From 0d47952611198ef6b1163f366dc03922d20b1475 Mon Sep 17 00:00:00 2001
From: Daniel Baumann <daniel.baumann@progress-linux.org>
Date: Wed, 17 Apr 2024 09:42:04 +0200
Subject: Adding upstream version 7.94+git20230807.3be01efb1+dfsg.

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
---
 nselib/data/http-default-accounts-fingerprints.lua | 1738 ++++++++++++++++++++
 1 file changed, 1738 insertions(+)
 create mode 100644 nselib/data/http-default-accounts-fingerprints.lua

(limited to 'nselib/data/http-default-accounts-fingerprints.lua')

diff --git a/nselib/data/http-default-accounts-fingerprints.lua b/nselib/data/http-default-accounts-fingerprints.lua
new file mode 100644
index 0000000..c5a5030
--- /dev/null
+++ b/nselib/data/http-default-accounts-fingerprints.lua
@@ -0,0 +1,1738 @@
+local base64 = require "base64"
+local http = require "http"
+local json = require "json"
+local math = require "math"
+local shortport = require "shortport"
+local stdnse = require "stdnse"
+local table = require "table"
+local tableaux = require "tableaux"
+local url = require "url"
+local have_openssl, openssl = pcall(require, 'openssl')
+
+---
+-- http-default-accounts-fingerprints.lua
+-- This file contains fingerprint data for http-default-accounts.nse
+--
+-- STRUCTURE:
+-- * <code>name</code> - Descriptive name
+-- * <code>cpe</code> - Official CPE Dictionary entry (optional)
+-- * <code>category</code> - Category
+-- * <code>login_combos</code> - Table of default credential pairs
+---- * <code>username</code>
+---- * <code>password</code>
+-- * <code>paths</code> - Table of likely locations (paths) of the target
+-- * <code>target_check</code> - Validation function of the target (optional)
+-- * <code>login_check</code> - Login function of the target
+---
+
+---
+-- Requests given path using http.get() but disabling cache and redirects.
+-- @param host The host to connect to
+-- @param port The port to connect to
+-- @param path The path to retrieve
+-- @param options [optional] A table of HTTP request options
+-- @return A response table (see library http.lua for description)
+---
+local function http_get_simple (host, port, path, options)
+  local opts = tableaux.tcopy(options or {})
+  opts.bypass_cache = true
+  opts.no_cache = true
+  opts.redirect_ok = false
+  return http.get(host, port, path, opts)
+end
+
+---
+-- Requests given path using http.post() but disabling cache and redirects.
+-- (The current implementation of http.post() does not use either; this is
+-- a defensive wrapper to guard against future problems.)
+-- @param host The host to connect to
+-- @param port The port to connect to
+-- @param path The path to retrieve
+-- @param options [optional] A table of HTTP request options
+-- @param postdata A string or a table of data to be posted
+-- @return A response table (see library http.lua for description)
+---
+local function http_post_simple (host, port, path, options, postdata)
+  local opts = tableaux.tcopy(options or {})
+  opts.no_cache = true
+  opts.redirect_ok = false
+  return http.post(host, port, path, opts, nil, postdata)
+end
+
+---
+-- Requests given path using basic authentication.
+-- @param host Host table
+-- @param port Port table
+-- @param path Path to request
+-- @param user Username for Basic Auth
+-- @param pass Password for Basic Auth
+-- @param digest_auth Digest Authentication
+-- @return True if login in was successful
+---
+local function try_http_basic_login(host, port, path, user, pass, digest_auth)
+  local credentials = {username = user, password = pass, digest = digest_auth}
+  local resp = http_get_simple(host, port, path, {auth=credentials})
+  return resp.status
+         and resp.status ~= 400
+         and resp.status ~= 401
+         and resp.status ~= 403
+         and resp.status ~= 404
+end
+
+---
+-- Tries to login with a http post, if the FAIL string is not found
+-- we assume login in was successful
+-- @param host Host table
+-- @param port Port table
+-- @param target Target file
+-- @param failstr String shown when login in fails
+-- @param params Post parameters
+-- @param follow_redirects True if you want redirects to be followed
+-- @return True if login in was successful
+---
+local function try_http_post_login(host, port, path, target, failstr, params, follow_redirects)
+  local resp = http_post_simple(host, port, url.absolute(path, target), nil, params)
+  if not resp.status then return false end
+  local status = tonumber(resp.status) or 0
+  if follow_redirects and ( status > 300 and status < 400 ) then
+    resp = http_get_simple(host, port, url.absolute(path, resp.header.location))
+  end
+  if resp.status and resp.status ~= 404 and not(http.response_contains(resp, failstr)) then
+    return true
+  end
+  return false
+end
+
+---
+-- Returns authentication realm advertised in an HTTP response
+-- @param response HTTP response object, such as a result from http.get()
+-- @return realm found in response header WWW-Authenticate
+--               (or nil if not present)
+---
+local function http_auth_realm(response)
+  local auth = response.header["www-authenticate"] or ""
+  return auth:match('%srealm%s*=%s*"([^"]*)')
+end
+
+---
+-- Tests whether an HTTP response sets a named cookie with a given value
+-- @param response a standard HTTP response object
+-- @param name a case-insensitive cookie name that must be set
+-- @param pattern to validate the cookie value
+-- @return cookie value if such a cookie is found
+---
+local function sets_cookie(response, name, pattern)
+  name = name:lower()
+  for _, ck in ipairs(response.cookies or {}) do
+    if ck.name:lower() == name then
+      return (not pattern or ck.value:find(pattern)) and ck.value
+    end
+  end
+  return false
+end
+
+---
+-- Generates default scheme, host, and port components for a parsed URL.
+--
+-- This filter function generates the scheme, host, and port components from
+-- the standard <code>host</code> and <code>port</code> script objects. These
+-- components can then be passed onto function <code>url.build</code>.
+--
+-- As an example, the following code generates a URL for path "/test/"
+-- on the current host and port:
+-- <code>
+-- local testurl = url.build(url_build_defaults(host, port, {path = "/test/"}))
+-- </code>
+-- or, alternatively, when not used as a filter:
+-- <code>
+-- local parsed = url_build_defaults(host, port)
+-- parsed.path = "/test/"
+-- local testurl = url.build(parsed)
+-- </code>
+--
+-- @param host The host the URL is intended for.
+-- @param port The port the URL is intended for.
+-- @param parsed Parsed URL, as typically returned by <code>url.parse</code>,
+-- or nil. The table can be be missing the scheme, host, and port components.
+-- @return A clone of the parsed URL, with any missing scheme, host, and port
+-- components added.
+-- @see url.parse
+-- @see url.build
+---
+local function url_build_defaults (host, port, parsed)
+  local parts = tableaux.tcopy(parsed or {})
+  parts.host = parts.host or stdnse.get_hostname(host, port)
+  parts.scheme = parts.scheme or shortport.ssl(host, port) and "https" or "http"
+  if not parts.port and port.number ~= url.get_default_port(parts.scheme) then
+    parts.port = port.number
+  end
+  return parts
+end
+
+---
+-- Encodes a string to make it safe for embedding into XML/HTML.
+--
+-- @param s The string to be encoded.
