One place for all the default credentials to assist pentesters during an engagement. This document collects default logins/passwords for many products, gathered from multiple sources.
P.S.: Most of the credentials were extracted from the changeme, routersploit and Seclists projects; you can use these tools to automate the process: https://github.com/ztgrace/changeme, https://github.com/threat9/routersploit (kudos for the awesome work)
- Project in progress
Motivation
- One document for the most well-known vendors' default credentials
- Assist pentesters during a pentest/red teaming engagement
- Help Blue teamers secure the company's infrastructure assets by discovering this security flaw so that it can be mitigated. See OWASP Guide [WSTG-ATHN-02] – Testing_for_Default_Credentials
Short stats of the dataset
| | Product/Vendor | Username | Password |
|---|---|---|---|
| count | 3460 | 3460 | 3460 |
| unique | 1182 | 1086 | 1601 |
| top | Oracle | | |
| freq | 235 | 718 | 461 |
Sources
- Changeme
- Routersploit
- betterdefaultpasslist
- Seclists
- ics-default-passwords (thanks to @noraj)
- Vendor’s documentation/blogs
Installation
The Default Credentials Cheat Sheet is available through PyPI:

```
$ pip3 install defaultcreds-cheat-sheet
$ creds search tomcat
```
Tested on
- Kali Linux
- Ubuntu
Manual Installation
```
$ git clone https://github.com/ihebski/DefaultCreds-cheat-sheet
$ cd DefaultCreds-cheat-sheet
$ pip3 install -r requirements.txt
$ cp creds /usr/bin/ && chmod +x /usr/bin/creds
$ creds search tomcat
```
Creds script
- Usage Guide
```
# Search for product creds
➤ creds search tomcat
+----------------------------------+------------+------------+
| Product                          |  username  |  password  |
+----------------------------------+------------+------------+
| apache tomcat (web)              | tomcat     | tomcat     |
| apache tomcat (web)              | admin      | admin      |
...
+----------------------------------+------------+------------+

# Update records
➤ creds update
Check for new updates...
New updates are available
[+] Download database...

# Export Creds to files (could be used for brute force attacks)
➤ creds search tomcat export
+----------------------------------+------------+------------+
| Product                          |  username  |  password  |
+----------------------------------+------------+------------+
| apache tomcat (web)              | tomcat     | tomcat     |
| apache tomcat (web)              | admin      | admin      |
...
+----------------------------------+------------+------------+
[+] Creds saved to /tmp/tomcat-usernames.txt , /tmp/tomcat-passwords.txt
```
Pass Station
noraj created a CLI & library to search for default credentials in this database using DefaultCreds-Cheat-Sheet.csv. The tool is named Pass Station (Doc) and has some powerful search features (fields, switches, regexp, highlight) and output formats (simple table, pretty table, JSON, YAML, CSV).
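For the blue-team use mentioned under Motivation, the sketch below checks an asset inventory against the dataset and reports accounts that still use a vendor default. It is an added example, not code from this project. The CSV header names (`productvendor`, `username`, `password`), the `<blank>` marker for empty values, and all sample rows and inventory entries are assumptions constructed for illustration.

```python
import csv
import io

# Constructed sample in the layout assumed for DefaultCreds-Cheat-Sheet.csv
# (header names and the "<blank>" marker are assumptions, not taken from the page).
SAMPLE_CSV = """productvendor,username,password
apache tomcat (web),tomcat,tomcat
apache tomcat (web),admin,admin
examplecorp router,admin,<blank>
"""

# Constructed inventory of accounts found configured on in-scope assets.
INVENTORY = [
    {"asset": "build01", "product": "Apache Tomcat", "username": "tomcat", "password": "tomcat"},
    {"asset": "build02", "product": "Apache Tomcat", "username": "admin", "password": "S7!long-unique"},
    {"asset": "edge-gw", "product": "ExampleCorp Router", "username": "admin", "password": ""},
]

BLANK = "<blank>"  # assumed marker for an empty username/password in the dataset


def _norm(value):
    """Strip whitespace and map the dataset's blank marker to an empty string."""
    value = (value or "").strip()
    return "" if value == BLANK else value


def load_defaults(handle):
    """Return (product, username, password) tuples with the product lower-cased."""
    return [(row["productvendor"].strip().lower(), _norm(row["username"]), _norm(row["password"]))
            for row in csv.DictReader(handle)]


def audit(inventory, defaults):
    """Return one finding per inventory entry whose product, username and password match a default."""
    findings = []
    for entry in inventory:
        product = entry["product"].strip().lower()
        for d_product, d_user, d_pass in defaults:
            if product in d_product and entry["username"] == d_user and entry["password"] == d_pass:
                findings.append({"asset": entry["asset"], "matched": d_product, "username": d_user})
                break  # one finding per account is enough
    return findings


if __name__ == "__main__":
    for f in audit(INVENTORY, load_defaults(io.StringIO(SAMPLE_CSV))):
        print(f"{f['asset']}: default credentials still set for {f['username']} ({f['matched']})")
```

To run it against the real dataset, pass an open file handle for DefaultCreds-Cheat-Sheet.csv to `load_defaults` and adjust the header names if they differ.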