Last year, fellow tester Jordan Drysdale wrote a blog post about Cisco's Smart Install feature. His blog post can be found here. If Smart Install is left enabled on a Cisco device, an attacker who can reach the service (it is unauthenticated) can download or upload the device's configuration file and even execute commands. Whether you use Smart Install or some other method to obtain a config file during a pentest, there is a tool called Cisco Config Analysis Tool, or CCAT, that will parse the file and flag weak settings for you. The same tool can help network administrators audit their own Cisco devices.
CCAT runs a set of checks against a single configuration file, or a folder of configuration files, supplied by the user. The checks are based on Cisco's Guide to Harden Cisco IOS Devices. The tool is written in Python and can be found at the following GitHub repository:
Running CCAT is straightforward and the tool offers several optional arguments:
In the command example below, I ran CCAT against a directory of config files retrieved from a few Cisco devices and saved the results:
C:>ccat.py config_files/ -output results
The console output listed the checks by category along with each result, color-coded to highlight areas that may need attention.
The output was also saved as one HTML file per config file in the "config_files" directory. Viewing these files in a browser shows a bit more than the console does: for each check marked red or yellow, there is a brief explanation of the finding and/or a suggested fix.
In the above example, three settings were shown in red and considered insecure. Dynamic ARP Inspection and DHCP snooping were both disabled, leaving this particular switch open to ARP spoofing and rogue DHCP servers, and therefore to man-in-the-middle (MitM) attacks on its access VLANs. Cisco Smart Install was also enabled, which is exactly the condition abused in Jordan's post. In summary, CCAT's output is useful on an engagement where testers want to highlight a device's misconfigurations that an attacker could abuse, and each finding comes with the hardening guide's recommended fix.
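To show what a config-file check of this kind actually does, here is a small Python checker written for this post; it is an added example and not CCAT's own code. It reads a Cisco IOS running-config as text, keeps only the global (unindented) lines, and applies the three findings discussed above. The sample configs are constructed, not captured from a real device, and the rule table is an assumption about how such checks are typically expressed: Smart Install is treated as enabled unless "no vstack" is present (IOS does not print a line for the default-on state), DHCP snooping requires both the global "ip dhcp snooping" and a per-VLAN line, and DAI requires "ip arp inspection vlan".

```python
"""Minimal Cisco IOS config checker in the spirit of CCAT (example code,
not CCAT's own). Runs three hardening checks against config text."""
import re

# Constructed sample: an access switch with Smart Install still on and no
# Layer-2 MitM protections (not a real device's config).
WEAK_CONFIG = """\
!
hostname access-sw-01
!
interface GigabitEthernet0/1
 switchport access vlan 10
!
end
"""

# The same switch after the three findings are fixed (also constructed).
HARDENED_CONFIG = """\
!
hostname access-sw-01
!
no vstack
ip dhcp snooping
ip dhcp snooping vlan 10
ip arp inspection vlan 10
!
interface GigabitEthernet0/24
 description uplink
 ip dhcp snooping trust
 ip arp inspection trust
!
end
"""

# Rule table (assumed, not CCAT's): each entry is (check name, regexes that
# must ALL match some global config line, remediation text on failure).
RULES = [
    ("Smart Install (vstack)",
     [r"^no vstack$"],
     "Add 'no vstack' unless Smart Install is genuinely used for provisioning"),
    ("DHCP snooping",
     [r"^ip dhcp snooping$", r"^ip dhcp snooping vlan \S+"],
     "Enable 'ip dhcp snooping' plus 'ip dhcp snooping vlan <list>'; trust uplinks"),
    ("Dynamic ARP Inspection",
     [r"^ip arp inspection vlan \S+"],
     "Enable 'ip arp inspection vlan <list>' (needs the DHCP snooping binding table)"),
]


def global_lines(config_text):
    """Return top-level config lines, dropping blanks, '!' comments and
    indented sub-mode lines (interface, line vty, etc.)."""
    out = []
    for raw in config_text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace():          # interface/sub-mode line, not global
            continue
        out.append(raw.rstrip())
    return out


def run_checks(config_text):
    """Apply every rule; a rule passes only if each of its regexes matches
    at least one global line. Returns a list of result dicts."""
    lines = global_lines(config_text)
    results = []
    for name, patterns, fix in RULES:
        ok = all(any(re.match(p, line) for line in lines) for p in patterns)
        results.append({"check": name,
                        "status": "PASS" if ok else "FAIL",
                        "fix": None if ok else fix})
    return results


def failed_checks(config_text):
    """Names of the checks that failed, in rule order."""
    return [r["check"] for r in run_checks(config_text) if r["status"] == "FAIL"]


def report(config_text, label):
    """Print a CCAT-style summary for one config."""
    print(f"== {label} ==")
    for r in run_checks(config_text):
        line = f"[{r['status']}] {r['check']}"
        if r["fix"]:
            line += f"  -> {r['fix']}"
        print(line)


if __name__ == "__main__":
    report(WEAK_CONFIG, "weak config")
    report(HARDENED_CONFIG, "hardened config")
```

Because Smart Install is judged by the absence of "no vstack", a config exported from a platform or image that never supported Smart Install will also show as a failure; treat that finding as "verify on the box" (for example by checking whether TCP/4786 is listening) rather than as proof of exposure.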