vFeed


DPE – The Default Password Enumeration Project

Years ago (around 2007/2008), I designed the DPE (Default Password Enumeration) concept as an effort to provide a structured enumeration of the default logons and passwords of network devices, applications and operating systems.

The main goal is to increase the interoperability of password auditing scanners.
Any tool that integrates the XML DPE scheme will be able to identify and report default access configurations on specific devices, software or operating systems.

Taking into account the benefits of SecurityMetrics standards principles, DPE integrates the CPE naming scheme (mitre.org) to describe information technology systems, platforms and packages.

DPE provides the default usernames and passwords information for the following :

  • Operating Systems : Unix, Linux, Windows, iSeries AS/400 …
  • Network devices : Routers, firewalls, switches, printers
  • Databases : Oracle, MySQL, MS SQL and more
  • Web applications : WebSphere, Apache …
  • Administrative Web Based solutions
  • Telephony devices and SIP systems
  • Other: specific appliances.

Why DPE ?

During a security evaluation, auditors do not have a fast and simple way to identify at a glance the default access parameters of a targeted device.
In fact, most of them use a simple brute-force utility to try every pair of logons and passwords. On the one hand, this can be time-consuming; on the other, it may cause an indirect denial of service (account lockouts, IP banning, alarms raised …).

I got the idea, and solved my own problem along the way (during a pentest), by creating DPE (Default Password Enumeration).
Now every piece of software that integrates the DPE scheme along with the latest password database can test the appropriate default logon/password.

DPE has been added to the Making Security Measurable Initiative. (http://measurablesecurity.mitre.org/directory/organizations/index.html)

Examples of use

  • Using automated XML parser software to read and test default entries. Note that the software should be able to handle the protocol communications (HTTP, HTTPS, SNMP, SSH, TELNET, FTP …).
  • Using an extra Metasploit module. The module should consume the DPE XML database format.
  • Integration with password cracking tools.

Benefits of the DPE efforts

  • Unifying the password database information.
  • Standardization of default access testing.
  • Reducing the time spent on password testing.
  • Minimizing the risks of lockouts and denial of service during the security assessment.

Submission Guides

DPE XML entries, changes, modifications or any comments can be emailed to me (dpe at toolswatch dot org). Entries will be reviewed before being posted to the repository.

To submit DPE entries, the following requirements should be met:

  • CSV file
  • format: vendor; cpe (if possible); description; type; CVE (if possible); protocol; port; username; password

Before submitting any data, please validate your content using the DPE Scheme.
Duplicate entries will not be taken into account.
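
A pre-submission check for the CSV format above, as an added example (it is not part of DPE or DPEparser). The ";" delimiter, the per-field rules and the duplicate key are assumptions, since the page only names the fields; the `examplecorp` rows are constructed.

```python
import csv
import io
import re

# Field order from the submission guide; the ";" delimiter and the per-field
# rules below are assumptions, since the page only names the fields.
FIELDS = "vendor cpe description type cve protocol port username password".split()
CPE22 = re.compile(r"^cpe:/[aho](:[^:\s]*){1,6}$", re.I)
CVE_ID = re.compile(r"^cve-\d{4}-\d{4,}$", re.I)

def check_row(row):
    """Return a rejection reason for one row of cells, or None if acceptable."""
    if len(row) != len(FIELDS):
        return f"expected {len(FIELDS)} fields, got {len(row)}"
    rec = dict(zip(FIELDS, row))
    if not rec["vendor"] or not rec["protocol"]:
        return "vendor and protocol are required"
    if rec["cpe"] and not CPE22.match(rec["cpe"]):
        return "cpe is not a CPE 2.2 URI"
    if rec["cve"] and not CVE_ID.match(rec["cve"]):
        return "cve is not of the form CVE-YYYY-NNNN"
    ports = [p.strip() for p in rec["port"].split("/") if p.strip()]
    if any(not p.isdecimal() or not 1 <= int(p) <= 65535 for p in ports):
        return "port must be 1-65535 (several may be separated by '/')"
    return None

def validate_submission(text, delimiter=";"):
    """Split a submission into accepted records and (line, reason) rejects."""
    accepted, rejects, seen = [], [], set()
    for n, raw in enumerate(csv.reader(io.StringIO(text), delimiter=delimiter), 1):
        row = [cell.strip() for cell in raw]
        # Duplicate key: the whole row, case-insensitive except for the credentials.
        key = tuple(c.lower() for c in row[:7]) + tuple(row[7:])
        reason = check_row(row) or ("duplicate entry" if key in seen else None)
        if reason:
            rejects.append((n, reason))
        else:
            seen.add(key)
            accepted.append(dict(zip(FIELDS, row)))
    return accepted, rejects

# Constructed submission: line 1 reuses a record from the page's sample output,
# the remaining lines are made up to trigger each rejection.
SUBMISSION = """\
alcatel;cpe:/a:alcatel-lucent:omnipcx:014.001;omnipcx office rev. 4.1;software;;ftp;21;ftp_inst;pbxk1064
ALCATEL;cpe:/a:alcatel-lucent:omnipcx:014.001;omnipcx office rev. 4.1;software;;FTP;21;ftp_inst;pbxk1064
examplecorp;h:examplecorp:widget;example widget;router;;telnet;23;admin;admin
examplecorp;cpe:/h:examplecorp:widget;example widget;router;;telnet;99999;admin;admin
examplecorp;cpe:/h:examplecorp:widget;example widget;router
"""
```

`validate_submission(SUBMISSION)` accepts line 1 and rejects lines 2 to 5 as a duplicate, a malformed CPE, an out-of-range port and a short row.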

For any direct or particular request, feel free to drop an email to info at nabil dot ouchn at gmail dot com

Project authorship

NJ OUCHN (@toolswatch). My email is nabil dot ouchn at gmail dot com

Feel free to contact me about any matter related to this project.

Download (Beta release)

To demonstrate the added value of the concept and to make the DPE basics easier to understand, I have developed a simple program called 'DPEparser'. DPEparser is written in Python and consumes the XML-based database. The database itself is the core of the DPE concept. It is based on a large amount of data found on renowned sites that have done a great job of keeping and sharing this information with us.

And to stand out from the others, DPE incorporates some missing information such as CPE (Common Platform Enumeration) and CVE. The main goals are to unify and to facilitate the search for default passwords during security assessments or penetration testing.

As a result, my ultimate objective is the creation of a unique and consolidated database for default credentials aligned with open standards such as CVE and CPE.

For this second beta release, I generated a list of approximately 1922 passwords and 212 vendors. I added several CPE entries based on the official NVD dictionary v2.2 (http://nvd.nist.gov/cpe.cfm) where it was possible to do so. The database should grow very quickly.
DPEparser is open source. So feel free to debug/modify the code as long as you keep …. you know the drill 😉

DPEparser.py

dpe_db.xml (mandatory; it can be downloaded using ./dpeparser --update or -u)

DPE Scheme v02

Beta features

  • Integrated information
    • Vendor name
    • Device Description,
    • Type
    • CPE (if any)
    • CVE (if any)
    • Protocol used
    • Default tcp/udp port
    • default username
    • default password
  • Search for credentials by CPE Common Platform Enumeration v2.2 (cpe:/h:cisco:building_broadband_service_manager:5.0)
  • Search for credentials by Type (available keywords: router,switch,firewall,voip,software, operating system, telephony, database, printer)
  • Search for credentials by vendor (cisco, alcatel ….)
  • Automatically export and save results to a comma-separated file. It can be supplied to your favorite password bruteforcer.
  • Update DPE xml database from the official DPE repository (www.toolswatch.org/dpe)

Changelog

2013/03/09 — Beta 002

  • New DPE scheme. Information and credentials are now organized by vendor, which makes the XML file easier to read.
<vendor name="advantech">
    <model cpe="cpe:/h:advantech:adam-6015" description="advantech adam-60xx module series" dpeid="dpe-2008-5848" type="scada">
      <info cve="cve-2008-5848" port="80" protocol="http"/>
      <credential password="&quot;00000000&quot;" username="none"/>
    </model>
    <model cpe="cpe:/h:advantech:adam-6017" description="advantech adam-60xx module series" dpeid="dpe-2008-5848" type="scada">
      <info cve="cve-2008-5848" port="80" protocol="http"/>
      <credential password="&quot;00000000&quot;" username="none"/>
    </model>
</vendor>
  • Added a DPE id. Each id is associated with a CVE. For default credentials covered by CVE-2008-5848, the DPE id will be “DPE-2008-5848”.
  • Modified the DPE Parser to reflect the changes.
  • Slightly modified the output text file. It now reports the description, protocol, port and (login/password).
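
As an added example (not DPEparser's own code), the sketch below reads the vendor/model/info/credential layout shown in this changelog and flags inventory assets whose CPE is covered by a DPE entry, so that their default credentials can be changed. The `<dpe>` root element, the inventory hosts and the `examplecorp` CPE are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the changelog's two <model> entries under a hypothetical <dpe> root.
SAMPLE_DB = """<dpe><vendor name="advantech">
  <model cpe="cpe:/h:advantech:adam-6015" description="advantech adam-60xx module series" dpeid="dpe-2008-5848" type="scada">
    <info cve="cve-2008-5848" port="80" protocol="http"/>
    <credential password="&quot;00000000&quot;" username="none"/>
  </model>
  <model cpe="cpe:/h:advantech:adam-6017" description="advantech adam-60xx module series" dpeid="dpe-2008-5848" type="scada">
    <info cve="cve-2008-5848" port="80" protocol="http"/>
    <credential password="&quot;00000000&quot;" username="none"/>
  </model>
</vendor></dpe>"""

# Constructed inventory: host -> CPE 2.2 URI reported by asset discovery.
INVENTORY = {"192.0.2.10": "cpe:/h:advantech:adam-6017:1.0",
             "192.0.2.11": "cpe:/h:examplecorp:widget-1"}

def load_records(xml_text):
    """Flatten each <model> that carries a <credential> into one dict."""
    # The database is fetched over plain HTTP, so treat it as untrusted: refuse any DTD.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD/entity declarations are not allowed in a DPE file")
    records = []
    for model in ET.fromstring(xml_text).iter("model"):
        meta = next((i.attrib for i in model.iter("info")), {})
        if model.find("credential") is not None:
            records.append({**{k: model.get(k, "") for k in ("cpe", "dpeid")},
                            **{k: meta.get(k, "") for k in ("cve", "protocol", "port")}})
    return records

def cpe_covers(entry_cpe, asset_cpe):
    """Component-wise CPE 2.2 prefix match; an empty component matches anything."""
    entry, asset = entry_cpe.lower().split(":"), asset_cpe.lower().split(":")
    return bool(entry_cpe) and len(entry) <= len(asset) and all(
        e in ("", a) for e, a in zip(entry, asset))

def audit(inventory, records):
    """Return {host: [(dpeid, cve, protocol, port), ...]} for assets with known defaults."""
    findings = {}
    for host, cpe in inventory.items():
        hits = {(r["dpeid"], r["cve"], r["protocol"], r["port"])
                for r in records if cpe_covers(r["cpe"], cpe)}
        if hits:
            findings[host] = sorted(hits)
    return findings

if __name__ == "__main__":
    print(audit(INVENTORY, load_records(SAMPLE_DB)))
```

The report deliberately leaves the credential values out: the DPE id, protocol and port are enough to tell an operator which service needs its default login changed.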

Usage

Usage: dpeparser.py [Options]

Options:
  --version             show program's version number and exit
  -h, --help            show this help message and exit
  -c SEARCHCPE, --cpe=SEARCHCPE
                        Search for CPE default passwords
                        ex:cpe:/h:cisco:router_4000
  -v SEARCHVENDOR, --vendor=SEARCHVENDOR
                        Search for Vendors default passwords (ex: cisco,
                        apple...)
  -t SEARCHTYPE, --type=SEARCHTYPE
                        Search for Type default passwords (ex:router, switch,
                        hub...)
  -d SEARCHDESC, --description=SEARCHDESC
                        Search for description (ex:cisco router 2600...)
  -u, --update          update DPE xml content
Usage: dpeparser.py [Options] filename

dpeparser.py: error: [!]- You must supply a pattern to search for.

Current release

$ ./dpeparser.py --banner
    ____  ____  _____   ____   
   |  _ \|  _ \| ____| |  _ \ __ _ _ __ ___  ___ _ __ 
   | | | | |_) |  _|   | |_) / _` | '__/ __|/ _ \ '__|
   | |_| |  __/| |___  |  __/ (_| | |  \__ \  __/ |   
   |____/| |   |_____| |_|   \__,_|_|  |___/\___|_|   
         |_|Beta 002 Database XML build v212_p1922

Download latest DPE xml Database (mandatory)

$ ./dpeparser.py -u
[+] Updating from official location http://www.toolswatch.org/dpe/dpe_db.xml
[*] Downloading: dpe_db.xml Bytes: 60940
 60940 [100.00%]

Listing Default Credentials using a CPE

$ ./dpeparser.py -c cpe:/h:advantech:adam-6017

[+] Searching default credentials for cpe:/h:advantech:adam-6017
[+] Creating output file passlist.txt
-----------------------------------------------------------------------------------------------
DPEid: dpe-2008-5848
vendor:advantech
type: scada
CPE: cpe:/h:advantech:adam-6017
CVE: cve-2008-5848
description: advantech adam-60xx module series
     protocol: http
     TCP/UDP port: 80
     username: none
     password: "00000000"

--------------------------------------------------
[+] Exporting passwords in cpe:/h:advantech:adam-6017 to file passlist.txt
[+] Exiting program.

Listing Default Credentials by a device type

$ ./dpeparser.py -t printer

[+] Searching default credentials for printer
[+] Creating output file passlist.txt
-----------------------------------------------------------------------------------------------
DPEid: dpe-2009-0941
vendor:hp
type: printer
CPE: cpe:/h:hp:laserjet
CVE: cve-2009-0941
description: hp 1000/2000/3000 mpe/9000/. many lasterjets affected
     protocol: multi
     TCP/UDP port: 
     username: MGR
     password: NETBASE
-----------------------------------------------------------------------------------------------
DPEid: dpe-2002-0305
vendor:zero one tech
type: printer
CPE: cpe:/h:zero_one_tech:p100s
CVE: cve-2002-0305
description: zero one tech (zot) p100s print server
     protocol: snmp
     TCP/UDP port: 161
     username: 
     password: public
[CUT]
--------------------------------------------------
[+] Exporting passwords in printer to file passlist.txt
[+] Exiting program.

Listing Default Credentials by vendor

$ ./dpeparser.py -v ibm

[+] Searching default credentials for ibm
[+] Creating output file passlist.txt
-----------------------------------------------------------------------------------------------
DPEid: dpe-2007-4598
vendor:ibm
type: application
CPE: cpe:/h:ibm:surepos_500
CVE: cve-2007-4598
description: ibm surepos 500
     protocol: not_defined
     TCP/UDP port: 
     username: operator
     password: blank
-----------------------------------------------------------------------------------------------
DPEid: not_attributed_yet
vendor:ibm
type: mainframe
CPE: cpe:/h:ibm:iseries_as_400
CVE: 
description: ibm iseries as/400
     protocol: multi (telnet, ftp)
     TCP/UDP port: 23 / 21
     username: 11111111
     password: 11111111
-----------------------------------------------------------------------------------------------
DPEid: not_attributed_yet
vendor:ibm
type: mainframe
CPE: cpe:/h:ibm:iseries_as_400
CVE: 
description: ibm iseries as/400
     protocol: multi (telnet, ftp)
     TCP/UDP port: 23 / 21
     username: 22222222
     password: 22222222
-----------------------------------------------------------------------------------------------

Listing Default Credentials by description

$ ./dpeparser.py -d "OFFICE Rev. 4.1"
[+] Searching default credentials for OFFICE Rev. 4.1
[+] Creating output file passlist.txt
-----------------------------------------------------------------------------------------------
DPEid: not_attributed_yet
vendor:alcatel
type: software
CPE: cpe:/a:alcatel-lucent:omnipcx:014.001
CVE: 
description: omnipcx office rev. 4.1
     protocol: ftp
     TCP/UDP port: 21
     username: ftp_inst
     password: pbxk1064
-----------------------------------------------------------------------------------------------
DPEid: not_attributed_yet
vendor:alcatel
type: software
CPE: cpe:/a:alcatel-lucent:omnipcx:014.001
CVE: 
description: omnipcx office rev. 4.1
     protocol: ftp
     TCP/UDP port: 21
     username: ftp_admi
     password: kilo1987
-----------------------------------------------------------------------------------------------
DPEid: not_attributed_yet
vendor:alcatel
type: software
CPE: cpe:/a:alcatel-lucent:omnipcx:014.001
CVE: 
description: omnipcx office rev. 4.1
     protocol: ftp
     TCP/UDP port: 21
     username: ftp_oper
     password: help1954
-----------------------------------------------------------------------------------------------
DPEid: not_attributed_yet
vendor:alcatel
type: software
CPE: cpe:/a:alcatel-lucent:omnipcx:014.001
CVE: 
description: omnipcx office rev. 4.1
     protocol: ftp
     TCP/UDP port: 21
     username: ftp_nmc
     password: tuxalize

--------------------------------------------------

The output file

# Password list for OFFICE Rev. 4.1
# Generated by DPE Default Passwords Enumeration Parser
# http://www.toolswatch.org

# Record for omnipcx office rev. 4.1
ftp,21,ftp_inst,pbxk1064
# Record for omnipcx office rev. 4.1
ftp,21,ftp_admi,kilo1987
# Record for omnipcx office rev. 4.1
ftp,21,ftp_oper,help1954
# Record for omnipcx office rev. 4.1
ftp,21,ftp_nmc,tuxalize

