Mailing List Archive

cisco password (analysis)
(This is how I'd like "in-depth" discussion of plugins to be redacted.
This plugin is not really interesting by itself. I could not come up
with a better idea though).

(I'll occasionally post some explanations of this kind for some plugins I
liked to write. This one was not fun, but it's simple to explain)


Level : EASY
Tested : YES, but against only one version of IOS.

Description :

This plugin determines if the remote cisco router has a password set
(or if the password is "cisco"). To do that, it :
- connects to the remote telnet port
- sends the password
- issues the command "show ver"
- and expects to see the string "Cisco Internetworking Operating
System Software" in the reply.

This plugin does not contain the description part. So if you want to
test it, do :

nasl -t ip.of.your.cisco.device cisco_no_pw.nasl

And expect the string 'Success'.

Let's have a look at it. Once again, this is no rocket science at all.




- The actual testing of a password is done through a function we call
'test_cisco()' which is defined as :

function test_cisco(password, port)
{
  # we open a connection to the remote port
  soc = open_sock_tcp(port);
  if(soc)
  {
    # if that succeeded, we use telnet_init() to negotiate the
    # telnet session. We don't care about the banner, so we
    # ignore the result
    r = telnet_init(soc);
    r = recv(socket:soc, length:4096);

    # we send our password, followed by \r\n (carriage return, line feed)
    send(socket:soc, data:string(password, "\r\n"));

    # we receive the motd that we ignore too (might be user defined)
    r = recv(socket:soc, length:4096);

    # then we issue the command 'show ver'
    send(socket:soc, data:string("show ver\r\n"));

    # we receive the result
    r = recv(socket:soc, length:4096);

    # if the result contains "Cisco Internetwork Operating System Software"
    # then we consider ourselves as logged in, and we issue an alert
    if("Cisco Internetwork Operating System Software" >< r) security_hole(port);
    close(soc);
  }
}


Then the plugin itself determines the telnet port and calls
test_cisco() :


# we read in the knowledge base what is the value of the
# telnet port. If there's none, we assume it's port 23
port = get_kb_item("Services/telnet");
if(!port)port = 23;

# Then if the port is closed, we go away
if(!get_port_state(port))exit(0);

# We test for an empty password
test_cisco(password:"", port:port);

# We test for the password "cisco" :
test_cisco(password:"cisco", port:port);


# Finished.



Next time, I'll choose a better plugin.

-- Renaud
RE: cisco password (analysis) [ In reply to ]
> # We test for an empty password
> test_cisco(password:"", port:port);
>
> # We test for the password "cisco" :
> test_cisco(password:"cisco", port:port);
>

Wouldn't it be better to take the passwords from the accounts.txt file?
This would enable you to try and brute-force your way into the router.

--
Aviram Jenik
Beyond Security Ltd.
http://www.BeyondSecurity.com
http://www.SecuriTeam.com
RE: cisco password (analysis) [ In reply to ]
Hello Noam,

>
> As I stated before (privately to Renaud) it would be better to make the
> username/password combination always from the same source, in the Nessus
> case accounts.txt.
>
> It would seem logical to create some NASL function to return a
> username/password combination directly from the accounts.txt and
> to make the
> accounts.txt as versatile as possible (containing as much combinations as
> possible, but not a dictionary :}).
>

Would it be worth allowing the user to specify the 'depth' of password
guessing, e.g. 'light' would only check for common default passwords,
'medium' or 'heavy' (or whatever) would check for more, but obviously take
a lot longer to run?

Matt Moore
Re: cisco password (analysis) [ In reply to ]
Hi,

As I stated before (privately to Renaud) it would be better to make the
username/password combination always from the same source, in the Nessus
case accounts.txt.

It would seem logical to create some NASL function to return a
username/password combination directly from the accounts.txt and to make the
accounts.txt as versatile as possible (containing as much combinations as
possible, but not a dictionary :}).

Additional plugins that are currently in Nessus should be modified, the SQL
blank password can be modified to check additional usernames, the POP server
tests. And any other plugin that requires a username/password.

Thanks
Noam Rathaus
http://www.SecuriTeam.com
http://www.BeyondSecurity.com

Know that you're safe (against Code Red and other vulnerabilities):
http://www.AutomatedScanning.com/


----- Original Message -----
From: "Renaud Deraison" <deraison@cvs.nessus.org>
To: <plugins-writers@list.nessus.org>
Sent: Monday, September 03, 2001 01:17
Subject: cisco password (analysis)


Re: cisco password (analysis) [ In reply to ]
Might it add some value to look for the "Password:" prompt after the 3-way
handshake to port 23? Incidentally, I wrote such a check and sent to you
several months ago. I'll paste the script in below...


#
# This script was written by John Lampe (j_lampe@bellsouth.net)
#
# See the Nessus Scripts License for details
#
if(description)
{
  script_id();   # id not yet assigned
  script_name(english:"Check for Cisco default passwords");
  desc["english"] = "
Checks to see if the Cisco router still has a default login password
Solution : Change your password";

  script_description(english:desc["english"]);
  script_summary(english:"Check for existence of default Cisco Passwords");
  script_category(ACT_GATHER_INFO);
  script_family(english:"Remote file access");
  script_copyright(english:"By John Lampe....j_lampe@bellsouth.net");
  exit(0);
}


# Try one password on a fresh connection. Returns 1 when the router
# answered with something other than a new "Password:" prompt (i.e. it
# let us in), 0 otherwise.
function guess_pass(pass)
{
  soc = open_sock_tcp(port);
  if(!soc) return(0);

  # answer the telnet option negotiation first; telnet_init() returns
  # whatever banner text came with it, so only read more if the prompt
  # is not there yet
  incoming = telnet_init(soc);
  if(!egrep(pattern:"^Password:", string:incoming))
    incoming = string(incoming, recv(socket:soc, length:1024));

  # no "Password:" prompt at all: not a password-only login, nothing to guess
  if(!egrep(pattern:"^Password:", string:incoming))
  {
    close(soc);
    exit(0);
  }

  # telnet lines end in CR LF
  send(socket:soc, data:string(pass, "\r\n"));
  inbuff = recv(socket:soc, length:1024);
  close(soc);

  # a wrong password just gets a new "Password:" prompt; an empty reply
  # (timeout or closed connection) must not count as a login either
  if(strlen(inbuff) == 0) return(0);
  if(egrep(pattern:"^Password:", string:inbuff)) return(0);
  return(1);
}


port = 23;

passwd[0] = "c";
passwd[1] = "cisco";
passwd[2] = "cc";
passwd[3] = "";
passwd[4] = "password";
passwd[5] = "secret";
passwd[6] = "secrets";
passwd[7] = "Cisco router";
passwd[8] = "system";

if(get_port_state(port))
{
  for(i = 0; i < 9; i = i + 1)
  {
    if(guess_pass(pass:passwd[i]))
    {
      mymsg = string("We were able to log into the router with password '",
                     passwd[i], "'\n");
      security_hole(port:port, data:mymsg);
      exit(0);
    }
  }
}
exit(0);



--
John Lampe
https://f00dikator.hn.org/
http://f00dikator.hobbiton.org/
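Both scripts above drive the same exchange by hand: negotiate telnet, wait for the password prompt, send a guess, then decide from the reply whether the line let us in (Renaud confirms with the "show ver" banner; John looks for the absence of a second "Password:" prompt). The following is an added example, not code from either post or from Nessus itself: a Python version that strips and refuses the telnet option negotiation, waits for the prompt, classifies the reply as rejected, accepted or unknown, and only reports success when "show ver" really prints the IOS banner, so an empty reply after a timeout cannot be mistaken for a login. It runs offline against a constructed stand-in for an IOS telnet line; fake_ios_telnet(), connect_to_fake(), the "Router>" prompt text and the sample "show ver" output are assumptions made for the demonstration, not captured IOS traffic.

```python
import re
import socket
import threading

# Telnet protocol bytes (RFC 854/855) handled by telnet_negotiate().
IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240
IOS_BANNER = b"Cisco Internetwork Operating System Software"
PASSWORD_PROMPT = rb"Password:\s*$"   # password-only line login
EXEC_PROMPT = rb"[\w.-]+[>#]\s*$"     # e.g. "Router>" or "Router#" (assumed)

def telnet_negotiate(raw, sock):
    """Strip option negotiation from one received chunk, refusing every option
    the peer proposes (DO -> WONT, WILL -> DONT), and return the plain data.
    Assumes an IAC sequence is not split across two recv() calls."""
    out, i = bytearray(), 0
    while i < len(raw):
        if raw[i] != IAC:
            out.append(raw[i])
            i += 1
        elif i + 1 < len(raw) and raw[i + 1] == IAC:      # escaped 0xff byte
            out.append(IAC)
            i += 2
        elif i + 2 < len(raw) and raw[i + 1] in (DO, DONT, WILL, WONT):
            if raw[i + 1] == DO:
                sock.sendall(bytes([IAC, WONT, raw[i + 2]]))
            elif raw[i + 1] == WILL:
                sock.sendall(bytes([IAC, DONT, raw[i + 2]]))
            i += 3
        elif i + 1 < len(raw) and raw[i + 1] == SB:       # skip subnegotiation
            end = raw.find(bytes([IAC, SE]), i)
            i = len(raw) if end < 0 else end + 2
        else:                                             # other/truncated cmd
            i += 2
    return bytes(out)

def read_until(sock, pattern, timeout=2.0):
    """Collect data until `pattern` matches or the peer goes quiet or closes."""
    sock.settimeout(timeout)
    buf = b""
    while not re.search(pattern, buf):
        try:
            chunk = sock.recv(4096)
        except socket.timeout:
            break
        if not chunk:
            break
        buf += telnet_negotiate(chunk, sock)
    return buf

def try_password(sock, password):
    """One attempt on a fresh connection: 'accepted', 'rejected' or 'unknown'.
    'accepted' also needs the IOS banner from 'show ver', so an empty reply
    after a timeout or a stray prompt is never mistaken for a login."""
    if not re.search(PASSWORD_PROMPT, read_until(sock, PASSWORD_PROMPT)):
        return "unknown"                  # no password-only prompt here
    sock.sendall(password.encode() + b"\r\n")
    reply = read_until(sock, PASSWORD_PROMPT + b"|" + EXEC_PROMPT)
    if re.search(PASSWORD_PROMPT, reply):
        return "rejected"                 # a new prompt means a bad password
    if not re.search(EXEC_PROMPT, reply):
        return "unknown"                  # timeout, disconnect or odd output
    sock.sendall(b"show ver\r\n")
    output = read_until(sock, EXEC_PROMPT)
    return "accepted" if IOS_BANNER in output else "unknown"

def check_default_passwords(connect, candidates=("", "cisco")):
    """Try each candidate on its own connection; return the first accepted."""
    for password in candidates:
        sock = connect()
        try:
            verdict = try_password(sock, password)
        finally:
            sock.close()
        if verdict == "accepted":
            return password
    return None

# --- constructed stand-in for an IOS telnet line, not real IOS behaviour ---
FAKE_SHOW_VER = IOS_BANNER + b"\r\nIOS (tm) Software, constructed sample text\r\n"

def fake_ios_telnet(server_sock, real_password):
    """Offers WILL ECHO, prompts, re-prompts on a wrong password and answers
    'show ver' once logged in. The client only ever replies DONT/WONT, so
    running telnet_negotiate() on our own socket sends nothing back."""
    server_sock.sendall(bytes([IAC, WILL, 1]) + b"\r\nUser Access Verification\r\n\r\nPassword: ")
    buf, logged_in = b"", False
    while chunk := server_sock.recv(4096):
        buf += telnet_negotiate(chunk, server_sock)
        while b"\n" in buf:
            line, buf = buf.split(b"\n", 1)
            line = line.rstrip(b"\r")
            if not logged_in:
                logged_in = line == real_password.encode()
                server_sock.sendall(b"\r\nRouter>" if logged_in else b"\r\nPassword: ")
            elif line.strip() == b"show ver":
                server_sock.sendall(b"\r\n" + FAKE_SHOW_VER + b"Router>")
            else:
                server_sock.sendall(b"\r\nRouter>")
    server_sock.close()

def connect_to_fake(real_password="cisco"):
    """Client end of a socketpair whose other end runs fake_ios_telnet()."""
    client, server = socket.socketpair()
    threading.Thread(target=fake_ios_telnet, args=(server, real_password), daemon=True).start()
    return client
```

check_default_passwords(lambda: connect_to_fake("cisco")) returns "cisco" and the same call against a fake set to any other password returns None. To run it against a real device, pass a connect callable that opens a TCP socket to the telnet port; the scan still uses one connection per guess, as both NASL scripts do.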
Re: cisco password (analysis) [ In reply to ]
On Tue, Sep 04, 2001 at 12:02:29PM -0000, Noam Rathaus wrote:
> Hi,
>
> Again as I said, it is much better to consolidate the password / username
> settings (which passwords to try) into a NASL program that will externally
> load them from the accounts.txt

Actually, I disagree.

I think that a plugin such as this one should only test for factory
settings.

However, it might be worthwhile to create a family called "Password
Brute forcing", with plugins dedicated to that and an API dedicated to
reading accounts.txt


-- Renaud
Re: cisco password (analysis) [ In reply to ]
Hi,

Again as I said, it is much better to consolidate the password / username
settings (which passwords to try) into a NASL program that will externally
load them from the accounts.txt

Thanks
Noam Rathaus
http://www.SecuriTeam.com
http://www.BeyondSecurity.com

Know that you're safe (against Code Red and other vulnerabilities):
http://www.AutomatedScanning.com/


----- Original Message -----
From: "John Lampe" <j_lampe@bellsouth.net>
To: "Renaud Deraison" <deraison@cvs.nessus.org>;
<plugins-writers@list.nessus.org>
Sent: Monday, September 03, 2001 23:26
Subject: Re: cisco password (analysis)


Re: cisco password (analysis) [ In reply to ]
Hi,

Will this API be ready for Nessus 1.1?

Thanks
Noam Rathaus
http://www.SecuriTeam.com
http://www.BeyondSecurity.com

Know that you're safe (against Code Red and other vulnerabilities):
http://www.AutomatedScanning.com/


----- Original Message -----
From: "Renaud Deraison" <deraison@cvs.nessus.org>
To: <plugins-writers@list.nessus.org>
Sent: Tuesday, September 04, 2001 11:41
Subject: Re: cisco password (analysis)


Re: cisco password (analysis) [ In reply to ]
On Tue, Sep 04, 2001 at 11:09:14PM -0000, Noam Rathaus wrote:
> Hi,
>
> Will this API be ready for Nessus 1.1?

This can be done. However, I'm not really convinced about the need for
brute force attacks plugins, except while doing a pen-test.

Most of the time, you'd be better off logging in the system, extracting the
password base, and bruteforcing the passwords locally.

But if people see an interest in doing that over the network, well, I
guess I'll implement get_next_username() and get_next_password() (or
whatever I'll call them)

-- Renaud
Re: cisco password (analysis) [ In reply to ]
Hi,

The idea is not to brute force, but rather centralized standard used
passwords, such as Guest/Guest, Administrator/, etc... rather than looking
for them inside plugins.

The accounts.txt should not include more than 20-40 pairs.

Thanks
Noam Rathaus
http://www.SecuriTeam.com
http://www.BeyondSecurity.com

Know that you're safe (against Code Red and other vulnerabilities):
http://www.AutomatedScanning.com/


----- Original Message -----
From: "Renaud Deraison" <deraison@cvs.nessus.org>
To: <plugins-writers@list.nessus.org>
Sent: Thursday, September 06, 2001 15:57
Subject: Re: cisco password (analysis)


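Three proposals in this thread describe the same component: Noam's central accounts.txt of 20-40 standard username/password pairs, Matt's light/medium/heavy guessing depth, and Renaud's get_next_username()/get_next_password() API for plugins. The block below is an added example, not Nessus code; the accounts.txt format it parses (one username:password per line, '#' comments, a [tier] header marking the depth level of what follows) and the SAMPLE_ACCOUNTS contents are constructed assumptions, since the thread never shows the real file. credentials() returns what such a get_next_* API would hand out for a chosen depth, and passwords_only() reduces the list for services that prompt only for a password, as the Cisco line does.

```python
# Constructed sample of a central credential list. The real accounts.txt
# layout is not shown in the thread; the format assumed here is one
# "username:password" per line, '#' comments, and an optional "[tier]"
# header naming the depth level of the entries that follow it.
SAMPLE_ACCOUNTS = """\
[light]
# factory and vendor defaults: all a default-credential plugin should try
:cisco
:
cisco:cisco
Guest:Guest
Administrator:

[medium]
admin:admin
root:root
admin:password

[heavy]
admin:123456
root:toor
"""

DEPTHS = ("light", "medium", "heavy")   # each level includes the earlier ones


def parse_accounts(text):
    """Yield (tier, username, password) in file order. Entries before the first
    header count as 'light'. The split is at the first ':' only, so a password
    may itself contain a colon; inner whitespace is kept ('Cisco router')."""
    tier = "light"
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            tier = line[1:-1].lower()
            if tier not in DEPTHS:
                raise ValueError(f"line {lineno}: unknown tier {tier!r}")
            continue
        user, sep, password = line.partition(":")
        if not sep:
            raise ValueError(f"line {lineno}: expected username:password")
        yield tier, user, password


def credentials(text, depth="light"):
    """Ordered, de-duplicated (username, password) pairs for a depth level:
    'light' uses the light tier only, 'heavy' all three."""
    if depth not in DEPTHS:
        raise ValueError(f"unknown depth {depth!r}")
    wanted = DEPTHS[:DEPTHS.index(depth) + 1]
    seen, pairs = set(), []
    for tier, user, password in parse_accounts(text):
        if tier in wanted and (user, password) not in seen:
            seen.add((user, password))
            pairs.append((user, password))
    return pairs


def passwords_only(pairs):
    """Distinct passwords in order, for services that ask for no username
    (an IOS vty line only prompts 'Password:')."""
    seen, out = set(), []
    for _, password in pairs:
        if password not in seen:
            seen.add(password)
            out.append(password)
    return out
```

A plugin that only wants factory settings, as Renaud prefers, calls credentials(text) with the default depth and gets the five light-tier pairs; a dedicated brute-forcing family would pass "heavy" and get all ten. Keeping the tiers in the file rather than in each plugin is what makes the depth setting a single user choice instead of a per-script decision.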