+-- @return A string with unsafe characters encoded
+---
+local function xmlencode (s)
+  return s:gsub("%W", function (c) return ("&#x%x;"):format(c:byte()) end)
+end
+
+fingerprints = {}
+
+---
+--WEB
+---
+table.insert(fingerprints, {
+  -- Version 0.8.8a
+  name = "Cacti",
+  cpe = "cpe:/a:cacti:cacti",
+  category = "web",
+  paths = {
+    {path = "/"},
+    {path = "/cacti/"}
+  },
+  target_check = function (host, port, path, response)
+    return response.status == 200
+           and (sets_cookie(response, "Cacti") or sets_cookie(response, "CactiEZ"))
+  end,
+  login_combos = {
+    {username = "admin", password = "admin"}
+  },
+  login_check = function (host, port, path, user, pass)
+    return try_http_post_login(host, port, path, "index.php",
+                              "%sname%s*=%s*(['\"]?)login_password%1[%s>]",
+                              {action="login", login_username=user, login_password=pass})
+  end
+})
+
+table.insert(fingerprints, {
+  -- Version 2.0.6
+  name = "Zabbix",
+  cpe = "cpe:/a:zabbix:zabbix",
+  category = "web",
+  paths = {
+    {path = "/zabbix/"}
+  },
+  target_check = function (host, port, path, response)
+    return response.status == 200 and sets_cookie(response, "zbx_sessionid")
+  end,
+  login_combos = {
+    {username = "admin", password = "zabbix"}
+  },
+  login_check = function (host, port, path, user, pass)
+    local resp = http_post_simple(host, port, url.absolute(path, "index.php"), nil,
+                                 {request="", name=user, password=pass, enter="Sign in"})
+    return resp.status == 302 and resp.header["location"] == "dashboard.php"
+  end
+})
+
+table.insert(fingerprints, {
+  -- Version 0.7, 1.0.1
+  name = "Xplico",
+  category = "web",
+  paths = {
+    {path = "/"}
+  },
+  target_check = function (host, port, path, response)
+    return response.status == 302 and sets_cookie(response, "Xplico")
+  end,
+  login_combos = {
+    {username = "admin", password = "xplico"},
+    {username = "xplico", password = "xplico"}
+  },
+  login_check = function (host, port, path, user, pass)
+    local lurl = url.absolute(path, "users/login")
+    -- harvest all hidden fields from the login form
+    local resp1 = http_get_simple(host, port, lurl)
+    if resp1.status ~= 200 then return false end
+    local html = (resp1.body or ""):match('<form%s+action%s*=%s*"[^"]*/users/login".->(.-)</form>')
+    if not html then return false end
+    local form = {}
+    for n, v in html:gmatch('<input%s+type%s*=%s*"hidden"%s+name%s*=%s*"(.-)"%s+value%s*=%s*"(.-)"') do
+      form[n] = v
+    end
+    -- add username and password to the form and submit it
+    form["data[User][username]"] = user
+    form["data[User][password]"] = pass
+    local resp2 = http_post_simple(host, port, lurl, {cookies=resp1.cookies}, form)
+    local loc = resp2.header["location"] or ""
+    return resp2.status == 302
+           and (loc:find("/admins$") or loc:find("/pols/index$"))
+  end
+})
+
+table.insert(fingerprints, {
+  --Version 5.3.1.1944 on EH6000
+  name = "ExtraHop Web UI",
+  category = "web",
+  paths = {
+    {path = "/extrahop/"}
+  },
+  target_check = function (host, port, path, response)
+    return response.status == 200
+           and response.body
+           and response.body:find("csrfmiddlewaretoken", 1, true)
+           and response.body:lower():find("<title>extrahop login", 1, true)
+  end,
+  login_combos = {
+    {username = "admin", password = "admin"}
+  },
+  login_check = function (host, port, path, user, pass)
+    -- obtain cookies and a CSRF token
+    local resp1 = http_get_simple(host, port, path)
+    if not (resp1.status == 200 and resp1.body) then return false end
+    local tname, tvalue = resp1.body:match("<input%s+type%s*=%s*'hidden'%s+name%s*=%s*'(csrfmiddlewaretoken)'%s+value%s*=%s*'(.-)'")
+    if not tname then return false end
+    local form = {[tname]=tvalue,
+                  next=path,
+                  username=user,
+                  password=pass}
+    -- Referer header is mandatory
+    local header = {["Referer"]=url.build(url_build_defaults(host, port, {path=path}))}
+    local resp2 = http_post_simple(host, port, path,
+                                  {cookies=resp1.cookies, header=header}, form)
+    return resp2.status == 302
+           and (resp2.header["location"] or ""):find("/extrahop/$")
+  end
+})
+
+table.insert(fingerprints, {
+  -- Version 3.2.3, 3.4.4, 4.0.8
+  name = "Nagios",
+  cpe = "cpe:/a:nagios:nagios",
+  category = "web",
+  paths = {
+    {path = "/"},
+    {path = "/nagios/"}
+  },
+  target_check = function (host, port, path, response)
+    return http_auth_realm(response) == "Nagios Access"
+  end,
+  login_combos = {
+    {username = "nagiosadmin", password = "nagios"},
+    {username = "nagiosadmin", password = "nagiosadmin"},
+    -- IBM PurePower Integrated Manager
+    {username = "nagiosadmin", password = "PASSW0RD"},
+    -- CactiEZ
+    {username = "nagiosadmin", password = "CactiEZ"}
+  },
+  login_check = function (host, port, path, user, pass)
+    return try_http_basic_login(host, port, path, user, pass, false)
+  end
+})
+
+table.insert(fingerprints, {
+  -- Version 3.1.1, 4.0.2, 4.1.2
+  name = "Grafana",
+  category = "web",
+  paths = {
+    {path = "/"}
+  },
+  target_check = function (host, port, path, response)
+    return response.status == 302 and sets_cookie(response, "grafana_sess")
+  end,
+  login_combos = {
+    {username = "admin", password = "admin"}
+  },
+  login_check = function (host, port, path, user, pass)
+    local header = {["Accept"] = "application/json, text/plain, */*",
+                    ["Content-Type"] = "application/json;charset=utf-8"}
+    local jin = {user=user, email="", password=pass}
+    json.make_object(jin)
+    local resp = http_post_simple(host, port, url.absolute(path, "login"),
+                                 {header=header}, json.generate(jin))
+    return resp.status == 200 and sets_cookie(resp, "grafana_user") == user
+  end
+})
+
+table.insert(fingerprints, {
+  -- Version 8.1, 9.2, 10.3.4, 10.3.6, 12.1.2
+  name = "WebLogic Server Console",
+  cpe = "cpe:/a:bea:weblogic_server",
+  category = "web",
+  paths = {
+    {path = "/console/"}
+  },
+  target_check = function (host, port, path, response)
+    return response.status == 302
+           and (response.header["location"] or ""):find("/console/login/LoginForm%.jsp%f[;\0]")
+  end,
+  login_combos = {
+    -- WebLogic 9.x
+    {username = "weblogic", password = "weblogic"},
+    -- WebLogic 10.x, 12.x
+    {username = "weblogic", password = "weblogic1"},
+    {username = "weblogic", password = "welcome1"},
+    -- Adobe LiveCycle ES
+    {username = "weblogic", password = "password"},
+    -- PeopleSoft
+    {username = "system", password = "Passw0rd"}
+  },
+  login_check = function (host, port, path, user, pass)
+    local resp = http_post_simple(host, port,
+                                 url.absolute(path, "j_security_check"), nil,
+                                 {j_username=user,j_password=pass,j_character_encoding="UTF-8"})
+    -- WebLogic 8.x, 9.x
+    if resp.status == 403 then return false end
+    -- WebLogic 10.x, 12.x
+    if resp.status == 302
+       and (resp.header["location"] or ""):find("/console/login/LoginForm%.jsp$") then
+      return false
+    end
+    return true
+  end
+})
+
+table.insert(fingerprints, {
+  name = "Apache Tomcat",
+  cpe = "cpe:/a:apache:tomcat",
+  category = "web",
+  paths = {
+    {path = "/manager/html/"},
+    {path = "/manager/status/"},
+    {path = "/manager/text/"},
+    {path = "/tomcat/manager/html/"},
+    {path = "/tomcat/manager/status/"},
+    {path = "/tomcat/manager/text/"},
+    {path = "/cognos_express/manager/html/"}
+  },
+  target_check = function (host, port, path, response)
+    return http_auth_realm(response) == "Tomcat Manager Application"
+  end,
+  login_combos = {
+    {username = "tomcat", password = "tomcat"},
+    {username = "admin", password = "admin"},
+    -- https://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-3548
+    {username = "admin", password = ""},
+    -- https://github.com/seshendra/vagrant-ubuntu-tomcat7/
+    {username = "admin", password = "tomcat"},
