Chip 2007 January, February, March & April

home *** CD-ROM | disk | FTP | other *** search

/ Chip 2007 January, February, March & April / Chip-Cover-CD-2007-02.iso / Pakiet bezpieczenstwa / mini Pentoo LiveCD 2006.1 / mpentoo-2006.1.iso / modules / nessus-2.2.8.mo / usr / lib / nessus / plugins / rsh_users.nasl < prev next >

Wrap

Text File | 2005-01-14 | 3.3 KB | 126 lines

# # This script was written by Renaud Deraison <deraison@cvs.nessus.org> # # See the Nessus Scripts License for details # if(description) { script_id(10380); script_version ("$Revision: 1.15 $"); name["english"] = "rsh on finger output"; name["francais"] = "rsh on finger output"; script_name(english:name["english"], francais:name["francais"]); desc["english"] = " This plugin attempts to log into the remote host using rsh and uses the names given by the output of finger. Risk factor : High"; desc["francais"] = " Ce plugin essaye de se logguer sur la machine distante en utilisant rsh et les noms donnΘs par la sortie de la commande finger"; script_description(english:desc["english"], francais:desc["francais"]); summary["english"] = "attempts to log in using rsh"; summary["francais"] = "essaye de se logguer en utilisant rsh"; script_summary(english:summary["english"], francais:summary["francais"]); script_category(ACT_ATTACK); script_copyright(english:"This script is Copyright (C) 2000 Renaud Deraison", francais:"Ce script est Copyright (C) 2000 Renaud Deraison"); family["english"] = "Gain a shell remotely"; family["francais"] = "Obtenir un shell α distance"; script_family(english:family["english"], francais:family["francais"]); script_dependencie("find_service.nes", "finger.nasl", "rsh.nasl"); script_require_ports("Services/rsh", 514); script_require_keys("rsh/active"); exit(0); } function login(port, name) { soc = open_priv_sock_tcp(dport:port); if(soc) { s1 = raw_string(0); s2 = name + raw_string(0) + name + raw_string(0) + "id" + raw_string(0); send(socket:soc, data:s1); send(socket:soc, data:s2); a = recv(socket:soc, length:1024); a = recv(socket:soc, length:1024); if(egrep(string:a, pattern:"^uid.*$")) { data = "It was possible to log into this host using the account '" + name + "' !" + string("\n") + "Either it is passwordless or the file " + "~/.rhosts is not configured properly." + string("\n") + "Here is the output of the command 'id' : " + string("\n") + string("\n") + a + string("\n") + "Solution : remove ~/.rhosts or set a password" + string("\n") + "Risk factor : High"; security_hole(port:port, data:data); } close(soc); } } port = get_kb_item("Services/rsh"); if(!port)port = 514; if(!get_port_state(port))exit(0); login(port:port, name:"root"); # # these will most likely find backdoor rather # than real unconfigured systems # login(port:port, name:"toor"); login(port:port, name:"bin"); login(port:port, name:"daemon"); login(port:port, name:"operator"); login(port:port, name:"nobody"); login(port:port, name:"adm"); login(port:port, name:"ftp"); login(port:port, name:"postgres"); login(port:port, name:"gdm"); finger_port = get_kb_item("Services/finger"); if(!finger_port)finger_port = 79; if(!get_port_state(finger_port))exit(0); finger = open_sock_tcp(finger_port); if(!finger)exit(0); send(socket:finger, data:string("\r\n")); r = recv_line(socket:finger, length:1024); if(!r)exit(0); r = recv_line(socket:finger, length:1024); tested = " root toor bin daemon operator nobody adm ftp postgres gdm "; while(r) { s = strstr(r," "); r = r - s; pat = ".* " + r + " .*"; if(!egrep(string:tested, pattern:pat)) { tested = tested + " " + r + " "; login(name:r, port:port); } r = recv_line(socket:finger, length:1024); } close(finger);