1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
|
##
# This file is part of WhatWeb and may be subject to
# redistribution and commercial restrictions. Please see the WhatWeb
# web site for more information on licensing and terms of use.
# http://www.morningstarsecurity.com/research/whatweb
##
# Version 0.5 Andrew Horton - added version detection for Prestige models
# Version 0.4 # 2011-06-04
# Updated regex
# Added www-authenticate HTTP header matches
# Added ZyXEL-RomPager and RomPager HTTP server header matches
##
# Version 0.3
# Added signatures by Andrew Horton
##
# Version 0.2 # 2011-01-09 #
# Updated model detection
##
Plugin.define "ZyXEL-Router" do
author "Brendan Coles <bcoles@gmail.com>" # 2010-11-01
version "0.5"
description "This plugin indentifies ZyXEL routers - Homepage: http://us.zyxel.com/"
# Tested on models: P-660H-D1, P-660HW-D1, P-660R-D1, P-662H-D1, P-662HW-D3, P-2602H-D1A, P-2602HW-D1A, P-2802HWL-I1, P660RU2, P660HT2, Prestige 660H61
# ZyXEL VSG-1200 V2 is access server that recognizes new users on network and re-routes all the different IP settings pre-configured on users' computers. - homepage: http://www.zyxel.com/"
# P-330W EE # Default Login # admin/password
# ShodanHQ results as at 2011-06-04 #
# 38,316 for WWW-Authenticate: Basic realm Prestige
# 38,311 for WWW-Authenticate: Basic realm Prestige RomPager
# 8,583 for ZyXEL-RomPager
# 422 for WWW-Authenticate: Basic realm="P-330W EE (username: admin)"
# Google results as at 2011-01-09 #
# 33 for intitle:Top "Vantage Service Gateway" -inurl:zyxel
# 90 for "Welcome to the Web-Based Configurator" "Welcome to your router Configuration Interface"
# Dorks #
dorks [
'intitle:Top "Vantage Service Gateway" -inurl:zyxel',
'"Welcome to the Web-Based Configurator" "Welcome to your router Configuration Interface"'
]
# Matches #
matches [
# Default title
{ :text=>"<title>.:: Welcome to the Web-Based Configurator::.</title><meta http-equiv='content-type' content='text/html;charset=iso-8859-1'>" },
# Default form HTML
{ :text=>'<form method="post" action="/Forms/rpAuth_1" onSubmit="LoginClick(document.forms[0].hiddenPassword, document.forms[0].LoginPassword);"><p> </p>' },
# Default welcome message HTML
{ :text=>'Welcome to your router Configuration Interface<p></p>Enter your password and press enter or click "Login"<p></p><img src="Images/i_key.gif" width="11" height="17" align="absmiddle"> <strong>' },
# Model Detection # Login page HTML
{ :model=>/<td align=center><p class="style1">[\r\n\s]*([^<^\s]+)[\s]*<br \/><br \/><\/p><\/td><\/tr><tr>/ },
# Vantage Service Gateway # Default HTML
{ :text=>'<font size="3" color="3366CC" face="Arial"><b><i>Vantage Service Gateway</i> </b></font>', :model=>"VSG" },
# Vantage Service Gateway # Default Frameset
{ :text=>'<frameset rows="75,97%,25" framespacing="0" border="0" frameborder="0">', :model=>"VSG" },
# JavaScript
{:text=>'loginPassword.value = "ZyXEL ZyWALL Series";' },
# Vantage Service Gateway # Version Detection # /top.htm
{ :url=>"/top.htm", :model=>/<td align="right"><font size="3" color="3366CC" face="Arial"><b><i>(VSG-[\d\ V]+)<\/i> <\/b><\/font><\/td><\/tr>/ },
# Prestige
{:version=>/<td height="40" colspan="4" class="Auth">Prestige ([^<]+)</},
{:model=>/<td height="40" colspan="4" class="Auth">(Prestige)</}
]
# Passive #
def passive
m=[]
# HTTP Server Header # ZyXEL-RomPager
if @headers["server"] =~ /^ZyXEL-RomPager/
m << { :name=>"HTTP Server Header" }
# Version Detection
m << { :version=>@headers["server"].scan(/^ZyXEL-RomPager\/([^\s]+)$/) } if @headers["server"] =~ /^ZyXEL-RomPager\/([^\s]+)$/
# Model Detection # WWW-Authenticate # Prestige
m << { :model=>@headers["www-authenticate"].scan(/^Basic realm="(Prestige [^"]+)( Web)?"/)[0][0] } if @headers["www-authenticate"] =~ /^Basic realm="(Prestige [^"]+)( Web)?"/
# Model Detection # WWW-Authenticate
m << { :model=>@headers["www-authenticate"].scan(/^Basic realm="([^"^\s]+)"$/) } if @headers["www-authenticate"] =~ /^Basic realm="([^"^\s]+)"$/
end
# HTTP Server Header # RomPager
if @headers["server"] =~ /^RomPager/
# Model Detection # WWW-Authenticate # Prestige
m << { :model=>@headers["www-authenticate"].scan(/^Basic realm="(Prestige [^"]+)( Web)?"/)[0][0] } if @headers["www-authenticate"] =~ /^Basic realm="(Prestige [^"]+)( Web)?"/
end
# P-330W EE # HTTP Server Header and WWW-Authenticate realm
if @headers["www-authenticate"] =~ /Basic realm="P-330W EE \(username: admin\)"/ and @headers["server"] =~ /GoAhead-Webs/ and @status.to_s =~ /^401$/
m << { :model=>"P-330W EE" }
end
# Return passive matches
m
end
end
# An aggressive plugin could determine the module using default logo md5 hashes.
# md5 hashes are required for these images:
# { :model=>'Prestige 660H61', :url=>'/dslroutery/imgshop/full/NETZ1431.jpg' },
|
