├── .coveragerc ├── .dockerignore ├── .gitignore ├── .travis.yml ├── COPYING ├── Dockerfile ├── README.md ├── changeme.1 ├── changeme.py ├── changeme ├── __init__.py ├── core.py ├── cred.py ├── redis_queue.py ├── report.py ├── scan_engine.py ├── scanners │ ├── __init__.py │ ├── database.py │ ├── ftp.py │ ├── http_basic_auth.py │ ├── http_fingerprint.py │ ├── http_get.py │ ├── http_post.py │ ├── http_raw_post.py │ ├── memcached.py │ ├── mongo.py │ ├── mssql.py │ ├── mysql.py │ ├── postgres.py │ ├── redis_scanner.py │ ├── scanner.py │ ├── snmp.py │ ├── ssh.py │ ├── ssh_key.py │ └── telnet.py ├── schema.py ├── target.py ├── templates │ └── report.j2 ├── tests │ ├── __init__.py │ ├── core.py │ ├── http.py │ ├── memcached.py │ ├── mock_responses.py │ ├── mongodb.py │ ├── redis_scanner.py │ ├── snmp.py │ ├── target.py │ └── tomcat_nmap.xml └── version.py ├── creds ├── ftp │ ├── ftp.yml │ └── zyxel.yml ├── http │ ├── camera │ │ ├── icatch.yml │ │ └── speco_technologies_ip_camera.yml │ ├── general │ │ ├── activemq.yml │ │ ├── amano_ts-3000i.yml │ │ ├── apache_tomcat.yml │ │ ├── apache_tomcat_host_manager.yml │ │ ├── apc_network_management_card.yml │ │ ├── audiocodes_mediant_1000.yml │ │ ├── avaya_contact_center.yml │ │ ├── ca_apm_team_center.yml │ │ ├── ca_netqos.yml │ │ ├── cisco_collaboration_endpoint.yml │ │ ├── cisco_systems.yml │ │ ├── clearpass.yml │ │ ├── crestron_hd-md4x1-4k-e.yml │ │ ├── datastax_opscenter.yml │ │ ├── dell_idrac.yml │ │ ├── dynatrace.yml │ │ ├── elasticsearch.yml │ │ ├── endpoint_protector.yml │ │ ├── grafana.yml │ │ ├── haivision_makito_x_decoder.yml │ │ ├── hp_server_automation.yml │ │ ├── ibm_imm.yml │ │ ├── ibm_netezza.yml │ │ ├── ibm_urbancode_deploy.yml │ │ ├── jasperreports.yml │ │ ├── jboss_as_6.yml │ │ ├── jboss_as_6_alt.yml │ │ ├── jenkins.yml │ │ ├── kanboard.yml │ │ ├── makito_decoder.yml │ │ ├── netbackup_opscenter_analytics.yml │ │ ├── nexus_repository_manager.yml │ │ ├── nortel_integrated_call_director.yml │ │ ├── nuxeo_server.yml │ │ ├── odoo.yml │ │ ├── oracle_glassfish.yml │ │ ├── sonarqube.yml │ │ ├── sonarqube_7.x.yml │ │ ├── supermicro.yml │ │ ├── teamcity_9_guest.yml │ │ ├── teleopti_wfm.yml │ │ ├── ubiquiti_edgeos.yml │ │ ├── video_web_server.yml │ │ ├── weblogic.yml │ │ ├── websphere.yml │ │ └── zabbix.yml │ ├── iot │ │ ├── heatmiser_wifi_thermostat.yml │ │ └── proliphix_thermostat.yml │ ├── phone │ │ └── polycom_vvx_500.yml │ ├── printer │ │ ├── brother_hl_series.yml │ │ ├── canon_ir-adv.yml │ │ ├── hp_laserjet_600.yml │ │ ├── hp_laserjet_no_password.yml │ │ ├── hp_laserjet_no_password_legacy.yml │ │ ├── ricoh_mp.yml │ │ ├── xerox_phaser_6700.yml │ │ └── xerox_workcentre_5020_dn.yml │ └── webcam │ │ ├── maygion_camera.yml │ │ └── trendnet_internet_camera.yml ├── mongodb │ └── noauth.yml ├── mssql │ ├── aris.yml │ ├── bosch_rps.yml │ ├── cch.yml │ ├── easyWinArt.yml │ ├── emerson_ams.yml │ ├── geonetwork.yml │ ├── i2b2_workbench.yml │ ├── ibm_maximo.yml │ ├── ibm_was.yml │ ├── ihs_kingdom.yml │ ├── lasa_aims.yml │ ├── lenel_onguard.yml │ ├── mediaportal.yml │ ├── medocheck.yml │ ├── micro_focus_silk_central.yml │ ├── mssql.yml │ ├── napco_continental_access.yml │ ├── netxms.yml │ ├── opengts.yml │ ├── safenet_sentinel_ems.yml │ ├── schlage_sms.yml │ ├── skf.yml │ ├── splendidcrm.yml │ ├── telestream_vantage.yml │ ├── timeforce.yml │ ├── utc.yml │ ├── video_insight.yml │ ├── welchallyn.yml │ └── wonderware_historian.yml ├── mysql │ └── mysql.yml ├── postgres │ ├── ambari.yml │ ├── msf.yml │ └── postgres.yml ├── redis │ └── redis.yml ├── snmp │ ├── apc.yml │ ├── cisco_guard.yml │ ├── common.yml │ ├── eon.yml │ └── public_private.yml ├── ssh │ ├── Modern_IE.yml │ ├── antsle.yml │ ├── apple_jailbroken_device.yml │ ├── att_arris.yml │ ├── cisco.yml │ ├── cisco_aironet.yml │ ├── hipchat.yml │ ├── ibm_storwize_v7000.yml │ ├── iot.yml │ ├── netscreen.yml │ ├── raspberry_pi.yml │ └── ssh.yml ├── ssh_key │ ├── array_networks_vxag.yml │ ├── barracuda_load_balancer.yml │ ├── ceragon-fibeair.yml │ ├── exagrid.yml │ ├── f5_big-ip.yml │ ├── loadbalancer.org_enterprise_va.yml │ ├── monroe_electronics_r189.yml │ ├── quantum-dxi-v1000.yml │ └── vagrant.yml └── telnet │ ├── american_dynamics.yml │ ├── dahua.yml │ ├── netscreen.yml │ └── telnet.yml ├── dev-requirements.txt └── requirements.txt /.coveragerc: -------------------------------------------------------------------------------- 1 | [report] 2 | show_missing = True 3 | -------------------------------------------------------------------------------- /.dockerignore: -------------------------------------------------------------------------------- 1 | .git 2 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | *.swp 2 | *.swo 3 | *.pyc 4 | .coverage 5 | data.db 6 | -------------------------------------------------------------------------------- /.travis.yml: -------------------------------------------------------------------------------- 1 | language: python 2 | python: 3 | - "2.7" 4 | - "3.4" 5 | - "3.5" 6 | - "3.6" 7 | - "3.7" 8 | addons: 9 | apt: 10 | sources: 11 | - ubuntu-toolchain-r-test 12 | packages: 13 | - gcc 14 | - g++ 15 | - unixodbc-dev 16 | install: 17 | - pip install -r requirements.txt 18 | - pip install -r dev-requirements.txt 19 | services: 20 | - redis-server 21 | - memcached 22 | - mongodb 23 | script: nosetests --nologcapture -v -s --with-coverage --cover-erase --cover-package=changeme changeme/tests/*.py 24 | -------------------------------------------------------------------------------- /Dockerfile: -------------------------------------------------------------------------------- 1 | FROM alpine:latest 2 | MAINTAINER Zach Grace (@ztgrace) 3 | 4 | RUN mkdir /changeme 5 | COPY . /changeme/ 6 | 7 | RUN apk update \ 8 | && apk add --no-cache --virtual .changeme-deps \ 9 | bash \ 10 | libxml2 \ 11 | py-lxml \ 12 | py-pip \ 13 | && apk add --no-cache --virtual .build-deps \ 14 | ca-certificates \ 15 | gcc \ 16 | g++ \ 17 | libffi-dev \ 18 | libtool \ 19 | libxml2-dev \ 20 | make \ 21 | musl-dev \ 22 | postgresql-dev \ 23 | python-dev \ 24 | unixodbc-dev \ 25 | && pip install -r /changeme/requirements.txt \ 26 | && apk del .build-deps \ 27 | && find /usr/ -type f -a -name '*.pyc' -o -name '*.pyo' -exec rm '{}' \; \ 28 | && ln -s /changeme/changeme.py /usr/local/bin/ 29 | 30 | ENV HOME /changeme 31 | ENV PS1 "\033[00;34mchangeme>\033[0m " 32 | WORKDIR /changeme 33 | ENTRYPOINT ["./changeme.py"] 34 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # changeme [![Build Status](https://travis-ci.org/ztgrace/changeme.svg?branch=master)](https://travis-ci.org/ztgrace/changeme) 2 | 3 | A default credential scanner. 4 | 5 | ![Basic Scan](https://raw.githubusercontent.com/wiki/ztgrace/changeme/images/basic.gif) 6 | 7 | ## About 8 | 9 | changeme picks up where commercial scanners leave off. It focuses on detecting default and backdoor credentials and not necessarily common credentials. It's default mode is to scan HTTP default credentials, but has support for other credentials. 10 | 11 | changeme is designed to be simple to add new credentials without having to write any code or modules. changeme keeps credential data separate from code. All credentials are stored in [yaml](http://yaml.org/) files so they can be both easily read by humans and processed by changeme. Credential files can be created by using the `./changeme.py --mkcred` tool and answering a few questions. 12 | 13 | changeme supports the http/https, mssql, mysql, postgres, ssh, ssh w/key, snmp, mongodb and ftp protocols. Use `./changeme.py --dump` to output all of the currently available credentials. 14 | 15 | You can load your targets using a variety of methods, single ip address/host, subnet, list of hosts, nmap xml file and Shodan query. All methods except for Shodan are loaded as a positional argument and the type is inferred. 16 | 17 | ## Installation 18 | 19 | changeme has only been tested on Linux and has known issues on Windows and OS X/macOS. Use docker to run changeme on the unsupported platforms. It supports either a redis-backed queue (most stable) or an in-memory backed queue. 20 | 21 | Stable versions of changeme can be found on the [releases](https://github.com/ztgrace/changeme/releases) page. 22 | 23 | For mssql support, `unixodbc-dev` needs to be installed prior to installing the `pyodbc`. 24 | 25 | For postgres support, `libpq-dev` needs to be installed. 26 | 27 | [PhantomJS](http://phantomjs.org/) is required in your PATH for HTML report screenshots. 28 | 29 | Use `pip` to install the required python modules: `pip install -r requirements.txt` 30 | 31 | ## Docker 32 | 33 | A convenient way of running changeme is to do so inside a Docker container. You can run a pre-built container from Docker Hub, or build your own using the instructions below. 34 | 35 | ### Run changeme in Docker 36 | 37 | Docker runs best in conjunction with Redis as a queue back end. Here's how to get a linked container setup working with Redis. 38 | 39 | Get the latest containers: `docker pull redis && docker pull ztgrace/changeme` 40 | 41 | Launch redis in the background: `docker run -d --name redis1 redis` 42 | 43 | Start changeme linking the redis container by name and mounting a local directory into the container's `/mnt` directory: `docker run -it -v /tmp/results:/mnt --link redis1:redis ztgrace/changeme:latest /bin/sh` 44 | 45 | Run changeme with a `--redishost` of `redis` and `--output` file in our mounted volume: `./changeme.py --redishost redis --output /tmp/mnt/results.csv --protocols ssh --threads 20 -d 192.168.1.0/24` 46 | 47 | ### Build from Dockerfile 48 | 49 | 1. Build the docker container: `docker build -t changeme .` 50 | 2. Run changeme from inside the container: `docker run -it changeme /bin/bash' 51 | 52 | ## Usage Examples 53 | 54 | Below are some common usage examples. 55 | 56 | * Scan a single host: `./changeme.py 192.168.59.100` 57 | * Scan a subnet for default creds: `./changeme.py 192.168.59.0/24` 58 | * Scan using an nmap file `./changeme.py subnet.xml` 59 | * Scan a subnet for Tomcat default creds and set the timeout to 5 seconds: `./changeme.py -n "Apache Tomcat" --timeout 5 192.168.59.0/24` 60 | * Use [Shodan](https://www.shodan.io/) to populate a targets list and check them for default credentials: `./changeme.py --shodan_query "Server: SQ-WEBCAM" --shodan_key keygoeshere -c camera` 61 | * Scan for SSH and known SSH keys: `./changeme.py --protocols ssh,ssh_key 192.168.59.0/24` 62 | * Scan a host for SNMP creds using the protocol syntax: `./changeme.py snmp://192.168.1.20` 63 | 64 | See [Wiki Examples](https://github.com/ztgrace/changeme/wiki/Examples) for more detailed examples. 65 | 66 | ## Known Issues 67 | 68 | The telnet scanner is broken. 69 | 70 | Additionally, anything filed under https://github.com/ztgrace/changeme/issues as a bug. 71 | 72 | ## Bugs and Enhancements 73 | 74 | Bugs and enhancements are tracked at [https://github.com/ztgrace/changeme/issues](https://github.com/ztgrace/changeme/issues). 75 | 76 | **Request a credential:** Please add an issue to Github and apply the credential label. 77 | 78 | **Vote for a credential:** If you would like to help us prioritize which credentials to add, you can add a comment to a credential issue. 79 | 80 | Please see the [wiki](https://github.com/ztgrace/changeme/wiki) for more details. 81 | 82 | ## Contributors 83 | 84 | Thanks for code contributions and suggestions. 85 | 86 | * @AlessandroZ 87 | * @m0ther_ 88 | * @GraphX 89 | * @Equinox21_ 90 | * https://github.com/ztgrace/changeme/graphs/contributors 91 | -------------------------------------------------------------------------------- /changeme.1: -------------------------------------------------------------------------------- 1 | .TH CHANGEME "1" "June 2018" "changeme 1.1.1" "User Commands" 2 | .SH NAME 3 | changeme \- Default Credential Scanner 4 | .SH DESCRIPTION 5 | A default Credential Scanner with support for various protocols 6 | .PP 7 | .SH SYNOPSIS 8 | .B changeme [options] 9 | .IP 10 | .SH OPTIONS 11 | .SS "required arguments:" 12 | .TP 13 | \fBtarget\fR 14 | Target to scan. Can be IP, subnet, hostname, nmap xml 15 | file, text file or proto://host:port 16 | .SS "optional arguments:" 17 | .TP 18 | \fB\-h\fR, \fB\-\-help\fR 19 | show this help message and exit 20 | .TP 21 | \fB\-\-all\fR, \fB\-a\fR 22 | Scan for all protocols 23 | .TP 24 | \fB\-\-category\fR, \fB\-c\fR CATEGORY 25 | Category of default creds to scan for 26 | .TP 27 | \fB\-\-contributors\fR 28 | Display cred file contributors 29 | .TP 30 | \fB\-\-debug\fR, \fB\-d\fR 31 | Debug output 32 | .TP 33 | \fB\-\-delay\fR, \fB\-dl\fR DELAY 34 | Specify a delay in milliseconds to avoid 429 status 35 | codes default=500 36 | .TP 37 | \fB\-\-dump\fR 38 | Print all of the loaded credentials 39 | .TP 40 | \fB\-\-dryrun\fR 41 | Print urls to be scan, but don't scan them 42 | .TP 43 | \fB\-\-fingerprint\fR, \fB\-f\fR 44 | Fingerprint targets, but don't check creds 45 | .TP 46 | \fB\-\-fresh\fR 47 | Flush any previous scans and start fresh 48 | .TP 49 | \fB\-\-log\fR, \fB\-l\fR LOG 50 | Write logs to logfile 51 | .TP 52 | \fB\-\-mkcred\fR 53 | Make cred file 54 | .TP 55 | \fB\-\-name\fR, \fB\-n\fR NAME 56 | Narrow testing to the supplied credential name 57 | .TP 58 | \fB\-\-noversion\fR 59 | Don't perform a version check 60 | .TP 61 | \fB\-\-proxy\fR, \fB\-p\fR PROXY 62 | HTTP(S) Proxy 63 | .TP 64 | \fB\-\-output\fR, \fB\-o\fR OUTPUT 65 | Name of result file. File extension determines type 66 | (csv, html, json). 67 | .TP 68 | \fB\-\-oa\fR 69 | Output results files in csv, html and json formats 70 | .TP 71 | \fB\-\-protocols\fR PROTOCOLS 72 | Comma separated list of protocols to test: 73 | http,ssh,ssh_key. Defaults to http. 74 | .TP 75 | \fB\-\-portoverride\fR 76 | Scan all protocols on all specified ports 77 | .TP 78 | \fB\-\-redishost\fR REDISHOST 79 | Redis server 80 | .TP 81 | \fB\-\-redisport\fR REDISPORT 82 | Redis server 83 | .TP 84 | \fB\-\-resume\fR, \fB\-r\fR 85 | Resume previous scan 86 | .TP 87 | \fB\-\-shodan_query\fR, \fB\-q\fR SHODAN_QUERY 88 | Shodan query 89 | .TP 90 | \fB\-\-shodan_key\fR, \fB\-k\fR SHODAN_KEY 91 | Shodan API key 92 | .TP 93 | \fB\-\-ssl\fR 94 | Force cred to SSL and fall back to non\-SSL if an 95 | SSLError occurs 96 | .TP 97 | \fB\-\-threads\fR, \fB\-t\fR THREADS 98 | Number of threads, default=10 99 | .TP 100 | \fB\-\-timeout\fR TIMEOUT 101 | Timeout in seconds for a request, default=10 102 | .TP 103 | \fB\-\-useragent\fR, \fB\-ua\fR USERAGENT 104 | User agent string to use 105 | .TP 106 | \fB\-\-validate\fR 107 | Validate creds files 108 | .TP 109 | \fB\-\-verbose\fR, \fB\-v\fR 110 | Verbose output 111 | .SH EXAMPLES 112 | \fBchangeme 192.168.2.100\fR Scan single host 113 | .TP 114 | \fBchangeme 192.168.2.0/24\fR Scan subnet 115 | .TP 116 | \fBchangeme subnet.xml\fR Scan using a nmap output file 117 | .TP 118 | \fBchangeme -n "Apache Tomcat" --timeout 5 192.168.2.0/24\fR Scan a subnet for Tomcat default creds and set the timeout to 5 seconds 119 | .TP 120 | \fBchangeme --shodan_query "Server: SQ-WEBCAM" --shodan_key keygoeshere -c camera\fR Use Shodan to populate a targets list and check them for default credentials 121 | .TP 122 | \fBchangeme --protocols ssh,ssh_key 192.168.2.0/24\fR Scan subnet for SSH and known SSH keys 123 | .TP 124 | \fBchangeme snmp://192.168.2.100\fR Scan a host for SNMP creds using the protocol syntax 125 | .SH AUTHOR 126 | changeme was developed by ztgrace, this manpage was made by Samuel Henrique based on \fBchangeme --help\fR output and can be used by other projects as well. 127 | -------------------------------------------------------------------------------- /changeme.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from changeme import core 4 | 5 | if __name__ == '__main__': 6 | core.main() 7 | -------------------------------------------------------------------------------- /changeme/__init__.py: -------------------------------------------------------------------------------- 1 | __all__ = ['core', 'version', 'scan_engine'] 2 | -------------------------------------------------------------------------------- /changeme/cred.py: -------------------------------------------------------------------------------- 1 | class Cred(object): 2 | def __init__(self, cdict): 3 | self.name = cdict['name'] 4 | 5 | # fingerprint 6 | 7 | # auth 8 | self.credentials = cdict['auth']['credentials'] 9 | self.csrf = cdict['auth']['csrf'] 10 | self.headers = cdict['auth']['headers'] 11 | 12 | self.username = cdict['auth']['username'] 13 | self.password = cdict['auth']['password'] 14 | self.b64 = cdict['auth']['base64'] 15 | self.success = cdict['auth']['success'] 16 | -------------------------------------------------------------------------------- /changeme/redis_queue.py: -------------------------------------------------------------------------------- 1 | import redis 2 | import pickle 3 | 4 | 5 | # based on http://peter-hoffmann.com/2012/python-simple-queue-redis-queue.html 6 | class RedisQueue(object): 7 | """Simple Queue with Redis Backend""" 8 | def __init__(self, name, namespace='queue', **redis_kwargs): 9 | """The default connection parameters are: host='localhost', port=6379, db=0""" 10 | self.__db= redis.Redis(**redis_kwargs) 11 | self.key = '%s:%s' %(namespace, name) 12 | 13 | def qsize(self): 14 | """Return the approximate size of the queue.""" 15 | return self.__db.llen(self.key) 16 | 17 | def empty(self): 18 | """Return True if the queue is empty, False otherwise.""" 19 | return self.qsize() == 0 20 | 21 | def put(self, item): 22 | """Put item into the queue.""" 23 | self.__db.rpush(self.key, pickle.dumps(item)) 24 | 25 | def get(self, block=True, timeout=None): 26 | """Remove and return an item from the queue. 27 | 28 | If optional args block is true and timeout is None (the default), block 29 | if necessary until an item is available.""" 30 | if block: 31 | item = self.__db.blpop(self.key, timeout=timeout) 32 | else: 33 | item = self.__db.lpop(self.key) 34 | 35 | if item: 36 | item = item[1] 37 | return pickle.loads(item) 38 | 39 | def get_nowait(self): 40 | """Equivalent to get(False).""" 41 | return self.get(False) 42 | 43 | def ping(self): 44 | self.__db.ping() 45 | 46 | def delete(self): 47 | self.__db.delete(self.key) 48 | self.__db.flushdb() 49 | -------------------------------------------------------------------------------- /changeme/report.py: -------------------------------------------------------------------------------- 1 | import csv 2 | from copy import deepcopy 3 | from datetime import datetime 4 | import jinja2 5 | import json 6 | import logging 7 | import os 8 | import re 9 | import sys 10 | from tabulate import tabulate 11 | 12 | 13 | class Report: 14 | def __init__(self, queue, output): 15 | self.results = self._convert_q2list(queue) 16 | self.output = output 17 | self.logger = logging.getLogger('changeme') 18 | 19 | def render_csv(self,): 20 | fname = self.output 21 | if not re.match(r'.*\.csv$', fname): 22 | fname += ".csv" 23 | 24 | with open(fname, 'w') as fout: 25 | fieldnames = ["name", "username", "password", "target"] 26 | writer = csv.DictWriter( 27 | fout, 28 | quoting=csv.QUOTE_ALL, 29 | fieldnames=fieldnames, 30 | extrasaction='ignore' 31 | ) 32 | writer.writeheader() 33 | writer.writerows(self.results) 34 | 35 | self.logger.critical("%i credentials written to %s" % (len(self.results), fname)) 36 | 37 | def render_json(self): 38 | # convert the Target classes to a string so it can be json'd 39 | res = deepcopy(self.results) 40 | for r in res: 41 | t = r['target'] 42 | r['target'] = str(t) 43 | 44 | results = dict() 45 | results["results"] = res 46 | j = json.dumps(results) 47 | fname = self.output 48 | if not re.match(r'.*\.json$', fname): 49 | fname += ".json" 50 | 51 | with open(fname, 'w') as fout: 52 | fout.write(j) 53 | 54 | self.logger.critical("%i credentials written to %s" % (len(self.results), fname)) 55 | 56 | def print_results(self): 57 | if len(self.results) > 0: 58 | results = deepcopy(self.results) 59 | for r in results: 60 | if 'http' in r['target'].protocol: 61 | r['evidence'] = '' 62 | 63 | print("") 64 | print("") 65 | self.logger.critical('Found %i default credentials' % len(self.results)) 66 | print("") 67 | print(tabulate(results, headers={'name': 'Name', 68 | 'username': 'Username', 69 | 'password': 'Password', 70 | 'target': 'Target', 71 | 'evidence': 'Evidence'})) 72 | 73 | print("") 74 | else: 75 | print("No default credentials found") 76 | 77 | def render_html(self): 78 | template_loader = jinja2.FileSystemLoader(searchpath=self.get_template_path()) 79 | template_env = jinja2.Environment(loader=template_loader) 80 | report_template = template_env.get_template('report.j2') 81 | cli = ' '.join(sys.argv) 82 | timestamp = datetime.now() 83 | report = report_template.render({'found': self.results, 'cli': cli, 'timestamp': timestamp}) 84 | 85 | fname = self.output 86 | if not re.match(r'.*\.html$', fname): 87 | fname += ".html" 88 | 89 | with open(fname, 'w') as fout: 90 | fout.write(report) 91 | 92 | self.logger.critical("%i credentials written to %s" % (len(self.results), fname)) 93 | 94 | @staticmethod 95 | def get_template_path(): 96 | PATH = os.path.dirname(os.path.abspath(__file__)) 97 | template_path = os.path.join(PATH, 'templates') 98 | return template_path 99 | 100 | def _convert_q2list(self, q): 101 | items = list() 102 | while not q.qsize() == 0: 103 | i = q.get() 104 | items.append(i) 105 | 106 | # Restore queue 107 | for i in items: 108 | q.put(i) 109 | 110 | return items 111 | -------------------------------------------------------------------------------- /changeme/scan_engine.py: -------------------------------------------------------------------------------- 1 | import logging 2 | import multiprocessing as mp 3 | import redis 4 | from changeme.redis_queue import RedisQueue 5 | import pickle 6 | from .scanners.ftp import FTP 7 | from .scanners.http_fingerprint import HttpFingerprint 8 | from .scanners.memcached import MemcachedScanner 9 | from .scanners.mongo import Mongodb 10 | from .scanners.mssql import MSSQL 11 | from .scanners.mysql import MySQL 12 | from .scanners.postgres import Postgres 13 | from .scanners.redis_scanner import RedisScanner 14 | from .scanners.snmp import SNMP 15 | from .scanners.ssh import SSH 16 | from .scanners.ssh_key import SSHKey 17 | from .scanners.telnet import Telnet 18 | from .scanners.http_fingerprint import HttpFingerprint 19 | from .target import Target 20 | import time 21 | try: 22 | # Python 2 23 | from Queue import Queue 24 | except: 25 | # Python 3 26 | from queue import Queue 27 | 28 | 29 | class ScanEngine(object): 30 | def __init__(self, creds, config): 31 | self.creds = creds 32 | self.config = config 33 | self.logger = logging.getLogger('changeme') 34 | self.scanners = self._get_queue('scanners') 35 | self.total_scanners = 0 36 | self.targets = set() 37 | self.fingerprints = self._get_queue('fingerprints') 38 | self.total_fps = 0 39 | self.found_q = self._get_queue('found_q') 40 | 41 | def scan(self): 42 | 43 | # Phase I - Fingerprint 44 | ###################################################################### 45 | if not self.config.resume: 46 | self._build_targets() 47 | 48 | if self.config.dryrun: 49 | self.dry_run() 50 | 51 | num_procs = self.config.threads if self.fingerprints.qsize() > self.config.threads else self.fingerprints.qsize() 52 | 53 | self.logger.debug('Number of procs: %i' % num_procs) 54 | self.total_fps = self.fingerprints.qsize() 55 | procs = [mp.Process(target=self.fingerprint_targets) for i in range(num_procs)] 56 | 57 | self._add_terminators(self.fingerprints) 58 | 59 | for proc in procs: 60 | proc.start() 61 | 62 | for proc in procs: 63 | proc.join() 64 | 65 | self.logger.info('Fingerprinting completed') 66 | 67 | # Phase II - Scan 68 | ###################################################################### 69 | # Unique the queue 70 | scanners = list() 71 | while self.scanners.qsize() > 0: 72 | s = self.scanners.get() 73 | 74 | if s not in scanners: 75 | scanners.append(s) 76 | 77 | for s in scanners: 78 | self.scanners.put(s) 79 | 80 | if not self.config.fingerprint: 81 | num_procs = self.config.threads if self.scanners.qsize() > self.config.threads else self.scanners.qsize() 82 | self.total_scanners = self.scanners.qsize() 83 | 84 | self.logger.debug('Starting %i scanner procs' % num_procs) 85 | procs = [mp.Process(target=self._scan, args=(self.scanners, self.found_q)) for i in range(num_procs)] 86 | 87 | self._add_terminators(self.scanners) 88 | 89 | for proc in procs: 90 | self.logger.debug('Starting scanner proc') 91 | proc.start() 92 | 93 | for proc in procs: 94 | proc.join() 95 | 96 | self.logger.info('Scanning Completed') 97 | 98 | # Hack to address a broken pipe IOError per https://stackoverflow.com/questions/36359528/broken-pipe-error-with-multiprocessing-queue 99 | time.sleep(0.1) 100 | 101 | def _add_terminators(self, q): 102 | # Add poison pills 103 | for i in range(self.config.threads): 104 | q.put(None) 105 | 106 | def _scan(self, scanq, foundq): 107 | while True: 108 | remaining = self.scanners.qsize() 109 | self.logger.debug('%i scanners remaining' % remaining) 110 | 111 | try: 112 | scanner = scanq.get(block=True) 113 | if scanner is None: 114 | return 115 | except Exception as e: 116 | self.logger.debug('Caught exception: %s' % type(e).