diff options
Diffstat (limited to 'nselib/data/http-default-accounts-fingerprints.lua')
| -rw-r--r-- | nselib/data/http-default-accounts-fingerprints.lua | 1738 |
1 files changed, 1738 insertions, 0 deletions
diff --git a/nselib/data/http-default-accounts-fingerprints.lua b/nselib/data/http-default-accounts-fingerprints.lua new file mode 100644 index 0000000..c5a5030 --- /dev/null +++ b/nselib/data/http-default-accounts-fingerprints.lua @@ -0,0 +1,1738 @@ +local base64 = require "base64" +local http = require "http" +local json = require "json" +local math = require "math" +local shortport = require "shortport" +local stdnse = require "stdnse" +local table = require "table" +local tableaux = require "tableaux" +local url = require "url" +local have_openssl, openssl = pcall(require, 'openssl') + +--- +-- http-default-accounts-fingerprints.lua +-- This file contains fingerprint data for http-default-accounts.nse +-- +-- STRUCTURE: +-- * <code>name</code> - Descriptive name +-- * <code>cpe</code> - Official CPE Dictionary entry (optional) +-- * <code>category</code> - Category +-- * <code>login_combos</code> - Table of default credential pairs +---- * <code>username</code> +---- * <code>password</code> +-- * <code>paths</code> - Table of likely locations (paths) of the target +-- * <code>target_check</code> - Validation function of the target (optional) +-- * <code>login_check</code> - Login function of the target +--- + +--- +-- Requests given path using http.get() but disabling cache and redirects. +-- @param host The host to connect to +-- @param port The port to connect to +-- @param path The path to retrieve +-- @param options [optional] A table of HTTP request options +-- @return A response table (see library http.lua for description) +--- +local function http_get_simple (host, port, path, options) + local opts = tableaux.tcopy(options or {}) + opts.bypass_cache = true + opts.no_cache = true + opts.redirect_ok = false + return http.get(host, port, path, opts) +end + +--- +-- Requests given path using http.post() but disabling cache and redirects. +-- (The current implementation of http.post() does not use either; this is +-- a defensive wrapper to guard against future problems.) +-- @param host The host to connect to +-- @param port The port to connect to +-- @param path The path to retrieve +-- @param options [optional] A table of HTTP request options +-- @param postdata A string or a table of data to be posted +-- @return A response table (see library http.lua for description) +--- +local function http_post_simple (host, port, path, options, postdata) + local opts = tableaux.tcopy(options or {}) + opts.no_cache = true + opts.redirect_ok = false + return http.post(host, port, path, opts, nil, postdata) +end + +--- +-- Requests given path using basic authentication. +-- @param host Host table +-- @param port Port table +-- @param path Path to request +-- @param user Username for Basic Auth +-- @param pass Password for Basic Auth +-- @param digest_auth Digest Authentication +-- @return True if login in was successful +--- +local function try_http_basic_login(host, port, path, user, pass, digest_auth) + local credentials = {username = user, password = pass, digest = digest_auth} + local resp = http_get_simple(host, port, path, {auth=credentials}) + return resp.status + and resp.status ~= 400 + and resp.status ~= 401 + and resp.status ~= 403 + and resp.status ~= 404 +end + +--- +-- Tries to login with a http post, if the FAIL string is not found +-- we assume login in was successful +-- @param host Host table +-- @param port Port table +-- @param target Target file +-- @param failstr String shown when login in fails +-- @param params Post parameters +-- @param follow_redirects True if you want redirects to be followed +-- @return True if login in was successful +--- +local function try_http_post_login(host, port, path, target, failstr, params, follow_redirects) + local resp = http_post_simple(host, port, url.absolute(path, target), nil, params) + if not resp.status then return false end + local status = tonumber(resp.status) or 0 + if follow_redirects and ( status > 300 and status < 400 ) then + resp = http_get_simple(host, port, url.absolute(path, resp.header.location)) + end + if resp.status and resp.status ~= 404 and not(http.response_contains(resp, failstr)) then + return true + end + return false +end + +--- +-- Returns authentication realm advertised in an HTTP response +-- @param response HTTP response object, such as a result from http.get() +-- @return realm found in response header WWW-Authenticate +-- (or nil if not present) +--- +local function http_auth_realm(response) + local auth = response.header["www-authenticate"] or "" + return auth:match('%srealm%s*=%s*"([^"]*)') +end + +--- +-- Tests whether an HTTP response sets a named cookie with a given value +-- @param response a standard HTTP response object +-- @param name a case-insensitive cookie name that must be set +-- @param pattern to validate the cookie value +-- @return cookie value if such a cookie is found +--- +local function sets_cookie(response, name, pattern) + name = name:lower() + for _, ck in ipairs(response.cookies or {}) do + if ck.name:lower() == name then + return (not pattern or ck.value:find(pattern)) and ck.value + end + end + return false +end + +--- +-- Generates default scheme, host, and port components for a parsed URL. +-- +-- This filter function generates the scheme, host, and port components from +-- the standard <code>host</code> and <code>port</code> script objects. These +-- components can then be passed onto function <code>url.build</code>. +-- +-- As an example, the following code generates a URL for path "/test/" +-- on the current host and port: +-- <code> +-- local testurl = url.build(url_build_defaults(host, port, {path = "/test/"})) +-- </code> +-- or, alternatively, when not used as a filter: +-- <code> +-- local parsed = url_build_defaults(host, port) +-- parsed.path = "/test/" +-- local testurl = url.build(parsed) +-- </code> +-- +-- @param host The host the URL is intended for. +-- @param port The port the URL is intended for. +-- @param parsed Parsed URL, as typically returned by <code>url.parse</code>, +-- or nil. The table can be be missing the scheme, host, and port components. +-- @return A clone of the parsed URL, with any missing scheme, host, and port +-- components added. +-- @see url.parse +-- @see url.build +--- +local function url_build_defaults (host, port, parsed) + local parts = tableaux.tcopy(parsed or {}) + parts.host = parts.host or stdnse.get_hostname(host, port) + parts.scheme = parts.scheme or shortport.ssl(host, port) and "https" or "http" + if not parts.port and port.number ~= url.get_default_port(parts.scheme) then + parts.port = port.number + end + return parts +end + +--- +-- Encodes a string to make it safe for embedding into XML/HTML. +-- +-- @param s The string to be encoded. +-- @return A string with unsafe characters encoded +--- +local function