I've been trying to set up password guessing using Qualys with varied results (mostly unsuccessful). First, I created an account on a Solaris 10 box where the username and password are the same. Second, I created a scan profile for brute forcing passwords: this scan profile does standard port scans; I have password brute forcing enabled with the standard system option; I have an authentication record for the scan (with an account for Qualys to use on the box); and I created a search list with a couple of brute force QIDs (38259, most importantly).
When I scan the box with the account in question and using this profile, I don't see any brute forcing results. The scan results in the report show that brute forcing is enabled with the standard system option, Qualys detects sshd on port 22, and it shows that Qualys successfully authenticated on that box. When I add a custom brute forcing list with the account and password explicitly listed, then it succeeds: the scan report shows QID 38259 with the account in question.
I don't want to list all users in a custom brute force list; that would be a major PITA. Qualys should be able to generate that list itself. (Although I wonder whether Qualys is smart enough to check nsswitch.conf and then the appropriate name service; in this particular case, I created an account directly on the box.)
So what's going on here? Has anyone brute forced passwords on a Unix box using the standard system option?