Skip to content

One place for all the default credentials to assist the Blue/Red teamers activities on finding devices with default password 🛡️

License

Notifications You must be signed in to change notification settings

akitavi/DefaultCreds-cheat-sheet

 
 

Repository files navigation

Open Source Love svg3

Default Credentials Cheat Sheet

One place for all the default credentials to assist pentesters during an engagement, this document has several products default login/password gathered from multiple sources.

P.S : Most of the credentials were extracted from changeme,routersploit and Seclists projects, you can use these tools to automate the process https://github.com/ztgrace/changeme , https://github.com/threat9/routersploit (kudos for the awesome work)

  • Project in progress

Motivation

  • One document for the most known vendors default credentials
  • Assist pentesters during a pentest/red teaming engagement
  • Helping the Blue teamers to secure the company infrastructure assets by discovering this security flaw in order to mitigate it. See OWASP Guide [WSTG-ATHN-02] - Testing_for_Default_Credentials

Short stats of the dataset

Product/Vendor Username Password
count 3460 3460 3460
unique 1182 1086 1601
top Oracle
freq 235 718 461

Sources

Installtion

The Default Credentials Cheat Sheet is available through pypi

$ pip3 install defaultcreds-cheat-sheet
$ creds search tomcat

Tested on

  • Kali linux
  • Ubuntu
Manual Installation
$ git clone https://github.com/ihebski/DefaultCreds-cheat-sheet
$ pip3 install -r requirements.txt
$ cp creds /usr/bin/ && chmod +x /usr/bin/creds
$ creds search tomcat

Creds script

  • Usage Guide
# Search for product creds
➤ creds search tomcat                                                                                                      
+----------------------------------+------------+------------+
| Product                          |  username  |  password  |
+----------------------------------+------------+------------+
| apache tomcat (web)              |   tomcat   |   tomcat   |
| apache tomcat (web)              |   admin    |   admin    |
...
+----------------------------------+------------+------------+

# Update records
➤ creds update
Check for new updates...🔍
New updates are available 🚧
[+] Download database...

# Export Creds to files (could be used for brute force attacks)
➤ creds search tomcat export
+----------------------------------+------------+------------+
| Product                          |  username  |  password  |
+----------------------------------+------------+------------+
| apache tomcat (web)              |   tomcat   |   tomcat   |
| apache tomcat (web)              |   admin    |   admin    |
...
+----------------------------------+------------+------------+

[+] Creds saved to /tmp/tomcat-usernames.txt , /tmp/tomcat-passwords.txt 📥

asciicast

Pass Station

noraj created CLI & library to search for default credentials among this database using DefaultCreds-Cheat-Sheet.csv. The tool is named Pass Station (Doc) and has some powerful search feature (fields, switches, regexp, highlight) and output (simple table, pretty table, JSON, YAML, CSV).

asciicast

Contribute

If you cannot find the password for a specific product, please submit a pull request to update the dataset.

Disclaimer

For educational purposes only, use it at your own responsibility.

About

One place for all the default credentials to assist the Blue/Red teamers activities on finding devices with default password 🛡️

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • Python 100.0%