__name__) 117 | continue 118 | 119 | result = scanner.scan() 120 | if result: 121 | foundq.put(result) 122 | 123 | def fingerprint_targets(self): 124 | while True: 125 | remaining = self.fingerprints.qsize() 126 | self.logger.debug('%i fingerprints remaining' % remaining) 127 | 128 | try: 129 | fp = self.fingerprints.get() 130 | if type(fp) == bytes: 131 | fp = pickle.loads(fp) 132 | 133 | # Exit process 134 | if fp is None: 135 | return 136 | 137 | except Exception as e: 138 | self.logger.debug('Caught exception: %s' % type(e).__name__) 139 | self.logger.debug('Exception: %s: %s' % (type(e).__name__, e.__str__().replace('\n', '|'))) 140 | return 141 | 142 | if fp.fingerprint(): 143 | results = fp.get_scanners(self.creds) 144 | if results: 145 | for result in results: 146 | self.scanners.put(result) 147 | else: 148 | self.logger.debug('failed fingerprint') 149 | 150 | self.logger.debug('scanners: %i, %s' % (self.scanners.qsize(), id(self.scanners))) 151 | 152 | def _build_targets(self): 153 | self.logger.debug('Building targets') 154 | 155 | if self.config.target: 156 | self.targets = Target.parse_target(self.config.target) 157 | else: 158 | self.logger.warning('shodan') 159 | self.targets = Target.get_shodan_targets(self.config) 160 | 161 | 162 | # Load set of targets into queue 163 | self.logger.debug('%i targets' % len(self.targets)) 164 | 165 | # If there's only one protocol and the user specified a protocol, override the defaults 166 | if len(self.targets) == 1: 167 | t = self.targets.pop() 168 | if t.protocol: 169 | self.config.protocols = t.protocol 170 | self.targets.add(t) 171 | 172 | fingerprints = list() 173 | # Build a set of unique fingerprints 174 | if 'http' in self.config.protocols or self.config.all: 175 | fingerprints = fingerprints + HttpFingerprint.build_fingerprints(self.targets, self.creds, self.config) 176 | 177 | fingerprints = list(set(fingerprints)) # unique the HTTP fingerprints 178 | 179 | # Add any protocols if they were included in the targets 180 | for t in self.targets: 181 | if t.protocol and t.protocol not in self.config.protocols: 182 | self.config.protocols += ",%s" % t.protocol 183 | 184 | self.logger.info('Configured protocols: %s' % self.config.protocols) 185 | 186 | # scanner_map maps the friendly proto:// name to the actual class name 187 | scanner_map = { 188 | 'ssh': 'SSH', 189 | 'ssh_key': 'SSHKey', 190 | 'ftp': 'FTP', 191 | 'memcached': 'MemcachedScanner', 192 | 'mongodb': 'Mongodb', 193 | 'mssql': 'MSSQL', 194 | 'mysql': 'MySQL', 195 | 'postgres': 'Postgres', 196 | 'redis': 'RedisScanner', 197 | 'snmp': 'SNMP', 198 | 'telnet': 'Telnet', 199 | } 200 | 201 | for target in self.targets: 202 | for cred in self.creds: 203 | for proto, classname in scanner_map.items(): 204 | if cred['protocol'] == proto and (proto in self.config.protocols or self.config.all): 205 | t = Target(host=target.host, port=target.port, protocol=proto) 206 | fingerprints.append(globals()[classname](cred, t, self.config, '', '')) 207 | 208 | self.logger.info("Loading creds into queue") 209 | for fp in set(fingerprints): 210 | self.fingerprints.put(fp) 211 | self.total_fps = self.fingerprints.qsize() 212 | self.logger.debug('%i fingerprints' % self.fingerprints.qsize()) 213 | 214 | 215 | def dry_run(self): 216 | self.logger.info("Dry run targets:") 217 | while self.fingerprints.qsize() > 0: 218 | fp = self.fingerprints.get() 219 | print(fp.target) 220 | quit() 221 | 222 | def _get_queue(self, name): 223 | try: 224 | # Try for redis 225 | r = RedisQueue(name) 226 | r.ping() 227 | self.logger.debug('Using RedisQueue for %s' % name) 228 | return r 229 | 230 | except redis.ConnectionError: 231 | # Fall back to sqlite persistent queue 232 | self.logger.debug('Using in-memory queue for %s' % name) 233 | m = mp.Manager() 234 | q = m.Queue() 235 | return q 236 | -------------------------------------------------------------------------------- /changeme/scanners/__init__.py: -------------------------------------------------------------------------------- 1 | __all__ = [ 2 | 'database', 3 | 'ftp', 4 | 'http_basic_auth', 5 | 'http_fingerprint', 6 | 'http_get', 7 | 'http_post', 8 | 'http_raw_post', 9 | 'memcached', 10 | 'mongo', 11 | 'mssql', 12 | 'mysql', 13 | 'postgres', 14 | 'redis_scanner', 15 | 'scanner', 16 | 'snmp', 17 | 'ssh_key', 18 | 'ssh', 19 | 'telnet' 20 | ] 21 | -------------------------------------------------------------------------------- /changeme/scanners/database.py: -------------------------------------------------------------------------------- 1 | from .scanner import Scanner 2 | import sqlalchemy 3 | 4 | 5 | class Database(Scanner): 6 | 7 | def __init__(self, cred, target, username, password, config): 8 | super(Database, self).__init__(cred, target, config, username, password) 9 | self.database = None 10 | self.query = None 11 | 12 | def _check(self): 13 | url = "%s://%s:%s@%s:%s/%s" % (self.target.protocol, self.username, self.password, self.target.host, self.target.port, self.database) 14 | engine = sqlalchemy.create_engine(url, connect_args={'connect_timeout': self.config.timeout}) 15 | c = engine.connect() 16 | res = c.execute(self.query) 17 | 18 | results = list() 19 | [results.append(i) for i in res.fetchall()] 20 | 21 | return str(results[0][0]) 22 | 23 | def _mkscanner(self, cred, target, u, p, config): 24 | raise NotImplementedError("A Database class needs to implement a _mkscanner method.") 25 | -------------------------------------------------------------------------------- /changeme/scanners/ftp.py: -------------------------------------------------------------------------------- 1 | from .scanner import Scanner 2 | import ftplib 3 | 4 | 5 | class FTP(Scanner): 6 | def __init__(self, cred, target, username, password, config): 7 | super(FTP, self).__init__(cred, target, config, username, password) 8 | 9 | def _check(self): 10 | ftp = ftplib.FTP() 11 | ftp.connect(self.target.host, self.target.port) 12 | 13 | ftp.login(self.username, self.password) 14 | evidence = ftp.retrlines('LIST') 15 | ftp.quit() 16 | 17 | return evidence 18 | 19 | def _mkscanner(self, cred, target, u, p, config): 20 | return FTP(cred, target, u, p, config) 21 | -------------------------------------------------------------------------------- /changeme/scanners/http_basic_auth.py: -------------------------------------------------------------------------------- 1 | from changeme.scanners.http_get import HTTPGetScanner 2 | from requests.auth import HTTPBasicAuth 3 | 4 | 5 | class HTTPBasicAuthScanner(HTTPGetScanner): 6 | pass 7 | 8 | def _make_request(self): 9 | self.logger.debug("Requesting %s" % self.target) 10 | self.response = self.request.get(self.target, 11 | auth=HTTPBasicAuth(self.username, self.password), 12 | verify=False, 13 | proxies=self.config.proxy, 14 | timeout=self.config.timeout, 15 | headers=self.headers, 16 | cookies=self.cookies) 17 | -------------------------------------------------------------------------------- /changeme/scanners/http_fingerprint.py: -------------------------------------------------------------------------------- 1 | from changeme.scanners.http_basic_auth import HTTPBasicAuthScanner 2 | from changeme.scanners.http_get import HTTPGetScanner 3 | from changeme.scanners.http_post import HTTPPostScanner 4 | from changeme.scanners.http_raw_post import HTTPRawPostScanner 5 | from changeme.target import Target 6 | from copy import deepcopy 7 | import logging 8 | from lxml import html 9 | import re 10 | import requests 11 | 12 | 13 | class HttpFingerprint: 14 | def __init__(self, target, headers, cookies, config): 15 | self.target = target # changeme.target.Target() 16 | self.headers = headers 17 | self.cookies = cookies 18 | self.config = config 19 | self.logger = logging.getLogger('changeme') 20 | self.res = None 21 | self.req = requests.Session() 22 | 23 | def __getstate__(self): 24 | state = self.__dict__ 25 | state['logger'] = None # Need to clear the logger when serializing otherwise mp.Queue blows up 26 | return state 27 | 28 | def __setstate__(self, d): 29 | self.__dict__ = d 30 | self.logger = logging.getLogger('changeme') 31 | 32 | def __hash__(self): 33 | return hash(str(self.target) + str(self.headers) + str(self.cookies)) 34 | 35 | def __eq__(self, other): 36 | s = dict() 37 | o = dict() 38 | s['target'] = self.target 39 | s['headers'] = self.headers 40 | s['cookies'] = self.cookies 41 | o['target'] = other.target 42 | o['headers'] = other.headers 43 | o['cookies'] = other.cookies 44 | return s == o 45 | 46 | def fingerprint(self): 47 | 48 | try: 49 | self._fp() 50 | except Exception as e: 51 | if self.config.ssl and e.__class__ == requests.exceptions.SSLError: 52 | self.target.protocol = 'http' 53 | self.logger.debug('Retrying with non-SSL target: %s' % self.target) 54 | try: 55 | self._fp() 56 | except Exception as e: 57 | self.logger.debug('Failed to connect to %s' % self.target) 58 | 59 | return False 60 | 61 | return True 62 | 63 | def _fp(self): 64 | self.res = self.req.get( 65 | str(self.target), 66 | timeout=self.config.timeout, 67 | verify=False, 68 | proxies=self.config.proxy, 69 | headers=self.headers, 70 | cookies=self.cookies 71 | ) 72 | 73 | def _get_csrf_token(self, res, cred): 74 | name = cred['auth'].get('csrf', False) 75 | if name: 76 | tree = html.fromstring(res.content) 77 | try: 78 | csrf = str(tree.xpath('//input[@name="%s"]/@value' % name)[0]) 79 | except: 80 | self.logger.error( 81 | 'Failed to get CSRF token %s in %s' % (str(name), str(res.url))) 82 | return False 83 | self.logger.debug('Got CSRF token %s: %s' % (name, csrf)) 84 | else: 85 | csrf = False 86 | 87 | return csrf 88 | 89 | def _get_session_id(self, res, cred): 90 | cookie = cred['auth'].get('sessionid', False) 91 | 92 | if cookie: 93 | try: 94 | value = res.cookies[cookie] 95 | self.logger.debug('Got session cookie value: %s' % value) 96 | except: 97 | self.logger.error( 98 | 'Failed to get %s cookie from %s' % (cookie, res.url)) 99 | return False 100 | return {cookie: value} 101 | else: 102 | self.logger.debug('No cookie') 103 | return False 104 | 105 | def ismatch(self, cred, response): 106 | match = False 107 | if cred['protocol'] == 'http': 108 | fp = cred['fingerprint'] 109 | basic_auth = fp.get('basic_auth_realm', None) 110 | if basic_auth and basic_auth in response.headers.get('WWW-Authenticate', list()): 111 | self.logger.info('%s basic auth matched: %s' % (cred['name'], basic_auth)) 112 | match = True 113 | 114 | server = response.headers.get('Server', None) 115 | fp_server = fp.get('server_header', None) 116 | if fp_server and server and fp_server in server: 117 | self.logger.debug('%s server header matched: %s' % (cred['name'], fp_server)) 118 | match = True 119 | 120 | body = fp.get('body', None) 121 | if body: 122 | for b in body: 123 | if re.search(b, response.text): 124 | match = True 125 | self.logger.info('%s body matched: %s' % (cred['name'], b)) 126 | elif body: 127 | match = False 128 | 129 | return match 130 | 131 | def get_scanners(self, creds): 132 | scanners = list() 133 | for cred in creds: 134 | if self.ismatch(cred, self.res): 135 | 136 | csrf = self._get_csrf_token(self.res, cred) 137 | if cred['auth'].get('csrf', False) and not csrf: 138 | self.logger.error('Missing required CSRF token') 139 | return 140 | 141 | sessionid = self._get_session_id(self.res, cred) 142 | if cred['auth'].get('sessionid') and not sessionid: 143 | self.logger.error("Missing session cookie %s for %s" % (cred['auth'].get('sessionid'), self.res.url)) 144 | return 145 | 146 | for pair in cred['auth']['credentials']: 147 | for u in cred['auth']['url']: # pass in the auth url 148 | target = deepcopy(self.target) 149 | target.url = u 150 | self.logger.debug('Building %s %s:%s, %s' % (cred['name'], pair['username'], pair['password'], target)) 151 | 152 | if cred['auth']['type'] == 'get': 153 | scanners.append(HTTPGetScanner(cred, target, pair['username'], pair['password'], self.config, self.req.cookies)) 154 | elif cred['auth']['type'] == 'post': 155 | scanners.append(HTTPPostScanner(cred, target, pair['username'], pair['password'], self.config, self.req.cookies, csrf)) 156 | elif cred['auth']['type'] == 'raw_post': 157 | scanners.append(HTTPRawPostScanner(cred, target, pair['username'], pair['password'], self.config, self.req.cookies, csrf, pair['raw'])) 158 | elif cred['auth']['type'] == 'basic_auth': 159 | scanners.append(HTTPBasicAuthScanner(cred, target, pair['username'], pair['password'], self.config, self.req.cookies)) 160 | 161 | return scanners 162 | 163 | @staticmethod 164 | def build_fingerprints(targets, creds, config): 165 | fingerprints = list() 166 | logger = logging.getLogger('changeme') 167 | # Build a set of unique fingerprints 168 | for target in targets: 169 | for c in creds: 170 | if not c['protocol'] == 'http': 171 | continue 172 | if not config.portoverride and (target.port and not c['default_port'] == target.port): 173 | continue 174 | 175 | fp = c['fingerprint'] 176 | for url in fp.get('url'): 177 | t = Target(host=target.host, port=target.port, protocol=target.protocol) 178 | if c.get('ssl') or config.ssl: 179 | t.protocol = 'https' 180 | else: 181 | t.protocol = 'http' 182 | 183 | if not t.port: 184 | t.port = c['default_port'] 185 | t.url = url 186 | 187 | hfp = HttpFingerprint(t, fp.get('headers', None), fp.get('cookie', None), config) 188 | logger.debug('Adding %s to fingerprint list' % hfp.target) 189 | fingerprints.append(hfp) 190 | 191 | return fingerprints 192 | -------------------------------------------------------------------------------- /changeme/scanners/http_get.py: -------------------------------------------------------------------------------- 1 | import base64 2 | import random 3 | from requests import session 4 | from .scanner import Scanner 5 | import re 6 | from selenium import webdriver 7 | from time import sleep 8 | try: 9 | # Python 3 10 | from urllib.parse import urlencode, urlparse 11 | except ImportError: 12 | # Python 2 13 | from urllib import urlencode 14 | from urlparse import urlparse 15 | 16 | HEADERS_USERAGENTS = [ 17 | 'Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.3) Gecko/20090913 Firefox/3.5.3', 18 | 'Mozilla/5.0 (Windows; U; Windows NT 6.1; en; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)', 19 | 'Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)', 20 | 'Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.1) Gecko/20090718 Firefox/3.5.1', 21 | 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/532.1 (KHTML, like Gecko) Chrome/4.0.219.6 Safari/532.1', 22 | 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; InfoPath.2)', 23 | 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Win64; x64; Trident/4.0)', 24 | 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SV1; .NET CLR 2.0.50727; InfoPath.2)', 25 | 'Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)', 26 | 'Mozilla/4.0 (compatible; MSIE 6.1; Windows XP)', 27 | 'Opera/9.80 (Windows NT 5.2; U; ru) Presto/2.5.22 Version/10.51' 28 | ] 29 | 30 | 31 | def get_useragent(): 32 | return random.choice(HEADERS_USERAGENTS) 33 | 34 | 35 | class HTTPGetScanner(Scanner): 36 | 37 | def __init__(self, cred, target, username, password, config, cookies): 38 | super(HTTPGetScanner, self).__init__(cred, target, config, username, password) 39 | self.cred = cred 40 | self.config = config 41 | self.cookies = cookies 42 | self.headers = dict() 43 | self.request = session() 44 | self.response = None 45 | 46 | headers = self.cred['auth'].get('headers', dict()) 47 | custom_ua = False 48 | if headers: 49 | for h in headers: 50 | self.headers.update(h) 51 | if not custom_ua and any(k.lower() == 'user-agent' for k in h): 52 | custom_ua = True 53 | 54 | # If set, take user agent from CLI args, otherwise, pick a random 55 | # one if not provided in the cred file. 56 | if self.config.useragent: 57 | self.headers.update(self.config.useragent) 58 | elif not custom_ua: 59 | self.headers.update({'User-Agent': get_useragent()}) 60 | 61 | # make the cred have only one u:p combo 62 | self.cred['auth']['credentials'] = [{'username': self.username, 'password': self.password}] 63 | 64 | def __reduce__(self): 65 | return self.__class__, (self.cred, self.target, self.username, self.password, self.config, self.cookies) 66 | 67 | def scan(self): 68 | try: 69 | self._make_request() 70 | except Exception as e: 71 | self.logger.error('Failed to connect to %s' % self.target) 72 | self.logger.debug('Exception: %s: %s' % (type(e).__name__, e.__str__().replace('\n', '|'))) 73 | return None 74 | 75 | if self.response.status_code == 429: 76 | self.warn('Status 429 received. Sleeping for %d seconds and trying again' % self.config.delay) 77 | sleep(self.config.delay) 78 | try: 79 | self._make_request() 80 | except Exception as e: 81 | self.logger.error('Failed to connect to %s' % self.target) 82 | 83 | return self.check_success() 84 | 85 | def check_success(self): 86 | match = False 87 | success = self.cred['auth']['success'] 88 | 89 | if self.cred['auth'].get('base64', None): 90 | self.username = base64.b64decode(self.cred.username) 91 | self.password = base64.b64decode(self.cred.password) 92 | 93 | if success.get('status') == self.response.status_code or self.response.history and self.response.history[0].status_code == success.get('status'): 94 | self.logger.debug('%s matched %s success status code %s' % (self.target, self.cred['name'], self.response.status_code)) 95 | if success.get('body'): 96 | for string in success.get('body'): 97 | if re.search(string, self.response.text, re.IGNORECASE): 98 | self.logger.debug('%s matched %s success body text %s' % (self.target, self.cred['name'], success.get('body'))) 99 | match = True 100 | break 101 | else: 102 | match = True 103 | 104 | if match: 105 | self.logger.critical('[+] Found %s default cred %s:%s at %s' % 106 | (self.cred['name'], self.username, self.password, self.target)) 107 | evidence = '' 108 | if self.config.output is not None: 109 | try: 110 | evidence = self._screenshot(self.target) 111 | except Exception as e: 112 | self.logger.error("Error gathering screenshot for %s" % self.target) 113 | self.logger.debug('Exception: %s: %s' % (type(e).__name__, e.__str__().replace('\n', '|'))) 114 | 115 | return {'name': self.cred['name'], 116 | 'username': self.username, 117 | 'password': self.password, 118 | 'target': self.target, 119 | 'evidence': evidence} 120 | else: 121 | self.logger.info('Invalid %s default cred %s:%s at %s' % 122 | (self.cred['name'], self.username, self.password, self.target)) 123 | return False 124 | 125 | def _check_fingerprint(self): 126 | self.logger.debug("_check_fingerprint") 127 | self.request = session() 128 | self.response = self.request.get(self.target, 129 | timeout=self.config.timeout, 130 | verify=False, 131 | proxies=self.config.proxy, 132 | cookies=self.fingerprint.cookies, 133 | headers=self.fingerprint.headers) 134 | self.logger.debug('_check_fingerprint', '%s - %i' % (self.target, self.response.status_code)) 135 | return self.fingerprint.match(self.response) 136 | 137 | def _make_request(self): 138 | self.logger.debug("_make_request") 139 | data = self.render_creds(self.cred) 140 | qs = urlencode(data) 141 | url = "%s?%s" % (self.target, qs) 142 | self.logger.debug("url: %s" % url) 143 | self.response = self.request.get(self.target, 144 | verify=False, 145 | proxies=self.config.proxy, 146 | timeout=self.config.timeout, 147 | headers=self.headers, 148 | cookies=self.cookies) 149 | 150 | def render_creds(self, candidate, csrf=None): 151 | """ 152 | Return a list of dicts with post/get data and creds. 153 | 154 | The list of dicts have a data element and a username and password 155 | associated with the data. The data will either be a dict if its a 156 | regular GET or POST and a string if its a raw POST. 157 | """ 158 | b64 = candidate['auth'].get('base64', None) 159 | type = candidate['auth'].get('type') 160 | config = None 161 | if type == 'post': 162 | config = candidate['auth'].get('post', None) 163 | if type == 'get': 164 | config = candidate['auth'].get('get', None) 165 | 166 | if not type == 'raw_post': 167 | data = self._get_parameter_dict(candidate['auth']) 168 | 169 | if csrf: 170 | csrf_field = candidate['auth']['csrf'] 171 | data[csrf_field] = csrf 172 | 173 | for cred in candidate['auth']['credentials']: 174 | cred_data = {} 175 | username = "" 176 | password = "" 177 | if b64: 178 | username = base64.b64encode(cred['username']) 179 | password = base64.b64encode(cred['password']) 180 | else: 181 | username = cred['username'] 182 | password = cred['password'] 183 | 184 | cred_data[config['username']] = username 185 | cred_data[config['password']] = password 186 | 187 | data_to_send = dict(list(data.items()) + list(cred_data.items())) 188 | return data_to_send 189 | else: # raw post 190 | return None 191 | 192 | def _get_parameter_dict(self, auth): 193 | params = dict() 194 | data = auth.get('post', auth.get('get', None)) 195 | for k in list(data.keys()): 196 | if k not in ('username', 'password', 'url'): 197 | params[k] = data[k] 198 | 199 | return params 200 | 201 | @staticmethod 202 | def get_base_url(req): 203 | parsed = urlparse(req) 204 | url = "%s://%s" % (parsed[0], parsed[1]) 205 | return url 206 | 207 | def _screenshot(self, target): 208 | self.logger.debug("Screenshotting %s" % self.target) 209 | # Set up the selenium webdriver 210 | # This feels like it will have threading issues 211 | for key, value in self.response.request.headers.items(): 212 | capability_key = 'phantomjs.page.customHeaders.