Pwning Cisco Devices Using Smart Install Exploitation Tool (siet.py)

Abdirahman Hish Mohamed
Oct 16 · 2 min read

I was on a recent internal assessment engagement and boy oh boy, this clients’ environments looked pretty solid. Until I came across some of their Cisco Switches running a vulnerable version of Smart Install as reported by Nessus at https://www.tenable.com/plugins/nessus/108723

Verified the existence of this vulnerability with NMAP and Metasploit:

nmap -p 4786 -v <IP Address(s)>use auxiliary/scanner/misc/cisco_smart_install

Looked around for a way to exploit this & stumbled upon the Smart Install Exploitation Tool (SEIT) at https://github.com/Sab0tag3d/SIET With this tool, I was able to download the config files of their Core Switch which showed passwords in clear text for some of the user accounts configured. Other accounts used weak cisco type 7 encryption algorithms which can be cracked within seconds using online tools like: http://ibeast.com/tools/CiscoPassword/index.asp

This eventually gave me access to the core routers and other Cisco Network Infra devices since the user accounts credentials were the same across the devices.

The tools has other capabilities such as installing new configuration file to the remote device, and also multiple remote devices, update the cisco IOS running on the remote device and execute code on the remote device.

A simple shodan search for port 4786 shows that there are over 70K Devices which have the smart install services exposed to the internet.

Shodan Scan for Cisco Smart Install Service

And guess what it takes to close on this critical vulnerability? Just running the no-vstack command on your Cisco Switch will do the wonders.

This was reported to Cisco in 2018 (CVE-2018–0171) with a CVSS 3.0 base score of 9.8. Cisco since then released several advisories to fix it.

  1. https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvg76186
  2. https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-smi2

There is also detailed presentation of this vulnerability available at https://2016.zeronights.ru/wp-content/uploads/2016/12/CiscoSmartInstall.v3.pdf

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade