Smart Install Exploitation Tool
Switch branches/tags
Nothing to show
Clone or download
Latest commit b2a08a0 Jun 19, 2018
Failed to load latest commit information. Update Jun 19, 2018 New information added Sep 19, 2017 Adding check for python version! Apr 13, 2018
vuln_dev_list.txt Create vuln_dev_list.txt Mar 17, 2017


Smart Install Exploitation Tool

Cisco Smart Install is a plug-and-play configuration and image-management feature that provides zero-touch deployment for new switches. You can ship a switch to a location, place it in the network and power it on with no configuration required on the device.

You can easy identify it using nmap: nmap -p 4786 -v

This protocol has a security issue that allows:

  1. Change tftp-server address on client device by sending one malformed TCP packet.

  2. Copy client's startup-config on tftp-server exchanged previously.

  3. Substitute client's startup-config for the file which has been copied and edited. Device will reboot in defined time.

  4. Upgrade ios image on the "client" device.

  5. Execute random set of commands on the "client" device. IS a new feature working only at 3.6.0E and 15.2(2)E ios versions.

All of them are caused by the lack of any authentication in smart install protocol. Any device can act as a director and send malformed tcp packet. It works on any "client" device where smart install is enabled. It does not matter if it used smart install in the network or not.

Confim from vendor:


This simple tool helps you to use all of them.


You can use it for password recovery of for unlock cisco switch when no password provided.

Example: sudo python -g -i

-t test device for smart install.

-g get device config.

-c change device config.

-u update device IOS.

-e execute commands in device's console.

-i ip address of target device

-l ip list of targets (file path)

--thread-count number of threads to be spawned


New option "-l". You can use list of ip addresses for getting configuration file.

Fix bug with incorrect test of device.