Re: cisco password (analysis)

From: Noam Rathaus (noamrat_private)
Date: Tue Sep 04 2001 - 05:02:29 PDT

    Hi,
    
    Again as I said, it is much better to consolidate the password / username
    settings (which passwords to try) into a NASL program that will externally
    load them from the accounts.txt
    
    Thanks
    Noam Rathaus
    http://www.SecuriTeam.com
    http://www.BeyondSecurity.com
    
    Know that you're safe (against Code Red and other vulnerabilities):
    http://www.AutomatedScanning.com/
    
    
    ----- Original Message -----
    From: "John Lampe" <j_lampeat_private>
    To: "Renaud Deraison" <deraisonat_private>;
    <plugins-writersat_private>
    Sent: Monday, September 03, 2001 23:26
    Subject: Re: cisco password (analysis)
    
    
    > Might it add some value to look for the "Password:" prompt after the 3-way
    > handshake to port 23?  Incidentally, I wrote such a check and sent to you
    > several months ago.  I'll paste the script in below...
    >
    >
    > #
    > # This script was written by John Lampe (j_lampeat_private)
    > #
    > #
    > # See the Nessus Scripts License for details
    > #
    > if(description)
    > {
    >   script_id();
    >   script_cve_id("");
    >   script_name(english:"Check for Cisco default passwords");
    >   desc["english"] = "
    > Checks to see if the Cisco router still has a default login password
    > Solution : Change your password";
    >
    >   script_description(english:desc["english"]);
    >   script_summary(english:"Check for existence of default Cisco Passwords");
    >   script_category(ACT_GATHER_INFO);
    >   script_family(english:"Remote file access");
    >   script_copyright(english:"By John Lampe....j_lampeat_private");
    >   exit(0);
    > }
    >
    >
    >
    >
    > function guess_pass (pass) {
    >   soc=open_sock_tcp(port);
    >   if(!soc)return(0);
    >   incoming = recv (socket:soc, length:1024);
    >   if (egrep(pattern:"^Password:" , string: incoming)) {
    >       send(socket:soc, data:pass);
    >       inbuff=recv(socket:soc, length:1024);
    >       if (!(egrep(pattern:"^Password:", string: inbuff)) ) {
    >           return(pass);
    >       }
    >   } else {
    >       close (soc);
    >       exit(0);
    >   }
    >   close(soc);
    >   return (0);
    > }
    >
    >
    > port=23;
    >
    > passwd[0] = "c";
    > passwd[1] = "cisco";
    > passwd[2] = "cc";
    > passwd[3] = "";
    > passwd[4] = "password";
    > passwd[5] = "secret";
    > passwd[6] = "secrets";
    > passwd[7] = "Cisco router";
    > passwd[8] = "system";
    >
    > mywarning = string ("We were able to log into the router with password ");
    > if(get_port_state(port)) {
    >     for (i=0; i<9; i = i+1) {
    >         mypasswd = string(passwd[i] , "\n");
    >         check = guess_pass(pass:mypasswd);
    >         if (check != 0) {
    >             mymsg = string ("logged into router with passwd " , check, "\n");
    >             security_hole (port:port, data:mymsg);
    >             exit(0);
    >         }
    >     }
    > }
    > exit(0);
    >
    >
    >
    > --
    > John Lampe
    > https://f00dikator.hn.org/
    > http://f00dikator.hobbiton.org/
    >
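    As an added illustration (Python rather than NASL, and not code from either poster), the two pieces Noam proposes to separate: a loader for an external accounts.txt, whose "username:password" format is an assumption here, and the prompt-matching step from John Lampe's script, with a constructed FakeDevice standing in for the router so it runs offline. It also tightens the success test to an actual shell prompt rather than "anything other than another Password: prompt".

```python
import re
# Constructed sample of the external accounts.txt the reply proposes. Assumed
# format: "username:password" per line, '#' comments, empty username = line password.
SAMPLE_ACCOUNTS_TXT = """\
# username:password
:cisco
:cisco
cisco:cisco
  # indented comment
:Cisco router
"""

PROMPTS = [("password", re.compile(r"^Password:", re.M)),
           ("username", re.compile(r"^Username:", re.M)),
           ("rejected", re.compile(r"^% ", re.M)),        # IOS "% Bad passwords"-style line
           ("shell", re.compile(r"^\S+[>#]\s*$", re.M))]  # Router> or Router#

def load_accounts(text):
    """Parse accounts.txt into an ordered, de-duplicated (user, password) list."""
    pairs = [line.strip().partition(":") for line in text.splitlines()
             if line.strip() and not line.lstrip().startswith("#")]
    return list(dict.fromkeys((user, password) for user, _, password in pairs))

def classify_reply(buf):
    """Name what the device sent back, checked in PROMPTS order. The NASL script
    counts anything but a repeated Password: prompt as a login; requiring a
    shell prompt keeps '% Bad passwords' or a closed session from being a hit."""
    for name, pattern in PROMPTS:
        if pattern.search(buf):
            return name
    return "other"

class FakeDevice:
    """Constructed stand-in for the router; every try is a fresh telnet session."""
    def __init__(self, line_password):
        self.line_password = line_password
    def banner(self):
        return "User Access Verification\r\n\r\nPassword: "
    def try_password(self, pw):
        return "\r\nRouter>" if pw == self.line_password else "\r\nPassword: "

def audit(device, accounts):
    """Return the first (user, password) that reaches a shell prompt, else None."""
    if classify_reply(device.banner()) != "password":
        return None  # no line-password prompt, so nothing for this check to test
    for user, password in accounts:
        if classify_reply(device.try_password(password)) == "shell":
            return (user, password)
    return None
```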
    



    This archive was generated by hypermail 2b30 : Tue Sep 04 2001 - 04:09:47 PDT