Cisco Incident Response (CIR) 1.1 Open Source Release

Recurity Labs created a system for the inspection of Cisco legacy IOS memory dumps back in 2008. The tool, called Cisco Incident Response, was meant to identify successful and unsuccessful exploits of binary nature against Cisco routers running IOS 11.x and 12.x. IOS 15.x is now available, but doesn't differ much from the previous releases in terms of internal design.

We ran an online service for uploading and analyzing IOS images together with core dumps generated from them. This service has been used by various people, but not a single core dump contained indications of an actual binary exploit against the platform. It seems that it's simply too easy to pwn a company by traditional means of browser, Flash, Java, EXE file in email, social engineering or cloud service.

To support nostalgic hobbyists concerning themselves with the same questions half a decade later, we decided to publish the source code of CIR today, in order to allow anyone to use it and inspect its inner workings. We believe that Kerckhoff's Principle also holds true for defense and detection systems. Therefore it is educating to look at code bases that have been tested in production for quite some time.

The code is interesting besides the embedded knowledge about Cisco IOS data structures. Here are a couple of points for the inclined reader:

The code is released under GPLv3, and can be found at We also provide a binary distribution for those who simply want to use it.