[Openvas-commits] r11571 - in trunk/openvas-plugins: . scripts

scm-commit@wald.intevation.org scm-commit at wald.intevation.org
Tue Sep 6 14:38:14 CEST 2011


Author: mime
Date: 2011-09-06 14:38:09 +0200 (Tue, 06 Sep 2011)
New Revision: 11571

Added:
   trunk/openvas-plugins/scripts/default_credentials.inc
   trunk/openvas-plugins/scripts/default_http_auth_credentials.nasl
   trunk/openvas-plugins/scripts/default_ssh_credentials.nasl
Modified:
   trunk/openvas-plugins/ChangeLog
   trunk/openvas-plugins/scripts/ssh_func.inc
Log:
Added new plugins. Added new include with a list of default credentials. Login names where forced to lowercase. No idea why. Removed.

Modified: trunk/openvas-plugins/ChangeLog
===================================================================
--- trunk/openvas-plugins/ChangeLog	2011-09-06 12:05:16 UTC (rev 11570)
+++ trunk/openvas-plugins/ChangeLog	2011-09-06 12:38:09 UTC (rev 11571)
@@ -1,3 +1,15 @@
+2011-09-06  Michael Meyer <michael.meyer at greenbone.net>
+
+	* cripts/default_ssh_credentials.nasl,
+	scripts/default_http_auth_credentials.nasl:
+	Added new plugins.
+
+	* scripts/default_credentials.inc:
+	Added new include with a list of default credentials.
+
+	* scripts/ssh_func.inc (ssh_login()):
+	Login names where forced to lowercase. No idea why. Removed.
+
 2011-09-06 Thomas Reinke <reinke at securityspace.com>
 
 	* scripts/12planet_chat_server_xss.nasl,

Added: trunk/openvas-plugins/scripts/default_credentials.inc
===================================================================
--- trunk/openvas-plugins/scripts/default_credentials.inc	2011-09-06 12:05:16 UTC (rev 11570)
+++ trunk/openvas-plugins/scripts/default_credentials.inc	2011-09-06 12:38:09 UTC (rev 11571)
@@ -0,0 +1,211 @@
+###############################################################################
+# Default Credentials
+#
+# Authors:
+# Michael Meyer
+#
+# Copyright:
+# Copyright (c) 2009 Greenbone Networks GmbH
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software
+# Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301
+# USA.
+###############################################################################
+
+credentials = make_list(
+"root;pass",
+"MGR;REGO",
+"MAIL;TELESUP",
+"storwatch;specialist",
+"admin;hp.com",
+"user;public",
+"MGR;HPP196",
+"at4400;at4400",
+"FIELD;HPWORD PUB",
+"Username;Password",
+"root;letacla",
+"HELLO;MGR.SYS",
+"mtch;mtch",
+"User;none",
+"device;device",
+"Administrator;admin",
+"MANAGER;COGNOS",
+"MAIL;HPOFFICE",
+"admin;diamond",
+"patrol;patrol",
+"MAIL;MAIL",
+"admin;changeme",
+"admin;default",
+"dhs3pms;dhs3pms",
+"root;Mau'dib",
+"login;password",
+"PFCUser;240653C9467E45",
+"Administrator;letmein",
+"davox;davox",
+"debug;synnet",
+"MANAGER;SECURITY",
+"FIELD;SERVICE",
+"sa;none",
+"Cisco;Cisco",
+"root;attack",
+"guest;none",
+"MGR;CONV",
+"MANAGER;TELESUP",
+"volition;volition",
+"administrator;administrator",
+"FIELD;HPP187 SYS",
+"public;none",
+"cmaker;cmaker",
+"OPERATOR;DISC",
+"OPERATOR;SUPPORT",
+"admin;synnet",
+"SYSDBA;masterkey",
+"PBX;PBX",
+"apc;apc",
+"acc;acc",
+"root;tslinux",
+"tech;tech",
+"root;ascend",
+"operator;none",
+"FIELD;MANAGER",
+"MGR;WORD",
+"root;root",
+"OPERATOR;COGNOS",
+"super;surt",
+"netrangr;attack",
+"install;llatsni",
+"Manager;none",
+"admin;hello",
+"admin;bintec",
+"craft;none",
+"MGR;TELESUP",
+"manager;manager",
+"MANAGER;TCH",
+"cgadmin;cgadmin",
+"adm;none",
+"monitor;monitor",
+"MGR;VESOFT",
+"admin;my_DEMARC",
+"WP;HPOFFICE",
+"manager;friend",
+"diag;switch",
+"Anonymous;none",
+"netman;netman",
+"root;davox",
+"MANAGER;HPOFFICE",
+"MGR;HPOFFICE",
+"Guest;none",
+"admin;radius",
+"security;security",
+"admin;epicrouter",
+"supervisor;supervisor",
+"MGR;RJE",
+"MAIL;MPE",
+"root;none",
+"DTA;TJM",
+"admin;cisco",
+"NICONEX;NICONEX",
+"MGR;ROBELLE",
+"FIELD;SUPPORT",
+"FIELD;HPONLY",
+"MGR;CNAS",
+"RSBCMON;SYS",
+"HELLO;OP.OPERATOR",
+"NETWORK;NETWORK",
+"admin;linga",
+"admin;switch",
+"hscroot;abc123",
+"admin;none",
+"Administrator;the same all over",
+"MGR;XLSERVER",
+"HELLO;MANAGER.SYS",
+"kermit;kermit",
+"MGR;CAROLIAN",
+"ADVMAIL;HP",
+"D-Link;D-Link",
+"MDaemon;MServer",
+"MGR;ITF3000",
+"admin;netadmin",
+"admin;secure",
+"admin;system",
+"tech;none",
+"customer;none",
+"MGR;SYS",
+"MGR;NETBASE",
+"root;fivranne",
+"bbsd-client;changeme2",
+"user;user",
+"vt100;public",
+"root;ROOT500",
+"cellit;cellit",
+"anonymous;none",
+"netman;none",
+"Administrator;none",
+"MAIL;REMOTE",
+"manager;admin",
+"intel;intel",
+"MGR;SECURITY",
+"MGR;HPP189",
+"operator;operator",
+"mediator;mediator",
+"MGR;HPDESK",
+"adminttd;adminttd",
+"sysadm;anicust",
+"setup;setup",
+"HELLO;FIELD.SUPPORT",
+"mtcl;mtcl",
+"MGR;CCC",
+"bbsd-client;NULL",
+"root;cms500",
+"admin;comcomcom",
+"MANAGER;ITF3000",
+"admin;password",
+"OPERATOR;SYSTEM",
+"IntraStack;Asante",
+"MGR;INTX3",
+"Root;none",
+"admin;1234",
+"root;tini",
+"FIELD;MGR",
+"anonymous;any@",
+"Administrator;changeme",
+"FIELD;LOTUS",
+"root;permit",
+"adfexc;adfexc",
+"root;default",
+"halt;tlah",
+"MGR;HPP187",
+"PCUSER;SYS",
+"readonly;lucenttech2",
+"SPOOLMAN;HPOFFICE",
+"MGR;HPONLY",
+"MANAGER;SYS",
+"diag;danger",
+"user;none",
+"craft;crftpw",
+"login;admin",
+"admin;admin",
+"client;client",
+"OPERATOR;SYS",
+"MGR;COGNOS",
+"manuf;xxyyzz",
+"3comcso;RIP000",
+"dhs3mt;dhs3mt",
+"ADVMAIL;HPOFFICE DATA",
+"superadmin;secret",
+"superuser;(none)",
+"recovery;recovery",
+"NETOP;none",
+"IntraSwitch;Asante" 
+);


