├── .coveragerc ├── .dockerignore ├── .gitignore ├── .travis.yml ├── COPYING ├── Dockerfile ├── README.md ├── changeme.1 ├── changeme.py ├── changeme ├── __init__.py ├── core.py ├── cred.py ├── redis_queue.py ├── report.py ├── scan_engine.py ├── scanners │ ├── __init__.py │ ├── database.py │ ├── ftp.py │ ├── http_basic_auth.py │ ├── http_fingerprint.py │ ├── http_get.py │ ├── http_post.py │ ├── http_raw_post.py │ ├── memcached.py │ ├── mongo.py │ ├── mssql.py │ ├── mysql.py │ ├── postgres.py │ ├── redis_scanner.py │ ├── scanner.py │ ├── snmp.py │ ├── ssh.py │ ├── ssh_key.py │ └── telnet.py ├── schema.py ├── target.py ├── templates │ └── report.j2 ├── tests │ ├── __init__.py │ ├── core.py │ ├── http.py │ ├── memcached.py │ ├── mock_responses.py │ ├── mongodb.py │ ├── redis_scanner.py │ ├── snmp.py │ ├── target.py │ └── tomcat_nmap.xml └── version.py ├── creds ├── ftp │ └── ftp.yml ├── http │ ├── camera │ │ └── speco_technologies_ip_camera.yml │ ├── general │ │ ├── activemq.yml │ │ ├── amano_ts-3000i.yml │ │ ├── apache_tomcat.yml │ │ ├── apache_tomcat_host_manager.yml │ │ ├── apc_network_management_card.yml │ │ ├── audiocodes_mediant_1000.yml │ │ ├── avaya_contact_center.yml │ │ ├── ca_apm_team_center.yml │ │ ├── ca_netqos.yml │ │ ├── cisco_collaboration_endpoint.yml │ │ ├── cisco_systems.yml │ │ ├── crestron_hd-md4x1-4k-e.yml │ │ ├── datastax_opscenter.yml │ │ ├── dell_idrac.yml │ │ ├── dynatrace.yml │ │ ├── elasticsearch.yml │ │ ├── grafana.yml │ │ ├── haivision_makito_x_decoder.yml │ │ ├── hp_server_automation.yml │ │ ├── ibm_imm.yml │ │ ├── ibm_netezza.yml │ │ ├── ibm_urbancode_deploy.yml │ │ ├── jasperreports.yml │ │ ├── jboss_as_6.yml │ │ ├── jboss_as_6_alt.yml │ │ ├── jenkins.yml │ │ ├── kanboard.yml │ │ ├── makito_decoder.yml │ │ ├── netbackup_opscenter_analytics.yml │ │ ├── nexus_repository_manager.yml │ │ ├── nortel_integrated_call_director.yml │ │ ├── nuxeo_server.yml │ │ ├── oracle_glassfish.yml │ │ ├── sonarqube.yml │ │ ├── supermicro.yml │ │ ├── 
teamcity_9_guest.yml │ │ ├── teleopti_wfm.yml │ │ ├── ubiquiti_edgeos.yml │ │ ├── video_web_server.yml │ │ ├── weblogic.yml │ │ ├── websphere.yml │ │ └── zabbix.yml │ ├── iot │ │ ├── heatmiser_wifi_thermostat.yml │ │ └── proliphix_thermostat.yml │ ├── phone │ │ └── polycom_vvx_500.yml │ ├── printer │ │ ├── brother_hl_series.yml │ │ ├── canon_ir-adv.yml │ │ ├── hp_laserjet_600.yml │ │ ├── hp_laserjet_no_password.yml │ │ ├── hp_laserjet_no_password_legacy.yml │ │ ├── ricoh_mp.yml │ │ ├── xerox_phaser_6700.yml │ │ └── xerox_workcentre_5020_dn.yml │ └── webcam │ │ ├── maygion_camera.yml │ │ └── trendnet_internet_camera.yml ├── mongodb │ └── noauth.yml ├── mssql │ ├── aris.yml │ ├── bosch_rps.yml │ ├── cch.yml │ ├── easyWinArt.yml │ ├── emerson_ams.yml │ ├── geonetwork.yml │ ├── i2b2_workbench.yml │ ├── ibm_maximo.yml │ ├── ibm_was.yml │ ├── ihs_kingdom.yml │ ├── lasa_aims.yml │ ├── lenel_onguard.yml │ ├── mediaportal.yml │ ├── medocheck.yml │ ├── micro_focus_silk_central.yml │ ├── mssql.yml │ ├── napco_continental_access.yml │ ├── netxms.yml │ ├── opengts.yml │ ├── safenet_sentinel_ems.yml │ ├── schlage_sms.yml │ ├── skf.yml │ ├── splendidcrm.yml │ ├── telestream_vantage.yml │ ├── timeforce.yml │ ├── utc.yml │ ├── video_insight.yml │ ├── welchallyn.yml │ └── wonderware_historian.yml ├── mysql │ └── mysql.yml ├── postgres │ ├── ambari.yml │ ├── msf.yml │ └── postgres.yml ├── redis │ └── redis.yml ├── snmp │ ├── apc.yml │ ├── cisco_guard.yml │ ├── common.yml │ └── public_private.yml ├── ssh │ ├── Modern_IE.yml │ ├── antsle.yml │ ├── apple_jailbroken_device.yml │ ├── att_arris.yml │ ├── cisco.yml │ ├── cisco_aironet.yml │ ├── hipchat.yml │ ├── ibm_storwize_v7000.yml │ ├── raspberry_pi.yml │ └── ssh.yml ├── ssh_key │ ├── array_networks_vxag.yml │ ├── barracuda_load_balancer.yml │ ├── ceragon-fibeair.yml │ ├── exagrid.yml │ ├── f5_big-ip.yml │ ├── loadbalancer.org_enterprise_va.yml │ ├── monroe_electronics_r189.yml │ ├── quantum-dxi-v1000.yml │ └── vagrant.yml └── telnet │ 
└── telnet.yml ├── dev-requirements.txt └── requirements.txt /.coveragerc: -------------------------------------------------------------------------------- 1 | [report] 2 | show_missing = True 3 | -------------------------------------------------------------------------------- /.dockerignore: -------------------------------------------------------------------------------- 1 | .git 2 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | *.swp 2 | *.swo 3 | *.pyc 4 | .coverage 5 | data.db 6 | -------------------------------------------------------------------------------- /.travis.yml: -------------------------------------------------------------------------------- 1 | language: python 2 | python: 3 | - "2.7" 4 | - "3.4" 5 | - "3.5" 6 | - "3.6" 7 | addons: 8 | apt: 9 | sources: 10 | - ubuntu-toolchain-r-test 11 | packages: 12 | - gcc 13 | - g++ 14 | - unixodbc-dev 15 | install: 16 | - pip install -r requirements.txt 17 | - pip install -r dev-requirements.txt 18 | services: 19 | - redis-server 20 | - memcached 21 | - mongodb 22 | script: nosetests --nologcapture -v -s --with-coverage --cover-erase --cover-package=changeme changeme/tests/*.py 23 | -------------------------------------------------------------------------------- /Dockerfile: -------------------------------------------------------------------------------- 1 | FROM alpine:latest 2 | MAINTAINER Zach Grace (@ztgrace) 3 | 4 | RUN mkdir /changeme 5 | COPY . 
/changeme/ 6 | 7 | RUN apk update \ 8 | && apk add --no-cache --virtual .changeme-deps \ 9 | bash \ 10 | libxml2 \ 11 | py-lxml \ 12 | py-pip \ 13 | && apk add --no-cache --virtual .build-deps \ 14 | ca-certificates \ 15 | gcc \ 16 | g++ \ 17 | libffi-dev \ 18 | libtool \ 19 | libxml2-dev \ 20 | make \ 21 | musl-dev \ 22 | postgresql-dev \ 23 | python-dev \ 24 | unixodbc-dev \ 25 | && pip install -r /changeme/requirements.txt \ 26 | && apk del .build-deps \ 27 | && find /usr/ -type f -a -name '*.pyc' -o -name '*.pyo' -exec rm '{}' \; \ 28 | && ln -s /changeme/changeme.py /usr/local/bin/ 29 | 30 | ENV HOME /changeme 31 | ENV PS1 "\033[00;34mchangeme>\033[0m " 32 | WORKDIR /changeme 33 | CMD ./changeme.py 34 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # changeme [![Build Status](https://travis-ci.org/ztgrace/changeme.svg?branch=master)](https://travis-ci.org/ztgrace/changeme) 2 | 3 | A default credential scanner. 4 | 5 | ![Basic Scan](https://raw.githubusercontent.com/wiki/ztgrace/changeme/images/basic.gif) 6 | 7 | ## About 8 | 9 | changeme picks up where commercial scanners leave off. It focuses on detecting default and backdoor credentials and not necessarily common credentials. It's default mode is to scan HTTP default credentials, but has support for other credentials. 10 | 11 | changeme is designed to be simple to add new credentials without having to write any code or modules. changeme keeps credential data separate from code. All credentials are stored in [yaml](http://yaml.org/) files so they can be both easily read by humans and processed by changeme. Credential files can be created by using the `./changeme.py --mkcred` tool and answering a few questions. 12 | 13 | changeme supports the http/https, mssql, mysql, postgres, ssh, ssh w/key, snmp, mongodb and ftp protocols. 
Use `./changeme.py --dump` to output all of the currently available credentials. 14 | 15 | You can load your targets using a variety of methods, single ip address/host, subnet, list of hosts, nmap xml file and Shodan query. All methods except for Shodan are loaded as a positional argument and the type is inferred. 16 | 17 | ## Installation 18 | 19 | changeme has only been tested on Linux and has known issues on Windows and OS X/macOS. Use docker to run changeme on the unsupported platforms. It supports either a redis-backed queue (most stable) or an in-memory backed queue. 20 | 21 | Stable versions of changeme can be found on the [releases](https://github.com/ztgrace/changeme/releases) page. 22 | 23 | For mssql support, `unixodbc-dev` needs to be installed prior to installing the `pyodbc`. 24 | 25 | [PhantomJS](http://phantomjs.org/) is required in your PATH for HTML report screenshots. 26 | 27 | Use `pip` to install the required python modules: `pip install -r requirements.txt` 28 | 29 | ## Docker 30 | 31 | A convenient way of running changeme is to do so inside a Docker container. You can run a pre-built container from Docker Hub, or build your own using the instructions below. 32 | 33 | ### Run changeme in Docker 34 | 35 | Docker runs best in conjunction with Redis as a queue back end. Here's how to get a linked container setup working with Redis. 
36 | 37 | Get the latest containers: `docker pull redis && docker pull ztgrace/changeme` 38 | 39 | Launch redis in the background: `docker run -d --name redis1 redis` 40 | 41 | Start changeme linking the redis container by name and mounting a local directory into the container's `/mnt` directory: `docker run -it -v /tmp/results:/mnt --link redis1:redis ztgrace/changeme:latest /bin/sh` 42 | 43 | Run changeme with a `--redishost` of `redis` and `--output` file in our mounted volume: `./changeme.py --redishost redis --output /tmp/mnt/results.csv --protocols ssh --threads 20 -d 192.168.1.0/24` 44 | 45 | ### Build from Dockerfile 46 | 47 | 1. Build the docker container: `docker build -t changeme .` 48 | 2. Run changeme from inside the container: `docker run -it changeme /bin/bash` 49 | 50 | ## Usage Examples 51 | 52 | Below are some common usage examples. 53 | 54 | * Scan a single host: `./changeme.py 192.168.59.100` 55 | * Scan a subnet for default creds: `./changeme.py 192.168.59.0/24` 56 | * Scan using an nmap file: `./changeme.py subnet.xml` 57 | * Scan a subnet for Tomcat default creds and set the timeout to 5 seconds: `./changeme.py -n "Apache Tomcat" --timeout 5 192.168.59.0/24` 58 | * Use [Shodan](https://www.shodan.io/) to populate a targets list and check them for default credentials: `./changeme.py --shodan_query "Server: SQ-WEBCAM" --shodan_key keygoeshere -c camera` 59 | * Scan for SSH and known SSH keys: `./changeme.py --protocols ssh,ssh_key 192.168.59.0/24` 60 | * Scan a host for SNMP creds using the protocol syntax: `./changeme.py snmp://192.168.1.20` 61 | 62 | See [Wiki Examples](https://github.com/ztgrace/changeme/wiki/Examples) for more detailed examples. 63 | 64 | ## Known Issues 65 | 66 | The telnet scanner is broken. 67 | 68 | Additionally, anything filed under https://github.com/ztgrace/changeme/issues as a bug. 
69 | 70 | ## Bugs and Enhancements 71 | 72 | Bugs and enhancements are tracked at [https://github.com/ztgrace/changeme/issues](https://github.com/ztgrace/changeme/issues). 73 | 74 | **Request a credential:** Please add an issue to Github and apply the credential label. 75 | 76 | **Vote for a credential:** If you would like to help us prioritize which credentials to add, you can add a comment to a credential issue. 77 | 78 | Please see the [wiki](https://github.com/ztgrace/changeme/wiki) for more details. 79 | 80 | ## Contributors 81 | 82 | Thanks for code contributions and suggestions. 83 | 84 | * @AlessandroZ 85 | * @m0ther_ 86 | * @GraphX 87 | * @Equinox21_ 88 | * https://github.com/ztgrace/changeme/graphs/contributors 89 | -------------------------------------------------------------------------------- /changeme.1: -------------------------------------------------------------------------------- 1 | .TH CHANGEME "1" "June 2018" "changeme 1.1.1" "User Commands" 2 | .SH NAME 3 | changeme \- Default Credential Scanner 4 | .SH DESCRIPTION 5 | A default Credential Scanner with support for various protocols 6 | .PP 7 | .SH SYNOPSIS 8 | .B changeme [options] 9 | .IP 10 | .SH OPTIONS 11 | .SS "required arguments:" 12 | .TP 13 | \fBtarget\fR 14 | Target to scan. 
Can be IP, subnet, hostname, nmap xml 15 | file, text file or proto://host:port 16 | .SS "optional arguments:" 17 | .TP 18 | \fB\-h\fR, \fB\-\-help\fR 19 | show this help message and exit 20 | .TP 21 | \fB\-\-all\fR, \fB\-a\fR 22 | Scan for all protocols 23 | .TP 24 | \fB\-\-category\fR, \fB\-c\fR CATEGORY 25 | Category of default creds to scan for 26 | .TP 27 | \fB\-\-contributors\fR 28 | Display cred file contributors 29 | .TP 30 | \fB\-\-debug\fR, \fB\-d\fR 31 | Debug output 32 | .TP 33 | \fB\-\-delay\fR, \fB\-dl\fR DELAY 34 | Specify a delay in milliseconds to avoid 429 status 35 | codes, default=500 36 | .TP 37 | \fB\-\-dump\fR 38 | Print all of the loaded credentials 39 | .TP 40 | \fB\-\-dryrun\fR 41 | Print URLs to be scanned, but don't scan them 42 | .TP 43 | \fB\-\-fingerprint\fR, \fB\-f\fR 44 | Fingerprint targets, but don't check creds 45 | .TP 46 | \fB\-\-fresh\fR 47 | Flush any previous scans and start fresh 48 | .TP 49 | \fB\-\-log\fR, \fB\-l\fR LOG 50 | Write logs to logfile 51 | .TP 52 | \fB\-\-mkcred\fR 53 | Make cred file 54 | .TP 55 | \fB\-\-name\fR, \fB\-n\fR NAME 56 | Narrow testing to the supplied credential name 57 | .TP 58 | \fB\-\-noversion\fR 59 | Don't perform a version check 60 | .TP 61 | \fB\-\-proxy\fR, \fB\-p\fR PROXY 62 | HTTP(S) Proxy 63 | .TP 64 | \fB\-\-output\fR, \fB\-o\fR OUTPUT 65 | Name of result file. File extension determines type 66 | (csv, html, json). 67 | .TP 68 | \fB\-\-oa\fR 69 | Output results files in csv, html and json formats 70 | .TP 71 | \fB\-\-protocols\fR PROTOCOLS 72 | Comma separated list of protocols to test: 73 | http,ssh,ssh_key. Defaults to http. 
74 | .TP 75 | \fB\-\-portoverride\fR 76 | Scan all protocols on all specified ports 77 | .TP 78 | \fB\-\-redishost\fR REDISHOST 79 | Redis server 80 | .TP 81 | \fB\-\-redisport\fR REDISPORT 82 | Redis server port 83 | .TP 84 | \fB\-\-resume\fR, \fB\-r\fR 85 | Resume previous scan 86 | .TP 87 | \fB\-\-shodan_query\fR, \fB\-q\fR SHODAN_QUERY 88 | Shodan query 89 | .TP 90 | \fB\-\-shodan_key\fR, \fB\-k\fR SHODAN_KEY 91 | Shodan API key 92 | .TP 93 | \fB\-\-ssl\fR 94 | Force cred to SSL and fall back to non\-SSL if an 95 | SSLError occurs 96 | .TP 97 | \fB\-\-threads\fR, \fB\-t\fR THREADS 98 | Number of threads, default=10 99 | .TP 100 | \fB\-\-timeout\fR TIMEOUT 101 | Timeout in seconds for a request, default=10 102 | .TP 103 | \fB\-\-useragent\fR, \fB\-ua\fR USERAGENT 104 | User agent string to use 105 | .TP 106 | \fB\-\-validate\fR 107 | Validate creds files 108 | .TP 109 | \fB\-\-verbose\fR, \fB\-v\fR 110 | Verbose output 111 | .SH EXAMPLES 112 | \fBchangeme 192.168.2.100\fR Scan single host 113 | .TP 114 | \fBchangeme 192.168.2.0/24\fR Scan subnet 115 | .TP 116 | \fBchangeme subnet.xml\fR Scan using an nmap output file 117 | .TP 118 | \fBchangeme -n "Apache Tomcat" --timeout 5 192.168.2.0/24\fR Scan a subnet for Tomcat default creds and set the timeout to 5 seconds 119 | .TP 120 | \fBchangeme --shodan_query "Server: SQ-WEBCAM" --shodan_key keygoeshere -c camera\fR Use Shodan to populate a targets list and check them for default credentials 121 | .TP 122 | \fBchangeme --protocols ssh,ssh_key 192.168.2.0/24\fR Scan subnet for SSH and known SSH keys 123 | .TP 124 | \fBchangeme snmp://192.168.2.100\fR Scan a host for SNMP creds using the protocol syntax 125 | .SH AUTHOR 126 | changeme was developed by ztgrace, this manpage was made by Samuel Henrique based on \fBchangeme --help\fR output and can be used by other projects as well. 
127 | -------------------------------------------------------------------------------- /changeme.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from changeme import core 4 | 5 | if __name__ == '__main__': 6 | core.main() 7 | -------------------------------------------------------------------------------- /changeme/__init__.py: -------------------------------------------------------------------------------- 1 | __all__ = ['core', 'version', 'scan_engine'] 2 | -------------------------------------------------------------------------------- /changeme/core.py: -------------------------------------------------------------------------------- 1 | import argparse 2 | from cerberus import Validator 3 | from changeme.redis_queue import RedisQueue 4 | import logging 5 | from logutils import colorize 6 | import os 7 | import random 8 | import re 9 | import redis 10 | from .report import Report 11 | import requests 12 | from requests import ConnectionError 13 | from requests.packages.urllib3.exceptions import InsecureRequestWarning 14 | from .scan_engine import ScanEngine 15 | from . import schema 16 | import sys 17 | from . 
import version 18 | import yaml 19 | 20 | PERSISTENT_QUEUE = "data.db" # Instantiated in the scan_engine class 21 | 22 | 23 | def banner(version): 24 | b = """ 25 | ##################################################### 26 | # _ # 27 | # ___| |__ __ _ _ __ __ _ ___ _ __ ___ ___ # 28 | # / __| '_ \ / _` | '_ \ / _` |/ _ \ '_ ` _ \ / _ \\ # 29 | # | (__| | | | (_| | | | | (_| | __/ | | | | | __/ # 30 | # \___|_| |_|\__,_|_| |_|\__, |\___|_| |_| |_|\___| # 31 | # |___/ # 32 | # v%s # 33 | # Default Credential Scanner by @ztgrace # 34 | ##################################################### 35 | """ % version 36 | 37 | return b 38 | 39 | 40 | def main(): 41 | print(banner(version.__version__)) 42 | 43 | args = parse_args() 44 | init_logging(args['args'].verbose, args['args'].debug, args['args'].log) 45 | config = Config(args['args'], args['parser']) 46 | if not config.noversion: 47 | check_version() 48 | creds = load_creds(config) 49 | s = None 50 | 51 | if config.mkcred: 52 | schema.mkcred() 53 | quit() 54 | 55 | if config.contributors: 56 | print_contributors(creds) 57 | quit() 58 | 59 | if config.dump: 60 | print_creds(creds) 61 | quit() 62 | 63 | logger = logging.getLogger('changeme') 64 | 65 | if not config.validate: 66 | check_for_interrupted_scan(config) 67 | s = ScanEngine(creds, config) 68 | try: 69 | s.scan() 70 | except IOError: 71 | logger.debug('Caught IOError exception') 72 | 73 | report = Report(s.found_q, config.output) 74 | report.print_results() 75 | 76 | if config.output and ".json" in config.output or config.output and config.oa: 77 | report.render_json() 78 | if config.output and ".csv" in config.output or config.output and config.oa: 79 | report.render_csv() 80 | if config.output and ".html" in config.output or config.output and config.oa: 81 | report.render_html() 82 | if (config.output and not ('json' in config.output or 'csv' in config.output or 'html' in config.output)) and not config.oa: 83 | logger.error('Only JSON, CSV and HTML are the only 
supported output types.') 84 | 85 | 86 | return s 87 | 88 | 89 | def init_logging(verbose=False, debug=False, logfile=None): 90 | """ 91 | Logging levels: 92 | - Critical: Default credential found 93 | - Error: error in the program 94 | - Warning: Verbose data 95 | - Info: more verbose 96 | - Debug: Extra info for debugging purposes 97 | """ 98 | # Set up our logging object 99 | logger = logging.getLogger('changeme') 100 | 101 | if debug: 102 | logger.setLevel(logging.DEBUG) 103 | elif verbose: 104 | logger.setLevel(logging.INFO) 105 | else: 106 | logger.setLevel(logging.WARNING) 107 | 108 | if logfile: 109 | # Create file handler which logs even debug messages 110 | ####################################################################### 111 | fh = logging.FileHandler(logfile) 112 | 113 | # create formatter and add it to the handler 114 | formatter = logging.Formatter( 115 | '[%(asctime)s][%(levelname)s] %(message)s') 116 | fh.setFormatter(formatter) 117 | logger.addHandler(fh) 118 | 119 | # Set up the StreamHandler so we can write to the console 120 | ########################################################################### 121 | # create console handler with a higher log level 122 | ch = colorize.ColorizingStreamHandler(sys.stdout) 123 | 124 | # set custom colorings: 125 | ch.level_map[logging.DEBUG] = [None, 2, False] 126 | ch.level_map[logging.INFO] = [None, 'white', False] 127 | ch.level_map[logging.WARNING] = [None, 'yellow', False] 128 | ch.level_map[logging.ERROR] = [None, 'red', False] 129 | ch.level_map[logging.CRITICAL] = [None, 'green', False] 130 | if debug: 131 | formatter = logging.Formatter('[%(asctime)s][%(module)s][%(funcName)s] %(message)s', datefmt='%H:%M:%S') 132 | else: 133 | formatter = logging.Formatter('[%(asctime)s] %(message)s', datefmt='%H:%M:%S') 134 | ch.setFormatter(formatter) 135 | logger.addHandler(ch) 136 | 137 | # Adjust the loggers for requests and urllib3 138 | logging.getLogger('requests').setLevel(logging.ERROR) 139 | 
logging.getLogger('urllib3').setLevel(logging.ERROR) 140 | requests.packages.urllib3.disable_warnings(InsecureRequestWarning) 141 | 142 | return logger 143 | 144 | 145 | class Config(object): 146 | def __init__(self, args, arg_parser): 147 | # Convert argparse Namespace to a dict and make the keys + values member variables of the config class 148 | args = vars(args) 149 | self.target = None 150 | for key in args: 151 | setattr(self, key, args[key]) 152 | 153 | self._validate_args(arg_parser) 154 | 155 | def _validate_args(self, ap): 156 | logger = logging.getLogger('changeme') 157 | if (not self.validate and not self.contributors and not self.dump and not self.shodan_query 158 | and not self.mkcred and not self.resume) and not self.target: 159 | ap.print_help() 160 | quit() 161 | 162 | if self.proxy and re.match('^https?://[0-9\.]+:[0-9]{1,5}$', self.proxy): 163 | self.proxy = {'http': self.proxy, 'https': self.proxy} 164 | logger.info('Setting proxy to %s' % self.proxy) 165 | elif self.proxy: 166 | logger.error('Invalid proxy, must be http(s)://x.x.x.x:8080') 167 | sys.exit() 168 | 169 | if self.delay and self.delay != 0: 170 | if isinstance(self.delay, int) and 0 <= self.delay <= 1000: 171 | logger.debug('Delay is set to %d milliseconds' % self.delay) 172 | else: 173 | logger.error('Invalid delay type. Delay must be an integer between 0 and 1000. 
Delay is: %s' % 174 | type(self.delay)) 175 | 176 | # Drop logging level to INFO to see the fingerprint messages 177 | if self.fingerprint: 178 | logger.setLevel(logging.INFO) 179 | 180 | if self.verbose: 181 | logger.setLevel(logging.INFO) 182 | if self.debug or self.validate: 183 | logger.setLevel(logging.DEBUG) 184 | 185 | self.useragent = {'User-Agent': self.useragent if self.useragent else get_useragent()} 186 | 187 | if ',' in self.protocols: 188 | self.protocols = self.protocols.split(',') 189 | 190 | if self.all: 191 | self.protocols = 'all' 192 | 193 | logger.debug(self.protocols) 194 | 195 | if self.output and which('phantomjs') is None: 196 | logger.warning('phantomjs is not in your path, screenshots will not work') 197 | 198 | 199 | def _file_exists(self, f): 200 | if not os.path.isfile(f): 201 | self.logger.error("File %s not found" % f) 202 | sys.exit() 203 | 204 | 205 | def parse_args(): 206 | ap = argparse.ArgumentParser(description='Default credential scanner v%s' % version.__version__) 207 | ap.add_argument('--all', '-a', action='store_true', help='Scan for all protocols', default=False) 208 | ap.add_argument('--category', '-c', type=str, help='Category of default creds to scan for', default=None) 209 | ap.add_argument('--contributors', action='store_true', help='Display cred file contributors') 210 | ap.add_argument('--debug', '-d', action='store_true', help='Debug output') 211 | ap.add_argument('--delay', '-dl', type=int, help="Specify a delay in milliseconds to avoid 429 status codes default=500", default=500) 212 | ap.add_argument('--dump', action='store_true', help='Print all of the loaded credentials') 213 | ap.add_argument('--dryrun', action='store_true', help='Print urls to be scan, but don\'t scan them') 214 | ap.add_argument('--fingerprint', '-f', action='store_true', help='Fingerprint targets, but don\'t check creds', default=False) 215 | ap.add_argument('--fresh', action='store_true', help='Flush any previous scans and start fresh', 
default=False) 216 | ap.add_argument('--log', '-l', type=str, help='Write logs to logfile', default=None) 217 | ap.add_argument('--mkcred', action='store_true', help='Make cred file', default=False) 218 | ap.add_argument('--name', '-n', type=str, help='Narrow testing to the supplied credential name', default=None) 219 | ap.add_argument('--noversion', action='store_true', help='Don\'t perform a version check', default=False) 220 | ap.add_argument('--proxy', '-p', type=str, help='HTTP(S) Proxy', default=None) 221 | ap.add_argument('--output', '-o', type=str, help='Name of result file. File extension determines type (csv, html, json).', default=None) 222 | ap.add_argument('--oa', action='store_true', help='Output results files in csv, html and json formats', default=False) 223 | ap.add_argument('--protocols', type=str, help="Comma separated list of protocols to test: http,ssh,ssh_key. Defaults to http.", default='http') 224 | ap.add_argument('--portoverride', action='store_true', help='Scan all protocols on all specified ports', default=False) 225 | ap.add_argument('--redishost', type=str, help='Redis server', default='localhost') 226 | ap.add_argument('--redisport', type=str, help='Redis server', default='6379') 227 | ap.add_argument('--resume', '-r', action='store_true', help='Resume previous scan', default=False) 228 | ap.add_argument('--shodan_query', '-q', type=str, help='Shodan query', default=None) 229 | ap.add_argument('--shodan_key', '-k', type=str, help='Shodan API key', default=None) 230 | ap.add_argument('--ssl', action='store_true', help='Force cred to SSL and fall back to non-SSL if an SSLError occurs', default=False) 231 | ap.add_argument('--threads', '-t', type=int, help='Number of threads, default=10', default=10) 232 | ap.add_argument('--timeout', type=int, help='Timeout in seconds for a request, default=10', default=10) 233 | ap.add_argument('--useragent', '-ua', type=str, help="User agent string to use", default=None) 234 | 
ap.add_argument('--validate', action='store_true', help='Validate creds files', default=False) 235 | ap.add_argument('--verbose', '-v', action='store_true', help='Verbose output', default=False) 236 | 237 | # Hack to get the help to show up right 238 | cli = ' '.join(sys.argv) 239 | if "-h" in cli or "--help" in cli: 240 | ap.add_argument('target', type=str, help='Target to scan. Can be IP, subnet, hostname, nmap xml file, text file or proto://host:port', default=None) 241 | 242 | # initial parse to see if an option not requiring a target was used 243 | args, unknown = ap.parse_known_args() 244 | if not args.dump and not args.contributors and not args.mkcred and not args.resume and not args.shodan_query and not args.validate: 245 | ap.add_argument('target', type=str, help='Target to scan. Can be IP, subnet, hostname, nmap xml file, text file or proto://host:port', default=None) 246 | 247 | args = ap.parse_args() 248 | 249 | return {'args': args, 'parser': ap} 250 | 251 | 252 | def get_protocol(filename): 253 | parts = filename.split(os.path.sep) 254 | cred_index = 0 255 | for p in parts: 256 | if p == 'creds': 257 | break 258 | cred_index += 1 259 | 260 | return parts[cred_index + 1] 261 | 262 | 263 | 264 | def load_creds(config): 265 | # protocol is based off of the directory and category is a field in the cred file. 
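That way you can 266 | # have default creds across protocols for a single device like a printer 267 | logger = logging.getLogger('changeme') 268 | creds = list() 269 | total_creds = 0 270 | cred_names = list() 271 | cred_path = os.path.join(os.path.dirname(os.path.abspath(__file__)), '..', 'creds') 272 | logger.debug('cred_path: %s' % cred_path) 273 | protocols = [proto for proto in os.walk(cred_path)][0][1] 274 | for root, dirs, files in os.walk(cred_path): 275 | for fname in files: 276 | f = os.path.join(root, fname) 277 | protocol = get_protocol(f) 278 | if is_yaml(f): 279 | parsed = parse_yaml(f) 280 | if parsed: 281 | if parsed['name'] in cred_names: 282 | pass 283 | elif validate_cred(parsed, f, protocol): 284 | parsed['protocol'] = protocol # Add the protocol after the schema validation 285 | if in_scope(config.name, config.category, parsed, protocols): 286 | total_creds += len(parsed['auth']['credentials']) 287 | creds.append(parsed) 288 | cred_names.append(parsed['name']) 289 | logger.debug('Loaded %s' % parsed['name']) 290 | 291 | print('Loaded %i default credential profiles' % len(creds)) 292 | print('Loaded %i default credentials\n' % total_creds) 293 | 294 | creds 295 | return creds 296 | 297 | 298 | def validate_cred(cred, f, protocol): 299 | valid = True 300 | if protocol == 'http': 301 | v = Validator() 302 | valid = v.validate(cred, schema.http_schema) 303 | for e in v.errors: 304 | logging.getLogger('changeme').error("[validate_cred] Validation Error: %s, %s - %s" % 305 | (f, e, v.errors[e])) 306 | # TODO: implement schema validators for other protocols 307 | 308 | return valid 309 | 310 | 311 | def parse_yaml(f): 312 | logger = logging.getLogger('changeme') 313 | with open(f, 'r') as fin: 314 | raw = fin.read() 315 | try: 316 | parsed = yaml.safe_load(raw) # safe_load: cred files are plain data, so YAML tags must never construct arbitrary Python objects 317 | except Exception as e: 318 | logger.error("[parse_yaml] %s is not a valid yaml file" % f) 319 | return None 320 | return parsed 321 | 322 | 323 | def is_yaml(f): 324 | isyaml = False 325 | 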
try: 326 | isyaml = os.path.basename(f).split('.')[1] == 'yml' 327 | except: 328 | pass 329 | return isyaml 330 | 331 | 332 | def in_scope(name, category, cred, protocols): 333 | add = True 334 | 335 | if name: 336 | names = name.split(',') 337 | found = False 338 | for n in names: 339 | if n.lower() in cred['name'].lower(): 340 | found = True 341 | 342 | if found is False: 343 | add = False 344 | 345 | if category and not cred['category'] == category: 346 | add = False 347 | elif cred['protocol'] not in protocols: 348 | add = False 349 | 350 | return add 351 | 352 | 353 | def print_contributors(creds): 354 | contributors = set() 355 | for cred in creds: 356 | cred_contributors = cred['contributor'].split(', ') 357 | for c in cred_contributors: 358 | contributors.add(c) 359 | 360 | for c in version.contributors: 361 | contributors.add(c) 362 | 363 | print("Thank you to our contributors!") 364 | for i in sorted(contributors, key=str.lower): 365 | print(i) 366 | print() 367 | 368 | 369 | def print_creds(creds): 370 | for cred in creds: 371 | print("\n%s (%s)" % (cred['name'], cred['category'])) 372 | for i in cred['auth']['credentials']: 373 | print(" - %s:%s" % (i['username'], i['password'])) 374 | 375 | 376 | def get_useragent(): 377 | headers_useragents = [ 378 | 'Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.3) Gecko/20090913 Firefox/3.5.3', 379 | 'Mozilla/5.0 (Windows; U; Windows NT 6.1; en; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)', 380 | 'Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)', 381 | 'Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.1) Gecko/20090718 Firefox/3.5.1', 382 | 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/532.1 (KHTML, like Gecko) Chrome/4.0.219.6 Safari/532.1', 383 | 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; InfoPath.2)', 384 | 'Mozilla/4.0 (compatible; MSIE 8.0; Windows 
NT 5.2; Win64; x64; Trident/4.0)', 385 | 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SV1; .NET CLR 2.0.50727; InfoPath.2)', 386 | 'Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)', 387 | 'Mozilla/4.0 (compatible; MSIE 6.1; Windows XP)', 388 | 'Opera/9.80 (Windows NT 5.2; U; ru) Presto/2.5.22 Version/10.51' 389 | ] 390 | return random.choice(headers_useragents) 391 | 392 | 393 | def check_for_interrupted_scan(config): 394 | logger = logging.getLogger('changeme') 395 | if config.fresh: 396 | logger.debug("Forcing a fresh scan") 397 | remove_queues() 398 | elif config.resume: 399 | logger.debug("Resuming previous scan") 400 | return 401 | 402 | fp = RedisQueue('fingerprint') 403 | scanners = RedisQueue('scanners') 404 | fp_qsize = 0 405 | scanners_qsize = 0 406 | logger.debug('scanners: %s, fp: %s' % (scanners_qsize, fp_qsize)) 407 | try: 408 | fp_qsize = fp.qsize() 409 | except redis.exceptions.ConnectionError: 410 | pass 411 | try: 412 | scanners_qsize = scanners.qsize() 413 | except redis.exceptions.ConnectionError: 414 | pass 415 | 416 | if fp_qsize > 0 or scanners_qsize > 0: 417 | if not prompt_for_resume(config): 418 | remove_queues() 419 | 420 | if fp_qsize == 0 and scanners_qsize == 0: 421 | # Clear the found queue if there's no fingerprints or scanners in the queues 422 | try: 423 | logger.debug('Clearing found_q') 424 | found_q = RedisQueue('found_q') 425 | found_q.delete() 426 | except Exception as e: 427 | logger.debug('Exception: %s: %s' % (type(e).__name__, e.__str__().replace('\n', '|'))) 428 | pass 429 | 430 | 431 | 432 | def prompt_for_resume(config): 433 | logger = logging.getLogger('changeme') 434 | logger.error('A previous scan was interrupted. 
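def remove_queues():
    """Delete the on-disk queue file and the Redis-backed scan queues.

    Both steps are best effort: a missing file or a failing Redis call is
    logged at debug level and otherwise ignored.
    """
    logger = logging.getLogger('changeme')
    try:
        os.remove(PERSISTENT_QUEUE)
        logger.debug("%s removed" % PERSISTENT_QUEUE)
    except OSError:
        logger.debug("%s didn't exist" % PERSISTENT_QUEUE)

    # Clear Redis
    for q in ('fingerprint', 'scanners', 'found_q'):
        logger.debug('Removing %s RedisQueue' % q)
        r = RedisQueue(q)
        try:
            r.delete()
            logger.debug("%s Redis queue removed" % q)
        except Exception as e:
            # Exception instead of a bare except, so that KeyboardInterrupt
            # and SystemExit are no longer swallowed during cleanup.
            logger.debug("%s Redis queue exception: %s" % (q, type(e).__name__))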
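class RedisQueue(object):
    """Simple queue backed by a Redis list.

    Items are stored pickled under the key ``<namespace>:<name>``.

    SECURITY: ``get`` unpickles whatever bytes are found under that key, and
    unpickling can run arbitrary code. Every client that can write to the
    Redis instance is therefore able to execute code in the consumer, so the
    instance has to be one that only trusted parties can reach.
    """

    def __init__(self, name, namespace='queue', **redis_kwargs):
        """The default connection parameters are: host='localhost', port=6379, db=0"""
        self.__db = redis.Redis(**redis_kwargs)
        self.key = '%s:%s' % (namespace, name)

    def qsize(self):
        """Return the approximate size of the queue."""
        return self.__db.llen(self.key)

    def empty(self):
        """Return True if the queue is empty, False otherwise."""
        return self.qsize() == 0

    def put(self, item):
        """Put item into the queue."""
        self.__db.rpush(self.key, pickle.dumps(item))

    def get(self, block=True, timeout=None):
        """Remove and return an item from the queue.

        If optional args block is true and timeout is None (the default), block
        if necessary until an item is available.

        Returns None when nothing could be popped (non-blocking call on an
        empty queue, or a blocking call that timed out). A stored ``None``
        is returned as None as well, so the two cases look the same to the
        caller.
        """
        if block:
            # blpop answers with a (key, value) pair, or None on timeout.
            popped = self.__db.blpop(self.key, timeout=timeout)
            raw = popped[1] if popped else None
        else:
            # lpop answers with the bare value; indexing it, as the blocking
            # branch must, would pick a single byte out of the payload.
            raw = self.__db.lpop(self.key)

        if raw is None:
            return None
        # See the class docstring: this trusts the contents of Redis.
        return pickle.loads(raw)

    def get_nowait(self):
        """Equivalent to get(False)."""
        return self.get(False)

    def ping(self):
        """Ping the Redis server; connection errors propagate to the caller."""
        self.__db.ping()

    def delete(self):
        """Delete this queue's key, then flush the selected Redis database."""
        self.__db.delete(self.key)
        # NOTE(review): flushdb() removes every key in the selected database,
        # not only this queue. Kept because callers may depend on it; point
        # the tool at a Redis database that holds nothing else.
        self.__db.flushdb()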
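def render_json(self):
    """Write the findings to a JSON file shaped as ``{"results": [...]}``.

    ``.json`` is appended to ``self.output`` unless the name already ends
    with it.
    """
    # Work on a copy so the Target objects in self.results stay intact; json
    # cannot serialize them, so each one is replaced by its str() form.
    rows = deepcopy(self.results)
    for row in rows:
        row['target'] = str(row['target'])

    payload = json.dumps({"results": rows})
    fname = self.output
    if not re.match(r'.*\.json$', fname):
        fname += ".json"

    # NOTE(review): the file holds working credentials and is created with
    # the process's default permissions.
    with open(fname, 'w') as fout:
        fout.write(payload)

    self.logger.critical("%i credentials written to %s" % (len(self.results), fname))


def print_results(self):
    """Print the findings as a table, or a short notice when there are none.

    For targets whose protocol contains 'http' the evidence column is
    blanked in the printed copy; self.results is not modified.
    """
    if len(self.results) > 0:
        results = deepcopy(self.results)
        for r in results:
            if 'http' in r['target'].protocol:
                r['evidence'] = ''

        print("")
        print("")
        self.logger.critical('Found %i default credentials' % len(self.results))
        print("")
        print(tabulate(results, headers={'name': 'Name',
                                         'username': 'Username',
                                         'password': 'Password',
                                         'target': 'Target',
                                         'evidence': 'Evidence'}))

        print("")
    else:
        print("No default credentials found")


def render_html(self):
    """Render the findings through the ``report.j2`` template into an HTML file.

    The template receives ``found`` (the findings), ``cli`` (the command
    line) and ``timestamp``. ``.html`` is appended to ``self.output`` unless
    the name already ends with it.
    """
    template_loader = jinja2.FileSystemLoader(searchpath=self.get_template_path())
    # The findings carry text that came back from the scanned hosts (for
    # example the evidence strings), so template values are HTML-escaped.
    # NOTE(review): report.j2 is not visible here; a value that is meant to
    # be emitted as markup has to be marked |safe in the template.
    template_env = jinja2.Environment(loader=template_loader, autoescape=True)
    report_template = template_env.get_template('report.j2')
    cli = ' '.join(sys.argv)
    timestamp = datetime.now()
    report = report_template.render({'found': self.results, 'cli': cli, 'timestamp': timestamp})

    fname = self.output
    if not re.match(r'.*\.html$', fname):
        fname += ".html"

    with open(fname, 'w') as fout:
        fout.write(report)

    self.logger.critical("%i credentials written to %s" % (len(self.results), fname))


@staticmethod
def get_template_path():
    """Return the ``templates`` directory that sits next to this module."""
    PATH = os.path.dirname(os.path.abspath(__file__))
    template_path = os.path.join(PATH, 'templates')
    return template_path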
101 | items = list() 102 | while not q.qsize() == 0: 103 | i = q.get() 104 | items.append(i) 105 | 106 | # Restore queue 107 | for i in items: 108 | q.put(i) 109 | 110 | return items 111 | -------------------------------------------------------------------------------- /changeme/scan_engine.py: -------------------------------------------------------------------------------- 1 | import logging 2 | import multiprocessing as mp 3 | import redis 4 | from changeme.redis_queue import RedisQueue 5 | import pickle 6 | from .scanners.ftp import FTP 7 | from .scanners.http_fingerprint import HttpFingerprint 8 | from .scanners.memcached import MemcachedScanner 9 | from .scanners.mongo import Mongodb 10 | from .scanners.mssql import MSSQL 11 | from .scanners.mysql import MySQL 12 | from .scanners.postgres import Postgres 13 | from .scanners.redis_scanner import RedisScanner 14 | from .scanners.snmp import SNMP 15 | from .scanners.ssh import SSH 16 | from .scanners.ssh_key import SSHKey 17 | from .scanners.http_fingerprint import HttpFingerprint 18 | from .target import Target 19 | import time 20 | try: 21 | # Python 2 22 | from Queue import Queue 23 | except: 24 | # Python 3 25 | from queue import Queue 26 | 27 | 28 | class ScanEngine(object): 29 | def __init__(self, creds, config): 30 | self.creds = creds 31 | self.config = config 32 | self.logger = logging.getLogger('changeme') 33 | self.scanners = self._get_queue('scanners') 34 | self.total_scanners = 0 35 | self.targets = set() 36 | self.fingerprints = self._get_queue('fingerprints') 37 | self.total_fps = 0 38 | self.found_q = self._get_queue('found_q') 39 | 40 | def scan(self): 41 | 42 | # Phase I - Fingerprint 43 | ###################################################################### 44 | if not self.config.resume: 45 | self._build_targets() 46 | 47 | if self.config.dryrun: 48 | self.dry_run() 49 | 50 | num_procs = self.config.threads if self.fingerprints.qsize() > self.config.threads else self.fingerprints.qsize() 51 | 
52 | self.logger.debug('Number of procs: %i' % num_procs) 53 | self.total_fps = self.fingerprints.qsize() 54 | procs = [mp.Process(target=self.fingerprint_targets) for i in range(num_procs)] 55 | 56 | self._add_terminators(self.fingerprints) 57 | 58 | for proc in procs: 59 | proc.start() 60 | 61 | for proc in procs: 62 | proc.join() 63 | 64 | self.logger.info('Fingerprinting completed') 65 | 66 | # Phase II - Scan 67 | ###################################################################### 68 | # Unique the queue 69 | scanners = list() 70 | while self.scanners.qsize() > 0: 71 | s = self.scanners.get() 72 | 73 | if s not in scanners: 74 | scanners.append(s) 75 | 76 | for s in scanners: 77 | self.scanners.put(s) 78 | 79 | if not self.config.fingerprint: 80 | num_procs = self.config.threads if self.scanners.qsize() > self.config.threads else self.scanners.qsize() 81 | self.total_scanners = self.scanners.qsize() 82 | 83 | self.logger.debug('Starting %i scanner procs' % num_procs) 84 | procs = [mp.Process(target=self._scan, args=(self.scanners, self.found_q)) for i in range(num_procs)] 85 | 86 | self._add_terminators(self.scanners) 87 | 88 | for proc in procs: 89 | self.logger.debug('Starting scanner proc') 90 | proc.start() 91 | 92 | for proc in procs: 93 | proc.join() 94 | 95 | self.logger.info('Scanning Completed') 96 | 97 | # Hack to address a broken pipe IOError per https://stackoverflow.com/questions/36359528/broken-pipe-error-with-multiprocessing-queue 98 | time.sleep(0.1) 99 | 100 | def _add_terminators(self, q): 101 | # Add poison pills 102 | for i in range(self.config.threads): 103 | q.put(None) 104 | 105 | def _scan(self, scanq, foundq): 106 | while True: 107 | remaining = self.scanners.qsize() 108 | self.logger.debug('%i scanners remaining' % remaining) 109 | 110 | try: 111 | scanner = scanq.get(block=True) 112 | if scanner is None: 113 | return 114 | except Exception as e: 115 | self.logger.debug('Caught exception: %s' % type(e).__name__) 116 | continue 117 
| 118 | result = scanner.scan() 119 | if result: 120 | foundq.put(result) 121 | 122 | def fingerprint_targets(self): 123 | while True: 124 | remaining = self.fingerprints.qsize() 125 | self.logger.debug('%i fingerprints remaining' % remaining) 126 | 127 | try: 128 | fp = self.fingerprints.get() 129 | if type(fp) == bytes: 130 | fp = pickle.loads(fp) 131 | 132 | # Exit process 133 | if fp is None: 134 | return 135 | 136 | except Exception as e: 137 | self.logger.debug('Caught exception: %s' % type(e).__name__) 138 | self.logger.debug('Exception: %s: %s' % (type(e).__name__, e.__str__().replace('\n', '|'))) 139 | return 140 | 141 | if fp.fingerprint(): 142 | results = fp.get_scanners(self.creds) 143 | if results: 144 | for result in results: 145 | self.scanners.put(result) 146 | else: 147 | self.logger.debug('failed fingerprint') 148 | 149 | self.logger.debug('scanners: %i, %s' % (self.scanners.qsize(), id(self.scanners))) 150 | 151 | def _build_targets(self): 152 | self.logger.debug('Building targets') 153 | 154 | if self.config.target: 155 | self.targets = Target.parse_target(self.config.target) 156 | else: 157 | self.logger.warning('shodan') 158 | self.targets = Target.get_shodan_targets(self.config) 159 | 160 | 161 | # Load set of targets into queue 162 | self.logger.debug('%i targets' % len(self.targets)) 163 | 164 | # If there's only one protocol and the user specified a protocol, override the defaults 165 | if len(self.targets) == 1: 166 | t = self.targets.pop() 167 | if t.protocol: 168 | self.config.protocols = t.protocol 169 | self.targets.add(t) 170 | 171 | fingerprints = list() 172 | # Build a set of unique fingerprints 173 | if 'http' in self.config.protocols or self.config.all: 174 | fingerprints = fingerprints + HttpFingerprint.build_fingerprints(self.targets, self.creds, self.config) 175 | 176 | fingerprints = list(set(fingerprints)) # unique the HTTP fingerprints 177 | 178 | # Add any protocols if they were included in the targets 179 | for t in 
def dry_run(self):
    """Print the target of every queued fingerprint, then exit the program.

    The fingerprint queue is drained in the process.
    """
    self.logger.info("Dry run targets:")
    pending = self.fingerprints
    while pending.qsize() > 0:
        print(pending.get().target)
    quit()


def _get_queue(self, name):
    """Return a queue called *name*: Redis-backed if Redis answers, else in-memory.

    A RedisQueue is created and pinged. When the ping raises
    ``redis.ConnectionError`` a ``multiprocessing.Manager`` queue is
    returned instead; that queue is not persisted anywhere.
    """
    try:
        backend = RedisQueue(name)
        backend.ping()
    except redis.ConnectionError:
        # No Redis reachable: fall back to an in-memory manager queue.
        self.logger.debug('Using in-memory queue for %s' % name)
        return mp.Manager().Queue()
    else:
        self.logger.debug('Using RedisQueue for %s' % name)
        return backend
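class Database(Scanner):
    """Common login check for the SQL scanners, done through SQLAlchemy.

    Subclasses set ``self.database`` and ``self.query`` and implement
    ``_mkscanner``.
    """

    def __init__(self, cred, target, username, password, config):
        super(Database, self).__init__(cred, target, config, username, password)
        self.database = None
        self.query = None

    def _check(self):
        """Connect with the candidate credentials and run ``self.query``.

        Returns:
            The first column of the first result row, as a string.
        """
        # NOTE(review): username and password are interpolated unquoted, so
        # a value containing '@', ':' or '/' changes how the URL is parsed.
        url = "%s://%s:%s@%s:%s/%s" % (self.target.protocol, self.username, self.password, self.target.host, self.target.port, self.database)
        engine = sqlalchemy.create_engine(url, connect_args={'connect_timeout': self.config.timeout})
        try:
            conn = engine.connect()
            try:
                rows = list(conn.execute(self.query).fetchall())
            finally:
                # Release the connection even when the query fails.
                conn.close()
        finally:
            # One engine is created per check; dispose of its pool as well.
            engine.dispose()

        return str(rows[0][0])

    def _mkscanner(self, cred, target, u, p, config):
        raise NotImplementedError("A Database class needs to implement a _mkscanner method.")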
16 | 17 | return evidence 18 | 19 | def _mkscanner(self, cred, target, u, p, config): 20 | return FTP(cred, target, u, p, config) 21 | -------------------------------------------------------------------------------- /changeme/scanners/http_basic_auth.py: -------------------------------------------------------------------------------- 1 | from changeme.scanners.http_get import HTTPGetScanner 2 | from requests.auth import HTTPBasicAuth 3 | 4 | 5 | class HTTPBasicAuthScanner(HTTPGetScanner): 6 | pass 7 | 8 | def _make_request(self): 9 | self.logger.debug("Requesting %s" % self.target) 10 | self.response = self.request.get(self.target, 11 | auth=HTTPBasicAuth(self.username, self.password), 12 | verify=False, 13 | proxies=self.config.proxy, 14 | timeout=self.config.timeout, 15 | headers=self.headers, 16 | cookies=self.cookies) 17 | -------------------------------------------------------------------------------- /changeme/scanners/http_fingerprint.py: -------------------------------------------------------------------------------- 1 | from changeme.scanners.http_basic_auth import HTTPBasicAuthScanner 2 | from changeme.scanners.http_get import HTTPGetScanner 3 | from changeme.scanners.http_post import HTTPPostScanner 4 | from changeme.scanners.http_raw_post import HTTPRawPostScanner 5 | from changeme.target import Target 6 | from copy import deepcopy 7 | import logging 8 | from lxml import html 9 | import re 10 | import requests 11 | 12 | 13 | class HttpFingerprint: 14 | def __init__(self, target, headers, cookies, config): 15 | self.target = target # changeme.target.Target() 16 | self.headers = headers 17 | self.cookies = cookies 18 | self.config = config 19 | self.logger = logging.getLogger('changeme') 20 | self.res = None 21 | self.req = requests.Session() 22 | 23 | def __getstate__(self): 24 | state = self.__dict__ 25 | state['logger'] = None # Need to clear the logger when serializing otherwise mp.Queue blows up 26 | return state 27 | 28 | def __setstate__(self, d): 
29 | self.__dict__ = d 30 | self.logger = logging.getLogger('changeme') 31 | 32 | def __hash__(self): 33 | return hash(str(self.target) + str(self.headers) + str(self.cookies)) 34 | 35 | def __eq__(self, other): 36 | s = dict() 37 | o = dict() 38 | s['target'] = self.target 39 | s['headers'] = self.headers 40 | s['cookies'] = self.cookies 41 | o['target'] = other.target 42 | o['headers'] = other.headers 43 | o['cookies'] = other.cookies 44 | return s == o 45 | 46 | def fingerprint(self): 47 | 48 | try: 49 | self._fp() 50 | except Exception as e: 51 | if self.config.ssl and e.__class__ == requests.exceptions.SSLError: 52 | self.target.protocol = 'http' 53 | self.logger.debug('Retrying with non-SSL target: %s' % self.target) 54 | try: 55 | self._fp() 56 | except Exception as e: 57 | self.logger.debug('Failed to connect to %s' % self.target) 58 | 59 | return False 60 | 61 | return True 62 | 63 | def _fp(self): 64 | self.res = self.req.get( 65 | str(self.target), 66 | timeout=self.config.timeout, 67 | verify=False, 68 | proxies=self.config.proxy, 69 | headers=self.headers, 70 | cookies=self.cookies 71 | ) 72 | 73 | def _get_csrf_token(self, res, cred): 74 | name = cred['auth'].get('csrf', False) 75 | if name: 76 | tree = html.fromstring(res.content) 77 | try: 78 | csrf = str(tree.xpath('//input[@name="%s"]/@value' % name)[0]) 79 | except: 80 | self.logger.error( 81 | 'Failed to get CSRF token %s in %s' % (str(name), str(res.url))) 82 | return False 83 | self.logger.debug('Got CSRF token %s: %s' % (name, csrf)) 84 | else: 85 | csrf = False 86 | 87 | return csrf 88 | 89 | def _get_session_id(self, res, cred): 90 | cookie = cred['auth'].get('sessionid', False) 91 | 92 | if cookie: 93 | try: 94 | value = res.cookies[cookie] 95 | self.logger.debug('Got session cookie value: %s' % value) 96 | except: 97 | self.logger.error( 98 | 'Failed to get %s cookie from %s' % (cookie, res.url)) 99 | return False 100 | return {cookie: value} 101 | else: 102 | self.logger.debug('No 
cookie') 103 | return False 104 | 105 | def ismatch(self, cred, response): 106 | match = False 107 | if cred['protocol'] == 'http': 108 | fp = cred['fingerprint'] 109 | basic_auth = fp.get('basic_auth_realm', None) 110 | if basic_auth and basic_auth in response.headers.get('WWW-Authenticate', list()): 111 | self.logger.info('%s basic auth matched: %s' % (cred['name'], basic_auth)) 112 | match = True 113 | 114 | server = response.headers.get('Server', None) 115 | fp_server = fp.get('server_header', None) 116 | if fp_server and server and fp_server in server: 117 | self.logger.debug('%s server header matched: %s' % (cred['name'], fp_server)) 118 | match = True 119 | 120 | body = fp.get('body', None) 121 | if body: 122 | for b in body: 123 | if re.search(b, response.text): 124 | match = True 125 | self.logger.info('%s body matched: %s' % (cred['name'], b)) 126 | elif body: 127 | match = False 128 | 129 | return match 130 | 131 | def get_scanners(self, creds): 132 | scanners = list() 133 | for cred in creds: 134 | if self.ismatch(cred, self.res): 135 | 136 | csrf = self._get_csrf_token(self.res, cred) 137 | if cred['auth'].get('csrf', False) and not csrf: 138 | self.logger.error('Missing required CSRF token') 139 | return 140 | 141 | sessionid = self._get_session_id(self.res, cred) 142 | if cred['auth'].get('sessionid') and not sessionid: 143 | self.logger.error("Missing session cookie %s for %s" % (cred['auth'].get('sessionid'), self.res.url)) 144 | return 145 | 146 | for pair in cred['auth']['credentials']: 147 | for u in cred['auth']['url']: # pass in the auth url 148 | target = deepcopy(self.target) 149 | target.url = u 150 | self.logger.debug('Building %s %s:%s, %s' % (cred['name'], pair['username'], pair['password'], target)) 151 | 152 | if cred['auth']['type'] == 'get': 153 | scanners.append(HTTPGetScanner(cred, target, pair['username'], pair['password'], self.config, self.req.cookies)) 154 | elif cred['auth']['type'] == 'post': 155 | 
scanners.append(HTTPPostScanner(cred, target, pair['username'], pair['password'], self.config, self.req.cookies, csrf)) 156 | elif cred['auth']['type'] == 'raw_post': 157 | scanners.append(HTTPRawPostScanner(cred, target, pair['username'], pair['password'], self.config, self.req.cookies, csrf, pair['raw'])) 158 | elif cred['auth']['type'] == 'basic_auth': 159 | scanners.append(HTTPBasicAuthScanner(cred, target, pair['username'], pair['password'], self.config, self.req.cookies)) 160 | 161 | return scanners 162 | 163 | @staticmethod 164 | def build_fingerprints(targets, creds, config): 165 | fingerprints = list() 166 | logger = logging.getLogger('changeme') 167 | # Build a set of unique fingerprints 168 | for target in targets: 169 | for c in creds: 170 | if not c['protocol'] == 'http': 171 | continue 172 | if not config.portoverride and (target.port and not c['default_port'] == target.port): 173 | continue 174 | 175 | fp = c['fingerprint'] 176 | for url in fp.get('url'): 177 | t = Target(host=target.host, port=target.port, protocol=target.protocol) 178 | if c.get('ssl') or config.ssl: 179 | t.protocol = 'https' 180 | else: 181 | t.protocol = 'http' 182 | 183 | if not t.port: 184 | t.port = c['default_port'] 185 | t.url = url 186 | 187 | hfp = HttpFingerprint(t, fp.get('headers', None), fp.get('cookie', None), config) 188 | logger.debug('Adding %s to fingerprint list' % hfp.target) 189 | fingerprints.append(hfp) 190 | 191 | return fingerprints 192 | -------------------------------------------------------------------------------- /changeme/scanners/http_get.py: -------------------------------------------------------------------------------- 1 | import base64 2 | from requests import session 3 | from .scanner import Scanner 4 | import re 5 | from selenium import webdriver 6 | from time import sleep 7 | try: 8 | # Python 3 9 | from urllib.parse import urlencode, urlparse 10 | except ImportError: 11 | # Python 2 12 | from urllib import urlencode 13 | from urlparse import 
urlparse 14 | 15 | 16 | class HTTPGetScanner(Scanner): 17 | 18 | def __init__(self, cred, target, username, password, config, cookies): 19 | super(HTTPGetScanner, self).__init__(cred, target, config, username, password) 20 | self.cred = cred 21 | self.config = config 22 | self.cookies = cookies 23 | self.headers = dict() 24 | self.request = session() 25 | self.response = None 26 | 27 | headers = self.cred['auth'].get('headers', dict()) 28 | if headers: 29 | for h in headers: 30 | self.headers.update(h) 31 | self.headers.update(self.config.useragent) 32 | 33 | # make the cred have only one u:p combo 34 | self.cred['auth']['credentials'] = [{'username': self.username, 'password': self.password}] 35 | 36 | def __reduce__(self): 37 | return self.__class__, (self.cred, self.target, self.username, self.password, self.config, self.cookies) 38 | 39 | def scan(self): 40 | try: 41 | self._make_request() 42 | except Exception as e: 43 | self.logger.error('Failed to connect to %s' % self.target) 44 | self.logger.debug('Exception: %s: %s' % (type(e).__name__, e.__str__().replace('\n', '|'))) 45 | return None 46 | 47 | if self.response.status_code == 429: 48 | self.warn('Status 429 received. 
Sleeping for %d seconds and trying again' % self.config.delay) 49 | sleep(self.config.delay) 50 | try: 51 | self._make_request() 52 | except Exception as e: 53 | self.logger.error('Failed to connect to %s' % self.target) 54 | 55 | return self.check_success() 56 | 57 | def check_success(self): 58 | match = False 59 | success = self.cred['auth']['success'] 60 | 61 | if self.cred['auth'].get('base64', None): 62 | self.username = base64.b64decode(self.cred.username) 63 | self.password = base64.b64decode(self.cred.password) 64 | 65 | if success.get('status') == self.response.status_code: 66 | self.logger.debug('%s matched %s success status code %s' % (self.target, self.cred['name'], self.response.status_code)) 67 | if success.get('body'): 68 | for string in success.get('body'): 69 | if re.search(string, self.response.text, re.IGNORECASE): 70 | self.logger.debug('%s matched %s success body text %s' % (self.target, self.cred['name'], success.get('body'))) 71 | match = True 72 | break 73 | else: 74 | match = True 75 | 76 | if match: 77 | self.logger.critical('[+] Found %s default cred %s:%s at %s' % 78 | (self.cred['name'], self.username, self.password, self.target)) 79 | evidence = '' 80 | if self.config.output is not None: 81 | try: 82 | evidence = self._screenshot(self.target) 83 | except Exception as e: 84 | self.logger.error("Error gathering screenshot for %s" % self.target) 85 | self.logger.debug('Exception: %s: %s' % (type(e).__name__, e.__str__().replace('\n', '|'))) 86 | 87 | return {'name': self.cred['name'], 88 | 'username': self.username, 89 | 'password': self.password, 90 | 'target': self.target, 91 | 'evidence': evidence} 92 | else: 93 | self.logger.info('Invalid %s default cred %s:%s at %s' % 94 | (self.cred['name'], self.username, self.password, self.target)) 95 | return False 96 | 97 | def _check_fingerprint(self): 98 | self.logger.debug("_check_fingerprint") 99 | self.request = session() 100 | self.response = self.request.get(self.target, 101 | 
def _make_request(self):
    """Send the GET request for this candidate and keep the reply in ``self.response``."""
    self.logger.debug("_make_request")
    query = urlencode(self.render_creds(self.cred))
    url = "%s?%s" % (self.target, query)
    # NOTE(review): ``url`` is only written to the debug log. It contains
    # whatever render_creds() returned, i.e. the candidate username and
    # password, while the request below is sent to self.target as is.
    self.logger.debug("url: %s" % url)
    options = {
        'verify': False,  # the server certificate is not validated
        'proxies': self.config.proxy,
        'timeout': self.config.timeout,
        'headers': self.headers,
        'cookies': self.cookies,
    }
    self.response = self.request.get(self.target, **options)
129 | """ 130 | b64 = candidate['auth'].get('base64', None) 131 | type = candidate['auth'].get('type') 132 | config = None 133 | if type == 'post': 134 | config = candidate['auth'].get('post', None) 135 | if type == 'get': 136 | config = candidate['auth'].get('get', None) 137 | 138 | if not type == 'raw_post': 139 | data = self._get_parameter_dict(candidate['auth']) 140 | 141 | if csrf: 142 | csrf_field = candidate['auth']['csrf'] 143 | data[csrf_field] = csrf 144 | 145 | for cred in candidate['auth']['credentials']: 146 | cred_data = {} 147 | username = "" 148 | password = "" 149 | if b64: 150 | username = base64.b64encode(cred['username']) 151 | password = base64.b64encode(cred['password']) 152 | else: 153 | username = cred['username'] 154 | password = cred['password'] 155 | 156 | cred_data[config['username']] = username 157 | cred_data[config['password']] = password 158 | 159 | data_to_send = dict(list(data.items()) + list(cred_data.items())) 160 | return data_to_send 161 | else: # raw post 162 | return None 163 | 164 | def _get_parameter_dict(self, auth): 165 | params = dict() 166 | data = auth.get('post', auth.get('get', None)) 167 | for k in list(data.keys()): 168 | if k not in ('username', 'password', 'url'): 169 | params[k] = data[k] 170 | 171 | return params 172 | 173 | @staticmethod 174 | def get_base_url(req): 175 | parsed = urlparse(req) 176 | url = "%s://%s" % (parsed[0], parsed[1]) 177 | return url 178 | 179 | def _screenshot(self, target): 180 | self.logger.debug("Screenshotting %s" % self.target) 181 | # Set up the selenium webdriver 182 | # This feels like it will have threading issues 183 | for key, value in self.response.request.headers.items(): 184 | capability_key = 'phantomjs.page.customHeaders.{}'.format(key) 185 | webdriver.DesiredCapabilities.PHANTOMJS[capability_key] = value 186 | 187 | if self.config.proxy: 188 | webdriver.DesiredCapabilities.PHANTOMJS['proxy'] = { 189 | "httpProxy": self.config.proxy['http'].replace('http://', ''), 190 | 
"ftpProxy": self.config.proxy['http'].replace('http://', ''), 191 | "sslProxy": self.config.proxy['http'].replace('http://', ''), 192 | "noProxy":None, 193 | "proxyType":"MANUAL", 194 | "autodetect":False 195 | } 196 | driver = webdriver.PhantomJS() 197 | driver.set_page_load_timeout(int(self.config.timeout) - 0.1) 198 | driver.set_window_position(0, 0) 199 | driver.set_window_size(850, 637.5) 200 | for cookie in self.response.request._cookies.items(): 201 | self.logger.debug("Adding cookie: %s:%s" % cookie) 202 | driver.add_cookie({'name': cookie[0], 203 | 'value': cookie[1], 204 | 'path': '/', 205 | 'domain': self.target.host 206 | }) 207 | 208 | try: 209 | driver.get(str(self.target)) 210 | driver.save_screenshot('screenshot.png') 211 | evidence = driver.get_screenshot_as_base64() 212 | driver.quit() 213 | except Exception as e: 214 | self.logger.error('Error getting screenshot for %s' % self.target) 215 | self.logger.debug('Exception: %s: %s' % (type(e).__name__, e.__str__().replace('\n', '|'))) 216 | evidence = "" 217 | 218 | return evidence 219 | 220 | -------------------------------------------------------------------------------- /changeme/scanners/http_post.py: -------------------------------------------------------------------------------- 1 | from changeme.scanners.http_get import HTTPGetScanner 2 | 3 | 4 | class HTTPPostScanner(HTTPGetScanner): 5 | 6 | def __init__(self, cred, target, username, password, config, cookies, csrf): 7 | super(HTTPPostScanner, self).__init__(cred, target, username, password, config, cookies) 8 | self.csrf = csrf 9 | 10 | def __reduce__(self): 11 | return (self.__class__, (self.cred, self.target, self.username, self.password, self.config, self.cookies, self.csrf)) 12 | 13 | def _make_request(self): 14 | self.logger.debug('_make_request') 15 | self.logger.debug("target: %s" % self.target) 16 | data = self.render_creds(self.cred, self.csrf) 17 | self.response = self.request.post(self.target, 18 | data, 19 | verify=False, 20 | 
proxies=self.config.proxy, 21 | timeout=self.config.timeout, 22 | headers=self.headers, 23 | cookies=self.cookies) 24 | -------------------------------------------------------------------------------- /changeme/scanners/http_raw_post.py: -------------------------------------------------------------------------------- 1 | from changeme.scanners.http_post import HTTPPostScanner 2 | 3 | 4 | class HTTPRawPostScanner(HTTPPostScanner): 5 | 6 | def __init__(self, cred, target, username, password, config, cookies, csrf, raw): 7 | super(HTTPRawPostScanner, self).__init__(cred, target, username, password, config, cookies, csrf) 8 | self.raw = raw 9 | 10 | def __reduce__(self): 11 | return (self.__class__, (self.cred, self.target, self.username, self.password, self.config, self.cookies, self.csrf, self.raw)) 12 | 13 | def _make_request(self): 14 | self.logger.debug('_make_request') 15 | self.logger.debug("target: %s" % self.target) 16 | self.response = self.request.post(self.target, 17 | self.raw, 18 | verify=False, 19 | proxies=self.config.proxy, 20 | timeout=self.config.timeout, 21 | headers=self.headers, 22 | cookies=self.cookies) 23 | -------------------------------------------------------------------------------- /changeme/scanners/memcached.py: -------------------------------------------------------------------------------- 1 | import memcache 2 | from .scanner import Scanner 3 | 4 | 5 | class MemcachedScanner(Scanner): 6 | 7 | def __init__(self, cred, target, username, password, config): 8 | super(MemcachedScanner, self).__init__(cred, target, config, username, password) 9 | 10 | def _check(self): 11 | mc = memcache.Client(['%s:%s' % (self.target.host, self.target.port)], debug=0) 12 | stats = mc.get_stats() 13 | evidence = "version: %s" % (stats[0][1]['version']) 14 | 15 | return evidence 16 | 17 | def _mkscanner(self, cred, target, u, p, config): 18 | return MemcachedScanner(cred, target, u, p, config) 19 | 
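--------------------------------------------------------------------------------
/changeme/scanners/mongo.py:
--------------------------------------------------------------------------------
from pymongo import MongoClient
from .scanner import Scanner
import socket


class Mongodb(Scanner):
    """Check a MongoDB service with one username/password pair."""

    def __init__(self, cred, target, username, password, config):
        # Scanner.__init__ takes config before the credential pair.
        super(Mongodb, self).__init__(cred, target, config, username, password)

    def _check(self):
        """Return the server version and database names as evidence.

        Driver errors propagate to the caller; Scanner.check_success() reads
        any exception as "credential rejected".
        """
        u_p = ""
        if self.username or self.password:
            # NOTE(review): the pair is placed in the URI unescaped; a value
            # containing ':', '@' or '/' presumably needs percent-escaping
            # before the driver parses it correctly - confirm against pymongo.
            u_p = "%s:%s@" % (self.username, self.password)
        client = MongoClient('mongodb://%s%s:%s/' % (u_p, self.target.host, self.target.port))
        try:
            dbs = client.database_names()
            server_info = client.server_info()
        finally:
            # Release the connection on both the success and the error path.
            client.close()

        return 'Version: %s, databases: %s' % (server_info['version'], ', '.join(dbs))

    def _mkscanner(self, cred, target, u, p, config):
        """Build a Mongodb scanner for one credential pair."""
        return Mongodb(cred, target, u, p, config)
--------------------------------------------------------------------------------
/changeme/scanners/mssql.py:
--------------------------------------------------------------------------------
from .database import Database

class MSSQL(Database):
    """Database scanner preset for Microsoft SQL Server."""

    def __init__(self, cred, target, username, password, config):
        super(MSSQL, self).__init__(cred, target, username, password, config)
        # Overwrites the protocol on the target object this scanner was given.
        # NOTE(review): presumably a SQLAlchemy-style dialect+driver string
        # consumed by Database, which is not shown here - confirm.
        self.target.protocol = "mssql+pyodbc"
        self.database = ""
        self.query = "SELECT @@VERSION AS 'SQL Server Version';"

    def _mkscanner(self, cred, target, u, p, config):
        """Build an MSSQL scanner for one credential pair."""
        return MSSQL(cred, target, u, p, config)
--------------------------------------------------------------------------------
/changeme/scanners/mysql.py:
--------------------------------------------------------------------------------
from .database import Database

class MySQL(Database):
    """Database scanner preset for MySQL."""

    def __init__(self, cred, target, username, password, config):
        super(MySQL, self).__init__(cred, target, username, password, config)
        self.database = ""
        self.query = "select version();"

    def _mkscanner(self, cred, target, u, p, config):
        """Build a MySQL scanner for one credential pair."""
        return MySQL(cred, target, u, p, config)
--------------------------------------------------------------------------------
/changeme/scanners/postgres.py:
--------------------------------------------------------------------------------
from .database import Database

class Postgres(Database):
    """Database scanner preset for PostgreSQL."""

    def __init__(self, cred, target, username, password, config):
        super(Postgres, self).__init__(cred, target, username, password, config)
        # Overwrites the protocol on the target object this scanner was given.
        self.target.protocol = "postgresql+psycopg2"
        self.database = ""
        self.query = "select version();"

    def _mkscanner(self, cred, target, u, p, config):
        """Build a Postgres scanner for one credential pair."""
        return Postgres(cred, target, u, p, config)
--------------------------------------------------------------------------------
/changeme/scanners/redis_scanner.py:
--------------------------------------------------------------------------------
import redis
from .scanner import Scanner


class RedisScanner(Scanner):
    """Check whether a Redis service answers INFO."""

    def __init__(self, cred, target, username, password, config):
        super(RedisScanner, self).__init__(cred, target, config, username, password)

    def _check(self):
        """Return the Redis version and OS reported by INFO.

        The client is created with host and port only: self.password is never
        passed, so a positive result means the instance answered without
        authentication.
        """
        r = redis.StrictRedis(host=self.target.host, port=self.target.port)
        info = r.info()
        return "redis_version: %s, os: %s" % (info['redis_version'], info['os'])

    def _mkscanner(self, cred, target, u, p, config):
        """Build a RedisScanner for one credential pair."""
        return RedisScanner(cred, target, u, p, config)
--------------------------------------------------------------------------------
/changeme/scanners/scanner.py:
--------------------------------------------------------------------------------
import logging
from netaddr import IPAddress
import socket


class Scanner(object):
    """Base class: one credential definition, one target, one username/password.

    Subclasses implement _check() (return evidence on success, raise on
    failure) and _mkscanner() (build a sibling scanner for another pair).
    """

    def __init__(self, cred, target, config, username, password):
        self.logger = logging.getLogger('changeme')
        self.cred = cred
        self.target = target
        # A target without a port inherits the credential file's default.
        if self.target.port is None:
            self.target.port = self.cred['default_port']
        self.config = config
        self.username = username
        self.password = password

    def __hash__(self):
        # Identity hash: scanners that compare equal through __eq__ still hash
        # differently, so sets and dict keys do not deduplicate them.
        return id(self)

    def scan(self):
        """Run the credential check; see check_success() for the result."""
        return self.check_success()

    def fingerprint(self):
        """Return True when a TCP connection to the target port succeeds.

        Every error, including a failed connect, yields False.
        """
        if self.target.port is None:
            self.target.port = self.cred['default_port']
        sock = None
        try:
            sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            sock.settimeout(3)
            result = sock.connect_ex((str(self.target.host), self.target.port))
            if result != 0:
                return False
            sock.shutdown(socket.SHUT_RDWR)
            # Logged before returning; the original placed this line after the
            # return statement, where it could never run.
            self.logger.info('Port %i open' % self.target.port)
            return True
        except Exception as e:
            self.logger.debug(str(e))
            return False
        finally:
            # The original never closed the socket, leaking one descriptor
            # per fingerprinted target.
            if sock is not None:
                sock.close()

    def get_scanners(self, creds):
        """Return one scanner per credential pair in this definition.

        ``creds`` is accepted for interface compatibility but not read; the
        pairs come from self.cred['auth']['credentials'].
        """
        return [
            self._mkscanner(self.cred, self.target, pair['username'], pair['password'], self.config)
            for pair in self.cred['auth']['credentials']
        ]

    def check_success(self):
        """Run _check() and return a result dict, or False when it raises.

        Any exception from _check() is treated as a rejected credential, so a
        subclass must raise on failure rather than return a falsy value.
        The log lines below contain the tested username and password in clear
        text, as does the returned dict; handle logs and reports as sensitive.
        """
        try:
            evidence = self._check()
            self.logger.critical('[+] Found %s default cred %s:%s at %s' % (self.cred['name'], self.username, self.password, self.target))
            self.logger.debug('%s %s:%s evidence: %s' % (self.target, self.username, self.password, evidence))
            return {'name': self.cred['name'],
                    'username': self.username,
                    'password': self.password,
                    'target': self.target,
                    'evidence': evidence}

        except Exception as e:
            self.logger.info('Invalid %s default cred %s:%s at %s' % (self.cred['name'], self.username, self.password, str(self.target)))
            self.logger.debug('%s Exception: %s' % (type(e).__name__, str(e)))
            return False

    def _check(self):
        raise NotImplementedError("A Scanner class needs to implement a _check method.")

    def __getstate__(self):
        # Work on a copy: the original assigned into self.__dict__ itself, so
        # pickling a scanner set the live object's logger to None.
        state = self.__dict__.copy()
        state['logger'] = None  # Need to clear the logger when serializing otherwise mp.Queue blows up
        return state

    def __setstate__(self, d):
        self.__dict__ = d
        # The logger is dropped by __getstate__; attach a fresh one.
        self.logger = logging.getLogger('changeme')

    def __eq__(self, other):
        # Attribute-by-attribute comparison of the two instances.
        return self.__dict__ == other.__dict__
--------------------------------------------------------------------------------
/changeme/scanners/snmp.py:
--------------------------------------------------------------------------------
from pysnmp.hlapi import *
from .scanner import Scanner


class SNMP(Scanner):
    """Check an SNMP community string by reading sysDescr."""

    def __init__(self, cred, target, username, password, config):
        super(SNMP, self).__init__(cred, target, config, username, password)

    def fingerprint(self):
        # Don't fingerprint since it's UDP
        return True

    def _check(self):
        """Return the sysDescr binding as evidence, or raise when none came back.

        self.password is used as the community string. The request always
        goes to UDP port 161; self.target.port is not read here.
        """
        iterator = getCmd(SnmpEngine(),
                          CommunityData(self.password),
                          UdpTransportTarget((str(self.target.host), 161)),
                          ContextData(),
                          ObjectType(ObjectIdentity('SNMPv2-MIB', 'sysDescr', 0)))

        errorIndication, errorStatus, errorIndex, varBinds = next(iterator)

        evidence = ""
        if errorIndication:
            self.logger.debug(errorIndication)
        elif errorStatus:
            self.logger.debug('%s at %s' % (errorStatus.prettyPrint(),
                                            errorIndex and varBinds[int(errorIndex) - 1][0] or '?'))
        else:
            for varBind in varBinds:
                evidence += ' = '.join([x.prettyPrint() for x in varBind])

        if evidence == "":
            # check_success() needs an exception to record the failure.
            raise Exception('no SNMP response for this community string')

        return evidence

    def _mkscanner(self, cred, target, u, p, config):
        """Build an SNMP scanner for one credential pair."""
        return SNMP(cred, target, u, p, config)
--------------------------------------------------------------------------------
/changeme/scanners/ssh.py:
--------------------------------------------------------------------------------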
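import paramiko
from .scanner import Scanner
import socket


class SSH(Scanner):
    """Check an SSH service with one username/password pair."""

    def __init__(self, cred, target, username, password, config):
        super(SSH, self).__init__(cred, target, config, username, password)

    def _check(self):
        """Log in with the password and return the first line of ``uname -a``.

        Raises on any connection or authentication error; the caller treats
        that as a rejected credential.
        """
        c = paramiko.SSHClient()
        # The base policy accepts every host key, so the server's identity is
        # not verified and the evidence comes from an unauthenticated peer.
        c.set_missing_host_key_policy(paramiko.MissingHostKeyPolicy())  # ignore unknown hosts
        try:
            # allow_agent/look_for_keys are off so that only the password under
            # test is offered. With paramiko's defaults the operator's own
            # agent and ~/.ssh keys are tried as well, which exposes them to
            # the target and can report a login that the default password did
            # not achieve.
            c.connect(hostname=self.target.host, port=self.target.port,
                      username=self.username, password=self.password,
                      allow_agent=False, look_for_keys=False)
            stdin, stdout, stderr = c.exec_command('uname -a')
            evidence = stdout.readlines()[0]
        finally:
            # Close on failure too; a rejected login is the common case.
            c.close()

        return evidence

    def _mkscanner(self, cred, target, u, p, config):
        """Build an SSH scanner for one credential pair."""
        return SSH(cred, target, u, p, config)
--------------------------------------------------------------------------------
/changeme/scanners/ssh_key.py:
--------------------------------------------------------------------------------
import logging
import paramiko
from .ssh import SSH
from io import StringIO


class SSHKey(SSH):
    """Check an SSH service with a private key held in the password slot."""

    def __init__(self, cred, target, username, key, config):
        # The key text travels through the parent's ``password`` attribute.
        super(SSHKey, self).__init__(cred, target, username, key, config)
        self.logger = logging.getLogger('changeme')

    def _check(self):
        """Log in with the key and return the first line of ``uname -a``.

        Raises ValueError for key text that is neither RSA nor DSA, and
        whatever paramiko raises on connection or authentication errors.
        """
        fake = StringIO(self.password)
        if "RSA PRIVATE KEY" in self.password:
            key = paramiko.RSAKey.from_private_key(fake)
        elif "DSA PRIVATE KEY" in self.password:
            key = paramiko.DSSKey.from_private_key(fake)
        else:
            # Previously ``key`` stayed unbound and connect() failed with an
            # UnboundLocalError that hid the real cause.
            raise ValueError('Unsupported private key type')

        c = paramiko.SSHClient()
        # Host keys are accepted without verification.
        c.set_missing_host_key_policy(paramiko.MissingHostKeyPolicy())  # ignore unknown hosts
        try:
            # Offer only the key under test, never the operator's agent or
            # ~/.ssh keys.
            c.connect(hostname=self.target.host, port=self.target.port,
                      username=self.username, pkey=key,
                      allow_agent=False, look_for_keys=False)
            stdin, stdout, stderr = c.exec_command('uname -a')
            evidence = stdout.readlines()[0]
        finally:
            c.close()

        # Replaces the key text with a label after a successful login, so the
        # caller's success log and result show the label. A failed attempt
        # still has the full key text in self.password when it is logged.
        self.password = 'Private Key'
        return evidence

    def _mkscanner(self, cred, target, u, p, config):
        """Build an SSHKey scanner for one username/key pair."""
        return SSHKey(cred, target, u, p, config)
--------------------------------------------------------------------------------
/changeme/scanners/telnet.py:
--------------------------------------------------------------------------------
from .scanner import Scanner
import telnetlib


class Telnet(Scanner):
    """Send one username/password pair to a telnet login prompt."""

    def __init__(self, cred, target, config, username, password):
        # Unlike the sibling scanners, this constructor takes config third.
        super(Telnet, self).__init__(cred, target, config, username, password)

    def _check(self):
        """Send the credentials and return True; raise on any error.

        The original caught every exception and returned False, which the
        caller (check_success) cannot tell apart from success, so each
        failure was reported as a found credential. It also read self.port,
        an attribute that is never set, and wrote text strings where
        Python 3's telnetlib requires bytes.

        NOTE(review): the server's reply to the password is never read back,
        so a True result shows only that the exchange completed, not that the
        login was accepted.
        """
        timeout = int(self.config.timeout)
        telnet = None
        try:
            telnet = telnetlib.Telnet(str(self.target.host), int(self.target.port), timeout)
            # Bounded waits: without a timeout read_until() blocks for as long
            # as the prompt does not arrive.
            telnet.read_until(b"login: ", timeout)
            telnet.write(('%s\n' % self.username).encode('utf-8'))

            if self.password:
                telnet.read_until(b"Password: ", timeout)
                telnet.write(('%s\n' % self.password).encode('utf-8'))

            telnet.write(b"exit\n")
            return True
        except Exception as e:
            self.logger.debug('Error: %s' % str(e))
            raise
        finally:
            if telnet is not None:
                telnet.close()

    def _mkscanner(self, cred, target, u, p, config):
        """Build a Telnet scanner for one credential pair."""
        # Argument order follows Telnet.__init__ (config before the pair); the
        # original passed the username as config and config as the password.
        return Telnet(cred, target, config, u, p)
--------------------------------------------------------------------------------
/changeme/schema.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python

import changeme.core
import os
try:
    # Python 3
    from urllib.parse import unquote_plus
except ImportError:
    # Python 2
    from urllib import unquote_plus
import yaml

# Use raw_input on Python 2, where input() would evaluate what is typed.
cli_prompt = input
try:
    cli_prompt = raw_input
except NameError:
    pass

# Validation schema for HTTP credential definitions.
# NOTE(review): presumably applied by changeme.core.validate_cred, which is
# not shown here - confirm.
http_schema = {
    'auth': {
        'type': 'dict',
        'required': True,
        'schema': {
            'credentials': {
                'type': 'list',
                'required': True,
                'schema': {
                    'type': 'dict',
                    'schema': {
                        'username': {
                            'type': ['string', 'integer'],
                            'nullable': True,
                            'required': True,
                        },
                        'password': {
                            'type': ['string', 'integer'],
                            'nullable': True,
                            'required': True,
                        },
                        'ref': {'type': 'string', 'required': False},
                        'raw': {'type': 'string', 'required': False},
                    }
                }
            },
            'headers': {
                'type': 'list',
                'required': False,
                'schema': {
                    'type': 'dict'
                }
            },
            'csrf': {
                'type': 'string',
                'nullable': True,
                'required': False,
            },
            'post': {
                'type': 'dict',
                'allow_unknown': True,
                'schema': {
                    'username': {'type': 'string', 'required': True},
                    'password': {'type': 'string', 'required': True},
                }
            },
            'get': {
                'type': 'dict',
                'allow_unknown': True,
                'schema': {
                    'username': {'type': 'string', 'required': True},
                    'password': {'type': 'string', 'required': True},
                }
            },
            'sessionid': {
                'type': 'string',
                'nullable': True,
                'required': False,
            },
            'base64': {
                'type': 'boolean',
                'nullable': False,
                'required': False,
            },
            'success': {
                'type': 'dict',
                'schema': {
                    'body': {
                        'type': 'list',
                        'required': False
                    },
                    'status': {'type': 'integer', 'required': True},
                },
            },
            'type': {
                'type': 'string',
                'regex': 'post|basic_auth|get|raw_post',
                'required': True
            },
            'url': {
                'type': 'list',
                'required': True,
                'schema': {'type': 'string'}
            },
        }
    },
    'category': {'type': 'string', 'required': True},
    'contributor': {'type': 'string', 'required': True},
    'fingerprint': {
        'type': 'dict',
        'required': True,
        'schema': {
            'body': {'type': 'list', 'required': False},
            'server_header': {'type': 'string', 'required': False},
            'cookie': {
                'type': 'list',
                'required': False,
                'schema': {
                    'type': 'dict'
                },
            },
            'headers': {
                'type': 'list',
                'required': False,
                'schema': {
                    'type': 'dict'
                }
            },
            'status': {'type': 'integer', 'required': True},
            'basic_auth_realm': {
                'type': 'string',
                'nullable': True,
                'required': False,
            },
            'url': {
                'type': 'list',
                'required': True,
                'schema': {'type': 'string'}
            },
        },
    },
    'default_port': {'type': 'integer', 'required': True},
    'name': {'type': 'string', 'required': True},
    'ssl': {'type': 'boolean', 'required': True},
    'references': {'type': 'list', 'required': False},
    'versions': {'type': 'list', 'required': False},
    'protocol': {'type': 'string', 'required': False},
}


def mkcred():
    """Prompt for a credential definition, write it as YAML and validate it.

    The answers are written to creds/<protocol>/<category>/<name>.yml, echoed
    to stdout and passed to changeme.core.validate_cred().

    TODO:
        - move credentials under auth
        - move auth url under auth
        - move success under auth
        - move auth url under auth
        - move type under auth
    """

    parameters = dict()
    auth_types = ['post', 'basic_auth', 'get', 'raw_post']

    def get_data(field, prompt, boolean=False, integer=False):
        """Prompt once and store the (optionally converted) answer."""
        result = cli_prompt(prompt).strip()
        if boolean:
            result = result.lower() == 'y'

        if integer:
            result = int(result)

        parameters[field] = result

    get_data('contributor', 'Your name or handle: ')
    get_data('name', 'Name of service (JBoss, Tomcat): ')
    get_data('protocol', 'Protocol of service (http, ssh, ftp): ')
    get_data('category', 'Category of service (general, printer, phone): ')
    get_data('default_port', 'Default port: ', integer=True)
    get_data('ssl', 'Does the service use ssl (y/n): ', boolean=True)

    # Fingerprint
    ###############################################################################
    fp = dict()

    # Fingerprint url is configured as a list so we can have more than one path
    fp['url'] = [cli_prompt('Path to the fingerprint page (/index.php): ')]

    fp_status = cli_prompt('HTTP status code of fingerprint (401, 200): ')
    fp_body = cli_prompt('Unique string in the fingerprint page (Welcome to ***): ')
    server_header = cli_prompt('Server header (if unique): ')
    basic_auth_realm = cli_prompt('Basic Auth Realm: ')

    fp['status'] = int(fp_status)
    if fp_body:
        fp['body'] = [fp_body]
    if basic_auth_realm:
        fp['basic_auth_realm'] = basic_auth_realm
    if server_header:
        fp['server_header'] = server_header

    parameters['fingerprint'] = fp

    # Authentication
    ###############################################################################
    auth = dict()
    headers = list()
    auth['url'] = [cli_prompt('Authentication URL (/login.php): ')]

    while True:
        t = cli_prompt('Type of authentication method (post, basic_auth, get, raw_post): ')
        if t in auth_types:
            auth['type'] = t
            break
        print('Invalid auth type')

    if auth['type'] in ('post', 'get'):
        form = dict()
        form['username'] = cli_prompt('Name of username field: ')
        form['password'] = cli_prompt('Name of password field: ')
        form_params = cli_prompt('Post parameters, query string or raw post (json, xml): ')

        if form_params:
            # Split first and decode each side afterwards, so an encoded '&'
            # or '=' inside a value does not break the pair apart. partition()
            # also tolerates a parameter that has no '=' at all.
            for pair in form_params.split('&'):
                raw_name, _, raw_value = pair.partition('=')
                fname = unquote_plus(raw_name)
                if fname in (form['username'], form['password']):
                    continue
                form[fname] = unquote_plus(raw_value)

        # Form fields exist only for post/get; raw_post bodies are collected
        # per credential further down.
        auth[auth['type']] = form

    while True:
        header = cli_prompt('Pleae enter any custom header needed. Hit enter if done or not needed \n Example: Content-Type: application/json: ')
        if len(header) == 0:
            break
        # Split on the first colon only and trim both sides: the prompt's own
        # example would otherwise store a value with a leading space, and a
        # value that itself contains ':' would be rejected.
        h_name, sep, h_value = header.partition(':')
        if sep and h_name.strip():
            headers.append({h_name.strip(): h_value.strip()})
        else:
            print('Invalid header. Headers must be in the format "Header_name: header_value"\n')

    csrf = cli_prompt('Name of csrf field: ')
    if csrf:
        auth['csrf'] = csrf

    sessionid = cli_prompt('Name of session cookie: ')
    if sessionid:
        auth['sessionid'] = sessionid

    creds = list()
    num_creds = cli_prompt('How many default creds for this service (1, 2, 3): ')
    for i in range(0, int(num_creds)):
        user = cli_prompt('Username %i: ' % (i + 1))
        passwd = cli_prompt('Password %i: ' % (i + 1))

        if auth['type'] == 'raw_post':
            raw = cli_prompt('Raw post %i: ' % (i + 1))
            creds.append({'username': user, 'password': passwd, 'raw': raw})
        else:
            creds.append({'username': user, 'password': passwd})

    auth['credentials'] = creds
    auth['headers'] = headers

    success = dict()
    success['status'] = 200
    success['body'] = [cli_prompt('Unique string in page of a successful login (Logout): ')]

    auth['success'] = success
    parameters['auth'] = auth

    print()
    fname = parameters['name'].lower().replace(' ', '_').replace('/', '_') + '.yml'
    print('Writing config to %s' % fname)

    # NOTE(review): protocol and category are used as path components exactly
    # as typed; only the file name has '/' replaced.
    cdir = os.path.join('creds', parameters['protocol'], parameters['category'])
    if not os.path.isdir(cdir):
        os.makedirs(cdir)

    rendered = yaml.dump(parameters, default_flow_style=False)
    with open(os.path.join(cdir, fname), 'w') as fout:
        fout.write(rendered)

    print(rendered)

    changeme.core.validate_cred(parameters, fname, parameters['category'])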
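--------------------------------------------------------------------------------
/changeme/target.py:
--------------------------------------------------------------------------------
from libnmap.parser import NmapParser as np
import logging
from netaddr import IPNetwork
from netaddr.core import AddrFormatError
import re
from os.path import isfile
import shodan
import socket

class Target(object):
    """A scan target: host plus optional port, protocol and URL path."""

    def __init__(self, host=None, port=None, protocol=None, url=None):
        self.host = host
        self.port = None
        if port:
            # Every non-digit is dropped first, so "8080/path" becomes 8080.
            digits = re.sub(r'\D', '', str(port))
            # An input without digits used to reach int('') and raise; 65535
            # is a valid port and is now accepted as well. Out-of-range
            # values are still disregarded.
            if digits and 0 < int(digits) <= 65535:
                self.port = int(digits)
        self.protocol = protocol
        self.url = url
        self.ip = None

    def __eq__(self, other):
        return self.__dict__ == other.__dict__

    def __hash__(self):
        # Identity hash: equal targets hash differently, so a set of Target
        # objects does not deduplicate them.
        return id(self)

    def __repr__(self):
        return self.__str__()

    def __str__(self):
        """Render as ``protocol://host:port/url``, leaving out unset parts."""
        # Start from a string: the original started from ``self``, which
        # recursed without end when host was unset and raised TypeError when
        # another part was appended to it.
        target = str(self.host) if self.host else ""

        if self.port:
            target += ":%s" % self.port

        if self.protocol:
            target = "%s://" % self.protocol + target

        if self.url:
            target += self.url

        return target

    def get_ip(self):
        """Return the target's IPv4 address, resolving the host name once."""
        if self.ip is None:
            dotted_quad = re.compile(r'^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$')
            if dotted_quad.match(self.host):
                self.ip = self.host
            else:
                self.ip = socket.gethostbyname(self.host)

        return self.ip

    @staticmethod
    def parse_target(target):
        """Return a set of Target objects for a file path or a target string.

        An existing file is tried as nmap XML first and, when that fails, is
        read as a text file with one target string per line. Any argument that
        names an existing file is therefore read from disk.
        """
        logger = logging.getLogger('changeme')
        targets = set()
        if isfile(target):
            try:
                # parse nmap
                report = np.parse_fromfile(target)
                logger.info('Loaded %i hosts from %s' % (len(report.hosts), target))
                for h in report.hosts:
                    for s in h.services:
                        targets.add(Target(host=h.address, port=s.port))
            except Exception:
                # parse text file
                # (was a bare except, which also swallowed KeyboardInterrupt
                # and SystemExit)
                with open(target, 'r') as fin:
                    for line in fin:
                        targets.update(Target._parse_target_string(line))
        else:
            targets = Target._parse_target_string(target)

        return targets

    @staticmethod
    def _parse_target_string(target):
        """Turn one target string into a set of Target objects.

        Accepts an IP or CIDR range, ``proto://host:port``, ``proto://host``,
        ``host:port`` or a bare host. A blank string yields an empty set.
        """
        logger = logging.getLogger('changeme')
        logger.debug('Parsing target %s' % target)
        target = target.strip().rstrip('/')
        targets = set()
        if not target:
            # Blank lines in a target file used to become a host of ''.
            return targets
        try:
            for ip in IPNetwork(target).iter_hosts():  # (covers IP or cidr) #3,4
                targets.add(Target(host=str(ip)))
        except AddrFormatError:
            parts = target.split(':')
            if len(parts) == 3:
                # mysql://127.0.0.1:3306
                targets.add(Target(host=parts[1].replace('//', ''), port=parts[2], protocol=parts[0]))
            elif "://" in target:
                # snmp://127.0.0.1
                targets.add(Target(host=parts[1].replace('//', ''), protocol=parts[0]))
            elif ":" in target:
                # 127.0.0.1:8080
                targets.add(Target(host=parts[0], port=parts[1]))
            else:
                targets.add(Target(host=target))

        return targets

    @staticmethod
    def get_shodan_targets(config):
        """Return one Target per match of config.shodan_query.

        Only the ``ip_str`` of each match is used. The full result set is
        written to the debug log.
        """
        logger = logging.getLogger('changeme')
        api = shodan.Shodan(config.shodan_key)
        results = api.search(config.shodan_query)
        logger.debug("shodan results: %s" % results)
        return set(Target(host=r['ip_str']) for r in results['matches'])
--------------------------------------------------------------------------------
/changeme/templates/report.j2:
--------------------------------------------------------------------------------
1 | 2 | 3 | Changme Default Credential Report 4 | 5 | 6 | 7 | 13 | 14 | 15 |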
16 |
17 |
18 |

Changeme

19 |
    20 |
  • Found {{ found|length }} credentials
  • 21 |
  • Scan: {{ cli }}
  • 22 |
  • Report Timestamp: {{ timestamp }}
  • 23 |
24 |
25 |
26 | {% for cred in found %} 27 |
28 |
29 |
    30 |
  • Service: {{ cred['name'] }}
  • 31 |
  • Username: {{ cred['username'] if cred['username'] != None }}
  • 32 |
  • Password: {{ cred['password'] if cred['password'] != None }}
  • 33 | {% if 'http' in cred['target'].protocol %} 34 |
  • {{ cred['target'] }}
  • 35 | {% else %} 36 |
  • {{ cred['target'] }}
  • 37 | {% endif %} 38 |
39 |
40 |
41 | {% if 'http' in cred['target'].protocol %} 42 | {{ cred['url'] }} 43 | {% else %} 44 | {{ cred['evidence'] }} 45 | {% endif %} 46 |
47 |
48 | {% endfor %} 49 |
50 | 51 | 52 | -------------------------------------------------------------------------------- /changeme/tests/__init__.py: -------------------------------------------------------------------------------- 1 | __all__ = ['core', 'http', 'memcached', 'redis_scanner', 'snmp', 'target'] 2 | -------------------------------------------------------------------------------- /changeme/tests/core.py: -------------------------------------------------------------------------------- 1 | import argparse 2 | from changeme import * 3 | from copy import deepcopy 4 | import mock 5 | from nose.tools import * 6 | from netaddr import IPAddress 7 | 8 | 9 | cli_args = {'all': False, 10 | 'category': None, 11 | 'contributors': False, 12 | 'debug': True, 13 | 'delay': 500, 14 | 'dump': False, 15 | 'dryrun': False, 16 | 'fingerprint': False, 17 | 'fresh': True, 18 | 'log': None, 19 | 'mkcred': False, 20 | 'name': None, 21 | 'noversion': True, 22 | 'output': None, 23 | 'oa': False, 24 | 'portoverride': False, 25 | 'protocols': 'http', 26 | 'proxy': None, 27 | 'resume': False, 28 | 'shodan_query': None, 29 | 'shodan_key': None, 30 | 'ssl': False, 31 | 'target': '127.0.0.1', 32 | 'threads': 20, 33 | 'timeout': 10, 34 | 'useragent': None, 35 | 'validate': False, 36 | 'verbose': False,} 37 | 38 | 39 | 40 | def test_banner(): 41 | core.banner(version.__version__) 42 | 43 | no_args = deepcopy(cli_args) 44 | no_args['target'] = None 45 | @raises(SystemExit) 46 | @mock.patch('argparse.ArgumentParser.parse_args', return_value=argparse.Namespace(**no_args)) 47 | def test_no_args(mock_args): 48 | args = core.parse_args() 49 | core.init_logging(args['args'].verbose, args['args'].debug, args['args'].log) 50 | config = core.Config(args['args'], args['parser']) 51 | 52 | 53 | args = deepcopy(cli_args) 54 | args['target'] = '127.0.0.1' 55 | @mock.patch('argparse.ArgumentParser.parse_args', return_value=argparse.Namespace(**args)) 56 | def test_target(mock_args): 57 | args = core.parse_args() 58 | 
core.init_logging(args['args'].verbose, args['args'].debug, args['args'].log) 59 | config = core.Config(args['args'], args['parser']) 60 | 61 | 62 | """ 63 | args = deepcopy(cli_args) 64 | args['targets'] = '/etc/hosts' 65 | args['target'] = None 66 | print args 67 | @mock.patch('argparse.ArgumentParser.parse_args', return_value=argparse.Namespace(**args)) 68 | def test_targets(mock_args): 69 | core.Config() 70 | """ 71 | 72 | args = deepcopy(cli_args) 73 | args['contributors'] = True 74 | @mock.patch('argparse.ArgumentParser.parse_args', return_value=argparse.Namespace(**args)) 75 | def test_contributors(mock_args): 76 | args = core.parse_args() 77 | core.init_logging(args['args'].verbose, args['args'].debug, args['args'].log) 78 | config = core.Config(args['args'], args['parser']) 79 | creds = core.load_creds(config) 80 | core.print_contributors(creds) 81 | 82 | 83 | args = deepcopy(cli_args) 84 | args['dump'] = True 85 | @mock.patch('argparse.ArgumentParser.parse_args', return_value=argparse.Namespace(**args)) 86 | def test_print_creds(mock_args): 87 | args = core.parse_args() 88 | core.init_logging(args['args'].verbose, args['args'].debug, args['args'].log) 89 | config = core.Config(args['args'], args['parser']) 90 | creds = core.load_creds(config) 91 | core.print_creds(creds) 92 | -------------------------------------------------------------------------------- /changeme/tests/http.py: -------------------------------------------------------------------------------- 1 | import argparse 2 | from changeme.scan_engine import ScanEngine 3 | from changeme.target import Target 4 | from changeme import core 5 | from .core import cli_args 6 | from copy import deepcopy 7 | import csv 8 | import json 9 | import logging 10 | import mock 11 | from .mock_responses import MockResponses 12 | from nose.tools import * 13 | import os 14 | import responses 15 | 16 | """ 17 | TODO: 18 | - Custom headers 19 | - 429 response code 20 | - 21 | 22 | """ 23 | 24 | def reset_handlers(): 
25 | logger = logging.getLogger('changeme') 26 | logger.handlers = [] 27 | core.remove_queues() 28 | 29 | 30 | fp_args = deepcopy(cli_args) 31 | fp_args['nmap'] = 'tests/tomcat_nmap.xml' 32 | fp_args['name'] = 'Tomcat' 33 | @responses.activate 34 | @mock.patch('argparse.ArgumentParser.parse_args', return_value=argparse.Namespace(**fp_args)) 35 | def test_tomcat_match_nmap(mock_args): 36 | def tomcat_callback(request): 37 | if request.headers.get('Authorization', False): 38 | return (200, MockResponses.tomcat_auth['adding_headers'], MockResponses.tomcat_auth['body']) 39 | else: 40 | return (401, MockResponses.tomcat_fp['adding_headers'], '') 41 | 42 | responses.add_callback( 43 | responses.GET, 44 | MockResponses.tomcat_fp['url'], 45 | callback=tomcat_callback, 46 | ) 47 | 48 | reset_handlers() 49 | try: 50 | os.remove(core.PERSISTENT_QUEUE) 51 | except OSError: 52 | pass 53 | 54 | args = core.parse_args() 55 | core.init_logging(args['args'].verbose, args['args'].debug, args['args'].log) 56 | config = core.Config(args['args'], args['parser']) 57 | creds = core.load_creds(config) 58 | s = ScanEngine(creds, config) 59 | s._build_targets() 60 | s._add_terminators(s.fingerprints) 61 | 62 | print(("fp: %i" % s.fingerprints.qsize())) 63 | s.fingerprint_targets() 64 | 65 | # Queue is not serializeable so we can't copy it using deepcopy 66 | scanners = list() 67 | print(("scanners: %s" % s.scanners.qsize())) 68 | 69 | t1 = Target(host='127.0.0.1', port=8080, protocol='http', url='/manager/html') 70 | t2 = Target(host='127.0.0.1', port=8080, protocol='http', url='/tomcat/manager/html') 71 | while s.scanners.qsize() > 0: 72 | scanner = s.scanners.get() 73 | assert scanner.target == t1 or scanner.target == t2 74 | scanners.append(scanner) 75 | 76 | # Load the scanners back into the queue 77 | for scanner in scanners: 78 | s.scanners.put(scanner) 79 | assert s.scanners.qsize() == 34 80 | s._add_terminators(s.scanners) 81 | 82 | responses.reset() 83 | 
responses.add(**MockResponses.tomcat_auth) 84 | s._scan(s.scanners, s.found_q) 85 | assert s.found_q.qsize() == 17 86 | 87 | 88 | fp_args = deepcopy(cli_args) 89 | fp_args['fingerprint'] = True 90 | fp_args['name'] = 'Tomcat' 91 | fp_args['noversion'] = False 92 | @responses.activate 93 | @mock.patch('argparse.ArgumentParser.parse_args', return_value=argparse.Namespace(**fp_args)) 94 | def test_tomcat_fingerprint(mock_args): 95 | responses.add(**MockResponses.tomcat_fp) 96 | reset_handlers() 97 | se = core.main() 98 | print(("Scanners:",se.scanners.qsize())) 99 | assert se.scanners.qsize() == 34 100 | core.remove_queues() 101 | 102 | @responses.activate 103 | @mock.patch('argparse.ArgumentParser.parse_args', return_value=argparse.Namespace(**cli_args)) 104 | def test_tomcat_invalid_creds(mock_args): 105 | responses.add(**MockResponses.tomcat_fp) 106 | reset_handlers() 107 | se = core.main() 108 | assert se.found_q.qsize() == 0 109 | 110 | @responses.activate 111 | @mock.patch('argparse.ArgumentParser.parse_args', return_value=argparse.Namespace(**cli_args)) 112 | def test_jboss_scan_fail(mock_args): 113 | responses.add(**MockResponses.jboss_fp) 114 | responses.add(**MockResponses.jboss_auth_fail) 115 | 116 | reset_handlers() 117 | args = core.parse_args() 118 | core.init_logging(args['args'].verbose, args['args'].debug, args['args'].log) 119 | config = core.Config(args['args'], args['parser']) 120 | creds = core.load_creds(config) 121 | se = ScanEngine(creds, config) 122 | se._build_targets() 123 | se._add_terminators(se.fingerprints) 124 | se.fingerprint_targets() 125 | print(se.scanners.qsize()) 126 | scanners = list() 127 | while se.scanners.qsize() > 0: 128 | s = se.scanners.get() 129 | print(s.cred['name']) 130 | print(s.target) 131 | print(s.username) 132 | print(s.password) 133 | scanners.append(s) 134 | 135 | print("num scanners: %i" % len(scanners)) 136 | assert len(scanners) == 2 137 | 138 | # put scanners back in queue 139 | for s in scanners: 140 | 
se.scanners.put(s) 141 | 142 | se._add_terminators(se.scanners) 143 | se._scan(se.scanners, se.found_q) 144 | assert se.found_q.qsize() == 0 145 | 146 | 147 | jboss_args = deepcopy(cli_args) 148 | jboss_args['name'] = 'JBoss AS 6 Alt' 149 | @responses.activate 150 | @mock.patch('argparse.ArgumentParser.parse_args', return_value=argparse.Namespace(**jboss_args)) 151 | def test_jboss_scan_success(mock_args): 152 | responses.add(**MockResponses.jboss_fp) 153 | responses.add(**MockResponses.jboss_auth) 154 | reset_handlers() 155 | se = core.main() 156 | assert se.found_q.qsize() == 1 157 | 158 | 159 | subnet_args = deepcopy(cli_args) 160 | subnet_args['target'] = '127.0.0.1/32' 161 | subnet_args['protocols'] = 'http' 162 | subnet_args['name'] = 'JBoss AS 6 Alt' 163 | @responses.activate 164 | @mock.patch('argparse.ArgumentParser.parse_args', return_value=argparse.Namespace(**subnet_args)) 165 | def test_jboss_scan_success_subnet(mock_args): 166 | responses.add(**MockResponses.jboss_fp) 167 | responses.add(**MockResponses.jboss_auth) 168 | reset_handlers() 169 | se = core.main() 170 | assert se.found_q.qsize() == 1 171 | 172 | 173 | @responses.activate 174 | @mock.patch('argparse.ArgumentParser.parse_args', return_value=argparse.Namespace(**cli_args)) 175 | def test_jboss_csrf_fail(mock_args): 176 | responses.add(**MockResponses.jboss_fp_no_csrf) 177 | reset_handlers() 178 | se = core.main() 179 | assert se.found_q.qsize() == 0 180 | 181 | 182 | idrac_args = deepcopy(cli_args) 183 | idrac_args['name'] = "Dell iDRAC" 184 | @responses.activate 185 | @mock.patch('argparse.ArgumentParser.parse_args', return_value=argparse.Namespace(**idrac_args)) 186 | def test_idrac_scan_success(mock_args): 187 | responses.reset() 188 | responses.add(**MockResponses.idrac_fp) 189 | responses.add(**MockResponses.idrac_auth) 190 | reset_handlers() 191 | se = core.main() 192 | assert se.found_q.qsize() == 1 193 | 194 | 195 | targets_args = deepcopy(cli_args) 196 | targets_args['target'] = 
'/tmp/targets.txt' 197 | @responses.activate 198 | @mock.patch('argparse.ArgumentParser.parse_args', return_value=argparse.Namespace(**targets_args)) 199 | def test_targets_scan_success(mock_args): 200 | responses.reset() 201 | responses.add(**MockResponses.idrac_fp) 202 | responses.add(**MockResponses.idrac_auth) 203 | with open(targets_args['target'], 'w') as fout: 204 | fout.write('127.0.0.1' + '\n') 205 | 206 | reset_handlers() 207 | se = core.main() 208 | assert se.found_q.qsize() == 1 209 | 210 | 211 | csv_args = deepcopy(cli_args) 212 | csv_args['log'] = '/tmp/output.log' 213 | csv_args['output'] = '/tmp/output.csv' 214 | csv_args['name'] = 'JBoss AS 6 Alt' 215 | @responses.activate 216 | @mock.patch('argparse.ArgumentParser.parse_args', return_value=argparse.Namespace(**csv_args)) 217 | def test_csv_output(mock_args): 218 | responses.add(**MockResponses.jboss_fp) 219 | responses.add(**MockResponses.jboss_auth) 220 | reset_handlers() 221 | se = core.main() 222 | print(se.found_q.qsize()) 223 | assert se.found_q.qsize() == 1 224 | 225 | assert os.path.isfile(csv_args['output']) 226 | i = 0 227 | with open(csv_args['output'], 'r') as csvfile: 228 | reader = csv.reader(csvfile) 229 | for line in reader: 230 | if i == 1: 231 | assert line[0] == 'JBoss AS 6 Alt' 232 | assert line[1] == 'admin' 233 | assert line[2] == 'admin' 234 | assert line[3] == 'http://127.0.0.1:8080/admin-console/login.seam' 235 | i += 1 236 | 237 | assert os.path.isfile(csv_args['log']) 238 | 239 | 240 | json_args = deepcopy(cli_args) 241 | json_args['output'] = '/tmp/output.json' 242 | json_args['name'] = 'JBoss AS 6 Alt' 243 | @responses.activate 244 | @mock.patch('argparse.ArgumentParser.parse_args', return_value=argparse.Namespace(**json_args)) 245 | def test_json_output(mock_args): 246 | responses.add(**MockResponses.jboss_fp) 247 | responses.add(**MockResponses.jboss_auth) 248 | reset_handlers() 249 | se = core.main() 250 | assert se.found_q.qsize() == 1 251 | 252 | assert 
os.path.isfile(json_args['output']) 253 | i = 0 254 | with open(json_args['output'], 'r') as json_file: 255 | j = json.loads(json_file.read()) 256 | assert j["results"][0]['name'] == 'JBoss AS 6 Alt' 257 | assert j['results'][0]['username'] == 'admin' 258 | assert j['results'][0]['password'] == 'admin' 259 | assert j['results'][0]['target'] == 'http://127.0.0.1:8080/admin-console/login.seam' 260 | 261 | 262 | dr_args = deepcopy(cli_args) 263 | dr_args['dryrun'] = True 264 | @raises(SystemExit) 265 | @mock.patch('argparse.ArgumentParser.parse_args', return_value=argparse.Namespace(**dr_args)) 266 | def test_dryrun(mock_args): 267 | reset_handlers() 268 | se = core.main() 269 | assert se.found_q.qsize() == 0 270 | 271 | 272 | es_args = deepcopy(cli_args) 273 | es_args['name'] = "elasticsearch" 274 | @responses.activate 275 | @mock.patch('argparse.ArgumentParser.parse_args', return_value=argparse.Namespace(**es_args)) 276 | def test_es_scan_success(mock_args): 277 | responses.reset() 278 | responses.add(**MockResponses.elasticsearch) 279 | reset_handlers() 280 | se = core.main() 281 | assert se.found_q.qsize() == 1 282 | -------------------------------------------------------------------------------- /changeme/tests/memcached.py: -------------------------------------------------------------------------------- 1 | import argparse 2 | from changeme import core 3 | from .core import cli_args 4 | from copy import deepcopy 5 | import logging 6 | import mock 7 | import os 8 | 9 | logger = logging.getLogger('changeme') 10 | 11 | def reset_handlers(): 12 | logger = logging.getLogger('changeme') 13 | logger.handlers = [] 14 | core.remove_queues() 15 | 16 | memcached_args = deepcopy(cli_args) 17 | memcached_args['protocols'] = 'memcached' 18 | memcached_args['target'] = '127.0.0.1' 19 | @mock.patch('argparse.ArgumentParser.parse_args', return_value=argparse.Namespace(**memcached_args)) 20 | def memcached(mock_args): 21 | reset_handlers() 22 | se = core.main() 23 | try: 24 | 
assert se.found_q.qsize() == 1 25 | except Exception as e: 26 | # Raise an assertion error if we're in Travis CI and fail 27 | if os.environ.get('TRAVIS', None): 28 | raise e 29 | # Warn if we're not Travis CI 30 | else: 31 | logger.warning('memcached failed') 32 | 33 | -------------------------------------------------------------------------------- /changeme/tests/mock_responses.py: -------------------------------------------------------------------------------- 1 | import responses 2 | 3 | 4 | class MockResponses: 5 | tomcat_fp = { 6 | 'method': responses.GET, 7 | 'url': 'http://127.0.0.1:8080/manager/html', 8 | 'status': 401, 9 | 'adding_headers': { 10 | 'Server': 'Apache-Coyote/1.1', 11 | 'WWW-Authenticate': 'Basic realm="Tomcat Manager Application'} 12 | } 13 | 14 | tomcat_fp_alt = { 15 | 'method': responses.GET, 16 | 'url': 'http://127.0.0.1:8080/tomcat/manager/html', 17 | 'status': 404, 18 | 'adding_headers': { 19 | 'Server': 'Apache-Coyote/1.1', 20 | 'WWW-Authenticate': 'Basic realm="Tomcat Manager Application'} 21 | } 22 | 23 | tomcat_auth = { 24 | 'method': responses.GET, 25 | 'url': 'http://127.0.0.1:8080/manager/html', 26 | 'status': 200, 27 | 'body': 'Tomcat Web Application Manager', 28 | 'adding_headers': {'Server': 'Apache-Coyote/1.1'} 29 | } 30 | 31 | jboss_fp = { 32 | 'method': responses.GET, 33 | 'url': 'http://127.0.0.1:8080/admin-console/login.seam', 34 | 'status': 200, 35 | 'body': '

Welcome to the JBoss AS 6 Admin Console.

', 36 | 'adding_headers': { 37 | 'Server': 'Apache-Coyote/1.1', 38 | 'Set-Cookie': 'JSESSIONID=foobar' 39 | } 40 | } 41 | 42 | jboss_fp_no_csrf = { 43 | 'method': responses.GET, 44 | 'url': 'http://127.0.0.1:8080/admin-console/login.seam', 45 | 'status': 200, 46 | 'body': '

Welcome to the JBoss AS 6 Admin Console.

', 47 | 'adding_headers': { 48 | 'Server': 'Apache-Coyote/1.1', 49 | 'Set-Cookie': 'JSESSIONID=foobar' 50 | } 51 | } 52 | 53 | jboss_auth = { 54 | 'method': responses.POST, 55 | 'url': 'http://127.0.0.1:8080/admin-console/login.seam', 56 | 'status': 200, 57 | 'body': 'Logout', 58 | 'adding_headers': {'Server': 'Apache-Coyote/1.1'} 59 | } 60 | 61 | jboss_auth_fail = { 62 | 'method': responses.POST, 63 | 'url': 'http://127.0.0.1:8080/admin-console/login.seam', 64 | 'status': 200, 65 | 'body': 'Fail', 66 | 'adding_headers': {'Server': 'Apache-Coyote/1.1'} 67 | } 68 | 69 | idrac_fp = { 70 | 'method': responses.GET, 71 | 'url': 'https://127.0.0.1:443/login.html', 72 | 'status': 200, 73 | 'body': 'Integrated Dell Remote Access Controller', 74 | 'adding_headers': { 75 | 'Server': 'Mbedthis-Appweb/2.4.2', 76 | 'Content-type': 'text/xml', 77 | 'Set-Cookie': '_appwebSessionId_=dffaac7c4fb4e3c4cbd46d3691aeb40f;', 78 | }, 79 | 'body': 'Integrated Dell Remote Access Controller 6 - Express', 80 | } 81 | 82 | idrac_auth = { 83 | 'method': responses.POST, 84 | 'url': 'https://127.0.0.1:443/data/login', 85 | 'status': 200, 86 | 'body': 'Integrated Dell Remote Access Controller', 87 | 'adding_headers': { 88 | 'Server': 'Mbedthis-Appweb/2.4.2', 89 | 'Content-type': 'text/xml', 90 | 'Set-Cookie': '_appwebSessionId_=dffaac7c4fb4e3c4cbd46d3691aeb40f', 91 | }, 92 | 'body': ' ok 0 index.html ' 93 | } 94 | 95 | zabbix_fp = { 96 | 'method': responses.GET, 97 | 'url': 'http://127.0.0.1/zabbix/index.php', 98 | 'status': 200, 99 | 'body': 'by Zabbix SIA', 100 | } 101 | 102 | zabbix_auth = { 103 | 'method': responses.POST, 104 | 'url': 'http://127.0.0.1/zabbix/index.php', 105 | 'status': 200, 106 | 'body': 'Logout', 107 | } 108 | 109 | zabbix_fail = { 110 | 'method': responses.POST, 111 | 'url': 'http://127.0.0.1/zabbix/index.php', 112 | 'status': 200, 113 | 'body': 'foobar', 114 | } 115 | 116 | ipcamera_fp = { 117 | 'method': responses.GET, 118 | 'url': 'http://127.0.0.1:81/', 119 | 'status': 
200, 120 | 'body': 'GetXml("login.xml?"+param,OnLoginAckOK,OnLoginAckFail);' 121 | } 122 | 123 | ipcamera_auth = { 124 | 'method': responses.GET, 125 | 'url': 'http://127.0.0.1:81/login.xml', 126 | 'status': 200, 127 | 'body': '10Admin' 128 | } 129 | 130 | elasticsearch = { 131 | 'method': responses.GET, 132 | 'url': 'http://127.0.0.1:9200/', 133 | 'status': 200, 134 | 'body': """{ 135 | "name" : "foo", 136 | "cluster_name" : "elasticsearch", 137 | "cluster_uuid" : "1C4hbDs6TRetjINxrOKBZw", 138 | "version" : { 139 | "number" : "5.0.2", 140 | "build_hash" : "f6b4951", 141 | "build_date" : "2016-11-24T10:07:18.101Z", 142 | "build_snapshot" : false, 143 | "lucene_version" : "6.2.1" 144 | }, 145 | "tagline" : "You Know, for Search" 146 | }""" 147 | } 148 | 149 | -------------------------------------------------------------------------------- /changeme/tests/mongodb.py: -------------------------------------------------------------------------------- 1 | import argparse 2 | from changeme import core 3 | from .core import cli_args 4 | from copy import deepcopy 5 | import logging 6 | import mock 7 | import os 8 | 9 | 10 | logger = logging.getLogger('changeme') 11 | 12 | def reset_handlers(): 13 | logger = logging.getLogger('changeme') 14 | logger.handlers = [] 15 | core.remove_queues() 16 | 17 | mongodb_args = deepcopy(cli_args) 18 | mongodb_args['target'] = 'mongodb://127.0.0.1' 19 | @mock.patch('argparse.ArgumentParser.parse_args', return_value=argparse.Namespace(**mongodb_args)) 20 | def test_mongodb(mock_args): 21 | reset_handlers() 22 | se = core.main() 23 | 24 | try: 25 | assert se.found_q.qsize() == 1 26 | except Exception as e: 27 | # Raise an assertion error if we're in Travis CI and fail 28 | if os.environ.get('TRAVIS', None): 29 | raise e 30 | # Warn if we're not Travis CI 31 | else: 32 | logger.warning('mongodb failed') 33 | 34 | -------------------------------------------------------------------------------- /changeme/tests/redis_scanner.py: 
--------------------------------------------------------------------------------
import argparse
from changeme import core
from .core import cli_args
from copy import deepcopy
import logging
import mock


def reset_handlers():
    """Empty the 'changeme' logger's handler list and call core.remove_queues().

    Each test calls this first, so handlers attached by an earlier
    core.main() run are not carried into the next one.
    """
    logging.getLogger('changeme').handlers = []
    core.remove_queues()


# Arguments handed to the patched parse_args(): a private copy of the shared
# cli_args defaults, restricted to the redis protocol on the loopback address.
redis_args = deepcopy(cli_args)
redis_args['protocols'] = 'redis'
redis_args['target'] = '127.0.0.1'


@mock.patch('argparse.ArgumentParser.parse_args', return_value=argparse.Namespace(**redis_args))
def test_redis(mock_args):
    """Run core.main() against 127.0.0.1 and expect exactly one finding.

    NOTE(review): nothing here mocks the network, so this presumably needs a
    Redis instance listening on the loopback address - confirm how CI
    provides it.
    """
    reset_handlers()
    engine = core.main()
    findings = engine.found_q.qsize()
    assert findings == 1


--------------------------------------------------------------------------------
/changeme/tests/snmp.py:
--------------------------------------------------------------------------------
import argparse
from changeme import core
from .core import cli_args
from copy import deepcopy
import logging
import mock


def reset_handlers():
    """Empty the 'changeme' logger's handler list and call core.remove_queues()."""
    logging.getLogger('changeme').handlers = []
    core.remove_queues()


# NOTE(review): both tests below scan demo.snmplabs.com, a host outside the
# test machine. They need outbound network access, their outcome depends on
# how that host is configured on the day, and every run sends SNMP checks to
# a system this project does not control. A locally started SNMP agent or
# simulator would make the tests self-contained.

# Protocol selected through the 'protocols' option, bare hostname as target.
snmp_args = deepcopy(cli_args)
snmp_args['protocols'] = 'snmp'
snmp_args['name'] = 'publicprivate'
snmp_args['target'] = 'demo.snmplabs.com'


@mock.patch('argparse.ArgumentParser.parse_args', return_value=argparse.Namespace(**snmp_args))
def test_snmp(mock_args):
    """Scan the host with the 'publicprivate' credential set; expect two findings."""
    reset_handlers()
    engine = core.main()
    findings = engine.found_q.qsize()
    assert findings == 2


# The Namespace above was built when the decorator was evaluated, so rebinding
# snmp_args here does not change what test_snmp receives.
# Protocol selected through the snmp:// scheme in the target instead.
snmp_args = deepcopy(cli_args)
snmp_args['name'] = 'publicprivate'
snmp_args['target'] = 'snmp://demo.snmplabs.com'


@mock.patch('argparse.ArgumentParser.parse_args', return_value=argparse.Namespace(**snmp_args))
def test_snmp_proto(mock_args):
    """Same scan as test_snmp, with the protocol given as a URL scheme."""
    reset_handlers()
    engine = core.main()
    findings = engine.found_q.qsize()
    assert findings == 2
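--------------------------------------------------------------------------------
/changeme/tests/target.py:
--------------------------------------------------------------------------------
from changeme.target import Target
import os
import tempfile

"""
1. nmap.xml
2. targets.txt
3. 127.0.0.1
4. 192.168.1.0/24
5. 192.168.59.139:8080
6. snmp://192.168.59.101
7. mysql://192.168.59.101:33306
"""


def test_nmap():
    """Parse the nmap XML report stored next to this file; expect 127.0.0.1:8080 only."""
    here = os.path.dirname(os.path.abspath(__file__))
    nmap = os.path.join(here, "tomcat_nmap.xml")
    targets = Target.parse_target(nmap)
    assert len(targets) == 1
    t = targets.pop()
    print("target: %s" % t)
    assert t == Target(host='127.0.0.1', port='8080')


def test_targets_file():
    """Parse a two-line targets file and check both entries.

    The file is created with tempfile.mkstemp() rather than at a fixed name
    under /tmp. A fixed name in a world-writable directory is predictable:
    on a shared machine another local user can create that file (or a
    symlink with that name) first, and the test would then write through it
    or parse content it did not produce. mkstemp() creates a new file with
    an unpredictable name that only the current user can access.
    """
    # NOTE(review): the '.txt' suffix mirrors the original 'targets.txt' name in
    # case parse_target() looks at the extension - confirm against Target.
    fd, target = tempfile.mkstemp(suffix='.txt')
    try:
        with os.fdopen(fd, 'w') as fout:
            fout.write('127.0.0.1\n')
            fout.write('127.0.0.2:8080\n')

        targets = Target.parse_target(target)
        assert len(targets) == 2

        for t in targets:
            if t.host == '127.0.0.1':
                t1(t)
            else:
                t2(t)
    finally:
        # Remove the file even when an assertion above fails.
        os.remove(target)


def t1(t):
    """Check the first targets-file entry (host only)."""
    assert t == Target(host='127.0.0.1')


def t2(t):
    """Check the second targets-file entry (host and port)."""
    assert t == Target(host='127.0.0.2', port=8080)


def test_ip():
    """A bare IPv4 address gives one target that prints back as the input."""
    target = '127.0.0.1'
    targets = Target.parse_target(target)
    assert len(targets) == 1
    t = targets.pop()
    assert t == Target(host=target)
    assert str(t) == target


def test_cidr():
    """A /24 network expands to 254 targets."""
    target = '192.168.1.0/24'
    targets = Target.parse_target(target)
    assert len(targets) == 254

    # TODO explicitly validate the range
    """
    for ip in IPNetwork(target).iter_hosts():
        print str(ip)
        assert Target(host=str(ip)) in targets
    """


def test_ip_port():
    """host:port gives one target that prints back as the input."""
    target = '192.168.1.1:8080'
    targets = Target.parse_target(target)
    assert len(targets) == 1
    t = targets.pop()
    # NOTE(review): the port is compared as a string here and as an int in
    # test_proto_ip_port; presumably Target equality accepts both - confirm.
    assert t == Target(host='192.168.1.1', port='8080')
    assert str(t) == target


def test_proto_ip():
    """scheme://host gives one target carrying the protocol."""
    target = 'snmp://192.168.1.1'
    targets = Target.parse_target(target)
    assert len(targets) == 1

    t = targets.pop()
    assert t == Target(host='192.168.1.1', protocol='snmp')
    assert str(t) == target


def test_proto_ip_port():
    """scheme://host:port gives one target carrying protocol and port."""
    target = 'snmp://192.168.1.1:8080'
    targets = Target.parse_target(target)
    assert len(targets) == 1

    t = targets.pop()
    assert t == Target(host='192.168.1.1', port=8080, protocol='snmp')
    assert str(t) == target


def test_hostname():
    """A bare hostname gives one target."""
    target = 'example.com'
    targets = Target.parse_target(target)
    assert len(targets) == 1

    t = targets.pop()
    assert t == Target(host='example.com')


def test_hostname_proto():
    """scheme://hostname gives one target carrying the protocol."""
    target = 'http://example.com'
    targets = Target.parse_target(target)
    assert len(targets) == 1

    t = targets.pop()
    assert t == Target(host='example.com', protocol='http')


def test_hostname_proto_port():
    """scheme://hostname:port gives one target carrying protocol and port."""
    target = 'http://example.com:80'
    targets = Target.parse_target(target)
    assert len(targets) == 1

    t = targets.pop()
    assert t == Target(host='example.com', port='80', protocol='http')

--------------------------------------------------------------------------------
/changeme/tests/tomcat_nmap.xml:
--------------------------------------------------------------------------------
1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 |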
21 |
22 | 23 | 24 | cpe:/a:apache:coyote_http_connector:1.1 25 | 26 | 27 | 28 | 29 | 30 | 31 | -------------------------------------------------------------------------------- /changeme/version.py: -------------------------------------------------------------------------------- 1 | __version__ = '1.1' 2 | contributors = [ 3 | "ztgrace", 4 | "the-c0d3r", 5 | "Graph-X", 6 | "AlessandroZ", 7 | "ThomasTJ", 8 | "Alistair Chapman", 9 | "John Van de Meulebrouck Brendgard", 10 | "network23", 11 | ] 12 | -------------------------------------------------------------------------------- /creds/ftp/ftp.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - username: anonymous 4 | password: 5 | - username: ftp 6 | password: ftp 7 | - username: guest 8 | password: guest 9 | category: ftp 10 | default_port: 21 11 | name: ftp 12 | contributor: AlessandroZ 13 | -------------------------------------------------------------------------------- /creds/http/camera/speco_technologies_ip_camera.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - password: '1234' 4 | username: admin 5 | headers: [] 6 | success: 7 | body: 8 | - Network Camera Viewer 9 | status: 200 10 | type: basic_auth 11 | url: 12 | - / 13 | category: camera 14 | contributor: ztgrace 15 | default_port: 80 16 | fingerprint: 17 | basic_auth_realm: SuperNova 18 | status: 401 19 | url: 20 | - / 21 | name: Speco Technologies IP Camera 22 | protocol: http 23 | ssl: false 24 | -------------------------------------------------------------------------------- /creds/http/general/activemq.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - password: admin 4 | username: admin 5 | - password: '' 6 | username: '' 7 | headers: [] 8 | success: 9 | body: 10 | - 'localhost : ActiveMQ Console' 11 | status: 200 12 | type: basic_auth 13 | url: 14 | - 
/admin 15 | category: general 16 | contributor: sil3ntcor3 17 | default_port: 8161 18 | fingerprint: 19 | body: 20 | - Apache ActiveMQ 21 | status: 200 22 | url: 23 | - / 24 | name: ActiveMQ 25 | protocol: http 26 | ssl: false 27 | -------------------------------------------------------------------------------- /creds/http/general/amano_ts-3000i.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - password: '6569' 4 | username: Admin 5 | post: 6 | Submit: Login 7 | password: atvsUserPassword 8 | username: atvsUserName 9 | success: 10 | body: 11 | - '>Logout' 12 | status: 200 13 | type: post 14 | url: 15 | - /Forms/index_1 16 | category: web 17 | contributor: ztgrace 18 | default_port: 80 19 | fingerprint: 20 | body: 21 | - APC | Log On 27 | status: 200 28 | url: 29 | - /logon.htm 30 | name: APC Network Management Card 31 | ssl: false 32 | -------------------------------------------------------------------------------- /creds/http/general/audiocodes_mediant_1000.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - password: Admin 4 | username: Admin 5 | post: 6 | c0: '0' 7 | t: '1' 8 | password: u 9 | username: c1 10 | success: 11 | body: 12 | - 13 | status: 200 14 | type: post 15 | url: 16 | - /UE/Login 17 | category: web 18 | contributor: ztgrace 19 | default_port: 80 20 | fingerprint: 21 | body: 22 | - Mediant 1000 23 | status: 200 24 | url: 25 | - / 26 | name: AudioCodes Mediant 1000 27 | ssl: false 28 | -------------------------------------------------------------------------------- /creds/http/general/avaya_contact_center.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - password: webadmin 4 | username: webadmin 5 | post: 6 | LoginBtn: '' 7 | OpenSSOAutheticated: '' 8 | OpenSSOUserID: '' 9 | password: Password 10 | username: UserID 11 | success: 12 | body: 13 | - 
Contact Center Manager - Accept terms and conditions 14 | status: 200 15 | type: post 16 | url: 17 | - /Authenticate.asp 18 | category: web 19 | contributor: ztgrace 20 | default_port: 80 21 | fingerprint: 22 | body: 23 | - Contact Center - Manager - Login 24 | status: 200 25 | url: 26 | - / 27 | headers: 28 | - User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0) 29 | name: Avaya Contact Center 30 | ssl: false 31 | -------------------------------------------------------------------------------- /creds/http/general/ca_apm_team_center.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - password: '' 4 | username: Admin 5 | - password: Guest 6 | username: Guest 7 | post: 8 | password: j_password 9 | username: j_username 10 | sessionid: WSESSIONID 11 | success: 12 | body: 13 | - ja/webview/webview.nocache.js 14 | status: 200 15 | type: post 16 | url: 17 | - /jsp/j_security_check 18 | category: web 19 | contributor: ztgrace 20 | default_port: 80 21 | fingerprint: 22 | body: 23 | - APM WebView 24 | status: 200 25 | url: 26 | - / 27 | name: CA APM Team Center 28 | ssl: false 29 | -------------------------------------------------------------------------------- /creds/http/general/ca_netqos.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - password: nq 4 | username: nqadmin 5 | - password: nq 6 | username: nquser 7 | csrf: __VIEWSTATE 8 | post: 9 | __LASTFOCUS: '' 10 | hdnCookiesEnabled: '1' 11 | hdnRunCookieTest: '0' 12 | ibSignIn.x: '0' 13 | ibSignIn.y: '0' 14 | password: tbPassword 15 | username: tbUsername 16 | sessionid: ASP.NET_SessionId 17 | success: 18 | body: 19 | -

Object moved to here.

20 | status: 302 21 | type: post 22 | url: 23 | - /SingleSignOn/SignIn.aspx?SsoProductCode=npc&SsoRedirectUrl=%2fnpc%2fdefault.aspx 24 | category: web 25 | contributor: ztgrace 26 | default_port: 80 27 | fingerprint: 28 | body: 29 | - Network Performance Management Console 30 | status: 200 31 | url: 32 | - /SingleSignOn/SignIn.aspx?SsoProductCode=npc&SsoRedirectUrl=%2fnpc%2fdefault.aspx 33 | name: CA NetQoS 34 | ssl: false 35 | -------------------------------------------------------------------------------- /creds/http/general/cisco_collaboration_endpoint.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - password: admin 4 | username: cisco 5 | post: 6 | password: username 7 | username: password 8 | headers: [] 9 | success: 10 | body: 11 | - '"result": "ok"' 12 | status: 200 13 | type: post 14 | url: 15 | - /web/signin/open 16 | category: general 17 | contributor: AlessandroZ 18 | default_port: 443 19 | fingerprint: 20 | status: 200 21 | body: 22 | - Cisco Collaboration Endpoint 23 | url: 24 | - /web/signin 25 | name: Cisco Collaboration Endpoint 26 | protocol: http 27 | ssl: true 28 | -------------------------------------------------------------------------------- /creds/http/general/cisco_systems.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - password: cisco 4 | username: cisco 5 | headers: [] 6 | success: 7 | body: 8 | - Cisco Systems 9 | status: 200 10 | type: basic_auth 11 | url: 12 | - / 13 | category: general 14 | contributor: ztgrace, madtownliz 15 | default_port: 80 16 | fingerprint: 17 | basic_auth_realm: level_15_access 18 | status: 401 19 | url: 20 | - / 21 | name: Cisco Systems 22 | protocol: http 23 | ssl: false 24 | -------------------------------------------------------------------------------- /creds/http/general/crestron_hd-md4x1-4k-e.yml: 
-------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - password: admin 4 | username: admin 5 | get: 6 | a: command 7 | cmd: check_login 8 | password: p2 9 | username: p1 10 | success: 11 | body: 12 | - '{"login_ur":1}' 13 | status: 200 14 | type: get 15 | url: 16 | - /aj.html 17 | category: web 18 | contributor: ztgrace 19 | default_port: 80 20 | fingerprint: 21 | body: 22 | - HD-MD4x1-4K-E 23 | status: 200 24 | url: 25 | - / 26 | name: Crestron HD-MD4x1-4K-E 27 | ssl: false 28 | -------------------------------------------------------------------------------- /creds/http/general/datastax_opscenter.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - password: admin 4 | raw: '{"username":"admin","password":"admin"}' 5 | username: admin 6 | success: 7 | body: 8 | - '{"sessionid":' 9 | status: 200 10 | type: raw_post 11 | url: 12 | - /login 13 | category: web 14 | contributor: ztgrace 15 | default_port: 8889 16 | fingerprint: 17 | body: 18 | - DataStax OpsCenter Login 19 | status: 200 20 | url: 21 | - /opscenter/login.html 22 | name: DataStax OpsCenter 6.0.x 23 | ssl: false 24 | -------------------------------------------------------------------------------- /creds/http/general/dell_idrac.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - password: calvin 4 | username: root 5 | post: 6 | password: password 7 | username: user 8 | sessionid: _appwebSessionId_ 9 | success: 10 | body: 11 | - [0|5] 12 | status: 200 13 | type: post 14 | url: 15 | - /data/login 16 | category: web 17 | contributor: ztgrace 18 | default_port: 443 19 | fingerprint: 20 | body: 21 | - Integrated Dell Remote Access Controller 22 | status: 200 23 | url: 24 | - /login.html 25 | name: Dell iDRAC 26 | ssl: true 27 | -------------------------------------------------------------------------------- 
/creds/http/general/dynatrace.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - password: admin 4 | username: admin 5 | success: 6 | body: 7 | - dynaTrace Server Browsable REST Webservices 8 | status: 200 9 | type: basic_auth 10 | url: 11 | - /rest/html/management/dashboards 12 | category: web 13 | contributor: BuckyGoat 14 | default_port: 8020 15 | fingerprint: 16 | basic_auth_realm: dynaTrace Server 17 | body: 18 | - dynaTrace Server Webinterface 19 | status: 401 20 | url: 21 | - /rest/html/management/dashboards 22 | name: Dynatrace 23 | ssl: false 24 | -------------------------------------------------------------------------------- /creds/http/general/elasticsearch.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - password: '' 4 | username: '' 5 | get: 6 | password: '' 7 | username: '' 8 | success: 9 | body: 10 | - '"tagline" : "You Know, for Search"' 11 | status: 200 12 | type: get 13 | url: 14 | - / 15 | category: http 16 | contributor: ztgrace 17 | default_port: 9200 18 | fingerprint: 19 | body: 20 | - '"tagline" : "You Know, for Search"' 21 | status: 200 22 | url: 23 | - / 24 | name: Elasticsearch 25 | ssl: false 26 | -------------------------------------------------------------------------------- /creds/http/general/grafana.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - password: admin 4 | raw: '{"user":"admin","email":"","password":"admin"}' 5 | username: admin 6 | headers: 7 | - Content-Type: application/json;charset=utf-8 8 | sessionid: grafana_sess 9 | success: 10 | body: 11 | - '{"message":"Logged in"}' 12 | status: 200 13 | type: raw_post 14 | url: 15 | - /login 16 | category: general 17 | contributor: ztgrace 18 | default_port: 3000 19 | fingerprint: 20 | body: 21 | - <title>Grafana 22 | status: 200 23 | url: 24 | - /login 25 | name: Grafana 26 
| protocol: http 27 | ssl: false 28 | -------------------------------------------------------------------------------- /creds/http/general/haivision_makito_x_decoder.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - password: manager 4 | username: admin 5 | raw: '{"username":"admin","uid":-1,"gid":-1,"password":"manager"}' 6 | success: 7 | body: 8 | - '{"data":{"username": "admin","uid": 500' 9 | status: 200 10 | type: raw_post 11 | url: 12 | - /apis/authentication 13 | category: web 14 | contributor: ztgrace 15 | default_port: 443 16 | fingerprint: 17 | body: 18 | - Haivision 19 | server_header: lighttpd/1.4.35 20 | status: 200 21 | url: 22 | - /login 23 | name: Haivision Makito X Decoder 24 | ssl: true 25 | -------------------------------------------------------------------------------- /creds/http/general/hp_server_automation.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - password: admin 4 | username: Administrator 5 | - password: opsware_admin 6 | username: admin 7 | post: 8 | password: j_password 9 | username: j_username 10 | sessionid: JSESSIONID 11 | success: 12 | body: 13 | - Log Out 14 | status: 200 15 | type: post 16 | url: 17 | - /j_security_check 18 | category: web 19 | contributor: ztgrace 20 | default_port: 443 21 | fingerprint: 22 | body: 23 | - Hewlett-Packard Server Automation System Web Client 24 | status: 200 25 | url: 26 | - / 27 | name: HP Server Automation 28 | ssl: true 29 | -------------------------------------------------------------------------------- /creds/http/general/ibm_imm.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - password: PASSW0RD 4 | username: USERID 5 | raw: USERNAME=USERID,PASSWORD=PASSW0RD 6 | success: 7 | body: 8 | - 'ok:' 9 | status: 200 10 | type: raw_post 11 | url: 12 | - /session/create 13 | category: web 14 
| contributor: ztgrace 15 | default_port: 80 16 | fingerprint: 17 | body: 18 | - IMM 19 | status: 200 20 | url: 21 | - / 22 | name: IBM IMM 23 | ssl: false 24 | -------------------------------------------------------------------------------- /creds/http/general/ibm_netezza.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - password: password 4 | raw: 127.0.0.1 portal false admin password 8 | 9 | username: admin 10 | success: 11 | body: 12 | - ">IBM Netezza 23 | status: 200 24 | url: 25 | - /com.netezza.portal.Portal/index.html 26 | name: IBM Netezza 27 | ssl: true 28 | -------------------------------------------------------------------------------- /creds/http/general/ibm_urbancode_deploy.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - password: admin 4 | username: admin 5 | - password: ucdpadmin 6 | username: ucdpadmin 7 | post: 8 | password: password 9 | requestedHash: '' 10 | username: username 11 | sessionid: JSESSIONID_80 12 | success: 13 | body: 14 | - Sign Out 15 | status: 200 16 | type: post 17 | url: 18 | - /tasks/LoginTasks/login 19 | category: web 20 | contributor: ztgrace 21 | default_port: 443 22 | fingerprint: 23 | body: 24 | - IBM UrbanCode Deploy 25 | status: 200 26 | url: 27 | - / 28 | name: IBM UrbanCode Deploy 29 | ssl: true 30 | -------------------------------------------------------------------------------- /creds/http/general/jasperreports.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - password: jasperadmin 4 | username: jasperadmin 5 | - password: bitnami 6 | username: jasperadmin 7 | post: 8 | j_password_pseudo: jasperadmin 9 | password: j_password 10 | userLocale: en_US 11 | userTimezone: Asia/Calcutta 12 | username: j_username 13 | sessionid: JSESSIONID 14 | success: 15 | body: 16 | - 'Jaspersoft: Browse Repository' 17 | status: 200 
18 | type: post 19 | url: 20 | - /jasperserver/j_spring_security_check 21 | - /j_spring_security_check 22 | category: web 23 | contributor: ztgrace 24 | default_port: 8080 25 | fingerprint: 26 | body: 27 | - 'Jaspersoft: Login' 28 | status: 200 29 | url: 30 | - /login.html 31 | - /jasperserver/login.html 32 | name: JasperReports 33 | ssl: false 34 | -------------------------------------------------------------------------------- /creds/http/general/jboss_as_6.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - password: admin 4 | username: admin 5 | csrf: javax.faces.ViewState 6 | post: 7 | login_post: login_form 8 | login_post:submit: Login 9 | password: login_post:password 10 | username: login_post:name 11 | sessionid: JSESSIONID 12 | success: 13 | body: 14 | - Logout 15 | status: 200 16 | type: post 17 | url: 18 | - /admin-console/login.seam 19 | category: web 20 | contributor: ztgrace 21 | default_port: 8080 22 | fingerprint: 23 | body: 24 | - Welcome to the JBoss AS 6 Admin Console 25 | status: 200 26 | url: 27 | - /admin-console/login.seam 28 | name: JBoss AS 6 29 | ssl: false 30 | -------------------------------------------------------------------------------- /creds/http/general/jboss_as_6_alt.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - password: admin 4 | username: admin 5 | csrf: javax.faces.ViewState 6 | post: 7 | login_form: login_form 8 | login_form:submit: Login 9 | password: login_form:password 10 | username: login_form:name 11 | sessionid: JSESSIONID 12 | success: 13 | body: 14 | - Logout 15 | status: 200 16 | type: post 17 | url: 18 | - /admin-console/login.seam 19 | category: web 20 | contributor: ztgrace 21 | default_port: 8080 22 | fingerprint: 23 | body: 24 | - Welcome to the JBoss AS 6 Admin Console 25 | status: 200 26 | url: 27 | - /admin-console/login.seam 28 | name: JBoss AS 6 Alt 29 | ssl: false 30 | 
--------------------------------------------------------------------------------
/creds/http/general/jenkins.yml:
--------------------------------------------------------------------------------
# NOTE(review): this page lost all indentation; the nesting in this and the two
# following listings is restored from the key order and should be confirmed
# against the repository files.
# Empty username/password pair: the success pattern is the same dashboard
# pattern the fingerprint uses.
auth:
  credentials:
    - password: ''
      username: ''
  success:
    body:
      # Escaped brackets suggest these patterns are regular expressions - TODO confirm.
      - Dashboard \[Jenkins\]
    status: 200
  type: basic_auth
  url:
    - /
category: web
contributor: ztgrace
default_port: 8080
fingerprint:
  body:
    - Dashboard \[Jenkins\]
  status: 200
  url:
    - /
name: Jenkins
ssl: false
--------------------------------------------------------------------------------
/creds/http/general/kanboard.yml:
--------------------------------------------------------------------------------
auth:
  credentials:
    - password: admin
      username: admin
  csrf: csrf_token
  # Presumably maps each credential part to its login form field; the other
  # keys look like fixed form values - verify against the scanner.
  post:
    password: password
    remember_me: '1'
    username: username
  sessionid: KB_SID
  success:
    body:
      - Dashboard
    status: 200
  type: post
  url:
    - /?controller=auth&action=check
category: web
contributor: ztgrace
default_port: 80
fingerprint:
  body:
    # NOTE(review): if patterns are regular expressions, the unescaped "?" here
    # makes the leading "/" optional rather than matching a literal "?".
    - /?controller=auth&action=check
  status: 200
  url:
    - /?controller=auth&action=login
name: Kanboard
ssl: false
--------------------------------------------------------------------------------
/creds/http/general/makito_decoder.yml:
--------------------------------------------------------------------------------
auth:
  credentials:
    - password: "%89%F0%01%8F%D0%01%80%F0%01%85%D0%01%83%F0%01%83%E0%01%84%F0%01"
      username: admin
      ref: http://media.extron.com/download/files/drivers/haiv_44_7036_3.pdf
  post:
    action: login
    md5encrypted: 'no'
    password: password
    username: username
  success:
    body:
      # NOTE(review): file lines 14-23 are missing from this page (its line
      # gutter jumps from 13 to 24) and the pattern below is cut short; the
      # fragment is kept as found. The three lines after it sit under a key
      # that was lost - presumably `fingerprint`. Restore this listing from the
      # repository file before relying on it.
      - '>LogoutMAKITO Login
  status: 200
  url:
    - /cgi-bin/web.cgi
name: Makito Decoder
ssl: false
--------------------------------------------------------------------------------
/creds/http/general/netbackup_opscenter_analytics.yml:
--------------------------------------------------------------------------------
# NOTE(review): this page lost all indentation; the nesting in this and the
# following listings is restored from the key order and should be confirmed
# against the repository files.
auth:
  credentials:
    - password: password
      username: admin
  # csrf has no value here, so it loads as null.
  csrf:
  post:
    domain: OpsCenterUsers(vx)
    password: password
    save: Log In
    username: userName
  sessionid: JSESSIONID
  success:
    body:
      - 'document.location.href="/opscenter/homeLandingAction.do"'
    status: 200
  type: post
  url:
    - /opscenter/loadLogin.do
category: web
contributor: ztgrace
default_port: 443
fingerprint:
  body:
    - Symantec NetBackup OpsCenter Analytics
  status: 200
  url:
    - /opscenter/
name: NetBackup OpsCenter Analytics
ssl: true
--------------------------------------------------------------------------------
/creds/http/general/nexus_repository_manager.yml:
--------------------------------------------------------------------------------
auth:
  credentials:
    - password: admin123
      username: admin
  success:
    body:
      # NOTE(review): unquoted, this item loads as a YAML boolean rather than
      # text. This page appears to have lost markup from several patterns, so
      # confirm the intended pattern in the repository file and quote it.
      - true
    status: 200
  type: basic_auth
  url:
    - /service/local/authentication/login
    - /nexus/service/local/authentication/login
category: web
contributor: ztgrace
default_port: 8081
fingerprint:
  body:
    - Nexus Repository Manager
  status: 200
  url:
    - /
    - /nexus/
name: Nexus Repository Manager
ssl: false
--------------------------------------------------------------------------------
/creds/http/general/nortel_integrated_call_director.yml:
--------------------------------------------------------------------------------
auth:
  credentials:
    - password: admin
      username: admin
  post:
    password: password
    system: win32
    username: login
  success:
    body:
      # NOTE(review): the page breaks off inside the pattern below (file line
      # 11) and resumes at line 21 of a later listing whose name is Supermicro;
      # everything in between, including the path headers, is missing from this
      # page. The fragments are kept as found; the lines after the break sit
      # under a key that was lost - presumably `fingerprint`.
      - '
  status: 200
  url:
    - /
name: Supermicro
ssl: false
--------------------------------------------------------------------------------
/creds/http/general/teamcity_9_guest.yml:
--------------------------------------------------------------------------------
# Empty username/password pair checked against the guest login URL.
auth:
  credentials:
    - password: ''
      username: ''
  sessionid: TCSESSIONID
  success:
    body:
      - Projects — TeamCity
    status: 200
  type: basic_auth
  url:
    - /guestLogin.html?guest=1
category: web
contributor: ztgrace
default_port: 80
fingerprint:
  body:
    - Log in to TeamCity
  status: 200
  url:
    - /login.html
name: TeamCity 9 Guest
ssl: false
--------------------------------------------------------------------------------
/creds/http/general/teleopti_wfm.yml:
--------------------------------------------------------------------------------
auth:
  credentials:
    - raw: '{"granttype":"password","username":"admin@company.com","password":"admin"}'
      username: admin@company.com
      password: admin
  success:
    body:
      # NOTE(review): this pattern pins one literal AccessToken value. If the
      # server issues a different token per login the check would never match -
      # confirm, and match on the key names alone if so.
      - '"AccessToken":"C1F2BF74658F78E6928A2E8A2426BE6360720989","UserName"'
    status: 200
  type: raw_post
  url:
    - /TeleoptiWFM/Administration/Login
  # Placed under auth on the assumption that it matches the other entries that
  # carry a headers list - TODO confirm.
  headers:
    - Content-Type: application/json;charset=UTF-8
category: web
contributor: Graph-X
default_port: 80
fingerprint:
  body:
    - Teleopti WFM Administration
  status: 200
  url:
    - /TeleoptiWFM/Administration/
name: Teleopti WFM
ssl: false
--------------------------------------------------------------------------------
/creds/http/general/ubiquiti_edgeos.yml:
--------------------------------------------------------------------------------
auth:
  credentials:
    - username: ubnt
      password: ubnt
  post:
    username: username
    password: password
  sessionid: PHPSESSID
  success:
    body:
      - Please wait while the application loads
    status: 200
  type: post
  url:
    - /
  # Placed under auth by assumption, as in the Teleopti entry - TODO confirm.
  headers:
    - Content-Type: application/x-www-form-urlencoded
category: web
contributor: Gijutsu
fingerprint:
  body:
    - EdgeOS
  status: 200
  url:
    - /
name: Ubiquiti EdgeOS
default_port: 443
ssl: true
--------------------------------------------------------------------------------
/creds/http/general/video_web_server.yml:
--------------------------------------------------------------------------------
auth:
  credentials:
    - password: admin
      username: admin
  post:
    Submit: Submit
    password: password
    username: username
  success:
    body:
      - title="Next Channel"
    status: 200
  type: post
  url:
    - /home.htm
# This listing sits under creds/http/general/ but declares category webcam.
category: webcam
contributor: ztgrace
default_port: 80
fingerprint:
  body:
    - '--- VIDEO WEB SERVER ---'
  status: 200
  url:
    - /
name: Video Web Server
ssl: false
--------------------------------------------------------------------------------
/creds/http/general/weblogic.yml:
--------------------------------------------------------------------------------
auth:
  # Thirteen username/password pairs for one login form.
  # NOTE(review): when this many attempts run against one console, account
  # lockout on the audited host is worth checking first - the page does not
  # show how the scanner paces them.
  credentials:
    - username: system
      password: manager
    - username: weblogic
      password: weblogic1
    - username: WEBLOGIC
      password: WEBLOGIC
    - username: PUBLIC
      password: PUBLIC
    - username: EXAMPLES
      password: EXAMPLES
    - username: weblogic
      password: weblogic
    - username: system
      password: password
    - username: weblogic
      password: welcome(1)
    - username: system
      password: welcome(1)
    - username: operator
      password: weblogic
    - username: operator
      password: password
    - username: system
      password: Passw0rd
    - username: monitor
      password: password
  post:
    username: j_username
    password: j_password
    j_character_encoding: UTF-8
  sessionid: ADMINCONSOLESESSION
  success:
    body:
      - Logout
    status: 200
  type: post
  url:
    - /console/j_security_check
category: web
contributor: AlessandroZ
default_port: 7001
fingerprint:
  body:
    - Oracle WebLogic Server Administration Console
  status: 200
  url:
    - /console/login/LoginForm.jsp
name: Weblogic
ssl: false
--------------------------------------------------------------------------------
/creds/http/general/websphere.yml:
--------------------------------------------------------------------------------
auth:
  credentials:
    - password: manager
      username: system
  post:
    password: j_password
    submit: Login
    username: j_username
  sessionid: JSESSIONID
  success:
    body:
      - Logout
    status: 200
  type: post
  url:
    - /console/portal/Server/j_security_check
category: web
contributor: BuckyGoat
default_port: 8080
fingerprint:
  body:
    - Administrative Console Login
  status: 200
  url:
    - /console/portal/Server/Web%20Server
name: WebSphere
ssl: false
--------------------------------------------------------------------------------
/creds/http/general/zabbix.yml:
--------------------------------------------------------------------------------
auth:
  credentials:
    - password: zabbix
      username: Admin
  post:
    autologin: '1'
    enter: Sign in
    password: password
    request: ''
    username: name
  sessionid: zbx_sessionid
  success:
    body:
      - Logout
    status: 200
  type: post
  url:
    - /zabbix/index.php
category: web
contributor: ztgrace
default_port: 80
fingerprint:
  body:
    - by Zabbix SIA
  status: 200
  url:
    - /zabbix/index.php
name: Zabbix
ssl: false
--------------------------------------------------------------------------------
/creds/http/iot/heatmiser_wifi_thermostat.yml:
--------------------------------------------------------------------------------
auth:
  credentials:
    - password: admin
      username: admin
  headers:
    - Content-Type: application/x-www-form-urlencoded
  post:
    password: lgpw
    username: lgnm
  success:
    body:
      - document.logfm.lgst.value
    status: 200
  type: post
  url:
    - /
category: iot
contributor: ztgrace
default_port: 80
fingerprint:
  body:
    - Heatmiser Wifi Thermostat
  status: 200
  url:
    - /
name: Heatmiser Wifi Thermostat
protocol: http
ssl: false
--------------------------------------------------------------------------------
/creds/http/iot/proliphix_thermostat.yml:
--------------------------------------------------------------------------------
auth:
  credentials:
    - password: admin
      username: admin
  headers: []
  success:
    body:
      - Thermostat
    status: 200
  type: basic_auth
  url:
    - /index.shtml
category: iot
contributor: ztgrace
default_port: 8086
# Fingerprinted by the 401 challenge and its realm rather than by a body pattern.
fingerprint:
  basic_auth_realm: tstat
  status: 401
  url:
    - /index.shtml
name: Proliphix Thermostat
protocol: http
ssl: false
references:
  - http://www.proliphix.com/Collateral/Documents/English-US/Thermostat%20Installation%20Guide.pdf
--------------------------------------------------------------------------------
/creds/http/phone/polycom_vvx_500.yml:
--------------------------------------------------------------------------------
auth:
  credentials:
    # Quoted so the all-digit passwords stay strings.
    - password: '123'
      username: User
    - password: '456'
      username: Admin
  success:
    body:
      - Polycom - VVX 500 Configuration Utility
    status: 200
  type: basic_auth
  url:
    - /auth.htm
category: phone
contributor: ztgrace
default_port: 80
fingerprint:
  body:
    - Polycom Web Configuration Utility
  status: 200
  url:
    - /login.htm
name: Polycom VVX 500
ssl: false
-------------------------------------------------------------------------------- /creds/http/printer/brother_hl_series.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - password: access 4 | username: admin 5 | success: 6 | body: 7 | - Administrator Settings 8 | status: 200 9 | type: basic_auth 10 | url: 11 | - /admin/password.html 12 | category: printer 13 | contributor: ztgrace 14 | default_port: 80 15 | fingerprint: 16 | basic_auth_realm: Printer Config 17 | body: 18 | - <TITLE>Brother HL-[0-9]+[A-Z]{2} series 19 | status: 401 20 | url: 21 | - /admin/password.html 22 | name: Brother HL Series 23 | ssl: false 24 | -------------------------------------------------------------------------------- /creds/http/printer/canon_ir-adv.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - password: '7654321' 4 | username: '7654321' 5 | post: 6 | loginType: admin 7 | password: password 8 | password2: '' 9 | uri: /rps/ 10 | user_type_generic: '' 11 | username: deptid 12 | sessionid: sessionid 13 | success: 14 | body: 15 | -
16 | status: 200 17 | type: post 18 | url: 19 | - /login 20 | category: printer 21 | contributor: ztgrace 22 | default_port: 8000 23 | fingerprint: 24 | body: 25 | - 'Default Authentication : iR-ADV' 26 | status: 200 27 | url: 28 | - /rps/ 29 | name: Canon iR-ADV 30 | ssl: false 31 | -------------------------------------------------------------------------------- /creds/http/printer/hp_laserjet_600.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - password: '' 4 | username: '' 5 | sessionid: sessionId 6 | success: 7 | body: 8 | - Password is not set. 9 | status: 200 10 | type: basic_auth 11 | url: 12 | - /hp/device/GeneralSecurity/Index 13 | category: printer 14 | contributor: ztgrace 15 | default_port: 443 16 | fingerprint: 17 | body: 18 | - id="HomeDeviceName">HP LaserJet 19 | status: 200 20 | url: 21 | - /hp/device/GeneralSecurity/Index 22 | name: HP LaserJet 600 23 | ssl: true 24 | -------------------------------------------------------------------------------- /creds/http/printer/hp_laserjet_no_password.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - password: '' 4 | username: '' 5 | success: 6 | body: 7 | - <span id="Text8" class="hpPageText" >Not Configured</span></td> 8 | status: 200 9 | type: basic_auth 10 | url: 11 | - /hp/device/this.LCDispatcher?nav=hp.Security 12 | category: printer 13 | contributor: ztgrace 14 | default_port: 443 15 | fingerprint: 16 | body: 17 | - HP LaserJet 18 | status: 200 19 | url: 20 | - /hp/device/this.LCDispatcher?nav=hp.Security 21 | name: HP LaserJet No Password 22 | ssl: true 23 | -------------------------------------------------------------------------------- /creds/http/printer/hp_laserjet_no_password_legacy.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - password: '' 4 | username: '' 5 | success: 6 | body: 7 | - A 
security password can be set to prevent unauthorized users 8 | status: 200 9 | type: basic_auth 10 | url: 11 | - /hp/device/this.LCDispatcher?dispatch=html&cat=1&pos=3 12 | - /hp/device/this.LCDispatcher?dispatch=html&cat=1&pos=4 13 | category: printer 14 | contributor: ztgrace 15 | default_port: 443 16 | fingerprint: 17 | body: 18 | - hp LaserJet 19 | status: 200 20 | url: 21 | - /hp/device/this.LCDispatcher?dispatch=html&cat=1&pos=3 22 | - /hp/device/this.LCDispatcher?dispatch=html&cat=1&pos=4 23 | name: HP LaserJet No Password Legacy 24 | ssl: true 25 | -------------------------------------------------------------------------------- /creds/http/printer/ricoh_mp.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - password: '' 4 | username: supervisor 5 | post: 6 | open: '' 7 | password: password 8 | password_work: '' 9 | userid_work: '' 10 | username: userid 11 | wimToken: '995573576' 12 | sessionid: risessionid 13 | base64: true 14 | success: 15 | body: 16 | - Web Image Monitor 17 | status: 200 18 | type: post 19 | url: 20 | - /web/guest/en/websys/webArch/login.cgi 21 | category: printer 22 | contributor: ztgrace 23 | default_port: 80 24 | fingerprint: 25 | body: 26 | - title="Web Image Monitor" 27 | cookie: 28 | - cookieOnOffChecker: 'on' 29 | status: 200 30 | url: 31 | - /web/guest/en/websys/webArch/authForm.cgi 32 | name: Ricoh MP 33 | ssl: false 34 | -------------------------------------------------------------------------------- /creds/http/printer/xerox_phaser_6700.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - password: '1111' 4 | username: admin 5 | post: 6 | NextPage: /properties/authentication/luidLogin.php 7 | _fun_function: HTTP_Authenticate_fn 8 | frmaltDomain: default 9 | password: webPassword 10 | username: webUsername 11 | sessionid: PHPSESSID 12 | success: 13 | body: 14 | - window.opener.top.location.pathname 
15 | status: 200 16 | type: post 17 | url: 18 | - /userpost/xerox.set 19 | category: printer 20 | contributor: ztgrace 21 | default_port: 80 22 | fingerprint: 23 | body: 24 | - XEROX Phaser 6700 25 | status: 200 26 | url: 27 | - /header.php?tab=status 28 | name: XEROX Phaser 6700 29 | ssl: false 30 | -------------------------------------------------------------------------------- /creds/http/printer/xerox_workcentre_5020_dn.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - password: '' 4 | username: '11111' 5 | success: 6 | body: 7 | - IP Filtering 8 | status: 200 9 | type: basic_auth 10 | url: 11 | - /prscipfil.htm 12 | category: printer 13 | contributor: ztgrace 14 | default_port: 80 15 | fingerprint: 16 | body: 17 | - Xerox WorkCentre 5020/DN 18 | status: 200 19 | url: 20 | - /prop.htm 21 | name: Xerox WorkCentre 5020/DN 22 | ssl: false 23 | -------------------------------------------------------------------------------- /creds/http/webcam/maygion_camera.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - password: admin 4 | username: admin 5 | get: 6 | password: password 7 | pwd: admin 8 | username: user 9 | usr: admin 10 | success: 11 | body: 12 | - 10Admin 13 | status: 200 14 | type: get 15 | url: 16 | - /login.xml 17 | category: webcam 18 | contributor: ztgrace 19 | default_port: 81 20 | fingerprint: 21 | body: 22 | - GetXml\("login.xml\?"\+param,OnLoginAckOK,OnLoginAckFail\); 23 | status: 200 24 | url: 25 | - / 26 | name: MayGion Camera 27 | ssl: false 28 | -------------------------------------------------------------------------------- /creds/http/webcam/trendnet_internet_camera.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - password: admin 4 | username: admin 5 | success: 6 | body: 7 | - LIVE VIDEO 8 | status: 200 9 | type: basic_auth 10 | url: 11 | - 
/eng/liveView.cgi 12 | category: webcam 13 | contributor: ztgrace 14 | default_port: 80 15 | fingerprint: 16 | status: 401 17 | url: 18 | - /eng/liveView.cgi 19 | server_header: dcs-lig-httpd 20 | name: TRENDnet Internet Camera 21 | ssl: false 22 | -------------------------------------------------------------------------------- /creds/mongodb/noauth.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - username: 4 | password: 5 | category: mongodb 6 | default_port: 27017 7 | name: Mongodb noauth 8 | contributor: ztgrace 9 | -------------------------------------------------------------------------------- /creds/mssql/aris.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - username: ARIS9 4 | password: '*ARIS!1dm9n#' 5 | category: mssql 6 | default_port: 1433 7 | name: Aris 8 | contributor: ztgrace 9 | references: 10 | - https://www.ariscommunity.com/system/files/ARIS%20Server%20Installation%20and%20Administration%20Guide_0_0.pdf 11 | - https://github.com/govolution/betterdefaultpasslist/blob/master/mssql.txt 12 | -------------------------------------------------------------------------------- /creds/mssql/bosch_rps.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - username: sa 4 | password: RPSsql12345 5 | category: mssql 6 | default_port: 1433 7 | name: Bosch RPS 8 | contributor: ztgrace 9 | references: 10 | - https://github.com/govolution/betterdefaultpasslist/blob/master/mssql.txt 11 | - http://resource.boschsecurity.com/documents/RPS_InGuide_Installation_Manual_enUS_2596022155.pdf 12 | -------------------------------------------------------------------------------- /creds/mssql/cch.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - username: sa 4 | password: PracticeUser1 5 | category: mssql 6 | 
default_port: 1433 7 | name: CCH 8 | contributor: ztgrace 9 | references: 10 | - https://support.cch.com/kb/solution.aspx/sw29540 11 | - https://github.com/govolution/betterdefaultpasslist/blob/master/mssql.txt 12 | -------------------------------------------------------------------------------- /creds/mssql/easyWinArt.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - username: sa 4 | password: $easyWinArt4 5 | category: mssql 6 | default_port: 1433 7 | name: easyWinArt 8 | contributor: ztgrace 9 | references: 10 | - https://github.com/govolution/betterdefaultpasslist/blob/master/mssql.txt 11 | - http://www.auftragsbearbeitung-warenwirtschaft-pps.de/p/Handbuch/Installation/Installationsanleitung/ 12 | -------------------------------------------------------------------------------- /creds/mssql/emerson_ams.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - username: sa 4 | password: 42Emerson42Eme 5 | category: mssql 6 | default_port: 1433 7 | name: Emerson AMS 8 | contributor: ztgrace 9 | references: 10 | - https://github.com/govolution/betterdefaultpasslist/blob/master/mssql.txt 11 | - http://www.emerson.com/documents/automation/39924.pdf 12 | -------------------------------------------------------------------------------- /creds/mssql/geonetwork.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - username: admin 4 | password: gnos 5 | category: mssql 6 | default_port: 1433 7 | name: GeoNetwork 8 | contributor: ztgrace 9 | references: 10 | - https://github.com/govolution/betterdefaultpasslist/blob/master/mssql.txt 11 | - http://geonetwork-opensource.org/manuals/2.10.4/eng/users/quickstartguide/installing/index.html 12 | -------------------------------------------------------------------------------- /creds/mssql/i2b2_workbench.yml: 
-------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - username: I2b2metadata 4 | password: i2b2metadata 5 | - username: I2b2demodata 6 | password: i2b2demodata 7 | - username: I2b2workdata 8 | password: i2b2workdata 9 | - username: I2b2metadata2 10 | password: i2b2metadata2 11 | - username: I2b2demodata2 12 | password: i2b2demodata2 13 | - username: I2b2workdata2 14 | password: i2b2workdata2 15 | - username: I2b2hive 16 | password: i2b2hive 17 | category: mssql 18 | default_port: 1433 19 | name: i2b2 Workbench 20 | contributor: ztgrace 21 | references: 22 | - https://www.i2b2.org/software/projects/hivecore/Data_Installation_Guide_13.pdf 23 | - https://github.com/govolution/betterdefaultpasslist/blob/master/mssql.txt 24 | -------------------------------------------------------------------------------- /creds/mssql/ibm_maximo.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - username: maxadmin 4 | password: maxadmin 5 | - username: mxintadm 6 | password: mxintadm 7 | - username: maxreg 8 | password: maxreg 9 | category: mssql 10 | default_port: 1433 11 | name: IBM Maximo 12 | contributor: ztgrace 13 | references: 14 | - https://github.com/govolution/betterdefaultpasslist/blob/master/mssql.txt 15 | - https://www-01.ibm.com/support/docview.wss?uid=swg21645570 16 | - https://www.ibm.com/support/knowledgecenter/en/SSLKT6_7.5.0/com.ibm.mam.doc/install_was/t_ccmdb_manconfigfoundinst.html 17 | -------------------------------------------------------------------------------- /creds/mssql/ibm_was.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - username: wasadmin 4 | password: wasadmin 5 | category: mssql 6 | default_port: 1433 7 | name: IBM WAS 8 | contributor: ztgrace 9 | references: 10 | - 
https://www.ibm.com/support/knowledgecenter/en/SSQP76_8.7.0/com.ibm.odm.distrib.config.was/config_ds_res_was/tsk_was_before_res_config.html 11 | - https://github.com/govolution/betterdefaultpasslist/blob/master/mssql.txt 12 | -------------------------------------------------------------------------------- /creds/mssql/ihs_kingdom.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - username: sa 4 | password: $ei$micMicro 5 | category: mssql 6 | default_port: 1433 7 | name: IHS Kingdom 8 | contributor: ztgrace 9 | references: 10 | - https://github.com/govolution/betterdefaultpasslist/blob/master/mssql.txt 11 | - http://www.seismicmicro.com/productreleasedocumentation/kingdom/installationguide.pdf 12 | -------------------------------------------------------------------------------- /creds/mssql/lasa_aims.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - username: ADMIN 4 | password: AIMS 5 | - username: FB 6 | password: AIMS 7 | category: mssql 8 | default_port: 1433 9 | name: Lasa AIMS 10 | contributor: ztgrace 11 | references: 12 | - https://github.com/govolution/betterdefaultpasslist/blob/master/mssql.txt 13 | - http://www.lasa.org.uk/uploads/aims/Installation_Guides/SQL_Server_Installation_Guide.pdf 14 | -------------------------------------------------------------------------------- /creds/mssql/lenel_onguard.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - username: LENEL 4 | password: MULTIMEDIA 5 | category: mssql 6 | default_port: 1433 7 | name: Lenel OnGuard 8 | contributor: ztgrace 9 | references: 10 | - http://kb.lenel.com/cd/12/articlesImport/1098.PDF 11 | - https://github.com/govolution/betterdefaultpasslist/blob/master/mssql.txt 12 | -------------------------------------------------------------------------------- /creds/mssql/mediaportal.yml: 
-------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - username: sa 4 | password: M3d!aP0rtal 5 | category: mssql 6 | default_port: 1433 7 | name: MediaPortal 8 | contributor: ztgrace 9 | references: 10 | - https://www.team-mediaportal.com/wiki/display/MediaPortal1/SQL+Server+2008 11 | - https://github.com/govolution/betterdefaultpasslist/blob/master/mssql.txt 12 | -------------------------------------------------------------------------------- /creds/mssql/medocheck.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - username: mcUser 4 | password: medocheck123 5 | category: mssql 6 | default_port: 1433 7 | name: medo.check 8 | contributor: ztgrace 9 | references: 10 | - http://www.medocheck.com/site/assets/files/1440/kurzanleitung_mysql-server_fuer_medo_check.pdf 11 | - https://github.com/govolution/betterdefaultpasslist/blob/master/mssql.txt 12 | -------------------------------------------------------------------------------- /creds/mssql/micro_focus_silk_central.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - username: sa 4 | password: SilkCentral12!34 5 | category: mssql 6 | default_port: 1433 7 | name: Micro Focus Silk Central 8 | contributor: ztgrace 9 | references: 10 | - https://github.com/govolution/betterdefaultpasslist/blob/master/mssql.txt 11 | - http://documentation.microfocus.com/help/index.jsp?topic=%2Fcom.microfocus.sctm.doc%2FSCTM-CBA0F2AF-DATABASESETTINGSPAGE-REF.html 12 | -------------------------------------------------------------------------------- /creds/mssql/mssql.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - username: sa 4 | password: '' 5 | - username: sa 6 | password: sa 7 | - username: sa 8 | password: Password123 9 | - username: sa 10 | password: password 11 | - 
username: ADONI 12 | password: BPMS 13 | ref: https://github.com/govolution/betterdefaultpasslist/blob/master/mssql.txt 14 | - username: sa 15 | password: sqlserver 16 | category: mssql 17 | default_port: 1433 18 | name: MSSQL 19 | contributor: AlessandroZ, ztgrace 20 | references: 21 | - https://github.com/govolution/betterdefaultpasslist/blob/master/mssql.txt 22 | -------------------------------------------------------------------------------- /creds/mssql/napco_continental_access.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - username: sa 4 | password: cic 5 | - username: cic 6 | password: cic 7 | - username: sa 8 | password: cic!23456789 9 | - username: cic 10 | password: cic!23456789 11 | - username: sa 12 | password: Cic!23456789 13 | - username: cic 14 | password: Cic!23456789 15 | category: mssql 16 | default_port: 1433 17 | name: Napco Continental Access 18 | contributor: ztgrace 19 | references: 20 | - http://www.napcosecurity.com/download/tg04L2RevB.pdf 21 | - https://github.com/govolution/betterdefaultpasslist/blob/master/mssql.txt 22 | -------------------------------------------------------------------------------- /creds/mssql/netxms.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - username: admin 4 | password: netxms 5 | category: mssql 6 | default_port: 1433 7 | name: NetXMS 8 | contributor: ztgrace 9 | references: 10 | - https://wiki.netxms.org/wiki/Server_Installation_Guide 11 | - https://github.com/govolution/betterdefaultpasslist/blob/master/mssql.txt 12 | -------------------------------------------------------------------------------- /creds/mssql/opengts.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - username: gts 4 | password: opengts 5 | category: mssql 6 | default_port: 1433 7 | name: OpenGTS 8 | contributor: ztgrace 9 | 
references: 10 | - http://opengts.sourceforge.net/OpenGTS_Config.pdf 11 | - https://github.com/govolution/betterdefaultpasslist/blob/master/mssql.txt 12 | -------------------------------------------------------------------------------- /creds/mssql/safenet_sentinel_ems.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - username: sa 4 | password: DBA!sa@EMSDB123 5 | category: mssql 6 | default_port: 1433 7 | name: SafeNet Sentinel EMS 8 | contributor: ztgrace 9 | references: 10 | - http://sentinelldk.safenet-inc.com/LDKdocs/Install/Installation%20Guide/Troubleshooting/Troubleshooting.htm 11 | - https://github.com/govolution/betterdefaultpasslist/blob/master/mssql.txt 12 | -------------------------------------------------------------------------------- /creds/mssql/schlage_sms.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - username: sa 4 | password: SECAdmin1 5 | - username: SMSAdmin 6 | password: SECAdmin1 7 | category: mssql 8 | default_port: 1433 9 | name: Schlage SMS 10 | contributor: ztgrace 11 | references: 12 | - http://protechsecurity.us/wp-content/uploads/2013/12/IR-Schlage-Security-Management-System-V5.3.pdf 13 | - http://us.allegion.com/content/dam/allegion-us-2/web-documents-2/UserGuide/Schlage_Campus_Lock_Keycard_Center_User_Guide_108225.pdf 14 | - https://github.com/govolution/betterdefaultpasslist/blob/master/mssql.txt 15 | -------------------------------------------------------------------------------- /creds/mssql/skf.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - username: sa 4 | password: skf_admin1 5 | category: mssql 6 | default_port: 1433 7 | name: SKF @ptitude Analyst 8 | contributor: AlessandroZ, ztgrace 9 | references: 10 | - https://github.com/govolution/betterdefaultpasslist/blob/master/mssql.txt 11 | - 
http://www.skf.com/binary/79-267781/AA_2013_323124d0_IM-EN.pdf 12 | -------------------------------------------------------------------------------- /creds/mssql/splendidcrm.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - username: sa 4 | password: splendidcrm2005 5 | category: mssql 6 | default_port: 1433 7 | name: SplendidCRM 8 | contributor: ztgrace 9 | references: 10 | - http://www.splendidcrm.com/Documentation/tabid/233/rvdwktid/deployment-guide-528/Default.aspx 11 | - https://github.com/govolution/betterdefaultpasslist/blob/master/mssql.txt 12 | -------------------------------------------------------------------------------- /creds/mssql/telestream_vantage.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - username: sa 4 | password: vantage12! 5 | category: mssql 6 | default_port: 1433 7 | name: Telestream Vantage 8 | contributor: ztgrace 9 | references: 10 | - https://www.telestream.net/pdfs/app-notes/app_Vantage_DatabaseSetup.pdf 11 | - https://github.com/govolution/betterdefaultpasslist/blob/master/mssql.txt 12 | -------------------------------------------------------------------------------- /creds/mssql/timeforce.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - username: sa 4 | password: Dr8gedog 5 | - username: sa 6 | password: dr8gedog 7 | category: mssql 8 | default_port: 1433 9 | name: TimeForce 10 | contributor: ztgrace 11 | references: 12 | - https://www.mytimeforce.com/images/videos/support/training/kb/docs/internal/support/time/TIMEFORCE1Migration.pdf 13 | - https://github.com/govolution/betterdefaultpasslist/blob/master/mssql.txt 14 | -------------------------------------------------------------------------------- /creds/mssql/utc.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | 
credentials: 3 | - username: sa 4 | password: SecurityMaster08 5 | category: mssql 6 | default_port: 1433 7 | name: UTC FCWnx 8 | contributor: ztgrace 9 | references: 10 | - http://www.bernationalcontrols.com/support_docs/Access/Lenel/Facility%20Commander%20Wnx%207.7%20User%20Manual.pdf 11 | - https://github.com/govolution/betterdefaultpasslist/blob/master/mssql.txt 12 | -------------------------------------------------------------------------------- /creds/mssql/video_insight.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - username: sa 4 | password: V4in$ight 5 | category: mssql 6 | default_port: 1433 7 | name: Video Insight 8 | contributor: ztgrace 9 | references: 10 | - http://www.video-insight.com/kb/pdf.php?cat=15&id=111&artlang=en 11 | - https://github.com/govolution/betterdefaultpasslist/blob/master/mssql.txt 12 | -------------------------------------------------------------------------------- /creds/mssql/welchallyn.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - username: sa 4 | password: Cardio.Perfect 5 | category: mssql 6 | default_port: 1433 7 | name: WelchAllyn CardioPerfect 8 | contributor: ztgrace 9 | references: 10 | - https://www.welchallyn.com/content/dam/welchallyn/documents/sap-documents/LIT/80013/80013928LITPDF.pdf 11 | - https://github.com/govolution/betterdefaultpasslist/blob/master/mssql.txt 12 | -------------------------------------------------------------------------------- /creds/mssql/wonderware_historian.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - username: aaAdmin 4 | password: pwAdmin 5 | - username: aaPower 6 | password: pwPower 7 | - username: aaUser 8 | password: pwUser 9 | - username: aadbo 10 | password: pwddbo 11 | - username: wwUser 12 | password: wwUser 13 | - username: wwPower 14 | password: wwPower 15 | - 
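username: wwAdmin
16 |     password: wwAdmin
17 |   - username: wwdbo
18 |     password: wwdbo
19 | category: mssql
20 | default_port: 1433
21 | name: Wonderware Historian
22 | contributor: ztgrace
23 | references:
24 | - http://platforma.astor.com.pl/files/getfile/id/3781
25 | - https://github.com/govolution/betterdefaultpasslist/blob/master/mssql.txt
26 | 
--------------------------------------------------------------------------------
/creds/mysql/mysql.yml:
--------------------------------------------------------------------------------
1 | auth:
2 |   credentials:
3 |   - username: root
4 |     password: root
5 | category: mysql  # aligned with the creds/mysql/ path and port 3306; presumably selects the scanner, verify against schema.py
6 | default_port: 3306
7 | name: MySQL
8 | contributor: ztgrace
9 | 
--------------------------------------------------------------------------------
/creds/postgres/ambari.yml:
--------------------------------------------------------------------------------
1 | auth:
2 |   credentials:
3 |   - username: ambari
4 |     password: bigdata
5 | category: postgres
6 | default_port: 5432
7 | name: postgres  # NOTE(review): same name as creds/postgres/postgres.yml; a distinct name would presumably keep report entries apart, confirm
8 | contributor: ztgrace
9 | ref: https://discuss.pivotal.io/hc/en-us/articles/217649658-How-to-connect-to-Ambari-s-PostgreSQL-database-
10 | 
--------------------------------------------------------------------------------
/creds/postgres/msf.yml:
--------------------------------------------------------------------------------
1 | auth:
2 |   credentials:
3 |   - username: msf
4 |     password: msf
5 |   - username: msfdev
6 |     password: msfdev
7 | category: postgres  # aligned with the sibling creds/postgres/ files and port 5432
8 | default_port: 5432
9 | name: metasploit
10 | contributor: ztgrace
11 | 
--------------------------------------------------------------------------------
/creds/postgres/postgres.yml:
--------------------------------------------------------------------------------
1 | auth:
2 |   credentials:
3 |   - username: postgres
4 |     password: postgres
5 | category: postgres
6 | default_port: 5432
7 | name: postgres
8 | contributor: ztgrace
9 | 
--------------------------------------------------------------------------------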
/creds/redis/redis.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - username: 4 | password: 5 | category: redis 6 | default_port: 6379 7 | name: Redis 8 | contributor: ztgrace 9 | -------------------------------------------------------------------------------- /creds/snmp/apc.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - username: 4 | password: TENmanUFactOryPOWER 5 | category: snmp 6 | default_port: 161 7 | name: APC SmartSlot 8 | contributor: ztgrace 9 | references: 10 | - http://www.securityfocus.com/archive/1/354230 11 | -------------------------------------------------------------------------------- /creds/snmp/cisco_guard.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - username: 4 | password: riverhead 5 | category: snmp 6 | default_port: 161 7 | name: Cisco Guard 8 | contributor: ztgrace 9 | references: 10 | - https://www.cisco.com/en/US/products/ps5888/prod_release_note09186a0080237333.html 11 | -------------------------------------------------------------------------------- /creds/snmp/common.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - username: 4 | password: 0 5 | - username: 6 | password: 0392a0 7 | - username: 8 | password: 1234 9 | - username: 10 | password: 2read 11 | - username: 12 | password: 4changes 13 | - username: 14 | password: access 15 | - username: 16 | password: adm 17 | - username: 18 | password: admin 19 | - username: 20 | password: Admin 21 | - username: 22 | password: agent 23 | - username: 24 | password: agent_steal 25 | - username: 26 | password: all 27 | - username: 28 | password: all 29 | - username: 30 | password: private 31 | - username: 32 | password: all 33 | - username: 34 | password: ANYCOM 35 | - username: 36 | password: apc 37 | - username: 
38 | password: bintec 39 | - username: 40 | password: blue 41 | - username: 42 | password: c 43 | - username: 44 | password: C0de 45 | - username: 46 | password: cable-d 47 | - username: 48 | password: canon_admin 49 | - username: 50 | password: cc 51 | - username: 52 | password: cisco 53 | - username: 54 | password: CISCO 55 | - username: 56 | password: community 57 | - username: 58 | password: core 59 | - username: 60 | password: CR52401 61 | - username: 62 | password: debug 63 | - username: 64 | password: default 65 | - username: 66 | password: dilbert 67 | - username: 68 | password: enable 69 | - username: 70 | password: field 71 | - username: 72 | password: field-service 73 | - username: 74 | password: freekevin 75 | - username: 76 | password: fubar 77 | - username: 78 | password: guest 79 | - username: 80 | password: hello 81 | - username: 82 | password: hp_admin 83 | - username: 84 | password: ibm 85 | - username: 86 | password: IBM 87 | - username: 88 | password: ilmi 89 | - username: 90 | password: ILMI 91 | - username: 92 | password: intermec 93 | - username: 94 | password: Intermec 95 | - username: 96 | password: internal 97 | - username: 98 | password: l2 99 | - username: 100 | password: l3 101 | - username: 102 | password: manager 103 | - username: 104 | password: mngt 105 | - username: 106 | password: monitor 107 | - username: 108 | password: netman 109 | - username: 110 | password: network 111 | - username: 112 | password: NoGaH$@! 
113 | - username: 114 | password: none 115 | - username: 116 | password: openview 117 | - username: 118 | password: OrigEquipMfr 119 | - username: 120 | password: pass 121 | - username: 122 | password: password 123 | - username: 124 | password: pr1v4t3 125 | - username: 126 | password: Private 127 | - username: 128 | password: PRIVATE 129 | - username: 130 | password: proxy 131 | - username: 132 | password: publ1c 133 | - username: 134 | password: public 135 | - username: 136 | password: Public 137 | - username: 138 | password: PUBLIC 139 | - username: 140 | password: read 141 | - username: 142 | password: read-only 143 | - username: 144 | password: readwrite 145 | - username: 146 | password: read-write 147 | - username: 148 | password: red 149 | - username: 150 | password: regional 151 | - username: 152 | password: rmon 153 | - username: 154 | password: rmon_admin 155 | - username: 156 | password: ro 157 | - username: 158 | password: root 159 | - username: 160 | password: router 161 | - username: 162 | password: rw 163 | - username: 164 | password: rwa 165 | - username: 166 | password: s!a@m#n$p%c 167 | - username: 168 | password: sanfran 169 | - username: 170 | password: san-fran 171 | - username: 172 | password: scotty 173 | - username: 174 | password: secret 175 | - username: 176 | password: Secret 177 | - username: 178 | password: SECRET 179 | - username: 180 | password: security 181 | - username: 182 | password: Security 183 | - username: 184 | password: SECURITY 185 | - username: 186 | password: seri 187 | - username: 188 | password: snmp 189 | - username: 190 | password: SNMP 191 | - username: 192 | password: snmpd 193 | - username: 194 | password: snmptrap 195 | - username: 196 | password: SNMP_trap 197 | - username: 198 | password: solaris 199 | - username: 200 | password: sun 201 | - username: 202 | password: SUN 203 | - username: 204 | password: superuser 205 | - username: 206 | password: switch 207 | - username: 208 | password: Switch 209 | - username: 
210 | password: SWITCH 211 | - username: 212 | password: system 213 | - username: 214 | password: System 215 | - username: 216 | password: SYSTEM 217 | - username: 218 | password: tech 219 | - username: 220 | password: test 221 | - username: 222 | password: TEST 223 | - username: 224 | password: test2 225 | - username: 226 | password: tiv0li 227 | - username: 228 | password: tivoli 229 | - username: 230 | password: trap 231 | - username: 232 | password: world 233 | - username: 234 | password: write 235 | - username: 236 | password: xyzzy 237 | - username: 238 | password: yellow 239 | category: snmp 240 | default_port: 161 241 | name: SNMP 242 | contributor: ztgrace 243 | references: 244 | - https://github.com/danielmiessler/SecLists/blob/master/Miscellaneous/wordlist-common-snmp-community-strings.txt 245 | - https://github.com/rapid7/metasploit-framework/blob/master/data/wordlists/snmp_default_pass.txt 246 | -------------------------------------------------------------------------------- /creds/snmp/public_private.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - username: 4 | password: public 5 | - username: 6 | password: private 7 | category: snmp 8 | default_port: 161 9 | name: publicprivate 10 | contributor: ztgrace 11 | -------------------------------------------------------------------------------- /creds/ssh/Modern_IE.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - username: IEUser 4 | password: D@rj33l1ng 5 | category: ssh 6 | default_port: 22 7 | name: modern.ie 8 | contributor: ztgrace 9 | references: 10 | - https://twitter.com/0rbz_/status/914171719652401152 11 | -------------------------------------------------------------------------------- /creds/ssh/antsle.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - username: root 4 | password: antsle 5 | 
category: ssh 6 | default_port: 22 7 | name: antsle 8 | contributor: ztgrace 9 | references: 10 | - http://docs.antsle.com/defaultpw/ 11 | -------------------------------------------------------------------------------- /creds/ssh/apple_jailbroken_device.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - username: root 4 | password: alpine 5 | - username: root 6 | password: dottie 7 | category: ssh 8 | default_port: 22 9 | name: Apple Jailbroken Device 10 | contributor: ztgrace 11 | references: 12 | - https://www.cultofmac.com/20871/how-to-change-your-iphones-default-ssh-password/ 13 | -------------------------------------------------------------------------------- /creds/ssh/att_arris.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - username: remotessh 4 | password: 5SaP9I26 5 | category: ssh 6 | default_port: 22 7 | name: AT&T Arris NVG589 & NVG599 (SharknAT&To) 8 | contributor: ztgrace 9 | references: 10 | - https://www.nomotion.net/blog/sharknatto/ 11 | -------------------------------------------------------------------------------- /creds/ssh/cisco.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - username: cisco 4 | password: cisco 5 | - username: pix 6 | password: cisco 7 | category: ssh 8 | default_port: 22 9 | name: Cisco 10 | contributor: ztgrace 11 | references: 12 | - https://www.tunnelsup.com/default-password-cisco-firewall/ 13 | -------------------------------------------------------------------------------- /creds/ssh/cisco_aironet.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - username: Cisco 4 | password: Cisco 5 | category: ssh 6 | default_port: 22 7 | name: Cisco Aironet 8 | contributor: ztgrace 9 | references: 10 | - 
https://www.cisco.com/c/en/us/td/docs/wireless/access_point/1300/quick/guide/br13qsg.html 11 | -------------------------------------------------------------------------------- /creds/ssh/hipchat.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - username: admin 4 | password: hipchat 5 | category: ssh 6 | default_port: 22 7 | name: HipChat Server 8 | contributor: ztgrace 9 | references: 10 | - https://confluence.atlassian.com/hipchatkb/how-to-change-the-username-and-the-ssh-password-for-the-admin-user-875608217.html 11 | -------------------------------------------------------------------------------- /creds/ssh/ibm_storwize_v7000.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - username: admin 4 | password: admin0001 5 | - username: superuser 6 | password: passw0rd 7 | - username: root 8 | password: Passw0rd 9 | category: ssh 10 | default_port: 22 11 | name: IBM Storwize V7000 Unified 12 | contributor: ztgrace 13 | references: 14 | - https://www.ibm.com/support/knowledgecenter/ST5Q4U_1.6.2/com.ibm.storwize.v7000.unified.162.doc/ifs_132_changedefaultpasswords11142011.html 15 | -------------------------------------------------------------------------------- /creds/ssh/raspberry_pi.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - username: pi 4 | password: raspberry 5 | category: ssh 6 | default_port: 22 7 | name: Raspberry Pi 8 | contributor: ztgrace 9 | -------------------------------------------------------------------------------- /creds/ssh/ssh.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - username: root 4 | password: password 5 | - username: root 6 | password: root 7 | - username: admin 8 | password: password 9 | - username: admin 10 | password: admin 11 | category: ssh 12 | 
default_port: 22 13 | name: ssh 14 | contributor: AlessandroZ, Joe Testa 15 | -------------------------------------------------------------------------------- /creds/ssh_key/array_networks_vxag.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - password: '-----BEGIN DSA PRIVATE KEY----- 4 | 5 | MIIBugIBAAKBgQCUw7F/vKJT2Xsq+fIPVxNC/Dyk+dN9DWQT5RO56eIQasd+h6Fm 6 | 7 | q1qtQrJ/DOe3VjfUrSm7NN5NoIGOrGCSuQFthFmq+9Lpt6WIykB4mau5iE5orbKM 8 | 9 | xTfyu8LtntoikYKrlMB+UrmKDidvZ+7oWiC14imT+Px/3Q7naj0UmOrSTwIVAO25 10 | 11 | Yf3SYNtTYv8yzaV+X9yNr/AfAoGADAcEh2bdsrDhwhXtVi1L3cFQx1KpN0B07JLr 12 | 13 | gJzJcDLUrwmlMUmrXR2obDGfVQh46EFMeo/k3IESw2zJUS58FJW+sKZ4noSwRZPq 14 | 15 | mpBnERKpLOTcWMxUyV8ETsz+9oz71YEMjmR1qvNYAopXf5Yy+4Zq3bgqmMMQyM+K 16 | 17 | O1PdlCkCgYBmhSl9CVPgVMv1xO8DAHVhM1huIIK8mNFrzMJz+JXzBx81ms1kWSeQ 18 | 19 | OC/nraaXFTBlqiQsvB8tzr4xZdbaI/QzVLKNAF5C8BJ4ScNlTIx1aZJwyMil8Nzb 20 | 21 | +0YAsw5Ja+bEZZvEVlAYnd10qRWrPeEY1txLMmX3wDa+JvJL7fmuBgIUZoXsJnzs 22 | 23 | +sqSEhA35Le2kC4Y1/A= 24 | 25 | -----END DSA PRIVATE KEY----- 26 | 27 | ' 28 | username: sync 29 | category: ssh 30 | contributor: ztgrace, hdmoore 31 | default_port: 22 32 | name: Array Networks vxAG 33 | references: 34 | - https://packetstormsecurity.com/files/125761/Array-Networks-vxAG-xAPV-Privilege-Escalation.html 35 | - https://github.com/rapid7/ssh-badkeys 36 | -------------------------------------------------------------------------------- /creds/ssh_key/barracuda_load_balancer.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - password: '----BEGIN DSA PRIVATE KEY----- 4 | 5 | MIIBuwIBAAKBgQDKuRHCBXXwoyWpMkJz/wQafaHOpqWmVYLn9GZ6eQuNLcIhtZQE 6 | 7 | kCWZTNajgf4ZAVmHgQh1JHDixJ1V0mcweti/lvyxiqHap7IkD0a+ewAOoz3OpjQZ 8 | 9 | 3ox2ovHEnQJfZ/9LNiEI3XK8TPAj6trhMn5tCdwFei6228a+TYBOccTPgwIVAKYW 10 | 11 | T8ztHHaN7Gwn0I6keQfBSNw1AoGAHYNfKAcqf7Y4wyoVoZpr/h21SETpEaksQb7h 12 | 13 | 
GRJnFpYN/JiyE9W8nX6UqLv1eKyOXLccAnyda0a+uqcOhsAq8+H15slZYa4+065L 14 | 15 | ckPfs0V4cpxeMHTT1hK4TR2/LRpUjhYjgXFE5aLl91f5Gug5HemUK2S0BWh/oI38 16 | 17 | k2WfNh0CgYEArsJgp7RLPOsCeLqoia/eljseBFVDazO5Q0ysUotTw9wgXGGVWREw 18 | 19 | m8wNggFNb9eCiBAAUfVZVfhVAtFT0pBf/eIVLPXyaMw3prBt7LqeBrbagODc3WAA 20 | 21 | dMTPIdYYcOKgv+YvTXa51zG64v6pQOfS8WXgKCzDl44puXfYeDk5lVQCFAPfgalL 22 | 23 | +FT93tofXMuNVfeQMLJl 24 | 25 | -----END DSA PRIVATE KEY----- 26 | 27 | ' 28 | username: cluster 29 | category: ssh 30 | contributor: ztgrace, hdmoore 31 | default_port: 8002 32 | name: Barracuda Load Balancer ADC VM 33 | references: 34 | - http://seclists.org/fulldisclosure/2015/Jan/76 35 | - https://github.com/rapid7/ssh-badkeys 36 | -------------------------------------------------------------------------------- /creds/ssh_key/ceragon-fibeair.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - password: '-----BEGIN RSA PRIVATE KEY----- 4 | 5 | MIICWwIBAAKBgQDBEh0OUdoiplc0P+XW8VPu57etz8O9eHbLHkQW27EZBEdXEYxr 6 | 7 | MOFXi+PkA0ZcNDBRgjSJmHpo5WsPLwj/L3/L5gMYK+yeqsNu48ONbbqzZsFdaBQ+ 8 | 9 | IL3dPdMDovYo7GFVyXuaWMQ4hgAJEc+kk1hUaGKcLENQf0vEyt01eA/k6QIBIwKB 10 | 11 | gQCwhZbohVm5R6AvxWRsv2KuiraQSO16B70ResHpA2AW31crCLrlqQiKjoc23mw3 12 | 13 | CyTcztDy1I0stH8j0zts+DpSbYZnWKSb5hxhl/w96yNYPUJaTatgcPB46xOBDsgv 14 | 15 | 4Lf4GGt3gsQFvuTUArIf6MCJiUn4AQA9Q96QyCH/g4mdiwJBAPHdYgTDiQcpUAbY 16 | 17 | SanIpq7XFeKXBPgRbAN57fTwzWVDyFHwvVUrpqc+SSwfzhsaNpE3IpLD9RqOyEr6 18 | 19 | B8YrC2UCQQDMWrUeNQsf6xQer2AKw2Q06bTAicetJWz5O8CF2mcpVFYc1VJMkiuV 20 | 21 | 93gCvQORq4dpApJYZxhigY4k/f46BlU1AkAbpEW3Zs3U7sdRPUo/SiGtlOyO7LAc 22 | 23 | WcMzmOf+vG8+xesCDOJwIj7uisaIsy1/cLXHdAPzhBwDCQDyoDtnGty7AkEAnaUP 24 | 25 | YHIP5Ww0F6vcYBMSybuaEN9Q5KfXuPOUhIPpLoLjWBJGzVrRKou0WeJElPIJX6Ll 26 | 27 | 7GzJqxN8SGwqhIiK3wJAOQ2Hm068EicG5WQoS+8+KIE/SVHWmFDvet+f1vgDchvT 28 | 29 | uPa5zx2eZ2rxP1pXHAdBSgh799hCF60eZZtlWnNqLg== 30 | 31 | -----END RSA PRIVATE KEY----- 32 | 33 | ' 34 | 
username: mateidu 35 | category: ssh 36 | contributor: ztgrace, hdmoore 37 | default_port: 22 38 | name: Ceragon FibeAir IP-10 39 | references: 40 | - https://gist.github.com/todb-r7/5d86ecc8118f9eeecc15 41 | - https://github.com/rapid7/ssh-badkeys/ 42 | -------------------------------------------------------------------------------- /creds/ssh_key/exagrid.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - password: '-----BEGIN RSA PRIVATE KEY----- 4 | 5 | MIICWAIBAAKBgGdlD7qeGU9f8mdfmLmFemWMnz1tKeeuxKznWFI+6gkaagqjAF10 6 | 7 | hIruzXQAik7TEBYZyvw9SvYU6MQFsMeqVHGhcXQ5yaz3G/eqX0RhRDn5T4zoHKZa 8 | 9 | E1MU86zqAUdSXwHDe3pz5JEoGl9EUHTLMGP13T3eBJ19MAWjP7Iuji9HAgElAoGA 10 | 11 | GSZrnBieX2pdjsQ55/AJA/HF3oJWTRysYWi0nmJUmm41eDV8oRxXl2qFAIqCgeBQ 12 | 13 | BWA4SzGA77/ll3cBfKzkG1Q3OiVG/YJPOYLp7127zh337hhHZyzTiSjMPFVcanrg 14 | 15 | AciYw3X0z2GP9ymWGOnIbOsucdhnbHPuSORASPOUOn0CQQC07Acq53rf3iQIkJ9Y 16 | 17 | iYZd6xnZeZugaX51gQzKgN1QJ1y2sfTfLV6AwsPnieo7+vw2yk+Hl1i5uG9+XkTs 18 | 19 | Ry45AkEAkk0MPL5YxqLKwH6wh2FHytr1jmENOkQu97k2TsuX0CzzDQApIY/eFkCj 20 | 21 | QAgkI282MRsaTosxkYeG7ErsA5BJfwJAMOXYbHXp26PSYy4BjYzz4ggwf/dafmGz 22 | 23 | ebQs+HXa8xGOreroPFFzfL8Eg8Ro0fDOi1lF7Ut/w330nrGxw1GCHQJAYtodBnLG 24 | 25 | XLMvDHFG2AN1spPyBkGTUOH2OK2TZawoTmOPd3ymK28LriuskwxrceNb96qHZYCk 26 | 27 | 86DC8q8p2OTzYwJANXzRM0SGTqSDMnnid7PGlivaQqfpPOx8MiFR/cGr2dT1HD7y 28 | 29 | x6f/85mMeTqamSxjTJqALHeKPYWyzeSnUrp+Eg== 30 | 31 | -----END RSA PRIVATE KEY----- 32 | 33 | ' 34 | username: root 35 | category: ssh 36 | contributor: ztgrace 37 | default_port: 22 38 | name: Exagrid 39 | references: 40 | - https://community.rapid7.com/community/infosec/blog/2016/04/07/r7-2016-04-exagrid-backdoor-ssh-keys-and-hardcoded-credentials 41 | -------------------------------------------------------------------------------- /creds/ssh_key/f5_big-ip.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 
| - password: '-----BEGIN RSA PRIVATE KEY----- 4 | 5 | MIICWgIBAAKBgQC8iELmyRPPHIeJ//uLLfKHG4rr84HXeGM+quySiCRgWtxbw4rh 6 | 7 | UlP7n4XHvB3ixAKdWfys2pqHD/Hqx9w4wMj9e+fjIpTi3xOdh/YylRWvid3Pf0vk 8 | 9 | OzWftKLWbay5Q3FZsq/nwjz40yGW3YhOtpK5NTQ0bKZY5zz4s2L4wdd0uQIBIwKB 10 | 11 | gBWL6mOEsc6G6uszMrDSDRbBUbSQ26OYuuKXMPrNuwOynNdJjDcCGDoDmkK2adDF 12 | 13 | 8auVQXLXJ5poOOeh0AZ8br2vnk3hZd9mnF+uyDB3PO/tqpXOrpzSyuITy5LJZBBv 14 | 15 | 7r7kqhyBs0vuSdL/D+i1DHYf0nv2Ps4aspoBVumuQid7AkEA+tD3RDashPmoQJvM 16 | 17 | 2oWS7PO6ljUVXszuhHdUOaFtx60ZOg0OVwnh+NBbbszGpsOwwEE+OqrKMTZjYg3s 18 | 19 | 37+x/wJBAMBtwmoi05hBsA4Cvac66T1Vdhie8qf5dwL2PdHfu6hbOifSX/xSPnVL 20 | 21 | RTbwU9+h/t6BOYdWA0xr0cWcjy1U6UcCQQDBfKF9w8bqPO+CTE2SoY6ZiNHEVNX4 22 | 23 | rLf/ycShfIfjLcMA5YAXQiNZisow5xznC/1hHGM0kmF2a8kCf8VcJio5AkBi9p5/ 24 | 25 | uiOtY5xe+hhkofRLbce05AfEGeVvPM9V/gi8+7eCMa209xjOm70yMnRHIBys8gBU 26 | 27 | Ot0f/O+KM0JR0+WvAkAskPvTXevY5wkp5mYXMBlUqEd7R3vGBV/qp4BldW5l0N4G 28 | 29 | LesWvIh6+moTbFuPRoQnGO2P6D7Q5sPPqgqyefZS 30 | 31 | -----END RSA PRIVATE KEY----- 32 | 33 | ' 34 | username: root 35 | category: ssh 36 | contributor: ztgrace 37 | default_port: 22 38 | name: F5 BIG-IP 39 | references: 40 | - https://www.trustmatta.com/advisories/MATTA-2012-002.txt 41 | - https://www.trustedsec.com/june-2012/remote-root-authentication-bypass-for-f5-big-ip/ 42 | -------------------------------------------------------------------------------- /creds/ssh_key/loadbalancer.org_enterprise_va.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - password: '-----BEGIN DSA PRIVATE KEY----- 4 | 5 | MIIBugIBAAKBgQCsCgcOw+DgNR/7g+IbXYdOEwSB3W0o3l1Ep1ibHHvAtLb6AdNW 6 | 7 | Gq47/UxY/rX3g2FVrVCtQwNSZMqkrqALQwDScxeCOiLMndCj61t3RxU3IOl5c/Hd 8 | 9 | yhGh6JGPdzTpgf8VhJIZnvG+0NFNomYntqYFm0y11dBQPpYbJE7Tx1t/lQIVANHJ 10 | 11 | rJSVVkpcTB4XdtR7TfO317xVAoGABDytZN2OhKwGyJfenZ1Ap2Y7lkO8V8tOtqX+ 12 | 13 | t0LkViOi2ErHJt39aRJJ1lDRa/3q0NNqZH4tnj/bh5dUyNapflJiV94N3637LCzW 14 | 15 | 
cFlwFtJvD22Nx2UrPn+YXrzN7mt9qZyg5m0NlqbyjcsnCh4vNYUiNeMTHHW5SaJY 16 | 17 | TeYmPP8CgYAjEe5+0m/TlBtVkqQbUit+s/g+eB+PFQ+raaQdL1uztW3etntXAPH1 18 | 19 | MjxsAC/vthWYSTYXORkDFMhrO5ssE2rfg9io0NDyTIZt+VRQMGdi++dH8ptU+ldl 20 | 21 | 2ZejLFdTJFwFgcfXz+iQ1mx6h9TPX1crE1KoMAVOj3yKVfKpLB1EkAIUCsG3dIJH 22 | 23 | SzmJVCWFyVuuANR2Bnc= 24 | 25 | -----END DSA PRIVATE KEY----- 26 | 27 | ' 28 | username: root 29 | category: ssh 30 | contributor: ztgrace, hdmoore 31 | default_port: 22 32 | name: Loadbalancer.org Enterprise VA 33 | references: 34 | - http://packetstormsecurity.com/files/125754/Loadbalancer.org-Enterprise-VA-7.5.2-Static-SSH-Key.html 35 | - https://github.com/rapid7/ssh-badkeys/ 36 | -------------------------------------------------------------------------------- /creds/ssh_key/monroe_electronics_r189.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - password: '-----BEGIN DSA PRIVATE KEY----- 4 | 5 | MIIBuwIBAAKBgQDdwCE68iTEMjimYwJMvpkP/KThyJbuKvKc5kdKqLSmi5tssnuW 6 | 7 | tD2NqzmkEQM4uxD4XgV26k2/GvE6x4RlyOT+xlB2iYaOR4RJ8PuU8ALz+9i+y3D8 8 | 9 | MTMY/6y3Ef41frizLFXiVVo8CXFL/N8sz16FYytIayJvkSy3rkzPoE8pRwIVAPmA 10 | 11 | F1excCJPPVq3MyDfEMUXXOWjAoGAJS8ukwjJTgTNCHD7Lz//WxIw49DPGGWs3are 12 | 13 | GpjtiGjVD2Lff7CLCzkH8SI/JsgytUzqfDckSXqe1eWiAhuH90Pl5LZZi83Vp97I 14 | 15 | 721riAF3taKYxtk+vWIcXx2a/Fp+z+LaQoMqjOLh5lCq35wc0EPb5FFFrGaFFzNm 16 | 17 | e71F1X0CgYAU6eNlphQWDwx0KOBiiYhF9BM6kDbQlyw8333rAG3G4CcjI2G8eYGt 18 | 19 | pBNliaD185UjCEsjPiudhGil/j4Zt/+VY3aGOLoi8kqXBBc8ZAML9bbkXpyhQhMg 20 | 21 | wiywx3ciFmvSn2UAin8yurStYPQxtXauZN5PYbdwCHPS7ApIStdpMAIVAJ+eePIA 22 | 23 | Azb0ux287wRfcfdbjlDM 24 | 25 | -----END DSA PRIVATE KEY----- 26 | 27 | ' 28 | username: root 29 | category: ssh 30 | contributor: ztgrace, hdmoore 31 | default_port: 22 32 | name: Monroe Electronics R189 One-Net 33 | references: 34 | - https://www.kb.cert.org/vuls/id/662676 35 | - https://github.com/rapid7/ssh-badkeys/ 36 | 
--------------------------------------------------------------------------------
/creds/ssh_key/quantum-dxi-v1000.yml:
--------------------------------------------------------------------------------
# Signature for a vendor-default SSH key: the "password" field below holds
# PEM private-key text (DSA), not a password, and is paired with username root.
# The key is published in the references listed at the end of this file, so
# key-based login with it provides no authentication strength.
# NOTE(review): an appliance that accepts this key should be treated as
# exposed. The remediation (removing the matching authorized_keys entry or
# applying a vendor fix) is not shown here; confirm it against the advisory.
1 | auth:
2 |   credentials:
3 |   - password: '-----BEGIN DSA PRIVATE KEY-----
4 |
5 |     MIIBugIBAAKBgQCEgBNwgF+IbMU8NHUXNIMfJ0ONa91ZI/TphuixnilkZqcuwur2
6 |
7 |     hMbrqY8Yne+n3eGkuepQlBBKEZSd8xPd6qCvWnCOhBqhkBS7g2dH6jMkUl/opX/t
8 |
9 |     Rw6P00crq2oIMafR4/SzKWVW6RQEzJtPnfV7O3i5miY7jLKMDZTn/DRXRwIVALB2
10 |
11 |     +o4CRHpCG6IBqlD/2JW5HRQBAoGAaSzKOHYUnlpAoX7+ufViz37cUa1/x0fGDA/4
12 |
13 |     6mt0eD7FTNoOnUNdfdZx7oLXVe7mjHjqjif0EVnmDPlGME9GYMdi6r4FUozQ33Y5
14 |
15 |     PmUWPMd0phMRYutpihaExkjgl33AH7mp42qBfrHqZ2oi1HfkqCUoRmB6KkdkFosr
16 |
17 |     E0apJ5cCgYBLEgYmr9XCSqjENFDVQPFELYKT7Zs9J87PjPS1AP0qF1OoRGZ5mefK
18 |
19 |     6X/6VivPAUWmmmev/BuAs8M1HtfGeGGzMzDIiU/WZQ3bScLB1Ykrcjk7TOFD6xrn
20 |
21 |     k/inYAp5l29hjidoAONcXoHmUAMYOKqn63Q2AsDpExVcmfj99/BlpQIUYS6Hs70u
22 |
23 |     B3Upsx556K/iZPPnJZE=
24 |
25 |     -----END DSA PRIVATE KEY-----
26 |
27 |     '
28 |     username: root
29 | category: ssh
30 | contributor: ztgrace, hdmoore
31 | default_port: 22
32 | name: Quantum DXi V1000
33 | references:
34 | - https://packetstormsecurity.com/files/125755/quantum-root.txt
35 | - https://github.com/rapid7/ssh-badkeys/
36 |
--------------------------------------------------------------------------------
/creds/ssh_key/vagrant.yml:
--------------------------------------------------------------------------------
# Signature for the shared key pair that the Vagrant project publishes in its
# own repository (see references); paired with username vagrant. As above, the
# "password" field carries PEM private-key text (RSA) rather than a password.
# NOTE(review): a host reachable beyond a local development setup that still
# trusts this key should have it replaced with a per-machine key.
1 | auth:
2 |   credentials:
3 |   - password: '-----BEGIN RSA PRIVATE KEY-----
4 |
5 |     MIIEogIBAAKCAQEA6NF8iallvQVp22WDkTkyrtvp9eWW6A8YVr+kz4TjGYe7gHzI
6 |
7 |     w+niNltGEFHzD8+v1I2YJ6oXevct1YeS0o9HZyN1Q9qgCgzUFtdOKLv6IedplqoP
8 |
9 |     kcmF0aYet2PkEDo3MlTBckFXPITAMzF8dJSIFo9D8HfdOV0IAdx4O7PtixWKn5y2
10 |
11 |     hMNG0zQPyUecp4pzC6kivAIhyfHilFR61RGL+GPXQ2MWZWFYbAGjyiYJnAmCP3NO
12 |
13 |     Td0jMZEnDkbUvxhMmBYSdETk1rRgm+R4LOzFUGaHqHDLKLX+FIPKcF96hrucXzcW
14 |
15 |     yLbIbEgE98OHlnVYCzRdK8jlqm8tehUc9c9WhQIBIwKCAQEA4iqWPJXtzZA68mKd
16 |
17 |     ELs4jJsdyky+ewdZeNds5tjcnHU5zUYE25K+ffJED9qUWICcLZDc81TGWjHyAqD1
18 |
19 |     Bw7XpgUwFgeUJwUlzQurAv+/ySnxiwuaGJfhFM1CaQHzfXphgVml+fZUvnJUTvzf
20 |
21 |     TK2Lg6EdbUE9TarUlBf/xPfuEhMSlIE5keb/Zz3/LUlRg8yDqz5w+QWVJ4utnKnK
22 |
23 |     iqwZN0mwpwU7YSyJhlT4YV1F3n4YjLswM5wJs2oqm0jssQu/BT0tyEXNDYBLEF4A
24 |
25 |     sClaWuSJ2kjq7KhrrYXzagqhnSei9ODYFShJu8UWVec3Ihb5ZXlzO6vdNQ1J9Xsf
26 |
27 |     4m+2ywKBgQD6qFxx/Rv9CNN96l/4rb14HKirC2o/orApiHmHDsURs5rUKDx0f9iP
28 |
29 |     cXN7S1uePXuJRK/5hsubaOCx3Owd2u9gD6Oq0CsMkE4CUSiJcYrMANtx54cGH7Rk
30 |
31 |     EjFZxK8xAv1ldELEyxrFqkbE4BKd8QOt414qjvTGyAK+OLD3M2QdCQKBgQDtx8pN
32 |
33 |     CAxR7yhHbIWT1AH66+XWN8bXq7l3RO/ukeaci98JfkbkxURZhtxV/HHuvUhnPLdX
34 |
35 |     3TwygPBYZFNo4pzVEhzWoTtnEtrFueKxyc3+LjZpuo+mBlQ6ORtfgkr9gBVphXZG
36 |
37 |     YEzkCD3lVdl8L4cw9BVpKrJCs1c5taGjDgdInQKBgHm/fVvv96bJxc9x1tffXAcj
38 |
39 |     3OVdUN0UgXNCSaf/3A/phbeBQe9xS+3mpc4r6qvx+iy69mNBeNZ0xOitIjpjBo2+
40 |
41 |     dBEjSBwLk5q5tJqHmy/jKMJL4n9ROlx93XS+njxgibTvU6Fp9w+NOFD/HvxB3Tcz
42 |
43 |     6+jJF85D5BNAG3DBMKBjAoGBAOAxZvgsKN+JuENXsST7F89Tck2iTcQIT8g5rwWC
44 |
45 |     P9Vt74yboe2kDT531w8+egz7nAmRBKNM751U/95P9t88EDacDI/Z2OwnuFQHCPDF
46 |
47 |     llYOUI+SpLJ6/vURRbHSnnn8a/XG+nzedGH5JGqEJNQsz+xT2axM0/W/CRknmGaJ
48 |
49 |     kda/AoGANWrLCz708y7VYgAtW2Uf1DPOIYMdvo6fxIB5i9ZfISgcJ/bbCUkFrhoH
50 |
51 |     +vq/5CIWxCPp0f85R4qxxQ5ihxJ0YDQT9Jpx4TMss4PSavPaBH3RXow5Ohe+bYoQ
52 |
53 |     NE5OgEXk2wVfZczCZpigBKbKZHNYcelXtTt/nP3rsCuGcM4h53s=
54 |
55 |     -----END RSA PRIVATE KEY-----
56 |
57 |     '
58 |     username: vagrant
59 | category: ssh
60 | contributor: ztgrace
61 | default_port: 22
62 | name: Vagrant SSH
63 | references:
64 | - https://raw.githubusercontent.com/mitchellh/vagrant/master/keys/vagrant
65 |
--------------------------------------------------------------------------------
/creds/telnet/telnet.yml:
--------------------------------------------------------------------------------
# Generic telnet username/password pairs: root/password and root/root.
# Telnet is unencrypted, so a match on this entry is also a finding for
# cleartext management access, independent of the weak password.
1 | auth:
2 |   credentials:
3 |   - username: root
4 |     password: password
5 |   - username: root
6 |     password: root
7 | category: telnet
# Remaining top-level keys of the telnet entry: port, display name, contributor.
8 | default_port: 23
9 | name: telnet
10 | contributor: AlessandroZ
--------------------------------------------------------------------------------
/dev-requirements.txt:
--------------------------------------------------------------------------------
# Development and test packages. Only responses is pinned (==0.7.0); the
# other three resolve to whatever version the package index serves at
# install time.
1 | coverage
2 | mock
3 | mock-ssh-server
4 | responses==0.7.0
--------------------------------------------------------------------------------
/requirements.txt:
--------------------------------------------------------------------------------
# Runtime dependencies. None carries a version specifier, so installs are not
# reproducible and a new or replaced upstream release is picked up without
# review.
# NOTE(review): consider exact pins with hashes (pip's --require-hashes mode).
# NOTE(review): nose is a test runner and presumably belongs with the dev
# packages; confirm that nothing imports it at runtime before moving it.
1 | cerberus
2 | jinja2
3 | logutils
4 | lxml
5 | netaddr
6 | nose
7 | paramiko
8 | psycopg2
9 | pymongo
10 | pyodbc
11 | pysnmp
12 | python-libnmap
13 | python-memcached
14 | pyyaml
15 | redis
16 | requests
17 | selenium
18 | shodan
19 | sqlalchemy
20 | tabulate
21 |
--------------------------------------------------------------------------------