In previous articles, we investigated how to scan ports using a TCL script from IOS. Now, let’s see how to redirect ports and create a socks4 proxy. This method is very stealthy because most sysadmins don’t suspect this type of device, assuming it is too dumb for such use, but nothing could be further from the truth.
The tool in question is the following: https://github.com/mohemiv/TCLtools. Its website lists several ways to upload TCL code: the first two are considered secure, the other two are not. In my test environment, I tried the two secure methods, but it only worked using the TFTP server.
In the last article, we set up a TFTP server, but doing it with Python is easier and faster than setting up that service. Install the necessary libraries:
Create the directory where we will download the tool:
cd TCLtools
Download the script either from the project repository or from Alfaexploit:
wget https://www.alfaexploit.com/files/tclproxy.tcl
Start the TFTP server:
Access the IOS device and switch to enable mode:
User Access Verification
Password:
netNode>enable
Password:
netNode#
Copy the script to the device’s flash:
We verify that it has been stored correctly:
Directory of flash:/
431 -rwx 16624 May 6 1993 10:00:39 +01:00 tclproxy.tcl
We execute the script in proxySocks mode:
With curl, we can use this proxy as follows:
WANIPIOS
Great!! As we can see, our public IP is that of the IOS router.
It also allows port forwarding. In this case, anything that arrives at port 1234 will end up at 216.58.211.35:80, one of the IPs of google.es:
We verify the redirection using curl:
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="http://www.google.com:7755/">here</A>.
</BODY></HTML>
We see the response from the Google server, but we have used the IOS router as an intermediate bridge.
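On the monitoring side, the socks4 mode shown earlier is recognisable on the wire: the client's first payload is a SOCKS4 request, which a router's own address should never receive. The following is an added example, not code from this article or from TCLtools; it parses that request and flags flows addressed to known network devices. The flow tuple layout, the addresses (documentation ranges) and the ports are assumptions constructed for the example.

```python
import ipaddress
import struct

def parse_socks4_request(payload: bytes):
    """Parse a SOCKS4/SOCKS4a client request; return None if it is not one."""
    if len(payload) < 9:  # VN, CD, DSTPORT(2), DSTIP(4) + USERID terminator
        return None
    vn, cd, port, raw_ip = struct.unpack("!BBH4s", payload[:8])
    if vn != 4 or cd not in (1, 2) or port == 0:  # CD 1=CONNECT, 2=BIND
        return None
    fields = payload[8:].split(b"\x00")
    if len(fields) < 2:  # USERID must be NUL-terminated
        return None
    host = None
    # SOCKS4a: DSTIP 0.0.0.x (x != 0) means a NUL-terminated hostname follows
    if raw_ip[:3] == b"\x00\x00\x00" and raw_ip[3] != 0:
        if len(fields) < 3 or not fields[1]:
            return None
        host = fields[1].decode("ascii", "replace")
    return {
        "command": "CONNECT" if cd == 1 else "BIND",
        "dst": host or str(ipaddress.IPv4Address(raw_ip)),
        "port": port,
        "userid": fields[0].decode("ascii", "replace"),
    }

def find_proxy_use(flows, device_ips):
    """Return flows sent to a network device whose first payload is SOCKS4."""
    hits = []
    for src, dst, dport, payload in flows:
        req = parse_socks4_request(payload) if dst in device_ips else None
        if req:
            hits.append((src, dst, dport, req))
    return hits

# Constructed sample data: (src, dst, dst_port, first client payload).
DEVICE_IPS = {"192.0.2.1"}  # assumed inventory of router/switch addresses
SAMPLE_FLOWS = [
    ("198.51.100.10", "192.0.2.1", 1080, b"\x04\x01\x00\x50\xcb\x00\x71\x05\x00"),
    ("198.51.100.10", "192.0.2.1", 1080,
     b"\x04\x01\x01\xbb\x00\x00\x00\x01u\x00example.org\x00"),
    ("198.51.100.11", "192.0.2.1", 22, b"SSH-2.0-OpenSSH_9.6\r\n"),
    ("198.51.100.12", "203.0.113.9", 1080, b"\x04\x01\x00\x50\xcb\x00\x71\x05\x00"),
]

if __name__ == "__main__":
    for src, dst, dport, req in find_proxy_use(SAMPLE_FLOWS, DEVICE_IPS):
        print(f"{src} -> {dst}:{dport} SOCKS4 {req['command']} {req['dst']}:{req['port']}")
```

The check keys on the payload rather than the port, so it still matches if the proxy listens on a non-default port.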