The Shadowserver Foundation

Accessible Cisco Smart Install Scanning Project

If you are looking at this page, then more than likely, you noticed a scan coming from this server across your network and/or poking at the Cisco Smart Install service.

The Shadowserver Foundation is currently undertaking a project to search for publicly accessible devices that have the Cisco Smart Install service running. The goal of this project is to identify openly accessible systems that have the Smart Install service running and report them back to the network owners for remediation.

This service does not require authentication or authorization and could allow an entity to obtain a copy of the device's config file, upload an altered config file, or even upload/install an iOS software image that is different than the device is currently running.

Devices that we have found to have Smart Install accessible have been incorporated into our reports and are being reported on a daily basis.

Methodology

We are querying all computers with routable IPv4 addresses that are not firewalled from the internet on port 4786/tcp with a smartinstall-specific probe and capturing the response. We intend no harm, but if we are causing problems, please contact us at gro [tod] revfooreswodahs [ta] nacbarssnd

If you would like to test your own device to see if it has Smart Install accessible, try using the smi_check utility that was released by Cisco TALOS. The utility can be obtained from https://github.com/Cisco-Talos/smi_check.

When the utility is run, if Smart Install is running, you will get back the result "[INFO] Smart Install Client feature active on [IP]:[PORT]".

Whitelisting

To be removed from this set of scanning you will need to send an email to dnsscan [at] shadowserver [dot] org with the specific CIDR's that you would like to have removed. You will have to be the verifiable owner of these CIDR's and be able to prove that fact. Any address space that is whitelisted will be publicly available here: https://smartinstallscan.shadowserver.org/exclude.html

Useful Links

Scan Status

Statistics on current run

Other Statistics

Stats from the most current scan are listed below.


All devices with Smart Install Accessible

All smartinstall

(Click image to enlarge)

If you would like to see more regions click here

All devices with Smart Install Accessible

All smartinstall

(Click image to enlarge)



If you would like us to not scan your network, please let us know and we will remove your networks from the scan.

Likewise, if you have anymore questions please feel free to send us an email at: gro [tod] revfooreswodahs [ta] nacbarssnd

The Shadowserver Foundation