Kali Linux comes preloaded with a myriad of useful penetration testing and scanning tools. Some might even argue that it comes with too many, because it can be hard to find the right tool for the job, especially if you've never heard of it before. Nevertheless, today we're going to look at a tool called Cisco-Torch, which has a variety of applications.
In addition to being an attack tool, it can also be used for fingerprinting and reconnaissance. To be fair, a few of its functions overlap with those of other tools; most reconnaissance tools provide similar mechanisms for scanning the local network.
However, don't assume that this program is identical to another scanner such as Nmap. Beyond its password-attack features, Cisco-Torch differs from simpler scanners in that it runs its scan types in parallel against many hosts at once, for greater speed and efficiency. It also fingerprints at the application layer of the OSI model (Telnet, SSH, SNMP, NTP, TFTP and web server banners), which gives it more Cisco-specific detail than a plain port scan. Nmap's service detection (-sV) and NSE scripts work at the same layer, but in a generic, vendor-neutral way.
And while Nmap is adept at scanning networks for individual ports and services, Cisco-Torch takes things one step further. Not only can it scan a network for devices accepting Telnet, HTTP and SSH connections (services that commonly identify networking devices such as routers, switches, firewalls and servers), it can also run dictionary attacks against the discovered hosts, depending on the service and device type it finds.
What Are Cisco-Torch’s Capabilities?
Sometimes it's hard to pin down exactly what a tool can and can't be used for. Cisco-Torch, however, is fairly straightforward, because it has a specific set of applications. First off, note that Cisco-Torch can scan for the following services to identify hosts that can be attacked:
Cisco Telnet daemon
Cisco SSH daemon
Cisco SNMP agent
NTP fingerprinting
TFTP fingerprinting (including Cisco config or TFTP file download)
Cisco Webserver scan
Cisco Webserver with SSL support scan
Cisco IOS HTTP Authorization Vulnerability Scan
The bottom line is that Cisco-Torch, as the name implies, is built to scan for and identify Cisco hosts, though it can also discover other vendors' networking devices that accept those same connections.
Host identification is a necessary first step in many attacks, but it isn't always the most important function of a tool. Once a host has been identified, Cisco-Torch can launch dictionary-based password attacks against it (the -b option, paired with one of the service scans).
Cisco-Torch Command Flags and Syntax
Like just about every other command on Linux systems, Cisco-Torch has a help screen. However, unless you have quite a bit of experience in the IT industry, some of the options' functions may not be readily apparent and bear further discussion. The following outlines the command syntax and available options:
usage: cisco-torch <options> <IP,hostname,network>
or: cisco-torch <options> -F <hostlist>
-O <output file>
-A All fingerprint scan types combined
-t Cisco Telnetd scan
-s Cisco SSHd scan
-u Cisco SNMP scan
-g Cisco config or tftp file download
-n NTP fingerprinting scan
-j TFTP fingerprinting scan
-l <type> loglevel
   c critical (default)
-w Cisco Webserver scan
-z Cisco IOS HTTP Authorization Vulnerability Scan
-c Cisco Webserver with SSL support scan
-b Password dictionary attack (use with -s, -u, -c, -w, -j or -t only)
-V Print tool version and exit
Two points are worth spelling out. The -A option combines every fingerprint scan type into a single run, and is the flag used in the examples that follow. The lowercase c shown under -l is an argument to the log level option (-l c), not the -c SSL web server scan; don't confuse the two when reading the help screen.
First and foremost, I'd like to point out how convenient this tool is. With Nmap, you typically spell out each kind of scan you want to perform: the subnet, host or range of hosts, the scan type, port ranges and other parameters, all before running it.
While you still need to specify the target(s) with Cisco-Torch, one flag (-A) runs every available fingerprint scan against a host or range. For instance, the following command runs all fingerprint scan types against the desired host:
cisco-torch -A 10.1.1.54
The above command scans a single target host. Now let's pretend the host was found to be accepting Telnet connections. To run a dictionary attack against its Telnet login, you combine the Telnet scan with the -b option:
cisco-torch -t -b 10.1.1.54
Keep in mind that -b is loud: every guess is a failed login on the target, which a real device may log, rate-limit or answer with an account lockout, so this is a step for lab equipment you own or a network you are explicitly authorised to test.
Now, however, let's pretend you're doing real-world host discovery rather than testing tools on your own lab network (which is what you should be doing). To scan an entire network or subnet, append the CIDR prefix length to the network address, remembering your binary math so that the prefix actually covers the range you mean:
cisco-torch -A 10.1.1.0/24
This command runs all fingerprint scan types against the 10.1.1.0/24 subnet, which is 256 addresses in total. The result won't be instantaneous, so be patient with the process. One note on the comparison with Nmap: a general-purpose scanner can sweep the same subnet for open Telnet, SSH, SNMP and HTTP ports in a single run, but it doesn't bundle Cisco-specific fingerprinting and password attacks into one command, so reproducing what -A followed by -b does means chaining several tools and scans by hand.
Doing them individually could take hours, so there is real value in the parallel scanning Cisco-Torch uses to cover a range in one pass.
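As an added example (this script is mine, not code from the article or the Cisco-Torch project), here is a small POSIX shell wrapper around the flags discussed above. It refuses any target that falls outside an explicit allow-list, expands a /24 into the one-address-per-line hostlist that -F reads (that line format is my assumption), and only then runs the -A sweep followed by the Telnet dictionary attack, each logged to its own -O file. The SCOPE ranges, the output directory and the 10.1.1.0/24 target are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the article or the Cisco-Torch project.
# Wraps the cisco-torch flags discussed above (-A, -t, -b, -F, -O) in a
# scope-checked workflow so a typo does not turn a lab sweep into a scan
# of somebody else's network.
set -eu

# Constructed assumption: the ranges you are authorised to test.
SCOPE="10.1.1.0/24 192.168.56.0/24"

# ip_to_int A.B.C.D -> the address as a 32-bit integer
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# in_scope TARGET -> success if TARGET (host or CIDR) lies inside one SCOPE range
in_scope() {
    target=$1
    t_ip=${target%%/*}
    t_len=${target#*/}
    [ "$t_len" = "$target" ] && t_len=32   # bare host: treat as /32
    t_int=$(ip_to_int "$t_ip")
    for range in $SCOPE; do
        r_ip=${range%%/*}
        r_len=${range#*/}
        r_int=$(ip_to_int "$r_ip")
        mask=$(( (0xFFFFFFFF << (32 - r_len)) & 0xFFFFFFFF ))
        # target must be no wider than the range and share its network bits
        if [ "$t_len" -ge "$r_len" ] && [ $(( t_int & mask )) -eq $(( r_int & mask )) ]; then
            return 0
        fi
    done
    return 1
}

# expand_cidr24 NET/24 FILE -> write the 254 usable hosts, one per line,
# as the hostlist that -F consumes (assumed format: one address per line)
expand_cidr24() {
    net=${1%%/*}
    base=${net%.*}
    out=$2
    : > "$out"
    i=1
    while [ "$i" -le 254 ]; do
        echo "$base.$i" >> "$out"
        i=$(( i + 1 ))
    done
}

# torch_sweep NET/24 OUTDIR -> fingerprint the range, then dictionary-attack Telnet
torch_sweep() {
    target=$1
    outdir=$2
    if ! in_scope "$target"; then
        echo "refusing out-of-scope target: $target" >&2
        return 2
    fi
    if ! command -v cisco-torch >/dev/null 2>&1; then
        echo "cisco-torch is not installed" >&2
        return 3
    fi
    mkdir -p "$outdir"
    expand_cidr24 "$target" "$outdir/hosts.txt"
    # 1. all fingerprint scan types against the whole range
    cisco-torch -A -O "$outdir/fingerprint.log" "$target"
    # 2. Telnet dictionary attack, driven from the hostlist
    cisco-torch -t -b -O "$outdir/telnet-dict.log" -F "$outdir/hosts.txt"
}

# Usage: ./torch-sweep.sh 10.1.1.0/24 ./torch-out
if [ -n "${1:-}" ]; then
    torch_sweep "$1" "${2:-./torch-out}"
fi
```

The scope check is the part worth keeping even if you never use the rest: it rejects a target that is wider than any authorised range (10.1.0.0/16 is refused even though 10.1.1.0/24 is allowed), so the allow-list, not a hurried command line, decides what gets scanned. The second cisco-torch call attacks every address in the hostlist rather than only those the -A sweep found speaking Telnet; if you want that narrower list, filter hosts.txt from the fingerprint log before running it.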
Nmap is the more robust scanning tool, with more general and flexible options. Cisco-Torch, however, is more specialized: it's built to identify Cisco hosts (though it can identify other vendors' equipment as well) and to run fingerprint scans and password attacks against them. You might think a tool that specializes in attacks against a single vendor isn't worth much.
But consider this: Cisco Systems holds one of the largest shares of the enterprise routing and switching market. You're going to find Cisco products (routers, switches, ASAs, etc.) far more often than competitors' equipment such as Juniper, Dell or the other runners-up in the networking world.
And lastly, while I don't recommend snooping around a corporate network or launching attacks against your ISP, I do encourage you to try this tool out on your own home network. Use Kali responsibly; I don't advocate breaking the law.