Port 2000 / 4786 – Cisco SCCP / Smart Install

Service: SCCP, Smart Install

Protocol: TCP

Port: 2000 (SCCP), 4786 (Smart Install)

Used for: IP phone control and Cisco device configuration

Why It’s Open

Cisco phones and switches use these ports for voice control and automation.

Common Risks

  • Config Extraction: Unauthenticated download of config.
  • Device Reboot or Wipe
  • Lateral Movement in Network


Enumeration & Testing

Port and Version Check:

nmap -p 2000,4786 -sV <target>

Smart Install Toolkit (Cisco or open source):

  • Tool: SmartInstallExploit.py. Open-source tool to abuse Smart Install for config download/upload or device reload:
    python SmartInstallExploit.py -target -action download
  • Metasploit Modules:
    auxiliary/scanner/misc/cisco_smart_install
    auxiliary/admin/cisco/cisco_smart_install

SCCP Enumeration

  • SCCP (port 2000) is used for Cisco IP phones:
    • Use Wireshark filters: tcp.port == 2000
    • Look for registration messages or raw SCCP payloads (can reveal device info)
    • Cisco IP phones may expose device type, MAC, firmware version

Packet Crafting / Replay

  • Use tools like scapy or sippts to craft raw TCP payloads to simulate phone registrations or Smart Install messages.

Known Exploits

  1. CVE-2018-0171: A vulnerability in the Smart Install feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device. Exploited in the wild (used in Russian state-sponsored attacks per US-CERT).

  2. CVE-2018-0156: A vulnerability in the Smart Install feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to obtain configuration files from affected devices.

  3. CVE-2018-0172: Privilege escalation via Smart Install misuse

SCCP (Port 2000)

  • No specific public CVEs, but:
    • Devices on this port often expose unauthenticated metadata during IP phone provisioning.
    • SCCP can be abused in man-in-the-middle attacks or to spoof registration.

What to Look For

Checkpoint                 What it means
Smart Install open         Device could be hijacked
SCCP externally exposed    Unnecessary attack surface

Mitigation

  • Disable Smart Install.
  • Restrict SCCP to internal VLANs.
  • Monitor device activity logs.
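
One way to check the "restrict" and "monitor" items above against exported flow records. This is an added example, not part of the original page. The record format, the voice VLAN range and the Smart Install director address are assumptions to replace with your own values.

```python
import ipaddress

# Assumptions for this example (not from the original page): adjust to your network.
VOICE_NETS = [ipaddress.ip_network("10.20.0.0/16")]   # voice VLAN ranges (hypothetical)
SMI_DIRECTORS = {ipaddress.ip_address("10.0.0.5")}    # approved Smart Install director (hypothetical)

# Constructed sample flow records: "src_ip dst_ip dst_port proto"
SAMPLE_FLOWS = """\
10.20.4.17 10.20.0.10 2000 tcp
203.0.113.9 10.20.0.10 2000 tcp
10.0.0.5 10.1.1.2 4786 tcp
10.1.7.33 10.1.1.2 4786 tcp
10.1.7.33 10.1.1.2 443 tcp
garbage line
"""

def classify(src, dport):
    """Return a finding string for a flow, or None if it is expected traffic."""
    if dport == 4786 and src not in SMI_DIRECTORS:
        return "smart-install-from-unapproved-source"
    if dport == 2000 and not any(src in net for net in VOICE_NETS):
        return "sccp-from-outside-voice-vlan"
    return None

def audit_flows(text):
    """Parse flow lines and return (findings, skipped_line_count)."""
    findings, skipped = [], 0
    for line in text.splitlines():
        try:
            src_s, dst_s, port_s, proto = line.split()
            src, dst = ipaddress.ip_address(src_s), ipaddress.ip_address(dst_s)
            dport = int(port_s)
        except ValueError:
            skipped += 1  # malformed record: count it instead of dropping it silently
            continue
        if proto.lower() != "tcp":
            continue
        reason = classify(src, dport)
        if reason:
            findings.append((str(src), str(dst), dport, reason))
    return findings, skipped

if __name__ == "__main__":
    hits, bad = audit_flows(SAMPLE_FLOWS)
    for hit in hits:
        print(*hit)
    print(f"{bad} unparseable line(s)")
```

Once Smart Install is disabled everywhere, empty SMI_DIRECTORS so that any connection to TCP 4786 is reported.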

TL;DR

  • Service: SCCP (Cisco VoIP) / Smart Install (Switch Config Management)
  • Default Ports: 2000/TCP, 4786/TCP
  • Risks: Unauthorized config access, switch takeover, remote code execution
  • Mitigation: Disable Smart Install if not used, restrict to trusted networks, monitor for abnormal traffic