8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.917 High
EPSS
Percentile
98.9%
The script sends a connection request to the server and attempts to
login with default communities. Successful logins are storen in the KB.
# SPDX-FileCopyrightText: 2005 SecuriTeam
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only
if(description)
{
script_oid("1.3.6.1.4.1.25623.1.0.103914");
script_version("2023-08-01T13:29:10+0000");
script_tag(name:"last_modification", value:"2023-08-01 13:29:10 +0000 (Tue, 01 Aug 2023)");
script_tag(name:"creation_date", value:"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)");
script_tag(name:"cvss_base", value:"0.0");
script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:N/I:N/A:N");
script_xref(name:"IAVA", value:"2001-B-0001");
script_name("Check default community names of the SNMP Agent");
script_category(ACT_SETTINGS);
script_copyright("Copyright (C) 2005 SecuriTeam");
script_family("SNMP");
script_dependencies("gb_open_udp_ports.nasl", "gb_default_credentials_options.nasl");
script_require_udp_ports(161);
script_exclude_keys("default_credentials/disable_brute_force_checks");
script_xref(name:"URL", value:"http://www.securityfocus.com/archive/1/313714/2003-03-01/2003-03-07/0");
script_xref(name:"URL", value:"https://web.archive.org/web/20070428232535/http://www.iss.net/issEn/delivery/xforce/alertdetail.jsp?id=advise15");
script_tag(name:"summary", value:"The script sends a connection request to the server and attempts to
login with default communities. Successful logins are storen in the KB.");
script_tag(name:"qod_type", value:"remote_banner");
exit(0);
}
include("list_array_func.inc");
# If optimize_test = no
if( get_kb_item( "default_credentials/disable_brute_force_checks" ) )
exit( 0 );
#nb: Don't use UDP/PORTS or snmp_get_port() as the check below is quite unreliable against other non-snmp UDP services
port = 161;
if (!get_udp_port_state(port))
exit(0);
communities = make_list(
"Cisco router", # for Cisco equipment
"EyesOfNetwork", # Eyes of Network (EON)
"cable-docsis", # for Cisco equipment
"cascade", # for Lucent equipment
"comcomcom", # for 3COM AirConnect AP
"rmonmgmtuicommunity", # 2016/gb_cisco_sg220_cisco-sa-20160831-sps3.nasl
"ROUTERmate", # CVE-1999-0792
"tellmeyoursecrets", # BID 7081
"SmartScanServer", # Default from CVE-2016-6267
"wheel", # https://blogs.cisco.com/security/talos/rockwell-snmp-vuln
# From https://lkhill.com/brocade-vdx-snmp-changes/ and http://h20564.www2.hpe.com/hpsc/doc/public/display?docId=mmr_kc-0127107
"ConvergedNetwork",
"secret c0de", # Advisories are showing differences between lower/uppercase and quotes/no quotes for these four communities:
'"secret c0de"',
"Secret C0de", # Brocade
'"Secret C0de"',
"common",
"FibreChannel",
# CVE-2002-1229, https://marc.info/?l=bugtraq&m=103470243012971&w=2
"diag",
"manuf",
"danger",
"xxyyzz",
# From https://github.com/fuzzdb-project/fuzzdb/blob/master/wordlists-misc/wordlist-common-snmp-community-strings.txt
"public",
"private",
"0",
"0392a0",
"1234",
"2read",
"4changes",
"ANYCOM", # for 3COM NetBuilder
"Admin",
"C0de",
"CISCO",
"CR52401",
"IBM",
"ILMI",
"I$ilonpublic", # Dell EMC Isilon OneFS (CVE-2020-5364)
"Intermec",
"NoGaH$@!", # Avaya
"OrigEquipMfr", # Brocade
"PRIVATE",
"PUBLIC",
"Private",
"Public",
"SECRET",
"SECURITY",
"SNMP",