+    -- https://github.com/apache/tomcat/blob/2b8f9665dbfb89c78878784cd9b63d2b976ba623/webapps/manager/WEB-INF/jsp/403.jsp#L66
+    {username = "tomcat", password = "s3cret"},
+    -- https://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-4094
+    {username = "ADMIN", password = "ADMIN"},
+    -- https://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-4189
+    {username = "ovwebusr", password = "OvW*busr1"},
+    -- https://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-4188
+    {username = "j2deployer", password = "j2deployer"},
+    -- https://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-0557
+    {username = "cxsdk", password = "kdsxc"},
+    -- XAMPP https://www.apachefriends.org/index.html
+    {username = "xampp", password = "xampp"},
+    -- QLogic QConvergeConsole http://www.qlogic.com/
+    {username = "QCC", password = "QLogic66"},
+    -- HAPI FHIR http://hapifhir.io/
+    {username = "fhir", password = "FHIRDefaultPassword"}
+  },
+  login_check = function (host, port, path, user, pass)
+    return try_http_basic_login(host, port, path, user, pass, false)
+  end
+})
+
+table.insert(fingerprints, {
+  name = "Apache Tomcat Host Manager",
+  cpe = "cpe:/a:apache:tomcat",
+  category = "web",
+  paths = {
+    {path = "/host-manager/html/"},
+    {path = "/host-manager/text/"},
+    {path = "/tomcat/host-manager/html/"},
+    {path = "/tomcat/host-manager/text/"}
+  },
+  target_check = function (host, port, path, response)
+    return http_auth_realm(response) == "Tomcat Host Manager Application"
+  end,
+  login_combos = {
+    {username = "tomcat", password = "tomcat"},
+    {username = "admin", password = "admin"},
+    -- https://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-3548
+    {username = "admin", password = ""},
+    -- https://github.com/seshendra/vagrant-ubuntu-tomcat7/
+    {username = "admin", password = "tomcat"},
+    -- https://github.com/apache/tomcat/blob/2b8f9665dbfb89c78878784cd9b63d2b976ba623/webapps/manager/WEB-INF/jsp/403.jsp#L66
+    {username = "tomcat", password = "s3cret"},
+    -- https://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-4094
+    {username = "ADMIN", password = "ADMIN"},
+    -- https://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-4189
+    {username = "ovwebusr", password = "OvW*busr1"},
+    -- https://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-4188
+    {username = "j2deployer", password = "j2deployer"},
+    -- https://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-0557
+    {username = "cxsdk", password = "kdsxc"},
+    -- XAMPP https://www.apachefriends.org/index.html
+    {username = "xampp", password = "xampp"},
+    -- QLogic QConvergeConsole http://www.qlogic.com/
+    {username = "QCC", password = "QLogic66"},
+    -- HAPI FHIR http://hapifhir.io/
+    {username = "fhir", password = "FHIRDefaultPassword"}
+  },
+  login_check = function (host, port, path, user, pass)
+    return try_http_basic_login(host, port, path, user, pass, false)
+  end
+})
+
+table.insert(fingerprints, {
+  name = "Apache Felix OSGi Management Console",
+  category = "web",
+  paths = {
+    {path = "/system/console"},
+    {path = "/lc/system/console"}
+  },
+  target_check = function (host, port, path, response)
+    return http_auth_realm(response) == "OSGi Management Console"
+  end,
+  login_combos = {
+    {username = "admin", password = "admin"},
+    {username = "karaf", password = "karaf"},
+    {username = "smx",   password = "smx"}
+  },
+  login_check = function (host, port, path, user, pass)
+    return try_http_basic_login(host, port, path, user, pass, false)
+  end
+})
+
+table.insert(fingerprints, {
+  -- Version 1.4.1, 1.5.2, 1.5.3, 1.6.0, 1.6.1
+  name = "Apache Axis2",
+  cpe = "cpe:/a:apache:axis2",
+  category = "web",
+  paths = {
+    {path = "/axis2/axis2-admin/"}
+  },
+  target_check = function (host, port, path, response)
+    return response.status == 200
+           and response.body
+           and response.body:lower():find("<title>login to axis2 :: administration page</title>", 1, true)
+  end,
+  login_combos = {
+    {username = "admin", password = "axis2"}
+  },
+  login_check = function (host, port, path, user, pass)
+    local resp = http_post_simple(host, port, url.absolute(path, "login"), nil,
+                                 {userName=user,password=pass,submit=" Login "})
+    return resp.status == 200
+           and (resp.body or ""):lower():find("<a%s+href%s*=%s*(['\"])axis2%-admin/logout%1")
+  end
+})
+
+table.insert(fingerprints, {
+  name = "Plumtree Portal",
+  category = "web",
+  paths = {
+    {path = "/"}
+  },
+  target_check = function (host, port, path, response)
+    return response.status == 302
+           and (response.header["location"] or ""):find("/portal/server%.pt$")
+  end,
+  login_combos = {
+    {username = "Administrator", password = ""}
+  },
+  login_check = function (host, port, path, user, pass)
+    local form = {in_hi_space="Login",
+                  in_hi_spaceID="0",
+                  in_hi_control="Login",
+                  in_hi_dologin="true",
+                  in_tx_username=user,
+                  in_pw_userpass=pass,
+                  in_se_authsource=""}
+    local resp = http_post_simple(host, port,
+                                 url.absolute(path, "portal/server.pt"),
+                                 nil, form)
+    return resp.status == 302
+           and (resp.header["location"] or ""):find("/portal/server%.pt[;?]")
+           and sets_cookie(resp, "plloginoccured") == "true"
+  end
+})
+
+table.insert(fingerprints, {
+  -- Version 0.4.4.6.1 on SamuraiWTF 2.6, 0.4.7.0 on Kali 2016.2
+  name = "BeEF",
+  category = "web",
+  paths = {
+    {path = "/ui/authentication/"}
+  },
+  target_check = function (host, port, path, response)
+    return response.status == 200
+           and response.body
+           and response.body:find("BeEF", 1, true)
+           and response.body:lower():find("<title>beef authentication</title>", 1, true)
+  end,
+  login_combos = {
+    {username = "beef", password = "beef"}
+  },
+  login_check = function (host, port, path, user, pass)
+    local resp = http_post_simple(host, port, url.absolute(path, "login"), nil,
+                                 {["username-cfrm"]=user, ["password-cfrm"]=pass})
+    return resp.status == 200
+           and (resp.body or ""):find("{%s*success%s*:%s*true%s*}")
+  end
+})
+
+table.insert(fingerprints, {
+  name = "Pure Storage",
+  category = "web",
+  paths = {
+    {path = "/"}
+  },
+  target_check = function (host, port, path, response)
+    return response.status == 200
+           and response.body:find("<title>Pure Storage Login</title>", 1, true)
+  end,
+  login_combos = {
+    {username = "pureuser", password = "pureuser"}
+  },
+  login_check = function (host, port, path, user, pass)
+    return try_http_post_login(host, port, path, "login",
+                               "{%s*Welcome%s*:%s*Invalid%s*}",
+                               {["username"]=user, ["password"]=pass})
+  end
+})
+
+table.insert(fingerprints, {
+  name = "Active MQ",
+  category = "web",
+  paths = {
+    {path = "/admin"}
+  },
+  target_check = function (host, port, path, response)
+    return http_auth_realm(response) == "ActiveMQRealm"
+  end,
+  login_combos = {
+    {username = "admin", password = "admin"}
+  },
+  login_check = function (host, port, path, user, pass)
+    return try_http_basic_login(host, port, path, user, pass, false)
+  end
+})
+---
+--ROUTERS
+---
+table.insert(fingerprints, {
+  name = "Arris 2307",
+  category = "routers",
+  paths = {
+    {path = "/logo_t.gif"}
+  },
+  login_combos = {
+    {username = "", password = ""}
+  },
+  login_check = function (host, port, path, user, pass)
+    return try_http_post_login(host, port, path, "login.cgi", "Login Error !!", {action="submit", page="", logout="", pws=pass})
+  end
+})
+
+table.insert(fingerprints, {
+  -- Version 12.2SE on Catalyst 3750, 3845, CBS3020, 12.3 on Aironet 1300
+  name = "Cisco IOS",
+  cpe = "cpe:/o:cisco:ios",
+  category = "routers",
+  paths = {
+    {path = "/"},
+    -- TODO: Remove these paths completely unless a bug gets filed (9/1/2016)
+    -- (The paths are likely redundant. "/" should be covering all the cases.)
