File: htpasswd.rb

package info (click to toggle)
whatweb 0.6.1-1
  • links: PTS
  • area: main
  • in suites: forky, sid
  • size: 23,948 kB
  • sloc: ruby: 43,493; sh: 213; makefile: 41
file content (88 lines) | stat: -rw-r--r-- 2,952 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
 
##
# This file is part of WhatWeb and may be subject to
# redistribution and commercial restrictions. Please see the WhatWeb
# web site for more information on licensing and terms of use.
# https://morningstarsecurity.com/research/whatweb
##
Plugin.define do
name "htpasswd"
authors [
  "Brendan Coles <bcoles@gmail.com>", # 2010-10-23
  # v0.2 # Now requires htpasswd in the URL path to reduce false positives
  # v0.3 # 2011-01-21 # Updated credential extraction. Added SHA1 hashes for common admin passwords. Renamed plugin from "Credentials" to "htpasswd". 
]
version "0.3"
description ".htpasswd is a flat-file used to store usernames and password for basic authentication of Apache HTTP Server. This plugin attempts to retrievs credentials from .htpasswd files in user:pass format. - More info: http://en.wikipedia.org/wiki/Htpasswd"

# Google Results as at 2011-01-21 #
# 110 results for inurl:htpasswd ext:txt
# 181 results for filetype:htpasswd htpasswd
# 179 results for filetype:htpasswd inurl:htpasswd
# 35 results for htpasswd filetype:bak
# 2 results for ext:htpasswd1
# 2 results for inurl:"htpasswd" ext:bak

# Dorks #
dorks [
'inurl:htpasswd ext:txt',
'filetype:htpasswd htpasswd',
'filetype:htpasswd inurl:htpasswd'
]



# Passive #
# Extract credentials in user{2-255}:pass{1-80} format
# Accepts : sha1, md4, md5, plaintext
# The code is pretty ugly, but fast. Formatted for 80x24. Improvements welcomed.
passive do
m=[]

# Check if the current file is a .htpasswd file
if @base_uri.path =~ /htpasswd/i and @body =~ /^([0-9a-z\-_]{2,255}:[^\r^\n^\s^:]{1,80})[\r\n\s:]*/i

	# Loop through the results
	@body.scan(/^([0-9a-z\-_]{2,255}:[^\r^\n^\s^:]{1,80})[\r\n\s:]*/i).each do |line|
	# Compare hash to a few common passwords if the user is "admin"
	if line.to_s =~ /^admin:\$apr1\$/

		# Common passwords # SHA1
		if line.to_s == "admin:$apr1$Ev0Cp...$6R55smBmW.t.uDr01ao5Q."
			m << { :account=>"admin:admin" }
		elsif line.to_s == "admin:$apr1$XNQFp...$HCpZx9aTaQOD1vVFeGXUF1"
			m << { :account=>"admin:password" }
		elsif line.to_s == "admin:$apr1$94APp...$Vs/UEEdcnanhzIvFweeVd."
			m << { :account=>"admin:password1" }
		elsif line.to_s == "admin:$apr1$WqFQp...$xgPFU8Ao92A7eYg8J2cYx/"
			m << { :account=>"admin:Password" }
		elsif line.to_s == "admin:$apr1$3fdSp...$qq4wV9G75szLU/hJsGHYQ1"
			m << { :account=>"admin:12345" }
		elsif line.to_s == "admin:$apr1$b5XTp...$BcezBLeXvd7QT5Rlw.8Ki1"
			m << { :account=>"admin:123456" }
		elsif line.to_s == "admin:$apr1$WRMUp...$THfv/Ixp9HKpKH34dtzO3."
			m << { :account=>"admin:qwerty" }
		elsif line.to_s == "admin:$apr1$cT/Vp...$aOLWPBRTibzuNEhVpiw7V1"
			m << { :account=>"admin:abc123" }
		elsif line.to_s == "admin:$apr1$5PaVp...$gYaTwDl0yviTysvEY4REn0"
			m << { :account=>"admin:letmein" }

		# Display hash if unknown
		else
			m << { :account=>line.to_s }
		end

	# Display hash if user is not "admin"
	else
		m << { :account=>line.to_s }
	end

	end

end

m

end

end