http-default-accounts-fingerprints-nndefaccts.lua

--[[
This file is part of NNdefaccts, an alternate fingerprint dataset for
Nmap script http-default-accounts.

NNdefaccts is Copyright (c) 2012-2025 by nnposter
(nnposter /at/ users.sourceforge.net, <https://github.com/nnposter>)

NNdefaccts is free software: you can redistribute it and/or modify it
under the terms of the GNU General Public License as published by the Free
Software Foundation, either version 3 of the License, or (at your option)
any later version.

NNdefaccts is distributed in the hope that it will be useful, but WITHOUT
ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
for more details.

You should have received a copy of the GNU General Public License along
with this program.  If not, see <https://www.gnu.org/licenses/>.

Note that NNdefaccts is licensed separately from Nmap.  By obtaining
a custom license for Nmap you are not automatically entitled to modify or
distribute the NNdefaccts dataset to the same extent as Nmap itself and,
conversely, licensing NNdefaccts does not cover Nmap.  For details, see
<https://github.com/nnposter/nndefaccts/blob/master/COPYING>.

You can obtain the latest version of the dataset from its public repository
at <https://github.com/nnposter/nndefaccts/>.

To report bugs and other problems, contribute patches, request a feature,
provide generic feedback, etc., please see instructions posted at
<https://github.com/nnposter/nndefaccts/blob/master/README.md>.
]]

-- luacheck: std lua53, new globals fingerprints
-- luacheck: ignore 212/host 212/port 212/path 212/user 212/pass
-- luacheck: no max line length

local base64 = require "base64"
local http = require "http"
local json = require "json"
local math = require "math"
local os = require "os"
local shortport = require "shortport"
local stdnse = require "stdnse"
local table = require "table"
local url = require "url"
local have_openssl, openssl = pcall(require, "openssl")
local have_rand, rand = pcall(require, "rand")
local have_stringaux, stringaux = pcall(require, "stringaux")
local have_tableaux, tableaux = pcall(require, "tableaux")

---
-- http-default-accounts-fingerprints-nndefaccts.lua
-- This file contains fingerprint data for http-default-accounts.nse
--
-- STRUCTURE:
-- * <code>name</code> - Descriptive name
-- * <code>cpe</code> - Official CPE Dictionary entry (optional)
-- * <code>category</code> - Category
-- * <code>login_combos</code> - Table of default credential pairs
---- * <code>username</code>
---- * <code>password</code>
-- * <code>paths</code> - Table of likely locations (paths) of the target
-- * <code>target_check</code> - Validation function of the target
--                               (optional but highly recommended)
-- * <code>login_check</code> - Login function of the target
---

---
-- Backwards compatibility provisions for library rand
---
if not have_rand then
  rand = {}
end
if not rand.random_string then
  rand.random_string = stdnse.generate_random_string
end

---
-- Generates a random alphanumeric string.
--
-- @param len Length of the output string.
-- @return A random string consisting of letters and digits
---
local function random_alnum (len)
  return rand.random_string(len, "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz")
end

---
-- Generates a random hexadecimal string.
--
-- @param len Length of the output string.
-- @return A random string consisting of hexadecimal digits
---
local function random_hex (len)
  return rand.random_string(len, "0123456789abcdef")
end

---
-- Backwards compatibility provisions for library stringaux
---
if not have_stringaux then
  stringaux = {}
end
if not stringaux.ipattern then
  stringaux.ipattern = stdnse.generate_case_insensitive_pattern
end

---
-- Backwards compatibility provisions for library tableaux
---
if not have_tableaux then
  tableaux = {}
end
if not tableaux.tcopy then
  tableaux.tcopy =
    function (tbl)
      local clone = {}
      for k,v in pairs(tbl) do
        clone[k] = type(v) == "table" and tableaux.tcopy(v) or v
      end
      return clone
    end
end
if not tableaux.contains then
  tableaux.contains = stdnse.contains
end

---
-- Requests given path using http.get() but disabling cache and redirects.
-- @param host The host to connect to
-- @param port The port to connect to
-- @param path The path to retrieve
-- @param options [optional] A table of HTTP request options
-- @return A response table (see library http.lua for description)
---
local function http_get_simple (host, port, path, options)
  local opts = tableaux.tcopy(options or {})
  opts.bypass_cache = true
  opts.no_cache = true
  opts.redirect_ok = false
  return http.get(host, port, path, opts)
end

---
-- Requests given path using http.post() but disabling cache and redirects.
-- (The current implementation of http.post() does not use either; this is
-- a defensive wrapper to guard against future problems.)
-- @param host The host to connect to
-- @param port The port to connect to
-- @param path The path to retrieve
-- @param options [optional] A table of HTTP request options
-- @param postdata A string or a table of data to be posted
-- @return A response table (see library http.lua for description)
---
local function http_post_simple (host, port, path, options, postdata)
  local opts = tableaux.tcopy(options or {})
  opts.no_cache = true
  opts.redirect_ok = false
  return http.post(host, port, path, opts, nil, postdata)
end

---
-- Requests given path using http_post_simple() with the body formatted as
-- Content-Type multipart/form-data.
-- @param host The host to connect to
-- @param port The port to connect to
-- @param path The path to retrieve
-- @param options [optional] A table of HTTP request options
-- @param postdata A table of data to be posted
-- @return A response table (see library http.lua for description)
---
local function http_post_multipart (host, port, path, options, postdata)
  local boundary = ("-"):rep(20)
                   .. math.random(1000000, 9999999)
                   .. math.random(1000000, 9999999)
  local opts = tableaux.tcopy(options or {})
  opts.header = opts.header or {}
  opts.header["Content-Type"] = "multipart/form-data; boundary=" .. boundary
  if type(postdata) ~= "table" then
    return {status = nil,
           ["status-line"] = "POST data must be a table",
           header = {},
           rawheader = {}}
  end
  boundary = "--" .. boundary
  local body = {}
  for k, v in pairs(postdata) do
    table.insert(body, boundary)
    table.insert(body, ('Content-Disposition: form-data; name="%s"'):format(k))
    table.insert(body, "")
    table.insert(body, v)
  end
  table.insert(body, boundary .. "--")
  table.insert(body, "")
  return http_post_simple (host, port, path, opts, table.concat(body, "\r\n"))
end

---
-- Requests given path using native HTTP authentication.
-- @param host Host table
-- @param port Port table
-- @param path Path to request
-- @param user HTTP authentication username
-- @param pass HTTP authentication password
-- @param digest true: digest auth, false: basic auth, "any": try to detect
-- @return True if login in was successful
---
local function try_http_auth (host, port, path, user, pass, digest)
  if digest == "any" then
    local resp = http_get_simple(host, port, path)
    local auth = (resp.header["www-authenticate"] or ""):lower():match("^%w+")
    if not auth then return end
    digest = auth == "digest"
  end
  local creds = {username = user, password = pass, digest = digest}
  local resp = http_get_simple(host, port, path, {auth=creds})
  local status = resp.status
  return status and not (status >= 400 and status <= 405 or status >= 500)
end

---
-- Returns authentication realm advertised in an HTTP response
-- @param response HTTP response object, such as a result from http.get()
-- @return realm found in response header WWW-Authenticate
--               (or nil if not present)
---
local function http_auth_realm (response)
  local auth = response.header["www-authenticate"] or ""
  -- NB: "OEM Netcam" devices lack the closing double quote
  return auth:match('%srealm%s*=%s*"([^"]*)')
end

---
-- Tests whether an HTTP response sets a named cookie with a given value
-- @param response a standard HTTP response object
-- @param name a case-insensitive cookie name that must be set
-- @param pattern to validate the cookie value
-- @return cookie value if such a cookie is found
---
local function get_cookie (response, name, pattern)
  name = name:lower()
  for _, ck in ipairs(response.cookies or {}) do
    if ck.name:lower() == name and (not pattern or ck.value:find(pattern)) then
      return ck.value
    end
  end
  return false
end

---
-- Parses an HTML tag and returns parsed attributes
-- @param html a string representing HTML tag. It is expected that the first
--             and last characters are angle brackets.
-- @return table of attributes with their names converted to lowercase
---
local function parse_tag (html)
  local attrs = {}
  local _, pos = html:find("^<%f[%w][%w-]+[^%w-]")
  while true do
    local attr, equal
    _, pos, attr, equal = html:find("%f[%w]([%w-]+)%s*(=?)%s*", pos)
    if not pos then break end
    local oldpos = pos + 1
    if equal == "=" then
      local c = html:sub(oldpos, oldpos)
      if c == "\"" or c == "'" then
        oldpos = oldpos + 1
        pos = html:find(c, oldpos, true)
      else
        pos = html:find("[%s>]", oldpos)
      end
      if not pos then break end
    else
      pos = oldpos
    end
    attrs[attr:lower()] = html:sub(oldpos, pos - 1)
  end
  return attrs
end

---
-- Searches given HTML string for an element tag that meets given attribute
-- critera and returns its position and all its attributes
-- @param html a string representing HTML text
-- @param elem an element to search for (for example "img" or "div")
-- @param criteria a table of attribute names and corresponding patterns,
--                 for example {id="^secret$"}.
--                 The patterns are treated as case-insensitive. (optional)
-- @param init a string position from which to start searching (optional)
-- @return position of the opening angle bracket of the found tag or nil
-- @return position of the closing angle bracket of the found tag or nil
-- @return table of tag attributes with their names converted to lowercase
---
local function find_tag (html, elem, criteria, init)
  local icrit = {}
  for cnam, cptn in pairs(criteria or {}) do
    icrit[cnam:lower()] = stringaux.ipattern(cptn)
  end
  local tptn = stringaux.ipattern("<" .. elem:gsub("%-", "%%-") .. "%f[%s/>].->")
  local start
  local stop = init
  while true do
    start, stop = html:find(tptn, stop)
    if not start then break end
    local attrs = parse_tag(html:sub(start, stop))
    local found = true
    for cnam, cptn in pairs(icrit) do
      local cval = attrs[cnam]
      if not (cval and cval:find(cptn)) then
        found = false
        break
      end
    end
    if found then return start, stop, attrs end
  end
  return
end

---
-- Searches given HTML string for an element tag that meets given attribute
-- critera and returns all its attributes
-- @param html a string representing HTML text
-- @param elem an element to search for (for example "img" or "div")
-- @param criteria a table of attribute names and corresponding patterns,
--                 for example {id="^secret$"}.
--                 The patterns are treated as case-insensitive. (optional)
-- @param init a string position from which to start searching (optional)
-- @return table of tag attributes with their names converted to lowercase
---
local function get_tag (html, elem, criteria, init)
  local _, _, attrs = find_tag(html, elem, criteria, init)
  return attrs
end

---
-- Builds an iterator function that searches given HTML string for element tags
-- that meet given attribute critera
-- @param html a string representing HTML text
-- @param elem an element to search for (for example "img" or "div")
-- @param criteria a table of attribute names and corresponding patterns,
--                 for example {type="^hidden$"}.
--                 The patterns are treated as case-insensitive. (optional)
-- @param init a string position from which to start searching (optional)
-- @return iterator
---
local function get_tags (html, elem, criteria, init)
  init = (init or 1) - 1
  return function ()
           local _, attrs
           _, init, attrs = find_tag(html, elem, criteria, (init or #html) + 1)
           return attrs
         end
end

---
-- Searches given HTML string for an element tag that meets given attribute
-- critera and returns inner HTML of the corresponding element
-- (Nested elements of the same type are not supported.)
-- @param html a string representing HTML text
-- @param elem an element to search for (for example "div" or "title")
-- @param criteria a table of attribute names and corresponding patterns,
--                 for example {id="^secret$"}.
--                 The patterns are treated as case-insensitive. (optional)
-- @param init a string position from which to start searching (optional)
-- @return inner HTML
---
local function get_tag_html (html, elem, criteria, init)
  local _, start = find_tag(html, elem, criteria, init)
  if not start then return end
  if html:sub(start - 1, start - 1) == "/" then
    return ""
  end
  start = start + 1
  local stop = html:find(stringaux.ipattern("</" .. elem:gsub("%-", "%%-") .. "[%s>]"), start)
  return stop and html:sub(start, stop - 1) or nil
end

---
-- Searches given HTML string for a meta refresh tag and returns the target URL
-- @param html a string representing HTML text
-- @param criteria a pattern to validate the extracted target URL
--                 for example "/cgi%-bin/login$".
--                 The pattern is treated as case-insensitive. (optional)
-- @return the target URL or nil (if the HTML does not contain a refresh tag
-- or the target URL does not match the criteria)
---
local function get_refresh_url (html, criteria)
  local refresh = get_tag(html, "meta", {["http-equiv"]="^refresh$", content="^%d;%s*url="})
  if not refresh then return end
  local target = refresh.content:match("=['\"]?([^'\"]*)")
  return target:find(stringaux.ipattern(criteria or "")) and target or nil
end

---
-- Extracts form input fields from a given HTML string
-- @param html a string representing HTML text
-- @param criteria a table of form attribute names and corresponding patterns,
--                 for example {action="/login$"} to identify the appropriate
--                 form. The patterns are treated as case-insensitive. If no
--                 criteria are provided then the entire HTML string is treated
--                 as the form inner HTML. (optional)
-- @return a table of form input fields, together with their values, if any
--         A fields without values are assigned empty strings, just as if they
--         were submitted
---
local function get_form_fields (html, criteria)
  if html and criteria then
    html = get_tag_html(html, "form", criteria)
  end
  if not html then return end
  local form = stdnse.output_table()
  for input in get_tags(html, "input", {name=""}) do
    local type = (input.type or "text"):lower()
    if type == "hidden" or type == "text" or type == "password" then
      form[input.name] = input.value or ""
    end
  end
  return form
end

---
-- Generates default scheme, host, and port components for a parsed URL.
--
-- This filter function generates the scheme, host, and port components from
-- the standard <code>host</code> and <code>port</code> script objects. These
-- components can then be passed onto function <code>url.build</code>.
--
-- As an example, the following code generates a URL for path "/test/"
-- on the current host and port:
-- <code>
-- local testurl = url.build(url_build_defaults(host, port, {path = "/test/"}))
-- </code>
-- or, alternatively, when not used as a filter:
-- <code>
-- local parsed = url_build_defaults(host, port)
-- parsed.path = "/test/"
-- local testurl = url.build(parsed)
-- </code>
--
-- @param host The host the URL is intended for.
-- @param port The port the URL is intended for.
-- @param parsed Parsed URL, as typically returned by <code>url.parse</code>,
--               or nil. The table can be be missing the scheme, host, and port
--               components. (optional)
-- @return A clone of the parsed URL, with any missing scheme, host, and port
--         components added.
-- @see url.parse
-- @see url.build
---
local function url_build_defaults (host, port, parsed)
  local parts = tableaux.tcopy(parsed or {})
  parts.host = parts.host or stdnse.get_hostname(host, port)
  parts.scheme = parts.scheme or shortport.ssl(host, port) and "https" or "http"
  if not parts.port and port.number ~= url.get_default_port(parts.scheme) then
    parts.port = port.number
  end
  return parts
end

---
-- Encodes a string to make it safe for embedding into XML/HTML.
--
-- @param s The string to be encoded.
-- @return A string with unsafe characters encoded
---
local function xmlencode (s)
  return (s:gsub("['\"`<>/\\=&]", function (c) return ("&#x%x;"):format(c:byte()) end))
end

---
-- Decodes an XML-encoded string.
--
-- @param s The string to be decoded.
-- @return A string with XML character references decoded
---
local function xmldecode (s)
  local refmap = {amp = 0x26, quot = 0x22, apos = 0x27, lt = 0x3C, gt = 0x3E}
  return (s:gsub("&(#?%w+);",
                function (e)
                  local cp
                  if e:find("^#x%x+$") then
                    cp = tonumber(e:sub(3), 16)
                  elseif e:find("^#%d+$") then
                    cp = tonumber(e:sub(2))
                  else
                    cp = refmap[e]
                  end
                  return cp and cp <= 0xFF and string.char(cp)
                end))
end

---
-- Performs URL encoding of all characters in a string.
--
-- @param s The string to be encoded.
-- @return A URL-encoded string
---
local function urlencode_all (s)
  return (s:gsub(".", function (c) return ("%%%02X"):format(c:byte()) end))
end

---
-- Decodes a base64-encoded string safely, catching any decoding errors.
--
-- @param s The string to be decoded.
-- @return A decoded string or nil if the input is invalid
---
local function b64decode (s)
  local status, out = pcall(base64.dec, s)
  return status and out or nil
end


fingerprints = {}

---
--WEB
---
table.insert(fingerprints, {
  name = "Ansible AWX",
  cpe = "cpe:/a:ansible:tower",
  category = "web",
  paths = {
    {path = "/api/"}
  },
  target_check = function (host, port, path, response)
    if not (response.status == 200
           and get_cookie(response, "csrftoken", "^%w+$")
           and response.body
           and response.body:find("AWX REST API", 1, true)) then
      return false
    end
    local jstatus, jout = json.parse(response.body)
    return jstatus and jout.description == "AWX REST API"
  end,
  login_combos = {
    {username = "admin", password = "password"}
  },
  login_check = function (host, port, path, user, pass)
    local resp1 = http_get_simple(host, port, path)
    if resp1.status ~= 200 then return false end
    local token = get_cookie(resp1, "csrftoken")
    if not token then return false end
    local form = {username=user,
                  password=pass,
                  next=path}
    local header = {["X-CSRFToken"]=token}
    local resp2 = http_post_simple(host, port, url.absolute(path, "login/"),
                                  {cookies=resp1.cookies, header=header}, form)
    return resp2.status == 302
           and resp2.header["location"] == path
           and get_cookie(resp2, "userLoggedIn") == "true"
  end
})

table.insert(fingerprints, {
  name = "Cacti",
  cpe = "cpe:/a:cacti:cacti",
  category = "web",
  paths = {
    {path = "/"},
    {path = "/cacti/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and (get_cookie(response, "Cacti") or get_cookie(response, "CactiEZ"))
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    local form = {action="login",
                  login_username=user,
                  login_password=pass}
    local resp = http_post_simple(host, port, url.absolute(path, "index.php"),
                                 nil, form)
    return resp.status == 302
           and (resp.header["location"] or ""):find("/", 1, true)
  end
})

table.insert(fingerprints, {
  name = "Zabbix",
  cpe = "cpe:/a:zabbix:zabbix",
  category = "web",
  paths = {
    {path = "/zabbix/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200 and get_cookie(response, "zbx_sessionid")
  end,
  login_combos = {
    {username = "admin", password = "zabbix"}
  },
  login_check = function (host, port, path, user, pass)
    local form = {request="",
                  name=user,
                  password=pass,
                  enter="Sign in"}
    local resp = http_post_simple(host, port, url.absolute(path, "index.php"),
                                 nil, form)
    return resp.status == 302 and resp.header["location"] == "dashboard.php"
  end
})

table.insert(fingerprints, {
  name = "Xplico",
  category = "web",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 302 and get_cookie(response, "Xplico")
  end,
  login_combos = {
    {username = "admin", password = "xplico"},
    {username = "xplico", password = "xplico"}
  },
  login_check = function (host, port, path, user, pass)
    local lurl = url.absolute(path, "users/login")
    local resp1 = http_get_simple(host, port, lurl)
    if resp1.status ~= 200 then return false end
    local form = get_form_fields(resp1.body, {action="/users/login$"})
    if not form then return false end
    form["data[User][username]"] = user
    form["data[User][password]"] = pass
    local resp2 = http_post_simple(host, port, lurl,
                                  {cookies=resp1.cookies}, form)
    local loc = resp2.header["location"] or ""
    return resp2.status == 302
           and (loc:find("/admins$") or loc:find("/pols/index$"))
  end
})

table.insert(fingerprints, {
  name = "ExtraHop Web UI",
  category = "web",
  paths = {
    {path = "/extrahop/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("csrfmiddlewaretoken", 1, true)
           and response.body:lower():find("<title>extrahop login", 1, true)
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    local resp1 = http_get_simple(host, port, path)
    if not (resp1.status == 200 and resp1.body) then return false end
    local token = get_tag(resp1.body, "input", {type="^hidden$", name="^csrfmiddlewaretoken$", value=""})
    if not token then return false end
    local form = {[token.name]=token.value,
                  next=path,
                  username=user,
                  password=pass}
    local header = {["Referer"]=url.build(url_build_defaults(host, port, {path=path}))}
    local resp2 = http_post_simple(host, port, path,
                                  {cookies=resp1.cookies, header=header}, form)
    return resp2.status == 302
           and (resp2.header["location"] or ""):sub(-#path) == path
  end
})

table.insert(fingerprints, {
  name = "Nagios",
  cpe = "cpe:/a:nagios:nagios",
  category = "web",
  paths = {
    {path = "/"},
    {path = "/nagios/"}
  },
  target_check = function (host, port, path, response)
    return http_auth_realm(response) == "Nagios Access"
  end,
  login_combos = {
    {username = "nagiosadmin", password = "nagios"},
    {username = "nagiosadmin", password = "nagiosadmin"},
    {username = "nagiosadmin", password = "PASSW0RD"},
    {username = "nagiosadmin", password = "CactiEZ"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "ManageEngine OpManager 10/11",
  cpe = "cpe:/a:zohocorp:manageengine_opmanager",
  category = "web",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    if not (response.status == 200
           and response.body
           and response.body:find("%Wwindow%.location%.href%s*=%s*(['\"])[^'\"]-/LoginPage%.do%1")) then
      return false
    end
    local resp = http_get_simple(host, port, url.absolute(path, "LoginPage.do"))
    return resp.status == 200
           and resp.body
           and resp.body:find("ManageEngine", 1, true)
           and resp.body:lower():find("<title>%s*manageengine opmanager%s*</title>")
           and get_tag(resp.body, "form", {action="/jsp/login%.do$"})
  end,
  login_combos = {
    {username = "IntegrationUser", password = "plugin"},
    {username = "admin",           password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    local resp1 = http_get_simple(host, port, url.absolute(path, "LoginPage.do"))
    if resp1.status ~= 200 then return false end
    local form2 = {clienttype="html",
                   isCookieADAuth="",
                   domainName="NULL",
                   authType="localUserLogin",
                   webstart="",
                   ScreenWidth=1024,
                   ScreenHeight=768,
                   loginFromCookieData="",
                   userName=user,
                   password=pass,
                   uname=""}
    local resp2 = http_post_simple(host, port,
                                  url.absolute(path, "jsp/Login.do"),
                                  {cookies=resp1.cookies}, form2)
    return (resp2.status == 200 or resp2.status == 302)
           and get_cookie(resp2, "OPUTILSTICKET", "^%x+$")
  end
})

table.insert(fingerprints, {
  name = "ManageEngine OpManager 12",
  cpe = "cpe:/a:zohocorp:manageengine_opmanager",
  category = "web",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("ManageEngine", 1, true)
           and response.body:lower():find("<title>%s*manageengine opmanager%s*</title>")
           and get_tag(response.body, "form", {action="^j_security_check%f[;\0]"})
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    local resp1 = http_get_simple(host, port, path)
    if resp1.status ~= 200 then return false end
    local form2 = {AUTHRULE_NAME="Authenticator",
                   clienttype="html",
                   ScreenWidth=1024,
                   ScreenHeight=768,
                   loginFromCookieData="false",
                   ntlmv2="false",
                   j_username=user,
                   j_password=pass,
                   domainNameAD="Authenticator",
                   uname=""}
    local resp2 = http_post_simple(host, port,
                                  url.absolute(path, "j_security_check"),
                                  {cookies=resp1.cookies}, form2)
    return resp2.status == 303
           and (resp2.header["location"] or ""):sub(-#path) == path
  end
})

table.insert(fingerprints, {
  name = "ntopng",
  cpe = "cpe:/a:ntop:ntopng",
  category = "web",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    local loc = response.header["location"] or ""
    if not (response.status == 302
           and loc:find("/lua/login.lua?referer=", 1, true)
           and get_cookie(response, "session") == "") then
      return false
    end
    local resp = http_get_simple(host, port, loc)
    return resp.status == 200
           and resp.body
           and resp.body:find("ntopng", 1, true)
           and resp.body:lower():find("<title>welcome to ntopng</title>", 1, true)
           and get_tag(resp.body, "form", {action="/authorize%.html$"})
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    local form = {user=user,
                  password=pass,
                  referer=host.name .. path}
    local resp = http_post_simple(host, port,
                                  url.absolute(path, "authorize.html"),
                                  nil, form)
    return resp.status == 302
           and resp.header["location"] == path
           and get_cookie(resp, "user") == user
  end
})

table.insert(fingerprints, {
  name = "OpenNMS",
  cpe = "cpe:/a:opennms:opennms",
  category = "web",
  paths = {
    {path = "/login.jsp"},
    {path = "/opennms/login.jsp"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("OpenNMS", 1, true)
           and response.body:lower():find("<title>%s*opennms web console%s*</title>")
           and get_tag(response.body, "input", {name="^j_username$"})
  end,
  login_combos = {
    {username = "admin", password = "admin"},
    {username = "rtc",   password = "rtc"}
  },
  login_check = function (host, port, path, user, pass)
    local form = {j_username=user,
                  j_password=pass,
                  j_usergroups="",
                  Login=""}
    local resp = http_post_simple(host, port,
                                 url.absolute(path, "j_spring_security_check"),
                                 nil, form)
    return resp.status == 302
           and (resp.header["location"] or ""):find("/index%.jsp%f[?\0]")
  end
})

table.insert(fingerprints, {
  name = "SevOne NMS",
  category = "web",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and get_cookie(response, "SEVONE")
           and response.body
           and response.body:lower():find("<title>sevone nms - network manager", 1, true)
  end,
  login_combos = {
    {username = "Admin",       password = "SevOne"},
    {username = "SevOneStats", password = "n3v3rd13"}
  },
  login_check = function (host, port, path, user, pass)
    local resp1 = http_get_simple(host, port, path)
    if not (resp1.status == 200 and resp1.body) then return false end
    local token = resp1.body:match("GlobalData%.Utilities%.Xsrf%.setToken%(%s*['\"](%x+)")
    if not token then return false end
    local form = {login=user,
                  passwd=pass,
                  browser="mozilla",
                  version=52,
                  tzString=os.date("!%a %b %d %Y %H:%M:%S GMT+0000"),
                  check_tz=0}
    local refpath = url.absolute(path, "doms/login/index.php")
    local header = {["Referer"]=url.build(url_build_defaults(host, port, {path=refpath})),
                    ["X-CSRFToken"]=token}
    local resp2 = http_post_simple(host, port,
                                  url.absolute(refpath, "processLogin.php"),
                                  {cookies=resp1.cookies, header=header}, form)
    if not (resp2.status == 200 and resp2.body) then return false end
    local jstatus, jout = json.parse(resp2.body)
    return jstatus and (jout.status == 0 or jout.status == -3)
  end
})

table.insert(fingerprints, {
  name = "Device42 Appliance Manager",
  category = "web",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 302 and get_cookie(response, "d42amid")
  end,
  login_combos = {
    {username = "d42admin", password = "default"}
  },
  login_check = function (host, port, path, user, pass)
    local lurl = url.absolute(path, "accounts/login/")
    local resp1 = http_get_simple(host, port, lurl .. "?next=" .. path)
    if not (resp1.status == 200 and resp1.body) then return false end
    local form = {csrfmiddlewaretoken=get_cookie(resp1, "d42amid_csrftoken"),
                  username=user,
                  password=pass,
                  next=path}
    local header = {["Referer"]=url.build(url_build_defaults(host, port, {path=lurl}))}
    local resp2 = http_post_simple(host, port, lurl,
                                  {cookies=resp1.cookies, header=header}, form)
    return resp2.status == 302
           and (resp2.header["location"] or ""):sub(-#path) == path
  end
})

table.insert(fingerprints, {
  name = "Grafana",
  category = "web",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 302 and get_cookie(response, "grafana_sess")
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    local header = {["Accept"]="application/json, text/plain, */*",
                    ["Content-Type"]="application/json;charset=utf-8"}
    local jin = {user=user, email="", password=pass}
    json.make_object(jin)
    local resp = http_post_simple(host, port, url.absolute(path, "login"),
                                 {header=header}, json.generate(jin))
    return resp.status == 200 and get_cookie(resp, "grafana_user") == user
  end
})

table.insert(fingerprints, {
  name = "Apache Ambari",
  cpe = "cpe:/a:apache:ambari",
  category = "web",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find(">Ambari<", 1, true)
           and response.body:lower():find("<title>ambari</title>", 1, true)
           and get_tag(response.body, "script", {src="^javascripts/app%.js$"})
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, url.absolute(path, "api/v1/users/admin"),
                        user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "Cloudera Manager",
  cpe = "cpe:/a:cloudera:cloudera_manager",
  category = "web",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and get_cookie(response, "CLOUDERA_MANAGER_SESSIONID")
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    local form = {j_username=user,
                  j_password=pass,
                  returnUrl="",
                  submit=""}
    local resp = http_post_simple(host, port,
                                 url.absolute(path, "j_spring_security_check"),
                                 nil, form)
    return resp.status == 302
           and (resp.header["location"] or ""):find("/cmf/postLogin%f[?\0]")
  end
})

table.insert(fingerprints, {
  name = "OpenDaylight",
  cpe = "cpe:/a:opendaylight:opendaylight",
  category = "web",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and get_cookie(response, "JSESSIONID", "^%x+$")
           and response.body
           and response.body:find("OpenDaylight", 1, true)
           and response.body:lower():find("<title>opendaylight ", 1, true)
           and get_tag(response.body, "form", {action="^j_security_check%f[;\0]"})
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    local resp1 = http_get_simple(host, port, path)
    if resp1.status ~= 200 then return false end
    local resp2 = http_post_simple(host, port,
                                  url.absolute(path, "j_security_check"),
                                  {cookies=resp1.cookies},
                                  {j_username=user, j_password=pass})
    return resp2.status == 302
           and (resp2.header["location"] or ""):find(path, -#path, true)
  end
})

table.insert(fingerprints, {
  name = "OrientDB Studio",
  cpe = "cpe:/a:orientdb:orientdb",
  category = "web",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("OrientDB", 1, true)
           and get_tag(response.body, "meta", {content="^OrientDB Studio$"})
           and get_refresh_url(response.body, "/studio/index%.html$")
  end,
  login_combos = {
    {username = "reader", password = "reader"},
    {username = "writer", password = "writer"},
    {username = "admin",  password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    local resp1 = http_get_simple(host, port, url.absolute(path, "listDatabases"))
    if not (resp1.status == 200 and resp1.body) then return false end
    local jstatus, jout = json.parse(resp1.body)
    if not (jstatus and type(jout.databases) == "table") then return false end
    for _, db in ipairs(jout.databases) do
      if try_http_auth(host, port,
                      url.absolute(path, "connect/" .. url.escape(db)),
                      user, pass, false) then
        return true
      end
    end
    return false
  end
})

table.insert(fingerprints, {
  name = "RockMongo",
  cpe = "cpe:/a:rockmongo:rockmongo",
  category = "web",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    local loc = response.header["location"] or ""
    if not (response.status == 302
           and loc:find("/index.php?action=login.index", 1, true)) then
      return false
    end
    local resp = http_get_simple(host, port, loc)
    return resp.status == 200
           and resp.body
           and resp.body:find("RockMongo", 1, true)
           and resp.body:lower():find("<title>rockmongo</title>")
           and get_tag(resp.body, "select", {name="^host$"})
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    local form = {more=0,
                  host=0,
                  username=user,
                  password=pass,
                  db="",
                  lang="en_us",
                  expire=3}
    local resp = http_post_simple(host, port,
                                  url.absolute(path, "index.php?action=login.index&host=0"),
                                  nil, form)
    return resp.status == 302
           and (resp.header["location"] or ""):find("?action=admin.index", 1, true)
           and get_cookie(resp, "ROCK_LANG", "^[%a_]+$")
  end
})

table.insert(fingerprints, {
  name = "Sambar Server",
  cpe = "cpe:/a:sambar:sambar_server",
  category = "web",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and (response.header["server"] or ""):find("^SAMBAR%f[%s\0]")
  end,
  login_combos = {
    {username = "admin",     password = ""},
    {username = "anonymous", password = ""},
    {username = "billy-bob", password = ""}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, url.absolute(path, "session/login"),
                        user, pass, true)
  end
})

table.insert(fingerprints, {
  name = "WebLogic Server Console",
  cpe = "cpe:/a:bea:weblogic_server",
  category = "web",
  paths = {
    {path = "/console/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 302
           and (response.header["location"] or ""):find("/console/login/LoginForm%.jsp%f[;\0]")
  end,
  login_combos = {
    {username = "weblogic", password = "weblogic"},
    {username = "weblogic", password = "weblogic1"},
    {username = "weblogic", password = "welcome1"},
    {username = "weblogic", password = "password"},
    {username = "system",   password = "Passw0rd"},
    {username = "system",   password = "password"},
    {username = "operator", password = "Passw0rd"},
    {username = "operator", password = "password"},
    {username = "monitor",  password = "Passw0rd"},
    {username = "monitor",  password = "password"},
    {username = "oraclesystemuser", password = "Passw0rd"},
    {username = "oraclesystemuser", password = "password"}
  },
  login_check = function (host, port, path, user, pass)
    local form = {j_username=user,
                  j_password=pass,
                  j_character_encoding="UTF-8"}
    local header = {["Referer"]=url.build(url_build_defaults(host, port, {path=path}))}
    local resp = http_post_simple(host, port,
                                 url.absolute(path, "j_security_check"),
                                 {header=header}, form)
    if not (resp.status >= 200 and resp.status <= 399) then return false end
    if resp.status == 302
       and (resp.header["location"] or ""):find("/console/login/LoginForm%.jsp$") then
      return false
    end
    return true
  end
})

table.insert(fingerprints, {
  name = "WebSphere Community Edition Console",
  cpe = "cpe:/a:ibm:websphere_application_server",
  category = "web",
  paths = {
    {path = "/console/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 302
           and (response.header["location"] or ""):find("/portal%f[/].-/Welcome%f[?\0]")
  end,
  login_combos = {
    {username = "system", password = "manager"}
  },
  login_check = function (host, port, path, user, pass)
    local resp1 = http_get_simple(host, port, path)
    local resource = resp1.header["location"]
    if not (resp1.status == 302 and resource) then return false end
    local respath = resource:match("%f[/]/%f[^/].*"):gsub("/%.%f[/]", "")
    local resp2 = http_get_simple(host, port, respath)
    if resp2.status ~= 200 then return false end
    local form3 = {j_username=user,
                   j_password=pass,
                   submit="Login"}
    local resp3 = http_post_simple(host, port,
                                  url.absolute(respath, "j_security_check"),
                                  {cookies=resp2.cookies}, form3)
    return resp3.status == 302
       and (resp3.header["location"] or ""):find(respath, 1, true)
  end
})

table.insert(fingerprints, {
  name = "JBoss EAP Admin Console",
  cpe = "cpe:/a:redhat:jboss_enterprise_application_platform",
  category = "web",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("/admin-console/", 1, true)
           and get_tag(response.body, "a", {href="/admin%-console/$"})
           and response.body:lower():find("<title>welcome to jboss", 1, true)
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    local curl = url.absolute(path, "admin-console/")
    local resp1 = http_get_simple(host, port,
                                 url.absolute(curl, "secure/summary.seam"))
    local lurl = resp1.header["location"]
    if not (resp1.status == 302 and lurl) then return false end
    local lpath = lurl:match("%f[/]/%f[^/].*")
    local resp2 = http_get_simple(host, port, lpath)
    if resp2.status ~= 200 then return false end
    local form3 = {login_form="login_form",
                   ["login_form:name"]=user,
                   ["login_form:password"]=pass,
                   ["login_form:submit"]="Login",
                   ["javax.faces.ViewState"]="j_id1"}
    local resp3 = http_post_simple(host, port, lpath:gsub("[;?].*$", ""),
                                  {cookies=resp1.cookies}, form3)
    return resp3.status == 302
       and (resp3.header["location"] or ""):find("/admin-console/secure/summary.seam?conversationId=", 1, true)
  end
})

table.insert(fingerprints, {
  name = "JBoss JMX Console",
  cpe = "cpe:/a:redhat:jboss_enterprise_application_platform",
  category = "web",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("/jmx-console/", 1, true)
           and get_tag(response.body, "a", {href="/jmx%-console/$"})
           and response.body:lower():find("<title>welcome to jboss", 1, true)
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, url.absolute(path, "jmx-console/"),
                        user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "JBoss Web Console",
  cpe = "cpe:/a:redhat:jboss_enterprise_web_platform",
  category = "web",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("/web-console/", 1, true)
           and get_tag(response.body, "a", {href="/web%-console/$"})
           and response.body:lower():find("<title>welcome to jboss", 1, true)
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, url.absolute(path, "web-console/"),
                        user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "Apache Tomcat Manager",
  cpe = "cpe:/a:apache:tomcat",
  category = "web",
  paths = {
    {path = "/manager/html/"},
    {path = "/manager/status/"},
    {path = "/tomcat/manager/html/"},
    {path = "/tomcat/manager/status/"},
    {path = "/cognos_express/manager/html/"}
  },
  target_check = function (host, port, path, response)
    return http_auth_realm(response) == "Tomcat Manager Application"
  end,
  login_combos = {
    {username = "tomcat", password = "tomcat"},
    {username = "admin", password = "admin"},
    {username = "admin", password = ""},
    {username = "admin", password = "tomcat"},
    {username = "ADMIN", password = "ADMIN"},
    {username = "ovwebusr", password = "OvW*busr1"},
    {username = "j2deployer", password = "j2deployer"},
    {username = "cxsdk", password = "kdsxc"},
    {username = "xampp", password = "xampp"},
    {username = "QCC", password = "QLogic66"},
    {username = "fhir", password = "FHIRDefaultPassword"},
    {username = "username", password = "password"},
    {username = "username1", password = "password"},
    {username = "pippo", password = "paperino"},
    {username = "topolino", password = "minnie"},
    {username = "root", password = "vagrant"},
    {username = "tomcat", password = "s3cret"},
    {username = "root", password = "owaspbwa"},
    {username = "admin", password = "owaspbwa"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "Apache Tomcat Host Manager",
  cpe = "cpe:/a:apache:tomcat",
  category = "web",
  paths = {
    {path = "/host-manager/html/"},
    {path = "/host-manager/text/"},
    {path = "/tomcat/host-manager/html/"},
    {path = "/tomcat/host-manager/text/"}
  },
  target_check = function (host, port, path, response)
    return http_auth_realm(response) == "Tomcat Host Manager Application"
  end,
  login_combos = {
    {username = "tomcat", password = "tomcat"},
    {username = "admin", password = "admin"},
    {username = "admin", password = ""},
    {username = "ADMIN", password = "ADMIN"},
    {username = "xampp", password = "xampp"},
    {username = "QCC", password = "QLogic66"},
    {username = "fhir", password = "FHIRDefaultPassword"},
    {username = "username", password = "password"},
    {username = "pippo", password = "paperino"},
    {username = "root", password = "vagrant"},
    {username = "tomcat", password = "s3cret"},
    {username = "root", password = "owaspbwa"},
    {username = "admin", password = "owaspbwa"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "Apache ActiveMQ",
  cpe = "cpe:/a:apache:activemq",
  category = "web",
  paths = {
    {path = "/admin/"}
  },
  target_check = function (host, port, path, response)
    return http_auth_realm(response) == "ActiveMQRealm"
  end,
  login_combos = {
    {username = "user",  password = "user"},
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "Pivotal RabbitMQ",
  cpe = "cpe:/a:pivotal_software:rabbitmq",
  category = "web",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("RabbitMQ", 1, true)
           and response.body:lower():find("<title>rabbitmq management</title>", 1, true)
           and get_tag(response.body, "div", {id="^outer$"})
  end,
  login_combos = {
    {username = "guest", password = "guest"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, url.absolute(path, "api/whoami"),
                        user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "OSGi Management Console",
  category = "web",
  paths = {
    {path = "/system/console"},
    {path = "/lc/system/console"}
  },
  target_check = function (host, port, path, response)
    return http_auth_realm(response) == "OSGi Management Console"
  end,
  login_combos = {
    {username = "admin", password = "admin"},
    {username = "karaf", password = "karaf"},
    {username = "smx",   password = "smx"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "Apache Axis2",
  cpe = "cpe:/a:apache:axis2",
  category = "web",
  paths = {
    {path = "/axis2/axis2-admin/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("Axis2", 1, true)
           and response.body:lower():find("<title>login to axis2 :: administration page</title>", 1, true)
  end,
  login_combos = {
    {username = "admin", password = "axis2"}
  },
  login_check = function (host, port, path, user, pass)
    local resp = http_post_simple(host, port, url.absolute(path, "login"), nil,
                                 {userName=user,password=pass,submit=" Login "})
    return resp.status == 200
           and get_tag(resp.body or "", "a", {href="^axis2%-admin/logout$"})
  end
})

table.insert(fingerprints, {
  name = "webMethods Integration Server",
  cpe = "cpe:/a:softwareag:webmethods",
  category = "web",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and get_cookie(response, "ssnid", "^%x+$")
           and response.body
           and get_tag(response.body, "div", {id="^integration%-admin%-ui%-container$"})
  end,
  login_combos = {
    {username = "Administrator", password = "manage"},
    {username = "Developer",     password = "isdev"},
    {username = "Replicator",    password = "iscopy"}
  },
  login_check = function (host, port, path, user, pass)
    local header = {["Accept"]="application/json, text/plain, */*",
                    ["Content-Type"]="application/json;charset=utf-8"}
    local jin = {username=user, password=pass}
    json.make_object(jin)
    local resp = http_post_simple(host, port,
                                 url.absolute(path, "invoke/wm.server/login"),
                                 {header=header}, json.generate(jin))
    if not (resp.status == 200 and get_cookie(resp, "ssnid", "^%x+$")) then
      return false
    end
    local jstatus, jout = json.parse(resp.body)
    return jstatus and jout.username == user
  end
})

table.insert(fingerprints, {
  name = "My webMethods Server",
  cpe = "cpe:/a:softwareag:webmethods",
  category = "web",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("webMethods", 1, true)
           and get_tag(response.body, "input", {id="^jsfwmp.*:passwordInput$"})
  end,
  login_combos = {
    {username = "Administrator", password = "manage"},
    {username = "SysAdmin",      password = "manage"}
  },
  login_check = function (host, port, path, user, pass)
    local resp = http_post_simple(host, port, path, nil,
                                 {username=user, password=pass})
    return resp.status == 302
           and (resp.header["location"] or ""):sub(-#path) == path
  end
})

table.insert(fingerprints, {
  name = "Apache Ofbiz",
  cpe = "cpe:/a:apache:ofbiz",
  category = "web",
  paths = {
    {path = "/webtools/"}
  },
  target_check = function (host, port, path, response)
    local loc = response.header["location"] or ""
    if not (response.status == 302
           and loc:find(url.absolute(path, "control/main"), 1, true)) then
      return false
    end
    local resp = http_get_simple(host, port, loc)
    return resp.status == 200
           and resp.body
           and resp.body:find(url.absolute(loc, "checkLogin"), 1, true)
           and resp.body:lower():find("powered by%s+<a%f[%s][^>]-%shref%s*=%s*['\"]https?://ofbiz%.apache%.org%W")
  end,
  login_combos = {
    {username = "admin", password = "ofbiz"}
  },
  login_check = function (host, port, path, user, pass)
    local form = {USERNAME=user,
                  PASSWORD=pass,
                  JavaScriptEnabled="Y"}
    local resp = http_post_simple(host, port,
                                 url.absolute(path, "control/login"),
                                 nil, form)
    return resp.status == 200
           and get_cookie(resp, path:match("/([^/]+)/$") .. ".autoUserLoginId") == user
  end
})

table.insert(fingerprints, {
  name = "Pentaho Admin Console",
  category = "web",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    local realm = http_auth_realm(response)
    return (realm == "Pentaho" or realm == "Pentaho Enterprise Console")
           and (response.header["server"] or ""):find("^Jetty%f[%W]")
  end,
  login_combos = {
    {username = "admin", password = "password"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "Pentaho User Console",
  category = "web",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("Pentaho", 1, true)
           and response.body:lower():find("<title>%s*pentaho business analytics%s*</title>")
           and get_refresh_url(response.body, "/pentaho/?$")
  end,
  login_combos = {
    {username = "admin", password = "password"},
    {username = "joe",   password = "password"},
    {username = "suzy",  password = "password"}
  },
  login_check = function (host, port, path, user, pass)
    local form = {j_username=user,
                  j_password=pass,
                  locale="en_US"}
    local resp = http_post_simple(host, port,
                                 url.absolute(path, "pentaho/j_spring_security_check"),
                                 nil, form)
    local loc = resp.header["location"] or ""
    return resp.status == 302
           and (loc:find("/pentaho/Home%f[;?\0]")
             or loc:find("/pentaho/index%.jsp%f[?\0]"))
  end
})

