Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/mohemiv/tcltools

Сollection of TCL scripts for Cisco IOS penetration testing
https://github.com/mohemiv/tcltools

Last synced: 3 months ago
JSON representation

Сollection of TCL scripts for Cisco IOS penetration testing

Awesome Lists containing this project

README

        

TCL scripts for Cisco IOS penetration testing
=======
With TCLtools you can transform any Cisco IOS hardware into a pivoting station. It's easy to set up and use!

Features
---------------------------

* TCLmap — Port scanner implementation (nmap)
* TCLproxy — Proxy server implementation

TCLproxy
--------
TCLproxy is a tool for pivoting through Cisco devices. It's capable to forward any TCP port or launch a proxy server.

```
TCLproxy v0.0.3

Usage: tclsh ./tclproxy.tcl [-L address]... [-D address]...

Proxy server implementation. Binary protocols are supported.

-L [bind_address:]port:remote_host:remote_port
Forward a remote port to a local port.
Multiple connections and multiple forwards are supported.

-D [bind_address:]port
Launch a SOCKS4a proxy server.

Forwarding between VRF tables:
-D [VRF_table_for_listening@][bind_address]:port[@VRF_table_for_outbound_connections]
-L [VRF_table_for_listening@][bind_address]:port[@VRF_table_for_outbound_connections]:remote_host:remote_port

optional arguments:
-f, --disable-eof-check Speed increases by 1-15 KB/s, but connections don't close automatically. Dangerous!
-h, --help Show this help message and exit.
-q, --disable-output Quite mode. In this mode, you can disconnect from the console without script termination. Dangerous!
-l, --low-ports Use privileged source ports. Required for NFS (source port increments from 1 to 1023 every connection)
-n, --disable-dns Do not resolve DNS names in SOCKS mode

The effect of --disable-eof-check and --disable-output options depends on hardware architecture and firmware version.
TCLproxy will not work for port scanning, use tclmap.tcl instead.

example:
$ sudo py3tftp -p 69
cisco# configure terminal
cisco(config)# scripting tcl low-memory 5242880
cisco(config)# end
cisco# copy tftp://192.168.1.10/tclproxy.tcl flash:/
cisco# tclsh tclproxy.tcl -h
cisco# tclsh tclproxy.tcl -L 5901:10.0.0.1:445 -D :5902@enterpriseVRF -D 5900
...
cisco# del flash:/tclproxy.tcl

```

About TCL
=========
TCL is a high-level, general-purpose, interpreted, dynamic programming language. Cisco IOS implements TCL 8.3.4:

```
cisco# tclsh
cisco(tcl)# puts $tcl_version
8.3

cisco(tcl)# puts $tcl_patchLevel
8.3.4
```

How to use TCLtools
===========================
TCLtools requires privilege level 15 on the hardware.

There are four methods to upload TCL scripts:

1. Copy tcl script from ftp or tftp server:

```
$ sudo py3tftp -p 69
or
$ python2 -m pyftpdlib

cisco# copy tftp://192.168.1.10/tclproxy.tcl flash:/
cisco# copy ftp://192.168.1.10:2121/tclproxy.tcl flash:/
cisco# tclsh tclproxy.tcl

or

cisco# tclsh ftp://192.168.1.10:2121/tclproxy.tcl
```

2. Create new file via tclsh:

```
$ cat tclproxy.tcl | sed -E 's/([{}$\[])/\\\1/g'
cisco# tclsh
cisco(tcl)# puts [open "flash:tclproxy.tcl" w+] {
cisco(tcl)# ; Copy file contents onto this
cisco(tcl)# }
cisco(tcl)# exit
cisco#
cisco# tclsh tclproxy.tcl
```

3. Set $argv var and put script code into tclsh (non-recommended):

```
cisco# tclsh
cisco(tcl)# set argv [list -D 1080]
cisco(tcl)# ; Copy file contents onto this
```

4. Use "scripting tcl init" command (non-recommended):

```
cisco# configure terminal
cisco(config)# scripting tcl init ftp://192.168.1.10/tclproxy.tcl
cisco(config)# end
cisco# tclsh
```

A good practice is to set the minimum size of free memory:

```
cisco# configure terminal
cisco(config)# scripting tcl low-memory 5242880
cisco(config)# end
```

In addition to, or instead of, you can view device performance with the following commands:

```
cisco# show processes cpu | i Tcl
cisco# show processes mem | i Tcl
```

Remarks
=======================

* Do not use TCLproxy for TCP/IP port scanning. Because Cisco doesn't implement -async socket option, socks server is interrupted for 30 seconds after every connection to any filtered port.
* Outdated IOS versions can redirect TCL output to another console. It's an IOS bug.
* If you disconnect from the console, TCL script stops after the next output.

Tested on Cisco 2811 / Cisco 2821 Integrated Services Router, Cisco Catalyst 2960, and Cisco Catalyst 3750-X.

Contact Us
==========

You can Open a New Issue to report a bug or suggest a new feature to improve the project. Or you can drop a few lines at [email protected].