I am hopeful that the information shared makes both network administrators and security professionals aware of these misconfigurations and provides a reference to further improve securing Cisco networks.

nmap -sU -p69 --script tftp-enum.nse

Figure 20: Port Descriptions

4.0 Conclusion

As I briefly demonstrated, obtaining a Cisco configuration file could provide an attacker the required information to establish a foothold and laterally move across a network.

Since TFTP does not provide a directory listing, the NSE script performs basic enumeration of common Cisco configuration file names. It will prompt you for the IP address of the TFTP server as well as the source name and destination file names for.

2.0 Configuration File Download

2.1 TFTP

After identifying a TFTP server during the reconnaissance phase, I will rescan the exposed TFTP server port utilizing Nmap with the tftp-enum.nse script. The copy command is fairly straightforward.

Not only do configuration files provide information regarding the device, but they also provide additional avenues for further enumeration and possible lateral movement, such as physical and logical neighbor relations, password reuse, user enumeration, and applied access control lists (ACLs).

Each one of these services provides an avenue to exploit a misconfiguration to download a Cisco configuration file.

Cisco configuration files can provide a wealth of knowledge for an attacker.

Today, I have taken that knowledge and used it to demonstrate how to compromise networks so that I can help clients strengthen their security posture.

During the reconnaissance phase of a penetration test, I typically look for exposed TFTP, SNMP, and Cisco Smart Install (SMI) services on a network.

During that time, I performed best practice assessments aimed at identifying misconfigurations that could lead to a network compromise.
Prior to making a career change to offensive security, I spent over 15 years working for a Cisco partner designing and implementing enterprise and VoIP networks.

By Michael Bond in Penetration Testing, Security Testing & Analysis

1.0 Intro

You can use your router's flash to store configuration files and make them available for download via TFTP as well.