-- Libraries loaded by this script. `string`, `table` and `io` are Lua standard
-- libraries; `shortport`, `stdnse`, `http` and `base64` are NSE libraries.
local shortport = require "shortport"
local stdnse = require "stdnse"
local string = require "string"
local http = require "http"
local table = require "table"
local io = require "io"
local base64 = require "base64"

-- Script summary. `description` is assigned as a global (no `local`), which is
-- how NSE scripts expose their metadata fields.
--
-- NOTE(review): per the description, the check works by submitting a CSR and
-- asking the CA to sign it, so it changes state on the target: a positive
-- result leaves a signed certificate on the Puppet CA for the node name that
-- was used (see the `puppet-naivesigning.node` script argument in the usage
-- below). Record that node name and have the certificate revoked and removed
-- from the CA once the assessment is finished (on the 3.x/4.x versions listed
-- here this is presumably `puppet cert clean <node>`; confirm for the
-- installed version).
--
-- Remediation for a positive finding, per the referenced Puppet documentation:
-- naive autosigning is the `autosign = true` setting in the CA server's
-- puppet.conf. Disable it, or replace it with an autosign.conf allowlist or
-- policy-based autosigning, and audit the CA's list of signed certificates for
-- node names that do not belong to known agents.
description = [[ Detects if naive signing is enabled on a Puppet server. This enables attackers to create any Certificate Signing Request and have it signed, allowing them to impersonate as a puppet agent. This can leak the configuration of the agents as well as any other sensitive information found in the configuration files. This script makes use of the Puppet HTTP API interface to sign the request. This script has been Tested on versions 3.8.5, 4.10. References: * https://docs.puppet.com/puppet/4.10/ssl_autosign.html#security-implications-of-nave-autosigning ]]

---
-- @usage nmap -p 8140 --script puppet-naivesigning
-- @usage nmap -p 8140 --script puppet-naivesigning --script-args puppet-naivesigning.csr=other.csr,puppet-naivesigning.node=agency
--
-- @output
-- PORT     STATE SERVICE REASON
-- 8140/tcp open  puppet  syn-ack ttl 64
-- | puppet-naivesigning:
-- |   Puppet Naive autosigning enabled! Naive autosigning causes the Puppet CA to autosign ALL CSRs.
-- |   Attackers will be able to obtain a configuration catalog, which might contain sensitive information.
-- |     -----BEGIN CERTIFICATE-----
-- |     MIIFfjCCA2agAwIBAgIBEjANBgkqhkiG9w0BAQsFADAoMSYwJAYDVQQDDB1QdXBw
-- |_    ZXQgQ0E6IHVidW50dS5sb2NhbGRvbWFpbjAeFw0xNzA2MjkxNjQzMjZaFw0yMjA
--
-- @xmloutput
--