[goofy]

Hey, I hope one of you in her can help me, I have a little problem I need to get a password to a router on the net. I use telnet to connect the router and then the router ask me for a password, how can I get that password. Some one now any way ore tools I can use to get that password?

I relay hope some one can help me

Sorry for me bad English

[HalCon]

Um here ya go....
You can try default passwords because many dumb admins leave them as the default. Also you can freeze the router in which period the password will be temporarily reset to its default.The default depends on the type of router.

For example the default password for a cisco router may be "admin". While the router is frozen,connect to it and try the defaults.In v4.1 cisco software a HUGE password string is/was enough to freeze the router. Not sureif this bug is fixed. Also you can try other DoS attacks(much of which the router may filter ;-( anyways)...

Once the first password phase is cracked what lies next is getting the enable pass which I would not describe how to do in detail because it all depends onthe software running, type of router etc. Simply get the password file and crack it!


:ph34r:

[goofy]

Thanks fore you help. Its was very use full fore me :)

[tolf]

Does it ask for a userid and password or just password??

If it has userid and pass that means AAA is used and you have to brute force with two factor, if just password try the defaults "cisco" admin etc, run this through a brute forcer as well..

Also if it has HTTP access this exploit will show you the config and line passwords striaght away...

http://cert.uni-stut...07/bin00001.bin

Enjoy

[ST.]

only hammering with bruteforce is possible

[tori]

decryption MD5 is not easy task since most the router password is encrypted with MD5

[tolf]

ST., on Jan 19 2004, 12:14 AM, said:

only hammering with bruteforce is possible

Incorrect . There are many other ways to gain access:

(1) HTTP exploit previously mentioned (in the config ip http server) - if this enabled the majority of cisco devices are affected by this vulnerabilty(up until 12.1 or 2 IOS i think) and you can either execute system commands directly to the router, or obtain the configuration stright off, grab the type seven hash and break it in 1 second (if enable secret is enabled it will take longer). If acls are applied the confguration will show the IP address to spoof (us iterm to grab a connection)...

(2) Scan the device for port for SNMP - check for default or commonly used community strings(public for RO and private for RW). Again if RW SNMP is enabled then you have access to the router to make configuration changes. Use solarwinds SNMP thingy to download and upload the confg.

(3) Scan the device for tftp - if the feature is enabled you can upload a config to the device with no authnetication what so ever.

(4) Many other vulnerabilities inherent to the devices IOS version and type.. ie what does the banner say when you telnet to it? Search on the web for those vulnerabilites.

Go forth young one..

[gman24]

If you can, sniff between someone who has access to the router and the router. When they log on, crack the hash (or if its plaintext, you got it).