Re: check for specific userid/password for cisco
Waheed Qureshi wrote:
Is there a plugin that would test for a specific
userid/password combination on a cisco router? If not
can an existing plugin like "10754 Cisco no password
set" be modified to perform such a test?
There are many plugins available that do just that. Check out
default_account.inc and the NASL plugins that include it. You will
need, however, to tweak it so that the pattern matches what you expect.
Also notice that it is UNIX-specific, so you need to change (or
remove) the following piece of code:
-----------------------------------------------------------------
send(socket:soc, data:'id\r\n');
res = recv_until(socket:soc, pattern:"uid=");
close(soc);
if ( res ) return 1;
-----------------------------------------------------------------
As you said, you can also use the plugin #10754. The attached
(untested) plugin should do the work. I wonder why a similar plugin is
not in the archive yet.
BTW, the CVE entry CAN-1999-0508 should be added to #10754 too.
Caveats: will not test SSH (better use Hydra in those cases), and
might lead to false positives if the banner has been changed.
Regards
Javier
#
# This script was written by Javier Fernandez-Sanguino
# based on a script written by Renaud Deraison <deraison_at_cvs.nessus.org>
#
# See the Nessus Scripts License for details
#
if(description)
{
script_id(99999);
script_cve_id("CAN-1999-0508");
script_version ("$Revision: x.x $");
name["english"] = "Cisco default password";
script_name(english:name["english"]);
desc["english"] = "
The remote CISCO router has a default password set.
This allows an attacker to get a lot of information
about your network, and possibly to shut it down if
the 'enable' password is not set either or is also a default
password.
Solution : access this device and set a password using
enable secret
Risk factor : High";
script_description(english:desc["english"]);
summary["english"] = "Checks for a default password";
script_summary(english:summary["english"]);
script_category(ACT_GATHER_INFO);
script_copyright(english:"This script is Copyright (C) 2001 Renaud Deraison",
francais:"Ce script est Copyright (C) 2001 Renaud Deraison");
family["english"] = "CISCO";
family["francais"] = "CISCO";
script_family(english:family["english"], francais:family["francais"]);
script_dependencie("find_service.nes");
script_require_ports("Services/telnet", 23);
exit(0);
}
# get_telnet_banner() (and telnet_init() in newer NASL) are defined in telnet_func.inc
include("telnet_func.inc");
function test_cisco(password, port)
{
soc = open_sock_tcp(port);
if(soc)
{
r = telnet_init(soc);
r = recv(socket:soc, length:4096);
send(socket:soc, data:string(password, "\r\n"));
r = recv(socket:soc, length:4096);
send(socket:soc, data:string("show ver\r\n"));
r = recv(socket:soc, length:4096);
if("Cisco Internetwork Operating System Software" >< r)security_hole(port);
# Note: it could also try 'enable' here and see if it's capable
# of accessing privileged mode
close(soc);
}
}
port = get_kb_item("Services/telnet");
if(!port)port = 23;
if(!get_port_state(port))exit(0);
banner = get_telnet_banner(port:port);
# Note: banners of cisco systems are not necessarily set, so this
# might lead to FP!
if ( ! banner || "User Access Verification" >!< banner ) exit(0);
test_cisco(password:"cisco", port:port);
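An added example, not part of the message above and not Nessus code: the same telnet exchange in Python, run against a constructed mock of an IOS vty so it works offline. It follows the plugin's steps (refuse the server's telnet options the way telnet_init() does, insist on the "User Access Verification" banner before sending anything, log in with "cisco", confirm with "show ver") and also carries out the "enable" step that the comment in test_cisco() only mentions. The function names check_default_password() and run_demo(), the MockIOS class and every prompt and "show ver" string in the mock are assumptions made here; nothing was captured from a real device.

```python
import socket
import threading

IAC, DONT, DO, WONT, WILL = 255, 254, 253, 252, 251
IOS_SIGNATURE = b"Cisco Internetwork Operating System Software"  # what the plugin greps for

def strip_iac(data, sock=None):
    """Drop telnet option negotiation from data; with sock, refuse each DO/WILL
    the peer offers (what telnet_init() does) so it stops waiting for an answer."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] == IAC and i + 2 < len(data):
            if sock is not None and data[i + 1] in (DO, WILL):
                sock.sendall(bytes([IAC, WONT if data[i + 1] == DO else DONT, data[i + 2]]))
            i += 3
        else:
            out.append(data[i])
            i += 1
    return bytes(out)

def recv_until(sock, patterns, timeout=2.0):
    """Read until one of patterns appears, the peer closes, or timeout passes."""
    sock.settimeout(timeout)
    buf = b""
    try:
        while not any(p in buf for p in patterns) and (chunk := sock.recv(4096)):
            buf += strip_iac(chunk, sock)
    except socket.timeout:
        pass
    return buf

def check_default_password(host, port, password=b"cisco"):
    """The plugin's sequence plus the 'enable' step it only mentions. Requiring the
    IOS login banner before sending anything is the false-positive guard."""
    result = {"banner_ok": False, "login_ok": False, "enable_ok": False}
    with socket.create_connection((host, port), timeout=2.0) as s:
        if b"User Access Verification" not in recv_until(s, [b"Password:"]):
            return result
        result["banner_ok"] = True
        s.sendall(password + b"\r\n")
        if b">" not in recv_until(s, [b">", b"Bad passwords"]):
            return result
        s.sendall(b"show ver\r\n")
        if IOS_SIGNATURE not in recv_until(s, [b">"]):
            return result
        result["login_ok"] = True
        s.sendall(b"enable\r\n")
        recv_until(s, [b"Password:"])
        s.sendall(password + b"\r\n")
        result["enable_ok"] = b"#" in recv_until(s, [b"#", b">"])
    return result

class MockIOS(threading.Thread):
    """Constructed stand-in for an IOS vty so the check runs offline; prompts and
    'show ver' text imitate IOS and were not captured from a real device."""
    def __init__(self, vty=b"cisco", enable=b"cisco", banner=True):
        super().__init__(daemon=True)
        self.vty, self.enable, self.banner = vty, enable, banner
        self.srv = socket.socket()
        self.srv.bind(("127.0.0.1", 0))
        self.srv.listen(1)
        self.port = self.srv.getsockname()[1]
        self.start()

    @staticmethod
    def readline(conn):
        buf = b""
        while b"\n" not in buf and (chunk := conn.recv(1024)):
            buf += strip_iac(chunk)  # the client's option refusals are dropped here
        return buf.split(b"\n", 1)[0].strip()

    def run(self):
        conn, _ = self.srv.accept()
        try:
            with conn:
                conn.sendall(bytes([IAC, WILL, 1, IAC, DO, 3]))  # ECHO, SUPPRESS-GO-AHEAD
                conn.sendall((b"\r\nUser Access Verification\r\n" if self.banner else b"") + b"\r\nPassword: ")
                if self.readline(conn) != self.vty:
                    conn.sendall(b"% Bad passwords\r\n")
                    return
                conn.sendall(b"\r\nRouter>")
                while True:
                    cmd = self.readline(conn)
                    if cmd == b"show ver":
                        conn.sendall(IOS_SIGNATURE + b"\r\nIOS (tm) constructed test image\r\n\r\nRouter>")
                    elif cmd == b"enable":
                        conn.sendall(b"Password: ")
                        ok = self.readline(conn) == self.enable
                        conn.sendall(b"\r\nRouter#" if ok else b"% Bad secrets\r\nRouter>")
                    else:
                        return  # client closed (or typed 'exit')
        except OSError:
            pass  # client hung up early, e.g. right after a non-IOS banner

def run_demo():
    """Check four mock routers; returns name -> result (hypothetical harness)."""
    cases = {"both_default": MockIOS(), "vty_changed": MockIOS(vty=b"s3cret"),
             "enable_changed": MockIOS(enable=b"s3cret"), "no_ios_banner": MockIOS(banner=False)}
    return {name: check_default_password("127.0.0.1", r.port) for name, r in cases.items()}

if __name__ == "__main__":
    print(run_demo())
```

The "no_ios_banner" case is the point of the banner check in the plugin: a telnet daemon that prompts "Password:" without the IOS "User Access Verification" line is never sent the credential, so it cannot be reported as a Cisco with a default password. The "enable_changed" case shows why the extra step matters: a shared vty password is a finding on its own, but whether the same password also opens privileged mode changes the impact.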