Default credentials
Theory
Default credentials are a really simple and extremely common way to get initial access to a system. Many devices (especially in the Internet of Things) come with default non-random passwords that are often left unchanged. Below is a list of very common credentials :
| Username | Password |
|---|---|
admin |
admin |
root |
root |
tomcat |
tomcat |
password |
password |
Practice
Default passwords can be found through the following means
- Password lists
- defaulty.io Default Passwords Platform
- Wikipedia's list of most common passwords
- Google Dorks:
intext:'password' intext:'default' Application Name - Manual or vendor documentation
- Source code
- Physically (e.g. a sticker indicating the default credentials)
π‘ Tip
This technique is not to be confused with credential bruteforcing which aims at sending multiple login+password attempts until valid credentials are found. The "default credentials" technique aims at finding potential valid creds depending on the information gathered during the reconnaissance phase.