Nmap Development mailing list archives

Re: Replacing usernames.lst?


From: David Fifield <david () bamsoftware com>
Date: Mon, 22 Mar 2010 13:19:09 -0600

On Mon, Mar 22, 2010 at 01:44:42PM -0500, Ron wrote:
This is a cool project that tracks ssh bruteforcing:
http://0au.de/projects/ssh-failures/

According to his stats, the top 10 usernames people attempt are:
#     User
---------------
50604 root
1798  admin
1243  test
944   nagios
634   a
626   user
620   guest
574   oracle
403   temp
393   ts

Obviously, the bruteforcers don't know much that we don't know, but their list is likely better than ours (although they do overlap significantly):
root
admin
administrator
webadmin
sysadmin
netadmin
guest
user
web
test

I'd definitely keep "administrator" from our list. "nagios" and
"oracle" are probably promising. 

We've been talking about having (at least) two lists. One would contain
only likely default names like "admin", "root", "guest", "web". The
other would have names people are likely to choose for themselves, like
email addresses or user IDs. Some scripts that run against systems like
databases and routers expect them to have only a few, root-like users,
and would use the first list. A script like http-userdir-enum that's
looking for user home directories would use the second list.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
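
A defender-side illustration of how a per-username tally like the one quoted in the message can be produced from a host's own sshd log. This is an added example, not part of the original message and not code from the linked project or from Nmap. The log lines are constructed, and the OpenSSH "Failed password" line format and the function names are assumptions.

```python
import re
from collections import Counter

# Constructed sample of OpenSSH sshd log lines (documentation IP ranges).
SAMPLE_LOG = """\
Mar 22 13:01:02 host sshd[2101]: Failed password for root from 192.0.2.10 port 40022 ssh2
Mar 22 13:01:05 host sshd[2101]: Failed password for root from 192.0.2.10 port 40022 ssh2
Mar 22 13:01:09 host sshd[2107]: Invalid user nagios from 192.0.2.10
Mar 22 13:01:11 host sshd[2107]: Failed password for invalid user nagios from 192.0.2.10 port 40031 ssh2
Mar 22 13:02:40 host sshd[2133]: Failed password for invalid user oracle from 198.51.100.7 port 51515 ssh2
Mar 22 13:02:44 host sshd[2140]: Accepted password for alice from 203.0.113.5 port 50111 ssh2
Mar 22 13:03:01 host sshd[2151]: Failed password for admin from 198.51.100.7 port 51600 ssh2
Mar 22 13:03:09 host sshd[2151]: Failed password for invalid user a from 198.51.100.7 port 51602 ssh2
Mar 22 13:03:12 host sshd[2151]: Failed password for invalid user web admin from 198.51.100.7 port 51603 ssh2
"""

# The username is attacker-controlled and may contain spaces, so match it
# greedily and anchor on the fixed " from <ip> port <n> ssh2" tail.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?"
    r"(?P<user>.*) from (?P<ip>\S+) port \d+ ssh2$"
)

def tally_failures(log_text):
    """Return (existing, nonexistent) Counters of attempted usernames."""
    existing, nonexistent = Counter(), Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue  # also skips "Invalid user" lines, avoiding double counts
        # sshd marks names with no local account as "invalid user".
        (nonexistent if m["invalid"] else existing)[m["user"]] += 1
    return existing, nonexistent

def report(log_text, top=10):
    """Rows of (count, username, status), most-attempted first."""
    existing, nonexistent = tally_failures(log_text)
    rows = [(n, u, "exists") for u, n in existing.items()]
    rows += [(n, u, "no such account") for u, n in nonexistent.items()]
    rows.sort(key=lambda r: (-r[0], r[1]))
    return rows[:top]

if __name__ == "__main__":
    for count, user, status in report(SAMPLE_LOG):
        print(f"{count:<6}{user:<12}{status}")
```

Names reported as "exists" are the ones where a guessed password could actually succeed, so they are the first candidates for disabling password login or renaming.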

