nmap/scripts/http-default-accounts.nse

local _G = require "_G"
local creds = require "creds"
local http = require "http"
local nmap = require "nmap"
local shortport = require "shortport"
local stdnse = require "stdnse"
local string = require "string"
local table = require "table"

description = [[
Tests for access with default credentials used by a variety of web applications and devices.

It works similar to http-enum, we detect applications by matching known paths and launching a login routine using default credentials when found.
This script depends on a fingerprint file containing the target's information: name, category, location paths, default credentials and login routine.

You may select a category if you wish to reduce the number of requests. We have categories like:
* <code>web</code> - Web applications
* <code>routers</code> - Routers
* <code>security</code> - CCTVs and other security devices
* <code>industrial</code> - Industrial systems
* <code>printer</code> - Network-attached printers and printer servers
* <code>storage</code> - Storage devices
* <code>virtualization</code> - Virtualization systems
* <code>console</code> - Remote consoles

Please help improve this script by adding new entries to nselib/data/http-default-accounts.lua

Remember each fingerprint must have:
* <code>name</code> - Descriptive name
* <code>category</code> - Category
* <code>login_combos</code> - Table of login combinations
* <code>paths</code> - Table containing possible path locations of the target
* <code>login_check</code> - Login function of the target

In addition, a fingerprint may have:
* <code>target_check</code> - Target validation function. If defined, it will be called to validate the target before attempting any logins.

Default fingerprint file: /nselib/data/http-default-accounts-fingerprints.lua
This script was based on http-enum.
]]

---
-- @usage
-- nmap -p80 --script http-default-accounts host/ip
--
-- @output
-- PORT   STATE SERVICE
-- 80/tcp open  http
-- | http-default-accounts:
-- |   [Cacti] at /
-- |     admin:admin
-- |   [Nagios] at /nagios/
-- |_    nagiosadmin:CactiEZ
--
-- @xmloutput
-- <table key="Cacti">
--   <elem key="path">/</elem>
--   <table key="credentials">
--     <table>
--       <elem key="username">admin</elem>
--       <elem key="password">admin</elem>
--     </table>
--   </table>
-- </table>
-- <table key="Nagios">
--   <elem key="path">/nagios/</elem>
--   <table key="credentials">
--     <table>
--       <elem key="username">nagiosadmin</elem>
--       <elem key="password">CactiEZ</elem>
--     </table>
--   </table>
-- </table>
--
-- @args http-default-accounts.basepath Base path to append to requests. Default: "/"
-- @args http-default-accounts.fingerprintfile Fingerprint filename. Default: http-default-accounts-fingerprints.lua
-- @args http-default-accounts.category Selects a category of fingerprints to use.

-- Revision History
-- 2013-08-13 nnposter
--   * added support for target_check()
-- 2014-04-27
--   * changed category from safe to intrusive
-- 2016-08-10 nnposter
--   * added sharing of probe requests across fingerprints
-- 2016-10-30 nnposter
--   * removed a limitation that prevented testing of systems returning
--     status 200 for non-existent pages.
-- 2016-12-01 nnposter
--   * implemented XML structured output
--   * changed classic output to report empty credentials as <blank>
---

author = {"Paulino Calderon <calderon@websec.mx>", "nnposter"}
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"discovery", "auth", "intrusive"}

portrule = shortport.http

---
--validate_fingerprints(fingerprints)
--Returns an error string if there is something wrong with
--fingerprint table.
--Modified version of http-enums validation code
--@param fingerprints Fingerprint table
--@return Error string if its an invalid fingerprint table
---
local function validate_fingerprints(fingerprints)