{}'.format(key) 213 | webdriver.DesiredCapabilities.PHANTOMJS[capability_key] = value 214 | 215 | if self.config.proxy: 216 | webdriver.DesiredCapabilities.PHANTOMJS['proxy'] = { 217 | "httpProxy": self.config.proxy['http'].replace('http://', ''), 218 | "ftpProxy": self.config.proxy['http'].replace('http://', ''), 219 | "sslProxy": self.config.proxy['http'].replace('http://', ''), 220 | "noProxy":None, 221 | "proxyType":"MANUAL", 222 | "autodetect":False 223 | } 224 | driver = webdriver.PhantomJS() 225 | driver.set_page_load_timeout(int(self.config.timeout) - 0.1) 226 | driver.set_window_position(0, 0) 227 | driver.set_window_size(850, 637.5) 228 | for cookie in self.response.request._cookies.items(): 229 | self.logger.debug("Adding cookie: %s:%s" % cookie) 230 | driver.add_cookie({'name': cookie[0], 231 | 'value': cookie[1], 232 | 'path': '/', 233 | 'domain': self.target.host 234 | }) 235 | 236 | try: 237 | driver.get(str(self.target)) 238 | driver.save_screenshot('screenshot.png') 239 | evidence = driver.get_screenshot_as_base64() 240 | driver.quit() 241 | except Exception as e: 242 | self.logger.error('Error getting screenshot for %s' % self.target) 243 | self.logger.debug('Exception: %s: %s' % (type(e).__name__, e.__str__().replace('\n', '|'))) 244 | evidence = "" 245 | 246 | return evidence 247 | 248 | -------------------------------------------------------------------------------- /changeme/scanners/http_post.py: -------------------------------------------------------------------------------- 1 | from changeme.scanners.http_get import HTTPGetScanner 2 | 3 | 4 | class HTTPPostScanner(HTTPGetScanner): 5 | 6 | def __init__(self, cred, target, username, password, config, cookies, csrf): 7 | super(HTTPPostScanner, self).__init__(cred, target, username, password, config, cookies) 8 | self.csrf = csrf 9 | 10 | def __reduce__(self): 11 | return (self.__class__, (self.cred, self.target, self.username, self.password, self.config, self.cookies, self.csrf)) 12 | 13 | def _make_request(self): 14 | self.logger.debug('_make_request') 15 | self.logger.debug("target: %s" % self.target) 16 | data = self.render_creds(self.cred, self.csrf) 17 | 18 | if self.cred.get('form_data'): 19 | form_data = {} 20 | for k in data: 21 | form_data[k] = (None, data[k]) 22 | 23 | self.response = self.request.post(self.target, 24 | file=form_data, 25 | verify=False, 26 | proxies=self.config.proxy, 27 | timeout=self.config.timeout, 28 | headers=self.headers, 29 | cookies=self.cookies) 30 | else: 31 | self.response = self.request.post(self.target, 32 | data, 33 | verify=False, 34 | proxies=self.config.proxy, 35 | timeout=self.config.timeout, 36 | headers=self.headers, 37 | cookies=self.cookies) 38 | -------------------------------------------------------------------------------- /changeme/scanners/http_raw_post.py: -------------------------------------------------------------------------------- 1 | from changeme.scanners.http_post import HTTPPostScanner 2 | 3 | 4 | class HTTPRawPostScanner(HTTPPostScanner): 5 | 6 | def __init__(self, cred, target, username, password, config, cookies, csrf, raw): 7 | super(HTTPRawPostScanner, self).__init__(cred, target, username, password, config, cookies, csrf) 8 | self.raw = raw 9 | 10 | def __reduce__(self): 11 | return (self.__class__, (self.cred, self.target, self.username, self.password, self.config, self.cookies, self.csrf, self.raw)) 12 | 13 | def _make_request(self): 14 | self.logger.debug('_make_request') 15 | self.logger.debug("target: %s" % self.target) 16 | self.response = self.request.post(self.target, 17 | self.raw, 18 | verify=False, 19 | proxies=self.config.proxy, 20 | timeout=self.config.timeout, 21 | headers=self.headers, 22 | cookies=self.cookies) 23 | -------------------------------------------------------------------------------- /changeme/scanners/memcached.py: -------------------------------------------------------------------------------- 1 | import memcache 2 | from .scanner import Scanner 3 | 4 | 5 | class MemcachedScanner(Scanner): 6 | 7 | def __init__(self, cred, target, username, password, config): 8 | super(MemcachedScanner, self).__init__(cred, target, config, username, password) 9 | 10 | def _check(self): 11 | mc = memcache.Client(['%s:%s' % (self.target.host, self.target.port)], debug=0) 12 | stats = mc.get_stats() 13 | evidence = "version: %s" % (stats[0][1]['version']) 14 | 15 | return evidence 16 | 17 | def _mkscanner(self, cred, target, u, p, config): 18 | return MemcachedScanner(cred, target, u, p, config) 19 | -------------------------------------------------------------------------------- /changeme/scanners/mongo.py: -------------------------------------------------------------------------------- 1 | from pymongo import MongoClient 2 | from .scanner import Scanner 3 | import socket 4 | 5 | 6 | class Mongodb(Scanner): 7 | 8 | def __init__(self, cred, target, username, password, config): 9 | super(Mongodb, self).__init__(cred, target, config, username, password) 10 | 11 | def _check(self): 12 | u_p = "" 13 | if self.username or self.password: 14 | u_p = "%s:%s@" % (self.username, self.password) 15 | client = MongoClient('mongodb://%s%s:%s/' % (u_p, self.target.host, self.target.port)) 16 | dbs = client.database_names() 17 | server_info = client.server_info() 18 | evidence = 'Version: %s, databases: %s' % (server_info['version'], ', '.join(dbs)) 19 | 20 | return evidence 21 | 22 | def _mkscanner(self, cred, target, u, p, config): 23 | return Mongodb(cred, target, u, p, config) 24 | -------------------------------------------------------------------------------- /changeme/scanners/mssql.py: -------------------------------------------------------------------------------- 1 | from .database import Database 2 | 3 | class MSSQL(Database): 4 | def __init__(self, cred, target, username, password, config): 5 | super(MSSQL, self).__init__(cred, target, username, password, config) 6 | self.target.protocol = "mssql+pyodbc" 7 | self.database = "" 8 | self.query = "SELECT @@VERSION AS 'SQL Server Version';" 9 | 10 | def _mkscanner(self, cred, target, u, p, config): 11 | return MSSQL(cred, target, u, p, config) -------------------------------------------------------------------------------- /changeme/scanners/mysql.py: -------------------------------------------------------------------------------- 1 | from .database import Database 2 | 3 | class MySQL(Database): 4 | def __init__(self, cred, target, username, password, config): 5 | super(MySQL, self).__init__(cred, target, username, password, config) 6 | self.database = "" 7 | self.query = "select version();" 8 | 9 | def _mkscanner(self, cred, target, u, p, config): 10 | return MySQL(cred, target, u, p, config) -------------------------------------------------------------------------------- /changeme/scanners/postgres.py: -------------------------------------------------------------------------------- 1 | from .database import Database 2 | 3 | class Postgres(Database): 4 | def __init__(self, cred, target, username, password, config): 5 | super(Postgres, self).__init__(cred, target, username, password, config) 6 | self.target.protocol = "postgresql+psycopg2" 7 | self.database = "" 8 | self.query = "select version();" 9 | 10 | def _mkscanner(self, cred, target, u, p, config): 11 | return Postgres(cred, target, u, p, config) -------------------------------------------------------------------------------- /changeme/scanners/redis_scanner.py: -------------------------------------------------------------------------------- 1 | import redis 2 | from .scanner import Scanner 3 | 4 | 5 | class RedisScanner(Scanner): 6 | 7 | def __init__(self, cred, target, username, password, config): 8 | super(RedisScanner, self).__init__(cred, target, config, username, password) 9 | 10 | def _check(self): 11 | r = redis.StrictRedis(host=self.target.host, port=self.target.port) 12 | info = r.info() 13 | evidence = "redis_version: %s, os: %s" % (info['redis_version'], info['os']) 14 | 15 | return evidence 16 | 17 | def _mkscanner(self, cred, target, u, p, config): 18 | return RedisScanner(cred, target, u, p, config) 19 | -------------------------------------------------------------------------------- /changeme/scanners/scanner.py: -------------------------------------------------------------------------------- 1 | import logging 2 | from netaddr import IPAddress 3 | import socket 4 | 5 | 6 | class Scanner(object): 7 | def __init__(self, cred, target, config, username, password): 8 | self.logger = logging.getLogger('changeme') 9 | self.cred = cred 10 | self.target = target 11 | if self.target.port is None: 12 | self.target.port = self.cred['default_port'] 13 | self.config = config 14 | self.username = username 15 | self.password = password 16 | 17 | def __hash__(self): 18 | return id(self) 19 | 20 | def scan(self): 21 | return self.check_success() 22 | 23 | def fingerprint(self): 24 | if self.target.port is None: 25 | self.target.port = self.cred['default_port'] 26 | try: 27 | sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 28 | sock.settimeout(3) 29 | result = sock.connect_ex((str(self.target.host), self.target.port)) 30 | sock.shutdown(2) 31 | if result == 0: 32 | return True 33 | self.logger.info('Port %i open' % self.target.port) 34 | else: 35 | return False 36 | except Exception as e: 37 | self.logger.debug(str(e)) 38 | return False 39 | 40 | def get_scanners(self, creds): 41 | scanners = list() 42 | for pair in self.cred['auth']['credentials']: 43 | 44 | scanners.append(self._mkscanner(self.cred, self.target, pair['username'], pair['password'], self.config)) 45 | return scanners 46 | 47 | 48 | def check_success(self): 49 | try: 50 | evidence = self._check() 51 | self.logger.critical('[+] Found %s default cred %s:%s at %s' % (self.cred['name'], self.username, self.password, self.target)) 52 | self.logger.debug('%s %s:%s evidence: %s' % (self.target, self.username, self.password, evidence)) 53 | return {'name': self.cred['name'], 54 | 'username': self.username, 55 | 'password': self.password, 56 | 'target': self.target, 57 | 'evidence': evidence} 58 | 59 | except Exception as e: 60 | self.logger.info('Invalid %s default cred %s:%s at %s' % (self.cred['name'], self.username, self.password, str(self.target))) 61 | self.logger.debug('%s Exception: %s' % (type(e).__name__, str(e))) 62 | return False 63 | 64 | def _check(self): 65 | raise NotImplementedError("A Scanner class needs to implement a _check method.") 66 | 67 | def __getstate__(self): 68 | state = self.__dict__ 69 | state['logger'] = None # Need to clear the logger when serializing otherwise mp.Queue blows up 70 | return state 71 | 72 | def __setstate__(self, d): 73 | self.__dict__ = d 74 | self.logger = logging.getLogger('changeme') 75 | 76 | def __eq__(self, other): 77 | return self.__dict__ == other.__dict__ 78 | #return (str(self.target) + self.username + self.password) == (other.target + other.username + other.password) 79 | -------------------------------------------------------------------------------- /changeme/scanners/snmp.py: -------------------------------------------------------------------------------- 1 | from pysnmp.hlapi import * 2 | from .scanner import Scanner 3 | 4 | 5 | class SNMP(Scanner): 6 | def __init__(self, cred, target, username, password, config): 7 | super(SNMP, self).__init__(cred, target, config, username, password) 8 | 9 | def fingerprint(self): 10 | # Don't fingerprint since it's UDP 11 | return True 12 | 13 | def _check(self): 14 | iterator = getCmd(SnmpEngine(), 15 | CommunityData(self.password), 16 | UdpTransportTarget((str(self.target.host), 161)), 17 | ContextData(), 18 | ObjectType(ObjectIdentity('SNMPv2-MIB', 'sysDescr', 0))) 19 | 20 | errorIndication, errorStatus, errorIndex, varBinds = next(iterator) 21 | 22 | evidence = "" 23 | if errorIndication: 24 | self.logger.debug(errorIndication) 25 | elif errorStatus: 26 | self.logger.debug('%s at %s' % (errorStatus.prettyPrint(), 27 | errorIndex and varBinds[int(errorIndex) - 1][0] or '?')) 28 | else: 29 | for varBind in varBinds: 30 | evidence += ' = '.join([x.prettyPrint() for x in varBind]) 31 | 32 | if evidence == "": 33 | raise Exception 34 | 35 | return evidence 36 | 37 | def _mkscanner(self, cred, target, u, p, config): 38 | return SNMP(cred, target, u, p, config) 39 | -------------------------------------------------------------------------------- /changeme/scanners/ssh.py: -------------------------------------------------------------------------------- 1 | import paramiko 2 | from .scanner import Scanner 3 | import socket 4 | 5 | 6 | class SSH(Scanner): 7 | 8 | def __init__(self, cred, target, username, password, config): 9 | super(SSH, self).__init__(cred, target, config, username, password) 10 | 11 | def _check(self): 12 | c = paramiko.SSHClient() 13 | c.set_missing_host_key_policy(paramiko.MissingHostKeyPolicy()) # ignore unknown hosts 14 | c.connect(hostname=self.target.host, port=self.target.port, username=self.username, password=self.password) 15 | stdin, stdout, stderr = c.exec_command('uname -a') 16 | evidence = stdout.readlines()[0] 17 | c.close() 18 | 19 | return evidence 20 | 21 | def _mkscanner(self, cred, target, u, p, config): 22 | return SSH(cred, target, u, p, config) 23 | -------------------------------------------------------------------------------- /changeme/scanners/ssh_key.py: -------------------------------------------------------------------------------- 1 | import logging 2 | import paramiko 3 | from .ssh import SSH 4 | from io import StringIO 5 | 6 | 7 | class SSHKey(SSH): 8 | 9 | def __init__(self, cred, target, username, key, config): 10 | super(SSHKey, self).__init__(cred, target, username, key, config) 11 | self.logger = logging.getLogger('changeme') 12 | 13 | def _check(self): 14 | fake = StringIO(self.password) 15 | if "RSA PRIVATE KEY" in self.password: 16 | key = paramiko.RSAKey.from_private_key(fake) 17 | elif "DSA PRIVATE KEY" in self.password: 18 | key = paramiko.DSSKey.from_private_key(fake) 19 | 20 | c = paramiko.SSHClient() 21 | c.set_missing_host_key_policy(paramiko.MissingHostKeyPolicy()) # ignore unknown hosts 22 | c.connect(hostname=self.target.host, port=self.target.port, username=self.username, pkey=key) 23 | stdin, stdout, stderr = c.exec_command('uname -a') 24 | evidence = stdout.readlines()[0] 25 | c.close() 26 | 27 | self.password = 'Private Key' 28 | return evidence 29 | 30 | def _mkscanner(self, cred, target, u, p, config): 31 | return SSHKey(cred, target, u, p, config) 32 | -------------------------------------------------------------------------------- /changeme/scanners/telnet.py: -------------------------------------------------------------------------------- 1 | from .scanner import Scanner 2 | import telnetlib 3 | import re 4 | import time 5 | 6 | class Telnet(Scanner): 7 | 8 | def __init__(self, cred, target, username, password, config): 9 | super(Telnet, self).__init__(cred, target, config, username, password) 10 | 11 | def _check(self): 12 | try: 13 | telnet = telnetlib.Telnet(str(self.target.host)) 14 | timeout_allowed = int(self.cred['auth']['blockingio_timeout']) 15 | wait_for_pass_prompt = int(self.cred['auth']['telnet_read_timeout']) 16 | 17 | retval = telnet.open(str(self.target.host), int(self.target.port), timeout=timeout_allowed) 18 | retval._has_poll = False # telnetlib hackery :) 19 | banner = telnet.read_until("login: ") 20 | telnet.write(self.username + "\n") 21 | 22 | password = str(self.password) if self.password else '' 23 | 24 | result = telnet.read_until("Password: ", timeout=wait_for_pass_prompt) 25 | result = Telnet._trim_string(result) 26 | 27 | if "Password:" in result: 28 | telnet.write(password + "\n") 29 | 30 | else: 31 | self.logger.debug("Check closed at: 1") 32 | telnet.close() 33 | raise Exception("Telnet credential not found") 34 | 35 | telnet.write(b"ls\n") 36 | 37 | # evidence = '(slow connection, evidence not collected)' 38 | # try: 39 | # evidence = telnet.read_all() 40 | # except: 41 | # pass 42 | 43 | evidence = "(slow connection, evidence not collected)" 44 | time.sleep(3) 45 | evidence = telnet.read_very_eager() 46 | evidence_fp_check = Telnet._trim_string(evidence) 47 | 48 | self.logger.debug("Evidence string returned (stripped): %s" % str(evidence_fp_check)) 49 | evidence_fp_check_as_bytes = ":".join("{:02x}".format(ord(c)) for c in evidence_fp_check) 50 | self.logger.debug("Evidence string returned (bytes): %s" % str(evidence_fp_check_as_bytes)) 51 | 52 | # Remove simple echos or additional password prompt (wrong password) 53 | if (not evidence_fp_check) or (evidence_fp_check == "ls") or ("Password:" in evidence) or (evidence == ""): 54 | self.logger.debug("Check closed at: 2") 55 | telnet.close() 56 | raise Exception("Telnet credential not found") 57 | 58 | # Remove additional prompts to login - we have a correct username, but incorrect password 59 | if evidence_fp_check.endswith("login:") or evidence_fp_check.endswith("login: "): 60 | self.logger.debug("Check closed at: 3") 61 | telnet.close() 62 | raise Exception("Telnet credential not found") 63 | 64 | telnet.write("exit\n") 65 | telnet.close() 66 | 67 | return evidence 68 | 69 | except Exception as e: 70 | self.logger.debug("Error: %s" % str(e)) 71 | raise e 72 | 73 | @staticmethod 74 | def _trim_string(str_to_trim): 75 | return str(str_to_trim).replace(' ','').replace('\s','').replace('\t','').replace('\r','').replace('\n','') 76 | 77 | def _mkscanner(self, cred, target, u, p, config): 78 | return Telnet(cred, target, u, p, config) 79 | -------------------------------------------------------------------------------- /changeme/schema.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | import changeme.core 4 | import os 5 | try: 6 | # Python 3 7 | from urllib.parse import unquote_plus 8 | except ImportError: 9 | # Python 2 10 | from urllib import unquote_plus 11 | import yaml 12 | 13 | cli_prompt = input 14 | try: 15 | cli_prompt = raw_input 16 | except NameError: 17 | pass 18 | 19 | http_schema = { 20 | 'auth': { 21 | 'type': 'dict', 22 | 'required': True, 23 | 'schema': { 24 | 'credentials': { 25 | 'type': 'list', 26 | 'required': True, 27 | 'schema': { 28 | 'type': 'dict', 29 | 'schema': { 30 | 'username': { 31 | 'type': ['string', 'integer'], 32 | 'nullable': True, 33 | 'required': True, 34 | }, 35 | 'password': { 36 | 'type': ['string', 'integer'], 37 | 'nullable': True, 38 | 'required': True, 39 | }, 40 | 'ref': {'type': 'string', 'required': False}, 41 | 'raw': {'type': 'string', 'required': False}, 42 | } 43 | } 44 | }, 45 | 'headers': { 46 | 'type': 'list', 47 | 'required': False, 48 | 'schema': { 49 | 'type': 'dict' 50 | } 51 | }, 52 | 'csrf': { 53 | 'type': 'string', 54 | 'nullable': True, 55 | 'required': False, 56 | }, 57 | 'form_data': { 58 | 'type': 'boolean', 59 | 'nullable': False, 60 | 'required': False, 61 | }, 62 | 'post': { 63 | 'type': 'dict', 64 | 'allow_unknown': True, 65 | 'schema': { 66 | 'username': {'type': 'string', 'required': True}, 67 | 'password': {'type': 'string', 'required': True}, 68 | } 69 | }, 70 | 'get': { 71 | 'type': 'dict', 72 | 'allow_unknown': True, 73 | 'schema': { 74 | 'username': {'type': 'string', 'required': True}, 75 | 'password': {'type': 'string', 'required': True}, 76 | } 77 | }, 78 | 'sessionid': { 79 | 'type': 'string', 80 | 'nullable': True, 81 | 'required': False, 82 | }, 83 | 'base64': { 84 | 'type': 'boolean', 85 | 'nullable': False, 86 | 'required': False, 87 | }, 88 | 'success': { 89 | 'type': 'dict', 90 | 'schema': { 91 | 'body': { 92 | 'type': 'list', 93 | 'required': False 94 | }, 95 | 'status': {'type': 'integer', 'required': True}, 96 | }, 97 | }, 98 | 'type': { 99 | 'type': 'string', 100 | 'regex': 'post|basic_auth|get|raw_post', 101 | 'required': True 102 | }, 103 | 'url': { 104 | 'type': 'list', 105 | 'required': True, 106 | 'schema': {'type': 'string'} 107 | }, 108 | } 109 | }, 110 | 'category': {'type': 'string', 'required': True}, 111 | 'contributor': {'type': 'string', 'required': True}, 112 | 'fingerprint': { 113 | 'type': 'dict', 114 | 'required': True, 115 | 'schema': { 116 | 'body': {'type': 'list', 'required': False}, 117 | 'server_header': {'type': 'string', 'required': False}, 118 | 'cookie': { 119 | 'type': 'list', 120 | 'required': False, 121 | 'schema': { 122 | 'type': 'dict' 123 | }, 124 | }, 125 | 'headers': { 126 | 'type': 'list', 127 | 'required': False, 128 | 'schema': { 129 | 'type': 'dict' 130 | } 131 | }, 132 | 'status': {'type': 'integer', 'required': True}, 133 | 'basic_auth_realm': { 134 | 'type': 'string', 135 | 'nullable': True, 136 | 'required': False, 137 | }, 138 | 'url': { 139 | 'type': 'list', 140 | 'required': True, 141 | 'schema': {'type': 'string'} 142 | }, 143 | }, 144 | }, 145 | 'default_port': {'type': 'integer', 'required': True}, 146 | 'name': {'type': 'string', 'required': True}, 147 | 'ssl': {'type': 'boolean', 'required': True}, 148 | 'references': {'type': 'list', 'required': False}, 149 | 'versions': {'type': 'list', 'required': False}, 150 | 'protocol': {'type': 'string', 'required': False}, 151 | } 152 | 153 | 154 | def mkcred(): 155 | """ 156 | TODO: 157 | - move credentials under auth 158 | - move auth url under auth 159 | - move success under auth 160 | - move auth url under auth 161 | - move type under auth 162 | """ 163 | 164 | parameters = dict() 165 | auth_types = ['post', 'basic_auth', 'get', 'raw_post'] 166 | 167 | def get_data(field, prompt, boolean=False, integer=False): 168 | result = cli_prompt(prompt).strip() 169 | if boolean and result.lower() == 'y': 170 | result = True 171 | elif boolean: 172 | result = False 173 | 174 | if integer: 175 | result = int(result) 176 | 177 | parameters[field] = result 178 | 179 | get_data('contributor', 'Your name or handle: ') 180 | get_data('name', 'Name of service (JBoss, Tomcat): ') 181 | get_data('protocol', 'Protocol of service (http, ssh, ftp): ') 182 | get_data('category', 'Category of service (general, printer, phone): ') 183 | get_data('default_port', 'Default port: ', integer=True) 184 | get_data('ssl', 'Does the service use ssl (y/n): ', boolean=True) 185 | 186 | # Fingerprint 187 | ############################################################################### 188 | fp = dict() 189 | 190 | # Fingerprint url is confiured as a list so we can have more than one path 191 | path = cli_prompt('Path to the fingerprint page (/index.php): ') 192 | path_list = list() 193 | path_list.append(path) 194 | fp['url'] = path_list 195 | 196 | fp_status = cli_prompt('HTTP status code of fingerprint (401, 200): ') 197 | fp_body = cli_prompt('Unique string in the fingerprint page (Welcome to ***): ') 198 | server_header = cli_prompt('Server header (if unique): ') 199 | basic_auth_realm = cli_prompt('Basic Auth Realm: ') 200 | 201 | fp['status'] = int(fp_status) 202 | if fp_body: 203 | b = list() 204 | b.append(fp_body) 205 | fp['body'] = b 206 | if basic_auth_realm: 207 | fp['basic_auth_realm'] = basic_auth_realm 208 | if server_header: 209 | fp['server_header'] = server_header 210 | 211 | parameters['fingerprint'] = fp 212 | 213 | # Authentication 214 | ############################################################################### 215 | auth = dict() 216 | headers = list() 217 | auth_urls = list() 218 | url = cli_prompt('Authentication URL (/login.php): ') 219 | auth_urls.append(url) 220 | auth['url'] = auth_urls 221 | 222 | while True: 223 | t = cli_prompt('Type of authentication