1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
|
##
# This file is part of WhatWeb and may be subject to
# redistribution and commercial restrictions. Please see the WhatWeb
# web site for more information on licensing and terms of use.
# http://www.morningstarsecurity.com/research/whatweb
##
# Version 0.5 Andrew Horton - added version detection for Prestige models
# Version 0.4 # 2011-06-04
# Updated regex
# Added www-authenticate HTTP header matches
# Added ZyXEL-RomPager and RomPager HTTP server header matches
##
# Version 0.3
# Added signatures by Andrew Horton
##
# Version 0.2 # 2011-01-09 #
# Updated model detection
##
Plugin.define "ZyXEL-Router" do
author "Brendan Coles <bcoles@gmail.com>" # 2010-11-01
version "0.5"
description "This plugin indentifies ZyXEL routers - Homepage: http://us.zyxel.com/"
# Tested on models: P-660H-D1, P-660HW-D1, P-660R-D1, P-662H-D1, P-662HW-D3, P-2602H-D1A, P-2602HW-D1A, P-2802HWL-I1, P660RU2, P660HT2, Prestige 660H61
# ZyXEL VSG-1200 V2 is access server that recognizes new users on network and re-routes all the different IP settings pre-configured on users' computers. - homepage: http://www.zyxel.com/"
# P-330W EE # Default Login # admin/password
# ShodanHQ results as at 2011-06-04 #
# 38,316 for WWW-Authenticate: Basic realm Prestige
# 38,311 for WWW-Authenticate: Basic realm Prestige RomPager
# 8,583 for ZyXEL-RomPager
# 422 for WWW-Authenticate: Basic realm="P-330W EE (username: admin)"
# Google results as at 2011-01-09 #
# 33 for intitle:Top "Vantage Service Gateway" -inurl:zyxel
# 90 for "Welcome to the Web-Based Configurator" "Welcome to your router Configuration Interface"
# Dorks #
dorks [
'intitle:Top "Vantage Service Gateway" -inurl:zyxel',
'"Welcome to the Web-Based Configurator" "Welcome to your router Configuration Interface"'
]
# Examples #
examples %w|
80.32.183.41
81.187.164.217
81.223.235.86
80.175.97.245
88.88.90.185
83.251.216.232
24.34.19.225
190.60.247.134
80.38.76.93
198.68.199.247
spamdns.com
195.210.177.1
195.210.180.229
www.brts.webhop.net
66.178.129.151
213.180.170.149
210.176.164.58/top.htm
24.153.183.242/top.htm
67.53.102.106/top.htm
213.236.165.126/top.htm
fleta.org/top.htm
68.185.53.190/top.htm
67.79.70.218/top.htm
65.23.108.18/top.htm
74.218.130.219/top.htm
24.199.41.82/top.htm
https://207.190.252.194/top.htm
83.167.114.66
|
# Matches #
matches [
# Default title
{ :text=>"<title>.:: Welcome to the Web-Based Configurator::.</title><meta http-equiv='content-type' content='text/html;charset=iso-8859-1'>" },
# Default form HTML
{ :text=>'<form method="post" action="/Forms/rpAuth_1" onSubmit="LoginClick(document.forms[0].hiddenPassword, document.forms[0].LoginPassword);"><p> </p>' },
# Default welcome message HTML
{ :text=>'Welcome to your router Configuration Interface<p></p>Enter your password and press enter or click "Login"<p></p><img src="Images/i_key.gif" width="11" height="17" align="absmiddle"> <strong>' },
# Model Detection # Login page HTML
{ :model=>/<td align=center><p class="style1">[\r\n\s]*([^<^\s]+)[\s]*<br \/><br \/><\/p><\/td><\/tr><tr>/ },
# Vantage Service Gateway # Default HTML
{ :text=>'<font size="3" color="3366CC" face="Arial"><b><i>Vantage Service Gateway</i> </b></font>', :model=>"VSG" },
# Vantage Service Gateway # Default Frameset
{ :text=>'<frameset rows="75,97%,25" framespacing="0" border="0" frameborder="0">', :model=>"VSG" },
# JavaScript
{:text=>'loginPassword.value = "ZyXEL ZyWALL Series";' },
# Vantage Service Gateway # Version Detection # /top.htm
{ :url=>"/top.htm", :model=>/<td align="right"><font size="3" color="3366CC" face="Arial"><b><i>(VSG-[\d\ V]+)<\/i> <\/b><\/font><\/td><\/tr>/ },
# Prestige
{:version=>/<td height="40" colspan="4" class="Auth">Prestige ([^<]+)</},
{:model=>/<td height="40" colspan="4" class="Auth">(Prestige)</}
]
# Passive #
def passive
m=[]
# HTTP Server Header # ZyXEL-RomPager
if @headers["server"] =~ /^ZyXEL-RomPager/
m << { :name=>"HTTP Server Header" }
# Version Detection
m << { :version=>@headers["server"].scan(/^ZyXEL-RomPager\/([^\s]+)$/) } if @headers["server"] =~ /^ZyXEL-RomPager\/([^\s]+)$/
# Model Detection # WWW-Authenticate # Prestige
m << { :model=>@headers["www-authenticate"].scan(/^Basic realm="(Prestige [^"]+)( Web)?"/)[0][0] } if @headers["www-authenticate"] =~ /^Basic realm="(Prestige [^"]+)( Web)?"/
# Model Detection # WWW-Authenticate
m << { :model=>@headers["www-authenticate"].scan(/^Basic realm="([^"^\s]+)"$/) } if @headers["www-authenticate"] =~ /^Basic realm="([^"^\s]+)"$/
end
# HTTP Server Header # RomPager
if @headers["server"] =~ /^RomPager/
# Model Detection # WWW-Authenticate # Prestige
m << { :model=>@headers["www-authenticate"].scan(/^Basic realm="(Prestige [^"]+)( Web)?"/)[0][0] } if @headers["www-authenticate"] =~ /^Basic realm="(Prestige [^"]+)( Web)?"/
end
# P-330W EE # HTTP Server Header and WWW-Authenticate realm
if @headers["www-authenticate"] =~ /Basic realm="P-330W EE \(username: admin\)"/ and @headers["server"] =~ /GoAhead-Webs/ and @status.to_s =~ /^401$/
m << { :model=>"P-330W EE" }
end
# Return passive matches
m
end
end
# An aggressive plugin could determine the module using default logo md5 hashes.
# md5 hashes are required for these images:
# { :model=>'Prestige 660H61', :url=>'/dslroutery/imgshop/full/NETZ1431.jpg' },
|
