Crash that switch!
Welcome back, my pentesting gurus! This will be a tutorial on how to DOS a Cisco 3550 Switch through telnet. Back in March 2017 this year Cisco released a vulnerability in the Cisco Cluster Management Protocol (CMP) processing code in Cisco IOS and Cisco IOS XE Software that could allow an unauthenticated, remote attacker to cause a reload of an affected device or remotely execute code with elevated privileges, dubbed CVE-2017-3881.
If you want some more information on this you can go to https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170317-cmp
We are going to use the DOS module for Metasploit from artkond. You can find the module here.
https://github.com/artkond/cisco-rce/blob/master/ios_telnet_rocem.rb So at one point while in college, I was heavily studying for the CCNA. I have around 3 switches and 2 routers sitting around in my home lab and figured I'd try to DOS the 3550 switch with this module.
First, we're going to download the exploit/module and set it up in Metasploit. I chose to use Metasploit for windows because it was quicker than firing up kali. If you need information on how to install a module in Metasploit, google it.
Next, I putty into the cisco 3550 switch to get the IP address as I forgot how I set up my vlan as well. Note: You're going to need the IP address of the switch, if your pen testing on an internal network you could discover this through scanners like Nmap.
So we load our Metasploit module, set the rhost and rport correctly and run a constant ping to the device so we can monitor if the DOS packet exploits successfully.
As you notice in the screenshot below after we launch the exploits it works!
We have successfully sent a DOS telnet packet to the 3550 switch and the switch begins to crash/reboot. Well, there you have it my friends, DOSing a Cisco 3550 switch. This can be achieved of course if you are already on the internal network and know the IP of the switch. Maybe your work computer is attached to a switch that is vulnerable to this attack method?
In order to block this type of attack, disable telnet in your Cisco IOS and only use SSH. Its that simple!
Happy pen testing!