Re: dev Digest, Vol 174, Issue 8🔐🕷😄

[HUMBERTO TOSCANO <htoscanoruiz () gmail com>]

MM mgeen

El El jue, 19 sept 2019 a las 9:10, <dev-request () nmap org> escribió:

> Send dev mailing list submissions to
>         dev () nmap org
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         https://nmap.org/mailman/listinfo/dev
> or, via email, send a message with subject or body 'help' to
>         dev-request () nmap org
>
> You can reach the person managing the list at
>         dev-owner () nmap org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of dev digest..."
>
>
> Today's Topics:
>
>    1. Re: Cisco Smart Install script (Gordon Fyodor Lyon)
>    2. Re: Cisco Smart Install script (Robin Wood)
>    3. Re: Cisco Smart Install script (XenoN. w0w)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Wed, 18 Sep 2019 21:59:47 -0700
> From: Gordon Fyodor Lyon <fyodor () nmap org>
> To: "XenoN. w0w" <e-net15 () hotmail com>
> Cc: "dev () nmap org" <dev () nmap org>
> Subject: Re: Cisco Smart Install script
> Message-ID:
>         <
> CAJjO9MkCHtnqAOAEQgmKE6w+HQScBzQxRrEu5-VPNv8a1xWvCg () mail gmail com>
> Content-Type: text/plain; charset="utf-8"
>
> That sounds good.  Once you're happy with the script, can you submit a
> Github pull request so people can start testing it out?
>
> Cheers,
> Fyodor
>
> On Mon, Sep 9, 2019 at 10:50 AM XenoN. w0w <e-net15 () hotmail com> wrote:
>
> > I am really honored that I got response from you. By default, nmap can
> > detect that whether it is running smart-install service. When passing -sV
> > flag, nmap can?t detect the version. Here is the sample output.
> >
> >
> >
> > $ sudo nmap -Pn -sV -p 4786 <TARGET_IP>
> >
> > Starting Nmap 7.80SVN ( https://nmap.org ) at 2019-09-09 19:42 CEST
> >
> > Nmap scan report for <TARGET_IP>
> >
> > Host is up (0.20s latency).
> >
> >
> >
> > PORT     STATE SERVICE        VERSION
> >
> > 4786/tcp open  smart-install?
> >
> >
> >
> > Script that I already have created and haven?t pushed it will by default
> > test whether device is vulnerable by crafting packet and sending it to
> the
> > port 4786, then it will check if we got the right response and if so,
> > device is vulnerable and we can grab config, perhaps change config etc.
> > Below is output of the script I tested on one of the devices which are
> > vulnerable to this.
> >
> >
> >
> > $ sudo nmap -Pn -p 4786 <TARGET_IP> --script "./cisco-siet.nse"
> >
> > Starting Nmap 7.80SVN ( https://nmap.org ) at 2019-09-09 19:42 CEST
> >
> > Nmap scan report for <TARGET_IP>
> >
> > Host is up (0.20s latency).
> >
> >
> >
> > PORT     STATE SERVICE
> >
> > 4786/tcp open  smart-install
> >
> > | cisco-siet:
> >
> > |   Host: <TARGET_IP>
> >
> > |_  Status: VULNERABLE
> >
> >
> >
> > Also, I have added option to the script to pass argument to the script to
> > get config, this requires running nmap as root user (or sudo) because it
> > will start tftp server onto which cisco device will send config. By
> > default, script will only test if the device is vulnerable or not.
> >
> >
> >
> > *From: *Gordon Fyodor Lyon <fyodor () nmap org>
> > *Date: *Monday, 9 September 2019 at 19:34
> > *To: *"XenoN. w0w" <e-net15 () hotmail com>
> > *Cc: *"dev () nmap org" <dev () nmap org>
> > *Subject: *Re: Cisco Smart Install script
> >
> >
> >
> >
> >
> >
> >
> > On Mon, Aug 26, 2019 at 4:08 AM XenoN. w0w <e-net15 () hotmail com> wrote:
> >
> > Hello guys, during penetration testing engagements I often come to cisco
> > devices which allows me to grab their config over smart install protocol.
