PageRenderTime 50ms CodeModel.GetById 22ms RepoModel.GetById 0ms app.codeStats 0ms

/nselib/data/http-default-accounts-fingerprints.lua

https://github.com/prakashgamit/nmap
Lua | 252 lines | 181 code | 15 blank | 56 comment | 12 complexity | 1e4835611d99bf6ded2141234a74d016 MD5 | raw file
Possible License(s): BSD-3-Clause, GPL-2.0, LGPL-2.0, LGPL-2.1 
    

  1. local http = require "http"
    2. 

  2. local table = require "table"
    3. 

  3. local url = require "url"
    4. 

  4. 

  5. ---
    6. 

  6. -- http-default-accounts-fingerprints.lua
    7. 

  7. -- This file contains fingerprint data for http-default-accounts.nse
    8. 

  8. --
    9. 

  9. -- STRUCTURE:
    10. 

  10. -- * <code>name</code> - Descriptive name
    11. 

  11. -- * <code>category</code> - Category
    12. 

  12. -- * <code>login_combos</code>
    13. 

  13. ---- * <code>username</code> - Default username
    14. 

  14. ---- * <code>password</code> - Default password
    15. 

  15. -- * <code>paths</code> - Paths table containing the possible location of the target
    16. 

  16. -- * <code>target_check</code> - Validation function of the target (optional)
    17. 

  17. -- * <code>login_check</code> - Login function of the target
    18. 

  18. --
    19. 

  19. -- TODO: Update the functionality of <code>target_check</code> to differentiate 
    20. 

  20. --       between valid HTTP/200 and a custom error page.
    21. 

  21. ---
    22. 

  22. 

  23. ---
    24. 

  24. -- Requests given path using basic authentication.
    25. 

  25. -- @param host Host table
    26. 

  26. -- @param port Port table
    27. 

  27. -- @param path Path to request
    28. 

  28. -- @param user Username for Basic Auth
    29. 

  29. -- @param pass Password for Basic Auth
    30. 

  30. -- @param digest_auth Digest Authentication
    31. 

  31. -- @return True if login in was successful
    32. 

  32. ---
    33. 

  33. local function try_http_basic_login(host, port, path, user, pass, digest_auth)
    34. 

  34.     local credentials = {username = user, password = pass, digest = digest_auth}
    35. 

  35.     local req = http.get(host, port, path, {no_cache=true, auth=credentials, redirect_ok = false})
    36. 

  36.     if req.status and req.status ~= 401 and req.status ~= 403 then
    37. 

  37.       return true
    38. 

  38.     end
    39. 

  39.     return false
    40. 

  40. end
    41. 

  41. 

  42. ---
    43. 

  43. -- Tries to login with a http post, if the FAIL string is not found
    44. 

  44. -- we assume login in was successful
    45. 

  45. -- @param host Host table
    46. 

  46. -- @param port Port table
    47. 

  47. -- @param target Target file
    48. 

  48. -- @param failstr String shown when login in fails
    49. 

  49. -- @param params Post parameters
    50. 

  50. -- @param follow_redirects True if you want redirects to be followed
    51. 

  51. -- @return True if login in was successful
    52. 

  52. ---
    53. 

  53. local function try_http_post_login(host, port, path, target, failstr, params, follow_redirects)
    54. 

  54.     local req = http.post(host, port, url.absolute(path, target), {no_cache=true}, nil, params)
    55. 

  55.     
    56. 

  56.     if not req.status then return false end
    57. 

  57.     local status = tonumber(req.status) or 0
    58. 

  58.     if follow_redirects and ( status > 300 and status < 400 ) then
    59. 

  59.       req = http.get(host, port, url.absolute(path, req.header.location), { no_cache = true, redirect_ok = false })
    60. 

  60.     end
    61. 

  61.     if req.status and req.status ~= 404 and not(http.response_contains(req, failstr)) then
    62. 

  62.       return true
    63. 

  63.     end
    64. 

  64.     return false
    65. 

  65. end
    66. 

  66. 

  67. ---
    68. 

  68. -- Returns authentication realm advertised in an HTTP response
    69. 

  69. -- @param response HTTP response object, such as a result from http.get()
    70. 

  70. -- @return realm found in response header WWW-Authenticate
    71. 

  71. --               (or nil if not present) 
    72. 