xmlencode (s) + return s:gsub("%W", function (c) return ("&#x%x;"):format(c:byte()) end) +end + +fingerprints = {} + +--- +--WEB +--- +table.insert(fingerprints, { + -- Version 0.8.8a + name = "Cacti", + cpe = "cpe:/a:cacti:cacti", + category = "web", + paths = { + {path = "/"}, + {path = "/cacti/"} + }, + target_check = function (host, port, path, response) + return response.status == 200 + and (sets_cookie(response, "Cacti") or sets_cookie(response, "CactiEZ")) + end, + login_combos = { + {username = "admin", password = "admin"} + }, + login_check = function (host, port, path, user, pass) + return try_http_post_login(host, port, path, "index.php", + "%sname%s*=%s*(['\"]?)login_password%1[%s>]", + {action="login", login_username=user, login_password=pass}) + end +}) + +table.insert(fingerprints, { + -- Version 2.0.6 + name = "Zabbix", + cpe = "cpe:/a:zabbix:zabbix", + category = "web", + paths = { + {path = "/zabbix/"} + }, + target_check = function (host, port, path, response) + return response.status == 200 and sets_cookie(response, "zbx_sessionid") + end, + login_combos = { + {username = "admin", password = "zabbix"} + }, + login_check = function (host, port, path, user, pass) + local resp = http_post_simple(host, port, url.absolute(path, "index.php"), nil, + {request="", name=user, password=pass, enter="Sign in"}) + return resp.status == 302 and resp.header["location"] == "dashboard.php" + end +}) + +table.insert(fingerprints, { + -- Version 0.7, 1.0.1 + name = "Xplico", + category = "web", + paths = { + {path = "/"} + }, + target_check = function (host, port, path, response) + return response.status == 302 and sets_cookie(response, "Xplico") + end, + login_combos = { + {username = "admin", password = "xplico"}, + {username = "xplico", password = "xplico"} + }, + login_check = function (host, port, path, user, pass) + local lurl = url.absolute(path, "users/login") + -- harvest all hidden fields from the login form + local resp1 = http_get_simple(host, port, lurl) + if resp1.status ~= 200 then return false end + local html = (resp1.body or ""):match('<form%s+action%s*=%s*"[^"]*/users/login".->(.-)</form>') + if not html then return false end + local form = {} + for n, v in html:gmatch('<input%s+type%s*=%s*"hidden"%s+name%s*=%s*"(.-)"%s+value%s*=%s*"(.-)"') do + form[n] = v + end + -- add username and password to the form and submit it + form["data[User][username]"] = user + form["data[User][password]"] = pass + local resp2 = http_post_simple(host, port, lurl, {cookies=resp1.cookies}, form) + local loc = resp2.header["location"] or "" + return resp2.status == 302 + and (loc:find("/admins$") or loc:find("/pols/index$")) + end +}) + +table.insert(fingerprints, { + --Version 5.3.1.1944 on EH6000 + name = "ExtraHop Web UI", + category = "web", + paths = { + {path = "/extrahop/"} + }, + target_check = function (host, port, path, response) + return response.status == 200 + and response.body + and response.body:find("csrfmiddlewaretoken", 1, true) + and response.body:lower():find("<title>extrahop login", 1, true) + end, + login_combos = { + {username = "admin", password = "admin"} + }, + login_check = function (host, port, path, user, pass) + -- obtain cookies and a CSRF token + local resp1 = http_get_simple(host, port, path) + if not (resp1.status == 200 and resp1.body) then return false end + local tname, tvalue = resp1.body:match("<input%s+type%s*=%s*'hidden'%s+name%s*=%s*'(csrfmiddlewaretoken)'%s+value%s*=%s*'(.-)'") + if not tname then return false end + local form = {[tname]=tvalue, + next=path, + username=user, + password=pass} + -- Referer header is mandatory + local header = {["Referer"]=url.build(url_build_defaults(host, port, {path=path}))} + local resp2 = http_post_simple(host, port, path, + {cookies=resp1.cookies, header=header}, form) + return resp2.status == 302 + and (resp2.header["location"] or ""):find("/extrahop/$") + end +}) + +table.insert(fingerprints, { + -- Version 3.2.3, 3.4.4, 4.0.8 + name = "Nagios", + cpe = "cpe:/a:nagios:nagios", + category = "web", + paths = { + {path = "/"}, + {path = "/nagios/"} + }, + target_check = function (host, port, path, response) + return http_auth_realm(response) == "Nagios Access" + end, + login_combos = { + {username = "nagiosadmin", password = "nagios"}, + {username = "nagiosadmin", password = "nagiosadmin"}, + -- IBM PurePower Integrated Manager + {username = "nagiosadmin", password = "PASSW0RD"}, + -- CactiEZ + {username = "nagiosadmin", password = "CactiEZ"} + }, + login_check = function (host, port, path, user, pass) + return try_http_basic_login(host, port, path, user, pass, false) + end +}) + +table.insert(fingerprints, { + -- Version 3.1.1, 4.0.2, 4.1.2 + name = "Grafana", + category = "web", + paths = { + {path = "/"} + }, + target_check = function (host, port, path, response) + return response.status == 302 and sets_cookie(response, "grafana_sess") + end, + login_combos = { + {username = "admin", password = "admin"} + }, + login_check = function (host, port, path, user, pass) + local header = {["Accept"] = "application/json, text/plain, */*", + ["Content-Type"] = "application/json;charset=utf-8"} + local jin = {user=user, email="", password=pass} + json.make_object(jin) + local resp = http_post_simple(host, port, url.absolute(path, "login"), + {header=header}, json.generate(jin)) + return resp.status == 200 and sets_cookie(resp, "grafana_user") == user + end +}) + +table.insert(fingerprints, { + -- Version 8.1, 9.2, 10.3.4, 10.3.6, 12.1.2 + name = "WebLogic Server Console", + cpe = "cpe:/a:bea:weblogic_server", + category = "web", + paths = { + {path = "/console/"} + }, + target_check = function (host, port, path, response) + return response.status == 302 + and (response.header["location"] or ""):find("/console/login/LoginForm%.jsp%f[;\0]") + end, + login_combos = { + -- WebLogic 9.x + {username = "weblogic", password = "weblogic"}, + -- WebLogic 10.x, 12.x + {username = "weblogic", password = "weblogic1"}, + {username = "weblogic", password = "welcome1"}, + -- Adobe LiveCycle ES + {username = "weblogic", password = "password"}, + -- PeopleSoft + {username = "system", password = "Passw0rd"} + }, + login_check = function (host, port, path, user, pass) + local resp = http_post_simple(host, port, + url.absolute(path, "j_security_check"), nil, + {j_username=user,j_password=pass,j_character_encoding="UTF-8"}) + -- WebLogic 8.x, 9.x + if resp.status == 403 then return false end + -- WebLogic 10.x, 12.x + if resp.status == 302 + and (resp.header["location"] or ""):find("/console/login/LoginForm%.jsp$") then + return false + end + return true + end +}) + +table.insert(fingerprints, { + name = "Apache Tomcat", + cpe = "cpe:/a:apache:tomcat", + category = "web", + paths = { + {path = "/manager/html/"}, + {path = "/manager/status/"}, + {path = "/manager/text/"}, + {path = "/tomcat/manager/html/"}, + {path = "/tomcat/manager/status/"}, + {path = "/tomcat/manager/text/"}, + {path = "/cognos_express/manager/html/"} + }, + target_check = function (host, port, path, response) + return http_auth_realm(response) == "Tomcat Manager Application" + end, + login_combos = { + {username = "tomcat", password = "tomcat"}, + {username = "admin", password = "admin"}, + -- https://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-3548 + {username = "admin", password = ""}, + -- https://github.com/seshendra/vagrant-ubuntu-tomcat7/ + {username = "admin", password = "tomcat"}, + -- https://github.com/apache/tomcat/blob/2b8f9665dbfb89c78878784cd9b63d2b976ba623/webapps/manager/WEB-INF/jsp/403.jsp#L66 + {username = "tomcat", password = "s3cret"}, + -- https://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-4094 + {username = "ADMIN", password = "ADMIN"}, + -- https://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-4189 + {username = "ovwebusr", password = "OvW*busr1"}, + -- https://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-4188 + {username = "j2deployer", password = "j2deployer"}, + -- https://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-0557 + {username = "cxsdk", password = "kdsxc"}, + -- XAMPP https://www.apachefriends.org/index.html + {username = "xampp", password = "xampp"}, + -- QLogic QConvergeConsole http://www.qlogic.com/ + {username = "QCC", password = "QLogic66"}, + -- HAPI FHIR http://hapifhir.io/ + {username = "fhir", password = "FHIRDefaultPassword"} + }, + login_check = function (host, port, path, user, pass) + return try_http_basic_login(host, port, path, user, pass, false) + end +}) + +table.insert(fingerprints, { + name = "Apache Tomcat Host Manager", + cpe = "cpe:/a:apache:tomcat", + category = "web", + paths = { + {path = "/host-manager/html/"}, + {path = "/host-manager/text/"}, + {path = "/tomcat/host-manager/html/"}, + {path = "/tomcat/host-manager/text/"} + }, + target_check = function (host, port, path, response) + return http_auth_realm(response) == "Tomcat Host Manager Application" + end, + login_combos = { + {username = "tomcat", password = "tomcat"}, + {username = "admin", password = "admin"}, + -- https://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-3548 + {username = "admin", password = ""}, + -- https://github.com/seshendra/vagrant-ubuntu-tomcat7/ + {username = "admin", password = "tomcat"}, + -- https://github.com/apache/tomcat/blob/2b8f9665dbfb89c78878784cd9b63d2b976ba623/webapps/manager/WEB-INF/jsp/403.jsp#L66 + {username = "tomcat", password = "s3cret"}, + -- https://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-4094 + {username = "ADMIN", password = "ADMIN"}, + -- https://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-4189 + {username = "ovwebusr", password = "OvW*busr1"}, + -- https://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-4188 + {username = "j2deployer", password = "j2deployer"}, + -- https://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-0557 + {username = "cxsdk", password = "kdsxc"}, + -- XAMPP https://www.apachefriends.org/index.html + {username = "xampp", password = "xampp"}, + -- QLogic QConvergeConsole http://www.qlogic.com/ + {username = "QCC", password = "QLogic66"}, + -- HAPI FHIR http://hapifhir.io/ + {username = "fhir", password = "FHIRDefaultPassword"} + }, + login_check = function (host, port, path, user, pass) + return try_http_basic_login(host, port, path, user, pass, false) + end +}) + +table.insert(fingerprints, { + name = "Apache Felix OSGi Management Console", + category = "web", + paths = { + {path = "/system/console"}, + {path = "/lc/system/console"} + }, + target_check = function (host, port, path, response) + return http_auth_realm(response) == "OSGi Management Console" + end, + login_combos = { + {username = "admin", password = "admin"}, + {username = "karaf", password = "karaf"}, + {username = "smx", password = "smx"} + }, + login_check = function (host, port, path, user, pass) + return try_http_basic_login(host, port, path, user, pass, false) + end +}) + +table.insert(fingerprints, { + -- Version 1.4.1, 1.5.2, 1.5.3, 1.6.0, 1.6.1 + name = "Apache Axis2", + cpe = "cpe:/a:apache:axis2", + category = "web", + paths = { + {path = "/axis2/axis2-admin/"} + }, + target_check = function (host, port, path, response) + return response.status == 200 + and response.body + and response.body:lower():find("<title>login to axis2 :: administration page</title>", 1, true) + end, + login_combos = { + {username = "admin", password = "axis2"} + }, + login_check = function (host, port, path, user, pass) + local resp = http_post_simple(host, port, url.absolute(path, "login"), nil, + {userName=user,password=pass,submit=" Login "}) + return resp.status == 200 + and (resp.body or ""):lower():find("<a%s+href%s*=%s*(['\"])axis2%-admin/logout%1") + end +}) + +table.insert(fingerprints, { + name = "Plumtree Portal", + category = "web", + paths = { + {path = "/"} + }, + target_check = function (host, port, path, response) + return response.status == 302 + and (response.header["location"] or ""):find("/portal/server%.pt$") + end, + login_combos = { + {username = "Administrator", password = ""} + }, + login_check = function (host, port, path, user, pass) + local form = {in_hi_space="Login", + in_hi_spaceID="0", + in_hi_control="Login", + in_hi_dologin="true", + in_tx_username=user, + in_pw_userpass=pass, + in_se_authsource=""} + local resp = http_post_simple(host, port, + url.absolute(path, "portal/server.pt"), + nil, form) + return resp.status == 302 + and (resp.header["location"] or ""):find("/portal/server%.pt[;?]") + and sets_cookie(resp, "plloginoccured") == "true" + end +}) + +table.insert(fingerprints, { + -- Version 0.4.4.6.1 on SamuraiWTF 2.6, 0.4.7.0 on Kali 2016.2 + name = "BeEF", + category = "web", + paths = { + {path = "/ui/authentication/"} + }, + target_check = function (host, port, path, response) + return response.status == 200 + and response.body + and response.body:find("BeEF", 1, true) + and response.body:lower():find("<title>beef authentication</title>", 1, true) + end, + login_combos = { + {username = "beef", password = "beef"} + }, + login_check = function (host, port, path, user, pass) + local resp = http_post_simple(host, port, url.absolute(path, "login"), nil, + {["username-cfrm"]=user, ["password-cfrm"]=pass}) + return resp.status == 200 + and (resp.body or ""):find("{%s*success%s*:%s*true%s*}") + end +}) + +table.insert(fingerprints, { + name = "Pure Storage", + category = "web", + paths = { + {path = "/"} + }, + target_check = function (host, port, path, response) + return response.status == 200 + and response.body:find("<title>Pure Storage Login</title>", 1, true) + end, + login_combos = { + {username = "pureuser", password = "pureuser"} + }, + login_check = function (host, port, path, user, pass) + return try_http_post_login(host, port, path, "login", + "{%s*Welcome%s*:%s*Invalid%s*}", + {["username"]=user, ["password"]=pass}) + end +}) + +table.insert(fingerprints, { + name = "Active MQ", + category = "web", + paths = { + {path = "/admin"} + }, + target_check = function (host, port, path, response) + return