Categories: discovery, auth, intrusive
Tests for access with default credentials used by a variety of web applications and devices.
It works similarly to http-enum: it detects applications by matching known paths and, when a match is found, runs a login routine using that application's default credentials. The script depends on a fingerprint file containing the target's information: name, category, location paths, default credentials and login routine.
You may select a category if you wish to reduce the number of requests. The available categories are:
  web - Web applications
  security - CCTVs and other security devices
  industrial - Industrial systems
  printer - Network-attached printers and printer servers
  storage - Storage devices
  virtualization - Virtualization systems
  console - Remote consoles
You can also select a specific fingerprint or a brand, such as BIG-IQ or Siemens. This matching is based on case-insensitive whole words, so "nas" will select Seagate BlackArmor NAS storage but not Netgear ReadyNAS.
For a fingerprint to be used, it needs to satisfy both the category and the name criteria.
Please help improve this script by adding new entries to nselib/data/http-default-accounts.lua
Remember that each fingerprint must have:
  name - Descriptive name
  login_combos - Table of login combinations
  paths - Table containing possible path locations of the target
  login_check - Login function of the target
In addition, a fingerprint should have:
  target_check - Target validation function. If defined, it will be called to validate the target before attempting any logins.
  cpe - Official CPE Dictionary entry (see https://nvd.nist.gov/cpe.cfm)
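A complete fingerprint entry that puts these fields together, as an added example that is not part of the script's own fingerprint file. The device name "Example NAS", its realm string, paths, credentials and CPE are constructed placeholders; the argument lists of target_check and login_check follow the convention of the existing fingerprint file (an assumption), and the entry assumes that file's global fingerprints table and Nmap's http library.

```lua
-- Added example entry for nselib/data/http-default-accounts-fingerprints.lua.
-- Everything about "Example NAS" is constructed for illustration only.
local http = require "http"

table.insert(fingerprints, {
  name = "Example NAS",          -- matched case-insensitively by the name filter
  category = "storage",          -- matched by the category filter
  cpe = "cpe:/h:example:nas",    -- placeholder, not a real CPE Dictionary entry
  paths = {
    {path = "/"},
    {path = "/admin/"},
  },
  -- Validate the target before any login is attempted, so the (intrusive)
  -- credential check never runs against an unrelated server on the same path.
  -- Here the check is a 401 whose WWW-Authenticate realm names the device.
  target_check = function (host, port, path, response)
    local www_auth = response.header and response.header["www-authenticate"]
    return response.status == 401
           and www_auth ~= nil
           and www_auth:lower():find("example nas", 1, true) ~= nil
  end,
  login_combos = {
    {username = "admin", password = "admin"},
    {username = "admin", password = ""},
  },
  -- Report success only when the server accepts the pair via HTTP Basic auth;
  -- a missing status (connection failure) is treated as not logged in.
  login_check = function (host, port, path, user, pass)
    local opts = {auth = {username = user, password = pass}, no_cache = true}
    local resp = http.get(host, port, path, opts)
    return resp.status ~= nil and resp.status ~= 401 and resp.status ~= 403
  end,
})
```

A fingerprint without target_check is tried on every host where its paths exist, so supplying one is the main way to keep the number of login attempts down.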
Default fingerprint file: /nselib/data/http-default-accounts-fingerprints.lua
This script was based on http-enum.
Script arguments:
  http-default-accounts.category - Selects a fingerprint category (or a list of categories).
  http-default-accounts.name - Selects fingerprints by a word (or a list of alternate words) included in their names.
  http-default-accounts.fingerprintfile - Fingerprint filename. Default: http-default-accounts-fingerprints.lua
  http-default-accounts.basepath - Base path to append to requests. Default: "/"
  slaxml.debug - See the documentation for the slaxml library.
  creds.[service], creds.global - See the documentation for the creds library.
  http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent - See the documentation for the http library.
  smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername - See the documentation for the smbauth library.
Example usage:
  nmap -p80 --script http-default-accounts host/ip
Script output:
  PORT   STATE SERVICE
  80/tcp open  http
  | http-default-accounts:
  |   [Cacti] at /
  |     admin:admin
  |   [Nagios] at /nagios/
  |_    nagiosadmin:CactiEZ
License: Same as Nmap. See https://nmap.org/book/man-legal.html