Nmap Development mailing list archives

Re: New script names


From: Vlatko Kosturjak <kost () linux hr>
Date: Thu, 22 Jan 2009 00:20:04 +0100

David Fifield wrote:
> On Fri, Nov 07, 2008 at 07:41:58PM +0100, Vlatko Kosturjak wrote:
>> xampp-default-auth => ftp-auth
>> (I just modified xampp-default-auth to be more generic, it's just
>> default FTP user/check anyway, not some "real" vuln... ).
>> Changed script is in attachment.
>
> Thanks Vlatko. That's a good idea to give the script a more general
> name. As it is the script still only checks for an XAMPP vulnerability
> so I'll leave the name alone for now.

In the meantime, I asked FX for approval to include FTP default
passwords from his phenoelit dpl:
http://www.phenoelit-us.org/dpl/

So, I have made a new version of the script, which is in the attachment.

Kost
description = [[
Checks FTP server against default username/password combinations
]]

---
-- @output
-- 21/tcp open  ftp
-- |_ ftp-auth: Login success with u/p: nobody/xampp
--
-- 2008-11-06 Vlatko Kosturjak <kost () linux hr>
-- Modified xampp-default-auth script to generic ftp-auth script
-- FTP passwords taken from Phenoelit dpl: http://www.phenoelit-us.org/dpl/

author = "Diman Todorov <diman.todorov () gmail com>"

license = "Same as Nmap--See http://nmap.org/book/man-legal.html";

categories = {"auth", "vuln", "intrusive"}

require "shortport"

portrule = shortport.port_or_service(21, "ftp")

login = function(socket, user, pass)
        local status
        local res = ""
        -- FTP commands are terminated by CRLF (RFC 959)
        socket:send("USER " .. user .. "\r\n")
        socket:send("PASS " .. pass .. "\r\n")

        -- consume the banner (220) and the password prompt (331)
        while true do
                status, res = socket:receive_lines(1)
                -- on timeout or EOF res is an error string, not a reply
                if not status then
                        return nil
                end
                if 
                        not string.match(res, "^220") 
                        and not string.match(res, "^331 ") 
                then
                        break
                end
        end

        -- are we logged in?
        if string.match(res, "^230") then
                return "Login success with u/p: " .. user .. "/" .. pass
        end
end

action = function(host, port)
        local res
        local socket = nmap.new_socket()
        local authcombinations = { 
                {user="nobody", password="e0e0e0e0"}, --- xampp default ftp
                {user="newuser", password="wampp"}, --- xampp default ftp
                {user="nobody", password="xampp"}, --- xampp default ftp
                {user="ftp_admi", password="kilo1987"}, --- alcatel omnipcx off
                {user="ftp_oper", password="help1954"}, --- alcatel omnipcx off
                {user="ftp_inst", password="pbxk1064"}, --- alcatel omnipcx off
                {user="ftp_nmc", password="tuxalize"}, --- alcatel omnipcx off
                {user="admin", password="password"}, --- netgear adsl modem
                {user="admin", password="admin"}, --- seninleyimen @skan
                {user="xbox", password="xbox"}, --- Team Xodus, Xenium OS
                {user="user", password="pass"}, --- Watchguard SOHO(6)
                {user="rapport", password="r@p8p0r+"}, --- Wyse rapport
                {user="root", password="1234"} --- Zyxel Prestige
        }

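        for _, combination in ipairs(authcombinations) do
                socket:connect(host.ip, port.number)
                res = login(socket, combination.user, combination.password)
                socket:close()
                -- report the first working combination; without this check a
                -- later failed attempt overwrites the result with nil
                if res then
                        return res
                end
        end

        return nil
end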


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
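
A stricter way to decide the login outcome than matching the start of each received chunk, as an added example that is not part of the posted script or of Nmap: it parses complete FTP replies, including multi-line ones, out of a receive buffer. The function names parse_replies and login_result and the sample buffers are constructed for illustration.

```lua
-- Added example (not part of the posted script): classify the server's
-- replies to a pipelined USER/PASS exchange. Pure Lua, no NSE libraries.

-- Split a receive buffer into complete FTP replies (RFC 959, section 4.2).
-- A reply that starts "ddd-" is multi-line and ends at the next line with
-- the same code followed by a space; an unterminated last line is skipped.
local function parse_replies(buffer)
        local replies, open_code = {}, nil
        for line in buffer:gmatch("([^\r\n]*)\r?\n") do
                local code, sep = line:match("^(%d%d%d)([ %-])")
                if open_code then
                        -- inside a multi-line reply only "<same code> " closes it
                        if code == open_code and sep == " " then
                                replies[#replies + 1] = tonumber(code)
                                open_code = nil
                        end
                elseif code then
                        if sep == "-" then
                                open_code = code
                        else
                                replies[#replies + 1] = tonumber(code)
                        end
                end
        end
        return replies
end

-- Return "success", "failure" or "incomplete" for the login attempt.
local function login_result(buffer)
        for _, code in ipairs(parse_replies(buffer)) do
                if code == 230 then return "success" end
                -- 4yz/5yz: the server rejected USER or PASS (for example 530)
                if code >= 400 then return "failure" end
        end
        return "incomplete" -- only 220/331 seen so far: keep reading
end

-- Constructed sample buffers, as receive_lines(1) might deliver them.
local samples = {
        "220-Welcome\r\n230 users online\r\n220 ready\r\n331 Password required\r\n",
        "220 ready\r\n331 Password required\r\n230 Login successful\r\n",
        "220 ready\r\n331 Password required\r\n530 Login incorrect\r\n",
}
for i, buf in ipairs(samples) do
        print(i, login_result(buf))
end
```

The first sample is the case a prefix match gets wrong: a banner continuation line that happens to begin with "230" is not a login reply.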
