
PCI On default passwords

Posted: 2016/08/16 04:54:15
by EL_Beginner

We have a requirement to monitor for default username/password combinations left on our boxes. Just wondering how you all are handling this? Any open source tools? I was pretty much going to write a giant SSH in a loop thing. But thought there might be a smarter (free) way of doing this. Bonus points if it can work on Juniper Firewalls too.


"2.1.a Choose a sample of system components, and attempt to log on (with system administrator help) to the devices and applications using default vendor-supplied accounts and passwords, to verify that ALL default passwords (including those on operating systems, software that provides security services, application and system accounts, POS terminals, and Simple Network Management Protocol (SNMP) community strings) have been changed. (Use vendor manuals and sources on the Internet to find vendor-supplied accounts/passwords.)"

Re: PCI On default passwords

Posted: 2016/08/28 17:14:10
by aks
Perhaps you should look at an expect script?

You could then create a loop and send the default credentials and assert (via expect) a result. Failure means it didn't work; success means it did and the default username/password pairs are active.

I'd just do it in a for loop.

The main problem is the assertion. If you expect to get back the string "login succeeded", that may not work for other operating systems, so you'd have to make a decision tree for each and every case...
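One way to build the loop-and-assert sweep described above, as an added example that is not code from either poster: a small Python driver that generates an expect(1) script per login attempt, captures the session transcript, and classifies it with per-platform prompt rules (the "decision tree" problem from the reply). Everything below is assumed for illustration: the credential list is a constructed sample, not vendor-verified defaults; the hostnames, prompt regexes and the `demo_runner` transcripts are made up so the script runs offline; real sweeps use `expect_runner`, which needs `expect` and `ssh` on the PATH. Results that are neither a clear success nor a clear failure (timeouts, odd banners) are reported as UNKNOWN rather than silently counted as "changed".

```python
"""Default-credential sweep over SSH via expect, with per-platform assertions.

Added example, not from the thread. Credentials, hosts, prompt patterns and
demo transcripts are constructed/assumed for illustration only.
"""
import re
import subprocess
import tempfile
from typing import Callable, Dict, List, Tuple

# Constructed sample list; a real sweep takes these from vendor manuals.
DEFAULT_CREDS: List[Tuple[str, str]] = [("admin", "admin"), ("root", "root"), ("root", "")]

# Per-platform outcome patterns. Failure patterns are checked first, so a
# "Permission denied" banner followed by a prompt-like character is not
# misread as success. Prompt shapes are assumptions; adjust per fleet.
PLATFORMS: Dict[str, Dict[str, List[str]]] = {
    "linux": {
        "fail": [r"Permission denied", r"Connection refused", r"Connection timed out"],
        "ok": [r"(?m)^[^\n]*[$#]\s*$"],             # bash/sh style prompt at buffer end
    },
    "junos": {
        "fail": [r"Permission denied", r"Connection refused"],
        "ok": [r"(?m)^[\w.-]+@[\w.-]+[>#%]\s*$"],   # user@host> CLI prompt (assumed)
    },
}


def classify(transcript: str, platform: str) -> str:
    """Assert on one login transcript: 'SUCCESS', 'FAILED' or 'UNKNOWN'."""
    rules = PLATFORMS[platform]
    if any(re.search(p, transcript) for p in rules["fail"]):
        return "FAILED"
    if any(re.search(p, transcript) for p in rules["ok"]):
        return "SUCCESS"
    return "UNKNOWN"  # empty/odd transcript (timeout, banner change): review manually


def tcl_quote(s: str) -> str:
    """Escape a value for use inside a double-quoted Tcl/expect string."""
    return re.sub(r'([\\"$\[\]])', r'\\\1', s)


# expect script template; {{ }} are literal Tcl braces after .format().
EXPECT_TEMPLATE = r"""
set timeout 10
spawn ssh -o StrictHostKeyChecking=no -o ConnectTimeout=5 \
    -o PreferredAuthentications=password -o PubkeyAuthentication=no \
    -o NumberOfPasswordPrompts=1 "{user}@{host}"
expect {{
    -re "(?i)password:" {{ send "{password}\r" }}
    timeout {{ exit }}
    eof {{ exit }}
}}
expect {{
    -re "(?i)permission denied|password:" {{ exit }}
    -re {{[$#>%] $}} {{ send "exit\r" }}
    timeout {{ exit }}
}}
"""

Runner = Callable[[str, str, str], str]


def expect_runner(host: str, user: str, password: str) -> str:
    """Drive one SSH login attempt with expect(1); return the captured transcript."""
    script = EXPECT_TEMPLATE.format(host=tcl_quote(host), user=tcl_quote(user),
                                    password=tcl_quote(password))
    with tempfile.NamedTemporaryFile("w", suffix=".exp") as f:
        f.write(script)
        f.flush()
        try:
            proc = subprocess.run(["expect", f.name], capture_output=True,
                                  text=True, timeout=40)
        except (subprocess.TimeoutExpired, FileNotFoundError):
            return ""  # no transcript -> UNKNOWN, never a silent pass
    return proc.stdout + proc.stderr


def audit(targets: List[Tuple[str, str]], creds: List[Tuple[str, str]] = DEFAULT_CREDS,
          runner: Runner = expect_runner) -> List[Dict[str, str]]:
    """The for loop: every (user, password) against every (host, platform).
    Returns anything that is not a clean FAILED, so UNKNOWNs get reviewed too."""
    findings: List[Dict[str, str]] = []
    for host, platform in targets:
        for user, password in creds:
            verdict = classify(runner(host, user, password), platform)
            if verdict != "FAILED":
                findings.append({"host": host, "user": user, "verdict": verdict})
    return findings


# Constructed demo data so the script runs offline (no real hosts involved).
DEMO_TARGETS = [("web1", "linux"), ("fw1", "junos")]


def demo_runner(host: str, user: str, password: str) -> str:
    """Fake transcripts standing in for real SSH sessions."""
    if (host, user, password) == ("web1", "admin", "admin"):
        return "Password: \nLast login: Tue Aug 16 04:54:15 2016\nadmin@web1:~$ "
    if (host, user, password) == ("fw1", "root", "root"):
        return "Password: \nroot@fw1> "
    if (host, user, password) == ("fw1", "root", ""):
        return ""  # simulate a timeout: must surface as UNKNOWN
    return "Password: \nPermission denied, please try again.\nPassword: "


if __name__ == "__main__":
    for f in audit(DEMO_TARGETS, runner=demo_runner):
        print(f"{f['host']}: {f['user']} -> {f['verdict']}")
```

The split between the runner (how a transcript is obtained) and `classify` (what counts as success) is the point: new platforms are added by extending `PLATFORMS`, and the same classifier can be unit-tested against saved transcripts without touching the network. Treat UNKNOWN as a finding to triage, and run this only with the system-owner cooperation the quoted requirement calls for.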