Mailing List Archive

CISCO plugins
Nessus has always been weak at testing cisco-specific issues. Here is a
set of plugins that should (start to) solve this situation.

Note that all the plugins do pattern matching instead of actually
testing for the flaw, mostly because :

- It's not always possible to easily determine if an attack was
successful or not, remotely speaking. Filling the remote device
arp table to prevent it from communicating with third-party hosts is fun,
but not easily and reliably doable ;

- Crashing a printer or a server might not be a big deal, but crashing
a router almost always is. So the less intrusive security checks are
towards a router, the better it is ;

- It's easier that way.

Anyway, writing cisco plugins is not fun at all. When you test for a
flaw, you can't assume that version < x.y won't be affected. There are
so many versions of IOS for so many devices, it's a jungle. You end up
with testing the revision of each major release of IOS - there's a lot
of ereg() and patterns.

I'd like people to test these plugins against your routers. Be sure to
enable :
- SNMP/SNMP default communities (and possibly provide the SNMP
community you want to use if it's not "public" :)

- SNMP/Obtain OS type via SNMP

- SNMP/Obtain Cisco type via SNMP

- Cisco/*

The patterns have been tested "in theory", but not really in practice,
so these plugins might produce false positives / negatives. Please
report failures (and eventually successes). I hope some of you have old
versions of IOS installed - I'm running 12.2(8)T and I feel lazy today,
so I probably won't downgrade it for a while.


BUGS
----
When reporting a bug, please send me the output of :

    snmpwalk <yourrouter> <yourcommunitystring> system

(I need system.sysDescr.0 and system.sysObjectID.0).

If your favorite cisco advisory has not been implemented yet, feel free
to send it to me. I'm currently digging Cisco's advisories from various
places, that makes me waste some time.

PATCHES
-------
If you see errors and if you want to send me patches back, *DO NOT PATCH
EVERY PLUGIN*. As you can notice, they've been auto-generated from a
simpler-to-read-and-write file format, so patches won't go in.

HOW TO INSTALL THE PLUGINS
--------------------------
    tar -zxvf cisco.tar.gz
    mv cisco/*.nasl /usr/local/lib/nessus/plugins/
    kill -9 `cat /usr/local/var/nessus/nessusd.pid`
    /usr/local/sbin/nessusd -D

I'm really curious to see how these plugins do, please send some
feedback.
-- Renaud
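
The per-train banner matching described in the message above, as an added example: it is not part of the thread and not code from the Nessus plugins, and it is written in Python rather than NASL. The FIRST_FIXED table, the function names and the sample banners are constructed for illustration and do not come from any Cisco advisory.

```python
import re

# Version field of an IOS sysDescr banner, e.g. "Version 12.2(8)T," or
# "Version 12.1(5)T9,": major.minor, maintenance number, train letters, rebuild.
IOS_VERSION = re.compile(r"Version (\d+\.\d+)\((\d+)[a-z]?\)([A-Z]*)(\d*)")


def parse_ios(sysdescr):
    """Return (train, maintenance, rebuild), or None if this is not an IOS banner."""
    m = IOS_VERSION.search(sysdescr)
    if "IOS" not in sysdescr or m is None:
        return None
    base, maint, letters, rebuild = m.groups()
    # "12.2" + "T" -> train "12.2T"; a missing rebuild number counts as 0.
    return (base + letters, int(maint), int(rebuild or 0))


# Hypothetical advisory data (constructed): first fixed release for each train,
# stored as (maintenance, rebuild). A real check needs one entry per train
# listed in the advisory.
FIRST_FIXED = {
    "12.0": (7, 0),
    "12.1T": (5, 9),
    "12.2T": (8, 0),
}


def check(sysdescr, first_fixed=FIRST_FIXED):
    """Classify a banner as 'not-ios', 'unknown', 'vulnerable' or 'fixed'."""
    parsed = parse_ios(sysdescr)
    if parsed is None:
        return "not-ios"
    train, maint, rebuild = parsed
    if train not in first_fixed:
        # A train the advisory data does not cover is reported as unknown,
        # never assumed safe because its number looks high or low enough.
        return "unknown"
    return "vulnerable" if (maint, rebuild) < first_fixed[train] else "fixed"


def banner(version):
    """Build a constructed sysDescr string for the given IOS version."""
    return ("Cisco Internetwork Operating System Software \n"
            "IOS (tm) C2600 Software (C2600-IS-M), Version %s, "
            "RELEASE SOFTWARE (fc2)" % version)
```

With this table, 12.1(5)T9 is reported fixed while the numerically higher 12.2(4)T is reported vulnerable, which is why a single "version < x.y" comparison does not work across trains.
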

Re: CISCO plugins
There were bugs in the previous archive (bad handling of a case in the
regexps), this is the archive to use.

(I also changed the script IDs, as they're not definitive and may
conflict with legitimate plugins to be published soon)

-- Renaud