[Openvas-commits] r11581 - in trunk/openvas-plugins: . scripts

scm-commit@wald.intevation.org scm-commit at wald.intevation.org
Wed Sep 7 13:49:11 CEST 2011


Author: mime
Date: 2011-09-07 13:49:07 +0200 (Wed, 07 Sep 2011)
New Revision: 11581

Modified:
   trunk/openvas-plugins/ChangeLog
   trunk/openvas-plugins/scripts/3com_switches.nasl
   trunk/openvas-plugins/scripts/Accelar_1200.nasl
   trunk/openvas-plugins/scripts/Allied_Telesyn_telnet.nasl
   trunk/openvas-plugins/scripts/avaya_switches.nasl
   trunk/openvas-plugins/scripts/cisco_default_pw.nasl
   trunk/openvas-plugins/scripts/default_credentials.inc
Log:
Modified to use credentials from default_credentials.inc. Added a few more credentials.

Modified: trunk/openvas-plugins/ChangeLog
===================================================================
--- trunk/openvas-plugins/ChangeLog	2011-09-07 07:00:34 UTC (rev 11580)
+++ trunk/openvas-plugins/ChangeLog	2011-09-07 11:49:07 UTC (rev 11581)
@@ -1,3 +1,15 @@
+2011-09-07  Michael Meyer <michael.meyer at greenbone.net>
+
+	* scripts/avaya_switches.nasl,
+	scripts/Allied_Telesyn_telnet.nasl,
+	scripts/Accelar_1200.nasl,
+	scripts/3com_switches.nasl,
+	scripts/cisco_default_pw.nasl:
+	Modified to use credentials from default_credentials.inc.
+
+	* scripts/default_credentials.inc:
+	Added a few more credentials.
+
 2011-08-07  Veerendra G.G <veerendragg at secpod.com>
 
 	* scripts/gb_ubuntu_USN_1197_1.nasl,

Modified: trunk/openvas-plugins/scripts/3com_switches.nasl
===================================================================
--- trunk/openvas-plugins/scripts/3com_switches.nasl	2011-09-07 07:00:34 UTC (rev 11580)
+++ trunk/openvas-plugins/scripts/3com_switches.nasl	2011-09-07 11:49:07 UTC (rev 11581)
@@ -62,22 +62,13 @@
 }
 
 include('telnet_func.inc');
+include("default_credentials.inc");
 
 port = 23; # the port can't be changed
 
 banner = get_telnet_banner(port:port);
 if ( "Login : " >!< banner ) exit(0);
 
-login[0] = string("monitor");
-login[1] = string("manager");
-login[2] = string("security");
-login[3] = string("admin");
-
-password[0] = string("monitor");
-password[1] = string("manager");
-password[2] = string("security");
-password[3] = string("");
-
 bfound = 0;
 
 res = string("Standard passwords were found on this 3Com Superstack switch.\n");
@@ -86,25 +77,34 @@
 if(get_port_state(port))
 {
 
- for ( i=0; i<4; i = i + 1 )
- {
+  foreach credential (credentials) 
+  {
+
+     user_pass = split(credential, sep:";",keep:FALSE);
+     if(isnull(user_pass[0]) || isnull(user_pass[1]))continue;
+
+     user = chomp(user_pass[0]);
+     pass = chomp(user_pass[1]);
+
+     if(tolower(pass) == "none")pass = "";
+
      soc = open_sock_tcp(port);
      if(soc)
      {
         r = recv(socket:soc, length:160);
         if("Login: " >< r)
         {
-	    tmp = string(login[i], "\r\n");
+	    tmp = string(user, "\r\n");
 	    send(socket:soc, data:tmp);
 	    r = recv_line(socket:soc, length:2048);
-            tmp = string(password[i], "\r\n");
+            tmp = string(pass, "\r\n");
 	    send(socket:soc, data:tmp);
 	    r = recv(socket:soc, length:4096);
 
 	    if ( "logout" >< r )
 	    {
 		bfound = 1;
-		res = string(res, login[i], ":", login[i], "\n");
+		res = string(res, user, ":", pass, "\n");
      	    }
 
         }
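Review bot: The empty-password mapping `if(tolower(pass) == "none")pass = "";` matches only the bare word, but default_credentials.inc in this same commit still carries `"superuser;(none)"`, so that entry is sent as the literal string `(none)` and its blank-password case is never tested. Normalising both spellings, e.g. `if(tolower(pass) == "none" || tolower(pass) == "(none)") pass = "";`, or fixing the list entry, would close the gap. The same check is repeated in the Accelar_1200, Allied_Telesyn_telnet, avaya_switches and cisco_default_pw hunks. The enclosing `if(get_port_state(port))` block continues past the end of this hunk.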

Modified: trunk/openvas-plugins/scripts/Accelar_1200.nasl
===================================================================
--- trunk/openvas-plugins/scripts/Accelar_1200.nasl	2011-09-07 07:00:34 UTC (rev 11580)
+++ trunk/openvas-plugins/scripts/Accelar_1200.nasl	2011-09-07 11:49:07 UTC (rev 11581)
@@ -62,8 +62,7 @@
 #
 
 include("telnet_func.inc");
-usrname = string("rwa\r\n");
-password = string("rwa\r\n");
+include("default_credentials.inc");
 
 port = 23;
 if(get_port_state(port))
@@ -72,15 +71,26 @@
 	if ( ! tnb ) exit(0);
         if ("Accelar 1200" >< tnb)
         {
+
+	  foreach credential (credentials) {
+
+	     user_pass = split(credential, sep:";",keep:FALSE);
+	     if(isnull(user_pass[0]) || isnull(user_pass[1]))continue;
+
+	     user = chomp(user_pass[0]);
+	     pass = chomp(user_pass[1]);
+
+	     if(tolower(pass) == "none")pass = "";
+
                 soc = open_sock_tcp(port);
                 if(soc)
                 {
                         answer = recv(socket:soc, length:4096);
                         if("ogin:" >< answer)
                         {
-                                send(socket:soc, data:usrname);
+                                send(socket:soc,data:string(user,"\r\n"));
                                 answer = recv(socket:soc, length:4096);
-                                send(socket:soc, data:password);
+                                send(socket:soc, data:string(pass,"\r\n"));
                                 answer = recv(socket:soc, length:4096);
                                 if("Accelar-1200" >< answer)
                                 {
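Review bot: The new `foreach credential (credentials)` loop replaces a single login attempt with one fresh telnet connection per entry in the shared list, and nothing visible in this hunk gates it, whereas cisco_default_pw.nasl only walks the list when `safe_checks() == 0`. On devices that lock accounts or throttle telnet after failed logins this can lock administrators out during a scan, so I would wrap the loop in the same `safe_checks() == 0` condition, or restrict the list to the vendor's own defaults when safe checks are on. The loop body continues outside the hunk, so whether it stops after the first accepted pair cannot be seen here; if it does not, a `break;` after the report avoids further attempts. The same applies to the 3com_switches, Allied_Telesyn_telnet and avaya_switches loops.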
@@ -90,6 +100,8 @@
                 close(soc);
                 }
 
+	   }	
+
         }
 }
 

Modified: trunk/openvas-plugins/scripts/Allied_Telesyn_telnet.nasl
===================================================================
--- trunk/openvas-plugins/scripts/Allied_Telesyn_telnet.nasl	2011-09-07 07:00:34 UTC (rev 11580)
+++ trunk/openvas-plugins/scripts/Allied_Telesyn_telnet.nasl	2011-09-07 11:49:07 UTC (rev 11581)
@@ -63,8 +63,6 @@
 #
 
 include("telnet_func.inc");
-usrname = string("manager\r\n");
-password = string("friend\r\n");
 
 port = 23;
 if(get_port_state(port))
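Review bot: This hunk removes the hard-coded `usrname`/`password` but, unlike the other four plugins in the commit, adds no `include("default_credentials.inc");`, while the next hunk iterates `foreach credential (credentials)`. Unless the list is pulled in somewhere outside the visible lines, `credentials` is undefined here and the loop body never runs, so the plugin would silently stop reporting the default login. Add `include("default_credentials.inc");` directly after the `telnet_func.inc` include.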
@@ -72,15 +70,26 @@
 tnb = get_telnet_banner(port);
         if ("TELNET session" >< tnb)
         {
+
+	  foreach credential (credentials) {
+
+	    user_pass = split(credential, sep:";",keep:FALSE);
+	    if(isnull(user_pass[0]) || isnull(user_pass[1]))continue;
+
+	    user = chomp(user_pass[0]);
+	    pass = chomp(user_pass[1]);
+
+            if(tolower(pass) == "none")pass = "";
+
                 soc = open_sock_tcp(port);
                 if(soc)
                 {
                         answer = recv(socket:soc, length:4096);
                         if("ogin:" >< answer)
                         {
-                                send(socket:soc, data:usrname);
+                                send(socket:soc, data:string(user,"\r\n"));
                                 answer = recv(socket:soc, length:4096);
-                                send(socket:soc, data:password);
+                                send(socket:soc, data:string(pass,"\r\n"));
                                 answer = recv(socket:soc, length:4096);
                                 if("Manager" >< answer)
                                 {
@@ -90,6 +99,8 @@
                 close(soc);
                 }
 
+	  }	
+
         }
 }
 

Modified: trunk/openvas-plugins/scripts/avaya_switches.nasl
===================================================================
--- trunk/openvas-plugins/scripts/avaya_switches.nasl	2011-09-07 07:00:34 UTC (rev 11580)
+++ trunk/openvas-plugins/scripts/avaya_switches.nasl	2011-09-07 11:49:07 UTC (rev 11581)
@@ -62,9 +62,9 @@
 #
 
 include("telnet_func.inc");
-usrname = string("root\r\n");
-password = string("root\r\n");
+include("default_credentials.inc");
 
+
 port = 23;
 if(get_port_state(port))
 {
@@ -72,15 +72,26 @@
 	if ( ! tnb ) exit(0);
         if ("Welcome to P330" >< tnb)
         {
+
+	  foreach credential (credentials) {
+
+	    user_pass = split(credential, sep:";",keep:FALSE);
+            if(isnull(user_pass[0]) || isnull(user_pass[1]))continue;
+
+	    user = chomp(user_pass[0]);
+	    pass = chomp(user_pass[1]);
+
+	    if(tolower(pass) == "none")pass = "";
+
                 soc = open_sock_tcp(port);
                 if(soc)
                 {
                         answer = recv(socket:soc, length:4096);
                         if("ogin:" >< answer)
                         {
-                                send(socket:soc, data:usrname);
+                                send(socket:soc,data:string(user,"\r\n"));
                                 answer = recv(socket:soc, length:4096);
-                                send(socket:soc, data:password);
+                                send(socket:soc, data:string(pass,"\r\n"));
                                 answer = recv(socket:soc, length:4096);
                                 if("Password accepted" >< answer)
                                 {
@@ -89,7 +100,7 @@
                         }
                 close(soc);
                 }
-
+           }
         }
 }
 

Modified: trunk/openvas-plugins/scripts/cisco_default_pw.nasl
===================================================================
--- trunk/openvas-plugins/scripts/cisco_default_pw.nasl	2011-09-07 07:00:34 UTC (rev 11580)
+++ trunk/openvas-plugins/scripts/cisco_default_pw.nasl	2011-09-07 11:49:07 UTC (rev 11581)
@@ -60,8 +60,8 @@
  script_id(23938);
  script_cve_id("CVE-1999-0508");
  script_version ("$Revision: 1.9 $");
- script_tag(name:"cvss_base", value:"4.6");
- script_tag(name:"risk_factor", value:"Medium");
+ script_tag(name:"cvss_base", value:"10.0");
+ script_tag(name:"risk_factor", value:"Critical");
 
 
  name = "Cisco default password";
@@ -91,6 +91,7 @@
 include('default_account.inc');
 include('telnet_func.inc');
 include('global_settings.inc');
+include("default_credentials.inc");
 
 if ( supplied_logins_only ) exit(0);
 
@@ -165,21 +166,27 @@
  local_var port, ret, banner, soc, res;
 
 
- if ( ssh_port )
- {
+ if ( ssh_port && get_port_state(ssh_port))
+ { 
   # Prefer login thru SSH rather than telnet
    soc = open_sock_tcp(ssh_port);
    if ( soc )
    {
-   ret = ssh_login(socket:soc, login:account, password:password);
-   close(soc);
+   ret = ssh_login(socket:soc, login:login, password:password);
    if ( ret == 0 ) {
-	desc += '\n\nPlugin Output :\n\nIt was possible to log in as \'' + login + '\'/\'' + password + '\'\n';
-	security_hole(port:ssh_port, data:desc);
-	exit(0);
-	}
-   else return 0;
+        r = ssh_cmd(socket:soc, cmd: string("show ver\r\n"), timeout:60);
+	if("Cisco Internetwork Operating System Software" >< r || "Cisco IOS Software" >< r) {
+  	  desc += '\n\nPlugin Output :\n\nIt was possible to log in as \'' + login + '\'/\'' + password + '\'\n';
+	  security_hole(port:ssh_port, data:desc);
+	  close(soc);
+	  exit(0);
+	}  
    }
+   else {
+     close(soc);
+     return 0;
+   }   
+  }
    else
      ssh_port = 0;
  }
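Review bot: When `ssh_login` succeeds but the `show ver` output matches neither Cisco string, control leaves the `if ( ret == 0 )` branch without a `close(soc);` and falls through to the code after the SSH block, leaking one SSH socket per credential now that the caller loops over the whole list. Add `close(soc);` after the inner `if` block, just before the closing brace of the `ret == 0` branch. `r` is also assigned here without appearing in the `local_var` list (which declares `res`), so either declare it or reuse `res`. The function starts and ends outside this hunk.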
@@ -211,8 +218,8 @@
 
 
 # SSH disabled for now
-#ssh_port = get_kb_item("Services/ssh");
-#if ( ! ssh_port ) ssh_port = 22;
+ssh_port = get_kb_item("Services/ssh");
+if ( ! ssh_port ) ssh_port = 22;
 
 
 telnet_port = get_kb_item("Services/telnet");
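Review bot: The comment `# SSH disabled for now` is left above code that now enables SSH, so it states the opposite of what the two lines below it do. Replace it with something like `# Prefer SSH; fall back to port 22 when the KB has no Services/ssh entry`, or drop it.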
@@ -224,11 +231,18 @@
 check_cisco_account(login:"", password:"");
 if ( safe_checks() == 0 )
 {
- check_cisco_account(login:"cisco", password:"");
- check_cisco_account(login:"admin", password:"cisco");
- check_cisco_account(login:"admin", password:"diamond");
- check_cisco_account(login:"admin", password:"admin");
- check_cisco_account(login:"admin", password:"system");
- check_cisco_account(login:"monitor", password:"monitor");
+ foreach credential (credentials) { 
+
+   user_pass = split(credential, sep:";",keep:FALSE);
+   if(isnull(user_pass[0]) || isnull(user_pass[1]))continue;
+
+   user = chomp(user_pass[0]);
+   pass = chomp(user_pass[1]);
+
+   if(tolower(pass) == "none")pass = "";
+
+   check_cisco_account(login:user, password:pass);
+
+ }  
 }
 

Modified: trunk/openvas-plugins/scripts/default_credentials.inc
===================================================================
--- trunk/openvas-plugins/scripts/default_credentials.inc	2011-09-07 07:00:34 UTC (rev 11580)
+++ trunk/openvas-plugins/scripts/default_credentials.inc	2011-09-07 11:49:07 UTC (rev 11581)
@@ -207,5 +207,7 @@
 "superuser;(none)",
 "recovery;recovery",
 "NETOP;none",
-"IntraSwitch;Asante" 
+"IntraSwitch;Asante",
+"cisco;none",
+"rwa;rwa"  
 );
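Review bot: Only `cisco;none` and `rwa;rwa` are added here, yet this commit deletes other hard-coded pairs from the plugins, for example `manager;friend` in Allied_Telesyn_telnet.nasl, `root;root` in avaya_switches.nasl and `admin;diamond` / `admin;system` in cisco_default_pw.nasl. The list above line 207 is not visible in this hunk, so please confirm each removed pair is already present; any that is missing becomes a silent loss of detection. A short comment at the top of the file documenting the `user;password` format and the `none` convention for an empty password would also help, since every consumer re-implements that parsing.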


