SUMMARY

There is more to Cisco dictionary and bruteforcing attacks than meets the eye. First of all, the way an attacker searches for vulnerable hosts is of paramount importance. This is not the thorough enumeration we have considered in the previous chapters, but rather a fast, specific service discovery with multithreaded scanning applied.

Then, many services on routers, switches, and other devices can be attacked , and a selection of passwords and usernames used to do that is quite intelligent , taking into account device type, hostname, service type, management software type, and other factors.

One of the main ways of taking over Cisco hosts on the Internet is via guessable SNMP communities. Once you've got hold of a read-write SNMP community, you can do with the device anything you want. In many cases, you don't even need to log in. We have analyzed such cases in great detail, providing appropriate SNMP commands for maximum remote control and reconfiguration efficiency. In addition, it is possible to snatch and replace device configuration files from TFTP servers if the filename is known or guessed. Or a cracker can wardial into a router that uses POTS or ISDN lines for remote out-of- band management or as a backup link. None of this is high-class, high-skill hacking, but writing code to do and automate such tasks can be. Nevertheless, this is how the majority of Cisco network devices fall into a cracker's hands and network mayhem begins.