cisco password (analysis)

From: Renaud Deraison (deraisonat_private)
Date: Sun Sep 02 2001 - 18:17:04 PDT


    (This is how I'd like "in-depth" discussion of plugins to be redacted.
     This plugin is not really interesting by itself. I could not come up 
     with a better idea though).
    
    (I'll occasionally post some explanations of this kind for some plugins I
    liked to write. This one was not fun, but it's simple to explain)
    
    
    Level : EASY
    Tested : YES, but against only one version of IOS.
    
    Description :
    
    This plugin determines if the remote cisco router has a password set
    (or if the password is "cisco"). To do that, it :
    	- connects to the remote telnet port
    	- sends the password
    	- issues the command "show ver"
    	- and expects to see the string "Cisco Internetwork Operating
    	  System Software" in the reply.
    
    This plugin does not contain the description part. So if you want to
    test it, do :
    
    	nasl -t ip.of.your.cisco.device cisco_no_pw.nasl
    
    And expect the string 'Success'.
    
    Let's have a look at it. Once again, this is no rocket science at all.
    
    - The actual testing of a password is done through a function we call
      'test_cisco()' which is defined as :
    
    function test_cisco(password, port)
    {
     # we open a connection to the remote port
     soc = open_sock_tcp(port);
     if(soc)
     {
      # if that succeeded, we use telnet_init() to negotiate the
      # telnet options. We don't care about the banner, so we
      # ignore the result of both calls
      r = telnet_init(soc);
      r = recv(socket:soc, length:4096);
    
      # we send our password, followed by \r\n (carriage return + line feed)
      send(socket:soc, data:string(password, "\r\n"));
     
      # we receive the motd that we ignore too (might be user defined)
      r = recv(socket:soc, length:4096);
    
      # then we issue the command 'show ver'
      send(socket:soc, data:string("show ver\r\n"));
      
      # we receive the result
      r = recv(socket:soc, length:4096);
    
      # if the result contains "Cisco Internetwork Operating System Software"
      # then we consider ourselves as logged in, and we issue an alert
      if("Cisco Internetwork Operating System Software" >< r)security_hole(port);
      close(soc);
     }
    }
    
    
    Then the plugin itself determines the telnet port and calls
    test_cisco() :
    
    
    # we read in the knowledge base what is the value of the
    # telnet port. If there's none, we assume it's port 23
    port = get_kb_item("Services/telnet");
    if(!port)port = 23;
    
    # Then if the port is closed, we go away
    if(!get_port_state(port))exit(0);
    
    # We test for an empty password
    test_cisco(password:"", port:port);
    
    # We test for the password "cisco" :
    test_cisco(password:"cisco", port:port);
    
    
    # Finished.
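    The same check as an added Python example (not part of the original post or
    of Nessus): it shows the telnet option handling that telnet_init() hides, the
    prompt / password / "show ver" exchange, and a constructed in-process stand-in
    for the router so the whole thing runs offline. The emulator (fake_ios), its
    prompts and the socketpair harness are assumptions, not real IOS behaviour.

```python
import socket, threading

IAC, DONT, DO, WONT, WILL = 255, 254, 253, 252, 251
BANNER = b"Cisco Internetwork Operating System Software"

def telnet_negotiate(data):
    # Refuse every option the peer proposes (telnet_init()'s job in the NASL
    # plugin); returns (reply bytes to send back, data with IAC triples removed).
    replies, text, i = bytearray(), bytearray(), 0
    while i < len(data):
        if data[i] == IAC and i + 2 < len(data) and data[i + 1] in (DO, WILL):
            replies += bytes([IAC, WONT if data[i + 1] == DO else DONT, data[i + 2]])
            i += 3
        else:
            text.append(data[i]); i += 1
    return bytes(replies), bytes(text)

def check_cisco(sock, password):
    # The plugin's sequence: prompt, password, "show ver", look for the banner.
    replies, _prompt = telnet_negotiate(sock.recv(4096))   # prompt is ignored
    sock.sendall(replies + password.encode() + b"\r\n")
    sock.recv(4096)                                         # motd, ignored
    try:
        sock.sendall(b"show ver\r\n")
        return BANNER in sock.recv(4096)
    except OSError:        # device dropped the session after the bad password
        return False

def _line(sock):
    # Emulator helper: one line from the client, its option refusals stripped.
    line = sock.recv(4096).split(b"\r\n", 1)[0]
    while line[:1] == bytes([IAC]):
        line = line[3:]
    return line

def fake_ios(sock, real_password):
    # Constructed stand-in for a router's telnet login; not real IOS behaviour.
    # A wrong password simply closes the session.
    sock.sendall(bytes([IAC, DO, 1]) + b"\r\nUser Access Verification\r\n\r\nPassword: ")
    if _line(sock) == real_password.encode():
        sock.sendall(b"\r\nrouter>")                  # prompt; a real motd varies
        if _line(sock).startswith(b"show ver"):
            sock.sendall(BANNER + b"\r\n(constructed show ver output)\r\n")
    sock.close()

def run_check(password, real_password="cisco"):
    # Drive check_cisco() against the emulator over a socketpair; True = logged in.
    client, server = socket.socketpair()
    worker = threading.Thread(target=fake_ios, args=(server, real_password))
    worker.start()
    try:
        return check_cisco(client, password)
    finally:
        client.close(); worker.join()
```

    run_check("") and run_check("cisco") correspond to the plugin's two calls;
    only the second succeeds against the emulator's default password.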
    
    Next time, I'll choose a better plugin.
    
    				-- Renaud
    This archive was generated by hypermail 2b30 : Sun Sep 02 2001 - 18:42:21 PDT