This is a webshell fingerprinting scanner designed to identify implants on Cisco IOS XE WebUI's affected by CVE-2023-20198 and CVE-2023-20273. This Python script checks for compromised Cisco IOS XE devices by making HTTP and HTTPS requests. It supports multiple ways to specify target IPs and provides threading for faster scanning.

• Added new Authentication NGINX Configuration file from Talos Security's blog
• Added Explainer for configuration LUA script functionality.
• Added CURL from Talos Blog along with Authorization HEX value provided by Talos Security.

A few things you can do with this scipt:

• Scan a Single IP
• Scan a list of IP's (Provide a file with each IP on a new line and pass it via argument)
• Scan a CIDR range
• Specify a custom UserAgent
• Specify new IOC's within the response.text using a file (IOCS.txt is the default file. Ensure each IOC is on a new line.) *Known IOCS will be updated regularly should new ones become known. All current IOC's are already implemented directly into the code for clarity.
• Ability to specify a proxy for scans
• Concurrent Processing for speed and efficiency.
• Rate Limiting
• Logging of compromised hosts.
• Visual indication of potentially compromised hosts vs "clean" hosts. - This is not a guarantee and is based strictly off the known IOC's.

• Python 3.x
• Required Python packages: requests, termcolor, tqdm

Install the required Python packages using pip if you haven't already:

pip install requests termcolor tqdm

The script provides several command-line options for flexibility:

Specify a file containing a list of Cisco IOS XE Device IPs or hostnames. The IPs or hostnames should be listed one per line.

Example:

python iosxe-scanner.py --target_file targets.txt

Specify a CIDR range to scan. The script will generate all the IPs in the specified range and scan them.

Example:

python iosxe-scanner.py --cidr 192.168.1.0/24

Specify a single IP to scan.

Example:

python iosxe-scanner.py --ip 192.168.1.1

Set a custom User-Agent header for the HTTP requests. The default is CISCO-IOS-Shell-Scanner-cisco-sa-iosxe-webui-privesc-j22SaA4z.

Example:

python iosxe-scanner.py --user_agent "MyCustomUserAgent"

Set a rate limit in seconds between requests. The default is 1 second.

Example:

python iosxe-scanner.py --rate_limit 0.5

Specify an HTTP Proxy to use for requests.

Example:

python iosxe-scanner.py --proxy http://127.0.0.1:8080

Specify a file containing Indicators of Compromise (IoCs) to look for in the response text. The default is IOCS.txt.

Example:

python iosxe-scanner.py --iocs_file custom_iocs.txt

python iosxe-scanner.py --target_file targets.txt --rate_limit 0.5

python iosxe-scanner.py --cidr 192.168.1.0/24 --proxy http://127.0.0.1:8080

python iosxe-scanner.py --ip 192.168.1.1 --user_agent "MyCustomUserAgent"

python iosxe-scanner.py --iocs_file custom_iocs.txt

• This script disables SSL certificate verification for making HTTPS requests. Use this feature cautiously.
• This script is presented "As Is" with NO WARRANTY. USE AT YOUR OWN RISK!
• Use of this script may be illegal in your country or jurisdiction. While it only makes simple HTTP(S) requests and checks for specific responses it's up to you to determine whether or not its use is legal/ethical and appropriate. DONT BE A JERK.

If you find this script useful feel free to let me know or give me a follow on Twitter(𝕏) https://twitter.com/shadow0pz