Property changes on: trunk/openvas-plugins/scripts/default_credentials.inc
___________________________________________________________________
Name: svn:keywords
   + Id Revision

Added: trunk/openvas-plugins/scripts/default_http_auth_credentials.nasl
===================================================================
--- trunk/openvas-plugins/scripts/default_http_auth_credentials.nasl	2011-09-06 12:05:16 UTC (rev 11570)
+++ trunk/openvas-plugins/scripts/default_http_auth_credentials.nasl	2011-09-06 12:38:09 UTC (rev 11571)
@@ -0,0 +1,105 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# HTTP Brute Force Logins with default Credentials 
+#
+# Authors:
+# Michael Meyer <michael.meyer at greenbone.net>
+#
+# Copyright:
+# Copyright (c) 2011 Greenbone Networks GmbH
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+# need desc here to modify it later in script.
+desc = "Overview:
+It was possible to login into the remote Web Application using default credentials.
+
+Solution:
+Change the password as soon as possible.
+";
+
+if (description)
+{
+
+ script_tag(name:"risk_factor", value:"Critical");
+ script_id(103240);
+ script_version ("1.0-$Revision$");
+ script_name("HTTP Brute Force Logins with default Credentials");
+ script_description(desc);
+ script_summary("Checks if login with default credentials is possible");
+ script_category(ACT_ATTACK);
+ script_family("Default Accounts");
+ script_copyright("This script is Copyright (C) 2011 Greenbone Networks GmbH");
+ script_dependencie("find_service.nes", "http_version.nasl");
+ script_require_ports("Services/www", 80);
+
+ exit(0);
+}
+
+include("http_func.inc");
+include("http_keepalive.inc");
+include("misc_func.inc");
+include("default_credentials.inc");
+
+port = get_http_port(default:80);
+if(!get_port_state(port))exit(0);
+
+if(! url = get_kb_item(string("www/", port, "/content/auth_required")))exit(0);
+
+foreach credential (credentials) {
+
+  user_pass = split(credential, sep:";",keep:FALSE);
+  if(isnull(user_pass[0]) || isnull(user_pass[1]))continue;
+
+  user = chomp(user_pass[0]);
+  pass = chomp(user_pass[1]);
+
+  if(tolower(pass) == "none")pass = "";
+
+  userpass = string(user,":",pass);
+  userpass64 = base64(str:userpass);
+
+  req = string("GET ", url," HTTP/1.1\r\n", "Host: ",  get_host_name(),"\r\n\r\n");
+  resp = http_keepalive_send_recv(port:port, data:req);
+
+  if(resp !~ "HTTP/1.. 401")exit(0); # just to be sure
+
+  req = string("GET ", url," HTTP/1.1\r\n",
+               "Host: ", get_host_name(),"\r\n",
+               "Authorization: Basic ",userpass64,"\r\n",
+               "\r\n"); 
+
+  resp = http_keepalive_send_recv(port:port, data:req);
+
+  if(resp =~ "HTTP/1.. 200" || resp =~ "HTTP/1.. 30") {
+
+    default_credential_found = TRUE;
+    report += string(user,':',pass,"\n");  
+
+ }
+
+}
+
+if(default_credential_found) {
+
+  report = string("It was possible to login with the following credentials\n\nUser:Password\n\n",report);
+  report = string(desc,"\n",report);
+
+  security_hole(port:port,data:report);
+  exit(0);
+
+}  


