I have designed the DPE Default Password Enumeration Concept as an effort to provide structured enumeration of default logons and passwords of network devices, applications and Operating Systems.

The main goal is to increase the “password auditing scanners” interoperability potential. Any kind of tool integrating the XML DPE scheme will be able to identify and report default access configurations on specific devices, software or operating systems.

Taking into account the benefits of SecurityMetrics standards principles, DPE integrates CPE naming scheme (http://cpe.mitre.org) to describe information technology systems, platforms and packages and CVE (http://cve.mitre.org) to describe the vulnerability

DPE provides the default usernames and passwords information for the following:

  • Operating Systems : Unix, Linux, Windows, iSeries AS/400 …
  • Network devices : Routers, firewalls, switches, printers
  • Databases : Oracle, MySQL, MS SQL and more
  • Web applications : WebSphere, Apache …
  • Administrative Web Based solutions
  • Telephony devices and SIP systems
  • Other: specific applicances.

Why DPE ?

During a security evaluation process, auditors do not have a fast and simple way to identify at a glance the default access parameters of targeted device. In fact, most of them use a simple brute force utility to try every couple of Logons and passwords. In one hand, this could be a time-consuming stage and in the other it may causes indirect denial of service (accounts lockout, IP banning, alarms rising …)

I got the idea and solved by the way my problem (during a pentesting) by creating the DPE (Default Password Enumeration). Now every piece of software that integrates the DPE scheme along with the latest passwords Database can test the appropriate default logon/password.

DPE has been added to the Making Security Measurable Initiative. (http://measurablesecurity.mitre.org/directory/organizations/index.html)

Examples of use

  • Using automated XML parser software to read and test default entries. Note, that the software should able to handle the protocol communications (HTTP, HTTPS, SNMP, SSH, TELNET, FTP..)
  • Using extra Metasploit module. The module should consume the DPE xml database format.
  • Integrated with Password cracking tools

Benefits of the DPE efforts

  • Unifying the passwords database information.
  • Standardization of the default accesses testing.
  • Reducing the process of passwords testing.
  • Minimizing the risks of lockouts and denial of service during the security assessment.

Submission Guides

DPE xml entries, changes, modification or any comment could be emailed to me (dpe at toolswatch dot org). The entries will be reviewed prior to being posted on the repository.

To submit DPE entries, the following requirements should be accepted:

  • CSV file
  • format : [vendor ; cpe (if possible); description; type ; CVE (if possible) ; protocol ; port ; username ; password]


The duplicate entries will not be taken into account.

Any direct or particular request, feel free to drop an email to info at dpe at toolswatch dot org

Download (Beta release)

To demonstrate the added value of the concept and to facilitate the understanding of the DPE basics, I have developed a simple program called ‘DPEparser ‘. DPEparser is written in python and allows consuming the xml based database. The database itself is the core of the DPE concept. It is based on a wide amount of data found on renowned sites that have done a great job by keeping and sharing with us the information.

And to stand out from the others, DPE incorporates some missing information such as CPE (Common Platform Enumeration) and CVE. The main goals are to unify and to facilitate the search for default passwords during security assessments or penetration testing.

As a result, my ultimate objective is the creation of a unique and consolidated database for default credentials aligned with open standards such as CVE and CPE.

For this first beta release, I generated a list of average 1920 passwords and 225 vendors. I added several entries CVE and CPE based on the official NVD dictionary v2.2 (http://nvd.nist.gov/cpe.cfm ) whenever it is possible to do so. The database should grow very quickly. DPEparser is open source. So feel free to debug/modify the code as long as you keep…. you know the drill ;)

Parser & Database

DPEparser.py
MD5 (dpeparser.py) = 37d3b698dd178a0446b6378216c61e42

dpe_db.xml (mandatory. It could be downloaded using ./dpeparser –update or -u )

Beta features

  • Integrated information
    • Vendor name
    • Device Description,
    • Type
    • CPE (if any)
    • CVE (if any)
    • Protocol used
    • Default tcp/udp port
    • default username
    • default password
  • Search for credentials by CPE Common Platform Enumeration v2.2 (cpe:/h:cisco:building_broadband_service_manager:5.0)
  • Search for credentials by Type (available keywords: router, switch, firewall, voip, software, operating system, telephony, database, printer)
  • Search for credentials by vendor (cisco, alcatel ….)
  • Export and save automatically results to a comma-separated. It can be supplied to your favorite password bruteforcer.
  • Update DPE xml database from the official DPE repository (www.toolswatch.org/dpe)

usage

Usage: dpeparser.py [Options]

Options:

–version show program’s version number and exit

-h, –help show this help message and exit

-c SEARCHCPE, –cpe=SEARCHCPE

Search for CPE default passwords

ex:cpe:/h:cisco:router_4000

-v SEARCHVENDOR, –vendor=SEARCHVENDOR

Search for Vendors default passwords (ex: cisco,

apple…)

-t SEARCHTYPE, –type=SEARCHTYPE

Search for Type default passwords (ex:router, switch,

hub…)

-d SEARCHDESC, –description=SEARCHDESC

Search for description (ex:cisco router 2600…)

-u, –update update DPE xml content

Usage: dpeparser.py [Options] filename

dpeparser.py: error: [!]- You must supply a pattern to search for.

