  1. ##############################################################################
  2. # OpenVAS Vulnerability Test
  3. # $Id$
  4. #
# Loxone Default Login Credentials Vulnerability
  6. #
  7. # Authors:
  8. # Tameem Eissa <tameem.eissa@greenbone.net>
  9. #
  10. # Copyright:
  11. # Copyright (c) 2016 Greenbone Networks GmbH
  12. #
  13. # This program is free software; you can redistribute it and/or
  14. # modify it under the terms of the GNU General Public License
  15. # as published by the Free Software Foundation; either version 2
  16. # of the License, or (at your option) any later version.
  17. #
  18. # This program is distributed in the hope that it will be useful,
  19. # but WITHOUT ANY WARRANTY; without even the implied warranty of
  20. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  21. # GNU General Public License for more details.
  22. #
  23. # You should have received a copy of the GNU General Public License
  24. # along with this program; if not, write to the Free Software
  25. # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
  26. ###############################################################################
  27.  
  28.  
  29.  
  30. if (description)
  31. {
  32. script_oid("1.3.6.1.4.1.25623.1.0.105756");
  33. script_version ("$Revision$");
  34. script_tag(name:"cvss_base", value:"7.5");
  35. script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:P/I:P/A:P");
  36. script_name("Loxone Smart Home Default Admin HTTP Login");
  37.  
  38. script_tag(name: "impact" , value:"Attackers can exploit this issue to obtain sensitive information that may lead to further attacks.");
  39. script_tag(name: "vuldetect" , value:"Try to login with default credentials admin:admin");
  40. script_tag(name: "solution" , value:"Change the password");
  41. script_tag(name: "summary" , value:"The remote Loxone installation has default credentials set.");
  42. script_tag(name:"solution_type", value: "Workaround");
  43.  
  44. script_tag(name:"qod_type", value:"remote_vul");
  45.  
  46. script_tag(name:"last_modification", value:"$Date$");
  47. script_tag(name:"creation_date", value:"2016-08-31 13:18:59 +0200 (Wed, 31 Aug 2016)");
  48. script_summary("Try to login with admin:admin");
  49. script_category(ACT_ATTACK);
  50. script_family("Web application abuses");
  51. script_copyright("This script is Copyright (C) 2016 Greenbone Networks GmbH");
  52. script_dependencies("http_version.nasl");
  53. script_require_ports("Services/www", 12900);
  54. script_exclude_keys("Settings/disable_cgi_scanning");
  55.  
  56. exit(0);
  57. }
  58.  
  59. include("http_func.inc");
  60. include("http_keepalive.inc");
  61. include("host_details.inc");
  62. include("misc_func.inc");
  63.  
  64.  
  65. function newHandshakekey()
  66. {
  67. rand = rand_str( length:16, charset: "0123456789");
  68. return base64( str: rand );
  69.  
  70. }
  71.  
  72. url = "";
  73. Banner = "";
  74. http_port = "";
  75.  
  76. ## Get HTTP Port
  77. http_port = get_http_port(default:80);
  78.  
  79.  
  80.  
  81. user = "admin";
  82. pass = "admin";
  83. host = get_host_name();
  84.  
  85. rand = rand_str( length:17, charset: "0123456789");
  86.  
  87.  
  88. req = string("GET /jdev/sys/getkey?0.", rand, " HTTP/1.1\r\n",
  89. "Host: ", host,":",http_port, "\r\n",
  90. "Content-Type: application/x-www-form-urlencoded\r\n",
  91. "Content-Length: ", strlen(data), "\r\n"
  92. );
  93. res = http_keepalive_send_recv( port:http_port, data:req, bodyonly:FALSE );
  94. display ("req = ", req, "\n");
  95. if ( res !~ "HTTP/1\.. 200" || '{"LL": {' >!< res ) exit( 0 );
  96. display ("res = ", res, "\n");
  97. if ( res =~ '"LL": [{] "control": "dev/sys/getkey", "value": "([A-F0-9]+)", "Code": "200"}}') display ("success\n");
  98.  