table.insert(fingerprints, {
  name = "ComfortableMexicanSofa",
  category = "web",
  paths = {
    {path = "/admin/"}
  },
  target_check = function (host, port, path, response)
    if not (response.status == 302 and response.body) then return false end
    local loc = response.header["location"] or ""
    local _, pos = loc:find(url.absolute(path, "sites/"), 1, true)
    if not pos then return false end
    loc = loc:sub(pos)
    if not (loc == "/new" or loc:find("^/%d+/")) then return false end
    for _, ck in ipairs(response.cookies or {}) do
      if ck.name:find("_session$") then return ck.value:find("%-%-%x+$") end
    end
    return false
  end,
  login_combos = {
    {username = "username", password = "password"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, url.absolute(path, "sites/new"),
                        user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "Hippo CMS",
  category = "web",
  paths = {
    {path = "/"},
    {path = "/cms/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("hippo-login", 1, true)
           and get_tag(response.body, "input", {name="^id2_hf_0$"})
  end,
  login_combos = {
    {username = "admin",  password = "admin"},
    {username = "editor", password = "editor"},
    {username = "author", password = "author"}
  },
  login_check = function (host, port, path, user, pass)
    local lurl;
    local resp1 = http_get_simple(host, port, path)
    if not (resp1.status == 200 and resp1.body) then return false end
    local submit = get_tag(resp1.body, "input", {name="^:submit$", onclick=""})
    if submit then
      local qry = submit.onclick:match("=%s*wicketSubmitFormById%(['\"]id%d+['\"],%s*['\"](.-)['\"]")
      if not qry then return false end
      lurl = xmldecode(qry) .. "&random=" .. math.random()
    else
      local frm = get_tag(resp1.body, "form", {name="^signInForm$", action=""})
      if not frm then return false end
      lurl = frm.action
    end
    local form = {id2_hf_0="",
                  username=user,
                  password=pass,
                  locale="en",
                  [":submit"]="log in"}
    local resp2 = http_post_simple(host, port, url.absolute(path, lurl),
                                  {cookies=resp1.cookies}, form)
    return resp2.status == 302
           and (resp2.header["location"] or ""):sub(-#path) == path
  end
})

table.insert(fingerprints, {
  name = "Nuxeo Platform",
  category = "web",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    if not (response.status == 200
              and response.body
              and response.body:find("/nuxeo", 1, true)
              and get_refresh_url(response.body, "/nuxeo/?$")
            or response.status == 302
              and (response.header["location"] or ""):find("/nuxeo/$")) then
      return false
    end
    local resp = http_get_simple(host, port, url.absolute(path, "nuxeo/"))
    return resp.status == 302
           and (resp.header["location"] or ""):find("/nuxeo/nxstartup%.faces$")
  end,
  login_combos = {
    {username = "Administrator", password = "Administrator"}
  },
  login_check = function (host, port, path, user, pass)
    local form = {user_name=user,
                  user_password=pass,
                  requestedUrl="",
                  forceAnonymousLogin="",
                  form_submitted_marker="",
                  Submit="Log in"}
    local resp = http_post_simple(host, port,
                                 url.absolute(path, "nuxeo/nxstartup.faces"),
                                 nil, form)
    return resp.status == 302
           and (resp.header["location"] or ""):find("/nuxeo/nxpath/default[/@]")
  end
})

table.insert(fingerprints, {
  name = "Opencast Matterhorn",
  category = "web",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    local loc = response.header["location"] or ""
    if not (response.status == 302
           and loc:find("/login%.html%f[;\0]")
           and get_cookie(response, "JSESSIONID", "^%w+$")) then
      return false
    end
    local resp = http_get_simple(host, port, loc)
    return resp.status == 200
           and resp.body
           and resp.body:find("Matterhorn", 1, true)
           and resp.body:lower():find("<title>opencast matterhorn ", 1, true)
           and get_tag(resp.body, "form", {action="/j_spring_security_check$"})
  end,
  login_combos = {
    {username = "admin", password = "opencast"}
  },
  login_check = function (host, port, path, user, pass)
    local form = {j_username=user,
                  j_password=pass,
                  submit="Login"}
    local resp = http_post_simple(host, port,
                                  url.absolute(path, "j_spring_security_check"),
                                  nil, form)
    return resp.status == 302
           and (resp.header["location"] or ""):find("/welcome%.html$")
           and get_cookie(resp, "JSESSIONID", "^%w+$")
  end
})

table.insert(fingerprints, {
  name = "Opencast",
  category = "web",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 302
           and (response.header["location"] or ""):find("/admin%-ng/login%.html%f[;\0]")
           and get_cookie(response, "JSESSIONID", "^%w+$")
  end,
  login_combos = {
    {username = "admin", password = "opencast"}
  },
  login_check = function (host, port, path, user, pass)
    local resp = http_post_simple(host, port,
                                 url.absolute(path, "admin-ng/j_spring_security_check"),
                                 nil, {j_username=user, j_password=pass})
    return resp.status == 302
           and (resp.header["location"] or ""):find("/admin%-ng/index%.html$")
           and get_cookie(resp, "JSESSIONID", "^%w+$")
  end
})

table.insert(fingerprints, {
  name = "Plumtree Portal",
  category = "web",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 302
           and (response.header["location"] or ""):find("/portal/server%.pt$")
  end,
  login_combos = {
    {username = "Administrator", password = ""}
  },
  login_check = function (host, port, path, user, pass)
    local form = {in_hi_space="Login",
                  in_hi_spaceID="0",
                  in_hi_control="Login",
                  in_hi_dologin="true",
                  in_tx_username=user,
                  in_pw_userpass=pass,
                  in_se_authsource=""}
    local resp = http_post_simple(host, port,
                                 url.absolute(path, "portal/server.pt"),
                                 nil, form)
    return resp.status == 302
           and (resp.header["location"] or ""):find("/portal/server%.pt[;?]")
           and get_cookie(resp, "plloginoccured") == "true"
  end
})

table.insert(fingerprints, {
  name = "GLPI",
  cpe = "cpe:/a:glpi-project:glpi",
  category = "web",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("GLPI", 1, true)
           and response.body:lower():find("<title>glpi ", 1, true)
           and get_tag(response.body, "input", {name="^login_name$"})
  end,
  login_combos = {
    {username = "glpi",      password = "glpi"},
    {username = "tech",      password = "tech"},
    {username = "post-only", password = "postonly"},
    {username = "normal",    password = "normal"}
  },
  login_check = function (host, port, path, user, pass)
    local resp1 = http_get_simple(host, port, path)
    if not (resp1.status == 200 and resp1.body) then return false end
    local token = get_tag(resp1.body, "input", {type="^hidden$", name="^_glpi_csrf_token$", value=""})
    if not token then return false end
    local form2 = {login_name=user,
                   login_password=pass,
                   submit="Post",
                   [token.name]=token.value}
    local header = {["Referer"]=url.build(url_build_defaults(host, port, {path=path}))}
    local resp2 = http_post_simple(host, port, url.absolute(path, "login.php"),
                                  {cookies=resp1.cookies, header=header}, form2)
    return resp2.status == 200
           and (resp2.body or ""):find("%Wwindow%.location%s*=%s*(['\"])[^'\"]-/front/[%w.]+%.php%1")
  end
})

table.insert(fingerprints, {
  name = "OTRS",
  cpe = "cpe:/a:otrs:otrs",
  category = "web",
  paths = {
    {path = "/otrs/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("OTRS", 1, true)
           and response.body:find(url.absolute(path, "index.pl"), 1, true)
           and get_tag(response.body, "input", {name="^requestedurl$"})
  end,
  login_combos = {
    {username = "root@localhost", password = "root"},
    {username = "root@localhost", password = "changeme"}
  },
  login_check = function (host, port, path, user, pass)
    local form = {Action="Login",
                  RequestedURL="",
                  Lang="en",
                  TimeOffset=0,
                  User=user,
                  Password=pass}
    local resp = http_post_simple(host, port, url.absolute(path, "index.pl"),
                                 nil, form)
    return resp.status == 302
           and get_cookie(resp, "OTRSAgentInterface", "^%w+$")
  end
})

table.insert(fingerprints, {
  name = "Ilias (var.1)",
  cpe = "cpe:/a:ilias:ilias",
  category = "web",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 302
           and get_cookie(response, "ilClientId")
           and (response.header["location"] or ""):find("%f[^/\0]login%.php%?.*%f[^?&]client_id=")
  end,
  login_combos = {
    {username = "root", password = "homer"}
  },
  login_check = function (host, port, path, user, pass)
    local resp0 = http_get_simple(host, port, path)
    local furl = (resp0.header["location"] or ""):gsub("^https?://[^/]*", "")
    if not (resp0.status == 302 and furl:find("%f[^/\0]login%.php%?")) then
      return false
    end
    furl = url.absolute(path, furl)
    local resp1 = http_get_simple(host, port, furl, {cookies=resp0.cookies})
    if not (resp1.status == 200 and resp1.body) then return false end
    local frm = get_tag(resp1.body, "form", {name="^formlogin$", action="[?&;]client_id="})
    if not frm then return false end
    local form = {username=user,
                  password=pass,
                  ["cmd[doStandardAuthentication]"]="Anmelden"}
    local resp2 = http_post_simple(host, port,
                                  url.absolute(furl, xmldecode(frm.action)),
                                  {cookies=resp0.cookies}, form)
    return resp2.status == 302
           and (resp2.header["location"] or ""):find("/ilias%.php?%?")
  end
})

table.insert(fingerprints, {
  name = "Ilias (var.2)",
  cpe = "cpe:/a:ilias:ilias",
  category = "web",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 302
           and get_cookie(response, "ilClientId")
           and (response.header["location"] or ""):find("%f[^/\0]ilias%.php%f[?\0]")
  end,
  login_combos = {
    {username = "root", password = "homer"}
  },
  login_check = function (host, port, path, user, pass)
    local resp0 = http_get_simple(host, port, path)
    if resp0.status ~= 302 then return false end
    local form1 = {target="",
                   client_id=get_cookie(resp0, "ilClientId"),
                   cmd="force_login",
                   lang="en"}
    local furl = url.absolute(path, "login.php?" .. url.build_query(form1))
    local resp1 = http_get_simple(host, port, furl, {cookies=resp0.cookies})
    if not (resp1.status == 200 and resp1.body) then return false end
    local frm = get_tag(resp1.body, "form", {name="^formlogin$", action="[?&;]client_id="})
    if not frm then return false end
    local form = {username=user,
                  password=pass,
                  ["cmd[doStandardAuthentication]"]="Anmelden"}
    local resp2 = http_post_simple(host, port,
                                  url.absolute(furl, xmldecode(frm.action)),
                                  {cookies=resp0.cookies}, form)
    return resp2.status == 302
           and (resp2.header["location"] or ""):find("/ilias%.php?%?")
  end
})

table.insert(fingerprints, {
  name = "Jitamin",
  category = "web",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 302
           and (response.header["location"] or ""):find("%?controller=Auth/AuthController&action=login$")
           and get_cookie(response, "JM_SID")
  end,
  login_combos = {
    {username = "admin",           password = "admin"},
    {username = "admin@admin.com", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    local lurl = path .. "?controller=Auth/AuthController&action="
    local resp1 = http_get_simple(host, port, lurl .. "login")
    if not (resp1.status == 200 and resp1.body) then return false end
    local token = get_tag(resp1.body, "input", {type="^hidden$", name="^csrf_token$", value=""})
    if not token then return false end
    local form = {[token.name]=token.value,
                  username=user,
                  password=pass}
    local resp2 = http_post_simple(host, port, lurl .. "check",
                                  {cookies=resp1.cookies}, form)
    return resp2.status == 302
           and (resp2.header["location"] or ""):find("%?controller=Dashboard/DashboardController&action=index$")
  end
})

table.insert(fingerprints, {
  name = "Kanboard",
  cpe = "cpe:/a:kanboard:kanboard",
  category = "web",
  paths = {
    {path = "/"},
    {path = "/kanboard/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 302
           and (response.header["location"] or ""):find("%?controller=AuthController&action=login$")
           and get_cookie(response, "KB_SID")
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    local lurl = path .. "?controller=AuthController&action="
    local resp1 = http_get_simple(host, port, lurl .. "login")
    if not (resp1.status == 200 and resp1.body) then return false end
    local token = get_tag(resp1.body, "input", {type="^hidden$", name="^csrf_token$", value=""})
    if not token then return false end
    local form = {[token.name]=token.value,
                  username=user,
                  password=pass}
    local resp2 = http_post_simple(host, port, lurl .. "check",
                                  {cookies=resp1.cookies}, form)
    return resp2.status == 302
           and (resp2.header["location"] or ""):find("%?controller=DashboardController&action=show$")
  end
})

table.insert(fingerprints, {
  name = "RainLoop Webmail",
  category = "web",
  paths = {
    {path = "/"},
    {path = "/rainloop/"},
    {path = "/webmail/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("rainloop/v/", 1, true)
           and get_tag(response.body, "link", {href="^rainloop/v/%d[%d.]+%d/static/css/app%.min%.css%f[?\0]"})
  end,
  login_combos = {
    {username = "admin", password = "12345"}
  },
  login_check = function (host, port, path, user, pass)
    local resp1 = http_get_simple(host, port, path .. "?/AdminAppData")
    if not (resp1.status == 200 and resp1.body) then return false end
    local jstr = resp1.body:match('{[^{]*"Auth"%s*:.*"PluginsLink"%s*:[^}]*}')
    local jstatus, jout = json.parse(jstr or "{}")
    local token = jstatus and (jout.Token or jout.System and jout.System.token)
    if not token then return false end
    local form2 = {Login=user,
                   Password=pass,
                   Action="AdminLogin",
                   XToken=token}
    local resp2 = http_post_simple(host, port, path .. "?/Ajax/&q[]=/0/",
                                  {cookies = resp1.cookies}, form2)
    if not (resp2.status == 200 and resp2.body) then return false end
    jstatus, jout = json.parse(resp2.body)
    return jstatus and jout.Action == "AdminLogin" and jout.Result
  end
})

table.insert(fingerprints, {
  name = "TeamPass",
  cpe = "cpe:/a:teampass:teampass",
  category = "web",
  paths = {
    {path = "/"},
    {path = "/teampass/"},
    {path = "/TeamPass/"}
  },
  target_check = function (host, port, path, response)
    return have_openssl
           and tableaux.contains(openssl.supported_ciphers(), "aes-256-ecb")
           and tableaux.contains(openssl.supported_ciphers(), "aes-256-ctr")
           and response.status == 200
           and response.body
           and response.body:find("TeamPass", 1, true)
           and response.body:find("(['\"])sources/main%.queries%.php%1")
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    local resp1 = http_get_simple(host, port, path)
    if not (resp1.status == 200 and resp1.body) then return false end
    local lurl = resp1.body:match("['\"]([^'\"]+)['\"]%s*,%s*{%s*type%s*:%s*['\"]identify_user['\"]")
    local aespwd = resp1.body:match("%Wreturn%s+Aes%.Ctr%.encrypt%s*%(%s*%w+%s*,%s*['\"](.-)['\"]%s*,%s*256%s*%)")
                or resp1.body:match("['\"]identify_user['\"]%s*,%s*data%s*:%s*prepareExchangedData%(%s*%w+%s*,%s*['\"]encode['\"]%s*,%s*['\"](.-)['\"]")
    if not (lurl and aespwd) then return false end
    aespwd = aespwd .. ("\0"):rep(32-#aespwd)
    local aeskey = openssl.encrypt("aes-256-ecb", aespwd, nil, aespwd):sub(1, 16):rep(2)
    local nonce = ("<I4"):pack(math.floor(stdnse.clock_ms() / 1000))
                  .. string.char(math.random(0, 255)):rep(4)
    local randstr = random_alnum(10)
    local jin = {login=user,
                 pw=pass,
                 duree_session="60",
                 screenHeight=tostring(math.random(480, 1024)),
                 randomstring=randstr}
    json.make_object(jin)
    local ctext = base64.enc(nonce .. openssl.encrypt("aes-256-ctr", aeskey, nonce .. ("\0"):rep(8), json.generate(jin)))
    local resp2 = http_post_simple(host, port, url.absolute(path, lurl),
                                  {cookies = resp1.cookies},
                                  {type="identify_user",data=ctext})
    if not (resp2.status == 200 and resp2.body) then return false end
    local jstatus, jout = json.parse(resp2.body)
    return jstatus and jout[1] and jout[1].value == randstr
  end
})

table.insert(fingerprints, {
  name = "Amano TS-3000i",
  category = "web",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("atvsUserPassword", 1, true)
           and get_tag(response.body, "img", {src="/amano_header%.jpg$"})
  end,
  login_combos = {
    {username = "Admin", password = "6569"}
  },
  login_check = function (host, port, path, user, pass)
    local form = {atvsUserName=user,
                  atvsUserPassword=pass,
                  Submit="Login"}
    local resp = http_post_simple(host, port,
                                 url.absolute(path, "Forms/index_1"),
                                 nil, form)
    return resp.status == 303
           and (resp.header["location"] or ""):find("/Admin/device_info%.html$")
  end
})

table.insert(fingerprints, {
  name = "CapeSoft TimeClock",
  category = "web",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("TimeClock", 1, true)
           and response.body:lower():find("<title>capesoft time clock web ", 1, true)
           and response.body:lower():find("%Whref%s*=%s*(['\"])employees%.php%1")
  end,
  login_combos = {
    {username = "9970", password = "password"}
  },
  login_check = function (host, port, path, user, pass)
    local resp = http_post_simple(host, port,
                                 url.absolute(path, "employees.php"), nil,
                                 {login=user,password=pass,action="Login"})
    return resp.status == 200
           and (resp.body or ""):find("%sclass%s*=%s*(['\"]?)logout%1[%s>]")
  end
})

table.insert(fingerprints, {
  name = "BeEF",
  category = "web",
  paths = {
    {path = "/ui/authentication/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("BeEF", 1, true)
           and response.body:lower():find("<title>beef authentication</title>", 1, true)
  end,
  login_combos = {
    {username = "beef", password = "beef"}
  },
  login_check = function (host, port, path, user, pass)
    local resp = http_post_simple(host, port, url.absolute(path, "login"), nil,
                                 {["username-cfrm"]=user, ["password-cfrm"]=pass})
    return resp.status == 200
           and (resp.body or ""):find("{%s*success%s*:%s*true%s*}")
  end
})

table.insert(fingerprints, {
  name = "Greenbone Security Assistant",
  cpe = "cpe:/a:greenbone:greenbone_security_assistant",
  category = "web",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    local loc = (response.header["location"] or ""):gsub("^https?://[^/]*", "")
    if not (response.status == 303
           and loc:find("/login/login%.html$")) then
      return false
    end
    local resp = http_get_simple(host, port, loc)
    return resp.status == 200
           and resp.body
           and resp.body:find("Greenbone", 1, true)
           and resp.body:lower():find("<title>greenbone security assistant</title>", 1, true)
           and get_tag(resp.body, "form", {action="/omp$"})
  end,
  login_combos = {
    {username = "admin",  password = "admin"},
    {username = "sadmin", password = "changeme"}
  },
  login_check = function (host, port, path, user, pass)
    local lurl = url.absolute(path, "omp")
    local form = {cmd="login",
                  text=lurl.."?r=1",
                  login=user,
                  password=pass}
    local resp = http_post_simple(host, port, lurl, nil, form)
    return resp.status == 303
           and (resp.header["location"] or ""):find("/omp%?.*%f[^?&]token=")
  end
})

table.insert(fingerprints, {
  name = "Attivo ACM/BOTsink",
  category = "web",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and get_cookie(response, "XID", "^%w+$")
           and response.body
           and response.body:find("AUI-login", 1, true)
           and get_tag(response.body, "body", {class="%f[%w]AUI%-Login%f[%W]"})
  end,
  login_combos = {
    {username = "admin", password = "Attivo1$"}
  },
  login_check = function (host, port, path, user, pass)
    local resp1 = http_get_simple(host, port, path)
    if not (resp1.status == 200 and resp1.body) then return false end
    local token = get_tag(resp1.body, "meta", {name="^_csrf$", content="^%x+$"})
    if not token then return false end
    local header = {["x-csrf-token"]=token.content,
                    ["Content-Type"]="application/json"}
    local jin = {username=user, password=base64.enc(pass):reverse()}
    json.make_object(jin)
    local resp2 = http_post_simple(host, port,
                                  url.absolute(path, "api/webauth/login"),
                                  {cookies=resp1.cookies, header=header},
                                  json.generate(jin))
    if not (resp2.status == 200 and resp2.body) then return false end
    local jstatus, jout = json.parse(resp2.body)
    return jstatus and jout.username == user
  end
})

table.insert(fingerprints, {
  name = "Attivo ThreatDirectVM",
  category = "web",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and get_cookie(response, "PHPSESSID", "^%w+$")
           and response.body
           and response.body:find("AUI-login", 1, true)
           and get_tag(response.body, "body", {class="%f[%w]AUI%-Login%f[%W]"})
  end,
  login_combos = {
    {username = "admin", password = "Attivo1$"}
  },
  login_check = function (host, port, path, user, pass)
    local resp1 = http_get_simple(host, port, path)
    if not (resp1.status == 200 and resp1.body) then return false end
    local token = get_tag(resp1.body, "meta", {name="^_csrf$", content="^%x+$"})
    if not token then return false end
    local form = {api="login",
                  username=user,
                  password=base64.enc(pass):reverse()}
    local header = {["X-CSRF-TOKEN"]=token.content}
    local resp2 = http_post_simple(host, port,
                                  url.absolute(path, "loginval.php"),
                                  {cookies=resp1.cookies, header=header}, form)
    if not (resp2.status == 200 and resp2.body) then return false end
    local jstatus, jout = json.parse(resp2.body)
    return jstatus and jout.authStatus == true
  end
})

table.insert(fingerprints, {
  name = "Sagitta Hashstack",
  category = "web",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    local loc = (response.header["location"] or ""):gsub("^https?://[^/]*", "")
    if not (response.status == 302 and loc:find("/login$")) then
      return false
    end
    local resp = http_get_simple(host, port, loc)
    return resp.status == 200
           and resp.body
           and resp.body:find("hashstack", 1, true)
           and resp.body:lower():find("<title>hashstack - login</title>", 1, true)
           and get_tag(resp.body, "form", {class="^form%-signin$"})
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    local header = {["Accept"]="application/json, text/plain, */*",
                    ["Content-Type"]="application/json"}
    local jin = {username=user, password=pass}
    json.make_object(jin)
    local resp = http_post_simple(host, port, url.absolute(path, "login"),
                                 {header=header}, json.generate(jin))
    return resp.status == 200 and get_cookie(resp, "sid", ".")
  end
})

table.insert(fingerprints, {
  name = "ZKSoftware WebServer",
  category = "web",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.header["server"] == "ZK Web Server"
           and response.body
           and response.body:find("%Wlocation%.href%s*=%s*(['\"])[^'\"]-/csl/login%1")
  end,
  login_combos = {
    {username = "administrator", password = "123456"}
  },
  login_check = function (host, port, path, user, pass)
    local resp1 = http_get_simple(host, port, path)
    if resp1.status ~= 200 then return false end
    local resp2 = http_post_simple(host, port, url.absolute(path, "csl/check"),
                                  {cookies=resp1.cookies},
                                  {username=user, userpwd=pass})
    return resp2.status == 200
           and get_tag(resp2.body or "", "frame", {src="/csl/menu$"})
  end
})

---
--ROUTERS
---
table.insert(fingerprints, {
  name = "Cisco IOS",
  cpe = "cpe:/o:cisco:ios",
  category = "routers",
  paths = {
    {path = "/"},
  },
  target_check = function (host, port, path, response)
    local realm = http_auth_realm(response) or ""
    return realm:gsub("_"," "):find("^level 15?%f[ ].* access$")
  end,
  login_combos = {
    {username = "", password = ""},
    {username = "cisco", password = "cisco"},
    {username = "Cisco", password = "Cisco"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "Cisco RV180",
  cpe = "cpe:/h:cisco:rv180_vpn_router",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    local lurl = url.absolute(path, "platform.cgi")
    local resp = response
    if response.status == 200
       and response.body
       and response.body:find(lurl, 1, true)
       and get_refresh_url(response.body, "/platform%.cgi$") then
      resp = http_get_simple(host, port, lurl)
    end
    if resp.status == 200
       and resp.body
       and resp.body:find("frmRedirectToTop", 1, true)
       and get_tag(resp.body, "body", {onload="frmRedirectToTop"}) then
      local form = stdnse.output_table()
      form.thispage = "index.htm"
      form.statusMsg = ""
      form.reload = 0
      local header = {["User-Agent"]="Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko",
                      ["Referer"]=url.build(url_build_defaults(host, port, {path=lurl}))}
      resp = http_post_simple(host, port, lurl, {header=header}, form)
    end
    return resp.status == 200
           and resp.body
           and resp.body:find("Cisco", 1, true)
           and get_tag(resp.body, "input", {type="^text$", name="^users%.username$"})
  end,
  login_combos = {
    {username = "cisco", password = "cisco"}
  },
  login_check = function (host, port, path, user, pass)
    local lurl = url.absolute(path, "platform.cgi")
    local header = {["User-Agent"]="Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko",
                    ["Referer"]=url.build(url_build_defaults(host, port, {path=lurl}))}
    local form = stdnse.output_table()
    form.thispage = "index.htm"
    form.reload = 0
    form["users.username"] = user
    form["users.password"] = pass
    form["button.login.users.home"] = "Log In"
    form["Login.userAgent"] = header["User-Agent"]
    local resp = http_post_simple(host, port, lurl, {header=header}, form)
    return resp.status == 200
           and (get_cookie(resp, "TeamF1Login", "^%w+$")
             or get_tag(resp.body or "", "input", {type="^hidden$", name="^thispage$", value="^forcedLogin%.htm$"}))
  end
})

table.insert(fingerprints, {
  name = "Cisco RV22x, SA520",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    local lurl = url.absolute(path, "scgi-bin/platform.cgi")
    if not (response.status == 200
           and response.body
           and response.body:find(lurl, 1, true)
           and get_refresh_url(response.body, "/scgi%-bin/platform%.cgi$")) then
      return false
    end
    local resp = http_get_simple(host, port, lurl)
    if resp.status == 200
       and resp.body
       and resp.body:find("frmRedirectToTop", 1, true)
       and get_tag(resp.body, "body", {onload="frmRedirectToTop"}) then
      local form = stdnse.output_table()
      form.thispage = "index.htm"
      form.statusMsg = ""
      form.reload = 0
      resp = http_post_simple(host, port, lurl, nil, form)
    end
    return resp.status == 200
           and resp.body
           and resp.body:find("Cisco", 1, true)
           and get_tag(resp.body, "input", {type="^text$", name="^SSLVPNUser%.UserName$"})
  end,
  login_combos = {
    {username = "cisco", password = "cisco"}
  },
  login_check = function (host, port, path, user, pass)
    local lurl = url.absolute(path, "scgi-bin/platform.cgi")
    local header = {["User-Agent"]="Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko",
                    ["Referer"]=url.build(url_build_defaults(host, port, {path=lurl}))}
    local form = stdnse.output_table()
    form.thispage = "index.htm"
    form.reload = 0
    form["SSLVPNUser.UserName"] = user
    form["SSLVPNUser.Password"] = pass
    form["button.login.home"] = "Log In"
    form["Login.userAgent"] = header["User-Agent"]
    local resp = http_post_simple(host, port, lurl, {header=header}, form)
    if resp.status == 200
       and get_tag(resp.body or "", "input", {type="^hidden$", name="^thispage$", value="^forcedLogin%.htm$"}) then
      stdnse.debug1("User '%s' already logged in; credentials cannot be tested", user)
      return false
    end
    return resp.status == 200
           and get_cookie(resp, "TeamF1Login", "^%w+$")
  end
})

table.insert(fingerprints, {
  name = "Cisco RV042/RV082",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    local lurl = url.absolute(path, "cgi-bin/welcome.cgi")
    if not (have_openssl
           and response.status == 200
           and response.body
           and response.body:find(lurl, 1, true)
           and get_refresh_url(response.body, "/cgi%-bin/welcome%.cgi$")) then
      return false
    end
    local resp = http_get_simple(host, port, lurl)
    return resp.status == 200
           and resp.body
           and resp.body:find("Cisco", 1, true)
           and get_tag(resp.body, "form", {name="^form_contents$", action="/cgi%-bin/userLogin%.cgi$"})
           and get_tag(resp.body, "input", {name="^auth_key$", type="^hidden$"})
  end,
  login_combos = {
    {username = "admin", password = "admin"},
    {username = "cisco", password = "cisco"}
  },
  login_check = function (host, port, path, user, pass)
    local resp1 = http_get_simple(host, port,
                                 url.absolute(path, "cgi-bin/welcome.cgi"))
    if resp1.status ~= 200 then return false end
    local form = get_form_fields(resp1.body, {name="^form_contents$", action="/cgi%-bin/userLogin%.cgi$"})
    if not (form and form.auth_key) then return false end
    form.username = user
    local password = stdnse.tohex(openssl.md5(pass .. form.auth_key)):lower()
    local token = resp1.body:match("%Wvar%s+tmp2%s*=%s*['\"]([^'\"]+)")
    if token then
      password = stdnse.tohex(openssl.digest("SHA256", token .. password)):lower()
    end
    form.password = password
    local resp2 = http_post_simple(host, port,
                                  url.absolute(path, "cgi-bin/userLogin.cgi"),
                                  nil, form)
    return resp2.status == 200
           and get_refresh_url(resp2.body or "", "/default%.htm$")
           and get_cookie(resp2, "mlap", ".")
  end
})

table.insert(fingerprints, {
  name = "Cisco RV32x",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return have_openssl
           and response.status == 200
           and response.body
           and response.body:find("cisco", 1, true)
           and get_tag(response.body, "form", {name="^form_contents$", action="/cgi%-bin/userLogin%.cgi$"})
           and get_tag(response.body, "input", {name="^auth_server_pw$", type="^hidden$"})
  end,
  login_combos = {
    {username = "cisco", password = "cisco"}
  },
  login_check = function (host, port, path, user, pass)
    local resp1 = http_get_simple(host, port, path)
    if resp1.status ~= 200 then return false end
    local form = get_form_fields(resp1.body, {name="^form_contents$", action="/cgi%-bin/userLogin%.cgi$"})
    if not (form and form.auth_key) then return false end
    form.username = user
    form.auth_server_pw = base64.enc(pass)
    local password = stdnse.tohex(openssl.md5(pass .. form.auth_key)):lower()
    local token = resp1.body:match("%Wvar%s+tmp2%s*=%s*['\"]([^'\"]+)")
    if token then
      password = stdnse.tohex(openssl.digest("SHA256", token .. password)):lower()
    end
    form.password = password
    form.LanguageList="ENGLISH"
    local resp2 = http_post_simple(host, port,
                                  url.absolute(path, "cgi-bin/userLogin.cgi"),
                                  nil, form)
    return resp2.status == 200
           and get_refresh_url(resp2.body or "", "/default%.htm$")
           and get_cookie(resp2, "mlap", ".")
  end
})

table.insert(fingerprints, {
  name = "Cisco Small Business 200",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("/nikola_login.html", 1, true)
           and response.body:lower():find("<title>switch</title>", 1, true)
  end,
  login_combos = {
    {username = "cisco", password = "cisco"}
  },
  login_check = function (host, port, path, user, pass)
    local form = {uname=user,
                  pwd2=base64.enc(pass),
                  language_selector="en-US",
                  err_flag=0,
                  err_msg="",
                  passpage="nikola_main2.html",
                  failpage="nikola_login.html",
                  submit_flag=0}
    local resp = http_post_simple(host, port,
                                 url.absolute(path, "nikola_login.html"),
                                 nil, form)
    return resp.status == 200 and get_cookie(resp, "SID", ".")
  end
})

table.insert(fingerprints, {
  name = "Cisco DPC3848VM",
  cpe = "cpe:/h:cisco:dpc3848vm",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 302
           and response.header["location"] == "Docsis_system.php"
  end,
  login_combos = {
    {username = "user", password = ""},
    {username = "", password = ""}
  },
  login_check = function (host, port, path, user, pass)
    local form = {username_login=user,
                  password_login=pass,
                  LanguageSelect="en",
                  login="Log In"}
    local resp = http_post_simple(host, port, url.absolute(path, "check.php"),
                                 nil, form)
    if not (resp.status == 200 and resp.body) then return false end
    local lstatus = resp.body:match("%Wvar%s+login_status%s*=%s*(%-?%d+)")
    return tonumber(lstatus or "99") <= 0
  end
})

table.insert(fingerprints, {
  name = "Cisco EPC39xx",
  cpe = "cpe:/h:cisco:epc39*",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("Docsis", 1, true)
           and response.body:find("%Wwindow%.location%.href%s*=%s*(['\"])Docsis_system%.asp%1")
  end,
  login_combos = {
    {username = "",      password = ""},
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    local form = {username_login=user,
                  password_login=pass,
                  LanguageSelect="en",
                  Language_Submit="0",
                  login="Log In"}
    local resp = http_post_simple(host, port,
                                 url.absolute(path, "goform/Docsis_system"),
                                 nil, form)
    local loc = resp.header["location"] or ""
    return resp.status == 302
           and (loc:find("/Quick_setup%.asp$") or loc:find("/Administration%.asp$"))
  end
})

table.insert(fingerprints, {
  name = "Cisco Configuration Utility (var.1)",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return have_openssl
           and response.status == 200
           and response.body
           and response.body:find("cisco", 1, true)
           and response.body:find("%Wfunction%s+en_value%s*%(")
           and get_tag(response.body, "input", {name="^keep_name$"})
  end,
  login_combos = {
    {username = "cisco", password = "cisco"}
  },
  login_check = function (host, port, path, user, pass)
    pass = ("%s%02d"):format(pass, #pass)
    pass = pass:rep(math.ceil(64 / #pass)):sub(1, 64)
    local form = {submit_button="login",
                  keep_name=0,
                  enc=1,
                  user=user,
                  pwd=stdnse.tohex(openssl.md5(pass))}
    local resp = http_post_simple(host, port, url.absolute(path, "login.cgi"),
                                 nil, form)
    return resp.status == 200
           and (resp.body or ""):find("%Wvar%s+session_key%s*=%s*(['\"])%x*%1%s*;")
  end
})

table.insert(fingerprints, {
  name = "Cisco Configuration Utility (var.2)",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return have_openssl
           and response.status == 200
           and response.body
           and response.body:find("cisco", 1, true)
           and response.body:find("%Wfunction%s+en_value%s*%(")
           and get_tag(response.body, "input", {name="^gui_action$"})
  end,
  login_combos = {
    {username = "cisco", password = "cisco"}
  },
  login_check = function (host, port, path, user, pass)
    local resp1 = http_get_simple(host, port, path)
    if not (resp1.status == 200 and resp1.body) then return false end
    local len = tonumber(resp1.body:match("%Wfunction%s+en_value.-%Wfor%s*%(.-<%s*(%d+)%s*;"))
    if not len then return false end
    pass = ("%s%02d"):format(pass, #pass)
    pass = pass:rep(math.ceil(len / #pass)):sub(1, len)
    local form = {submit_button="login",
                  submit_type="",
                  gui_action="",
                  wait_time=0,
                  change_action="",
                  enc=1,
                  user=user,
                  pwd=stdnse.tohex(openssl.md5(pass)),
                  sel_lang="EN"}
    local resp2 = http_post_simple(host, port, url.absolute(path, "login.cgi"),
                                  nil, form)
    return resp2.status == 200
           and (get_tag(resp2.body or "", "input", {name="^session_key$", value="^%w+$"})
             or resp2.body:find("%Wvar%s+login_st%s*=%s*3%s*;"))
  end
})

table.insert(fingerprints, {
  name = "Cisco Router Access",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return have_openssl
           and response.status == 200
           and response.body
           and response.body:find("%Wvar%s+nonce%s*=%s*(['\"])%x+%1")
           and response.body:find("%Wfunction%s+en_value%s*%(")
           and get_tag(response.body, "input", {name="^gui_action$"})
  end,
  login_combos = {
    {username = "", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    local resp1 = http_get_simple(host, port, path)
    if not (resp1.status == 200 and resp1.body) then return false end
    local nonce = resp1.body:match("%Wvar%s+nonce%s*=%s*['\"](%x+)['\"]")
    if not nonce then return false end
    pass = ("%s%02d"):format(pass, #pass)
    pass = pass:rep(math.ceil(64 / #pass)):sub(1, 64)
    pass = stdnse.tohex(openssl.md5(pass))
    local wait_time = get_tag(resp1.body, "input", {name="^wait_time$"})
    local form = {submit_button="login",
                  change_action="",
                  gui_action="Apply",
                  wait_time=wait_time and wait_time.value or "",
                  submit_type="",
                  http_username=user,
                  http_passwd=stdnse.tohex(openssl.md5(pass .. nonce))}
    local resp2 = http_post_simple(host, port, url.absolute(path, "login.cgi"),
                                  nil, form)
    return resp2.status == 200
           and (resp2.body or ""):find(";session_id=%x+%W")
  end
})

table.insert(fingerprints, {
  name = "Cisco IronPort",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 303
           and (response.header["server"] or ""):find("^glass/%d+%.")
           and (response.header["location"] or ""):find("/login%f[?\0]")
           and get_cookie(response, "sid", "^%w+$")
  end,
  login_combos = {
    {username = "admin", password = "ironport"}
  },
  login_check = function (host, port, path, user, pass)
    local refpath = url.absolute(path, "default")
    local form = {referrer=url.build(url_build_defaults(host, port, {path=refpath})),
                  screen="login",
                  username=user,
                  password=pass,
                  action="Login"}
    local resp = http_post_simple(host, port, url.absolute(path, "login"),
                                 nil, form)
    return resp.status == 303
           and (get_cookie(resp, "euq_authenticated", "^%w+$")
             or get_cookie(resp, "authenticated", "^%w+$"))
  end
})

table.insert(fingerprints, {
  name = "Linksys",
  cpe = "cpe:/h:linksys:*",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    local realm = http_auth_realm(response) or ""
    return realm:find("^Linksys %u[%u%d]+%s*$")
           or realm:find("^WRT54GC%w*$")
           or realm == "NR041"
  end,
  login_combos = {
    {username = "", password = "admin"},
    {username = "admin", password = "admin"},
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "Allied Telesis AR",
  cpe = "cpe:/h:alliedtelesyn:cable_dsl_router_at-ar*",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    local realm = http_auth_realm(response) or ""
    return realm:find("^Allied Telesis ")
           or realm:find("^Allied Telesyn ")
           or realm:find("^CentreCOM ")
  end,
  login_combos = {
    {username = "manager", password = "friend"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "HP ProCurve Switch",
  cpe = "cpe:/h:hp:procurve_switch",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and (response.header["server"] or ""):lower():find("^ehttp[/%s]")
           and response.body
           and response.body:find("ProCurve Switch", 1, true)
           and (response.body:find("%Wdocument%.location%s*=%s*(['\"])home%.html%1")
             or get_tag(response.body, "frame", {src="^nctabs%.html$"}))
  end,
  login_combos = {
    {username = "", password = ""}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port,
                        url.absolute(path, "security/web_access.html"),
                        user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "Huawei USG",
  cpe = "cpe:/h:huawei:usg*",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and get_cookie(response, "SESSIONID", "&Huawei")
  end,
  login_combos = {
    {username = "admin",       password = "Admin@123"},
    {username = "audit-admin", password = "Admin@123"}
  },
  login_check = function (host, port, path, user, pass)
    local resp1 = http_get_simple(host, port, path)
    local cookie
    for _, ck in ipairs(resp1.cookies or {}) do
      if ck.name == "SESSIONID" then
        cookie = "SESSIONID=" .. ck.value
        if not ck.httponly then
          cookie = cookie:match("^(.-)&")
        end
        break
      end
    end
    if not (resp1.status == 200 and cookie) then return false end
    local form = {["spring-security-redirect"]="",
                  password=pass,
                  language="en",
                  lang="English",
                  username=user,
                  platcontent=""}
    local lurl = url.absolute(path, "default.html?dc=" .. math.floor(stdnse.clock_ms()))
    local resp2 = http_post_simple(host, port, lurl, {cookies=cookie}, form)
    return resp2.status == 200
           and (resp2.body or ""):find("top.location.replace(localHref)", 1, true)
  end
})

table.insert(fingerprints, {
  name = "Moxa AirWorks",
  category = "routers",
  paths = {
    {path = "/Login.asp"}
  },
  target_check = function (host, port, path, response)
    return have_openssl
           and response.status == 200
           and response.body
           and response.body:find("Moxa AWK", 1, true)
           and response.body:find("/webNonce%W")
           and get_tag(response.body, "form", {action="/home%.asp$"})
  end,
  login_combos = {
    {username = "admin", password = "root"}
  },
  login_check = function (host, port, path, user, pass)
    local resp1 = http_get_simple(host, port, url.absolute(path, "Login.asp"))
    if not (resp1.status == 200 and resp1.body) then return false end
    local pcookie = resp1.body:match("%Wfunction%s+SetCookie%W[^}]-theName%s*=%s*['\"](.-)[='\"]")
    if not pcookie then return false end
    local form2 = {user=user, time=math.floor(stdnse.clock_ms())}
    local url2 = url.absolute(path, "webNonce?" .. url.build_query(form2))
    local resp2 = http_get_simple(host, port, url2,
                                 {cookies={{name=pcookie, value=""}}})
    if not (resp2.status == 200 and resp2.body) then return false end
    local cpass = stdnse.tohex(openssl.md5(pass .. resp2.body))
    local form3 = {Username=user,
                   Password="",
                   ["Submit.x"]=0,
                   ["Submit.y"]=0}
    local resp3 = http_post_simple(host, port, url.absolute(path, "home.asp"),
                                  {cookies={{name=pcookie, value=cpass}}},
                                  form3)
    return resp3.status == 200
           and get_tag(resp3.body or "", "frame", {src="^main%.asp$"})
  end
})

table.insert(fingerprints, {
  name = "Moxa EDR (var.1)",
  cpe = "cpe:/o:moxa:edr_g903_firmware",
  category = "routers",
  paths = {
    {path = "/Login.asp"}
  },
  target_check = function (host, port, path, response)
    return have_openssl
           and response.status == 200
           and response.body
           and response.body:find("Moxa EDR", 1, true)
           and response.body:find(">iGenSel2%((['\"])Username%1")
           and response.body:find("%Wdocument%.getElementById%(%s*(['\"])Username%1%s*%)%.value%s*%+%s*(['\"]):%2")
  end,
  login_combos = {
    {username = "admin", password = ""},
    {username = "user",  password = ""}
  },
  login_check = function (host, port, path, user, pass)
    local cpass = stdnse.tohex(openssl.md5(#pass > 0 and pass or "NULL"))
    local cookies = {{name="admin:EDR", value=(user=="admin" and cpass or "")},
                     {name="user:EDR", value=(user=="user" and cpass or "")}}
    local form1 = {Username=user,
                   Password=pass,
                   ["Submit.x"]=0,
                   ["Submit.y"]=0}
    local resp1 = http_post_simple(host, port, url.absolute(path, "init.asp"),
                                  {cookies=cookies}, form1)
    if resp1.status~=200 then return false end
    local resp2 = http_get_simple(host, port, url.absolute(path, "index.asp"),
                                 {cookies=cookies})
    return resp2.status == 200
           and get_tag(resp2.body or "", "frame", {src="^name%.asp$"})
end
})

