Contributing to the community feed

I’d like to be able to contribute some simple VTs to the community feed. How does one go about doing that?

1 Like

Did you see this post:

Or maybe your question is how to get your working NASLs into the Community Feed?
That’d be for others than me to answer.

1 Like

Hi there,

The access to the sources for the VTs was restricted not that long ago as announced here and we are not aware of any plans to change this again.

Unfortunately the only way to contribute to the feed is currently to submit posts (maybe including a git diff / patch) here in this community portal / category or share your work with one of our developers (like myself).

Just a small note: This decision was made outside of the control of the team working on the feed.

Cheers

2 Likes

Ok, so I’ll post here and see what happens. I ran this through openvas-nasl and came back with no errors. That does not mean that it actually works. It should, as it’s really a simple check.

###############################################################################
# OpenVAS Vulnerability Test
#
# Kronos 4500 Time Clock Telnet Default Credentials
#
#
# Copyright:
# Copyright (c) 2020 Simmons Foods, Inc.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################

if (description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.300000");
  script_version("2020-03-11T14:52:00+0000");
  script_tag(name:"cvss_base", value:"7.5");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_name("Kronos 4500 Time Clock Telnet Default Credentials");
  script_tag(name:"last_modification", value:"2020-03-11T14:52:00+0000 (Wed, 11 Mar 2020)");
  script_tag(name:"creation_date", value:"2020-03-11T14:52:00+0000 (Wed, 11 Mar 2020)");
  script_category(ACT_ATTACK);
  script_family("Default Accounts");
  script_copyright("This script is Copyright (C) 2020 Simmons Foods, Inc.");
  script_dependencies("telnetserver_detect_type_nd_version.nasl", "gb_default_credentials_options.nasl");
  script_require_ports("Services/telnet", 23);
  script_exclude_keys("default_credentials/disable_default_account_checks");

  script_tag(name:"summary", value:"Kronos 4500 Time Clock has default credentials set.");

  script_tag(name:"impact", value:"This issue may be exploited by a remote attacker to gain
  access to sensitive information or modify system configuration.");

  script_tag(name:"vuldetect", value:"Connect to the telnet service and try to login with default credentials.");

  script_tag(name:"insight", value:"It was possible to login with default credentials of SuperUser:2323098716");

  script_tag(name:"solution", value:"Change/Set the password.");

  script_tag(name:"qod_type", value:"remote_vul");
  script_tag(name:"solution_type", value:"Mitigation");

  exit(0);
}

if(get_kb_item("default_credentials/disable_default_account_checks"))
  exit(0);

include("telnet_func.inc");

vuln = 0;
report = 'It was possible to login using the following credentials:';

port = telnet_get_port( default:23 );

# Only a single default credential is tried, as the device is locking out
# an IP after three wrong logins.
creds = make_array( "SuperUser", "2323098716" );

foreach cred ( keys( creds ) ) {

  soc = open_sock_tcp( port );
  if( ! soc ) exit( 0 );

  # Wait for the login prompt before sending anything.
  buf = recv( socket:soc, length:2048 );

  if( "VxWorks login:" >< buf ) {

    send( socket:soc, data:cred + '\r\n' );
    buf = recv( socket:soc, length:128 );

    if( "Password:" >< buf ) {
      send( socket:soc, data:creds[cred] + '\r\n' );
      buf = recv( socket:soc, length:1024 );

      # The VxWorks shell prompt "->" is only shown after a successful login.
      if( "->" >< buf ) {
        # Single-quoted strings are needed for '\n' to be a newline in NASL;
        # double quotes would put a literal "\n" into the report.
        report += '\n\n' + cred + ":" + creds[cred] + '\n';
        vuln = 1;
      }
    }
  }
  close( soc );
}

if( vuln ) {

  security_message( port:port, data:report );
  exit( 0 );
}

exit( 99 );
5 Likes

Looks great so far; a couple of changes are still needed, though (mainly regarding the script_ tags inside the description), but that will be done when implementing the script.

Did you just run to check it “if it works”, or were you able to test it against live targets?

1 Like

I was not able to test against live targets, as I am still learning how to do so. But I do have live targets against which to test, both vulnerable and fixed.

1 Like

Testing now. Had to add “unscanned_closed=no” to my /etc/openvas/openvassd.conf.

1 Like

Vulnerable host

# openvas-nasl -X -B -d -i /var/lib/openvas/plugins -t xxx.xxx.xxx.xxx kronos.nasl
It was possible to login using the following credentials:\n\nSuperUser:2323098716\n
1 Like

Not vulnerable host

# openvas-nasl -X -B -d -i /var/lib/openvas/plugins -t xxx.xxx.xxx.xxx kronos.nasl
lib  misc-Message: 14:56:10.466: set key HostDetails -> EXIT_CODE
lib  misc-Message: 14:56:10.466: set key HostDetails/NVT -> 1.3.6.1.4.1.25623.1.0.300000
lib  misc-Message: 14:56:10.467: set key HostDetails/NVT/1.3.6.1.4.1.25623.1.0.300000/EXIT_CODE -> EXIT_NOTVULN
1 Like

Offline host

# openvas-nasl -X -B -d -i /var/lib/openvas/plugins -t xxx.xxx.xxx.xxx kronos.nasl
lib misc-Message: 15:41:47.680: open_sock_tcp: xxx.xxx.xxx.xxx:23 time-out.
1 Like

Would it be possible for you to share your live targets in a private message? If they are out there in the open, we would be able to test your script, too.

1 Like

Thank you very much for your contribution. This VT was added to the feed yesterday with the following OID:

Greenbone Enterprise Appliance (Note: may not be available yet)

We had to do a few additional modifications to that VT as well as to two additional Telnet VTs (telnetserver_detect_type_nd_version.nasl and telnet.nasl).

The main problem we have seen is that those devices (at least the ones we got our hands on) are very fragile. Sometimes it took one minute or more until the device responded, sometimes it didn’t respond at all (even when using a telnet command line tool). This happened quite often on concurrent connections / repeated connections in a short amount of time.

Reliable testing of such fragile devices is not really possible in a standard scan config and with a “full” scan (a command line run is something different because fewer VTs are running), because many VTs might query the device concurrently, making it even more unstable.

But once such a device was detected (based on the VxWorks banner) we’re now giving the following advice in the “Telnet Banner Reporting” VT (OID: 1.3.6.1.4.1.25623.1.0.10281):

Note: Some specific variants of this service (e.g. running on Kronos 4500) are known to be “fragile” or slow to respond. If you don’t get any results for this service please consider to:

  • raise the “time_between_request” scanner preference
  • add “Services/telnet, 23” to the “non_simult_ports” scanner preference

If you already know that you’re scanning such a device you could also update your scan config with the hints above, which might improve the scanning of such kinds of devices.

The documentation for both scanner preferences mentioned above can be found here:

https://docs.greenbone.net/GSM-Manual/gos-6/en/scanning.html#description-of-scanner-preferences

3 Likes

Looks like these clocks are failing to be detected as VxWorks. For some reason, the ICMP OS Fingerprinting is showing them as FreeBSD.

I wasn’t able to reproduce this:

$ openvas-nasl -X -B -d -t xxx telnet.nasl telnetserver_detect_type_nd_version.nasl sw_telnet_os_detection.nasl os_detection.nasl

Best matching OS:

OS:           Wind River VxWorks
CPE:          cpe:/o:windriver:vxworks
Found by NVT: 1.3.6.1.4.1.25623.1.0.111069 (Telnet OS Identification)
Concluded from Telnet banner on port 23/tcp:       VxWorks login:
Setting key "Host/runs_unixoide" based on this information

This observation might be a side-effect of the instability of the service.

Yes, this could always happen. The ICMP OS Fingerprinting is the most unreliable one and is only running / reporting if no other OS detection was possible.

2 Likes

Yeah, these things are super-sketch. Here’s what O/S detection finds.

# openvas-nasl -X -B -d -t 10.19.30.50 telnet.nasl telnetserver_detect_type_nd_version.nasl sw_telnet_os_detection.nasl os_detection.nasl
lib misc-Message: 08:07:04.608: set key Host/runs_unixoide -> 1
No Best matching OS identified. Please see the NVT 'Unknown OS and Service Banner Reporting' (OID: 1.3.6.1.4.1.25623.1.0.108441) for possible ways to identify this OS.

I suspect that fragility is being caused by a session limit. When I manually attempted two simultaneous telnet connections, it said “Sorry, session limit reached”.

Incidentally, O/S detection works with a fixed ftpd_no_cmd.nasl. Instead of using the telnet banner or ICMP for O/S detection, it properly detects it as VxWorks from the FTP banner. Here’s a reference to the changes I tested for ftpd_no_cmd.nasl: Ftpd_no_cmd.nasl

1 Like
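Two things in this thread are hard to exercise against a real clock: the prompt-driven exchange the posted NASL script depends on (“VxWorks login:”, “Password:”, then the “->” shell prompt on success), and the device’s fragility (one session at a time, slow or absent responses). The following Python is an added example, not code from the original posts or from the Greenbone feed: a local, hypothetical mock of the device’s telnet service that enforces a single session and an optional delay, plus a client that drives the same exchange over one connection and classifies the outcome. The prompt strings, the “Login incorrect” text and the session-limit message are constructed assumptions modelled on what the thread reports, not captured Kronos firmware output; the mock binds an ephemeral loopback port so everything runs offline.

```python
import socket
import threading
import time

# Constructed prompt strings modelled on the thread's reports (assumptions, not captured firmware output).
LOGIN_PROMPT = b"\r\nVxWorks login: "
PASSWORD_PROMPT = b"Password: "
SHELL_PROMPT = b"\r\n-> "
LOGIN_FAILED = b"\r\nLogin incorrect\r\n"
SESSION_LIMIT_MSG = b"Sorry, session limit reached\r\n"

class MockVxWorksTelnet:
    """Hypothetical local stand-in for the device's telnet service: one interactive
    session at a time and an optional delay before the first prompt."""

    def __init__(self, user, password, delay=0.0):
        self.user, self.password, self.delay = user.encode(), password.encode(), delay
        self._slot = threading.Semaphore(1)             # the device's only session
        self._srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._srv.bind(("127.0.0.1", 0))                # loopback, ephemeral port
        self._srv.listen(5)
        self.port = self._srv.getsockname()[1]
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while True:
            try:
                conn, _ = self._srv.accept()
            except OSError:                              # listening socket closed
                return
            threading.Thread(target=self._handle, args=(conn,), daemon=True).start()

    def _handle(self, conn):
        if not self._slot.acquire(blocking=False):      # a second concurrent session
            with conn:
                conn.sendall(SESSION_LIMIT_MSG)
            return
        rf = conn.makefile("rb")                         # line reader for the client's input
        try:
            time.sleep(self.delay)
            conn.sendall(LOGIN_PROMPT)
            user = rf.readline().strip()
            conn.sendall(PASSWORD_PROMPT)
            password = rf.readline().strip()
            ok = (user, password) == (self.user, self.password)
            conn.sendall(SHELL_PROMPT if ok else LOGIN_FAILED)   # "->" is the VxWorks shell prompt
        except OSError:
            pass
        finally:
            conn.close()
            self._slot.release()

    def close(self):
        self._srv.close()

def _recv_until(sock, markers):
    """Read until one of the marker byte strings appears or the peer closes."""
    buf = b""
    while not any(m in buf for m in markers):
        chunk = sock.recv(1024)
        if not chunk:
            break
        buf += chunk
    return buf

def check_default_login(host, port, user, password, timeout=5.0):
    """Drive the NASL script's prompt sequence over a single connection and return
    'vulnerable', 'not_vulnerable', 'session_limit' or 'timeout'."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            banner = _recv_until(s, (b"login:", b"session limit"))
            if b"session limit" in banner:
                return "session_limit"
            s.sendall(user.encode() + b"\r\n")
            if b"Password:" not in _recv_until(s, (b"Password:",)):
                return "not_vulnerable"
            s.sendall(password.encode() + b"\r\n")
            reply = _recv_until(s, (b"->", b"incorrect"))
            return "vulnerable" if b"->" in reply else "not_vulnerable"
    except socket.timeout:
        return "timeout"

def demo():
    """Exercise the situations the thread describes against the mock."""
    mock = MockVxWorksTelnet("SuperUser", "2323098716")
    host, port, results = "127.0.0.1", mock.port, {}
    for name, pw in (("default_creds", "2323098716"), ("changed_password", "changed")):
        results[name] = check_default_login(host, port, "SuperUser", pw)
        time.sleep(0.1)                                  # let the mock free its session slot
    holder = socket.create_connection((host, port), timeout=5)   # occupy the only session
    _recv_until(holder, (b"login:",))
    results["second_session"] = check_default_login(host, port, "SuperUser", "2323098716")
    holder.close()
    mock.close()
    slow = MockVxWorksTelnet("SuperUser", "2323098716", delay=2.0)  # prompt arrives too late
    results["slow_device"] = check_default_login(host, slow.port, "SuperUser", "x", timeout=0.5)
    slow.close()
    return results
```

Running `demo()` yields `vulnerable` for the unchanged default, `not_vulnerable` once the password differs, `session_limit` for a probe that arrives while another session is open, and `timeout` when the prompt is slower than the client is willing to wait. The last two outcomes are exactly the cases a full scan runs into when several VTs hit the device at once, which is why the scanner preferences mentioned above (serialising the port and spacing requests) matter more for this device than the check logic itself.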