+    -- {path = "/exec/show/log/CR"},
+    -- {path = "/level/15/exec/-/configure/http"},
+    -- {path = "/level/15/exec/-"},
+    -- {path = "/level/15/"}
+  },
+  target_check = function (host, port, path, response)
+    local realm = http_auth_realm(response) or ""
+    -- Exact PCRE: "^level 15?( or view)? access$"
+    return realm:gsub("_"," "):find("^level 15?%f[ ].* access$")
+  end,
+  login_combos = {
+    {username = "", password = ""},
+    {username = "cisco", password = "cisco"},
+    {username = "Cisco", password = "Cisco"}
+  },
+  login_check = function (host, port, path, user, pass)
+    return try_http_basic_login(host, port, path, user, pass, false)
+  end
+})
+
+table.insert(fingerprints, {
+  -- Version (see below)
+  name = "Cisco Linksys",
+  cpe = "cpe:/h:linksys:*",
+  category = "routers",
+  paths = {
+    {path = "/"}
+  },
+  target_check = function (host, port, path, response)
+    -- realm="Linksys WAP200", "Linksys WAP55AG", "Linksys E2000"
+    return (http_auth_realm(response) or ""):find("^Linksys %u[%u%d]+$")
+  end,
+  login_combos = {
+    -- WAP55AG, version 1.07.01
+    -- E2000, version 1.0.03 (any username is valid)
+    {username = "", password = "admin"},
+    -- WAP200, version 1.0.22
+    {username = "admin", password = "admin"},
+  },
+  login_check = function (host, port, path, user, pass)
+    return try_http_basic_login(host, port, path, user, pass, false)
+  end
+})
+
+table.insert(fingerprints, {
+  -- Version ESIP-12-v302r125573-131230c_upc on EPC3925
+  --         ES-16-E138-c3220r55103-150810 on EPC3928AD
+  name = "Cisco EPC39xx",
+  cpe = "cpe:/h:cisco:epc39*",
+  category = "routers",
+  paths = {
+    {path = "/"}
+  },
+  target_check = function (host, port, path, response)
+    return response.status == 200
+           and response.body
+           and response.body:find("Docsis", 1, true)
+           and response.body:find("window%.location%.href%s*=%s*(['\"])Docsis_system%.asp%1")
+  end,
+  login_combos = {
+    {username = "",      password = ""},
+    {username = "admin", password = "admin"}
+  },
+  login_check = function (host, port, path, user, pass)
+    local form = {username_login=user,
+                  password_login=pass,
+                  LanguageSelect="en",
+                  Language_Submit="0",
+                  login="Log In"}
+    local resp = http_post_simple(host, port,
+                                 url.absolute(path, "goform/Docsis_system"),
+                                 nil, form)
+    local loc = resp.header["location"] or ""
+    return resp.status == 302
+           and (loc:find("/Quick_setup%.asp$") or loc:find("/Administration%.asp$"))
+  end
+})
+
+table.insert(fingerprints, {
+  -- Version 1.0.1.3 on RT-N10U, RT-N66U
+  name = "ASUS RT",
+  cpe = "cpe:/h:asus:rt-*",
+  category = "routers",
+  paths = {
+    {path = "/"}
+  },
+  target_check = function (host, port, path, response)
+    -- realm="RT-N10U", "RT-N66U"
+    return (http_auth_realm(response) or ""):find("^RT%-%u[%u%d]+$")
+  end,
+  login_combos = {
+    {username = "admin", password = "admin"}
+  },
+  login_check = function (host, port, path, user, pass)
+    return try_http_basic_login(host, port, path, user, pass, false)
+  end
+})
+
+table.insert(fingerprints, {
+  -- Version 5.00.12 on F5D7234-4
+  name = "Belkin G Wireless Router",
+  cpe = "cpe:/h:belkin:f5d7234-4",
+  category = "routers",
+  paths = {
+    {path = "/"}
+  },
+  target_check = function (host, port, path, response)
+    return have_openssl
+           and response.status == 200
+           and response.body
+           and response.body:find("setup_top.htm", 1, true)
+           and response.body:find("status.stm", 1, true)
+  end,
+  login_combos = {
+    {username = "", password = ""}
+  },
+  login_check = function (host, port, path, user, pass)
+    local resp = http_post_simple(host, port,
+                                 url.absolute(path, "cgi-bin/login.exe"), nil,
+                                 -- this should be local time, not UTC
+                                 {totalMSec = stdnse.clock_ms()/1000,
+                                 pws = stdnse.tohex(openssl.md5(pass))})
+    return resp.status == 302
+           and (resp.header["location"] or ""):find("/index%.htm$")
+  end
+})
+
+table.insert(fingerprints, {
+  -- Version 1.00.12 on F9K1001 v1
+  name = "Belkin N150",
+  cpe = "cpe:/h:belkin:n150_f9k1001",
+  category = "routers",
+  paths = {
+    {path = "/"}
+  },
+  target_check = function (host, port, path, response)
+    return have_openssl
+           and response.status == 200
+           and response.body
+           and response.body:find("Belkin", 1, true)
+           and response.body:find("isAPmode", 1, true)
+           and response.body:lower():find("showmenu.js", 1, true)
+  end,
+  login_combos = {
+    {username = "", password = ""}
+  },
+  login_check = function (host, port, path, user, pass)
+    local form = {page="",
+                  logout="",
+                  action="submit",
+                  pws=base64.enc(pass),
+                  itsbutton1="Submit",
+                  h_language="en",
+                  is_parent_window="1"}
+    local resp = http_post_simple(host, port, url.absolute(path, "login.cgi"),
+                                 nil, form)
+    return resp.status == 200
+           and resp.body
+           and resp.body:find("index.html", 1, true)
+  end
+})
+
+table.insert(fingerprints, {
+  -- Version H131-310CTU-C07_R01_4.5.5.27
+  name = "Comtrend NexusLink-5631",
+  category = "routers",
+  paths = {
+    {path = "/"}
+  },
+  target_check = function (host, port, path, response)
+    return http_auth_realm(response) == "DSL Router"
+  end,
+  login_combos = {
+    {username = "apuser", password = "apuser"},
+    {username = "root", password = "12345"}
+  },
+  login_check = function (host, port, path, user, pass)
+    return try_http_basic_login(host, port, path, user, pass, false)
+  end
+})
+
+table.insert(fingerprints, {
+  -- Version 1.0.1-00 on model 5554
+  name = "Zoom ADSL X5",
+  category = "routers",
+  paths = {
+    {path = "/"}
+  },
+  target_check = function (host, port, path, response)
+    return response.status == 301
+           and (response.header["server"] or ""):find("^Nucleus/%d+%.")
