Vulnerabilities exist in IOS, just like any other piece of software, but only a few folks have managed to leverage memory corruption flaws into code execution. With few exceptions, this leaves a small number of services that are commonly exposed in production environments. There are two main categories for configuration files with Cisco routers - running-config and startup-confg: If the collection script is able to gain enable access, it will automatically dump additional information from the system, including the running configuration. We have recently done work in situations where recovering the Cisco config from one device e.
The screen shot below demonstrates the output of brute forcing the Telnet vty password, then the enable password, then dumping and parsing the configuration:
Check out what Packt has to offer