@sec-js
Created October 19, 2022 21:06
Tests for access with default credentials used by a variety of web applications and devices. It works similarly to http-enum: applications are detected by matching known paths, and when one is found a login routine is launched using default credentials. This script depends on a fingerprint file containing the target’s information: name, category, location path…

Script http-default-accounts

Script types: portrule
Categories: discovery, auth, intrusive
Download: https://svn.nmap.org/nmap/scripts/http-default-accounts.nse

Script Summary

Tests for access with default credentials used by a variety of web applications and devices.

It works similarly to http-enum: applications are detected by matching known paths, and when one is found a login routine is launched using default credentials. This script depends on a fingerprint file containing the target's information: name, category, location paths, default credentials and login routine.

You may select a category if you wish to reduce the number of requests. We have categories like:

  web - Web applications
  routers - Routers
  security - CCTVs and other security devices
  industrial - Industrial systems
  printer - Network-attached printers and printer servers
  storage - Storage devices
  virtualization - Virtualization systems
  console - Remote consoles

You can also select a specific fingerprint or a brand, such as BIG-IQ or Siemens. This matching is based on case-insensitive words. This means that "nas" will select Seagate BlackArmor NAS storage but not Netgear ReadyNAS.

For a fingerprint to be used it needs to satisfy both the category and name criteria.

By default, the script produces output only when default credentials are found, while staying silent when the target only matches some fingerprints (but no credentials are found). With increased verbosity (option -v), the script will also report all matching fingerprints.

Please help improve this script by adding new entries to nselib/data/http-default-accounts.lua

Remember each fingerprint must have:

  name - Descriptive name
  category - Category
  login_combos - Table of login combinations
  paths - Table containing possible path locations of the target
  login_check - Login function of the target

In addition, a fingerprint should have:

  target_check - Target validation function. If defined, it will be called to validate the target before attempting any logins.
  cpe - Official CPE Dictionary entry (see https://nvd.nist.gov/cpe.cfm)

Default fingerprint file: /nselib/data/http-default-accounts-fingerprints.lua

This script was based on http-enum.
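A fingerprint entry in the format described above, written as an added example for auditing a device you operate; it is not taken from the Nmap fingerprint file. The product name "Example Corp Widget Manager", its paths, the CPE string and the credential pairs are constructed placeholders; the NSE http library calls (http.get with the auth option) and the entry's field names are the real ones the script expects.

```lua
-- Added example entry for nselib/data/http-default-accounts-fingerprints.lua.
-- "Example Corp Widget Manager" and its paths/credentials are constructed
-- placeholders, not a real product; substitute values for a device you own.
local http = require "http"
local table = require "table"

table.insert(fingerprints, {
  name = "Example Corp Widget Manager",   -- matched case-insensitively by http-default-accounts.name
  cpe = "cpe:/a:example:widget_manager", -- placeholder, not a real CPE Dictionary entry
  category = "web",                      -- selectable with http-default-accounts.category=web
  paths = {
    {path = "/widget/"},
    {path = "/widget/login.cgi"},
  },
  -- Optional target_check: confirm the responding page really is this product before any
  -- login is attempted, so a generic 200 on "/widget/" does not trigger credential tests.
  -- The script passes the response it already fetched for the path.
  target_check = function (host, port, path, response)
    local www_auth = response.header["www-authenticate"]
    return response.status == 401
      and www_auth ~= nil
      and www_auth:lower():find("widget manager", 1, true) ~= nil
  end,
  login_combos = {
    {username = "admin",   password = "admin"},     -- constructed sample pair
    {username = "service", password = "changeme"},  -- constructed sample pair
  },
  -- HTTP Basic login check: the pair is reported as valid only when the protected
  -- path is served with neither 401 nor 403. Redirects are not followed, so a
  -- login that bounces to an error page is not mistaken for success.
  login_check = function (host, port, path, user, pass)
    local resp = http.get(host, port, path, {
      auth = {username = user, password = pass},
      no_cache = true,
      redirect_ok = false,
    })
    return resp ~= nil and resp.status ~= nil
      and resp.status ~= 401 and resp.status ~= 403
  end,
})
```

With this entry in place, a match is reported as "[Example Corp Widget Manager] at /widget/" followed by the accepted pair, which is the signal to rotate that account before the device goes into production.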

Script Arguments

http-default-accounts.category Selects a fingerprint category (or a list of categories).

http-default-accounts.name Selects fingerprints by a word (or a list of alternate words) included in their names.

http-default-accounts.fingerprintfile Fingerprint filename. Default: http-default-accounts-fingerprints.lua

http-default-accounts.basepath Base path to append to requests. Default: "/"

slaxml.debug See the documentation for the slaxml library.

creds.[service], creds.global See the documentation for the creds library.

http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent See the documentation for the http library.

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername See the documentation for the smbauth library.

Example Usage

  nmap -p80 --script http-default-accounts host/ip

Script Output

  PORT   STATE SERVICE
  80/tcp open  http
  | http-default-accounts:
  |   [Cacti] at /
  |     admin:admin
  |   [Nagios] at /nagios/
  |_    nagiosadmin:CactiEZ
