
Cisco Device Default Password

This script is Copyright (C) 2006-2023 Javier Fernandez-Sanguino and Renaud Deraison

The remote Cisco router has a default password set. A remote, unauthenticated attacker can exploit this to gain administrative access.

#TRUSTED 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
#TRUST-RSA-SHA256 014530237a7302a6f3a81f61e9e3c104dd2e1aac743ea5b22437cd94f1a7e3c033179ed0c618877f6d4c7ee965a545ecf52ef0bb241e02badde8fba5caeecb710696d868563981b8cc351cb2436663bf2328da0950c03047b15543624d9769caaf599cc91e25b92a9ebd550f7a381295d14f06eb57508ac40e74b1c6ac9d9ae7bcd8be1edd8277d57b940215825aaeca305e9f278966a79e3af21c44c3956bed6d5fa86288fb3cf1a67c3c673c5d694d343749518824d68cad20698655fd5d7a2f5aa86440c0123bb9e56401baafb9aa8d3e65c078ba9bcd3fcd1f94c17607aed8ae0314e9d798e2deea2753cebf1714a38ed930b0e0713f3841da7f1c59bd88d5eb3040598ed1e98777d847b2a5e083b3c4b5f46cb3f9146bdd2f7b1fabbaed8e50da92609df3aa05fdda9e66ad049dbf4e4a862317aa5ed9b21ba5166e350cd65eb1b616273accd23ac6e3e81ae602cc1b29c60f3cbcd1c8b1dfb3c450217ec2965b03ac177cd3d8f7c4b8e7f3d1bc8f7a7c80380814ba2a3a4d170943965e708d0e416a1b06f38a4ed07ab2e25eb623022766739bbec65367b932d8ea2708a836bc272d0e8beef0ed7e49894b2dce4cf3202e4a5a75fe5ac40fa0ed41c5b3b25c38df263d6190a2ffcc24f62e45247d520b76e9e92b61723eb53dc0938d70061546706f71d73569f392b3c0ec4ec8dca905a73a9191a9f30caeabd1f076e1
#
# This script was written by Javier Fernandez-Sanguino
# based on a script written by Renaud Deraison <[email protected]>
# with contributions by Gareth M Phillips <[email protected]> (additional logins and passwords)
#
# GPLv2
#
# TODO:
# - dump the device configuration to the knowledge base (requires
#   'enable' access being possible)
# - store the CISCO IOS release in the KB so that other plugins (in the Registered
#   feed) could use the functions in cisco_func.inc to determine if the system is
#   vulnerable as is currently done through SNMP (all the CSCXXXX.nasl stuff)
# - store the user/password combination in the KB and have another plugin test
#   for common combinations that lead to 'enable' mode.
#
# Changes by Tenable:
# - Coding changes regarding Cisco IOS XR/XE, along with some minor
#   tweaks in description block, were done (2017/01/13).

include("compat.inc");

# Registration block: the scanner evaluates it with 'description' set
# while loading plugin metadata; it declares the attributes below and
# exits before any network activity happens.
if (description)
{
  script_id(23938);
  script_version("1.50");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/11/27");

  # CVE-1999-0508 covers default, null, blank or missing passwords on
  # network devices (see the cvss_score_rationale below).
  script_cve_id("CVE-1999-0508");

  script_name(english:"Cisco Device Default Password");
  script_summary(english:"Checks for a default password.");

  script_set_attribute(attribute:"synopsis", value:
"The remote device has a default factory password set.");
  script_set_attribute(attribute:"description", value:
"The remote Cisco router has a default password set. A remote,
unauthenticated attacker can exploit this to gain administrative
access.");
  script_set_attribute(attribute:"solution", value:
"Change the Cisco device default password via the command 'enable secret'.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:TF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"cvss_score_source", value:"CVE-1999-0508");
  script_set_attribute(attribute:"cvss_score_rationale", value:"AV:N is justified since the plugin tries to login via SSH or Telnet. While the NVD score implies the the device is only accessible locally, that's not explicitly specified in the CVE description: An account on a router, firewall, or other network device has a default, null, blank, or missing password. It is a reasonable assumption that if the plugin can log in with one of the sets of credentials attempted in the plugin, it can own the device (hence CIA complete instead of partial).");
  script_set_attribute(attribute:"vuln_publication_date", value:"1999/01/01");
  script_set_attribute(attribute:"plugin_publication_date", value:"2006/12/23");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco");
  # Marks this as a default-credential check so the scanner can group it
  # with other plugins of that kind.
  script_set_attribute(attribute:"default_account", value:"true");
  script_end_attributes();

  # Runs in the information-gathering phase even though it performs real
  # login attempts; the larger credential set is additionally gated by
  # safe_checks() at the bottom of the file.
  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2006-2023 Javier Fernandez-Sanguino and Renaud Deraison");

  # Service detection and the SSH info plugin must have run first;
  # either a Telnet or an SSH service is required.
  script_dependencies("find_service2.nasl", "ssh_get_info.nasl");
  script_require_ports("Services/telnet", 23, "Services/ssh", 22);
  # Not scheduled at all when the policy restricts the scan to
  # user-supplied credentials (the main body re-checks this too).
  script_exclude_keys("global_settings/supplied_logins_only");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("telnet_func.inc");
include("misc_func.inc");
include("ssh_func.inc");


# NOTE(review): enable_ssh_wrappers() comes from ssh_func.inc; presumably it
# selects the wrapped SSH implementation behind ssh_login()/ssh_cmd() used
# below — confirm against the include.
enable_ssh_wrappers();

# This plugin exists to try vendor defaults; when the policy only permits
# user-supplied logins there is nothing legitimate for it to do.
if (supplied_logins_only) audit(AUDIT_SUPPLIED_LOGINS_ONLY);

# Shared state between the two check functions and the main body:
#  - ssh_port / telnet_port: target ports, zeroed once a service proves unusable
#  - telnet_checked: set after the Telnet banner has been validated once
#  - ssh_found / telnet_found: a working credential was found on that service
#  - cisco_pw_report_*: accumulated report text, only used in PCI DSS mode
global_var ssh_port, telnet_checked, telnet_port, ssh_found, telnet_found;
global_var cisco_pw_report_ssh, cisco_pw_report_telnet;
cisco_pw_report_ssh = "";
cisco_pw_report_telnet = "";

# Not referenced anywhere else in this file (the per-service variables
# above are the ones actually used).
cisco_pw_report = "";
ssh_found = FALSE;
telnet_found = FALSE;

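# Try the supplied credentials against the Cisco Telnet service on 'port'
# and, if a CLI is reached, run 'show ver' to confirm the device type.
#
# Side effects:
#  - zeroes the global 'telnet_port' when the connect fails, so the
#    remaining credential attempts skip Telnet;
#  - on success sets the global 'telnet_found', stores a trimmed
#    'show ver' line under Host/Cisco/show_ver (first writer only) and
#    either reports at once via security_hole() or, in PCI DSS mode,
#    appends the report text to the global 'cisco_pw_report_telnet'.
# The return value is not used by the caller. The socket is closed on
# every path after a successful open; the original leaked it when
# telnet_negotiate() returned no prompt.
function check_cisco_telnet(login, password, port)
{
  local_var msg, r, r2, soc, report, pass_only;
  local_var i, info, line, ver;

  pass_only = TRUE;
  soc = open_sock_tcp(port);
  if (!soc)
  {
    # Nothing listening: disable Telnet for the rest of this run.
    telnet_port = 0;
    return(0);
  }

  msg = telnet_negotiate(socket:soc, pattern:"(ogin:|asscode:|assword:)");
  if (strlen(msg) == 0)
  {
    # No login prompt at all: nothing to try, but release the socket.
    close(soc);
    return(0);
  }

  # A device using an AAA access model or locally configured users asks
  # for a username first; answer it and wait for the password prompt.
  if (stridx(msg, "sername:") != -1 || stridx(msg, "ogin:") != -1)
  {
    send(socket:soc, data:login + '\r\n');
    msg = recv_until(socket:soc, pattern:"(assword:|asscode:)");
    pass_only = FALSE;
  }

  # Either {P,p}assword: or {P,p}asscode: must follow; otherwise give up.
  if (strlen(msg) == 0 || (stridx(msg, "assword:") == -1 && stridx(msg, "asscode:") == -1))
  {
    close(soc);
    return(0);
  }

  send(socket:soc, data:password + '\r\n');
  # Drain whatever follows the password (prompt, banner or rejection).
  # The CLI prompt itself is not matched here: the real pattern is quite
  # complex (Net-Telnet-Cisco uses
  #  '/(?m:^[\r\b]?[\w.-]+\s?(?:\(config[^\)]*\))?\s?[\$\#>]\s?(?:\(enable\))?\s*$)/'),
  # so success is judged on the 'show ver' output instead.
  r = recv(socket:soc, length:4096);

  # 'show ver' is available to most users regardless of privilege level.
  send(socket:soc, data:'show ver\r\n');
  r = recv_until(socket:soc, pattern:"(Cisco (Internetwork Operating System|IOS|Adaptive Security Appliance) Software|assword:|asscode:|ogin:|% Bad password|% Login invalid)");
  # Only IOS / IOS XR / IOS XE / ASA banners are recognised below; devices
  # running CatOS, for example, are not detected by this check.

  if (
    strlen(r) &&
    (
      "Cisco Internetwork Operating System Software" >< r ||
      "Cisco IOS Software" >< r ||
      "Cisco IOS XR Software" >< r ||
      "Cisco IOS XE Software" >< r ||
      "Cisco Adaptive Security Appliance Software" >< r
    )
  )
  {
    # Read up to the image-file line so the report quotes the version block.
    r2 = recv_until(socket:soc, pattern:'^System image file is "[^"]+"');
    if (strlen(r2)) r = strstr(r, "Cisco") + chomp(r2) + '\n' + '(truncated)';

    ver = egrep(pattern:"^.*IOS.*Version [0-9.]+(?:\(.*\))?.*", string:r);
    if (ver)
    {
      # Only the first plugin to see a version line records it in the KB.
      if (!get_kb_item("Host/Cisco/show_ver"))
        set_kb_item(name:"Host/Cisco/show_ver", value:ereg_replace(string:ver, pattern:".*(Cisco.*)", replace:"\1"));
      info = '\n  ' + chomp(ver);
    }
    else
    {
      # No recognisable version line: quote the first four lines instead.
      info = '';
      i = 0;
      foreach line (split(r, keep:FALSE))
      {
        if (++i >= 5) break;
        info += '\n  ' + line;
      }
    }
    telnet_found = TRUE;

    # The report deliberately names the working credential; the user line
    # is only present when the device asked for one.
    report =
      '\n' + 'It was possible to log into the remote Cisco device via Telnet' +
      '\n' + 'using the following credentials :' +
      '\n';
    if (!pass_only)
    {
      report +=
        '\n' + '  User     : ' + login;
    }
    report +=
      '\n' + '  Password : ' + password +
      '\n' +
      '\n' + 'and to run the \'show ver\' command, which returned in part :'+
      '\n' +
      info + '\n';
    # PCI DSS mode collects every working credential before reporting;
    # otherwise the first hit is reported immediately.
    if (get_kb_item("Settings/PCI_DSS"))
      cisco_pw_report_telnet += '\n' + report;
    else
      security_hole(port:port, extra:report);
  }

  # TODO: it could also try 'enable' here and see if it's capable
  # of accessing the privilege mode with the same password, or do it
  # in a separate module

  close(soc);
}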

# Functions modified from the code available from default_accounts.inc
# (which is biased to UNIX)
#
# Try one login/password pair, over SSH first (when ssh_port is open) and
# then over Telnet (when telnet_port is open). A working pair is reported
# immediately, or accumulated in cisco_pw_report_ssh / cisco_pw_report_telnet
# in PCI DSS mode. Outside PCI DSS mode the first success ends the whole
# script via exit(0); in PCI DSS mode the function returns so that the
# caller can keep trying the remaining pairs. Services that turn out to be
# unusable are disabled for later calls by zeroing ssh_port / telnet_port.
function check_cisco_account(login, password)
{
 local_var port, ret, banner, soc, res, report;
 local_var buf, i, info, line, ver;

 # NOTE(review): global flag read by the shared helpers (ssh_func.inc /
 # default_accounts.inc); presumably stops them from reporting on their
 # own so this plugin can build its own report — confirm.
 checking_default_account_dont_report = TRUE;

 if (ssh_port && get_port_state(ssh_port))
 {
  # Prefer login thru SSH rather than telnet
   # NOTE(review): _ssh_socket is the global consumed by ssh_login() below
   # (not passed explicitly) — confirm against ssh_func.inc.
   _ssh_socket= open_sock_tcp(ssh_port);
   if ( _ssh_socket)
   {
   ret = ssh_login(login:login, password:password);
   # 'show ver' is run straight on the Cisco CLI (no shell, no sudo);
   # a failed login leaves buf empty so the checks below fall through.
   if (ret == 0) buf = ssh_cmd(cmd:"show ver", nosh:TRUE, nosudo:TRUE, cisco:TRUE);
   else buf = "";
   ssh_close_connection();
   if (
     buf &&
     (
       "Cisco Internetwork Operating System Software" >< buf ||
       "Cisco IOS Software" >< buf ||
       "Cisco IOS XR Software" >< buf ||
       "Cisco IOS XE Software" >< buf ||
       "Cisco Adaptive Security Appliance Software" >< buf
     )
   )
   {
     ver = egrep(pattern:"^.*IOS.*Version [0-9.]+(?:\(.*\))?.*", string:buf);
     if (ver) {
	info = '\n  ' + chomp(ver);
	# Only the first plugin to see a version line records it in the KB.
    	if ( !get_kb_item("Host/Cisco/show_ver" ) )
		set_kb_item(name:"Host/Cisco/show_ver", value:ereg_replace(string:ver, pattern:".*(Cisco.*)", replace:"\1"));
	}
     else
     {
       # No recognisable version line: quote the first four lines instead.
       info = '';
       i = 0;
       foreach line (split(buf, keep:FALSE))
       {
         if (++i >= 5) break;
         info += '\n  ' + line;
       }
     }
     ssh_found = TRUE;

     # The report deliberately names the working credential.
     report =
       '\n' + 'It was possible to log into the remote Cisco device via SSH' +
       '\n' + 'using the following credentials :' +
       '\n' +
       '\n' + '  User     : ' + login +
       '\n' + '  Password : ' + password +
       '\n' +
       '\n' + 'and to run the \'show ver\' command, which returned in part :'+
       '\n' +
       info + '\n';
     if (get_kb_item("Settings/PCI_DSS"))
       cisco_pw_report_ssh += '\n' + report;
     else
       security_hole(port:ssh_port, extra:report);
   }
   }
   else
     # Connect failed: skip SSH for all later credential pairs.
     ssh_port = 0;
 }

 if(telnet_port && get_port_state(telnet_port))
 {
  # Telnet always needs something to send at the password prompt.
  if ( isnull(password) ) password = "";
  # The banner is validated once per run; a missing or non-Cisco banner
  # disables Telnet for every later call. Note that these early returns
  # skip the ssh_found / telnet_found exit at the bottom, so an SSH hit
  # on this call is only acted on by the next call.
  if ( ! telnet_checked )
  {
  banner = get_telnet_banner(port:telnet_port);
  if ( banner == NULL ) { telnet_port = 0 ; return 0; }
  # Check for banner, covers the case of Cisco telnet as well as the case
  # of a console server to a Cisco port
  # Note: banners of cisco systems are not necessarily set, so this
  # might lead to false negatives !
  if ( stridx(banner,"User Access Verification") == -1 && stridx(banner,"assword:") == -1)
    {
     telnet_port = 0;
     return(0);
    }
   telnet_checked ++;
  }

  check_cisco_telnet(login:login, password:password, port:telnet_port);
 }
 # PCI DSS mode wants every working pair, so never stop early there;
 # otherwise the first success ends the script.
 if (get_kb_item("Settings/PCI_DSS")) return 0;
 if (ssh_found || telnet_found) exit(0);
 return(0);
}

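# Target ports: prefer the KB entries filled in by the service detection
# dependencies, fall back to the well-known defaults.
ssh_port = get_kb_item("Services/ssh");
if ( ! ssh_port ) ssh_port = 22;

telnet_port = get_kb_item("Services/telnet");
if ( ! telnet_port ) telnet_port = 23;
telnet_checked = 0;

# Credential pairs tried unconditionally (the classic factory defaults).
# Outside PCI DSS mode the first working pair exits the script from
# inside check_cisco_account().
check_cisco_account(login:"cisco", password:"cisco");
check_cisco_account(login:"Cisco", password:"Cisco");
check_cisco_account(login:"", password:"");

# Further pairs only when safe checks are off or in PCI DSS mode, since
# each one is another login attempt against the device.
if ( safe_checks() == 0 || get_kb_item("Settings/PCI_DSS"))
{
 check_cisco_account(login:"cisco", password:"");
 check_cisco_account(login:"admin", password:"cisco");
 check_cisco_account(login:"admin", password:"diamond");
 check_cisco_account(login:"admin", password:"admin");
 check_cisco_account(login:"admin", password:"system");
 check_cisco_account(login:"monitor", password:"monitor");
}

# In PCI DSS mode the findings were accumulated instead of reported
# inline, so emit them now, one report per service.
if (get_kb_item("Settings/PCI_DSS"))
{
  if (ssh_found)
    security_hole(port:ssh_port, extra:cisco_pw_report_ssh);
  if (telnet_found)
    security_hole(port:telnet_port, extra:cisco_pw_report_telnet);
}

# Previously the "Host not affected." exit hung off the telnet_found test
# alone, so an SSH-only hit was reported and then exited with that
# message. Only exit that way when neither service accepted a credential.
if (!ssh_found && !telnet_found) exit(0, "Host not affected.");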