Learning as I go user…
Ran my first test scan against an ESX host the other day and my SIEM triggered on a possible brute-force attack from this activity (seen from the scan engine to the host I scanned) with failed logins … I am looking in my SIEM to gather more information and details to confirm, but the summary shows accounts such as ‘admin’, ‘root’, ‘jack’…
I was using a slightly modified full audit template (no web spidering). I assume something selected in it runs some brute-force checks, but is there somewhere I can see the list it might be using, to confirm?
There are several default-account checks built into the scanner. If you edit your scan template and go to the vulnerability check tab, you will find a category called Default Accounts; all of the various default-account checks are listed there.
For the jack account, there is a check for a default account/password on OpenSolaris, where a version was released with a default account called jack. The actual vulnerability ID is solaris-live-boot-default-jack-account, so you could also use the search function in the UI to find its description.
Hope this helps,
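The pattern the SIEM picked up on is exactly what the default-account checks described above produce: a burst of failed logins from one source (the scan engine) spread across many different account names, rather than many attempts against one account. Below is an added example (not from the original thread, and not Rapid7 code) of how one might triage such an alert before tuning a rule: it parses constructed, ESXi-flavoured "Rejected password" log lines, applies a sliding-window failed-login threshold per source address, and classifies a burst as expected scanner activity only when the source is a known scan engine. The log format, host names, addresses, the `SCAN_ENGINES` set and the threshold are all assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (NOT real ESXi output): one scanner-style burst of
# default-account guesses from 10.0.5.20, one repeated-root burst from an
# outside address, one successful login and one isolated failure.
SAMPLE_LOG = """\
2024-03-05T10:00:01Z esx01 Hostd: Rejected password for user admin from 10.0.5.20
2024-03-05T10:00:02Z esx01 Hostd: Rejected password for user root from 10.0.5.20
2024-03-05T10:00:02Z esx01 Hostd: Rejected password for user jack from 10.0.5.20
2024-03-05T10:00:03Z esx01 Hostd: Rejected password for user oracle from 10.0.5.20
2024-03-05T10:00:03Z esx01 Hostd: Rejected password for user admin from 10.0.5.20
2024-03-05T10:00:04Z esx01 Hostd: Rejected password for user root from 10.0.5.20
2024-03-05T10:03:10Z esx01 Hostd: Rejected password for user root from 198.51.100.7
2024-03-05T10:03:12Z esx01 Hostd: Rejected password for user root from 198.51.100.7
2024-03-05T10:03:14Z esx01 Hostd: Rejected password for user root from 198.51.100.7
2024-03-05T10:03:16Z esx01 Hostd: Rejected password for user root from 198.51.100.7
2024-03-05T10:03:18Z esx01 Hostd: Rejected password for user root from 198.51.100.7
2024-03-05T10:03:20Z esx01 Hostd: Rejected password for user root from 198.51.100.7
2024-03-05T10:05:00Z esx01 Hostd: Accepted password for user root from 10.0.0.9
2024-03-05T10:20:00Z esx01 Hostd: Rejected password for user root from 192.0.2.44
"""

# Assumed line layout: "<timestamp> <host> <process>: Rejected password for user <u> from <ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ \S+ Rejected password for user (?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+)$"
)

SCAN_ENGINES = {"10.0.5.20"}      # assumption: address of the authorised scan engine
THRESHOLD = 5                     # failures within WINDOW that count as a burst
WINDOW = timedelta(minutes=1)


def parse_failures(text):
    """Return (timestamp, source_ip, account) for every failed-login line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["src"], m["user"]))
    return events


def detect_bruteforce(events, threshold=THRESHOLD, window=WINDOW, scan_engines=SCAN_ENGINES):
    """Per source address, find the peak number of failures inside any sliding
    window; report sources at or above the threshold, noting which distinct
    accounts were tried and whether the source is a known scan engine."""
    by_src = defaultdict(list)
    for ts, src, user in events:
        by_src[src].append((ts, user))

    alerts = []
    for src, items in sorted(by_src.items()):
        items.sort()
        peak, start = 0, 0
        for end in range(len(items)):
            # Advance the window start until it spans at most `window`.
            while items[end][0] - items[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts.append({
                "src": src,
                "count": peak,
                "users": sorted({user for _, user in items}),
                "classification": "expected-scanner" if src in scan_engines else "suspicious",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(parse_failures(SAMPLE_LOG)):
        print(alert)
```

The distinct-account list is the useful discriminator: the scanner burst touches `admin`, `jack`, `oracle` and `root` (a default-account sweep), while the outside burst hammers only `root`. Allow-listing the scan engine's address is reasonable, but it should be paired with the scan schedule rather than applied unconditionally, since a compromised or spoofed engine address would otherwise be able to guess passwords unnoticed.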