ccat – Cisco Config Analysis Tool

Cisco IOS Devices are used on the network to connect different network and systems. The configuration of the routers is constantly changing like adding new route or network , creating new ACL to allow certain ports or traffic , updating the firmware to patch critical vulnerabilities or just adding new users to the system. Any of these changes may involve a risk of misconfiguration or a bug that allow malicious user to compromise the system. If you are looking to run a security assessment against Cisco config you can use ccat.

ccat is a tool designed to analyze the configuration files of Cisco devices. The list of checks is based on the Cisco Guide to Harden Cisco IOS Devices.

ccat - Cisco Config Analysis Tool

ccat – Cisco Config Analysis Tool

List of the checks include the following:

  1. Firmware version (Older versions of IOS may contain vulnerabilities so it will be important to keep the firmware updated).
  2. Unused or dangerous services (Tool check if service is disabled and if is not is there will be a warning, services include PAD, Config service , TCP and UDP small servers ,Finger service ,Smart install (vstack) , Identd, Source-route, BOOTP server, HTTP server Maintenance Operation Protocol (MOP) (L3 switches))
  3. Cisco devices have 16 privilege levels from 0 to 15. The «1» level is user’s privilege and the «15» level is highest administrator’s rights. If there is several users with 15 privilege there will be a warning.
  4. This tool checks if AAA is enabled and makes some configuration checks related to authentication method.
  5. The tool checks what type of encryption used for password storage on device.
  6. check the SSH configuration and security settings.
  7. DHCP snooping is a security feature that acts like a firewall between untrusted hosts and trusted DHCP servers. It prevents usage of DHCP servers on untrusted interfaces, helps prevent MITM attacks and DHCP starvation.
  8. Defense from ARP spoofing check.
  9. Check the VLAN configuration and settings to prevent several type of attacks like vlan hooping
  10. Spanning Tree Protocol (STP) check
  11. check the port settings to protect against certain type of attacks, when an attacker can mount a DoS attack against infrastructure devices by using MAC flooding to cause MAC address table exhaustion, as well as other Layer 2 Content Addressable Memory (CAM) overflow attacks.
  12. check unused interfaces

There are many other checks that will allow network administrator to evaluate the config and settings of the Cisco IOS. You can read more and download this tool over here:

Notify of
Inline Feedbacks
View all comments