Release of the Default Account Database v4.00

From: Eric Knight (eric_at_swordsoft.com)
Date: 10/31/03

    To: <vuln-dev@securityfocus.com>
    Date: Fri, 31 Oct 2003 10:32:20 -0700

    Greetings to the VULN-DEV Community:

    (Happy Halloween!)

    I've gone ahead and updated the Default Password Database to version 4.0.
    The previous release was way too old and after looking around the net for a
    bit, I have to admit the problem remains out of control and someone needed
    to reconsolidate the independent lists. Most were based on the original
    DAD, so it was fairly easy to recombine them. The DAD went from 850 entries
    to about 1,650 -- nearly doubled in size. Also, I did my best to
    standardize, clean redundancies, and keep quality control in check. It's a
    long process; 4.0.0 does need to have several entries examined for
    additional details.

    It can be downloaded at (Excel, CSV, and HTML format):

    http://www.swordsoft.com/publications (main site)
    http://63.230.73.253/publications (backup site)

    The main site always goes down once I release anything no matter how minor,
    and I'm sure it's just really, really rotten luck since I'm not the only site
    hosted there. The backup site is more stable, but has a slower connection
    and sometimes gets swamped. One or the other should work if luck holds out.

    If I may open up a bit of a discussion here regarding default passwords and
    the DAD...

    First of all, it's clear this problem isn't just "not going away", but it's
    escalating. I don't feel I came anywhere -close- to collecting all the
    passwords from public sources at this time. When I originally made the
    list, I was really trying to squeeze the network for all its available
    resources, but now it's just plain ugly. I don't even want to wager a guess
    at how many managed network devices and appliances exist in the "wild", but
    with the focus change to appliance technology this problem has really opened
    up. I've also noticed a trend in the increase of devices that function
    "plug-and-play" with no requirement at all to even change the password, such
    as wireless broadband routers.

    Second, the DAD list doesn't contain many web-script/app default passwords
    even though there are incredible numbers of them. I'm going to try my best
    to hunt for these and accumulate as many as I can; all assistance with ones
    people are familiar with would be GREATLY APPRECIATED. I believe that the
    problem with default passwords on WWW components may be possibly the largest
    problem because there are so many amateur webmasters out there that are
    installing software largely without supervision, training, or experience.
    It seems like this would be of the most value to the pen-test community
    where the DAD is currently lacking. A single web server may have several,
    dozens, or even hundreds of web services on it compared to a single
    device.

    Third, I couldn't help noticing that the size of the DAD is going to reach
    tree-killer status and is slowly moving away from the intention that it could
    be used for automation or quick reference. I'm considering breaking
    everything into sub-categories such as PBX, Network Device, Web Service,
    Operating System, etc. New column or new tables? Good idea or bad idea?
    Or is the flat list working fine? Any thoughts?

    Take it easy,

    Eric Knight
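The structure question raised in the third point of the post, as an added example that is not part of the original message or of the real DAD: a constructed CSV in a DAD-like layout with a category column, read both ways, filtered by category for quick reference and matched against a local device inventory for an automated configuration review. Column names, vendor and product names, hosts and credentials are all constructed placeholders.

```python
import csv
import io
from collections import defaultdict

# Constructed DAD-style CSV; the column layout is assumed, not the real database's.
DAD_CSV = """vendor,product,category,username,password
ExampleCo,EdgeRouter 100,Network Device,admin,changeme
ExampleCo,EdgeRouter 100,Network Device,support,support
PhoneCorp,PBX-2000,PBX,maint,maint123
WebWidgets,GuestBook,Web Service,webadmin,guest
"""

def load_dad(text):
    """Index default accounts by (vendor, product) for automated matching."""
    index = defaultdict(list)
    for row in csv.DictReader(io.StringIO(text)):
        index[(row["vendor"].lower(), row["product"].lower())].append(row)
    return index

def entries_by_category(text):
    """Group the flat list by category: the 'new column' alternative to new tables."""
    groups = defaultdict(list)
    for row in csv.DictReader(io.StringIO(text)):
        groups[row["category"]].append(row)
    return groups

def audit_inventory(index, inventory):
    """Return (host, category, username) for inventory accounts still on a default.
    inventory rows carry the credentials recorded during a local config review."""
    findings = []
    for dev in inventory:
        key = (dev["vendor"].lower(), dev["product"].lower())
        for row in index.get(key, []):
            if dev["username"] == row["username"] and dev["password"] == row["password"]:
                findings.append((dev["host"], row["category"], row["username"]))
    return findings

# Constructed inventory, as an asset owner would export from their own devices.
INVENTORY = [
    {"host": "rtr-01", "vendor": "ExampleCo", "product": "EdgeRouter 100",
     "username": "admin", "password": "changeme"},
    {"host": "rtr-02", "vendor": "ExampleCo", "product": "EdgeRouter 100",
     "username": "admin", "password": "Xk9!v2pQ"},
    {"host": "pbx-01", "vendor": "PhoneCorp", "product": "PBX-2000",
     "username": "maint", "password": "maint123"},
]

if __name__ == "__main__":
    for host, category, user in audit_inventory(load_dad(DAD_CSV), INVENTORY):
        print(f"{host}: account '{user}' still uses the {category} factory default")
```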