Property changes on: trunk/openvas-plugins/scripts/default_http_auth_credentials.nasl
___________________________________________________________________
Name: svn:keywords
   + Id Revision

Added: trunk/openvas-plugins/scripts/default_ssh_credentials.nasl
===================================================================
--- trunk/openvas-plugins/scripts/default_ssh_credentials.nasl	2011-09-06 12:05:16 UTC (rev 11570)
+++ trunk/openvas-plugins/scripts/default_ssh_credentials.nasl	2011-09-06 12:38:09 UTC (rev 11571)
@@ -0,0 +1,93 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# SSH Brute Force Logins with default Credentials 
+#
+# Authors:
+# Michael Meyer <michael.meyer at greenbone.net>
+#
+# Copyright:
+# Copyright (c) 2011 Greenbone Networks GmbH
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+# need desc here to modify it later in script.
+desc = "Overview:
+It was possible to login into the remote host using default credentials.
+
+Solution:
+Change the password as soon as possible.
+";
+
+if (description)
+{
+
+ script_tag(name:"risk_factor", value:"Critical");
+ script_id(103239);
+ script_version ("1.0-$Revision$");
+ script_name("SSH Brute Force Logins with default Credentials");
+ script_description(desc);
+ script_summary("Checks if login with default credentials is possible");
+ script_category(ACT_ATTACK);
+ script_family("Default Accounts");
+ script_copyright("This script is Copyright (C) 2011 Greenbone Networks GmbH");
+ script_dependencies("ssh_detect.nasl");
+ script_require_ports("Services/ssh", 22);
+ exit(0);
+}
+
+include("default_credentials.inc");
+include("ssh_func.inc");
+
+port = get_kb_item("Services/ssh");
+
+if(!port ) port = 22;
+if(!get_port_state(port))exit(0);
+
+foreach credential (credentials) {
+
+    user_pass = split(credential, sep:";",keep:FALSE);
+
+    if(isnull(user_pass[0]) || isnull(user_pass[1]))continue;
+
+    if(!soc = open_sock_tcp(port))exit(0);
+
+    user = chomp(user_pass[0]);
+    pass = chomp(user_pass[1]);
+
+    if(tolower(pass) == "none")pass = "";
+
+    login = ssh_login (socket:soc, login:user, password:pass, pub:NULL, priv:NULL, passphrase:NULL);
+
+    if(login == 0) {
+        default_credential_found = TRUE;
+        report += string(user,':',pass,"\n");
+    }
+
+    close(soc);
+    usleep(50000);
+}
+
+if(default_credential_found) {
+
+  report = string("It was possible to login with the following credentials\n\nUser:Password\n\n",report);
+  report = string(desc,"\n",report);
+
+  security_hole(port:port,data:report);
+  exit(0);
+
+} 
+


Property changes on: trunk/openvas-plugins/scripts/default_ssh_credentials.nasl
___________________________________________________________________
Name: svn:keywords
   + Id Revision

Modified: trunk/openvas-plugins/scripts/ssh_func.inc
===================================================================
--- trunk/openvas-plugins/scripts/ssh_func.inc	2011-09-06 12:05:16 UTC (rev 11570)
+++ trunk/openvas-plugins/scripts/ssh_func.inc	2011-09-06 12:38:09 UTC (rev 11571)
@@ -1675,8 +1675,11 @@
 {
  local_var server_user, ret;
 
- server_user = tolower(login);
+# server_user = tolower(login); # commented out because i don't see any
+# reason for this. This break uppercase logins. (mime)
 
+ server_user = login;
+
  init();
 
  # Exchange protocol version identification strings with the server.



More information about the Openvas-commits mailing list