diff --git a/cmd/report_creds.go b/cmd/report_creds.go
new file mode 100644
index 00000000..985c3dd0
--- /dev/null
+++ b/cmd/report_creds.go
@@ -0,0 +1,74 @@
+package cmd
+
+import (
+ "fmt"
+
+ "github.com/sensepost/gowitness/internal/ascii"
+ "github.com/sensepost/gowitness/pkg/creds"
+ "github.com/sensepost/gowitness/pkg/database"
+ "github.com/sensepost/gowitness/pkg/log"
+ "github.com/sensepost/gowitness/pkg/models"
+ "github.com/spf13/cobra"
+ "gorm.io/gorm/clause"
+)
+
+var credsCmdFlags = struct {
+ DbURI string
+ JsonFile string
+}{}
+var credsCmd = &cobra.Command{
+ Use: "creds",
+ Short: "List sites that may have default credentials",
+ Long: ascii.LogoHelp(ascii.Markdown(`
+# report creds
+
+List sites that may have default credentials.`)),
+ Example: ascii.Markdown(`
+- gowitness report creds
+`),
+ Run: func(cmd *cobra.Command, args []string) {
+ log.Warn("this command is a *work in progress*.")
+ log.Warn("this command is a *work in progress*.")
+
+ var results = []*models.Result{}
+
+ conn, err := database.Connection(credsCmdFlags.DbURI, true, false)
+ if err != nil {
+ log.Error("could not connect to database", "err", err)
+ return
+ }
+
+ if err := conn.Model(&models.Result{}).Preload(clause.Associations).
+ Find(&results).Error; err != nil {
+ log.Error("could not get list", "err", err)
+ return
+ }
+
+ matchCreds(results)
+ },
+}
+
+func init() {
+ reportCmd.AddCommand(credsCmd)
+
+ credsCmd.Flags().StringVar(&credsCmdFlags.DbURI, "db-uri", "sqlite://gowitness.sqlite3", "The location of a gowitness database")
+}
+
+func matchCreds(results []*models.Result) {
+ for _, result := range results {
+ log.Debug("processing result", "url", result.URL, "tile", result.Title)
+
+ credentials := creds.Find(result.HTML)
+ if len(credentials) == 0 {
+ continue
+ }
+
+ fmt.Printf("%s (%s)\n", result.URL, result.Title)
+
+ for _, c := range credentials {
+ for _, candidate := range c.Credentials {
+ fmt.Printf(" - %s = %s\n", c.Name, candidate)
+ }
+ }
+ }
+}
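Review bot: In `matchCreds`, `result.Title` is written to the terminal with `%s`; if the title comes from the scanned page (it appears to, since it sits beside `result.HTML`), a hostile site can place control or escape sequences into the operator's terminal or into a saved report. Quoting the value closes that: `fmt.Printf("%s (%q)\n", result.URL, result.Title)`. Smaller items in the same hunk: `log.Warn("this command is a *work in progress*.")` is called twice in `Run`, the debug key `"tile"` is presumably meant to be `"title"`, and `JsonFile` in `credsCmdFlags` is never bound to a flag or read. `Preload(clause.Associations)` also loads every association although `matchCreds` reads only `URL`, `Title` and `HTML`, so it could be dropped.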
diff --git a/pkg/creds/creds.go b/pkg/creds/creds.go
new file mode 100644
index 00000000..7bc29006
--- /dev/null
+++ b/pkg/creds/creds.go
@@ -0,0 +1,26 @@
+package creds
+
+import "strings"
+
+type Credential struct {
+ Name string `json:"name"`
+ Patterns []string `json:"patterns"`
+ Credentials []string `json:"credentials"`
+ References []string `json:"references"`
+}
+
+// Find potential credentials matching an HTML input
+func Find(html string) []*Credential {
+ var results = []*Credential{}
+
+ for _, cred := range Credentials {
+ for _, pat := range cred.Patterns {
+ if strings.Contains(strings.ToLower(html), strings.ToLower(pat)) {
+ results = append(results, cred)
+ break
+ }
+ }
+ }
+
+ return results
+}
diff --git a/pkg/creds/values.go b/pkg/creds/values.go
new file mode 100644
index 00000000..7d9730e7
--- /dev/null
+++ b/pkg/creds/values.go
@@ -0,0 +1,34 @@
+package creds
+
+// Credentials are known credential patterns
+var Credentials = []*Credential{
+ {
+ Name: "Integrated Dell Remote Access Controller (iDRAC)",
+ Patterns: []string{
+ "var thisIDRACText;",
+ "thisIDRACText = _jsonData['log_thisDRAC']",
+ },
+ Credentials: []string{
+ "root/calvin",
+ "root/",
+ },
+ References: []string{
+ "https://www.dell.com/support/kbdoc/en-us/000133536/dell-poweredge-what-is-the-default-username-and-password-for-idrac",
+ },
+ },
+ {
+ Name: "PRTG Network Monitor",
+ Patterns: []string{
+ "Welcome | PRTG Network Monitor",
+ "'appName':'PRTG Network Monitor ",
+ "alt=\"The PRTG Network Monitor logo\"",
+ },
+ Credentials: []string{
+ "prtgadmin/prtgadmin",
+ },
+ References: []string{
+ "https://www.paessler.com/manuals/prtg/login",
+ },
+ },
+}
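Review bot: In `Find` (pkg/creds/creds.go), `strings.ToLower(html)` is evaluated inside the inner loop, so the whole page is lowercased and reallocated once per pattern; that cost multiplies as the signature table grows and pages get large. Lowercase once before the loops with `lowered := strings.ToLower(html)` and test `strings.Contains(lowered, strings.ToLower(pat))`. `Find` also returns the pointers held in the package-level `Credentials` slice, so a caller that edits a result edits the shared table; the doc comment could say so, e.g. `// The returned entries are shared with the package table and must not be modified.` The exported `Credential` type has no doc comment.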
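Review bot: The strings under `Credentials:` in pkg/creds/values.go pack a username and password into one `user/password` value, and `"root/"` reads as root with an empty password, but nothing in the hunk states that convention or what happens when a password itself contains `/`. I would extend the comment on the table, e.g. `// Each Credentials entry is "username/password"; a trailing slash means an empty password.`, assuming that is the intended meaning. Since `Find` in creds.go matches patterns as case-insensitive substrings of the page HTML, a short comment saying so would help people adding signatures choose strings specific enough to avoid false positives.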