默认口令枚举DPE

原文地址：http://resources.infosecinstitute.com/dpe-the-structured-enumeration-of-default-credentials-and-passwords/
DPE: Default Password Enumeration
DPE主要目标是增加"密码审计扫描器"的操作性。在渗透测试过程中，安全审计人员通常都是使用一个简单的暴力破解工具来尝试每一种登录user和password的组合。一方面它会花费很长时间，另一方面，在许多情况下，可能会造成DOS。
提供如下默认username/password信息
1. 操作系统:Unix，Linux，Windows， Iseries AS/400...
2. 网络设备：路由，防火墙，交换机，打印机
3. 数据库：Oracle， MySQL， MSSQL等
4. web程序：WebSphere， Apache
5. 管理基于web的解决方案
6. 电话设备和SIP系统
7. 其他设备
使用场景：
1. 使用自动XML解析软件来读/测试默认实体。注意这类软件应该可以处理协议通信(HTTP, HTTPS, SNMP, TELNET, FTP)
2. 使用额外的metasploit模块.模块应该定制DPE xml数据库格式。
3. 集成到密码破解工具中
DPE的好处：
1. 同意密码数据库信息
2. 标准的默认口令访问测试
3. 减少密码测试过程
4. 降低渗透测试过程中密码被锁住或DOS风险
DPE的核心是使用DPEparser来解析xml格式的数据库。
DPEParser下载地址：http://www.toolswatch.org/dpe/dpe_db.xml
DPE xml数据库下载地址：http://www.toolswatch.org/dpe/dpe_db.xml或使用./dpeparser.py -u或 ./dpeparser –update
1. 信息集成
厂商名字
设备描述
类型
CPE(如果存在)
CVE(如果存在)
使用协议
默认TCP/UDP端口
默认username
默认password
2. 通过CPE(Common Platform Enumeration)来搜索口令(例如cpe:/h:cisco:arrowpoint，这个是一个查询)
3. 通过类型搜索口令(允许关键字router, switch, firewall, voip, software, operating system, telephony, database, printer, appliance)
4. 通过厂商来搜索默认密码(cisco, alcatel …)
5. 自动导出和保存密码，使用逗号分隔。可以用来做密码暴力破解的wordlist
6. 更新DPE xml数据库

引用

root@kali:~# ./dpeparser.py -h
Usage: dpeparser.py [Options] filename

Options:
  --version             show program's version number and exit
  -h, --help            show this help message and exit
  -c SEARCHCPE, --cpe=SEARCHCPE
                        Search for CPE default passwords
                        ex:cpe:/h:cisco:router_4000
  -v SEARCHVENDOR, --vendor=SEARCHVENDOR
                        Search for Vendors default passwords (ex: cisco,
                        apple...)
  -t SEARCHTYPE, --type=SEARCHTYPE
                        Search for Type default passwords (ex:router, switch,
                        hub...)
  -d SEARCHDESC, --description=SEARCHDESC
                        Search for description (ex:cisco router 2600...)
  -b, --banner          Display Banner
  -u, --update          update DPE xml content

下载最新DPE xml数据库(强制的)

引用

./dpeparser.py -u

通过CPE来列举默认口令

引用

./dpeparser.py -c cpe:/a:cisco:wireless_lan_solution_engine
root@kali:~# ./dpeparser.py -c cpe:/a:cisco:wireless_lan_solution_engine

[+] Searching default credentials for cpe:/a:cisco:wireless_lan_solution_engine
[+] Creating output file passlist.txt
-----------------------------------------------------------------------------------------------
DPEid: dpe-2007-5382
vendor:cisco
type: application
CPE: cpe:/a:cisco:wireless_lan_solution_engine
CVE: cve-2007-5382
description: cisco  wireless lan solution engine (rev from 2.0 to 2.5)
         protocol: multi
         TCP/UDP port:
         username: root
         password: blender
-----------------------------------------------------------------------------------------------
DPEid: dpe-2007-5382
vendor:cisco
type: application
CPE: cpe:/a:cisco:wireless_lan_solution_engine
CVE: cve-2007-5382
description: cisco  wireless lan solution engine (rev from 2.0 to 2.5)
         protocol: multi
         TCP/UDP port:
         username: wlse
         password: wlsedb
-----------------------------------------------------------------------------------------------
...

通过设备类型来列举默认口令：

引用

root@kali:~# ./dpeparser.py -t printer

[+] Searching default credentials for printer
[+] Creating output file passlist.txt
-----------------------------------------------------------------------------------------------
DPEid: not_attributed_yet
vendor:brother
type: printer
CPE: cpe:/h:brother:not_defined_yet
CVE:
description: nc-3100h
         protocol: bradmin
         TCP/UDP port: gui
         username: none
         password: access
-----------------------------------------------------------------------------------------------
DPEid: not_attributed_yet
vendor:brother
type: printer
CPE: cpe:/h:brother:not_defined_yet
CVE:
description: nc-4100h
         protocol: bradmin
         TCP/UDP port: gui
         username: none
         password: access
-----------------------------------------------------------------------------------------------
...

通过厂商来列举默认口令

引用

root@kali:~# ./dpeparser.py -v cisco

[+] Searching default credentials for cisco
[+] Creating output file passlist.txt
-----------------------------------------------------------------------------------------------
DPEid: not_attributed_yet
vendor:cisco
type: video conference
CPE:
CVE:
description: cisco unified videoconferencing (uvc) manager
         protocol: http
         TCP/UDP port: 80
         username: admin
         password: admin
-----------------------------------------------------------------------------------------------
DPEid: dpe-2005-0601
vendor:cisco
type: application
CPE: cpe:/a:cisco:application_and_content_networking_software:4.0.3
CVE: cve-2005-0601
description: cisco devices with application and content networking system (acns
         protocol: console
         TCP/UDP port:
         username: admin
         password: default
-----------------------------------------------------------------------------------------------
...

通过描述来列举默认口令：

引用

root@kali:~# ./dpeparser.py -d "OFFICE Rev. 4.1"

[+] Searching default credentials for OFFICE Rev. 4.1
[+] Creating output file passlist.txt
-----------------------------------------------------------------------------------------------
DPEid: not_attributed_yet
vendor:alcatel
type: application
CPE: cpe:/a:alcatel-lucent:omnipcx:014.001
CVE:
description: alcatel-lucent omnipcx office rev. 4.1
         protocol: ftp
         TCP/UDP port: 21
         username: ftp_inst
         password: pbxk1064
-----------------------------------------------------------------------------------------------
DPEid: not_attributed_yet
vendor:alcatel
type: application
CPE: cpe:/a:alcatel-lucent:omnipcx:014.001
CVE:
description: alcatel-lucent omnipcx office rev. 4.1
         protocol: ftp
         TCP/UDP port: 21
         username: ftp_admi
         password: kilo1987
-----------------------------------------------------------------------------------------------
...