# Cisco Smart Install - PORT 4786

{% tabs %}
{% tab title="Support VeryLazyTech 🎉" %}

* Become VeryLazyTech [**member**](https://whop.com/verylazytech/)**! 🎁**
* **Follow** us on:
  * **✖ Twitter** [**@VeryLazyTech**](https://x.com/verylazytech)**.**
  * **👾 Github** [**@VeryLazyTech**](https://github.com/verylazytech)**.**
  * **📜 Medium** [**@VeryLazyTech**](https://medium.com/@verylazytech)**.**
  * **📺 YouTube** [**@VeryLazyTech**](https://www.youtube.com/@VeryLazyTechOfficial)**.**
  * **📩 Telegram** [**@VeryLazyTech**](https://t.me/+mSGyb008VL40MmVk)**.**
  * **🕵️‍♂️ My Site** [**@VeryLazyTech**](https://www.verylazytech.com/)**.**
* Visit our [**shop** ](https://whop.com/verylazytech/)for e-books and courses.  📚
{% endtab %}
{% endtabs %}

### Basic info

Cisco Smart Install (SMI) is a **plug-and-play feature** designed to simplify deploying new Cisco devices:

* Allows network admins to **push configs and images** automatically.
* Runs on **TCP port 4786**.
* Works without authentication (originally designed for trusted enterprise environments).

**The problem?** It trusted *anyone* connecting to it. 😎

***

### Enumeration

Nmap:

```bash
nmap -p 4786 --open -sV TARGET
```

To hunt on the entire internet (Shodan):

```
port:4786 product:"Cisco"
```

{% embed url="https://www.shodan.io/search?query=smart%20install%20client%20active" %}

***

### Exploitation

Several public PoCs exist. Let’s break it down:

1. **Check if Smart Install is enabled**:

   ```bash
   nmap --script cisco-smi -p 4786 TARGET
   ```
2. **Use the [Smart Install Exploitation Tool (SIET)](https://github.com/Sab0tag3d/SIETpy3)** <a href="#smart-install-exploitation-tool" id="smart-install-exploitation-tool"></a>

In 2018, a critical vulnerability, **CVE-2018-0171**, was found in this protocol. Its CVSS score is 9.8.

A specially crafted packet sent to TCP/4786 on a device where Cisco Smart Install is active triggers a buffer overflow, allowing an attacker to:

* forcibly reboot the device
* achieve remote code execution
* steal the configuration of the network equipment.

[**SIET**](https://github.com/Sab0tag3d/SIETpy3) (Smart Install Exploitation Tool) was developed to exploit this vulnerability and lets you abuse Cisco Smart Install. In this article I will show you how to read a legitimate network device's configuration file. Config exfiltration is valuable for a pentester because it reveals the unique features of the network, which makes the rest of the engagement easier and helps uncover new attack vectors.

The target device will be a "live" Cisco Catalyst 2960 switch. Virtual images do not include Cisco Smart Install, so you can only practice on real hardware.

The address of the target switch is **10.10.100.10** and Smart Install is active. Load SIET and start the attack. The **-g** argument requests exfiltration of the configuration from the device; the **-i** argument sets the IP address of the vulnerable target.

```bash
~/opt/tools/SIET$ sudo python3 siet.py -g -i 10.10.100.10
```


The configuration of the switch **10.10.100.10** will be written to the **tftp/** folder.


### Vulnerability Breakdown (CVE-2018-0171)

* **Type:** Remote Code Execution (RCE)
* **Affected Products:** Cisco switches, routers, and Catalyst devices running Smart Install.
* **Attack Vector:** Malicious Smart Install packets crafted to trigger the buffer overflow.
* **Impact:** Full device compromise (execute arbitrary code, wipe configs, reroute traffic).

**POC**: <https://github.com/AlrikRr/Cisco-Smart-Exploit>
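As an added defender-side example (not code from the original page, from SIET or from the PoC repository): the script below parses the XML output (`-oX`) of the nmap scan shown in the Enumeration section, cross-checks each device's `show running-config` for the global `no vstack` line that disables Smart Install on IOS, and reports which devices are still exposed. The XML, IP addresses and config excerpts are constructed samples.

```python
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -p 4786 -sV -oX scan.xml ...` output; addresses are made up.
SAMPLE_NMAP_XML = """<?xml version="1.0"?><nmaprun scanner="nmap">
<host><status state="up"/><address addr="10.10.100.10" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="4786"><state state="open"/><service product="Cisco Smart Install"/></port></ports></host>
<host><status state="up"/><address addr="10.10.100.11" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="4786"><state state="open"/><service product="Cisco Smart Install"/></port></ports></host>
<host><status state="up"/><address addr="10.10.100.12" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="4786"><state state="closed"/></port></ports></host>
</nmaprun>"""

# Constructed `show running-config` excerpts keyed by management IP. Smart Install is on
# by default, so a device that still has it enabled shows no vstack line at all.
SAMPLE_CONFIGS = {
    "10.10.100.10": "hostname sw-access-1\n!\nline vty 0 4\n",
    "10.10.100.11": "hostname sw-access-2\n!\nno vstack\n!\nline vty 0 4\n",
    "10.10.100.12": "hostname sw-access-3\n!\nno vstack\n!\nline vty 0 4\n",
}

def hosts_with_smi_open(nmap_xml: str) -> list[str]:
    """Return IPv4 addresses whose TCP/4786 state is 'open' in nmap XML output."""
    exposed = []
    for host in ET.fromstring(nmap_xml).findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        for port in host.findall("ports/port"):
            state = port.find("state")
            if (port.get("protocol") == "tcp" and port.get("portid") == "4786"
                    and state is not None and state.get("state") == "open"):
                exposed.append(addr.get("addr"))
    return exposed

def smart_install_disabled(running_config: str) -> bool:
    """True if the config carries the global 'no vstack' line that disables Smart Install."""
    return any(line.strip() == "no vstack" for line in running_config.splitlines())

def triage(nmap_xml: str, configs: dict[str, str]) -> dict[str, str]:
    """exposed: 4786 open and vstack on; disabled: no vstack and port not open; verify: config
    says disabled but the port still answered (stale scan or config not saved to startup)."""
    open_hosts = set(hosts_with_smi_open(nmap_xml))
    verdicts = {}
    for ip, cfg in configs.items():
        disabled = smart_install_disabled(cfg)
        if ip in open_hosts:
            verdicts[ip] = "verify" if disabled else "exposed"
        else:
            verdicts[ip] = "disabled" if disabled else "unscanned"
    return verdicts
```

Run `triage(SAMPLE_NMAP_XML, SAMPLE_CONFIGS)` against your own scan file and config exports; any "exposed" or "verify" device is where `no vstack` (or a Smart Install ACL, if the feature is needed) should be applied and re-checked.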

