Re: New NSE script: http-default-accounts.nse - Default account access checker - CALL FOR FINGERPRINTS

[Paulino Calderon <paulino () calderonpale com>]

On 07/23/2011 06:35 PM, Hani Benhabiles wrote:
> Just checked a d-link DSL-2640U, it has admin/admin creds as default.
>
> Request/Response:
>
> GET / HTTP/1.1
> Host: 192.168.1.1
> Connection: keep-alive
> Authorization: Basic YWRtaW46YWRtaW4=
> User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.30 (KHTML, like
> Gecko) Ubuntu/11.04 Chromium/12.0.742.112 Chrome/12.0.742.112 Safari/534.30
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Encoding: gzip,deflate,sdch
> Accept-Language: en-US,en;q=0.8
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
>
> HTTP/1.1 200 Ok
> Server: micro_httpd
> Cache-Control: no-cache
> Date: Sat, 01 Jan 2000 00:36:33 GMT
> Content-Type: text/html
> Connection: close
>
> On Sat, Jul 23, 2011 at 10:13 AM, Shinnok<admin () shinnok com>  wrote:
>
> > On 07/23/2011 12:02 PM, Shinnok wrote:
> > > Hey Paulino,
> > >
> > > You should probably check the emulators for d-link routers available on
> > > d-link's website. The give you access to the interface of d-link routers
> > > as well as their login process.
> > >
> > > Examples:
> > > http://support.dlink.com/emulators/dir825/113NA/Login.html
> > > http://support.dlink.com/emulators/di624s/
> > > http://support.dlink.com/EMULATORS/DI524/
> > >
> > > They should provide insight you into urls and for some the http post
> > > login process. However, I don't own a d-link router and thus I can't
> > > attest to their exact fidelity as presented on the website's sandbox,
> > > so, if someone reading this e-mail owns a d-link router, can you please
> > > find the emulator for it on the website and check that the urls and the
> > > login process match the ones on the actual device?
> > >
> > > You can find a list of all emulators available here:
> > > http://www.dlink.com/support/faq/?prod_id=1457
> > >
> > > The default username and password for D-Link DI(http auth) and WBR(http
> > > post) series are "admin" and blank password.
> > > http://www.dlink.com/support/faq/
> > >
> > > More default router logins:
> > > http://www.routerpasswords.com/
> > > http://www.phenoelit-us.org/dpl/dpl.html
> > > http://cirt.net/passwords
> > > http://defaultpasswords.in/
> > > http://portforward.com/default_username_password/
> > > http://www.virus.org/default-password/
> > > http://www.3ice.hu/tool/dpl/DefaultRouterPasswordList.html
> > > http://urbanwireless.info/default-router-passwords
> > >
> > > Set top boxes logins:
> > > http://www.receiverpasswords.com/
> > >
> > > Regards,
> > > Shinnok
> > Forgot to mention this:
> >
> > Another good way of fingerprinting routers and other devices besides url
> > probes, that authenticate via http-auth is by checking the
> > WWW-Authenticate http header field realm:
> >
> > http://www.shodanhq.com/?q=d-link
> > http://www.shodanhq.com/?q=d-link+router
> > http://www.shodanhq.com/?q=linksys
> >
> > You can cross-check identifier strings with lists like:
> > http://www.http-stats.com/header/Www-Authenticate
> >
> > Shinnok
> > _______________________________________________
> > Sent through the nmap-dev mailing list
> > http://cgi.insecure.org/mailman/listinfo/nmap-dev
> > Archived at http://seclists.org/nmap-dev/
Thanks! I'll add these signatures ASAP.

Shinook: Great suggestions! I'll look into it.

Cheers.
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/