November 1st, 2014

Depant your network

MRL has a new tool we’re releasing that will check your network for services with default passwords. The tool is called depant ((DE)fault (PA)ssword (N)etwork (T)ool). Depant works by downloading a default password list, and then mapping out the local network to see what open services are available. Once it has a list of services, it will test each service for default passwords. Once it’s gone through each of the services, depant will determine the fastest service (as recorded in phase one) and use it to perform an optional second phase of tests with a larger (user-supplied) set of default users/passwords.

By default depant has a list of “safe” services to test. These are tested services that hydra seems to work well with. Currently it’s a small list, as depant (and hydra) needs to be tested against more networks to see which services are good defaults to test for. Alternatively, a user can specify ‘-A’ to scan all ports that hydra knows services for. You can also specify only certain ports with ‘-o’ (it supports ranges and comma-separated lists). If any errors arise from running with extra services, please try to run depant with the ‘-d’ flag (debug), and send us the output.

User/Password combinations can be entered in one of two ways, either with separate files for usernames and passwords (this will test every combination of username/passwords), or with a “combined” file that has entries formatted like “username:password”. ‘-u’, and ‘-p’ (or ‘-U’, and ‘-P’ for the second phase) specify the individual username/password files, and ‘-c’ (or ‘-C’ for the second phase) specifies a “combined” username:password file. Only one of these methods is intended to be used at one time.
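To make the two input conventions above concrete, here is an added Python example (not depant’s own code) that handles a ‘-o’ style port spec such as 21,22,137-139 and builds the candidate user/password pairs either from a “combined” username:password file or from separate username and password lists, enforcing that only one method is used at a time. The function names and the sample lists are assumptions constructed for the example; one choice worth noting is that a combined entry is split on the first colon, so a password may itself contain a colon.

```python
"""Input handling for a depant-style default-password audit.

Added example, not depant's own code. It mirrors the -o port spec
(comma-separated values and ranges) and the two credential input modes
(-c combined file vs. -u/-p separate lists). Function names are assumptions.
"""
import itertools
from typing import Iterable, List, Optional, Tuple

# Constructed sample inputs (depant reads these from files on disk).
COMBINED_LIST = """\
admin:admin
root:

guest:pass:word
"""
USER_LIST = "admin\nroot\n"
PASS_LIST = "admin\npassword\n"


def parse_port_spec(spec: str) -> List[int]:
    """Expand '21,22,137-139' into a sorted, de-duplicated port list."""
    ports = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if "-" in item:
            lo_s, hi_s = item.split("-", 1)
            lo, hi = int(lo_s), int(hi_s)
            if lo > hi:
                raise ValueError(f"reversed range: {item}")
            candidates = range(lo, hi + 1)
        else:
            candidates = range(int(item), int(item) + 1)
        for port in candidates:
            if not 1 <= port <= 65535:
                raise ValueError(f"port out of range: {port}")
            ports.add(port)
    return sorted(ports)


def _lines(text: str) -> Iterable[str]:
    """Yield non-blank lines with line endings stripped."""
    for raw in text.splitlines():
        line = raw.rstrip("\r\n")
        if line.strip():
            yield line


def load_combined(text: str) -> List[Tuple[str, str]]:
    """'user:password' per line; split on the FIRST colon so passwords may contain ':'."""
    pairs = []
    for line in _lines(text):
        if ":" not in line:
            raise ValueError(f"malformed combined entry: {line!r}")
        user, password = line.split(":", 1)
        pairs.append((user, password))
    return pairs


def load_separate(users: str, passwords: str) -> List[Tuple[str, str]]:
    """Every username crossed with every password (what -u/-p does)."""
    return list(itertools.product(list(_lines(users)), list(_lines(passwords))))


def build_candidates(combined: Optional[str] = None,
                     users: Optional[str] = None,
                     passwords: Optional[str] = None) -> List[Tuple[str, str]]:
    """Enforce 'only one method at a time': -c or (-u and -p), never both."""
    if combined is not None and (users is not None or passwords is not None):
        raise ValueError("-c cannot be used together with -u/-p")
    if combined is not None:
        return load_combined(combined)
    if users is None or passwords is None:
        raise ValueError("-u and -p must be given together")
    return load_separate(users, passwords)


if __name__ == "__main__":
    print(parse_port_spec("21,22,137-139"))
    print(build_candidates(combined=COMBINED_LIST))
    print(build_candidates(users=USER_LIST, passwords=PASS_LIST))
```

The cross-product mode grows quickly (every user times every password), which is why depant keeps the larger user-supplied lists for the second phase and runs them only against the fastest service.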

Here is the usage information, along with a couple examples:

usage: depant ( -H <host> | -f <hostList>) ( -c <userPassList> | -u <userList> -p <passList>) <options>
Options:
-H <host (or CIDR block) to scan>
-f <host list file> (each ip or CIDR block per line)
-e <exclude hosts list> (each ip or CIDR block per line)
-g <output file for default password list> (Gets list from Phenoelit site)
-c <combined user:password list> (not in conjunction with -u/-p)
-u <username list> (used in conjunction with password list)
-p <password list> (used in conjunction with username list)
-o <port list> (e.g. 21,22,137-139 default is “safe ports”)
-O <output file> (CSV log of any user/passwords we find)
-C <second phase combined user:password list> (not in conjunction with -U/-P)
-U <second phase user list>
-P <second phase password list>
-A (run all ports hydra knows about)
-D (Do a dry run only, map network, and output what things are going to be checked)
-h (help)
-d (debug)

Examples:
Downloads the default password list into dpl.txt:

./depant.py -g ./dpl.txt

Checks for the user:pass combinations in dpl.txt on all ports for ips in hosts.txt:

./depant.py -f ~/hosts.txt -d -A -c dpl.txt

Checks the network services anywhere in 192.168.1.1/24 (excluding hosts listed in exclude.txt)
with the users and passwords specified, and if nothing is found, it will check the
larger user and dictionary list against the fastest service:

./depant.py -A -H 192.168.1.1/24 -e exclude.txt -u users.txt -p passwd.txt -U more-users.txt -P big-dict.txt

And here’s a quick example of it running against a local system. This will check against a combined user/password file for the first phase, and then use the separated user and password files for the second phase. You can see that in the second phase it is able to find a username and password:

$ depant -c ./dpl -U ./user.txt -P ./pass.txt -H 127.0.0.1/30

-=[[ Depant v0.1a ]]=-
-=[[ Midnight Research Labs ]]=-

[*] Phase 2 scanning enabled
[*] Starting phase 1 nmap scan of [2] host(s)
[*] Adding host [127.0.0.1] port [22] to list of services to test
[*] Found [1] thing(s) to check for default passwords
[*] Starting phase 1 hydra scans
[*] Checking for default passwords on host [127.0.0.1] port [22]
[*] Fastest service to run second phase on is [127.0.0.1] port [22]
[*] We did not find results in phase one… going to second phase
[*] Starting phase 2
[*] Checking for default passwords on host [127.0.0.1] port [22]
[!!!] Found user [testuser] with pass [YourPasswordSucks] on [127.0.0.1] service/port [22]
[!!!] We found logins on [1] hosts
[*] Total runtime was [34] seconds
[*] Finished.
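The ‘-O’ option writes any hits to a CSV log. As an added example (not depant’s own ‘-O’ implementation), the Python below parses the “[!!!] Found user …” lines from a run log like the one above into records, cross-checks them against the “We found logins on [N] hosts” summary line, and emits CSV. The log text is copied from the sample run; the regular expressions, function names and the password-masking option are this example’s own assumptions, added because a findings report that is shared with system owners usually should not carry the working password in clear text.

```python
"""Turn a depant run log into CSV records.

Added example, not depant's own -O code. Parses the '[!!!] Found user ...'
lines into rows and checks the hit count against the summary line.
"""
import csv
import io
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed from the sample run shown above.
SAMPLE_LOG = """\
[*] Starting phase 2
[*] Checking for default passwords on host [127.0.0.1] port [22]
[!!!] Found user [testuser] with pass [YourPasswordSucks] on [127.0.0.1] service/port [22]
[!!!] We found logins on [1] hosts
[*] Total runtime was [34] seconds
[*] Finished.
"""

# Pattern for a hit line; user and password are non-greedy so brackets in
# either value do not break the match on the fixed separators.
FOUND_RE = re.compile(
    r"^\[!!!\] Found user \[(?P<user>.*?)\] with pass \[(?P<password>.*?)\] "
    r"on \[(?P<host>[^\]]+)\] service/port \[(?P<port>\d+)\]$"
)
SUMMARY_RE = re.compile(r"^\[!!!\] We found logins on \[(?P<n>\d+)\] hosts$")


@dataclass(frozen=True)
class Hit:
    host: str
    port: int
    user: str
    password: str


def parse_hits(log: str) -> List[Hit]:
    """Collect every hit line from the run log in order of appearance."""
    hits = []
    for line in log.splitlines():
        m = FOUND_RE.match(line.strip())
        if m:
            hits.append(Hit(m["host"], int(m["port"]), m["user"], m["password"]))
    return hits


def summary_host_count(log: str) -> Optional[int]:
    """Return N from the 'We found logins on [N] hosts' line, if present."""
    for line in log.splitlines():
        m = SUMMARY_RE.match(line.strip())
        if m:
            return int(m["n"])
    return None


def consistent(log: str) -> bool:
    """True when the summary count matches the distinct hosts that had hits."""
    hits = parse_hits(log)
    n = summary_host_count(log)
    return n is not None and n == len({h.host for h in hits})


def hits_to_csv(hits: List[Hit], redact: bool = True) -> str:
    """CSV in the spirit of depant's -O log; passwords masked unless redact=False."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["host", "port", "user", "password"])
    for h in hits:
        writer.writerow([h.host, h.port, h.user, "***" if redact else h.password])
    return buf.getvalue()


if __name__ == "__main__":
    found = parse_hits(SAMPLE_LOG)
    print("summary consistent:", consistent(SAMPLE_LOG))
    print(hits_to_csv(found))
```

Keeping the masked report as the default and the unmasked one as an explicit opt-in means the CSV that ends up in a ticket or a shared drive only identifies which host, port and account need a password change.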

Thanks to the other resources that make something like this possible. Hydra does the password brute-forcing, and nmap does the actual scanning. Also thanks to Phenoelit for the default password list.

We’re very interested in getting feedback for this or anything else we’re up to. Let us know either way, whether you run into major problems or it works well for you. You can try running the tool with “-d” (for debug) to get extra information during the run. If you submit any bugs, please include the debug output to help us troubleshoot the issue. You can email me at aaron {@t} midnightresearch.com if you have any feedback (which is greatly appreciated).

Happy downloading. :)

Update: Here’s an updated version that adds a couple extra options to optimize the nmap flags that are run.
