From e8adfb9599cd7fb2c982caa6951014ee7dac34e6 Mon Sep 17 00:00:00 2001
From: david
Date: Fri, 7 Nov 2008 17:16:20 +0000
Subject: [PATCH] o http-auth.nse now properly checks for default authentication credentials. A bug prevented it from working before. [Vlatko Kosturjak]
---
 CHANGELOG | 4 ++++
 scripts/http-auth.nse | 25 +++++++++++++++----------
 2 files changed, 19 insertions(+), 10 deletions(-)
diff --git a/CHANGELOG b/CHANGELOG
index 0361c4a41..bf33fccfc 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,5 +1,9 @@
 # Nmap Changelog ($Id$); -*-text-*-
+o http-auth.nse now properly checks for default authentication
+ credentials. A bug prevented it from working before. [Vlatko
+ Kosturjak]
+
 o Renamed irc-zombie.nse to auth-spoof and improved its description and output a bit. [Fyodor]
diff --git a/scripts/http-auth.nse b/scripts/http-auth.nse
index 58b97a311..1f568eed3 100644
--- a/scripts/http-auth.nse
+++ b/scripts/http-auth.nse
@@ -5,11 +5,16 @@ authentication.
 ---
 -- @output
+-- 80/tcp open http
 -- | http-auth: HTTP Service requires authentication
--- |_ Auth type: Basic, realm = DSL Router
+-- | Auth type: Basic, realm = Password Required
+-- |_ HTTP server may accept admin:admin combination for Basic authentication
 -- HTTP authentication information gathering script
 -- rev 1.1 (2007-05-25)
+-- 2008-11-06 Vlatko Kosturjak
+-- * bug fixes against base64 encoded strings, more flexible auth/pass check,
+-- corrected sample output
 author = "Thomas Buchanan "
@@ -19,12 +24,14 @@ categories = {"default", "auth", "intrusive"}
 require "shortport"
 require "http"
+require "base64"
 portrule = shortport.port_or_service({80, 443, 8080}, {"http","https"})
 action = function(host, port)
- local realm,scheme,result
+ local realm,scheme,result,authheader
 local basic = false
+ local authcombinations= {"admin:", "admin:admin"}
 local answer = http.get( host, port, "/" )
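Review bot: In the `@@ -19,12 +24,14 @@` hunk of scripts/http-auth.nse, `authcombinations` is introduced without a comment, and its entries only make sense once you know they are `user:password` strings that the later loop base64-encodes; `"admin:"` in particular reads like a typo rather than "admin with an empty password". I would add `-- user:password pairs tried when the server offers Basic auth; "admin:" means an empty password` above the declaration. Because the hunk header shows the script is in the `default` category, the script description could also state that it sends these two login attempts, which is what someone reading the server's authentication logs after a scan would need to know. The body of `action` continues outside this hunk.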
@@ -53,14 +60,12 @@ action = function(host, port)
 end
 if basic then
- answer = http.get(host, port, '/', {header={Authorization="Basic YWRtaW46C"}})
- if answer.status ~= 401 and answer.status ~= 403 then
- result = result .. " HTTP server may accept user=\"admin\" with blank password for Basic authentication\n"
- end
-
- answer = http.get(host, port, '/', {header={Authorization="Basic YWRtaW46YWRtaW4"}})
- if answer.status ~= 401 and answer.status ~= 403 then
- result = result .. " HTTP server may accept user=\"admin\" with password=\"admin\" for Basic authentication\n"
+ for _, combination in pairs (authcombinations) do
+ authheader = "Basic " .. base64.enc(combination)
+ answer = http.get(host, port, '/', {header={Authorization=authheader}})
+ if answer.status ~= 401 and answer.status ~= 403 then
+ result = result .. " HTTP server may accept " .. combination .. " combination for Basic authentication\n"
+ end
 end
 end
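Review bot: The acceptance test in the new loop, `if answer.status ~= 401 and answer.status ~= 403 then`, counts every other outcome as a possible login, so a redirect, a 404 or 500, or a response with no status at all (if `http.get` can return one; its failure behaviour is not visible here) is reported as the server accepting the credentials. I would make the success condition explicit, for example `if answer.status and answer.status >= 200 and answer.status < 300 then`, or whatever range the project treats as authenticated. Since `authcombinations` is a plain array, `ipairs(authcombinations)` instead of `pairs (authcombinations)` would also keep the report lines in list order. `action` begins before this hunk, so the earlier handling of `result` and `basic` is not shown.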