
| Subject: | Re: Simple password tests |
|---|---|
| Date: | Fri, 30 Sep 2005 13:16:56 +0200 |
Bill Petersen wrote:
> I would like to run a simple test against a group of systems. I want to only test for
> 1. No passwords for ids like root, oracle, mysql, etc.
> 2. Default userid & passwords (like oracle's scott/tiger)

Regards
Javier

```
#
# This script was written by Javier Fernandez-Sanguino
# based on a script written by Renaud Deraison <deraison@cvs.nessus.org>
#
# See the Nessus Scripts License for details
#

if(description)
{
 script_id(99999);
 script_cve_id("CAN-1999-0508");
 script_version ("$Revision: x.x $");

 name["english"] = "Cisco default password";
 script_name(english:name["english"]);

 desc["english"] = "
The remote CISCO router has a default password set.
This allows an attacker to get a lot of information
about your network, and possibly to shut it down if
the 'enable' password is not set either or is also a default
password.
Solution : access this device and set a password using
enable secret
Risk factor : High";
 script_description(english:desc["english"]);

 summary["english"] = "Checks for a default password";
 script_summary(english:summary["english"]);

 script_category(ACT_GATHER_INFO);

 script_copyright(english:"This script is Copyright (C) 2001 Renaud Deraison",
                  francais:"Ce script est Copyright (C) 2001 Renaud Deraison");

 family["english"] = "CISCO";
 family["francais"] = "CISCO";
 script_family(english:family["english"], francais:family["francais"]);

 script_dependencie("find_service.nes");
 script_require_ports("Services/telnet", 23);
 exit(0);
}

# We need telnet_func.inc for the get_telnet_banner() function
include("telnet_func.inc");
# ssh_login() used below comes from ssh_func.inc
include("ssh_func.inc");

# Function to connect to a Cisco system through telnet, send
# a password
function check_cisco_telnet(login, password, port)
{
 local_var soc, msg, r, found;

 found = 0;
 soc = open_sock_tcp(port);
 if ( ! soc ) return(0);

 msg = telnet_negotiate(socket:soc);
 if(strlen(msg))
 {
  # The Cisco device might be using an AAA access model
  # or have configured users: send the login only if it is asked for
  if ( "sername:" >< msg || "ogin:" >< msg ) {
   send(socket:soc, data:string(login, "\r\n"));
   msg=recv(socket:soc, length:4096);
  }

  # Device can answer back with {P,p}assword or {P,p}asscode
  # if we don't get either of them then fail
  if ( "assword:" >!< msg && "asscode:" >!< msg ) {
   close(soc);
   return(0);
  }

  send(socket:soc, data:string(password, "\r\n"));
  r = recv(socket:soc, length:4096);

  # TODO: could check for Cisco's prompt here, it is typically
  # the device name followed by '>'
  # But the actual regexp is quite complex, from Net-Telnet-Cisco:
  #
  # '/(?m:^[\r\b]?[\w.-]+\s?(?:\(config[^\)]*\))?\s?[\$\#>]\s?(?:\(enable\))?\s*$)/')

  # Send a 'show ver', most users (regardless of privilege level)
  # should be able to do this
  send(socket:soc, data:string("show ver\r\n"));
  r = recv(socket:soc, length:4096);

  # TODO: This is probably not generic enough. Some Cisco devices don't
  # use IOS but CatOS for example
  if("Cisco Internetwork Operating System Software" >< r)
  {
   security_hole(port);
   found = 1;
  }

  # TODO: it could also try 'enable' here and see if it's capable
  # of accessing the privileged mode with the same password, or do it
  # in a separate module
 }
 close(soc);
 return(found);
}

# Functions modified from the code available from default_accounts.inc
# (which is biased to UNIX)
function check_cisco_account(login, password)
{
 local_var port, ret, banner, soc, res;

 if ( defined_func("bn_random") )
 {
  # Prefer login thru SSH rather than telnet
  port = get_kb_item("Services/ssh");
  if ( ! port ) port = 22;

  banner = get_kb_item("SSH/banner/" + port);
  # GoodTech SSH server does not respect SSH protocol ...
  if (banner && ("cryptlib" >!< banner))
  {
   soc = open_sock_tcp(port);
   if ( soc )
   {
    ret = ssh_login(socket:soc, login:login, password:password);
    close(soc);
    if ( ret == 0 ) return port;
    #else return 0;
   }
  }
 }

 port = get_kb_item("Services/telnet");
 if(!port) port = 23;

 if(get_port_state(port))
 {
  if ( isnull(password) ) password = "";
  banner = get_telnet_banner(port:port);

  # Check for banner, covers the case of Cisco telnet as well as the case
  # of a console server to a Cisco port
  # Note: banners of cisco systems are not necessarily set, so this
  # might lead to FP!
  if ( ! banner ||
       ( "User Access Verification" >!< banner && "Enter password:" >!< banner ) )
   return(0);

  res = check_cisco_telnet(login:login, password:password, port:port);
  if(res)
   return(port);
 }
 return(0);
}

# Try with a blank password first
check_cisco_account(login:"", password:"");

# Test default access cisco/cisco
check_cisco_account(login:"cisco", password:"cisco");

# Or admin/cisco:
# TODO: this will make it generate if the device does not have
# users and the password is just "cisco"
check_cisco_account(login:"admin", password:"cisco");

# Another one (for Cisco Arrowpoint)
check_cisco_account(login:"admin", password:"system");

# Maybe some more?
check_cisco_account(login:"monitor", password:"monitor");
```

_______________________________________________ Nessus mailing list Nessus@list.nessus.org http://mail.nessus.org/mailman/listinfo/nessus
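
The script's first TODO (checking for the Cisco prompt after the password is sent) can be sketched as follows. This is an added example in Python, not part of the original post or of Nessus: the pattern is the Net-Telnet-Cisco one quoted in the script with capture groups added, and `classify_reply`, the state names and the sample replies are constructed for illustration. It looks only at the last non-empty line so that a prompt-like line inside a banner does not count as a successful login.

```python
import re

# Prompt pattern quoted in the script's TODO (from Net-Telnet-Cisco).
# The named groups are added here so the privilege level can be read off.
PROMPT_RE = re.compile(
    r"^[\r\b]?(?P<host>[\w.-]+)\s?(?P<config>\(config[^\)]*\))?\s?"
    r"(?P<mark>[\$\#>])\s?(?P<enable>\(enable\))?\s*$",
    re.MULTILINE,
)


def classify_reply(reply):
    """Classify the text received after the password was sent.

    Returns (state, hostname) where state is one of:
      "no-prompt"  - last line is not a device prompt (login not confirmed)
      "user"       - unprivileged prompt, e.g. 'name>'
      "privileged" - 'name#' or a prompt carrying the '(enable)' suffix
      "config"     - a '(config...)' prompt
    """
    lines = [l for l in reply.replace("\r\n", "\n").split("\n") if l.strip()]
    if not lines:
        return ("no-prompt", None)
    # Only the final line is tested: earlier lines may be banner text.
    m = PROMPT_RE.match(lines[-1])
    if not m:
        return ("no-prompt", None)
    if m.group("config"):
        state = "config"
    elif m.group("mark") == "#" or m.group("enable"):
        state = "privileged"
    else:
        state = "user"
    return (state, m.group("host"))


# Constructed sample replies (not captured from real devices).
SAMPLES = [
    "\r\nrouter1>",                 # login accepted, unprivileged prompt
    "\r\ncore-sw.example#",         # login accepted, privileged prompt
    "\r\nConsole> (enable) ",       # prompt with the '(enable)' suffix
    "\r\nPassword: ",               # device asks again: password rejected
    "helpdesk>\r\nPassword: ",      # prompt-like banner line, still rejected
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s), "->", classify_reply(s))
```

Reporting a finding only when the state is not "no-prompt" would avoid depending on the IOS-specific `show ver` string that the second TODO flags as not generic enough.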