Codebase list cisco-torch / master README.txt
master

Tree @master (Download .tar.gz)

README.txt @masterraw · history · blame 

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
  #############################################################
  # Cisco Torch Mass Cisco Vulnerability Scanner version 0.4b #
  #############################################################

  ________________________________________________________________
  Born by Arhont Team, 2005.  Special thanks to Boris Chernov, for
  http://www.arhont.com       checking the code and suggestions 
  ----------------------------------------------------------------

Basically, in the process of writing "Hacking Exposed Cisco Networks" we got dissatisfied 
with the Cisco scanners currently available and decided to do our own. Some code
(telnet fingerprint scan and several entries in the telnet fingerprinting database) 
are borrowed from Hackbot - thank you guys for writing an exellent tool! The main 
feature that makes cisco-torch different from similar tools is the extensive use of forking 
to launch multiple scanning processes on the background for maximum scanning efficiency. 
Also, it uses several methods of application layer fingerprinting simultaneoulsy, if needed.
We wanted something fast to discover remote Cisco hosts running Telnet, SSH, Web, NTP, TFTP 
and SNMP services and launch dicitionary attacks against the services discovered, including 
SNMP community attack (you would like the community.txt list :-) and TFTP servers (configuration
file name bruteforcing with following config leeching). The tool can also get device configuration
files automatically if SNMP RW community is found.

It should be fast enough to crunch through a large company or a small country (like UK :-) 
In addition, the tool finds classical, but still relevant Cisco IOS HTTP Auth and Cisco 
Catalyst 3500 XL Remote Arbitrary Command Execution Vulnerabilities. We could 
(and we will) add more vulnerabilities to check for, but mind it we are not interested in 
DoS, only enable :-)

By the way, this seems to be the only tool that does Cisco fingerprinting via NTP, spare for
the NTP Nessus plugin :-) Application layer fingerprinting performed against several services
on the host is fast and reliable. And if none of these services are running, it is unlikely
that you will manage to get into that Cisco box anyway, at least when you aren't on the same
LAN. 

As to the dictionary/bruteforcing attacks, we could've done them faster, but we didn't parallel 
the attacks to get maximum efficiency when attacking large networks (kind of paralleling it by IP's, 
rather than processes). 



DISCLAIMER
+++++++++++

Cisco Torch is written for legitimate penetration testing, network hardening and educational
purposes. The authors are not responsible for any possible misuse of the tool. 



INSTALLATION AND USE
++++++++++++++++++++

1. Make sure that you have the following Perl modules installed:

 Net::hostent;
 Net::Telnet;
 Net::SSH::Perl;
 Net::SNMP;
 Net::SSLeay;

If in Windows without Perl set up, download and install Active Perl binary from http://www.activestate.com/
Then you can install necessary modules listed above with commands like ppm install Net::Telnet, ppm Net::SSH::Perl  
and so on. Or, even better, use Cygwin. The Windows package of the tool is in making, anyways.

2. Modify the variables in the configuration file (torch.conf) to suit your personal taste:

$max_processes=20;
$hosts_per_process=10;
$passfile= "password.txt";
$communityfile="community.txt";
$usersfile="users.txt";
$fingerprintdb = "fingerprint.db";
$tmplogprefix="/tmp/tmplog";
$logfile="scan.log";
$llevel="c";

3. perl cisco-torch.pl and see the options available. You should get an output similar to

 # perl cisco-torch.pl -A 192.168.XXX.XXX

###############################################################
#   Cisco Torch Mass Scanner 0.4b                             #
#   Because we need it...                                     #
#   http://www.arhont.com/tools/cisco-torch.html              #
###############################################################

List of targets contains 1 host(s)
8711:   Checking 192.168.66.202 ...
Fingerprint:                    2552511255251325525324255253311310
Description:                    Cisco IOS host (tested on 2611,2950 and Aironet 1200 AP)
Fingerprinting Successful

Cisco found by SSH banner SSH-1.5-Cisco-1.25

HTTP/1.1 401 Unauthorized
Date: Tue, 25 Jan 2005 00:02:18 GMT
Server: cisco-IOS
Accept-Ranges: none
WWW-Authenticate: Basic realm="level_15_access"

401 Unauthorized

--->
- All scans done. Cisco Torch Mass Scanner 0.4b -
---> Exiting.

It is nicely stored in the scan.log file or whatever you name it. Mention, that if you see a host, 
fingerprinted as Cisco box via Telnet or/and SSH, but not showing up as an IOS-running host 
on a webserver check, it is likely to be a Catalyst. For example, this is Cisco Catalyst 2950:

List of targets contains 1 host(s)
9467:   Checking 192.168.77.254 ...
Fingerprint:                    2552511255251325525324255253311310
Description:                    Cisco IOS host (tested on 2611, 2950 and Aironet 1200 AP)
Fingerprinting Successful

HTTP/1.0 501 Not Implemented
Date: Tue, 25 Jan 2005 03:28:04 0
Content-type: text/html
Expires: Thu, 16 Feb 1989 00:00:00 GMT

<H1>501 Not Implemented</H1>

Keep in mind, that PIX firewalls usually employ HTTPS, not HTTP by default.
Also keep in mind, that on a PIX without aaa authentication the default username for 
the SSH login is "pix". 

By the way, running -A against vast networks is rather slow and is not recommended, so, scanning
/8 with -A may not be a good idea, unless you are a RAM maniac. 



BUGS
++++

It is a beta release and there are probably bugs lurking. 
Please send bug reports and comments to [email protected]



FINGERPRINTS
++++++++++++

Collecting and adding Telnetd fingerprints of Cisco devices using the tool is very easy. 
For now, the fingerprint.db coming with the tool is limited, containing signatures from Hackbot,
TESO Team telnetftp and our testing lab. Please send Cisco-relevant Telnetd fingerprints 
you may discover to us at [email protected] so that we can verify and include them in the future
releases. Also, please add additional devices and comments to what is already in the database. 
We have tested what we have at hand and supplied the signatures with names of the devices tested. 
Of course, this is not precise and there could be more Cisco (or even other vendor) hosts that 
possess mentioned signatures and are not listed. Please take this into account when scanning.  



LICENCE
+++++++

Cisco Torch is released under GNU Lesser General Public License. You should recieve a copy of this license 
together with the tool.