One place for all the default credentials to assist pentesters during an engagement. This document lists default credentials for several products, gathered from several sources.
P.S.: Most of the credentials are extracted from the changeme, routersploit and Seclists projects. You can use changeme and routersploit to automate the process (kudos for the awesome work).
Motivation
- One document for the best-known vendors' default credentials
- Assist pentesters during a pentest/red teaming engagement
- Help Red/Blue teamers secure the company infrastructure by discovering this security flaw so that it can be mitigated. See the OWASP Guide [WSTG-ATHN-02]
Short stats of the dataset
. | Product/Vendor | Username | Password |
---|---|---|---|
count | 3525 | 3152 | 3525 |
unique | 1075 | 1169 | 1713 |
top | Oracle | admin | |
freq | 235 | 507 | 422 |
Sources
- Changeme
- Routersploit
- betterdefaultpasslist
- Seclists
- Vendors documentations/blogs
Creds script
You can turn the cheat sheet into a CLI command and run search queries for a specific product.
# Usage
➤ python3 creds search tomcat
+----------------------------------+------------+------------+
| Product | username | password |
+----------------------------------+------------+------------+
| apache tomcat (web) | tomcat | tomcat |
| apache tomcat (web) | admin | admin |
...
+----------------------------------+------------+------------+
Contribute
If you cannot find the password for a specific product, please submit a pull request to update the dataset.
Product/Vendor | Username | Password |
---|---|---|
Zyxel (ssh) | zyfwp | PrOw!aN_fXp |
APC UPS (web) | apc | apc |
Weblogic (web) | system | manager |
Weblogic (web) | weblogic | weblogic1 |
Weblogic (web) | WEBLOGIC | WEBLOGIC |
Weblogic (web) | PUBLIC | PUBLIC |
Weblogic (web) | EXAMPLES | EXAMPLES |
Weblogic (web) | weblogic | weblogic |
Weblogic (web) | system | password |
Weblogic (web) | weblogic | welcome(1) |
Weblogic (web) | system | welcome(1) |
Weblogic (web) | operator | weblogic |
Weblogic (web) | operator | password |
Weblogic (web) | system | Passw0rd |
Weblogic (web) | monitor | password |
more…. | ….. | … |
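
For the blue-team use named under Motivation, the sketch below parses rows in this table's pipe-separated layout and flags accounts in an asset inventory that still carry a listed default. It is an added example, not part of the project's `creds` script; the inventory, its field names, the `Example Cam` row and the function names are constructed for illustration.

```python
# Rows copied from this page's table, in its pipe-separated layout.
PAGE_ROWS = """\
Product/Vendor | Username | Password |
---|---|---|
Zyxel (ssh) | zyfwp | PrOw!aN_fXp |
APC UPS (web) | apc | apc |
Weblogic (web) | system | manager |
Weblogic (web) | weblogic | weblogic1 |
more…. | ….. | … |
"""
# Constructed row (not from the dataset) to exercise the blank-password case.
CONSTRUCTED_ROW = "Example Cam (web) | admin | |\n"

def parse_sheet(text):
    """Parse the table into a set of (product, username, password) tuples."""
    rows = set()
    for line in text.splitlines():
        cells = [c.strip() for c in line.split("|")]
        if cells[-1] == "":
            cells.pop()                      # empty cell after the trailing pipe
        if len(cells) != 3 or cells[0] == "Product/Vendor":
            continue                         # malformed line or header
        if set(cells[0]) <= {"-"} or any("…" in c for c in cells):
            continue                         # separator or elision row
        rows.add(tuple(cells))
    return rows

def audit(inventory, rows):
    """Return (host, sheet_product) for every account still on a listed default."""
    findings = []
    for item in inventory:
        for product, user, password in sorted(rows):
            if (item["product"].lower() in product.lower()
                    and item["username"] == user
                    and item["password"] == password):
                findings.append((item["host"], product))
    return findings

# Constructed inventory, e.g. an export from a configuration database.
INVENTORY = [
    {"host": "ups-01", "product": "APC UPS", "username": "apc", "password": "apc"},
    {"host": "fw-02", "product": "Zyxel", "username": "admin", "password": "x9!Lq-unique"},
    {"host": "app-03", "product": "Weblogic", "username": "system", "password": "manager"},
    {"host": "cam-04", "product": "Example Cam", "username": "admin", "password": ""},
]

if __name__ == "__main__":
    for host, product in audit(INVENTORY, parse_sheet(PAGE_ROWS + CONSTRUCTED_ROW)):
        print(f"{host}: default credential for {product} still set")
```

The parser assumes no cell contains a literal `|`; a password that does would need the dataset's original file format rather than this rendered table.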
DefaultCreds-cheat-sheet by ihebski
One place for all the default credentials to assist Blue/Red team activities in finding devices with default passwords 🛡️