+           and (response.header["location"] or ""):find("/hag/pages/home%.htm$")
+  end,
+  login_combos = {
+    {username = "admin", password = "zoomadsl"}
+  },
+  login_check = function (host, port, path, user, pass)
+    return try_http_basic_login(host, port,
+                               url.absolute(path, "hag/pages/home.htm"),
+                               user, pass, false)
+  end
+})
+
+table.insert(fingerprints, {
+  -- Version 2.3, 2.4 on FVS318
+  name = "Netgear ProSafe Firewall FVS318",
+  cpe = "cpe:/h:netgear:fvs318",
+  category = "routers",
+  paths = {
+    {path = "/"}
+  },
+  target_check = function (host, port, path, response)
+    return response.status == 200
+           and response.header["server"] == "Netgear"
+           and response.body
+           and response.body:lower():find("<frame%s+src%s*=%s*(['\"]?)top.html%1%s")
+  end,
+  login_combos = {
+    {username = "admin", password = "password"}
+  },
+  login_check = function (host, port, path, user, pass)
+    return try_http_basic_login(host, port, url.absolute(path, "top.html"),
+                               user, pass, false)
+  end
+})
+
+table.insert(fingerprints, {
+  -- Version 2.00.03, .05, .07, .08 on GS108Ev3, GS108PEv3
+  name = "Netgear ProSafe Plus Switch",
+  cpe = "cpe:/h:netgear:gs108*",
+  category = "routers",
+  paths = {
+    {path = "/"}
+  },
+  target_check = function (host, port, path, response)
+    return response.status == 200
+           and response.body
+           and response.body:find("loginTData", 1, true)
+           and response.body:lower():find("<title>netgear ", 1, true)
+  end,
+  login_combos = {
+    {username = "", password = "password"}
+  },
+  login_check = function (host, port, path, user, pass)
+    local resp = http_post_simple(host, port, url.absolute(path, "login.cgi"),
+                                 nil, {password=pass})
+    return resp.status == 200 and sets_cookie(resp, "GS108SID", ".")
+  end
+})
+
+table.insert(fingerprints, {
+  -- AP6521, AP6522, AP7522, AP7532
+  name = "Motorola AP",
+  category = "routers",
+  paths = {
+    {path = "/"}
+  },
+  target_check = function (host, port, path, response)
+    return response.status == 200
+           and (response.header["server"] or ""):find("^lighttpd/%d+%.")
+           and response.body
+           and response.body:lower():find("<title>motorola solutions</title>", 1, true)
+  end,
+  login_combos = {
+    {username = "admin", password = "motorola"}
+  },
+  login_check = function (host, port, path, user, pass)
+    local form = {_dc = math.floor(stdnse.clock_ms()),
+                  username = user,
+                  password = pass}
+    local lurl = url.absolute(path, "rest.fcgi/services/rest/login?" .. url.build_query(form))
+    local resp = http_get_simple(host, port, lurl)
+    if not (resp.status == 200 and resp.body) then return false end
+    local jstatus, jout = json.parse(resp.body)
+    return jstatus and jout.status
+  end
+})
+
+table.insert(fingerprints, {
+  -- Version 3.3.2, 4.3.1, 4.4.0, 4.4.1 on RFS6000
+  name = "Motorola RF Switch",
+  category = "routers",
+  paths = {
+    {path = "/"}
+  },
+  target_check = function (host, port, path, response)
+    return response.status == 200
+           and (response.header["server"] or ""):find("^thttpd/%d+%.")
+           and response.body
+           and response.body:lower():find("<title>motorola wireless network management</title>", 1, true)
+  end,
+  login_combos = {
+    {username = "admin", password = "superuser"}
+  },
+  login_check = function (host, port, path, user, pass)
+    local login = ("J20K34NMMT89XPIJ34S login %s %s"):format(stdnse.tohex(user), stdnse.tohex(pass))
+    local lurl = url.absolute(path, "usmCgi.cgi/?" .. url.escape(login))
+    local resp = http_get_simple(host, port, lurl)
+    return resp.status == 200
+           and (resp.body or ""):find("^login 0 ")
+  end
+})
+
+table.insert(fingerprints, {
+  -- Version 3.4.5.1 on Aruba800
+  name = "ArubaOS WebUI",
+  cpe = "cpe:/o:arubanetworks:arubaos",
+  category = "routers",
+  paths = {
+    {path = "/"}
+  },
+  target_check = function (host, port, path, response)
+    return response.status == 401
+           and response.body
+           and response.body:find("/images/arubalogo.gif", 1, true)
+           and response.body:find("/screens/wms/wms.login", 1, true)
+  end,
+  login_combos = {
+    {username = "admin", password = "admin"}
+  },
+  login_check = function (host, port, path, user, pass)
+    local resp = http_post_simple(host, port,
+                                 url.absolute(path, "screens/wms/wms.login"),
+                                 nil,
+                                 {opcode="login", url="/", needxml="0",
+                                 uid=user, passwd=pass})
+    return resp.status == 200
+           and (resp.body or ""):find("/screens/wmsi/monitor.summary.html", 1, true)
+  end
+})
+
+table.insert(fingerprints, {
+  name = "Aruba AirWave",
+  cpe = "cpe:/a:arubanetworks:airwave",
+  category = "routers",
+  paths = {
+    {path = "/"}
+  },
+  target_check = function (host, port, path, response)
+    return response.status == 401
+           and response.body
+           and response.body:find("/noauth/theme/airwave/favicon.ico", 1, true)
+           and response.body:find("/api/user_prefs.json", 1, true)
+  end,
+  login_combos = {
+    {username = "admin", password = "admin"}
+  },
+  login_check = function (host, port, path, user, pass)
+    return try_http_post_login(host, port, path, "LOGIN",
+                              "403 Forbidden",
+                              {credential_0=user, credential_1=pass,
+                              destination=url.absolute(path, "index.html")})
+  end
+})
+
+table.insert(fingerprints, {
+  -- Version 08.05.100 on NVR 1750D
+  name = "Nortel VPN Router",
+  cpe = "cpe:/h:nortel:vpn_router_*",
+  category = "routers",
+  paths = {
+    {path = "/"}
+  },
+  target_check = function (host, port, path, response)
+    return response.status == 200
+           and response.header["server"] == "HTTP Server"
+           and response.body
+           and response.body:lower():find("<title>nortel vpn router</title>", 1, true)
+  end,
+  login_combos = {
+    {username = "admin", password = "setup"}
+  },
+  login_check = function (host, port, path, user, pass)
+    return try_http_basic_login(host, port,
+                               url.absolute(path, "manage/bdy_sys.htm"),
+                               user, pass, false)
+  end
+})
+
+table.insert(fingerprints, {
+  -- Version 5.0.0r8 on NetScreen 5XT
+  name = "ScreenOS",
+  cpe = "cpe:/o:juniper:netscreen_screenos",
+  category = "routers",
+  paths = {
+    {path = "/"}
+  },
+  target_check = function (host, port, path, response)
+    return response.status == 200
+           and (response.header["server"] or ""):find("^Virata%-EmWeb/R%d+_")
+           and response.body
+           and response.body:lower():find("admin_pw", 1, true)
+  end,
+  login_combos = {
+    {username = "netscreen", password = "netscreen"}
+  },
+  login_check = function (host, port, path, user, pass)
+    local form = {admin_id="",
+                  admin_pw="",
+                  time=tostring(math.floor(stdnse.clock_ms())):sub(5),
+                  un=base64.enc(user),
+                  pw=base64.enc(pass)}
+    local resp = http_post_simple(host, port, url.absolute(path, "index.html"),
+                                 nil, form)
+    return resp.status == 303
+           and (resp.header["location"] or ""):find("/nswebui.html?", 1, true)
+  end
+})
+
+table.insert(fingerprints, {
+  -- Version 11.4.1, 11.5.3
+  name = "F5 TMOS",
+  cpe = "cpe:/o:f5:tmos",
+  category = "routers",
+  paths = {
+    {path = "/"}
+  },
+  target_check = function (host, port, path, response)
+    return response.status == 200
+           and response.body
+           and response.body:find("F5 Networks", 1, true)
+           and response.body:find("BIG-IP", 1, true)
+           and response.body:find("/tmui/tmui/system/settings/redirect.jsp", 1, true)
+  end,
+  login_combos = {
+    {username = "admin", password = "admin"}
+  },
+  login_check = function (host, port, path, user, pass)
+    return try_http_post_login(host, port, path, "tmui/logmein.html",
+                              "login%.jsp%?msgcode=1",
+                              {username=user, passwd=pass})
+  end
+})
+
+table.insert(fingerprints, {
+  -- Version 10.5 on MPX 8005
+  name = "Citrix NetScaler",
+  cpe = "cpe:/a:citrix:netscaler",
+  category = "routers",
+  paths = {
+    {path = "/"}
+  },
+  target_check = function (host, port, path, response)
+    return response.status == 200
+           and response.body
+           and response.body:find("NetScaler", 1, true)
+           and response.body:lower():find("<title>citrix login</title>", 1, true)
+  end,
+  login_combos = {