method (post, basic_auth, get, raw_post): ') 224 | if t in auth_types: 225 | auth['type'] = t 226 | break 227 | else: 228 | print('Invalid auth type') 229 | 230 | if auth['type'] == 'post' or auth['type'] == 'get': 231 | form = dict() 232 | form['username'] = cli_prompt('Name of username field: ') 233 | form['password'] = cli_prompt('Name of password field: ') 234 | form_params = cli_prompt('Post parameters, query string or raw post (json, xml): ') 235 | 236 | if form_params: 237 | form_params = unquote_plus(form_params) # decode the parameters 238 | for f in form_params.split('&'): 239 | fname = f.split('=')[0] 240 | fvalue = f.split('=')[1] 241 | if fname == form['username'] or fname == form['password']: 242 | continue 243 | else: 244 | form[fname] = fvalue 245 | 246 | if auth['type'] == 'raw_post': 247 | form['raw'] = form_params 248 | 249 | auth[auth['type']] = form 250 | while True: 251 | header = cli_prompt('Pleae enter any custom header needed. Hit enter if done or not needed \n Example: Content-Type: application/json: ') 252 | if len(header) > 0: 253 | if len(header.split(':')) == 2: 254 | h = header.split(':') 255 | header = {h[0]: h[1]} 256 | headers.append(header) 257 | else: 258 | print('Invalid header. Headers must be in the format "Header_name: header_value"\n') 259 | else: 260 | break 261 | csrf = cli_prompt('Name of csrf field: ') 262 | if csrf: 263 | auth['csrf'] = csrf 264 | 265 | sessionid = cli_prompt('Name of session cookie: ') 266 | if sessionid: 267 | auth['sessionid'] = sessionid 268 | 269 | creds = list() 270 | num_creds = cli_prompt('How many default creds for this service (1, 2, 3): ') 271 | for i in range(0, int(num_creds)): 272 | user = cli_prompt('Username %i: ' % (i + 1)) 273 | passwd = cli_prompt('Password %i: ' % (i + 1)) 274 | 275 | if auth['type'] == 'raw_post': 276 | raw = cli_prompt('Raw post %i: ' % (i + 1)) 277 | creds.append({'username': user, 'password': passwd, 'raw': raw}) 278 | else: 279 | creds.append({'username': user, 'password': passwd}) 280 | 281 | auth['credentials'] = creds 282 | auth['headers'] = headers 283 | 284 | success = dict() 285 | success['status'] = 200 286 | success['body'] = list() 287 | success['body'].append(cli_prompt('Unique string in page of a successful login (Logout): ')) 288 | 289 | auth['success'] = success 290 | parameters['auth'] = auth 291 | 292 | print() 293 | fname = parameters['name'].lower().replace(' ', '_').replace('/', '_') + '.yml' 294 | print('Writing config to %s' % fname) 295 | 296 | cdir = os.path.join('creds', parameters['protocol'], parameters['category']) 297 | if not os.path.isdir(cdir): 298 | os.makedirs(cdir) 299 | 300 | with open(os.path.join(cdir, fname), 'w') as fout: 301 | fout.write(yaml.dump(parameters, default_flow_style=False)) 302 | 303 | print(yaml.dump(parameters, default_flow_style=False)) 304 | 305 | changeme.core.validate_cred(parameters, fname, parameters['category']) 306 | -------------------------------------------------------------------------------- /changeme/target.py: -------------------------------------------------------------------------------- 1 | from libnmap.parser import NmapParser as np 2 | import logging 3 | from netaddr import IPNetwork 4 | from netaddr.core import AddrFormatError 5 | import re 6 | from os.path import isfile 7 | import shodan 8 | import socket 9 | 10 | class Target(object): 11 | def __init__(self, host=None, port=None, protocol=None, url=None): 12 | self.host = host 13 | if port: 14 | port = re.sub(r'\D','',str(port)) 15 | if 0 < int(port) < 65535: 16 | self.port = int(port) 17 | else: 18 | #just disregard the port for now. 19 | self.port = None 20 | else: 21 | self.port = None 22 | self.protocol = protocol 23 | self.url = url 24 | self.ip = None 25 | 26 | def __eq__(self, other): 27 | return self.__dict__ == other.__dict__ 28 | 29 | def __hash__(self): 30 | return id(self) 31 | 32 | def __repr__(self): 33 | return self.__str__() 34 | 35 | def __str__(self): 36 | target = self 37 | 38 | if self.host: 39 | target = self.host 40 | 41 | if self.port: 42 | target += ":%s" % self.port 43 | 44 | if self.protocol: 45 | target = "%s://" % self.protocol + target 46 | 47 | if self.url: 48 | target += self.url 49 | 50 | return str(target) 51 | 52 | def get_ip(self): 53 | if self.ip is None: 54 | regex = re.compile(r'^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$') 55 | result = regex.match(self.host) 56 | if not result: 57 | self.ip = socket.gethostbyname(self.host) 58 | else: 59 | self.ip = self.host 60 | 61 | return self.ip 62 | 63 | @staticmethod 64 | def parse_target(target): 65 | logger = logging.getLogger('changeme') 66 | targets = set() 67 | if isfile(target): 68 | try: 69 | # parse nmap 70 | report = np.parse_fromfile(target) 71 | logger.info('Loaded %i hosts from %s' % (len(report.hosts), target)) 72 | for h in report.hosts: 73 | for s in h.services: 74 | targets.add(Target(host=h.address, port=s.port)) 75 | except: 76 | # parse text file 77 | with open(target, 'r') as fin: 78 | for line in fin: 79 | res = Target._parse_target_string(line) 80 | for t in res: 81 | targets.add(t) 82 | else: 83 | targets = Target._parse_target_string(target) 84 | 85 | return targets 86 | 87 | @staticmethod 88 | def _parse_target_string(target): 89 | logger = logging.getLogger('changeme') 90 | logger.debug('Parsing target %s' % target) 91 | target = target.strip().rstrip('/') 92 | targets = set() 93 | try: 94 | for ip in IPNetwork(target).iter_hosts(): #(covers IP or cidr) #3,4 95 | targets.add(Target(host=str(ip))) 96 | except AddrFormatError: 97 | if len(target.split(':')) == 3: 98 | # mysql://127.0.0.1:3306 99 | protocol = target.split(':')[0] 100 | host = target.split(':')[1].replace('//', '') 101 | port = target.split(':')[2] 102 | targets.add(Target(host=host, port=port, protocol=protocol)) 103 | elif "://" in target: 104 | # snmp://127.0.0.1 105 | protocol = target.split(':')[0] 106 | host = target.split(':')[1].replace('//', '') 107 | targets.add(Target(host=host, protocol=protocol)) 108 | elif ":" in target: 109 | # 127.0.0.1:8080 110 | host = target.split(':')[0] 111 | port = target.split(':')[1] 112 | targets.add(Target(host=host, port=port)) 113 | else: 114 | targets.add(Target(host=target)) 115 | 116 | return targets 117 | 118 | @staticmethod 119 | def get_shodan_targets(config): 120 | logger = logging.getLogger('changeme') 121 | targets = set() 122 | api = shodan.Shodan(config.shodan_key) 123 | results = api.search(config.shodan_query) 124 | logger.debug("shodan results: %s" % results) 125 | for r in results['matches']: 126 | targets.add(Target(host=r['ip_str'])) 127 | 128 | return targets 129 | -------------------------------------------------------------------------------- /changeme/templates/report.j2: -------------------------------------------------------------------------------- 1 | 2 | 3 | Changme Default Credential Report 4 | 5 | 6 | 7 | 13 | 14 | 15 |
16 |
17 |
18 |

Changeme

19 |
    20 |
  • Found {{ found|length }} credentials
    • 21 |
  • Scan: {{ cli }}
    • 22 |
  • Report Timestamp: {{ timestamp }}
    • 23 |
24 |
25 |
26 | {% for cred in found %} 27 |
28 |
29 |
    30 |
  • Service: {{ cred['name'] }}
    • 31 |
  • Username: {{ cred['username'] if cred['username'] != None }}
    • 32 |
  • Password: {{ cred['password'] if cred['password'] != None }}
    • 33 | {% if 'http' in cred['target'].protocol %} 34 |
  • {{ cred['target'] }}
    • 35 | {% else %} 36 |
  • {{ cred['target'] }}
    • 37 | {% endif %} 38 |
39 |
40 |
41 | {% if 'http' in cred['target'].protocol %} 42 | {{ cred['url'] }} 43 | {% else %} 44 | {{ cred['evidence'] }} 45 | {% endif %} 46 |
47 |
48 | {% endfor %} 49 |
50 | 51 | 52 | -------------------------------------------------------------------------------- /changeme/tests/__init__.py: -------------------------------------------------------------------------------- 1 | __all__ = ['core', 'http', 'memcached', 'redis_scanner', 'snmp', 'target'] 2 | -------------------------------------------------------------------------------- /changeme/tests/core.py: -------------------------------------------------------------------------------- 1 | import argparse 2 | from changeme import * 3 | from copy import deepcopy 4 | import mock 5 | from nose.tools import * 6 | from netaddr import IPAddress 7 | 8 | 9 | cli_args = {'all': False, 10 | 'category': None, 11 | 'contributors': False, 12 | 'debug': True, 13 | 'delay': 500, 14 | 'dump': False, 15 | 'dryrun': False, 16 | 'fingerprint': False, 17 | 'fresh': True, 18 | 'log': None, 19 | 'mkcred': False, 20 | 'name': None, 21 | 'noversion': True, 22 | 'output': None, 23 | 'oa': False, 24 | 'portoverride': False, 25 | 'protocols': 'http', 26 | 'proxy': None, 27 | 'resume': False, 28 | 'shodan_query': None, 29 | 'shodan_key': None, 30 | 'ssl': False, 31 | 'target': '127.0.0.1', 32 | 'threads': 20, 33 | 'timeout': 10, 34 | 'useragent': None, 35 | 'validate': False, 36 | 'verbose': False,} 37 | 38 | 39 | 40 | def test_banner(): 41 | core.banner(version.__version__) 42 | 43 | no_args = deepcopy(cli_args) 44 | no_args['target'] = None 45 | @raises(SystemExit) 46 | @mock.patch('argparse.ArgumentParser.parse_args', return_value=argparse.Namespace(**no_args)) 47 | def test_no_args(mock_args): 48 | args = core.parse_args() 49 | core.init_logging(args['args'].verbose, args['args'].debug, args['args'].log) 50 | config = core.Config(args['args'], args['parser']) 51 | 52 | 53 | args = deepcopy(cli_args) 54 | args['target'] = '127.0.0.1' 55 | @mock.patch('argparse.ArgumentParser.parse_args', return_value=argparse.Namespace(**args)) 56 | def test_target(mock_args): 57 | args = core.parse_args() 58 | core.init_logging(args['args'].verbose, args['args'].debug, args['args'].log) 59 | config = core.Config(args['args'], args['parser']) 60 | 61 | 62 | """ 63 | args = deepcopy(cli_args) 64 | args['targets'] = '/etc/hosts' 65 | args['target'] = None 66 | print args 67 | @mock.patch('argparse.ArgumentParser.parse_args', return_value=argparse.Namespace(**args)) 68 | def test_targets(mock_args): 69 | core.Config() 70 | """ 71 | 72 | args = deepcopy(cli_args) 73 | args['contributors'] = True 74 | @mock.patch('argparse.ArgumentParser.parse_args', return_value=argparse.Namespace(**args)) 75 | def test_contributors(mock_args): 76 | args = core.parse_args() 77 | core.init_logging(args['args'].verbose, args['args'].debug, args['args'].log) 78 | config = core.Config(args['args'], args['parser']) 79 | creds = core.load_creds(config) 80 | core.print_contributors(creds) 81 | 82 | 83 | args = deepcopy(cli_args) 84 | args['dump'] = True 85 | @mock.patch('argparse.ArgumentParser.parse_args', return_value=argparse.Namespace(**args)) 86 | def test_print_creds(mock_args): 87 | args = core.parse_args() 88 | core.init_logging(args['args'].verbose, args['args'].debug, args['args'].log) 89 | config = core.Config(args['args'], args['parser']) 90 | creds = core.load_creds(config) 91 | core.print_creds(creds) 92 | -------------------------------------------------------------------------------- /changeme/tests/http.py: -------------------------------------------------------------------------------- 1 | import argparse 2 | from changeme.scan_engine import ScanEngine 3 | from changeme.target import Target 4 | from changeme import core 5 | from .core import cli_args 6 | from copy import deepcopy 7 | import csv 8 | import json 9 | import logging 10 | import mock 11 | from .mock_responses import MockResponses 12 | from nose.tools import * 13 | import os 14 | import responses 15 | 16 | """ 17 | TODO: 18 | - Custom headers 19 | - 429 response code 20 | - 21 | 22 | """ 23 | 24 | def reset_handlers(): 25 | logger = logging.getLogger('changeme') 26 | logger.handlers = [] 27 | core.remove_queues() 28 | 29 | 30 | fp_args = deepcopy(cli_args) 31 | fp_args['nmap'] = 'tests/tomcat_nmap.xml' 32 | fp_args['name'] = 'Tomcat' 33 | @responses.activate 34 | @mock.patch('argparse.ArgumentParser.parse_args', return_value=argparse.Namespace(**fp_args)) 35 | def test_tomcat_match_nmap(mock_args): 36 | def tomcat_callback(request): 37 | if request.headers.get('Authorization', False): 38 | return (200, MockResponses.tomcat_auth['adding_headers'], MockResponses.tomcat_auth['body']) 39 | else: 40 | return (401, MockResponses.tomcat_fp['adding_headers'], '') 41 | 42 | responses.add_callback( 43 | responses.GET, 44 | MockResponses.tomcat_fp['url'], 45 | callback=tomcat_callback, 46 | ) 47 | 48 | reset_handlers() 49 | try: 50 | os.remove(core.PERSISTENT_QUEUE) 51 | except OSError: 52 | pass 53 | 54 | args = core.parse_args() 55 | core.init_logging(args['args'].verbose, args['args'].debug, args['args'].log) 56 | config = core.Config(args['args'], args['parser']) 57 | creds = core.load_creds(config) 58 | s = ScanEngine(creds, config) 59 | s._build_targets() 60 | s._add_terminators(s.fingerprints) 61 | 62 | print(("fp: %i" % s.fingerprints.qsize())) 63 | s.fingerprint_targets() 64 | 65 | # Queue is not serializeable so we can't copy it using deepcopy 66 | scanners = list() 67 | print(("scanners: %s" % s.scanners.qsize())) 68 | 69 | t1 = Target(host='127.0.0.1', port=8080, protocol='http', url='/manager/html') 70 | t2 = Target(host='127.0.0.1', port=8080, protocol='http', url='/tomcat/manager/html') 71 | while s.scanners.qsize() > 0: 72 | scanner = s.scanners.get() 73 | assert scanner.target == t1 or scanner.target == t2 74 | scanners.append(scanner) 75 | 76 | # Load the scanners back into the queue 77 | for scanner in scanners: 78 | s.scanners.put(scanner) 79 | assert s.scanners.qsize() == 34 80 | s._add_terminators(s.scanners) 81 | 82 | responses.reset() 83 | responses.add(**MockResponses.tomcat_auth) 84 | s._scan(s.scanners, s.found_q) 85 | assert s.found_q.qsize() == 17 86 | 87 | 88 | fp_args = deepcopy(cli_args) 89 | fp_args['fingerprint'] = True 90 | fp_args['name'] = 'Tomcat' 91 | fp_args['noversion'] = False 92 | @responses.activate 93 | @mock.patch('argparse.ArgumentParser.parse_args', return_value=argparse.Namespace(**fp_args)) 94 | def test_tomcat_fingerprint(mock_args): 95 | responses.add(**MockResponses.tomcat_fp) 96 | print(responses.__dict__) 97 | reset_handlers() 98 | se = core.main() 99 | print(("Scanners:",se.scanners.qsize())) 100 | assert se.scanners.qsize() == 34 101 | core.remove_queues() 102 | 103 | @responses.activate 104 | @mock.patch('argparse.ArgumentParser.parse_args', return_value=argparse.Namespace(**cli_args)) 105 | def test_tomcat_invalid_creds(mock_args): 106 | responses.add(**MockResponses.tomcat_fp) 107 | reset_handlers() 108 | se = core.main() 109 | assert se.found_q.qsize() == 0 110 | 111 | @responses.activate 112 | @mock.patch('argparse.ArgumentParser.parse_args', return_value=argparse.Namespace(**cli_args)) 113 | def test_jboss_scan_fail(mock_args): 114 | responses.add(**MockResponses.jboss_fp) 115 | responses.add(**MockResponses.jboss_auth_fail) 116 | 117 | reset_handlers() 118 | args = core.parse_args() 119 | core.init_logging(args['args'].verbose, args['args'].debug, args['args'].log) 120 | config = core.Config(args['args'], args['parser']) 121 | creds = core.load_creds(config) 122 | se = ScanEngine(creds, config) 123 | se._build_targets() 124 | se._add_terminators(se.fingerprints) 125 | se.fingerprint_targets() 126 | print(se.scanners.qsize()) 127 | scanners = list() 128 | while se.scanners.qsize() > 0: 129 | s = se.scanners.get() 130 | print(s.cred['name']) 131 | print(s.target) 132 | print(s.username) 133 | print(s.password) 134 | scanners.append(s) 135 | 136 | print("num scanners: %i" % len(scanners)) 137 | assert len(scanners) == 2 138 | 139 | # put scanners back in queue 140 | for s in scanners: 141 | se.scanners.put(s) 142 | 143 | se._add_terminators(se.scanners) 144 | se._scan(se.scanners, se.found_q) 145 | assert se.found_q.qsize() == 0 146 | 147 | 148 | jboss_args = deepcopy(cli_args) 149 | jboss_args['name'] = 'JBoss AS 6 Alt' 150 | @responses.activate 151 | @mock.patch('argparse.ArgumentParser.parse_args', return_value=argparse.Namespace(**jboss_args)) 152 | def test_jboss_scan_success(mock_args): 153 | responses.add(**MockResponses.jboss_fp) 154 | responses.add(**MockResponses.jboss_auth) 155 | reset_handlers() 156 | se = core.main() 157 | assert se.found_q.qsize() == 1 158 | 159 | 160 | subnet_args = deepcopy(cli_args) 161 | subnet_args['target'] = '127.0.0.1/32' 162 | subnet_args['protocols'] = 'http' 163 | subnet_args['name'] = 'JBoss AS 6 Alt' 164 | @responses.activate 165 | @mock.patch('argparse.ArgumentParser.parse_args', return_value=argparse.Namespace(**subnet_args)) 166 | def test_jboss_scan_success_subnet(mock_args): 167 | responses.add(**MockResponses.jboss_fp) 168 | responses.add(**MockResponses.jboss_auth) 169 | reset_handlers() 170 | se = core.main() 171 | assert se.found_q.qsize() == 1 172 | 173 | 174 | @responses.activate 175 | @mock.patch('argparse.ArgumentParser.parse_args', return_value=argparse.Namespace(**cli_args)) 176 | def test_jboss_csrf_fail(mock_args): 177 | responses.add(**MockResponses.jboss_fp_no_csrf) 178 | reset_handlers() 179 | se = core.main() 180 | assert se.found_q.qsize() == 0 181 | 182 | 183 | idrac_args = deepcopy(cli_args) 184 | idrac_args['name'] = "Dell iDRAC" 185 | @responses.activate 186 | @mock.patch('argparse.ArgumentParser.parse_args', return_value=argparse.Namespace(**idrac_args)) 187 | def test_idrac_scan_success(mock_args): 188 | responses.reset() 189 | responses.add(**MockResponses.idrac_fp) 190 | responses.add(**MockResponses.idrac_auth) 191 | reset_handlers() 192 | se = core.main() 193 | assert se.found_q.qsize() == 1 194 | 195 | 196 | targets_args = deepcopy(cli_args) 197 | targets_args['target'] = '/tmp/targets.txt' 198 | @responses.activate 199 | @mock.patch('argparse.ArgumentParser.parse_args', return_value=argparse.Namespace(**targets_args)) 200 | def test_targets_scan_success(mock_args): 201 | responses.reset() 202 | responses.add(**MockResponses.idrac_fp) 203 | responses.add(**MockResponses.idrac_auth) 204 | with open(targets_args['target'], 'w') as fout: 205 | fout.write('127.0.0.1' + '\n') 206 | 207 | reset_handlers() 208 | se = core.main() 209 | assert se.found_q.qsize() == 1 210 | 211 | 212 | csv_args = deepcopy(cli_args) 213 | csv_args['log'] = '/tmp/output.log' 214 | csv_args['output'] = '/tmp/output.csv' 215 | csv_args['name'] = 'JBoss AS 6 Alt' 216 | @responses.activate 217 | @mock.patch('argparse.ArgumentParser.parse_args', return_value=argparse.Namespace(**csv_args)) 218 | def test_csv_output(mock_args): 219 | responses.add(**MockResponses.jboss_fp) 220 | responses.add(**MockResponses.jboss_auth) 221 | reset_handlers() 222 | se = core.main() 223 | print(se.found_q.qsize()) 224 | assert se.found_q.qsize() == 1 225 | 226 | assert os.path.isfile(csv_args['output']) 227 | i = 0 228 | with open(csv_args['output'], 'r') as csvfile: 229 | reader = csv.reader(csvfile) 230 | for line in reader: 231 | if i == 1: 232 | assert line[0] == 'JBoss AS 6 Alt' 233 | assert line[1] == 'admin' 234 | assert line[2] == 'admin' 235 | assert line[3] == 'http://127.0.0.1:8080/admin-console/login.seam' 236 | i += 1 237 | 238 | assert os.path.isfile(csv_args['log']) 239 | 240 | 241 | json_args = deepcopy(cli_args) 242 | json_args['output'] = '/tmp/output.json' 243 | json_args['name'] = 'JBoss AS 6 Alt' 244 | @responses.activate 245 | @mock.patch('argparse.ArgumentParser.parse_args', return_value=argparse.Namespace(**json_args)) 246 | def test_json_output(mock_args): 247 | responses.add(**MockResponses.jboss_fp) 248 | responses.add(**MockResponses.jboss_auth) 249 | reset_handlers() 250 | se = core.main() 251 | assert se.found_q.qsize() == 1 252 | 253 | assert os.path.isfile(json_args['output']) 254 | i = 0 255 | with open(json_args['output'], 'r') as json_file: 256 | j = json.loads(json_file.read()) 257 | assert j["results"][0]['name'] == 'JBoss AS 6 Alt' 258 | assert j['results'][0]['username'] == 'admin' 259 | assert j['results'][0]['password'] == 'admin' 260 | assert j['results'][0]['target'] == 'http://127.0.0.1:8080/admin-console/login.seam' 261 | 262 | 263 | dr_args = deepcopy(cli_args) 264 | dr_args['dryrun'] = True 265 | @raises(SystemExit) 266 | @mock.patch('argparse.ArgumentParser.parse_args', return_value=argparse.Namespace(**dr_args)) 267 | def test_dryrun(mock_args): 268 | reset_handlers() 269 | se = core.main() 270 | assert se.found_q.qsize() == 0 271 | 272 | 273 | es_args = deepcopy(cli_args) 274 | es_args['name'] = "elasticsearch" 275 | @responses.activate 276 | @mock.patch('argparse.ArgumentParser.parse_args', return_value=argparse.Namespace(**es_args)) 277 | def test_es_scan_success(mock_args): 278 | responses.reset() 279 | responses.add(**MockResponses.elasticsearch) 280 | reset_handlers() 281 | se = core.main() 282 | assert se.found_q.qsize() == 1 283 | 284 | -------------------------------------------------------------------------------- /changeme/tests/memcached.py: -------------------------------------------------------------------------------- 1 | import argparse 2 | from changeme import core 3 | from .core import cli_args 4 | from copy import deepcopy 5 | import logging 6 | import mock 7 | import os 8 | 9 | logger = logging.getLogger('changeme') 10 | 11 | def reset_handlers(): 12 | logger = logging.getLogger('changeme') 13 | logger.handlers = [] 14 | core.remove_queues() 15 | 16 | memcached_args = deepcopy(cli_args) 17 | memcached_args['protocols'] = 'memcached' 18 | memcached_args['target'] = '127.0.0.1' 19 | @mock.patch('argparse.ArgumentParser.parse_args', return_value=argparse.Namespace(**memcached_args)) 20 | def memcached(mock_args): 21 | reset_handlers() 22 | se = core.main() 23 | try: 24 | assert se.found_q.qsize() == 1 25 | except Exception as e: 26 | # Raise an assertion error if we're in Travis CI and fail 27 | if os.environ.get('TRAVIS', None): 28 | raise e 29 | # Warn if we're not Travis CI 30 | else: 31 | logger.warning('memcached failed') 32 | 33 | -------------------------------------------------------------------------------- /changeme/tests/mock_responses.py: -------------------------------------------------------------------------------- 1 | import responses 2 | 3 | 4 | class MockResponses: 5 | tomcat_fp = { 6 | 'method': responses.GET, 7 | 'url': 'http://127.0.0.1:8080/manager/html', 8 | 'status': 401, 9 | 'adding_headers': { 10 | 'Server': 'Apache-Coyote/1.1', 11 | 'WWW-Authenticate': 'Basic realm="Tomcat Manager Application'} 12 | } 13 | 14 | tomcat_fp_alt = { 15 | 'method': responses.GET, 16 | 'url': 'http://127.0.0.1:8080/tomcat/manager/html', 17 | 'status': 404, 18 | 'adding_headers': { 19 | 'Server': 'Apache-Coyote/1.1', 20 | 'WWW-Authenticate': 'Basic realm="Tomcat Manager Application'} 21 | } 22 | 23 | tomcat_auth = { 24 | 'method': responses.GET, 25 | 'url': 'http://127.0.0.1:8080/manager/html', 26 | 'status': 200, 27 | 'body': 'Tomcat Web Application Manager', 28 | 'adding_headers': {'Server': 'Apache-Coyote/1.1'} 29 | } 30 | 31 | jboss_fp = { 32 | 'method': responses.GET, 33 | 'url': 'http://127.0.0.1:8080/admin-console/login.seam', 34 | 'status': 200, 35 | 'body': '

Welcome to the JBoss AS 6 Admin Console.

', 36 | 'adding_headers': { 37 | 'Server': 'Apache-Coyote/1.1', 38 | 'Set-Cookie': 'JSESSIONID=foobar' 39 | } 40 | } 41 | 42 | jboss_fp_no_csrf = { 43 | 'method': responses.GET, 44 | 'url': 'http://127.0.0.1:8080/admin-console/login.seam', 45 | 'status': 200, 46 | 'body': '

Welcome to the JBoss AS 6 Admin Console.

