DPE Default Password Enumeration Project aligned with CPE (and CVE)
Years ago (around 2007/2008), I designed the DPE Default
Password Enumeration Concept as an effort to provide structured
enumeration of default logons and passwords of network devices,
applications and Operating Systems.
The main goal is to increase the “password auditing scanners” interoperability potential.
Any kind of tool integrating the XML DPE will be able to identify
and report default access configurations on specific devices, software
or operating systems.
Taking into account the benefits of SecurityMetrics standards
principles, DPE integrates the CPE naming scheme (mitre.org) to describe
information technology systems, platforms and packages. Some entries also have a CVE ID.
DPE provides default username and password information for the following:
Operating Systems : Unix, Linux, Windows, iSeries AS/400 …
During a security evaluation process, auditors do not have a fast and
simple way to identify at a glance the default access parameters of
In fact, most of them use a simple brute-force utility to try every
pair of logons and passwords. On the one hand, this can be a
time-consuming stage, and on the other it may cause indirect denial of
service (account lockouts, IP banning, raised alarms …)
I got the idea, and along the way solved my own problem (during a pentest), by creating the DPE (Default Password Enumeration).
Now every piece of software that integrates the DPE scheme along with
the latest password database can test the appropriate default
Examples of use
Using automated XML parser software to read and test default
entries. Note that the software should be able to handle the protocol
communications (HTTP, HTTPS, SNMP, SSH, TELNET, FTP...)
Using an extra Metasploit module
Integrated with password cracking tools
Benefits of the DPE efforts
Unifying the password database information.
Standardization of default access testing.
Reducing the process of password testing.
Minimizing the risks of lockouts and denial of service during the security assessment.
On Monday, 18 February 2013, nabil ouchn wrote:
> Years ago (around 2007/2008), I designed the DPE Default Password
> Enumeration Concept as an effort to provide structured enumeration of
> default logons and passwords of network devices, applications and Operating
nice approach and job done.
OpenVAS uses CPE very intensively as well and I see some benefits to use DPE.
Dr. Jan-Oliver Wagner | ++49-541-335084-0 | http://www.greenbone.net/ Greenbone Networks GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 202460
Managing Directors: Lukas Grunwald, Dr. Jan-Oliver Wagner