-
Notifications
You must be signed in to change notification settings - Fork 20
/
http-polycom-soundpoint-info.nse
106 lines (85 loc) · 3.63 KB
/
http-polycom-soundpoint-info.nse
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
description = [[
Attempts to retrieve the configuration settings from a Polycom SoundPoint VoIP
phone. The information is retrieved from "/reg_1.htm" and "/reg_2.htm" which is
only available when authentication is disabled.
The web administration interface runs on port 80 by default.
]]
---
-- @usage
-- nmap --script http-polycom-soundpoint-info -p <port> <host>
--
-- @output
-- PORT STATE SERVICE REASON
-- 80/tcp open http syn-ack
-- | http-polycom-soundpoint-info:
-- | [Line #1]
-- | Username: 21009
-- | Display Name: John Doe
-- | Address: 21009
-- | Server #1: sip.example.com
-- | Server #2: sip2.example.com
-- | [Line #2]
-- | Server #1: sip.example.com
-- |_ Server #2: sip2.example.com
--
-- @changelog
-- 2011-09-22 - created by Brendan Coles - itsecuritysolutions.org
--
author = "Brendan Coles [itsecuritysolutions.org]"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"discovery"}
require("url")
require("http")
require("stdnse")
require("shortport")
portrule = shortport.port_or_service (80, "VoIP phone", {"tcp"})
action = function(host, port)
local result = {}
local paths = {"/reg_1.htm","/reg_2.htm"}
local config_file = ""
-- Retrieve file
stdnse.print_debug(1, ("%s: Connecting to %s:%s"):format(SCRIPT_NAME, host.targetname or host.ip, port.number))
for line, path in ipairs(paths) do
-- Check if file exists
data = http.get(host, port, tostring(path))
if data and data.status and tostring(data.status):match("200") and data.body and data.body ~= "" then
-- Check if the config file is valid
stdnse.print_debug(1, "%s: HTTP %s: %s", SCRIPT_NAME, data.status, tostring(path))
if string.match(data.body, "<title>SoundPoint IP Configuration Utility") and string.match(data.body, '<div align="center" class="bN">SoundPoint IP Configuration</div>') then
config_file = data.body
else
stdnse.print_debug(1, ("%s: %s:%s uses an invalid config file."):format(SCRIPT_NAME, host.targetname or host.ip, port.number))
return
end
else
stdnse.print_debug(1, "%s: Failed to retrieve file: %s", SCRIPT_NAME, tostring(path))
return
end
-- Extract system info from config file
stdnse.print_debug(1, "%s: Extracting line #%s info from %s", SCRIPT_NAME, line, path)
table.insert(result, string.format("[Line #%s]", line))
local vars = {
-- System settings --
{"Display Name","reg."..line..".displayName"},
{"Label","reg."..line..".label"},
{"Address","reg."..line..".address"},
-- Server 1 settings
{"Server #1","reg."..line..".server.1.address"},
{"Server #1 Port","reg."..line..".server.1.port"},
-- Server 2 settings
{"Server #2","reg."..line..".server.2.address"},
{"Server #2 Port","reg."..line..".server.2.port"},
}
-- username and password
local var_match = string.match(config_file, string.format('<td width="200" bgcolor="#999999"><input value="([^"]+)" name="%s"\/><\/td>', "reg."..line..".auth.userId"))
if var_match then table.insert(result, string.format("Username: %s", var_match)) end
local var_match = string.match(config_file, string.format('<td width="200" bgcolor="#999999"><input value="([^"]+)" type="password" name="%s"\/><\/td>', "reg."..line..".auth.password"))
if var_match then table.insert(result, string.format("Password: %s", var_match)) end
for _, var in ipairs(vars) do
local var_match = string.match(config_file, string.format('<td width="200" bgcolor="#999999"><input value="([^"]+)" name="%s"\/><\/td>', var[2]))
if var_match then table.insert(result, string.format("%s: %s", var[1], var_match)) end
end
end
-- Return results
return stdnse.format_output(true, result)
end