How to perform an nmap from a router

I would like to know how you would perform an nmap from a router?

As you may already know, the Cisco shell called IOS is very restrictive.

Indeed, I don't find a way to perform such network discovery from the router itself.


Have you ever succeeded?

I assume by an 'nmap' you mean a port scan. SANS has a nice document on a port scanner called IOSMap. It's capable of performing some basic port scans from Cisco IOS. IOScat is a port of netcat for IOS. If you need service discovery, you can use that to perform banner grabbing.

The nmap program won't run from the router unless there is a specific port of it to the router's architecture, and if it's high-end Cisco hardware running their IOS and not some consumer Linux-based router, that's not going to happen. Also, do you have direct access to the Cisco device at admin/system level? If not, the built-in commands to elevate and see the network are probably going to be locked down and won't give you anything to work with. The tools teabot mentioned can be found at https://sourceforge.net/projects/iostools/

SANS also has some documentation - http://www.sans.org/reading_room/whitepapers/tools/iosmap_tcp_and_udp_port_scanning_on_cisco_ios_platforms_32964 - from the tool's author. It seems that if you have a lower-end Cisco router running IOS, you also need to make sure it has enough memory, or some of the scanning could consume the entire device's resources, possibly DoSing yourself/the router.

I haven't touched an IOS-based router since around 2008, so newer devices probably have more capabilities than what I remember, but I also recall a Cisco appliance, MARS or something, that had some security capabilities baked in; I'm not sure if it had port scanning features, though.

An alternative is also to see if you can port forward or tunnel a specific machine into the network to allow port scanning inside the network. This assumes you have permission and access to do all these things, of course, which should make this easier if you have access to the device.

5 months later...

Thoughts on a workaround for this: if you have a machine you control on both the inside and the outside of the network, and you had a reverse shell to the inner machine, you could potentially use proxychains and a tunnel over the reverse shell to scan the inside of the network from outside, which would let you use nmap or any other tools on your outside machine to scan the inner network. However, that is a bit of a different scenario than using the router itself, other than what is built into the router. Essentially, if you bridged yourself to the inner network from outside, you could use pretty much any discovery, scanning and attack tools.