One place for all the default credentials to assist pentesters during an engagement, this document has several products default login/password gathered from multiple sources.
Project description
Default Credentials Cheat Sheet
One place for all the default credentials to assist pentesters during an engagement, this document has several products default login/password gathered from multiple sources.
P.S : Most of the credentials were extracted from changeme,routersploit and Seclists projects, you can use these tools to automate the process https://github.com/ztgrace/changeme , https://github.com/threat9/routersploit (kudos for the awesome work)
- Project in progress
Motivation
- One document for the most known vendors default credentials
- Assist pentesters during a pentest/red teaming engagement
- Helping the Blue teamers to secure the company infrastructure assets by discovering this security flaw in order to mitigate it. See OWASP Guide [WSTG-ATHN-02] - Testing_for_Default_Credentials
Short stats of the dataset
| Product/Vendor | Username | Password | |
|---|---|---|---|
| count | 3460 | 3460 | 3460 |
| unique | 1182 | 1086 | 1601 |
| top | Oracle | ||
| freq | 235 | 718 | 461 |
Sources
- Changeme
- Routersploit
- betterdefaultpasslist
- Seclists
- ics-default-passwords (thanks to @noraj)
- Vendors documentations/blogs
Creds script
You can turn the cheat sheet into a cli command and perform search queries for a specific product.
- Usage Guide
# Search for product creds
➤ python3 creds search tomcat
+----------------------------------+------------+------------+
| Product | username | password |
+----------------------------------+------------+------------+
| apache tomcat (web) | tomcat | tomcat |
| apache tomcat (web) | admin | admin |
...
+----------------------------------+------------+------------+
# Update records
➤ python3 creds update
Check for new updates...🔍
New updates are available 🚧
[+] Download database...
# Export Creds to files (could be used for brute force attacks)
➤ python3 creds search tomcat export
+----------------------------------+------------+------------+
| Product | username | password |
+----------------------------------+------------+------------+
| apache tomcat (web) | tomcat | tomcat |
| apache tomcat (web) | admin | admin |
...
+----------------------------------+------------+------------+
[+] Creds saved to /tmp/tomcat-usernames.txt , /tmp/tomcat-passwords.txt 📥
Pass Station
noraj created CLI & library to search for default credentials among this database using DefaultCreds-Cheat-Sheet.csv.
The tool is named Pass Station (Doc) and has some powerful search feature (fields, switches, regexp, highlight) and output (simple table, pretty table, JSON, YAML, CSV).
Contribute
If you cannot find the password for a specific product, please submit a pull request to update the dataset.
Disclaimer
For educational purposes only, use it at your own responsibility.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Hashes for defaultcreds_cheat_sheet-0.4.tar.gz
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | 5bb942abb873becfdea902146e98c0a2cbe008b3b7f753f16b2623cb5e4390f7 |
|
| MD5 | ae4ef95c5f2679205933ae38b5a258ab |
|
| BLAKE2b-256 | 9c19c5ba398ecd37e5ac31a82899286cf103f8f3e786b7e73142dee828330885 |
Hashes for defaultcreds_cheat_sheet-0.4-py3-none-any.whl
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | 2468ca5a3a7360f79289bb389356cdac9dde66360550800f1fc509594ae3d6f5 |
|
| MD5 | 562e6ba9515d52e8b6f708a2bdf59ee9 |
|
| BLAKE2b-256 | d17c4b67d2c999c61a127267a792788c2c8db87c3ddc3391f9550c0f1a0bbd6b |
