Author: jfs
Date: 2007-11-04 00:32:20 +0100 (Sun, 04 Nov 2007)
New Revision: 515

Added:
   trunk/openvas-plugins/scripts/cisco_default_pw.nasl
Log:
Add a script I contributed a long time ago, but did not find in the GPL feed

Added: trunk/openvas-plugins/scripts/cisco_default_pw.nasl
===================================================================
--- trunk/openvas-plugins/scripts/cisco_default_pw.nasl 2007-11-03 23:02:06 UTC 
(rev 514)
+++ trunk/openvas-plugins/scripts/cisco_default_pw.nasl 2007-11-03 23:32:20 UTC 
(rev 515)
@@ -0,0 +1,215 @@
+#
+# This script was written by Javier Fernandez-Sanguino
+# based on a script written by Renaud Deraison <[EMAIL PROTECTED]>
+# with contributions by Gareth M Phillips <[EMAIL PROTECTED]> (additional 
logins and passwords)
+#
+# GPLv2
+# 
+# TODO:
+# - dump the device configuration to the knowdledge base (requires
+#   'enable' access being possible)
+# - store the CISCO IOS release in the KB so that other plugins (in the 
Registered
+#   feed) could use the functions in cisco_func.inc to determine if the system 
is
+#   vulnerable as is currently done through SNMP (all the CSCXXXX.nasl stuff)
+# - store the user/password combination in the KB and have another plugin test
+#   for common combinations that lead to 'enable' mode.
+#
+
+ desc["english"] = "
+Synopsis :
+
+The remote device has a factory password set.
+
+Description :
+
+The remote CISCO router has a default password set.  
+This allows an attacker to get a lot information
+about the network, and possibly to shut it down if
+the 'enable' password is not set either or is also a default
+password.
+
+Solution : 
+
+Access this device and set a password using 'enable secret'
+
+Risk factor :
+
+Critical / CVSS Base Score : 10 
+(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)";
+
+if(description) 
+{
+ script_id(23938);
+ script_cve_id("CAN-1999-0508");
+ script_version ("$Revision: 1.9 $");
+
+
+ name["english"] = "Cisco default password";
+
+ script_name(english:name["english"]);
+
+
+
+ script_description(english:desc["english"]);
+
+ summary["english"] = "Checks for a default password";
+ script_summary(english:summary["english"]);
+
+ script_category(ACT_GATHER_INFO);
+
+
+ script_copyright(english:"This script is Copyright (C) 2001 - 2006 Javier 
Fernandez-Sanguino and Renaud Deraison");
+
+ family["english"] = "CISCO";
+ family["francais"] = "CISCO";
+
+ script_family(english:family["english"], francais:family["francais"]);
+ script_dependencie("find_service2.nasl");
+ script_require_ports("Services/telnet", 23);
+ exit(0);
+}
+
+include('telnet_func.inc');
+include('ssh_func.inc');
+include('global_settings.inc');
+
+if ( supplied_logins_only ) exit(0);
+
+# Function to connect to a Cisco system through telnet, send
+# a password
+
+function check_cisco_telnet(login, password, port)
+{
+ soc = open_sock_tcp(port);
+ if ( ! soc )
+       {
+         telnet_port = 0;
+         return;
+       }
+ msg = telnet_negotiate(socket:soc, pattern:"(ogin:|asscode:|assword:)");
+
+ if(strlen(msg))
+ {
+  # The Cisco device might be using an AAA access model
+  # or have configured users:
+  if ( stridx(msg, "sername:") != -1 || stridx(msg, "ogin:") != -1  )  {
+    send(socket:soc, data:string(login, "\r\n"));
+    msg=recv_until(socket:soc, pattern:"(assword:|asscode:)");
+  }
+
+  # Device can answer back with {P,p}assword or {P,p}asscode
+  # if we don't get it then fail and close
+  if ( stridx(msg, "assword:") == -1 && stridx(msg, "asscode:") == -1  )  {
+    close(soc);
+    return(0);
+  }
+
+  send(socket:soc, data:string(password, "\r\n"));
+  r = recv(socket:soc, length:4096);
+
+  # TODO: could check for Cisco's prompt here, it is typically
+  # the device name followed by '>'  
+  # But the actual regexp is quite complex, from Net-Telnet-Cisco:
+  #  
'/(?m:^[\r\b]?[\w.-]+\s?(?:\(config[^\)]*\))?\s?[\$\#>]\s?(?:\(enable\))?\s*$)/')
+  
+  # Send a 'show ver', most users (regardless of privilege level)
+  # should be able to do this
+  send(socket:soc, data:string("show ver\r\n"));
+  r = recv_until(socket:soc, pattern:"(Cisco (Internetwork Operating 
System|IOS) Software|assword:|asscode:|ogin:|% Bad password)");
+
+  # TODO: This is probably not generic enough. Some Cisco devices don't 
+  # use IOS but CatOS for example
+
+  # TODO: It might want to change the report so it tells which user / passwords
+  # have been found
+  if("Cisco Internetwork Operating System Software" >< r ||
+     "Cisco IOS Software" >< r) 
+       {
+         desc += '\n\nPlugin Output :\n\nIt was possible to log in as \'' + 
login + '\'/\'' + password + '\'\n';
+         security_hole(port:port, data:desc);
+         exit(0);
+       }
+
+# TODO: it could also try 'enable' here and see if it's capable
+# of accessing the priviledge mode with the same password, or do it
+# in a separate module
+
+  close(soc);
+
+ }
+}
+
+# Functions modified from the code available from default_accounts.inc
+# (which is biased to UNIX)
+function check_cisco_account(login, password)
+{
+ local_var port, ret, banner, soc, res;
+
+
+ if ( ssh_port )
+ {
+  # Prefer login thru SSH rather than telnet
+   soc = open_sock_tcp(ssh_port);
+   if ( soc )
+   {
+   ret = ssh_login(socket:soc, login:account, password:password);
+   close(soc);
+   if ( ret == 0 ) {
+       desc += '\n\nPlugin Output :\n\nIt was possible to log in as \'' + 
login + '\'/\'' + password + '\'\n';
+       security_hole(port:ssh_port, data:desc);
+       exit(0);
+       }
+   else return 0;
+   }
+   else
+     ssh_port = 0;
+ }
+
+
+ if(telnet_port && get_port_state(telnet_port))
+ {
+  if ( isnull(password) ) password = "";
+  if ( ! telnet_checked ) 
+  {
+  banner = get_telnet_banner(port:telnet_port);
+  if ( banner == NULL ) { telnet_port = 0 ; return 0; }
+  # Check for banner, covers the case of Cisco telnet as well as the case
+  # of a console server to a Cisco port
+  # Note: banners of cisco systems are not necesarily set, so this
+  # might lead to false negatives !
+  if ( stridx(banner,"User Access Verification") == -1 && 
stridx(banner,"assword:") == -1)  
+    {
+     telnet_port = 0;
+     return(0);
+    }
+   telnet_checked ++;
+  }
+  
+  check_cisco_telnet(login:login, password:password, port:telnet_port);
+ }
+ return(0);
+}
+
+
+# SSH disabled for now
+#ssh_port = get_kb_item("Services/ssh");
+#if ( ! ssh_port ) ssh_port = 22;
+
+
+telnet_port = get_kb_item("Services/telnet");
+if ( ! telnet_port ) telnet_port = 23;
+
+telnet_checked = 0;
+
+check_cisco_account(login:"cisco", password:"cisco");
+check_cisco_account(login:"", password:"");
+if ( safe_checks() == 0 )
+{
+ check_cisco_account(login:"cisco", password:"");
+ check_cisco_account(login:"admin", password:"cisco");
+ check_cisco_account(login:"admin", password:"diamond");
+ check_cisco_account(login:"admin", password:"admin");
+ check_cisco_account(login:"admin", password:"system");
+ check_cisco_account(login:"monitor", password:"monitor");
+}
+
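Review bot: In the SSH branch of check_cisco_account, `ret = ssh_login(socket:soc, login:account, password:password);` reads `account`, which is never defined anywhere in this script, while the function's own parameter is `login`; the branch is dead today because the `ssh_port` lines are commented out, but the moment they are re-enabled the check would authenticate with an unset user instead of the intended one, so it should read `ret = ssh_login(socket:soc, login:login, password:password);`. Separately, check_cisco_telnet only reaches `close(soc)` inside the `if(strlen(msg))` body, so an empty reply from telnet_negotiate returns without closing the socket; add `close(soc);` after that block so every path releases it. Both report sites do `desc += '\n\nPlugin Output ...'` although `desc` is used as the array `desc["english"]` above; I am not certain how the interpreter treats `+=` on an array, but `security_hole(port:port, data:desc["english"] + '...')` would be unambiguous. The `res` entry in `local_var port, ret, banner, soc, res;` is never used and can be dropped.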
