1## 2# This file is part of WhatWeb and may be subject to 3# redistribution and commercial restrictions. Please see the WhatWeb 4# web site for more information on licensing and terms of use. 5# http://www.morningstarsecurity.com/research/whatweb 6## 7# Version 0.6 # 2016-04-23 # Andrew Horton 8# Moved patterns from passive function to matches[] 9## 10# Version 0.5 Andrew Horton - added version detection for Prestige models 11## 12# Version 0.4 # 2011-06-04 13# Updated regex 14# Added www-authenticate HTTP header matches 15# Added ZyXEL-RomPager and RomPager HTTP server header matches 16## 17# Version 0.3 18# Added signatures by Andrew Horton 19## 20# Version 0.2 # 2011-01-09 # 21# Updated model detection 22## 23Plugin.define "ZyXEL-Router" do 24author "Brendan Coles <bcoles@gmail.com>" # 2010-11-01 25version "0.6" 26description "This plugin indentifies ZyXEL routers" 27website "http://us.zyxel.com/" 28 29# Tested on models: P-660H-D1, P-660HW-D1, P-660R-D1, P-662H-D1, P-662HW-D3, P-2602H-D1A, P-2602HW-D1A, P-2802HWL-I1, P660RU2, P660HT2, Prestige 660H61 30# ZyXEL VSG-1200 V2 is access server that recognizes new users on network and re-routes all the different IP settings pre-configured on users' computers." 31website "http://www.zyxel.com/" 32 33# P-330W EE # Default Login # admin/password 34 35# ShodanHQ results as at 2011-06-04 # 36# 38,316 for WWW-Authenticate: Basic realm Prestige 37# 38,311 for WWW-Authenticate: Basic realm Prestige RomPager 38# 8,583 for ZyXEL-RomPager 39# 422 for WWW-Authenticate: Basic realm="P-330W EE (username: admin)" 40 41# Google results as at 2011-01-09 # 42# 33 for intitle:Top "Vantage Service Gateway" -inurl:zyxel 43# 90 for "Welcome to the Web-Based Configurator" "Welcome to your router Configuration Interface" 44 45# Dorks # 46dorks [ 47'intitle:Top "Vantage Service Gateway" -inurl:zyxel', 48'"Welcome to the Web-Based Configurator" "Welcome to your router Configuration Interface"' 49] 50 51 52 53# Matches # 54matches [ 55 56# Default title 57{ :text=>"<title>.:: Welcome to the Web-Based Configurator::.</title><meta http-equiv='content-type' content='text/html;charset=iso-8859-1'>" }, 58 59# Default form HTML 60{ :text=>'<form method="post" action="/Forms/rpAuth_1" onSubmit="LoginClick(document.forms[0].hiddenPassword, document.forms[0].LoginPassword);"><p> </p>' }, 61 62# Default welcome message HTML 63{ :text=>'Welcome to your router Configuration Interface<p></p>Enter your password and press enter or click "Login"<p></p><img src="Images/i_key.gif" width="11" height="17" align="absmiddle"> <strong>' }, 64 65# Model Detection # Login page HTML 66{ :model=>/<td align=center><p class="style1">[\r\n\s]*([^<^\s]+)[\s]*<br \/><br \/><\/p><\/td><\/tr><tr>/ }, 67 68# Vantage Service Gateway # Default HTML 69{ :text=>'<font size="3" color="3366CC" face="Arial"><b><i>Vantage Service Gateway</i> </b></font>', :model=>"VSG" }, 70 71# Vantage Service Gateway # Default Frameset 72{ :text=>'<frameset rows="75,97%,25" framespacing="0" border="0" frameborder="0">', :model=>"VSG" }, 73 74# JavaScript 75{:text=>'loginPassword.value = "ZyXEL ZyWALL Series";' }, 76 77# Vantage Service Gateway # Version Detection # /top.htm 78{ :url=>"/top.htm", :model=>/<td align="right"><font size="3" color="3366CC" face="Arial"><b><i>(VSG-[\d\ V]+)<\/i> <\/b><\/font><\/td><\/tr>/ }, 79 80# Prestige 81{:version=>/<td height="40" colspan="4" class="Auth">Prestige ([^<]+)</}, 82{:model=>/<td height="40" colspan="4" class="Auth">(Prestige)</}, 83 84# HTTP Server Header # ZyXEL-RomPager 85{ :name=>"HTTP Server Header", :regexp=>/^ZyXEL-RomPager/, :search=>"headers[server]" }, 86 87# HTTP Server Header # ZyXEL-RomPager # Version Detection 88{ :name=>"HTTP Server Header", :version=>/^ZyXEL-RomPager\/([^\s]+)$/, :search=>"headers[server]" }, 89 90# HTTP Server Header # RomPager 91{ :name=>"HTTP Server Header", :regexp=>/^RomPager/, :search=>"headers[server]" }, 92 93 94 95] 96 97# Passive # 98def passive 99 m=[] 100 101 # HTTP Server Header # ZyXEL-RomPager 102 if @headers["server"] =~ /^ZyXEL-RomPager/ 103 104 # Model Detection # WWW-Authenticate # Prestige 105 m << { :model=>@headers["www-authenticate"].scan(/^Basic realm="(Prestige [^"]+)( Web)?"/)[0][0] } if @headers["www-authenticate"] =~ /^Basic realm="(Prestige [^"]+)( Web)?"/ 106 107 # Model Detection # WWW-Authenticate 108 m << { :model=>@headers["www-authenticate"].scan(/^Basic realm="([^"^\s]+)"$/) } if @headers["www-authenticate"] =~ /^Basic realm="([^"^\s]+)"$/ 109 110 end 111 112 # HTTP Server Header # RomPager 113 if @headers["server"] =~ /^RomPager/ 114 115 # Model Detection # WWW-Authenticate # Prestige 116 m << { :model=>@headers["www-authenticate"].scan(/^Basic realm="(Prestige [^"]+)( Web)?"/)[0][0] } if @headers["www-authenticate"] =~ /^Basic realm="(Prestige [^"]+)( Web)?"/ 117 118 end 119 120 # P-330W EE # HTTP Server Header and WWW-Authenticate realm 121 if @headers["www-authenticate"] =~ /Basic realm="P-330W EE \(username: admin\)"/ and @headers["server"] =~ /GoAhead-Webs/ and @status.to_s =~ /^401$/ 122 m << { :model=>"P-330W EE" } 123 end 124 125 # Return passive matches 126 m 127end 128 129end 130 131# An aggressive plugin could determine the module using default logo md5 hashes. 132# md5 hashes are required for these images: 133# { :model=>'Prestige 660H61', :url=>'/dslroutery/imgshop/full/NETZ1431.jpg' }, 134 135