Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Nortel Baystack Default Password

🗓️ 07 Mar 2003 00:00:00Reported by TenableType 
nessus
 nessus🔗 www.tenable.com👁 16 Views

Logs into Nortel switch with weak default password; allows unauthorized access and needs updating.

Code
#
# This script was written by Douglas Minderhout <[email protected]>
# This script is based uppon a script by Rui Bernardino <[email protected]>
#
# See the Nessus Scripts License for details
#

# Changes by Tenable:
# - only attempt to login if the policy allows it (10/25/11 and 6/2015)
# - Revised plugin title, output formatting (9/2/09)
# - include global_settings.inc (6/2015)


include("compat.inc");

if (description)
{
  script_id(11327);
  script_version ("$Revision: 1.10 $");
  script_cvs_date("$Date: 2015/10/09 22:45:48 $");

  script_name(english:"Nortel Baystack Default Password");
  script_summary(english:"Logs into the remote Nortel terminal server");

  script_set_attribute(attribute:"synopsis", value:
"The remote host is reachable with known default credentials.");
  script_set_attribute(attribute:"description", value:
"The remote switch has a weak password. This means that anyone who has
(downloaded) a user manual can telnet to it and gain administrative 
access.");
  script_set_attribute(attribute:"solution", value:
"Telnet to this switch and set passwords under 
'Console/Comm Port Configuration' for both read only and read write. 
Then, set the parameter 'Console Switch Password'
or 'Console Stack Password' to 'Required for TELNET' or
'Required for Both'.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");

  script_set_attribute(attribute:"plugin_publication_date", value:"2003/03/07");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"default_account", value:"true");
  script_end_attributes();

  script_category(ACT_ATTACK);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2003-2015 Douglas Minderhout");

  script_require_ports(23);
  script_exclude_keys("global_settings/supplied_logins_only");

  exit(0);
}



include('telnet_func.inc');
include("global_settings.inc");
function myrecv(socket, pattern) {
	while(1) {
		r = recv_line(socket:soc, length:1024);
		if(strlen(r) == 0) return(0);
		if(ereg(pattern:pattern, string:r)) return(r);
	}
}



#
# The script code starts here
#
port = 23;

if(get_port_state(port)) {

	if (supplied_logins_only) exit(0, "Policy is configured to prevent trying default user accounts");
	buf = get_telnet_banner(port:port);
	if ( ! buf || "Ctrl-Y" >!< buf ) exit(0);


	soc=open_sock_tcp(port);
	if(!soc)exit(0);
	buf=telnet_negotiate(socket:soc);
	#display(buf);
	# If we catch one of these, it's something else
	if("NetLogin:" >< buf)exit(0);
	if("Login:" >< buf)exit(0);
	# If we get Ctrl-Y in the response we're in business
	if ("Ctrl-Y" >< buf) {
		# Here we send it the Ctrl-y in HEX
		test = raw_string(0x19,0xF0);
		send(socket:soc, data:test);
		resp = recv(socket:soc, length:1024);
		#display(resp);
		if("P Configuration" >< resp) {
			# No password has been set
			e = "There is no password assigned to the remote Baystack switch.";
			security_hole(port:port, extra:e);
		} else {	 
			if ("asswor" >< resp ){
				# A password has been set, now we try some defaults
				test = string("secure\r");
         	send(socket:soc, data:test);
				resp = recv(socket:soc, length:1024);
				if("P Configuration" >< resp) {
					e = "The default password 'secure' is assigned to the remote Baystack switch.";
					security_hole(port:port, extra:e);
				} else {
					if ("asswor" >< resp ){
						# "secure' didn't work, let's try "user"
						test = string("user\r");
         			send(socket:soc, data:test);
						resp = recv(socket:soc, length:1024);
						if("P Configuration" >< resp) {
							e = "The default password 'user' is assigned to the remote Baystack switch.";
							security_hole(port:port, extra: e);
						}
					}
				}
			}
		}
	# The older switches do not do the Ctrl-Y thing, they just let you in
	} else {
		if ("P Configuration" >< buf) {
				e = 
"There is no password assigned to the remote Baystack switch. This switch
is most likely using a very old version of software. It would be best to 
contact Nortel for an upgrade.";
				security_hole(port:port, extra:e);
		}
	}
	close (soc);
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
09 Oct 2015 22:45Current
5.5Medium risk
Vulners AI Score5.5
nortel baystackdefault passwordadministrative accesstelnet securityweak password address.
16