Created
January 24, 2012 11:51
-
-
Save bcoles/1669787 to your computer and use it in GitHub Desktop.
http-asus-wl500-info.nse - Attempts to retrieve the configuration settings from an Asus WL500 series wireless router. The information is retrieved from "/Settings.CFG" which is only available when authentication is disabled.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
description = [[ | |
Attempts to retrieve the configuration settings from an Asus WL500 series | |
wireless router. The information is retrieved from "/Settings.CFG" which is only | |
available when authentication is disabled. | |
The web administration interface runs on port 80 by default. | |
]] | |
--- | |
-- @usage | |
-- nmap --script http-asus-wl500-info -p <port> <host> | |
-- | |
-- @output | |
-- PORT STATE SERVICE REASON | |
-- 80/tcp open http syn-ack | |
-- | http-asus-wl500-info: | |
-- | Device Model: WL520gc | |
-- | Hardware Version: WL520GC-01-07-02-00 | |
-- | Software Version: 4.131.31.0 | |
-- | Operating System: linux | |
-- | IP Address: 192.168.1.1 | |
-- | LAN Gateway: 192.168.1.1 | |
-- | DHCP Enabled: 1 | |
-- | PPPoE Username: pppoe_username | |
-- | PPPoE Password: pppoe_password | |
-- | WAN DNS: 127.0.0.1 | |
-- | Wireless Primary SSID: wireless_ssid1 | |
-- | Wireless Secondary SSID: wireless_ssid2 | |
-- | Wireless Channel: 1 | |
-- | Wireless Preshared Key: wireless_password | |
-- | HTTP Username: admin | |
-- |_ DDNS Enabled: 0 | |
-- | |
-- @changelog | |
-- 2012-01-24 - created by Brendan Coles - itsecuritysolutions.org | |
-- | |
author = "Brendan Coles [itsecuritysolutions.org]" | |
license = "Same as Nmap--See http://nmap.org/book/man-legal.html" | |
categories = {"discovery"} | |
require("url") | |
require("http") | |
require("stdnse") | |
require("shortport") | |
portrule = shortport.port_or_service (80, "http", {"tcp"}) | |
action = function(host, port) | |
local result = {} | |
local path = "/Settings.CFG" | |
local config_file = "" | |
-- Retrieve file | |
stdnse.print_debug(1, ("%s: Connecting to %s:%s"):format(SCRIPT_NAME, host.targetname or host.ip, port.number)) | |
data = http.get(host, port, tostring(path)) | |
-- Check if file exists | |
if data and data.status and tostring(data.status):match("200") and data.body and data.body ~= "" then | |
-- Check if the config file is valid | |
stdnse.print_debug(1, "%s: HTTP %s: %s", SCRIPT_NAME, data.status, tostring(path)) | |
if string.match(data.body, "productid=") and string.match(data.body, "hardware_version=") and string.match(data.body, "s_version=") then | |
config_file = data.body | |
else | |
stdnse.print_debug(1, ("%s: %s:%s uses an invalid config file."):format(SCRIPT_NAME, host.targetname or host.ip, port.number)) | |
return | |
end | |
else | |
stdnse.print_debug(1, "%s: Failed to retrieve file: %s", SCRIPT_NAME, tostring(path)) | |
return | |
end | |
-- Extract system info from config file | |
stdnse.print_debug(1, "%s: Extracting system info from %s", SCRIPT_NAME, path) | |
local vars = { | |
-- System settings -- | |
{"Device Model", "productid"}, | |
{"Hardware Version","hardware_version"}, | |
{"Software Version","s_version"}, | |
{"Operating System","os_name"}, | |
-- LAN settings -- | |
{"IP Address","lan_ipaddr_t"}, | |
{"LAN Gateway","lan_gateway_t"}, | |
-- DHCP settings -- | |
{"DHCP Enabled","dhcp_enable_x"}, | |
--{"DHCP Range Start","dhcp_start"}, | |
--{"DHCP Range End","dhcp_end"}, | |
-- PPPoE settings -- | |
{"PPPoE Username","wan_pppoe_username"}, | |
{"PPPoE Password","wan_pppoe_passwd"}, | |
-- WAN settings -- | |
--{"WAN IP Address","wan_ipaddr_t"}, | |
{"WAN DNS","wan_dns_t"}, | |
-- Wireless settings -- | |
{"Wireless Primary SSID","wl_ssid"}, | |
{"Wireless Secondary SSID","wl_ssid2"}, | |
{"Wireless Channel","wl_radio_x"}, | |
{"Wireless Preshared Key","wl_wpa_psk"}, | |
--{"Wireless Encryption","wl_auth_mode"}, | |
-- username and password -- | |
{"HTTP Username","http_username"}, | |
{"HTTP Password","http_passwd"}, | |
-- DDNS settings -- | |
{"DDNS Enabled","ddns_enable_x"}, | |
{"DDNS Username","ddns_username_x"}, | |
{"DDNS Password","ddns_passwd_x"}, | |
} | |
for _, var in ipairs(vars) do | |
local var_match = string.match(config_file, string.format('%s=(%s)%s', var[2], "[^%c]+", "\0x00")) | |
if var_match then table.insert(result, string.format("%s: %s", var[1], var_match)) end | |
end | |
-- Return results | |
return stdnse.format_output(true, result) | |
end |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment