Pentest of a Wi-Fi network with Cisco NCS

I had a chance to audit this device during a Wi-Fi pentest. Cisco Prime Network Control System is a Wi-Fi controller that allows to manage multiple access points and centralize their configuration: Wi-Fi settings, access control, security, etc.

I was surprised how easy it was to compromise this equipment, thanks to default credentials. Of course, Cisco published a patch… however how many network teams would have applied the patch ? Routers, switches, Wi-Fi controllers, especially when they are not part of the core infrastructure, are often dropped and forgotten for years…

Here is the vendor advisory, which is about “unspecified” default credentials. With a little of ninja googling, I managed to glue the pieces.

It was not that easy to find the credentials in questions, but the guys from Tenable Security managed to get the info: wcsdba / wcs123.

Now, you will think, “ok, but we need to find a way to reach the database…’. Piece of cake! By default, the device exposes an Oracle listener on port 1522.

Then, we would need to know the Oracle instance… Don’t think too much, don’t even look up at your wordlists, this is just: WCS.

Of course, as you should guess now, the account has DBA privileges. :-)

So, in summary:

Oracle listener on port TCP 1522
Instance: WCS
Account: wcsdba
Password: wcs123
Privileges: DBA

Now you can do pretty much every thing: control network settings, grab and crack password hashes, etc.

Besides, there is also an XSS on a login page…

Well done Cisco, for not hardening anything.  :-/

Have fun!