+    {username = "nsroot", password = "nsroot"}
+  },
+  login_check = function (host, port, path, user, pass)
+    return try_http_post_login(host, port, path, "login/do_login",
+                              "Invalid username or password",
+                              {username=user, password=pass, url="", timezone_offset="0"},
+                              false)
+  end
+})
+
+---
+--Digital recorders
+---
+table.insert(fingerprints, {
+  -- UI Version 03.2 (4.8), 03.2 (5.5)
+  name = "DM Digital Sprite 2",
+  category = "security",
+  paths = {
+    {path = "/"}
+  },
+  target_check = function (host, port, path, response)
+    return response.status == 200
+           and response.body
+           and response.body:find("Dedicated Micros", 1, true)
+           and response.body:find("webpages/index.shtml", 1, true)
+           and response.body:lower():find('<meta%s+name%s*=%s*"author"%s+content%s*=%s*"dedicated micros ')
+  end,
+  login_combos = {
+    {username = "dm", password = "web"}
+  },
+  login_check = function (host, port, path, user, pass)
+    return try_http_basic_login(host, port,
+                               url.absolute(path, "frmpages/index.html"),
+                               user, pass, true)
+  end
+})
+
+table.insert(fingerprints, {
+  -- Version SD32L30, ECS116/A
+  name = "DM NetVu",
+  category = "security",
+  paths = {
+    {path = "/"}
+  },
+  target_check = function (host, port, path, response)
+    return response.status == 200
+           and response.body
+           and response.body:find("Dedicated Micros", 1, true)
+           and response.body:find("/gui/gui_outer_frame.shtml", 1, true)
+           and response.body:lower():find('<meta%s+name%s*=%s*"author"%s+content%s*=%s*"dedicated micros ')
+  end,
+  login_combos = {
+    {username = "", password = ""}
+  },
+  login_check = function (host, port, path, user, pass)
+    local lurl = url.absolute(path, "gui/frmpages/gui_system.shtml")
+    -- Check if authentication is required at all
+    local resp = http_get_simple(host, port, lurl)
+    if resp.status == 200 then
+      return (resp.body or ""):find('top.render_table("System Page"', 1, true)
+    end
+    return try_http_basic_login(host, port, lurl, user, pass, true)
+  end
+})
+
+table.insert(fingerprints, {
+  name = "AXIS Network Camera (M Series)",
+  category = "security",
+  paths = {
+    {path = "/view/viewer_index.shtml"},
+  },
+  target_check = function (host, port, path, response)
+    local realm = http_auth_realm(response) or ""
+    return realm:find("AXIS")
+  end,
+  login_combos = {
+    {username = "admin", password = "admin"},
+    {username = "admin", password = ""},
+    {username = "root", password = ""},
+    {username = "root", password = "root"}
+  },
+  login_check = function (host, port, path, user, pass)
+    return try_http_basic_login(host, port, path, user, pass, false)
+  end
+})
+
+table.insert(fingerprints, {
+  name = "Hikvision DS-XXX Network Camera",
+  category = "security",
+  paths = {
+    {path = "/PSIA/Custom/SelfExt/userCheck"},
+  },
+  target_check = function (host, port, path, response)
+    return response.header["server"] == "App-webs/"
+ 
+  end,
+  login_combos = {
+    {username = "admin", password = "12345"},
+  },
+  login_check = function (host, port, path, user, pass)
+    return try_http_basic_login(host, port, path, user, pass, false)
+  end
+})
+
+table.insert(fingerprints, {
+  name = "NUOO DVR",
+  category = "security",
+  paths = {
+    {path = "/"},
+  },
+  target_check = function (host, port, path, response)
+    return response.header['server'] and response.header["server"]:find("lighttpd") 
+      and response.body and response.body:lower():find("<title>network video recorder login</title>")
+  end,
+  login_combos = {
+    {username = "admin", password = "admin"},
+  },
+  login_check = function (host, port, path, user, pass)
+    local resp = http_post_simple(host, port,
+                                 url.absolute(path, "login.php"), nil,
+                                 {language="en", user=user, pass=pass,submit="Login"})
+    if resp.status == 302 and not(resp.body:find("loginfail")) then return true end
+  end
+})
+
+---
+--Industrial systems
+---
+table.insert(fingerprints, {
+  -- Version 2.1.2, 2.2.0 on TSX ETY Port, 1.0.4, 2.2.0 on TSX ETY410
+  name = "Schneider Modicon Web",
+  category = "industrial",
+  paths = {
+    {path = "/"}
+  },
+  target_check = function (host, port, path, response)
+    return response.status == 302
+           and (response.header["server"] or ""):find("^Schneider%-WEB/V%d+%.")
+           and (response.header["location"] or ""):find("/index%.htm$")
+  end,
+  login_combos = {
+    {username = "USER", password = "USER"}
+  },
+  login_check = function (host, port, path, user, pass)
+    return try_http_basic_login(host, port,
+                               url.absolute(path, "secure/system/globaldata.htm?Language=English"),
+                               user, pass, false)
+  end
+})
+
+table.insert(fingerprints, {
+  -- Version 06.05.00/6.0.1 on QD2040 HW 675
+  name = "TCS Basys Controls Communication Center",
+  category = "industrial",
+  paths = {
+    {path = "/"}
+  },
+  target_check = function (host, port, path, response)
+    return http_auth_realm(response) == "Private"
+           and (response.header["server"] or ""):find("^lighttpd/%d+%.")
+  end,
+  login_combos = {
+    {username = "admin", password = "password"}
+  },
+  login_check = function (host, port, path, user, pass)
+    return try_http_basic_login(host, port, path, user, pass, false)
+  end
+})
+
+table.insert(fingerprints, {
+  -- Version 01.01
+  name = "Riello UPS NetMan 204",
+  category = "industrial",
+  paths = {
+    {path = "/"}
+  },
+  target_check = function (host, port, path, response)
+    return response.status == 200
+           and (response.header["server"] or ""):find("^mini_httpd/%d+%.")
+           and response.body
+           and response.body:lower():find("<title>netman 204 login</title>", 1, true)
+  end,
+  login_combos = {
+    {username = "admin",     password = "admin"},
+    {username = "fwupgrade", password = "fwupgrade"},
+    {username = "user",      password = "user"},
+    {username = "eurek",     password = "eurek"}
+  },
+  login_check = function (host, port, path, user, pass)
+    local resp = http_post_simple(host, port,
+                                 url.absolute(path, "cgi-bin/login.cgi"),
+                                 nil, {username=user, password=pass})
+    return resp.status == 200
+           and resp.body
+           and (resp.body:find(">window.location.replace(", 1, true)
+             or resp.body:find("Another user is logged in", 1, true))
+  end
+})
+
+table.insert(fingerprints, {
+  -- Version 3.2.5 on AP9606, 2.5.0, 2.6.4 on AP9617, AP9619, 1.1.6 on AP7900
+  name = "APC Management Card (basic auth)",
+  category = "industrial",
+  paths = {
+    {path = "/"}
+  },
+  target_check = function (host, port, path, response)
+    return http_auth_realm(response) == "APC Management Card"
+  end,
+  login_combos = {
+    {username = "apc", password = "apc"}
+  },
+  login_check = function (host, port, path, user, pass)
+    return try_http_basic_login(host, port, path, user, pass, false)
+  end
+})
+
+---
+--Printers
+---
+table.insert(fingerprints, {
+  -- Version 61.17.5Z on ZTC GK420d
+  name = "Zebra Printer",
+  category = "printer",
+  paths = {
+    {path = "/"}
+  },
+  target_check = function (host, port, path, response)
+    return response.status == 200
+           and response.body
+           and response.body:find("Zebra Technologies", 1, true)
+           and response.body:lower():find('<a href="config.html">view printer configuration</a>', 1, true)
+  end,
+  login_combos = {
+    {username = "", password = "1234"}
+  },
+  login_check = function (host, port, path, user, pass)
+    return try_http_post_login(host, port, path, "authorize",
+                              "incorrect password", {["0"]=pass})
+  end
+})
+
+table.insert(fingerprints, {
+  -- Version 61.17.5Z on ZTC GK420d, 1.01.4
+  name = "Zebra Print Server",
+  category = "printer",
+  paths = {
+    {path = "/server/TCPIPGEN.htm"}
+  },
+  target_check = function (host, port, path, response)
+    return http_auth_realm(response) == "Network Print Server"
+  end,
+  login_combos = {
+    {username = "admin", password = "1234"}
+  },
+  login_check = function (host, port, path, user, pass)
+    return try_http_basic_login(host, port, path, user, pass, false)
+  end
+})
+
+table.insert(fingerprints, {
+  -- Version 1.04.9 on RICOH MP C4503, 1.05 on MP 5054, 1.12 on MP C5000
+  name = "RICOH Web Image Monitor",
+  category = "printer",
+  paths = {
+    {path = "/"}
+  },
+  target_check = function (host, port, path, response)
+    return response.status == 200
+           and (response.header["server"] or ""):find("^Web%-Server/%d+%.")