table.insert(fingerprints, {
  name = "Moxa EDR (var.2)",
  cpe = "cpe:/o:moxa:edr_g903_firmware",
  category = "routers",
  paths = {
    {path = "/Login.asp"}
  },
  target_check = function (host, port, path, response)
    return have_openssl
           and response.status == 200
           and response.body
           and response.body:find("Moxa EDR", 1, true)
           and response.body:find(">iGenSel2%((['\"])Username%1")
           and response.body:find("%Wdocument%.getElementById%(%s*(['\"])Username%1%s*%)%.value%s*;")
  end,
  login_combos = {
    {username = "admin", password = ""},
    {username = "user",  password = ""}
  },
  login_check = function (host, port, path, user, pass)
    local cuser = #user > 0 and user or "unknown"
    local cpass = #pass > 0 and pass or "NULL"
    local cookies = {{name="NAME", value=url.escape(cuser)},
                     {name="PASSWORD", value=stdnse.tohex(openssl.md5(cpass))}}
    local form1 = {Username=user,
                   Password=pass,
                   ["Submit.x"]=0,
                   ["Submit.y"]=0}
    local resp1 = http_post_simple(host, port, url.absolute(path, "init.asp"),
                                  {cookies=cookies}, form1)
    if resp1.status~=200 then return false end
    local resp2 = http_get_simple(host, port, url.absolute(path, "home.asp"),
                                 {cookies=cookies})
    return resp2.status == 200
           and get_tag(resp2.body or "", "frame", {src="^name%.asp$"})
end
})

table.insert(fingerprints, {
  name = "Moxa EDR (var.3)",
  cpe = "cpe:/o:moxa:edr_g903_firmware",
  category = "routers",
  paths = {
    {path = "/Login.asp"}
  },
  target_check = function (host, port, path, response)
    return have_openssl
           and response.status == 200
           and response.body
           and response.body:find("Moxa EDR", 1, true)
           and response.body:find("%Wdocument%.getElementById%(%s*(['\"])InputPassword%1%s*%)%.action%s*=%s*(['\"])[^'\"]-/init%.asp%2")
           and not response.body:find("sysnotify_support", 1, true)
           and response.body:find("%Wvar%s+rndN%s*=%s*%d+%s*;")
  end,
  login_combos = {
    {username = "admin", password = "moxa"},
    {username = "user",  password = "moxa"}
  },
  login_check = function (host, port, path, user, pass)
    local resp1 = http_get_simple(host, port, url.absolute(path, "Login.asp"))
    if not (resp1.status == 200 and resp1.body) then return false end
    local nonce = resp1.body:match("%Wvar%s+rndN%s*=%s*(%d+)%s*;")
    if not nonce then return false end
    local cuser = #user > 0 and user or "unknown"
    local cpass = pass .. nonce
    local cookies = {{name="NAME", value=url.escape(cuser)},
                     {name="PASSWORD", value=stdnse.tohex(openssl.md5(cpass))}}
    local form2 = {Username=user,
                   Password=pass,
                   ["Submit.x"]=0,
                   ["Submit.y"]=0}
    local resp2 = http_post_simple(host, port, url.absolute(path, "init.asp"),
                                  {cookies=cookies}, form2)
    if resp2.status~=200 then return false end
    local resp3 = http_get_simple(host, port, url.absolute(path, "home.asp"),
                                 {cookies=cookies})
    return resp3.status == 200
           and get_tag(resp3.body or "", "frame", {src="^name%.asp$"})
  end
})

table.insert(fingerprints, {
  name = "Moxa EDR (var.4)",
  category = "routers",
  paths = {
    {path = "/Login.asp"}
  },
  target_check = function (host, port, path, response)
    return have_openssl
           and response.status == 200
           and response.body
           and response.body:find("Moxa EDR", 1, true)
           and response.body:find("%Wdocument%.getElementById%(%s*(['\"])InputPassword%1%s*%)%.action%s*=%s*(['\"])[^'\"]-/init%.asp%2")
           and not response.body:find("sysnotify_support", 1, true)
           and not response.body:find("%Wvar%s+rndN%s*=%s*%d+%s*;")
  end,
  login_combos = {
    {username = "admin", password = "moxa"},
    {username = "user",  password = "moxa"}
  },
  login_check = function (host, port, path, user, pass)
    local cuser = #user > 0 and user or "unknown"
    local cpass = #pass > 0 and pass or "NULL"
    local cookies = {{name="NAME", value=url.escape(cuser)},
                     {name="PASSWORD", value=stdnse.tohex(openssl.md5(cpass))}}
    local form1 = {Username=user,
                   Password=pass,
                   ["Submit.x"]=0,
                   ["Submit.y"]=0}
    local resp1 = http_post_simple(host, port, url.absolute(path, "init.asp"),
                                  {cookies=cookies}, form1)
    if resp1.status~=200 then return false end
    local resp2 = http_get_simple(host, port, url.absolute(path, "home.asp"),
                                 {cookies=cookies})
    return resp2.status == 200
           and get_tag(resp2.body or "", "frame", {src="^name%.asp$"})
  end
})

table.insert(fingerprints, {
  name = "Moxa EDR (var.5)",
  cpe = "cpe:/o:moxa:edr_g903_firmware",
  category = "routers",
  paths = {
    {path = "/Login.asp"}
  },
  target_check = function (host, port, path, response)
    return have_openssl
           and response.status == 200
           and response.body
           and response.body:find("Moxa EDR", 1, true)
           and response.body:find("%Wdocument%.getElementById%(%s*(['\"])InputPassword%1%s*%)%.action%s*=%s*(['\"])[^'\"]-/init%.asp%2")
           and response.body:find("sysnotify_support", 1, true)
  end,
  login_combos = {
    {username = "admin", password = "moxa"},
    {username = "user",  password = "moxa"}
  },
  login_check = function (host, port, path, user, pass)
    local cuser = #user > 0 and user or "unknown"
    local cpass = #pass > 0 and pass or "NULL"
    local cookies = {{name="sysnotify_support", value="yes"},
                     {name="sysnotify_loginStatus", value="initial"},
                     {name="lasttime", value=tostring(math.floor(stdnse.clock_ms()))},
                     {name="sessionID", value=tostring(math.random(1000000000, 4294967295))},
                     {name="NAME", value=url.escape(cuser)},
                     {name="PASSWORD", value=stdnse.tohex(openssl.md5(cpass))},
                     {name="AUTHORITY", value=""}}
    local form = {Username=user,
                  Password=pass,
                  ["Submit.x"]=0,
                  ["Submit.y"]=0}
    local resp = http_post_simple(host, port, url.absolute(path, "init.asp"),
                                 {cookies=cookies}, form)
    return resp.status == 200
           and (resp.body or ""):find("%sonLoad%s*=%s*['\"]SetAuthorityCookie%(")
  end
})

table.insert(fingerprints, {
  name = "Ovislink AirLive (basic auth)",
  cpe = "cpe:/h:ovislink:airlive_*",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    local realm = http_auth_realm(response) or ""
    return realm:find("^AirLive ")
           or realm:find("%f[%w]admin/airlive$")
           or realm:find("%f[%w]airlive/airlive$")
  end,
  login_combos = {
    {username = "admin", password = "airlive"},
    {username = "airlive", password = "airlive"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "Ovislink AirLive AP",
  cpe = "cpe:/h:ovislink:airlive_*",
  category = "routers",
  paths = {
    {path = "/index.asp"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("AirLive", 1, true)
           and response.body:lower():find("<title>airlive [%w-]+</title>")
           and response.body:lower():find("%shref%s*=%s*(['\"]?)sts_%w+%.asp%1[%s>]")
  end,
  login_combos = {
    {username = "", password = "airlive"}
  },
  login_check = function (host, port, path, user, pass)
    local resp = http_post_simple(host, port,
                                 url.absolute(path, "goform/asp_login"),
                                 nil, {psw=pass})
    return resp.status == 302
           and (resp.header["location"] or ""):find("/sts_%w+%.asp$")
  end
})

table.insert(fingerprints, {
  name = "Ovislink AirLive WIAS (var.1)",
  cpe = "cpe:/h:ovislink:airlive_*",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("WIAS", 1, true)
           and response.body:lower():find("<title>wias%-%d+%a</title>")
           and get_tag(response.body, "form", {action="^check%.shtml$"})
           and get_tag(response.body, "input", {name="^password$"})
  end,
  login_combos = {
    {username = "admin", password = "airlive"}
  },
  login_check = function (host, port, path, user, pass)
    local resp = http_post_simple(host, port,
                                 url.absolute(path, "check.shtml"),
                                 nil, {username=user,password=pass})
    return resp.status == 302
           and resp.header["location"] == "home.shtml"
  end
})

table.insert(fingerprints, {
  name = "Ovislink AirLive WIAS (var.2)",
  cpe = "cpe:/h:ovislink:airlive_*",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("AirLive", 1, true)
           and response.body:lower():find("<title>airlive wias%-%d+%a</title>")
           and get_tag(response.body, "form", {action="^check%.shtml$"})
           and get_tag(response.body, "input", {name="^adm_pwd$"})
  end,
  login_combos = {
    {username = "admin", password = "airlive"}
  },
  login_check = function (host, port, path, user, pass)
    local resp = http_post_simple(host, port,
                                 url.absolute(path, "check.shtml"),
                                 nil, {adm_name=user,adm_pwd=pass})
    return resp.status == 302
           and resp.header["location"] == "home.shtml"
  end
})

table.insert(fingerprints, {
  name = "AirTies router",
  cpe = "cpe:/h:airties:air_*",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and get_refresh_url(response.body, "/js/%.js_check%.html$")
  end,
  login_combos = {
    {username = "admin", password = ""}
  },
  login_check = function (host, port, path, user, pass)
    local form = {redirect="",
                  self="",
                  user=user,
                  password=pass,
                  gonder="OK"}
    local resp = http_post_simple(host, port,
                                 url.absolute(path, "cgi-bin/login"),
                                 nil, form)
    return resp.status == 200
           and get_cookie(resp, "AIRTIESSESSION", "^%x+$")
           and get_refresh_url(resp.body or "", "/main%.html$")
  end
})

table.insert(fingerprints, {
  name = "Arris Touchstone",
  cpe = "cpe:/a:arris:touchstone_*",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("sta_wifi", 1, true)
           and get_tag(response.body, "form", {action="^check%.php$"})
  end,
  login_combos = {
    {username = "admin", password = "password"}
  },
  login_check = function (host, port, path, user, pass)
    local resp = http_post_simple(host, port, url.absolute(path, "check.php"),
                                 nil, {username=user,password=pass})
    return resp.status == 200
           and get_cookie(resp, "PHPSESSID", "^%w+$")
           and (resp.body or ""):find("%Wlocation%.href%s*=%s*(['\"])admin_password_change%.php%1")
  end
})

table.insert(fingerprints, {
  name = "ASUS router",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    if not (response.status == 200
           and response.body
           and response.body:find("%Wtop%.location%.href%s*=%s*(['\"])[^'\"]-/Main_Login%.asp%1")) then
      return false
    end
    local resp = http_get_simple(host, port, url.absolute(path, "Main_Login.asp"))
    return resp.status == 200
           and resp.body
           and resp.body:find("ASUS", 1, true)
           and get_tag(resp.body, "input", {name="^login_authorization$"})
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    local murl = url.absolute(path, "Main_Login.asp")
    local resp1 = http_get_simple(host, port, murl)
    if resp1.status ~= 200 then return false end
    local form = get_form_fields(resp1.body, {action="^login%.cgi$"})
    if not form then return false end
    form.next_page = "index.asp"
    form.login_authorization = base64.enc(user .. ":" .. pass)
    form.login_username = nil
    form.login_passwd = nil
    form.captcha_text = nil
    local header = {["Referer"]=url.build(url_build_defaults(host, port, {path=murl}))}
    local resp2 = http_post_simple(host, port, url.absolute(path, "login.cgi"),
                                  {header=header}, form)
    return resp2.status == 200
           and get_cookie(resp2, "asus_token", "^%w+$")
           and get_refresh_url(resp2.body or "")
    end
})

table.insert(fingerprints, {
  name = "ASUS router (basic auth)",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    local realm = http_auth_realm(response)
    if not realm then return false end
    local type = realm:match("^(%u+)%-%u[%u%d]+$")
    for t in ("DSL,EA,RP,RT,TM"):gmatch("%u+") do
      if t == type then return true end
    end
    return false
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "ASUS TM router",
  cpe = "cpe:/h:asus:tm-*",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return (http_auth_realm(response) or ""):find("^TM%-%u[%u%d]+$")
  end,
  login_combos = {
    {username = "admin", password = "password"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "ASUS RX3041",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return (http_auth_realm(response) or ""):find("^ *RX3041%f[ \0]")
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "Belkin G Wireless Router",
  cpe = "cpe:/h:belkin:f5d7234-4",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return have_openssl
           and response.status == 200
           and response.body
           and response.body:find("setup_top.htm", 1, true)
           and response.body:find("status.stm", 1, true)
  end,
  login_combos = {
    {username = "", password = ""}
  },
  login_check = function (host, port, path, user, pass)
    local resp = http_post_simple(host, port,
                                 url.absolute(path, "cgi-bin/login.exe"), nil,
                                 {totalMSec = stdnse.clock_ms()/1000,
                                 pws = stdnse.tohex(openssl.md5(pass))})
    return resp.status == 302
           and (resp.header["location"] or ""):find("/index%.htm$")
  end
})

table.insert(fingerprints, {
  name = "Belkin/Arris 2307",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("isAPmode", 1, true)
           and get_tag(response.body, "meta", {name="^description$", content="^%w+ 2307$"})
  end,
  login_combos = {
    {username = "", password = ""}
  },
  login_check = function (host, port, path, user, pass)
    local form = {page="",
                  logout="",
                  action="submit",
                  pws=base64.enc(pass),
                  itsbutton1="Submit",
                  h_language="en",
                  is_parent_window="1"}
    local resp = http_post_simple(host, port, url.absolute(path, "login.cgi"),
                                 nil, form)
    return resp.status == 200
           and (resp.body or ""):find("index.html", 1, true)
  end
})

table.insert(fingerprints, {
  name = "D-Link DIR router (var.1)",
  cpe = "cpe:/h:d-link:dir-*",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and (response.header["server"] or ""):find(" DIR%-%d+")
           and response.body
           and response.body:find("AUTH.Login(", 1, true)
           and response.body:find('%WOBJ%("loginusr"%)%.value%s*=%s*""')
           and response.body:lower():find("<title>d%-link systems[^<]+ home</title>")
  end,
  login_combos = {
    {username = "admin", password = ""}
  },
  login_check = function (host, port, path, user, pass)
    local form = {REPORT_METHOD="xml",
                  ACTION="login_plaintext",
                  USER=user,
                  PASSWD=pass,
                  CAPTCHA=""}
    local resp = http_post_simple(host, port, url.absolute(path, "session.cgi"),
                                 {cookies="uid="..random_alnum(10)}, form)
    return resp.status == 200
           and (resp.body or ""):find("<RESULT>SUCCESS</RESULT>", 1, true)
  end
})

table.insert(fingerprints, {
  name = "D-Link DIR router (var.2)",
  cpe = "cpe:/h:d-link:dir-*",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and (response.header["server"] or ""):find(" DIR%-%d+")
           and response.body
           and response.body:find("AUTH.Login(", 1, true)
           and response.body:find('%WOBJ%("loginusr"%)%.value%s*=%s*username%W')
           and response.body:lower():find("<title>d%-link systems[^<]+ home</title>")
  end,
  login_combos = {
    {username = "Admin", password = ""}
  },
  login_check = function (host, port, path, user, pass)
    local form = {REPORT_METHOD="xml",
                  ACTION="login_plaintext",
                  USER=user,
                  PASSWD=pass,
                  CAPTCHA=""}
    local resp = http_post_simple(host, port, url.absolute(path, "session.cgi"),
                                 {cookies="uid="..random_alnum(10)}, form)
    return resp.status == 200
           and (resp.body or ""):find("<RESULT>SUCCESS</RESULT>", 1, true)
  end
})

table.insert(fingerprints, {
  name = "D-Link DIR router (var.3)",
  cpe = "cpe:/h:d-link:dir-*",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return have_openssl
           and response.status == 200
           and (response.header["server"] or ""):find(" DIR%-%d+")
           and response.body
           and response.body:find("AUTH.Login_Hash(", 1, true)
           and response.body:lower():find("<title>d%-link systems[^<]+ home</title>")
  end,
  login_combos = {
    {username = "Admin", password = ""}
  },
  login_check = function (host, port, path, user, pass)
    local url2 = url.absolute(path, "authentication.cgi")
    local url1 = url2 .. "?captcha=&dummy=" .. math.floor(stdnse.clock_ms())
    local resp1 = http_get_simple(host, port, url1)
    if not (resp1.status == 200 and resp1.body) then return false end
    local jstatus, jout = json.parse(resp1.body)
    if not (jstatus and jout.uid and jout.challenge) then return false end
    local auth = stdnse.tohex(openssl.hmac("MD5", pass, user .. jout.challenge))
    local resp2 = http_post_simple(host, port, url2,
                                  {cookies = "uid=" .. jout.uid},
                                  {id=user, password=auth:upper()})
    if not (resp2.status == 200 and resp2.body) then return false end
    jstatus, jout = json.parse(resp2.body)
    return jstatus and jout.status == "ok"
  end
})

table.insert(fingerprints, {
  name = "D-Link DIR-620",
  cpe = "cpe:/h:d-link:dir-620",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("DIR-620", 1, true)
           and response.body:lower():find("<title>dir-620</title>", 1, true)
           and get_tag(response.body, "form", {action="^index%.cgi$"})
  end,
  login_combos = {
    {username = "admin", password = "anonymous"}
  },
  login_check = function (host, port, path, user, pass)
    local cookies = {{name="user_ip", value="127.0.0.1"},
                     {name="cookie_lang", value="rus"},
                     {name="client_login", value=user},
                     {name="client_password", value=pass}}
    local resp = http_post_simple(host, port, url.absolute(path, "index.cgi"),
                                 {cookies=cookies},
                                 {v2="y",rs_type="html",auth="auth"})
    return resp.status == 200
           and (resp.body or ""):find("%sid%s*=%s*(['\"])v_firmware_value%1%s*>%d")
  end
})

table.insert(fingerprints, {
  name = "D-Link DIR router (basic auth)",
  cpe = "cpe:/h:d-link:dir-*",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return (http_auth_realm(response) or ""):find("%f[%w]DIR%-%d%d%d%f[%u\0]")
  end,
  login_combos = {
    {username = "admin", password = "admin"},
    {username = "admin", password = ""}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "D-Link DSL router",
  cpe = "cpe:/h:d-link:dsl-*",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and (response.header["server"] or ""):find("^mini_httpd/%d+%.")
           and response.body
           and response.body:find("%Wwindow%.location%.href%s*=%s*(['\"])[^'\"]-/cgi%-bin/webproc%1")
  end,
  login_combos = {
    {username = "admin", password = "admin"},
    {username = "admin", password = "password"},
  },
  login_check = function (host, port, path, user, pass)
    local lurl = url.absolute(path, "cgi-bin/webproc")
    local resp1 = http_get_simple(host, port, lurl)
    if resp1.status ~= 200 then return false end
    local form = {getpage="html/index.html",
                  errorpage="html/main.html",
                  ["var:menu"]="setup",
                  ["var:page"]="wizard",
                  ["obj-action"]="auth",
                  [":username"]=user,
                  [":password"]=pass,
                  [":action"]="login",
                  [":sessionid"]=get_cookie(resp1, "sessionid")}
    local resp2 = http_post_simple(host, port, lurl,
                                  {cookies=resp1.cookies}, form)
    return resp2.status == 302
           and (resp2.header["location"] or ""):find("/cgi-bin/webproc?getpage=html/index.html&", 1, true)
  end
})

table.insert(fingerprints, {
  name = "D-Link DSL router (basic auth)",
  cpe = "cpe:/h:d-link:dsl-*",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return (http_auth_realm(response) or ""):find("^DSL%-%d%d%d%d?[BRU]%f[_\0]")
  end,
  login_combos = {
    {username = "admin",   password = "admin"},
    {username = "support", password = "support"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "D-Link DSL T router (basic auth)",
  cpe = "cpe:/h:d-link:dsl-*",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return (http_auth_realm(response) or ""):find("%f[^ \0]DSL%-%d%d%d%d?T$")
  end,
  login_combos = {
    {username = "admin", password = "admin"},
    {username = "user",  password = "user"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "D-Link DSR router",
  cpe = "cpe:/h:d-link:dsr-*",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    local lurl = url.absolute(path, "scgi-bin/platform.cgi")
    if not (response.status == 200
           and response.body
           and response.body:find(lurl, 1, true)
           and get_refresh_url(response.body, "/scgi%-bin/platform%.cgi$")) then
      return false
    end
    local resp = http_get_simple(host, port, lurl)
    return resp.status == 200
           and resp.body
           and resp.body:find("D-Link", 1, true)
           and get_tag(resp.body, "input", {name="^Users%.UserName$"})
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    local lurl = url.absolute(path, "scgi-bin/platform.cgi")
    local header = {["User-Agent"]="Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko",
                    ["Referer"]=url.build(url_build_defaults(host, port, {path=lurl}))}
    local form = stdnse.output_table()
    form.thispage = "index.html"
    form["Users.UserName"] = user
    form["Users.Password"] = pass
    form["button.login.Users.dashboard"] = "Login"
    form["Login.userAgent"] = header["User-Agent"]
    form.loggedInStatus = ""
    local resp = http_post_simple(host, port, lurl, {header=header}, form)
    return resp.status == 200
           and get_cookie(resp, "TeamF1Login", "^%x+$")
  end
})

table.insert(fingerprints, {
  name = "TP-Link (basic auth)",
  cpe = "cpe:/o:tp-link:lm_firmware",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 401
           and (http_auth_realm(response) or ""):find("^TP%-LINK")
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "TP-Link (MD5 cookie)",
  cpe = "cpe:/o:tp-link:lm_firmware",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return have_openssl
           and response.status == 200
           and (http_auth_realm(response) or ""):find("^TP%-LINK")
           and response.body
           and response.body:find("%spassword%s*=%s*hex_md5")
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    local auth = base64.enc(user .. ":" .. stdnse.tohex(openssl.md5(pass)))
    local cookie = "Authorization=" .. url.escape("Basic " .. auth)
    local resp = http_get_simple(host, port,
                                url.absolute(path, "userRpm/LoginRpm.htm?Save=Save"),
                                {cookies=cookie})
    return resp.status == 200
           and (resp.body or ""):find(">window%.parent%.location%.href%s*=%s*(['\"])[^'\"]-/userRpm/Index%.htm%1")
  end
})

table.insert(fingerprints, {
  name = "TP-Link (plain cookie)",
  cpe = "cpe:/o:tp-link:lm_firmware",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and (http_auth_realm(response) or ""):find("^TP%-LINK")
           and response.body
           and not response.body:find("%spassword%s*=%s*hex_md5")
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    local auth = base64.enc(user .. ":" .. pass)
    local cookie = "Authorization=" .. url.escape("Basic " .. auth)
    local resp = http_get_simple(host, port, path, {cookies=cookie})
    return resp.status == 200
           and (resp.body or ""):find("%shref%s*=%s*(['\"])[^'\"]-/userRpm/LogoutRpm%.htm%1")
  end
})

table.insert(fingerprints, {
  name = "TP-Link DOCSIS modem",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find(".tp-link.", 1, true)
           and get_tag(response.body, "a", {href="^https?://www%.tp%-link%.com/?$"})
           and get_tag(response.body, "form", {action="/goform/login$"})
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    local form = {loginUsername=user,
                  loginPassword=pass,
                  forbidTime="0",
                  authTime="0"}
    local cookie = "Authorization=Basic " .. base64.enc(user .. ":" .. pass)
    local header = {["Referer"]=url.build(url_build_defaults(host, port, {path=url.absolute(path, "login.asp")}))}
    local resp = http_post_simple(host, port,
                                 url.absolute(path, "goform/login"),
                                 {cookies=cookie, header=header}, form)
    return resp.status == 302
           and (resp.header["location"] or ""):find("/index%.htm$")
  end
})

table.insert(fingerprints, {
  name = "Buffalo AirStation",
  cpe = "cpe:/h:buffalotech:airstation_*",
  category = "routers",
  paths = {
    {path = "/login.html"}
  },
  target_check = function (host, port, path, response)
    return have_openssl
           and response.status == 200
           and response.body
           and response.body:find("BUFFALO", 1, true)
           and get_tag(response.body, "input", {name="^pws$"})
           and get_tag(response.body, "img", {title="^spacer$", src="^data:"})
  end,
  login_combos = {
    {username = "admin", password = "password"}
  },
  login_check = function (host, port, path, user, pass)
    local resp1 = http_get_simple(host, port, path)
    if not (resp1.status == 200 and resp1.body) then return false end
    local img = get_tag(resp1.body, "img", {title="^spacer$", src="^data:"})
    if not img then return false end
    local form ={name=user,
                 pws=stdnse.tohex(openssl.md5(pass)),
                 url=url.absolute(path, "./"),
                 mobile=0,
                 httoken=b64decode(img.src:sub(79))}
    local header = {["Referer"]=url.build(url_build_defaults(host, port, {path=path}))}
    local resp2 = http_post_simple(host, port, url.absolute(path, "login.cgi"),
                                  {header=header}, form)
    local loc = resp2.header["location"]
    return resp2.status == 302
           and (loc == form.url
             or loc == url.absolute(path, "loginexclude.html"))
  end
})

table.insert(fingerprints, {
  name = "BEC ADSL router",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.header["server"] == "micro_httpd"
           and (http_auth_realm(response) or ""):find("^BEC %d%d%d%d%u")
  end,
  login_combos = {
    {username = "admin", password = "admin"},
    {username = "admin", password = "NEMONTadmin"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "Billion BiPAC",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    local realm = http_auth_realm(response) or ""
    return realm:find("^BiPAC %d%d%d%d[%u%d ]*$")
           or realm:find("^8700AX: ")
  end,
  login_combos = {
    {username = "admin",   password = "admin"},
    {username = "user",    password = "user"},
    {username = "support", password = "support"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "Comtrend NexusLink-5631",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return http_auth_realm(response) == "DSL Router"
  end,
  login_combos = {
    {username = "apuser", password = "apuser"},
    {username = "root", password = "12345"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "DrayTek Vigor",
  cpe = "cpe:/o:draytek:vigor_*",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    local loc = response.header["location"] or ""
    if not (response.status == 302 and loc:find("/weblogin%.htm$")) then
      return false
    end
    local resp = http_get_simple(host, port, loc)
    return resp.status == 200
           and resp.body
           and resp.body:find('frmSub[0].name="aa"', 1, true)
           and resp.body:lower():find("<title>vigor login page</title>", 1, true)
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    local form = {aa=base64.enc(user),
                  ab=base64.enc(pass)}
    local resp = http_post_simple(host, port,
                                 url.absolute(path, "cgi-bin/wlogin.cgi"),
                                 nil, form)
    return resp.status == 302
           and resp.header["location"] == "/"
           and get_cookie(resp, "SESSION_ID_VIGOR", "^%x+$")
  end
})

table.insert(fingerprints, {
  name = "iBall Baton",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return (http_auth_realm(response) or ""):find("^iBall Baton ")
  end,
  login_combos = {
    {username = "admin",   password = "admin"},
    {username = "support", password = "support"},
    {username = "user",    password = "user"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "Link-Net LW/LWH router",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    if not (response.status == 302
           and (response.header["location"] or ""):find("/home%.asp$")) then
      return false
    end
    local resp = http_get_simple(host, port,
                                url.absolute(path, "home.asp"))
    return resp.status == 200
           and resp.body
           and resp.body:find("LINK-NET", 1, true)
           and resp.body:find("%svendor%s*=%s*(['\"])LINK%-NET%1")
           and resp.body:lower():find("[%s>]wireless router</title>")
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, url.absolute(path, "internet/wan.asp"),
                        user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "NST Globalist Spread Router",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    local realm = http_auth_realm(response)
    return realm == "SpreadRouter Serise WebUI" or realm == "Settings WebUI"
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "Planex Broad Lanner",
  cpe = "cpe:/h:planex:brl-*",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("Planex Communications", 1, true)
           and get_tag(response.body, "meta", {content="^B%a%a%-04FM%a HTML"})
           and get_tag(response.body, "frame", {src="^top%.htm$"})
  end,
  login_combos = {
    {username = "", password = "password"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, url.absolute(path, "top.htm"),
                        user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "Thomson Gateway",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return http_auth_realm(response) == "Thomson"
  end,
  login_combos = {
    {username = "", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "Thomson TG585 v7",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return http_auth_realm(response) == "Thomson Gateway"
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, true)
  end
})

table.insert(fingerprints, {
  name = "Tilgin (var.1)",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("Tilgin", 1, true)
           and get_tag(response.body, "button", {name="^__auth$", value="^login$"})
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    local form = {__user=user,
                  __pass=pass,
                  __auth="login"}
    local resp = http_post_simple(host, port, path, nil, form)
    return resp.status == 303
           and resp.header["location"] == path
           and get_cookie(resp, "auth", "^%d+:main/%d+:")
  end
})

table.insert(fingerprints, {
  name = "Tilgin (var.2)",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("Tilgin", 1, true)
           and response.body:find("CryptoJS.HmacSHA1", 1, true)
           and get_tag(response.body, "input", {name="^__hash$"})
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    local resp1 = http_get_simple(host, port, path)
    if not (resp1.status == 200 and resp1.body) then return false end
    local key = resp1.body:match("=%s*CryptoJS%.HmacSHA1%([^)]-['\"](%x+)['\"]%s*%)")
    if not key then return false end
    local form = {__formtok="",
                  __user=user,
                  __auth="login",
                  __hash=stdnse.tohex(openssl.hmac("SHA1", key, user .. pass))}
    local resp2 = http_post_simple(host, port, path, nil, form)
    return resp2.status == 303
           and resp2.header["location"] == path
           and get_cookie(resp2, "auth", "^%d+:%d+:main/%d+:")
  end
})

table.insert(fingerprints, {
  name = "TrendChip ADSL Modem",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return http_auth_realm(response) == "ADSL Modem"
           and (response.header["server"] or ""):find("^Boa/%d+%.")
           and get_cookie(response, "SESSIONID", "^%x+$")
  end,
  login_combos = {
    {username = "admin", password = "admin"},
    {username = "admin", password = "1234"},
    {username = ("qwertyuiop"):rep(13):sub(1, 128),
        password = ("1234567890"):rep(13):sub(1, 128)},
    {username = "user3",
        password = ("1234567890"):rep(13):sub(1, 128)},
  },
  login_check = function (host, port, path, user, pass)
    local resp1 = http_get_simple(host, port, path)
    if not resp1.status then return false end
    local auth = {username = user, password = pass}
    local resp2 = http_get_simple(host, port, path,
                                 {auth=auth, cookies=resp1.cookies})
    return resp2.status == 200
  end
})

table.insert(fingerprints, {
  name = "USRobotics ADSL Gateway",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    local realm = http_auth_realm(response) or ""
    return realm:find("^U%.S%. Robotics ADSL %w+$")
           or realm:find("^USR%d* ADSL Gateway$")
  end,
  login_combos = {
    {username = "admin",   password = "admin"},
    {username = "support", password = "support"},
    {username = "user",    password = "user"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "Westell",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 302
           and (response.header["location"] or ""):find("/htmlV/PasswordChange%.asp$")
  end,
  login_combos = {
    {username = "admin", password = "password"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port,
                        url.absolute(path, "htmlV/PasswordChange.asp"),
                        user, pass, true)
  end
})

table.insert(fingerprints, {
  name = "Yamaha RT 10.x",
  cpe = "cpe:/o:yahama:rt*",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    local lurl = response.status == 200
                 and get_refresh_url(response.body or "", "/user/index[_%a]*.html$")
    if not lurl then return false end
    local resp = http_get_simple(host, port, lurl)
    return (http_auth_realm(resp) or ""):find("^YAMAHA%-RT ")
  end,
  login_combos = {
    {username = "", password = ""}
  },
  login_check = function (host, port, path, user, pass)
    local resp = http_get_simple(host, port, path)
    local lurl = resp.status == 200
                 and get_refresh_url(resp.body or "", "/user/index[_%a]*.html$")
    if not lurl then return false end
    return try_http_auth(host, port, lurl, user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "Yamaha RT 11.x",
  cpe = "cpe:/o:yahama:rt*",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return (http_auth_realm(response) or ""):find("^YAMAHA%-RT ")
  end,
  login_combos = {
    {username = "", password = ""}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "Yamaha SWX",
  category = "routers",
  paths = {
    {path = "/login.html"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("Yamaha Corporation", 1, true)
           and get_tag(response.body, "form", {action="/goform/authenticate%.json$"})
           and get_tag(response.body, "input", {name="^URL$", value="/dashboard/index%.html$"})
  end,
  login_combos = {
    {username="", password=""}
  },
  login_check = function (host, port, path, user, pass)
    local form = {URL=url.absolute(path, "dashboard/index.html"),
                  USER=user,
                  PASS=pass}
    local resp = http_post_simple(host, port,
                                 url.absolute(path, "goform/authenticate.json"),
                                 nil, form)
    if not (resp.status == 200 and resp.body) then return false end
    local jstatus, jout = json.parse(resp.body)
    return jstatus and jout.result == "SUCCESS"
  end
})

table.insert(fingerprints, {
  name = "Zhone ZNID",
  cpe = "cpe:/o:dasanzhone:znid_*",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.header["server"] == "micro_httpd"
           and (http_auth_realm(response) or ""):find("%f[%w]ZNID%d%d[%dx][%dx]")
  end,
  login_combos = {
    {username = "user", password = "user"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "Zoom ADSL X5",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 301
           and (response.header["server"] or ""):find("^Nucleus/%d+%.")
           and (response.header["location"] or ""):find("/hag/pages/home%.htm$")
  end,
  login_combos = {
    {username = "admin", password = "zoomadsl"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, url.absolute(path, "hag/pages/home.htm"),
                        user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "ZTE F660",
  cpe = "cpe:/h:zte:f660",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("ZTE", 1, true)
           and response.body:lower():find("<title>f660</title>", 1, true)
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    local resp1 = http_get_simple(host, port, path)
    if not (resp1.status == 200 and resp1.body) then return false end
    local ltoken = resp1.body:match("%WgetObj%(%s*['\"]Frm_Logintoken['\"]%s*%)%.value%s*=%s*['\"](%d+)['\"]%s*;")
    if not ltoken then return false end
    local form = {frashnum="",
                  action="login",
                  Frm_Logintoken=ltoken,
                  Username=user,
                  Password=pass}
    local resp2 = http_post_simple(host, port, path, {cookies=resp1.cookies}, form)
    return resp2.status == 302
           and (resp2.header["location"] or ""):find("/start%.ghtml$")
  end
})

table.insert(fingerprints, {
  name = "ZTE ZXV10 I5xx",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("ZTE", 1, true)
           and get_tag(response.body, "form", {name="^flogin$", action="^getpage%.gch%?pid=1001$"})
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    local resp1 = http_get_simple(host, port, path)
    if not (resp1.status == 200 and resp1.body) then return false end
    local stime = resp1.body:match("%Wdocument%.getElementById%(%s*['\"]submittime['\"]%s*%)%.value%s*=%s*['\"](%d+)['\"]%s*;")
    if not stime then return false end
    local form = {submenu=-1,
                  menuPos=-1,
                  nosubmenu=1,
                  nextpage="welcome.gch",
                  nextgch="",
                  nextjs="welcome.js",
                  title="Come In to Configuration",
                  path="Welcome",
                  submittime=stime,
                  tUsername=user,
                  tPassword=pass}
    local resp2 = http_post_simple(host, port,
                                  url.absolute(path, "getpage.gch?pid=1001"),
                                  nil, form)
    return resp2.status == 200
           and (resp2.body or ""):lower():find("<title>[^<]-configuration")
  end
})

table.insert(fingerprints, {
  name = "ZTE ZXV10 W300",
  cpe = "cpe:/o:zte:zxv10_w300_firmware",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return (http_auth_realm(response) or ""):find("^ZXV10 W300$")
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "3Com OfficeConnect VPN Firewall",
  cpe = "cpe:/h:3com:3cr870-95",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("3Com", 1, true)
           and response.body:find("%Wtop%.document%.location%s*=%s*(['\"])[^'\"]-/default%.htm%1")
           and get_tag(response.body, "meta", {["http-equiv"]="^3cnumber$"})
  end,
  login_combos = {
    {username = "", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    local resp = http_post_simple(host, port,
                                 url.absolute(path, "cgi-bin/admin?page=x"),
                                 nil, {AdminPassword=pass,next=10,page="x"})
    return resp.status == 200
           and get_tag(resp.body or "", "input", {name="^tk$"})
  end
})

table.insert(fingerprints, {
  name = "Corega",
  cpe = "cpe:/o:corega:cg-*",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    local realm = http_auth_realm(response) or ""
    return realm:find("^CG%-%u*BAR")
           or realm:find("^corega BAR ")
  end,
  login_combos = {
    {username = "root", password = ""}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "Netgear ProSafe Firewall FVS318",
  cpe = "cpe:/h:netgear:fvs318",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.header["server"] == "Netgear"
           and response.body
           and get_tag(response.body, "frame", {src="^top%.html$"})
  end,
  login_combos = {
    {username = "admin", password = "password"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, url.absolute(path, "top.html"),
                        user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "Netgear ProSafe Firewall FVS318G, SRX5308",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    local lurl = url.absolute(path, "scgi-bin/platform.cgi")
    if not (response.status == 200
           and response.body
           and response.body:find(lurl, 1, true)
           and get_refresh_url(response.body, "/scgi%-bin/platform%.cgi$")) then
      return false
    end
    local resp = http_get_simple(host, port, lurl)
    return resp.status == 200
           and resp.body
           and resp.body:find("NETGEAR", 1, true)
           and get_tag(resp.body, "input", {name="^USERDBUsers%.UserName$"})
  end,
  login_combos = {
    {username = "admin", password = "password"},
    {username = "guest", password = "password"}
  },
  login_check = function (host, port, path, user, pass)
    local lurl = url.absolute(path, "scgi-bin/platform.cgi")
    local header = {["User-Agent"]="Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko",
                    ["Referer"]=url.build(url_build_defaults(host, port, {path=lurl}))}
    local form = stdnse.output_table()
    form.thispage = "index.htm"
    form["USERDBUsers.UserName"] = user
    form["USERDBUsers.Password"] = pass
    form["USERDBDomains.Domainname"] = "geardomain"
    form["button.login.USERDBUsers.router_status"] = "Login"
    form["Login.userAgent"] = header["User-Agent"]
    local resp = http_post_simple(host, port, lurl, {header=header}, form)
    if resp.status == 200
       and get_tag(resp.body or "", "input", {type="^hidden$", name="^thispage$", value="^forcedLogin%.htm$"}) then
      stdnse.debug1("User '%s' already logged in; credentials cannot be tested", user)
      return false
    end
    return resp.status == 200
           and get_cookie(resp, "TeamF1Login", "^%w+$")
  end
})

table.insert(fingerprints, {
  name = "Netgear Router (legacy)",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return (http_auth_realm(response) or ""):find("^R[PT][13]1[14]$")
  end,
  login_combos = {
    {username = "admin", password = "1234"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "Netgear Router",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    local realm = http_auth_realm(response) or ""
    return realm:find("^NETGEAR %u+%d+[%w-]+%s*$")
           or realm == "Netgear"
           or realm == "FR114P"
  end,
  login_combos = {
    {username = "admin", password = "password"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "Netgear ProSafe Plus Switch",
  cpe = "cpe:/h:netgear:gs108*",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("loginTData", 1, true)
           and response.body:lower():find("<title>netgear ", 1, true)
  end,
  login_combos = {
    {username = "", password = "password"}
  },
  login_check = function (host, port, path, user, pass)
    local resp = http_post_simple(host, port, url.absolute(path, "login.cgi"),
                                 nil, {password=pass})
    return resp.status == 200 and get_cookie(resp, "GS108SID", ".")
  end
})

table.insert(fingerprints, {
  name = "Netgear Smart Switch",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("document.forms[0].pwd.focus();", 1, true)
           and response.body:lower():find("%saction%s*=%s*(['\"])[^'\"]-/base/%w+_login%.html%1")
           and response.body:lower():find("<title>netgear ", 1, true)
  end,
  login_combos = {
    {username = "", password = "password"}
  },
  login_check = function (host, port, path, user, pass)
    local resp1 = http_get_simple(host, port, path)
    if not (resp1.status == 200 and resp1.body) then return false end
    local lurl = resp1.body:match("['\"]([^'\"]-/base/%w+_login%.html)")
    if not lurl then return false end
    local button = lurl:find("main_login", 1, true) and "" or "_button"
    local form = {pwd=pass,
                  ["login" .. button .. ".x"]=0,
                  ["login" .. button .. ".y"]=0,
                  err_flag=0,
                  err_msg=""}
    local resp2 = http_post_simple(host, port, lurl, nil, form)
    return resp2.status == 200 and get_cookie(resp2, "SID", ".")
  end
})

table.insert(fingerprints, {
  name = "Netgear Intelligent Edge",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("document.forms[0].uname.focus();", 1, true)
           and response.body:lower():find("%saction%s*=%s*(['\"])[^'\"]-/base/%w+_login%.html%1")
           and response.body:lower():find("<title>netgear ", 1, true)
  end,
  login_combos = {
    {username = "admin", password = ""}
  },
  login_check = function (host, port, path, user, pass)
    local resp1 = http_get_simple(host, port, path)
    if not (resp1.status == 200 and resp1.body) then return false end
    local lurl = resp1.body:match("['\"]([^'\"]-/base/%w+_login%.html)")
    if not lurl then return false end
    local form = {uname=user,
                  pwd=pass,
                  ["login_button.x"]=0,
                  ["login_button.y"]=0,
                  err_flag=0,
                  err_msg="",
                  submt=""}
    local resp2 = http_post_simple(host, port, lurl, nil, form)
    return resp2.status == 200 and get_cookie(resp2, "SID", ".")
  end
})

table.insert(fingerprints, {
  name = "Netgear Gigabit Enterprise Switch",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("/base/web_main.html", 1, true)
           and response.body:lower():find("<title>netgear system login</title>", 1, true)
  end,
  login_combos = {
    {username = "admin", password = ""}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, url.absolute(path, "base/web_main.html"),
                        user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "PLANET Smart Gigabit Switch",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find(">Welcome to PLANET ", 1, true)
           and get_tag(response.body, "form", {action="/pass$"})
  end,
  login_combos = {
    {username = "", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    local form = {password=pass,
                  x=0,
                  y=0}
    local resp = http_post_simple(host, port, url.absolute(path, "pass"),
                                 nil, form)
    if not (resp.status == 200
           and get_tag(resp.body or "", "frame", {src="/planet%.htm$"})) then
      return false
    end
    http_get_simple(host, port, url.absolute(path, "logout?submit=Apply"))
    return true
  end
})

table.insert(fingerprints, {
  name = "PLANET Managed Switch (var.1)",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    local server = response.header["server"] or ""
    return (http_auth_realm(response) or ""):find("^Loging?$")
           and (server == "Vitesse Web Server"
             or server == "WebServer")
           and response.body
           and response.body:find(">Authorization required to access this URL.<", 1, true)
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "PLANET Managed Switch (var.2)",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    local loc = (response.header["location"] or ""):gsub("^https?://[^/]*", "")
    if not (response.status == 302
           and loc:find("/default%.html$")) then
      return false
    end
    local resp = http_get_simple(host, port, loc)
    return resp.status == 200
           and resp.body
           and resp.body:find("1366X768", 1, true)
           and resp.body:lower():find("<title>switch web management (1366x768 is recommended)</title>", 1, true)
           and get_tag(resp.body, "form", {action="/goform/WebSetting%.html$"})
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    local form = {name=user,
                  pwd=pass,
                  app="login"}
    local resp = http_post_simple(host, port,
                                  url.absolute(path, "goform/WebSetting.html"),
                                  nil, form)
    return resp.status == 203
           and resp.body
           and get_tag(resp.body, "frame", {src="/frontboard%.html$"})
  end
})

table.insert(fingerprints, {
  name = "PLANET Managed Switch (var.3)",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("/cgi-bin/get.cgi?cmd=portlink&lg=", 1, true)
           and get_tag(response.body, "frame", {src="/cgi%-bin/get%.cgi%?cmd=portlink&lg=%w+$"})
           and response.body:lower():find("<title>managed switch</title>", 1, true)
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port,
                        url.absolute(path, "cgi-bin/get.cgi?cmd=portlink&lg=en"),
                        user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "PLANET Wireless Router",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("PLANET Technology", 1, true)
           and response.body:find("(['\"])dataCenter%.js%1")
           and response.body:find("%Wauth_action%s*:%s*(['\"])login%1")
  end,
  login_combos = {
    {username = "admin", password = "admin"},
    {username = "admin", password = ""}
  },
  login_check = function (host, port, path, user, pass)
    local form = {username=user,
                  password=base64.enc(pass:gsub("%s", "@")),
                  getPage="index.html",
                  action="Apply",
                  auth_action="login",
                  mode="AUTH",
                  _flg=0}
    local resp = http_post_simple(host, port,
                                  url.absolute(path, "postCenter.js"),
                                  nil, form)
    if not (resp.status == 200 and resp.body) then return false end
    local jstatus, jout = json.parse(resp.body:gsub("'", "\""))
    if not (jstatus and jout.result == "0") then return false end
    http_get_simple(host, port, url.absolute(path, "login.html"))
    return true
  end
})

