--- nselib/data/http-default-accounts-fingerprints.lua.orig 2013-08-13 14:58:41.484375000 -0600
+++ nselib/data/http-default-accounts-fingerprints.lua 2013-08-13 19:16:49.843750000 -0600
@@ -13,6 +13,7 @@
---- * username - Default username
---- * password - Default password
-- * paths - Paths table containing the possible location of the target
+-- * target_check - Validation function of the target (optional)
-- * login_check - Login function of the target
---
@@ -59,6 +60,18 @@
end
return false
end
+
+---
+-- Returns authentication realm advertised in an HTTP response
+-- @param response HTTP response object, such as a result from http.get()
+-- @return realm found in response header WWW-Authenticate
+-- (or nil if not present)
+---
+local function http_auth_realm(response)
+ local auth = response.header["www-authenticate"] or ""
+ return auth:match('%srealm="([^"]*)')
+end
+
fingerprints = {}
---
@@ -70,6 +83,9 @@
paths = {
{path = "/cacti/"}
},
+ target_check = function (host, port, path, response)
+ return response.status == 200
+ end,
login_combos = {
{username = "admin", password = "admin"}
},
@@ -85,6 +101,9 @@
{path = "/manager/html/"},
{path = "/tomcat/manager/html/"}
},
+ target_check = function (host, port, path, response)
+ return http_auth_realm(response) == "Tomcat Manager Application"
+ end,
login_combos = {
{username = "tomcat", password = "tomcat"},
{username = "admin", password = "admin"},
@@ -104,6 +123,9 @@
paths = {
{path = "/axis2/axis2-admin/"}
},
+ target_check = function (host, port, path, response)
+ return response.status == 200
+ end,
login_combos = {
{username = "admin", password = "axis2"}
},
@@ -120,6 +142,9 @@
paths = {
{path = "/logo_t.gif"}
},
+ target_check = function (host, port, path, response)
+ return response.status == 200
+ end,
login_combos = {
{username = "", password = ""}
},
@@ -129,7 +154,7 @@
})
table.insert(fingerprints, {
- name = "Cisco 2811",
+ name = "Cisco IOS",
category = "routers",
paths = {
{path = "/exec/show/log/CR"},
@@ -137,6 +162,11 @@
{path = "/level/15/exec/-"},
{path = "/level/15/"}
},
+ target_check = function (host, port, path, response)
+ local realm = http_auth_realm(response) or ""
+ -- Exact PCRE: "^level 15?( or view)? access$"
+ return realm:gsub("_"," "):find("^level 15? .*access$")
+ end,
login_combos = {
{username = "", password = ""},
{username = "cisco", password = "cisco"}
@@ -152,6 +182,9 @@
paths = {
{path = "/StatusLan.htm"}
},
+ target_check = function (host, port, path, response)
+ return http_auth_realm(response) == "Linksys WAP200"
+ end,
login_combos = {
{username = "admin", password = "admin"}
},
@@ -166,6 +199,9 @@
paths = {
{path = "/WPA_Preshared.asp"}
},
+ target_check = function (host, port, path, response)
+ return http_auth_realm(response) == "Linksys WAP55AG"
+ end,
login_combos = {
{username = "", password = "admin"}
},
@@ -174,6 +210,23 @@
end
})
+table.insert(fingerprints, {
+ name = "Nortel VPN Router",
+ category = "routers",
+ paths = {
+ {path = "/manage/bdy_sys.htm"}
+ },
+ target_check = function (host, port, path, response)
+ return http_auth_realm(response) == "Management(1)"
+ end,
+ login_combos = {
+ {username = "admin", password = "setup"}
+ },
+ login_check = function (host, port, path, user, pass)
+ return try_http_basic_login(host, port, path, user, pass, false)
+ end
+})
+
---
--Digital recorders
---
@@ -183,6 +236,9 @@
paths = {
{path = "/frmpages/index.html"}
},
+ target_check = function (host, port, path, response)
+ return http_auth_realm(response) == "WebPage Configuration"
+ end,
login_combos = {
{username = "dm", password = "web"}
},