I read that certain Cisco IOS devices are vulnerable to brute forcing. My organization doesn't use these particular devices, but how can we test other pieces of network equipment to see if they are easily susceptible to a brute-force attack?
Ask the Expert
Have questions about enterprise security? Send them via email today! (All questions are anonymous.)
One tool that has become quite popular is something called Cisco Torch. It is a penetration testing tool installed by default in various Backtrack and Kali distributions. There is also a section of Hacking Exposed devoted to it.
Now you say that your organization doesn't use any Cisco IOS devices, to which my response is, "Are you sure?" Many times in organizations experiencing rapid growth, network devices are sometimes lost in the mayhem that is network architecture planning. So just to be on the safe side, I would pull up a command prompt that has access to the Cisco Torch tool and type in:
./cisco-torch.pl -A x.x.x.x/x
This command will allow you to conduct the full range of Cisco scans on your network, if the tool finds a Cisco networking device. The x's in the command denote an IP address and accompanying subnet mask. If vulnerable Cisco devices are found, updating them (or taking them offline) should be fairly easy.
If the Cisco Torch scan comes up dry, then rest assured that your organization doesn't have any rogue Cisco devices on its network. At this point, you can begin to test your varying nodes for brute-force vulnerabilities. For nodes running some type of Linux distro, I prefer to use a tool known as John the Ripper. This tool not only tests your operating system against brute-force attacks, but it has the ability to run a wide variety of password-cracking techniques against the various user accounts on each operating system. John the Ripper can be scripted to run remotely, but I prefer to use it locally on the box. Root privileges are necessary, as you will need access to the shadow files within each Linux node. As soon as you have access to the shadow files, run the following command:
The password portion of the command assumes that this is the name of your password file. Depending on the complexity of each password, John the Ripper can run for anywhere from a few seconds to a few days. If the complexity of a given password is closer to the latter, then I would argue that the password is not immediately susceptible to a brute-force attack.
If you're organization is like most, and it is Windows-centric, then I would use the trial version of L0phtcrack. This tool has a very intuitive graphical user interface, and it typically cracks Windows passwords in a matter of seconds. If you go to the L0phtcrack website, you can download a free 15-day trial version of the software, and remotely crack nodes that operate Windows 7 and earlier versions.
This was first published in November 2013