Test Lab V8: Cisco Device and Terminal System

March 21, 2016 by

This is the second part of the test lab v8 write up, in the first part of the article we took down the two system Site and Cabinet from the gateway So in this part, we will see how to find token of Cisco device and Terminal system via gateway

FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

Attacking the CISCO: We fired nmap on the gateway IP by using the following command nmap -sS -sV -Pn -p1-65535

Nmap found two open ports SSH and HTTP we opened the IP and port 8080 from the browser, and it loads an e-mail application. So we already found one valid credential while solving the Site and Cabinet system Ralph Westfall's account. We tried to login by using the credential: RalphWestfall@sas bank.lab / freeman and we successfully logged in.

After login, we started to check all emails, and we found something interesting: a VPN password

If we look into network diagram, there is only one network device is there that is Cisco router. Now we will try to get access to the VPN network, for this, we will need two specific tools IKEforce and IKEscan. We will start from IKEscan by using the following command sudo ike-scan -M --id=test -A In the command -M is for readable out, -A is for aggressive mode and --id is for random group name which was necessary to run this tool.

As can be seen above in screenshot what information we have:

  • Enc=3DES
  • Hash=SHA1
  • Group=2:modp1024
  • Auth=psk

Now we will use IKEforce for enumerating the valid VPN group name. We will do brute force by using default dictionary of IKEforce by using the following command sudo ./ikeforce.py -e -w -wordlists/groupnames.dic -t 5 2 1 2. In the command -t parameter is to specify encryption-type, hash, group and authentication method that we found from IKEscan. There is a table into the tool readme file which can be seen below for reference:

After running the tool, we found the correct group id which is vpn.

Now we have the valid group id, so we will re-run the ike-scan tool for capturing the PSK handshake by using the following command sudo ike-scan -M --id=vpn -A -Pcapture.psk

After running the scan now we have the capture.psk file

Now we will try to crack the psk file by using brute force. There is a psk-crack tool available with IKEScan tool package. We ran brute force attack by using the following command psk-crak -d /usr/share/wordlists/rockyou.txt capture.psk

As can be seen, above we found the correct key value which is cicso123.

Now we have relevant details to connect to VPN as of now we have the following things:

  • Gateway IP -
  • IPSec ID - vpn
  • IPSec secret -cisco123
  • Username - westfall
  • Password - AiWa8ahk

We tried to connect by using vpnc, and as can be seen, below we successfully connected to the Cisco device.

For verifying that the Internet is working or not we tried to ping Google, but we are unable to ping. But when we tried to ping Google's IP we are getting a response.

It looks like DNS resolution issue so we opened the /etc/resolv.conf for troubleshooting the issue, and we found the Token there.

Attacking the TERMINAL: We have the VPN connection now so we can attack this machine which is on a different network. Before running any tool, we need to make sure that we are connected to Cisco VPN, and then we start port scan by using the following command: nmap -sS -sV -Pn -A

By looking at the ports, it looks like this system is vulnerable to that famous netapi vulnerability, port 445 is open which runs samba service and it's highly vulnerable to remote exploit. We fired Metasploit by using the following commands:

  • use exploit/windows/smb/ms08_067_netapi
  • set payload windows/meterpreter/bind_tcp
  • set RHOST
  • exploit

The exploit worked smoothly, and we have a meterpreter session now. We used a post exploitation module, and it added an extra user test on the system by using the following command run getgui -u test -p test

Now we can login with our user test/test in the Terminal system.

Once we logged in into the system, and we started looking for the token file. Start->Administrative Tools->Computer Management, now click on Local Users and Groups->Users and done we found our token in westfall's account description.

Our job is not done here whenever we root any system we browse the whole system for other files and information which will help to root another system in the network. As can be seen, below there are multiple users in the system it could be possibility that may be some of the users are being active on another system so we will dump all hashes for all users via meterpreter session by using the following command: run hashdump

Copied all hashes in text file and cracked it by using Ophcrack tool we used XP fast and XP small tables and these are the following cracked hashes:

Another thing what we found from the westfall's desktop a ppk file generated from Putty.

We copied the ppk file in our local system. Now we have to convert this ppk file to OpenSSH format for this we will be using Puttygen tool. Open the tool and click load.

Select the ppk file then go to Conversions>Export OpenSSH key

And in the output, we will get the SSH private key.

FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

Now we are done with the Terminal system.



Warlock works as a Information Security Professional. He has quite a few global certifications to his name such as CEH, CHFI, OSCP and ISO 27001 Lead Implementer. He has experience in penetration testing, social engineering, password cracking and malware obfuscation. He is also involved with various organizations to help them in strengthening the security of their applications and infrastructure.