Why Noxen flags exposed admin panels but never logs in
Noxen detects exposed admin surfaces: phpMyAdmin on port 80, Grafana on 3000, Portainer on 9000, unauthenticated Redis on 6379, unauthenticated Elasticsearch on 9200. It reports them with a URL and a severity. What it deliberately does not do: try the credentials admin/admin or root/root or redis/redis.
This sounds like a gap. It isn't. It's a product decision.
Reason 1 — Liability
An automated login attempt, even with a default credential on your own network, is still an authentication event. If the login succeeds, Noxen has now established a session on a system the software vendor (us) has no right to be on. If an audit log ever surfaces that session, "the scanner tried to log in" is not an explanation that holds legally. The scanner is a product. The product is us.
And if it's not your network? If you forgot to narrow the scope, and Noxen runs against a host you don't own? Now it's unauthorised computer access. The difference between "I accidentally scanned a neighbour's router" and "I accidentally authenticated against a neighbour's router" is the difference between an awkward phone call and a statute under the Computer Fraud and Abuse Act.
Reason 2 — App Review risk
Apple's App Review Guidelines are explicit about apps that "pretend to hack or compromise other systems." Even if the Mac App Store (MAS) is a stretch goal for Noxen, every piece of behaviour that looks offensive raises the review risk across the board — including Developer ID notarisation, which is an Apple check too.
A flag-only scanner is unambiguously defensive: it observes, it reports, it recommends. An authentication-testing scanner is offensive: it tries to gain access. The categories are different, and they're treated differently.
Reason 3 — The check doesn't add signal
"Grafana is reachable on 10.0.0.7:3000" is actionable. You either wanted Grafana exposed or you didn't. If you wanted it exposed, you know your admin password. If you didn't, closing the port is the fix — not weakening the already-bad credential story.
"Grafana is reachable on 10.0.0.7:3000, and by the way the default admin/admin worked" adds nothing actionable. You're still going to close the port.
Reason 4 — It collapses into Nuclei-as-a-service
If Noxen tested default credentials today, it'd test CVE-2023-12345 exploits next week, and SQLi payloads on exposed admin interfaces the week after. That's a different product: an active-exploit scanner. Those products exist (Nuclei and Nikto lead the open-source field). The world does not need another one on Mac.
The world does need a passive, friendly, Mac-native fleet scanner that doesn't freak out your infra team. That's what Noxen is.
What flag-only looks like in practice
For every admin surface Noxen detects, the report looks like:
[HIGH] Grafana panel reachable at http://10.0.0.7:3000/login
detected via body marker "Grafana"
remediation: restrict port 3000 to the management VLAN,
or add a VPN/SSH tunnel requirement
That's the whole finding. No login attempt, no credential exfiltration, no history of session tokens. Just: "this thing is reachable."
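The following is an added example, not Noxen's own code, of what a flag-only classifier looks like when the "no login, ever" rule is enforced in code rather than by convention. It assumes the scanner has already fetched an HTTP response for a host and port (fetching is out of scope here); the signature table, the `is_passive_request` guard and the three sample response bodies are all constructed for the example and are not Noxen's real marker list.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed signature table (assumption: not Noxen's real marker list).
# Each entry: substrings looked for in the response body, the severity the
# finding gets, and remediation text with {port} filled in at report time.
SIGNATURES = {
    "Grafana": {
        "markers": ("<title>Grafana</title>", "grafanaBootData"),
        "severity": "HIGH",
        "remediation": "restrict port {port} to the management VLAN, "
                       "or add a VPN/SSH tunnel requirement",
    },
    "phpMyAdmin": {
        "markers": ("<title>phpMyAdmin</title>", "pma_username"),
        "severity": "HIGH",
        "remediation": "restrict port {port} to the management VLAN, "
                       "or put phpMyAdmin behind an authenticating reverse proxy",
    },
    "Portainer": {
        "markers": ("<title>Portainer</title>",),
        "severity": "HIGH",
        "remediation": "restrict port {port} to the management VLAN, "
                       "or add a VPN/SSH tunnel requirement",
    },
}

# The only request shapes a passive scanner is allowed to send.
PASSIVE_METHODS = {"GET", "HEAD"}
CREDENTIAL_HEADERS = {"authorization", "cookie", "x-api-key"}


@dataclass(frozen=True)
class Finding:
    severity: str
    service: str
    url: str
    marker: str
    remediation: str

    def render(self) -> str:
        """Render in the three-line report layout the post shows."""
        return (
            f"[{self.severity}] {self.service} panel reachable at {self.url}\n"
            f"  detected via body marker \"{self.marker}\"\n"
            f"  remediation: {self.remediation}"
        )


def is_passive_request(method: str, headers: dict, body: bytes) -> bool:
    """Guard applied before any request leaves the scanner: only an
    unauthenticated GET/HEAD with an empty body is allowed. Anything that
    could carry a credential is refused, so a login attempt cannot slip in
    through a new signature or a careless refactor."""
    if method.upper() not in PASSIVE_METHODS:
        return False
    if body:
        return False
    lowered = {k.lower() for k in headers}
    return not (lowered & CREDENTIAL_HEADERS)


def classify(host: str, port: int, path: str, body: str) -> Optional[Finding]:
    """Build a finding from a response the server already sent. Nothing here
    issues a request; it only inspects text that was returned unauthenticated."""
    for service, sig in SIGNATURES.items():
        for marker in sig["markers"]:
            if marker in body:
                return Finding(
                    severity=sig["severity"],
                    service=service,
                    url=f"http://{host}:{port}{path}",
                    marker=marker,
                    remediation=sig["remediation"].format(port=port),
                )
    return None


# Constructed sample response bodies (not real captures).
GRAFANA_LOGIN = "<html><head><title>Grafana</title></head><body>login</body></html>"
PMA_LOGIN = '<html><head><title>phpMyAdmin</title></head><input name="pma_username"></html>'
NGINX_DEFAULT = "<html><head><title>Welcome to nginx!</title></head></html>"


def scan_sample() -> list:
    """Run the guard and the classifier over the three constructed responses."""
    responses = [
        ("10.0.0.7", 3000, "/login", GRAFANA_LOGIN),
        ("10.0.0.8", 80, "/phpmyadmin/", PMA_LOGIN),
        ("10.0.0.9", 80, "/", NGINX_DEFAULT),
    ]
    findings = []
    for host, port, path, body in responses:
        # The request that produced each body must have passed the guard.
        assert is_passive_request("GET", {"User-Agent": "noxen-example"}, b"")
        finding = classify(host, port, path, body)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_sample():
        print(f.render(), end="\n\n")
```

The design point is the `is_passive_request` guard sitting in front of every request rather than inside individual checks: a new signature can only add a marker string and remediation text, never a POST or a credential header, so the "observe, report, recommend" boundary the post describes is a property of the code path and not of reviewer vigilance. The nginx default page produces no finding, which is the correct outcome for a host that is reachable but is not an admin surface.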
If you want active exploitation
Run Nuclei. Run Nikto. Run Metasploit. These are excellent tools, built by people who understand the operational and legal implications of what they do. Do not run Noxen in their place, and do not run any of them unsupervised on networks you don't fully own.
Noxen is the defensive first pass. It's what you run every night to know what's changed. It's not the red team.