', 47 | 'adding_headers': { 48 | 'Server': 'Apache-Coyote/1.1', 49 | 'Set-Cookie': 'JSESSIONID=foobar' 50 | } 51 | } 52 | 53 | jboss_auth = { 54 | 'method': responses.POST, 55 | 'url': 'http://127.0.0.1:8080/admin-console/login.seam', 56 | 'status': 200, 57 | 'body': 'Logout', 58 | 'adding_headers': {'Server': 'Apache-Coyote/1.1'} 59 | } 60 | 61 | jboss_auth_fail = { 62 | 'method': responses.POST, 63 | 'url': 'http://127.0.0.1:8080/admin-console/login.seam', 64 | 'status': 200, 65 | 'body': 'Fail', 66 | 'adding_headers': {'Server': 'Apache-Coyote/1.1'} 67 | } 68 | 69 | idrac_fp = { 70 | 'method': responses.GET, 71 | 'url': 'https://127.0.0.1:443/login.html', 72 | 'status': 200, 73 | 'body': 'Integrated Dell Remote Access Controller', 74 | 'adding_headers': { 75 | 'Server': 'Mbedthis-Appweb/2.4.2', 76 | 'Content-type': 'text/xml', 77 | 'Set-Cookie': '_appwebSessionId_=dffaac7c4fb4e3c4cbd46d3691aeb40f;', 78 | }, 79 | 'body': 'Integrated Dell Remote Access Controller 6 - Express', 80 | } 81 | 82 | idrac_auth = { 83 | 'method': responses.POST, 84 | 'url': 'https://127.0.0.1:443/data/login', 85 | 'status': 200, 86 | 'body': 'Integrated Dell Remote Access Controller', 87 | 'adding_headers': { 88 | 'Server': 'Mbedthis-Appweb/2.4.2', 89 | 'Content-type': 'text/xml', 90 | 'Set-Cookie': '_appwebSessionId_=dffaac7c4fb4e3c4cbd46d3691aeb40f', 91 | }, 92 | 'body': ' ok 0 index.html ' 93 | } 94 | 95 | zabbix_fp = { 96 | 'method': responses.GET, 97 | 'url': 'http://127.0.0.1/zabbix/index.php', 98 | 'status': 200, 99 | 'body': 'by Zabbix SIA', 100 | } 101 | 102 | zabbix_auth = { 103 | 'method': responses.POST, 104 | 'url': 'http://127.0.0.1/zabbix/index.php', 105 | 'status': 200, 106 | 'body': 'Logout', 107 | } 108 | 109 | zabbix_fail = { 110 | 'method': responses.POST, 111 | 'url': 'http://127.0.0.1/zabbix/index.php', 112 | 'status': 200, 113 | 'body': 'foobar', 114 | } 115 | 116 | ipcamera_fp = { 117 | 'method': responses.GET, 118 | 'url': 'http://127.0.0.1:81/', 119 | 'status': 200, 120 | 'body': 'GetXml("login.xml?"+param,OnLoginAckOK,OnLoginAckFail);' 121 | } 122 | 123 | ipcamera_auth = { 124 | 'method': responses.GET, 125 | 'url': 'http://127.0.0.1:81/login.xml', 126 | 'status': 200, 127 | 'body': '10Admin' 128 | } 129 | 130 | elasticsearch = { 131 | 'method': responses.GET, 132 | 'url': 'http://127.0.0.1:9200/', 133 | 'status': 200, 134 | 'body': """{ 135 | "name" : "foo", 136 | "cluster_name" : "elasticsearch", 137 | "cluster_uuid" : "1C4hbDs6TRetjINxrOKBZw", 138 | "version" : { 139 | "number" : "5.0.2", 140 | "build_hash" : "f6b4951", 141 | "build_date" : "2016-11-24T10:07:18.101Z", 142 | "build_snapshot" : false, 143 | "lucene_version" : "6.2.1" 144 | }, 145 | "tagline" : "You Know, for Search" 146 | }""" 147 | } 148 | 149 | endpoint_protector_fp = { 150 | 'method': responses.GET, 151 | 'url': 'https://127.0.0.1/index.php/login', 152 | 'status': 200, 153 | 'body': 'Endpoint Protector - Reporting and Administration Tool ', 154 | 'adding_headers': { 155 | 'Set-Cookie': 'ratool=foobar' 156 | } 157 | } 158 | 159 | endpoint_protector_auth = { 160 | 'method': responses.POST, 161 | 'url': 'http://127.0.0.1:8080/index.php/login', 162 | 'status': 200, 163 | 'body': 'Edit Profile', 164 | } 165 | -------------------------------------------------------------------------------- /changeme/tests/mongodb.py: -------------------------------------------------------------------------------- 1 | import argparse 2 | from changeme import core 3 | from .core import cli_args 4 | from copy import deepcopy 5 | import logging 6 | import mock 7 | import os 8 | 9 | 10 | logger = logging.getLogger('changeme') 11 | 12 | def reset_handlers(): 13 | logger = logging.getLogger('changeme') 14 | logger.handlers = [] 15 | core.remove_queues() 16 | 17 | mongodb_args = deepcopy(cli_args) 18 | mongodb_args['target'] = 'mongodb://127.0.0.1' 19 | @mock.patch('argparse.ArgumentParser.parse_args', return_value=argparse.Namespace(**mongodb_args)) 20 | def test_mongodb(mock_args): 21 | reset_handlers() 22 | se = core.main() 23 | 24 | try: 25 | assert se.found_q.qsize() == 1 26 | except Exception as e: 27 | # Raise an assertion error if we're in Travis CI and fail 28 | if os.environ.get('TRAVIS', None): 29 | raise e 30 | # Warn if we're not Travis CI 31 | else: 32 | logger.warning('mongodb failed') 33 | 34 | -------------------------------------------------------------------------------- /changeme/tests/redis_scanner.py: -------------------------------------------------------------------------------- 1 | import argparse 2 | from changeme import core 3 | from .core import cli_args 4 | from copy import deepcopy 5 | import logging 6 | import mock 7 | 8 | 9 | 10 | def reset_handlers(): 11 | logger = logging.getLogger('changeme') 12 | logger.handlers = [] 13 | core.remove_queues() 14 | 15 | redis_args = deepcopy(cli_args) 16 | redis_args['protocols'] = 'redis' 17 | redis_args['target'] = '127.0.0.1' 18 | @mock.patch('argparse.ArgumentParser.parse_args', return_value=argparse.Namespace(**redis_args)) 19 | def test_redis(mock_args): 20 | reset_handlers() 21 | se = core.main() 22 | assert se.found_q.qsize() == 1 23 | 24 | -------------------------------------------------------------------------------- /changeme/tests/snmp.py: -------------------------------------------------------------------------------- 1 | import argparse 2 | from changeme import core 3 | from .core import cli_args 4 | from copy import deepcopy 5 | import logging 6 | import mock 7 | 8 | 9 | 10 | def reset_handlers(): 11 | logger = logging.getLogger('changeme') 12 | logger.handlers = [] 13 | core.remove_queues() 14 | 15 | snmp_args = deepcopy(cli_args) 16 | snmp_args['protocols'] = 'snmp' 17 | snmp_args['name'] = 'publicprivate' 18 | snmp_args['target'] = 'demo.snmplabs.com' 19 | @mock.patch('argparse.ArgumentParser.parse_args', return_value=argparse.Namespace(**snmp_args)) 20 | def test_snmp(mock_args): 21 | reset_handlers() 22 | se = core.main() 23 | assert se.found_q.qsize() == 2 24 | 25 | 26 | snmp_args = deepcopy(cli_args) 27 | snmp_args['name'] = 'publicprivate' 28 | snmp_args['target'] = 'snmp://demo.snmplabs.com' 29 | @mock.patch('argparse.ArgumentParser.parse_args', return_value=argparse.Namespace(**snmp_args)) 30 | def test_snmp_proto(mock_args): 31 | reset_handlers() 32 | se = core.main() 33 | assert se.found_q.qsize() == 2 34 | 35 | -------------------------------------------------------------------------------- /changeme/tests/target.py: -------------------------------------------------------------------------------- 1 | from changeme.target import Target 2 | import os 3 | 4 | """ 5 | 1. nmap.xml 6 | 2. targets.txt 7 | 3. 127.0.0.1 8 | 4. 192.168.1.0/24 9 | 5. 192.168.59.139:8080 10 | 6. snmp://192.168.59.101 11 | 7. mysql://192.168.59.101:33306 12 | """ 13 | 14 | def test_nmap(): 15 | path = os.path.dirname(os.path.abspath(__file__)) 16 | nmap = os.path.join(path, "tomcat_nmap.xml") 17 | targets = Target.parse_target(nmap) 18 | assert len(targets) == 1 19 | t = targets.pop() 20 | path = os.path.dirname(os.path.abspath(__file__)) 21 | print("target: %s" % t) 22 | assert t == Target(host='127.0.0.1', port='8080') 23 | 24 | 25 | def test_targets_file(): 26 | target = '/tmp/targets.txt' 27 | with open(target, 'w') as fout: 28 | fout.write('127.0.0.1\n') 29 | fout.write('127.0.0.2:8080\n') 30 | 31 | targets = Target.parse_target(target) 32 | assert len(targets) == 2 33 | 34 | for t in targets: 35 | if t.host == '127.0.0.1': 36 | t1(t) 37 | else: 38 | t2(t) 39 | 40 | os.remove(target) 41 | 42 | 43 | def t1(t): 44 | assert t == Target(host='127.0.0.1') 45 | 46 | 47 | def t2(t): 48 | assert t == Target(host='127.0.0.2', port=8080) 49 | 50 | 51 | def test_ip(): 52 | target = '127.0.0.1' 53 | targets = Target.parse_target(target) 54 | assert len(targets) == 1 55 | t = targets.pop() 56 | assert t == Target(host=target) 57 | assert str(t) == target 58 | 59 | 60 | def test_cidr(): 61 | target = '192.168.1.0/24' 62 | targets = Target.parse_target(target) 63 | assert len(targets) == 254 64 | 65 | # TODO explicitly validate the range 66 | """ 67 | for ip in IPNetwork(target).iter_hosts(): 68 | print str(ip) 69 | assert Target(host=str(ip)) in targets 70 | """ 71 | 72 | 73 | def test_ip_port(): 74 | target = '192.168.1.1:8080' 75 | targets = Target.parse_target(target) 76 | assert len(targets) == 1 77 | t = targets.pop() 78 | assert t == Target(host='192.168.1.1', port='8080') 79 | assert str(t) == target 80 | 81 | 82 | def test_proto_ip(): 83 | target = 'snmp://192.168.1.1' 84 | targets = Target.parse_target(target) 85 | assert len(targets) == 1 86 | 87 | t = targets.pop() 88 | assert t == Target(host='192.168.1.1', protocol='snmp') 89 | assert str(t) == target 90 | 91 | 92 | def test_proto_ip_port(): 93 | target = 'snmp://192.168.1.1:8080' 94 | targets = Target.parse_target(target) 95 | assert len(targets) == 1 96 | 97 | t = targets.pop() 98 | assert t == Target(host='192.168.1.1', port=8080, protocol='snmp') 99 | assert str(t) == target 100 | 101 | 102 | def test_hostname(): 103 | target = 'example.com' 104 | targets = Target.parse_target(target) 105 | assert len(targets) == 1 106 | 107 | t = targets.pop() 108 | assert t == Target(host='example.com') 109 | 110 | 111 | def test_hostname_proto(): 112 | target = 'http://example.com' 113 | targets = Target.parse_target(target) 114 | assert len(targets) == 1 115 | 116 | t = targets.pop() 117 | assert t == Target(host='example.com', protocol='http') 118 | 119 | 120 | def test_hostname_proto_port(): 121 | target = 'http://example.com:80' 122 | targets = Target.parse_target(target) 123 | assert len(targets) == 1 124 | 125 | t = targets.pop() 126 | assert t == Target(host='example.com', port='80', protocol='http') 127 | -------------------------------------------------------------------------------- /changeme/tests/tomcat_nmap.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 |
21 |
22 | 23 | 24 | cpe:/a:apache:coyote_http_connector:1.1 25 | 26 | 27 | 28 | 29 | 30 | 31 | -------------------------------------------------------------------------------- /changeme/version.py: -------------------------------------------------------------------------------- 1 | __version__ = '1.2.3' 2 | contributors = [ 3 | "ztgrace", 4 | "the-c0d3r", 5 | "Graph-X", 6 | "AlessandroZ", 7 | "ThomasTJ", 8 | "Alistair Chapman", 9 | "John Van de Meulebrouck Brendgard", 10 | "network23", 11 | "decidedlygray", 12 | "Joe Testa", 13 | "Chandrapal", 14 | "Naglis Jonaitis", 15 | "Samuel Henrique", 16 | "sil3ntcor3", 17 | ] 18 | -------------------------------------------------------------------------------- /creds/ftp/ftp.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - username: anonymous 4 | password: 5 | - username: ftp 6 | password: ftp 7 | - username: guest 8 | password: guest 9 | category: ftp 10 | default_port: 21 11 | name: ftp 12 | contributor: AlessandroZ 13 | -------------------------------------------------------------------------------- /creds/ftp/zyxel.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - username: devicehaecived 4 | password: 1234 5 | category: ftp 6 | default_port: 21 7 | name: Zyxel NWA/NAP/WAC wireless access point series 8 | contributor: h4knet 9 | references: 10 | - https://www.zyxel.com/support/hardcoded-FTP-credential-vulnerability-of-access-points.shtml 11 | -------------------------------------------------------------------------------- /creds/http/camera/icatch.yml: -------------------------------------------------------------------------------- 1 | # Shodan dork: http.html_hash:"1640961097" 2 | # 3 | # author git://d34db33f-1007 | https://t.me/asleep_cg 4 | # 5 | # also check https://github.com/d34db33f-1007/icatch_rce 6 | # and https://gitlab.com/Reinmar/IPSca 7 | 8 | auth: 9 | credentials: 10 | - password: '123456' 11 | username: admin 12 | - password: icatch99 13 | username: root 14 | headers: [] 15 | success: 16 | body: 17 | - DVR 18 | status: 200 19 | type: basic_auth 20 | url: 21 | - '' 22 | category: camera 23 | contributor: 't.me/asleep_cg' 24 | default_port: 80 25 | fingerprint: 26 | basic_auth_realm: . 27 | body: 28 | - Unauthorized 29 | server_header: mini_httpd/1.19 19dec2003 30 | status: 401 31 | url: 32 | - '' 33 | name: icatch 34 | protocol: http 35 | ssl: false 36 | -------------------------------------------------------------------------------- /creds/http/camera/speco_technologies_ip_camera.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - password: '1234' 4 | username: admin 5 | headers: [] 6 | success: 7 | body: 8 | - Network Camera Viewer 9 | status: 200 10 | type: basic_auth 11 | url: 12 | - / 13 | category: camera 14 | contributor: ztgrace 15 | default_port: 80 16 | fingerprint: 17 | basic_auth_realm: SuperNova 18 | status: 401 19 | url: 20 | - / 21 | name: Speco Technologies IP Camera 22 | protocol: http 23 | ssl: false 24 | -------------------------------------------------------------------------------- /creds/http/general/activemq.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - password: admin 4 | username: admin 5 | - password: '' 6 | username: '' 7 | headers: [] 8 | success: 9 | body: 10 | - ActiveMQ Console 11 | status: 200 12 | type: basic_auth 13 | url: 14 | - /admin 15 | category: general 16 | contributor: sil3ntcor3 17 | default_port: 8161 18 | fingerprint: 19 | body: 20 | - Apache ActiveMQ 21 | status: 200 22 | url: 23 | - / 24 | name: ActiveMQ 25 | protocol: http 26 | ssl: false 27 | -------------------------------------------------------------------------------- /creds/http/general/amano_ts-3000i.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - password: '6569' 4 | username: Admin 5 | post: 6 | Submit: Login 7 | password: atvsUserPassword 8 | username: atvsUserName 9 | success: 10 | body: 11 | - '>Logout' 12 | status: 200 13 | type: post 14 | url: 15 | - /Forms/index_1 16 | category: web 17 | contributor: ztgrace 18 | default_port: 80 19 | fingerprint: 20 | body: 21 | - APC | Log On 27 | status: 200 28 | url: 29 | - /logon.htm 30 | name: APC Network Management Card 31 | ssl: false 32 | -------------------------------------------------------------------------------- /creds/http/general/audiocodes_mediant_1000.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - password: Admin 4 | username: Admin 5 | post: 6 | c0: '0' 7 | t: '1' 8 | password: u 9 | username: c1 10 | success: 11 | body: 12 | - 13 | status: 200 14 | type: post 15 | url: 16 | - /UE/Login 17 | category: web 18 | contributor: ztgrace 19 | default_port: 80 20 | fingerprint: 21 | body: 22 | - Mediant 1000 23 | status: 200 24 | url: 25 | - / 26 | name: AudioCodes Mediant 1000 27 | ssl: false 28 | -------------------------------------------------------------------------------- /creds/http/general/avaya_contact_center.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - password: webadmin 4 | username: webadmin 5 | post: 6 | LoginBtn: '' 7 | OpenSSOAutheticated: '' 8 | OpenSSOUserID: '' 9 | password: Password 10 | username: UserID 11 | success: 12 | body: 13 | - Contact Center Manager - Accept terms and conditions 14 | status: 200 15 | type: post 16 | url: 17 | - /Authenticate.asp 18 | category: web 19 | contributor: ztgrace 20 | default_port: 80 21 | fingerprint: 22 | body: 23 | - Contact Center - Manager - Login 24 | status: 200 25 | url: 26 | - / 27 | headers: 28 | - User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0) 29 | name: Avaya Contact Center 30 | ssl: false 31 | -------------------------------------------------------------------------------- /creds/http/general/ca_apm_team_center.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - password: '' 4 | username: Admin 5 | - password: Guest 6 | username: Guest 7 | post: 8 | password: j_password 9 | username: j_username 10 | sessionid: WSESSIONID 11 | success: 12 | body: 13 | - ja/webview/webview.nocache.js 14 | status: 200 15 | type: post 16 | url: 17 | - /jsp/j_security_check 18 | category: web 19 | contributor: ztgrace 20 | default_port: 80 21 | fingerprint: 22 | body: 23 | - APM WebView 24 | status: 200 25 | url: 26 | - / 27 | name: CA APM Team Center 28 | ssl: false 29 | -------------------------------------------------------------------------------- /creds/http/general/ca_netqos.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - password: nq 4 | username: nqadmin 5 | - password: nq 6 | username: nquser 7 | csrf: __VIEWSTATE 8 | post: 9 | __LASTFOCUS: '' 10 | hdnCookiesEnabled: '1' 11 | hdnRunCookieTest: '0' 12 | ibSignIn.x: '0' 13 | ibSignIn.y: '0' 14 | password: tbPassword 15 | username: tbUsername 16 | sessionid: ASP.NET_SessionId 17 | success: 18 | body: 19 | -

Object moved to here.

20 | status: 302 21 | type: post 22 | url: 23 | - /SingleSignOn/SignIn.aspx?SsoProductCode=npc&SsoRedirectUrl=%2fnpc%2fdefault.aspx 24 | category: web 25 | contributor: ztgrace 26 | default_port: 80 27 | fingerprint: 28 | body: 29 | - Network Performance Management Console 30 | status: 200 31 | url: 32 | - /SingleSignOn/SignIn.aspx?SsoProductCode=npc&SsoRedirectUrl=%2fnpc%2fdefault.aspx 33 | name: CA NetQoS 34 | ssl: false 35 | -------------------------------------------------------------------------------- /creds/http/general/cisco_collaboration_endpoint.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - password: admin 4 | username: cisco 5 | post: 6 | password: username 7 | username: password 8 | headers: [] 9 | success: 10 | body: 11 | - '"result": "ok"' 12 | status: 200 13 | type: post 14 | url: 15 | - /web/signin/open 16 | category: general 17 | contributor: AlessandroZ 18 | default_port: 443 19 | fingerprint: 20 | status: 200 21 | body: 22 | - Cisco Collaboration Endpoint 23 | url: 24 | - /web/signin 25 | name: Cisco Collaboration Endpoint 26 | protocol: http 27 | ssl: true 28 | -------------------------------------------------------------------------------- /creds/http/general/cisco_systems.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - password: cisco 4 | username: cisco 5 | headers: [] 6 | success: 7 | body: 8 | - Cisco Systems 9 | status: 200 10 | type: basic_auth 11 | url: 12 | - / 13 | category: general 14 | contributor: ztgrace, madtownliz 15 | default_port: 80 16 | fingerprint: 17 | basic_auth_realm: level_15_access 18 | status: 401 19 | url: 20 | - / 21 | name: Cisco Systems 22 | protocol: http 23 | ssl: false 24 | -------------------------------------------------------------------------------- /creds/http/general/clearpass.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - password: eTIPS123 4 | username: admin 5 | headers: [] 6 | post: 7 | password: password 8 | username: username 9 | sessionid: JSESSIONID 10 | success: 11 | body: 12 | - "" 13 | status: 302 14 | type: post 15 | url: 16 | - /tips/tipsLoginSubmit.action 17 | category: general 18 | contributor: mzet 19 | default_port: 443 20 | fingerprint: 21 | body: 22 | - ClearPass Policy Manager - Aruba Networks 23 | status: 200 24 | url: 25 | - /tips/tipsLogin.action 26 | name: ClearPass 27 | protocol: http 28 | ssl: true 29 | -------------------------------------------------------------------------------- /creds/http/general/crestron_hd-md4x1-4k-e.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - password: admin 4 | username: admin 5 | get: 6 | a: command 7 | cmd: check_login 8 | password: p2 9 | username: p1 10 | success: 11 | body: 12 | - '{"login_ur":1}' 13 | status: 200 14 | type: get 15 | url: 16 | - /aj.html 17 | category: web 18 | contributor: ztgrace 19 | default_port: 80 20 | fingerprint: 21 | body: 22 | - HD-MD4x1-4K-E 23 | status: 200 24 | url: 25 | - / 26 | name: Crestron HD-MD4x1-4K-E 27 | ssl: false 28 | -------------------------------------------------------------------------------- /creds/http/general/datastax_opscenter.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - password: admin 4 | raw: '{"username":"admin","password":"admin"}' 5 | username: admin 6 | success: 7 | body: 8 | - '{"sessionid":' 9 | status: 200 10 | type: raw_post 11 | url: 12 | - /login 13 | category: web 14 | contributor: ztgrace 15 | default_port: 8889 16 | fingerprint: 17 | body: 18 | - DataStax OpsCenter Login 19 | status: 200 20 | url: 21 | - /opscenter/login.html 22 | name: DataStax OpsCenter 6.0.x 23 | ssl: false 24 | -------------------------------------------------------------------------------- /creds/http/general/dell_idrac.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - password: calvin 4 | username: root 5 | post: 6 | password: password 7 | username: user 8 | sessionid: _appwebSessionId_ 9 | success: 10 | body: 11 | - [0|5] 12 | status: 200 13 | type: post 14 | url: 15 | - /data/login 16 | category: web 17 | contributor: ztgrace 18 | default_port: 443 19 | fingerprint: 20 | body: 21 | - Integrated Dell Remote Access Controller 22 | status: 200 23 | url: 24 | - /login.html 25 | name: Dell iDRAC 26 | ssl: true 27 | -------------------------------------------------------------------------------- /creds/http/general/dynatrace.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - password: admin 4 | username: admin 5 | success: 6 | body: 7 | - dynaTrace Server Browsable REST Webservices 8 | status: 200 9 | type: basic_auth 10 | url: 11 | - /rest/html/management/dashboards 12 | category: web 13 | contributor: BuckyGoat 14 | default_port: 8020 15 | fingerprint: 16 | basic_auth_realm: dynaTrace Server 17 | body: 18 | - dynaTrace Server Webinterface 19 | status: 401 20 | url: 21 | - /rest/html/management/dashboards 22 | name: Dynatrace 23 | ssl: false 24 | -------------------------------------------------------------------------------- /creds/http/general/elasticsearch.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - password: '' 4 | username: '' 5 | get: 6 | password: '' 7 | username: '' 8 | success: 9 | body: 10 | - '"tagline" : "You Know, for Search"' 11 | status: 200 12 | type: get 13 | url: 14 | - / 15 | category: http 16 | contributor: ztgrace 17 | default_port: 9200 18 | fingerprint: 19 | body: 20 | - '"tagline" : "You Know, for Search"' 21 | status: 200 22 | url: 23 | - / 24 | name: Elasticsearch 25 | ssl: false 26 | -------------------------------------------------------------------------------- /creds/http/general/endpoint_protector.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - password: epp2011 4 | username: root 5 | csrf: csrf_token_anon 6 | post: 7 | password: password 8 | username: username 9 | form_data: true 10 | sessionid: ratool 11 | success: 12 | body: 13 | - Edit Profile</a> 14 | status: 200 15 | type: post 16 | url: 17 | - /index.php/login 18 | category: general 19 | contributor: ccammilleri 20 | default_port: 443 21 | fingerprint: 22 | body: 23 | - Endpoint Protector - Reporting and Administration Tool 24 | status: 200 25 | url: 26 | - /index.php/login 27 | name: Endpoint Protector 28 | protocol: http 29 | ssl: true 30 | -------------------------------------------------------------------------------- /creds/http/general/grafana.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - password: admin 4 | raw: '{"user":"admin","email":"","password":"admin"}' 5 | username: admin 6 | headers: 7 | - Content-Type: application/json;charset=utf-8 8 | sessionid: grafana_sess 9 | success: 10 | body: 11 | - '{"message":"Logged in"}' 12 | status: 200 13 | type: raw_post 14 | url: 15 | - /login 16 | category: general 17 | contributor: ztgrace 18 | default_port: 3000 19 | fingerprint: 20 | body: 21 | - <title>Grafana 22 | status: 200 23 | url: 24 | - /login 25 | name: Grafana 26 | protocol: http 27 | ssl: false 28 | -------------------------------------------------------------------------------- /creds/http/general/haivision_makito_x_decoder.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - password: manager 4 | username: admin 5 | raw: '{"username":"admin","uid":-1,"gid":-1,"password":"manager"}' 6 | success: 7 | body: 8 | - '{"data":{"username": "admin","uid": 500' 9 | status: 200 10 | type: raw_post 11 | url: 12 | - /apis/authentication 13 | category: web 14 | contributor: ztgrace 15 | default_port: 443 16 | fingerprint: 17 | body: 18 | - Haivision 19 | server_header: lighttpd/1.4.35 20 | status: 200 21 | url: 22 | - /login 23 | name: Haivision Makito X Decoder 24 | ssl: true 25 | -------------------------------------------------------------------------------- /creds/http/general/hp_server_automation.