A while back [1] I wrote a Cisco default password test plugin. Attached is a new (untested) version of it, which tests SSH as well as Telnet access and checks the banner for the Cisco device. Unfortunately, I don't have access to any Cisco stuff right now. If people can test and provide feedback (or patches) I would really appreciate it.

I've submitted this as Bug #1328 in Nessus' bugzilla. I was quite surprised at the time that Nessus is not able to find this common misconfiguration. Maybe I've missed something.

There is lots of room for enhancement. For example, it could store the CISCO IOS release in the KB so that other plugins (in the Registered feed) could use the functions in cisco_func.inc to determine if the system is vulnerable, as is currently done through SNMP (all the CSCXXXX.nasl stuff). Or, it could store the user/password combination in the KB and have another plugin test for common combinations that lead to 'enable' mode.

Notice that this plugin overlaps with #10754 (since there is a test for empty passwords here too).

Regards

Javier

[1] http://mail.nessus.org/pipermail/nessus/2005-August/msg00034.html


#
# This script was written by Javier Fernandez-Sanguino
# based on a script written by Renaud Deraison <deraison@private>
#
# See the Nessus Scripts License for details
#

if(description)
{
 script_id(99999);
 script_cve_id("CAN-1999-0508");
 script_version ("$Revision: x.x $");

 name["english"] = "Cisco default password";
 script_name(english:name["english"]);

 desc["english"] = "
The remote CISCO router has a default password set.
This allows an attacker to get a lot of information
about your network, and possibly to shut it down if
the 'enable' password is not set either or is also
a default password.

Solution : access this device and set a password using 'enable secret'
Risk factor : High";

 script_description(english:desc["english"]);

 summary["english"] = "Checks for a default password";
 script_summary(english:summary["english"]);

 script_category(ACT_GATHER_INFO);

 script_copyright(english:"This script is Copyright (C) 2001 Renaud Deraison",
                  francais:"Ce script est Copyright (C) 2001 Renaud Deraison");
 family["english"] = "CISCO";
 family["francais"] = "CISCO";
 script_family(english:family["english"], francais:family["francais"]);
 script_dependencie("find_service.nes");
 # The plugin also tries SSH, so ask for both services
 script_require_ports("Services/telnet", 23, "Services/ssh", 22);
 exit(0);
}

# We need telnet_func.inc for the get_telnet_banner() function
# and ssh_func.inc for ssh_login()
include("telnet_func.inc");
include("ssh_func.inc");

# Function to connect to a Cisco system through telnet, send
# a login (only if the device asks for one) and a password, then
# confirm access with 'show ver'. Returns 1 on success, 0 otherwise.
function check_cisco_telnet(login, password, port)
{
 local_var soc, msg, r;

 soc = open_sock_tcp(port);
 if ( ! soc ) return(0);

 msg = telnet_negotiate(socket:soc);
 if(strlen(msg))
 {
  # The Cisco device might be using an AAA access model
  # or have configured users, in which case it asks for a login first
  if ( "sername:" >< msg || "ogin:" >< msg )
  {
   send(socket:soc, data:string(login, "\r\n"));
   msg = recv(socket:soc, length:4096);
  }

  # Device can answer back with {P,p}assword or {P,p}asscode;
  # if we get neither then fail
  if ( "assword:" >!< msg && "asscode:" >!< msg )
  {
   close(soc);
   return(0);
  }

  send(socket:soc, data:string(password, "\r\n"));
  r = recv(socket:soc, length:4096);

  # TODO: could check for Cisco's prompt here, it is typically
  # the device name followed by '>'
  # But the actual regexp is quite complex, from Net-Telnet-Cisco:
  # '/(?m:^[\r\b]?[\w.-]+\s?(?:\(config[^\)]*\))?\s?[\$\#>]\s?(?:\(enable\))?\s*$)/'

  # Send a 'show ver', most users (regardless of privilege level)
  # should be able to do this
  send(socket:soc, data:string("show ver\r\n"));
  r = recv(socket:soc, length:4096);

  # TODO: This is probably not generic enough. Some Cisco devices don't
  # use IOS but CatOS for example
  if("Cisco Internetwork Operating System Software" >< r)
  {
   security_hole(port);
   close(soc);
   return(1);
  }

  # TODO: it could also try 'enable' here and see if it's capable
  # of accessing the privilege mode with the same password, or do it
  # in a separate module
 }
 close(soc);
 return(0);
}

# Functions modified from the code available from default_accounts.inc
# (which is biased to UNIX)
function check_cisco_account(login, password)
{
 local_var port, ret, banner, soc, res;

 if ( defined_func("bn_random") )
 {
  # Prefer login thru SSH rather than telnet
  port = get_kb_item("Services/ssh");
  if ( ! port ) port = 22;
  banner = get_kb_item("SSH/banner/" + port);
  # GoodTech SSH server does not respect SSH protocol ...
  if (banner && ("cryptlib" >!< banner))
  {
   soc = open_sock_tcp(port);
   if ( soc )
   {
    ret = ssh_login(socket:soc, login:login, password:password);
    close(soc);
    # ssh_login() returns 0 on success; report it and stop here,
    # otherwise fall through to telnet
    if ( ret == 0 )
    {
     security_hole(port);
     return(port);
    }
   }
  }
 }

 port = get_kb_item("Services/telnet");
 if(!port) port = 23;
 if(get_port_state(port))
 {
  if ( isnull(password) ) password = "";
  banner = get_telnet_banner(port:port);
  # Check for banner, covers the case of Cisco telnet as well as the case
  # of a console server to a Cisco port
  # Note: banners of cisco systems are not necessarily set, so this
  # might lead to FP!
  if ( ! banner ||
       ( "User Access Verification" >!< banner && "Enter password:" >!< banner ) )
   return(0);
  res = check_cisco_telnet(login:login, password:password, port:port);
  if(res) return(port);
 }
 return(0);
}

# Try with a blank password first
check_cisco_account(login:"", password:"");
# Test default access cisco/cisco
check_cisco_account(login:"cisco", password:"cisco");
# Or admin/cisco:
# TODO: this will make it report again if the device does not have
# users and the password is just "cisco"
check_cisco_account(login:"admin", password:"cisco");
# Another one (for Cisco Arrowpoint)
check_cisco_account(login:"admin", password:"system");
# Maybe some more?
check_cisco_account(login:"monitor", password:"monitor");

_______________________________________________
Plugins-writers mailing list
Plugins-writers@private
http://mail.nessus.org/mailman/listinfo/plugins-writers
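The post asks for people with Cisco gear to test the plugin's prompt logic. The following is an added example, not part of Javier's plugin or of Nessus: a Python stand-in for a device's telnet side, covering both access models the plugin has to handle (line password only, so the device goes straight to "Password:", and local users/AAA, so it asks "Username:" first), with the same decision sequence as check_cisco_telnet() run against it. It also pulls the IOS release out of the 'show ver' text, the KB enhancement the post suggests; the regex for that is an assumption about the output format. Hostnames, passwords, banner and 'show ver' text are all constructed sample data, not a capture from a real device.

```python
import re

# Strings the NASL plugin keys on
IOS_MARKER = "Cisco Internetwork Operating System Software"
BANNER_MARKERS = ("User Access Verification", "Enter password:")
# Same credential list as the plugin's top-level calls
DEFAULT_PAIRS = [("", ""), ("cisco", "cisco"), ("admin", "cisco"),
                 ("admin", "system"), ("monitor", "monitor")]

# Constructed 'show ver' header in IOS style (sample text, not a real capture)
SAMPLE_SHOW_VER = (
    "Cisco Internetwork Operating System Software\r\n"
    "IOS (tm) C2600 Software (C2600-I-M), Version 12.2(8)T5, RELEASE SOFTWARE (fc1)\r\n"
    "Copyright (c) 1986-2002 by cisco Systems, Inc.\r\n"
)
# Assumed release format: "Version <digits...>" up to the next comma/space
IOS_VERSION_RE = re.compile(r"\bVersion\s+([0-9][\w.()]*)")


class MockCiscoTelnet:
    """Scripted stand-in for a device's telnet side (constructed, offline).
    users=None models the line-password access model; a dict of user->password
    models local users/AAA, where the device prompts for a username first."""

    def __init__(self, hostname, line_password=None, users=None, banner=True,
                 show_ver=SAMPLE_SHOW_VER):
        self.hostname = hostname
        self.line_password = line_password
        self.users = users
        self.show_ver = show_ver
        self.banner = "\r\nUser Access Verification\r\n\r\n" if banner else ""
        self.authenticated = False
        self._pending_user = None

    def connect(self):
        """What the device sends right after telnet negotiation."""
        first = "Username: " if self.users is not None else "Password: "
        return self.banner + first

    def send(self, line):
        """Feed one line to the device, return its reply."""
        if self.authenticated:
            if line.strip() == "show ver":
                return self.show_ver + self.hostname + ">"
            return "% Unknown command\r\n" + self.hostname + ">"
        if self.users is not None and self._pending_user is None:
            self._pending_user = line          # username collected, ask for password
            return "Password: "
        expected = (self.users.get(self._pending_user) if self.users is not None
                    else self.line_password)
        self._pending_user = None
        if expected is not None and line == expected:
            self.authenticated = True
            return "\r\n" + self.hostname + ">"
        reprompt = "Username: " if self.users is not None else "Password: "
        return "\r\n% Login invalid\r\n\r\n" + reprompt


def wants_login(text):
    return "sername:" in text or "ogin:" in text


def wants_password(text):
    return "assword:" in text or "asscode:" in text


def looks_like_cisco(banner):
    """Plugin's banner test: no banner, or neither marker, means 'skip'."""
    return bool(banner) and any(m in banner for m in BANNER_MARKERS)


def parse_show_ver(output):
    """(is_ios, release) from 'show ver' output; release is None if not found."""
    m = IOS_VERSION_RE.search(output)
    return IOS_MARKER in output, (m.group(1) if m else None)


def check_cisco_telnet(device, login, password):
    """Same decision sequence as the plugin's check_cisco_telnet(), against the mock.
    Here the banner and first prompt arrive together. Returns (accepted, release)."""
    msg = device.connect()
    if not looks_like_cisco(msg):
        return False, None
    if wants_login(msg):                       # AAA / local users: send the login
        msg = device.send(login)
    if not wants_password(msg):                # neither Password: nor Passcode:
        return False, None
    device.send(password)
    out = device.send("show ver")              # only an authenticated session echoes IOS
    return parse_show_ver(out)


def audit(device_factory):
    """Run the plugin's credential list, one fresh session each; return the hits."""
    hits = []
    for login, password in DEFAULT_PAIRS:
        ok, release = check_cisco_telnet(device_factory(), login, password)
        if ok:
            hits.append((login, password, release))
    return hits


if __name__ == "__main__":
    # Line-password-only device: both "cisco" pairs succeed, the duplicate the
    # admin/cisco TODO in the plugin warns about.
    print(audit(lambda: MockCiscoTelnet("rtr-lab", line_password="cisco")))
```

Run against a mock with only a line password of "cisco", the audit reports both cisco/cisco and admin/cisco, which is exactly the duplicate report the plugin's admin/cisco TODO describes; against a mock with a real local user the same list produces nothing, and with the banner switched off the check bails out before sending anything, the false-negative case the plugin's banner note mentions.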
This archive was generated by hypermail 2.1.3 : Fri Sep 30 2005 - 04:24:40 PDT