Default Credentials Cheat Sheet tool
One place for all the default credentials to assist pentesters during an engagement. This document contains default logins/passwords for many products, gathered from multiple sources.
- One document for the best-known vendors' default credentials
- Assist pentesters during a pentest/red teaming engagement
- Help Blue teamers secure the company's infrastructure assets by discovering this security flaw in order to mitigate it. See OWASP Guide [WSTG-ATHN-02] - Testing_for_Default_Credentials
| | Product/Vendor | Username | Password |
|---|---|---|---|
| count | 3536 | 3536 | 3536 |
| unique | 1244 | 1102 | 1636 |
| top | Oracle | | |
| freq | 235 | 725 | 463 |
- Changeme
- Routersploit
- betterdefaultpasslist
- Seclists
- ics-default-passwords (thanks to @noraj)
- Vendors documentations/blogs
The Default Credentials Cheat Sheet tool is available on PyPI:
$ pip3 install defaultcreds-cheat-sheet
$ creds search tomcat
Operating System | Tested |
---|---|
Linux (Kali, Ubuntu, Lubuntu) | ✔️ |
Windows (10, 11) | ✔️ |
macOS | ❌ |
$ git clone https://github.com/ihebski/DefaultCreds-cheat-sheet
$ pip3 install -r requirements.txt
$ cp creds /usr/bin/ && chmod +x /usr/bin/creds
$ creds search tomcat
# Search for product creds
➤ creds search tomcat
+----------------------------------+------------+------------+
| Product | username | password |
+----------------------------------+------------+------------+
| apache tomcat (web) | tomcat | tomcat |
| apache tomcat (web) | admin | admin |
...
+----------------------------------+------------+------------+
# Update records
➤ creds update
Check for new updates...🔍
New updates are available 🚧
[+] Download database...
# Export Creds to files (could be used for brute force attacks)
➤ creds search tomcat export
+----------------------------------+------------+------------+
| Product | username | password |
+----------------------------------+------------+------------+
| apache tomcat (web) | tomcat | tomcat |
| apache tomcat (web) | admin | admin |
...
+----------------------------------+------------+------------+
[+] Creds saved to /tmp/tomcat-usernames.txt , /tmp/tomcat-passwords.txt 📥
Run creds through proxy
# Search for product creds
➤ creds search tomcat --proxy=http://localhost:8080
# update records
➤ creds update --proxy=http://localhost:8080
# Search for Tomcat creds and export results to /tmp/tomcat-usernames.txt , /tmp/tomcat-passwords.txt
➤ creds search tomcat --proxy=http://localhost:8080 export
Proxy option is only available from version 0.5.2
noraj created a CLI & library to search for default credentials in this database using DefaultCreds-Cheat-Sheet.csv. The tool is named Pass Station (Doc) and has some powerful search features (fields, switches, regexp, highlight) and output formats (simple table, pretty table, JSON, YAML, CSV).
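For the Blue-team use mentioned at the top of this page, here is an added example (not part of the DefaultCreds-cheat-sheet project) that checks a Tomcat `tomcat-users.xml` for accounts still set to a username/password pair listed in the cheat sheet. The CSV header names, the helper names and the XML content are assumptions constructed for illustration; the two Tomcat rows are the ones shown in the search output above.

```python
import csv
import io
import xml.etree.ElementTree as ET

# Constructed rows in the cheat sheet's product/username/password layout.
# The header names are an assumption: adjust them to the CSV you downloaded.
SAMPLE_CSV = """productvendor,username,password
apache tomcat (web),tomcat,tomcat
apache tomcat (web),admin,admin
"""

# Constructed tomcat-users.xml, including the namespace Tomcat's file declares.
SAMPLE_TOMCAT_USERS = """<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <role rolename="manager-gui"/>
  <user username="tomcat" password="tomcat" roles="manager-gui"/>
  <user username="deploy" password="constructed-non-default" roles="manager-script"/>
  <user username="admin" password="admin" roles="admin-gui"/>
</tomcat-users>
"""

def load_defaults(csv_text, product_filter):
    """Return the (username, password) pairs whose product contains the filter."""
    pairs = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if product_filter.lower() in row["productvendor"].lower():
            pairs.add((row["username"], row["password"]))
    return pairs

def find_default_accounts(users_xml, defaults):
    """Return [(username, roles)] for <user> entries using a listed default pair."""
    findings = []
    for elem in ET.fromstring(users_xml).iter():
        # Drop the "{namespace}" prefix ElementTree puts in front of the tag name.
        if elem.tag.rsplit("}", 1)[-1] != "user":
            continue
        # Plain comparison only: digested passwords will not match and need
        # a separate review.
        pair = (elem.get("username", ""), elem.get("password", ""))
        if pair in defaults:
            findings.append((pair[0], elem.get("roles", "")))
    return findings

if __name__ == "__main__":
    defaults = load_defaults(SAMPLE_CSV, "tomcat")
    for user, roles in find_default_accounts(SAMPLE_TOMCAT_USERS, defaults):
        print(f"default credentials still set: user={user} roles={roles}")
```

Each finding is an account to rotate or remove; the roles column shows which findings expose the manager or admin applications.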
If you cannot find the password for a specific product, please submit a pull request to update the dataset.
For educational purposes only, use it at your own responsibility.