Vulnerability Development mailing list archives
Release of the Default Account Database v4.00
From: "Eric Knight" <eric () swordsoft com>
Date: Fri, 31 Oct 2003 10:32:20 -0700
Greetings to the VULN-DEV Community: (Happy Halloween!)

I've gone ahead and updated the Default Password Database to version 4.0. The previous release was way too old and, after looking around the net for a bit, I have to admit the problem remains out of control and someone needed to reconsolidate the independent lists. Most were based on the original DAD, so it was fairly easy to recombine them. The DAD went from 850 entries to about 1,650 -- nearly doubled in size. Also, I did my best to standardize, clean redundancies, and keep quality control in check. It's a long process; 4.0.0 does need to have several entries examined for additional details.

It can be downloaded at (Excel, CSV, and HTML format):

http://www.swordsoft.com/publications (main site)
http://63.230.73.253/publications (backup site)

The main site always goes down once I release anything no matter how minor, and I'm sure it's just really, really rotten luck since I'm not the only site hosted there. The backup site is more stable, but has a slower connection and sometimes gets swamped. One or the other should work if luck holds out.

If I may open up a bit of a discussion here regarding default passwords and the DAD...

First of all, it's clear this problem isn't just "not going away", but it's escalating. I don't feel I came anywhere -close- to collecting all the passwords from public sources at this time. When I originally made the list, I was really trying to squeeze the network for all its available resources, but now it's just plain ugly. I don't even want to wager a guess at how many managed network devices and appliances exist in the "wild", but with the focus change to appliance technology this problem has really opened up. I've also noticed a trend in the increase of devices that function "plug-and-play" with no requirement at all to even change the password, such as wireless broadband routers.

Second, the DAD list doesn't contain many web-script/app default passwords even though there are incredible numbers of them. I'm going to try my best to hunt for these and accumulate as many as I can; all assistance with ones people are familiar with would be GREATLY APPRECIATED. I believe that the problem with default passwords on WWW components may possibly be the largest problem because there are so many amateur webmasters out there that are installing software largely without supervision, training, or experience. It seems like this would be of the most value to the pen-test community where the DAD is currently lacking. A single web server may have several, dozens, or even hundreds of web services on it compared to a single device.

Third, I couldn't help noticing that the size of the DAD is going to reach tree-killer status and is slowly moving away from the intention that it could be used for automation or quick reference. I'm considering breaking everything into sub-categories such as PBX, Network Device, Web Service, Operating System, etc. New column or new tables? Good idea or bad idea? Or is the flat list working fine? Any thoughts?

Take it easy,
Eric Knight
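The post raises two maintenance points about a list like the DAD: cleaning redundancies, and whether to split it into per-category tables or keep one flat list. The script below is an added example, not code from the DAD or its author, showing one way a defender maintaining such a reference for auditing their own inventory would handle both: normalise and de-duplicate a flat CSV, then build a category index over the single table (the "new column" option) so it can still be sliced for quick reference. The column layout (vendor, product, category, username, password) and every record in SAMPLE_CSV are constructed placeholders, not entries from any real database.

```python
"""Normalise, de-duplicate and categorise a flat default-account list.

Added example, not part of the DAD or its release. The CSV layout and every
record below are constructed placeholders, not real defaults for any product.
"""
import csv
import io
from collections import defaultdict

# Constructed sample: deliberately contains a case/whitespace duplicate
# (rows 1 and 2) to exercise the de-duplication step.
SAMPLE_CSV = """vendor,product,category,username,password
ExampleCorp,RouterX,Network Device,admin,EXAMPLE-ONLY
examplecorp , RouterX ,network device,Admin,EXAMPLE-ONLY
ExampleCorp,SwitchY,Network Device,admin,PLACEHOLDER
ExampleSoft,WebPortal,Web Service,webmaster,PLACEHOLDER
ExamplePBX,Model9,PBX,operator,PLACEHOLDER
"""

FIELDS = ("vendor", "product", "category", "username", "password")


def normalise(row):
    """Trim whitespace and fold case on every field except the password,
    which may be case-sensitive on the product it belongs to."""
    out = {}
    for key in FIELDS:
        value = (row.get(key) or "").strip()
        if key != "password":
            value = value.lower()
        out[key] = value
    return out


def load_entries(text):
    """Parse CSV text into normalised entries, dropping exact duplicates
    (after normalisation) while keeping first-seen order."""
    seen = set()
    entries = []
    for row in csv.DictReader(io.StringIO(text)):
        entry = normalise(row)
        key = tuple(entry[k] for k in FIELDS)
        if key in seen:
            continue
        seen.add(key)
        entries.append(entry)
    return entries


def index_by_category(entries):
    """One flat table plus a category index: keeps a single file for
    automation while still allowing per-category views (PBX, Web Service...)."""
    index = defaultdict(list)
    for entry in entries:
        index[entry["category"]].append(entry)
    return dict(index)


def lookup(entries, vendor, product=None):
    """Quick-reference query for an inventory audit: which shipped accounts
    on this vendor/product should already have been changed?"""
    vendor = vendor.strip().lower()
    product = product.strip().lower() if product else None
    return [e for e in entries
            if e["vendor"] == vendor and (product is None or e["product"] == product)]


if __name__ == "__main__":
    entries = load_entries(SAMPLE_CSV)
    print(f"{len(entries)} unique entries")
    for category, rows in sorted(index_by_category(entries).items()):
        print(f"  {category}: {len(rows)}")
    for e in lookup(entries, "ExampleCorp", "RouterX"):
        print("RouterX shipped account:", e["username"])
```

Keeping a category column in the one table, rather than separate tables per category, means a downstream audit tool parses a single file and filters, while a human reader can still get the per-category slice the post asks about.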