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - password: admin 4 | username: Administrator 5 | - password: opsware_admin 6 | username: admin 7 | post: 8 | password: j_password 9 | username: j_username 10 | sessionid: JSESSIONID 11 | success: 12 | body: 13 | - Log Out 14 | status: 200 15 | type: post 16 | url: 17 | - /j_security_check 18 | category: web 19 | contributor: ztgrace 20 | default_port: 443 21 | fingerprint: 22 | body: 23 | - Hewlett-Packard Server Automation System Web Client 24 | status: 200 25 | url: 26 | - / 27 | name: HP Server Automation 28 | ssl: true 29 | -------------------------------------------------------------------------------- /creds/http/general/ibm_imm.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - password: PASSW0RD 4 | username: USERID 5 | raw: USERNAME=USERID,PASSWORD=PASSW0RD 6 | success: 7 | body: 8 | - 'ok:' 9 | status: 200 10 | type: raw_post 11 | url: 12 | - /session/create 13 | category: web 14 | contributor: ztgrace 15 | default_port: 80 16 | fingerprint: 17 | body: 18 | - IMM 19 | status: 200 20 | url: 21 | - / 22 | name: IBM IMM 23 | ssl: false 24 | -------------------------------------------------------------------------------- /creds/http/general/ibm_netezza.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - password: password 4 | raw: 127.0.0.1 portal false admin password 8 | 9 | username: admin 10 | success: 11 | body: 12 | - ">IBM Netezza 23 | status: 200 24 | url: 25 | - /com.netezza.portal.Portal/index.html 26 | name: IBM Netezza 27 | ssl: true 28 | -------------------------------------------------------------------------------- /creds/http/general/ibm_urbancode_deploy.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - password: admin 4 | username: admin 5 | - password: ucdpadmin 6 | username: ucdpadmin 7 | post: 8 | password: password 9 | requestedHash: '' 10 | username: username 11 | sessionid: JSESSIONID_80 12 | success: 13 | body: 14 | - Sign Out 15 | status: 200 16 | type: post 17 | url: 18 | - /tasks/LoginTasks/login 19 | category: web 20 | contributor: ztgrace 21 | default_port: 443 22 | fingerprint: 23 | body: 24 | - IBM UrbanCode Deploy 25 | status: 200 26 | url: 27 | - / 28 | name: IBM UrbanCode Deploy 29 | ssl: true 30 | -------------------------------------------------------------------------------- /creds/http/general/jasperreports.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - password: jasperadmin 4 | username: jasperadmin 5 | - password: bitnami 6 | username: jasperadmin 7 | post: 8 | j_password_pseudo: jasperadmin 9 | password: j_password 10 | userLocale: en_US 11 | userTimezone: Asia/Calcutta 12 | username: j_username 13 | sessionid: JSESSIONID 14 | success: 15 | body: 16 | - 'Jaspersoft: Browse Repository' 17 | status: 200 18 | type: post 19 | url: 20 | - /jasperserver/j_spring_security_check 21 | - /j_spring_security_check 22 | category: web 23 | contributor: ztgrace 24 | default_port: 8080 25 | fingerprint: 26 | body: 27 | - 'Jaspersoft: Login' 28 | status: 200 29 | url: 30 | - /login.html 31 | - /jasperserver/login.html 32 | name: JasperReports 33 | ssl: false 34 | -------------------------------------------------------------------------------- /creds/http/general/jboss_as_6.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - password: admin 4 | username: admin 5 | csrf: javax.faces.ViewState 6 | post: 7 | login_post: login_form 8 | login_post:submit: Login 9 | password: login_post:password 10 | username: login_post:name 11 | sessionid: JSESSIONID 12 | success: 13 | body: 14 | - Logout 15 | status: 200 16 | type: post 17 | url: 18 | - /admin-console/login.seam 19 | category: web 20 | contributor: ztgrace 21 | default_port: 8080 22 | fingerprint: 23 | body: 24 | - Welcome to the JBoss AS 6 Admin Console 25 | status: 200 26 | url: 27 | - /admin-console/login.seam 28 | name: JBoss AS 6 29 | ssl: false 30 | -------------------------------------------------------------------------------- /creds/http/general/jboss_as_6_alt.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - password: admin 4 | username: admin 5 | csrf: javax.faces.ViewState 6 | post: 7 | login_form: login_form 8 | login_form:submit: Login 9 | password: login_form:password 10 | username: login_form:name 11 | sessionid: JSESSIONID 12 | success: 13 | body: 14 | - Logout 15 | status: 200 16 | type: post 17 | url: 18 | - /admin-console/login.seam 19 | category: web 20 | contributor: ztgrace 21 | default_port: 8080 22 | fingerprint: 23 | body: 24 | - Welcome to the JBoss AS 6 Admin Console 25 | status: 200 26 | url: 27 | - /admin-console/login.seam 28 | name: JBoss AS 6 Alt 29 | ssl: false 30 | -------------------------------------------------------------------------------- /creds/http/general/jenkins.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - password: '' 4 | username: '' 5 | success: 6 | body: 7 | - Dashboard \[Jenkins\] 8 | status: 200 9 | type: basic_auth 10 | url: 11 | - / 12 | category: web 13 | contributor: ztgrace 14 | default_port: 8080 15 | fingerprint: 16 | body: 17 | - Dashboard \[Jenkins\] 18 | status: 200 19 | url: 20 | - / 21 | name: Jenkins 22 | ssl: false 23 | -------------------------------------------------------------------------------- /creds/http/general/kanboard.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - password: admin 4 | username: admin 5 | csrf: csrf_token 6 | post: 7 | password: password 8 | remember_me: '1' 9 | username: username 10 | sessionid: KB_SID 11 | success: 12 | body: 13 | - Dashboard 14 | status: 200 15 | type: post 16 | url: 17 | - /?controller=auth&action=check 18 | category: web 19 | contributor: ztgrace 20 | default_port: 80 21 | fingerprint: 22 | body: 23 | - /?controller=auth&action=check 24 | status: 200 25 | url: 26 | - /?controller=auth&action=login 27 | name: Kanboard 28 | ssl: false 29 | -------------------------------------------------------------------------------- /creds/http/general/makito_decoder.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - password: "%89%F0%01%8F%D0%01%80%F0%01%85%D0%01%83%F0%01%83%E0%01%84%F0%01" 4 | username: admin 5 | ref: http://media.extron.com/download/files/drivers/haiv_44_7036_3.pdf 6 | post: 7 | action: login 8 | md5encrypted: 'no' 9 | password: password 10 | username: username 11 | success: 12 | body: 13 | - '>LogoutMAKITO Login 24 | status: 200 25 | url: 26 | - /cgi-bin/web.cgi 27 | name: Makito Decoder 28 | ssl: false 29 | -------------------------------------------------------------------------------- /creds/http/general/netbackup_opscenter_analytics.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - password: password 4 | username: admin 5 | csrf: 6 | post: 7 | domain: OpsCenterUsers(vx) 8 | password: password 9 | save: Log In 10 | username: userName 11 | sessionid: JSESSIONID 12 | success: 13 | body: 14 | - 'document.location.href="/opscenter/homeLandingAction.do"' 15 | status: 200 16 | type: post 17 | url: 18 | - /opscenter/loadLogin.do 19 | category: web 20 | contributor: ztgrace 21 | default_port: 443 22 | fingerprint: 23 | body: 24 | - Symantec NetBackup OpsCenter Analytics 25 | status: 200 26 | url: 27 | - /opscenter/ 28 | name: NetBackup OpsCenter Analytics 29 | ssl: true 30 | -------------------------------------------------------------------------------- /creds/http/general/nexus_repository_manager.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - password: admin123 4 | username: admin 5 | success: 6 | body: 7 | - true 8 | status: 200 9 | type: basic_auth 10 | url: 11 | - /service/local/authentication/login 12 | - /nexus/service/local/authentication/login 13 | category: web 14 | contributor: ztgrace 15 | default_port: 8081 16 | fingerprint: 17 | body: 18 | - Nexus Repository Manager 19 | status: 200 20 | url: 21 | - / 22 | - /nexus/ 23 | name: Nexus Repository Manager 24 | ssl: false 25 | -------------------------------------------------------------------------------- /creds/http/general/nortel_integrated_call_director.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - password: admin 4 | username: admin 5 | post: 6 | password: password 7 | system: win32 8 | username: login 9 | success: 10 | body: 11 | - 27 | status: 200 28 | url: 29 | - /web/login 30 | default_port: 8069 31 | name: Odoo 32 | ssl: false 33 | references: 34 | - https://github.com/odoo/odoo/blob/a06747c03d30b6b463655884b6875db6b9588003/addons/web/controllers/main.py#L468-L504 35 | protocol: http 36 | -------------------------------------------------------------------------------- /creds/http/general/oracle_glassfish.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - password: admin 4 | username: admin 5 | - password: '' 6 | username: admin 7 | post: 8 | loginButton: Login 9 | loginButton.DisabledHiddenField: 'true' 10 | password: j_password 11 | username: j_username 12 | sessionid: JSESSIONID 13 | success: 14 | body: 15 | - Logout from GlassFish Administration Console 16 | status: 200 17 | type: post 18 | url: 19 | - /j_security_check 20 | category: web 21 | contributor: ztgrace 22 | default_port: 4848 23 | fingerprint: 24 | body: 25 | - Log In to GlassFish Administration Console 26 | status: 200 27 | url: 28 | - / 29 | name: Oracle Glassfish 30 | ssl: true 31 | -------------------------------------------------------------------------------- /creds/http/general/sonarqube.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - password: admin 4 | username: admin 5 | post: 6 | password: password 7 | return_to_anchor: '' 8 | username: login 9 | success: 10 | body: 11 | - '' 12 | status: 200 13 | type: post 14 | url: 15 | - /sessions/new?return_to=%2F 16 | headers: 17 | - Host: sonar.cx-build.plan.learnvest.net 18 | category: web 19 | contributor: ztgrace 20 | default_port: 80 21 | fingerprint: 22 | body: 23 | - Welcome to SonarQube Dashboard 24 | status: 200 25 | url: 26 | - / 27 | headers: 28 | - Host: sonar.cx-build.plan.learnvest.net 29 | name: SonarQube 30 | ssl: false 31 | -------------------------------------------------------------------------------- /creds/http/general/sonarqube_7.x.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - password: admin 4 | username: admin 5 | headers: 6 | - Accept: 'application/json' 7 | post: 8 | password: password 9 | username: login 10 | success: 11 | body: 12 | - '' 13 | status: 200 14 | type: post 15 | url: 16 | - /api/authentication/login 17 | category: general 18 | contributor: ztgrace 19 | default_port: 80 20 | fingerprint: 21 | body: 22 | - SonarQube 23 | status: 200 24 | url: 25 | - /sessions/new 26 | name: SonarQube 7.x 27 | protocol: http 28 | ssl: false 29 | -------------------------------------------------------------------------------- /creds/http/general/supermicro.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - password: ADMIN 4 | username: ADMIN 5 | post: 6 | password: pwd 7 | username: name 8 | success: 9 | body: 10 | - 'self.location="../cgi/url_redirect.cgi\?url_name=mainmenu"; ' 11 | status: 200 12 | type: post 13 | url: 14 | - /cgi/login.cgi 15 | category: web 16 | contributor: ztgrace 17 | default_port: 80 18 | fingerprint: 19 | body: 20 | - '

' 21 | status: 200 22 | url: 23 | - / 24 | name: Supermicro 25 | ssl: false 26 | -------------------------------------------------------------------------------- /creds/http/general/teamcity_9_guest.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - password: '' 4 | username: '' 5 | sessionid: TCSESSIONID 6 | success: 7 | body: 8 | - Projects — TeamCity 9 | status: 200 10 | type: basic_auth 11 | url: 12 | - /guestLogin.html?guest=1 13 | category: web 14 | contributor: ztgrace 15 | default_port: 80 16 | fingerprint: 17 | body: 18 | - Log in to TeamCity 19 | status: 200 20 | url: 21 | - /login.html 22 | name: TeamCity 9 Guest 23 | ssl: false 24 | -------------------------------------------------------------------------------- /creds/http/general/teleopti_wfm.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - raw: '{"granttype":"password","username":"admin@company.com","password":"admin"}' 4 | username: admin@company.com 5 | password: admin 6 | success: 7 | body: 8 | - '"AccessToken":"C1F2BF74658F78E6928A2E8A2426BE6360720989","UserName"' 9 | status: 200 10 | type: raw_post 11 | url: 12 | - /TeleoptiWFM/Administration/Login 13 | headers: 14 | - Content-Type: application/json;charset=UTF-8 15 | category: web 16 | contributor: Graph-X 17 | default_port: 80 18 | fingerprint: 19 | body: 20 | - Teleopti WFM Administration 21 | status: 200 22 | url: 23 | - /TeleoptiWFM/Administration/ 24 | name: Teleopti WFM 25 | ssl: false 26 | -------------------------------------------------------------------------------- /creds/http/general/ubiquiti_edgeos.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - username: ubnt 4 | password: ubnt 5 | post: 6 | username: username 7 | password: password 8 | sessionid: PHPSESSID 9 | success: 10 | body: 11 | - Please wait while the application loads 12 | status: 200 13 | type: post 14 | url: 15 | - / 16 | headers: 17 | - Content-Type: application/x-www-form-urlencoded 18 | category: web 19 | contributor: Gijutsu 20 | fingerprint: 21 | body: 22 | - EdgeOS 23 | status: 200 24 | url: 25 | - / 26 | name: Ubiquiti EdgeOS 27 | default_port: 443 28 | ssl: true 29 | -------------------------------------------------------------------------------- /creds/http/general/video_web_server.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - password: admin 4 | username: admin 5 | post: 6 | Submit: Submit 7 | password: password 8 | username: username 9 | success: 10 | body: 11 | - title="Next Channel" 12 | status: 200 13 | type: post 14 | url: 15 | - /home.htm 16 | category: webcam 17 | contributor: ztgrace 18 | default_port: 80 19 | fingerprint: 20 | body: 21 | - '--- VIDEO WEB SERVER ---' 22 | status: 200 23 | url: 24 | - / 25 | name: Video Web Server 26 | ssl: false 27 | -------------------------------------------------------------------------------- /creds/http/general/weblogic.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - username: system 4 | password: manager 5 | - username: weblogic 6 | password: weblogic1 7 | - username: WEBLOGIC 8 | password: WEBLOGIC 9 | - username: PUBLIC 10 | password: PUBLIC 11 | - username: EXAMPLES 12 | password: EXAMPLES 13 | - username: weblogic 14 | password: weblogic 15 | - username: system 16 | password: password 17 | - username: weblogic 18 | password: welcome(1) 19 | - username: system 20 | password: welcome(1) 21 | - username: operator 22 | password: weblogic 23 | - username: operator 24 | password: password 25 | - username: system 26 | password: Passw0rd 27 | - username: monitor 28 | password: password 29 | post: 30 | username: j_username 31 | password: j_password 32 | j_character_encoding: UTF-8 33 | sessionid: ADMINCONSOLESESSION 34 | success: 35 | body: 36 | - Logout 37 | status: 200 38 | type: post 39 | url: 40 | - /console/j_security_check 41 | category: web 42 | contributor: AlessandroZ 43 | default_port: 7001 44 | fingerprint: 45 | body: 46 | - Oracle WebLogic Server Administration Console 47 | status: 200 48 | url: 49 | - /console/login/LoginForm.jsp 50 | name: Weblogic 51 | ssl: false 52 | -------------------------------------------------------------------------------- /creds/http/general/websphere.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - password: manager 4 | username: system 5 | post: 6 | password: j_password 7 | submit: Login 8 | username: j_username 9 | sessionid: JSESSIONID 10 | success: 11 | body: 12 | - Logout 13 | status: 200 14 | type: post 15 | url: 16 | - /console/portal/Server/j_security_check 17 | category: web 18 | contributor: BuckyGoat 19 | default_port: 8080 20 | fingerprint: 21 | body: 22 | - Administrative Console Login 23 | status: 200 24 | url: 25 | - /console/portal/Server/Web%20Server 26 | name: WebSphere 27 | ssl: false 28 | -------------------------------------------------------------------------------- /creds/http/general/zabbix.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - password: zabbix 4 | username: Admin 5 | post: 6 | autologin: '1' 7 | enter: Sign in 8 | password: password 9 | request: '' 10 | username: name 11 | sessionid: zbx_sessionid 12 | success: 13 | body: 14 | - Logout 15 | status: 200 16 | type: post 17 | url: 18 | - /zabbix/index.php 19 | category: web 20 | contributor: ztgrace 21 | default_port: 80 22 | fingerprint: 23 | body: 24 | - by Zabbix SIA 25 | status: 200 26 | url: 27 | - /zabbix/index.php 28 | name: Zabbix 29 | ssl: false 30 | -------------------------------------------------------------------------------- /creds/http/iot/heatmiser_wifi_thermostat.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - password: admin 4 | username: admin 5 | headers: 6 | - Content-Type: application/x-www-form-urlencoded 7 | post: 8 | password: lgpw 9 | username: lgnm 10 | success: 11 | body: 12 | - document.logfm.lgst.value 13 | status: 200 14 | type: post 15 | url: 16 | - / 17 | category: iot 18 | contributor: ztgrace 19 | default_port: 80 20 | fingerprint: 21 | body: 22 | - Heatmiser Wifi Thermostat 23 | status: 200 24 | url: 25 | - / 26 | name: Heatmiser Wifi Thermostat 27 | protocol: http 28 | ssl: false 29 | -------------------------------------------------------------------------------- /creds/http/iot/proliphix_thermostat.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - password: admin 4 | username: admin 5 | headers: [] 6 | success: 7 | body: 8 | - Thermostat 9 | status: 200 10 | type: basic_auth 11 | url: 12 | - /index.shtml 13 | category: iot 14 | contributor: ztgrace 15 | default_port: 8086 16 | fingerprint: 17 | basic_auth_realm: tstat 18 | status: 401 19 | url: 20 | - /index.shtml 21 | name: Proliphix Thermostat 22 | protocol: http 23 | ssl: false 24 | references: 25 | - http://www.proliphix.com/Collateral/Documents/English-US/Thermostat%20Installation%20Guide.pdf 26 | -------------------------------------------------------------------------------- /creds/http/phone/polycom_vvx_500.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - password: '123' 4 | username: User 5 | - password: '456' 6 | username: Admin 7 | success: 8 | body: 9 | - Polycom - VVX 500 Configuration Utility 10 | status: 200 11 | type: basic_auth 12 | url: 13 | - /auth.htm 14 | category: phone 15 | contributor: ztgrace 16 | default_port: 80 17 | fingerprint: 18 | body: 19 | - Polycom Web Configuration Utility 20 | status: 200 21 | url: 22 | - /login.htm 23 | name: Polycom VVX 500 24 | ssl: false 25 | -------------------------------------------------------------------------------- /creds/http/printer/brother_hl_series.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - password: access 4 | username: admin 5 | success: 6 | body: 7 | - Administrator Settings 8 | status: 200 9 | type: basic_auth 10 | url: 11 | - /admin/password.html 12 | category: printer 13 | contributor: ztgrace 14 | default_port: 80 15 | fingerprint: 16 | basic_auth_realm: Printer Config 17 | body: 18 | - <TITLE>Brother HL-[0-9]+[A-Z]{2} series 19 | status: 401 20 | url: 21 | - /admin/password.html 22 | name: Brother HL Series 23 | ssl: false 24 | -------------------------------------------------------------------------------- /creds/http/printer/canon_ir-adv.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - password: '7654321' 4 | username: '7654321' 5 | post: 6 | loginType: admin 7 | password: password 8 | password2: '' 9 | uri: /rps/ 10 | user_type_generic: '' 11 | username: deptid 12 | sessionid: sessionid 13 | success: 14 | body: 15 | -
16 | status: 200 17 | type: post 18 | url: 19 | - /login 20 | category: printer 21 | contributor: ztgrace 22 | default_port: 8000 23 | fingerprint: 24 | body: 25 | - 'Default Authentication : iR-ADV' 26 | status: 200 27 | url: 28 | - /rps/ 29 | name: Canon iR-ADV 30 | ssl: false 31 | -------------------------------------------------------------------------------- /creds/http/printer/hp_laserjet_600.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - password: '' 4 | username: '' 5 | sessionid: sessionId 6 | success: 7 | body: 8 | - Password is not set. 9 | status: 200 10 | type: basic_auth 11 | url: 12 | - /hp/device/GeneralSecurity/Index 13 | category: printer 14 | contributor: ztgrace 15 | default_port: 443 16 | fingerprint: 17 | body: 18 | - id="HomeDeviceName">HP LaserJet 19 | status: 200 20 | url: 21 | - /hp/device/GeneralSecurity/Index 22 | name: HP LaserJet 600 23 | ssl: true 24 | -------------------------------------------------------------------------------- /creds/http/printer/hp_laserjet_no_password.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - password: '' 4 | username: '' 5 | success: 6 | body: 7 | - <span id="Text8" class="hpPageText" >Not Configured</span></td> 8 | status: 200 9 | type: basic_auth 10 | url: 11 | - /hp/device/this.LCDispatcher?nav=hp.Security 12 | category: printer 13 | contributor: ztgrace 14 | default_port: 443 15 | fingerprint: 16 | body: 17 | - HP LaserJet 18 | status: 200 19 | url: 20 | - /hp/device/this.LCDispatcher?nav=hp.Security 21 | name: HP LaserJet No Password 22 | ssl: true 23 | -------------------------------------------------------------------------------- /creds/http/printer/hp_laserjet_no_password_legacy.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - password: '' 4 | username: '' 5 | success: 6 | body: 7 | - A security password can be set to prevent unauthorized users 8 | status: 200 9 | type: basic_auth 10 | url: 11 | - /hp/device/this.LCDispatcher?dispatch=html&cat=1&pos=3 12 | - /hp/device/this.LCDispatcher?dispatch=html&cat=1&pos=4 13 | category: printer 14 | contributor: ztgrace 15 | default_port: 443 16 | fingerprint: 17 | body: 18 | - hp LaserJet 19 | status: 200 20 | url: 21 | - /hp/device/this.LCDispatcher?dispatch=html&cat=1&pos=3 22 | - /hp/device/this.LCDispatcher?dispatch=html&cat=1&pos=4 23 | name: HP LaserJet No Password Legacy 24 | ssl: true 25 | -------------------------------------------------------------------------------- /creds/http/printer/ricoh_mp.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - password: '' 4 | username: supervisor 5 | post: 6 | open: '' 7 | password: password 8 | password_work: '' 9 | userid_work: '' 10 | username: userid 11 | wimToken: '995573576' 12 | sessionid: risessionid 13 | base64: true 14 | success: 15 | body: 16 | - Web Image Monitor 17 | status: 200 18 | type: post 19 | url: 20 | - /web/guest/en/websys/webArch/login.cgi 21 | category: printer 22 | contributor: ztgrace 23 | default_port: 80 24 | fingerprint: 25 | body: 26 | - title="Web Image Monitor" 27 | cookie: 28 | - cookieOnOffChecker: 'on' 29 | status: 200 30 | url: 31 | - /web/guest/en/websys/webArch/authForm.cgi 32 | name: Ricoh MP 33 | ssl: false 34 | -------------------------------------------------------------------------------- /creds/http/printer/xerox_phaser_6700.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - password: '1111' 4 | username: admin 5 | post: 6 | NextPage: /properties/authentication/luidLogin.php 7 | _fun_function: HTTP_Authenticate_fn 8 | frmaltDomain: default 9 | password: webPassword 10 | username: webUsername 11 | sessionid: PHPSESSID 12 | success: 13 | body: 14 | - window.opener.top.location.pathname 15 | status: 200 16 | type: post 17 | url: 18 | - /userpost/xerox.set 19 | category: printer 20 | contributor: ztgrace 21 | default_port: 80 22 | fingerprint: 23 | body: 24 | - XEROX Phaser 6700 25 | status: 200 26 | url: 27 | - /header.php?tab=status 28 | name: XEROX Phaser 6700 29 | ssl: false 30 | -------------------------------------------------------------------------------- /creds/http/printer/xerox_workcentre_5020_dn.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - password: '' 4 | username: '11111' 5 | success: 6 | body: 7 | - IP Filtering 8 | status: 200 9 | type: basic_auth 10 | url: 11 | - /prscipfil.htm 12 | category: printer 13 | contributor: ztgrace 14 | default_port: 80 15 | fingerprint: 16 | body: 17 | - Xerox WorkCentre 5020/DN 18 | status: 200 19 | url: 20 | - /prop.htm 21 | name: Xerox WorkCentre 5020/DN 22 | ssl: false 23 | -------------------------------------------------------------------------------- /creds/http/webcam/maygion_camera.