Hi, As I stated before (privately to Renaud) it would be better to make the username/password combination always from the same source, in the Nessus case accounts.txt. It would seem logical to create some NASL function to return a username/password combination directly from the accounts.txt and to make the accounts.txt as versatile as possible (containing as much combinations as possible, but not a dictionary :}). Additional plugins that are currently in Nessus should be modified, the SQL blank password can be modified to check additional usernames, the POP server tests. And any other plugin that requires a username/password. Thanks Noam Rathaus http://www.SecuriTeam.com http://www.BeyondSecurity.com Know that you're safe (against Code Red and other vulnerabilities): http://www.AutomatedScanning.com/ ----- Original Message ----- From: "Renaud Deraison" <deraisonat_private> To: <plugins-writersat_private> Sent: Monday, September 03, 2001 01:17 Subject: cisco password (analysis) > (This is how I'd like "in-depth" discussion of plugins to be redacted. > This plugin is not really interesting by itself. I could not come up > with a better idea though). > > (I'll occasionaly post some explanations of this kind for some plugins I > liked to write. This one was not fun, but it's simple to explain) > > > Level : EASY > Tested : YES, but against only one version of IOS. > > Description : > > This plugin determines if the remote cisco router has a password set > (or if the password is "cisco"). To do that, it : > - connects to the remote telnet port > - sends the password > - issues the command "show ver" > - and expects to see the string "Cisco Internetworking Operating > System Software" in the reply. > > This plugin does not contain the description part. So if you want to > test it, do : > > nasl -t ip.of.your.cisco.device cisco_no_pw.nasl > > And expect the string 'Success'. > > Let's have a look at it. Once again, this is no rocket science at all. > > > > > - The actual testing of a password is done through a function we call > 'test_cisco()' which is defined as : > > function test_cisco(password, port) > { > # we open a connection to the remote port > soc = open_sock_tcp(port); > if(soc) > { > # if that succeeded, we use telnet_init() to negociate the > # telnet session. We don't care about the banner, so we > # ignore the result > r = telnet_init(soc); > r = recv(socket:soc, length:4096); > > # we send our password, followed by \r\n (carriage return) > send(socket:soc, data:string(password, "\r\n")); > > # we receive the motd that we ignore too (might be user defined) > r = recv(socket:soc, length:4096); > > # then we issue the command 'show ver' > send(socket:soc, data:string("show ver\r\n")); > > # we receive the result > r = recv(socket:soc, length:4096); > > # if the result contains "Cisco Internetwork Operating System" then > # we consider ourselves as logged in, and we issue an alert > > if("Cisco Internetwork Operating System Software" >< r)security_hole(port); > close(soc); > } > } > > > Then the plugin itself determines the telnet port and calls > test_cisco() : > > > # we read in the knowledge base what is the value of the > # telnet port. If there's none, we assume it's port 23 > port = get_kb_item("Services/telnet"); > if(!port)port = 23; > > # Then if the port is closed, we go away > if(!get_port_state(port))exit(0); > > # We test for an empty password > test_cisco(password:"", port:port); > > # We test for the password "cisco" : > test_cisco(password:"cisco", port:port); > > > # Finished. > > > > Next time, I'll choose a better plugin. > > -- Renaud >
This archive was generated by hypermail 2b30 : Mon Sep 03 2001 - 03:45:17 PDT