Hi,
   Need a help. Is there any tool to crack the password of cisco switches 3560 without disturbing the service or restarting the same.

Thanks in Advance

Do you know if it is running SNMP? If it is can you get access to the lan to sniff traffic? If you said yes to both of the above and it's running IOS and not Catos it is very possible you could Man in the middle attack the lan with Cain & Able. Once your APR Poisoning you just capture the SNMP string and use Cains CCDU (Cisco Config Download Utility) to SNMP pull the running config. Once you have the config you can get the plain-text or Cisco type 7 encrypted password (type 7 password can also be decrypted with Cain). This is just one more reason to make Chicagocon as I am going to be presenting all kinds of fun things you can do with Cain & Able!

Answer to your question yes it is possible to force a Cisco Router or switch to give you it's config with out turning it off or stopping traffic. It all depends on how it was setup and if it is running SNMP.

Brian

The Audio from my presentation at Chicagocon last year on Cain & Able is on the site and my power point is too but I skipped the power point and did a live demo. I plan to do another live demo this year and maybe if don can get some form of video for the con we can have that also. I have some of my videos on www.anti-hacker.info which have some of the basics of Cain & Able with a few other tools I like using.

There are many ways manage a Cisco device and if setup correctly 90% of the hacks will not work. But in my experience most routers are not setup with security in mind as the engineers think the firewall will save them and this leaves many holes that need to be patched.

Brian

Yes they are trying to get everything onto IOS and there are some switches/routers that will run in hybrid mode of both IOS and CatOS. I am one of the few that likes CatOS for basic switching & VLANs. I mean it is so much faster to configure and by default has alot less bloated and fewer security holes. Remember with all the extra features you want in that IOS version they might also come with the cost of possible holes.

Brian

From my experience just about all manageable switches have SNMP weaknesses  (normally just sniffing finds the write string) it's just finding the vendor OID to dump the config file. BTW most vendors use the Cisco type 7 encryption so you can crack the password the same way. If it is not a Cisco type 7 encrypted password then you can expect it to be MD5 and thats where you rainbow tables come in to crack it with or without Cain & Able.

At the end of the day if you configure you routers and switches correctly with all there security features 90% of the back-door cracks and weaknesses will be sealed up. ACL's are you friend so learn how to apply them correctly.

Brian

I have not seen any switches that use a salted MD5 but even if it did you could still brutefocre or dictionary attack it since most network engineers or Lan admins do not think to make network device passwords too hard and in many cases it's the same passwords to all switches or routers since laziness is easer than common security sense. I would also look to find the vendor documents on the device as default passwords do not always get changed.


Brian