(feat) poc of default credential pattern matching

wip for #241
sensepost · Oct 12, 2024 · 7850a10 · 7850a10
1 parent 4ff862a
commit 7850a10
Show file tree

Hide file tree

Showing 3 changed files with 134 additions and 0 deletions.
diff --git a/cmd/report_creds.go b/cmd/report_creds.go
@@ -0,0 +1,74 @@
+package cmd
+
+import (
+	"fmt"
+
+	"github.com/sensepost/gowitness/internal/ascii"
+	"github.com/sensepost/gowitness/pkg/creds"
+	"github.com/sensepost/gowitness/pkg/database"
+	"github.com/sensepost/gowitness/pkg/log"
+	"github.com/sensepost/gowitness/pkg/models"
+	"github.com/spf13/cobra"
+	"gorm.io/gorm/clause"
+)
+
+var credsCmdFlags = struct {
+	DbURI    string
+	JsonFile string
+}{}
+var credsCmd = &cobra.Command{
+	Use:   "creds",
+	Short: "List sites that may have default credentials",
+	Long: ascii.LogoHelp(ascii.Markdown(`
+# report creds
+
+List sites that may have default credentials.`)),
+	Example: ascii.Markdown(`
+- gowitness report creds
+`),
+	Run: func(cmd *cobra.Command, args []string) {
+		log.Warn("this command is a *work in progress*.")
+		log.Warn("this command is a *work in progress*.")
+
+		var results = []*models.Result{}
+
+		conn, err := database.Connection(credsCmdFlags.DbURI, true, false)
+		if err != nil {
+			log.Error("could not connect to database", "err", err)
+			return
+		}
+
+		if err := conn.Model(&models.Result{}).Preload(clause.Associations).
+			Find(&results).Error; err != nil {
+			log.Error("could not get list", "err", err)
+			return
+		}
+
+		matchCreds(results)
+	},
+}
+
+func init() {
+	reportCmd.AddCommand(credsCmd)
+
+	credsCmd.Flags().StringVar(&credsCmdFlags.DbURI, "db-uri", "sqlite://gowitness.sqlite3", "The location of a gowitness database")
+}
+
+func matchCreds(results []*models.Result) {
+	for _, result := range results {
+		log.Debug("processing result", "url", result.URL, "tile", result.Title)
+
+		credentials := creds.Find(result.HTML)
+		if len(credentials) == 0 {
+			continue
+		}
+
+		fmt.Printf("%s (%s)\n", result.URL, result.Title)
+
+		for _, c := range credentials {
+			for _, candidate := range c.Credentials {
+				fmt.Printf(" - %s = %s\n", c.Name, candidate)
+			}
+		}
+	}
+}
diff --git a/pkg/creds/creds.go b/pkg/creds/creds.go
@@ -0,0 +1,26 @@
+package creds
+
+import "strings"
+
+type Credential struct {
+	Name        string   `json:"name"`
+	Patterns    []string `json:"patterns"`
+	Credentials []string `json:"credentials"`
+	References  []string `json:"references"`
+}
+
+// Find potential credentials matching an HTML input
+func Find(html string) []*Credential {
+	var results = []*Credential{}
+
+	for _, cred := range Credentials {
+		for _, pat := range cred.Patterns {
+			if strings.Contains(strings.ToLower(html), strings.ToLower(pat)) {
+				results = append(results, cred)
+				break
+			}
+		}
+	}
+
+	return results
+}
diff --git a/pkg/creds/values.go b/pkg/creds/values.go
@@ -0,0 +1,34 @@
+package creds
+
+// Credentials are known credential patterns
+var Credentials = []*Credential{
+	{
+		Name: "Integrated Dell Remote Access Controller (iDRAC)",
+		Patterns: []string{
+			"var thisIDRACText;",
+			"thisIDRACText = _jsonData['log_thisDRAC']",
+		},
+		Credentials: []string{
+			"root/calvin",
+			"root/<random password>",
+		},
+		References: []string{
+			"https://www.dell.com/support/kbdoc/en-us/000133536/dell-poweredge-what-is-the-default-username-and-password-for-idrac",
+		},
+	},
+	{
+		Name: "PRTG Network Monitor",
+		Patterns: []string{
+			"<link id=\"prtgfavicon\" ",
+			"<title>Welcome | PRTG Network Monitor",
+			"'appName':'PRTG Network Monitor ",
+			"alt=\"The PRTG Network Monitor logo\"",
+		},
+		Credentials: []string{
+			"prtgadmin/prtgadmin",
+		},
+		References: []string{
+			"https://www.paessler.com/manuals/prtg/login",
+		},
+	},
+}