
DPE Default Password Enumeration Project aligned with CPE (and CVE)


DPE Default Password Enumeration Project aligned with CPE (and CVE)

toolswatch
Dear all,

Years ago (around 2007/2008), I designed the DPE Default Password Enumeration Concept as an effort to provide structured enumeration of default logons and passwords of network devices, applications and operating systems.

The main goal is to increase the “password auditing scanners” interoperability potential.
Any kind of tool integrating the XML DPE will be able to identify and report default access configurations on specific devices, software or operating systems.

Taking into account the benefits of SecurityMetrics standards principles, DPE integrates the CPE naming scheme (mitre.org) to describe information technology systems, platforms and packages. Some entries also have a CVE ID.

DPE provides the default usernames and passwords information for the following :

  • Operating Systems : Unix, Linux, Windows, iSeries AS/400 …
  • Network devices : Routers, firewalls, switches, printers
  • Databases : Oracle, MySQL, MS SQL and more
  • Web applications : WebSphere, Apache …
  • Administrative Web Based solutions
  • Telephony devices and SIP systems
  • Other: specific appliances.

Why DPE ?

During a security evaluation process, auditors do not have a fast and simple way to identify at a glance the default access parameters of a targeted device.
In fact, most of them use a simple bruteforce utility to try every pair of logons and passwords. On the one hand, this could be a time-consuming stage, and on the other, it may cause indirect denial of service (account lockouts, IP banning, alarms raised …)

I got the idea, and by the way solved my own problem (during a pentest), by creating the DPE (Default Password Enumeration).
Now every piece of software that integrates the DPE scheme along with the latest passwords Database can test the appropriate default logon/password.

Examples of use

  • Using automated XML parser software to read and test default entries. Note that the software should be able to handle the protocol communications (HTTP, HTTPS, SNMP, SSH, TELNET, FTP, ...)
  • Using extra Metasploit module
  • Integrated with Password cracking tools

Benefits of the DPE efforts

  • Unifying the passwords database information.
  • Standardization of the default accesses testing.
  • Reducing the process of passwords testing.
  • Minimizing the risks of lockouts and denial of service during the security assessment.

Read more here: http://www.toolswatch.org/dpe/

You can download the DPE xml Database (today 81 vendors and average 1580 pwds and counting ...)
And a quick & dirty python parser to read the xml db.

I have started to have a few contributors sticking to the concept, and my goal is to create a reliable default passwords database aligned with standards (and who knows, vice versa).

Many improvements to come, just stay tuned.

N.J OUCHN
@toolswatch
www.toolswatch.org
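
The CPE-keyed lookup described in the post above, as an added example that is not part of the original post and is not the project's parser: an asset inventory is matched against a default-credential list by CPE name so that an audit checks only the entries that apply to each device. The XML element and attribute names, the vendors, the hosts and the credential strings are all constructed placeholders and assumptions, not the real DPE schema or data.

```python
import xml.etree.ElementTree as ET
from itertools import zip_longest

# Constructed sample. Element/attribute names are hypothetical, NOT the real DPE schema.
SAMPLE_DPE = """<dpe>
  <entry cpe="cpe:/h:examplevendor:router" protocol="http">
    <username>EXAMPLE-USER</username><password>EXAMPLE-PASS-1</password>
  </entry>
  <entry cpe="cpe:/h:examplevendor:router:2.0" protocol="telnet">
    <username>EXAMPLE-USER</username><password>EXAMPLE-PASS-2</password>
  </entry>
  <entry cpe="cpe:/a:exampledb:server" protocol="sql">
    <username>EXAMPLE-DBA</username><password>EXAMPLE-PASS-3</password>
  </entry>
</dpe>"""

INVENTORY = {  # constructed asset list: host -> CPE 2.2 name
    "rtr-01": "cpe:/h:examplevendor:router:1.4",
    "rtr-02": "cpe:/h:examplevendor:router:2.0",
    "db-01": "cpe:/a:exampledb:server:9.1",
    "sw-01": "cpe:/h:othervendor:switch",
}

def cpe_parts(uri):
    """Split a CPE 2.2 URI (cpe:/part:vendor:product:version) into components."""
    if not uri.lower().startswith("cpe:/"):
        raise ValueError("not a CPE 2.2 URI: %r" % uri)
    return uri[5:].lower().split(":")

def cpe_covers(entry_cpe, asset_cpe):
    """Compare component by component; a blank or missing component matches anything,
    so an asset whose version is unknown is still flagged for review."""
    pairs = zip_longest(cpe_parts(entry_cpe), cpe_parts(asset_cpe), fillvalue="")
    return all(e == a or not e or not a for e, a in pairs)

def load_entries(xml_text):
    """Read the (hypothetical) entry elements into plain dictionaries."""
    return [{"cpe": n.get("cpe"), "protocol": n.get("protocol"),
             "username": n.findtext("username", ""),
             "password": n.findtext("password", "")}
            for n in ET.fromstring(xml_text).iter("entry")]

def audit_inventory(inventory, entries):
    """Map each host to the default-credential entries that must be verified as changed."""
    return {host: [e for e in entries if cpe_covers(e["cpe"], cpe)]
            for host, cpe in inventory.items()}
```

For a database file fetched from the network, parse it with `defusedxml` rather than the standard-library parser, since the file is untrusted input.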

Re: DPE Default Password Enumeration Project aligned with CPE (and CVE)

Jan-Oliver Wagner-3
Hello,

On Monday, 18 February 2013, nabil ouchn wrote:
> Years ago (around 2007/2008),  i have designed the DPE Default Password
> Enumeration Concept as an effort to provide structured enumeration of
> default logons and passwords of network devices, applications and Operating
> Systems.
>...

Nice approach and job done.

OpenVAS uses CPE very intensively as well and I see some benefits in using DPE.
What are the license or terms of use for the Python script and for the XML database file?

Best

Jan

--
Dr. Jan-Oliver Wagner |  ++49-541-335084-0  |  http://www.greenbone.net/
Greenbone Networks GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner