Password Reuse Default Passwords
Easy-to-remember passwords that can be typed quickly, rather than 15-character passwords, are often reused because Single Sign-On (SSO) is not always available during the initial installation, and introducing it in an internal network requires significant configuration changes. When configuring networks, we sometimes work with vast infrastructures (depending on the company's size) that can have many hundreds of interfaces. Often a single network device, such as a router, printer, or firewall, is overlooked, and its default credentials are left in place or the same password is reused.
Credential Stuffing
There are various databases that keep a running list of known default credentials. One of them is the DefaultCreds-Cheat-Sheet. Here is a small excerpt from the entire table of this cheat sheet:
Product (Protocol) | Username | Password
Zyxel (ssh) | zyfwp | PrOw!aN_fXp
APC UPS (web) | apc | apc
Weblogic (web) | system | manager
Weblogic (web) | system | manager
Weblogic (web) | weblogic | weblogic1
Weblogic (web) | WEBLOGIC | WEBLOGIC
Weblogic (web) | PUBLIC | PUBLIC
Weblogic (web) | EXAMPLES | EXAMPLES
Weblogic (web) | weblogic | weblogic
Weblogic (web) | system | password
Weblogic (web) | weblogic | welcome(1)
Weblogic (web) | system | welcome(1)
Weblogic (web) | operator | weblogic
Weblogic (web) | operator | password
Weblogic (web) | system | Passw0rd
Weblogic (web) | monitor | password
Kanboard (web) | admin | admin
Vectr (web) | admin | 11_ThisIsTheFirstPassword_11
Caldera (web) | admin | admin
Dlink (web) | admin | admin
Dlink (web) | 1234 | 1234
Dlink (web) | root | 12345
Dlink (web) | root | root
JioFiber | admin | jiocentrum
GigaFiber | admin | jiocentrum
Kali linux (OS) | kali | kali
F5 | admin | admin
F5 | root | default
F5 | support |
Default credentials can also be found in the product documentation, since it contains the steps necessary to set up the service successfully. Some devices/applications require the user to set a password at install time, but others ship with a default, weak password. Attacking those services with the default or otherwise obtained credentials is called Credential Stuffing. This is a simplified variant of brute-forcing because only known username and password pairs are tried, not every possible combination.
We can imagine that we have found some applications used in the network by our customers. After searching the internet for the default credentials, we can create a new list that separates these composite credentials with a colon (username:password). In addition, we can select the passwords and mutate them by our rules to increase the probability of hits.
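The steps just described (parsing a default-credential table, producing the colon-separated username:password list, and applying simple mutation rules) can be turned around into an audit a defender runs against their own inventory. The following Python is an added example and is not code from the course page or from the DefaultCreds-Cheat-Sheet; the cheat-sheet excerpt, the mutation rules, the inventory records and the salted-SHA-256 storage format are all constructed assumptions for illustration.

```python
import hashlib

# Constructed excerpt in the cheat sheet's layout: product:username:password.
DEFAULT_CREDS = """\
Weblogic (web):system:manager
Weblogic (web):weblogic:weblogic1
Kanboard (web):admin:admin
Dlink (web):admin:admin
F5:root:default
"""

# A few assumed mutation rules of the kind the text refers to (identity,
# capitalised, trailing "1", trailing "!"). Real rule sets are larger.
RULES = (
    lambda p: p,
    lambda p: p.capitalize(),
    lambda p: p + "1",
    lambda p: p + "!",
)


def parse_default_creds(text):
    """Turn 'product:username:password' lines into (product, user, pw) tuples."""
    rows = []
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            product, user, pw = line.split(":", 2)
            rows.append((product, user, pw))
    return rows


def combo_list(rows):
    """The de-duplicated username:password list format described in the text."""
    return sorted({f"{user}:{pw}" for _, user, pw in rows})


def pw_hash(salt, password):
    """Assumed storage format of the audited systems: hex SHA-256 of salt+password."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def find_default_accounts(inventory, rows):
    """inventory: (product, username, salt, stored_hash) records exported from
    each system. Flags accounts whose stored hash equals the vendor default
    password for that product/user, or a simple mutation of it."""
    lookup = {}
    for product, user, pw in rows:
        lookup.setdefault((product, user), set()).add(pw)
    findings = []
    for product, user, salt, digest in inventory:
        candidates = {rule(pw) for pw in lookup.get((product, user), ()) for rule in RULES}
        hit = next((c for c in sorted(candidates) if pw_hash(salt, c) == digest), None)
        if hit is not None:
            findings.append((product, user, hit))
    return findings
```

Accounts flagged by `find_default_accounts` are the ones still answering to the vendor default (or a trivial variant) and should be reset before a credential-stuffing run finds them.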
Credential Stuffing - Hydra Syntax
Credential Stuffing - Hydra
Here, OSINT plays another significant role. Because OSINT gives us a "feel" for how the company and its infrastructure are structured, we will understand which passwords and user names we can combine. We can then store these in our lists and use them afterward. In addition, we can use Google to see if the applications we find have hardcoded credentials that can be used.
Google Search - Default Credentials
Besides the default credentials for applications, some lists offer them for routers. One of these lists can be found here. It is much less likely that the default credentials for routers are left unchanged: since these are the central interfaces of a network, administrators typically pay much closer attention to hardening them. Nevertheless, it is still possible that a router is overlooked or is currently only being used in the internal network for test purposes, which we can then exploit for further attacks.
# | Router Brand | Default IP Address | Default Username
1 | 3Com | http://192.168.1.1 | admin
2 | Belkin | http://192.168.2.1 | admin
3 | BenQ | http://192.168.1.1 | admin
4 | D-Link | http://192.168.0.1 | admin
5 | Digicom | http://192.168.1.254 | admin
6 | Linksys | http://192.168.1.1 | admin
7 | Netgear | http://192.168.0.1 | admin
8 | Sitecom | http://192.168.0.1 | sitecom
9 | Asus | http://192.168.1.1 | admin
10 | Synology | http://192.168.1.1 | admin
11 | Arris | http://192.168.0.1 | admin
12 | Apple iPhone iOS 4.X | http://10.0.1.1 | root
13 | DELL | http://192.168.1.1 | admin
14 | Huawei ADSL2+ | http://192.168.0.1 | admin
15 | Netcomm | http://192.168.1.1 | admin
16 | Netstar | http://192.168.0.1 | admin
17 | SAMSUNG | http://192.168.0.1 | admin
18 | Sigma | http://192.168.0.1 | admin
19 | SUN | http://192.168.0.1 | admin
20 | Telco systems | http://192.168.0.1 | telco
21 | TENDA | http://192.168.0.1 | admin
22 | ZCOM | http://192.168.0.1 | root
23 | ZTE | http://192.168.0.1 | admin