  99. json_key = eregmatch (pattern: '"LL": [{] "control": "dev/sys/getkey", "value": "([A-F0-9]+)", "Code": "200"}}', string: res, icase:TRUE);
  100. display ("json_key = ", json_key, "\n");
  101. key = json_key[1];# it should be decoded from Hexadecimal
  102. username = "admin";
  103. password = "admin";
  104. passphrase = "admin:admin";
  105. #passphrase = "61646d696e3a61646d696e";
  106. display ( "\npassphrase = " , passphrase, "\n");
  107. #protocol = hmac.new(r.json()['LL']['value'].decode("hex"), LOX_USER+":"+LOX_PASS, digestmod=hashlib.sha1).digest().encode("hex")
  108. #factory = WebSocketClientFactory("ws://"+LOX_ADDR+"/ws/",protocols = [protocol], debug=True)
  109. #key = "4545453030304234303039452035343938393333383020323031362d30392d30352030383a34343a3139";
  110. display ("key = ", key, "\n");
  111. key = hex2str(key);
  112. display ("key = ", key, "\n");
  113. protocol = HMAC_SHA1(data: passphrase, key: key);
  114. display ("protocol = ", protocol, "\n");
  115. protocol1 =hexstr( protocol);
  116. display ("protocol1 = ", protocol1, "\n");
  117. protocol2 = hexstr (protocol1);
  118. display ("protocol2 = ", protocol2, "\n");
  119. websockey_key = newHandshakekey();# should be base64 encoded and then to string converted
  120. display( "websockkey before = ", websockey_key, "\n");
  121. websockkey_key1 = base64_decode ( str: websockey_key);
  122. display( "websockkey after = ", websockkey_key1, "\n");
  123.  
  124. req2 = string ("GET /jdev/cfg/mac HTTP/1.1", "\r\n",
  125. "Host: 77.88.87.58", "\r\n",
  126. "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0", "\r\n",
  127. "Accept: */*", "\r\n",
  128. "Accept-Language: en-US,en;q=0.5", "\r\n",
  129. "Accept-Encoding: gzip, deflate", "\r\n",
  130. "X-Requested-With: XMLHttpRequest", "\r\n",
  131. "Referer: http://77.88.87.58/", "\r\n",
  132. "Connection: keep-alive", "\r\n",
  133. "\r\n");
  134.  
  135.  
  136. display ("req2 = ", req2, "\n");
  137.  
  138. res2 = http_keepalive_send_recv( port:http_port, data:req2 );
  139.  
  140. display ("res2 ", res2, "\n");
  141.  
  142.  
  143. req3 = string("GET /ws HTTP/1.1", "\r\n",
  144. "Host: ", host, "\r\n",
  145. "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0\r\n",
  146. "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n",
  147. "Accept-Language: en-US,en;q=0.5\r\n",
  148. "Accept-Encoding: gzip, deflate\r\n",
  149. "Sec-WebSocket-Version: 13\r\n",
  150. "origin: http://", host, "\r\n",
  151. # "origin: http://77.88.87.58\r\n",
  152. "Sec-WebSocket-Protocol: ", protocol1, "\r\n",
  153. "Sec-WebSocket-Extensions: permessage-deflate\r\n",
  154. "Sec-WebSocket-Key: SxObjwIAylwW0O9U1FD4NQ==\r\n",
  155. # "Sec-WebSocket-Key: SxObjwIAylwW0O9U1FD4NQ==\r\n",
  156. "Connection: keep-alive, Upgrade\r\n",
  157. "Pragma: no-cache\r\n",
  158. "Cache-Control: no-cache\r\n",
  159. "Upgrade: websocket\r\n",
  160. "\r\n");
  161.  
  162.  
  163. display ("req3 = ", req3, "\n");
  164.  
  165. res3 = http_keepalive_send_recv( port:http_port, data:req3 );
  166.  
  167.  
  168.  
  169.  
  170. display ("res3 ", res3, "\n");
  171.  
  172. exit( 99 );