  for i, fingerprint in pairs(fingerprints) do
    if(type(i) ~= 'number') then
      return "The 'fingerprints' table is an array, not a table; all indexes should be numeric"
    end
    -- Validate paths
    if(not(fingerprint.paths) or
      (type(fingerprint.paths) ~= 'table' and type(fingerprint.paths) ~= 'string') or
      (type(fingerprint.paths) == 'table' and #fingerprint.paths == 0)) then
      return "Invalid path found in fingerprint entry #" .. i
    end
    if(type(fingerprint.paths) == 'string') then
      fingerprint.paths = {fingerprint.paths}
    end
    for i, path in pairs(fingerprint.paths) do
      -- Validate index
      if(type(i) ~= 'number') then
        return "The 'paths' table is an array, not a table; all indexes should be numeric"
      end
      -- Convert the path to a table if it's a string
      if(type(path) == 'string') then
        fingerprint.paths[i] = {path=fingerprint.paths[i]}
        path = fingerprint.paths[i]
      end
      -- Make sure the paths table has a 'path'
      if(not(path['path'])) then
        return "The 'paths' table requires each element to have a 'path'."
      end
    end
    -- Check login combos
    for i, combo in pairs(fingerprint.login_combos) do
      -- Validate index
      if(type(i) ~= 'number') then
        return "The 'login_combos' table is an array, not a table; all indexes should be numeric"
      end
      -- Make sure the login_combos table has at least one login combo
      if(not(combo['username']) or not(combo["password"])) then
        return "The 'login_combos' table requires each element to have a 'username' and 'password'."
      end
    end

     -- Make sure they include the login function
    if(type(fingerprint.login_check) ~= "function") then
      return "Missing or invalid login_check function in entry #"..i
    end
     -- Make sure that the target validation is a function
    if(fingerprint.target_check and type(fingerprint.target_check) ~= "function") then
      return "Invalid target_check function in entry #"..i
    end
      -- Are they missing any fields?
    if(fingerprint.category and type(fingerprint.category) ~= "string") then
      return "Missing or invalid category in entry #"..i
    end
    if(fingerprint.name and type(fingerprint.name) ~= "string") then
      return "Missing or invalid name in entry #"..i
    end
  end
end

---
-- load_fingerprints(filename, category)
-- Loads data from file and returns table of fingerprints if sanity checks are passed
-- Based on http-enum's load_fingerprints()
-- @param filename Fingerprint filename
-- @param cat Category of fingerprints to use
-- @return Table of fingerprints
---
local function load_fingerprints(filename, cat)
  local file, filename_full, fingerprints

  -- Check if fingerprints are cached
  if(nmap.registry.http_default_accounts_fingerprints ~= nil) then
    stdnse.debug(1, "Loading cached fingerprints")
    return nmap.registry.http_default_accounts_fingerprints
  end

  -- Try and find the file
  -- If it isn't in Nmap's directories, take it as a direct path
  filename_full = nmap.fetchfile('nselib/data/' .. filename)
  if(not(filename_full)) then
    filename_full = filename
  end

  -- Load the file
  stdnse.debug(1, "Loading fingerprints: %s", filename_full)
  local env = setmetatable({fingerprints = {}}, {__index = _G});
  file = loadfile(filename_full, "t", env)
  if( not(file) ) then
    stdnse.debug(1, "Couldn't load the file: %s", filename_full)
    return false, "Couldn't load fingerprint file: " .. filename_full
  end
  file()
  fingerprints = env.fingerprints

  -- Validate fingerprints
  local valid_flag = validate_fingerprints(fingerprints)
  if type(valid_flag) == "string" then
    return false, valid_flag
  end

  -- Category filter
  if ( cat ) then
    local filtered_fingerprints = {}
    for _, fingerprint in pairs(fingerprints) do
      if(fingerprint.category == cat) then
        table.insert(filtered_fingerprints, fingerprint)
      end
    end
    fingerprints = filtered_fingerprints
  end

  -- Check there are fingerprints to use
  if(#fingerprints == 0 ) then
    return false, "No fingerprints were loaded after processing ".. filename
  end

  return true, fingerprints
end

---
-- format_basepath(basepath)
-- Modifies a given path so that it can be later prepended to another absolute
-- path to form a new absolute path.
-- @param basepath Basepath string
-- @return Basepath string with a leading slash and no trailing slashes.
--                   (Empty string is returned if the input is an empty string
--                   or "/".)
---
local function format_basepath(basepath)
  if basepath:sub(1,1) ~= "/" then
    basepath = "/" .. basepath
  end
  return basepath:gsub("/+$","")
end