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - password: admin 4 | username: admin 5 | get: 6 | password: password 7 | pwd: admin 8 | username: user 9 | usr: admin 10 | success: 11 | body: 12 | - 10Admin 13 | status: 200 14 | type: get 15 | url: 16 | - /login.xml 17 | category: webcam 18 | contributor: ztgrace 19 | default_port: 81 20 | fingerprint: 21 | body: 22 | - GetXml\("login.xml\?"\+param,OnLoginAckOK,OnLoginAckFail\); 23 | status: 200 24 | url: 25 | - / 26 | name: MayGion Camera 27 | ssl: false 28 | -------------------------------------------------------------------------------- /creds/http/webcam/trendnet_internet_camera.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - password: admin 4 | username: admin 5 | success: 6 | body: 7 | - LIVE VIDEO 8 | status: 200 9 | type: basic_auth 10 | url: 11 | - /eng/liveView.cgi 12 | category: webcam 13 | contributor: ztgrace 14 | default_port: 80 15 | fingerprint: 16 | status: 401 17 | url: 18 | - /eng/liveView.cgi 19 | server_header: dcs-lig-httpd 20 | name: TRENDnet Internet Camera 21 | ssl: false 22 | -------------------------------------------------------------------------------- /creds/mongodb/noauth.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - username: 4 | password: 5 | category: mongodb 6 | default_port: 27017 7 | name: Mongodb noauth 8 | contributor: ztgrace 9 | -------------------------------------------------------------------------------- /creds/mssql/aris.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - username: ARIS9 4 | password: '*ARIS!1dm9n#' 5 | category: mssql 6 | default_port: 1433 7 | name: Aris 8 | contributor: ztgrace 9 | references: 10 | - https://www.ariscommunity.com/system/files/ARIS%20Server%20Installation%20and%20Administration%20Guide_0_0.pdf 11 | - https://github.com/govolution/betterdefaultpasslist/blob/master/mssql.txt 12 | -------------------------------------------------------------------------------- /creds/mssql/bosch_rps.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - username: sa 4 | password: RPSsql12345 5 | category: mssql 6 | default_port: 1433 7 | name: Bosch RPS 8 | contributor: ztgrace 9 | references: 10 | - https://github.com/govolution/betterdefaultpasslist/blob/master/mssql.txt 11 | - http://resource.boschsecurity.com/documents/RPS_InGuide_Installation_Manual_enUS_2596022155.pdf 12 | -------------------------------------------------------------------------------- /creds/mssql/cch.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - username: sa 4 | password: PracticeUser1 5 | category: mssql 6 | default_port: 1433 7 | name: CCH 8 | contributor: ztgrace 9 | references: 10 | - https://support.cch.com/kb/solution.aspx/sw29540 11 | - https://github.com/govolution/betterdefaultpasslist/blob/master/mssql.txt 12 | -------------------------------------------------------------------------------- /creds/mssql/easyWinArt.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - username: sa 4 | password: $easyWinArt4 5 | category: mssql 6 | default_port: 1433 7 | name: easyWinArt 8 | contributor: ztgrace 9 | references: 10 | - https://github.com/govolution/betterdefaultpasslist/blob/master/mssql.txt 11 | - http://www.auftragsbearbeitung-warenwirtschaft-pps.de/p/Handbuch/Installation/Installationsanleitung/ 12 | -------------------------------------------------------------------------------- /creds/mssql/emerson_ams.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - username: sa 4 | password: 42Emerson42Eme 5 | category: mssql 6 | default_port: 1433 7 | name: Emerson AMS 8 | contributor: ztgrace 9 | references: 10 | - https://github.com/govolution/betterdefaultpasslist/blob/master/mssql.txt 11 | - http://www.emerson.com/documents/automation/39924.pdf 12 | -------------------------------------------------------------------------------- /creds/mssql/geonetwork.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - username: admin 4 | password: gnos 5 | category: mssql 6 | default_port: 1433 7 | name: GeoNetwork 8 | contributor: ztgrace 9 | references: 10 | - https://github.com/govolution/betterdefaultpasslist/blob/master/mssql.txt 11 | - http://geonetwork-opensource.org/manuals/2.10.4/eng/users/quickstartguide/installing/index.html 12 | -------------------------------------------------------------------------------- /creds/mssql/i2b2_workbench.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - username: I2b2metadata 4 | password: i2b2metadata 5 | - username: I2b2demodata 6 | password: i2b2demodata 7 | - username: I2b2workdata 8 | password: i2b2workdata 9 | - username: I2b2metadata2 10 | password: i2b2metadata2 11 | - username: I2b2demodata2 12 | password: i2b2demodata2 13 | - username: I2b2workdata2 14 | password: i2b2workdata2 15 | - username: I2b2hive 16 | password: i2b2hive 17 | category: mssql 18 | default_port: 1433 19 | name: i2b2 Workbench 20 | contributor: ztgrace 21 | references: 22 | - https://www.i2b2.org/software/projects/hivecore/Data_Installation_Guide_13.pdf 23 | - https://github.com/govolution/betterdefaultpasslist/blob/master/mssql.txt 24 | -------------------------------------------------------------------------------- /creds/mssql/ibm_maximo.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - username: maxadmin 4 | password: maxadmin 5 | - username: mxintadm 6 | password: mxintadm 7 | - username: maxreg 8 | password: maxreg 9 | category: mssql 10 | default_port: 1433 11 | name: IBM Maximo 12 | contributor: ztgrace 13 | references: 14 | - https://github.com/govolution/betterdefaultpasslist/blob/master/mssql.txt 15 | - https://www-01.ibm.com/support/docview.wss?uid=swg21645570 16 | - https://www.ibm.com/support/knowledgecenter/en/SSLKT6_7.5.0/com.ibm.mam.doc/install_was/t_ccmdb_manconfigfoundinst.html 17 | -------------------------------------------------------------------------------- /creds/mssql/ibm_was.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - username: wasadmin 4 | password: wasadmin 5 | category: mssql 6 | default_port: 1433 7 | name: IBM WAS 8 | contributor: ztgrace 9 | references: 10 | - https://www.ibm.com/support/knowledgecenter/en/SSQP76_8.7.0/com.ibm.odm.distrib.config.was/config_ds_res_was/tsk_was_before_res_config.html 11 | - https://github.com/govolution/betterdefaultpasslist/blob/master/mssql.txt 12 | -------------------------------------------------------------------------------- /creds/mssql/ihs_kingdom.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - username: sa 4 | password: $ei$micMicro 5 | category: mssql 6 | default_port: 1433 7 | name: IHS Kingdom 8 | contributor: ztgrace 9 | references: 10 | - https://github.com/govolution/betterdefaultpasslist/blob/master/mssql.txt 11 | - http://www.seismicmicro.com/productreleasedocumentation/kingdom/installationguide.pdf 12 | -------------------------------------------------------------------------------- /creds/mssql/lasa_aims.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - username: ADMIN 4 | password: AIMS 5 | - username: FB 6 | password: AIMS 7 | category: mssql 8 | default_port: 1433 9 | name: Lasa AIMS 10 | contributor: ztgrace 11 | references: 12 | - https://github.com/govolution/betterdefaultpasslist/blob/master/mssql.txt 13 | - http://www.lasa.org.uk/uploads/aims/Installation_Guides/SQL_Server_Installation_Guide.pdf 14 | -------------------------------------------------------------------------------- /creds/mssql/lenel_onguard.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - username: LENEL 4 | password: MULTIMEDIA 5 | category: mssql 6 | default_port: 1433 7 | name: Lenel OnGuard 8 | contributor: ztgrace 9 | references: 10 | - http://kb.lenel.com/cd/12/articlesImport/1098.PDF 11 | - https://github.com/govolution/betterdefaultpasslist/blob/master/mssql.txt 12 | -------------------------------------------------------------------------------- /creds/mssql/mediaportal.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - username: sa 4 | password: M3d!aP0rtal 5 | category: mssql 6 | default_port: 1433 7 | name: MediaPortal 8 | contributor: ztgrace 9 | references: 10 | - https://www.team-mediaportal.com/wiki/display/MediaPortal1/SQL+Server+2008 11 | - https://github.com/govolution/betterdefaultpasslist/blob/master/mssql.txt 12 | -------------------------------------------------------------------------------- /creds/mssql/medocheck.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - username: mcUser 4 | password: medocheck123 5 | category: mssql 6 | default_port: 1433 7 | name: medo.check 8 | contributor: ztgrace 9 | references: 10 | - http://www.medocheck.com/site/assets/files/1440/kurzanleitung_mysql-server_fuer_medo_check.pdf 11 | - https://github.com/govolution/betterdefaultpasslist/blob/master/mssql.txt 12 | -------------------------------------------------------------------------------- /creds/mssql/micro_focus_silk_central.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - username: sa 4 | password: SilkCentral12!34 5 | category: mssql 6 | default_port: 1433 7 | name: Micro Focus Silk Central 8 | contributor: ztgrace 9 | references: 10 | - https://github.com/govolution/betterdefaultpasslist/blob/master/mssql.txt 11 | - http://documentation.microfocus.com/help/index.jsp?topic=%2Fcom.microfocus.sctm.doc%2FSCTM-CBA0F2AF-DATABASESETTINGSPAGE-REF.html 12 | -------------------------------------------------------------------------------- /creds/mssql/mssql.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - username: sa 4 | password: '' 5 | - username: sa 6 | password: sa 7 | - username: sa 8 | password: Password123 9 | - username: sa 10 | password: password 11 | - username: ADONI 12 | password: BPMS 13 | ref: https://github.com/govolution/betterdefaultpasslist/blob/master/mssql.txt 14 | - username: sa 15 | password: sqlserver 16 | category: mssql 17 | default_port: 1433 18 | name: MSSQL 19 | contributor: AlessandroZ, ztgrace 20 | references: 21 | - https://github.com/govolution/betterdefaultpasslist/blob/master/mssql.txt 22 | -------------------------------------------------------------------------------- /creds/mssql/napco_continental_access.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - username: sa 4 | password: cic 5 | - username: cic 6 | password: cic 7 | - username: sa 8 | password: cic!23456789 9 | - username: cic 10 | password: cic!23456789 11 | - username: sa 12 | password: Cic!23456789 13 | - username: cic 14 | password: Cic!23456789 15 | category: mssql 16 | default_port: 1433 17 | name: Napco Continental Access 18 | contributor: ztgrace 19 | references: 20 | - http://www.napcosecurity.com/download/tg04L2RevB.pdf 21 | - https://github.com/govolution/betterdefaultpasslist/blob/master/mssql.txt 22 | -------------------------------------------------------------------------------- /creds/mssql/netxms.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - username: admin 4 | password: netxms 5 | category: mssql 6 | default_port: 1433 7 | name: NetXMS 8 | contributor: ztgrace 9 | references: 10 | - https://wiki.netxms.org/wiki/Server_Installation_Guide 11 | - https://github.com/govolution/betterdefaultpasslist/blob/master/mssql.txt 12 | -------------------------------------------------------------------------------- /creds/mssql/opengts.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - username: gts 4 | password: opengts 5 | category: mssql 6 | default_port: 1433 7 | name: OpenGTS 8 | contributor: ztgrace 9 | references: 10 | - http://opengts.sourceforge.net/OpenGTS_Config.pdf 11 | - https://github.com/govolution/betterdefaultpasslist/blob/master/mssql.txt 12 | -------------------------------------------------------------------------------- /creds/mssql/safenet_sentinel_ems.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - username: sa 4 | password: DBA!sa@EMSDB123 5 | category: mssql 6 | default_port: 1433 7 | name: SafeNet Sentinel EMS 8 | contributor: ztgrace 9 | references: 10 | - http://sentinelldk.safenet-inc.com/LDKdocs/Install/Installation%20Guide/Troubleshooting/Troubleshooting.htm 11 | - https://github.com/govolution/betterdefaultpasslist/blob/master/mssql.txt 12 | -------------------------------------------------------------------------------- /creds/mssql/schlage_sms.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - username: sa 4 | password: SECAdmin1 5 | - username: SMSAdmin 6 | password: SECAdmin1 7 | category: mssql 8 | default_port: 1433 9 | name: Schlage SMS 10 | contributor: ztgrace 11 | references: 12 | - http://protechsecurity.us/wp-content/uploads/2013/12/IR-Schlage-Security-Management-System-V5.3.pdf 13 | - http://us.allegion.com/content/dam/allegion-us-2/web-documents-2/UserGuide/Schlage_Campus_Lock_Keycard_Center_User_Guide_108225.pdf 14 | - https://github.com/govolution/betterdefaultpasslist/blob/master/mssql.txt 15 | -------------------------------------------------------------------------------- /creds/mssql/skf.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - username: sa 4 | password: skf_admin1 5 | category: mssql 6 | default_port: 1433 7 | name: SKF @ptitude Analyst 8 | contributor: AlessandroZ, ztgrace 9 | references: 10 | - https://github.com/govolution/betterdefaultpasslist/blob/master/mssql.txt 11 | - http://www.skf.com/binary/79-267781/AA_2013_323124d0_IM-EN.pdf 12 | -------------------------------------------------------------------------------- /creds/mssql/splendidcrm.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - username: sa 4 | password: splendidcrm2005 5 | category: mssql 6 | default_port: 1433 7 | name: SplendidCRM 8 | contributor: ztgrace 9 | references: 10 | - http://www.splendidcrm.com/Documentation/tabid/233/rvdwktid/deployment-guide-528/Default.aspx 11 | - https://github.com/govolution/betterdefaultpasslist/blob/master/mssql.txt 12 | -------------------------------------------------------------------------------- /creds/mssql/telestream_vantage.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - username: sa 4 | password: vantage12! 5 | category: mssql 6 | default_port: 1433 7 | name: Telestream Vantage 8 | contributor: ztgrace 9 | references: 10 | - https://www.telestream.net/pdfs/app-notes/app_Vantage_DatabaseSetup.pdf 11 | - https://github.com/govolution/betterdefaultpasslist/blob/master/mssql.txt 12 | -------------------------------------------------------------------------------- /creds/mssql/timeforce.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - username: sa 4 | password: Dr8gedog 5 | - username: sa 6 | password: dr8gedog 7 | category: mssql 8 | default_port: 1433 9 | name: TimeForce 10 | contributor: ztgrace 11 | references: 12 | - https://www.mytimeforce.com/images/videos/support/training/kb/docs/internal/support/time/TIMEFORCE1Migration.pdf 13 | - https://github.com/govolution/betterdefaultpasslist/blob/master/mssql.txt 14 | -------------------------------------------------------------------------------- /creds/mssql/utc.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - username: sa 4 | password: SecurityMaster08 5 | category: mssql 6 | default_port: 1433 7 | name: UTC FCWnx 8 | contributor: ztgrace 9 | references: 10 | - http://www.bernationalcontrols.com/support_docs/Access/Lenel/Facility%20Commander%20Wnx%207.7%20User%20Manual.pdf 11 | - https://github.com/govolution/betterdefaultpasslist/blob/master/mssql.txt 12 | -------------------------------------------------------------------------------- /creds/mssql/video_insight.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - username: sa 4 | password: V4in$ight 5 | category: mssql 6 | default_port: 1433 7 | name: Video Insight 8 | contributor: ztgrace 9 | references: 10 | - http://www.video-insight.com/kb/pdf.php?cat=15&id=111&artlang=en 11 | - https://github.com/govolution/betterdefaultpasslist/blob/master/mssql.txt 12 | -------------------------------------------------------------------------------- /creds/mssql/welchallyn.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - username: sa 4 | password: Cardio.Perfect 5 | category: mssql 6 | default_port: 1433 7 | name: WelchAllyn CardioPerfect 8 | contributor: ztgrace 9 | references: 10 | - https://www.welchallyn.com/content/dam/welchallyn/documents/sap-documents/LIT/80013/80013928LITPDF.pdf 11 | - https://github.com/govolution/betterdefaultpasslist/blob/master/mssql.txt 12 | -------------------------------------------------------------------------------- /creds/mssql/wonderware_historian.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - username: aaAdmin 4 | password: pwAdmin 5 | - username: aaPower 6 | password: pwPower 7 | - username: aaUser 8 | password: pwUser 9 | - username: aadbo 10 | password: pwddbo 11 | - username: wwUser 12 | password: wwUser 13 | - username: wwPower 14 | password: wwPower 15 | - username: wwAdmin 16 | password: wwAdmin 17 | - username: wwdbo 18 | password: wwdbo 19 | category: mssql 20 | default_port: 1433 21 | name: Wonderware Historian 22 | contributor: ztgrace 23 | references: 24 | - http://platforma.astor.com.pl/files/getfile/id/3781 25 | - https://github.com/govolution/betterdefaultpasslist/blob/master/mssql.txt 26 | -------------------------------------------------------------------------------- /creds/mysql/mysql.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - username: root 4 | password: root 5 | category: ssh 6 | default_port: 3306 7 | name: MySQL 8 | contributor: ztgrace 9 | -------------------------------------------------------------------------------- /creds/postgres/ambari.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - username: ambari 4 | password: bigdata 5 | category: postgres 6 | default_port: 5432 7 | name: postgres 8 | contributor: ztgrace 9 | ref: https://discuss.pivotal.io/hc/en-us/articles/217649658-How-to-connect-to-Ambari-s-PostgreSQL-database- 10 | -------------------------------------------------------------------------------- /creds/postgres/msf.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - username: msf 4 | password: msf 5 | - username: msfdev 6 | password: msfdev 7 | category: ssh 8 | default_port: 5432 9 | name: metasploit 10 | contributor: ztgrace 11 | -------------------------------------------------------------------------------- /creds/postgres/postgres.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - username: postgres 4 | password: postgres 5 | category: postgres 6 | default_port: 5432 7 | name: postgres 8 | contributor: ztgrace 9 | -------------------------------------------------------------------------------- /creds/redis/redis.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - username: 4 | password: 5 | category: redis 6 | default_port: 6379 7 | name: Redis 8 | contributor: ztgrace 9 | -------------------------------------------------------------------------------- /creds/snmp/apc.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - username: 4 | password: TENmanUFactOryPOWER 5 | category: snmp 6 | default_port: 161 7 | name: APC SmartSlot 8 | contributor: ztgrace 9 | references: 10 | - http://www.securityfocus.com/archive/1/354230 11 | -------------------------------------------------------------------------------- /creds/snmp/cisco_guard.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - username: 4 | password: riverhead 5 | category: snmp 6 | default_port: 161 7 | name: Cisco Guard 8 | contributor: ztgrace 9 | references: 10 | - https://www.cisco.com/en/US/products/ps5888/prod_release_note09186a0080237333.html 11 | -------------------------------------------------------------------------------- /creds/snmp/common.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - username: 4 | password: 0 5 | - username: 6 | password: 0392a0 7 | - username: 8 | password: 1234 9 | - username: 10 | password: 2read 11 | - username: 12 | password: 4changes 13 | - username: 14 | password: access 15 | - username: 16 | password: adm 17 | - username: 18 | password: admin 19 | - username: 20 | password: Admin 21 | - username: 22 | password: agent 23 | - username: 24 | password: agent_steal 25 | - username: 26 | password: all 27 | - username: 28 | password: all 29 | - username: 30 | password: private 31 | - username: 32 | password: all 33 | - username: 34 | password: ANYCOM 35 | - username: 36 | password: apc 37 | - username: 38 | password: bintec 39 | - username: 40 | password: blue 41 | - username: 42 | password: c 43 | - username: 44 | password: C0de 45 | - username: 46 | password: cable-d 47 | - username: 48 | password: canon_admin 49 | - username: 50 | password: cc 51 | - username: 52 | password: cisco 53 | - username: 54 | password: CISCO 55 | - username: 56 | password: community 57 | - username: 58 | password: core 59 | - username: 60 | password: CR52401 61 | - username: 62 | password: debug 63 | - username: 64 | password: default 65 | - username: 66 | password: dilbert 67 | - username: 68 | password: enable 69 | - username: 70 | password: field 71 | - username: 72 | password: field-service 73 | - username: 74 | password: freekevin 75 | - username: 76 | password: fubar 77 | - username: 78 | password: guest 79 | - username: 80 | password: hello 81 | - username: 82 | password: hp_admin 83 | - username: 84 | password: ibm 85 | - username: 86 | password: IBM 87 | - username: 88 | password: ilmi 89 | - username: 90 | password: ILMI 91 | - username: 92 | password: intermec 93 | - username: 94 | password: Intermec 95 | - username: 96 | password: internal 97 | - username: 98 | password: l2 99 | - username: 100 | password: l3 101 | - username: 102 | password: manager 103 | - username: 104 | password: mngt 105 | - username: 106 | password: monitor 107 | - username: 108 | password: netman 109 | - username: 110 | password: network 111 | - username: 112 | password: NoGaH$@! 113 | - username: 114 | password: none 115 | - username: 116 | password: openview 117 | - username: 118 | password: OrigEquipMfr 119 | - username: 120 | password: pass 121 | - username: 122 | password: password 123 | - username: 124 | password: pr1v4t3 125 | - username: 126 | password: Private 127 | - username: 128 | password: PRIVATE 129 | - username: 130 | password: proxy 131 | - username: 132 | password: publ1c 133 | - username: 134 | password: public 135 | - username: 136 | password: Public 137 | - username: 138 | password: PUBLIC 139 | - username: 140 | password: read 141 | - username: 142 | password: read-only 143 | - username: 144 | password: readwrite 145 | - username: 146 | password: read-write 147 | - username: 148 | password: red 149 | - username: 150 | password: regional 151 | - username: 152 | password: rmon 153 | - username: 154 | password: rmon_admin 155 | - username: 156 | password: ro 157 | - username: 158 | password: root 159 | - username: 160 | password: router 161 | - username: 162 | password: rw 163 | - username: 164 | password: rwa 165 | - username: 166 | password: s!a@m#n$p%c 167 | - username: 168 | password: sanfran 169 | - username: 170 | password: san-fran 171 | - username: 172 | password: scotty 173 | - username: 174 | password: secret 175 | - username: 176 | password: Secret 177 | - username: 178 | password: SECRET 179 | - username: 180 | password: security 181 | - username: 182 | password: Security 183 | - username: 184 | password: SECURITY 185 | - username: 186 | password: seri 187 | - username: 188 | password: snmp 189 | - username: 190 | password: SNMP 191 | - username: 192 | password: snmpd 193 | - username: 194 | password: snmptrap 195 | - username: 196 | password: SNMP_trap 197 | - username: 198 | password: solaris 199 | - username: 200 | password: sun 201 | - username: 202 | password: SUN 203 | - username: 204 | password: superuser 205 | - username: 206 | password: switch 207 | - username: 208 | password: Switch 209 | - username: 210 | password: SWITCH 211 | - username: 212 | password: system 213 | - username: 214 | password: System 215 | - username: 216 | password: SYSTEM 217 | - username: 218 | password: tech 219 | - username: 220 | password: test 221 | - username: 222 | password: TEST 223 | - username: 224 | password: test2 225 | - username: 226 | password: tiv0li 227 | - username: 228 | password: tivoli 229 | - username: 230 | password: trap 231 | - username: 232 | password: world 233 | - username: 234 | password: write 235 | - username: 236 | password: xyzzy 237 | - username: 238 | password: yellow 239 | category: snmp 240 | default_port: 161 241 | name: SNMP 242 | contributor: ztgrace 243 | references: 244 | - https://github.com/danielmiessler/SecLists/blob/master/Miscellaneous/wordlist-common-snmp-community-strings.txt 245 | - https://github.com/rapid7/metasploit-framework/blob/master/data/wordlists/snmp_default_pass.txt 246 | -------------------------------------------------------------------------------- /creds/snmp/eon.