> >
> > I would like to make a script and add functionality of testing and
> getting
> > config within the script.
> >
> > Here is the link for reference exploit https://github.com/Sab0tag3d/SIET
> >
> >
> >
> > What do you guys think about it?
> >
> >
> >
> > Thanks for the details.  And wow, the Cisco advisory[1] really tries to
> > shirk all responsibility for this mess by writing:
> >
> >
> >
> > "Cisco does not consider this a vulnerability in Cisco IOS, IOS XE, or
> the
> > Smart Install feature itself but a misuse of the Smart Install protocol,
> > which does not require authentication by design."
> >
> >
> >
> > Well maybe they shouldn't have introduced such a lame "feature" in the
> > first place.  And even though it is broken by design, there are lots of
> > ways that Cisco could have at least mitigated the problem.  Apparently
> they
> > only recently added a command to turn this crap off.
> >
> >
> >
> > Anyway, yeah, we'd like to see an NSE script or other Nmap features
> > related to this.  For example, does Nmap version detection (-sV) detect
> > this properly? Are there good ways to detect the vulnerability (beyond
> just
> > port 4786 being open) without reconfiguring the device or otherwise being
> > too intrusive?  I mean an exploitation feature is nice too, but often
> Nmap
> > users just want to learn as much as possible about the device and
> > vulnerability without doing anything too intrusive.
> >
> >
> >
> > Cheers,
> >
> > Fyodor
> >
> >
> >
> >
> >
> > [1]
> https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170214-smi
> >
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: <
> https://nmap.org/mailman/private/dev/attachments/20190918/37bc11b1/attachment.html
> >
>
> ------------------------------
>
> Message: 2
> Date: Thu, 19 Sep 2019 08:06:39 +0100
> From: Robin Wood <robin () digininja org>
> To: Fyodor <fyodor () nmap org>
> Cc: "XenoN. w0w" <e-net15 () hotmail com>, nmap list <dev () nmap org>
> Subject: Re: Cisco Smart Install script
> Message-ID:
>         <CALmccy7PhNDi-tRT3uwRgm_xNYVb0kisN3=
> XupcWBGYtwXpckA () mail gmail com>
> Content-Type: text/plain; charset="utf-8"
>
> If it's the same issue I think it is, Nessus reports it as an info. The one
> that they report on can also be used to do unauthenticated code exec but is
> a feature not "vulnerability" so not a problem.
>
> Robin
>
> On Mon, 9 Sep 2019, 18:34 Gordon Fyodor Lyon, <fyodor () nmap org> wrote:
>
> > On Mon, Aug 26, 2019 at 4:08 AM XenoN. w0w <e-net15 () hotmail com> wrote:
> >
> > > Hello guys, during penetration testing engagements I often come to cisco
> > > devices which allows me to grab their config over smart install
> protocol.
> > > I would like to make a script and add functionality of testing and
> > > getting config within the script.
> > >
> > > Here is the link for reference exploit
> https://github.com/Sab0tag3d/SIET
> > > What do you guys think about it?
> >
> > Thanks for the details.  And wow, the Cisco advisory[1] really tries to
> > shirk all responsibility for this mess by writing:
> >
> > "Cisco does not consider this a vulnerability in Cisco IOS, IOS XE, or
> the
> > Smart Install feature itself but a misuse of the Smart Install protocol,
> > which does not require authentication by design."
> >
> > Well maybe they shouldn't have introduced such a lame "feature" in the
> > first place.  And even though it is broken by design, there are lots of
> > ways that Cisco could have at least mitigated the problem.  Apparently
> they
> > only recently added a command to turn this crap off.
> >
> > Anyway, yeah, we'd like to see an NSE script or other Nmap features
> > related to this.  For example, does Nmap version detection (-sV) detect
> > this properly? Are there good ways to detect the vulnerability (beyond
> just
> > port 4786 being open) without reconfiguring the device or otherwise being
> > too intrusive?  I mean an exploitation feature is nice too, but often
> Nmap
> > users just want to learn as much as possible about the device and
> > vulnerability without doing anything too intrusive.