table.insert(fingerprints, {
  name = "Rubytech chassis",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("fake_server.html", 1, true)
           and get_tag(response.body, "form", {action="^fake_server%.html$"})
           and get_tag(response.body, "input", {name="^textpass$"})
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    local form = stdnse.output_table()
    form.textuser=user
    form.textpass=pass
    form.Submit="Login"
    form.randstr=math.random()
    local resp = http_post_simple(host, port,
                                 url.absolute(path, "fake_server.html"),
                                 nil, form)
    return resp.status == 200
           and (resp.body or ""):find("%Wlocation%.href%s*=%s*['\"][^'\"]-/main_frame%.html%?")
  end
})

table.insert(fingerprints, {
  name = "ZyXEL Prestige",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    local realm = http_auth_realm(response) or ""
    return realm:find("^Prestige ")
           or realm:find("^P[%u-]*645ME")
  end,
  login_combos = {
    {username = "admin", password = "1234"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "ZyXEL ZyNOS",
  cpe = "cpe:/o:zyxel:zynos_firmware",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return have_openssl
           and response.status == 200
           and (response.header["server"] or ""):find("^RomPager/%d+%.")
           and response.body
           and response.body:find("rpAuth.html", 1, true)
           and response.body:find("%WchangeURL%(%s*(['\"])[^'\"]-%f[%w]rpAuth%.html%1%s*%)")
  end,
  login_combos = {
    {username = "", password = "1234"}
  },
  login_check = function (host, port, path, user, pass)
    local form = {LoginPassword="ZyXEL ZyWALL Series",
                  hiddenPassword=stdnse.tohex(openssl.md5(pass)),
                  Prestige_Login="Login"}
    local resp = http_post_simple(host, port,
                                 url.absolute(path, "Forms/rpAuth_1"),
                                 nil, form)
    return resp.status == 303
           and (resp.header["location"] or ""):find("/passWarning%.html$")
  end
})

table.insert(fingerprints, {
  name = "ZyXEL USG",
  cpe = "cpe:/o:zyxel:usg*",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("/ext-js/images/usg/", 1, true)
           and get_tag(response.body, "input", {name="^loginTosslvpn$"})
  end,
  login_combos = {
    {username = "admin", password = "1234"},
    {username = "zyfwp", password = "PrOw!aN_fXp"}
  },
  login_check = function (host, port, path, user, pass)
    local form = {username=user,
                  pwd=pass,
                  pwd_r="",
                  password=pass,
                  loginTosslvpn="false"}
    local resp = http_post_simple(host, port, path, nil, form)
    return resp.status == 302
           and get_cookie(resp, "authtok", "^[%w+-]+$")
  end
})

table.insert(fingerprints, {
  name = "ZyXEL NXC",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("fake_safari_username", 1, true)
           and get_tag(response.body, "input", {name="^loginTosslvpn$"})
  end,
  login_combos = {
    {username = "zyfwp", password = "PrOw!aN_fXp"},
    {username = "admin", password = "1234"},
  },
  login_check = function (host, port, path, user, pass)
    local form = {fake_safari_username="",
                  fake_safari_password="",
                  username=user,
                  pwd=pass,
                  password=pass,
                  f_ui_lang=""}
    local resp = http_post_simple(host, port, path, nil, form)
    return resp.status == 302
           and get_cookie(resp, "authtok", "^[%w+-]+$")
  end
})

table.insert(fingerprints, {
  name = "ZyXEL VMG",
  cpe = "cpe:/o:zyxel:vmg*",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 401
           and get_cookie(response, "Session", "^%d+$")
           and response.body
           and response.body:find("/js/zyxelhelp.js", 1, true)
           and get_tag(response.body, "script", {src="/js/zyxelhelp%.js$"})
  end,
  login_combos = {
    {username = "admin", password = "1234"},
  },
  login_check = function (host, port, path, user, pass)
    local resp1 = http_get_simple(host, port, path)
    if not (resp1.status == 401 and get_cookie(resp1, "Session", "^%d+$")) then
      return false
    end
    table.insert(resp1.cookies, {name = "Authentication", value = url.escape(base64.enc(user .. ":" .. pass))})
    local resp2 = http_get_simple(host, port, url.absolute(path, "init"),
                                 {cookies=resp1.cookies})
    return resp2.status == 200
  end
})

table.insert(fingerprints, {
  name = "Adtran NetVanta",
  cpe = "cpe:/h:adtran:netvanta_*",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return (http_auth_realm(response) or ""):find("^NetVanta %d+%f[ \0]")
  end,
  login_combos = {
    {username = "admin", password = "password"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "Siemens Gigaset SX762/763",
  cpe = "cpe:/h:siemens:gigaset_sx76*",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 303
           and (response.header["server"] or ""):find("^SiemensGigaset%-Server/%d+%.")
           and (response.header["location"] or ""):find("/UE/welcome_login%.html$")
  end,
  login_combos = {
    {username = "", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    local form = {form_submission_type="login",
                  form_submission_parameter="",
                  current_page="welcome_login.html",
                  next_page="home_security.html",
                  i=1,
                  admin_role_name="administrator",
                  operator_role_name="operator",
                  subscriber_role_name="subscriber",
                  choose_role=0,
                  your_password=pass,
                  Login="OK"}
    local resp = http_post_simple(host, port,
                                 url.absolute(path, "UE/ProcessForm"),
                                 nil, form)
    return resp.status == 303
           and (resp.header["location"] or ""):find("/UE/home_security%.html$")
  end
})

table.insert(fingerprints, {
  name = "Siemens Scalance X-200",
  cpe = "cpe:/o:siemens:scalance_x-200_series_firmware",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return have_openssl
           and response.status == 200
           and get_cookie(response, "siemens_ad_session", "^%x+")
           and response.body
           and response.body:find(" SCALANCE X ", 1, true)
           and get_tag(response.body, "input", {name="^nonceA$"})
  end,
  login_combos = {
    {username = "admin", password = "admin"},
    {username = "user",  password = "user"}
  },
  login_check = function (host, port, path, user, pass)
    local resp1 = http_get_simple(host, port, path)
    if not (resp1.status == 200 and resp1.body) then return false end
    local nonce = get_tag(resp1.body, "input", {name="^nonceA$", value="^%x+$"})
    if not nonce then return false end
    local auth = stdnse.tohex(openssl.md5(table.concat({user, pass, nonce.value}, ":")))
    local resp2 = http_post_simple(host, port, path, {cookies=resp1.cookies},
                                  {encoded=user..":"..auth, nonceA=nonce.value})
    return resp2.status == 200
           and (resp2.body or ""):find("%Wlocation%.href%s*=%s*(['\"])index1%.html%1")
  end
})

table.insert(fingerprints, {
  name = "Siemens Scalance M873/M875",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return (http_auth_realm(response) or ""):find("^SCALANCE M%-?87%d%f[%D]")
  end,
  login_combos = {
    {username = "admin", password = "scalance"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, true)
  end
})

table.insert(fingerprints, {
  name = "Siemens RUGGEDCOM WIN",
  cpe = "cpe:/h:siemens:ruggedcom_win*",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return http_auth_realm(response) == ""
           and get_cookie(response, "sessionId", "^%d+$")
           and (response.header["server"] or ""):find("^BS/%d+%.")
  end,
  login_combos = {
    {username = "admin", password = "generic"}
  },
  login_check = function (host, port, path, user, pass)
    local resp1 = http_get_simple(host, port, path)
    if not get_cookie(resp1, "sessionId", "^%d+$") then return false end
    local resp2 = http_get_simple(host, port, path,
                                  {cookies=resp1.cookies,
                                  auth={username=user,password=pass}})
    return resp2.status == 200
           and get_refresh_url(resp2.body, "/0/m%d+$")
  end
})

table.insert(fingerprints, {
  name = "Siemens RUGGEDCOM ROS (var.1)",
  cpe = "cpe:/o:siemens:ruggedcom_rugged_operating_system",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    local loc = (response.header["location"] or ""):gsub("^https?://[^/]*", "")
    if not (response.status == 302
           and loc:find("/InitialPage%.asp$")) then
      return false
    end
    local resp = http_get_simple(host, port, loc)
    return resp.status == 200
           and resp.body
           and resp.body:find("RuggedSwitch Operating System", 1, true)
           and get_tag(resp.body, "a", {href="^Menu%.asp%?UID=%d+$"})
  end,
  login_combos = {
    {username = "admin",    password = "admin"},
    {username = "operator", password = "operator"},
    {username = "guest",    password = "guest"}
  },
  login_check = function (host, port, path, user, pass)
    local resp1 = http_get_simple(host, port,
                                 url.absolute(path, "InitialPage.asp"))
    if not (resp1.status == 200 and resp1.body) then return false end
    local llink = get_tag(resp1.body, "a", {href="^Menu%.asp%?UID=%d+$"})
    if not llink then return false end
    local lurl = url.absolute(path, llink.href)
    local resp2 = http_get_simple(host, port, lurl)
    if resp2.status ~= 401 then return false end
    return try_http_auth(host, port, lurl, user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "Siemens RUGGEDCOM ROS (var.2)",
  cpe = "cpe:/o:siemens:ruggedcom_rugged_operating_system",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    local loc = (response.header["location"] or ""):gsub("^https?://[^/]*", "")
    if not (response.status == 302
           and loc:find("/InitialPage%.asp$")) then
      return false
    end
    local resp = http_get_simple(host, port, loc)
    return resp.status == 200
           and resp.body
           and resp.body:find("goahead.gif", 1, true)
           and resp.body:find("LogIn", 1, true)
           and get_tag(resp.body, "form", {action="/goform/postLoginData%?UID=%d+$"})
  end,
  login_combos = {
    {username = "admin",    password = "admin"},
    {username = "operator", password = "operator"},
    {username = "guest",    password = "guest"}
  },
  login_check = function (host, port, path, user, pass)
    local resp1 = http_get_simple(host, port,
                                 url.absolute(path, "InitialPage.asp"))
    if not (resp1.status == 200 and resp1.body) then return false end
    local frm = get_tag(resp1.body, "form", {action="/goform/postLoginData%?UID=%d+$"})
    if not frm then return false end
    local form = {User=user,
                  Password=pass,
                  choice="LogIn"}
    local resp2 = http_post_simple(host, port, url.absolute(path, frm.action),
                                  nil, form)
    return (resp2.status == 203 or resp2.status == 200)
           and get_tag(resp2.body or "", "a", {href="/logout%.asp%?uid=%d+$"})
  end
})

table.insert(fingerprints, {
  name = "Siemens RUGGEDCOM ROX",
  category = "routers",
  paths = {
    {path = "/login.html"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("/skins/macified/styles/master.css", 1, true)
           and response.body:find("confdLogin();", 1, true)
           and get_tag(response.body, "a", {onclick="^confdlogin%(%);"})
           and get_tag(response.body, "body", {onload="^loadbannercontent%(%);"})
  end,
  login_combos = {
    {username = "admin", password = "admin"},
    {username = "oper",  password = "oper"},
    {username = "guest", password = "guest"}
  },
  login_check = function (host, port, path, user, pass)
    local resp = http_post_simple(host, port, url.absolute(path, "confd/login"),
                                 nil, {user=user,passwd=pass})
    return resp.status == 200
           and (resp.body or ""):find("^(['\"])sess%d+%1$")
  end
})

table.insert(fingerprints, {
  name = "VideoFlow DVP",
  category = "routers",
  paths = {
    {path = "/login.html"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("/skins/macified/styles/master.css", 1, true)
           and response.body:find("confdLogin();", 1, true)
           and get_tag(response.body, "a", {onclick="^confdlogin%(%);"})
           and get_tag(response.body, "body", {onload="^document%.form%.username%.focus%(%);"})
  end,
  login_combos = {
    {username = "root",    password = "videoflow"},
    {username = "admin",   password = "admin"},
    {username = "oper",    password = "oper"},
    {username = "private", password = "private"},
    {username = "public",  password = "public"},
    {username = "devel",   password = "leved"}
  },
  login_check = function (host, port, path, user, pass)
    local resp = http_post_simple(host, port, url.absolute(path, "confd/login"),
                                 nil, {user=user,passwd=pass})
    return resp.status == 200
           and (resp.body or ""):find("^(['\"])sess%d+%1$")
  end
})

table.insert(fingerprints, {
  name = "Foxconn Femtocell",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("login.cgi", 1, true)
           and get_tag(response.body, "form", {action="^cgi%-bin/login%.cgi$"})
           and response.body:lower():find("<title>femtocell management system</title>", 1, true)
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    local form = stdnse.output_table()
    form.username = user
    form.password = pass
    form.Submit = "Login"
    local lurl = "cgi-bin/login.cgi?" .. url.build_query(form)
    local resp = http_get_simple(host, port, url.absolute(path, lurl))
    return resp.status == 200
           and get_cookie(resp, "sessionID", ".")
           and (resp.body or ""):find("%Wwindow%.location%s*=%s*(['\"])mainFrame%.cgi%1")
  end
})

table.insert(fingerprints, {
  name = "Datum Systems SnIP",
  cpe = "cpe:/o:datumsystems:snip",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return (http_auth_realm(response) or ""):find("^SnIP%d+$")
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "Option GlobeSurfer II",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return have_openssl
           and response.status == 200
           and response.body
           and response.body:find("GlobeSurfer II", 1, true)
           and response.body:find("%Wf%.action%s*=%s*(['\"])[^'\"]-/cache/%d+/upgrade%.cgi%1")
           and get_cookie(response, "session_id", "^%d+$")
  end,
  login_combos = {
    {username = "admin", password = "admin"},
    {username = "admin", password = ""}
  },
  login_check = function (host, port, path, user, pass)
    local resp1 = http_get_simple(host, port, path)
    if not (resp1.status == 200 and resp1.body) then return false end
    local page2 = get_tag(resp1.body, "input", {name="^active_page$", value="^%d+$"})
    local url2 = resp1.body:match(".*%Wfunction%s+mimic_button%s*%([^}]-%Wcase%s+0%s*:[^}]-%Wf%.action%s*=%s*['\"]([^'\"]-/cache/%d+/index%.cgi)['\"]")
    if not (page2 and url2) then return false end
    local form2 = {active_page=page2.value,
                   prev_page=0,
                   page_title="Connection status",
                   nav_stack_0=page2.value,
                   mimic_button_field="sidebar: sidebar_logout..",
                   button_value="",
                   transaction_id=0}
    local resp2 = http_post_simple(host, port, url2,
                                  {cookies=resp1.cookies}, form2)
    if not (resp2.status == 200 and resp2.body) then return false end
    local authkey = get_tag(resp2.body, "input", {name="^auth_key$", value="^%d+$"})
    local transid = get_tag(resp2.body, "input", {name="^transaction_id$", value="^%d+$"})
    local page3 = get_tag(resp2.body, "input", {name="^active_page$", value="^%d+$"})
    local url3 = resp2.body:match(".*%Wfunction%s+mimic_button%s*%([^}]-%Wcase%s+0%s*:[^}]-%Wf%.action%s*=%s*['\"]([^'\"]-/cache/(%d+)/index%.cgi)['\"]")
    if not (authkey and transid and page3 and url3) then return false end
    local form3 = {active_page=page3.value,
                   prev_page=page2.value,
                   page_title="Login",
                   nav_stack_0=page3.value,
                   ["nav_" .. page3.value .. "_button_value"]="sidebar_logout",
                   mimic_button_field="submit_button_login_submit: ..",
                   button_value="sidebar_logout",
                   transaction_id=transid.value,
                   lang=0,
                   user_name=user,
                   ["password_" .. get_cookie(resp2, "session_id")]="",
                   md5_pass=stdnse.tohex(openssl.md5(pass .. authkey.value)),
                   auth_key=authkey.value}
    local resp3 = http_post_simple(host, port, url3,
                                  {cookies=resp2.cookies}, form3)
    return resp3.status == 200
           and (resp3.body or ""):find("sidebar%5Fadvanced..", 1, true)
  end
})

table.insert(fingerprints, {
  name = "Option GlobeSurfer III",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return have_openssl
           and response.status == 200
           and response.body
           and response.body:find("md5_pass", 1, true)
           and response.body:lower():find("<title>[^<]-globesurfer%W")
           and get_cookie(response, "rg_cookie_session_id", "^%d+$")
  end,
  login_combos = {
    {username = "admin", password = "admin"},
    {username = "admin", password = ""}
  },
  login_check = function (host, port, path, user, pass)
    local resp1 = http_get_simple(host, port, path)
    if not (resp1.status == 200 and resp1.body) then return false end
    local authkey = get_tag(resp1.body, "input", {name="^auth_key$", value="^%d+$"})
    if not authkey then return false end
    local form = {active_page="page_login",
                  prev_page="",
                  page_title="Login",
                  mimic_button_field="submit_button_login_submit: ..",
                  button_value="",
                  strip_page_top=0,
                  page_title_text="Login",
                  page_icon_number=30,
                  defval_lang=0,
                  defval_username="",
                  md5_pass=stdnse.tohex(openssl.md5(pass .. authkey.value)),
                  auth_key=authkey.value,
                  lang=0,
                  username=user,
                  ["password_" .. get_cookie(resp1, "rg_cookie_session_id")]=""}
    local resp2 = http_post_simple(host, port, url.absolute(path, "index.cgi"),
                  {cookies=resp1.cookies}, form)
    return resp2.status == 302
           and (resp2.header["location"] or ""):find("active%5fpage=page%5fhome", 1, true)
  end
})

table.insert(fingerprints, {
  name = "Digi TransPort",
  category = "routers",
  paths = {
    {path = "/login.asp"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("TransPort WR", 1, true)
           and response.body:lower():find("<title>transport wr", 1, true)
           and get_cookie(response, "SID", "^%x+$")
  end,
  login_combos = {
    {username = "username", password = "password"}
  },
  login_check = function (host, port, path, user, pass)
    local resp1 = http_get_simple(host, port, path)
    if not (resp1.status == 200 and resp1.cookies) then return false end
    local form = {username=user,
                  password=pass,
                  login="LOG IN"}
    local resp2 = http_post_simple(host, port, path,
                                  {cookies=resp1.cookies}, form)
    return resp2.status == 302
           and (resp2.header["location"] or ""):find("/default%.asp$")
  end
})

table.insert(fingerprints, {
  name = "Digi ConnectPort",
  category = "routers",
  paths = {
    {path = "/login.htm"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("ConnectPort", 1, true)
           and response.body:lower():find("<title>%s*connectport%W")
           and get_tag(response.body, "form", {action="/Forms/login_1$"})
  end,
  login_combos = {
    {username = "root", password = "dbps"}
  },
  login_check = function (host, port, path, user, pass)
    local resp1 = http_get_simple(host, port, path)
    if resp1.status ~= 200 then return false end
    local form = get_form_fields(resp1.body, {action="/Forms/login_1$"})
    if not form then return false end
    form.username = user
    form.password = pass
    form.btLogin = "Login"
    local resp2 = http_post_simple(host, port,
                                  url.absolute(path, "Forms/login_1"),
                                  {cookies=resp1.cookies}, form)
    return resp2.status == 303
           and (resp2.header["location"] or ""):find("/home%.htm$")
  end
})

table.insert(fingerprints, {
  name = "Digi ConnectPort (no auth)",
  category = "routers",
  paths = {
    {path = "/login.htm"}
  },
  target_check = function (host, port, path, response)
    if not (response.status == 303
           and (response.header["location"] or ""):find("/home%.htm$")) then
      return false
    end
    local resp = http_get_simple(host, port, url.absolute(path, "home.htm"))
    return resp.status == 200
           and resp.body
           and resp.body:find("ConnectPort", 1, true)
           and resp.body:lower():find("<title>%s*connectport%W")
           and get_tag(resp.body, "a", {href="/admin/logout%.htm$"})
  end,
  login_combos = {
    {username = "", password = ""}
  },
  login_check = function (host, port, path, user, pass)
    return true
  end
})

table.insert(fingerprints, {
  name = "Sea Tel MXP",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.header["server"] == "Micro Digital Web Server"
           and response.body
           and response.body:find("MXP", 1, true)
           and response.body:lower():find("%Wwindow%.location%.href%s*=%s*(['\"])login%.html%1")
  end,
  login_combos = {
    {username = "Dealer",   password = "seatel1"},
    {username = "SysAdmin", password = "seatel2"},
    {username = "User",     password = "seatel3"}
  },
  login_check = function (host, port, path, user, pass)
    local form = {uId=user,
                  uPwd=pass,
                  uLoginMode="in",
                  callConter=0}
    local resp = http_post_simple(host, port,
                                 url.absolute(path, "cgi-bin/userValidate"),
                                 nil, form)
    return resp.status == 200
           and (resp.body or ""):find("^%s*%^true%s*$")
  end
})

table.insert(fingerprints, {
  name = "Thrane & Thrane Sailor 900 VSAT (var.1)",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and get_cookie(response, "tt_adm", "^%l+$")
           and response.body
           and get_tag(response.body, "form", {action="%?pageid=%w+$"})
           and get_tag(response.body, "input", {name="^pass_login$"})
  end,
  login_combos = {
    {username = "admin", password = "1234"}
  },
  login_check = function (host, port, path, user, pass)
    local resp1 = http_get_simple(host, port, path)
    if not (resp1.status == 200 and resp1.body) then return false end
    local frm = get_tag(resp1.body, "form", {action="%?pageid=%w+$"})
    if not frm then return false end
    local resp2 = http_post_simple(host, port, url.absolute(path, frm.action),
                                  nil, {user_login=user,pass_login=pass})
    return resp2.status == 200
           and url.unescape(get_cookie(resp2, "tt_adm", "%%3[Aa]") or ""):find(":" .. user .. ":", 1, true)
  end
})

table.insert(fingerprints, {
  name = "Thrane & Thrane Sailor 900 VSAT (var.2)",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and get_cookie(response, "tt_adm", "^%l+$")
           and response.body
           and response.body:find("900 VSAT", 1, true)
           and get_tag(response.body, "a", {href="%?pageid=administration$"})
  end,
  login_combos = {
    {username = "admin", password = "1234"}
  },
  login_check = function (host, port, path, user, pass)
    local resp1 = http_get_simple(host, port, path)
    if not (resp1.status == 200 and resp1.body) then return false end
    local llink = get_tag(resp1.body, "a", {href="%?pageid=administration$"})
    if not llink then return false end
    local resp2 = http_post_simple(host, port, url.absolute(path, llink.href),
                                  nil, {user_login=user,pass_login=pass})
    return resp2.status == 200
           and url.unescape(get_cookie(resp2, "tt_adm", "%%3[Aa]") or ""):find(":" .. user .. ":", 1, true)
  end
})

table.insert(fingerprints, {
  name = "Ubiquiti AirOS",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    if not (response.status == 302
           and (response.header["location"] or ""):find("/cookiechecker?uri=/", 1, true)) then
      return false
    end
    for _, ck in ipairs(response.cookies or {}) do
      if ck.name == "AIROS_SESSIONID" or ck.name:find("^AIROS_%x+$") then
        return ck.value:find("^%x+$")
      end
    end
    return false
  end,
  login_combos = {
    {username = "ubnt", password = "ubnt"}
  },
  login_check = function (host, port, path, user, pass)
    local resp = http_post_multipart(host, port,
                                    url.absolute(path, "login.cgi"), nil,
                                    {uri=path, username=user, password=pass})
    return resp.status == 302
           and resp.header["location"] == path
  end
})

table.insert(fingerprints, {
  name = "Ubiquiti EdgeOS",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find(">EdgeOS<", 1, true)
           and response.body:find("%WEDGE%.Config%s*=")
           and response.body:lower():find("<title>edgeos</title>")
  end,
  login_combos = {
    {username = "ubnt", password = "ubnt"}
  },
  login_check = function (host, port, path, user, pass)
    local resp = http_post_simple(host, port, path, nil,
                                 {username=user,password=pass})
    return (resp.status == 302 or resp.status == 303)
           and (resp.header["location"] or ""):sub(-#path) == path
           and get_cookie(resp, "PHPSESSID", "^%w+$")
  end
})

table.insert(fingerprints, {
  name = "Ubiquiti EdgeSwitch",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find(">Ubiquiti EdgeSwitch<", 1, true)
           and response.body:lower():find("<title>ubiquiti edgeswitch</title>")
           and get_tag(response.body, "script", {src="/static/scripts/bundle%-%x+%.js$"})
  end,
  login_combos = {
    {username = "ubnt", password = "ubnt"}
  },
  login_check = function (host, port, path, user, pass)
    local header = {["Referer"]=url.build(url_build_defaults(host, port, {path=path})),
                    ["Content-Type"]="application/json",
                    ["Accept"]="application/json, text/plain, */*"}
    local jin = {username=user, password=pass}
    json.make_object(jin)
    local resp = http_post_simple(host, port,
                                 url.absolute(path, "api/v1.0/user/login"),
                                 {header=header}, json.generate(jin))
    return resp.status == 200
           and (resp.header["x-auth-token"] or ""):find("^%x+$")
  end
})

table.insert(fingerprints, {
  name = "Microhard Systems (var.1)",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 401
           and response.body
           and get_tag_html(response.body, "a") == "httpd-ssl-1.0.0"
  end,
  login_combos = {
    {username = "admin",    password = "admin"},
    {username = "upgrade",  password = "admin"},
    {username = "msshc",    password = "msshc"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "Microhard Systems (var.2)",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 401
           and response.body == "Authorization Required\n"
           and response.header["keep-alive"] == "timeout=20"
           and (response.header["www-authenticate"] or ""):find("^Basic%s")
  end,
  login_combos = {
    {username = "admin",    password = "admin"},
    {username = "admin",    password = "tamaani"},
    {username = "upgrade",  password = "admin"},
    {username = "testlab",  password = "testlab"},
    {username = "testlab1", password = "testlab1"},
    {username = "msshc",    password = "msshc"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "Microhard Systems (var.3)",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("cgi-bin/webif/system-info.sh", 1, true)
           and get_refresh_url(response.body, "%f[%w]cgi%-bin/webif/system%-info%.sh$")
  end,
  login_combos = {
    {username = "admin",    password = "admin"},
    {username = "admin",    password = "tamaani"},
    {username = "upgrade",  password = "admin"},
    {username = "testlab",  password = "testlab"},
    {username = "testlab1", password = "testlab1"},
    {username = "msshc",    password = "msshc"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port,
                        url.absolute(path, "cgi-bin/webif/system-info.sh"),
                        user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "NetComm ADSL router",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return (http_auth_realm(response) or ""):find("^NetComm ")
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "Netcomm NTC",
  category = "routers",
  paths = {
    {path = "/index.html"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("NetComm", 1, true)
           and response.body:lower():find("/netcomm_gui_banner.jpg", 1, true)
           and get_cookie(response, "_appwebSessionId_", "^%x+$")
  end,
  login_combos = {
    {username = "root", password = "admin"},
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    local resp = http_post_simple(host, port, path, nil,
                                 {username=user,password=pass})
    return resp.status == 302
           and (resp.header["location"] or ""):find("/st[as]tus%.html%f[?\0]")
  end
})

table.insert(fingerprints, {
  name = "Netcomm 3G17Wn",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find(">3G17Wn", 1, true)
           and get_cookie(response, "_appwebSessionId_", "^%x+$")
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    local resp = http_post_simple(host, port, path, nil,
                                 {username=user,password=pass})
    return resp.status == 302
           and (resp.header["location"] or ""):find("/adm/status%.asp$")
  end
})

table.insert(fingerprints, {
  name = "NetComm 3G21WB",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("3G21WB", 1, true)
           and response.body:lower():find("<title>3g21wb", 1, true)
           and get_tag(response.body, "frame", {src="^menu%.html$"})
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, url.absolute(path, "menu.html"),
                        user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "NetComm 3G42WT",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("3G42WT", 1, true)
           and response.body:lower():find("<title>3g42wt", 1, true)
           and get_tag(response.body, "frame", {src="^login%.html$"})
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, url.absolute(path, "login.html"),
                        user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "PacketFront DRG600",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return http_auth_realm(response) == "drg600.wifi"
  end,
  login_combos = {
    {username = "admin", password = ""}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "Airlink ACEmanager",
  cpe = "cpe:/h:sierrawireless:airlink_mp_*",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("Sierra Wireless AirLink", 1, true)
           and response.body:lower():find("<title>:+%s+acemanager%s+:+</title>")
  end,
  login_combos = {
    {username = "user", password = "12345"}
  },
  login_check = function (host, port, path, user, pass)
    local encuser = xmlencode(user)
    local header = {["Content-Type"]="text/xml"}
    local msg = [=[
      <request xmlns="urn:acemanager">
        <connect>
          <login>__USER__</login>
          <password><![CDATA[__PASS__]]></password>
        </connect>
      </request>
      ]=]
    msg = msg:gsub("%f[^\0\n]%s+", "")
    msg = msg:gsub("__%w+__", {__USER__=encuser, __PASS__=pass})
    local resp = http_post_simple(host, port,
                                 url.absolute(path, "xml/Connect.xml"),
                                 {header=header}, msg)
    return resp.status == 200 and get_cookie(resp, "token", "^%d+$")
  end
})

table.insert(fingerprints, {
  name = "Mimosa Relay",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("Mimosa", 1, true)
           and response.body:find("%Wmimosa%.isConnected%s*=")
  end,
  login_combos = {
    {username = "configure", password = "mimosa"}
  },
  login_check = function (host, port, path, user, pass)
    local resp = http_post_simple(host, port,
                                 path .. "?q=index.login&mimosa_ajax=1",
                                 nil, {username=user,password=pass})
    if not (resp.status == 200 and resp.body) then return false end
    local jstatus, jout = json.parse(resp.body)
    return jstatus and (jout.role or 0) ~= 0
  end
})

table.insert(fingerprints, {
  name = "IRTE Digital Radio Link",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.header["server"] == "Z-World Rabbit"
           and response.body
           and get_tag(response.body, "frame", {src="^objsum00%.html$"})
  end,
  login_combos = {
    {username = "", password = "0000"},
    {username = "", password = "111111"}
  },
  login_check = function (host, port, path, user, pass)
    local form1 = stdnse.output_table()
    form1.infield5 = 1
    form1.infield6 = pass
    local resp1 = http_post_multipart(host, port,
                                     url.absolute(path, "pswd.cgi"), nil, form1)
    if not (resp1.status == 200 and (resp1.body or ""):find("(['\"])password%.html%1")) then
      return false
    end
    local resp2 = http_get_simple(host, port,
                                 url.absolute(path, "password.html"))
    return resp2.status == 200
           and get_tag(resp2.body or "", "input", {name="^infield5$", value="^2$"})
  end
})

table.insert(fingerprints, {
  name = "Motorola AP",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and (response.header["server"] or ""):find("^lighttpd/%d+%.")
           and response.body
           and response.body:find(">Motorola", 1, true)
           and response.body:lower():find("<title>motorola solutions</title>", 1, true)
  end,
  login_combos = {
    {username = "admin", password = "motorola"}
  },
  login_check = function (host, port, path, user, pass)
    local form = {_dc = math.floor(stdnse.clock_ms()),
                  username = user,
                  password = pass}
    local lurl = url.absolute(path, "rest.fcgi/services/rest/login?" .. url.build_query(form))
    local resp = http_get_simple(host, port, lurl)
    if not (resp.status == 200 and resp.body) then return false end
    local jstatus, jout = json.parse(resp.body)
    return jstatus and jout.status
  end
})

table.insert(fingerprints, {
  name = "Motorola RF Switch",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and (response.header["server"] or ""):find("^thttpd/%d+%.")
           and response.body
           and response.body:find(">Motorola", 1, true)
           and response.body:lower():find("<title>motorola wireless network management</title>", 1, true)
  end,
  login_combos = {
    {username = "admin", password = "superuser"}
  },
  login_check = function (host, port, path, user, pass)
    local login = ("J20K34NMMT89XPIJ34S login %s %s"):format(stdnse.tohex(user), stdnse.tohex(pass))
    local lurl = url.absolute(path, "usmCgi.cgi/?" .. url.escape(login))
    local resp = http_get_simple(host, port, lurl)
    return resp.status == 200
           and (resp.body or ""):find("^login 0 ")
  end
})

table.insert(fingerprints, {
  name = "Pakedge C36 Macrocell Controller",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 302
           and response.header["location"] == "./c36/login.php"
  end,
  login_combos = {
    {username = "pakedge", password = "pakedgec"}
  },
  login_check = function (host, port, path, user, pass)
    local form = {rtype="login",
                  username=user,
                  password=pass}
    local resp = http_post_simple(host, port,
                                 url.absolute(path, "c36/ajax/login.php"),
                                 nil, form)
    if not (resp.status == 200 and resp.body) then return false end
    local jstatus, jout = json.parse(resp.body)
    return jstatus and jout.ok
  end
})

table.insert(fingerprints, {
  name = "ArubaOS WebUI",
  cpe = "cpe:/o:arubanetworks:arubaos",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 401
           and response.body
           and response.body:find("/images/arubalogo.gif", 1, true)
           and response.body:find("/screens/wms/wms.login", 1, true)
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    local form = {opcode="login",
                  url="/",
                  needxml=0,
                  uid=user,
                  passwd=pass}
    local resp = http_post_simple(host, port,
                                 url.absolute(path, "screens/wms/wms.login"),
                                 nil, form)
    return resp.status == 200
           and (resp.body or ""):find("/screens/wmsi/monitor.summary.html", 1, true)
  end
})

table.insert(fingerprints, {
  name = "Aruba AirWave",
  cpe = "cpe:/a:arubanetworks:airwave",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("/noauth/theme/airwave/favicon.ico", 1, true)
           and response.body:lower():find("%shref%s*=%s*(['\"])[^'\"]-/mercury%.%d+%.css%1")
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    local form = {credential_0=user,
                  credential_1=pass,
                  destination=url.absolute(path, "index.html")}
    local resp = http_post_simple(host, port, url.absolute(path, "LOGIN"),
                                 nil, form)
    return resp.status == 302
           and (resp.header["location"] or ""):find("/index%.html$")
  end
})

table.insert(fingerprints, {
  name = "Ruckus ZoneDirector 9.x",
  cpe = "cpe:/o:ruckus:zonedirector_firmware",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    local loc = (response.header["location"] or ""):gsub("^https?://[^/]*", "")
    if not (response.status == 302 and loc:find("/admin/login%.jsp$")) then
      return false
    end
    local resp = http_get_simple(host, port, loc)
    return resp.status == 200
           and get_cookie(resp, "-ejs-session-", "^x%x+$")
           and resp.body
           and resp.body:find("ZoneDirector", 1, true)
           and get_tag(resp.body, "a", {href="^https?://www%.ruckuswireless%.com%f[/\0]"})
  end,
  login_combos = {
    {username = "admin", password = "admin"},
    {username = "admin", password = "password"},
    {username = "super", password = "sp-admin"}
  },
  login_check = function (host, port, path, user, pass)
    local lurl = url.absolute(path, "admin/login.jsp")
    local resp1 = http_get_simple(host, port, lurl)
    if resp1.status ~= 200 then return false end
    local form = get_form_fields(resp1.body, {action="^login%.jsp$"})
    if not form then return false end
    form.username = user
    form.password = pass
    form.ok = (get_tag(resp1.body, "input", {type="^submit$", name="^ok$"}) or {}).value
    local resp2 = http_post_simple(host, port, lurl,
                                  {cookies=resp1.cookies}, form)
    return resp2.status == 302
           and (resp2.header["location"] or ""):find("/admin/dashboard%.jsp%f[?\0]")
  end
})

table.insert(fingerprints, {
  name = "Ruckus ZoneDirector 10.x",
  cpe = "cpe:/o:ruckus:zonedirector_firmware",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    local loc = (response.header["location"] or ""):gsub("^https?://[^/]*", "")
    if not (response.status == 302 and loc:find("/admin10/login%.jsp$")) then
      return false
    end
    local resp = http_get_simple(host, port, loc)
    return resp.status == 200
           and get_cookie(resp, "-ejs-session-", "^x%x+$")
           and resp.body
           and resp.body:find("X-Ruckus-Auth", 1, true)
           and get_tag(resp.body, "meta", {["http-equiv"]="^X%-Ruckus%-Auth$"})
  end,
  login_combos = {
    {username = "admin", password = "admin"},
    {username = "admin", password = "password"},
    {username = "super", password = "sp-admin"}
  },
  login_check = function (host, port, path, user, pass)
    local form = {username=user,
                  password=pass,
                  ok=""}
    local resp = http_post_simple(host, port,
                                 url.absolute(path, "admin10/login.jsp"),
                                 nil, form)
    return resp.status == 302
           and (resp.header["location"] or ""):find("/admin10/dashboard%.jsp%f[?\0]")
  end
})

table.insert(fingerprints, {
  name = "Ruckus IoT Controller",
  cpe = "cpe:/a:commscope:ruckus_iot_controller",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    local loc = (response.header["location"] or ""):gsub("^https?://[^/]*", ""):gsub("#.*", "")
    if not (response.status == 302 and loc:find("/refUI/$")) then
      return false
    end
    local resp = http_get_simple(host, port, loc)
    return resp.status == 200
           and resp.body
           and resp.body:find("RIoT Controller", 1, true)
           and resp.body:lower():find("<title>riot controller</title>", 1, true)
           and get_tag(resp.body, "script", {src="/refUI/static/js/main%.%x+.chunk%.js$"})
  end,
  login_combos = {
    {username = "admin", password = "admin"},
    {username = "nplus1user", password = "nplus1user"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port,
                        url.absolute(path, "v1/oauth/login?format=json"),
                        user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "Nortel VPN Router",
  cpe = "cpe:/h:nortel:vpn_router_*",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.header["server"] == "HTTP Server"
           and response.body
           and response.body:find(">Nortel", 1, true)
           and response.body:lower():find("<title>nortel vpn router</title>", 1, true)
  end,
  login_combos = {
    {username = "admin", password = "setup"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, url.absolute(path, "manage/bdy_sys.htm"),
                        user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "pfSense (var.1)",
  cpe = "cpe:/a:bsdperimeter:pfsense",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("/pfsense/login.css", 1, true)
           and get_tag(response.body, "form", {name="^login_iform$"})
  end,
  login_combos = {
    {username = "admin", password = "pfsense"}
  },
  login_check = function (host, port, path, user, pass)
    local form = {usernamefld=user,
                  passwordfld=pass,
                  login="Login"}
    local resp = http_post_simple(host, port, url.absolute(path, "index.php"),
                                 nil, form)
    return resp.status == 302
           and resp.header["location"] == path
           and get_cookie(resp, "PHPSESSID", "^%x+$")
  end
})

table.insert(fingerprints, {
  name = "pfSense (var.2)",
  cpe = "cpe:/a:pfsense:pfsense",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("pfSense", 1, true)
           and get_tag(response.body, "input", {name="^__csrf_magic$"})
  end,
  login_combos = {
    {username = "admin", password = "pfsense"}
  },
  login_check = function (host, port, path, user, pass)
    local resp1 = http_get_simple(host, port, path)
    if not (resp1.status == 200 and resp1.body) then return false end
    local token = get_tag(resp1.body, "input", {type="^hidden$", name="^__csrf_magic$", value=""})
    if not token then return false end
    local form = {[token.name]=token.value,
                  usernamefld=user,
                  passwordfld=pass,
                  login=""}
    local resp2 = http_post_simple(host, port, url.absolute(path, "index.php"),
                                  {cookies=resp1.cookies}, form)
    return resp2.status == 302
           and resp2.header["location"] == path
           and get_cookie(resp2, "PHPSESSID", "^%w+$")
  end
})

table.insert(fingerprints, {
  name = "ScreenOS",
  cpe = "cpe:/o:juniper:netscreen_screenos",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and (response.header["server"] or ""):find("^Virata%-EmWeb/R%d+_")
           and response.body
           and response.body:lower():find("admin_pw", 1, true)
  end,
  login_combos = {
    {username = "netscreen", password = "netscreen"}
  },
  login_check = function (host, port, path, user, pass)
    local form = {admin_id="",
                  admin_pw="",
                  time=tostring(math.floor(stdnse.clock_ms())):sub(5),
                  un=base64.enc(user),
                  pw=base64.enc(pass)}
    local resp = http_post_simple(host, port, url.absolute(path, "index.html"),
                                 nil, form)
    return resp.status == 303
           and (resp.header["location"] or ""):find("/nswebui.html?", 1, true)
  end
})

table.insert(fingerprints, {
  name = "Juniper Web Device Manager",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:lower():find("juniper", 1, true)
           and get_tag(response.body, "form", {action="/login$"})
  end,
  login_combos = {
    {username = "root", password = ""}
  },
  login_check = function (host, port, path, user, pass)
    local form = {login="login",
                  username=user,
                  password=pass}
    local resp = http_post_simple(host, port, url.absolute(path, "login"),
                                 nil, form)
    return resp.status == 200
           and (resp.body or ""):match("%Wvar%s+user_name%s*=%s*['\"](.-)['\"]") == user
  end
})

table.insert(fingerprints, {
  name = "F5 TMOS",
  cpe = "cpe:/o:f5:tmos",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("F5 Networks", 1, true)
           and response.body:find("BIG-IP", 1, true)
           and response.body:find("/tmui/tmui/system/settings/redirect.jsp", 1, true)
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    local header = {["Referer"]=url.build(url_build_defaults(host, port, {path=url.absolute(path, "tmui/login.jsp")}))}
    local resp = http_post_simple(host, port,
                                 url.absolute(path, "tmui/logmein.html?"),
                                 {header=header}, {username=user,passwd=pass})
    return resp.status == 302
           and get_cookie(resp, "BIGIPAuthCookie", "^%x+$")
  end
})

table.insert(fingerprints, {
  name = "F5 BIG-IQ",
  cpe = "cpe:/a:f5:big-iq_centralized_management",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 301
           and response.header["server"] == "webd"
           and (response.header["location"] or ""):find("/ui/login/?$")
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    local header = {["Content-Type"]="application/json;charset=utf-8"}
    local jin = {username=user, password=pass, needsToken=true}
    json.make_object(jin)
    local resp = http_post_simple(host, port,
                                 url.absolute(path, "mgmt/shared/authn/login"),
                                 {header=header}, json.generate(jin))
    if not (resp.status == 200 and resp.body) then return false end
    local jstatus, jout = json.parse(resp.body)
    return jstatus and jout.username == user and jout.token
  end
})

table.insert(fingerprints, {
  name = "Array Networks APV",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return http_auth_realm(response) == "Array Networks WebUI"
  end,
  login_combos = {
    {username = "array", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "Citrix NetScaler",
  cpe = "cpe:/a:citrix:netscaler",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("NetScaler", 1, true)
           and response.body:lower():find("<title>citrix login</title>", 1, true)
  end,
  login_combos = {
    {username = "nsroot", password = "nsroot"}
  },
  login_check = function (host, port, path, user, pass)
    local form = {username=user,
                  password=pass,
                  url="",
                  timezone_offset=0}
    local resp = http_post_simple(host, port,
                                 url.absolute(path, "login/do_login"),
                                 nil, form)
    return resp.status == 302
           and (resp.header["location"] or ""):find("/menu/neo$")
           and get_cookie(resp, "startupapp") == "neo"
  end
})

table.insert(fingerprints, {
  name = "Citrix NetScaler MAS",
  category = "routers",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 302
           and (response.header["location"] or ""):find("/admin_ui/mas/ent/login%.html$")
  end,
  login_combos = {
    {username = "nsroot", password = "nsroot"}
  },
  login_check = function (host, port, path, user, pass)
    local jin = {login={username=user,password=pass}}
    json.make_object(jin)
    local resp = http_post_simple(host, port,
                                 url.absolute(path, "nitro/v1/config/login"),
                                 nil, {object=json.generate(jin)})
    if not (resp.status == 200 and resp.body) then return false end
    local jstatus, jout = json.parse(resp.body)
    return jstatus and jout.errorcode == 0 and jout.resourceName == user
  end
})

