Nmap Development mailing list archives

Re: Cisco Smart Install script


From: "XenoN. w0w" <e-net15 () hotmail com>
Date: Mon, 9 Sep 2019 17:50:56 +0000

I am really honored that I got a response from you. By default, Nmap can detect whether the smart-install service is 
running. When passing the -sV flag, Nmap can't detect the version. Here is the sample output.

$ sudo nmap -Pn -sV -p 4786 <TARGET_IP>
Starting Nmap 7.80SVN ( https://nmap.org ) at 2019-09-09 19:42 CEST
Nmap scan report for <TARGET_IP>
Host is up (0.20s latency).

PORT     STATE SERVICE        VERSION
4786/tcp open  smart-install?

The script that I have already created (and haven't pushed yet) will by default test whether the device is vulnerable by 
crafting a packet and sending it to port 4786; it then checks whether we got the right response, and if so, the device is 
vulnerable and we can grab the config, perhaps change the config, etc. Below is the output of the script tested on one 
of the devices that are vulnerable to this.

$ sudo nmap -Pn -p 4786 <TARGET_IP> --script "./cisco-siet.nse"
Starting Nmap 7.80SVN ( https://nmap.org ) at 2019-09-09 19:42 CEST
Nmap scan report for <TARGET_IP>
Host is up (0.20s latency).

PORT     STATE SERVICE
4786/tcp open  smart-install
| cisco-siet:
|   Host: <TARGET_IP>
|_  Status: VULNERABLE

Also, I have added an option to pass an argument to the script to get the config. This requires running Nmap as the 
root user (or with sudo) because it will start a TFTP server onto which the Cisco device will send its config. By 
default, the script will only test whether the device is vulnerable or not.

From: Gordon Fyodor Lyon <fyodor () nmap org>
Date: Monday, 9 September 2019 at 19:34
To: "XenoN. w0w" <e-net15 () hotmail com>
Cc: "dev () nmap org" <dev () nmap org>
Subject: Re: Cisco Smart Install script



On Mon, Aug 26, 2019 at 4:08 AM XenoN. w0w <e-net15 () hotmail com<mailto:e-net15 () hotmail com>> wrote:
Hello guys, during penetration testing engagements I often come across Cisco devices which allow me to grab their 
config over the Smart Install protocol.
I would like to make a script and add functionality of testing and getting config within the script.
Here is the link for reference exploit https://github.com/Sab0tag3d/SIET

What do you guys think about it?

Thanks for the details.  And wow, the Cisco advisory[1] really tries to shirk all responsibility for this mess by 
writing:

"Cisco does not consider this a vulnerability in Cisco IOS, IOS XE, or the Smart Install feature itself but a misuse of 
the Smart Install protocol, which does not require authentication by design."

Well maybe they shouldn't have introduced such a lame "feature" in the first place.  And even though it is broken by 
design, there are lots of ways that Cisco could have at least mitigated the problem.  Apparently they only recently 
added a command to turn this crap off.

Anyway, yeah, we'd like to see an NSE script or other Nmap features related to this.  For example, does Nmap version 
detection (-sV) detect this properly? Are there good ways to detect the vulnerability (beyond just port 4786 being 
open) without reconfiguring the device or otherwise being too intrusive?  I mean an exploitation feature is nice too, 
but often Nmap users just want to learn as much as possible about the device and vulnerability without doing anything 
too intrusive.

Cheers,
Fyodor


[1] https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170214-smi

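The vulnerability test described in the message above (craft one packet, send it to TCP 4786, compare the reply) as an added worked example in Python. This is not the NSE script from the thread and not Nmap's or SIET's code. The probe and expected reply bytes are the ones the SIET reference exploit linked in the thread uses for its test mode; they are reproduced here from that project and should be verified against the repository before being relied on. Host and port values are placeholders. The check is read-only in the sense Fyodor asks about: it sends a single probe and changes nothing on the device; the config-grab step (TFTP) is not included.

```python
"""Active, non-modifying check for Cisco Smart Install exposure on TCP 4786.

Added example, not the thread's NSE script and not Nmap/SIET code.
Probe and reply bytes: as used by the SIET reference exploit (assumption,
reproduced from that project; verify against the repository).
"""
import socket
import struct

SMI_PORT = 4786

# Probe sent by SIET's test mode (assumption: taken from the SIET project).
SMI_PROBE = bytes.fromhex(
    "00000001" "00000001" "00000004" "00000008" "00000001" "00000000"
)
# Reply a Smart Install-enabled IOS device returns to that probe (same source).
SMI_EXPECTED_REPLY = bytes.fromhex(
    "00000004" "00000000" "00000003" "00000008" "00000001" "00000000"
)


def classify_reply(reply: bytes) -> str:
    """Map a raw reply to a verdict string.

    VULNERABLE  exact match with the known Smart Install reply
    UNKNOWN     bytes came back but do not match (other service, short
                read, or a device with Smart Install disabled)
    NO_REPLY    nothing came back before the timeout
    The comparison is exact, like the reference exploit: a matching prefix
    with extra trailing bytes is still treated as UNKNOWN so a chatty
    non-SMI service can never produce a false positive.
    """
    if not reply:
        return "NO_REPLY"
    if reply == SMI_EXPECTED_REPLY:
        return "VULNERABLE"
    return "UNKNOWN"


def decode_words(reply: bytes) -> tuple:
    """Split a 24-byte reply into its six big-endian 32-bit words.

    For display/logging only; field meanings are not asserted here.
    """
    if len(reply) != 24:
        raise ValueError("expected a 24-byte Smart Install message")
    return struct.unpack("!6I", reply)


def recv_exact(sock: socket.socket, n: int, timeout: float) -> bytes:
    """Read up to n bytes, tolerating a reply split across TCP segments."""
    sock.settimeout(timeout)
    buf = b""
    while len(buf) < n:
        try:
            chunk = sock.recv(n - len(buf))
        except socket.timeout:
            break
        if not chunk:          # peer closed the connection
            break
        buf += chunk
    return buf


def check_smart_install(host: str, port: int = SMI_PORT, timeout: float = 5.0) -> str:
    """Open one TCP connection, send the probe, return a verdict.

    CLOSED is returned when the port refuses the connection, ERROR for any
    other socket failure, so callers can tell 'not exposed' from 'not tested'.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(SMI_PROBE)
            reply = recv_exact(s, len(SMI_EXPECTED_REPLY), timeout)
    except ConnectionRefusedError:
        return "CLOSED"
    except socket.timeout:
        return "NO_REPLY"
    except OSError:
        return "ERROR"
    return classify_reply(reply)


if __name__ == "__main__":
    # Offline demonstration on a constructed reply (no device contacted).
    print("constructed reply ->", classify_reply(SMI_EXPECTED_REPLY),
          decode_words(SMI_EXPECTED_REPLY))
    # Live use against a target (placeholder address):
    # print(check_smart_install("192.0.2.10"))
```

Running the offline demonstration prints the verdict for the constructed reply; pointing `check_smart_install` at a real target performs the same single-probe exchange the message describes. A VULNERABLE verdict means the device answered the Smart Install hello as an SMI client, which is exactly the precondition the SIET tool needs before it can request the configuration; it does not by itself read or change anything.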

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
