Re: [Plugins-writers] Cisco default password test

From: Javier Fernandez-Sanguino (jfernandez@private)
Date: Tue Oct 04 2005 - 07:03:42 PDT

Javier Fernandez-Sanguino wrote:

> A while back [1] I wrote a Cisco default password test plugin
> Attached is a new (untested) version of it, which testes SSH as well as 
> Telnet access and checks the banner for the Cisco device.

I have received no feedback from this plugin, probably many out there 
are just using Hydra for this task... Attached is a newer version that 
hihglists some of the differences with Hydra. Let me menction a few here:

- Hydra does not do SSH for the Cisco plugin (it does do Telnet-SSL, 
which this plugin does not)

- If you take a look at Hydra Cisco code you will notice that it will 
generate false positives for some devices (such as a device named 
'lasswan' or 'bcnfail104'. The Hydra plugin does not try to run 
anything to make sure it has a CISCO command prompt there.

- The use of this plugin, storing results in the KB has a potential to 
enhance the CSC* plugins (which use just SNMP to retrieve the IOS 

Well, I don't know if there are any Cisco shops out there... but they 
might want to look at this, enhance it and send those enhancements 
over here. It might not be as good for some stuff as rat ('Router 
audit Tool') but this one is integrated into Nessus :-)



# This script was written by Javier Fernandez-Sanguino
# based on a script written by Renaud Deraison <deraison@private>
# See the Nessus Scripts License for details
# Notice that this plugin overlaps with #10754 (since there is test for empty
# passwords here too).
# It does _not_ overlap with the account_XXXX_XXXS.nasl plugins since those
# only work for UNIX systems (since 'id' is run in the UNIX shell in order
# to determine if the plugin succeeded). Some user/password combinations
# might match, however.
# This script overlaps with the Hydra 15869 plugin with some differences:
# - it does not require uses to use a password file, it uses common
#   Cisco passwords (typically device defaults). If you want to add 
#   passwords seen "on the field" it's better for you to use the hydra
#   plugin.
# - it uses both SSH and Telnet (newer Cisco devices use SSH per default)
# - it is _not_ license encumbered (see Hydra's LICENSE.HYDRA), contrary
#   to what most people believe, Hydra is not "free" software (nor fully GPL)
# - dump the device configuration to the knowdledge base (requires
#   'enable' access being possible)
# - store the CISCO IOS release in the KB so that other plugins (in the Registered
#   feed) could use the functions in to determine if the system is
#   vulnerable as is currently done through SNMP (all the CSCXXXX.nasl stuff)
# - store the user/password combination in the KB and have another plugin test
#   for common combinations that lead to 'enable' mode.

 script_version ("$Revision: x.x $");

 name["english"] = "Cisco default password";


 desc["english"] = "
The remote CISCO router has a default password set.
This allows an attacker to get a lot information
about your network, and possibly to shut it down if
the 'enable' password is not set either or is also a default

Solution : access this device and set a password using
   enable secret
Risk factor : High";


 summary["english"] = "Checks for a default password";


 script_copyright(english:"This script is Copyright (C) 2001 Renaud Deraison",
                francais:"Ce script est Copyright (C) 2001 Renaud Deraison");

 family["english"] = "CISCO";
 family["francais"] = "CISCO";

 script_family(english:family["english"], francais:family["francais"]);
 script_require_ports("Services/telnet", 23);

# We need for the get_telnet_banner() function
# We need ssh_func for the ssh_login() function
# NOTE: Unfortunately this means that this (GPL) plugin is only
# half-useful for people w/o the Tenable Feed

# Function to connect to a Cisco system through telnet, send
# a passwword
function check_cisco_telnet(login, password, port)
 soc = open_sock_tcp(port);
 msg = telnet_negotiate(socket:soc);

  # The Cisco device might be using an AAA access model
  # or have configured users:
  if ( stridx(msg, "sername:") != -1 || stridx(msg, "ogin:") != -1  )  {
    send(socket:soc, data:string(login, "\r\n"));
    msg=recv(socket:soc, length:4096);

  # Device can answer back with {P,p}assword or {P,p}asscode
  # if we don't get it then fail and close
  if ( stridx(msg, "assword:") == -1 && stridx(msg, "asscode:") == -1  )  {

  send(socket:soc, data:string(password, "\r\n"));
  r = recv(socket:soc, length:4096);

  # TODO: could check for Cisco's prompt here, it is typically
  # the device name followed by '>'  
  # But the actual regexp is quite complex, from Net-Telnet-Cisco:
  #  '/(?m:^[\r\b]?[\w.-]+\s?(?:\(config[^\)]*\))?\s?[\$\#>]\s?(?:\(enable\))?\s*$)/')
  # Send a 'show ver', most users (regardless of privilege level)
  # should be able to do this
  send(socket:soc, data:string("show ver\r\n"));
  r = recv(socket:soc, length:4096);

  # TODO: This is probably not generic enough. Some Cisco devices don't 
  # use IOS but CatOS for example

  # TODO: It might want to change the report so it tells which user / passwords
  # have been found
  if("Cisco Internetwork Operating System Software" >< r) security_hole(port);

# TODO: it could also try 'enable' here and see if it's capable
# of accessing the priviledge mode with the same password, or do it
# in a separate module



# Functions modified from the code available from
# (which is biased to UNIX)
function check_cisco_account(login, password)
 local_var port, ret, banner, soc, res;

 if ( defined_func("bn_random") )
  # Prefer login thru SSH rather than telnet
  port = get_kb_item("Services/ssh");
  if ( ! port ) port = 22;
  banner = get_kb_item("SSH/banner/" + port);
  # GoodTech SSH server does not respect SSH protocol ...
  if (banner && ("cryptlib" >!< banner))
   soc = open_sock_tcp(port);
   if ( soc )
   ret = ssh_login(socket:soc, login:account, password:password);
   if ( ret == 0 ) return port;
   #else return 0;

 port = get_kb_item("Services/telnet");
 if(!port) port = 23;

  if ( isnull(password) ) password = "";

  banner = get_telnet_banner(port:port);
  # Check for banner, covers the case of Cisco telnet as well as the case
  # of a console server to a Cisco port
  # Note: banners of cisco systems are not necesarily set, so this
  # might lead to FP!
  if ( stridx(banner,"User Access Verification") == -1 && stridx(banner,"Enter password:") == -1)  
  res = check_cisco_telnet(login:login, password:password, port:port);

# Try with a blank password first
check_cisco_account(login:"", password:"");

# Test default access cisco/cisco
check_cisco_account(login:"cisco", password:"cisco");

# Or admin/cisco: 
# TODO: will this make it generate two reports if the device does not have 
# users and the password is just "cisco"?
check_cisco_account(login:"admin", password:"cisco");

# Another one (for Cisco Arrowpoint)
check_cisco_account(login:"admin", password:"system");

# Maybe some more?
check_cisco_account(login:"monitor", password:"monitor");

Plugins-writers mailing list

This archive was generated by hypermail 2.1.3 : Wed Oct 05 2005 - 12:54:58 PDT