diff --git a/nselib/data/http-default-accounts-fingerprints.lua b/nselib/data/http-default-accounts-fingerprints.lua index 34411feaa..12b24b960 100644 --- a/nselib/data/http-default-accounts-fingerprints.lua +++ b/nselib/data/http-default-accounts-fingerprints.lua @@ -4,6 +4,7 @@ local http = require "http" local stdnse = require "stdnse" local table = require "table" local url = require "url" +local have_openssl, openssl = pcall(require, 'openssl') --- -- http-default-accounts-fingerprints.lua @@ -555,6 +556,47 @@ table.insert(fingerprints, { end }) +table.insert(fingerprints, { + -- Version 3.6/4 + name = "Lantronix ThinWeb Manager", + category = "printer", + paths = { + {path = "/"} + }, + target_check = function (host, port, path, response) + -- This fingerprint needs OpenSSL for MD5 + return have_openssl + and response.status == 200 + and response.header["server"] + and response.header["server"]:find("^Gordian Embedded") + and response.body + and response.body:lower():find("lantronix thinweb manager", 1, true) + end, + login_combos = { + {username = "", password = "system"} + }, + login_check = function (host, port, path, user, pass) + local lurl = url.absolute(path, "server_eps.html") + -- obtain login nonce + local req1 = http.get(host, port, lurl, {no_cache=true, redirect_ok=false}) + if req1.status ~= 403 then return false end + local nonce = nil + for _, ck in ipairs(req1.cookies or {}) do + if ck.name == "SrvrNonce" then + nonce = ck.value + break + end + end + if not nonce then return false end + -- credential is the MD5 hash of the nonce and the password (in upper case) + local creds = stdnse.tohex(openssl.md5(nonce .. ":" .. pass:upper())) + local cookies = ("SrvrNonce=%s; SrvrCreds=%s"):format(nonce, creds) + local req2 = http.get(host, port, lurl, + {cookies=cookies, no_cache=true, redirect_ok=false}) + return req2.status == 200 + end +}) + --- --Remote consoles ---