PCI On default passwords

Support for security such as Firewalls and securing linux
Post Reply
EL_Beginner
Posts: 13
Joined: 2015/02/06 23:30:32

PCI On default passwords

Post by EL_Beginner » 2016/08/16 04:54:15

All,

We have a requirement to monitor for default username/password combinations left on our boxes. Just wondering how you all are handling this? Any open source tools? I was pretty much going to write a giant SSH in a loop thing. But thought there might be a smarter (free) way of doing this. Bonus points if it can work on Juniper Firewalls too.

Code: Select all

"2.1.a Choose a sample of system components, and attempt to log on (with system administrator help) to the devices and applications using default vendor-supplied accounts and passwords, to verify that ALL default passwords (including those on operating systems, software that provides security services, application and system accounts, POS terminals, and Simple Network Management Protocol (SNMP) community strings) have been changed. (Use vendor manuals and sources on the Internet to find vendor-supplied accounts/passwords.)"

aks
Posts: 3073
Joined: 2014/09/20 11:22:14

Re: PCI On default passwords

Post by aks » 2016/08/28 17:14:10

Perhaps you should look at an expect script?

You could then create a loop and send the default credentials and assert (via expect) a result. Failure means it didn't work, success means it did and the default user name/passwords are active.

I'd just do it in a for loop.

The main problem is the assertion. If you expect to get back the string "login succeeded" that may not work for other operating systems, so you'd have to make a decision tree for each and every case....

Post Reply