Default credentials

Theory

Default credentials are a really simple and extremely common way to get initial access to a system. Many devices (especially in the Internet of Things) come with default non-random passwords that are often left unchanged. Below is a list of very common credentials :

Username Password

Username	Password
`admin`	`admin`
`root`	`root`
`tomcat`	`tomcat`
`password`	`password`

admin

root

tomcat

password

Practice

Default passwords can be found through the following means

Password lists
Wikipedia's list of most common passwords
Google Dorks: intext:'password' intext:'default' Application Name
Manual or vendor documentation
Source code
Physically (e.g. a sticker indicating the default credentials)

This technique is not to be confused with credential bruteforcing which aims at sending multiple login+password attempts until valid credentials are found. The "default credentials" technique aims at finding potential valid creds depending on the information gathered during the reconnaissance phase.

Resources

WSTG - Latest | OWASP Foundation

PreviousConfiguration NextHTTP methods

Last updated 9 months ago