Nmap Development mailing list archives

Re: [NSE] ASUS RT-N10U addition to http-default-accounts-fingerprints


From: Paulino Calderon <paulino () calderonpale com>
Date: Fri, 17 Oct 2014 23:10:23 -0500

Hey,

I’ve included the new signatures in r33736. Thanks for submitting them and sorry for the late response!

Cheers.

On Oct 13, 2014, at 11:59 AM, nnposter () users sourceforge net wrote:

The following patch adds a fingerprint for ASUS RT-N10U wireless
router(*) web UI to http-default-accounts-fingerprints.lua. Tested
with firmware version 1.0.1.3.

* http://www.asus.com/Networking/RTN10U/

In addition the patch contains a previously submitted fingerprint(*)
for Motorola RF Switch. (The fingerprint did not receive any
feedback.)

* http://seclists.org/nmap-dev/2014/q3/420


Cheers,
nnposter



Patch against revision 33720 follows:

--- nselib/data/http-default-accounts-fingerprints.lua.orig   2014-10-11 08:38:48.016343800 +0200
+++ nselib/data/http-default-accounts-fingerprints.lua        2014-10-10 19:28:51.465400300 +0200
@@ -1,3 +1,4 @@
+local bin = require "bin"
local http = require "http"
local table = require "table"
local url = require "url"
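
Review bot: The new `bin` require at the top of the file is used only by the `tohex` helper inside the Motorola RF Switch `login_check`. A one-line comment next to that helper saying it is the reason `bin` is loaded would keep the file-level dependency from looking unused if the fingerprint is later reworked or removed.
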
@@ -259,6 +260,55 @@
})

table.insert(fingerprints, {
+  name = "ASUS RT-N10U",
+  category = "routers",
+  paths = {
+    {path = "/as.asp"}
+  },
+  target_check = function (host, port, path, response)
+    return http_auth_realm(response) == "RT-N10U"
+  end,
+  login_combos = {
+    {username = "admin", password = "admin"}
+  },
+  login_check = function (host, port, path, user, pass)
+    return try_http_basic_login(host, port, path, user, pass, false)
+  end
+})
+
+table.insert(fingerprints, {
+  name = "Motorola RF Switch",
+  category = "routers",
+  paths = {
+    {path = "/getfwversion.cgi"}
+  },
+  target_check = function (host, port, path, response)
+    -- true if the response is HTTP/200 and returns a firmware version
+    return response.status == 200
+           and not response.header["server"]
+           and response.header["content-type"] == "text/plain"
+           and response.body
+           and response.body:find("\n%d+%.%d+%.%d+%.%d+%-%w+\n")
+  end,
+  login_combos = {
+    {username = "admin", password = "superuser"}
+  },
+  login_check = function (host, port, path, user, pass)
+    local tohex = function (str)
+                    local _, hex = bin.unpack("H" .. #str, str)
+                    return hex:lower()
+                  end
+    local login = string.format("J20K34NMMT89XPIJ34S login %s %s", tohex(user), tohex(pass))
+    local lpath = url.absolute(path, "usmCgi.cgi/?" .. url.escape(login))
+    local req = http.get(host, port, lpath, {no_cache=true, redirect_ok = false})
+    return req
+           and req.status == 200
+           and req.body
+           and req.body:match("^login 0 ")
+  end
+})
+
+table.insert(fingerprints, {
  name = "Nortel VPN Router",
  category = "routers",
  paths = {
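
Review bot: In the Motorola RF Switch `login_check`, the literal `J20K34NMMT89XPIJ34S` passed to `string.format` is unexplained. Please add a comment saying what this token is and why it can be a constant, and another noting that a body starting with `login 0 ` is the success reply being matched. The local `req` holds the value returned by `http.get`, so a name such as `resp` would describe it better. Two smaller points: the `target_check` comment says "HTTP/200 and returns a firmware version" but the code also requires a missing `server` header and a `text/plain` content type, which the comment should mention since those conditions are what narrow the match, and the two new entries are unrelated devices, so it would help to state in the commit message that both are included.
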
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
