Nmap Development mailing list archives

[NSE] Lantronix SLC addition to http-default-accounts-fingerprints


From: nnposter () users sourceforge net
Date: Fri, 5 Sep 2014 23:06:25 +0000

The following patch adds a fingerprint for Motorola RF Switch(*) web UI
to http-default-accounts-fingerprints.lua. Tested on WS5100 and RFS6000
with firmware versions 3.3.2, 4.3.1, and 4.4.1.

* http://www.motorolasolutions.com/XP-EN/Business+Product+and+Services/Wireless+Broadband+Networks/Wireless+LAN/Wireless+Switches


PORT    STATE SERVICE
443/tcp open  https
|_http-default-accounts: [Motorola RF Switch] credentials found -> admin:superuser Path:/getfwversion.cgi


Cheers,
nnposter



Patch against revision 33654 follows:

--- nselib/data/http-default-accounts-fingerprints.lua.orig     2014-08-22 18:38:56.992998300 -0600
+++ nselib/data/http-default-accounts-fingerprints.lua  2014-09-05 16:50:54.072641400 -0600
@@ -1,3 +1,4 @@
+local bin = require "bin"
 local http = require "http"
 local table = require "table"
 local url = require "url"
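Review bot: the new `bin` dependency added at the top of the file exists only to serve the `tohex` helper in the Motorola `login_check` further down; `stdnse.tohex` already provides lowercase hex encoding of a string, so using it would avoid introducing another library require into a data file that other fingerprints do not need.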
@@ -259,6 +260,38 @@
 })
 
 table.insert(fingerprints, {
+  name = "Motorola RF Switch",
+  category = "routers",
+  paths = {
+    {path = "/getfwversion.cgi"}
+  },
+  target_check = function (host, port, path, response)
+    -- true if the response is HTTP/200 and returns a firmware version
+    return response.status == 200
+           and not response.header["server"]
+           and response.header["content-type"] == "text/plain"
+           and response.body
+           and response.body:find("\n%d+%.%d+%.%d+%.%d+%-%w+\n")
+  end,
+  login_combos = {
+    {username = "admin", password = "superuser"}
+  },
+  login_check = function (host, port, path, user, pass)
+    local tohex = function (str)
+                    local _, hex = bin.unpack("H" .. str:len(), str)
+                    return hex:lower()
+                  end
+    local login = string.format("J20K34NMMT89XPIJ34S login %s %s", tohex(user), tohex(pass))
+    local lpath = url.absolute(path, "usmCgi.cgi/?" .. url.escape(login))
+    local req = http.get(host, port, lpath, {no_cache=true, redirect_ok = false})
+    return req
+           and req.status == 200
+           and req.body
+           and req.body:match("^login 0 ")
+  end
+})
+
+table.insert(fingerprints, {
   name = "Nortel VPN Router",
   category = "routers",
   paths = {
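Review bot: the opaque token `J20K34NMMT89XPIJ34S` in the `login` string of `login_check` should carry a comment explaining what it is (a fixed session or protocol prefix the switch's `usmCgi.cgi` expects), since a maintainer cannot tell from the code whether it is device-specific, version-specific, or safe to change. Two smaller points in the same hunk: the options table `{no_cache=true, redirect_ok = false}` mixes spacing styles and should match the rest of the file (`{no_cache = true, redirect_ok = false}`), and the `target_check` body pattern `"\n%d+%.%d+%.%d+%.%d+%-%w+\n"` requires the version line to be preceded by a newline, so a response whose very first line is the version would not match; anchoring on `^` or `\n` (e.g. `"^%d+%.%d+%.%d+%.%d+%-%w+\n"` as an alternative) would make the check robust to that.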
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/