312-50V9 · Question #597
The network administrator at Spears Technology, Inc has configured the default gateway Cisco router's access-list as below: You are hired to conduct security testing on their network. You successfully
The correct answer is B. Run a network sniffer and capture the returned traffic with the configuration file from the router D. Send a customized SNMP set request with a spoofed source IP address in the range - 192.168.1.0. With the SNMP community string known but an ACL blocking direct access, spoofing a permitted source IP bypasses the ACL, and sniffing captures the configuration data returned by the router.
Question
The network administrator at Spears Technology, Inc has configured the default gateway Cisco router's access-list as below:
You are hired to conduct security testing on their network. You successfully brute-force the SNMP community string using a SNMP crack tool. The access-list configured at the router prevents you from establishing a successful connection. You want to retrieve the Cisco configuration from the router. How would you proceed?
Options
- AUse the Cisco's TFTP default password to connect and download the configuration file
- BRun a network sniffer and capture the returned traffic with the configuration file from the router
- CRun Generic Routing Encapsulation (GRE) tunneling protocol from your computer to the router masking
- DSend a customized SNMP set request with a spoofed source IP address in the range - 192.168.1.0
How the community answered
(49 responses)- A16% (8)
- B55% (27)
- C29% (14)
Why each option
With the SNMP community string known but an ACL blocking direct access, spoofing a permitted source IP bypasses the ACL, and sniffing captures the configuration data returned by the router.
Cisco TFTP has no default password because TFTP is an unauthenticated protocol; access to configuration files via TFTP is controlled entirely by router configuration, not built-in credentials.
Because SNMP responses are sent back to the source IP of the request, an attacker sniffing on the local network segment can capture the configuration data the router returns, even though the attacker cannot initiate a direct authenticated connection from their real IP.
GRE encapsulates traffic between two configured tunnel endpoints but does not change the source IP seen by an ACL, so it cannot be used to impersonate a permitted IP range and bypass the access-list.
The router's ACL permits SNMP access only from the 192.168.1.0 range - by crafting an SNMP set request with a spoofed source IP within that permitted range, the ACL check passes and the router processes the request, sending the configuration back toward the spoofed address.
Concept tested: SNMP ACL bypass via source IP spoofing and traffic capture
Source: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/snmp/configuration/xe-16/snmp-xe-16-book/nm-snmp-cfg-snmp-support.html
Topics
Community Discussion
No community discussion yet for this question.