---
--VoIP
---
table.insert(fingerprints, {
  name = "Aastra IP Phone",
  category = "voip",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return (http_auth_realm(response) or ""):find("^Aastra %d+i$")
  end,
  login_combos = {
    {username = "admin", password = "22222"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "Aastra AXS 5000",
  category = "voip",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    local loc = response.header["location"] or ""
    if not (response.status == 302 and loc:find("/rhm$")) then return false end
    local resp = http_get_simple(host, port, loc)
    return http_auth_realm(resp) == "Aastra 5000"
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, url.absolute(path, "rhm"),
                        user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "Aastra OpenCom 1000",
  category = "voip",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return have_openssl
           and response.status == 200
           and response.body
           and response.body:find("OpenCom", 1, true)
           and response.body:lower():find("<title>opencom 1000</title>", 1, true)
           and get_tag(response.body, "frame", {src="/login%.html$"})
  end,
  login_combos = {
    {username = "Admin", password = "Admin"}
  },
  login_check = function (host, port, path, user, pass)
    local resp1 = http_get_simple(host, port, url.absolute(path, "login.html"))
    if not (resp1.status == 200 and resp1.body) then return false end
    local token = get_tag(resp1.body, "input", {name="^login$", value="^%x+$"})
    if not token then return false end
    pass = stdnse.tohex(openssl.md5(pass))
    local form2 = {login=stdnse.tohex(openssl.md5(token.value .. pass)),
                   user=user,
                   password="",
                   ButtonOK="OK"}
    local resp2 = http_post_simple(host, port,
                                  url.absolute(path, "summary.html"),
                                  nil, form2)
    return resp2.status == 302
           and (resp2.header["location"] or ""):find("/%?uid=0x%x+$")
  end
})

table.insert(fingerprints, {
  name = "Ateis Vox@",
  category = "voip",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("Vox@", 1, true)
           and response.body:lower():find("<title>vox@", 1, true)
           and get_tag(response.body, "a", {href="/config%.html$"})
  end,
  login_combos = {
    {username = "ateis", password = "ateis"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, url.absolute(path, "config.html"),
                        user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "AudioCodes Mediant",
  category = "voip",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return have_openssl
           and response.status == 203
           and response.body
           and response.body:find("hex_sha256", 1, true)
           and get_tag(response.body, "form", {action="/UE/Login$"})
  end,
  login_combos = {
    {username = "Admin", password = "Admin"},
    {username = "User",  password = "User"}
  },
  login_check = function (host, port, path, user, pass)
    local lurl = url.absolute(path, "UE/Login")
    local form1 = stdnse.output_table()
    form1.t = 1
    form1.c0 = 0
    form1.c1 = user
    local resp1 = http_post_simple(host, port, lurl, nil, form1)
    if not (resp1.status == 200 and resp1.body) then return false end
    local hashfnc = function (...)
                      local text = table.concat({...}, ":")
                      return stdnse.tohex(openssl.digest("SHA256", text)):lower()
                    end
    local prms = {}
    resp1.body:gsub("<(%a)>%s*(.-)%s*</%1>", function (k, v) prms[k] = v end)
    if not (prms.s and prms.m) then return false end
    local form2 = stdnse.output_table()
    form2.t = 1
    form2.s = prms.s
    form2.c0 = 1
    if prms.m == "0" then
      if not prms.r then return false end
      form2.c1 = hashfnc(user, prms.r, hashfnc(pass))
    elseif prms.m == "2" then
      form2.c1 = pass
    else
      if not prms.n then return false end
      form2.c1 = hashfnc(hashfnc(pass, prms.n), prms.r)
    end
    local resp2 = http_post_simple(host, port, lurl, nil, form2)
    return resp2.status == 200
           and (resp2.body or ""):find("<login>success</login>", 1, true)
  end
})

table.insert(fingerprints, {
  name = "AudioCodes Mediant (basic auth)",
  category = "voip",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return http_auth_realm(response) == "Realm1"
           and (response.header["server"] or ""):find("^Allegro%-Software%-RomPager/%d+%.")
           and response.body
           and response.body:lower():find("<title>protected object</title>", 1, true)
  end,
  login_combos = {
    {username = "Admin", password = "Admin"},
    {username = "User",  password = "User"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, true)
  end
})

table.insert(fingerprints, {
  name = "Cisco TelePresence",
  category = "voip",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 302
           and (response.header["location"] or ""):find("/web/signin$")
  end,
  login_combos = {
    {username = "admin", password = ""}
  },
  login_check = function (host, port, path, user, pass)
    local resp = http_post_simple(host, port,
                                 url.absolute(path, "web/signin/open"), nil,
                                 {username=user, password=pass})
    if not (resp.status == 200 and resp.body) then return false end
    local jstatus, jout = json.parse(resp.body)
    return jstatus and jout.result == "ok"
  end
})

table.insert(fingerprints, {
  name = "Dialogic PowerMedia XMS Console",
  category = "voip",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("/verifyLogin/", 1, true)
           and response.body:lower():find("<title>%s*dialogic xms admin console%s*</title>")
  end,
  login_combos = {
    {username = "viewer",     password = "admin"},
    {username = "admin",      password = "admin"},
    {username = "superadmin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    local resp = http_post_simple(host, port,
                                 url.absolute(path, "index.php/verifyLogin/login"),
                                 nil, {usernameId=user, passwordId=pass})
    return resp.status == 200
           and get_cookie(resp, "ci_session", "USERNAME")
  end
})

table.insert(fingerprints, {
  name = "Dialogic PowerMedia XMS NodeController",
  category = "voip",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return http_auth_realm(response) == "NodeController"
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "Dialogic PowerMedia XMS RESTful API",
  category = "voip",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return http_auth_realm(response) == "XMS RESTful API"
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "Grandstream VoIP Device",
  category = "voip",
  paths = {
    {path = "/cgi-bin/login"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("Grandstream", 1, true)
           and response.body:lower():find("<title>grandstream ?device configuration</title>")
           and get_tag(response.body, "input", {name="^gnkey$", type="^hidden$", value="^0b82$"})
  end,
  login_combos = {
    {username = "", password = "admin"},
    {username = "", password = "123"}
  },
  login_check = function (host, port, path, user, pass)
    local resp = http_post_simple(host, port, url.absolute(path, "dologin"),
                                 nil, {P2=pass,Login="Login",gnkey="0b82"})
    return resp.status == 200 and get_cookie(resp, "session_id", "^%x+$")
  end
})

table.insert(fingerprints, {
  name = "Grandstream GXP2200",
  category = "voip",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("%Wdocument%.title%s*=%s*(['\"])GXP2200%1")
           and response.body:lower():find("enterprise multimedia phone for android", 1, true)
  end,
  login_combos = {
    {username = "admin", password = "admin"},
    {username = "user",  password = "123"}
  },
  login_check = function (host, port, path, user, pass)
    local form = {action="login",
                  Username=user,
                  Secret=pass,
                  time=math.floor(stdnse.clock_ms())}
    local resp = http_get_simple(host, port,
                                url.absolute(path, "manager?" .. url.build_query(form)))
    return resp.status == 200 and get_cookie(resp, "phonecookie", "^%x+$")
  end
})

table.insert(fingerprints, {
  name = "Asterisk PBX",
  category = "voip",
  paths = {
    {path = "/login.html"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("js/astman.js", 1, true)
           and get_tag(response.body, "input", {id="^secret$"})
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    local form = {action="login",
                  username=user,
                  secret=pass}
    local lurl = "AMI/rawman?" .. url.build_query(form)
    local resp = http_get_simple(host, port, url.absolute(path, lurl))
    return resp.status == 200
           and (resp.body or ""):find("^%s*Response:%s*Success%W")
  end
})

table.insert(fingerprints, {
  name = "Polycom SoundPoint (var.1)",
  category = "voip",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    if not (response.status == 200
           and response.body
           and response.body:find("Polycom", 1, true)
           and response.body:find("submitLoginInfo", 1, true)
           and response.body:lower():find("<title>polyc?o?m? %- configuration utility</title>")) then
      return false
    end
    local resp = http_get_simple(host, port, url.absolute(path, "js/login.js"))
    return resp.status == 200
           and (resp.body or ""):find("%Wurl:%s*(['\"])auth%.htm%?t=")
  end,
  login_combos = {
    {username = "Polycom", password = "456"},
    {username = "User",    password = "123"}
  },
  login_check = function (host, port, path, user, pass)
    local qstr = url.build_query({t=os.date("!%a, %d %b %Y %H:%M:%S GMT")})
    local creds = {username = user, password = pass, digest = false}
    local header = {["Referer"]=url.build(url_build_defaults(host, port, {path=path}))}
    local resp = http_get_simple(host, port,
                                url.absolute(path, "auth.htm?" .. qstr),
                                {auth=creds, header=header})
    return resp.status == 200
           and resp.body
           and (resp.body:find("|SUCCESS|", 1, true)
             or get_tag(resp.body, "html"))
  end
})

table.insert(fingerprints, {
  name = "Polycom SoundPoint (var.2)",
  category = "voip",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    if not (response.status == 200
           and response.body
           and response.body:find("Polycom", 1, true)
           and response.body:find("submitLoginInfo", 1, true)
           and response.body:lower():find("<title>polyc?o?m? %- configuration utility</title>")) then
      return false
    end
    local resp = http_get_simple(host, port, url.absolute(path, "js/login.js"))
    return resp.status == 200
           and (resp.body or ""):find("%Wurl:%s*(['\"])[^'\"]-/form%-submit/auth%.htm%1")
  end,
  login_combos = {
    {username = "Polycom", password = "456"},
    {username = "User",    password = "123"}
  },
  login_check = function (host, port, path, user, pass)
    local creds = {username = user, password = pass, digest = false}
    local resp = http_post_simple(host, port,
                                 url.absolute(path, "form-submit/auth.htm"),
                                 {auth=creds}, "")
    return resp.status == 200
           and ((resp.body or ""):find("|SUCCESS|", 1, true)
             or get_cookie(resp, "session", "."))
  end
})

table.insert(fingerprints, {
  name = "Polycom SoundPoint (basic auth)",
  cpe = "cpe:/h:polycom:soundpoint_ip_*",
  category = "voip",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.header["server"] == "Polycom SoundPoint IP Telephone HTTPd"
           and http_auth_realm(response) == "SPIP Configuration"
  end,
  login_combos = {
    {username = "Polycom", password = "456"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "Polycom RSS 4000",
  cpe = "cpe:/h:polycom:recording_and_streaming_server_4000",
  category = "voip",
  paths = {
    {path = "/portal/login.jsf"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("Polycom", 1, true)
           and response.body:lower():find("<title>polycom rss 4000</title>", 1, true)
           and get_tag(response.body, "input", {id="^loginform:username$"})
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    local resp1 = http_get_simple(host, port, path)
    if not (resp1.status == 200 and resp1.body) then return false end
    local vstate = get_tag(resp1.body, "input", {name="^javax%.faces%.viewstate$", value="^%-?%d+:%-?%d+$"})
    if not vstate then return false end
    local opts2 = {header={["Faces-Request"]="partial/ajax"},
                   cookies=resp1.cookies}
    local form2 = {loginForm="loginForm",
                   ["loginForm:userName"]=user,
                   ["loginForm:password"]=pass,
                   ["loginForm:domain"]="LOCAL",
                   ["javax.faces.ViewState"]=vstate.value,
                   ["javax.faces.source"]="loginForm:loginBt",
                   ["javax.faces.partial.event"]="click",
                   ["javax.faces.partial.execute"]="loginForm:loginBt @component",
                   ["javax.faces.partial.render"]="@component",
                   ["org.richfaces.ajax.component"]="loginForm:loginBt",
                   ["loginForm:loginBt"]="loginForm:loginBt",
                   ["AJAX:EVENTS_COUNT"]=1,
                   ["javax.faces.partial.ajax"]="true"}
    local resp2 = http_post_simple(host, port, path, opts2, form2)
    return resp2.status == 200
           and (resp2.body or ""):find("<complete>checkLogin('')", 1, true)
  end
})

table.insert(fingerprints, {
  name = "Polycom RMX 500",
  cpe = "cpe:/h:polycom:rmx_500",
  category = "voip",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("<RMX1000_UI>", 1, true)
           and response.body:lower():find("<title></title>", 1, true)
  end,
  login_combos = {
    {username = "POLYCOM", password = "POLYCOM"}
  },
  login_check = function (host, port, path, user, pass)
    local msg = [[
      <?xml version="1.0" encoding="UTF-8" ?>
      <RMX1000_UI version="1.0.0.0">
        <FROM_PAGE id="login">
          <SESSION_ID value="" />
          <_CGI_NO_REFRESH value="YES" />
          <SEL_LANG value="en" />
          <IS_CGI value="YES" />
          <DEV_IP_V4 value="" />
          <LOGINNAME value="__USER__" />
          <PASSWD value="__PASS__" />
          <rmx1000_ip value="127.0.0.1" />
          <proxy_log_ip value="" />
          <LOGIN_FLAG value="__IPADDR__.__TSTAMP__" />
          <_CGI_UI_LANG value="en" />
          <cfg_ui_hide value="YES" />
          <_CGI_TIME value="__TIME__" />
        </FROM_PAGE>
      </RMX1000_UI>]]
    msg = msg:gsub("^%s+", ""):gsub("\n%s*", "")
    msg = msg:gsub("__%w+__", {__USER__=xmlencode(user),
                               __PASS__=xmlencode(pass),
                               __IPADDR__=xmlencode(host.ip),
                               __TSTAMP__=math.floor(stdnse.clock_ms()),
                               __TIME__=xmlencode(os.date("!%a %b %d %Y %H:%M:%S GMT+0000"))})
    local qstr = url.build_query({_dst_in_xml_raw=msg})
    local resp = http_get_simple(host, port,
                                 url.absolute(path, "cgi-bin/rmx_cgi?" .. qstr))
    return resp.status == 200
           and (resp.body or ""):find("<SESSION_ID>%x+</SESSION_ID>")
  end
})

table.insert(fingerprints, {
  name = "Polycom RMX 1000",
  cpe = "cpe:/h:polycom:rmx_1000",
  category = "voip",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("<RMX1000_UI>", 1, true)
           and response.body:lower():find("<title>polycom rmx 1000</title>", 1, true)
  end,
  login_combos = {
    {username = "POLYCOM", password = "POLYCOM"}
  },
  login_check = function (host, port, path, user, pass)
    local msg = [[
      <?xml version="1.0" encoding="UTF-8" ?>
      <RMX1000_UI version="1.0.0.0">
        <FROM_PAGE id="login">
          <SESSION_ID value="" />
          <_CGI_NO_REFRESH value="NO" />
          <SEL_LANG value="en" />
          <IS_CGI value="YES" />
          <DEV_IP_V4 value="" />
          <LOGINNAME value="__USER__" />
          <PASSWD value="__PASS__" />
          <rmx1000_ip value="127.0.0.1" />
          <proxy_log_ip value="" />
          <_CGI_UI_LANG value="en" />
          <cfg_ui_hide value="YES" />
          <_CGI_TIME value="__TIME__" />
        </FROM_PAGE>
      </RMX1000_UI>]]
    msg = msg:gsub("^%s+", ""):gsub("\n%s*", "")
    msg = msg:gsub("__%w+__", {__USER__=xmlencode(user),
                               __PASS__=xmlencode(stdnse.tohex(pass)),
                               __TIME__=xmlencode(os.date("!%a %b %d %Y %H:%M:%S GMT+0000"))})
    local resp = http_post_simple(host, port,
                                  url.absolute(path, "cgi-bin/rmx1000_cgi"),
                                  nil, {_dst_in_xml_raw=msg})
    return resp.status == 200
           and (resp.body or ""):find("<SESSION_ID>%x+</SESSION_ID>")
  end
})

table.insert(fingerprints, {
  name = "Polycom RPAD",
  category = "voip",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.header["server"] == "Polycom RPAD"
           and response.body
           and get_refresh_url(response.body, "/edge/$")
  end,
  login_combos = {
    {username = "LOCAL\\admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    local form = {j_username=base64.enc(user),
                  j_password=base64.enc(pass)}
    local resp = http_post_simple(host, port,
                                 url.absolute(path, "edge/security/check"),
                                 nil, form)
    if not (resp.status == 200 and resp.body) then return false end
    local jstatus, jout = json.parse(b64decode(resp.body:gsub("%s+","")) or "")
    return jstatus and jout.success
  end
})

table.insert(fingerprints, {
  name = "Polycom VVX (admin)",
  cpe = "cpe:/o:polycom:vvx_*",
  category = "voip",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return (http_auth_realm(response) or ""):find("^admin@VVX%s")
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, true)
  end
})

table.insert(fingerprints, {
  name = "Polycom VVX (user)",
  cpe = "cpe:/o:polycom:vvx_*",
  category = "voip",
  paths = {
    {path = "/user/"}
  },
  target_check = function (host, port, path, response)
    return (http_auth_realm(response) or ""):find("^user@VVX%s")
  end,
  login_combos = {
    {username = "user", password = "user"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, true)
  end
})

table.insert(fingerprints, {
  name = "Teles Gateway",
  category = "voip",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.header["server"] == "TELES AG"
           and response.body
           and get_tag(response.body, "frame", {src="/common/navibar_[%w_]+_login%.html$"})
  end,
  login_combos = {
    {username = "teles-admin",   password = "tcs-admin"},
    {username = "teles-user",    password = "tcs-user"},
    {username = "teles-carrier", password = "tcs-carrier"}
  },
  login_check = function (host, port, path, user, pass)
    local resp1 = http_get_simple(host, port, path)
    if not (resp1.status == 200 and resp1.body) then return false end
    local frame = get_tag(resp1.body, "frame", {src="/common/navibar_[%w_]+_login%.html$"})
    if not frame then return false end
    local nurl = url.absolute(path, frame.src)
    local resp2 = http_get_simple(host, port, nurl)
    if not (resp2.status == 200 and resp2.body) then return false end
    local lurl = resp2.body:lower():match("<a%f[%s][^>]-%shref%s*=%s*['\"]?([^'\">%s]*)[^>]*>login</a")
    if not lurl then return false end
    return try_http_auth(host, port, url.absolute(nurl, lurl), user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "Mediatrix",
  category = "voip",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 302
           and (response.header["location"] or ""):find("%f[^/\0]system_info%.esp$")
  end,
  login_combos = {
    {username = "admin", password = "admin"},
    {username = "admin", password = "administrator"},
    {username = "public", password = ""}
  },
  login_check = function (host, port, path, user, pass)
    local resp = http_post_simple(host, port, url.absolute(path, "login.esp"),
                                 nil, {username=user,passwd=pass})
    return resp.status == 302
           and (resp.header["location"] or ""):find("%f[^/\0]system_info%.esp$")
  end
})

table.insert(fingerprints, {
  name = "Mediatrix (basic auth)",
  category = "voip",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    local realm = http_auth_realm(response)
    return (realm == "Mediatrix" or realm == "default")
           and (response.body or ""):lower():find("<title>authentication error: access denied, authorization required.</title>", 1, true)
  end,
  login_combos = {
    {username = "admin", password = "1234"},
    {username = "root", password = "5678"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, true)
  end
})

table.insert(fingerprints, {
  name = "Mediatrix iPBX",
  category = "voip",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("PBX Administration", 1, true)
           and get_tag(response.body, "a", {href="^admin/$"})
           and response.body:lower():find("<title>ipbx</title>", 1, true)
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, url.absolute(path, "admin/config.php"),
                        user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "Openstage IP Phone",
  category = "voip",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("Unify", 1, true)
           and get_tag(response.body, "frame", {src="[?&]page=webmp_user_login%f[&\0]"})
  end,
  login_combos = {
    {username = "", password = "123456"}
  },
  login_check = function (host, port, path, user, pass)
    local form = {page_submit="WEBMp_Admin_Login",
                  lang="en",
                  AdminPassword=pass}
    local resp = http_post_simple(host, port, url.absolute(path, "page.cmd"),
                                 nil, form)
    return resp.status == 200
           and get_cookie(resp, "webm", "%d+|[%d-]*[1-9a-f][%d-]*")
  end
})

table.insert(fingerprints, {
  name = "Yealink IP Phone",
  cpe = "cpe:/o:yealink:voip_phone_firmware",
  category = "voip",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return (http_auth_realm(response) or ""):find(" IP [Pp]hone SIP%-%u%d+%u?$")
  end,
  login_combos = {
    {username = "admin", password = "admin"},
    {username = "user",  password = "user"},
    {username = "var",   password = "var"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, false)
  end
})

---
--Digital recorders
---
table.insert(fingerprints, {
  name = "DM Digital Sprite 2",
  category = "security",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("Dedicated Micros", 1, true)
           and response.body:find("webpages/index.shtml", 1, true)
           and get_tag(response.body, "meta", {name="^author$", content="^dedicated micros "})
  end,
  login_combos = {
    {username = "dm", password = "web"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, url.absolute(path, "frmpages/index.html"),
                        user, pass, true)
  end
})

table.insert(fingerprints, {
  name = "DM NetVu",
  category = "security",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("Dedicated Micros", 1, true)
           and response.body:find("/gui/gui_outer_frame.shtml", 1, true)
           and get_tag(response.body, "meta", {name="^author$", content="^dedicated micros "})
  end,
  login_combos = {
    {username = "", password = ""}
  },
  login_check = function (host, port, path, user, pass)
    local lurl = url.absolute(path, "gui/frmpages/gui_system.shtml")
    local resp = http_get_simple(host, port, lurl)
    if resp.status == 200 then
      return (resp.body or ""):find('top.render_table("System Page"', 1, true)
    end
    return try_http_auth(host, port, lurl, user, pass, true)
  end
})

table.insert(fingerprints, {
  name = "LevelOne WCS-0050 Camera",
  category = "security",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return http_auth_realm(response) == "LevelOne WCS-0050"
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "LG Smart IP Device",
  category = "security",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find(">LG Smart IP Device<", 1, true)
           and get_tag(response.body, "frame", {src="^login_org%.php$"})
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, url.absolute(path, "digest.php"),
                        user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "MOBOTIX Camera",
  category = "security",
  paths = {
    {path = "/"},
    {path = "/control/userimage.html"}
  },
  target_check = function (host, port, path, response)
    return response.status == 401
           and http_auth_realm(response)
           and response.body
           and response.body:find("MOBOTIX AG", 1, true)
  end,
  login_combos = {
    {username = "admin", password = "meinsm"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "OEM GoAhead-Webs IP Camera",
  category = "security",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.header["server"] == "GoAhead-Webs"
           and http_auth_realm(response) == "GoAhead"
  end,
  login_combos = {
    {username = "admin", password = "888888"},
    {username = "admin", password = "12345"},
    {username = "admin", password = "123456"},
    {username = "admin", password = ""}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, true)
  end
})

table.insert(fingerprints, {
  name = "OEM Mini_http IP Camera, DVR",
  category = "security",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return (response.header["server"] or ""):find("^mini_httpd/%d+%.%d+")
           and http_auth_realm(response) == "."
  end,
  login_combos = {
    {username = "admin", password = "123456"},
    {username = "root",  password = "icatch99"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "IPCC P2P Camera",
  category = "security",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.header["server"] == "GoAhead-Webs"
           and http_auth_realm(response) == "WIFICAM"
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, true)
  end
})

table.insert(fingerprints, {
  name = "AXIS 2100 Network Camera",
  cpe = "cpe:/h:axis:2100_network_camera",
  category = "security",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and (response.header["server"] or ""):find("^Boa/%d+%.")
           and response.body
           and response.body:find("AXIS", 1, true)
           and response.body:lower():find("<title>axis ", 1, true)
  end,
  login_combos = {
    {username = "root", password = "pass"},
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, url.absolute(path, "view/view.shtml"),
                        user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "AXIS C/M/P/V Series Device",
  category = "security",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    if response.status == 302 then
      if not (response.header["location"] or ""):find("/index%.shtml$") then
        return false
      end
      response = http_get_simple(host, port,
                                url.absolute(path, "index.shtml"))
    end
    return response.status == 200
           and response.body
           and response.body:find("/axis-cgi/pwdroot/set_language.cgi?", 1, true)
           and response.body:lower():find("<title>index page</title>", 1, true)
  end,
  login_combos = {
    {username = "root", password = ""}
  },
  login_check = function (host, port, path, user, pass)
    local resp = http_get_simple(host, port,
                                url.absolute(path, "pwdroot/pwdRoot.shtml"))
    return resp.status == 200
           and resp.body
           and get_tag(resp.body, "input", {value="^" .. user .. "$"})
           and get_tag(resp.body, "input", {name="^pwd_confirm$"})
  end
})

table.insert(fingerprints, {
  name = "AXIS Network Video Door Station",
  category = "security",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    if response.status == 302 then
      if not (response.header["location"] or ""):find("/index%.shtml$") then
        return false
      end
      response = http_get_simple(host, port,
                                url.absolute(path, "index.shtml"))
    end
    return response.status == 200
           and response.body
           and response.body:find("%Wvar%s+refreshUrl%s*=%s*(['\"])[^'\"]-/view/view%.shtml%?id=%d+%1")
           and response.body:lower():find("<title>index page</title>", 1, true)
  end,
  login_combos = {
    {username = "root", password = "pass"}
  },
  login_check = function (host, port, path, user, pass)
    local form = {id=math.random(1000,30000),
                  imagepath=url.absolute(path, "mjpg/1/video.mjpg"),
                  size=1}
    return try_http_auth(host, port,
                        url.absolute(path, "view/view.shtml?" .. url.build_query(form)),
                        user, pass, true)
  end
})

table.insert(fingerprints, {
  name = "AXIS Entry Manager",
  category = "security",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("/webapp/pacs/index.shtml?id=", 1, true)
           and (response.body:find("%Wvar%s+refreshUrl%s*=%s*(['\"])[^'\"]-/webapp/pacs/index%.shtml%?id=%d+%1")
             or get_refresh_url(response.body, "/webapp/pacs/index%.shtml%?id=%d+$"))
           and response.body:lower():find("<title>index page</title>", 1, true)
  end,
  login_combos = {
    {username = "root", password = "pass"}
  },
  login_check = function (host, port, path, user, pass)
    local form = {action="list",
                  group="Properties.System.Language",
                  _=math.floor(stdnse.clock_ms())}
    return try_http_auth(host, port,
                        url.absolute(path, "axis-cgi/param.cgi?" .. url.build_query(form)),
                        user, pass, true)
  end
})

table.insert(fingerprints, {
  name = "Panasonic Network Camera",
  category = "security",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("./live/index2.html?Language=", 1, true)
           and (response.body:find("%Wlocation%.replace%((['\"])%./live/index2%.html%?Language=%d+%1")
             or response.body:find("%Wwindow%.open%((['\"])%./live/index2%.html%?Language=%d+%1"))
           and response.body:lower():find("<title>%a%a%-%a%w+ ")
  end,
  login_combos = {
    {username = "admin", password = "12345"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port,
                        url.absolute(path, "live/index2.html?Language=0"),
                        user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "Sanyo Network Camera (no auth)",
  category = "security",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    if not (response.status == 200
           and response.body
           and response.body:find("SANYO", 1, true)
           and response.body:lower():find("<title>sanyo +network camera</title>")
           and get_tag(response.body, "form", {name="^lang_set$"})) then
      return false
    end
    local resp = http_get_simple(host, port,
                                url.absolute(path, "cgi-bin/change_id.cgi"))
    return resp.status == 200
  end,
  login_combos = {
    {username = "", password = ""}
  },
  login_check = function (host, port, path, user, pass)
    return true
  end
})

table.insert(fingerprints, {
  name = "Sanyo Network Camera (admin auth)",
  category = "security",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    if not (response.status == 200
           and response.body
           and response.body:find("SANYO", 1, true)
           and response.body:lower():find("<title>sanyo +network camera</title>")
           and get_tag(response.body, "form", {name="^lang_set$"})) then
      return false
    end
    local resp = http_get_simple(host, port,
                                url.absolute(path, "cgi-bin/change_id.cgi"))
    return http_auth_realm(resp) == "You need advanced ID"
  end,
  login_combos = {
    {username = "admin",    password = "admin"},
    {username = "admin2",   password = "admin2"},
    {username = "admin3",   password = "admin3"},
    {username = "operator", password = "operator"},
    {username = "guest",    password = "guest"}
  },
  login_check = function (host, port, path, user, pass)
    local lurl =  url.absolute(path, "cgi-bin/change_id.cgi?" .. math.floor(stdnse.clock_ms()))
    return try_http_auth(host, port, lurl, user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "Sanyo Network Camera (user auth)",
  category = "security",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return http_auth_realm(response) == "You need ID"
           and response.body
           and response.body:lower():find("<title>sanyo network camera</title>", 1, true)
  end,
  login_combos = {
    {username = "admin",    password = "admin"},
    {username = "admin2",   password = "admin2"},
    {username = "admin3",   password = "admin3"},
    {username = "operator", password = "operator"},
    {username = "guest",    password = "guest"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "Sony Network Camera (Boa 1)",
  cpe = "cpe:/h:sony:snc_*",
  category = "security",
  paths = {
    {path = "/en/index.html"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and (response.header["server"] or ""):find("^Boa/%d+%.")
           and response.body
           and response.body:lower():find("%ssrc%s*=%s*(['\"])indexbar%.html%1")
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, url.absolute(path, "l4/index.html"),
                        user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "Sony Network Camera (Boa 2)",
  cpe = "cpe:/h:sony:snc_*",
  category = "security",
  paths = {
    {path = "/en/index.html"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and (response.header["server"] or ""):find("^Boa/%d+%.")
           and response.body
           and response.body:lower():find("<title>sony network camera snc-", 1, true)
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    local resp1 = http_get_simple(host, port, path)
    if not (resp1.status == 200 and resp1.body) then return false end
    local _, lurl = resp1.body:match("=%s*window%.open%(%s*(['\"])(.-)%1")
    if not lurl then return false end
    lurl = url.absolute(path, lurl)
    return try_http_auth(host, port, lurl, user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "Sony Network Camera (NetEVI/Virgo)",
  cpe = "cpe:/h:sony:snc_*",
  category = "security",
  paths = {
    {path = "/index.html"}
  },
  target_check = function (host, port, path, response)
    local server = response.header["server"] or ""
    return response.status == 200
           and server:find("^NetEVI/%d+%.") or server:find("^Virgo/%d+%.")
           and response.body
           and response.body:lower():find("<title>sony network camera snc-", 1, true)
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, url.absolute(path, "home/l4/admin.html"),
                        user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "Sony Network Camera (thttpd)",
  cpe = "cpe:/h:sony:snc_*",
  category = "security",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and (response.header["server"] or ""):find("^thttpd/%d+%.")
           and response.body
           and response.body:find("adm/file.cgi?next_file=setting.htm", 1, true)
           and response.body:lower():find("<title>sony network camera snc-", 1, true)
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port,
                        url.absolute(path, "adm/file.cgi?next_file=setting.htm"),
                        user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "Basler Camera",
  category = "security",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:lower():find("<title>[^<]- web client [^<]- basler ag</title>")
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    local resp = http_post_simple(host, port,
                                 url.absolute(path, "cgi-bin/auth_if.cgi?Login"),
                                 nil, {["Auth.Username"]=user, ["Auth.Password"]=pass})
    return resp.status == 200
           and (resp.body or ""):find("[{,]%s*success%s*:%s*true%s*[,}]")
  end
})

table.insert(fingerprints, {
  name = "IQinVision Camera (var.1)",
  category = "security",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    local server = response.header["server"] or ""
    return response.status == 401
           and response.body
           and (server:find("^IQinVision Embedded ")
                and response.body:find("<xmp>%s*Please Authenticate%s*</xmp>")
             or server:find("^IQhttpD/%d+%.")
                and response.body:find("Authorization required for the URL", 1, true))
  end,
  login_combos = {
    {username = "login", password = "access"},
    {username = "root",  password = "system"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "IQinVision Camera (var.2)",
  category = "security",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return have_openssl
           and response.status == 403
           and (response.header["server"] or ""):find("^IQinVision Embedded ")
           and get_cookie(response, "SrvrNonce", "^%x+")
  end,
  login_combos = {
    {username = "login", password = "access"},
    {username = "root",  password = "system"}
  },
  login_check = function (host, port, path, user, pass)
    local resp1 = http_get_simple(host, port, path)
    local nonce = get_cookie(resp1, "SrvrNonce")
    if not nonce then return false end
    local creds = stdnse.tohex(openssl.md5(table.concat({nonce, user,
                                                         pass:upper()}, ":")))
    local cookies = ("SrvrNonce=%s; SrvrCreds=%s"):format(nonce, creds)
    local resp2 = http_get_simple(host, port, path, {cookies=cookies})
    return resp2.status == 200
  end
})

table.insert(fingerprints, {
  name = "IQinVision Camera (var.3)",
  category = "security",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    local server = response.header["server"] or ""
    if not (response.status == 200
           and response.body
           and (server:find("^IQinVision Embedded ")
                and response.body:find(">IQ", 1, true)
                and response.body:lower():find("<title>iq", 1, true)
             or server:find("^IQhttpD/%d+%.")
                and response.body:find("%Wself%.location%s*=%s*(['\"])dptzvid%.html%1"))) then
      return false
    end
    local resp = http_get_simple(host, port, url.absolute(path, "accessset.html"))
    return resp.status == 401
  end,
  login_combos = {
    {username = "root", password = "system"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, url.absolute(path, "accessset.html"),
                        user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "IQinVision Camera (var.4)",
  category = "security",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    if not (have_openssl
           and response.status == 200
           and (response.header["server"] or ""):find("^IQinVision Embedded ")
           and response.body
           and response.body:find(">IQ", 1, true)
           and response.body:lower():find("<title>iq", 1, true)) then
      return false
    end
    local resp = http_get_simple(host, port, url.absolute(path, "accessset.html"))
    return resp.status == 403
           and get_cookie(resp, "SrvrNonce", "^%x+")
  end,
  login_combos = {
    {username = "root", password = "system"}
  },
  login_check = function (host, port, path, user, pass)
    local lurl = url.absolute(path, "accessset.html")
    local resp1 = http_get_simple(host, port, lurl)
    local nonce = get_cookie(resp1, "SrvrNonce")
    if not nonce then return false end
    local creds = stdnse.tohex(openssl.md5(table.concat({nonce, user,
                                                         pass:upper()}, ":")))
    local cookies = ("SrvrNonce=%s; SrvrCreds=%s"):format(nonce, creds)
    local resp2 = http_get_simple(host, port, lurl, {cookies=cookies})
    return resp2.status == 200
  end
})

table.insert(fingerprints, {
  name = "Sentry360 FS-IP5000 Camera",
  category = "security",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.header["server"] == "Sentry360"
           and response.body
           and get_tag(response.body, "img", {src="^logo_cam_page%.png$"})
  end,
  login_combos = {
    {username = "Admin", password = "1234"}
  },
  login_check = function (host, port, path, user, pass)
    local rnd1 = math.random(10000000, 99999999)
    local rnd2 = math.random(10000000, 99999999)
    local lurl = url.absolute(path, ("load.set?rnd=%d&rnd=%d"):format(rnd1, rnd2))
    return try_http_auth(host, port, lurl, user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "SerVision TVG",
  cpe = "cpe:/o:servision:hvg_video_gateway_firmware",
  category = "security",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and (response.header["server"] or ""):find("^2%.2%.")
           and response.body
           and response.body:find("TO_LOAD", 1, true)
           and get_tag(response.body, "input", {name="^user_username$"})
  end,
  login_combos = {
    {username = "svuser", password = "servconf"},
    {username = "anybody", password = "Bantham"}
  },
  login_check = function (host, port, path, user, pass)
    local form = {user_username=user,
                  user_password=pass,
                  LOADED=1,
                  TO_LOAD="index.htm"}
    local resp = http_post_simple(host, port, url.absolute(path, "index.htm"),
                                 nil, form)
    return resp.status == 201
           and (resp.body or ""):find("%WloadMain%((['\"])main%.htm%1%)")
  end
})

table.insert(fingerprints, {
  name = "Speco IP Camera",
  category = "security",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find('src="newlogin.html"', 1, true)
           and response.body:lower():find("<title>speco ip camera</title>", 1, true)
  end,
  login_combos = {
    {username = "admin", password = "1234"}
  },
  login_check = function (host, port, path, user, pass)
    local resp = http_get_simple(host, port,
                                url.absolute(path, "httpapi?GetUserLevel&ipAddress="),
                                {auth={username=user, password=pass}})
    return resp.status == 200
           and (resp.body or ""):lower():find("userlevel:", 1, true)
  end
})

table.insert(fingerprints, {
  name = "Brickcom Camera",
  cpe = "cpe:/o:brickom:*",
  category = "security",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return (http_auth_realm(response) or ""):find("^Brickcom%s")
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "ACTi Camera",
  category = "security",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find('gPwd="123456"', 1, true)
           and response.body:lower():find("<title>web configurator</title>", 1, true)
  end,
  login_combos = {
    {username = "admin", password = "123456"}
  },
  login_check = function (host, port, path, user, pass)
    local lurl = ("cgi-bin/system?USER=%s&PWD=%s&LOGIN&SYSTEM_INFO"):format(
                 url.escape(user), url.escape(pass))
    local resp = http_get_simple(host, port, url.absolute(path, lurl))
    return resp.status == 200
           and (resp.body or ""):find("LOGIN='1'", 1, true)
  end
})

table.insert(fingerprints, {
  name = "Ovislink AirLive BU",
  cpe = "cpe:/h:ovislink:airlive_bu-*",
  category = "security",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and (response.header["server"] or ""):find("^Boa/%d+%.")
           and response.body
           and response.body:find("controlmenu.htm", 1, true)
           and get_tag(response.body, "frame", {src="^controlmenu%.htm$"})
           and response.body:lower():find("<title>airlive</title>", 1, true)
  end,
  login_combos = {
    {username = "admin", password = "airlive"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, url.absolute(path, "setting.htm"),
                        user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "American Dynamics IP Dome",
  category = "security",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("gbl_locale", 1, true)
           and response.body:lower():find("<title>american dynamics", 1, true)
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    local form = {gbl_locale=1,
                  accessRoute="",
                  username=user,
                  password=pass}
    local resp = http_post_simple(host, port, url.absolute(path, "index.php"),
                                 nil, form)
    return resp.status == 200
           and (resp.body or ""):find("gbl_username%s*=")
  end
})

table.insert(fingerprints, {
  name = "exacqVision",
  category = "security",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    if not (response.status == 200
           and response.body
           and response.body:find("%Wlocation%.replace%(%s*(['\"])login%.web%1%s*%)%s*;")) then
      return false
    end
    local resp = http_get_simple(host, port, url.absolute(path, "login.web"))
    return resp.status == 200
           and resp.body
           and resp.body:find("exacqVision", 1, true)
           and resp.body:lower():find("<title>login</title>", 1, true)
  end,
  login_combos = {
    {username = "admin", password = "admin256"}
  },
  login_check = function (host, port, path, user, pass)
    local form = {u=user,
                  p=pass,
                  l=1,
                  s=0,
                  output="json",
                  responseVersion=2,
                  save=1}
    local resp = http_post_simple(host, port, url.absolute(path, "login.web"),
                                 nil, form)
    if not (resp.status == 200 and resp.body) then return false end
    local jstatus, jout = json.parse(resp.body)
    return jstatus and jout.login and jout.success
  end
})

table.insert(fingerprints, {
  name = "GeoVision Camera",
  category = "security",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.header["server"] == "GeoHttpServer"
           and response.body
           and (response.body:find('action="webcam_login"', 1, true)
             or response.body:find('action="phoneinfo"', 1, true))
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    local form = {id=user,
                  pwd=pass,
                  ViewType=2,
                  Login="Login"}
    local resp = http_post_simple(host, port,
                                 url.absolute(path, "webcam_login"),
                                 nil, form)
    return resp.status == 200
           and resp.body
           and (resp.body:find('%sname%s*=%s*"IDKey"%f[%s][^>]-%svalue%s*=%s*"[%x-]+"')
             or resp.body:find('%?IDKey=[%x-]+'))
  end
})

table.insert(fingerprints, {
  name = "GeoVision Web-Manager",
  category = "security",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return have_openssl
           and response.status == 200
           and response.body
           and response.body:find("GeoVision", 1, true)
           and response.body:find("%Wlocation%.href%s*=%s*(['\"])ssi%.cgi/Login%.htm%1")
           and response.body:lower():find("<title>geovision ", 1, true)
  end,
  login_combos = {
    {username = "guest", password = "guest"},
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    local resp1 = http_get_simple(host, port,
                                 url.absolute(path, "ssi.cgi/Login.htm"))
    if not (resp1.status == 200 and resp1.body) then return false end
    local nonce1, nonce2 = resp1.body:match("%Wvar%s+cc1%s*=%s*['\"](%x+)['\"]%s*;%s*var%s+cc2%s*=%s*['\"](%x+)['\"]")
    if not nonce1 then return false end
    local hashfnc = function (p, a, b) return stdnse.tohex(openssl.md5(table.concat({a,p:lower(),b}))):upper() end
    local form = {username="",
                  password="",
                  Apply="Apply",
                  umd5=hashfnc(user, nonce1, nonce2),
                  pmd5=hashfnc(pass, nonce2, nonce1),
                  browser=1}
    local resp2 = http_post_simple(host, port,
                                  url.absolute(path, "LoginPC.cgi"),
                                  nil, form)
    return resp2.status == 200
           and get_cookie(resp2, "CLIENT_ID", "^%d+$")
  end
})

table.insert(fingerprints, {
  name = "GeoVision WebControl",
  category = "security",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return (http_auth_realm(response) or ""):find("^Welcome to GV%-%w+ WebControl$")
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "Arecont Vision (no auth)",
  category = "security",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find(">Arecont Vision", 1, true)
           and response.body:lower():find("<title>arecont vision camera</title>", 1, true)
           and get_tag(response.body, "div", {class="^avmenu$"})
  end,
  login_combos = {
    {username = "", password = ""}
  },
  login_check = function (host, port, path, user, pass)
    return true
  end
})

table.insert(fingerprints, {
  name = "Arecont Vision (basic auth)",
  category = "security",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return http_auth_realm(response) == "Arecont Vision"
  end,
  login_combos = {
    {username = "admin",  password = ""},
    {username = "viewer", password = ""}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "Avigilon Camera",
  category = "security",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return (http_auth_realm(response) or ""):find("^Avigilon%-%d+$")
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, true)
  end
})

table.insert(fingerprints, {
  name = "Canon Camera",
  cpe = "cpe:/h:canon:network_camera_server_vb*",
  category = "security",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("img/canon_logo.gif", 1, true)
           and get_tag(response.body, "img", {src="^img/canon_logo%.gif$"})
           and response.body:lower():find("<title>network camera</title>", 1, true)
  end,
  login_combos = {
    {username = "root", password = "camera"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port,
                        url.absolute(path, "admin/index.html?lang=en"),
                        user, pass, "any")
  end
})

table.insert(fingerprints, {
  name = "Brovotech IPCAM",
  category = "security",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 302
           and (response.header["location"] or ""):find("/cn/viewer_index%.asp$")
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, url.absolute(path, "cn/viewer_index.asp"),
                        user, pass, true)
  end
})

table.insert(fingerprints, {
  name = "Grandstream Camera",
  cpe = "cpe:/o:grandstream:gxv_device_firmware",
  category = "security",
  paths = {
    {path = "/index.html"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.header["server"] == "GS-Webs"
           and response.body
           and response.body:lower():find("%stype%s*=%s*['\"]application/x%-vnd%-npgs_")
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, url.absolute(path, "Pages/system.html"),
                        user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "Hikvision (var.1)",
  category = "security",
  paths = {
    {path = "/index.asp"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("%Wwindow%.location%.href%s*=%s*['\"]doc/page/login%.asp['\"?]")
           and response.body:lower():find("<title>index</title>", 1, true)
  end,
  login_combos = {
    {username = "admin", password = "12345"}
  },
  login_check = function (host, port, path, user, pass)
    local resp = http_get_simple(host, port,
                                url.absolute(path, "PSIA/Custom/SelfExt/userCheck"),
                                {auth={username=user, password=pass}})
    return resp.status == 200
           and (resp.body or ""):lower():find("<statusvalue>200</statusvalue>", 1, true)
  end
})

table.insert(fingerprints, {
  name = "Hikvision (var.2)",
  category = "security",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("%Wwindow%.location%.href%s*=%s*['\"]doc/page/login%.asp['\"?]")
           and response.body:lower():find("<title>index</title>", 1, true)
  end,
  login_combos = {
    {username = "admin", password = "12345"}
  },
  login_check = function (host, port, path, user, pass)
    local resp = http_get_simple(host, port,
                                url.absolute(path, "ISAPI/Security/userCheck"),
                                {auth={username=user, password=pass}})
    return resp.status == 200
           and (resp.body or ""):lower():find("<statusvalue>200</statusvalue>", 1, true)
  end
})

