Ok, tried dictionary attacks, brute forcing and fingerprinting a Cisco router today. The tools used are THC Hydra and Cisco Torch. The password is hard to guess, which is why neither Hydra nor Cisco Torch could pick it up. I must admit that Hydra is such a wonderful tool to have; it is fast and wastes no time. On the other hand, Cisco Torch is slower, but still gets the job done. p0f is a tool used for passive and active fingerprinting. I would say I would love to use a third tool (SinFP) to actually double-verify the IOS version and the device running. Unfortunately, SinFP crashed on my machine and I did not probe further.
Well, the commands for the tools are:
Nmap: nmap -sV -A -P0 -O -vvv -sS 127.0.0.1
hydra: I prefer to use the GTK front end
p0f: Because I did passive fingerprinting, I actually saved a pcap file first using Wireshark and then ran p0f over it. So the command is:
p0f -s cisco.pcap -V -A
The -A is to actually see the SYN/ACK packet returned from the router.
SinFP: sinfp.pl -ai 127.0.0.1 -p 23
Cisco torch: ./cisco-torch.pl -t -b 127.0.0.1
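As an added defender-side example (not part of the original post), here is the kind of check that would have flagged the Hydra dictionary attack described above from the router's own logs: it scans Cisco IOS-style %SEC_LOGIN-4-LOGIN_FAILED syslog lines and reports any source that exceeds N failed logins inside a time window. The host name, timestamps, user names and addresses in the sample lines are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on IOS %SEC_LOGIN-4-LOGIN_FAILED messages as relayed by a
# syslog server; host name, times, user names and addresses are made up for this example.
def _line(hms, user, src, port=23):
    return (f"Mar  1 {hms} rtr1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: {user}] "
            f"[Source: {src}] [localport: {port}] [Reason: Login Authentication Failed]")

SAMPLE_LOG = [
    _line("10:00:01", "admin", "192.0.2.10"),   # five guesses in five seconds ...
    _line("10:00:02", "cisco", "192.0.2.10"),
    _line("10:00:03", "root", "192.0.2.10"),
    _line("10:00:04", "admin", "192.0.2.10"),
    _line("10:00:05", "guest", "192.0.2.10"),
    _line("10:05:30", "admin", "198.51.100.7"),  # ... versus a single operator typo
    _line("10:20:00", "admin", "192.0.2.10"),    # well outside the window: not counted
]

LINE_RE = re.compile(
    r"^\w{3}\s+\d+ (?P<hms>\d\d:\d\d:\d\d) \S+ %SEC_LOGIN-4-LOGIN_FAILED: Login failed "
    r"\[user: (?P<user>[^\]]*)\] \[Source: (?P<src>[^\]]+)\] \[localport: (?P<port>\d+)\]"
)

def parse(line):
    # Return the failure's time (seconds since midnight), user, source and port, or None.
    m = LINE_RE.match(line)
    if not m:
        return None
    h, mi, s = (int(x) for x in m["hms"].split(":"))
    return {"t": h * 3600 + mi * 60 + s, "user": m["user"], "src": m["src"], "port": int(m["port"])}

def detect_bruteforce(lines, attempts=3, window=60):
    """Map each source that logged >= `attempts` failures inside any `window`-second span
    to (largest count seen in one window, sorted user names tried in that window)."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse(line)
        if ev:
            by_src[ev["src"]].append(ev)
    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["t"])
        start = 0
        for end, ev in enumerate(evs):            # sliding window over the sorted failures
            while ev["t"] - evs[start]["t"] > window:
                start += 1
            count = end - start + 1
            if count >= attempts and count > alerts.get(src, (0, []))[0]:
                alerts[src] = (count, sorted({e["user"] for e in evs[start:end + 1]}))
    return alerts
```

The default threshold mirrors the router-side `login block-for <seconds> attempts <n> within <seconds>` setting, which makes IOS itself throttle a dictionary attack rather than only log it.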
I am going to write a methodology on enumerating VoIP soon, so stay tuned.