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - username: 4 | password: EyesOfNetwork 5 | category: snmp 6 | default_port: 161 7 | name: EyesOfNetwork 8 | contributor: h4knet 9 | references: 10 | - https://www.eyesofnetwork.com/wp-content/uploads/2018/03/FR-Eon-v5-Configuration.pdf 11 | -------------------------------------------------------------------------------- /creds/snmp/public_private.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - username: 4 | password: public 5 | - username: 6 | password: private 7 | category: snmp 8 | default_port: 161 9 | name: publicprivate 10 | contributor: ztgrace 11 | -------------------------------------------------------------------------------- /creds/ssh/Modern_IE.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - username: IEUser 4 | password: D@rj33l1ng 5 | category: ssh 6 | default_port: 22 7 | name: modern.ie 8 | contributor: ztgrace 9 | references: 10 | - https://twitter.com/0rbz_/status/914171719652401152 11 | -------------------------------------------------------------------------------- /creds/ssh/antsle.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - username: root 4 | password: antsle 5 | category: ssh 6 | default_port: 22 7 | name: antsle 8 | contributor: ztgrace 9 | references: 10 | - http://docs.antsle.com/defaultpw/ 11 | -------------------------------------------------------------------------------- /creds/ssh/apple_jailbroken_device.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - username: root 4 | password: alpine 5 | - username: root 6 | password: dottie 7 | category: ssh 8 | default_port: 22 9 | name: Apple Jailbroken Device 10 | contributor: ztgrace 11 | references: 12 | - https://www.cultofmac.com/20871/how-to-change-your-iphones-default-ssh-password/ 13 | -------------------------------------------------------------------------------- /creds/ssh/att_arris.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - username: remotessh 4 | password: 5SaP9I26 5 | category: ssh 6 | default_port: 22 7 | name: AT&T Arris NVG589 & NVG599 (SharknAT&To) 8 | contributor: ztgrace 9 | references: 10 | - https://www.nomotion.net/blog/sharknatto/ 11 | -------------------------------------------------------------------------------- /creds/ssh/cisco.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - username: cisco 4 | password: cisco 5 | - username: pix 6 | password: cisco 7 | category: ssh 8 | default_port: 22 9 | name: Cisco 10 | contributor: ztgrace 11 | references: 12 | - https://www.tunnelsup.com/default-password-cisco-firewall/ 13 | -------------------------------------------------------------------------------- /creds/ssh/cisco_aironet.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - username: Cisco 4 | password: Cisco 5 | category: ssh 6 | default_port: 22 7 | name: Cisco Aironet 8 | contributor: ztgrace 9 | references: 10 | - https://www.cisco.com/c/en/us/td/docs/wireless/access_point/1300/quick/guide/br13qsg.html 11 | -------------------------------------------------------------------------------- /creds/ssh/hipchat.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - username: admin 4 | password: hipchat 5 | category: ssh 6 | default_port: 22 7 | name: HipChat Server 8 | contributor: ztgrace 9 | references: 10 | - https://confluence.atlassian.com/hipchatkb/how-to-change-the-username-and-the-ssh-password-for-the-admin-user-875608217.html 11 | -------------------------------------------------------------------------------- /creds/ssh/ibm_storwize_v7000.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - username: admin 4 | password: admin0001 5 | - username: superuser 6 | password: passw0rd 7 | - username: root 8 | password: Passw0rd 9 | category: ssh 10 | default_port: 22 11 | name: IBM Storwize V7000 Unified 12 | contributor: ztgrace 13 | references: 14 | - https://www.ibm.com/support/knowledgecenter/ST5Q4U_1.6.2/com.ibm.storwize.v7000.unified.162.doc/ifs_132_changedefaultpasswords11142011.html 15 | -------------------------------------------------------------------------------- /creds/ssh/iot.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - username: root 4 | password: 7ujMko0admin 5 | ref: http://www.cctvforum.com/viewtopic.php?t=44381 6 | - username: nasadmin 7 | password: nasadmin 8 | ref: https://community.emc.com/thread/123122?start=0&tstart=0 9 | - username: root 10 | password: ascend 11 | ref: 12 | category: ssh 13 | default_port: 22 14 | name: ssh 15 | contributor: ztgrace 16 | -------------------------------------------------------------------------------- /creds/ssh/netscreen.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - username: netscreen 4 | password: "<<< %s(un='%s') = %u" 5 | category: ssh 6 | default_port: 22 7 | name: Juniper ScreenOS/Netscreen 8 | contributor: ztgrace 9 | references: 10 | - https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10713&cat=SIRT_1&actp=LIST 11 | -------------------------------------------------------------------------------- /creds/ssh/raspberry_pi.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - username: pi 4 | password: raspberry 5 | category: ssh 6 | default_port: 22 7 | name: Raspberry Pi 8 | contributor: ztgrace 9 | -------------------------------------------------------------------------------- /creds/ssh/ssh.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - username: root 4 | password: password 5 | - username: root 6 | password: root 7 | - username: admin 8 | password: password 9 | - username: admin 10 | password: admin 11 | category: ssh 12 | default_port: 22 13 | name: ssh 14 | contributor: AlessandroZ, Joe Testa 15 | -------------------------------------------------------------------------------- /creds/ssh_key/array_networks_vxag.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - password: '-----BEGIN DSA PRIVATE KEY----- 4 | 5 | MIIBugIBAAKBgQCUw7F/vKJT2Xsq+fIPVxNC/Dyk+dN9DWQT5RO56eIQasd+h6Fm 6 | 7 | q1qtQrJ/DOe3VjfUrSm7NN5NoIGOrGCSuQFthFmq+9Lpt6WIykB4mau5iE5orbKM 8 | 9 | xTfyu8LtntoikYKrlMB+UrmKDidvZ+7oWiC14imT+Px/3Q7naj0UmOrSTwIVAO25 10 | 11 | Yf3SYNtTYv8yzaV+X9yNr/AfAoGADAcEh2bdsrDhwhXtVi1L3cFQx1KpN0B07JLr 12 | 13 | gJzJcDLUrwmlMUmrXR2obDGfVQh46EFMeo/k3IESw2zJUS58FJW+sKZ4noSwRZPq 14 | 15 | mpBnERKpLOTcWMxUyV8ETsz+9oz71YEMjmR1qvNYAopXf5Yy+4Zq3bgqmMMQyM+K 16 | 17 | O1PdlCkCgYBmhSl9CVPgVMv1xO8DAHVhM1huIIK8mNFrzMJz+JXzBx81ms1kWSeQ 18 | 19 | OC/nraaXFTBlqiQsvB8tzr4xZdbaI/QzVLKNAF5C8BJ4ScNlTIx1aZJwyMil8Nzb 20 | 21 | +0YAsw5Ja+bEZZvEVlAYnd10qRWrPeEY1txLMmX3wDa+JvJL7fmuBgIUZoXsJnzs 22 | 23 | +sqSEhA35Le2kC4Y1/A= 24 | 25 | -----END DSA PRIVATE KEY----- 26 | 27 | ' 28 | username: sync 29 | category: ssh 30 | contributor: ztgrace, hdmoore 31 | default_port: 22 32 | name: Array Networks vxAG 33 | references: 34 | - https://packetstormsecurity.com/files/125761/Array-Networks-vxAG-xAPV-Privilege-Escalation.html 35 | - https://github.com/rapid7/ssh-badkeys 36 | -------------------------------------------------------------------------------- /creds/ssh_key/barracuda_load_balancer.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - password: '----BEGIN DSA PRIVATE KEY----- 4 | 5 | MIIBuwIBAAKBgQDKuRHCBXXwoyWpMkJz/wQafaHOpqWmVYLn9GZ6eQuNLcIhtZQE 6 | 7 | kCWZTNajgf4ZAVmHgQh1JHDixJ1V0mcweti/lvyxiqHap7IkD0a+ewAOoz3OpjQZ 8 | 9 | 3ox2ovHEnQJfZ/9LNiEI3XK8TPAj6trhMn5tCdwFei6228a+TYBOccTPgwIVAKYW 10 | 11 | T8ztHHaN7Gwn0I6keQfBSNw1AoGAHYNfKAcqf7Y4wyoVoZpr/h21SETpEaksQb7h 12 | 13 | GRJnFpYN/JiyE9W8nX6UqLv1eKyOXLccAnyda0a+uqcOhsAq8+H15slZYa4+065L 14 | 15 | ckPfs0V4cpxeMHTT1hK4TR2/LRpUjhYjgXFE5aLl91f5Gug5HemUK2S0BWh/oI38 16 | 17 | k2WfNh0CgYEArsJgp7RLPOsCeLqoia/eljseBFVDazO5Q0ysUotTw9wgXGGVWREw 18 | 19 | m8wNggFNb9eCiBAAUfVZVfhVAtFT0pBf/eIVLPXyaMw3prBt7LqeBrbagODc3WAA 20 | 21 | dMTPIdYYcOKgv+YvTXa51zG64v6pQOfS8WXgKCzDl44puXfYeDk5lVQCFAPfgalL 22 | 23 | +FT93tofXMuNVfeQMLJl 24 | 25 | -----END DSA PRIVATE KEY----- 26 | 27 | ' 28 | username: cluster 29 | category: ssh 30 | contributor: ztgrace, hdmoore 31 | default_port: 8002 32 | name: Barracuda Load Balancer ADC VM 33 | references: 34 | - http://seclists.org/fulldisclosure/2015/Jan/76 35 | - https://github.com/rapid7/ssh-badkeys 36 | -------------------------------------------------------------------------------- /creds/ssh_key/ceragon-fibeair.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - password: '-----BEGIN RSA PRIVATE KEY----- 4 | 5 | MIICWwIBAAKBgQDBEh0OUdoiplc0P+XW8VPu57etz8O9eHbLHkQW27EZBEdXEYxr 6 | 7 | MOFXi+PkA0ZcNDBRgjSJmHpo5WsPLwj/L3/L5gMYK+yeqsNu48ONbbqzZsFdaBQ+ 8 | 9 | IL3dPdMDovYo7GFVyXuaWMQ4hgAJEc+kk1hUaGKcLENQf0vEyt01eA/k6QIBIwKB 10 | 11 | gQCwhZbohVm5R6AvxWRsv2KuiraQSO16B70ResHpA2AW31crCLrlqQiKjoc23mw3 12 | 13 | CyTcztDy1I0stH8j0zts+DpSbYZnWKSb5hxhl/w96yNYPUJaTatgcPB46xOBDsgv 14 | 15 | 4Lf4GGt3gsQFvuTUArIf6MCJiUn4AQA9Q96QyCH/g4mdiwJBAPHdYgTDiQcpUAbY 16 | 17 | SanIpq7XFeKXBPgRbAN57fTwzWVDyFHwvVUrpqc+SSwfzhsaNpE3IpLD9RqOyEr6 18 | 19 | B8YrC2UCQQDMWrUeNQsf6xQer2AKw2Q06bTAicetJWz5O8CF2mcpVFYc1VJMkiuV 20 | 21 | 93gCvQORq4dpApJYZxhigY4k/f46BlU1AkAbpEW3Zs3U7sdRPUo/SiGtlOyO7LAc 22 | 23 | WcMzmOf+vG8+xesCDOJwIj7uisaIsy1/cLXHdAPzhBwDCQDyoDtnGty7AkEAnaUP 24 | 25 | YHIP5Ww0F6vcYBMSybuaEN9Q5KfXuPOUhIPpLoLjWBJGzVrRKou0WeJElPIJX6Ll 26 | 27 | 7GzJqxN8SGwqhIiK3wJAOQ2Hm068EicG5WQoS+8+KIE/SVHWmFDvet+f1vgDchvT 28 | 29 | uPa5zx2eZ2rxP1pXHAdBSgh799hCF60eZZtlWnNqLg== 30 | 31 | -----END RSA PRIVATE KEY----- 32 | 33 | ' 34 | username: mateidu 35 | category: ssh 36 | contributor: ztgrace, hdmoore 37 | default_port: 22 38 | name: Ceragon FibeAir IP-10 39 | references: 40 | - https://gist.github.com/todb-r7/5d86ecc8118f9eeecc15 41 | - https://github.com/rapid7/ssh-badkeys/ 42 | -------------------------------------------------------------------------------- /creds/ssh_key/exagrid.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - password: '-----BEGIN RSA PRIVATE KEY----- 4 | 5 | MIICWAIBAAKBgGdlD7qeGU9f8mdfmLmFemWMnz1tKeeuxKznWFI+6gkaagqjAF10 6 | 7 | hIruzXQAik7TEBYZyvw9SvYU6MQFsMeqVHGhcXQ5yaz3G/eqX0RhRDn5T4zoHKZa 8 | 9 | E1MU86zqAUdSXwHDe3pz5JEoGl9EUHTLMGP13T3eBJ19MAWjP7Iuji9HAgElAoGA 10 | 11 | GSZrnBieX2pdjsQ55/AJA/HF3oJWTRysYWi0nmJUmm41eDV8oRxXl2qFAIqCgeBQ 12 | 13 | BWA4SzGA77/ll3cBfKzkG1Q3OiVG/YJPOYLp7127zh337hhHZyzTiSjMPFVcanrg 14 | 15 | AciYw3X0z2GP9ymWGOnIbOsucdhnbHPuSORASPOUOn0CQQC07Acq53rf3iQIkJ9Y 16 | 17 | iYZd6xnZeZugaX51gQzKgN1QJ1y2sfTfLV6AwsPnieo7+vw2yk+Hl1i5uG9+XkTs 18 | 19 | Ry45AkEAkk0MPL5YxqLKwH6wh2FHytr1jmENOkQu97k2TsuX0CzzDQApIY/eFkCj 20 | 21 | QAgkI282MRsaTosxkYeG7ErsA5BJfwJAMOXYbHXp26PSYy4BjYzz4ggwf/dafmGz 22 | 23 | ebQs+HXa8xGOreroPFFzfL8Eg8Ro0fDOi1lF7Ut/w330nrGxw1GCHQJAYtodBnLG 24 | 25 | XLMvDHFG2AN1spPyBkGTUOH2OK2TZawoTmOPd3ymK28LriuskwxrceNb96qHZYCk 26 | 27 | 86DC8q8p2OTzYwJANXzRM0SGTqSDMnnid7PGlivaQqfpPOx8MiFR/cGr2dT1HD7y 28 | 29 | x6f/85mMeTqamSxjTJqALHeKPYWyzeSnUrp+Eg== 30 | 31 | -----END RSA PRIVATE KEY----- 32 | 33 | ' 34 | username: root 35 | category: ssh 36 | contributor: ztgrace 37 | default_port: 22 38 | name: Exagrid 39 | references: 40 | - https://community.rapid7.com/community/infosec/blog/2016/04/07/r7-2016-04-exagrid-backdoor-ssh-keys-and-hardcoded-credentials 41 | -------------------------------------------------------------------------------- /creds/ssh_key/f5_big-ip.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - password: '-----BEGIN RSA PRIVATE KEY----- 4 | 5 | MIICWgIBAAKBgQC8iELmyRPPHIeJ//uLLfKHG4rr84HXeGM+quySiCRgWtxbw4rh 6 | 7 | UlP7n4XHvB3ixAKdWfys2pqHD/Hqx9w4wMj9e+fjIpTi3xOdh/YylRWvid3Pf0vk 8 | 9 | OzWftKLWbay5Q3FZsq/nwjz40yGW3YhOtpK5NTQ0bKZY5zz4s2L4wdd0uQIBIwKB 10 | 11 | gBWL6mOEsc6G6uszMrDSDRbBUbSQ26OYuuKXMPrNuwOynNdJjDcCGDoDmkK2adDF 12 | 13 | 8auVQXLXJ5poOOeh0AZ8br2vnk3hZd9mnF+uyDB3PO/tqpXOrpzSyuITy5LJZBBv 14 | 15 | 7r7kqhyBs0vuSdL/D+i1DHYf0nv2Ps4aspoBVumuQid7AkEA+tD3RDashPmoQJvM 16 | 17 | 2oWS7PO6ljUVXszuhHdUOaFtx60ZOg0OVwnh+NBbbszGpsOwwEE+OqrKMTZjYg3s 18 | 19 | 37+x/wJBAMBtwmoi05hBsA4Cvac66T1Vdhie8qf5dwL2PdHfu6hbOifSX/xSPnVL 20 | 21 | RTbwU9+h/t6BOYdWA0xr0cWcjy1U6UcCQQDBfKF9w8bqPO+CTE2SoY6ZiNHEVNX4 22 | 23 | rLf/ycShfIfjLcMA5YAXQiNZisow5xznC/1hHGM0kmF2a8kCf8VcJio5AkBi9p5/ 24 | 25 | uiOtY5xe+hhkofRLbce05AfEGeVvPM9V/gi8+7eCMa209xjOm70yMnRHIBys8gBU 26 | 27 | Ot0f/O+KM0JR0+WvAkAskPvTXevY5wkp5mYXMBlUqEd7R3vGBV/qp4BldW5l0N4G 28 | 29 | LesWvIh6+moTbFuPRoQnGO2P6D7Q5sPPqgqyefZS 30 | 31 | -----END RSA PRIVATE KEY----- 32 | 33 | ' 34 | username: root 35 | category: ssh 36 | contributor: ztgrace 37 | default_port: 22 38 | name: F5 BIG-IP 39 | references: 40 | - https://www.trustmatta.com/advisories/MATTA-2012-002.txt 41 | - https://www.trustedsec.com/june-2012/remote-root-authentication-bypass-for-f5-big-ip/ 42 | -------------------------------------------------------------------------------- /creds/ssh_key/loadbalancer.org_enterprise_va.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - password: '-----BEGIN DSA PRIVATE KEY----- 4 | 5 | MIIBugIBAAKBgQCsCgcOw+DgNR/7g+IbXYdOEwSB3W0o3l1Ep1ibHHvAtLb6AdNW 6 | 7 | Gq47/UxY/rX3g2FVrVCtQwNSZMqkrqALQwDScxeCOiLMndCj61t3RxU3IOl5c/Hd 8 | 9 | yhGh6JGPdzTpgf8VhJIZnvG+0NFNomYntqYFm0y11dBQPpYbJE7Tx1t/lQIVANHJ 10 | 11 | rJSVVkpcTB4XdtR7TfO317xVAoGABDytZN2OhKwGyJfenZ1Ap2Y7lkO8V8tOtqX+ 12 | 13 | t0LkViOi2ErHJt39aRJJ1lDRa/3q0NNqZH4tnj/bh5dUyNapflJiV94N3637LCzW 14 | 15 | cFlwFtJvD22Nx2UrPn+YXrzN7mt9qZyg5m0NlqbyjcsnCh4vNYUiNeMTHHW5SaJY 16 | 17 | TeYmPP8CgYAjEe5+0m/TlBtVkqQbUit+s/g+eB+PFQ+raaQdL1uztW3etntXAPH1 18 | 19 | MjxsAC/vthWYSTYXORkDFMhrO5ssE2rfg9io0NDyTIZt+VRQMGdi++dH8ptU+ldl 20 | 21 | 2ZejLFdTJFwFgcfXz+iQ1mx6h9TPX1crE1KoMAVOj3yKVfKpLB1EkAIUCsG3dIJH 22 | 23 | SzmJVCWFyVuuANR2Bnc= 24 | 25 | -----END DSA PRIVATE KEY----- 26 | 27 | ' 28 | username: root 29 | category: ssh 30 | contributor: ztgrace, hdmoore 31 | default_port: 22 32 | name: Loadbalancer.org Enterprise VA 33 | references: 34 | - http://packetstormsecurity.com/files/125754/Loadbalancer.org-Enterprise-VA-7.5.2-Static-SSH-Key.html 35 | - https://github.com/rapid7/ssh-badkeys/ 36 | -------------------------------------------------------------------------------- /creds/ssh_key/monroe_electronics_r189.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - password: '-----BEGIN DSA PRIVATE KEY----- 4 | 5 | MIIBuwIBAAKBgQDdwCE68iTEMjimYwJMvpkP/KThyJbuKvKc5kdKqLSmi5tssnuW 6 | 7 | tD2NqzmkEQM4uxD4XgV26k2/GvE6x4RlyOT+xlB2iYaOR4RJ8PuU8ALz+9i+y3D8 8 | 9 | MTMY/6y3Ef41frizLFXiVVo8CXFL/N8sz16FYytIayJvkSy3rkzPoE8pRwIVAPmA 10 | 11 | F1excCJPPVq3MyDfEMUXXOWjAoGAJS8ukwjJTgTNCHD7Lz//WxIw49DPGGWs3are 12 | 13 | GpjtiGjVD2Lff7CLCzkH8SI/JsgytUzqfDckSXqe1eWiAhuH90Pl5LZZi83Vp97I 14 | 15 | 721riAF3taKYxtk+vWIcXx2a/Fp+z+LaQoMqjOLh5lCq35wc0EPb5FFFrGaFFzNm 16 | 17 | e71F1X0CgYAU6eNlphQWDwx0KOBiiYhF9BM6kDbQlyw8333rAG3G4CcjI2G8eYGt 18 | 19 | pBNliaD185UjCEsjPiudhGil/j4Zt/+VY3aGOLoi8kqXBBc8ZAML9bbkXpyhQhMg 20 | 21 | wiywx3ciFmvSn2UAin8yurStYPQxtXauZN5PYbdwCHPS7ApIStdpMAIVAJ+eePIA 22 | 23 | Azb0ux287wRfcfdbjlDM 24 | 25 | -----END DSA PRIVATE KEY----- 26 | 27 | ' 28 | username: root 29 | category: ssh 30 | contributor: ztgrace, hdmoore 31 | default_port: 22 32 | name: Monroe Electronics R189 One-Net 33 | references: 34 | - https://www.kb.cert.org/vuls/id/662676 35 | - https://github.com/rapid7/ssh-badkeys/ 36 | -------------------------------------------------------------------------------- /creds/ssh_key/quantum-dxi-v1000.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - password: '-----BEGIN DSA PRIVATE KEY----- 4 | 5 | MIIBugIBAAKBgQCEgBNwgF+IbMU8NHUXNIMfJ0ONa91ZI/TphuixnilkZqcuwur2 6 | 7 | hMbrqY8Yne+n3eGkuepQlBBKEZSd8xPd6qCvWnCOhBqhkBS7g2dH6jMkUl/opX/t 8 | 9 | Rw6P00crq2oIMafR4/SzKWVW6RQEzJtPnfV7O3i5miY7jLKMDZTn/DRXRwIVALB2 10 | 11 | +o4CRHpCG6IBqlD/2JW5HRQBAoGAaSzKOHYUnlpAoX7+ufViz37cUa1/x0fGDA/4 12 | 13 | 6mt0eD7FTNoOnUNdfdZx7oLXVe7mjHjqjif0EVnmDPlGME9GYMdi6r4FUozQ33Y5 14 | 15 | PmUWPMd0phMRYutpihaExkjgl33AH7mp42qBfrHqZ2oi1HfkqCUoRmB6KkdkFosr 16 | 17 | E0apJ5cCgYBLEgYmr9XCSqjENFDVQPFELYKT7Zs9J87PjPS1AP0qF1OoRGZ5mefK 18 | 19 | 6X/6VivPAUWmmmev/BuAs8M1HtfGeGGzMzDIiU/WZQ3bScLB1Ykrcjk7TOFD6xrn 20 | 21 | k/inYAp5l29hjidoAONcXoHmUAMYOKqn63Q2AsDpExVcmfj99/BlpQIUYS6Hs70u 22 | 23 | B3Upsx556K/iZPPnJZE= 24 | 25 | -----END DSA PRIVATE KEY----- 26 | 27 | ' 28 | username: root 29 | category: ssh 30 | contributor: ztgrace, hdmoore 31 | default_port: 22 32 | name: Quantum DXi V1000 33 | references: 34 | - https://packetstormsecurity.com/files/125755/quantum-root.txt 35 | - https://github.com/rapid7/ssh-badkeys/ 36 | -------------------------------------------------------------------------------- /creds/ssh_key/vagrant.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - password: '-----BEGIN RSA PRIVATE KEY----- 4 | 5 | MIIEogIBAAKCAQEA6NF8iallvQVp22WDkTkyrtvp9eWW6A8YVr+kz4TjGYe7gHzI 6 | 7 | w+niNltGEFHzD8+v1I2YJ6oXevct1YeS0o9HZyN1Q9qgCgzUFtdOKLv6IedplqoP 8 | 9 | kcmF0aYet2PkEDo3MlTBckFXPITAMzF8dJSIFo9D8HfdOV0IAdx4O7PtixWKn5y2 10 | 11 | hMNG0zQPyUecp4pzC6kivAIhyfHilFR61RGL+GPXQ2MWZWFYbAGjyiYJnAmCP3NO 12 | 13 | Td0jMZEnDkbUvxhMmBYSdETk1rRgm+R4LOzFUGaHqHDLKLX+FIPKcF96hrucXzcW 14 | 15 | yLbIbEgE98OHlnVYCzRdK8jlqm8tehUc9c9WhQIBIwKCAQEA4iqWPJXtzZA68mKd 16 | 17 | ELs4jJsdyky+ewdZeNds5tjcnHU5zUYE25K+ffJED9qUWICcLZDc81TGWjHyAqD1 18 | 19 | Bw7XpgUwFgeUJwUlzQurAv+/ySnxiwuaGJfhFM1CaQHzfXphgVml+fZUvnJUTvzf 20 | 21 | TK2Lg6EdbUE9TarUlBf/xPfuEhMSlIE5keb/Zz3/LUlRg8yDqz5w+QWVJ4utnKnK 22 | 23 | iqwZN0mwpwU7YSyJhlT4YV1F3n4YjLswM5wJs2oqm0jssQu/BT0tyEXNDYBLEF4A 24 | 25 | sClaWuSJ2kjq7KhrrYXzagqhnSei9ODYFShJu8UWVec3Ihb5ZXlzO6vdNQ1J9Xsf 26 | 27 | 4m+2ywKBgQD6qFxx/Rv9CNN96l/4rb14HKirC2o/orApiHmHDsURs5rUKDx0f9iP 28 | 29 | cXN7S1uePXuJRK/5hsubaOCx3Owd2u9gD6Oq0CsMkE4CUSiJcYrMANtx54cGH7Rk 30 | 31 | EjFZxK8xAv1ldELEyxrFqkbE4BKd8QOt414qjvTGyAK+OLD3M2QdCQKBgQDtx8pN 32 | 33 | CAxR7yhHbIWT1AH66+XWN8bXq7l3RO/ukeaci98JfkbkxURZhtxV/HHuvUhnPLdX 34 | 35 | 3TwygPBYZFNo4pzVEhzWoTtnEtrFueKxyc3+LjZpuo+mBlQ6ORtfgkr9gBVphXZG 36 | 37 | YEzkCD3lVdl8L4cw9BVpKrJCs1c5taGjDgdInQKBgHm/fVvv96bJxc9x1tffXAcj 38 | 39 | 3OVdUN0UgXNCSaf/3A/phbeBQe9xS+3mpc4r6qvx+iy69mNBeNZ0xOitIjpjBo2+ 40 | 41 | dBEjSBwLk5q5tJqHmy/jKMJL4n9ROlx93XS+njxgibTvU6Fp9w+NOFD/HvxB3Tcz 42 | 43 | 6+jJF85D5BNAG3DBMKBjAoGBAOAxZvgsKN+JuENXsST7F89Tck2iTcQIT8g5rwWC 44 | 45 | P9Vt74yboe2kDT531w8+egz7nAmRBKNM751U/95P9t88EDacDI/Z2OwnuFQHCPDF 46 | 47 | llYOUI+SpLJ6/vURRbHSnnn8a/XG+nzedGH5JGqEJNQsz+xT2axM0/W/CRknmGaJ 48 | 49 | kda/AoGANWrLCz708y7VYgAtW2Uf1DPOIYMdvo6fxIB5i9ZfISgcJ/bbCUkFrhoH 50 | 51 | +vq/5CIWxCPp0f85R4qxxQ5ihxJ0YDQT9Jpx4TMss4PSavPaBH3RXow5Ohe+bYoQ 52 | 53 | NE5OgEXk2wVfZczCZpigBKbKZHNYcelXtTt/nP3rsCuGcM4h53s= 54 | 55 | -----END RSA PRIVATE KEY----- 56 | 57 | ' 58 | username: vagrant 59 | category: ssh 60 | contributor: ztgrace 61 | default_port: 22 62 | name: Vagrant SSH 63 | references: 64 | - https://raw.githubusercontent.com/mitchellh/vagrant/master/keys/vagrant 65 | -------------------------------------------------------------------------------- /creds/telnet/american_dynamics.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - username: admin 4 | password: 9999 5 | category: telnet 6 | default_port: 23 7 | name: American Dynamics EDVR 8 | contributor: ztgrace 9 | references: 10 | - http://www.americandynamics.net/support/Download/edvr_downloads/8200-0841-00%20A0%20(BK_EDVR_QSG).pdf 11 | -------------------------------------------------------------------------------- /creds/telnet/dahua.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - username: root 4 | password: 7ujMko0admin 5 | - username: admin 6 | password: 7ujMko0admin 7 | - username: root 8 | password: vizxv 9 | category: telnet 10 | default_port: 23 11 | name: Duhua 12 | contributor: ztgrace 13 | references: 14 | - http://www.cctvforum.com/viewtopic.php?t=44381 15 | -------------------------------------------------------------------------------- /creds/telnet/netscreen.yml: -------------------------------------------------------------------------------- 1 | auth: 2 | credentials: 3 | - username: netscreen 4 | password: "<<< %s(un='%s') = %u" 5 | category: telnet 6 | default_port: 23 7 | name: Juniper ScreenOS/Netscreen 8 | contributor: ztgrace 9 | references: 10 | - https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10713&cat=SIRT_1&actp=LIST 11 | -------------------------------------------------------------------------------- /creds/telnet/telnet.yml: -------------------------------------------------------------------------------- 1 | # Mirai botnet credentials from: https://github.com/securing/mirai_credentials/blob/master/mirai_creds.txt 2 | auth: 3 | credentials: 4 | - username: root 5 | password: password 6 | - username: root 7 | password: root 8 | - username: root 9 | password: xc3511 10 | - username: root 11 | password: vizxv 12 | - username: root 13 | password: admin 14 | - username: admin 15 | password: admin 16 | - username: root 17 | password: 888888 18 | - username: root 19 | password: xmhdipc 20 | - username: root 21 | password: default 22 | - username: root 23 | password: juantech 24 | - username: root 25 | password: 123456 26 | - username: root 27 | password: 54321 28 | - username: support 29 | password: support 30 | - username: root 31 | password: 32 | - username: admin 33 | password: password 34 | - username: root 35 | password: 12345 36 | - username: user 37 | password: user 38 | - username: admin 39 | password: 40 | - username: root 41 | password: pass 42 | - username: admin 43 | password: admin1234 44 | - username: root 45 | password: 1111 46 | - username: admin 47 | password: smcadmin 48 | - username: admin 49 | password: 1111 50 | - username: root 51 | password: 666666 52 | - username: root 53 | password: 1234 54 | - username: root 55 | password: klv123 56 | - username: Administrator 57 | password: admin 58 | - username: service 59 | password: service 60 | - username: supervisor 61 | password: supervisor 62 | - username: guest 63 | password: guest 64 | - username: guest 65 | password: 12345 66 | - username: guest 67 | password: 12345 68 | - username: admin1 69 | password: password 70 | - username: administrator 71 | password: 1234 72 | - username: 666666 73 | password: 666666 74 | - username: 888888 75 | password: 888888 76 | - username: ubnt 77 | password: ubnt 78 | - username: root 79 | password: klv1234 80 | - username: root 81 | password: Zte521 82 | - username: root 83 | password: hi3518 84 | - username: root 85 | password: jvbzd 86 | - username: root 87 | password: anko 88 | - username: root 89 | password: zlxx. 90 | - username: root 91 | password: 7ujMko0vizxv 92 | - username: root 93 | password: 7ujMko0admin 94 | - username: root 95 | password: system 96 | - username: root 97 | password: ikwb 98 | - username: root 99 | password: dreambox 100 | - username: root 101 | password: user 102 | - username: root 103 | password: realtek 104 | - username: root 105 | password: 00000000 106 | - username: admin 107 | password: 1111111 108 | - username: admin 109 | password: 1234 110 | - username: admin 111 | password: 12345 112 | - username: admin 113 | password: 54321 114 | - username: admin 115 | password: 123456 116 | - username: admin 117 | password: 7ujMko0admin 118 | - username: admin 119 | password: 1234 120 | - username: admin 121 | password: pass 122 | - username: admin 123 | password: meinsm 124 | - username: tech 125 | password: tech 126 | - username: mother 127 | password: fucker 128 | blockingio_timeout: 3 129 | telnet_read_timeout: 1 130 | category: telnet 131 | default_port: 23 132 | name: telnet 133 | contributor: AlessandroZ, decidedlygray 134 | -------------------------------------------------------------------------------- /dev-requirements.txt: -------------------------------------------------------------------------------- 1 | coverage 2 | mock 3 | mock-ssh-server 4 | nose 5 | responses==0.7.0 6 | -------------------------------------------------------------------------------- /requirements.txt: -------------------------------------------------------------------------------- 1 | cerberus 2 | jinja2 3 | logutils 4 | lxml 5 | netaddr 6 | nose 7 | paramiko 8 | psycopg2 9 | pymongo 10 | pyodbc 11 | pysnmp 12 | python-libnmap 13 | python-memcached 14 | pyyaml 15 | redis 16 | requests 17 | selenium 18 | shodan 19 | sqlalchemy 20 | tabulate 21 | --------------------------------------------------------------------------------