Hello there,
During some testing I found that Nessus missed a Cisco device with default
Cisco credentials set on telnet. I looked for a NASL script but, strangely,
didn't find one that checks for this, only one or two that test a specific
Cisco device for a blank login. So attached is a NASL script that checks for a
number of default Cisco credentials on telnet for a variety of Cisco devices.
Regards
Gareth
----nasl----
#
# This script was written by Gareth M Phillips
# SensePost PTY Ltd
#
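# Report text shown for a finding.
# It is assigned before the description branch because test_cisco() places
# desc["english"] at the top of its report. The branch below only runs when
# `description` is set and ends with exit(0), so an assignment made inside it
# would leave the report without this text during a scan.
desc["english"] = "
The remote Cisco device has default Cisco/Weak user credentials set.
An attacker may be able to lock the owner out, perform traffic sniffing or
shutdown the network/device entirely.
Solution : telnet to this device and set a strong password,
access to this service should also be restircted to
authorized networks or hosts only or should be replaced with SSH.
Risk factor : High";

# Plugin registration: metadata only, no network traffic.
if (description)
{
  # NOTE(review): 1234567 looks like a placeholder id; confirm that a real
  # one is assigned before this is merged into a plugin feed.
  script_id(1234567);
  script_cve_id("CAN-1999-0505");
  script_version ("$Revision: 1.10 $");

  name["english"] = "Cisco Devices Default Password Login";
  script_name(english:name["english"]);

  script_description(english:desc["english"]);

  summary["english"] = "Checks for the default Cisco passwords";
  script_summary(english:summary["english"]);

  # NOTE(review): the script performs real login attempts. On devices with
  # lockout or AAA alerting this may lock accounts or raise alarms; confirm
  # that ACT_GATHER_INFO is the intended category.
  script_category(ACT_GATHER_INFO);

  # The literal below contains a line break, presumably from mail wrapping.
  # It is kept exactly as posted.
  script_copyright(english:"This script is Copyright (C) 2006 SensePost PTY
Ltd");

  family["english"] = "CISCO";
  script_family(english:family["english"]);

  # Run after service detection so the "Services/telnet" KB entry is set.
  script_dependencie("find_service.nes");
  script_require_ports("Services/telnet", 23);
  exit(0);
}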
include('telnet_func.inc');
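#
# test_cisco: try one username/password pair over telnet.
#
# Arguments:
#   username, password - the credential pair to try
#   show               - text sent immediately before "show ver"
#   port               - TCP port of the telnet service
#
# If the reply to "show ver" contains "cisco", the pair is reported with
# security_hole() and the script exits. Otherwise the socket is closed and
# the function returns nothing. If the connection cannot be opened, the
# function returns without doing anything.
#
function test_cisco(username, password, show, port)
{
  # Keep the working variables out of the global scope.
  local_var soc, r, report;

  soc = open_sock_tcp(port);
  if (!soc) return;

  # The prompt reads below are deliberately left unchecked, as in the original.
  # NOTE(review): telnet_negotiate() may already have consumed the first
  # prompt; confirm against telnet_func.inc before adding early returns here.
  r = telnet_negotiate(socket:soc);
  r = recv_until(socket:soc, pattern:"(Username:|ogin:)");
  send(socket:soc, data:string(username, "\r\n"));
  r = recv_until(socket:soc, pattern:"(assword:|asswd:)");
  send(socket:soc, data:string(password, "\r\n"));

  # Read whatever follows the password before issuing the probe command.
  r = recv(socket:soc, length:4096);
  send(socket:soc, data:string(show, "show ver \r\n"));
  r = recv_until(socket:soc, pattern:"(www.cisco.com|cisco)");

  # NOTE(review): matching the bare word "cisco" is a loose success test.
  # Any text containing it after a failed login, such as a re-printed banner,
  # would be reported as a hit. Tightening this needs a known post-login
  # prompt to match on.
  if ("cisco" >< r)
  {
    # desc is a global. Its text only appears here if desc["english"] was
    # assigned outside the if(description) branch, since that branch does not
    # run during a scan.
    report = string(
      desc["english"],
      "\n\n",
      "Username/Password : \n",
      username, "/", password
    );
    # Close the session before the script terminates.
    close(soc);
    security_hole(port:port, data:report);
    exit(0);
  }

  close(soc);
}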
# Main body: find the telnet port, check the banner, then try each pair.
port = get_kb_item("Services/telnet");
if (!port)
  port = 23;

if (!get_port_state(port))
  exit(0);

# Only continue when the banner contains the "User Access Verification"
# string. Anything else is skipped to avoid sending logins to other hosts.
banner = get_telnet_banner(port:port);
if (banner && "User Access Verification" >< banner)
{
  # Each call opens its own connection. test_cisco() exits the script on the
  # first pair that is accepted, so later pairs are not tried after a hit.
  test_cisco(username:"cisco",   password:"cisco",   show:"", port:port);
  test_cisco(username:"admin",   password:"system",  show:"", port:port);
  test_cisco(username:"admin",   password:"diamond", show:"", port:port);
  test_cisco(username:"admin",   password:"admin",   show:"", port:port);
  test_cisco(username:"cisco",   password:"",        show:"", port:port);
  test_cisco(username:"admin",   password:"cisco",   show:"", port:port);
  test_cisco(username:"monitor", password:"monitor", show:"", port:port);
}
----/nasl----
During some testing I found that Nessus missed a Cisco device with default
Cisco credentials set on telnet. I looked for a NASL script but, strangely,
didn't find one that checks for this, only one or two that test a specific
Cisco device for a blank login. So attached is a NASL script that checks for a
number of default Cisco credentials on telnet for a variety of Cisco devices.
Regards
Gareth
----nasl----
#
# This script was written by Gareth M Phillips
# SensePost PTY Ltd
#
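# Report text shown for a finding.
# It is assigned before the description branch because test_cisco() places
# desc["english"] at the top of its report. The branch below only runs when
# `description` is set and ends with exit(0), so an assignment made inside it
# would leave the report without this text during a scan.
desc["english"] = "
The remote Cisco device has default Cisco/Weak user credentials set.
An attacker may be able to lock the owner out, perform traffic sniffing or
shutdown the network/device entirely.
Solution : telnet to this device and set a strong password,
access to this service should also be restircted to
authorized networks or hosts only or should be replaced with SSH.
Risk factor : High";

# Plugin registration: metadata only, no network traffic.
if (description)
{
  # NOTE(review): 1234567 looks like a placeholder id; confirm that a real
  # one is assigned before this is merged into a plugin feed.
  script_id(1234567);
  script_cve_id("CAN-1999-0505");
  script_version ("$Revision: 1.10 $");

  name["english"] = "Cisco Devices Default Password Login";
  script_name(english:name["english"]);

  script_description(english:desc["english"]);

  summary["english"] = "Checks for the default Cisco passwords";
  script_summary(english:summary["english"]);

  # NOTE(review): the script performs real login attempts. On devices with
  # lockout or AAA alerting this may lock accounts or raise alarms; confirm
  # that ACT_GATHER_INFO is the intended category.
  script_category(ACT_GATHER_INFO);

  # The literal below contains a line break, presumably from mail wrapping.
  # It is kept exactly as posted.
  script_copyright(english:"This script is Copyright (C) 2006 SensePost PTY
Ltd");

  family["english"] = "CISCO";
  script_family(english:family["english"]);

  # Run after service detection so the "Services/telnet" KB entry is set.
  script_dependencie("find_service.nes");
  script_require_ports("Services/telnet", 23);
  exit(0);
}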
include('telnet_func.inc');
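#
# test_cisco: try one username/password pair over telnet.
#
# Arguments:
#   username, password - the credential pair to try
#   show               - text sent immediately before "show ver"
#   port               - TCP port of the telnet service
#
# If the reply to "show ver" contains "cisco", the pair is reported with
# security_hole() and the script exits. Otherwise the socket is closed and
# the function returns nothing. If the connection cannot be opened, the
# function returns without doing anything.
#
function test_cisco(username, password, show, port)
{
  # Keep the working variables out of the global scope.
  local_var soc, r, report;

  soc = open_sock_tcp(port);
  if (!soc) return;

  # The prompt reads below are deliberately left unchecked, as in the original.
  # NOTE(review): telnet_negotiate() may already have consumed the first
  # prompt; confirm against telnet_func.inc before adding early returns here.
  r = telnet_negotiate(socket:soc);
  r = recv_until(socket:soc, pattern:"(Username:|ogin:)");
  send(socket:soc, data:string(username, "\r\n"));
  r = recv_until(socket:soc, pattern:"(assword:|asswd:)");
  send(socket:soc, data:string(password, "\r\n"));

  # Read whatever follows the password before issuing the probe command.
  r = recv(socket:soc, length:4096);
  send(socket:soc, data:string(show, "show ver \r\n"));
  r = recv_until(socket:soc, pattern:"(www.cisco.com|cisco)");

  # NOTE(review): matching the bare word "cisco" is a loose success test.
  # Any text containing it after a failed login, such as a re-printed banner,
  # would be reported as a hit. Tightening this needs a known post-login
  # prompt to match on.
  if ("cisco" >< r)
  {
    # desc is a global. Its text only appears here if desc["english"] was
    # assigned outside the if(description) branch, since that branch does not
    # run during a scan.
    report = string(
      desc["english"],
      "\n\n",
      "Username/Password : \n",
      username, "/", password
    );
    # Close the session before the script terminates.
    close(soc);
    security_hole(port:port, data:report);
    exit(0);
  }

  close(soc);
}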
# Main body: find the telnet port, check the banner, then try each pair.
port = get_kb_item("Services/telnet");
if (!port)
  port = 23;

if (!get_port_state(port))
  exit(0);

# Only continue when the banner contains the "User Access Verification"
# string. Anything else is skipped to avoid sending logins to other hosts.
banner = get_telnet_banner(port:port);
if (banner && "User Access Verification" >< banner)
{
  # Each call opens its own connection. test_cisco() exits the script on the
  # first pair that is accepted, so later pairs are not tried after a hit.
  test_cisco(username:"cisco",   password:"cisco",   show:"", port:port);
  test_cisco(username:"admin",   password:"system",  show:"", port:port);
  test_cisco(username:"admin",   password:"diamond", show:"", port:port);
  test_cisco(username:"admin",   password:"admin",   show:"", port:port);
  test_cisco(username:"cisco",   password:"",        show:"", port:port);
  test_cisco(username:"admin",   password:"cisco",   show:"", port:port);
  test_cisco(username:"monitor", password:"monitor", show:"", port:port);
}
----/nasl----