Add iDRAC9 fingerprint to http-default-accounts. Closes #2096

nmap · Aug 20, 2020 · ae84080 · ae84080
1 parent cfff367
commit ae84080
Show file tree

Hide file tree

Showing 2 changed files with 40 additions and 2 deletions.
diff --git a/CHANGELOG b/CHANGELOG
@@ -148,8 +148,8 @@ o [NSE][GH#1720] Functions lsa_lookupnames2 and lsa_lookupsids2 in library
   msrpc were incorrectly referencing function strjoin when called with debug
   level 2 or higher. [Ivan Ivanov]
 
-o [NSE][GH#1755] Added a default account fingerprint for Tomcat Host Manager.
-  [Clément Notin]
+o [NSE][GH#1755][GH#2096] Added HTTP default account fingerprints for Tomcat
+  Host Manager and Dell iDRAC9. [Clément Notin]
 
 o [NSE][GH#1476][GH#1707] A MS-SMB spec non-compliance in Samba was causing
   protocol negotiation to fail with data string too short error.

diff --git a/nselib/data/http-default-accounts-fingerprints.lua b/nselib/data/http-default-accounts-fingerprints.lua
@@ -1675,6 +1675,44 @@ table.insert(fingerprints, {
   end
 })
 
+table.insert(fingerprints, {
+  name = "Dell iDRAC9",
+  cpe = "cpe:/o:dell:idrac9_firmware",
+  category = "console",
+  paths = {
+    {path = "/"}
+  },
+  target_check = function (host, port, path, response)
+    -- analyze response for 1st request to "/"
+    if not (response.status == 302 and (response.header["location"] or ""):find("/restgui/start%.html$")) then return false end
+
+    -- check with 2nd request to "/restgui/start.html" to be sure
+    local resp = http_get_simple(host, port, url.absolute(path, "restgui/start.html"))  
+    return resp.status == 200
+           and resp.body
+           and resp.body:find("idrac-start-screen", 1, true)
+  end,
+  login_combos = {
+    {username = "root", password = "calvin"}
+  },
+  login_check = function (host, port, path, user, pass)
+    local headers = {
+                      ["user"]='"'..user..'"',
+                      ["password"]='"'..pass..'"'
+                    }
+    local resp = http_post_simple(host, port, url.absolute(path, "sysmgmt/2015/bmc/session"),
+                                 {header=headers})
+    local body = resp.body or ""
+
+    return (resp.status == 201 and (
+                body:find('"authResult":0') -- standard login success
+                or body:find('"authResult":7') -- login success with default credentials
+                or body:find('"authResult":9') -- login success with password reset required
+              )
+            )
+  end
+})
+
 table.insert(fingerprints, {
   --Version 1.1 on Supermicro X7SB3
   name = "Supermicro WPCM450",