Lantronix SLC",1,true) end, login_combos = { {username = "sysadmin", password = "PASS"} }, login_check = function (host, port, path, user, pass) return try_http_post_login(host, port, path, "./", "%sname%s*=%s*(['\"]?)slcpassword%1[%s>]", {slclogin=user, slcpassword=pass}) end })

local bin = require "bin" local http = require "http" local table = require "table" local url = require "url" --- -- http-default-accounts-fingerprints.lua -- This file contains fingerprint data for http-default-accounts.nse -- -- STRUCTURE: -- * name - Descriptive name -- * category - Category -- * login_combos ---- * username - Default username ---- * password - Default password -- * paths - Paths table containing the possible location of the target -- * target_check - Validation function of the target (optional) -- * login_check - Login function of the target -- -- TODO: Update the functionality of target_check to differentiate -- between valid HTTP/200 and a custom error page. --- --- -- Requests given path using basic authentication. -- @param host Host table -- @param port Port table -- @param path Path to request -- @param user Username for Basic Auth -- @param pass Password for Basic Auth -- @param digest_auth Digest Authentication -- @return True if login in was successful --- local function try_http_basic_login(host, port, path, user, pass, digest_auth) local credentials = {username = user, password = pass, digest = digest_auth} local req = http.get(host, port, path, {no_cache=true, auth=credentials, redirect_ok = false}) if req.status and req.status ~= 401 and req.status ~= 403 then return true end return false end --- -- Tries to login with a http post, if the FAIL string is not found -- we assume login in was successful -- @param host Host table -- @param port Port table -- @param target Target file -- @param failstr String shown when login in fails -- @param params Post parameters -- @param follow_redirects True if you want redirects to be followed -- @return True if login in was successful --- local function try_http_post_login(host, port, path, target, failstr, params, follow_redirects) local req = http.post(host, port, url.absolute(path, target), {no_cache=true}, nil, params) if not req.status then return false end local status = tonumber(req.status) or 0 if follow_redirects and ( status > 300 and status < 400 ) then req = http.get(host, port, url.absolute(path, req.header.location), { no_cache = true, redirect_ok = false }) end if req.status and req.status ~= 404 and not(http.response_contains(req, failstr)) then return true end return false end --- -- Returns authentication realm advertised in an HTTP response -- @param response HTTP response object, such as a result from http.get() -- @return realm found in response header WWW-Authenticate -- (or nil if not present) --- local function http_auth_realm(response) local auth = response.header["www-authenticate"] or "" return auth:match('%srealm="([^"]*)') end fingerprints = {} --- --WEB --- table.insert(fingerprints, { name = "Cacti", category = "web", paths = { {path = "/cacti/"} }, target_check = function (host, port, path, response) -- true if the response is HTTP/200 and sets cookie "Cacti" if response.status == 200 then for _, ck in ipairs(response.cookies or {}) do if ck.name:lower() == "cacti" then return true end end end return false end, login_combos = { {username = "admin", password = "admin"} }, login_check = function (host, port, path, user, pass) return try_http_post_login(host, port, path, "index.php", "Invalid User Name/Password", {action="login", login_username=user, login_password=pass}, false) end }) table.insert(fingerprints, { name = "Xplico", category = "web", paths = { {path = "/users/login"} }, target_check = function (host, port, path, response) -- true if the response is HTTP/200 and sets cookie "Xplico" if response.status == 200 then for _, ck in ipairs(response.cookies or {}) do if ck.name:lower() == "xplico" then return true end end end return false end, login_combos = { {username = "admin", password = "xplico"}, {username = "xplico", password = "xplico"} }, login_check = function (host, port, path, user, pass) -- harvest all hidden fields from the login form local req1 = http.get(host, port, path, {no_cache=true, redirect_ok = false}) if req1.status ~= 200 then return false end local html = req1.body and req1.body:match('(.-)') if not html then return false end local form = {} for n, v in html:gmatch('zebra technologies
", 1, true) end, login_combos = { {username = "", password = "1234"} }, login_check = function (host, port, path, user, pass) local form = {} form["0"] = pass return try_http_post_login(host, port, path, "authorize", "incorrect password", form) end }) table.insert(fingerprints, { name = "Zebra Print Server", category = "printer", paths = { {path = "/server/TCPIPGEN.htm"} }, target_check = function (host, port, path, response) return http_auth_realm(response) == "Network Print Server" and response.header["server"] and response.header["server"] == "Micro-Web" end, login_combos = { {username = "admin", password = "1234"} }, login_check = function (host, port, path, user, pass) return try_http_basic_login(host, port, path, user, pass, false) end }) --- --Remote consoles --- table.insert(fingerprints, { name = "Lantronix SLC", category = "console", paths = { {path = "/scsnetwork.htm"} }, target_check = function (host, port, path, response) return response.status == 200 and response.header["server"] and response.header["server"]:find("^mini_httpd") and response.body and response.body:find("Lantronix SLC",1,true) end, login_combos = { {username = "sysadmin", password = "PASS"} }, login_check = function (host, port, path, user, pass) return try_http_post_login(host, port, path, "./", "%sname%s*=%s*(['\"]?)slcpassword%1[%s>]", {slclogin=user, slcpassword=pass}) end })