指令類型:portrule
下載:https://svn.nmap.org/nmap/scripts/puppet-naivesigning.nse
Nmap Script指令摘要
檢測 Puppet 伺服器是否啟用了簡單簽名機制。這可能使攻擊者能夠創建任意證書簽名請求並獲得簽名,從而冒充 Puppet 代理。這樣一來,攻擊者可能會取得代理的配置以及配置文件中包含的其他敏感信息。
此腳本利用 Puppet HTTP API 接口來簽署請求。
此腳本已在 Puppet 3.8.5 和 4.10 版本上進行測試。
參考資料:
Nmap Script指令參數
puppet-naivesigning.env提供給端點的環境 -> 默認值:"production"
puppet-naivesigning.csr包含證書簽名請求的文件,用以替換默認文件 -> 默認值:nil
puppet-naivesigning.nodeCSR中的節點名稱 -> 默認值:"agentzero.localdomain"
slaxml.debug查看slaxml庫的文檔。
http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent查看http庫的文檔。
smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername查看smbauth庫的文檔。
Nmap Script指令範例
nmap -p 8140 --script puppet-naivesigning <target>nmap -p 8140 --script puppet-naivesigning --script-args puppet-naivesigning.csr=other.csr,puppet-naivesigning.node=agency <target>Nmap Script指令輸出
PORT STATE SERVICE REASON
8140/tcp open puppet syn-ack ttl 64
| puppet-naivesigning:
| Puppet Naive autosigning enabled! Naive autosigning causes the Puppet CA to autosign ALL CSRs.
| Attackers will be able to obtain a configuration catalog, which might contain sensitive information.
| -----BEGIN CERTIFICATE-----
| MIIFfjCCA2agAwIBAgIBEjANBgkqhkiG9w0BAQsFADAoMSYwJAYDVQQDDB1QdXBw
|_ ZXQgQ0E6IHVidW50dS5sb2NhbGRvbWFpbjAeFw0xNzA2MjkxNjQzMjZaFw0yMjANmap Script作者:
Wong Wai Tuck
License: Same as Nmap--See https://nmap.org/book/man-legal.html
