Used to detect whether there is a default account fingerprint data set on HTTP

tools
10-10-2018
nmap-org

#1

File http-default-accounts

Script types: portrule
Categories: discovery, auth, intrusive
Download: https://svn.nmap.org/nmap/scripts/http-default-accounts.nse

User Summary

Tests for access with default credentials used by a variety of web applications and devices.

It works similarly to http-enum: we detect applications by matching known paths and, when one is found, launch a login routine using default credentials. This script depends on a fingerprint file containing the target’s information: name, category, location paths, default credentials and login routine.

You may select a category if you wish to reduce the number of requests. We have categories like:

  • web - Web applications
  • routers - Routers
  • security - CCTVs and other security devices
  • industrial - Industrial systems
  • printer - Network-attached printers and printer servers
  • storage - Storage devices
  • virtualization - Virtualization systems
  • console - Remote consoles

Please help improve this script by adding new entries to nselib/data/http-default-accounts.lua

Remember each fingerprint must have:

  • name - Descriptive name
  • category - Category
  • login_combos - Table of login combinations
  • paths - Table containing possible path locations of the target
  • login_check - Login function of the target

In addition, a fingerprint should have:

  • target_check - Target validation function. If defined, it will be called to validate the target before attempting any logins.
  • cpe - Official CPE Dictionary entry (see https://nvd.nist.gov/cpe.cfm)

Default fingerprint file: /nselib/data/http-default-accounts-fingerprints.lua

This script was based on http-enum.

Script Arguments

http-default-accounts.category

Selects a category of fingerprints to use.

http-default-accounts.fingerprintfile

Fingerprint filename. Default: http-default-accounts-fingerprints.lua

http-default-accounts.basepath

Base path to append to requests. Default: “/”

slaxml.debug

See the documentation for the slaxml library.

creds.[service], creds.global

See the documentation for the creds library.

http.host, http.max-cache-size, http.max-pipeline, http.pipeline, http.useragent

See the documentation for the http library.

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

Example Usage

nmap -p80 --script http-default-accounts host/ip

Script Output

PORT   STATE SERVICE
80/tcp open  http
| http-default-accounts:
|   [Cacti] at /
|     admin:admin
|   [Nagios] at /nagios/
|_    nagiosadmin:CactiEZ
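
An added example, not part of the original page or of the Nmap project: a Python parser that turns the normal-output block above into one record per reported credential pair, so findings can be fed into a remediation tracker. The function name, the record keys and the second port row in the sample are assumptions made for the illustration.

```python
import re

# Constructed sample: the output block shown above plus a second port that
# produced no findings, to show that state resets between ports.
SAMPLE = """\
PORT     STATE SERVICE
80/tcp   open  http
| http-default-accounts:
|   [Cacti] at /
|     admin:admin
|   [Nagios] at /nagios/
|_    nagiosadmin:CactiEZ
8080/tcp open  http-proxy
|_http-title: Site doesn't have a title
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\b")
APP_RE = re.compile(r"^\[(.+)\] at (\S+)$")
SCRIPT = "http-default-accounts:"


def parse_default_accounts(text):
    """Return one dict per default credential pair reported in Nmap normal output."""
    findings = []
    port = app = path = None
    in_script = False
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:  # a new port row resets all per-port state
            port, app, path, in_script = int(m.group(1)), None, None, False
            continue
        if not line.startswith("|") or len(line) < 3:
            in_script = False
            continue
        body = line[2:].strip()
        if not line[2].isspace():  # "| name:" or "|_name:" starts a script block
            in_script = body == SCRIPT
            app = path = None
        elif in_script:
            m = APP_RE.match(body)
            if m:  # "[App] at /path" names the matched fingerprint
                app, path = m.group(1), m.group(2)
            elif app and ":" in body:  # "user:password" under that fingerprint
                user, _, password = body.partition(":")
                findings.append({"port": port, "app": app, "path": path,
                                 "username": user, "password": password})
        if line.startswith("|_"):  # "|_" marks the last script line for the port
            in_script = False
    return findings
```

Each record identifies the port, application and path where a default login was accepted, which is the information needed to rotate the credential on that service.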

Requires


Authors:

License: Same as Nmap. See https://nmap.org/book/man-legal.html

Original links

http-default-accounts NSE Script