Nmap Development mailing list archives
Re: Cisco Smart Install script
From: "XenoN. w0w" <e-net15 () hotmail com>
Date: Fri, 27 Sep 2019 11:41:37 +0000
Hello guys,

here is the follow-up PR request for the script: https://github.com/nmap/nmap/pull/1763

Cheers,
Erhad Husović

From: dev <dev-bounces () nmap org> on behalf of "XenoN. w0w" <e-net15 () hotmail com>
Date: Thursday, 19 September 2019 at 09:09
To: Robin Wood <robin () digininja org>, Fyodor <fyodor () nmap org>
Cc: nmap list <dev () nmap org>
Subject: Re: Cisco Smart Install script

What do you think, should I submit a PR for it at all? Even though it is a feature, during pentesting engagements you can find out a lot of information and perhaps gain code exec depending on the IOS version.

________________________________
From: Robin Wood <robin () digininja org>
Sent: Thursday, September 19, 2019 9:06:39 AM
To: Fyodor <fyodor () nmap org>
Cc: XenoN. w0w <e-net15 () hotmail com>; nmap list <dev () nmap org>
Subject: Re: Cisco Smart Install script

If it's the same issue I think it is, Nessus reports it as an info. The one that they report on can also be used to do unauthenticated code exec but is a feature, not a "vulnerability", so not a problem.

Robin

On Mon, 9 Sep 2019, 18:34 Gordon Fyodor Lyon, <fyodor () nmap org> wrote:

On Mon, Aug 26, 2019 at 4:08 AM XenoN. w0w <e-net15 () hotmail com> wrote:

> Hello guys, during penetration testing engagements I often come across Cisco devices which allow me to grab their config over the Smart Install protocol. I would like to make a script and add the functionality of testing and getting the config within the script. Here is the link for the reference exploit: https://github.com/Sab0tag3d/SIET
>
> What do you guys think about it?

Thanks for the details. And wow, the Cisco advisory[1] really tries to shirk all responsibility for this mess by writing:

"Cisco does not consider this a vulnerability in Cisco IOS, IOS XE, or the Smart Install feature itself but a misuse of the Smart Install protocol, which does not require authentication by design."

Well maybe they shouldn't have introduced such a lame "feature" in the first place. And even though it is broken by design, there are lots of ways that Cisco could have at least mitigated the problem. Apparently they only recently added a command to turn this crap off.

Anyway, yeah, we'd like to see an NSE script or other Nmap features related to this. For example, does Nmap version detection (-sV) detect this properly? Are there good ways to detect the vulnerability (beyond just port 4786 being open) without reconfiguring the device or otherwise being too intrusive? I mean an exploitation feature is nice too, but often Nmap users just want to learn as much as possible about the device and vulnerability without doing anything too intrusive.

Cheers,
Fyodor

[1] https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170214-smi

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
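The non-intrusive check Fyodor asks about (a protocol-level probe on 4786 rather than just seeing the port open) in working form, as an added example that is not code from this thread, from the linked PR, or from Nmap. An NSE script would be written in Lua; this is stand-alone Python so it can be run and tested offline. The probe and the expected reply are the byte strings the public Smart Install check tools (SIET and Cisco Talos's smi_check) send and look for, reproduced here from memory; the field names given to the 32-bit words are my assumption, not Cisco documentation. Verify both byte strings against the SIET source linked above before relying on the result. The sample reply embedded below is constructed for the offline test.

```python
"""Non-intrusive Cisco Smart Install (TCP/4786) probe and reply classifier.

Added example, not from the nmap-dev thread or from Nmap itself.
ASSUMPTION: the probe and expected-reply words below are the ones used
by the public check tools (SIET, Talos smi_check), reproduced from memory;
the field names are guesses at their meaning, not Cisco's documentation.
"""
import socket
import struct
import sys

SMI_PORT = 4786

# Six big-endian 32-bit words.  Names are assumed; values are what the
# public check tools transmit.
PROBE_WORDS = (
    1,  # version (assumed)
    1,  # message type: client probe / hello (assumed)
    4,  # flags / status (assumed)
    8,  # payload length (assumed)
    1,  # payload word 1
    0,  # payload word 2
)

# What a Smart Install client (an unconfigured switch listening on 4786)
# is expected to answer with.  Assumed values, see module docstring.
EXPECTED_REPLY_WORDS = (4, 0, 3, 8, 1, 0)

# Constructed sample reply for offline use: the expected bytes above.
SAMPLE_REPLY = struct.pack("!6I", *EXPECTED_REPLY_WORDS)


def build_smi_probe():
    """Serialise the probe as six network-order unsigned 32-bit words."""
    return struct.pack("!6I", *PROBE_WORDS)


def parse_words(data):
    """Split a reply into 32-bit words, dropping any trailing partial word."""
    n = len(data) // 4
    if n == 0:
        return ()
    return struct.unpack("!%dI" % n, data[: n * 4])


def classify_smi_response(data):
    """Classify raw bytes read after the probe.

    Returns one of:
      "no-response"          nothing came back (port open but silent, or
                             filtered at the application layer)
      "smart-install-client" the first six words match the expected reply,
                             i.e. the device speaks Smart Install as a
                             client and is worth reporting
      "other"                something answered, but not Smart Install
    """
    if not data:
        return "no-response"
    words = parse_words(data)
    if len(words) >= 6 and tuple(words[:6]) == EXPECTED_REPLY_WORDS:
        return "smart-install-client"
    return "other"


def probe_host(host, port=SMI_PORT, timeout=5.0):
    """Send the probe once and classify the reply.  Network I/O; the
    offline test only exercises classify_smi_response()."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_smi_probe())
        try:
            data = s.recv(1024)
        except socket.timeout:
            data = b""
    return classify_smi_response(data)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: smi_probe.py <host>")
    print(probe_host(sys.argv[1]))
```

The probe sends nothing that changes device state: the only thing read back is the single reply to the hello, which is why this is the check to prefer over the copy-config or TFTP-directed operations that SIET uses for exploitation. A "no-response" result on an open 4786 is still worth reporting as an open Smart Install port, just without the protocol confirmation.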
Current thread:
- Cisco Smart Install script XenoN. w0w (Aug 26)
- Re: Cisco Smart Install script Gordon Fyodor Lyon (Sep 09)
- Re: Cisco Smart Install script XenoN. w0w (Sep 09)
- Re: Cisco Smart Install script Gordon Fyodor Lyon (Sep 18)
- Re: Cisco Smart Install script Robin Wood (Sep 19)
- Re: Cisco Smart Install script XenoN. w0w (Sep 19)
- Re: Cisco Smart Install script XenoN. w0w (Sep 09)
- <Possible follow-ups>
- Re: Cisco Smart Install script XenoN. w0w (Sep 27)
- Re: Cisco Smart Install script Gordon Fyodor Lyon (Sep 09)