"SNMP_trap",
"SUN",
"SWITCH",
"SYSTEM",
"Secret",
"Security",
"s!a@m#n$p%c", # 2012/secpod_samsung_printer_snmp_auth_bypass_vuln.nasl
"Switch",
"System",
"TENmanUFactOryPOWER",
"TEST",
"access",
"adm",
"admin",
"agent",
"agent_steal", # CVE-2001-1210
"all",
# Advisories are showing differences between lower/uppercase and quotes/no quotes for these two communities:
"all private", # Solaris 2.5.1 and 2.6
'"all private"', # Solaris 2.5.1 and 2.6
"all public",
"apc", # for APC Web/SNMP Management Card AP9606
"bintec",
"blue", # HP JetDirect equipement
"c", # for Cisco equipment
"cable-d",
"canon_admin",
"carel", # CAREL pCOWeb
"cc", # for Cisco equipment
"cisco",
"community",
"core", # Cisco Aironet
"debug",
"default",
"dilbert",
"enable",
"field",
"field-service",
"freekevin", # CVE-2001-1210
"fubar", # CVE-2001-1210
"guest",
"hello",
"hp_admin",
"ibm",
"ilmi",
"intermec",
"internal", # HP JetDirect equipement
"l2",
"l3",
"manager",
"mngt",
"monitor",
"netman",
"network",
"none",
"openview",
"pass",
"password",
"pr1v4t3",
"proxy", # Cisco Aironet
"publ1c",
"read",
"read-only",
"read-write",
"readwrite",
"red",
"regional", # Cisco Aironet
"rmon",
"rmon_admin",
"ro",
"root",
"router",
"rw",
"rwa",
"san-fran",
"sanfran",
"scotty",
"secret", # for Cisco equipment
"security",
"seri",
"snmp",
"snmpd", # HP SNMP agent
"snmptrap",
"solaris",
"sun",
"superuser",
"switch",
"system",
"tech",
"test",
"test2",
"tiv0li",
"tivoli",
"trap",
"world",
"write", # for Cisco equipment
"xyzzy", # CVE-2001-1210
"yellow", # HP JetDirect equipement
# From http://www.phenoelit.org/dpl/dpl.html
"volition",
"MiniAP",
"snmp-Trap"
);
# Add device/host name
name = get_host_name();
if( name !~ "^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$" && ":" >!< name ) {
# We have a name, not an IP/IPv6
names[0] = name;
dot = strstr( name, '.' );
if( dot ) {
name = name - dot; # Use short name
names[1] = name;
}
foreach name( names ) {
if( ! in_array( search:name, array:communities ) ) {
communities = make_list( communities, name ); # The name is not already in the list
}
}
}
count = 0;
# We don't use the SNMP functions from snmp_func.inc since they are too slow for brute forcing
for( i = 0; communities[i]; i++ ) {
community = communities[i];
SNMP_BASE = 31;
COMMUNITY_SIZE = strlen( community );
sz = COMMUNITY_SIZE % 256;
len = SNMP_BASE + COMMUNITY_SIZE;
len_hi = len / 256;
len_lo = len % 256;
sendata = raw_string( 0x30, 0x82, len_hi, len_lo,
0x02, 0x01, 0x00, 0x04, sz );
sendata = sendata + community +
raw_string( 0xA1, 0x18, 0x02, 0x01, 0x01,
0x02, 0x01, 0x00, 0x02, 0x01,
0x00, 0x30, 0x0D, 0x30, 0x82,
0x00, 0x09, 0x06, 0x05, 0x2B,
0x06, 0x01, 0x02, 0x01, 0x05,
0x00 );
dstport = port;
soc[i] = open_sock_udp( dstport );
send( socket:soc[i], data:sendata );
usleep( 10000 ); # Cisco don't like to receive too many packets at the same time
}
for( j = 0; communities[j]; j++ ) {
result = recv( socket:soc[j], length:200, timeout:1 );
close( soc[j] );
if( result ) {
count++;
set_kb_item( name:"SNMP/" + port + "/v12c/detected_community", value:communities[j] );
set_kb_item( name:"SNMP/v12c/detected_community", value:TRUE );
}
}
if( count > 4 ) {
set_kb_item( name:"SNMP/" + port + "/v12c/all_communities", value:TRUE );
}
exit( 0 );
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.917 High
EPSS
Percentile
98.9%