Testing default credentials in web applications

Default credentials are frequently left unchanged on web applications and network devices. Nmap's NSE script http-default-accounts automates the process of testing default credentials against popular web applications, such as Apache Tomcat Manager and Cacti, and even the web management interfaces of home routers.

This recipe shows you how to automatically test default credential access in several web applications by using Nmap.

How to do it...

To automatically test default credential access in the supported applications, use the following Nmap command:

$ nmap -p80 --script http-default-accounts <target>

The results will indicate the application and default credentials if successful:

PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack
|_http-default-accounts: [Cacti] credentials found -> admin:admin Path:/cacti/

How it works...

The -p80 option restricts the scan to port 80, and --script http-default-accounts runs the NSE script against any web server found listening there.

I developed this NSE script to save time during web penetration tests by automatically checking whether system administrators have forgotten to change the default passwords of their systems. It ships with a few fingerprints for popular services, but it could be improved a lot by supporting more of them. I encourage you to submit new fingerprints to its database if you have access to a service that is commonly left with default credential access. The supported services so far are:

  • Cacti
  • Apache Tomcat
  • Apache Axis2
  • Arris 2307 routers
  • Cisco 2811 routers

The script detects web applications by requesting a list of known paths and, for each path that responds, running that fingerprint's login routine with each stored default credential pair. It depends on a fingerprint file located at /nselib/data/http-default-accounts-fingerprints.lua. Entries are Lua tables and look like the following:

table.insert(fingerprints, {
  name = "Apache Tomcat",
  category = "web",
  -- Paths where the Tomcat manager is usually exposed; each one is probed
  -- (relative to the base path) before any login is attempted.
  paths = {
    {path = "/manager/html/"},
    {path = "/tomcat/manager/html/"}
  },
  -- Default credential pairs, tried in order against each responding path.
  login_combos = {
    {username = "tomcat", password = "tomcat"},
    {username = "admin", password = "admin"}
  },
  -- Login routine: the Tomcat manager uses HTTP Basic authentication, so the
  -- helper from the fingerprint file sends the credentials in an
  -- Authorization header and reports whether the server accepted them.
  login_check = function (host, port, path, user, pass)
    return try_http_basic_login(host, port, path, user, pass)
  end
})

Each fingerprint entry must have the following fields:

  • name: This field specifies a descriptive service name, which is printed in the script output.
  • category: This field specifies a category label (for example, web or router) that lets the http-default-accounts.category argument restrict a scan to one class of target, which is useful for less intrusive scans.
  • login_combos: This field specifies a Lua table of username and password pairs that the service ships with by default.
  • paths: This field specifies a Lua table of paths where the service is commonly found.
  • login_check: This field specifies the login routine of the web service: a function that receives host, port, path, username, and password, attempts the login, and returns true only if it succeeded.
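As an added example (mine, not the book's and not from Nmap's shipped fingerprint file), the following entry shows a complete fingerprint for a form-based login rather than the HTTP Basic one above. The application name "ExampleCMS", its paths, its form field names, and the success and failure indicators are all hypothetical; when writing a real fingerprint, take them from the target's actual login form and responses. The entry uses Nmap's http library directly (http.post and the status, header, and body fields of its response table) instead of a helper from the fingerprint file, and it only reports success on a positive indicator, so that an error page or a WAF block page is not mistaken for a successful login.

```lua
-- Added example fingerprint for a hypothetical form-based application.
-- Save it as, for example, ./my-fingerprints.lua and load it with:
--   --script-args http-default-accounts.fingerprintfile=./my-fingerprints.lua
-- The script provides the `fingerprints` table; the libraries are required
-- here so the file also works when loaded on its own.
local http = require "http"
local table = require "table"

table.insert(fingerprints, {
  name = "ExampleCMS admin panel",   -- hypothetical application
  category = "web",
  -- Locations of the login form (assumed); the script requests each one
  -- relative to the base path and calls login_check only for those that respond.
  paths = {
    {path = "/examplecms/admin/"},
    {path = "/admin/examplecms/"}
  },
  -- Default credentials assumed for this hypothetical application.
  login_combos = {
    {username = "admin", password = "admin"},
    {username = "admin", password = "password"}
  },
  login_check = function (host, port, path, user, pass)
    -- Form-based login: POST the credentials to login.php under the path.
    -- The field names are assumed; copy them from the real form's HTML.
    local form = {username = user, password = pass, submit = "Login"}
    local resp = http.post(host, port, path .. "login.php", nil, nil, form)
    if not resp or not resp.status or not resp.body then
      return false
    end
    -- Assumed behaviour: a successful login redirects to the dashboard.
    -- Header keys in the NSE http response table are lowercase.
    local location = resp.header["location"]
    if resp.status == 302 and location
        and location:find("dashboard", 1, true) then
      return true
    end
    -- Some applications render the logged-in page directly; require a
    -- positive marker and the absence of the failure message together.
    if resp.status == 200
        and resp.body:find("Logged in as", 1, true)
        and not resp.body:find("Invalid credentials", 1, true) then
      return true
    end
    -- Anything else (200 with the form re-rendered, 401, 403, 5xx) is a miss.
    return false
  end
})
```

Because login_check is plain Lua, the same pattern covers cookie-based or multi-step logins: perform whatever requests the application needs and return true only when the response proves the session is authenticated.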

There's more...

For less intrusive scans, restrict the probes to one category by using the script argument http-default-accounts.category:

$ nmap -p80 --script http-default-accounts --script-args http-default-accounts.category=router <target>

The available categories are:

  • web: This category covers web applications
  • router: This category covers the web management interfaces of routers
  • voip: This category covers VoIP devices
  • security: This category covers security-related software

The script uses the web root (/) as the base path by default, but you can set a different one (for example, when the applications live under a shared prefix) by using the argument http-default-accounts.basepath:

$ nmap -p80 --script http-default-accounts --script-args http-default-accounts.basepath=/web/ <target>

The default fingerprint file is located at /nselib/data/http-default-accounts-fingerprints.lua, but you can use a different file by specifying the argument http-default-accounts.fingerprintfile:

$ nmap -p80 --script http-default-accounts --script-args http-default-accounts.fingerprintfile=./more-signatures.txt <target>

HTTP User Agent

Some packet filtering products block requests made with Nmap's default HTTP User-Agent. You can send a different User-Agent value by setting the library argument http.useragent, which applies to http-default-accounts and every other script that uses the http library:

$ nmap -p80 --script http-default-accounts --script-args http.useragent="Mozilla 42" <target>

See also

  • The Detecting possible XST vulnerabilities recipe
  • The Discovering interesting files and directories in various web servers recipe
  • The Detecting web application firewalls recipe
  • The Brute forcing HTTP authentication recipe
  • The Abusing mod_userdir to enumerate user accounts recipe
  • The Brute-force password auditing WordPress installations recipe
  • The Brute-force password auditing Joomla! installations recipe
  • The Finding SQL injection vulnerabilities in web applications recipe