Re: Cisco Smart Install script

[Gordon Fyodor Lyon <fyodor () nmap org>]

That sounds good.  Once you're happy with the script, can you submit a
Github pull request so people can start testing it out?

Cheers,
Fyodor

On Mon, Sep 9, 2019 at 10:50 AM XenoN. w0w <e-net15 () hotmail com> wrote:

> I am really honored that I got response from you. By default, nmap can
> detect that whether it is running smart-install service. When passing -sV
> flag, nmap can’t detect the version. Here is the sample output.
>
>
>
> $ sudo nmap -Pn -sV -p 4786 <TARGET_IP>
>
> Starting Nmap 7.80SVN ( https://nmap.org ) at 2019-09-09 19:42 CEST
>
> Nmap scan report for <TARGET_IP>
>
> Host is up (0.20s latency).
>
>
>
> PORT     STATE SERVICE        VERSION
>
> 4786/tcp open  smart-install?
>
>
>
> Script that I already have created and haven’t pushed it will by default
> test whether device is vulnerable by crafting packet and sending it to the
> port 4786, then it will check if we got the right response and if so,
> device is vulnerable and we can grab config, perhaps change config etc.
> Below is output of the script I tested on one of the devices which are
> vulnerable to this.
>
>
>
> $ sudo nmap -Pn -p 4786 <TARGET_IP> --script "./cisco-siet.nse"
>
> Starting Nmap 7.80SVN ( https://nmap.org ) at 2019-09-09 19:42 CEST
>
> Nmap scan report for <TARGET_IP>
>
> Host is up (0.20s latency).
>
>
>
> PORT     STATE SERVICE
>
> 4786/tcp open  smart-install
>
> | cisco-siet:
>
> |   Host: <TARGET_IP>
>
> |_  Status: VULNERABLE
>
>
>
> Also, I have added option to the script to pass argument to the script to
> get config, this requires running nmap as root user (or sudo) because it
> will start tftp server onto which cisco device will send config. By
> default, script will only test if the device is vulnerable or not.
>
>
>
> *From: *Gordon Fyodor Lyon <fyodor () nmap org>
> *Date: *Monday, 9 September 2019 at 19:34
> *To: *"XenoN. w0w" <e-net15 () hotmail com>
> *Cc: *"dev () nmap org" <dev () nmap org>
> *Subject: *Re: Cisco Smart Install script
>
>
>
>
>
>
>
> On Mon, Aug 26, 2019 at 4:08 AM XenoN. w0w <e-net15 () hotmail com> wrote:
>
> Hello guys, during penetration testing engagements I often come to cisco
> devices which allows me to grab their config over smart install protocol.
>
> I would like to make a script and add functionality of testing and getting
> config within the script.
>
> Here is the link for reference exploit https://github.com/Sab0tag3d/SIET
>
>
>
> What do you guys think about it?
>
>
>
> Thanks for the details.  And wow, the Cisco advisory[1] really tries to
> shirk all responsibility for this mess by writing:
>
>
>
> "Cisco does not consider this a vulnerability in Cisco IOS, IOS XE, or the
> Smart Install feature itself but a misuse of the Smart Install protocol,
> which does not require authentication by design."
>
>
>
> Well maybe they shouldn't have introduced such a lame "feature" in the
> first place.  And even though it is broken by design, there are lots of
> ways that Cisco could have at least mitigated the problem.  Apparently they
> only recently added a command to turn this crap off.
>
>
>
> Anyway, yeah, we'd like to see an NSE script or other Nmap features
> related to this.  For example, does Nmap version detection (-sV) detect
> this properly? Are there good ways to detect the vulnerability (beyond just
> port 4786 being open) without reconfiguring the device or otherwise being
> too intrusive?  I mean an exploitation feature is nice too, but often Nmap
> users just want to learn as much as possible about the device and
> vulnerability without doing anything too intrusive.
>
>
>
> Cheers,
>
> Fyodor
>
>
>
>
>
> [1]
> https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170214-smi
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/