  72. ---
    73. 

  73. local function http_auth_realm(response)
    74. 

  74.     local auth = response.header["www-authenticate"] or ""
    75. 

  75.     return auth:match('%srealm="([^"]*)')
    76. 

  76. end
    77. 

  77. 

  78. fingerprints = {}
    79. 

  79. 

  80. ---
    81. 

  81. --WEB
    82. 

  82. ---
    83. 

  83. table.insert(fingerprints, {
    84. 

  84.   name = "Cacti",
    85. 

  85.   category = "web",
    86. 

  86.   paths = {
    87. 

  87.     {path = "/cacti/"}
    88. 

  88.   },
    89. 

  89.   target_check = function (host, port, path, response)
    90. 

  90.     return response.status == 200
    91. 

  91.   end,
    92. 

  92.   login_combos = {
    93. 

  93.     {username = "admin", password = "admin"}
    94. 

  94.   },
    95. 

  95.   login_check = function (host, port, path, user, pass)
    96. 

  96.     return try_http_post_login(host, port, path, "index.php", "Invalid User Name/Password", {action="login", login_username=user, login_password=pass}, false)
    97. 

  97.   end
    98. 

  98. })
    99. 

  99. 

  100. table.insert(fingerprints, {
    101. 

  101.   name = "Apache Tomcat",
    102. 

  102.   category = "web",
    103. 

  103.   paths = {
    104. 

  104.     {path = "/manager/html/"},
    105. 

  105.     {path = "/tomcat/manager/html/"}
    106. 

  106.   },
    107. 

  107.   target_check = function (host, port, path, response)
    108. 

  108.     return http_auth_realm(response) == "Tomcat Manager Application"
    109. 

  109.   end,
    110. 

  110.   login_combos = {
    111. 

  111.     {username = "tomcat", password = "tomcat"},
    112. 

  112.     {username = "admin", password = "admin"},
    113. 

  113. 	-- http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-4189
    114. 

  114. 	{username = "ovwebusr", password = "OvW*busr1"},
    115. 

  115. 	-- http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-4188
    116. 

  116. 	{username = "j2deployer", password = "j2deployer"}
    117. 

  117.   },
    118. 

  118.   login_check = function (host, port, path, user, pass)
    119. 

  119.     return try_http_basic_login(host, port, path, user, pass, false)
    120. 

  120.   end
    121. 

  121. })
    122. 

  122. 

  123. table.insert(fingerprints, {
    124. 

  124.   name = "Apache Axis2",
    125. 

  125.   category = "web",
    126. 

  126.   paths = {
    127. 

  127.     {path = "/axis2/axis2-admin/"}
    128. 

  128.   },
    129. 

  129.   target_check = function (host, port, path, response)
    130. 

  130.     return response.status == 200
    131. 

  131.   end,
    132. 

  132.   login_combos = {
    133. 

  133.     {username = "admin", password = "axis2"}
    134. 

  134.   },
    135. 

  135.   login_check = function (host, port, path, user, pass)
    136. 

  136.     return try_http_post_login(host, port, path, "login", "Invalid auth credentials!", {submit="+Login+", userName=user, password=pass})
    137. 

  137.   end
    138. 

  138. })
    139. 

  139. ---
    140. 

  140. --ROUTERS
    141. 

  141. ---
    142. 

  142. table.insert(fingerprints, {
    143. 

  143.   name = "Arris 2307",
    144. 

  144.   category = "routers",
    145. 

  145.   paths = {
    146. 

  146.     {path = "/logo_t.gif"}
    147. 

  147.   },
    148. 

  148.   target_check = function (host, port, path, response)
    149. 

  149.     return response.status == 200
    150. 

  150.   end,
    151. 

  151.   login_combos = {
    152. 

  152.     {username = "", password = ""}
    153. 

  153.   },
    154. 

  154.   login_check = function (host, port, path, user, pass)
    155. 

  155.     return try_http_post_login(host, port, path, "login.cgi", "Login Error !!", {action="submit", page="", logout="", pws=pass})
    156. 

  156.   end
    157. 

  157. })
    158. 

  158. 

  159. table.insert(fingerprints, {
    160. 

  160.   name = "Cisco IOS",
    161. 

  161.   category = "routers",
    162. 

  162.   paths = {
    163. 