http_auth_realm(response) == "ActiveMQRealm" + end, + login_combos = { + {username = "admin", password = "admin"} + }, + login_check = function (host, port, path, user, pass) + return try_http_basic_login(host, port, path, user, pass, false) + end +}) +--- +--ROUTERS +--- +table.insert(fingerprints, { + name = "Arris 2307", + category = "routers", + paths = { + {path = "/logo_t.gif"} + }, + login_combos = { + {username = "", password = ""} + }, + login_check = function (host, port, path, user, pass) + return try_http_post_login(host, port, path, "login.cgi", "Login Error !!", {action="submit", page="", logout="", pws=pass}) + end +}) + +table.insert(fingerprints, { + -- Version 12.2SE on Catalyst 3750, 3845, CBS3020, 12.3 on Aironet 1300 + name = "Cisco IOS", + cpe = "cpe:/o:cisco:ios", + category = "routers", + paths = { + {path = "/"}, + -- TODO: Remove these paths completely unless a bug gets filed (9/1/2016) + -- (The paths are likely redundant. "/" should be covering all the cases.) + -- {path = "/exec/show/log/CR"}, + -- {path = "/level/15/exec/-/configure/http"}, + -- {path = "/level/15/exec/-"}, + -- {path = "/level/15/"} + }, + target_check = function (host, port, path, response) + local realm = http_auth_realm(response) or "" + -- Exact PCRE: "^level 15?( or view)? access$" + return realm:gsub("_"," "):find("^level 15?%f[ ].* access$") + end, + login_combos = { + {username = "", password = ""}, + {username = "cisco", password = "cisco"}, + {username = "Cisco", password = "Cisco"} + }, + login_check = function (host, port, path, user, pass) + return try_http_basic_login(host, port, path, user, pass, false) + end +}) + +table.insert(fingerprints, { + -- Version (see below) + name = "Cisco Linksys", + cpe = "cpe:/h:linksys:*", + category = "routers", + paths = { + {path = "/"} + }, + target_check = function (host, port, path, response) + -- realm="Linksys WAP200", "Linksys WAP55AG", "Linksys E2000" + return (http_auth_realm(response) or ""):find("^Linksys %u[%u%d]+$") + end, + login_combos = { + -- WAP55AG, version 1.07.01 + -- E2000, version 1.0.03 (any username is valid) + {username = "", password = "admin"}, + -- WAP200, version 1.0.22 + {username = "admin", password = "admin"}, + }, + login_check = function (host, port, path, user, pass) + return try_http_basic_login(host, port, path, user, pass, false) + end +}) + +table.insert(fingerprints, { + -- Version ESIP-12-v302r125573-131230c_upc on EPC3925 + -- ES-16-E138-c3220r55103-150810 on EPC3928AD + name = "Cisco EPC39xx", + cpe = "cpe:/h:cisco:epc39*", + category = "routers", + paths = { + {path = "/"} + }, + target_check = function (host, port, path, response) + return response.status == 200 + and response.body + and response.body:find("Docsis", 1, true) + and response.body:find("window%.location%.href%s*=%s*(['\"])Docsis_system%.asp%1") + end, + login_combos = { + {username = "", password = ""}, + {username = "admin", password = "admin"} + }, + login_check = function (host, port, path, user, pass) + local form = {username_login=user, + password_login=pass, + LanguageSelect="en", + Language_Submit="0", + login="Log In"} + local resp = http_post_simple(host, port, + url.absolute(path, "goform/Docsis_system"), + nil, form) + local loc = resp.header["location"] or "" + return resp.status == 302 + and (loc:find("/Quick_setup%.asp$") or loc:find("/Administration%.asp$")) + end +}) + +table.insert(fingerprints, { + -- Version 1.0.1.3 on RT-N10U, RT-N66U + name = "ASUS RT", + cpe = "cpe:/h:asus:rt-*", + category = "routers", + paths = { + {path = "/"} + }, + target_check = function (host, port, path, response) + -- realm="RT-N10U", "RT-N66U" + return (http_auth_realm(response) or ""):find("^RT%-%u[%u%d]+$") + end, + login_combos = { + {username = "admin", password = "admin"} + }, + login_check = function (host, port, path, user, pass) + return try_http_basic_login(host, port, path, user, pass, false) + end +}) + +table.insert(fingerprints, { + -- Version 5.00.12 on F5D7234-4 + name = "Belkin G Wireless Router", + cpe = "cpe:/h:belkin:f5d7234-4", + category = "routers", + paths = { + {path = "/"} + }, + target_check = function (host, port, path, response) + return have_openssl + and response.status == 200 + and response.body + and response.body:find("setup_top.htm", 1, true) + and response.body:find("status.stm", 1, true) + end, + login_combos = { + {username = "", password = ""} + }, + login_check = function (host, port, path, user, pass) + local resp = http_post_simple(host, port, + url.absolute(path, "cgi-bin/login.exe"), nil, + -- this should be local time, not UTC + {totalMSec = stdnse.clock_ms()/1000, + pws = stdnse.tohex(openssl.md5(pass))}) + return resp.status == 302 + and (resp.header["location"] or ""):find("/index%.htm$") + end +}) + +table.insert(fingerprints, { + -- Version 1.00.12 on F9K1001 v1 + name = "Belkin N150", + cpe = "cpe:/h:belkin:n150_f9k1001", + category = "routers", + paths = { + {path = "/"} + }, + target_check = function (host, port, path, response) + return have_openssl + and response.status == 200 + and response.body + and response.body:find("Belkin", 1, true) + and response.body:find("isAPmode", 1, true) + and response.body:lower():find("showmenu.js", 1, true) + end, + login_combos = { + {username = "", password = ""} + }, + login_check = function (host, port, path, user, pass) + local form = {page="", + logout="", + action="submit", + pws=base64.enc(pass), + itsbutton1="Submit", + h_language="en", + is_parent_window="1"} + local resp = http_post_simple(host, port, url.absolute(path, "login.cgi"), + nil, form) + return resp.status == 200 + and resp.body + and resp.body:find("index.html", 1, true) + end +}) + +table.insert(fingerprints, { + -- Version H131-310CTU-C07_R01_4.5.5.27 + name = "Comtrend NexusLink-5631", + category = "routers", + paths = { + {path = "/"} + }, + target_check = function (host, port, path, response) + return http_auth_realm(response) == "DSL Router" + end, + login_combos = { + {username = "apuser", password = "apuser"}, + {username = "root", password = "12345"} + }, + login_check = function (host, port, path, user, pass) + return try_http_basic_login(host, port, path, user, pass, false) + end +}) + +table.insert(fingerprints, { + -- Version 1.0.1-00 on model 5554 + name = "Zoom ADSL X5", + category = "routers", + paths = { + {path = "/"} + }, + target_check = function (host, port, path, response) + return response.status == 301 + and (response.header["server"] or ""):find("^Nucleus/%d+%.") + and (response.header["location"] or ""):find("/hag/pages/home%.htm$") + end, + login_combos = { + {username = "admin", password = "zoomadsl"} + }, + login_check = function (host, port, path, user, pass) + return try_http_basic_login(host, port, + url.absolute(path, "hag/pages/home.htm"), + user, pass, false) + end +}) + +table.insert(fingerprints, { + -- Version 2.3, 2.4 on FVS318 + name = "Netgear ProSafe Firewall FVS318", + cpe = "cpe:/h:netgear:fvs318", + category = "routers", + paths = { + {path = "/"} + }, + target_check = function (host, port, path, response) + return response.status == 200 + and response.header["server"] == "Netgear" + and response.body + and response.body:lower():find("<frame%s+src%s*=%s*(['\"]?)top.html%1%s") + end, + login_combos = { + {username = "admin", password = "password"} + }, + login_check = function (host, port, path, user, pass) + return try_http_basic_login(host, port, url.absolute(path, "top.html"), + user, pass, false) + end +}) + +table.insert(fingerprints, { + -- Version 2.00.03, .05, .07, .08 on GS108Ev3, GS108PEv3 + name = "Netgear ProSafe Plus Switch", + cpe = "cpe:/h:netgear:gs108*", + category = "routers", + paths = { + {path = "/"} + }, + target_check = function (host, port, path, response) + return response.status == 200 + and response.body + and response.body:find("loginTData", 1, true) + and response.body:lower():find("<title>netgear ", 1, true) + end, + login_combos = { + {username = "", password = "password"} + }, + login_check = function (host, port, path, user, pass) + local resp = http_post_simple(host, port, url.absolute(path, "login.cgi"), + nil, {password=pass}) + return resp.status == 200 and sets_cookie(resp, "GS108SID", ".") + end +}) + +table.insert(fingerprints, { + -- AP6521, AP6522, AP7522, AP7532 + name = "Motorola AP", + category = "routers", + paths = { + {path = "/"} + }, + target_check = function (host, port, path, response) + return response.status == 200 + and (response.header["server"] or ""):find("^lighttpd/%d+%.") + and response.body + and response.body:lower():find("<title>motorola solutions</title>", 1, true) + end, + login_combos = { + {username = "admin", password = "motorola"} + }, + login_check = function (host, port, path, user, pass) + local form = {_dc = math.floor(stdnse.clock_ms()), + username = user, + password = pass} + local lurl = url.absolute(path, "rest.fcgi/services/rest/login?" .. url.build_query(form)) + local resp = http_get_simple(host, port, lurl) + if not (resp.status == 200 and resp.body) then return false end + local jstatus, jout = json.parse(resp.body) + return jstatus and jout.status + end +}) + +table.insert(fingerprints, { + -- Version 3.3.2, 4.3.1, 4.4.0, 4.4.1 on RFS6000 + name = "Motorola RF Switch", + category = "routers", + paths = { + {path = "/"} + }, + target_check = function (host, port, path, response) + return response.status == 200 + and (response.header["server"] or ""):find("^thttpd/%d+%.") + and response.body + and response.body:lower():find("<title>motorola wireless network management</title>", 1, true) + end, + login_combos = { + {username = "admin", password = "superuser"} + }, + login_check = function (host, port, path, user, pass) + local login = ("J20K34NMMT89XPIJ34S login %s %s"):format(stdnse.tohex(user), stdnse.tohex(pass)) + local lurl = url.absolute(path, "usmCgi.cgi/?" .. url.escape(login)) + local resp = http_get_simple(host, port, lurl) + return resp.status == 200 + and (resp.body or ""):find("^login 0 ") + end +}) + +table.insert(fingerprints, { + -- Version 3.4.5.1 on Aruba800 + name = "ArubaOS WebUI", + cpe = "cpe:/o:arubanetworks:arubaos", + category = "routers", + paths = { + {path = "/"} + }, + target_check = function (host, port, path, response) + return response.status == 401 + and response.body + and response.body:find("/images/arubalogo.gif", 1, true) + and response.body:find("/screens/wms/wms.login", 1, true) + end, + login_combos = { + {username = "admin", password = "admin"} + }, + login_check = function (host, port, path, user, pass) + local resp = http_post_simple(host, port, + url.absolute(path, "screens/wms/wms.login"), + nil, + {opcode="login", url="/", needxml="0", + uid=user, passwd=pass}) + return resp.status == 200 + and (resp.body or ""):find("/screens/wmsi/monitor.summary.html", 1, true) + end +}) + +table.insert(fingerprints, { + name = "Aruba AirWave", + cpe = "cpe:/a:arubanetworks:airwave", + category = "routers", + paths = { + {path = "/"} + }, + target_check = function (host, port, path, response) + return response.status == 401 + and response.body + and response.body:find("/noauth/theme/airwave/favicon.ico", 1, true) + and response.body:find("/api/user_prefs.json", 1, true) + end, + login_combos = { + {username = "admin", password = "admin"} + }, + login_check = function (host, port, path, user, pass) + return try_http_post_login(host, port, path, "LOGIN", + "403 Forbidden", + {credential_0=user, credential_1=pass, + destination=url.absolute(path, "index.html")}) + end +}) + +table.insert(fingerprints, { + -- Version 08.05.100 on NVR 1750D + name = "Nortel VPN Router", + cpe = "cpe:/h:nortel:vpn_router_*", + category = "routers", + paths = { + {path = "/"} + }, + target_check = function (host, port, path, response) + return response.status == 200 + and response.header["server"] == "HTTP Server" + and response.body + and response.body:lower():find("<title>nortel vpn router</title>", 1, true) + end, + login_combos = { + {username = "admin", password = "setup"} + }, + login_check = function (host, port, path, user, pass) + return try_http_basic_login(host, port, + url.absolute(path, "manage/bdy_sys.htm"), + user, pass, false) + end +}) + +table.insert(fingerprints, { + -- Version 5.0.0r8 on NetScreen 5XT + name = "ScreenOS", + cpe = "cpe:/o:juniper:netscreen_screenos", + category = "routers", + paths = { + {path = "/"} + }, + target_check = function (host, port, path, response) + return response.status == 200 + and (response.header["server"] or ""):find("^Virata%-EmWeb/R%d+_") + and response.body + and response.body:lower():find("admin_pw", 1, true) + end, + login_combos = { + {username = "netscreen", password = "netscreen"} + }, + login_check = function (host, port, path, user, pass) + local form = {admin_id="", + admin_pw="", + time=tostring(math.floor(stdnse.clock_ms())):sub(5), + un=base64.enc(user), + pw=base64.enc(pass)} + local resp = http_post_simple(host, port, url.absolute(path, "index.html"), + nil, form) + return resp.status == 303 + and (resp.header["location"] or ""):find("/nswebui.html?", 1, true) + end +}) + +table.insert(fingerprints, { + -- Version 11.4.1, 11.5.3 + name = "F5 TMOS", + cpe = "cpe:/o:f5:tmos", + category = "routers", + paths = { + {path = "/"} + }, + target_check = function (host, port, path, response) + return response.status == 200 + and response.body + and response.body:find("F5 Networks", 1, true) + and response.body:find("BIG-IP", 1, true) + and response.body:find("/tmui/tmui/system/settings/redirect.jsp", 1, true) + end, + login_combos = { + {username = "admin", password = "admin"} + }, + login_check = function (host, port, path, user, pass) + return try_http_post_login(host, port, path, "tmui/logmein.html", + "login%.jsp%?msgcode=1", + {username=user, passwd=pass}) + end +}) + +table.insert(fingerprints, { + -- Version 10.5 on MPX 8005 + name = "Citrix NetScaler", + cpe = "cpe:/a:citrix:netscaler", + category = "routers", + paths = { + {path = "/"} + }, + target_check = function (host, port, path, response) + return response.status == 200 + and response.body + and response.body:find("NetScaler", 1, true) + and response.body:lower():find("<title>citrix login</title>", 1, true) + end, + login_combos = { + {username = "nsroot", password = "nsroot"} + }, + login_check = function (host, port, path, user, pass) + return try_http_post_login(host, port, path, "login/do_login", + "Invalid username or password", + {username=user, password=pass, url="", timezone_offset="0"}, + false) + end +}) + +--- +--Digital recorders +--- +table.insert(fingerprints, { + -- UI Version 03.2 (4.8), 03.2 (5.5) + name = "DM Digital Sprite 2", + category = "security", + paths = { + {path = "/"} + }, + target_check = function (host, port, path, response) + return response.status == 200 + and response.body + and response.body:find("Dedicated Micros", 1, true) + and response.body:find("webpages/index.shtml", 1, true) + and response.body:lower():find('<meta%s+name%s*=%s*"author"%s+content%s*=%s*"dedicated micros ') + end, + login_combos = { + {username = "dm", password = "web"} + }, + login_check = function (host, port, path, user, pass) + return try_http_basic_login(host, port, + url.absolute(path, "frmpages/index.html"), + user, pass, true) + end +}) + +table.insert(fingerprints, { + -- Version SD32L30, ECS116/A + name = "DM NetVu", + category = "security", + paths = { + {path = "/"} + }, + target_check = function (host, port, path, response) + return response.status == 200 + and response.body + and response.body:find("Dedicated Micros", 1, true) + and response.body:find("/gui/gui_outer_frame.shtml", 1, true) + and response.body:lower():find('<meta%s+name%s*=%s*"author"%s+content%s*=%s*"dedicated micros ') + end, + login_combos = { + {username = "", password = ""} + }, + login_check = function (host, port, path, user, pass) + local lurl = url.absolute(path, "gui/frmpages/gui_system.shtml") + -- Check if authentication is required at all + local resp = http_get_simple(host, port, lurl) + if resp.status == 200 then + return (resp.body or ""):find('top.render_table("System Page"', 1, true) + end + return try_http_basic_login(host, port, lurl, user, pass, true) + end +}) + +table.insert(fingerprints, { + name = "AXIS Network Camera (M Series)", + category = "security", + paths = { + {path = "/view/viewer_index.shtml"}, + }, + target_check = function (host, port, path, response) + local realm = http_auth_realm(response) or "" + return realm:find("AXIS") + end, + login_combos = { + {username = "admin", password = "admin"}, + {username = "admin", password = ""}, + {username = "root", password = ""}, + {username = "root", password = "root"} + }, + login_check = function (host, port, path, user, pass) + return try_http_basic_login(host, port, path, user, pass, false) + end +}) + +table.insert(fingerprints, { + name = "Hikvision DS-XXX Network Camera", + category = "security", + paths = { + {path = "/PSIA/Custom/SelfExt/userCheck"}, + }, + target_check = function (host, port, path, response) + return response.header["server"] == "App-webs/" + + end, + login_combos = { + {username = "admin", password = "12345"}, + }, + login_check = function (host, port, path, user, pass) + return try_http_basic_login(host, port, path, user, pass, false) + end +}) + +table.insert(fingerprints, { + name = "NUOO DVR", + category = "security", + paths = { + {path = "/"}, + }, + target_check = function (host, port, path, response) + return response.header['server'] and response.header["server"]:find("lighttpd") + and response.body and response.body:lower():find("<title>network video recorder login</title>") + end, + login_combos = { + {username = "admin", password = "admin"}, + }, + login_check = function (host, port, path, user, pass) + local resp = http_post_simple(host, port, + url.absolute(path, "login.php"), nil, + {language="en", user=user, pass=pass,submit="Login"}) + if resp.status == 302 and not(resp.body:find("loginfail")) then return true end + end +}) + +--- +--Industrial systems +--- +table.insert(fingerprints, { + -- Version 2.1.2, 2.2.0 on TSX ETY Port, 1.0.4, 2.2.0 on TSX ETY410 + name = "Schneider Modicon Web", + category = "industrial", + paths = { + {path = "/"} + }, + target_check = function (host, port, path, response) + return response.status == 302 + and (response.header["server"] or ""):find("^Schneider%-WEB/V%d+%.") + and (response.header["location"] or ""):find("/index%.htm$") + end, + login_combos = { + {username = "USER", password = "USER"} + }, + login_check = function (host, port, path, user, pass) + return try_http_basic_login(host, port, + url.absolute(path, "secure/system/globaldata.htm?Language=English"), + user, pass, false) + end +}) + +table.insert(fingerprints, { + -- Version 06.05.00/6.0.1 on QD2040 HW 675 + name = "TCS Basys Controls Communication Center", + category = "industrial", + paths = { + {path = "/"} + }, + target_check = function (host, port, path, response) + return http_auth_realm(response) == "Private" + and (response.header["server"] or ""):find("^lighttpd/%d+%.") + end, + login_combos = { + {username = "admin", password = "password"} + }, + login_check = function (host, port, path, user, pass) + return try_http_basic_login(host, port, path, user, pass, false) + end +}) + +table.insert(fingerprints, { + -- Version 01.01 + name = "Riello UPS NetMan 204", + category = "industrial", + paths = { + {path = "/"} + }, + target_check = function (host, port, path, response) + return response.status == 200 + and (response.header["server"] or ""):find("^mini_httpd/%d+%.") + and response.body + and response.body:lower():find("<title>netman 204 login</title>", 1, true) + end, + login_combos = { + {username = "admin", password = "admin"}, + {username = "fwupgrade", password = "fwupgrade"}, + {username = "user", password = "user"}, + {username = "eurek", password = "eurek"} + }, + login_check = function (host, port, path, user, pass) + local resp = http_post_simple(host, port, + url.absolute(path, "cgi-bin/login.cgi"), + nil, {username=user, password=pass}) + return resp.status == 200 + and resp.body + and (resp.body:find(">window.location.replace(", 1, true) + or resp.body:find("Another user is logged in", 1, true)) + end +}) + +table.insert(fingerprints, { + -- Version 3.2.5 on AP9606, 2.5.0, 2.6.4 on AP9617, AP9619, 1.1.6 on AP7900 + name = "APC Management Card (basic auth)", + category = "industrial", + paths = { + {path = "/"} + }, + target_check = function (host, port, path, response) + return http_auth_realm(response) == "APC Management Card" + end, + login_combos = { + {username = "apc", password = "apc"} + }, + login_check = function (host, port, path, user, pass) + return try_http_basic_login(host, port, path, user, pass, false) + end +}) + +--- +--Printers +--- +table.insert(fingerprints, { + -- Version 61.17.5Z on ZTC GK420d + name = "Zebra Printer", + category = "printer", + paths = { + {path = "/"} + }, + target_check = function (host, port, path, response) + return