---
-- test_credentials(host, port, fingerprint, path)
-- Tests default credentials of a given fingerprint against a given path.
-- Any successful credentials are registered in the Nmap credential repository.
-- @param host table as received by the scripts action method
-- @param port table as received by the scripts action method
-- @param fingerprint as defined in the fingerprint file
-- @param path againt which the the credentials will be tested
-- @return out table suitable for inclusion in the script structured output
--             (or nil if no credentials succeeded)
-- @return txtout table suitable for inclusion in the script textual output
---
local function  test_credentials (host, port, fingerprint, path)
  local credlst = {}
  for _, login_combo in ipairs(fingerprint.login_combos) do
    local user = login_combo.username
    local pass = login_combo.password
    stdnse.debug(2, "Trying login combo -> %s:%s", user, pass)
    if fingerprint.login_check(host, port, path, user, pass) then
      stdnse.debug(1, "[%s] valid default credentials found.", fingerprint.name)
      local cred = stdnse.output_table()
      cred.username = user
      cred.password = pass
      table.insert(credlst, cred)
    end
  end
  if #credlst == 0 then return nil end
  -- Some credentials found. Generate the fingerprint output report
  local out = stdnse.output_table()
  out.path = path
  out.credentials = credlst
  local txtout = {}
  txtout.name = ("[%s] at %s"):format(fingerprint.name, path)
  for _, cred in ipairs(credlst) do
    table.insert(txtout,("%s:%s"):format(stdnse.string_or_blank(cred.username),
                                         stdnse.string_or_blank(cred.password)))
  end
  -- Register the credentials
  local credreg = creds.Credentials:new(SCRIPT_NAME, host, port)
  for _, cred in ipairs(credlst) do
    credreg:add(cred.username, cred.password, creds.State.VALID )
  end
  return out, txtout
end


action = function(host, port)
  local fingerprintload_status, status, fingerprints, pathmap, requests, results
  local fingerprint_filename = stdnse.get_script_args("http-default-accounts.fingerprintfile") or "http-default-accounts-fingerprints.lua"
  local category = stdnse.get_script_args("http-default-accounts.category") or false
  local basepath = stdnse.get_script_args("http-default-accounts.basepath") or "/"
  local output = stdnse.output_table()
  local text_output = {}

  -- Determine the target's response to "404" HTTP requests.
  local status_404, result_404, known_404 = http.identify_404(host,port)
  -- The default target_check is the existence of the probe path on the target.
  -- To reduce false-positives, fingerprints that lack target_check() will not
  -- be tested on targets on which a "404" response is 200.
  local default_target_check =
    function (host, port, path, response)
      if status_404 and result_404 == 200 then return false end
      return http.page_exists(response, result_404, known_404, path, true)
    end

  --Load fingerprint data or abort
  status, fingerprints = load_fingerprints(fingerprint_filename, category)
  if(not(status)) then
    return stdnse.format_output(false, fingerprints)
  end
  stdnse.debug(1, "%d fingerprints were loaded", #fingerprints)

  --Format basepath: Removes or adds slashs
  basepath = format_basepath(basepath)

  -- Add requests to the http pipeline
  pathmap = {}
  requests = nil
  stdnse.debug(1, "Trying known locations under path '%s' (change with '%s.basepath' argument)", basepath, SCRIPT_NAME)
  for _, fingerprint in ipairs(fingerprints) do
    for _, probe in ipairs(fingerprint.paths) do
      -- Multiple fingerprints may share probe paths so only unique paths will
      -- be added to the pipeline. Table pathmap keeps track of their position
      -- within the pipeline.
      local path = probe.path
      if not pathmap[path] then
        requests = http.pipeline_add(basepath .. path,
                                    {bypass_cache=true, redirect_ok=false},
                                    requests, 'GET')
        pathmap[path] = #requests
      end
    end
  end

  -- Nuclear launch detected!
  results = http.pipeline_go(host, port, requests)
  if results == nil then
    return stdnse.format_output(false,
      "HTTP request table is empty. This should not happen since we at least made one request.")
  end

  -- Iterate through fingerprints to find a candidate for login routine
  for _, fingerprint in ipairs(fingerprints) do
    local target_check = fingerprint.target_check or default_target_check
    local credentials_found = false
    stdnse.debug(1, "Processing %s", fingerprint.name)
    for _, probe in ipairs(fingerprint.paths) do
      local result = results[pathmap[probe.path]]
      if result and not credentials_found then
        local path = basepath .. probe.path
        if target_check(host, port, path, result) then
          local out, txtout = test_credentials(host, port, fingerprint, path)
          if out then
            output[fingerprint.name] = out
            table.insert(text_output, txtout)
            credentials_found = true
          end
        end
      end
    end
  end
  return output, stdnse.format_output(true, text_output)
end