+           and response.body
+           and response.body:find("/websys/webArch/mainFrame.cgi", 1, true)
+  end,
+  login_combos = {
+    {username = "admin",      password = ""},
+    {username = "supervisor", password = ""}
+  },
+  login_check = function (host, port, path, user, pass)
+    -- determine proper login path by locale
+    local resp0 = http.get(host, port, path)
+    if resp0.status ~= 200 then return false end
+    local lurl = (resp0.body or ""):match('location%.href="(/[^"]+/)mainFrame%.cgi"')
+    if not lurl then return false end
+    -- harvest the login form token
+    local resp1 = http_get_simple(host, port, url.absolute(lurl, "authForm.cgi"),
+                                 {cookies="cookieOnOffChecker=on"})
+    if resp1.status ~= 200 then return false end
+    local token = (resp1.body or ""):match('<input%s+type%s*=%s*"hidden"%s+name%s*=%s*"wimToken"%s+value%s*=%s*"(.-)"')
+    if not token then return false end
+    -- build the login form and submit it
+    local form = {wimToken = token,
+                  userid_work = "",
+                  userid = base64.enc(user),
+                  password_work = "",
+                  password = base64.enc(pass),
+                  open = ""}
+    local resp2 = http_post_simple(host, port, url.absolute(lurl, "login.cgi"),
+                                  {cookies=resp1.cookies}, form)
+    return resp2.status == 302
+           and (resp2.header["location"] or ""):find("/mainFrame%.cgi$")
+           and sets_cookie(resp2, "wimsesid", "^%d+$")
+  end
+})
+
+table.insert(fingerprints, {
+  -- Version 071.*, 072.* on WorkCentre 7835, 7845, ColorQube 8900X
+  name = "Xerox WorkCentre/ColorQube",
+  cpe = "cpe:/h:xerox:workcentre",
+  category = "printer",
+  paths = {
+    {path = "/"}
+  },
+  target_check = function (host, port, path, response)
+    return response.status == 200
+           and response.body
+           and response.body:find('SuppliesType != "InkStick"', 1, true)
+           and response.body:find("XEROX WORKCENTRE", 1, true)
+  end,
+  login_combos = {
+    {username = "admin", password = "1111"}
+  },
+  login_check = function (host, port, path, user, pass)
+    local form = {_fun_function="HTTP_Authenticate_fn",
+                  NextPage=url.absolute(path, "properties/authentication/luidLogin.php"),
+                  webUsername=user,
+                  webPassword=pass,
+                  frmaltDomain="default"}
+    return try_http_post_login(host, port, path, "userpost/xerox.set",
+                              "/login%.php%?invalid=t", form)
+  end
+})
+
+table.insert(fingerprints, {
+  -- Version 1.1, 1.1 SP7
+  name = "EFI Fiery Webtools",
+  category = "printer",
+  paths = {
+    {path = "/"}
+  },
+  target_check = function (host, port, path, response)
+    return response.status == 200
+           and (response.header["content-location"] or ""):find("^redirect%.html%.")
+           and response.body
+           and response.body:lower():find('content="0;url=wt2parser.cgi?home_', 1, true)
+  end,
+  login_combos = {
+    {username = "Administrator", password = ""},
+    {username = "Administrator", password = "Fiery.1"}
+  },
+  login_check = function (host, port, path, user, pass)
+    -- sessionId normally includes the client IP, not the target,
+    -- but this would be too revealing
+    local sessionid = host.ip
+                      .. "_"
+                      .. math.floor(stdnse.clock_ms())
+                      .. math.random(100000, 999999)
+    local encpass = xmlencode(pass)
+    local header = {["Content-Type"]="text/xml", ["SOAPAction"]='""'}
+    local soapmsg = [[
+      <?xml version='1.0' encoding='UTF-8'?>
+      <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
+        <SOAP-ENV:Body>
+          <ns1:doLogin xmlns:ns1="urn:FierySoapService" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
+            <sessionId xsi:type="xsd:string">__SESS__</sessionId>
+            <in xsi:type="ns1:Login">
+              <fieldsMask xsi:type="xsd:int">0</fieldsMask>
+              <password xsi:type="xsd:string">__PASS__</password>
+              <timeout xsi:type="xsd:int">30</timeout>
+              <userName xsi:type="xsd:string" xsi:nil="true"/>
+            </in>
+          </ns1:doLogin>
+        </SOAP-ENV:Body>
+      </SOAP-ENV:Envelope>
+      ]]
+    -- strip off indentation
+    soapmsg = soapmsg:gsub("%f[^\0\n]%s+", "")
+    -- username is not injected into the payload because it is implied
+    soapmsg = soapmsg:gsub("__%w+__", {__SESS__=sessionid, __PASS__=encpass})
+    local resp = http_post_simple(host, port, url.absolute(path, "soap"),
+                                 {header=header}, soapmsg)
+    return resp.status == 200
+           and (resp.body or ""):find('<result xsi:type="xsd:boolean">true</result>', 1, true)
+  end
+})
+
+table.insert(fingerprints, {
+  -- Version 3.6/4
+  name = "Lantronix ThinWeb Manager",
+  category = "printer",
+  paths = {
+    {path = "/"}
+  },
+  target_check = function (host, port, path, response)
+    return have_openssl
+           and response.status == 200
+           and (response.header["server"] or ""):find("^Gordian Embedded")
+           and response.body
+           and response.body:lower():find("<title>lantronix thinweb manager", 1, true)
+  end,
+  login_combos = {
+    {username = "", password = "system"}
+  },
+  login_check = function (host, port, path, user, pass)
+    local lurl = url.absolute(path, "server_eps.html")
+    -- obtain login nonce
+    local resp1 = http_get_simple(host, port, lurl)
+    local nonce = resp1.status == 403 and sets_cookie(resp1, "SrvrNonce", ".")
+    if not nonce then return false end
+    -- credential is the MD5 hash of the nonce and the password (in upper case)
+    local creds = stdnse.tohex(openssl.md5(nonce .. ":" .. pass:upper()))
+    local cookies = ("SrvrNonce=%s; SrvrCreds=%s"):format(nonce, creds)
+    local resp2 = http_get_simple(host, port, lurl, {cookies=cookies})
+    return resp2.status == 200
+  end
+})
+
+---
+--Storage
+---
+table.insert(fingerprints, {
+  -- Version TS200R021 on MSA 2000 G3
+  name = "HP Storage Management Utility",
+  category = "storage",
+  paths = {
+    {path = "/api/id/"}
+  },
+  -- TODO: Change the probe path to "/" and use the following target_check
+  -- once the http library adds support for gzip encoding. Don't forget
+  -- to change url.absolute() argument from "../" to "api/" in login_check.
