Script puppet-naivesigning

Script types: portrule
Categories: intrusive, vuln
Download: https://svn.nmap.org/nmap/scripts/puppet-naivesigning.nse

Script Summary

Detects if naive signing is enabled on a Puppet server. This enables attackers to create any Certificate Signing Request and have it signed, allowing them to impersonate a Puppet agent. This can leak the configuration of the agents as well as any other sensitive information found in the configuration files.

This script makes use of the Puppet HTTP API interface to sign the request.

This script has been tested on versions 3.8.5 and 4.10.
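On the defending side, the condition this script reports is configured in two places on the Puppet server: the `autosign` setting in puppet.conf (`true` signs every CSR) and the whitelist file autosign.conf (a bare `*` entry matches every certname). The following audit is an added example and is not part of the Nmap script; the sample configuration files are constructed, and glob matching via `fnmatch` is assumed to approximate Puppet's wildcard handling well enough to tell `*` from `*.example.test`.

```python
import configparser
import fnmatch

def autosign_setting(puppet_conf_text):
    """Return the `autosign` value from [master] or [server] in puppet.conf, or None if unset."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(puppet_conf_text)
    for section in ("master", "server"):
        if cp.has_option(section, "autosign"):
            return cp.get(section, "autosign").strip()
    return None

def catch_all_entries(autosign_conf_text):
    """Return autosign.conf entries that would match an arbitrary certname.

    Assumption: fnmatch-style globbing approximates Puppet's wildcard rules.
    """
    probe = "arbitrary-host.attacker-controlled.invalid"   # constructed certname
    hits = []
    for line in autosign_conf_text.splitlines():
        entry = line.split("#", 1)[0].strip()             # drop comments and blank lines
        if entry and fnmatch.fnmatchcase(probe, entry):
            hits.append(entry)
    return hits

def audit_autosign(puppet_conf_text, autosign_conf_text):
    """Return (naive, findings); naive is True when every CSR would be signed."""
    setting = autosign_setting(puppet_conf_text)
    if setting == "true":
        return True, ["puppet.conf: autosign = true signs every CSR"]
    if setting == "false":
        return False, ["puppet.conf: autosign = false (autosigning disabled)"]
    # Unset (defaults to $confdir/autosign.conf) or an explicit path: the
    # whitelist applies, so the caller passes that file's contents here.
    hits = catch_all_entries(autosign_conf_text)
    if hits:
        return True, ["autosign.conf catch-all entry: %s" % h for h in hits]
    return False, ["autosign.conf: no catch-all entries"]

# Constructed sample files (not taken from any real deployment).
NAIVE_PUPPET_CONF = "[main]\nserver = puppet.example.test\n[master]\nautosign = true\n"
RESTRICTED_PUPPET_CONF = "[master]\nautosign = /etc/puppetlabs/puppet/autosign.conf\n"
NAIVE_AUTOSIGN_CONF = "# allow everything -- this is naive signing\n*\n"
RESTRICTED_AUTOSIGN_CONF = "*.example.test\nbuild-node01.example.test\n"

if __name__ == "__main__":
    for pc, ac in [(NAIVE_PUPPET_CONF, ""), (RESTRICTED_PUPPET_CONF, NAIVE_AUTOSIGN_CONF),
                   (RESTRICTED_PUPPET_CONF, RESTRICTED_AUTOSIGN_CONF)]:
        naive, findings = audit_autosign(pc, ac)
        print("NAIVE" if naive else "ok   ", findings)
```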

Script Arguments

puppet-naivesigning.env

- The environment that is provided to the endpoints -> Default: "production"

puppet-naivesigning.csr

- The file containing the Certificate Signing Request to replace the default one -> Default: nil

puppet-naivesigning.node

- The name of the node in the CSR -> Default: "agentzero.localdomain"

slaxml.debug

See the documentation for the slaxml library.

http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent

See the documentation for the http library.

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

Example Usage

  • nmap -p 8140 --script puppet-naivesigning <target>
  • nmap -p 8140 --script puppet-naivesigning --script-args puppet-naivesigning.csr=other.csr,puppet-naivesigning.node=agency <target>
    

Script Output

PORT     STATE SERVICE REASON
8140/tcp open  puppet  syn-ack ttl 64
| puppet-naivesigning:
|   Puppet Naive autosigning enabled! Naive autosigning causes the Puppet CA to autosign ALL CSRs.
|   Attackers will be able to obtain a configuration catalog, which might contain sensitive information.
|   -----BEGIN CERTIFICATE-----
|   MIIFfjCCA2agAwIBAgIBEjANBgkqhkiG9w0BAQsFADAoMSYwJAYDVQQDDB1QdXBw
|_  ZXQgQ0E6IHVidW50dS5sb2NhbGRvbWFpbjAeFw0xNzA2MjkxNjQzMjZaFw0yMjA

Author:

  • Wong Wai Tuck

License: Same as Nmap--See https://nmap.org/book/man-legal.html