DPE Announcement

SSA Team
Dear all,

We have just launched a new Enumeration Project with the hope it will be
useful. We rely on the "philosophy" spread by all the *.mitre.org
projects.

It can then be used along with software that integrates standards as well
as OVAL, SCAP or others.

-----------------

DPE is the security-database naming scheme that provides structured
enumeration of default logons and passwords of network devices,
applications and Operating Systems.

The main goal is to increase the "password auditing scanners"
interoperability potential.
Any kind of tool integrating the XML DPE scheme will be able to identify
and report default access configurations on specific devices, software or
operating systems.

Taking into account the benefits of SecurityMetrics standards principles,
DPE integrates the CPE naming scheme (cpe.mitre.org) to describe
information technology systems, platforms and packages.

DPE provides the default usernames and passwords information for the
following :

- Operating Systems : Unix, Linux, Windows, iSeries AS/400 ...
- Network devices : Routers, firewalls, switches, printers
- Databases : Oracle, MySQL, MS SQL and more
- Web applications : WebSphere, Apache ...
- Administrative Web Based solutions
- Telephony devices and SIP systems
- Other: specific appliances.

WHY DPE ?
During a security evaluation process, auditors do not have a fast and
simple way to identify at a glance the default access parameters of
a targeted device.
In fact, most of them use a simple bruteforce utility to try every couple
of logons and passwords. On the one hand, this could be a time-consuming stage
and on the other it may cause indirect denial of service (account
lockouts, IP banning, alarms being raised ...)

Security-Database solves the problem by creating the DPE (Default Password
Enumeration).
Now every piece of software that integrates the DPE scheme along with the
latest password database can test the appropriate default logon/password.

EXAMPLES OF USE

Manually testing usernames/passwords from security-database.com/dpe.php
Using automated XML / XSD parser software to read and test default
entries. Note that the software should be able to handle the protocol
communications (HTTP, HTTPS, SNMP, SSH, TELNET, FTP...)

BENEFITS OF THE DPE EFFORT

Unifying the password database information.
Standardization of default access testing.
Reducing the process of password testing.
Minimizing the risks of lockouts and denial of service during the security
assessment.


The usernames (logins) / passwords database is in the process of being
compiled. It will be available in our DPE repository.

Here is a link to the DPE schemas and a snapshot
(http://www.security-database.com/dpe.php)

Please feel free to send us your comments and suggestions.

Best Regards

Security-Database.com Team
www.security-database.com
