.svg){kind=icon}
.svg){kind=icon}
Weak or default credentials are a common security flaw that attackers can exploit with minimal effort. They often lead to unauthorized access or a full system compromise. Despite countless warnings and high-profile breaches, these vulnerabilities continue to provide attackers with easy entry points into systems.
Many systems are still vulnerable because they use easy-to-guess passwords or default settings that were never changed. This makes it simple for attackers to break in, often with little effort.
It could be anything from a basic home router to a company's database, but the outcome is that the same hackers can gain access, steal information, or even take over the entire system. It's a basic mistake that can lead to serious problems, which is why it's so important to understand the risks and fix them before it's too late.
Description: Weak or Default Credentials
Weak or default credentials refer to usernames and passwords that are too simple or never changed from their original settings. Known as INT07 from OWASP, common examples include “admin/admin” or “password123.” These credentials are often found in devices, applications, and systems that haven’t been properly secured, making them an easy target for attackers.
Identifying targets
Attackers often begin by scanning for open admin interfaces that may use weak or default credentials. Common targets include publicly accessible applications include:
- Tomcat
- Jenkins
- Sonicwall
- phpMyAdmin
The initial step is identifying services running on default ports or with known admin paths. Tools like Nmap can scan for open ports. At the same time, basic reconnaissance methods such as checking URLs for common paths (/manager/html for Tomcat, /login for Jenkins) can reveal accessible admin interfaces.
Once these interfaces are identified, attackers can attempt to log in using common default credentials like “admin/admin” or “admin/password.” If successful, they gain immediate control over the application, potentially leading to a full system compromise.
Finding Default Credentials Using Google Search and Documentation
Attackers often rely on open source information (OSINT) to identify application and device default credentials. This method is straightforward and doesn’t require advanced hacking skills, making it accessible to almost anyone.
Using Google Search
Google search is one of the easiest ways to find default credentials for almost any software, hardware, or application. Attackers use specific search queries, known as Google Dorks, to locate configuration files, manuals, or forums where default credentials are listed.
Common Google dorks include:
- "default password site:vendor.com" to find default credentials directly from the vendor's website.
- "default credentials filetype:pdf" to locate user manuals and setup guides in PDF format that often contain default usernames and passwords.
- "intitle:index.of tomcat-users.xml" to find configuration files that may contain default or credentials exposed online.
By leveraging these search techniques, attackers can quickly gather a comprehensive list of credentials associated with popular services like Tomcat, Jenkins, or other admin interfaces.
Consulting Software Documentation: Official documentation is another goldmine for finding default credentials. Many vendors include setup guides, user manuals, or quick start guides that explicitly list default login details to help users during the initial setup. These documents are intended to guide administrators but often remain accessible online.
Forums and Online Communities
Technical forums like Stack Overflow, GitHub, and even social media platforms often discuss where users share default credentials when troubleshooting.
Credential Lists on GitHub
Open repositories on GitHub often contain lists of default credentials compiled for penetration testing or educational purposes. Attackers can search these repositories using keywords related to the software or device they are targeting. Lists such as “Default Credentials” can be directly used in brute force or automated login attempts against vulnerable services.
- https://github.com/danielmiessler/SecLists/tree/master/Passwords
- https://github.com/zxcv32/indian-wordlist
"Apache Tomcat" port:8080
Exploiting Default Credentials Using Common Lists
Log in using lists of default credentials. The following resources provide common username and password combinations that can be used to exploit these vulnerabilities:
Attackers can manually test these credentials against the identified servers or use tools like Metasploit for a more automated approach.
use auxiliary/scanner/http/tomcat_mgr_login
set RHOSTS <target_ip>
set RPORT 8080
run
This Metasploit module attempts to log in to the Tomcat Manager application using a list of default credentials. If successful, the attacker can deploy web shells, execute commands, and gain full control over the server, depending on the user's role.
Exploring Default Credentials in Different Services
MySQL
MySQL databases are frequent victims of weak credentials, especially when setup defaults are not altered. This oversight can lead to full database compromise.
The most common setup is root without a password or with trivial passwords. Tools like Medusa cycle through possible credentials rapidly. Once connected, attackers can extract sensitive data, alter database contents, or establish persistent access for ongoing exploitation.
Remote Management and Enterprise Services
VNC (Virtual Network Computing) and RDP (Remote Desktop Protocol)
Remote access services often suffer from weak credential management, especially in setups that skip security configurations. Simple passwords or empty fields are still seen in many VNC and RDP setups. Attackers use these services to gain direct access to desktops and servers, often leading to complete system control, data extraction, or malware deployment.
Conclusion
Default credentials remain one of the most overlooked yet exploited vulnerabilities in cybersecurity. From web servers and databases to IoT devices and cloud services, failing to change these credentials can lead to severe consequences. Attackers don’t need advanced techniques or zero-day exploits when they can walk right through the front door left unlocked by default settings.
As offensive security professionals, understanding how these credentials are used in the wild is essential. Recognizing vulnerable services, knowing the right tools, and simulating real-world attack scenarios are crucial for staying ahead. Whether it’s using Burp Suite’s Intruder to automate login attempts or leveraging Shodan to find exposed systems, the ease of exploiting weak credentials makes them a go-to target in any penetration test.
Learn how our offensive security testing solutions can help you identify and address credential weaknesses before they’re exploited.
