Password Reuse / Default Passwords

Credential Stuffing

Trying default passwords counts as Credential Stuffing

There are various databases that keep a running list of known default credentials. One of them is the DefaultCreds-Cheat-Sheet.

Other attempts can be made with passwords that have already been found and might be reused elsewhere, possibly combined with some mutation rules.

Here, OSINT plays another significant role. Because OSINT gives us a "feel" for how the company and its infrastructure are structured, we will understand which passwords and user names we can combine. We can then store these in our lists and use them afterward. In addition, we can use Google to see if the applications we find have hardcoded credentials that can be used.
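The defender-side counterpart of the default-credential and mutation-rule idea, as an added example (not code from the page or from the DefaultCreds-Cheat-Sheet project): a password-policy check that folds common mutations (case, leetspeak, digit or symbol suffixes) back onto a base word and rejects anything that lands on a known default. The `KNOWN_DEFAULTS` set is a constructed sample, not the real list.

```python
import re
from typing import Optional, Set

# Constructed sample of default passwords; a real deployment would load the
# full DefaultCreds-Cheat-Sheet (or the router list) here instead.
KNOWN_DEFAULTS: Set[str] = {"admin", "password", "root", "changeme", "cisco", "welcome"}

# Two leetspeak tables because '1' is used for both 'i' and 'l'.
_LEET_BASE = {"0": "o", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"}
_LEET_TABLES = [
    str.maketrans({**_LEET_BASE, "1": "i"}),
    str.maketrans({**_LEET_BASE, "1": "l"}),
]


def canonical_forms(password: str) -> Set[str]:
    """Undo common mutation rules so variants fold onto their base word.

    'Admin123!' -> {'admin123!', 'admin', ...}; the caller checks each form.
    """
    forms = {password.lower()}
    # Strip trailing digits/punctuation (e.g. 'admin123!', 'root2024').
    forms.add(re.sub(r"[\d\W_]+$", "", password.lower()))
    # Strip leading punctuation as well (e.g. '!!admin').
    forms |= {re.sub(r"^[\d\W_]+", "", f) for f in list(forms)}
    # Undo leetspeak substitutions on every form collected so far.
    forms |= {f.translate(t) for f in list(forms) for t in _LEET_TABLES}
    forms.discard("")
    return forms


def is_mutated_default(password: str, known: Set[str] = KNOWN_DEFAULTS) -> Optional[str]:
    """Return the default password this candidate is a mutation of, or None."""
    for form in canonical_forms(password):
        if form in known:
            return form
    return None


if __name__ == "__main__":
    for candidate in ["Admin123!", "P@55w0rd", "Ch4ngeMe2024", "xK9#vq2Lm!"]:
        hit = is_mutated_default(candidate)
        print(f"{candidate!r}: {'reject (variant of ' + hit + ')' if hit else 'accept'}")
```

The same check can be run against the usernames found during OSINT, so that a service still using a vendor default is flagged before an attacker tries it.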

Besides the default credentials for applications, some lists offer them for routers. One of these lists can be found here.
