Vault7: CIA Hacking Tools Revealed
Navigation: » Latest version
Owner: User #71467
Powerman-1r Testing
Powerman-1r Testing
Xetron delivered ROCEM version 1.1 for 3560G. Testing ROCEM for operational use on JQJADVERSE. Operator was not able to provide a configuration for the 3560G - we only know that this 3560G is a core switch with a router on a stick configuration and in a VTPVLAN Trunk Protocol enviroment. Conop will be to first use ROCM to survey device and then subsequently use ROCEM to throw HG. We are testing with a 3560G-24-PS, although Xetron's readme lists this ROCEM release is for 3560G-24-TS. It is not believed that the power over ethernet feature should affect the implant.
Testing Summary
- Readme needs to be changed - show switch detail does not exist in this IOSApple operating system for small devices version
- Smoke Test - Survey completed successfully
Progress/Notes
- Smoke Test - Survey 3560G with ROCEM
- 3560G is configured to use AAASecurity Server from Cisco server to authenticate users as well as authorize commands and log all commands entered
- 3560G is configured to log snmp traps and syslogs to Solarwinds
- Output of "who" command before ROCEM shows my console session and my vty session on line 1
3560G#who
Line User Host(s) Idle Location
0 con 0 cisco idle 00:07:52
* 1 vty 0 root idle 00:00:00 10.9.8.96Interface User Mode Idle Peer Address
3560G#
- Verified that AAASecurity Server from Cisco is logging show commands when entered in 3560G through regular telnet session
- Followed Xetron Powerman-1R readme procedure to use ROCEM to execute show commands
- ./rocem_c3560-ipbase-mz.122-35.SE5.py -i -f fill.bin 192.168.111.1
- Entered y to proceed
- 3560# prompt appeared - no creds were netered
- Executed show commands from readme successfully - show switch detail does not exist in this IOS
- Output of "who" command shows ROCEM vty session from ICON-CT IP and no username
-
Typed exit at ROCEM prompt - session closed, no logs generated to AAASecurity Server from Cisco server. Output of "who" shows vty session for ROCEM is gone. No logs in 3560G logging buffer. SNMP trap for the connection close is logged:
CISCOTRAP-MIB:tcpConnectionClose
tsLineUser.2 =
loctcpConnOutBytes.192.168.111.1.XX.XXX.XX.XX (???).22.37770 = 78
loctcpConnInBytes.192.168.111.1.XX.XXX.XX.XX (???).22.37770 = 810
loctcpConnElapsed.192.168.111.1.XX.XXX.XX.XX (???).22.37770 = 0.50 second
tcpConnState.192.168.111.1.XX.XXX.XX.XX (???).22.37770 = synReceived(4)
tslineSesType.2.1 = telnet(5)
snmpTrapOID = CISCOTRAP-MIB:tcpConnectionClose
sysUpTime = 15 minutes 31.92 seconds