  163.     {path = "/exec/show/log/CR"},
    164. 

  164.     {path = "/level/15/exec/-/configure/http"},
    165. 

  165.     {path = "/level/15/exec/-"},
    166. 

  166.     {path = "/level/15/"}
    167. 

  167.   },
    168. 

  168.   target_check = function (host, port, path, response)
    169. 

  169.     local realm = http_auth_realm(response) or ""
    170. 

  170.     -- Exact PCRE: "^level 15?( or view)? access$"
    171. 

  171.     return realm:gsub("_"," "):find("^level 15? .*access$")
    172. 

  172.   end,
    173. 

  173.   login_combos = {
    174. 

  174.     {username = "", password = ""},
    175. 

  175.     {username = "cisco", password = "cisco"}
    176. 

  176.   },
    177. 

  177.   login_check = function (host, port, path, user, pass)
    178. 

  178.     return try_http_basic_login(host, port, path, user, pass, false)
    179. 

  179.   end
    180. 

  180. })
    181. 

  181. 

  182. table.insert(fingerprints, {
    183. 

  183.   name = "Cisco WAP200",
    184. 

  184.   category = "routers",
    185. 

  185.   paths = {
    186. 

  186.     {path = "/StatusLan.htm"}
    187. 

  187.   },
    188. 

  188.   target_check = function (host, port, path, response)
    189. 

  189.     return http_auth_realm(response) == "Linksys WAP200"
    190. 

  190.   end,
    191. 

  191.   login_combos = {
    192. 

  192.     {username = "admin", password = "admin"}
    193. 

  193.   },
    194. 

  194.   login_check = function (host, port, path, user, pass)
    195. 

  195.     return try_http_basic_login(host, port, path, user, pass, false)
    196. 

  196.   end
    197. 

  197. })
    198. 

  198. 

  199. table.insert(fingerprints, {
    200. 

  200.   name = "Cisco WAP55AG",
    201. 

  201.   category = "routers",
    202. 

  202.   paths = {
    203. 

  203.     {path = "/WPA_Preshared.asp"}
    204. 

  204.   },
    205. 

  205.   target_check = function (host, port, path, response)
    206. 

  206.     return http_auth_realm(response) == "Linksys WAP55AG"
    207. 

  207.   end,
    208. 

  208.   login_combos = {
    209. 

  209.     {username = "", password = "admin"}
    210. 

  210.   },
    211. 

  211.   login_check = function (host, port, path, user, pass)
    212. 

  212.     return try_http_basic_login(host, port, path, user, pass, false)
    213. 

  213.   end
    214. 

  214. })
    215. 

  215. 

  216. table.insert(fingerprints, {
    217. 

  217.   name = "Nortel VPN Router",
    218. 

  218.   category = "routers",
    219. 

  219.   paths = {
    220. 

  220.     {path = "/manage/bdy_sys.htm"}
    221. 

  221.   },
    222. 

  222.   target_check = function (host, port, path, response)
    223. 

  223.     return http_auth_realm(response) == "Management(1)"
    224. 

  224.   end,
    225. 

  225.   login_combos = {
    226. 

  226.     {username = "admin", password = "setup"}
    227. 

  227.   },
    228. 

  228.   login_check = function (host, port, path, user, pass)
    229. 

  229.     return try_http_basic_login(host, port, path, user, pass, false)
    230. 

  230.   end
    231. 

  231. })
    232. 

  232. 

  233. ---
    234. 

  234. --Digital recorders
    235. 

  235. ---
    236. 

  236. table.insert(fingerprints, {
    237. 

  237.   name = "Digital Sprite 2",
    238. 

  238.   category = "security",
    239. 

  239.   paths = {
    240. 

  240.     {path = "/frmpages/index.html"}
    241. 

  241.   },
    242. 

  242.   target_check = function (host, port, path, response)
    243. 

  243.     return http_auth_realm(response) == "WebPage Configuration"
    244. 

  244.   end,
    245. 

  245.   login_combos = {
    246. 

  246.     {username = "dm", password = "web"}
    247. 

  247.   },
    248. 

  248.   login_check = function (host, port, path, user, pass)
    249. 

  249.     return try_http_basic_login(host, port, path, user, pass, true)
    250. 

  250.   end
    251. 

  251. })
    252. 

  252. 

  253.