table.insert(fingerprints, {
  name = "TI Megapixel IP Camera",
  category = "security",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return http_auth_realm(response) == "Megapixel IP Camera"
           and response.header["server"] == "HKVision-Webs"
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "MayGion Camera (no auth)",
  category = "security",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.header["server"] == "WebServer(IPCamera_Logo)"
           and response.body
           and get_tag(response.body, "iframe", {src="^video%.htm$"})
  end,
  login_combos = {
    {username = "", password = ""}
  },
  login_check = function (host, port, path, user, pass)
    return true
  end
})

table.insert(fingerprints, {
  name = "MayGion Camera",
  category = "security",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.header["server"] == "WebServer(IPCamera_Logo)"
           and response.body
           and response.body:find("login.xml", 1, true)
  end,
  login_combos = {
    {username = "admin",   password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    local form = {user=user,
                  usr=user,
                  password=pass,
                  pwd=pass}
    local lurl = "login.xml?" .. url.build_query(form)
    local resp = http_get_simple(host, port, url.absolute(path, lurl))
    return resp.status == 200
           and get_cookie(resp, "user") == user
           and get_cookie(resp, "password") == pass
           and get_cookie(resp, "usrLevel") == "0"
  end
})

table.insert(fingerprints, {
  name = "OEM Boa IP Camera (var.1)",
  category = "security",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 401
           and (http_auth_realm(response) or ""):find(" IP Camera$")
           and (response.header["server"] or ""):find("^Boa/%d+%.")
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "OEM Boa IP Camera (var.2)",
  category = "security",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and (response.header["server"] or ""):find("^Boa/%d+%.")
           and get_tag(response.body, "script", {src="^profile$"})
           and get_tag(response.body, "img", {id="^setting$",onclick="%f[%w]window%.location=(['\"])setting%.htm%1$"})
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, url.absolute(path, "setting.htm"),
                        user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "OEM Boa IP Camera (var.3)",
  category = "security",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and (response.header["server"] or ""):find("^Boa/%d+%.")
           and get_tag(response.body, "script", {src="^profile$"})
           and response.body:lower():find("<title>ip camera viewer</title>", 1, true)
  end,
  login_combos = {
    {username = "admin", password = "12345"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, url.absolute(path, "setting.htm"),
                        user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "OEM Netcam",
  category = "security",
  paths = {
    {path = "/"},
  },
  target_check = function (host, port, path, response)
    return (http_auth_realm(response) or ""):find("^[Nn]etcam$")
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "PLANET IP Cam",
  category = "security",
  paths = {
    {path = "/"},
  },
  target_check = function (host, port, path, response)
    return http_auth_realm(response) == "PLANET IP CAM"
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "PLANET IP Surveillance",
  category = "security",
  paths = {
    {path = "/"},
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("ipcam_language", 1, true)
           and get_tag(response.body, "frame", {src="^asp/view%.asp$"})
           and response.body:lower():find("<title>planet ip surveillance web management</title>", 1, true)
  end,
  login_combos = {
    {username = "admin", password = ""},
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, url.absolute(path, "asp/set.asp"),
                        user, pass, true)
  end
})

table.insert(fingerprints, {
  name = "TP-Link IPC",
  category = "security",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("/web-static/dynaform/class.js", 1, true)
           and response.body:lower():find("<title>ipc</title>", 1, true)
  end,
  login_combos = {
    {username = "admin", password = ""}
  },
  login_check = function (host, port, path, user, pass)
    local a = "RDpbLfCPsJZ7fiv"
    local b = pass
    local pwdlen = math.max(#a, #b)
    a = table.pack(string.byte(a .. ("\187"):rep(pwdlen - #a), 1, -1))
    b = table.pack(string.byte(b .. ("\187"):rep(pwdlen - #b), 1, -1))
    local pad = "yLwVl0zKqws7LgKPRQ84Mdt708T1qQ3Ha7xv3H7NyU84p21BriUWBU43odz3iP4rBL3cD02KZciXTysVXiV8ngg6vL48rPJyAUw0HurW20xqxv9aYb4M9wK1Ae0wlro510qXeU07kV57fQMc8L6aLgMLwygtc0F10a0Dg70TOoouyFhdysuRMO51yY5ZlOZZLEal1h0t9YQW0Ko7oBwmCAHoic4HYbUyVeU3sfQ1xtXcPcf1aT303wAQhv66qzW"
    local pwd = {}
    for i = 1, pwdlen do
      table.insert(pwd, pad:byte(1 + (a[i] ~ b[i]) % #pad))
    end
    local header = {["Accept"]="application/json, text/plain, */*",
                    ["Content-Type"]="application/json;charset=utf-8"}
    local jin = {method="do",
                 login={username=user,
                        password=string.char(table.unpack(pwd))}}
    json.make_object(jin)
    local resp = http_post_simple(host, port, path, {header=header},
                                 json.generate(jin))
    if not (resp.status == 200 and resp.body) then return false end
    local jstatus, jout = json.parse(resp.body)
    return jstatus and jout.stok and jout.error_code == 0
  end
})

table.insert(fingerprints, {
  name = "Allnet Camera",
  category = "security",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return http_auth_realm(response) == "NetworkPTZ"
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "D-Link Camera",
  cpe = "cpe:/h:d-link:dcs-*",
  category = "security",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return (http_auth_realm(response) or ""):find("^DCS%-%d+%u?%f[_\0]")
  end,
  login_combos = {
    {username = "admin", password = "admin"},
    {username = "admin", password = ""}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "Microseven IP camera",
  category = "security",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("/hi3510/", 1, true)
           and get_tag(response.body, "script", {src="/cgi%-bin/hi3510/param%.cgi%?cmd=getuserinfo$"})
  end,
  login_combos = {
    {username = "admin", password = "password"},
    {username = "guest", password = "guest"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port,
                        url.absolute(path, "cgi-bin/hi3510/param.cgi?cmd=getuserinfo"),
                        user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "Milesight Camera (var.1)",
  category = "security",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and (response.body:find(">Milesight Network Camera", 1, true)
             or response.body:find(">IPCAM Network Camera", 1, true))
           and get_tag(response.body, "input", {id="^secret$"})
           and not get_tag(response.body, "script", {src="/javascript/md5%.js%?"})
  end,
  login_combos = {
    {username = "admin",    password = "ms1234"},
    {username = "operator", password = "ms1234"},
    {username = "viewer",   password = "ms1234"}
  },
  login_check = function (host, port, path, user, pass)
    local userno = {admin=0, operator=1, viewer=2}
    local creds = {tostring(userno[user]),
                   url.escape(user),
                   url.escape(pass)}
    local lurl = "vb.htm?language=ie&checkpassword=" .. table.concat(creds, ":")
    local resp = http_get_simple(host, port, url.absolute(path, lurl))
    return resp.status == 200
           and resp.body:find("OK checkpassword", 1, true)
  end
})

table.insert(fingerprints, {
  name = "Milesight Camera (var.2)",
  category = "security",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return have_openssl
           and response.status == 200
           and response.body
           and (response.body:find(">Milesight Network Camera", 1, true)
             or response.body:find(">IPCAM Network Camera", 1, true))
           and get_tag(response.body, "input", {id="^secret$"})
           and get_tag(response.body, "script", {src="/javascript/md5%.js%?"})
end,
  login_combos = {
    {username = "admin",    password = "ms1234"},
    {username = "operator", password = "ms1234"},
    {username = "viewer",   password = "ms1234"}
  },
  login_check = function (host, port, path, user, pass)
    local userno = {admin=0, operator=1, viewer=2}
    local creds = {tostring(userno[user]),
                   url.escape(user),
                   stdnse.tohex(openssl.md5(pass))}
    local lurl = "vb.htm?language=ie&checkpassword=" .. table.concat(creds, ":")
    local resp = http_get_simple(host, port, url.absolute(path, lurl))
    return resp.status == 200
           and resp.body:find("OK checkpassword", 1, true)
  end
})

table.insert(fingerprints, {
  name = "Milesight Camera (Alphafinity)",
  category = "security",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return have_openssl
           and response.status == 200
           and response.body
           and response.body:find(">Alphafinity Network Camera", 1, true)
           and get_tag(response.body, "input", {id="^secret$"})
           and get_tag(response.body, "script", {src="/javascript/md5%.js%?"})
end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    local userno = {admin=0, operator=1, viewer=2}
    local creds = {tostring(userno[user]),
                   url.escape(user),
                   stdnse.tohex(openssl.md5(pass))}
    local lurl = "vb.htm?language=ie&checkpassword=" .. table.concat(creds, ":")
    local resp = http_get_simple(host, port, url.absolute(path, lurl))
    return resp.status == 200
           and resp.body:find("OK checkpassword", 1, true)
  end
})

table.insert(fingerprints, {
  name = "Milesight Camera (Beward)",
  category = "security",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return have_openssl
           and response.status == 200
           and response.body
           and (response.body:find(">BEWARD Network HD camera", 1, true)
             or response.body:find(">Beward Network Camera", 1, true))
           and get_tag(response.body, "input", {id="^secret$"})
           and get_tag(response.body, "script", {src="/javascript/md5%.js%?"})
end,
  login_combos = {
    {username = "admin",    password = "admin"},
    {username = "testuser", password = "htyjdfwbz1"}
  },
  login_check = function (host, port, path, user, pass)
    local userno = {admin=0, testuser=1}
    local creds = {tostring(userno[user]),
                   url.escape(user),
                   stdnse.tohex(openssl.md5(pass))}
    local lurl = "vb.htm?language=ie&checkpassword=" .. table.concat(creds, ":")
    local resp = http_get_simple(host, port, url.absolute(path, lurl))
    return resp.status == 200
           and resp.body:find("OK checkpassword", 1, true)
  end
})

table.insert(fingerprints, {
  name = "Beward SIP Door Station",
  category = "security",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 401
           and (http_auth_realm(response) or ""):find(" SIP Door Station %- %x+$")
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, true)
  end
})

table.insert(fingerprints, {
  name = "OEM MegapixelIPCamera",
  category = "security",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    local realm = http_auth_realm(response)
    return response.status == 401
           and (response.header["server"] or ""):find("^Mbedthis%-Appweb/%d+%.")
           and (realm == "MegapixelIPCamera" or realm == "QuasarHDIPCamera")
  end,
  login_combos = {
    {username = "Admin", password = "1234"},
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "Philips InSight",
  cpe = "cpe:/h:philips:in.sight*",
  category = "security",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and (response.header["server"] or ""):find("^lighttpd/%d+%.")
           and response.body
           and response.body:find(">Philips ", 1, true)
           and response.body:lower():find("%salt%s*=%s*(['\"])philips insight wireless home monitor%1")
  end,
  login_combos = {
    {username = "admin", password = "M100-4674448"},
    {username = "user",  password = "M100-4674448"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, url.absolute(path, "cgi-bin/v1/camera"),
                        user, pass, true)
  end
})

table.insert(fingerprints, {
  name = "Planex CS",
  cpe = "cpe:/o:planex:cs-*",
  category = "security",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return (http_auth_realm(response) or ""):find("^CS%-%u+%d+[%u%d]*$")
  end,
  login_combos = {
    {username = "admin",      password = "password"},
    {username = "supervisor", password = "dangerous"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "Santec IPCamera",
  category = "security",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return http_auth_realm(response) == "Santec-IPCamera"
  end,
  login_combos = {
    {username = "admin", password = "9999"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "HD IPC IP camera",
  category = "security",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    if not (response.status == 200
           and (response.header["server"] or ""):find("^thttpd/%d+%.")
           and response.body
           and get_refresh_url(response.body, "/web/index%.html$")) then
      return false
    end
    local resp = http_get_simple(host, port,
                                url.absolute(path, "web/index.html"))
    return resp.status == 200
           and resp.body
           and resp.body:find("LonginPassword", 1, true)
           and get_tag(resp.body, "input", {id="^longinpassword$"})
  end,
  login_combos = {
    {username = "admin", password = "admin"},
    {username = "guest", password = "guest"}
  },
  login_check = function (host, port, path, user, pass)
    local form = {["-name"]=user,
                  ["-passwd"]=pass,
                  ["-time"]=math.floor(stdnse.clock_ms())}
    local lurl = url.absolute(path, "cgi-bin/hi3510/checkuser.cgi?" .. url.build_query(form))
    local resp = http_get_simple(host, port, lurl)
    return resp.status == 200
           and resp.body
           and resp.body:find("%f[%w]var%s+check%s*=%s*(['\"]?)1%1%s*;")
           and resp.body:find("%f[%w]var%s+authLevel%s*=%s*['\"]?[1-9]")
  end
})

table.insert(fingerprints, {
  name = "3S Vision",
  category = "security",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    if response.header["server"] ~= "httpd" then return false end
    local realm = http_auth_realm(response) or ""
    return realm == "IP Video Server"
           or realm == "IP SPEED DOME"
           or realm:find("^[%w ]- IP Camera$")
  end,
  login_combos = {
    {username = "3sadmin", password = "27988303"},
    {username = "root", password = "root"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "Network Video Server (var.1)",
  category = "security",
  paths = {
    {path = "/login.asp"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("onLoginNVS", 1, true)
           and response.body:lower():find("<title>web service</title>", 1, true)
           and get_tag(response.body, "script", {["for"]="^WebCMS$", event="^CBK_LoginResult%("})
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    local form = {username=user,
                  password=pass,
                  UserID=math.random(10000000, 99999999)}
    local lurl = url.absolute(path, "webs/loginCMS") .. "?"
                 .. url.build_query(form)
    local resp = http_get_simple(host, port, lurl)
    return resp.status == 200
           and (resp.body or ""):find("<level>%d</level>")
  end
})

table.insert(fingerprints, {
  name = "Network Video Server (var.2)",
  category = "security",
  paths = {
    {path = "/login.asp"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("onLoginNVS", 1, true)
           and response.body:lower():find("<title>web service</title>", 1, true)
           and get_tag(response.body, "script", {["for"]="^NetVideoX$", event="^CBK_LoginResult%("})
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    local form = {username=user,
                  password=pass,
                  UserID=math.random(10000000, 99999999)}
    local lurl = url.absolute(path, "webs/httplogin") .. "?"
                 .. url.build_query(form)
    local resp = http_get_simple(host, port, lurl)
    return resp.status == 200
           and (resp.body or ""):find("<level>%d</level>")
  end
})

table.insert(fingerprints, {
  name = "Network Video Server (var.3)",
  category = "security",
  paths = {
    {path = "/login.asp"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("onLoginNVS", 1, true)
           and get_tag(response.body, "script", {event="^CallBackLoginState%("})
           and get_tag(response.body, "script", {src="^script/base64%.js$"})
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    local form = {action="list",
                  group="LOGIN",
                  UserID=math.random(10000000, 99999999)}
    local lurl = url.absolute(path, "cgi-bin/login.cgi") .. "?"
                 .. url.build_query(form)
    local resp = http_get_simple(host, port, lurl,
                                {auth={username=user, password=pass}})
    return resp.status == 200
           and (resp.body or ""):find("%f[%w]root.ERR.no=0%f[^%w]")
  end
})

table.insert(fingerprints, {
  name = "Pravis Systems DVR",
  category = "security",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and get_refresh_url(response.body, "/cgi%-bin/design/html_template/Login%.html$")
           and response.body:lower():find("<title>login cgicc form</title>", 1, true)
  end,
  login_combos = {
    {username = "admin", password = ""}
  },
  login_check = function (host, port, path, user, pass)
    local resp = http_post_simple(host, port,
                                 url.absolute(path, "cgi-bin/design/html_template/Login.cgi"),
                                 nil, {login_txt_id=user, login_txt_pw=pass})
    return resp.status == 200
           and resp.body
           and resp.body:find("%Wlocation%s*=%s*(['\"])webviewer%.cgi%1")
  end
})

table.insert(fingerprints, {
  name = "Foscam Netwave (var.1)",
  cpe = "cpe:/o:foscam:ip_camera_firmware",
  category = "security",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.header["server"] == "Netwave IP Camera"
           and response.body
           and get_tag(response.body, "script", {src="^check_user%.cgi$"})
  end,
  login_combos = {
    {username = "admin", password = ""}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, url.absolute(path, "check_user.cgi"),
                        user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "Foscam Netwave (var.2)",
  category = "security",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.header["server"] == "Netwave IP Camera"
           and response.body
           and response.body:find("%Wwindow%.location%.href%s*=%s*(['\"])index1%.htm%1")
  end,
  login_combos = {
    {username = "admin", password = ""}
  },
  login_check = function (host, port, path, user, pass)
    local lurl = url.absolute(path, "check_user.cgi") .. "?"
                 .. url.build_query({user=user, pwd=pass})
    return try_http_auth(host, port, lurl, user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "Foscam IP Camera",
  category = "security",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("IPCam", 1, true)
           and response.body:lower():find("<title>ipcam client</title>", 1, true)
           and response.body:lower():find("%ssrc%s*=%s*['\"]js/main%.js['\"?]")
  end,
  login_combos = {
    {username = "admin", password = "admin"},
    {username = "admin", password = ""}
  },
  login_check = function (host, port, path, user, pass)
    local form = {usr=user,
                  pwd=pass,
                  cmd="logIn",
                  usrName=user,
                  groupId=string.sub(math.floor(stdnse.clock_ms()), -9)}
    local lurl = "cgi-bin/CGIProxy.fcgi?" .. url.build_query(form)
    local resp = http_get_simple(host, port, url.absolute(path, lurl))
    return resp.status == 200
           and (resp.body or ""):find("<logInResult>0</logInResult>", 1, true)
  end
})

table.insert(fingerprints, {
  name = "ITX Web Remote Viewer",
  category = "security",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    if response.status == 200
       and get_refresh_url(response.body, "/redirect%.html$") then
      response = http_get_simple(host, port, url.absolute(path, "redirect.html"))
    end
    return http_auth_realm(response) == "WEB Remote Viewer"
  end,
  login_combos = {
    {username = "ADMIN", password = "1234"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, url.absolute(path, "html/versioninfo.htm"),
                        user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "JVC VN-xxx Camera",
  category = "security",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and (response.header["server"] or ""):find("^JVC VN%-%w+ API Server%f[/\0]")
           and response.body
           and get_refresh_url(response.body, "/cgi%-bin/%w+%.cgi%?%w+%.html$")
  end,
  login_combos = {
    {username = "admin", password = "jvc"}
  },
  login_check = function (host, port, path, user, pass)
    local resp = http_get_simple(host, port, path)
    local lurl = resp.status == 200
                 and get_refresh_url(resp.body or "", "/cgi%-bin/%w+%.cgi%?%w+%.html$")
    if not lurl then return false end
    return try_http_auth(host, port, lurl, user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "JVC VR-8xx DVR",
  category = "security",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return http_auth_realm(response) == "VR-8xx"
  end,
  login_combos = {
    {username = "admin", password = "jvc"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "JVC Broadcaster",
  category = "security",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return (http_auth_realm(response) or ""):find("^JVC Broadcaster %d+%.%d+")
  end,
  login_combos = {
    {username = "admin", password = "jvc1234"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "OEM DVR",
  category = "security",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("%Wdocument%.location%.replace%(%s*(['\"])mlogin%.cgi%1%s*%)%s*;")
           and response.body:lower():find("<title>dvr login</title>", 1, true)
  end,
  login_combos = {
    {username = "admin", password = ""}
  },
  login_check = function (host, port, path, user, pass)
    local form = {c_userid=user,
                  c_password=pass,
                  c_target=2}
    local resp = http_post_simple(host, port,
                                 url.absolute(path, "direct_open_setup.cgi"),
                                 nil, form)
    return resp.status == 200
           and get_tag(resp.body or "", "script", {src="^setup%.js$"})
  end
})

table.insert(fingerprints, {
  name = "Samsung DVR",
  cpe = "cpe:/h:samsung:dvr",
  category = "security",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return have_openssl
           and response.status == 200
           and response.body
           and response.body:find("Samsung", 1, true)
           and response.body:lower():find("<title>web viewer for samsung dvr</title>", 1, true)
  end,
  login_combos = {
    {username = "admin", password = "4321"}
  },
  login_check = function (host, port, path, user, pass)
    local cookie = ("DATA1=%s&DATA2=%s&SDATA3=%.15f"):format(base64.enc(user),
                                                             base64.enc(pass),
                                                             math.random())
    local form = {lang="en",
                  port=0,
                  close_user_session=0,
                  data1=base64.enc(user),
                  data2=stdnse.tohex(openssl.md5(pass))}
    local resp = http_post_simple(host, port,
                                 url.absolute(path, "cgi-bin/webviewer_cgi_login2"),
                                 {cookies=cookie}, form)
    return resp.status == 200
           and (resp.body or ""):find("%Wtop%.document%.location%.href%s*=%s*['\"]%.%./index%.htm[?'\"]")
  end
})

table.insert(fingerprints, {
  name = "Samsung iPOLiS",
  cpe = "cpe:/a:samsung:ipolis_device_manager",
  category = "security",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    local lurl = "home/monitoring.cgi"
    if not (response.status == 200
           and response.body
           and response.body:find(lurl, 1, true)
           and response.body:find("%Wdocument%.location%.replace%((['\"])[^'\"]-%f[^/'\"]home/monitoring%.cgi%1%)%s*;")) then
      return false
    end
    local resp = http_get_simple(host, port, url.absolute(path, lurl))
    return (http_auth_realm(resp) or ""):find("^iPolis%f[_\0]")
  end,
  login_combos = {
    {username = "admin", password = "4321"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, url.absolute(path, "home/monitoring.cgi"),
                        user, pass, true)
  end
})

table.insert(fingerprints, {
  name = "Truen TCAM (var.1)",
  category = "security",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("/user/view.html", 1, true)
           and get_tag(response.body, "frame", {src="/user/view%.html$"})
           and response.body:lower():find("<title>video surveillance</title>", 1, true)
  end,
  login_combos = {
    {username = "admin", password = "1234"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, url.absolute(path, "user/view.html"),
                        user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "Truen TCAM (var.2)",
  category = "security",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    local lurl = "user/view.html"
    if not (response.status == 200
           and response.body
           and response.body:find(lurl, 1, true)
           and get_refresh_url(response.body, "/user/view%.html$")) then
      return false
    end
    local resp = http_get_simple(host, port, url.absolute(path, lurl))
    return (http_auth_realm(resp) or ""):find("^IPVideo_%x+$")
  end,
  login_combos = {
    {username = "admin", password = "1234"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, url.absolute(path, "user/view.html"),
                        user, pass, "any")
  end
})

table.insert(fingerprints, {
  name = "TVT DVR",
  category = "security",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    local lurl = "Pages/login.htm"
    if not (response.status == 200
           and response.body
           and response.body:find(lurl, 1, true)
           and response.body:find("%Wwindow%.location%.href%s*=%s*(['\"])Pages/login%.htm%1")) then
      return false
    end
    local resp = http_get_simple(host, port, url.absolute(path, lurl))
    return resp.status == 200
           and resp.body
           and resp.body:find("IDCS_LOGIN_NBSP", 1, true)
  end,
  login_combos = {
    {username = "admin", password = "123456"},
    {username = "admin", password = "1"}
  },
  login_check = function (host, port, path, user, pass)
    local auth = {username = user, password = pass}
    local header = {["Content-Type"]="text/plain;charset=UTF-8"}
    local msg = [=[
      <?xml version="1.0" encoding="utf-8" ?>
      <request version="1.0" systemType="NVMS-9000" clientType="WEB"/>
      ]=]
    msg = msg:gsub("^%s+", ""):gsub("\n%s*", "")
    local resp = http_post_simple(host, port, url.absolute(path, "doLogin"),
                                 {auth=auth, header=header}, msg)
    return resp.status == 200
           and (resp.body or ""):find("<status>success</status>", 1, true)
  end
})

table.insert(fingerprints, {
  name = "Ubiquiti UniFi Video (var.1)",
  category = "security",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find(">UniFi Video<", 1, true)
           and response.body:lower():find("<title>unifi video</title>", 1, true)
           and get_tag(response.body, "main-view", {["ui-view"]=""})
           and get_tag(response.body, "script", {["data-headjs-load"]="^main%.js%f[\0?]"})
  end,
  login_combos = {
    {username = "ubnt", password = "ubnt"}
  },
  login_check = function (host, port, path, user, pass)
    local header = {["Referer"]=url.build(url_build_defaults(host, port, {path=url.absolute(path, "login")})),
                    ["Content-Type"]="application/json",
                    ["Accept"]="application/json, text/plain, */*"}
    local jin = {username=user, password=pass}
    json.make_object(jin)
    local resp = http_post_simple(host, port,
                                 url.absolute(path, "api/1.1/login"),
                                 {cookies="ubntActiveUser=false", header=header},
                                 json.generate(jin))
    return resp.status == 200
           and get_cookie(resp, "authId", "^%w+$")
  end
})

table.insert(fingerprints, {
  name = "Ubiquiti UniFi Video (var.2)",
  category = "security",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find(">UniFi Video<", 1, true)
           and response.body:find("app-id=com.ubnt.unifivideo", 1, true)
           and response.body:lower():find("<title>unifi video</title>", 1, true)
           and get_tag(response.body, "meta", {name="^google%-play%-app$", content="^app%-id=com%.ubnt%.unifivideo$"})
  end,
  login_combos = {
    {username = "ubnt", password = "ubnt"}
  },
  login_check = function (host, port, path, user, pass)
    local resp1 = http_get_simple(host, port, path)
    if resp1.status ~= 200 then return false end
    local header = {["Referer"]=url.build(url_build_defaults(host, port, {path=url.absolute(path, "login")})),
                    ["Content-Type"]="application/json",
                    ["Accept"]="application/json, text/plain, */*"}
    local jin = {username=user, password=pass}
    json.make_object(jin)
    local resp2 = http_post_simple(host, port,
                                  url.absolute(path, "api/2.0/login"),
                                  {cookies=resp1.cookies, header=header},
                                  json.generate(jin))
    return resp2.status == 200
           and get_cookie(resp2, "JSESSIONID_AV", "^%x+$")
  end
})

table.insert(fingerprints, {
  name = "Xiongmai NETSurveillance",
  category = "security",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("%Wlocation%s*=%s*(['\"])Login%.htm%1%s*;")
           and response.body:find("%Wvar%s+gHashCookie%s*=%s*new%s+Hash%.Cookie%(%s*(['\"])NetSuveillanceWebCookie%1%s*,")
  end,
  login_combos = {
    {username = "admin",   password = ""},
    {username = "default", password = "tluafed"}
  },
  login_check = function (host, port, path, user, pass)
    local cookie = "NetSuveillanceWebCookie="
                   .. url.escape(('{"username":"%s"}'):format(user))
    local form = stdnse.output_table()
    form.command = "login"
    form.username = user
    form.password = pass
    local resp = http_post_simple(host, port, url.absolute(path, "Login.htm"),
                                 {cookies=cookie}, form)
    return resp.status == 200
           and (resp.body or ""):match("%Wvar%s+g_user%s*=%s*['\"](.-)['\"]%s*;") == user
  end
})

table.insert(fingerprints, {
  name = "AVTech AVC DVR",
  category = "security",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("MM_goToURL", 1, true)
           and response.body:lower():find("<title>--- video web server ---</title>", 1, true)
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    local form = {username=user,
                  password=pass,
                  Submit="Submit"}
    local resp = http_post_simple(host, port, url.absolute(path, "home.htm"),
                                 nil, form)
    return resp.status == 200
           and (resp.body or ""):lower():find("<object%s")
  end
})

table.insert(fingerprints, {
  name = "AVTech IP Camera",
  category = "security",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("/nobody/", 1, true)
           and response.body:lower():find("<title>::: login :::</title>", 1, true)
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    local creds = base64.enc(user .. ":" .. pass)
    local lurl = ("cgi-bin/nobody/VerifyCode.cgi?account=%s&rnd=%.15f"):format(
                 creds, math.random())
    local resp = http_get_simple(host, port, url.absolute(path, lurl))
    return resp.status == 200
           and get_cookie(resp, "SSID") == creds
  end
})

table.insert(fingerprints, {
  name = "EverFocus ECORHD",
  category = "security",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    local realm = http_auth_realm(response) or ""
    return realm:find("^ECOR%d+%-[%u%d]+$")
           or realm:find("^ELUX%d+$")
  end,
  login_combos = {
    {username = "admin", password = "11111111"},
    {username = "user1", password = "11111111"},
    {username = "user2", password = "11111111"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, true)
  end
})

table.insert(fingerprints, {
  name = "Interlogix truVision",
  category = "security",
  paths = {
    {path = "/index.asp"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.header["server"] == "Interlogix-Webs"
           and response.body
           and response.body:find("%Wwindow%.location%.href%s*=%s*(['\"])doc/page/login%.asp%1")
  end,
  login_combos = {
    {username = "admin", password = "1234"}
  },
  login_check = function (host, port, path, user, pass)
    local header = {["Content-Type"]="text/xml"}
    local creds = {username = user, password = pass, digest = false}
    local ipaddr = ("192.168.%d.%d"):format(math.random(254), math.random(254))
    local macaddr = random_hex(12):gsub("..", ":%1"):sub(2)
    local msg = [[
      <?xml version="1.0" encoding="utf-8"?>
      <userCheck>
        <ipAddress>__IPADDR__</ipAddress>
        <macAddress>__MACADDR__</macAddress>
      </userCheck>]]
    msg = msg:gsub("^%s+", ""):gsub("\n%s*", "")
    msg = msg:gsub("__%w+__", {__IPADDR__=ipaddr, __MACADDR__=macaddr})
    local resp = http_post_simple(host, port,
                                 url.absolute(path, "PSIA/Custom/SelfExt/userCheckEx"),
                                 {header=header, auth=creds}, msg)
    return resp.status == 200
           and (resp.body or ""):find("<statusValue>200</statusValue>", 1, true)
  end
})

table.insert(fingerprints, {
  name = "LILIN NVR",
  category = "security",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return (http_auth_realm(response) or ""):find("^Merit LILIN")
  end,
  login_combos = {
    {username = "admin", password = "1111"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "NUUO NVR",
  category = "security",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("NUUO", 1, true)
           and response.body:lower():find("<title>nuuo network video recorder login</title>", 1, true)
           and get_tag(response.body, "form", {name="^mainform$", action="^index%.php$"})
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    local form = {language="English",
                  login=user,
                  password=pass,
                  submit=" Login "}
    local resp = http_post_simple(host, port, url.absolute(path, "index.php"),
                                 nil, form)
    return resp.status == 302
           and resp.header["location"] == "screen.php"
  end
})

table.insert(fingerprints, {
  name = "NUUO Titan NVR",
  category = "security",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("NUUO", 1, true)
           and response.body:lower():find("<title>[%w%s]*network video recorder login</title>")
           and get_tag(response.body, "form", {name="^mainform$", action="^login%.php$"})
           and get_tag(response.body, "img", {type="^submit$", value="^login$"})
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    local form = {language="en",
                  user=user,
                  pass=pass,
                  browser_engine="firefox"}
    local resp = http_post_simple(host, port, url.absolute(path, "login.php"),
                                 nil, form)
    return (resp.status == 302
             and (resp.header["location"] or ""):find("/setting%.php$"))
           or (resp.status == 200
             and (resp.body or ""):find("%snexpage%s*=%s*(['\"])setting%.php%1"))
  end
})

table.insert(fingerprints, {
  name = "NUUO Solo NVR",
  cpe = "cpe:/o:nuuo:nvrsolo",
  category = "security",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("NUUO", 1, true)
           and response.body:lower():find("<title>[%w%s]*network video recorder login</title>")
           and get_tag(response.body, "form", {name="^mainform$", action="^login%.php$"})
           and get_tag(response.body, "input", {type="^submit$", name="^submit$"})
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    local form = {language="en",
                  user=user,
                  pass=pass,
                  submit="Login"}
    local resp = http_post_simple(host, port, url.absolute(path, "login.php"),
                                 nil, form)
    return (resp.status == 302
             and (resp.header["location"] or ""):find("/setting%.php$"))
           or (resp.status == 200
             and (resp.body or ""):find("%snexpage%s*=%s*(['\"])setting%.php%1"))
  end
})

table.insert(fingerprints, {
  name = "NUUO Solo NVR OEM",
  category = "security",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("NUUO", 1, true)
           and response.body:lower():find("<title>[%w%s]*network video recorder login</title>")
           and get_tag(response.body, "form", {name="^mainform$", action="^login%.php$"})
           and get_tag(response.body, "input", {type="^image$", name="^submit$"})
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    local form = {["submit.x"]=0,
                  ["submit.y"]=0,
                  language="en",
                  user=user,
                  pass=pass,
                  browser_engine="firefox",
                  base_url=""}
    local resp = http_post_simple(host, port, url.absolute(path, "login.php"),
                                 nil, form)
    return (resp.status == 302
             and (resp.header["location"] or ""):find("/setting%.php$"))
           or (resp.status == 200
             and (resp.body or ""):find("%snexpage%s*=%s*(['\"])setting%.php%1"))
  end
})

table.insert(fingerprints, {
  name = "VideoIQ iCVR",
  category = "security",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 302
           and (response.header["location"] or ""):find("?wicket:bookmarkablePage=:com.videoiq.fusion.camerawebapi.ui.pages.LoginPage", 1, true)
  end,
  login_combos = {
    {username = "supervisor", password = "supervisor"}
  },
  login_check = function (host, port, path, user, pass)
    local resp1 = http_get_simple(host, port, path)
    local lurl = (resp1.header["location"] or ""):match("%f[/]/%f[^/].*")
    if not (resp1.status == 302 and lurl) then return false end
    local form = {loginForm1_hf_0="",
                  userName=user,
                  password=pass,
                  login=""}
    local resp2 = http_post_simple(host, port,
                                  lurl .. "&wicket:interface=:0:loginPanel:loginForm::IFormSubmitListener::",
                                  {cookies=resp1.cookies}, form)
    return resp2.status == 302
  end
})

table.insert(fingerprints, {
  name = "Dahua Security",
  cpe = "cpe:/o:dahuasecurity:dvr_firmware",
  category = "security",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return have_openssl
           and response.status == 200
           and response.body
           and (response.body:find("js/loginEx.js", 1, true)
               and get_tag(response.body, "script", {src="^js/loginEx%.js%f[?\0]"})
               and get_tag(response.body, "script", {src="^jsCore/rpcCore%.js%f[?\0]"})
             or response.body:find("/js/merge.js", 1, true)
               and get_tag(response.body, "script", {src="/js/merge%.js$"})
               and get_tag(response.body, "div", {id="^download_plugins$"})
             or response.body:find("jsBase/widget/js/dui.tab.js", 1, true)
               and get_tag(response.body, "script", {src="^jsBase/widget/js/dui%.tab%.js%f[?\0]"})
               and get_tag(response.body, "script", {src="^jsCore/common%.js%f[?\0]"}))
  end,
  login_combos = {
    {username = "666666",    password = "666666"},
    {username = "admin",     password = "admin"},
    {username = "anonymity", password = "anonymity"}
  },
  login_check = function (host, port, path, user, pass)
    local lurl = url.absolute(path, "RPC2_Login")
    local opts = {cookies="DHLangCookie30=English",
                  header={["X-Request"]="JSON"}}
    local jin = {method="global.login",
                 params={userName=user,
                         password="",
                         clientType="Web3.0"},
                 id=10000}
    json.make_object(jin)
    local resp1 = http_post_simple(host, port, lurl, opts, json.generate(jin))
    if not (resp1.status == 200 and resp1.body) then return false end
    local jstatus, jout = json.parse(resp1.body)
    local params = jstatus and jout.params
    if not params then return false end
    local passtype
    if not params.encryption then -- luacheck: ignore 542
    elseif params.encryption == "Basic" then
      pass = base64.enc(user .. ":" .. pass)
    elseif params.encryption == "Default" then
      local hashfnc = function (...)
                        local text = table.concat({...}, ":")
                        return stdnse.tohex(openssl.md5(text)):upper()
                      end
      if not (params.random and params.realm) then return false end
      pass = hashfnc(user, params.random, hashfnc(user, params.realm, pass))
      passtype = "Default"
    elseif params.encryption == "OldDigest" then
      local hash = openssl.md5(pass)
      local ptbl = {}
      for i = 1, #hash, 2 do
        local a, b = hash:byte(i, i + 1)
        a = (a + b) % 62
        if a <= 9 then
          b = 48
        elseif a <= 35 then
          b = 55
        else
          b = 61
        end
        table.insert(ptbl, string.char(a + b))
      end
      pass = table.concat(ptbl)
    else
      return false
    end
    opts.cookies = opts.cookies .. ";  DhWebClientSessionID=" .. jout.session
    jin.session = jout.session
    jin.params.password = pass
    jin.params.passwordType = passtype
    jin.params.authorityType = params.encryption
    local resp2 = http_post_simple(host, port, lurl, opts, json.generate(jin))
    if not (resp2.status == 200 and resp2.body) then return false end
    jstatus, jout = json.parse(resp2.body)
    return jstatus and jout.result
  end
})

table.insert(fingerprints, {
  name = "Digital Watchdog",
  category = "security",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return have_openssl
           and response.status == 301
           and (response.header["location"] or ""):find("/static/index%.html$")
           and (response.header["server"] or ""):find("(Digital Watchdog)", 1, true)
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    local lurl = url.absolute(path, "api/getCurrentUser")
    local resp1 = http_get_simple(host, port, lurl, {cookies="Authorization=Digest"})
    local realm = get_cookie(resp1, "realm")
    local nonce = get_cookie(resp1, "nonce")
    if not (resp1.status == 401 and realm and nonce) then return false end
    user = user:lower()
    local hashfnc = function (...)
                      local text = table.concat({...}, ":")
                      return stdnse.tohex(openssl.md5(text))
                    end
    local hash = hashfnc(hashfnc(user, realm, pass), nonce, hashfnc("GET:"))
    local auth = url.escape(base64.enc(table.concat({user, nonce, hash}, ":")))
    table.insert(resp1.cookies, {name="Authorization", value="Digest", path=path})
    table.insert(resp1.cookies, {name="auth", value=auth, path=path})
    local resp2 = http_get_simple(host, port, lurl, {cookies=resp1.cookies})
    return resp2.status == 200
           and resp2.header["content-type"] == "application/json"
  end
})

table.insert(fingerprints, {
  name = "Loxone Intercom Video",
  category = "security",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and (response.header["server"] or ""):find("HyNetOS/%d+%.")
           and response.body
           and response.body:find("Loxone", 1, true)
           and response.body:lower():find("<title>loxone intercom video</title>", 1, true)
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, url.absolute(path, "setup.cgi"),
                        user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "Loxone Smart Home",
  category = "security",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return have_openssl
           and response.status == 200
           and response.body
           and response.body:find("Loxone", 1, true)
           and response.body:lower():find("<title>loxone smart home</title>", 1, true)
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    local resp1 = http_get_simple(host, port,
                                 url.absolute(path, "jdev/cfg/apiKey"))
    if not (resp1.status == 200 and resp1.body) then return false end
    local jstatus, jout = json.parse(resp1.body)
    if not (jstatus and jout.LL.value) then return false end
    jstatus, jout = json.parse(jout.LL.value:gsub("'", '"'))
    if not (jstatus and jout.key) then return false end
    local key = stdnse.fromhex(jout.key)
    local auth = stdnse.tohex(openssl.hmac("SHA1", key, user .. ":" .. pass))
    local lurl = "jdev/sps/LoxAPPversion3?" .. url.build_query({auth=auth,user=user})
    local resp2 = http_get_simple(host, port, url.absolute(path, lurl))
    return resp2.status == 200
  end
})

table.insert(fingerprints, {
  name = "Automa Lilliput2",
  category = "security",
  paths = {
    {path = "/login.php"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("Automa", 1, true)
           and response.body:lower():find("<title>[^<]-%sautoma srl</title>")
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    local resp = http_post_simple(host, port, path, nil,
                                 {username=user,password=pass,submit="Login"})
    return resp.status == 302
           and resp.header["location"] == "index.php"
  end
})

table.insert(fingerprints, {
  name = "Streaming Media System",
  category = "security",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return http_auth_realm(response) == "Smart Home And Intercom System"
  end,
  login_combos = {
    {username = "admin", password = "123456"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "Siedle Door Controller",
  category = "security",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.header["server"] == "Z-World Rabbit"
           and response.body
           and response.body:lower():find("<title></title>", 1, true)
           and response.body:lower():find("%Wparent%.location%s*=%s*(['\"])[^'\"]-/index%.zht%1")
  end,
  login_combos = {
    {username = "Service", password = "Siedle"}
  },
  login_check = function (host, port, path, user, pass)
    local resp1 = http_get_simple(host, port, url.absolute(path, "login.zht"))
    if not (resp1.status == 200 and resp1.body) then return false end
    local lang = resp1.body:lower():match("<select%f[%s][^>]-%sname%s*=%s*['\"]m_webdata%.m_cgilogin%.m_lang['\"].-<option%f[%s]([^>]-%sselected%f[%s>][^>]*)")
    lang = (lang or ""):match("%svalue%s*=%s*['\"](%w+)['\"]")
    if not lang then return false end
    local form2 = stdnse.output_table()
    form2["m_webdata.m_cgiLogin.m_user"] = user
    form2["m_webdata.m_cgiLogin.m_passwd"] = pass
    form2["m_webdata.m_cgiLogin.m_lang"] = lang
    form2["action.x"] = 0
    form2["action.y"] = 0
    local resp2 = http_post_simple(host, port, url.absolute(path, "login.cgi"),
                                  nil, form2)
    return resp2.status == 302
           and (resp2.header["location"] or ""):find("/index%.zht$")
           and get_cookie(resp2, "DCRABBIT", "^%-?%d+$")
  end
})

table.insert(fingerprints, {
  name = "Vanderbilt SPC",
  category = "security",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("SPC", 1, true)
           and response.body:lower():find("<title>%s*spc%d+ ")
           and get_tag(response.body, "form", {action="^login%.htm%?action=login"})
  end,
  login_combos = {
    {username = "Engineer", password = "1111"}
  },
  login_check = function (host, port, path, user, pass)
    local form = {userid=user,
                  password=pass}
    local resp = http_post_simple(host, port,
                                 url.absolute(path, "login.htm?action=login&language=253"),
                                 nil, form)
    return resp.status == 200
           and get_tag(resp.body or "", "a", {href="^secure%.htm%?session=0?x?%x+&page="})
  end
})

table.insert(fingerprints, {
  name = "Vanderbilt Bright/Lite Blue",
  category = "security",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("Vanderbilt", 1, true)
           and response.body:lower():find("<title>%s*vanderbilt %w+ blue%W")
           and get_tag(response.body, "link", {href="/Site_SMS/Vshield_bbg%.png$"})
  end,
  login_combos = {
    {username = "usr", password = "password"}
  },
  login_check = function (host, port, path, user, pass)
    local form = {debug=0,
                  fldUserName=user,
                  fldPassword=pass}
    local resp = http_post_simple(host, port,
                                 url.absolute(path, "Site_SMS/cgi-bin/process_login.cgi"),
                                 nil, form)
    local loc = resp.header["location"] or ""
    return resp.status == 302
           and (loc:find("/Site_SMS/SMS_Frameset%.html%?SessionId=%d+%f[&\0]")
             or loc:find("/Site_SMS/SF_User_Login/User_Login_Page%.xml%?auth=41%f[&\0]"))
  end
})

table.insert(fingerprints, {
  name = "Genetec Synergis",
  category = "security",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    if not (response.status == 200
            and response.header["server"] == "Microsoft-HTTPAPI/2.0"
            and response.body
            and get_refresh_url(response.body, "/ui$")) then
      return false
    end
    local resp = http_get_simple(host, port,
                                url.absolute(path, "ui/LogOn?ReturnUrl=%2fui"))
    return resp.status == 200
           and resp.body
           and resp.body:find("/genetec.common.js", 1, true)
  end,
  login_combos = {
    {username = "admin", password = "softwire"}
  },
  login_check = function (host, port, path, user, pass)
    local form = {UserName=user,
                  Password=pass,
                  Language="En",
                  TimeZoneOffset=0}
    local resp = http_post_simple(host, port,
                                 url.absolute(path, "ui/LogOn?ReturnUrl=%2fui"),
                                 nil, form)
    return resp.status == 302
           and (resp.header["location"] or ""):find("/ui$")
  end
})

