January 6th, 2009

Depant your network

MRL has a new tool we’re releasing that will check your network for services with default passwords. The tool is called depant ((DE)fault (PA)ssword (N)etwork (T)ool). Depant works by downloading a default password list and then mapping out the local network to see what open services are available. Once it has a list of services, it tests each one for default passwords. After it has gone through every service, depant determines the fastest service (as timed in phase one) and uses it for an optional second phase of tests with a larger, user-supplied set of default users/passwords. Bear in mind that the second phase is a plain dictionary attack against one live service, so an account-lockout policy on that service will both slow the run down and can lock real users out.

By default depant has a list of “safe” services to test. These are services that hydra has been tested against and seems to work well with. Currently it’s a small list, as depant (and hydra) need to be run against more networks to see which default services are good to test for. Alternatively, a user can specify ‘-A’ to scan all ports that hydra knows services for. You can also specify only certain ports with ‘-o’ (it supports ranges and comma-separated lists). If any errors arise from running with extra services, please try running depant with the ‘-d’ flag (debug) and send us the output.

User/password combinations can be entered in one of two ways: either with separate files for usernames and passwords (this tests every combination of username and password), or with a “combined” file whose entries are formatted as “username:password”. ‘-u’ and ‘-p’ (or ‘-U’ and ‘-P’ for the second phase) specify the individual username and password files, and ‘-c’ (or ‘-C’ for the second phase) specifies a “combined” username:password file. Only one of these methods is intended to be used at a time.
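As an added example (this is not depant’s own code), here is how the ‘-o’ port spec and the two credential input modes described above can be parsed and validated. The SAFE_PORTS stand-in list and the rule that a combined entry is split on its first colon are assumptions; the page does not say what depant’s default list is or how it handles a password containing a colon.

```python
import itertools
import re
from typing import Iterable, List, Optional, Set, Tuple

# Stand-in for depant's default "safe" list, which the page does not reproduce.
SAFE_PORTS: List[int] = [21, 22, 23]


def parse_port_spec(spec: Optional[str]) -> List[int]:
    """Expand a -o argument such as '21,22,137-139' into a sorted, de-duplicated
    port list; no -o means the safe list. Junk raises instead of silently
    scanning nothing."""
    if spec is None:
        return list(SAFE_PORTS)
    ports: Set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", part)
        if not m:
            raise ValueError(f"bad port entry: {part!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"port range out of bounds: {part!r}")
        ports.update(range(lo, hi + 1))
    return sorted(ports)


def load_combined(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """The -c/-C format, one 'username:password' per line. Split on the first
    colon only (a password may itself contain ':'); an empty password such as
    'admin:' is a real default and is kept. Blank and '#' lines are ignored."""
    pairs = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"not a user:pass entry: {line!r}")
        user, password = line.split(":", 1)
        pairs.append((user, password))
    return pairs


def cross_product(users: Iterable[str], passwords: Iterable[str]) -> List[Tuple[str, str]]:
    """The -u/-p (or -U/-P) mode: every username tried against every password."""
    u = [line.rstrip("\r\n") for line in users if line.strip()]
    p = [line.rstrip("\r\n") for line in passwords if line.strip()]
    return list(itertools.product(u, p))


def build_credentials(combined: Optional[Iterable[str]] = None,
                      users: Optional[Iterable[str]] = None,
                      passwords: Optional[Iterable[str]] = None) -> List[Tuple[str, str]]:
    """Enforce the rule that only one input method is used at a time."""
    if combined is not None and (users is not None or passwords is not None):
        raise ValueError("-c cannot be combined with -u/-p")
    if combined is not None:
        return load_combined(combined)
    if users is None or passwords is None:
        raise ValueError("-u and -p must be given together")
    return cross_product(users, passwords)
```

Note that the separate-file mode cannot express an empty password (a blank line is skipped), so defaults like “admin” with no password belong in a combined file.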

Here is the usage information, along with a couple examples:

usage: depant ( -H <host> | -f <hostList>) ( -c <userPassList> | -u <userList> -p <passList>) <options>
Options:
-H <host (or CIDR block) to scan>
-f <host list file> (each ip or CIDR block per line)
-e <exclude hosts list> (each ip or CIDR block per line)
-g <output file for default password list> (Gets list from Phenoelit site)
-c <combined user:password list> (not in conjunction with -u/-p)
-u <username list> (used in conjunction with password list)
-p <password list> (used in conjunction with username list)
-o <port list> (e.g. 21,22,137-139 default is “safe ports”)
-O <output file> (CSV log of any user/passwords we find)
-C <second phase combined user:password list> (not in conjunction with -U/-P)
-U <second phase user list>
-P <second phase password list>
-A (run all ports hydra knows about)
-D (Do a dry run only, map network, and output what things are going to be checked)
-h (help)
-d (debug)

Examples:
Downloads the default password list into dpl.txt:

./depant.py -g ./dpl.txt

Checks for the user:pass combinations in dpl.txt on all ports for the IPs in hosts.txt, with debug output:

./depant.py -f ~/hosts.txt -d -A -c dpl.txt

Checks the network services anywhere in 192.168.1.1/24 (excluding hosts listed in exclude.txt)
with the users and passwords specified, and if nothing is found, it will check the
larger user and dictionary list against the fastest service:

./depant.py -A -H 192.168.1.1/24 -e exclude.txt -u users.txt -p passwd.txt -U more-users.txt -P big-dict.txt

And here’s a quick example of it running against a local system. This checks a combined user/password file in the first phase, and then uses the separate user and password files for the second phase. You can see that in the second phase it is able to find a username and password:

$ depant -c ./dpl -U ./user.txt -P ./pass.txt -H 127.0.0.1/30

-=[[ Depant v0.1a ]]=-
-=[[ Midnight Research Labs ]]=-

[*] Phase 2 scanning enabled
[*] Starting phase 1 nmap scan of [2] host(s)
[*] Adding host [127.0.0.1] port [22] to list of services to test
[*] Found [1] thing(s) to check for default passwords
[*] Starting phase 1 hydra scans
[*] Checking for default passwords on host [127.0.0.1] port [22]
[*] Fastest service to run second phase on is [127.0.0.1] port [22]
[*] We did not find results in phase one… going to second phase
[*] Starting phase 2
[*] Checking for default passwords on host [127.0.0.1] port [22]
[!!!] Found user [testuser] with pass [YourPasswordSucks] on [127.0.0.1] service/port [22]
[!!!] We found logins on [1] hosts
[*] Total runtime was [34] seconds
[*] Finished.
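The run above shows the two phases in order: nmap maps the hosts, hydra checks each service, and the second credential set is tried only against the fastest service. The following is an added example, not depant’s own code, of that flow: it parses nmap’s grepable (-oG) output into a service list, builds a hydra command line per service, times phase one, and falls back to the fastest service for phase two. The service-to-module table, the hydra result-line format and the nmap output sample are assumptions/constructed for the example; the hydra flags used (-C, -L, -P, -s, -f, -t) are real ones, but check `hydra -h` on your version, since module names such as ssh2/ssh have changed between releases.

```python
import re
import subprocess
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# nmap service name -> hydra module. Assumed for this example (depant's real
# "safe" list is not on the page); hydra 5.x spelled the SSH module "ssh2".
SAFE_SERVICES: Dict[str, str] = {"ftp": "ftp", "ssh": "ssh", "telnet": "telnet"}


@dataclass(frozen=True)
class Service:
    host: str
    port: int
    name: str    # nmap's service name
    module: str  # hydra module to run against it


# One "Host:" line of nmap -oG output; the "Ignored State" tail is optional.
GREPABLE = re.compile(r"^Host:\s+(\S+)\s+\(.*?\)\s+Ports:\s+(.*?)(?:\s+Ignored State:.*)?$")


def parse_grepable(text: str, allowed: Dict[str, str] = SAFE_SERVICES) -> List[Service]:
    """Phase one: keep open TCP ports whose nmap service name is in `allowed`.
    Each port entry is port/state/proto/owner/service/rpc/version/."""
    found: List[Service] = []
    for line in text.splitlines():
        m = GREPABLE.match(line)
        if not m:
            continue
        for entry in m.group(2).split(","):
            fields = entry.strip().split("/")
            if len(fields) < 5:
                continue
            port, state, proto, _owner, svc = fields[:5]
            if state == "open" and proto == "tcp" and svc in allowed:
                found.append(Service(m.group(1), int(port), svc, allowed[svc]))
    return found


def hydra_argv(svc: Service, combined: Optional[str] = None, users: Optional[str] = None,
               passwords: Optional[str] = None, tasks: int = 4) -> List[str]:
    """hydra flags: -C login:pass file, -L/-P list files, -s port, -f stop at
    the first valid pair, -t parallel tasks; then host and module positionally."""
    argv = ["hydra", "-f", "-t", str(tasks), "-s", str(svc.port)]
    if combined:
        argv += ["-C", combined]
    elif users and passwords:
        argv += ["-L", users, "-P", passwords]
    else:
        raise ValueError("need a combined file or both a user list and a password list")
    return argv + [svc.host, svc.module]


# hydra's success line (assumed format): "[22][ssh] host: 127.0.0.1   login: u   password: p"
HIT = re.compile(r"\[(\d+)\]\[\S+\]\s+host:\s+(\S+)\s+login:\s+(\S+)\s+password:\s+(\S*)")


def hydra_runner(argv: List[str]) -> str:
    """Real runner: invoke hydra and hand back its stdout."""
    return subprocess.run(argv, capture_output=True, text=True, check=False).stdout


def demo_runner(argv: List[str]) -> str:
    """Offline stand-in for hydra with constructed output: the combined list
    (-C) finds nothing, the separate lists (-L/-P) find the post's test login."""
    if "-C" in argv:
        return "Hydra v5.4 starting\n0 valid passwords found\n"
    port, host, module = argv[argv.index("-s") + 1], argv[-2], argv[-1]
    return f"[{port}][{module}] host: {host}   login: testuser   password: YourPasswordSucks\n"


def run_phase(services: List[Service], runner: Callable[[List[str]], str],
              **creds) -> Tuple[List[tuple], Dict[Service, float]]:
    """Run hydra on each service, timing every run so phase two can pick the fastest."""
    hits, timings = [], {}
    for svc in services:
        t0 = time.monotonic()
        out = runner(hydra_argv(svc, **creds))
        timings[svc] = time.monotonic() - t0
        hits += [(h, int(p), u, pw) for p, h, u, pw in HIT.findall(out)]
    return hits, timings


def fastest(timings: Dict[Service, float]) -> Service:
    return min(timings, key=timings.__getitem__)


def two_phase(services, runner, phase1: dict, phase2: Optional[dict] = None) -> List[tuple]:
    """depant's flow: phase one over everything; if nothing turned up and a
    second credential set was given, re-run only the fastest service with it."""
    hits, timings = run_phase(services, runner, **phase1)
    if hits or not phase2 or not timings:
        return hits
    return run_phase([fastest(timings)], runner, **phase2)[0]


# Constructed nmap -oG output for the offline demo.
SAMPLE_NMAP = (
    "Host: 127.0.0.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 5.1/, 25/open/tcp//smtp//Postfix/"
    "\tIgnored State: closed (998)\n"
    "Host: 127.0.0.2 ()\tPorts: 21/open/tcp//ftp//vsftpd 2.0.7/, 23/filtered/tcp//telnet///\n"
)
```

To run it for real, feed `parse_grepable` the file written by `nmap -oG`, pass `hydra_runner` instead of `demo_runner`, and give `two_phase` the same file names you would hand depant (`{"combined": "dpl.txt"}` for phase one, `{"users": ..., "passwords": ...}` for phase two). The runner is injected precisely so the orchestration can be tested without hydra installed.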

Thanks to the other resources that make something like this possible. Hydra does the password brute-forcing, and nmap does the actual scanning. Also thanks to Phenoelit for the default password list.

We’re very interested in getting feedback on this or anything else we’re up to. Let us know either way, whether you run into major problems or it works well for you. You can run the tool with “-d” (debug) to get extra information during the run. If you submit any bugs, please include the debug output to help us troubleshoot the issue. You can email me at aaron {@t} midnightresearch.com if you have any feedback (which is greatly appreciated).

Happy downloading :)

Update: Here’s an updated version that adds a couple of extra options to tune the nmap flags that are run.

19 Responses to 'Depant your network'

  1. Default password network scanning - Hack a Day
    October 13th, 2008 at 3:56 pm

    [...] Research Labs has just published a new tool. Depant will scan your network and check to see if services are using default passwords. It starts by [...]


  2. elpeor
    October 14th, 2008 at 5:34 am

    Just installed, but hydra looks like it’s giving problems:

    depant -c ../dpl.txt -H 127.0.0.1/30

    -=[[ Depant v0.1a ]]=-
    -=[[ Midnight Research Labs ]]=-

    [*] Starting phase 1 nmap scan of [2] host(s)
    [*] Adding host [127.0.0.1] port [22] to list of services to test
    [*] Adding host [127.0.0.1] port [25] to list of services to test
    [*] Adding host [127.0.0.1] port [4000] to list of services to test
    [*] Adding host [127.0.0.2] port [4000] to list of services to test
    [*] Found [4] thing(s) to check for default passwords
    [*] Starting phase 1 hydra scans
    [*] Checking for default passwords on host [127.0.0.1] port [22]
    *** glibc detected *** hydra: double free or corruption (out): 0xb7d85158 ***
    *** glibc detected *** hydra: double free or corruption (out): 0xb7d85158 ***
    ======= Backtrace: =========
    /lib/libc.so.6[0xb7cb87e4]
    /lib/libc.so.6(cfree+0x9c)[0xb7cba66c]
    /usr/lib/libssh.so(ssh_userauth_kbdint_setanswer+0x61)[0xb7d957a1]
    hydra[0x80535ba]
    hydra[0x80537f9]
    hydra[0x805d8bd]
    hydra[0x80612f8]
    hydra[0x8062e72]
    /lib/libc.so.6(__libc_start_main+0xe5)[0xb7c66005]
    hydra(exit+0x51)[0x8049f81]
    ======= Memory map: ========
    08048000-08069000 r-xp 00000000 08:01 4326197 /usr/bin/hydra
    08069000-0806a000 r--p 00020000 08:01 4326197 /usr/bin/hydra
    0806a000-0806b000 rw-p 00021000 08:01 4326197 /usr/bin/hydra
    0806b000-0808d000 rw-p 0806b000 00:00 0 [heap]
    b7a00000-b7a21000 rw-p b7a00000 00:00 0
    b7a21000-b7b00000 ---p b7a21000 00:00 0
    b7bee000-b7bfa000 r-xp 00000000 08:01 4215215 /usr/lib/gcc/i686-pc-linux-gnu/4.3.2/libgcc_s.so.1
    b7bfa000-b7bfb000 r--p 0000b000 08:01 4215215 /usr/lib/gcc/i686-pc-linux-gnu/4.3.2/libgcc_s.so.1
    b7bfb000-b7bfc000 rw-p 0000c000 08:01 4215215 /usr/lib/gcc/i686-pc-linux-gnu/4.3.2/libgcc_s.so.1
    b7bfc000-b7c00000 r-xp 00000000 08:01 4239093 /lib/libnss_dns-2.6.1.so
    b7c00000-b7c01000 r--p 00003000 08:01 4239093 /lib/libnss_dns-2.6.1.so
    b7c01000-b7c02000 rw-p 00004000 08:01 4239093 /lib/libnss_dns-2.6.1.so
    b7c02000-b7c0b000 r-xp 00000000 08:01 4238993 /lib/libnss_files-2.6.1.so
    b7c0b000-b7c0c000 r--p 00008000 08:01 4238993 /lib/libnss_files-2.6.1.so
    b7c0c000-b7c0d000 rw-p 00009000 08:01 4238993 /lib/libnss_files-2.6.1.so
    b7c0d000-b7c0e000 rw-p b7c0d000 00:00 0
    b7c0e000-b7c20000 r-xp 00000000 08:01 299114 /lib/libz.so.1.2.3
    b7c20000-b7c21000 r--p 00011000 08:01 299114 /lib/libz.so.1.2.3
    b7c21000-b7c22000 rw-p 00012000 08:01 299114 /lib/libz.so.1.2.3
    b7c22000-b7c30000 r-xp 00000000 08:01 4239014 /lib/libresolv-2.6.1.so
    b7c30000-b7c31000 r--p 0000e000 08:01 4239014 /lib/libresolv-2.6.1.so
    b7c31000-b7c32000 rw-p 0000f000 08:01 4239014 /lib/libresolv-2.6.1.so
    b7c32000-b7c34000 rw-p b7c32000 00:00 0
    b7c34000-b7c47000 r-xp 00000000 08:01 4239012 /lib/libnsl-2.6.1.so
    b7c47000-b7c48000 r--p 00012000 08:01 4239012 /lib/libnsl-2.6.1.so
    b7c48000-b7c49000 rw-p 00013000 08:01 4239012 /lib/libnsl-2.6.1.so
    b7c49000-b7c4c000 rw-p b7c49000 00:00 0
    b7c4c000-b7c4e000 r-xp 00000000 08:01 4239165 /lib/libdl-2.6.1.so
    b7c4e000-b7c4f000 r--p 00001000 08:01 4239165 /lib/libdl-2.6.1.so
    b7c4f000-b7c50000 rw-p 00002000 08:01 4239165 /lib/libdl-2.6.1.so
    b7c50000-b7d82000 r-xp 00000000 08:01 4239013 /lib/libc-2.6.1.so
    b7d82000-b7d84000 r--p 00132000 08:01 4239013 /lib/libc-2.6.1.so
    b7d84000-b7d85000 rw-p 00134000 08:01 4239013 /lib/libc-2.6.1.so
    b7d85000-b7d88000 rw-p b7d85000 00:00 0
    b7d88000-b7d9e000 r-xp 00000000 08:01 4325757 /usr/lib/libssh.so
    b7d9e000-b7d9f000 r--p 00015000 08:01 4325757 /usr/lib/libssh.so
    b7d9f000-b7da0000 rw-p 00016000 08:01 4325757 /usr/lib/libssh.so
    b7da0000-b7da2000 rw-p b7da0000 00:00 0
    b7da2000-b7de4000 r-xp 00000000 08:01 4102354 /usr/lib/libssl.so.0.9.8
    b7de4000-b7de5000 r--p 00042000 08:01 4102354 /usr/lib/libssl.so.0.9.8
    b7de5000-b7de8000 rw-p 00043000 08:01 4102354 /usr/lib/libssl.so.0.9.8
    b7de8000-b7f17000 r-xp 00000000 08:01 4102349 /usr/lib/libcrypto.so.0.9.8
    b7f17000-b7f1f000 r--p 0012e000 08:01 4102349 /usr/lib/libcrypto.so.0.9.8
    b7f1f000-b7f2d000 rw-p 00136000 08:01 4102349 /usr/lib/libcrypto.so.0.9.8
    b7f2d000-b7f30000 rw-p b7f2d000 00:00 0
    b7f30000-b7f54000 r-xp 00000000 08:01 4239163 /lib/libm-2.6.1.so
    b7f54000-b7f55000 r--p 00023000 08:01 4239163 /lib/libm-2.6.1.so
    b7f55000-b7f56000 rw-p 00024000 08:01 4239163 /lib/libm-2.6.1.so
    b7f56000-b7f57000 rw-p b7f56000 00:00 0
    b7f75000-b7f76000 r-xp b7f75000 00:00 0 [vdso]
    b7f76000-b7f91000 r-xp 00000000 08:01 4239185 /lib/ld-2.6.1.so
    b7f91000-b7f92000 r--p 0001a000 08:01 4239185 /lib/ld-2.6.1.so
    b7f92000-b7f93000 rw-p 0001b000 08:01 4239185 /lib/ld-2.6.1.so
    bfa7d000-bfa92000 rw-p bffeb000 00:00 0 [stack]

    It gives 12 or more errors like that and continues:

    [*] Checking for default passwords on host [127.0.0.1] port [25]
    [!] [ERROR: Unknown hydra error [Error: SMTP AUTH LOGIN error: 502 5.5.2 Error: command not recognized]] seen [554] times
    [*] Checking for default passwords on host [127.0.0.1] port [4000]

    At this point it takes a long time, and I can see there are about 16 hydra processes.

    I use gcc 4.3.2 and hydra-5.4 on a Gentoo box.


  3. Q8GEEKS.ORG » Default password network scanner!?
    October 14th, 2008 at 7:11 am

    [...] Anyways, Here’s the Hackaday related link… And here’s the MidnightResearchLab link… [...]


  4. sth
    October 14th, 2008 at 7:52 am

    elpeor: The error you’re seeing is coming from hydra. That’s what depant is using to check the individual service. I’m not sure what is causing hydra to have those problems, but you should be able to reproduce it by just running hydra alone, and then check with the THC guys. I’ve seen that before — I’ll see if I can reproduce it on this side as well.


  5. News for Geek » Blog Archive » Default password network scanning
    October 14th, 2008 at 8:19 am

    [...] By startmeAdd commentsHack A Day Midnight Research Labs has just published a new tool. Depant will scan your network and check to see if services are using default passwords. It starts by [...]


  6. sth
    October 14th, 2008 at 10:49 am

    BTW — if anyone has questions, or is running into issues running the tool, feel free to email me at aaron {@t} midnightresearch.com or join the irc channel at #mrl on efnet.


  7. kiddi
    October 14th, 2008 at 11:52 am

    Strange, when I test this tool on my home router, I get output like this:
    [!!!] Found user [guest] with pass [guest] on [192.168.1.1] service/port [23]
    [!!!] Found user [11111] with pass [x-admin] on [192.168.1.1] service/port [23]
    .
    .
    .
    [!!!] We found logins on [56] hosts

    But none of these user:pass combinations actually lets me telnet to the router on the specific IP/port.
    Any ideas?


  8. sth
    October 14th, 2008 at 12:31 pm

    kiddi:

    Unfortunately since telnet banners are not always the same for successful logins, sometimes hydra (the tool that does the individual service checks) has false positive hits on telnet. There should also be a warning from depant that says something like “too many successful logins, this is probably a false positive”. I think the only way to be sure on a service like this is to give hydra extra options for telnet. Maybe I can add something to depant to pass in the extra options for certain services that are known to be a certain type.


  9. Querystring » Default password network scanning
    October 14th, 2008 at 5:50 pm

    [...] Research Labs has just published a new tool. Depant will scan your network and check to see if services are using default passwords. It starts by [...]


  10. Depant - To find the machines with a default password | Korben
    October 15th, 2008 at 12:26 am

    [...] Depant is a new security tool from Midnight Research Labs that lets you find out whether the services and machines running on a network are using (or not) default passwords. [...]


  11. | jmanteau
    October 15th, 2008 at 5:21 am

    [...] more information on this page about using the software. filed under: [...]


  12. smxsy
    October 15th, 2008 at 10:35 am

    Hello, I’m having lots of fun with this lovely tool. One thing you may want to change is that when Hydra finds an open SMB server on the network with no password, it throws out hundreds of false positive matches instead of reporting a non-passworded server. Not sure how easy it would be to implement this!

    Kind regards
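The telnet false positives in comment 8 and the SMB server with no password in comment 12 are the same failure seen from two sides: hydra reports success for nearly every pair it tries, and a tool that prints each one as a finding buries the real hits. Here is an added example, not depant’s code, of the triage the “too many successful logins” warning implies, run over constructed depant-style result lines. The threshold of three believable hits per service and the per-service attempted-pair counts are assumptions for the example; the rule is: a handful of hits is worth verifying by hand, every pair succeeding means the service is not really authenticating and should be reported once, and anything in between is probably hydra misreading a banner.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

Key = Tuple[str, int]  # (host, port)

# depant's own result line, as shown in the post's sample run.
FOUND = re.compile(
    r"\[!!!\] Found user \[(?P<user>[^\]]*)\] with pass \[(?P<pw>[^\]]*)\] "
    r"on \[(?P<host>[^\]]+)\] service/port \[(?P<port>\d+)\]"
)

# Assumption for this example: more than this many distinct "successful"
# pairs on one service is not believable for a real default-password hit.
MAX_CREDIBLE_HITS = 3


def parse_hits(log: str) -> Dict[Key, List[Tuple[str, str]]]:
    """Group every reported user/pass pair by host:port."""
    hits: Dict[Key, List[Tuple[str, str]]] = defaultdict(list)
    for line in log.splitlines():
        m = FOUND.search(line)
        if m:
            hits[(m["host"], int(m["port"]))].append((m["user"], m["pw"]))
    return dict(hits)


def triage(hits: Dict[Key, List[Tuple[str, str]]], attempted: Dict[Key, int],
           max_hits: int = MAX_CREDIBLE_HITS) -> Dict[Key, str]:
    """'credible': few hits, verify them by hand.
    'open': every pair tried 'worked', so the service is not checking
            credentials at all (e.g. an SMB share with no password).
    'suspect': too many hits to trust, e.g. a telnet banner that hydra
            reads as a successful login for every pair."""
    verdicts = {}
    for key, pairs in hits.items():
        distinct = len(set(pairs))
        if distinct <= max_hits:
            verdicts[key] = "credible"
        elif distinct >= attempted.get(key, 0) > 0:
            verdicts[key] = "open"
        else:
            verdicts[key] = "suspect"
    return verdicts


def report(hits: Dict[Key, List[Tuple[str, str]]], verdicts: Dict[Key, str]) -> List[str]:
    """Collapse the noisy cases to one line each instead of hundreds."""
    lines = []
    for (host, port), verdict in sorted(verdicts.items()):
        if verdict == "credible":
            for user, pw in sorted(set(hits[(host, port)])):
                lines.append(f"[!!!] {host}:{port} user [{user}] pass [{pw}] (verify by hand)")
        elif verdict == "open":
            lines.append(f"[!!!] {host}:{port} accepts any credentials: no password / no auth")
        else:
            n = len(set(hits[(host, port)]))
            lines.append(f"[!] {host}:{port} {n} 'successes', probably a false positive; "
                         "re-check with service-specific hydra options")
    return lines


# Constructed sample: one real-looking SSH hit, a chatty telnet router, and an
# SMB service where all four pairs tried "succeeded".
SAMPLE_LOG = """
[!!!] Found user [testuser] with pass [YourPasswordSucks] on [127.0.0.1] service/port [22]
[!!!] Found user [guest] with pass [guest] on [192.168.1.1] service/port [23]
[!!!] Found user [11111] with pass [x-admin] on [192.168.1.1] service/port [23]
[!!!] Found user [admin] with pass [admin] on [192.168.1.1] service/port [23]
[!!!] Found user [root] with pass [root] on [192.168.1.1] service/port [23]
[!!!] Found user [admin] with pass [] on [192.168.1.1] service/port [23]
[!!!] Found user [admin] with pass [admin] on [10.0.0.5] service/port [445]
[!!!] Found user [guest] with pass [] on [10.0.0.5] service/port [445]
[!!!] Found user [root] with pass [root] on [10.0.0.5] service/port [445]
[!!!] Found user [user] with pass [user] on [10.0.0.5] service/port [445]
"""
# How many pairs were tried per service (assumed for the sample).
SAMPLE_ATTEMPTED = {("127.0.0.1", 22): 10, ("192.168.1.1", 23): 10, ("10.0.0.5", 445): 4}
```

Running `report(parse_hits(SAMPLE_LOG), triage(parse_hits(SAMPLE_LOG), SAMPLE_ATTEMPTED))` turns the ten lines above into three: the SMB host reported once as unauthenticated, the SSH hit kept, and the telnet router flagged for a manual re-check rather than listed as five working logins.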


  13. Jim’s Bloggyness » Post Topic » An Information Security Place Podcast - Episode #7
    October 15th, 2008 at 8:43 pm

    [...] - Depant -Link HERE - scan your network for devices/services with default passwords [...]


  14. An Information Security Place Podcast » Blog Archive » An Information Security Place Podcast - Episode 7
    October 15th, 2008 at 9:28 pm

    [...] Scanning you network for default passwords: Depant [...]


  15. » An Information Security Place Podcast - Episode 7
    October 15th, 2008 at 9:34 pm

    [...] Scanning you network for default passwords: Depant [...]


  16. Bookmarks for October 10th through October 16th at edsmiley.com
    October 16th, 2008 at 5:01 pm

    [...] Midnight Research Labs - Depant your network - MRL has a new tool we’re releasing that will check your network for services with default passwords. The tool is called depant ((DE)fault (PA)ssword (N)etwork (T)ool). [...]


  17. Austoon Daily » Depant your network
    October 18th, 2008 at 6:08 am

    [...] Midnight Research Labs - Depant your network [...]


  18. Check the default passwords of the services on your network
    October 19th, 2008 at 5:10 am

    Midnight Research Labs has developed a new Linux tool that will check the default passwords of the services on your network. The tool is called DEPANT ((DE)fault (PA)ssword (N)etwork (T)ool).
    DEPANT loads a list of default passwords, then maps the local network to see which services are available. Once it has the list of services …


  19. greenlaser
    November 10th, 2008 at 9:12 am

    hey guys

    I have downloaded this program, but it doesn’t work. I mean I couldn’t figure out which program to ((open with)) that might make it work!!!
    Because it’s an unknown program for my PC ..

    please help