response.status == 200 + and response.body + and response.body:find("Zebra Technologies", 1, true) + and response.body:lower():find('<a href="config.html">view printer configuration</a>', 1, true) + end, + login_combos = { + {username = "", password = "1234"} + }, + login_check = function (host, port, path, user, pass) + return try_http_post_login(host, port, path, "authorize", + "incorrect password", {["0"]=pass}) + end +}) + +table.insert(fingerprints, { + -- Version 61.17.5Z on ZTC GK420d, 1.01.4 + name = "Zebra Print Server", + category = "printer", + paths = { + {path = "/server/TCPIPGEN.htm"} + }, + target_check = function (host, port, path, response) + return http_auth_realm(response) == "Network Print Server" + end, + login_combos = { + {username = "admin", password = "1234"} + }, + login_check = function (host, port, path, user, pass) + return try_http_basic_login(host, port, path, user, pass, false) + end +}) + +table.insert(fingerprints, { + -- Version 1.04.9 on RICOH MP C4503, 1.05 on MP 5054, 1.12 on MP C5000 + name = "RICOH Web Image Monitor", + category = "printer", + paths = { + {path = "/"} + }, + target_check = function (host, port, path, response) + return response.status == 200 + and (response.header["server"] or ""):find("^Web%-Server/%d+%.") + and response.body + and response.body:find("/websys/webArch/mainFrame.cgi", 1, true) + end, + login_combos = { + {username = "admin", password = ""}, + {username = "supervisor", password = ""} + }, + login_check = function (host, port, path, user, pass) + -- determine proper login path by locale + local resp0 = http.get(host, port, path) + if resp0.status ~= 200 then return false end + local lurl = (resp0.body or ""):match('location%.href="(/[^"]+/)mainFrame%.cgi"') + if not lurl then return false end + -- harvest the login form token + local resp1 = http_get_simple(host, port, url.absolute(lurl, "authForm.cgi"), + {cookies="cookieOnOffChecker=on"}) + if resp1.status ~= 200 then return false end + local token = (resp1.body or ""):match('<input%s+type%s*=%s*"hidden"%s+name%s*=%s*"wimToken"%s+value%s*=%s*"(.-)"') + if not token then return false end + -- build the login form and submit it + local form = {wimToken = token, + userid_work = "", + userid = base64.enc(user), + password_work = "", + password = base64.enc(pass), + open = ""} + local resp2 = http_post_simple(host, port, url.absolute(lurl, "login.cgi"), + {cookies=resp1.cookies}, form) + return resp2.status == 302 + and (resp2.header["location"] or ""):find("/mainFrame%.cgi$") + and sets_cookie(resp2, "wimsesid", "^%d+$") + end +}) + +table.insert(fingerprints, { + -- Version 071.*, 072.* on WorkCentre 7835, 7845, ColorQube 8900X + name = "Xerox WorkCentre/ColorQube", + cpe = "cpe:/h:xerox:workcentre", + category = "printer", + paths = { + {path = "/"} + }, + target_check = function (host, port, path, response) + return response.status == 200 + and response.body + and response.body:find('SuppliesType != "InkStick"', 1, true) + and response.body:find("XEROX WORKCENTRE", 1, true) + end, + login_combos = { + {username = "admin", password = "1111"} + }, + login_check = function (host, port, path, user, pass) + local form = {_fun_function="HTTP_Authenticate_fn", + NextPage=url.absolute(path, "properties/authentication/luidLogin.php"), + webUsername=user, + webPassword=pass, + frmaltDomain="default"} + return try_http_post_login(host, port, path, "userpost/xerox.set", + "/login%.php%?invalid=t", form) + end +}) + +table.insert(fingerprints, { + -- Version 1.1, 1.1 SP7 + name = "EFI Fiery Webtools", + category = "printer", + paths = { + {path = "/"} + }, + target_check = function (host, port, path, response) + return response.status == 200 + and (response.header["content-location"] or ""):find("^redirect%.html%.") + and response.body + and response.body:lower():find('content="0;url=wt2parser.cgi?home_', 1, true) + end, + login_combos = { + {username = "Administrator", password = ""}, + {username = "Administrator", password = "Fiery.1"} + }, + login_check = function (host, port, path, user, pass) + -- sessionId normally includes the client IP, not the target, + -- but this would be too revealing + local sessionid = host.ip + .. "_" + .. math.floor(stdnse.clock_ms()) + .. math.random(100000, 999999) + local encpass = xmlencode(pass) + local header = {["Content-Type"]="text/xml", ["SOAPAction"]='""'} + local soapmsg = [[ + <?xml version='1.0' encoding='UTF-8'?> + <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"> + <SOAP-ENV:Body> + <ns1:doLogin xmlns:ns1="urn:FierySoapService" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"> + <sessionId xsi:type="xsd:string">__SESS__</sessionId> + <in xsi:type="ns1:Login"> + <fieldsMask xsi:type="xsd:int">0</fieldsMask> + <password xsi:type="xsd:string">__PASS__</password> + <timeout xsi:type="xsd:int">30</timeout> + <userName xsi:type="xsd:string" xsi:nil="true"/> + </in> + </ns1:doLogin> + </SOAP-ENV:Body> + </SOAP-ENV:Envelope> + ]] + -- strip off indentation + soapmsg = soapmsg:gsub("%f[^\0\n]%s+", "") + -- username is not injected into the payload because it is implied + soapmsg = soapmsg:gsub("__%w+__", {__SESS__=sessionid, __PASS__=encpass}) + local resp = http_post_simple(host, port, url.absolute(path, "soap"), + {header=header}, soapmsg) + return resp.status == 200 + and (resp.body or ""):find('<result xsi:type="xsd:boolean">true</result>', 1, true) + end +}) + +table.insert(fingerprints, { + -- Version 3.6/4 + name = "Lantronix ThinWeb Manager", + category = "printer", + paths = { + {path = "/"} + }, + target_check = function (host, port, path, response) + return have_openssl + and response.status == 200 + and (response.header["server"] or ""):find("^Gordian Embedded") + and response.body + and response.body:lower():find("<title>lantronix thinweb manager", 1, true) + end, + login_combos = { + {username = "", password = "system"} + }, + login_check = function (host, port, path, user, pass) + local lurl = url.absolute(path, "server_eps.html") + -- obtain login nonce + local resp1 = http_get_simple(host, port, lurl) + local nonce = resp1.status == 403 and sets_cookie(resp1, "SrvrNonce", ".") + if not nonce then return false end + -- credential is the MD5 hash of the nonce and the password (in upper case) + local creds = stdnse.tohex(openssl.md5(nonce .. ":" .. pass:upper())) + local cookies = ("SrvrNonce=%s; SrvrCreds=%s"):format(nonce, creds) + local resp2 = http_get_simple(host, port, lurl, {cookies=cookies}) + return resp2.status == 200 + end +}) + +--- +--Storage +--- +table.insert(fingerprints, { + -- Version TS200R021 on MSA 2000 G3 + name = "HP Storage Management Utility", + category = "storage", + paths = { + {path = "/api/id/"} + }, + -- TODO: Change the probe path to "/" and use the following target_check + -- once the http library adds support for gzip encoding. Don't forget + -- to change url.absolute() argument from "../" to "api/" in login_check. + --target_check = function (host, port, path, response) + -- return have_openssl + -- and response.status == 200 + -- and response.body + -- and response.body:find("brandStrings", 1, true) + -- and response.body:find("checkAuthentication", 1, true) + -- and response.body:find("hp stuff init", 1, true) + --end, + target_check = function (host, port, path, response) + return have_openssl + and response.status == 200 + and response.header["command-status"] + and response.header["command-status"]:find("^0 %({%s*systemName:.