[Plugins-writers] Cisco default password test

From: Javier Fernandez-Sanguino (jfernandez@private)
Date: Fri Sep 30 2005 - 04:20:54 PDT


A while back [1] I wrote a Cisco default password test plugin.
Attached is a new (untested) version of it, which tests SSH as well 
as Telnet access and checks the banner for the Cisco device.

Unfortunately, I don't have access to any Cisco stuff right now. If 
people can test and provide feedback (or patches) I would really 
appreciate it.

I've submitted this as Bug #1328 in Nessus' bugzilla. I was quite 
surprised at the time that Nessus is not able to find this common 
misconfiguration. Maybe I've missed something.

There is lots of room for enhancement. For example, it could store the 
CISCO IOS release in the KB so that other plugins (in the Registered 
feed) could use the functions in cisco_func.inc to determine if the 
system is vulnerable as is currently done through SNMP (all the 
CSCXXXX.nasl stuff).

Or, it could store the user/password combination in the KB and have 
another plugin test for common combinations that lead to 'enable' mode.

Notice that this plugin overlaps with #10754 (since there is test for 
empty passwords here too).

Regards

Javier


[1] http://mail.nessus.org/pipermail/nessus/2005-August/msg00034.html



#
# This script was written by Javier Fernandez-Sanguino
# based on a script written by Renaud Deraison <deraison@private>
#
# See the Nessus Scripts License for details
#

if(description)
{
 script_id(99999);
 script_cve_id("CAN-1999-0508");
 script_version ("$Revision: x.x $");


 name["english"] = "Cisco default password";

 script_name(english:name["english"]);

 desc["english"] = "
The remote CISCO router has a default password set.
This allows an attacker to get a lot of information
about your network, and possibly to shut it down if
the 'enable' password is not set either or is also a default
password.

Solution : access this device and set a password using
   enable secret
Risk factor : High";


 script_description(english:desc["english"]);

 summary["english"] = "Checks for a default password";
 script_summary(english:summary["english"]);

 script_category(ACT_GATHER_INFO);


 script_copyright(english:"This script is Copyright (C) 2001 Renaud Deraison",
                francais:"Ce script est Copyright (C) 2001 Renaud Deraison");

 family["english"] = "CISCO";
 family["francais"] = "CISCO";

 script_family(english:family["english"], francais:family["francais"]);
 script_dependencie("find_service.nes");
 # The check is attempted over SSH first, then telnet
 script_require_ports("Services/telnet", 23, "Services/ssh", 22);
 exit(0);
}

# telnet_func.inc provides telnet_negotiate() and get_telnet_banner(),
# ssh_func.inc provides ssh_login()
include("telnet_func.inc");
include("ssh_func.inc");

# Connect to a Cisco system through telnet, send the login (if the
# device asks for one) and the password, then run 'show ver' to confirm
# that we are really logged in. Returns 1 on success, 0 otherwise.
function check_cisco_telnet(login, password, port)
{
 local_var soc, msg, r;

 soc = open_sock_tcp(port);
 if ( ! soc ) return(0);
 msg = telnet_negotiate(socket:soc);

 if(strlen(msg))
 {
  # The Cisco device might be using an AAA access model
  # or have configured users, in which case it asks for a
  # user name before the password:
  if ( "sername:" >< msg || "ogin:" >< msg )  {
    send(socket:soc, data:string(login, "\r\n"));
    msg=recv(socket:soc, length:4096);
  }

  # Device can answer back with {P,p}assword or {P,p}asscode
  # if we get neither of them then fail
  if ( ("assword:" >!< msg) && ("asscode:" >!< msg) )  {
    close(soc);
    return(0);
  }

  send(socket:soc, data:string(password, "\r\n"));
  r = recv(socket:soc, length:4096);

  # TODO: could check for Cisco's prompt here, it is typically
  # the device name followed by '>'
  # But the actual regexp is quite complex, from Net-Telnet-Cisco:
  #  '/(?m:^[\r\b]?[\w.-]+\s?(?:\(config[^\)]*\))?\s?[\$\#>]\s?(?:\(enable\))?\s*$)/'

  # Send a 'show ver', most users (regardless of privilege level)
  # should be able to do this
  send(socket:soc, data:string("show ver\r\n"));
  r = recv(socket:soc, length:4096);

  # TODO: This is probably not generic enough. Some Cisco devices don't
  # use IOS but CatOS for example

  # TODO: it could also try 'enable' here and see if it's capable
  # of accessing the privilege mode with the same password, or do it
  # in a separate module

  close(soc);
  # Reporting is done by the caller, so that SSH and telnet hits are
  # reported the same way
  if("Cisco Internetwork Operating System Software" >< r) return(1);
  return(0);
 }

 close(soc);
 return(0);
}

# Functions modified from the code available from default_accounts.inc
# (which is biased to UNIX). Returns the port on which the account
# worked, or 0 if it did not work anywhere.
function check_cisco_account(login, password)
{
 local_var port, ret, banner, soc, res;

 # bn_random() is only defined when Nessus was built with crypto
 # support, which ssh_login() needs
 if ( defined_func("bn_random") )
 {
  # Prefer login thru SSH rather than telnet
  port = get_kb_item("Services/ssh");
  if ( ! port ) port = 22;
  banner = get_kb_item("SSH/banner/" + port);
  # GoodTech SSH server does not respect SSH protocol ...
  if (banner && ("cryptlib" >!< banner))
  {
   soc = open_sock_tcp(port);
   if ( soc )
   {
    ret = ssh_login(socket:soc, login:login, password:password);
    close(soc);
    if ( ret == 0 ) return port;
   }
  }
 }

 port = get_kb_item("Services/telnet");
 if(!port) port = 23;

 if(get_port_state(port))
 {
  if ( isnull(password) ) password = "";

  banner = get_telnet_banner(port:port);
  # Check for banner, covers the case of Cisco telnet as well as the case
  # of a console server to a Cisco port
  # Note: banners of cisco systems are not necessarily set, so this
  # might lead to FP!
  if ( ! banner ||
       ( ("User Access Verification" >!< banner) && ("Enter password:" >!< banner) ) )
    return(0);

  res = check_cisco_telnet(login:login, password:password, port:port);
  if(res)
   return(port);
 }
 return(0);
}

# Try with a blank password first
port = check_cisco_account(login:"", password:"");
# Test default access cisco/cisco
if ( ! port ) port = check_cisco_account(login:"cisco", password:"cisco");
# Or admin/cisco: 
# TODO: this will make it generate if the device does not have 
# users and the password is just "cisco"
if ( ! port ) port = check_cisco_account(login:"admin", password:"cisco");
# Another one (for Cisco Arrowpoint)
if ( ! port ) port = check_cisco_account(login:"admin", password:"system");
# Maybe some more?
if ( ! port ) port = check_cisco_account(login:"monitor", password:"monitor");

# Report once, on the first port where a default account worked
if ( port ) security_hole(port);

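The plugin above hinges on two parsing steps that its comments leave as TODOs: recognising which stage of the login dialogue the device is in (the Net::Telnet::Cisco prompt regexp) and reading the IOS release out of `show ver` so that it could be stored in the KB for the CSC* plugins. The following is an added Python example, not part of Javier's plugin or of Nessus, that works through that parsing over constructed sample responses: it classifies a received chunk as a username prompt, password prompt, user exec prompt, privileged prompt or a login refusal, and extracts the IOS release from `show ver` output. The function names, the refusal strings (`% Login invalid` etc.), the newer `Cisco IOS Software` banner line and the sample transcript are my assumptions, not taken from the original message.

```python
import re

# Prompt patterns for the stages of a Cisco login dialogue. The exec-prompt
# regexp is the Net::Telnet::Cisco one quoted in the plugin comments, written
# in Python syntax; the username/password patterns correspond to the strings
# the plugin itself looks for ("sername:", "ogin:", "assword:", "asscode:").
USERNAME_RE = re.compile(r"(?:Username|login):\s*$", re.IGNORECASE)
PASSWORD_RE = re.compile(r"(?:Password|Passcode):\s*$", re.IGNORECASE)
EXEC_RE = re.compile(
    r"^[\r\b]?[\w.-]+\s?(?:\(config[^)]*\))?\s?(?P<p>[$#>])\s?(?:\(enable\))?\s*$"
)
# Refusal messages (assumption: typical IOS wording, not from the plugin)
DENIED = ("% Login invalid", "% Access denied", "% Bad passwords", "% Bad secrets")


def classify_response(text):
    """Classify the last thing the device sent during the login dialogue.

    Returns one of 'denied', 'username', 'password', 'exec', 'enable',
    'unknown'. 'enable' means the prompt ends in '#', i.e. privileged
    mode, which is what the plugin's 'try enable' TODO would look for.
    """
    if any(msg in text for msg in DENIED):
        return "denied"
    # Only the last non-empty line matters: that is where the prompt sits
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    tail = lines[-1] if lines else ""
    if USERNAME_RE.search(tail):
        return "username"
    if PASSWORD_RE.search(tail):
        return "password"
    m = EXEC_RE.match(tail)
    if m:
        return "enable" if m.group("p") == "#" else "exec"
    return "unknown"


# First line of IOS 'show version' output. The plugin checks only the first
# string; the second is what newer IOS releases print (assumption).
IOS_BANNERS = ("Cisco Internetwork Operating System Software", "Cisco IOS Software")
VERSION_RE = re.compile(r"\bVersion\s+([\w.()]+)")


def parse_show_version(text):
    """Return {'family': 'IOS', 'version': ...} for IOS 'show ver' output,
    or None when the output is not from an IOS device (e.g. CatOS, or a
    console server that accepted the password but is not a router)."""
    if not any(banner in text for banner in IOS_BANNERS):
        return None
    m = VERSION_RE.search(text)
    return {"family": "IOS", "version": m.group(1) if m else "unknown"}


# Constructed sample transcript (not captured from a real device).
SHOW_VER_SAMPLE = (
    "router1>show ver\r\n"
    "Cisco Internetwork Operating System Software\r\n"
    "IOS (tm) C2600 Software (C2600-I-M), Version 12.2(13), RELEASE SOFTWARE (fc1)\r\n"
    "Copyright (c) 1986-2002 by cisco Systems, Inc.\r\n"
    "router1>"
)

if __name__ == "__main__":
    for chunk in ("\r\nUser Access Verification\r\n\r\nUsername: ",
                  "Password: ", "\r\nrouter1>", "\r\nrouter1(config)#",
                  "% Login invalid\r\n\r\nUsername: "):
        print(repr(chunk), "->", classify_response(chunk))
    print(parse_show_version(SHOW_VER_SAMPLE))
```

Driving the plugin's send/recv loop off `classify_response()` instead of substring checks on the raw buffer removes the `>!<`/`||` ambiguity that the telnet branch suffers from, and `parse_show_version()` returning None for non-IOS output is the guard the "console server to a Cisco port" comment asks for.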

