Fast Auth Scanner is a new web security scanner that automates pen-testing against routers and other web-based devices that require HTTP authentication.

This tool has the following features:

- Scan: fast scanning against a large number of systems, fingerprinting web servers.
- Protocols: establishes connections over HTTP or HTTPS.
- Authentication: brute-force attacks against servers that require authentication at the index web page.
- Resource search: if the default web page does not require authentication, the fingerprint database is used to check for alternate resources that need authentication.
- Webserver fingerprinting: tries an alternate fingerprinting method (HEAD instead of GET) when servers don't return the right Server header.
- Webforms support: most routers and web servers force authentication to be performed against a form instead of using basic/digest auth. fscan includes a dynamic authentication scheme that supports brute-forcing against web forms.
- Multithreading: multithreading support (by default 200 threads and a 15-second timeout; try increasing the timeout by 1 second for every 20 new threads that you add).

usage:

    D:\Programación\sslscanner>fscan
    Fast HTTP Auth Scanner v0.6
    (c) Andres Tarasco - www.514.es

    Usage: fscan.exe <parameters>

    --threads <threads>                    (Number of threds. default 10)
    --timeout <timeout>                    (Connection Timeout. default 10)
    --logfile <logfile>                    (Save results to <logfile>)
    --ipfile <ipfile>                      (load ips from <ipfile>)
    --hosts <ip1[-ip2]>                    (ex: --hosts 192.168.1.1-192.168.10.1)
    --bruteforce <0|1>                     (Bruteforce (enabled by default) )
    --fulluserlist <0|1>                   (Test all users (slowest)
    --ports <port>[,<port>,<port>,..]      (example -p 80,81,82,8080)
    --sslports <port>[,<port>,<port>,..]   (example -P 443,1443)

    Example:
    fscan.exe --ports 80 --sslports 443,1433 --hosts 192.168.0.1-192.168.1.254 --threads 200

Code:

    D:\fscan>fscan.exe --ports 80 --threads 400 --timeout 20 --hosts 192.168.0.0-89.0.0.0 --logfile logfile.txt
    Fast HTTP Auth Scanner v0.6
    (c) Andres Tarasco - http://www.514.es

    [+] Loaded 92 user/pass combinations
    [+] Loaded 41 ignored webservers
    [+] Loaded 32 Router authentication schemes
    [+] Loaded 46 webform authentication schemes
    [+] Loaded 12 Single Users
    [+] Scanning 16056320 hosts (192.168.0.0 - 89.0.0.0)
    [+] Scanning 1 ports - bruteforce is active

    Server          Port  status  password    banner
    192.168.0.48    80    200     not:found   Web Server/4.10
    192.168.6.112   80    401     admin:1234  RomPager/4.07 UPnP/1.0
    192.168.10.113  80    401     admin:1234  ZyXEL-RomPager/3.02
    192.168.11.118  80    200     1234        (Zyxel/Prestige 6xxx)
    192.168.5.142   80    401     not:found   RomPager/4.07 UPnP/1.0
    192.168.10.103  80    401     1234:1234   Unknown/0.0 UPnP/1.0 GlobespanVirata-EmWeb/R6_1_0
    192.168.11.105  80    401     1234:1234   Unknown/0.0 UPnP/1.0 GlobespanVirata-EmWeb/R6_1_0
    192.168.13.28   80    401     admin:1234  RomPager/4.07 UPnP/1.0
    192.168.13.108  80    401     1234:1234   Unknown/0.0 UPnP/1.0 GlobespanVirata-EmWeb/R6_1_0

RouterAuth.ini;UserListMulti.ini;UserListMulti-simple.ini;webforms.ini

Code:

[b]IgnoreList.ini[/b]

Some systems identified during scans do not need to be processed, either because they are not susceptible to brute-force attacks or because we know beforehand that the results they generate will be superfluous.

Data is stored as "CODE Server", where CODE is the HTTP status code returned (GET / HTTP/1.0). Set the code to 0 to ignore the returned status code. Use HTTP/1.0 if the server does not return the "Server:" header.

Example:

    400 micro_httpd
    400 HTTP/1.0
    403 HTTP/1.0
    0 Microsoft
    0 Apache
    0 Netscape
    0 Lotus-Domino
    0 GWS/2.1
    0 Sun
    0 Oracle

[b]UserListMulti-simple.ini[/b]

User and password list for basic authentication. This list contains the most common default router passwords.

Example:

    admin:admin
    admin:
    :admin
    Admin:Admin
    admin:1234
    admin:epicrouter
    admin:microbusiness
    admin:smallbusiness
    admin:motorola
    admin:123456
    cisco:cisco
    1234:1234
    operator:
    root:
    root:root
    root:admin
    root:!root
    super:super
    test:test
    Cisco:Cisco
    :0000
    smc:smcadmin
    support:support

Use the flag "--fulluserlist 1" to perform more accurate tests with more passwords stored in UserListMulti.ini (slower).

[b]RouterAuth.ini[/b]

This file is used to modify how the basic brute-force engine behaves when the web server does not return a 401 error code. The tool checks the return code and server banner. If a match is found, the new URL will be requested instead of "/".

If the return code and banner match the default HTTP request (GET / HTTP/1.0\r\n\r\n), fscan will try to find a page that requests auth.

Example:

    401|*|/|GET|
    200|Rumpus|/Login|GET|
    302|HTTP/1.0|/hag/pages/home.ssi|GET|
    302|HTTP/1.0|/index.htm|GET|
    302|FlexWATCH-Webs|/admin/aindex.htm|GET|
    200|Arescom/1.1.0|/adva/admin.html|GET|
    401|Arescom/1.1.0|/adva/admin.html|GET|
    404|EksosM/0.1|/cgi/login?uri=/cgi_u/main|GET|
    200|WebStar/2.12 Linux|/intro.html|GET|
    200|HTTP/1.0|/syslog.htm|GET|
    200| |/cgi-bin/webcm|POST|nextpage=../html/indextop.htm

[b]webforms.ini[/b]

Fingerprinting information to allow webform authentication. The following data is required:

    ;Model=My ISP router //add router/webserver model description
    ;status=200 //HTTP status code returned when requesting GET / HTTP/1.0
    ;server=testrouter v0.1 //server banner returned in the "GET / HTTP/1.0" request. add HTTP/1.0 if no server header is returned
    ;matchstring=Welcome to testrouter v0.1. //text to match the router model
    ;ValidateImage=/Images/dell_logo.gif //additional signature for matching routers (optional)
    ;authurl=/bin/login.html //url where we will try authentication
    ;authmethod=POST //authentication method (GET or POST)
    ;authform=username=!!!RAWUSER!!!&password=!!!MD5PASS!!!&login=submit //form authentication scheme. The following tags are supported: !!!RAWUSER!!! !!!RAWPASS!!!, !!!B64USER!!! , !!!B64PASS!!!, !!!MD5USER!!! , !!!MD5PASS!!!, !!!RAWIPAD!!!
    ;requireloginandpass=1 // Boolean value. if only a login or a password is needed, set this value to 0
    ;validauthstring= //text to validate a successful authentication request. (can be null if invalidauthstring specified)
    ;invalidauthstring="Invalid Username or password" //text to validate an unsuccessful auth (can be null if validauthstring specified)
    ;invalidauthstringalt=<HTML><HEAD><TITLE>400 Bad Request</TITLE></HEAD> //Sometimes you need to add additional ignore string (optional)

authform allows the following tags to be added. These tags are replaced at runtime:

    !!!RAWUSER!!!, !!!RAWPASS!!!, !!!B64USER!!!, !!!B64PASS!!!, !!!MD5USER!!!, !!!MD5PASS!!!, !!!RAWIPAD!!!

The following strings will be replaced by the engine: '\r', '\n' and '\t'.

Example: authentication scheme against a Zyxel router

    Model=Zyxel/Prestige
    status=200
    server=RomPager/4.51 UPnP/1.0
    Matchstring=<form method="post" action="/Forms/rpAuth_1"
    authurl=/Forms/rpAuth_1
    authmethod=POST
    authform=LoginPassword=ZyXEL+ZyWALL+Series&hiddenPassword=!!!MD5PASS!!!&Prestige_Login=Login
    requireloginandpass=0
    validauthstring=/rpSys.html
    invalidauthstring=/rpAuth.html

[b]Source files:[/b]
--------------
* src\base64.cpp - Base64 Implementation
* src\BasicAuth.cpp - Basic auth detection & bruteforce implementation
* src\config.cpp - Load configuration files
* src\md5.cpp - MD5 implementation
* src\md5.h
* src\sockets.cpp - HTTP and HTTP connection handler
* src\sslscanner.cpp - Main file
* src\webforms.cpp - Webform bruteforce engine
* src\sslscanner.h
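Seen from the device side, the basic-auth brute force described above shows up in the access log as a burst of 401 responses for many different usernames from one client, sometimes followed by a 200. The detector below is an added example, not part of fscan or the original post; it assumes Apache combined log format with the attempted username recorded in the user field, and the log lines, addresses, thresholds and function names are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                    r'"[^"]*" (?P<status>\d{3}) ')

def _line(ip, user, sec, status):
    # Helper that builds one constructed combined-format log line.
    return (f'{ip} - {user} [12/Mar/2024:10:00:{sec:02d} +0000] '
            f'"GET / HTTP/1.0" {status} 381 "-" "-"')

# Constructed sample: one client cycling usernames, one ordinary user typo.
SAMPLE_LOG = (
    [_line("198.51.100.7", "-", 0, 401)]
    + [_line("198.51.100.7", u, i + 1, 401)
       for i, u in enumerate(["admin", "root", "1234", "cisco", "super"])]
    + [_line("198.51.100.7", "support", 7, 200),
       _line("203.0.113.20", "alice", 3, 401),
       _line("203.0.113.20", "alice", 9, 200)]
)

def detect_auth_bruteforce(lines, min_failures=5, min_users=3,
                           window=timedelta(seconds=60)):
    """Flag clients with many 401s for distinct usernames inside `window`."""
    by_ip = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            by_ip[m["ip"]].append((ts, int(m["status"]), m["user"]))
    findings = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e[0])
        fails = [(ts, user) for ts, status, user in events if status == 401]
        start = 0
        for end, (ts, _) in enumerate(fails):
            while ts - fails[start][0] > window:   # slide the window forward
                start += 1
            users = {u for _, u in fails[start:end + 1] if u != "-"}
            if end - start + 1 >= min_failures and len(users) >= min_users:
                # A later 200 with a username means a guess probably worked.
                hit = next((u for t, s, u in events
                            if t > ts and s == 200 and u != "-"), None)
                findings[ip] = {"failures": end - start + 1,
                                "users": sorted(users), "guessed_user": hit}
    return findings

if __name__ == "__main__":
    for ip, info in detect_auth_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

A finding with `guessed_user` set points at an account whose credential should be rotated; the single mistyped login from the second client stays below both thresholds and is not reported.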