Published on October 25th, 2013 | by NJ Ouchn
DPE – Default Password Enumeration – integrated into Lunarline SCAP Sync
The main goal of DPE – Default Password Enumeration is to increase the interoperability of password auditing scanners. Any tool that integrates the DPE XML scheme will be able to identify and report default access configurations on specific devices, software or operating systems.
Taking into account the benefits of SecurityMetrics standards principles, DPE integrates the CPE naming scheme (mitre.org) to describe information technology systems, platforms and packages.
DPE provides default username and password information for the following:
- Operating systems: Unix, Linux, Windows, iSeries AS/400 …
- Network devices: routers, firewalls, switches, printers
- Databases: Oracle, MySQL, MS SQL and more
- Web applications: WebSphere, Apache …
- Administrative web-based solutions
- Telephony devices and SIP systems
- Other: specific appliances.
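Because each DPE entry is keyed by a CPE name, a feed can be joined to an asset inventory to list the hosts whose default accounts need checking. The Python below is an added example, not code from DPE or SCAP Sync: the XML element and attribute names, entry ids, hostnames and credentials are constructed for illustration and are not the published DPE schema, and the matching is a simplified form of CPE 2.2 name matching.

```python
import xml.etree.ElementTree as ET

# Constructed feed: element/attribute names are assumptions for this example,
# not the published DPE schema; credentials are placeholders.
DPE_FEED = """\
<dpelist>
  <dpe id="DPE-EXAMPLE-1" cpe="cpe:/o:examplevendor:example_os">
    <credential username="PLACEHOLDER_USER" password="PLACEHOLDER_PASS"/>
  </dpe>
  <dpe id="DPE-EXAMPLE-2" cpe="cpe:/h:examplevendor:example_router:2.0">
    <credential username="PLACEHOLDER_ADMIN" password=""/>
  </dpe>
</dpelist>
"""

# Constructed asset inventory: hostname -> CPE 2.2 URI reported by a scanner.
INVENTORY = {
    "srv01": "cpe:/o:examplevendor:example_os:6.4",
    "gw01": "cpe:/h:examplevendor:example_router:1.0",
    "gw02": "cpe:/h:ExampleVendor:example_router:2.0:sp1",
    "db01": "cpe:/a:othervendor:example_db:11",
}

def cpe_components(uri):
    """Split a CPE 2.2 URI into lower-cased components (part, vendor, ...)."""
    if not uri.lower().startswith("cpe:/"):
        raise ValueError(f"not a CPE 2.2 URI: {uri!r}")
    return uri[5:].lower().split(":")

def cpe_matches(pattern, target):
    """True if every non-empty component of pattern equals target's."""
    # Missing or empty pattern components act as wildcards, so an entry
    # written for a whole product also covers each of its versions.
    p, t = cpe_components(pattern), cpe_components(target)
    t += [""] * (len(p) - len(t))
    return all(pc == "" or pc == tc for pc, tc in zip(p, t))

def assets_to_audit(feed_xml, inventory):
    """Return {host: [entry ids]} for assets with a known default account."""
    entries = [(e.get("id"), e.get("cpe")) for e in ET.fromstring(feed_xml).iter("dpe")]
    hits = {}
    for host, cpe in sorted(inventory.items()):
        ids = [i for i, pattern in entries if cpe_matches(pattern, cpe)]
        if ids:
            hits[host] = ids
    return hits

if __name__ == "__main__":
    for host, ids in assets_to_audit(DPE_FEED, INVENTORY).items():
        print(f"{host}: verify default accounts are disabled ({', '.join(ids)})")
```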
SCAP Sync is a website that spiders and indexes SCAP content from a variety of original content providers (including NIST and Mitre). This content is version controlled and made available for both human consumption (on the website) and machine consumption (via a REST API). This documentation describes the features of and use cases for the SCAP Sync REST API.
Integration with DPE
The third – and perhaps most exciting – new data source is Default Password Enumeration (DPE). This standard is not a formal part of the SCAP suite of standards, but it’s such a great idea that we immediately recognized the value of integrating it into SCAP Sync. DPE was conceived and created by Nabil Ouchn (who is also the maintainer of toolswatch.org) as a way to capture known default passwords for all types of software and computing equipment in a machine-readable format. The DPE standard links default passwords to specific products using the CPE protocol, thus providing tight integration with SCAP.
Here’s an example of a RedHat Linux CPE that is annotated with default password data from DPE.