1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
|
##
# This file is part of WhatWeb and may be subject to
# redistribution and commercial restrictions. Please see the WhatWeb
# web site for more information on licensing and terms of use.
# https://morningstarsecurity.com/research/whatweb
##
Plugin.define do
name "ZyXEL-Router"
authors [
"Brendan Coles <bcoles@gmail.com>", # 2010-11-01
# v0.2 # 2011-01-09 # Updated model detection.
"Andrew Horton", # v0.3 # Added signatures
# v0.4 # 2011-06-04 # Updated regex. Added www-authenticate HTTP header matches. Added ZyXEL-RomPager and RomPager HTTP server header matches.
# Andrew Horton # v0.5 # added version detection for Prestige models
# Andrew Horton # v0.6 # 2016-04-23 # Moved patterns from passive function to matches[].
]
version "0.6"
description "This plugin indentifies ZyXEL routers"
website "http://us.zyxel.com/"
# Tested on models: P-660H-D1, P-660HW-D1, P-660R-D1, P-662H-D1, P-662HW-D3, P-2602H-D1A, P-2602HW-D1A, P-2802HWL-I1, P660RU2, P660HT2, Prestige 660H61
# ZyXEL VSG-1200 V2 is access server that recognizes new users on network and re-routes all the different IP settings pre-configured on users' computers."
website "http://www.zyxel.com/"
# P-330W EE # Default Login # admin/password
# ShodanHQ results as at 2011-06-04 #
# 38,316 for WWW-Authenticate: Basic realm Prestige
# 38,311 for WWW-Authenticate: Basic realm Prestige RomPager
# 8,583 for ZyXEL-RomPager
# 422 for WWW-Authenticate: Basic realm="P-330W EE (username: admin)"
# Google results as at 2011-01-09 #
# 33 for intitle:Top "Vantage Service Gateway" -inurl:zyxel
# 90 for "Welcome to the Web-Based Configurator" "Welcome to your router Configuration Interface"
# Dorks #
dorks [
'intitle:Top "Vantage Service Gateway" -inurl:zyxel',
'"Welcome to the Web-Based Configurator" "Welcome to your router Configuration Interface"'
]
# Matches #
matches [
# Default title
{ :text=>"<title>.:: Welcome to the Web-Based Configurator::.</title><meta http-equiv='content-type' content='text/html;charset=iso-8859-1'>" },
# Default form HTML
{ :text=>'<form method="post" action="/Forms/rpAuth_1" onSubmit="LoginClick(document.forms[0].hiddenPassword, document.forms[0].LoginPassword);"><p> </p>' },
# Default welcome message HTML
{ :text=>'Welcome to your router Configuration Interface<p></p>Enter your password and press enter or click "Login"<p></p><img src="Images/i_key.gif" width="11" height="17" align="absmiddle"> <strong>' },
# Model Detection # Login page HTML
{ :model=>/<td align=center><p class="style1">[\r\n\s]*([^<^\s]+)[\s]*<br \/><br \/><\/p><\/td><\/tr><tr>/ },
# Vantage Service Gateway # Default HTML
{ :text=>'<font size="3" color="3366CC" face="Arial"><b><i>Vantage Service Gateway</i> </b></font>', :model=>"VSG" },
# Vantage Service Gateway # Default Frameset
{ :text=>'<frameset rows="75,97%,25" framespacing="0" border="0" frameborder="0">', :model=>"VSG" },
# JavaScript
{:text=>'loginPassword.value = "ZyXEL ZyWALL Series";' },
# Vantage Service Gateway # Version Detection # /top.htm
{ :url=>"/top.htm", :model=>/<td align="right"><font size="3" color="3366CC" face="Arial"><b><i>(VSG-[\d\ V]+)<\/i> <\/b><\/font><\/td><\/tr>/ },
# Prestige
{:version=>/<td height="40" colspan="4" class="Auth">Prestige ([^<]+)</},
{:model=>/<td height="40" colspan="4" class="Auth">(Prestige)</},
# HTTP Server Header # ZyXEL-RomPager
{ :name=>"HTTP Server Header", :regexp=>/^ZyXEL-RomPager/, :search=>"headers[server]" },
# HTTP Server Header # ZyXEL-RomPager # Version Detection
{ :name=>"HTTP Server Header", :version=>/^ZyXEL-RomPager\/([^\s]+)$/, :search=>"headers[server]" },
# HTTP Server Header # RomPager
{ :name=>"HTTP Server Header", :regexp=>/^RomPager/, :search=>"headers[server]" },
]
# Passive #
passive do
m=[]
# HTTP Server Header # ZyXEL-RomPager
if @headers["server"] =~ /^ZyXEL-RomPager/
# Model Detection # WWW-Authenticate # Prestige
m << { :model=>@headers["www-authenticate"].scan(/^Basic realm="(Prestige [^"]+)( Web)?"/)[0][0] } if @headers["www-authenticate"] =~ /^Basic realm="(Prestige [^"]+)( Web)?"/
# Model Detection # WWW-Authenticate
m << { :model=>@headers["www-authenticate"].scan(/^Basic realm="([^"^\s]+)"$/) } if @headers["www-authenticate"] =~ /^Basic realm="([^"^\s]+)"$/
end
# HTTP Server Header # RomPager
if @headers["server"] =~ /^RomPager/
# Model Detection # WWW-Authenticate # Prestige
m << { :model=>@headers["www-authenticate"].scan(/^Basic realm="(Prestige [^"]+)( Web)?"/)[0][0] } if @headers["www-authenticate"] =~ /^Basic realm="(Prestige [^"]+)( Web)?"/
end
# P-330W EE # HTTP Server Header and WWW-Authenticate realm
if @headers["www-authenticate"] =~ /Basic realm="P-330W EE \(username: admin\)"/ and @headers["server"] =~ /GoAhead-Webs/ and @status.to_s =~ /^401$/
m << { :model=>"P-330W EE" }
end
# Return passive matches
m
end
end
# An aggressive plugin could determine the module using default logo md5 hashes.
# md5 hashes are required for these images:
# { :model=>'Prestige 660H61', :url=>'/dslroutery/imgshop/full/NETZ1431.jpg' },
|
