Script puppet-naivesigning
Script types:
portrule
Categories:
intrusive, vuln
Download: https://svn.nmap.org/nmap/scripts/puppet-naivesigning.nse
Script Summary
Detects if naive signing is enabled on a Puppet server. This enables attackers to create any Certificate Signing Request and have it signed, allowing them to impersonate a Puppet agent. This can leak the configuration of the agents as well as any other sensitive information found in the configuration files.
This script makes use of the Puppet HTTP API interface to sign the request.
This script has been tested on versions 3.8.5 and 4.10.
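The setting this script detects over the network can also be audited on the Puppet server itself. The following Python check is an added example (not part of the NSE script or of Puppet's own code) and assumes puppet.conf's INI layout and the `autosign` setting in the [server], [master] or [main] section, where `true` signs every CSR, `false` or absent leaves CSRs pending, and a path names either an executable policy script or a plain whitelist file in which a bare `*` matches every certname; all configs and file contents below are constructed.

```python
"""Classify a Puppet CA's autosign setting from puppet.conf text (constructed example)."""
import configparser

# Puppet resolves CA settings from [server] (Puppet 6+), then [master], then [main].
_SECTIONS = ("server", "master", "main")


def autosign_mode(conf_text, whitelist_files=None):
    """Return 'naive', 'whitelist', 'policy' or 'disabled' for the given puppet.conf text.

    whitelist_files maps a path to the content of a non-executable autosign.conf at
    that path; it stands in for the filesystem in this example. A path that is not in
    the map is treated as an executable policy script (what Puppet does for an
    executable file at the configured path).
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    value = None
    for section in _SECTIONS:
        if cp.has_option(section, "autosign"):
            value = cp.get(section, "autosign").strip()
            break
    if value is None or value.lower() == "false":
        return "disabled"      # Puppet's default: every CSR waits for a manual sign
    if value.lower() == "true":
        return "naive"         # the condition puppet-naivesigning reports
    content = (whitelist_files or {}).get(value)
    if content is None:
        return "policy"        # executable at that path decides per CSR
    for line in content.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry == "*":
            return "naive"     # a bare '*' matches every certname, same effect as true
    return "whitelist"


# Constructed sample configurations: the weak setting and a corrected one.
WEAK_CONF = "[main]\nserver = puppet.example.internal\n[master]\nautosign = true\n"
FIXED_CONF = WEAK_CONF.replace("autosign = true",
                               "autosign = /etc/puppetlabs/puppet/autosign.conf")
SAMPLE_WHITELIST = {"/etc/puppetlabs/puppet/autosign.conf": "*.example.internal\n"}

if __name__ == "__main__":
    print("weak config :", autosign_mode(WEAK_CONF))                    # naive
    print("fixed config:", autosign_mode(FIXED_CONF, SAMPLE_WHITELIST))  # whitelist
```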
References:
Script Arguments
- puppet-naivesigning.env
The environment that is provided to the endpoints. Default: "production"
- puppet-naivesigning.csr
The file containing the Certificate Signing Request to replace the default one. Default: nil
- puppet-naivesigning.node
The name of the node in the CSR. Default: "agentzero.localdomain"
- slaxml.debug
See the documentation for the slaxml library.
- http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent
See the documentation for the http library.
- smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername
See the documentation for the smbauth library.
Example Usage
nmap -p 8140 --script puppet-naivesigning <target>
nmap -p 8140 --script puppet-naivesigning --script-args puppet-naivesigning.csr=other.csr,puppet-naivesigning.node=agency <target>
Script Output
PORT     STATE SERVICE REASON
8140/tcp open  puppet  syn-ack ttl 64
| puppet-naivesigning:
|   Puppet Naive autosigning enabled! Naive autosigning causes the Puppet CA to autosign ALL CSRs.
|   Attackers will be able to obtain a configuration catalog, which might contain sensitive information.
|   -----BEGIN CERTIFICATE-----
|   MIIFfjCCA2agAwIBAgIBEjANBgkqhkiG9w0BAQsFADAoMSYwJAYDVQQDDB1QdXBw
|_  ZXQgQ0E6IHVidW50dS5sb2NhbGRvbWFpbjAeFw0xNzA2MjkxNjQzMjZaFw0yMjA
Requires
Author:
License: Same as Nmap--See https://nmap.org/book/man-legal.html