Scrawl: a website screenshotter and the security of SIP device web interfaces

    It all started when some subscribers who connect to our corporate PBX over SIP without a VPN ignored basic security principles and left the web interface of their router or IP gateway reachable on an external IP address with the default login and password. This gives a potential attacker the opportunity to pull the settings, impersonate our subscriber and place a large number of calls to long-distance destinations.

    First I simply pulled the subscribers' IP addresses with curl (it turned out that some devices respond to a plain HTTP POST request), and then I wanted to scan with a bit more flair and get something nicer to look at. The result was Scrawl, a website screenshotter (project site, repository).

    I wanted to try PhantomJS, riding the trendy wave of headless browsers; CasperJS provides a more convenient interface on top of it, and since I then wanted to use it together with Node.JS, I ended up using SpookyJS.



    I installed it and launched it (detailed installation instructions are in the project repository) and got a web interface for uploading a list of IP addresses or domains to be crawled in sequence and screenshotted. You can now export a list of addresses to be checked from your equipment or systems and load it into Scrawl. Scrawl walks through the addresses one after another and, whenever an address responds, renders the response in the browser and takes a screenshot of it.

    As a result, of the three and a half hundred scanned IP addresses, web interfaces were found on two dozen, and three of those devices turned out to have default login credentials.



    What is not implemented yet. Multithreaded processing of the URL list did not work out on the fly, so for now the addresses are processed one at a time. For example, checking 200 IP addresses crawled along for an hour and a half. Automatic checking of the default password for each device type could also be implemented, but that requires writing per-device scripts: some devices use HTTP authorization, others use forms, and the forms have either a login and a password or just a password, with form field names that differ everywhere (I saw something like this in John Resig's repository). For now it is easier to type the admin / admin and admin / 1234 pairs by hand into the discovered web interfaces, and if they do not fit, to leave it at that.

    I hope someone will find this useful in their daily work and find a use for the Scrawl screenshotter.
