nerdexam
EC-Council

312-50V9 · Question #597

The network administrator at Spears Technology, Inc has configured the default gateway Cisco router's access-list as below: You are hired to conduct security testing on their network. You successfully

The correct answer is B. Run a network sniffer and capture the returned traffic with the configuration file from the router D. Send a customized SNMP set request with a spoofed source IP address in the range - 192.168.1.0. With the SNMP community string known but an ACL blocking direct access, spoofing a permitted source IP bypasses the ACL, and sniffing captures the configuration data returned by the router.

Enumeration

Question

The network administrator at Spears Technology, Inc has configured the default gateway Cisco router's access-list as below:

You are hired to conduct security testing on their network. You successfully brute-force the SNMP community string using a SNMP crack tool. The access-list configured at the router prevents you from establishing a successful connection. You want to retrieve the Cisco configuration from the router. How would you proceed?

Options

  • AUse the Cisco's TFTP default password to connect and download the configuration file
  • BRun a network sniffer and capture the returned traffic with the configuration file from the router
  • CRun Generic Routing Encapsulation (GRE) tunneling protocol from your computer to the router masking
  • DSend a customized SNMP set request with a spoofed source IP address in the range - 192.168.1.0

How the community answered

(49 responses)
  • A
    16% (8)
  • B
    55% (27)
  • C
    29% (14)

Why each option

With the SNMP community string known but an ACL blocking direct access, spoofing a permitted source IP bypasses the ACL, and sniffing captures the configuration data returned by the router.

AUse the Cisco's TFTP default password to connect and download the configuration file

Cisco TFTP has no default password because TFTP is an unauthenticated protocol; access to configuration files via TFTP is controlled entirely by router configuration, not built-in credentials.

BRun a network sniffer and capture the returned traffic with the configuration file from the routerCorrect

Because SNMP responses are sent back to the source IP of the request, an attacker sniffing on the local network segment can capture the configuration data the router returns, even though the attacker cannot initiate a direct authenticated connection from their real IP.

CRun Generic Routing Encapsulation (GRE) tunneling protocol from your computer to the router masking

GRE encapsulates traffic between two configured tunnel endpoints but does not change the source IP seen by an ACL, so it cannot be used to impersonate a permitted IP range and bypass the access-list.

DSend a customized SNMP set request with a spoofed source IP address in the range - 192.168.1.0Correct

The router's ACL permits SNMP access only from the 192.168.1.0 range - by crafting an SNMP set request with a spoofed source IP within that permitted range, the ACL check passes and the router processes the request, sending the configuration back toward the spoofed address.

Concept tested: SNMP ACL bypass via source IP spoofing and traffic capture

Source: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/snmp/configuration/xe-16/snmp-xe-16-book/nm-snmp-cfg-snmp-support.html

Topics

#SNMP community string#ACL bypass#IP spoofing#network sniffing

Community Discussion

No community discussion yet for this question.

Full 312-50V9 Practice