---
--Industrial systems
---
table.insert(fingerprints, {
  name = "ABB Cylon Aspect",
  cpe = "cpe:/o:abb:*",
  category = "industrial",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("Cylon", 1, true)
           and response.body:lower():find("<title>cylon</title>", 1, true)
           and get_tag(response.body, "img", {src="%.cylon%.png$"})
           and get_tag(response.body, "input", {name="^f_pass$"})
  end,
  login_combos = {
    {username = "guest", password = "guest"},
    {username = "aamuser", password = "default"}
  },
  login_check = function (host, port, path, user, pass)
    local form = {f_user=user,
                  f_pass=pass,
                  submit="Log In"}
    local resp = http_post_simple(host, port,
                                 url.absolute(path, "validate/login.php"),
                                 nil, form)
    return resp.status == 302
           and (resp.header["location"] or ""):find("/", 1, true)
           and get_cookie(resp, "PHPSESSID", "^%w+$")
  end
})

table.insert(fingerprints, {
  name = "ScadaBR",
  category = "industrial",
  paths = {
    {path = "/"},
    {path = "/ScadaBR/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("ScadaBR", 1, true)
           and get_tag(response.body, "meta", {name="^DESCRIPTION$", content="^ScadaBR Software$"})
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    local resp1 = http_post_simple(host, port, url.absolute(path, "login.htm"),
                                  nil, {username=user,password=pass})
    local loc = (resp1.header["location"] or ""):gsub("^https?://[^/]*", "")
    if not (resp1.status == 302 and loc:find("%.shtm%f[;\0]")) then
      return false
    end
    local resp2 = http_get_simple(host, port, url.absolute(path, loc))
    return resp2.status == 200
           and resp2.body
           and resp2.body:find("logout.htm", 1, true)
           and get_tag(resp2.body, "a", {href="^logout%.htm$"})
  end
})

table.insert(fingerprints, {
  name = "Schneider Modicon Web",
  category = "industrial",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 302
           and (response.header["server"] or ""):find("^Schneider%-WEB/V%d+%.")
           and (response.header["location"] or ""):find("/index%.htm$")
  end,
  login_combos = {
    {username = "USER", password = "USER"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port,
                        url.absolute(path, "secure/embedded/http_passwd_config.htm?Language=English"),
                        user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "Schneider Xflow",
  category = "industrial",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return have_openssl
           and response.status == 200
           and response.body
           and response.body:find("Xflow", 1, true)
           and get_tag(response.body, "input", {name="^rsakey1$"})
  end,
  login_combos = {
    {username = "TEST", password = "TEST"}
  },
  login_check = function (host, port, path, user, pass)
    local resp1 = http_get_simple(host, port, path)
    if not (resp1.status == 200 and resp1.body) then return false end
    local rsakey1 = get_tag(resp1.body, "input", {name="^rsakey1$", value="^%d+$"})
    local rsakey2 = get_tag(resp1.body, "input", {name="^rsakey2$", value="^%d+$"})
    if not (rsakey1 and rsakey2) then return false end
    local p = openssl.bignum_dec2bn(rsakey1.value)
    local m = openssl.bignum_dec2bn(rsakey2.value)
    local encpass = {}
    local r = 0
    for _, s in ipairs({pass:byte(1, -1)}) do
      local a = openssl.bignum_dec2bn(r + s)
      local b = openssl.bignum_bn2dec(openssl.bignum_mod_exp(a, p, m))
      table.insert(encpass, ("%04x"):format(b))
      r = s
    end
    table.insert(encpass, 1, ("0000"):rep(16-#encpass))
    local form2 = {language="EN",
                   login="home.xml",
                   username=user,
                   rsakey1=rsakey1.value,
                   rsakey2=rsakey2.value,
                   pwd=table.concat(encpass):upper(),
                   enter="Log in"}
    local resp2 = http_post_simple(host, port, url.absolute(path, "kw"),
                                  nil, form2)
    return resp2.status == 200
           and (resp2.body or ""):find("%Wvar%s+sessionid%s*=%s*(['\"])%x+%1")
  end
})

table.insert(fingerprints, {
  name = "TCS Basys Controls Communication Center",
  category = "industrial",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return http_auth_realm(response) == "Private"
  end,
  login_combos = {
    {username = "admin", password = "password"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "Trane Tracer SC",
  cpe = "cpe:/a:trane:tracer_sc",
  category = "industrial",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    if not ((response.status == 301 or response.status == 302)
           and (response.header["location"] or ""):find("/hui/index%.html$")) then
      return false
    end
    local resp = http_get_simple(host, port, url.absolute(path, "hui/index.html"))
    return resp.status == 200
           and resp.body
           and resp.body:find("Tracer SC", 1, true)
           and resp.body:find("%Whui%.bootstrap%.logon%(")
           and get_tag(resp.body, "script", {src="/hui/bootstrap%.js$"})
  end,
  login_combos = {
    {username = "Trane", password = "Tracer"}
  },
  login_check = function (host, port, path, user, pass)
    local creds = {username = "$" .. base64.enc(user),
                   password = base64.enc(pass),
                   digest = true}
    local resp = http_post_simple(host, port, url.absolute(path, "evox"),
                                 {auth=creds}, '<obj is="obix:Nil" />')
    return resp.status == 200
  end
})

table.insert(fingerprints, {
  name = "Adcon Telemetry Gateway",
  category = "industrial",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("Adcon", 1, true)
           and response.body:lower():find("<title>%s*adcon telemetry gateway%s*</title>")
           and get_tag(response.body, "a", {href="%f[%w]configurator%.jnlp$"})
  end,
  login_combos = {
    {username = "root", password = "840sw"},
    {username = "adv",  password = "addvantage"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, url.absolute(path, "getconfig"),
                        user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "Lantronix ThinWeb Manager",
  category = "industrial",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return have_openssl
           and response.status == 200
           and (response.header["server"] or ""):find("^Gordian Embedded")
           and response.body
           and response.body:find("Lantronix", 1, true)
           and response.body:lower():find("<title>lantronix %w*web manager%W")
  end,
  login_combos = {
    {username = "", password = "system"}
  },
  login_check = function (host, port, path, user, pass)
    local resp0 = http_get_simple(host, port, path)
    if not (resp0.status == 200 and resp0.body) then return false end
    local lurl = get_tag(resp0.body, "frame", {src="^summary%.html$"})
                   and "server.html"
                 or resp0.body:lower():match("<a%f[%s][^>]-%shref%s*=%s*['\"]([^'\"]+)['\"]%s*>server properties</a>")
    if not lurl then return false end
    lurl = url.absolute(path, lurl)
    local resp1 = http_get_simple(host, port, lurl)
    local nonce = resp1.status == 403 and get_cookie(resp1, "SrvrNonce", ".")
    if not nonce then return false end
    local creds = stdnse.tohex(openssl.md5(nonce .. ":" .. pass:upper()))
    local cookies = ("SrvrNonce=%s; SrvrCreds=%s"):format(nonce, creds)
    local resp2 = http_get_simple(host, port, lurl, {cookies=cookies})
    return resp2.status == 200
  end
})

table.insert(fingerprints, {
  name = "Lantronix XPort",
  category = "industrial",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("secure/ltx_conf.htm", 1, true)
           and get_refresh_url(response.body, "^secure/ltx_conf%.htm$")
  end,
  login_combos = {
    {username = "",  password = ""}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, url.absolute(path, "secure/ltx_conf.htm"),
                        user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "Moxa MiiNePort",
  cpe = "cpe:/o:moxa:miineport_*",
  category = "industrial",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return have_openssl
           and response.status == 307
           and (response.header["location"] or ""):find("/moxa/home%.htm$")
  end,
  login_combos = {
    {username = "admin", password = ""}
  },
  login_check = function (host, port, path, user, pass)
    local form = {Username=user,
                  Password="",
                  MD5Password=stdnse.tohex(openssl.md5(pass)),
                  Submit="Login"}
    local resp = http_post_simple(host, port,
                                 url.absolute(path, "moxa/Login.htm"),
                                 nil, form)
    return resp.status == 200
           and (resp.body or ""):find("%Wwindow%.open%((['\"])home%.htm%1")
  end
})

table.insert(fingerprints, {
  name = "MBus Webserver",
  category = "industrial",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return http_auth_realm(response) == "MBus Webserver"
           and response.header["server"] == "MBus WebServer"
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "Silex Server (var.1)",
  cpe = "cpe:/o:silex:*",
  category = "industrial",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("/status/devstat.htm", 1, true)
           and response.body:lower():find("<title>%a%a%a?%-%w%w%-?%w+</title>")
  end,
  login_combos = {
    {username="root", password=""},
    {username="admin", password="admin"},
    {username="admin", password="1234"}
  },
  login_check = function (host, port, path, user, pass)
    local resp = http_get_simple(host, port, path)
    if not (resp.status == 200 and resp.body) then return false end
    local frm = get_tag(resp.body, "frame", {src="/%w+/status/devstat%.htm$"})
    if not frm then return false end
    local lang = frm.src:match("/(%w+)/status/devstat%.htm$")
    return try_http_auth(host, port,
                        url.absolute(path, lang .. "/mnt/adpass.htm"),
                        user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "Silex Server (var.2)",
  cpe = "cpe:/o:silex:*",
  category = "industrial",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("status.hti?", 1, true)
           and response.body:lower():find("<title>silex ", 1, true)
  end,
  login_combos = {
    {username="", password="ACCESS"}
  },
  login_check = function (host, port, path, user, pass)
    local form = {access="",
                  password="",
                  language=0,
                  access_psw=pass,
                  action="Submit"}
    local resp = http_post_simple(host, port, url.absolute(path, "login"),
                                 nil, form)
    return resp.status == 200
           and get_tag(resp.body or "", "frame", {src="^status%.hti%?access=%x+&"})
  end
})

table.insert(fingerprints, {
  name = "Wago I/O System 750",
  cpe = "cpe:/h:wago:wago_i%2fo_system*",
  category = "industrial",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 302
           and (response.header["location"] or ""):find("/webserv/index%.ssi$")
  end,
  login_combos = {
    {username="admin", password="wago"},
    {username="user",  password="user"},
    {username="guest", password="guest"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port,
                        url.absolute(path, "webserv/cplcfg/security.ssi"),
                        user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "Wago TO-PASS",
  category = "industrial",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return http_auth_realm(response) == "WAGO TO-PASS"
  end,
  login_combos = {
    {username="admin", password="wago"},
    {username="user",  password="user"},
    {username="guest", password="guest"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, true)
  end
})

table.insert(fingerprints, {
  name = "Orpak SiteOmat",
  category = "industrial",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("siteomat_global.js", 1, true)
           and get_tag(response.body, "script", {src="/script/siteomat_global%.js"})
           and response.body:find("%Wvar%s+win%s*=%s*open%((['\"])login%.htm%1")
  end,
  login_combos = {
    {username = "Admin", password = "Admin"}
  },
  login_check = function (host, port, path, user, pass)
    local form = {User=user,
                  Password=pass,
                  DBname="",
                  loginbut="Login"}
    local resp = http_post_simple(host, port,
                                 url.absolute(path, "dologin.htm"), nil, form)
    return resp.status == 200
           and get_tag(resp.body or "", "body", {onload="^CheckLogin%(1%)$"})
  end
})

table.insert(fingerprints, {
  name = "ProMinent Controller",
  category = "industrial",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.header["server"] == "Z-World Rabbit"
           and response.body
           and get_tag(response.body, "frame", {src="^right%.shtml$"})
  end,
  login_combos = {
    {username = "Operator1",  password = "1"},
    {username = "Operator2",  password = "2"},
    {username = "Operator3",  password = "3"},
    {username = "Operator4",  password = "4"},
    {username = "Configure5", password = "5"},
    {username = "Configure6", password = "6"},
    {username = "Configure7", password = "7"},
    {username = "admin",      password = "AAAA"}
  },
  login_check = function (host, port, path, user, pass)
    local usermap = {["Operator1"]=1,
                     ["Operator2"]=2,
                     ["Operator3"]=3,
                     ["Operator4"]=4,
                     ["Configure5"]=5,
                     ["Configure6"]=6,
                     ["Configure7"]=7,
                     ["admin"]=8}
    local lurl = ("taco.cgi?F0=AH&F1=%d&F2=%s"):format(usermap[user],pass)
    local resp = http_get_simple(host, port, url.absolute(path, lurl))
    return resp.status == 200
           and (get_cookie(resp, "DCRABBIT") or ""):lower() == user:lower()
  end
})

table.insert(fingerprints, {
  name = "Emerson EC2",
  category = "industrial",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("EC2", 1, true)
           and response.body:lower():find("<title>ec2 %d+ ")
           and get_tag(response.body, "frame", {src="^bckgnd%.html$"})
  end,
  login_combos = {
    {username = "EmersonID", password = "12"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, url.absolute(path, "tcp_ip.shtml.shtml"),
                        user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "Emerson Xweb",
  category = "industrial",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("/cgi-bin/xweb500.cgi", 1, true)
           and response.body:find("%WUrl%s*=%s*(['\"])[^'\"]-/cgi%-bin/xweb500%.cgi%?res=%d%1")
  end,
  login_combos = {
    {username = "Admin", password = "Admin"}
  },
  login_check = function (host, port, path, user, pass)
    local form = {pg=2,
                  action=2,
                  act=0,
                  login=user,
                  passwd=pass}
    local resp = http_post_simple(host, port,
                                 url.absolute(path, "cgi-bin/user.cgi"),
                                 nil, form)
    return resp.status == 200
           and resp.body
           and resp.body:find("%Wvar%s+value%s*=%s*(['\"])" .. user .. "%1")
           and resp.body:find("%Wlocation%.href%s*=%s*(['\"])[^'\"]-/index/indexFr%.html%1")
  end
})

table.insert(fingerprints, {
  name = "Heatmiser Wifi Thermostat",
  category = "industrial",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("Heatmiser", 1, true)
           and response.body:lower():find("<title>heatmiser wifi thermostat</title>", 1, true)
           and get_tag(response.body, "input", {name="^lgpw$"})
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    local resp = http_post_simple(host, port, path, nil, {lgnm=user,lgpw=pass})
    return resp.status == 302
           and (resp.header["location"] or ""):find("/main%.htm$")
  end
})

table.insert(fingerprints, {
  name = "Heatmiser NetMonitor 1.x",
  category = "industrial",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("NetMonitor", 1, true)
           and response.body:lower():find("<title>netmonitor ", 1, true)
           and get_tag(response.body, "input", {name="^loginname$"})
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    local resp = http_post_simple(host, port,
                                 url.absolute(path, "view_stats.htm"), nil,
                                 {loginname=user, loginpassword=pass})
    return resp.status == 200
           and get_tag(resp.body or "", "a", {href="^setup_stats%.htm$"})
  end
})

table.insert(fingerprints, {
  name = "Heatmiser NetMonitor 3.0x",
  category = "industrial",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("Netmonitor", 1, true)
           and response.body:find("loginState", 1, true)
           and response.body:lower():find("<title>netmonitor ", 1, true)
           and get_tag(response.body, "input", {name="^loginun$"})
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    local resp1 = http_post_simple(host, port, url.absolute(path, "main.htm"),
                                  nil, {loginun=user, loginpw=pass})
    if not (resp1.status == 200 and (resp1.body or ""):find("(['\"]?)left%.htm%1")) then
      return false
    end
    local resp2 = http_get_simple(host, port, url.absolute(path, "left.htm"))
    return resp2.status == 200
           and get_tag(resp2.body or "", "input", {name="^loginstate$", value="^1$"})
  end
})

table.insert(fingerprints, {
  name = "Heatmiser NetMonitor 3.x",
  category = "industrial",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("Netmonitor", 1, true)
           and response.body:find("hmcookies", 1, true)
           and response.body:lower():find("<title>netmonitor ", 1, true)
           and get_tag(response.body, "input", {name="^loginun$"})
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    local resp1 = http_get_simple(host, port, path)
    if not (resp1.status == 200 and resp1.body) then return false end
    local idx = get_tag(resp1.body, "input", {name="^hmckidx$", value="^%d$"})
    if not idx then return false end
    idx = idx.value
    local form = {curckidx=idx,
                  loginun=user,
                  loginpw=pass}
    local resp2 = http_post_simple(host, port, url.absolute(path, "main.htm"),
                                  {cookies="hmcookie="..idx}, form)
    if not (resp2.status == 200 and resp2.body) then return false end
    local hmcookies = get_tag(resp2.body, "input", {name="^hmcookies$", value="^%d+$"})
    return hmcookies
           and hmcookies.value:sub(idx + 1, idx + 1) == "1"
  end
})

table.insert(fingerprints, {
  name = "Jacarta interSeptor",
  category = "industrial",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find(">Jacarta ", 1, true)
           and response.body:lower():find("<title>jacarta interseptor", 1, true)
           and get_tag(response.body, "frame", {src="/pagecompre.html$"})
  end,
  login_combos = {
    {username = "interSeptor", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, url.absolute(path, "PageAControl.html"),
                        user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "Phasefale JouleAlarm/JouleTemp",
  category = "industrial",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("Phasefale Joule", 1, true)
           and response.body:lower():find("<title>phasefale joule", 1, true)
           and get_tag(response.body, "form", {action="/set/set%.html$"})
  end,
  login_combos = {
    {username = "admin", password = "pass"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, url.absolute(path, "set/set.html"),
                        user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "Proliphix Thermostat",
  category = "industrial",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("index.shtml", 1, true)
           and response.body:find("%WprintNavLine%(%s*(['\"])Login%1%s*,%s*(['\"])index%.shtml%2%s*%)")
           and response.body:lower():find("<title>thermostat [^<]-%- status &amp; control</title>")
  end,
  login_combos = {
    {username = "admin", password = "admin"},
    {username = "user",  password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, url.absolute(path, "index.shtml"),
                        user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "Alerton Building Suite 3",
  category = "industrial",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    if not (have_openssl
           and response.status == 302
           and (response.header["location"] or ""):find("/login%f[?\0]")
           and get_cookie(response, "niagara_audit")) then
      return false
    end
    local resp = http_get_simple(host, port, url.absolute(path, "login"))
    return resp.status == 200
           and resp.body
           and resp.body:find("alerton", 1, true)
           and get_tag(resp.body, "input", {id="^scheme$", type="^hidden$"})
  end,
  login_combos = {
    {username = "LocalAdministrator", password = "pass"}
  },
  login_check = function (host, port, path, user, pass)
    local lurl = url.absolute(path, "login")
    local resp1 = http_get_simple(host, port, lurl)
    if resp1.status ~= 200 then return false end
    local scheme = get_tag(resp1.body or "", "input", {id="^scheme$", type="^hidden$"})
    local token, cookies
    if scheme.value == "cookieDigest" then
      local header = {["Content-Type"] = "application/x-niagara-login-support"}
      local resp2 = http_post_simple(host, port, lurl, {header=header},
                                    "action=getnonce")
      local nonce = resp2.body
      if not (resp2.status == 200 and nonce) then return false end
      local hashfnc = function (...)
                        local text = table.concat({...}, ":")
                        return stdnse.tohex(openssl.sha1(text)):lower()
                      end
      pass = stdnse.tohex(openssl.md5(pass .. user:upper())):lower()
      token = {user, nonce, hashfnc(hashfnc(user, pass), nonce)}
      cookies = resp2.cookies
    else
      token = {user, pass}
      cookies = nil
    end
    local form = {username_zip="",
                  token=base64.enc(table.concat(token, ":"))}
    local resp = http_post_simple(host, port, lurl, {cookies=cookies}, form)
    return resp.status == 302
           and get_cookie(resp, "niagara_audit") == user
  end
})

table.insert(fingerprints, {
  name = "Lutron HomeWorks QS",
  category = "industrial",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("LUTRON", 1, true)
           and get_tag(response.body, "form", {name="^input$", action="^login$"})
  end,
  login_combos = {
    {username = "lutron", password = "lutron"}
  },
  login_check = function (host, port, path, user, pass)
    local form = {login=user,
                  password=pass}
    local resp = http_get_simple(host, port,
                                url.absolute(path, "login?" .. url.build_query(form)))
    return resp.status == 200
           and get_tag(resp.body, "a", {href="/DbXmlInfo.xml$"})
  end
})

table.insert(fingerprints, {
  name = "BTECH S5 Battery Monitor",
  category = "industrial",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("BTECH", 1, true)
           and response.body:lower():find("<title>btech%W[^<]-%f[%w]s5 battery monitor")
           and get_tag(response.body, "a", {href="/admin/index%.zhtml$"})
  end,
  login_combos = {
    {username = "btech", password = "monitor"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, url.absolute(path, "admin/index.zhtml"),
                        user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "Liebert IntelliSlot",
  cpe = "cpe:/o:vertiv:liebert_intellislot_firmware",
  category = "industrial",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    if not (response.status == 200
           and response.body
           and response.body:find("web/initialize.htm", 1, true)
           and response.body:find("%Wdocument%.location%s*=%s*(['\"])web/initialize%.htm%1")) then
      return false
    end
    local resp = http_get_simple(host, port, url.absolute(path, "protected/"))
    return resp.status == 401 and http_auth_realm(resp) == "Unity"
  end,
  login_combos = {
    {username = "Liebert", password = "Liebert"}
  },
  login_check = function (host, port, path, user, pass)
    local lurls = {"protected/session/unityLogin.htm?devId=4",
                   "protected/getAccess.htm?devId=0"}
    for _, lurl in ipairs(lurls) do
      if try_http_auth(host, port, url.absolute(path, lurl), user, pass, false) then
        return true
      end
    end
    return false
  end
})

table.insert(fingerprints, {
  name = "Eaton Power Xpert Gateway (var.1)",
  category = "industrial",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    if not (response.status == 302
           and (response.header["location"] or ""):find("/content/?$")) then
      return false
    end
    local resp = http_get_simple(host, port, url.absolute(path, "content/"))
    return http_auth_realm(resp) == "Power Xpert"
  end,
  login_combos = {
    {username = "admin", password = "admin"},
    {username = "user",  password = "user"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, url.absolute(path, "content/"),
                        user, pass, true)
  end
})

table.insert(fingerprints, {
  name = "Eaton Power Xpert Gateway (var.2)",
  category = "industrial",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("Eaton Power Xpert Gateway", 1, true)
           and response.body:lower():find("<title>%s*eaton power xpert gateway%s*<")
           and get_refresh_url(response.body, "/content/$")
  end,
  login_combos = {
    {username = "admin", password = "admin"},
    {username = "user",  password = "user"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, url.absolute(path, "content/"),
                        user, pass, true)
  end
})

table.insert(fingerprints, {
  name = "Eaton Power Xpert Meter (var.1)",
  category = "industrial",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("Eaton Power Xpert Meter 2000", 1, true)
           and response.body:lower():find("<title>%s*eaton power xpert meter 2000%s*<")
           and get_tag(response.body, "embed", {code="^com%.eaton%.ngmp%.FullVgaApplet%.class$"})
           and get_tag(response.body, "a", {href="%f[^/\0]content/index%.shtml$"})
  end,
  login_combos = {
    {username = "admin", password = "admin"},
    {username = "user",  password = "user"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, url.absolute(path, "content/index.shtml"),
                        user, pass, true)
  end
})

table.insert(fingerprints, {
  name = "Eaton Managed ePDU",
  category = "industrial",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return have_openssl
           and response.status == 200
           and response.body
           and response.body:find("Eaton", 1, true)
           and response.body:lower():find("<title>%s*eaton%W")
           and get_tag(response.body, "script", {src="/eaton/js/Nemo%.js$"})
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    local lurl = url.absolute(path, "ws/gateway?")
    local form1 = stdnse.output_table()
    form1.page = "cgi_challenge"
    form1.login = user
    form1._dc = math.floor(stdnse.clock_ms())
    local resp1 = http_get_simple(host, port, lurl .. url.build_query(form1))
    local nonce = (resp1.body or ""):match("^%s*['\"](.-)['\"]%s*$")
    if not (resp1.status == 200 and nonce) then return false end
    local hashlen = 64
    if #nonce > hashlen then
      nonce = openssl.sha1(nonce)
    end
    nonce = nonce .. ("\0"):rep(hashlen - #nonce)
    local form2 = stdnse.output_table()
    form2.page = "cgi_authentication"
    form2.login = user
    form2.password = stdnse.tohex(openssl.hmac("SHA1", nonce, pass)):lower()
    form2._dc = math.floor(stdnse.clock_ms())
    local resp2 = http_get_simple(host, port, lurl .. url.build_query(form2))
    if not (resp2.status == 200 and resp2.body) then return false end
    local jstatus, jout = json.parse(resp2.body:gsub("'", "\""))
    return jstatus and type(jout) == "table" and type(jout[1]) == "number" and jout[2] == user
  end
})

table.insert(fingerprints, {
  name = "Eaton Monitored ePDU",
  category = "industrial",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("Eaton Monitored ePDU", 1, true)
           and response.body:lower():find("<title>%s*eaton monitored epdu%s*<")
           and get_tag(response.body, "a", {href="/admin/index%.zhtml$"})
  end,
  login_combos = {
    {username = "Admin", password = "etn"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, url.absolute(path, "admin/index.zhtml"),
                        user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "CS121 UPS Web/SNMP Manager",
  category = "industrial",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and (response.header["server"] or ""):find("^HyNetOS/%d+%.")
           and response.body
           and response.body:lower():find("<title>cs121 snmp/web adapter</title>", 1, true)
  end,
  login_combos = {
    {username = "admin", password = "cs121-snmp"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, url.absolute(path, "admin/net.shtml"),
                        user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "Riello UPS NetMan 204",
  category = "industrial",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and (response.header["server"] or ""):find("^mini_httpd/%d+%.")
           and response.body
           and response.body:find(">Netman ", 1, true)
           and response.body:lower():find("<title>netman 204 login</title>", 1, true)
  end,
  login_combos = {
    {username = "admin",     password = "admin"},
    {username = "fwupgrade", password = "fwupgrade"},
    {username = "user",      password = "user"},
    {username = "eurek",     password = "eurek"}
  },
  login_check = function (host, port, path, user, pass)
    local resp = http_post_simple(host, port,
                                 url.absolute(path, "cgi-bin/login.cgi"),
                                 nil, {username=user, password=pass})
    return resp.status == 200
           and resp.body
           and (resp.body:find(">window.location.replace(", 1, true)
             or resp.body:find("Another user is logged in", 1, true))
  end
})

table.insert(fingerprints, {
  name = "APC Management Card (basic auth)",
  cpe = "cpe:/h:apc:ap*",
  category = "industrial",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return http_auth_realm(response) == "APC Management Card"
  end,
  login_combos = {
    {username = "apc",      password = "apc"},
    {username = "device",   password = "apc"},
    {username = "readonly", password = "apc"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "APC Management Card",
  cpe = "cpe:/h:apc:ap*",
  category = "industrial",
  paths = {
    {path = "/logon.htm"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and (response.body:find("apclogo", 1, true)
             or response.body:find("www.apc.com", 1, true))
           and response.body:lower():find("<title>[^<]*log on</title>")
           and get_tag(response.body, "input", {name="^login_username$"})
  end,
  login_combos = {
    {username = "apc",      password = "apc"},
    {username = "device",   password = "apc"},
    {username = "readonly", password = "apc"}
  },
  login_check = function (host, port, path, user, pass)
    local form = {login_username=user,
                  login_password=pass,
                  submit="Log On"}
    local resp = http_post_simple(host, port,
                                 url.absolute(path, "Forms/login1"),
                                 nil, form)
    local loc = resp.header["location"]
    if not (resp.status == 303 and loc) then return false end
    if loc:find("/home%.htm$") then
      http_get_simple(host, port,
                     url.absolute(loc:gsub("^https?://[^/]*", ""), "logout.htm"),
                     {cookies=resp.cookies})
      return true
    end
    for _, ck in ipairs(resp.cookies or {}) do
      if ck.name:find("^APC") then return true end
    end
    return false
  end
})

table.insert(fingerprints, {
  name = "APC InfraStruXure Central",
  category = "industrial",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("www.apc.com", 1, true)
           and (response.body:lower():find("<title>infrastruxure central ", 1, true)
             or response.body:lower():find("<title>struxureware central ", 1, true))
           and get_tag(response.body, "a", {href="^nbc/status/Status$"})
  end,
  login_combos = {
    {username = "apc",      password = "apc"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, url.absolute(path, "nbc/status/Status"),
                        user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "APC InfraStruXure PDU",
  category = "industrial",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return http_auth_realm(response) == "InfraStruXure PDU"
  end,
  login_combos = {
    {username = "device", password = "apc"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "InfraPower PPS-02-S",
  category = "industrial",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 302
           and response.header["location"] == "?/3/login"
           and (response.header["server"] or ""):find("^lighttpd/%d+%.")
           and get_cookie(response, "PHPSESSID", "^%w+$")
  end,
  login_combos = {
    {username = "00000000", password = "00000000"}
  },
  login_check = function (host, port, path, user, pass)
    local form = {status=1,
                  usr=user,
                  psw=pass,
                  ["t-tag"]=os.date("!%m%d%H%M%Y")}
    local resp = http_post_simple(host, port, url.absolute(path, "?/3/login"),
                                 nil, form)
    if not (resp.status == 200 and resp.body) then return false end
    local jstatus, jout = json.parse(resp.body)
    return jstatus and jout.callback
  end
})

table.insert(fingerprints, {
  name = "iBoot",
  category = "industrial",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return http_auth_realm(response) == "iBoot"
  end,
  login_combos = {
    {username = "", password = "PASS"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "iBoot G2",
  category = "industrial",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return (http_auth_realm(response) or ""):find("^iBoot%-G2S?$")
  end,
  login_combos = {
    {username = "admin", password = "admin"},
    {username = "user",  password = "user"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "iBoot Bar",
  category = "industrial",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find(">iBoot", 1, true)
           and response.body:lower():find("<title>iboot bar ", 1, true)
           and get_tag(response.body, "input", {name="^password$"})
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    local resp = http_post_simple(host, port, url.absolute(path, "login.cgi"),
                                 nil, {name=user,password=pass})
    return resp.status == 200
           and get_cookie(resp, "DCRABBIT", "^%d+$")
           and (resp.body or ""):find("%Wlocation%s*=%s*(['\"])index%.ztm%1")
  end
})

table.insert(fingerprints, {
  name = "HP Power Manager",
  cpe = "cpe:/a:hp:power_manager_remote_agent",
  category = "industrial",
  paths = {
    {path = "/index.asp"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("HP", 1, true)
           and response.body:lower():find("<title>hp power manager</title>", 1, true)
           and get_tag(response.body, "form", {action="/goform/formlogin$"})
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    local form = {HtmlOnly="true",
                  Login=user,
                  Password=pass,
                  loginButton="Submit Login"}
    local resp = http_post_simple(host, port,
                                  url.absolute(path, "goform/formLogin"),
                                  nil, form)
    return resp.status == 200
           and (resp.body or ""):find("%Wtop%.location%.href%s*=%s*(['\"])[^'\"]-/Contents/index%.asp%1")
  end
})

table.insert(fingerprints, {
  name = "Sunny WebBox (var.1)",
  category = "industrial",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("Sunny Webbox", 1, true)
           and get_refresh_url(response.body, "/culture/index%.dml$")
  end,
  login_combos = {
    {username = "User",      password = "0000"},
    {username = "Installer", password = "1111"}
  },
  login_check = function (host, port, path, user, pass)
    local form = {Language="LangEL",
                  Userlevels=user,
                  password=pass}
    local resp = http_post_simple(host, port,
                                 url.absolute(path, "culture/login"),
                                 nil, form)
    return resp.status == 200
           and get_tag(resp.body or "", "page", {id="^DeviceOverview$"})
  end
})

table.insert(fingerprints, {
  name = "Sunny Central (var.1)",
  category = "industrial",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 302
           and (response.header["location"] or ""):find("/SunnyCentral/public$")
  end,
  login_combos = {
    {username = "User",      password = "0000"},
    {username = "Installer", password = "1111"}
  },
  login_check = function (host, port, path, user, pass)
    local usrlvl = {User=0,Installer=1}
    local header = {["Content-Type"]="application/json;charset=utf-8"}
    local jin = {password=pass,
                 msg="",
                 userLevel=usrlvl[user],
                 parameters={}}
    json.make_object(jin)
    local resp = http_post_simple(host, port,
                                 url.absolute(path, "home/login"),
                                 {header=header}, json.generate(jin))
    if not (resp.status == 200 and resp.body) then return false end
    local jstatus, jout = json.parse(resp.body)
    return jstatus and jout.data and jout.data.ret
  end
})

table.insert(fingerprints, {
  name = "Sunny WebBox/Central (var.2)",
  category = "industrial",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("Sunny ", 1, true)
           and response.body:lower():find("<title>sunny %a+</title>")
           and get_tag(response.body, "frame", {src="^home_frameset%.htm$"})
  end,
  login_combos = {
    {username = "", password = "sma"}
  },
  login_check = function (host, port, path, user, pass)
    local form = {Language="en",
                  Password=pass,
                  ButtonLogin="Login"}
    local resp = http_post_simple(host, port, url.absolute(path, "login"),
                                 nil, form)
    if not (resp.status == 200
           and (resp.body or ""):find("top.frames[2].location.reload()", 1, true)) then
      return false
    end
    http_post_simple(host, port,
                    url.absolute(path, "home_frameset.htm?Logout=true"),
                    nil, {ButtonLogin="Abmelden"})
    return true
  end
})

table.insert(fingerprints, {
  name = "Sunny Central (var.3)",
  category = "industrial",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("Sunny ", 1, true)
           and response.body:lower():find("<title>sunny central ")
           and get_tag(response.body, "input", {name="^action$"})
           and get_tag(response.body, "input", {name="^command$"})
  end,
  login_combos = {
    {username = "user",      password = "sma"},
    {username = "installer", password = "sma"}
  },
  login_check = function (host, port, path, user, pass)
    local form = {action="login",
                  command="auth",
                  uname=user,
                  language="en",
                  pass=pass,
                  _ie_dummy=""}
    local resp = http_post_simple(host, port, path, nil, form)
    return resp.status == 200
           and get_tag(resp.body or "", "input", {name="^action$", value="^solar$"})
  end
})

table.insert(fingerprints, {
  name = "Trimble 4.x",
  category = "industrial",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return http_auth_realm(response) == "Trimble"
  end,
  login_combos = {
    {username = "admin", password = "password"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "Trimble 5.x",
  category = "industrial",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("Trimble", 1, true)
           and response.body:find("%Wvar%s+trmbTop%s*=")
           and get_tag(response.body, "link", {href="^CACHEDIR%d+/favicon%.ico$"})
  end,
  login_combos = {
    {username = "admin", password = "password"}
  },
  login_check = function (host, port, path, user, pass)
    local resp1 = http.get(host, port, path)
    if not (resp1.status == 200 and resp1.body) then return false end
    local link = get_tag(resp1.body, "link", {href="^CACHEDIR%d+/favicon%.ico$"})
    if not link then return false end
    local lurl = link.href:match("^.-/") .. "cgi-bin/login.xml?"
    local form = {username=user,
                  password=pass,
                  t=math.floor(os.difftime(os.time(),os.time({year=1980,month=1,day=6})))}
    local resp2 = http_get_simple(host, port,
                                 url.absolute(path, lurl .. url.build_query(form)))
    return resp2.status == 200
           and (resp2.body or ""):lower():find("<cookie>[^<]*%f[%w]user=" .. user:lower() .. "%W")
  end
})

table.insert(fingerprints, {
  name = "Deva Broadcast",
  category = "industrial",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("devabroadcast.com", 1, true)
           and (get_tag(response.body, "form", {action="^login%.shtml$"})
             or get_tag(response.body, "li", {["data-c"]="^lgn$"}))
  end,
  login_combos = {
    {username = "user",  password = "pass"},
    {username = "admin", password = "pass"}
  },
  login_check = function (host, port, path, user, pass)
    local form = stdnse.output_table()
    form.user = user
    form.pass = pass
    local resp = http_post_simple(host, port, url.absolute(path, "login.shtml"),
                                 nil, form)
    return resp.status == 303
           and (resp.header["location"] or ""):find("/main%.shtml$")
  end
})

table.insert(fingerprints, {
  name = "Deva Broadcast (basic auth)",
  category = "industrial",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("devabroadcast.com", 1, true)
           and get_tag(response.body, "a", {href="/secure/net%.htm$"})
  end,
  login_combos = {
    {username = "user",  password = "pass"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, url.absolute(path, "secure/net.htm"),
                        user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "Harmonic NSG 9000",
  category = "industrial",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("NSG 9000", 1, true)
           and response.body:find("(['\"])/AUTH/a%1")
           and response.body:lower():find("<title[^>]*>nsg 9000%-")
  end,
  login_combos = {
    {username = "admin",  password = "nsgadmin"},
    {username = "guest",  password = "nsgguest"},
    {username = "config", password = "nsgconfig"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, url.absolute(path, "AUTH/a"),
                        user, pass, false)
  end
})

---
--Printers
---
table.insert(fingerprints, {
  name = "Canon imageRunner Advance",
  cpe = "cpe:/a:canon:imagerunner",
  category = "printer",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("CANON", 1, true)
           and response.body:lower():find("<title>default authentication", 1, true)
           and get_tag(response.body, "input", {name="^deptid$"})
  end,
  login_combos = {
    {username = "7654321", password = "7654321"}
  },
  login_check = function (host, port, path, user, pass)
    local form = {uri=path,
                  user_type_generic="",
                  deptid=user,
                  password=pass}
    local resp = http_post_simple(host, port, url.absolute(path, "login"),
                                 nil, form)
    return resp.status == 302
           and get_cookie(resp, "com.canon.meap.service.login.session", "^%-?%d+$")
  end
})

table.insert(fingerprints, {
  name = "Kyocera Command Center",
  category = "printer",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("start.htm", 1, true)
           and get_tag(response.body, "frame", {src="/start/start%.htm$"})
           and response.body:lower():find("<title>kyocera command center</title>", 1, true)
  end,
  login_combos = {
    {username = "", password = "admin00"}
  },
  login_check = function (host, port, path, user, pass)
    local form = {okhtmfile=url.absolute(path, "opt1/index.htm"),
                  failhtmfile=url.absolute(path, "start/StartAccessDenied.htm"),
                  func="authLogin",
                  arg01_UserName=user,
                  arg02_Password=pass,
                  arg03_LoginType="",
                  submit001="OK",
                  language="../opt1/index.htm"}
    local resp = http_post_simple(host, port,
                                 url.absolute(path, "start/login.cgi"),
                                 nil, form)
    return resp.status == 200
           and get_cookie(resp, "level") == "3"
  end
})

table.insert(fingerprints, {
  name = "Kyocera Command Center (basic auth)",
  category = "printer",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and (response.header["server"] or ""):find("^KM%-httpd/%d+%.")
           and response.body
           and response.body:find("start.htm", 1, true)
           and get_tag(response.body, "frame", {src="/start/start%.htm$"})
  end,
  login_combos = {
    {username = "", password = ""},
    {username = "Admin", password = "Admin"}
  },
  login_check = function (host, port, path, user, pass)
    local lurl = url.absolute(path, "basic/DevDef.htm")
    local resp = http_get_simple(host, port, lurl)
    if resp.status == 200 then return user == "" end
    return try_http_auth(host, port, lurl, user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "Kyocera Command Center RX",
  category = "printer",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("Start_Wlm.htm", 1, true)
           and get_tag(response.body, "frame", {src="/startwlm/start_wlm%.htm$"})
  end,
  login_combos = {
    {username = "Admin", password = "Admin"}
  },
  login_check = function (host, port, path, user, pass)
    local form = {failhtmfile=url.absolute(path, "startwlm/Start_Wlm.htm"),
                  okhtmfile=url.absolute(path, "startwlm/Start_Wlm.htm"),
                  func="authLogin",
                  arg03_LoginType="_mode_off",
                  arg04_LoginFrom="_wlm_login",
                  language="../wlmeng/index.htm",
                  privid="",
                  publicid="",
                  attrtype="",
                  attrname="",
                  arg01_UserName=user,
                  arg02_Password=pass,
                  arg05_AccountId="",
                  Login="Login",
                  arg06_DomainName="",
                  hndHeight=0}
    local lurl = url.absolute(path, "startwlm/login.cgi")
    local header = {["Referer"]=url.build(url_build_defaults(host, port, {path=lurl}))}
    local resp = http_post_simple(host, port, lurl, {header=header}, form)
    return resp.status == 200
           and get_cookie(resp, "level") == "1"
  end
})

table.insert(fingerprints, {
  name = "OKI printer",
  category = "printer",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("okilogo", 1, true)
           and get_tag(response.body, "frame", {src="^status_toc%.htm$"})
  end,
  login_combos = {
    {username = "admin", password = "aaaaaa"},
    {username = "root",  password = "aaaaaa"},
    {username = "admin", password = "999999"},
    {username = "root",  password = "999999"},
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, url.absolute(path, "setupfrm.htm"),
                        user, pass, true)
  end
})

table.insert(fingerprints, {
  name = "RICOH Web Image Monitor",
  category = "printer",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and (response.header["server"] or ""):find("^Web%-Server/%d+%.")
           and response.body
           and response.body:find("/websys/webArch/mainFrame.cgi", 1, true)
  end,
  login_combos = {
    {username = "admin",      password = ""},
    {username = "supervisor", password = ""}
  },
  login_check = function (host, port, path, user, pass)
    local resp0 = http.get(host, port, path)
    if not (resp0.status == 200 and resp0.body) then return false end
    local lurl = resp0.body:match("%Wlocation%.href%s*=%s*['\"](/[^'\"]-/)mainFrame%.cgi['\"]")
    if not lurl then return false end
    local resp1 = http_get_simple(host, port, url.absolute(lurl, "authForm.cgi"),
                                 {cookies="cookieOnOffChecker=on"})
    if not (resp1.status == 200 and resp1.body) then return false end
    local token = get_tag(resp1.body, "input", {type="^hidden$", name="^wimToken$", value=""})
    if not token then return false end
    local form = {wimToken = token.value,
                  userid_work = "",
                  userid = base64.enc(user),
                  password_work = "",
                  password = base64.enc(pass),
                  open = ""}
    local resp2 = http_post_simple(host, port, url.absolute(lurl, "login.cgi"),
                                  {cookies=resp1.cookies}, form)
    return resp2.status == 302
           and (resp2.header["location"] or ""):find("/mainFrame%.cgi$")
           and get_cookie(resp2, "wimsesid", "^%d+$")
  end
})

table.insert(fingerprints, {
  name = "Samsung SyncThru (var.1)",
  category = "printer",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("SyncThru", 1, true)
           and response.body:lower():find("<title>syncthru web service</title>", 1, true)
           and get_tag(response.body, "frame", {src="^top_frame%.html$"})
  end,
  login_combos = {
    {username = "", password = ""}
  },
  login_check = function (host, port, path, user, pass)
    local resp = http_get_simple(host, port,
                                url.absolute(path, "Maintenance/security.htm"))
    return resp.status == 200
           and (resp.body or ""):find("%Wvar%s+secEnabled%s*=%s*(['\"])%1%s*;")
  end
})

table.insert(fingerprints, {
  name = "Samsung SyncThru (var.2)",
  category = "printer",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("SyncThru", 1, true)
           and response.body:lower():find("<title>syncthru web service</title>", 1, true)
           and get_tag(response.body, "frame", {src="^first_top_frame%.html$"})
  end,
  login_combos = {
    {username = "admin", password = "1111"}
  },
  login_check = function (host, port, path, user, pass)
    local form = {j_username=base64.enc(user),
                  j_password=base64.enc(pass),
                  j_domain=base64.enc("LOCAL"),
                  context=url.absolute(path, "sws.login"),
                  j_targetAuthSuccess=url.absolute(path, "sws.login/gnb/loggedinView.sws?loginBG=login_bg.gif&basedURL=/&sws=N&isPinCode=false"),
                  IDUserId=user,
                  IDUserPw=pass,
                  IDDomain="LOCAL",
                  isPinCode="true",
                  isIdOnly="true"}
    local resp = http_post_simple(host, port,
                                 url.absolute(path, "sws.application/j_spring_security_check_pre_installed"),
                                 nil, form)
    return resp.status == 302
           and (resp.header["location"] or ""):find("/loggedinView%.sws%f[;?\0]")
           and get_cookie(resp, "UserRole") == "Admin"
  end
})