*,%s*controller:.*}%)") + end, + login_combos = { + {username = "monitor", password = "!monitor"}, + {username = "manage", password = "!manage"}, + {username = "admin", password = "!admin"} + }, + login_check = function (host, port, path, user, pass) + local creds = stdnse.tohex(openssl.md5(user .. "_" .. pass)) + local header = {["Content-Type"] = "application/x-www-form-urlencoded", + ["datatype"] = "json"} + local resp = http_post_simple(host, port, url.absolute(path, "../"), + {header=header}, "/api/login/" .. creds) + return resp.status == 200 + and (resp.header["command-status"] or ""):find("^1 ") + end +}) + +table.insert(fingerprints, { + -- Version 7.5.0.3 on 2072-24C + name = "IBM Storwize V3700", + cpe = "cpe:/a:ibm:storwize_v3700_software", + category = "storage", + paths = { + {path = "/"} + }, + target_check = function (host, port, path, response) + return response.status == 200 + and response.body + and response.body:find("V3700", 1, true) + and response.body:lower():find("<title>[^<]-%sibm storwize v3700%s*</title>") + end, + login_combos = { + {username = "superuser", password = "passw0rd"} + }, + login_check = function (host, port, path, user, pass) + local form = {login=user, + password=pass, + newPassword="", + confirmPassword="", + tzoffset="0", -- present twice in the original form + nextURL="", -- present twice in the original form + licAccept=""} + local resp = http_post_simple(host, port, url.absolute(path, "login"), + nil, form) + return resp.status == 302 + and (resp.header["location"] or ""):find("/gui$") + end +}) + +--- +--Virtualization systems +--- +table.insert(fingerprints, { + -- Version 5.0.0 + name = "VMware ESXi", + cpe = "cpe:/o:vmware:esxi", + category = "virtualization", + paths = { + {path = "/"} + }, + target_check = function (host, port, path, response) + return response.status == 200 + and response.body + and response.body:find("ID_EESX_Welcome", 1, true) + and response.body:find("/folder?dcPath=ha-datacenter", 1, true) + end, + login_combos = { + {username = "root", password = ""} + }, + login_check = function (host, port, path, user, pass) + return try_http_basic_login(host, port, + url.absolute(path, "folder?dcPath=ha-datacenter"), + user, pass, false) + end +}) + +table.insert(fingerprints, { + -- Version 4.0.0 + name = "PCoIP Zero Client", + cpe = "cpe:/a:teradici:pcoip_host_software", + category = "virtualization", + paths = { + {path = "/login.html"} + }, + target_check = function (host, port, path, response) + return response.status == 200 + and response.body + and response.body:find("PCoIP® Zero Client", 1, true) + and response.body:find("password_value", 1, true) + end, + login_combos = { + {username = "", password = "Administrator"} + }, + login_check = function (host, port, path, user, pass) + local resp = http_post_simple(host, port, url.absolute(path, "cgi-bin/login"), + nil, {password_value=pass, idle_timeout=60}) + -- successful login is a 302-redirect that sets a session cookie with hex + -- value; failed login is the same but the cookie contains an error message + return resp.status == 302 and sets_cookie(resp, "session_id", "^%x+$") + end +}) + +--- +--Remote consoles +--- +table.insert(fingerprints, { + -- Version 5.5, 6.1, 6.2, 7.2 on SLC16, SLC32, SLC48, SLC 8016 + name = "Lantronix SLC", + category = "console", + paths = { + {path = "/"} + }, + target_check = function (host, port, path, response) + return response.status == 200 + and (response.header["server"] or ""):find("^mini_httpd/%d+%.") + and response.body + and response.body:find("lantronix", 1, true) + and response.body:find("slcpassword", 1, true) + end, + login_combos = { + {username = "sysadmin", password = "PASS"} + }, + login_check = function (host, port, path, user, pass) + return try_http_post_login(host, port, path, "./", + "%sname%s*=%s*(['\"]?)slcpassword%1[%s>]", + {slclogin=user, slcpassword=pass}) + end +}) + +table.insert(fingerprints, { + --Version 1.10.12, 1.80 + name = "Dell iDRAC6", + cpe = "cpe:/o:dell:idrac6_firmware", + category = "console", + paths = { + {path = "/"} + }, + target_check = function (host, port, path, response) + return response.status == 301 + and (response.header["server"] or ""):find("^Mbedthis%-Appweb/%d+%.") + and (response.header["location"] or ""):find("/start%.html$") + end, + login_combos = { + {username = "root", password = "calvin"} + }, + login_check = function (host, port, path, user, pass) + return try_http_post_login(host, port, path, "data/login", + "<authResult>1</authResult>", + {user=user, password=pass}) + end +}) + +table.insert(fingerprints, { + name = "Dell iDRAC9", + cpe = "cpe:/o:dell:idrac9_firmware", + category = "console", + paths = { + {path = "/"} + }, + target_check = function (host, port, path, response) + -- analyze response for 1st request to "/" + if not (response.status == 302 and (response.header["location"] or ""):find("/restgui/start%.html$")) then return false end + + -- check with 2nd request to "/restgui/start.html" to be sure + local resp = http_get_simple(host, port, url.absolute(path, "restgui/start.html")) + return resp.status == 200 + and resp.body + and resp.body:find("idrac-start-screen", 1, true) + end, + login_combos = { + {username = "root", password = "calvin"} + }, + login_check = function (host, port, path, user, pass) + local headers = { + ["user"]='"'..user..'"', + ["password"]='"'..pass..'"' + } + local resp = http_post_simple(host, port, url.absolute(path, "sysmgmt/2015/bmc/session"), + {header=headers}) + local body = resp.body or "" + + return (resp.status == 201 and ( + body:find('"authResult":0') -- standard login success + or body:find('"authResult":7') -- login success with default credentials + or body:find('"authResult":9') -- login success with password reset required + ) + ) + end +}) + +table.insert(fingerprints, { + --Version 1.1 on Supermicro X7SB3 + name = "Supermicro WPCM450", + category = "console", + paths = { + {path = "/"} + }, + target_check = function (host, port, path, response) + return response.status == 200 + and response.body + and response.body:find("ATEN International", 1, true) + and response.body:find("/cgi/login.cgi", 1, true) + end, + login_combos = { + {username = "ADMIN", password = "ADMIN"} + }, + login_check = function (host, port, path, user, pass) + local resp = http_post_simple(host, port, url.absolute(path, "cgi/login.cgi"), + nil, {name=user, pwd=pass}) + return resp.status == 200 + and (resp.body or ""):find("../cgi/url_redirect.cgi?url_name=mainmenu", 1, true) + end +}) |