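# Might it add some value to look for the "Password:" prompt after the
# 3-way handshake to port 23?  Incidentally, I wrote such a check and sent
# to you several months ago.  I'll paste the script in below...

#
# This script was written by John Lampe (j_lampeat_private)
#
#
# See the Nessus Scripts License for details
#

if(description)
{
  # NOTE(review): script_id() has no id and script_cve_id() is given an empty
  # string; both look like placeholders to fill in before the plugin is
  # registered.
  script_id();
  script_cve_id("");
  script_name(english:"Check for Cisco default passwords");
  desc["english"] = " Checks to see if the Cisco router still has a default login password Solution : Change your password";
  script_description(english:desc["english"]);
  script_summary(english:"Check for existence of default Cisco Passwords");
  # NOTE(review): the plugin performs real login attempts against the target,
  # which ACT_GATHER_INFO may understate; consider whether ACT_ATTACK matches
  # the scan policy better.
  script_category(ACT_GATHER_INFO);
  script_family(english:"Remote file access");
  script_copyright(english:"By John Lampe....j_lampeat_private");
  exit(0);
}

#
# guess_pass: open a fresh connection to the global `port`, wait for a
# "Password:" prompt and submit one candidate password.
#
#   pass    - candidate password, already terminated with a newline
#   returns - `pass` when the reply to the candidate is non-empty and is not
#             another "Password:" prompt, 0 otherwise
#
# If the service does not greet with a "Password:" prompt at all, the whole
# script exits: the host is not presenting the password-only login this
# check is written for.
#
function guess_pass (pass)
{
  soc = open_sock_tcp(port);
  if(!soc)return(0);

  incoming = recv(socket:soc, length:1024);
  if (!egrep(pattern:"^Password:", string:incoming))
  {
    close(soc);
    exit(0);
  }

  send(socket:soc, data:pass);
  inbuff = recv(socket:soc, length:1024);

  # Close on every path; the original returned on the accepted-password path
  # with the socket still open.
  close(soc);

  # An empty reply (timeout, or the peer dropped the connection) says nothing
  # about the password. The original treated it as a successful login and
  # reported a false positive.
  if(!inbuff)return(0);

  # A repeated prompt means the candidate was rejected.
  # NOTE(review): a single recv() may return only part of the reply, so a
  # prompt that arrives in a later segment would be missed -- confirm against
  # a real device.
  if (egrep(pattern:"^Password:", string:inbuff))return(0);

  return(pass);
}

port=23;

# Candidate list; the loop bound below must match the number of entries.
passwd[0] = "c";
passwd[1] = "cisco";
passwd[2] = "cc";
passwd[3] = "";
passwd[4] = "password";
passwd[5] = "secret";
passwd[6] = "secrets";
passwd[7] = "Cisco router";
passwd[8] = "system";

if(get_port_state(port))
{
  for (i=0; i<9; i = i+1)
  {
    mypasswd = string(passwd[i] , "\n");
    check = guess_pass(pass:mypasswd);
    if (check != 0)
    {
      # The first accepted candidate is reported, then the script stops.
      mymsg = string ("logged into router with passwd " , check, "\n");
      security_hole (port:port, data:mymsg);
      exit(0);
    }
  }
}

exit(0);

# --
# John Lampe
# https://f00dikator.hn.org/
# http://f00dikator.hobbiton.org/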