Nmap Development mailing list archives

[NSE] ASUS RT-N10U addition to http-default-accounts-fingerprints


From: nnposter () users sourceforge net
Date: Mon, 13 Oct 2014 16:59:25 +0000

The following patch adds a fingerprint for ASUS RT-N10U wireless
router(*) web UI to http-default-accounts-fingerprints.lua. Tested
with firmware version 1.0.1.3.

* http://www.asus.com/Networking/RTN10U/

In addition the patch contains a previously submitted fingerprint(*)
for Motorola RF Switch. (The fingerprint did not receive any
feedback.)

* http://seclists.org/nmap-dev/2014/q3/420


Cheers,
nnposter



Patch against revision 33720 follows:

--- nselib/data/http-default-accounts-fingerprints.lua.orig     2014-10-11 08:38:48.016343800 +0200
+++ nselib/data/http-default-accounts-fingerprints.lua  2014-10-10 19:28:51.465400300 +0200
@@ -1,3 +1,4 @@
+local bin = require "bin"
 local http = require "http"
 local table = require "table"
 local url = require "url"
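Review bot: The new require at the top of the file has no comment saying what it is for. In this patch its only use is the bin.unpack call inside the tohex closure of the Motorola RF Switch login_check, so the file-level dependency exists for one fingerprint. Either add a short comment next to the require, or hoist tohex into a file-level local function beside the other helpers. That way the dependency is visible, and later fingerprints can reuse the helper instead of redefining it.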
@@ -259,6 +260,55 @@
 })
 
 table.insert(fingerprints, {
+  name = "ASUS RT-N10U",
+  category = "routers",
+  paths = {
+    {path = "/as.asp"}
+  },
+  target_check = function (host, port, path, response)
+    return http_auth_realm(response) == "RT-N10U"
+  end,
+  login_combos = {
+    {username = "admin", password = "admin"}
+  },
+  login_check = function (host, port, path, user, pass)
+    return try_http_basic_login(host, port, path, user, pass, false)
+  end
+})
+
+table.insert(fingerprints, {
+  name = "Motorola RF Switch",
+  category = "routers",
+  paths = {
+    {path = "/getfwversion.cgi"}
+  },
+  target_check = function (host, port, path, response)
+    -- true if the response is HTTP/200 and returns a firmware version
+    return response.status == 200
+           and not response.header["server"]
+           and response.header["content-type"] == "text/plain"
+           and response.body
+           and response.body:find("\n%d+%.%d+%.%d+%.%d+%-%w+\n")
+  end,
+  login_combos = {
+    {username = "admin", password = "superuser"}
+  },
+  login_check = function (host, port, path, user, pass)
+    local tohex = function (str)
+                    local _, hex = bin.unpack("H" .. #str, str)
+                    return hex:lower()
+                  end
+    local login = string.format("J20K34NMMT89XPIJ34S login %s %s", tohex(user), tohex(pass))
+    local lpath = url.absolute(path, "usmCgi.cgi/?" .. url.escape(login))
+    local req = http.get(host, port, lpath, {no_cache=true, redirect_ok = false})
+    return req
+           and req.status == 200
+           and req.body
+           and req.body:match("^login 0 ")
+  end
+})
+
+table.insert(fingerprints, {
   name = "Nortel VPN Router",
   category = "routers",
   paths = {
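Review bot: In the Motorola RF Switch login_check, the literal "J20K34NMMT89XPIJ34S" and the expected reply prefix "^login 0 " are unexplained. Add a comment saying what the token is (a fixed value the device expects, or something that can vary by firmware) and that "login 0 " is the success status, so a maintainer can tell a wrong guess from a changed protocol. Two smaller points in the same fingerprint. First, target_check compares response.header["content-type"] == "text/plain" exactly, which will miss a device that appends a charset parameter; a prefix match would be more tolerant. Second, the variable req holds the response from http.get, so naming it resp or response would read better. In the ASUS RT-N10U entry, the trailing false passed to try_http_basic_login would benefit from a brief comment stating which option it turns off.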
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/

