Cisco devices have an integrated Tcl interpreter that allows us to run scripts, with everything that implies. Running code on network hardware has the advantage that these devices usually receive far less attention than classic servers. They are also rarely reinstalled or replaced, which allows for greater persistence. Additionally, if the resulting network traffic is picked up by an IDS and reviewed by a novice sysadmin, they will take it for legitimate traffic.
First, we will set up a tftp server to pass the script:
We indicate the directory that will be served:
TFTPD_ROOT="/tftproot"
We adjust the permissions and start the service:
/home/kr0m> /etc/init.d/atftp start
We download the script:
/tftproot> wget http://www.alfaexploit.com/files/scanip8a.tcl
We download the script onto the router/switch:
netNode#show flash
433 -rwx 3791 Dec 15 1993 02:21:18 +01:00 scanip8a.tcl
We perform a scan against the IP A.A.A.A:
A.A.A.A:21 Port Closed: <connection refused>
A.A.A.A:22 Port Open:
A.A.A.A:23 Port Closed: <connection refused>
A.A.A.A:25 Port Closed: <connection refused>
A.A.A.A:80 Port Closed: <connection refused>
A.A.A.A:110 Port Closed: <connection refused>
A.A.A.A:443 Port Closed: <connection refused>
A.A.A.A:445 Port Closed: <connection timed out>
A.A.A.A:3128 Port Closed: <connection refused>
A.A.A.A:8080 Port Closed: <connection refused>
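As an added example (not part of the original post), a small Python audit helper that a defender can run over captured `show flash` and `show running-config` output to spot Tcl scripts dropped into flash, like the one above, and configuration lines that load Tcl code automatically. The file names and config lines it contains are constructed samples; `scripting tcl init` and `event manager policy` are IOS commands that load Tcl code at boot and are assumed here to be the relevant indicators.

```python
import re

# Constructed sample of `show flash` output, modelled on the listing format
# shown above (index, permissions, size, date, time, offset, file name).
SHOW_FLASH = """\
433 -rwx 3791 Dec 15 1993 02:21:18 +01:00 scanip8a.tcl
1   -rwx 10234 Mar 3 2012 10:00:00 +01:00 c2960-lanbasek9-mz.150-2.SE.bin
2   -rwx 1024 Mar 3 2012 10:00:00 +01:00 config.text
"""

# Constructed sample of `show running-config` lines (hypothetical values)
# that auto-run Tcl at boot or register an Embedded Event Manager policy.
RUNNING_CONFIG = """\
hostname netNode
scripting tcl init flash:scanip8a.tcl
event manager policy persist.tcl
"""

# A flash listing line: index, permissions, size, then the name as last token.
FLASH_LINE = re.compile(r"^\s*\d+\s+\S+\s+\d+\s+.*?\s(\S+)\s*$")
# Global config commands that cause Tcl code to be loaded without a user session.
TCL_CONFIG = re.compile(r"^\s*(scripting tcl init|event manager policy)\s+(\S+)")


def tcl_files_in_flash(listing):
    """Return the names of files in a `show flash` listing that end in .tcl."""
    found = []
    for line in listing.splitlines():
        m = FLASH_LINE.match(line)
        if m and m.group(1).lower().endswith(".tcl"):
            found.append(m.group(1))
    return found


def tcl_autoload_lines(config):
    """Return (command, target) pairs for config lines that auto-run Tcl."""
    return [(m.group(1), m.group(2))
            for m in map(TCL_CONFIG.match, config.splitlines()) if m]


def audit(listing, config):
    """Combine both checks into a list of human-readable findings."""
    findings = [f"flash: Tcl script present: {name}"
                for name in tcl_files_in_flash(listing)]
    findings += [f"config: '{cmd}' loads {target} automatically"
                 for cmd, target in tcl_autoload_lines(config)]
    return findings


if __name__ == "__main__":
    for finding in audit(SHOW_FLASH, RUNNING_CONFIG):
        print(finding)
```

On a real device the same checks can be fed the output of `dir flash:` and `show running-config` collected over the management channel, so that unexpected `.tcl` files or autoload lines show up in a routine config audit.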
There is a website that has several very interesting scripts:
https://www.packetlevel.ch/html/cisco/ciscotcl.html
And this project can be very useful for pivoting from a router/switch:
https://github.com/mohemiv/TCLtools