(This is how I'd like "in-depth" discussions of plugins to be written.
This plugin is not really interesting by itself. I could not come up
with a better idea though.)
(I'll occasionally post some explanations of this kind for some plugins I
liked to write. This one was not fun, but it's simple to explain.)
Level : EASY
Tested : YES, but against only one version of IOS.
Description :
This plugin determines if the remote Cisco router has no VTY (telnet line)
password set (or if the password is "cisco"). To do that, it :
- connects to the remote telnet port
- sends the password
- issues the command "show ver"
- and expects to see the string "Cisco Internetwork Operating
System Software" in the reply.
Note that "show ver" is allowed at the user EXEC level, so this only
tests the line password, not the enable password.
This plugin does not contain the description part (the registration block
that gives nessusd the plugin's name, description and so on). So if you want
to test it, run it directly with the command-line interpreter :
nasl -t ip.of.your.cisco.device cisco_no_pw.nasl
And expect the string 'Success'.
Let's have a look at it. Once again, this is no rocket science at all.
- The actual testing of a password is done through a function we call
'test_cisco()', which is defined as :
function test_cisco(password, port)
{
  # we open a connection to the remote port
  soc = open_sock_tcp(port);
  if(soc)
  {
    # if that succeeded, we use telnet_init() to negotiate the
    # telnet options. We don't care about the banner, so we
    # ignore the result
    r = telnet_init(soc);
    r = recv(socket:soc, length:4096);
    # we send our password, followed by \r\n (carriage return + line feed)
    send(socket:soc, data:string(password, "\r\n"));
    # we receive the motd, which we ignore too (it may be user defined)
    r = recv(socket:soc, length:4096);
    # then we issue the command 'show ver'
    send(socket:soc, data:string("show ver\r\n"));
    # we receive the result
    r = recv(socket:soc, length:4096);
    # if the result contains "Cisco Internetwork Operating System Software"
    # then we consider ourselves logged in, and we issue an alert
    if("Cisco Internetwork Operating System Software" >< r)security_hole(port);
    close(soc);
  }
}
Then the plugin itself determines the telnet port and calls
test_cisco() :
# we read in the knowledge base what is the value of the
# telnet port. If there's none, we assume it's port 23
port = get_kb_item("Services/telnet");
if(!port)port = 23;
# Then if the port is closed, we go away
if(!get_port_state(port))exit(0);
# We test for an empty password
test_cisco(password:"", port:port);
# We test for the password "cisco" :
test_cisco(password:"cisco", port:port);
# Finished.
Next time, I'll choose a better plugin.
-- Renaud