PenTest/nmap
1
0
Fork 0
mirror of https://github.com/nmap/nmap.git synced 2025-12-18 13:39:02 +00:00
Code Issues Projects Releases Wiki Activity

New default accounts from nnposter. Closes #301

Browse Source
This commit is contained in:
dmiller
2016-02-14 14:42:18 +00:00
parent 1cde9a4ed7
commit b5f5690bb0
2 changed files with 65 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
CHANGELOG
View File

@@ -1,5 +1,8 @@
# Nmap Changelog ($Id$); -*-text-*- # Nmap Changelog ($Id$); -*-text-*-
o [NSE][GH#301] Added default credential checks for RICOH Web Image Monitor and
BeEF to http-default-accounts. [nnposter]
o Properly display Next-hop MTU value from ICMP Type 3 Code 4 Fragmentation o Properly display Next-hop MTU value from ICMP Type 3 Code 4 Fragmentation
Required messages when tracing packets or in Nping output. Improper offset Required messages when tracing packets or in Nping output. Improper offset
meant we were printing the total IP length. [Sławomir Demeszko] meant we were printing the total IP length. [Sławomir Demeszko]

62
nselib/data/http-default-accounts-fingerprints.lua
View File

@@ -1,3 +1,4 @@
local base64 = require "base64"
local bin = require "bin" local bin = require "bin"
local http = require "http" local http = require "http"
local table = require "table" local table = require "table"
@@ -199,6 +200,27 @@ table.insert(fingerprints, {
return try_http_post_login(host, port, path, "login", "Invalid auth credentials!", {submit="+Login+", userName=user, password=pass}) return try_http_post_login(host, port, path, "login", "Invalid auth credentials!", {submit="+Login+", userName=user, password=pass})
end end
}) })
table.insert(fingerprints, {
name = "BeEF",
category = "web",
paths = {
{path = "/ui/authentication/"}
},
target_check = function (host, port, path, response)
return response.body
and response.body:lower():find("<title>beef authentication</title>", 1, true)
end,
login_combos = {
{username = "beef", password = "beef"}
},
login_check = function (host, port, path, user, pass)
return try_http_post_login(host, port, path, "login",
"{%s*success%s*:%s*false%s*}",
{["username-cfrm"]=user, ["password-cfrm"]=pass})
end
})
--- ---
--ROUTERS --ROUTERS
--- ---
@@ -424,6 +446,46 @@ table.insert(fingerprints, {
end end
}) })
table.insert(fingerprints, {
name = "RICOH Web Image Monitor",
category = "printer",
paths = {
{path = "/web/guest/en/websys/webArch/header.cgi"}
},
target_check = function (host, port, path, response)
return response.header["server"]
and response.header["server"]:find("^Web%-Server/%d+%.%d+$")
and response.body
and response.body:find("RICOH", 1, true)
end,
login_combos = {
{username = "admin", password = ""},
{username = "supervisor", password = ""}
},
login_check = function (host, port, path, user, pass)
-- harvest the login form token
local req1 = http.get(host, port, url.absolute(path, "authForm.cgi"), {no_cache=true, redirect_ok = false, cookies = "cookieOnOffChecker=on"})
if req1.status ~= 200 then return false end
local token = req1.body and req1.body:match('<input%s+type%s*=%s*"hidden"%s+name%s*=%s*"wimToken"%s+value%s*=%s*"(.-)"')
if not token then return false end
-- build the login form and submit it
local form = {wimToken = token,
userid_work = "",
userid = base64.enc(user),
password_work = "",
password = base64.enc(pass),
open = ""}
local req2 = http.post(host, port, url.absolute(path, "login.cgi"), {no_cache=true, cookies=req1.cookies}, nil, form)
local loc = req2.header["location"] or ""
-- successful login is a 302-redirect that sets a session cookie with numerical value
if not (req2.status == 302 and loc:find("/mainFrame%.cgi$")) then return false end
for _, ck in ipairs(req2.cookies or {}) do
if ck.name:lower() == "wimsesid" then return ck.value:find("^%d+$") end
end
return false
end
})
--- ---
--Remote consoles --Remote consoles
--- ---