Cisco Flash1

8/6/2019 Cisco Flash1

4) Flash file (created from the "qemu-img create FLASH 256M" command)

GNS3-Cisco3745-Multi HowTo. SSH server, Security Device Manager, simple VPN server, eventually IPS cli config

This HowTo will detail installing Cisco SDM into an emulated router in BT4. SDM is a slick GUI that can simplify some configuration tasks, and can be cool to mess around with. Some features may or may not work depending on what IOS version and feature set it is coupled with. I apologize for any redundancy with previous posts, but I like my HowTo's to be as complete as possible, despite this being somewhat of a GNS3 series.

Later on in the post I'll add a simple VPN setup, and demonstrate pivoting with it. I'd like to address command line setup of IPS if I can. I've begun some of the stages, so I'll keep you posted. It was initially intended to tie in with SDM, but I have as yet been unable to get SDM to recognise that my emulated IOS does indeed have IPS included in the feature set.

The primary file needed in this case is
Code:
CisSdM.rar

You'll need to extract it. I like to keep things clean in a working directory.

Code:
root@bt:~# mkdir /root/workspace
root@bt:~# cd /root/workspace
root@bt:~# cp /root/Downloads/CisSdM.rar /root/workspace
root@bt:~# unrar x CisSdM.rar

Then you'll need to copy a list of files. I like to put them into a tarball and then put them on my ftp server. Here's the list
Code:
home.shtml
sdm.tar
common.tar
es.tar
home.tar
sdmconfig-36xx-37xx.cfg
securedesktop-ios-3.1.1.45-k9.pkg
sslclient-win-1.1.4.176.pkg
wlanui.tar
128MB.sdf
256MB.sdf

And tarballing it all... Don't forget to change directories. You should end up in ../SDM-V25/

Code:
root@bt:~# tar -cf sdm-install.tar home.shtml sdm.tar common.tar es.tar home.tar sdmconfig-36xx-37xx.cfg securedesktop-ios-3.1.1.45-k9.pkg sslclient-win-1.1.4.176.pkg wlanui.tar 128MB.sdf 256MB.sdf

and copy it to your ftp root directory. Then configure a 3745 router using this IOS version or something similar

Code:
c3745-advsecurityk9-mz.124-23

For the networking... remember you'll need uml-utilities installed. If you do not have it, run
Code:
root@bt:~# apt-get install uml-utilities

Set up a loopback, add a bridge, plug our ethernet and loopback adapters into the bridge with no IP and promiscuous, then obtain a DHCP lease on the bridge

Code:
root@bt:~# tunctl -t tap0
root@bt:~# brctl addbr br0
root@bt:~# brctl addif br0 tap0
root@bt:~# brctl addif br0 eth0
root@bt:~# ifconfig eth0 0.0.0.0 promisc up
root@bt:~# ifconfig tap0 0.0.0.0 promisc up
root@bt:~# dhclient br0

Now add your IOS image into GNS3. Start your router and console in. Wait until it is finished booting and is idle. Right click and calculate an IDLE-PC value, otherwise your CPU will be loaded hard. Choose a value with a * next to it. Configure your router for SSH, and some other basics. Use 1024 bits for the SSH key when prompted. SDM also requires the user to have level 15 privilege

Code:
Router> enable
Router# conf t
Router(config)# hostname SDM-router
SDM-router(config)# enable password ciscopass
SDM-router(config)# ip domain name pentest-client.com
! the domain name must be set before the RSA key can be generated, and the key
! must exist before IOS accepts 'ip ssh version 2'
SDM-router(config)# crypto key generate rsa
SDM-router(config)# ip ssh authentication-retries 5
SDM-router(config)# ip ssh version 2
SDM-router(config)# line con 0
SDM-router(config-line)# no exec-timeout
SDM-router(config-line)# no session-timeout
SDM-router(config-line)# line vty 0 4
SDM-router(config-line)# no exec-timeout
SDM-router(config-line)# no session-timeout
SDM-router(config-line)# login local
SDM-router(config-line)# transport input ssh
SDM-router(config-line)# exit
SDM-router(config)# username iprouteth0 privilege 15 password 0 ciscopass
SDM-router(config)# int fa0/0
SDM-router(config-if)# ip address dhcp
SDM-router(config-if)# no shut

Then SSH in to the IP that was assigned to your cisco router.
Code:
root@bt:~# ssh iprouteth0@192.168.25.105

And let's set up the HTTPS server, clean the flash and upload our SDM files.

Code:
SDM-router# conf t
SDM-router(config)# no ip http server
SDM-router(config)# ip http secure-server
SDM-router(config)# ip http authentication local
SDM-router(config)# exit
SDM-router# erase flash:
SDM-router# format flash:
SDM-router# archive tar /xtract ftp://192.168.25.254/sdm-install.tar flash:

And now just browse to the router's IP in your browser. Make sure you have Java installed. Some different Java versions allow some SDM features to work properly. I'm not sure which however. Also turn off your pop-up blocker. I am using a Windows VM just to simplify the process as everything was already set up.

Code:
https://192.168.25.105/

Have fun with SDM!

......

And now on to the simple VPN server config. Could be handy for messing around with VPN discovery or bruteforcing tools. I haven't had the time to try some of my ideas as of yet, or other VPN configurations for that matter. The original idea for this came as an idea for a nice way to pivot inside. Suppose you've already compromised your client's cisco router. Maybe it hasn't seen care lately, has an old IOS version that has the level/99 HTTP vulnerability. Well now you've got level 15 access. Now what? Ok, well maybe show arp, and hey, how many records is that in the table? Around 34 entries. Let's ping the IPs! Well some are alive, but if only I could nmap them somehow or use metasploit.......

Router's IP in this scenario is 192.168.25.105, which is sort of representing the public or outside in the config below.

Code:
Router(config)# vpdn enable
Router(config)# vpdn source-ip public.ip.address.here
Router(config)# vpdn-group nemesisvpn
Router(config-vpdn)# accept-dialin
Router(config-vpdn-acc-in)# protocol pptp
Router(config-vpdn-acc-in)# virtual-template 1
Router(config-vpdn-acc-in)# exit
Router(config-vpdn)# exit
Router(config)# interface Virtual-Template 1
Router(config-if)# ip unnumbered fa0/1
Router(config-if)# peer default ip address pool nemesispool
!!&& This command may not be required, forces encryption....
Router(config-if)# ppp encrypt mppe auto required
Router(config-if)# ppp authentication ms-chap ms-chap-v2
Router(config-if)# exit
Router(config)# ip local pool nemesispool 192.168.10.200 192.168.10.254
Router(config)# username vpntest password vpntest
Router(config)# aaa new-model
Router(config)# aaa authentication ppp default local
Router(config)# vpdn enable

Now install your pptp client. I used pptp-linux because it was fairly simple
Code:
root@bt:~# apt-get install pptp-linux

Then connect your PPTP client, and add a static route so you can get there.

Code:
root@bt:~# pptpsetup --create nemesis --server 192.168.25.105 --username iprouteth0 --password ciscopass --start
root@bt:~# route add -net 192.168.10.0 netmask 255.255.255.0 dev ppp0

The 192.168.10.0 network is the inside network we are wanting to pivot to in order to attack in this given scenario.

Let me know if this is useful or interesting for any of you. I'm still working on the SIP/VoIP tools for my previous write-up and working on this howto as well. IPS stuff will be coming, but I'd like to get some videos of the previous processes up first to help illustrate that, then comes IPS. Stay tuned....

Last edited by iproute; 11-29-2010 at 10:31 PM.
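As an added example (not part of iproute's post and not a Cisco tool), a small Python audit that parses an IOS-style running-config and flags the settings the HowTo above leaves in a weak state: `enable password` instead of `enable secret`, the level-15 user stored as `password 0`, `no exec-timeout` on the vty lines, a plain `ip http server`, and a PPTP/MS-CHAP VPDN server. The sample config is constructed from the post's commands, and the finding codes are my own naming.

```python
import re
# Constructed sample of the running-config the HowTo produces (built from the post's commands, not a capture).
SAMPLE_CONFIG = """\
enable password ciscopass
username iprouteth0 privilege 15 password 0 ciscopass
ip http secure-server
vpdn enable
line vty 0 4
 no exec-timeout
 login local
 transport input ssh
"""

def parse_sections(config):
    """Split an IOS config into {"": global lines, header: [indented sub-lines]}."""
    sections, current = {"": []}, ""
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue  # skip blanks and '!' comment lines
        if raw.startswith(" "):
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections[""].append(current)
            sections[current] = []
    return sections

def audit(config):
    """Return (code, detail) pairs for the weak settings the post introduces."""
    sections = parse_sections(config)
    g, findings = sections[""], []
    if any(line.startswith("enable password ") for line in g):
        findings.append(("ENABLE_PASSWORD", "cleartext/type 7; use 'enable secret'"))
    for line in g:
        m = re.match(r"username (\S+) privilege 15 password 0 ", line)
        if m:
            findings.append(("CLEARTEXT_USER", f"{m.group(1)} stored with 'password 0'"))
    if "ip http server" in g:
        findings.append(("HTTP_CLEARTEXT", "SDM reachable over plain HTTP"))
    if "vpdn enable" in g:
        findings.append(("PPTP", "PPTP/MS-CHAP VPDN server enabled"))
    for header, body in sections.items():
        if not header.startswith("line vty"):
            continue
        if "no exec-timeout" in body:
            findings.append(("VTY_NO_TIMEOUT", f"{header}: idle sessions never expire"))
        if [b for b in body if b.startswith("transport input")] != ["transport input ssh"]:
            findings.append(("VTY_TRANSPORT", f"{header}: input not restricted to ssh"))
    return findings
```

Running `audit(SAMPLE_CONFIG)` reports the four weak settings the sample carries; a config using `enable secret`, an `exec-timeout`, and `transport input ssh` returns an empty list.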

11-30-2010 10:54 PM #2 iproute (Junior Member, Join Date Jan 2010, Posts 94)

Re: GNS3-Cisco3745-Multi HowTo. SSH server, Security Device Manager, quick VPN server

I have now made a short video of a scenario using some of the above configurations. You've been contracted to perform a pentest, and been provided the public IP of the company (per the scope of this particular test). Social engineering attacks are not authorized by the client, and the goal is to penetrate from outside to the inside and be able to attack inside machines.

The public network in this is represented by my laboratory LAN network 192.168.25.0/24 which is bridged to tap0, and connected to the outside interface of the client's router (fa0/0). The private network is on router interface fa0/1 and is bridged to tap1. I also have a Damn Small Linux virtual machine bridged to tap1 so we have a small target. The client's inside LAN is discovered to be 10.0.0.0/24. The video demonstrates nmap to discover services, snmp to steal the config, and VPN to pivot to the inside network for scanning and attacks.
