader's understanding.

2. Cisco IOS Vulnerabilities

3. GNS3 Setup

A network topology in GNS3 (Graphical Network Simulator) is used in conjunction with Backtrack 5 to demonstrate the Cisco exploit tools. The topology consists of three routers connected to one switch, which is in turn connected to a cloud. The cloud acts as Backtrack. The network address is Each router is configured with a separate IP address in that network. Backtrack is connected to the cloud on the same VMnet custom network (see Figure 3-1 below).

Figure 3-1. GNS3 Topology.

4. Cisco Auditing Tool

The Cisco Auditing Tool's main function is to scan Cisco routers for well-known vulnerabilities. The tool performs three main tasks: it brute-forces the telnet password if telnet is running, it brute-forces the Simple Network Management Protocol (SNMP) community strings, and it checks for the IOS history bug (Ali and Heriyanto, 2011, p. 144).

Telnet is a program that connects a PC to the server or router on the network. The default port for telnet is 23. SNMP is a p...

... middle of paper ...


Aharoni, M. and Hidalgo, W. M. (2010) Cisco SNMP configuration attack with a GRE tunnel [online] available from <> [08 March 2014].

Faircloth, J., Beale, J., Temmingh, R., Meer, H., van der Walt, C. and Moore, H. D. (2006) Penetration Tester's Open Source Toolkit. 3rd edn. Massachusetts: Elsevier Syngress Publishing.

Orrey, K. (2008) Cisco Torch [online] available from <> [08 March 2014].

Ali, S. and Heriyanto, T. (2011) BackTrack 4: Assuring Security by Penetration Testers. 1st edn. Birmingham: Packt Publishing.

Omella, A. A. and Berrueta, D. B. (2010) Yersinia Man Page [online] available from <> [08 March 2014].

In this essay, the author

  • Explains that vulnerabilities and back doors into devices are proving heaven for hackers and hell for administrators, and that the report aims to research vulnerabilities in Cisco's IOS operating system.
  • Describes how GNS3 (Graphical Network Simulator) is used in conjunction with Backtrack 5 to demonstrate the Cisco exploit tools.
  • Explains that the default telnet password for Cisco is 'cisco', and that the password was found very quickly because the small password list file contains only slight variations of it.
  • Advises network administrators to be aware that telnet sends information in plain text and is open to a plethora of attacks.
  • Recommends using a combination of username and password on telnet, as it increases the time it could take a hacker to brute-force them.
  • Explains that the Cisco Auditing Tool is a limited tool because it only discovers telnet passwords.
  • Explains that when no telnet password is set, the router is not vulnerable to this type of attack.
  • Explains how the scanner reveals that the default telnet password is set on the router.
  • Explains that if the default Cisco enable password is set on the router, the OCS scanner will identify it along with the telnet password.
  • Reports the scanner output "password telnet and enable mode are set to default! IP router vulnerable".
  • Describes Cisco Passwd Scanner as a tool that scans class A, B, or C IP address ranges for Cisco routers that haven't changed their default password.
  • Explains that the routers in the topology were not configured with line vty passwords, so the Cisco scanner doesn't return a result.
  • Explains that the routers were configured with the default password 'cisco' on the vty terminal.
  • Explains that the Cisco Passwd Scanner tool has limited functionality and is rendered ineffectual if a different password is set for line vty.
  • Analyzes how the brute-force attack on the router reveals that the community strings are set to public and private.
  • Explains that the snmpcheck tool checks the community strings to determine whether they are read/write or read-only, and that the community string public on the router from the topology has been inadvertently set to read
  • Explains that the public community string is set to read/write, making the router configuration vulnerable.
  • Explains that the configuration file is sent to the log viewer on the tftpd server.
  • Explains that John the Ripper is a widely used password cracker.
  • Explains that Question Defence (2012) copy-router-config is available from Backtrack 5 under Vulnerability Assessment, Network Assessment, Cisco Tools.
  • Explains Null Byte (2014) Hack Like a Pro: How to Crack Private & Public SNMP Passwords Using onesixtyone.
  • Describes the features of the Penetration Tester's Open Source Toolkit.
  • Explains that the Cisco Auditing Tool's main function is to scan Cisco routers to look for well-known vulnerabilities.
  • Explains that if the telnet password is not set to a default value, it is easy to brute-force the password.
  • Explains that an Nmap scan is one of the most efficient ways to discover the open ports on a router or network.
  • Describes how Cisco OCS scans a range of IP addresses on Cisco routers looking for the default telnet and enable passwords.
  • Explains that virtual teletype (vty) is used to connect to the daemon via telnet, and that a simple topology set up in GNS3 easily demonstrates the tool.
  • Explains that the Cisco scanner scans the network searching for the company's default password on line vty.
  • Explains that the Copy Cisco Router Config tool only works if the router is configured with the read/write (RW) community string.
  • Explains that the copy router config tool copies the router configuration file and a Trivial File Transfer Protocol (TFTP) server stores the copied configuration files.
  • Explains that the config file is viewable from the tftpd server folder, where an attacker can view sensitive information like usernames and passwords.
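Every tool the essay demonstrates succeeds against the same handful of configuration mistakes: a default vty password of 'cisco' reachable over plain-text telnet, a line password with no username, an `enable password` that is stored recoverably, and the default `public`/`private` SNMP community strings, with a read/write community being what allows the configuration file to be copied off the router. The script below is an added example, not part of the essay or of any tool it describes: it audits a Cisco IOS running-config text for exactly those settings and reports a finding for each. Both configuration samples are constructed for this example, the finding codes are invented here, the SNMP command parse is simplified (the `view` form is not handled), and treating a missing `transport input` as permitting telnet is an assumption noted in the code.

```python
"""Audit a Cisco IOS running-config for the weak settings the essay's tools rely on.
Added example: finding codes, parsing rules and both sample configs are constructed."""
import re
from typing import List, Tuple

DEFAULT_SECRETS = {"cisco", "public", "private"}  # defaults the essay reports

# Constructed sample of the kind of configuration the essay's tools succeed against.
WEAK_CONFIG = """\
enable password cisco
snmp-server community public RO
snmp-server community private RW
!
line vty 0 4
 password cisco
 login
 transport input telnet
"""

# Constructed sample of a hardened configuration (placeholder hashes, not real ones).
HARDENED_CONFIG = """\
enable secret 5 $1$PLACEHOLDER$hash
username admin secret 5 $1$PLACEHOLDER$hash
access-list 10 permit 192.0.2.10
snmp-server community Str0ngR0nly RO 10
line vty 0 4
 login local
 transport input ssh
"""

Finding = Tuple[str, str]  # (finding code, offending config line)

def split_sections(config: str) -> List[Tuple[str, List[str]]]:
    """Group the config into (top-level command, [indented sub-commands]) pairs."""
    sections: List[Tuple[str, List[str]]] = []
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue  # blank lines and IOS '!' separators carry no settings
        if line.startswith(" ") and sections:
            sections[-1][1].append(line.strip())
        else:
            sections.append((line, []))
    return sections

def audit_snmp(header: str) -> List[Finding]:
    """Flag default, read/write or ACL-less communities (simplified parse; 'view' form not handled)."""
    m = re.match(r"snmp-server community (\S+)(.*)$", header)
    if not m:
        return []
    community, tokens = m.group(1), m.group(2).split()
    mode = "RW" if any(t.upper() == "RW" for t in tokens) else "RO"
    acl = tokens[-1] if tokens and tokens[-1].upper() not in ("RO", "RW") else None
    findings: List[Finding] = []
    if community.lower() in DEFAULT_SECRETS:
        findings.append(("snmp-community-default", header))
    if mode == "RW":  # a RW community is what lets a client pull or replace the config
        findings.append(("snmp-community-rw", header))
    if acl is None:
        findings.append(("snmp-community-no-acl", header))
    return findings

def audit_vty(header: str, body: List[str]) -> List[Finding]:
    """Flag default line passwords, line-password-only login and telnet on vty lines."""
    findings: List[Finding] = []
    transport = None
    for cmd in body:
        m = re.match(r"password(?: \d)? (\S+)$", cmd)
        if m and m.group(1).lower() in DEFAULT_SECRETS:
            findings.append(("vty-password-default", f"{header}: {cmd}"))
        if cmd == "login":  # plain 'login' checks only the line password, no username
            findings.append(("vty-line-password-only", f"{header}: {cmd}"))
        if cmd.startswith("transport input"):
            transport = cmd.split()[2:]
    # Assumption: a missing 'transport input' counts as allowing telnet (the default varies).
    if transport is None or any(t in ("telnet", "all") for t in transport):
        shown = " ".join(transport) if transport else "<not set>"
        findings.append(("vty-telnet-allowed", f"{header}: transport input {shown}"))
    return findings

def audit_config(config: str) -> List[Finding]:
    """Run every check over a running-config text and return all findings."""
    findings: List[Finding] = []
    for header, body in split_sections(config):
        m = re.match(r"enable password(?: (\d))? (\S+)$", header)
        if m:  # 'enable password' (type 0/7) is recoverable; 'enable secret' is hashed
            enc, value = m.groups()
            if enc in (None, "0") and value.lower() in DEFAULT_SECRETS:
                findings.append(("enable-password-default", header))
            findings.append(("enable-password-not-secret", header))
        findings.extend(audit_snmp(header))
        if header.startswith("line vty"):
            findings.extend(audit_vty(header, body))
    return findings

if __name__ == "__main__":
    for code, where in audit_config(WEAK_CONFIG):
        print(f"{code:28} {where}")
```

Run against the weak sample it reports ten findings (two for the enable password, two for the `public` community, three for the `private` RW community, three for the vty lines) and none against the hardened sample, which is the shape a remediation check in a change pipeline should take: feed it the output of `show running-config` and fail the build on any finding.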