Download latest DPE xml Database (mandatory)

$ ./dpeparser.py -u

[+] Updating from official location http://www.toolswatch.org/dpe/dpe_db.xml

[*] Downloading: dpe_db.xml Bytes: 60940

60940 [100.00%]

Listing Default Credentials using a CPE

$ ./dpeparser.py -c cpe:/a:cisco:wireless_lan_solution_engine

[+] Searching default credentials for cpe:/a:cisco:wireless_lan_solution_engine

[+] Creating output file passlist.txt

——-

vendor: cisco

model: cisco wireless lan solution engine (rev from 2.0 to 2.5)

type: software

cpe: cpe:/a:cisco:wireless_lan_solution_engine

username: root

password: blender

protocol: multi on tcp/udp port:

——-

vendor: cisco

model: cisco wireless lan solution engine (rev from 2.0 to 2.5)

type: software

cpe: cpe:/a:cisco:wireless_lan_solution_engine

username: wlse

password: wlsedb

protocol: multi on tcp/udp port:

————————————————–

[+] Exporting passwords in cpe:/a:cisco:wireless_lan_solution_engine to file passlist.txt

[+] Exiting program.

Listing Default Credentials by a device type

$ ./dpeparser.py -t printer

[+] Searching default credentials for printer

[+] Creating output file passlist.txt

——-

vendor: ricoh

model: aficio 2020d

type: printer

cpe:

username: admin

password: password

protocol: http on tcp/udp port:

——-

vendor: ricoh

model: aficio 2228c

type: printer

cpe:

username: sysadmin

password: password

protocol: multi on tcp/udp port:

——-

vendor: ricoh

model: aficio 2232c

type: printer

cpe:

username: n/a

password: password

protocol: telnet on tcp/udp port:

——-

vendor: ricoh

model: aficio ap3800c rev. 2.17

type: printer

cpe:

username: (none)

password: password

protocol: http on tcp/udp port:

——-

vendor: ricoh

model: aficio rev. ap3800c

type: printer

cpe:

username: sysadmin

password: password

protocol: http on tcp/udp port:

——-

vendor: ricoh

model: ap410n rev. 1.13

type: printer

cpe:

username: admin

password: (none)

protocol: http on tcp/udp port:

————————————————–

[+] Exporting passwords in printer to file passlist.txt

Listing Default Credentials by vendor

$ ./dpeparser.py -v cisco

[+] Searching default credentials for cisco

[+] Creating output file passlist.txt

——-

vendor: cisco

model: bbsd msde client rev. 5.0 and 5.1

type: access

cpe: cpe:/h:cisco:building_broadband_service_manager:5.0

username: bbsd-client

password: NULL

protocol: telnet or named pipes on tcp/udp port:23

——-

vendor: cisco

model: bbsm administrator rev. 5.0 and 5.1

type: access

cpe: cpe:/h:cisco:building_broadband_service_manager:5.0

username: Administrator

password: changeme

protocol: multi on tcp/udp port:

——-

vendor: cisco

model: bbsm msde administrator rev. 5.0 and 5.1

type: access

cpe: cpe:/h:cisco:building_broadband_service_manager:5.0

username: sa

password: (none)

protocol: ip and named pipes on tcp/udp port:

———- CUT

Listing Default Credentials by description

$ ./dpeparser.py -d “OFFICE Rev. 4.1”

[+] Searching default credentials for OFFICE Rev. 4.1

[+] Creating output file passlist.txt

——-

vendor: alcatel

model: omnipcx office rev. 4.1

type: software

cpe: cpe:/a:alcatel-lucent:omnipcx:014.001

username: ftp_inst

password: pbxk1064

protocol: ftp on tcp/udp port:21

——-

vendor: alcatel

model: omnipcx office rev. 4.1

type: software

cpe: cpe:/a:alcatel-lucent:omnipcx:014.001

username: ftp_admi

password: kilo1987

protocol: ftp on tcp/udp port:21

——-

vendor: alcatel

model: omnipcx office rev. 4.1

type: software

cpe: cpe:/a:alcatel-lucent:omnipcx:014.001

username: ftp_oper

password: help1954

protocol: ftp on tcp/udp port:21

——-

vendor: alcatel

model: omnipcx office rev. 4.1

type: software

cpe: cpe:/a:alcatel-lucent:omnipcx:014.001

username: ftp_nmc

password: tuxalize

protocol: ftp on tcp/udp port:21

The output file

# Password list for OFFICE Rev. 4.1

# Generated by DPE Default Passwords Enumeration Parser

ftp_inst,pbxk1064

ftp_admi,kilo1987

ftp_oper,help1954

ftp_nmc,tuxalize