Re: New NSE script: http-default-accounts.nse - Default account access checker - CALL FOR FINGERPRINTS

[Paulino Calderon <paulino () calderonpale com>]

On 07/01/2011 04:47 PM, Paulino Calderon wrote:
> Hi nmap-dev,
>
> I'm attaching http-default-accounts.nse , the purpose of this script 
> is to help us check for applications or devices left with default 
> credentials. It works similar to http-enum by matching known paths to 
> detect applications and it is less invasive than a brute force attack.
>
> description = [[
> http-default-accounts tests for access with default credentials in a 
> variety of web applications and devices.
>
> It works similar to http-enum, we detect applications by matching 
> known paths and launching a login routine with default credentials 
> when found.
> This script depends on a fingerprint file containing the target's 
> information: name, category, location paths, default credentials and 
> login routine.
>
> You may select a category if you wish to reduce the number of 
> requests. We have categories like:
> * <code>web</code> - Web applications
> * <code>router</code> - Routers
> * <code>voip</code> - VOIP devices
> * <code>security</code>
>
> Please help improve this script by adding new entries to 
> nselib/data/http-default-accounts.lua
>
> Remember each fingerprint must have:
> * <code>name</code> - Descriptive name
> * <code>category</code> - Category
> * <code>login_combos</code> - Table of login combinations
> * <code>paths</code> - Paths table containing the possible location of 
> the target
> * <code>login_check</code> - Login function of the target
>
> Default fingerprint file: 
> /nselib/data/http-default-accounts-fingerprints.lua
>
>
> -- @output
> -- PORT   STATE SERVICE REASON
> -- 80/tcp open  http    syn-ack
> -- |_http-default-accounts: [Cacti] credentials found -> admin:admin 
> Path:/cacti/
> -- Final times for host: srtt: 94615 rttvar: 71012  to: 378663
>
> These files were commited to /nmap as r24559 and 24558.
>
>
> _______________________________________________
> Sent through the nmap-dev mailing list
> http://cgi.insecure.org/mailman/listinfo/nmap-dev
> Archived at http://seclists.org/nmap-dev/
Hi nmap-dev,

I thought I should give you an update about the state of this script. 
Right now we support the following services in http-default-accounts:

- Cacti
- Apache Tomcat
- Apache Axis2
- Cisco 2811 routers
- Arris 2307 routers

Unfortunately I have limited access to devices that are usually left 
with default credentials so I'm asking for fingerprints to nmap-dev. If 
you have access to a device commonly found with default credentials and 
you would like to contribute, send my way the http request logs of the 
login process (Even Firefox's Tamper data logs are fine). Note that 
login functions are usually simple and the final fingerprint look like:

table.insert(fingerprints, {
  name = "Apache Tomcat",
  category = "web",
  paths = {
    {path = "/manager/html/"},
    {path = "/tomcat/manager/html/"}
  },
  login_combos = {
    {username = "tomcat", password = "tomcat"},
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_basic_login(host, port, path, user, pass)
  end
})

My wishlist:
- Citrix Access Gateway
- Other Cisco devices
- Web administration consoles
- Any other common router.

Thank you!


--
Paulino Calderón Pale
Web: http://calderonpale.com
Twitter: http://www.twitter.com/paulinocaIderon

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/