  ################################################################
  #Cisco Torch Mass Cisco Vulnerability Scanner version 0.1 alpha#
  ################################################################

  ________________________________________________________________
  Born by Arhont Team, 2005.  http://www.arhont.com
  Special thanks to Boris Chernov for checking the code and suggestions.
  ----------------------------------------------------------------

Basically, in the process of writing "Hacking Exposed Cisco Networks" we got dissatisfied 
with the Cisco scanners currently available and decided to write our own. Some code
(taking input, the telnet fingerprint scan and several entries in the fingerprinting database) 
is borrowed from Hackbot - thank you guys for writing an excellent tool! The main 
feature that sets cisco-torch apart from similar tools is its extensive use of forking 
to launch multiple scanning processes in the background for maximum scanning efficiency. 
It also uses several methods of application layer fingerprinting simultaneously, if needed.
We wanted something fast to discover remote Cisco hosts running Telnet, SSH, Web 
and SNMP services and launch dictionary attacks against the services discovered. 
It should be fast enough to crunch through a large company or a small country (like the UK :-) 
In addition, the tool finds the classical, but still relevant, Cisco IOS HTTP Auth and Cisco 
Catalyst 3500 XL Remote Arbitrary Command Execution vulnerabilities. We could 
(and will) add more vulnerabilities to check for, but mind that we are not interested in 
DoS, only enable :-)

This alpha version does not contain a proper SNMP scanner / dictionary attack feature
tuned for mass scanning of Cisco hosts. The next release will contain it and more. 


DISCLAIMER.

Cisco Torch is written for legitimate penetration testing, network hardening and educational
purposes. The authors are not responsible for any possible misuse of the tool. 


INSTALLATION AND USE.

1. Make sure that you have the following Perl modules installed:

 Net::hostent;
 Net::Telnet;
 Net::SSH::Perl;

2. Modify the variables at the beginning of the program to suit your needs:

$max_processes=20;                 # maximum number of forked scanning processes
$hosts_per_process=10;             # hosts handed to each scanning process
$passfile="password.txt";          # password dictionary for the login checks
$usersfile="users.txt";            # usernames to try
$fingerprintdb="fingerprint.db";   # Telnetd fingerprint database
$tmplogprefix="/tmp/tmplog";       # prefix for the per-process temporary logs
$logfile="scan.log";               # final, merged scan log
$llevel="c";

3. Run perl cisco-torch.pl to see the options available. A scan should produce output similar to the following:

 # perl cisco-torch.pl -A 192.168.XXX.XXX

###############################################################
#   Cisco Torch Mass Scanner alpha version                    #
#   Becase we need it...                                      #
#   http://www.arhont.com/cisco-torch.pl                      #
###############################################################

List of targets contains 1 host(s)
8711:   Checking 192.168.66.202 ...
Fingerprint:                    2552511255251325525324255253311310
Description:                    Cisco IOS host (tested on 2611,2950 and Aironet 1200 AP)
Fingerprinting Successful

Cisco found by SSH banner SSH-1.5-Cisco-1.25

HTTP/1.1 401 Unauthorized
Date: Tue, 25 Jan 2005 00:02:18 GMT
Server: cisco-IOS
Accept-Ranges: none
WWW-Authenticate: Basic realm="level_15_access"

401 Unauthorized

--->
- All scans done. Cisco Torch Mass Scanner 0.1 -
---> Exiting.

The output is also stored in the scan.log file (or whatever you name it). Note that if a host is 
fingerprinted as a Cisco box via Telnet and/or SSH but does not show up as an IOS-running host 
on the web server check, it is likely to be a Catalyst. For example, this is a Cisco Catalyst 2950:

List of targets contains 1 host(s)
9467:   Checking 192.168.77.254 ...
Fingerprint:                    2552511255251325525324255253311310
Description:                    Cisco IOS host (tested on 2611, 2950 and Aironet 1200 AP)
Fingerprinting Successful

HTTP/1.0 501 Not Implemented
Date: Tue, 25 Jan 2005 03:28:04 0
Content-type: text/html
Expires: Thu, 16 Feb 1989 00:00:00 GMT

<H1>501 Not Implemented</H1>
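As an added example that is not part of Cisco Torch, a small Python parser for the log format shown above that applies the Catalyst heuristic from the preceding paragraph to each host. The sample log is constructed from the two excerpts in this README, and the parser assumes each host's output is written to the log contiguously.

```python
import re

# Constructed sample in the shape of the scan.log excerpts above (blank lines
# dropped); the parser assumes each host's output lands contiguously in the log.
SAMPLE_LOG = """8711:   Checking 192.168.66.202 ...
Fingerprint:                    2552511255251325525324255253311310
Description:                    Cisco IOS host (tested on 2611,2950 and Aironet 1200 AP)
Cisco found by SSH banner SSH-1.5-Cisco-1.25
HTTP/1.1 401 Unauthorized
Server: cisco-IOS
WWW-Authenticate: Basic realm="level_15_access"
9467:   Checking 192.168.77.254 ...
Fingerprint:                    2552511255251325525324255253311310
Description:                    Cisco IOS host (tested on 2611, 2950 and Aironet 1200 AP)
HTTP/1.0 501 Not Implemented
"""

HOST_RE = re.compile(r"^\d+:\s+Checking (\S+) \.\.\.", re.M)
FIELDS = {  # record key -> pattern searched within one host's block
    "fingerprint": r"^Fingerprint:\s+(\S+)",
    "description": r"^Description:\s+(.+?)\s*$",
    "ssh_banner": r"^Cisco found by SSH banner (\S+)",
    "http_status": r"^HTTP/\d\.\d (\d{3}.*?)\s*$",
    "http_server": r"^Server:\s+(\S+)",
    "http_realm": r'^WWW-Authenticate:\s+Basic realm="([^"]*)"',
}

def classify(rec):
    """README heuristic: Cisco by Telnet/SSH but no cisco-IOS web server -> likely a Catalyst."""
    if (rec["http_server"] or "").lower() == "cisco-ios":
        return "Cisco IOS (web server header confirms)"
    if rec["ssh_banner"] or "Cisco" in (rec["description"] or ""):
        return "Cisco, likely Catalyst (no IOS web server)"
    return "not identified as Cisco"

def parse_scan_log(text):
    """Return one dict per 'Checking <ip>' block, with the README verdict attached."""
    marks, hosts = list(HOST_RE.finditer(text)), []
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(text)
        block = text[m.end():end]
        rec = {"ip": m.group(1)}
        for key, pattern in FIELDS.items():
            hit = re.search(pattern, block, re.M)
            rec[key] = hit.group(1) if hit else None
        rec["verdict"] = classify(rec)
        hosts.append(rec)
    return hosts
```

Feed parse_scan_log() the contents of your own scan.log to get an inventory of which discovered hosts expose an IOS web interface (and its Basic auth realm) and which are probably Catalysts.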

Keep in mind that PIX firewalls usually employ HTTPS by default, so you will not discover their HTTPSd 
using this tool. Also keep in mind that on a PIX without aaa authentication the default username for 
SSH login is "pix". 


BUGS.

It is an alpha release and there are probably bugs lurking. 
Please send bug reports and comments to info@arhont.com


FINGERPRINTS.

Collecting and adding Telnetd fingerprints of Cisco devices using the tool is very easy. 
For now, the fingerprint.db shipped with the tool is limited, containing signatures from Hackbot,
the TESO Team telnetftp and our testing lab. Please send any Cisco-relevant Telnetd fingerprints 
you discover to us at info@arhont.com so that we can verify and include them in future
releases. Also, please add further devices and comments to what is already in the database. 
We have tested what we have at hand and supplied the signatures with the names of the devices tested. 
Of course, this is not precise: there could be more Cisco (or even other vendor) hosts that 
have the listed signatures but are not mentioned. Please take this into account when scanning.  
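As an added example (not part of Cisco Torch, and in Python rather than the tool's Perl), the fingerprint string shown in the scan output above read back as Telnet bytes. The format appears to be the decimal value of every byte of the server's initial option negotiation, concatenated without separators; that is an inference from the sample value, which decodes cleanly into standard IAC negotiation, not something this README states. The greeting bytes and the one-entry database are constructed.

```python
# Telnet constants: IAC and negotiation commands from RFC 854; option numbers
# from RFC 857 (ECHO), 858 (SGA), 1091 (TERMINAL-TYPE) and 1073 (NAWS).
IAC = 255
COMMANDS = {251: "WILL", 252: "WONT", 253: "DO", 254: "DONT"}
OPTIONS = {1: "ECHO", 3: "SUPPRESS-GO-AHEAD", 24: "TERMINAL-TYPE", 31: "NAWS"}

# Constructed: the bytes a telnetd sends right after connect which, written as
# concatenated decimals, give the fingerprint value shown in the README output.
SAMPLE_GREETING = bytes([255, 251, 1, 255, 251, 3, 255, 253, 24, 255, 253, 31, 13, 10])

# Constructed one-entry stand-in for fingerprint.db (fingerprint -> description).
FINGERPRINT_DB = {
    "2552511255251325525324255253311310":
        "Cisco IOS host (tested on 2611, 2950 and Aironet 1200 AP)",
}

def fingerprint(greeting):
    """Hackbot/Cisco Torch style fingerprint: the decimal value of every byte,
    concatenated with no separator (inferred from the README's sample value)."""
    return "".join(str(b) for b in greeting)

def explain_negotiation(greeting):
    """Render IAC triples and trailing bytes in words, so an administrator can
    see exactly what a device announces before any login prompt appears."""
    out, i = [], 0
    while i < len(greeting):
        b = greeting[i]
        if b == IAC and i + 2 < len(greeting) and greeting[i + 1] in COMMANDS:
            cmd, opt = greeting[i + 1], greeting[i + 2]
            out.append(f"IAC {COMMANDS[cmd]} {OPTIONS.get(opt, f'option {opt}')}")
            i += 3
        else:
            out.append({13: "CR", 10: "LF"}.get(b, chr(b) if 32 <= b < 127 else f"0x{b:02x}"))
            i += 1
    return out

def identify(greeting):
    """Look the greeting up in the database. As the README warns, a match is a
    hint, not proof: other Cisco models or other vendors may share a signature."""
    return FINGERPRINT_DB.get(fingerprint(greeting), "unknown fingerprint")
```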


LICENCE.

Cisco Torch is released under the GNU Lesser General Public License. You should receive a copy of this license 
together with the tool.

