Cisco Torch
Cisco Torch is a mass scanner for discovering remote Cisco hosts running services like Telnet, SSH, Web, NTP, TFTP, and SNMP. It launches dictionary attacks against discovered services and can automatically retrieve device configuration files if an SNMP RW community is found.
Description
Cisco Torch is designed for efficient scanning of Cisco devices across networks. It excels at identifying hosts running specific services and performing targeted attacks such as SNMP community bruteforcing and TFTP configuration file bruteforcing followed by leeching. The tool is particularly useful for penetration testers needing to quickly map and assess Cisco infrastructure.
Key use cases include discovering vulnerable Cisco devices in large IP ranges, fingerprinting services for further exploitation, and extracting configurations via SNMP or TFTP. It supports multiple scanning methods simultaneously for speed and thoroughness.
The tool differentiates itself through extensive forking to run multiple background scanning processes, maximizing efficiency. It also employs various application layer fingerprinting techniques as needed.
How It Works
Cisco Torch uses forking to launch multiple scanning processes in the background for maximum efficiency. It performs application layer fingerprinting across protocols like Telnet, SSH, SNMP, Web (HTTP/HTTPS), NTP, and TFTP simultaneously when specified. Dictionary attacks are launched against discovered services using password lists (e.g., community.txt), including SNMP community guessing and TFTP config file bruteforcing. If SNMP RW access is gained, it automatically downloads device configuration files. Fingerprints are loaded from fingerprint.db, and results include service details like IOS versions.
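From the defender's side, the SNMP step described above depends on a device exposing a guessable community, a read-write community, or a community with no access list. The following added example (not part of Cisco Torch or the original page) audits an IOS configuration for those three conditions; the sample config, the GUESSABLE set and the function name are constructed for illustration.

```python
import re

# Constructed IOS running-config excerpt for the demo (not from the page).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
snmp-server community public RO
snmp-server community n3tm0n-ro RO 10
snmp-server community private RW
snmp-server community Wr1te-0ps view OPS RW SNMP-MGMT
snmp-server location lab
"""

# Illustrative stand-in for a guessing wordlist; extend with your own entries.
GUESSABLE = {"public", "private", "cisco", "admin", "secret"}
LINE_RE = re.compile(r"^\s*snmp-server\s+community\s+(\S+)(.*)$", re.I)


def audit_snmp_communities(config_text):
    """Return a finding for every 'snmp-server community' line with an issue."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        m = LINE_RE.match(line)
        if not m:
            continue
        name, tokens = m.group(1), m.group(2).split()
        access, acl, i = "RO", None, 0          # IOS defaults to read-only
        while i < len(tokens):
            tok = tokens[i].lower()
            if tok == "view":                   # 'view <name>': skip the argument
                i += 1
            elif tok == "ipv6":                 # 'ipv6 <acl-name>' is an ACL
                acl = tokens[i + 1] if i + 1 < len(tokens) else None
                i += 1
            elif tok in ("ro", "rw"):
                access = tok.upper()
            else:                               # trailing number or name = ACL
                acl = tokens[i]
            i += 1
        issues = []
        if access == "RW":
            issues.append("read-write")
        if acl is None:
            issues.append("no-acl")
        if name.lower() in GUESSABLE:
            issues.append("guessable-name")
        if issues:
            findings.append({"line": lineno, "community": name,
                             "access": access, "acl": acl, "issues": issues})
    return findings
```

A community reported with both "read-write" and "no-acl" is the case that allows configuration retrieval from any source address, so those findings should be remediated first.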
Installation
sudo apt install cisco-torch
Flags
Examples
cisco-torch -A 192.168.99.202
cisco-torch -A 10.10.0.0/16
cisco-torch -s -b -F sshtocheck.txt
cisco-torch -w -z 10.10.0.0/16
cisco-torch -j -b -g -F tftptocheck.txt
cisco-torch -h
cisco-torch -V