I have created a new script that you might find useful. Cisc0wn is simply a bash script that pulls various tools and enumeration into one simple command for ease, so is not really a tool in itself. It doesn’t do anything extra than you can’t really already do, it just saves running several different tools and commands and entering the same info over and over. It uses Metasploit modules and snmpwalk for most of the tasks.

Again as per my fr0gger VLAN hopping script, I am very new to bash scripting and there are bound to be strange ways I am doing things. But it works and does what it says on the tin.


  • Checks SNMP is enabled
  • Brute forces the SNMP Read Only and Read Write community strings (can edit which wordlist it uses in script header)
  • It then enumerates things like IOS, hostname, Arp table, Routing table, interface list and IP addresses using the RO or RW.
  • If RW community was found it will then download the router config automatically.
  • It then searches and displays any enable or telnet passwords in clear text.
  • If it finds Cisco type 7 encoded enable or telnet passwords it will auto decode them.
  • It will display the Enable secret type 5 password and attempt to crack the MD5. It uses John first with its built in wordlist for speed. If this fails it will try and full crack.

That’s about it, nice a simple script. Lots of error checking and conditions in place i.e if it finds just RO it does as much as it can. If it finds just a RW it switches and enumerates with this, then gets config.

I have tested this within my test platforms and works well. It is the first release so bound to be some bugs here and there, I will aim to add new features or iron out any bad code when I get time.

Recommend you use this with Backtrack 5 then will work without any additional software. It does dependency check so just try it. Supports SNMP v1/2 not 3.

Video demo:


Download from the NCC Open Source GitHub Repository below:



Screen shots are below.