> >
> > Cheers,
> > Fyodor
> >
> >
> > [1]
> https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170214-smi
> > _______________________________________________
> > Sent through the dev mailing list
> > https://nmap.org/mailman/listinfo/dev
> > Archived at http://seclists.org/nmap-dev/
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: <
> https://nmap.org/mailman/private/dev/attachments/20190919/a7d11120/attachment.html
> >
>
> ------------------------------
>
> Message: 3
> Date: Thu, 19 Sep 2019 07:09:44 +0000
> From: "XenoN. w0w" <e-net15 () hotmail com>
> To: Robin Wood <robin () digininja org>, Fyodor <fyodor () nmap org>
> Cc: nmap list <dev () nmap org>
> Subject: Re: Cisco Smart Install script
> Message-ID:
>         <
> VI1PR0902MB17896F77F296C8D7CDC94F55FC890 () VI1PR0902MB1789 eurprd09 prod outlook com
> >
>
> Content-Type: text/plain; charset="us-ascii"
>
> What do you think should i submit PR for it at all? Even though it is
> feature, during pentesting engagements you can find out a lots of
> information and perhaps gain code exec depending on ios version.
> ________________________________
> From: Robin Wood <robin () digininja org>
> Sent: Thursday, September 19, 2019 9:06:39 AM
> To: Fyodor <fyodor () nmap org>
> Cc: XenoN. w0w <e-net15 () hotmail com>; nmap list <dev () nmap org>
> Subject: Re: Cisco Smart Install script
>
> If it's the same issue I think it is, Nessus reports it as an info. The
> one that they report on can also be used to do unauthenticated code exec
> but is a feature not "vulnerability" so not a problem.
>
> Robin
>
> On Mon, 9 Sep 2019, 18:34 Gordon Fyodor Lyon, <fyodor () nmap org<mailto:
> fyodor () nmap org>> wrote:
>
>
> On Mon, Aug 26, 2019 at 4:08 AM XenoN. w0w <e-net15 () hotmail com<mailto:
> e-net15 () hotmail com>> wrote:
> Hello guys, during penetration testing engagements I often come to cisco
> devices which allows me to grab their config over smart install protocol.
> I would like to make a script and add functionality of testing and getting
> config within the script.
> Here is the link for reference exploit https://github.com/Sab0tag3d/SIET
>
> What do you guys think about it?
>
> Thanks for the details.  And wow, the Cisco advisory[1] really tries to
> shirk all responsibility for this mess by writing:
>
> "Cisco does not consider this a vulnerability in Cisco IOS, IOS XE, or the
> Smart Install feature itself but a misuse of the Smart Install protocol,
> which does not require authentication by design."
>
> Well maybe they shouldn't have introduced such a lame "feature" in the
> first place.  And even though it is broken by design, there are lots of
> ways that Cisco could have at least mitigated the problem.  Apparently they
> only recently added a command to turn this crap off.
>
> Anyway, yeah, we'd like to see an NSE script or other Nmap features
> related to this.  For example, does Nmap version detection (-sV) detect
> this properly? Are there good ways to detect the vulnerability (beyond just
> port 4786 being open) without reconfiguring the device or otherwise being
> too intrusive?  I mean an exploitation feature is nice too, but often Nmap
> users just want to learn as much as possible about the device and
> vulnerability without doing anything too intrusive.
>
> Cheers,
> Fyodor
>
>
> [1]
> https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170214-smi
>
>
> _______________________________________________
> Sent through the dev mailing list
> https://nmap.org/mailman/listinfo/dev
> Archived at http://seclists.org/nmap-dev/
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: <
> https://nmap.org/mailman/private/dev/attachments/20190919/eeb97a0a/attachment.html
> >
>
> ------------------------------
>
> Subject: Digest Footer
>
> _______________________________________________
> dev mailing list
> dev () nmap org
> https://nmap.org/mailman/listinfo/dev
>
>
> ------------------------------
>
> End of dev Digest, Vol 174, Issue 8
> ***********************************
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/