table.insert(fingerprints, {
  name = "Sharp Printer",
  category = "printer",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 302
           and (response.header["server"] or ""):find("^Rapid Logic/%d+%.")
           and (response.header["location"] or ""):find("/main%.html$")
  end,
  login_combos = {
    {username = "Administrator", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    local usermap = {Administrator = 3}
    local lurl = url.absolute(path, "login.html?") .. url.absolute(path, "main.html")
    local resp1 = http_get_simple(host, port, lurl)
    if not (resp1.status == 200 and resp1.body) then return false end
    local ltype = get_tag(resp1.body, "input", {type="^hidden$", name="^ggt_hidden%(10008%)$", value="^%d+$"})
    if not ltype then return false end
    local token = get_tag(resp1.body, "input", {type="^hidden$", name="^token2$", value="^%x+$"})
    if not token then return false end
    local form2 = {["ggt_select(10009)"]=usermap[user],
                   ["ggt_textbox(10003)"]=pass,
                   action="loginbtn",
                   token2=token.value,
                   ordinate=0,
                   ["ggt_hidden(10008)"]=ltype.value}
    local resp2 = http_post_simple(host, port, lurl,
                                  {cookies=resp1.cookies}, form2)
    return resp2.status == 302
           and (resp2.header["location"] or ""):find("/main%.html$")
  end
})

table.insert(fingerprints, {
  name = "Sharp Printer (basic auth)",
  category = "printer",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.header["extend-sharp-setting-status"] == "0"
           and response.body
           and get_tag(response.body, "frame", {src="^link_user%.html$"})
  end,
  login_combos = {
    {username = "admin", password = "Sharp"},
    {username = "user",  password = "Sharp"},
    {username = "admin", password = "1234"},
    {username = "user",  password = "1234"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, url.absolute(path, "condition_def.html"),
                        user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "Toshiba TopAccess HD",
  category = "printer",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("/js/TopAccessUtil.js", 1, true)
           and get_tag(response.body, "script", {src="/js/TopAccessUtil%.js%f[\0?]"})
  end,
  login_combos = {
    {username = "admin", password = "123456"}
  },
  login_check = function (host, port, path, user, pass)
    local resp1 = http_get_simple(host, port, path)
    local token = resp1.status == 200 and get_cookie(resp1, "Session", ".")
    if not token then return false end
    local ipaddr = token:match("^(.+)%.")
    if not ipaddr then return false end
    local header = {["Content-Type"]="text/plain", ["csrfpId"]=token}
    local msg = [[
      <DeviceInformationModel>
        <GetValue>
          <Authentication>
            <UserCredential></UserCredential>
          </Authentication>
        </GetValue>
        <GetValue>
          <Panel>
            <DiagnosticMode><Mode_08><Code_8913></Code_8913></Mode_08></DiagnosticMode>
          </Panel>
        </GetValue>
        <SetValue>
          <Authentication>
            <UserCredential>
              <userName>__USER__</userName>
              <passwd>__PASS__</passwd>
              <ipaddress>__IPADDR__</ipaddress>
              <DepartmentManagement isEnable='false'><requireDepartment></requireDepartment></DepartmentManagement>
              <domainName></domainName>
              <applicationType>TOP_ACCESS</applicationType>
            </UserCredential>
          </Authentication>
        </SetValue>
        <Command>
          <Login>
            <commandNode>Authentication/UserCredential</commandNode>
            <Params><appName>TOPACCESS</appName></Params>
          </Login>
        </Command>
        <SaveSessionInformation>
          <SessionInfo>
            <Information><type>LoginPassword</type><data>__PASS__</data></Information>
            <Information><type>LoginUser</type><data>__USER__</data></Information>
          </SessionInfo>
        </SaveSessionInformation>
      </DeviceInformationModel>]]
    msg = msg:gsub("^%s+", ""):gsub("\n%s*", "")
    msg = msg:gsub("__%w+__", {__USER__=xmlencode(user),
                               __PASS__=xmlencode(pass),
                               __IPADDR__=ipaddr})
    local resp2 = http_post_simple(host, port,
                                  url.absolute(path, "contentwebserver"),
                                  {cookies=resp1.cookies, header=header}, msg)
    return resp2.status == 200
           and (resp2.body or ""):find("<Login>.-<statusOfOperation>STATUS_OK</statusOfOperation>.-</Login>")
  end
})

table.insert(fingerprints, {
  name = "Toshiba TopAccess SY",
  category = "printer",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 301
           and (response.header["location"] or ""):find("/TopAccess/default%.htm$")
  end,
  login_combos = {
    {username = "Admin", password = "123456"}
  },
  login_check = function (host, port, path, user, pass)
    local resp = http_post_simple(host, port,
                                 url.absolute(path, "ADMIN/Login"),
                                 nil, {USERNAME=user,PASS=pass})
    return resp.status == 301 and get_cookie(resp, "SESSID", "^0,%x+$")
  end
})

table.insert(fingerprints, {
  name = "Xerox SyncThru",
  category = "printer",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    if not (response.status == 200
           and (response.body or ""):find("RedirectToSWS()", 1, true)) then
      return false
    end
    local resp = http_get_simple(host, port,
                                url.absolute(path, "sws/index.html"))
    return resp.status == 200
           and resp.body
           and resp.body:find("CentreWare", 1, true)
           and resp.body:lower():find("<title>[^<]-%f[%w]centreware%f[%W]")
  end,
  login_combos = {
    {username = "admin", password = "1111"}
  },
  login_check = function (host, port, path, user, pass)
    local auth = "Basic " .. base64.enc(user .. ":" .. pass)
    local resp = http_post_simple(host, port,
                                 url.absolute(path, "sws/app/gnb/login/login.jsp"),
                                 nil, {Authentication=auth})
    return resp.status == 200
           and (resp.body or ""):find("%Wsuccess%s*:%s*true%W")
  end
})

table.insert(fingerprints, {
  name = "Xerox AltaLink",
  cpe = "cpe:/o:xerox:altalink_*",
  category = "printer",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("Xerox", 1, true)
           and response.body:find("%Wdocument%.location%s*=%s*(['\"])[^'\"]*/stat/welcome%.php%?tab=status%1%s*;")
  end,
  login_combos = {
    {username = "admin", password = "1111"}
  },
  login_check = function (host, port, path, user, pass)
    local resp1 = http_get_simple(host, port,
                                 url.absolute(path, "properties/authentication/login.php"))
    if resp1.status ~= 200 then return false end
    local form = get_form_fields(resp1.body, {action="/userpost/xerox%.set$"})
    if not form then return false end
    form.frmwebUsername = user
    form.frmwebPassword = pass
    local resp2 = http_post_simple(host, port,
                                  url.absolute(path, "userpost/xerox.set"),
                                  {cookies=resp1.cookies}, form)
    return resp2.status == 200
           and resp2.body
           and (resp2.body:find("%Wwindow%.opener%.top%.location%s*=%s*window%.opener%.top%.location%.href%s*;")
             or resp2.body:find("%Wdocument%.location%s*=%s*(['\"])['\"]-/stat/welcome%.php%?tab=status%1%s*;")
             or resp2.body:find("%Wdocument%.location%s*=%s*(['\"])['\"]-/properties/blank%.php%1%s*;"))
  end
})

table.insert(fingerprints, {
  name = "Xerox CentreWare",
  category = "printer",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("XEROX WORKCENTRE", 1, true)
           and get_tag(response.body, "frame", {src="/header%.php%?tab=status$"})
  end,
  login_combos = {
    {username = "admin", password = "1111"}
  },
  login_check = function (host, port, path, user, pass)
    local resp1 = http_get_simple(host, port,
                                 url.absolute(path, "properties/authentication/login.php"))
    if resp1.status ~= 200 then return false end
    local form = get_form_fields(resp1.body, {action="/userpost/xerox%.set$"})
    if not form then return false end
    form.webUsername = user
    form.webPassword = pass
    local resp2 = http_post_simple(host, port,
                                  url.absolute(path, "userpost/xerox.set"),
                                  {cookies=resp1.cookies}, form)
    return resp2.status == 200
           and (resp2.body or ""):find("%Wwindow%.opener%.top%.location%s*=%s*window%.opener%.top%.location%.pathname%s*;")
  end
})

table.insert(fingerprints, {
  name = "Xerox CentreWare (basic auth)",
  category = "printer",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return http_auth_realm(response) == "CentreWare Internet Services"
  end,
  login_combos = {
    {username = "11111", password = "x-admin"},
    {username = "admin", password = "1111"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "Xerox CentreWare (basic auth var.1)",
  category = "printer",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    if  not (response.status == 200
            and response.body
            and response.body:find("hdstat.htm", 1, true)
            and get_tag(response.body, "frame", {src="^hdstat%.htm$"})) then
      return false
    end
    local lcbody = response.body:lower()
    return lcbody:find("<title>[%w%s]*workcentre%s")
           or lcbody:find("<title>%s*internet services%W")
           or lcbody:find("<title>%s*docucolor%W")
  end,
  login_combos = {
    {username = "11111", password = "x-admin"},
    {username = "admin", password = "1111"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, url.absolute(path, "prscauthconf.htm"),
                        user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "Xerox CentreWare (basic auth var.2)",
  category = "printer",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    if not (response.status == 200
           and (response.body or ""):find("ChangeDefWebLanguage()", 1, true)) then
      return false
    end
    local resp = http_get_simple(host, port, url.absolute(path, "home.html"))
    return (http_auth_realm(resp) or ""):find("%f[%w]WorkCentre%f[%W]")
  end,
  login_combos = {
    {username = "admin", password = "1111"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, url.absolute(path, "home.html"),
                        user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "Xerox CentreWare (basic auth var.3)",
  category = "printer",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    if not (response.status == 200
           and (response.body or ""):find("ChangeDefWebLanguage()", 1, true)) then
      return false
    end
    local resp = http_get_simple(host, port, url.absolute(path, "home.html"))
    return resp.status == 200
           and resp.body
           and resp.body:find("Xerox", 1, true)
           and resp.body:lower():find("<title>[^<]-%f[%w]xerox%f[%W]")
  end,
  login_combos = {
    {username = "admin", password = "1111"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port,
                        url.absolute(path, "properties/securitysettings.html"),
                        user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "Xerox CentreWare (basic auth var.4)",
  category = "printer",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("Xerox", 1, true)
           and response.body:find("/status/statusAlerts.dhtml", 1, true)
           and response.body:find("/tabsFrame.dhtml", 1, true)
           and get_tag(response.body, "frame", {src="/tabsframe%.dhtml$"})
  end,
  login_combos = {
    {username = "admin", password = "1111"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port,
                        url.absolute(path, "properties/maintenance/maintenance.dhtml"),
                        user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "Xerox CentreWare (basic auth var.5)",
  category = "printer",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and not response.header["server"]
           and response.body
           and response.body:find("Xerox", 1, true)
           and response.body:find("/js/deviceStatus.dhtml", 1, true)
           and response.body:find("/tabsFrame.dhtml", 1, true)
           and get_tag(response.body, "frame", {src="/tabsframe%.dhtml$"})
  end,
  login_combos = {
    {username = "admin", password = "1111"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port,
                        url.absolute(path, "reloadMaintenance.dhtml"),
                        user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "Xerox CentreWare (basic auth var.6)",
  category = "printer",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and (response.header["server"] or ""):find("^Xerox_MicroServer")
           and response.body
           and response.body:find("Xerox", 1, true)
           and response.body:find("/js/deviceStatus.dhtml", 1, true)
           and response.body:find("/tabsFrame.dhtml", 1, true)
           and get_tag(response.body, "frame", {src="/tabsframe%.dhtml$"})
  end,
  login_combos = {
    {username = "admin", password = "1111"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port,
                        url.absolute(path, "properties/upgrade/m_software.dhtml"),
                        user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "Zebra Printer",
  category = "printer",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("Zebra Technologies", 1, true)
           and response.body:lower():find("<a%f[%s][^>]-%shref%s*=%s*(['\"])config%.html%1[^>]*>view printer configuration</a>")
  end,
  login_combos = {
    {username = "", password = "1234"}
  },
  login_check = function (host, port, path, user, pass)
    local resp = http_post_simple(host, port, url.absolute(path, "authorize"),
                                 nil, {["0"]=pass})
    return resp.status == 200
           and (resp.body or ""):find(">Access Granted.", 1, true)
  end
})

table.insert(fingerprints, {
  name = "Zebra Print Server",
  category = "printer",
  paths = {
    {path = "/server/TCPIPGEN.htm"}
  },
  target_check = function (host, port, path, response)
    return http_auth_realm(response) == "Network Print Server"
  end,
  login_combos = {
    {username = "admin", password = "1234"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "EFI Fiery Webtools (var.1)",
  category = "printer",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    if not (response.status == 200
           and (response.header["content-location"] or ""):find("^redirect%.html%.")) then
      return false
    end
    local rurl = get_refresh_url(response.body or "", "^wt2parser%.cgi%?home_%a+$")
    if not rurl then return false end
    local resp = http_get_simple(host, port,
                                url.absolute(path, rurl:gsub("home_", "config_")))
    return resp.status == 200
           and resp.body
           and resp.body:find("=%s*window%.open%((['\"])wt2parser%.cgi%?cfgsetup_%a+%1")
  end,
  login_combos = {
    {username = "Administrator", password = ""},
    {username = "Administrator", password = "Fiery.1"}
  },
  login_check = function (host, port, path, user, pass)
    local sessionid = host.ip
                      .. "_"
                      .. math.floor(stdnse.clock_ms())
                      .. math.random(100000, 999999)
    local encpass = xmlencode(pass)
    local header = {["Content-Type"]="text/xml", ["SOAPAction"]='""'}
    local soapmsg = [[
      <?xml version='1.0' encoding='UTF-8'?>
      <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
        <SOAP-ENV:Body>
          <ns1:doLogin xmlns:ns1="urn:FierySoapService" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
            <sessionId xsi:type="xsd:string">__SESS__</sessionId>
            <in xsi:type="ns1:Login">
              <fieldsMask xsi:type="xsd:int">0</fieldsMask>
              <password xsi:type="xsd:string">__PASS__</password>
              <timeout xsi:type="xsd:int">30</timeout>
              <userName xsi:type="xsd:string" xsi:nil="true"/>
            </in>
          </ns1:doLogin>
        </SOAP-ENV:Body>
      </SOAP-ENV:Envelope>
      ]]
    soapmsg = soapmsg:gsub("%f[^\0\n]%s+", "")
    soapmsg = soapmsg:gsub("__%w+__", {__SESS__=sessionid, __PASS__=encpass})
    local resp = http_post_simple(host, port, url.absolute(path, "soap"),
                                 {header=header}, soapmsg)
    return resp.status == 200
           and (resp.body or ""):find('<result xsi:type="xsd:boolean">true</result>', 1, true)
  end
})

table.insert(fingerprints, {
  name = "EFI Fiery Webtools (var.2)",
  category = "printer",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    if not (response.status == 200
           and (response.header["content-location"] or ""):find("^redirect%.html%.")) then
      return false
    end
    local rurl = get_refresh_url(response.body or "")
    if not (rurl == "wt4/home"
             or (rurl or ""):find("^wt2parser%.cgi%?home_%a+$")) then
      return false
    end
    local resp = http_get_simple(host, port, url.absolute(path, "wt4/login?lang=en"))
    return resp.status == 200
           and resp.body
           and get_tag(resp.body, "input", {type="^hidden$", name="^authenticity_token$"})
  end,
  login_combos = {
    {username = "Administrator", password = ""},
    {username = "Administrator", password = "Fiery.1"}
  },
  login_check = function (host, port, path, user, pass)
    local resp1 = http_get_simple(host, port, url.absolute(path, "wt4/login?lang=en"))
    if not (resp1.status == 200 and resp1.body) then return false end
    local token = get_tag(resp1.body, "input", {type="^hidden$", name="^authenticity_token$", value=""})
    if not token then return false end
    local form = {user_name=user,
                  password=pass,
                  authenticity_token=token.value}
    local resp2 = http_post_simple(host, port,
                                  url.absolute(path, "wt4/login/do_login"),
                                  {cookies=resp1.cookies}, form)
    return resp2.status == 302
           and (resp2.header["location"] or ""):find("/wt4/configure$")
  end
})

---
--Storage
---
table.insert(fingerprints, {
  name = "Areca RAID",
  category = "storage",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return http_auth_realm(response) == "Raid Console"
  end,
  login_combos = {
    {username = "admin", password = "0000"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, true)
  end
})

table.insert(fingerprints, {
  name = "Asustor ADM",
  cpe = "cpe:/o:asustor:data_master",
  category = "storage",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and get_refresh_url(response.body, "^portal/%?%x+$")
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    local form = {account=user,
                  password=pass,
                  ["two-step-auth"]="true"}
    local resp = http_post_simple(host, port,
                                 url.absolute(path, "portal/apis/login.cgi?act=login&_dc=" .. stdnse.clock_ms()),
                                 nil, form)
    if not (resp.status == 200 and resp.body) then return false end
    local jstatus, jout = json.parse(resp.body)
    return jstatus and jout.success and jout.account == user
  end
})

table.insert(fingerprints, {
  name = "HP StorageWorks SMU",
  category = "storage",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return have_openssl
           and response.status == 200
           and response.body
           and response.body:find("checkAuthentication", 1, true)
           and get_tag(response.body, "script", {src="^js/js_brandstrings%.js$"})
  end,
  login_combos = {
    {username = "monitor", password = "!monitor"},
    {username = "manage",  password = "!manage"},
    {username = "admin",   password = "!admin"}
  },
  login_check = function (host, port, path, user, pass)
    local creds = stdnse.tohex(openssl.md5(user .. "_" .. pass))
    local header = {["Content-Type"]="application/x-www-form-urlencoded",
                    ["datatype"]="json"}
    local resp = http_post_simple(host, port, url.absolute(path, "api/"),
                                 {header=header}, "/api/login/" .. creds)
    return resp.status == 200
           and (resp.header["command-status"] or ""):find("^1 ")
  end
})

table.insert(fingerprints, {
  name = "HP 3PAR SSMC",
  category = "storage",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("StoreServ Management Console", 1, true)
           and response.body:lower():find("<title>storeserv management console</title>")
           and get_tag(response.body, "link", {href="^ssmc/css/"})
  end,
  login_combos = {
    {username = "", password = ""},
    {username = "3paradm",  password = "3pardata"},
    {username = "3parcust", password = "3parInServ"}
  },
  login_check = function (host, port, path, user, pass)
    if user == "" then
      local resp = http_get_simple(host, port,
                                  url.absolute(path, "foundation/REST/trustedservice/admincredentials"))
      if not (resp.status == 200 and resp.body) then return false end
      local jstatus, jout = json.parse(resp.body)
      return jstatus and jout.isAdminPasswordSet == false
    end
    local header = {["Accept"]="application/json, text/plain, */*",
                    ["Content-Type"]="application/json;charset=utf-8"}
    local jin = {username=user,
                 password=pass,
                 adminLogin=false,
                 authLoginDomain="LOCAL"}
    json.make_object(jin)
    local resp = http_post_simple(host, port,
                                 url.absolute(path, "foundation/REST/sessionservice/sessions"),
                                 {header=header}, json.generate(jin))
    return resp.status == 201
           and (resp.header["location"] or ""):find("/foundation/REST/sessionservice/sessions/%w+$")
  end
})

table.insert(fingerprints, {
  name = "IBM Storwize V3700",
  cpe = "cpe:/a:ibm:storwize_v3700_software",
  category = "storage",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("V3700", 1, true)
           and response.body:lower():find("<title>[^<]-%sibm storwize v3700%s*</title>")
  end,
  login_combos = {
    {username = "superuser", password = "passw0rd"}
  },
  login_check = function (host, port, path, user, pass)
    local form = {login=user,
                 password=pass,
                 newPassword="",
                 confirmPassword="",
                 tzoffset="0", -- present twice in the original form
                 nextURL="",   -- present twice in the original form
                 licAccept=""}
    local resp = http_post_simple(host, port, url.absolute(path, "login"),
                                 nil, form)
    return resp.status == 302
           and (resp.header["location"] or ""):find("/gui$")
  end
})

table.insert(fingerprints, {
  name = "NAS4Free",
  cpe = "cpe:/a:nas4free:nas4free",
  category = "storage",
  paths = {
    {path = "/login.php"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("NAS4Free", 1, true)
           and response.body:find("?channels=#nas4free", 1, true)
  end,
  login_combos = {
    {username = "admin", password = "nas4free"}
  },
  login_check = function (host, port, path, user, pass)
    local resp = http_post_simple(host, port, path, nil,
                                 {username=user,password=pass})
    return resp.status == 302
           and resp.header["location"] == "index.php"
  end
})

table.insert(fingerprints, {
  name = "Netgear ReadyNAS RAIDiator",
  cpe = "cpe:/o:netgear:raidiator",
  category = "storage",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and get_refresh_url(response.body, "/shares/$")
           and response.body:lower():find("netgear")
  end,
  login_combos = {
    {username = "admin", password = "netgear1"},
    {username = "admin", password = "infrant1"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, url.absolute(path, "shares/"),
                        user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "Netgear ReadyNAS OS 6",
  category = "storage",
  paths = {
    {path = "/admin/"}
  },
  target_check = function (host, port, path, response)
    return http_auth_realm(response) == "ReadyNAS Admin"
  end,
  login_combos = {
    {username = "admin", password = "password"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "Netgear ReadyDATA OS",
  category = "storage",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return http_auth_realm(response) == "ReadyDATAOS"
  end,
  login_combos = {
    {username = "admin", password = "password"}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port, path, user, pass, true)
  end
})

table.insert(fingerprints, {
  name = "OpenMediaVault",
  category = "storage",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("openmediavault", 1, true)
           and response.body:lower():find("%ssrc%s*=%s*(['\"])[^'\"]-js/omv/rpc%.js%1")
  end,
  login_combos = {
    {username = "admin", password = "openmediavault"}
  },
  login_check = function (host, port, path, user, pass)
    local header = {["Accept"]="application/json, */*",
                    ["Content-Type"]="application/json"}
    local jin = {service="Session",
                 method="login",
                 params={username=user,password=pass},
                 options=json.NULL}
    json.make_object(jin)
    local resp = http_post_simple(host, port, url.absolute(path, "rpc.php"),
                                 {header=header}, json.generate(jin))
    if not (resp.status == 200 and resp.body) then return false end
    local jstatus, jout = json.parse(resp.body)
    return jstatus and jout.response
           and jout.response.authenticated and jout.response.username == user
  end
})

table.insert(fingerprints, {
  name = "Pure Storage",
  category = "storage",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("Pure Storage", 1, true)
           and response.body:lower():find("<title>pure storage ", 1, true)
           and get_tag(response.body, "form", {onsubmit="^pure%.page%.login%("})
  end,
  login_combos = {
    {username = "pureuser", password = "pureuser"}
  },
  login_check = function (host, port, path, user, pass)
    local jin = {username=user,
                 password=pass,
                 handler="session.query",
                 operation="login"}
    json.make_object(jin)
    local resp = http_post_simple(host, port, url.absolute(path, "login"),
                                 nil, {json=json.generate(jin)})
    if not (resp.status == 200 and resp.body) then return false end
    local jstatus, jout = json.parse(resp.body)
    return jstatus and jout.userSession and jout.userSession.user == user
  end
})

table.insert(fingerprints, {
  name = "Quest DR",
  category = "storage",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("Quest Software", 1, true)
           and response.body:lower():find("<cui-login-screen>", 1, true)
  end,
  login_combos = {
    {username = "administrator", password = "St0r@ge!"}
  },
  login_check = function (host, port, path, user, pass)
    local header = {["Accept"]="application/json, text/plain, */*",
                    ["Content-Type"]="application/json;charset=utf-8"}
    local jin = {jsonrpc="2.0",
                 method="Logon",
                 params={UserName=user,Password=pass},
                 id=1}
    json.make_object(jin)
    local resp = http_post_simple(host, port,
                                 url.absolute(path, "ws/v1.0/jsonrpc"),
                                 {header=header}, json.generate(jin))
    if not (resp.status == 200 and resp.body) then return false end
    local jstatus, jout = json.parse(resp.body)
    if not (jstatus and jout.result) then return false end
    for _, obj in ipairs(jout.result.objects or {}) do
      if obj.SessionCookie then return true end
    end
    return false
  end
})

table.insert(fingerprints, {
  name = "Seagate BlackArmor NAS (var.1)",
  cpe = "cpe:/o:seagate:blackarmor_nas_*",
  category = "storage",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("Seagate", 1, true)
           and response.body:lower():find("<title>seagate nas - ", 1, true)
           and get_tag(response.body, "input", {name="^p_user$"})
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    local form = {p_user=user,
                  p_pass=pass,
                  lang="en",
                  xx=1,
                  loginnow="Login"}
    local resp = http_post_simple(host, port, path, nil, form)
    return resp.status == 302
           and (resp.header["location"] or ""):find("/admin/system_status.php?", 1, true)
  end
})

table.insert(fingerprints, {
  name = "Seagate BlackArmor NAS (var.2)",
  cpe = "cpe:/o:seagate:blackarmor_nas_*",
  category = "storage",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("BlackArmor", 1, true)
           and response.body:find("/index.php/mv_login/validate_user", 1, true)
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    local resp = http_post_simple(host, port,
                                 url.absolute(path, "index.php/mv_login/validate_user"),
                                 {header={["Accept"]="text/html, text/plain, */*"}},
                                 {username=user,password=pass})
    return resp.status == 302
           and (resp.header["location"] or ""):find("/index.php/mv_home/admin_dashboard", 1, true)
  end
})

table.insert(fingerprints, {
  name = "Toshiba Canvio",
  category = "storage",
  paths = {
    {path = "/login.php"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("Canvio", 1, true)
           and response.body:find("/sconfig/cgi/hook_login.php", 1, true)
  end,
  login_combos = {
    {username = "admin", password = "admin"}
  },
  login_check = function (host, port, path, user, pass)
    local resp1 = http_get_simple(host, port, path)
    if not (resp1.status == 200 and resp1.body) then return false end
    local session, pageid = resp1.body:match("%Wfunction%s+mkPOSTParam%s*%("
                              .. "[^}]-%Wvar%s+s%s*=%s*['\"](%x+)"
                              .. "[^}]-%Wvar%s+p%s*=%s*['\"](%x+)")
    local action = resp1.body:match("%WpostParam%.aCtIoN%s*=%s*['\"](%x+)")
    if not (session and action) then return false end
    local form2 = {rn = math.random(1000000000000000,9999999999999999),
                   session = session,
                   pageid = pageid,
                   aCtIoN = action,
                   UsErNaMe = user,
                   PaSsWoRD = pass}
    local resp2 = http_post_simple(host, port,
                                  url.absolute(path, "sconfig/cgi/hook_login.php"),
                                  {cookies="PHPSESSID="..session}, form2)
    if not (resp2.status == 200 and resp2.body) then return false end
    local jstatus, jout = json.parse(resp2.body)
    return jstatus and jout.err == 0
  end
})

table.insert(fingerprints, {
  name = "Western Digital My Cloud",
  category = "storage",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and get_cookie(response, "PHPSESSID", "^%x+$")
           and response.body
           and response.body:find("/cgi-bin/login_mgr.cgi", 1, true)
           and response.body:find("%Wcmd:%s*(['\"])wd_login%1")
  end,
  login_combos = {
    {username = "admin", password = ""}
  },
  login_check = function (host, port, path, user, pass)
    local resp1 = http_get_simple(host, port, path)
    if not (resp1.status == 200 and resp1.body) then return false end
    local form = {cmd="wd_login",
                  username=user,
                  pwd=base64.enc(pass),
                  port=""}
    local resp2 = http_post_simple(host, port,
                                  url.absolute(path, "cgi-bin/login_mgr.cgi"),
                                  {cookies=resp1.cookies}, form)
    return resp2.status == 200
           and (resp2.body or ""):find("<config>.*<res>[1-9]</res>.*</config>")
  end
})

table.insert(fingerprints, {
  name = "WiseGiga",
  category = "storage",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("WISEGIGA", 1, true)
           and response.body:lower():find("<title>wisegiga</title>", 1, true)
           and get_tag(response.body, "a", {href="/webfolder/$"})
  end,
  login_combos = {
    {username = "guest", password = "guest09#$"},
    {username = "root",  password = "admin09#$"}
  },
  login_check = function (host, port, path, user, pass)
    local form = {id=user,
                  passwd=pass,
                  remember_check=0,
                  sel_lang="en"}
    local resp = http_post_simple(host, port,
                                 url.absolute(path, "webfolder/login_check.php"),
                                 nil, form)
    return resp.status == 200
           and (resp.body or ""):find("%Wlocation%.href%s*=%s*(['\"])[Mm]ain%.php%1")
  end
})

table.insert(fingerprints, {
  name = "D-Link SharePort Web Access",
  category = "storage",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return have_openssl
           and response.status == 200
           and (response.header["server"] or ""):find(" WEBACCESS/.- DIR%-%d+")
           and response.body
           and response.body:find("hex_hmac_md5", 1, true)
           and response.body:lower():find("<title>d%-link systems[^<]+ login</title>")
  end,
  login_combos = {
    {username = "admin", password = ""}
  },
  login_check = function (host, port, path, user, pass)
    local get_lurl = function ()
                       return url.absolute(path, "dws/api/Login?"
                                           .. math.floor(stdnse.clock_ms()))
                     end
    local resp1 = http_get_simple(host, port, get_lurl())
    if not (resp1.status == 200 and resp1.body) then return false end
    local jstatus, jout = json.parse(resp1.body)
    if not (jstatus and jout.uid and jout.challenge) then return false end
    local auth = stdnse.tohex(openssl.hmac("MD5", pass, user .. jout.challenge))
    local resp2 = http_post_simple(host, port, get_lurl(),
                                  {cookies = "uid=" .. jout.uid},
                                  {id=user, password=auth})
    if not (resp2.status == 200 and resp2.body) then return false end
    jstatus, jout = json.parse(resp2.body)
    return jstatus and jout.status == "ok"
  end
})

table.insert(fingerprints, {
  name = "EMC VMAX vApp Manager",
  category = "storage",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("VMAX", 1, true)
           and response.body:lower():find("<title>[^<]+ vmax</title>")
           and get_refresh_url(response.body, "/SE/?$")
  end,
  login_combos = {
    {username = "smc", password = "smc"}
  },
  login_check = function (host, port, path, user, pass)
    local resp = http_post_simple(host, port, url.absolute(path, "SE/app"),
                                 nil, {user=user, passwd=pass})
    return resp.status == 200
           and get_cookie(resp, "JSESSIONID", ".")
           and (resp.body or ""):find("=%s*['\"]login=success&")
  end
})

---
--Virtualization systems
---
table.insert(fingerprints, {
  name = "VMware ESXi",
  cpe = "cpe:/o:vmware:esxi",
  category = "virtualization",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("ID_EESX_Welcome", 1, true)
           and response.body:find("/folder?dcPath=ha-datacenter", 1, true)
  end,
  login_combos = {
    {username = "root", password = ""}
  },
  login_check = function (host, port, path, user, pass)
    return try_http_auth(host, port,
                        url.absolute(path, "folder?dcPath=ha-datacenter"),
                        user, pass, false)
  end
})

table.insert(fingerprints, {
  name = "VMware vCloud Connector",
  category = "virtualization",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    if not (response.status == 200
           and response.body
           and response.body:find("com.vmware.vami.", 1, true)
           and get_tag(response.body, "script", {src="^com%.vmware%.vami%.CoreWrapper%."})) then
      return false
    end
    local resp = http_get_simple(host, port,
                                url.absolute(path, "service/core/view-deploy.xml"))
    return resp.status == 200
           and resp.body
           and resp.body:find("<name>Core</name>", 1, true)
           and get_tag(resp.body, "property", {value="^vCloud Connector Node$"})
  end,
  login_combos = {
    {username = "admin", password = "vmware"}
  },
  login_check = function (host, port, path, user, pass)
    local header = {Authorization="Basic " .. base64.enc(user .. ":" .. pass),
                    CIMProtocolVersion="1.0",
                    CIMOperation="MethodCall",
                    CIMMethod=urlencode_all("CreateSessionToken"),
                    CIMObject=urlencode_all("root/cimv2:VAMI_Authentication"),
                    ["Content-Type"]="application/xml; charset=UTF-8"}
    local msg = [[
      <?xml version="1.0" encoding="UTF-8"?>
      <CIM CIMVERSION="2.0" DTDVERSION="2.0">
        <MESSAGE ID="1" PROTOCOLVERSION="1.0">
          <SIMPLEREQ>
            <METHODCALL NAME="CreateSessionToken">
              <LOCALCLASSPATH>
                <LOCALNAMESPACEPATH>
                  <NAMESPACE NAME="root"/>
                  <NAMESPACE NAME="cimv2"/>
                </LOCALNAMESPACEPATH>
                <CLASSNAME NAME="VAMI_Authentication"/>
              </LOCALCLASSPATH>
            </METHODCALL>
          </SIMPLEREQ>
        </MESSAGE>
      </CIM>]]
    msg = msg:gsub("^%s+", ""):gsub("\n%s*", "")
    local resp = http_post_simple(host, port, url.absolute(path, "cimom"),
                                 {header=header}, msg)
    return resp.status == 200
           and (resp.body or ""):find("<PARAMVALUE%s+NAME%s*=%s*(['\"])Token%1")
  end
})

table.insert(fingerprints, {
  name = "PCoIP Zero Client",
  cpe = "cpe:/a:teradici:pcoip_host_software",
  category = "virtualization",
  paths = {
    {path = "/login.html"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("PCoIP&#174 Zero Client", 1, true)
           and response.body:find("password_value", 1, true)
  end,
  login_combos = {
    {username = "", password = "Administrator"}
  },
  login_check = function (host, port, path, user, pass)
    local resp = http_post_simple(host, port, url.absolute(path, "cgi-bin/login"),
                                 nil, {password_value=pass, idle_timeout=60})
    return resp.status == 302 and get_cookie(resp, "session_id", "^%x+$")
  end
})

---
--Remote consoles
---
table.insert(fingerprints, {
  name = "Lantronix SLB/SLC",
  category = "console",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and (response.header["server"] or ""):find("^mini_httpd/%d+%.")
           and response.body
           and response.body:find("lantronix", 1, true)
           and response.body:find("slcpassword", 1, true)
  end,
  login_combos = {
    {username = "sysadmin", password = "PASS"}
  },
  login_check = function (host, port, path, user, pass)
    local resp = http_post_simple(host, port, path, nil,
                                 {slclogin=user, slcpassword=pass})
    return resp.status == 200
           and resp.body
           and (resp.body:find("User already logged into web")
             or get_tag(resp.body, "frame", {name="^data$", src="^home%.htm$"}))
  end
})

table.insert(fingerprints, {
  name = "Avocent Explorer",
  category = "console",
  paths = {
    {path = "/login.php"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("Avocent", 1, true)
           and response.body:find("loginPassword", 1, true)
           and response.body:lower():find("<title>[^<]+ explorer</title>")
  end,
  login_combos = {
    {username = "Admin", password = ""}
  },
  login_check = function (host, port, path, user, pass)
    local form = {action="login",
                  token="",
                  loginUsername=user,
                  loginPassword=pass,
                  language="en"}
    local resp = http_post_simple(host, port, path, nil, form)
    return resp.status == 302
           and (resp.header["location"] or ""):find("/home%.php$")
           and get_cookie(resp, "avctSessionId", "^%d+$")
  end
})

table.insert(fingerprints, {
  name = "Bomgar Appliance",
  category = "console",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    if response.header["server"] ~= "Bomgar" then return false end
    local resp = http_get_simple(host, port,
                                url.absolute(path, "appliance/"))
    return resp.status == 302
           and get_cookie(resp, "gw_s", "^%w+$")
           and (resp.header["location"] or ""):find("/appliance/login%.ns$")
  end,
  login_combos = {
    {username = "admin", password = "password"}
  },
  login_check = function (host, port, path, user, pass)
    local lurl = url.absolute(path, "appliance/login.ns")
    local resp1 = http_get_simple(host, port, lurl)
    if not (resp1.status == 200 and resp1.body) then return false end
    local formid = get_tag(resp1.body, "input", {type="^hidden$", name="^form_id$", value="^[%w+/]+=*$"})
    if not formid then return false end
    local form2 = {fake_password="",
                   form_id=formid.value,
                   ["login[username]"]=user,
                   ["login[password]"]=pass,
                   ["login[submit]"]="Login",
                   submit_button="Login"}
    local header = {["Referer"]=url.build(url_build_defaults(host, port, {path=lurl}))}
    local resp2 = http_post_simple(host, port, lurl,
                                  {cookies=resp1.cookies, header=header}, form2)
    return resp2.status == 200
           and get_tag(resp2.body or "", "input", {id="^new_password2$"})
  end
})

table.insert(fingerprints, {
  name = "Dell ERA",
  category = "console",
  paths = {
    {path = "/applet.html"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.header["server"] == "RMC Webserver 2.0"
           and response.body
           and response.body:find("DRSCAppletInterface.class", 1, true)
  end,
  login_combos = {
    {username = "root", password = "calvin"}
  },
  login_check = function (host, port, path, user, pass)
    local resp1 = http_get_simple(host, port, url.absolute(path, "cgi/challenge"))
    if resp1.status ~= 200 then return false end
    local url2 = ("cgi/login?user=%s&hash=%s"):format(user, pass)
    local resp2 = http_get_simple(host, port, url.absolute(path, url2),
                                 {cookies=resp1.cookies})
    return resp2.status == 200
           and (resp2.body or ""):find("<RMCLOGIN><RC>0x0</RC></RMCLOGIN>", 1, true)
  end
})

table.insert(fingerprints, {
  name = "Dell DRAC4",
  cpe = "cpe:/h:dell:remote_access_card",
  category = "console",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.header["server"] == "RMC Webserver 2.0"
           and response.body
           and response.body:find("DRAC 4", 1, true)
           and response.body:find("%Wvar%s+s_oemProductName%s*=%s*(['\"])DRAC 4%1")
  end,
  login_combos = {
    {username = "root", password = "calvin"}
  },
  login_check = function (host, port, path, user, pass)
    local form = stdnse.output_table()
    form.user = user
    form.hash = pass
    local resp = http_post_simple(host, port, url.absolute(path, "cgi/login"),
                                 nil, form)
    return resp.status == 200
           and (resp.body or ""):find("%Wtop%.location%.replace%(%s*(['\"])[^'\"]-/cgi/main%1%s*%)")
  end
})

table.insert(fingerprints, {
  name = "Dell DRAC5",
  cpe = "cpe:/h:dell:remote_access_card",
  category = "console",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("%Wtop%.document%.location%.replace%(%s*(['\"])[^'\"]-/cgi%-bin/webcgi/index%1%s*%)")
           and response.body:lower():find("<title>remote access controller</title>", 1, true)
  end,
  login_combos = {
    {username = "root", password = "calvin"}
  },
  login_check = function (host, port, path, user, pass)
    local form = stdnse.output_table()
    form.user = user
    form.password = pass
    local resp = http_post_simple(host, port,
                                 url.absolute(path, "cgi-bin/webcgi/login"),
                                 nil, form)
    return resp.status == 302
           and (resp.header["location"] or ""):find("/cgi%-bin/webcgi/main$")
  end
})

table.insert(fingerprints, {
  name = "Dell iDRAC6 (lighttpd)",
  cpe = "cpe:/o:dell:idrac6_firmware",
  category = "console",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 302
           and (response.header["server"] or ""):find("^lighttpd/%d+%.")
           and (response.header["location"] or ""):find("/Applications/dellUI/login%.htm$")
  end,
  login_combos = {
    {username = "root", password = "calvin"}
  },
  login_check = function (host, port, path, user, pass)
    local form = stdnse.output_table()
    form.WEBVAR_PASSWORD = pass
    form.WEBVAR_USERNAME = user
    form.WEBVAR_ISCMCLOGIN = 0
    local resp = http_post_simple(host, port,
                                 url.absolute(path, "Applications/dellUI/RPC/WEBSES/create.asp"),
                                 nil, form)
    return resp.status == 200
           and (resp.body or ""):match("'USERNAME'%s*:%s*'(.-)'") == user
  end
})

table.insert(fingerprints, {
  name = "Dell iDRAC6/iDRAC7/iDRAC8 (Mbedthis)",
  cpe = "cpe:/o:dell:idrac*",
  category = "console",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    local loc = (response.header["location"] or ""):gsub("^https?://[^/]*", "")
    if not ((response.status == 301 or response.status == 302)
           and loc:find("/start%.html$")) then
      return false
    end
    local header = {["Accept-Encoding"]="gzip, deflate"}
    local resp = http_get_simple(host, port, loc, {header=header})
    return resp.status == 200
           and resp.body
           and resp.body:find("%Wvar%s+isSCenabled%s*=")
  end,
  login_combos = {
    {username = "root", password = "calvin"}
  },
  login_check = function (host, port, path, user, pass)
    local form = stdnse.output_table()
    form.user = user
    form.password = pass
    local resp = http_post_simple(host, port, url.absolute(path, "data/login"),
                                 nil, form)
    return resp.status == 200
           and (resp.body or ""):find("<authResult>[05]</authResult>")
  end
})

table.insert(fingerprints, {
  name = "Dell iDRAC9",
  cpe = "cpe:/o:dell:idrac9_firmware",
  category = "console",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    local loc = (response.header["location"] or ""):gsub("^https?://[^/]*", "")
    if not (response.status == 302
           and loc:find("/restgui/start%.html$")) then
      return false
    end
    local resp = http_get_simple(host, port, loc)
    return resp.status == 200
           and resp.body
           and resp.body:find("<idrac-start-screen", 1, true)
  end,
  login_combos = {
    {username = "root", password = "calvin"}
  },
  login_check = function (host, port, path, user, pass)
    local referer = url.build(url_build_defaults(host, port, {path = url.absolute(path, "restgui/start.html")}))
    local header = {["Accept"]="application/json, text/plain, */*",
                    ["Referer"]=referer,
                    ["Origin"]=referer:gsub("%f[/]/%f[^/].*", ""),
                    ["user"]='"'..user..'"',
                    ["password"]='"'..pass..'"'}
    local resp = http_post_simple(host, port,
                                 url.absolute(path, "sysmgmt/2015/bmc/session"),
                                 {header=header}, "")
    if not (resp.status == 201 and resp.body) then return false end
    local jstatus, jout = json.parse(resp.body)
    local auth = jstatus and jout.authResult
    return auth == 0 or auth == 7 or auth == 9
  end
})

table.insert(fingerprints, {
  name = "HP 9000 iLO",
  cpe = "cpe:/h:hp:integrated_lights-out",
  category = "console",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("HP 9000", 1, true)
           and response.body:find("loginId", 1, true)
           and response.body:lower():find("<title>hp ilo login</title>", 1, true)
  end,
  login_combos = {
    {username = "Admin", password = "Admin"},
    {username = "Oper",  password = "Oper"}
  },
  login_check = function (host, port, path, user, pass)
    local resp = http_post_simple(host, port, url.absolute(path, "signin.html"),
                                 nil, {loginId=user, password=pass})
    return resp.status == 200
           and get_refresh_url(resp.body or "", "/home%.html$")
           and get_cookie(resp, "MPID", "^%x+$")
  end
})

table.insert(fingerprints, {
  name = "IBM Integrated Management Module",
  cpe = "cpe:/o:ibm:integrated_management_module_firmware",
  category = "console",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 301
           and (response.header["location"] or ""):find("/designs/imm/index%.php$")
  end,
  login_combos = {
    {username = "USERID", password = "PASSW0RD"}
  },
  login_check = function (host, port, path, user, pass)
    local form = {user=user,
                  password=pass,
                  SessionTimeout=1200}
    local resp = http_post_simple(host, port, url.absolute(path, "data/login"),
                                 nil, form)
    if not (resp.status == 200 and resp.body) then return false end
    local jstatus, jout = json.parse(resp.body)
    return jstatus and jout.authResult == "0"
  end
})

table.insert(fingerprints, {
  name = "ATEN IPMI",
  category = "console",
  paths = {
    {path = "/"}
  },
  target_check = function (host, port, path, response)
    return response.status == 200
           and response.body
           and response.body:find("ATEN International", 1, true)
           and get_tag(response.body, "meta", {name="^ATEN International"})
           and get_tag(response.body, "form", {action="/cgi/login%.cgi$"})
  end,
  login_combos = {
    {username = "ADMIN", password = "ADMIN"}
  },
  login_check = function (host, port, path, user, pass)
    local resp = http_post_simple(host, port,
                                 url.absolute(path, "cgi/login.cgi"),
                                 nil, {name=user, pwd=pass})
    return resp.status == 200
           and (resp.body or ""):find("../cgi/url_redirect.cgi?url_name=mainmenu", 1, true)
           and get_cookie(resp, "SID", "^%w+$")
  end
})