THREE PEAT
GigaOm Names Cobalt an “Outperformer” for Third Consecutive Year in Annual Radar Report for PTaaS.

Pentester Guide: Weak or Default Credentials

Weak or default credentials are a common security flaw that attackers can exploit with minimal effort. They often lead to unauthorized access or a full system compromise. Despite countless warnings and high-profile breaches, these vulnerabilities continue to provide attackers with easy entry points into systems. 

Many systems are still vulnerable because they use easy-to-guess passwords or default settings that were never changed. This makes it simple for attackers to break in, often with little effort. 

The affected system could be anything from a home router to a company's database, but the outcome is the same: an attacker gains access, steals information, or takes over the system entirely. It is a basic mistake with serious consequences, which is why it is important to understand the risk and fix it before it is exploited.

Description: Weak or Default Credentials

Weak or default credentials are usernames and passwords that are either trivially guessable or never changed from the values they shipped with. Known as INT07 from OWASP, common examples include “admin/admin” or “password123.” Such credentials are found in devices, applications, and systems that were never properly hardened, making them an easy target for attackers.



Identifying targets

Attackers often begin by scanning for exposed admin interfaces that may still use weak or default credentials. Common targets among publicly accessible applications include:

  • Tomcat
  • Jenkins
  • SonicWall
  • phpMyAdmin

The initial step is identifying services running on default ports or exposing known admin paths. Tools like Nmap can scan for open ports and fingerprint the service behind each one (for example, nmap -sV -p 8080 <target>). At the same time, basic reconnaissance such as requesting common paths (/manager/html for Tomcat, /login for Jenkins) can reveal accessible admin interfaces.

Once such an interface is found, attackers try common default credentials like “admin/admin” or “admin/password.” A successful login gives immediate control over the application and, depending on what the application can deploy or execute, often leads to full system compromise.

Finding Default Credentials Using Google Search and Documentation

Attackers often rely on open-source intelligence (OSINT) to identify the default credentials of an application or device. This method is straightforward and requires no advanced skills, which makes it accessible to almost anyone.

Using Google Search

Google search is one of the easiest ways to find default credentials for almost any software, hardware, or application. Attackers use specific search queries, known as Google Dorks, to locate configuration files, manuals, or forums where default credentials are listed. 

Common Google dorks include:

  • "default password site:vendor.com" to find default credentials directly from the vendor's website.
  • "default credentials filetype:pdf" to locate user manuals and setup guides in PDF format that often contain default usernames and passwords.
  • "intitle:index.of tomcat-users.xml" to find exposed Tomcat user configuration files, which may contain default or real credentials.

By leveraging these search techniques, attackers can quickly gather a comprehensive list of credentials associated with popular services like Tomcat, Jenkins, or other admin interfaces.

Consulting Software Documentation

Official documentation is another goldmine for finding default credentials. Many vendors include setup guides, user manuals, or quick start guides that explicitly list default login details to help users during the initial setup. These documents are intended to guide administrators, but they often remain publicly accessible online.

Forums and Online Communities

Technical forums such as Stack Overflow, GitHub issues, and even social media platforms often contain threads where users share default credentials while troubleshooting.

Credential Lists on GitHub 

Open repositories on GitHub often contain lists of default credentials compiled for penetration testing or educational purposes. Attackers can search these repositories using keywords related to the software or device they are targeting. Lists such as “Default Credentials” can be directly used in brute force or automated login attempts against vulnerable services.

Finding Exposed Services with Shodan

Search engines for internet-connected devices such as Shodan can also locate exposed instances of a target service without touching it directly. For example, the following Shodan query returns hosts whose banner identifies Apache Tomcat on port 8080:

"Apache Tomcat" port:8080

Exploiting Default Credentials Using Common Lists

Once candidate interfaces are identified, the next step is to log in using lists of default credentials. Publicly maintained lists (such as the GitHub repositories mentioned above) provide the common username and password combinations used to exploit this weakness.

Attackers can test these credentials manually against the identified servers or use tools like Metasploit for a more automated approach. For Tomcat Manager, the relevant module is tomcat_mgr_login:

use auxiliary/scanner/http/tomcat_mgr_login
set RHOSTS <target_ip>
set RPORT 8080
run


This Metasploit module attempts to log in to the Tomcat Manager application using its built-in list of default credentials. If a login succeeds, what the attacker can do depends on the role the account holds: with the manager-gui or manager-script role, they can deploy a malicious WAR file containing a web shell, execute commands as the Tomcat service account, and potentially take full control of the server.

Exploring Default Credentials in Different Services


MySQL

MySQL databases are frequent victims of weak credentials, especially when the setup defaults are never changed. This oversight can lead to full database compromise.

The most common finding is a root account with no password or a trivial one that is reachable over the network. Tools like Medusa, which ships a mysql module, cycle through candidate credentials rapidly. Once connected, attackers can extract sensitive data, alter database contents, or establish persistent access for ongoing exploitation.

Remote Management and Enterprise Services

VNC (Virtual Network Computing) and RDP (Remote Desktop Protocol)

Remote access services often suffer from weak credential management, especially in setups that skip security hardening. Blank or trivial passwords are still common in VNC and RDP deployments, and classic VNC authentication makes matters worse by truncating passwords to eight characters. Attackers use these services to gain interactive access to desktops and servers, often leading to complete system control, data theft, or malware deployment.

Conclusion

Default credentials remain one of the most overlooked yet exploited vulnerabilities in cybersecurity. From web servers and databases to IoT devices and cloud services, failing to change these credentials can lead to severe consequences. Attackers don’t need advanced techniques or zero-day exploits when they can walk right through the front door left unlocked by default settings.

As offensive security professionals, understanding how these credentials are used in the wild is essential. Recognizing vulnerable services, knowing the right tools, and simulating real-world attack scenarios are crucial for staying ahead. Whether it’s using Burp Suite’s Intruder to automate login attempts or leveraging Shodan to find exposed systems, the ease of exploiting weak credentials makes them a go-to target in any penetration test.

Learn how our offensive security testing solutions can help you identify and address credential weaknesses before they’re exploited. 

About Shubham Chaskar

Shubham Chaskar is a core pentester with extensive experience as an application security engineer. He holds the CEH, eCPPTv2, and eWPTXv2 certifications and has penetration testing experience with mobile apps, web applications, networks, cloud configurations, and thick-client apps. Bash, Python, Go, and PowerShell are his favorite languages for automating penetration testing.