+  --target_check = function (host, port, path, response)
+  --  return have_openssl
+  --         and response.status == 200
+  --         and response.body
+  --         and response.body:find("brandStrings", 1, true)
+  --         and response.body:find("checkAuthentication", 1, true)
+  --         and response.body:find("hp stuff init", 1, true)
+  --end,
+  target_check = function (host, port, path, response)
+    return have_openssl
+           and response.status == 200
+           and response.header["command-status"]
+           and response.header["command-status"]:find("^0 %({%s*systemName:.*,%s*controller:.*}%)")
+  end,
+  login_combos = {
+    {username = "monitor", password = "!monitor"},
+    {username = "manage",  password = "!manage"},
+    {username = "admin",   password = "!admin"}
+  },
+  login_check = function (host, port, path, user, pass)
+    local creds = stdnse.tohex(openssl.md5(user .. "_" .. pass))
+    local header = {["Content-Type"] = "application/x-www-form-urlencoded",
+                    ["datatype"] = "json"}
+    local resp = http_post_simple(host, port, url.absolute(path, "../"),
+                                 {header=header}, "/api/login/" .. creds)
+    return resp.status == 200
+           and (resp.header["command-status"] or ""):find("^1 ")
+  end
+})
+
+table.insert(fingerprints, {
+  -- Version 7.5.0.3 on 2072-24C
+  name = "IBM Storwize V3700",
+  cpe = "cpe:/a:ibm:storwize_v3700_software",
+  category = "storage",
+  paths = {
+    {path = "/"}
+  },
+  target_check = function (host, port, path, response)
+    return response.status == 200
+           and response.body
+           and response.body:find("V3700", 1, true)
+           and response.body:lower():find("<title>[^<]-%sibm storwize v3700%s*</title>")
+  end,
+  login_combos = {
+    {username = "superuser", password = "passw0rd"}
+  },
+  login_check = function (host, port, path, user, pass)
+    local form = {login=user,
+                 password=pass,
+                 newPassword="",
+                 confirmPassword="",
+                 tzoffset="0", -- present twice in the original form
+                 nextURL="",   -- present twice in the original form
+                 licAccept=""}
+    local resp = http_post_simple(host, port, url.absolute(path, "login"),
+                                 nil, form)
+    return resp.status == 302
+           and (resp.header["location"] or ""):find("/gui$")
+  end
+})
+
+---
+--Virtualization systems
+---
+table.insert(fingerprints, {
+  -- Version 5.0.0
+  name = "VMware ESXi",
+  cpe = "cpe:/o:vmware:esxi",
+  category = "virtualization",
+  paths = {
+    {path = "/"}
+  },
+  target_check = function (host, port, path, response)
+    return response.status == 200
+           and response.body
+           and response.body:find("ID_EESX_Welcome", 1, true)
+           and response.body:find("/folder?dcPath=ha-datacenter", 1, true)
+  end,
+  login_combos = {
+    {username = "root", password = ""}
+  },
+  login_check = function (host, port, path, user, pass)
+    return try_http_basic_login(host, port,
+                               url.absolute(path, "folder?dcPath=ha-datacenter"),
+                               user, pass, false)
+  end
+})
+
+table.insert(fingerprints, {
+  -- Version 4.0.0
+  name = "PCoIP Zero Client",
+  cpe = "cpe:/a:teradici:pcoip_host_software",
+  category = "virtualization",
+  paths = {
+    {path = "/login.html"}
+  },
+  target_check = function (host, port, path, response)
+    return response.status == 200
+           and response.body
+           and response.body:find("PCoIP&#174 Zero Client", 1, true)
+           and response.body:find("password_value", 1, true)
+  end,
+  login_combos = {
+    {username = "", password = "Administrator"}
+  },
+  login_check = function (host, port, path, user, pass)
+    local resp = http_post_simple(host, port, url.absolute(path, "cgi-bin/login"),
+                                 nil, {password_value=pass, idle_timeout=60})
+    -- successful login is a 302-redirect that sets a session cookie with hex
+    -- value; failed login is the same but the cookie contains an error message
+    return resp.status == 302 and sets_cookie(resp, "session_id", "^%x+$")
+  end
+})
+
+---
+--Remote consoles
+---
+table.insert(fingerprints, {
+  -- Version 5.5, 6.1, 6.2, 7.2 on SLC16, SLC32, SLC48, SLC 8016
+  name = "Lantronix SLC",
+  category = "console",
+  paths = {
+    {path = "/"}
+  },
+  target_check = function (host, port, path, response)
+    return response.status == 200
+           and (response.header["server"] or ""):find("^mini_httpd/%d+%.")
+           and response.body
+           and response.body:find("lantronix", 1, true)
+           and response.body:find("slcpassword", 1, true)
+  end,
+  login_combos = {
+    {username = "sysadmin", password = "PASS"}
+  },
+  login_check = function (host, port, path, user, pass)
+    return try_http_post_login(host, port, path, "./",
+                              "%sname%s*=%s*(['\"]?)slcpassword%1[%s>]",
+                              {slclogin=user, slcpassword=pass})
+  end
+})
+
+table.insert(fingerprints, {
+  --Version 1.10.12, 1.80
+  name = "Dell iDRAC6",
+  cpe = "cpe:/o:dell:idrac6_firmware",
+  category = "console",
+  paths = {
+    {path = "/"}
+  },
+  target_check = function (host, port, path, response)
+    return response.status == 301
+           and (response.header["server"] or ""):find("^Mbedthis%-Appweb/%d+%.")
+           and (response.header["location"] or ""):find("/start%.html$")
+  end,
+  login_combos = {
+    {username = "root", password = "calvin"}
+  },
+  login_check = function (host, port, path, user, pass)
+    return try_http_post_login(host, port, path, "data/login",
+                              "<authResult>1</authResult>",
+                              {user=user, password=pass})
+  end
+})
+
+table.insert(fingerprints, {
+  name = "Dell iDRAC9",
+  cpe = "cpe:/o:dell:idrac9_firmware",
+  category = "console",
+  paths = {
+    {path = "/"}
+  },
+  target_check = function (host, port, path, response)
+    -- analyze response for 1st request to "/"
+    if not (response.status == 302 and (response.header["location"] or ""):find("/restgui/start%.html$")) then return false end
+
+    -- check with 2nd request to "/restgui/start.html" to be sure
+    local resp = http_get_simple(host, port, url.absolute(path, "restgui/start.html"))  
+    return resp.status == 200
+           and resp.body
+           and resp.body:find("idrac-start-screen", 1, true)
+  end,
+  login_combos = {
+    {username = "root", password = "calvin"}
+  },
+  login_check = function (host, port, path, user, pass)
+    local headers = {
+                      ["user"]='"'..user..'"',
+                      ["password"]='"'..pass..'"'
+                    }
+    local resp = http_post_simple(host, port, url.absolute(path, "sysmgmt/2015/bmc/session"),
+                                 {header=headers})
+    local body = resp.body or ""
+
+    return (resp.status == 201 and (
+                body:find('"authResult":0') -- standard login success
+                or body:find('"authResult":7') -- login success with default credentials
+                or body:find('"authResult":9') -- login success with password reset required
+              )
+            )
+  end
+})
+
+table.insert(fingerprints, {
+  --Version 1.1 on Supermicro X7SB3
+  name = "Supermicro WPCM450",
+  category = "console",
+  paths = {
+    {path = "/"}
+  },
+  target_check = function (host, port, path, response)
+    return response.status == 200
+           and response.body
+           and response.body:find("ATEN International", 1, true)
+           and response.body:find("/cgi/login.cgi", 1, true)
+  end,
+  login_combos = {
+    {username = "ADMIN", password = "ADMIN"}
+  },
+  login_check = function (host, port, path, user, pass)
+    local resp = http_post_simple(host, port, url.absolute(path, "cgi/login.cgi"),
+                                 nil, {name=user, pwd=pass})
+    return resp.status == 200
+           and (resp.body or ""):find("../cgi/url_redirect.cgi?url_name=mainmenu", 1, true)
+  end
+})
-- 
cgit v1.2.3