Weak and Default Credentials
Discover how weak and default credentials compromise infrastructure security. Expert pentesting guide with tools, techniques, and remediation strategies.
What is Weak and Default Credentials?
Weak and default credentials represent one of the most consistently exploited vulnerability classes in infrastructure security assessments. This vulnerability encompasses devices, applications, and services that ship with factory-default usernames and passwords that are never changed after deployment, as well as systems protected by easily guessable passwords that fail to meet minimum complexity requirements. Common examples include admin/admin on network appliances, sa with a blank password on SQL Server instances, and root/root on embedded devices.
The scope of this vulnerability extends across every layer of infrastructure: network devices (routers, switches, firewalls), server management interfaces (iDRAC, iLO, IPMI), web-based administration portals, database engines, IoT devices, printers, and virtualisation platforms. Vendors publish default credentials in their documentation, and numerous public databases aggregate these credentials, making them trivially accessible to attackers. Resources like CIRT.net, DefaultPassword.us, and the Metasploit default credentials datastore contain thousands of default credential pairs for commercial products.
Even when defaults are changed, weak credential policies allow passwords like "Password1", "Summer2025!", or "CompanyName123" that are trivially cracked through dictionary attacks or targeted wordlist generation. Service accounts and machine-to-machine credentials are particularly prone to weak passwords, as they are often configured once and never audited.
How It Works
Attackers enumerate accessible services and their associated login interfaces during the reconnaissance phase. Web-based management portals are identified via HTTP scanning tools such as Aquatone, EyeWitness, or httpx. Network service authentication prompts are discovered through standard port scanning with Nmap. The attacker then systematically attempts known default credentials for each identified product and service. This process is heavily automated: tools like Hydra, Medusa, and CrackMapExec can perform rapid credential stuffing across hundreds of hosts simultaneously.
For targeted attacks, the adversary may generate custom wordlists using tools like CeWL (which scrapes the target's website for potential passwords), CUPP (Common User Password Profiler), or Mentalist. These wordlists incorporate company names, employee names, locations, and common password patterns. When combined with rules-based mutation (appending numbers, substituting characters, adding special characters), these targeted lists achieve significantly higher success rates than generic dictionaries. Hashcat and John the Ripper rule files can generate millions of password candidates from a small seed list.
Post-authentication, the attacker leverages the gained access depending on the compromised service. Default credentials on a network switch might allow VLAN reconfiguration and traffic interception. Default IPMI credentials (often admin/admin or ADMIN/ADMIN) grant out-of-band server management including the ability to mount virtual media, access the system console, and power cycle servers. Weak credentials on domain accounts can be escalated through Active Directory attack paths to full domain compromise.
Impact
- Complete compromise of network infrastructure devices enabling traffic interception, routing manipulation, and backdoor deployment
- Unauthorised administrative access to servers via out-of-band management interfaces (IPMI, iDRAC, iLO)
- Full domain compromise when weak credentials exist on Active Directory service accounts or privileged users
- Data breach through direct database access using default or weak database credentials
- Ransomware deployment leveraging compromised administrative credentials for lateral movement
- Regulatory penalties for failure to implement adequate access controls (PCI DSS Requirement 2.1, 8.2)
- Supply chain attacks through compromised vendor-managed devices with unchanged default credentials
Remediation Steps
- Implement a mandatory credential change process for all devices and systems during initial deployment, verified through a configuration checklist before any system is placed into production
- Enforce strong password policies requiring a minimum of 14 characters with complexity requirements, or preferably mandate passphrase-based authentication with a minimum of 20 characters
- Deploy a privileged access management (PAM) solution such as CyberArk, BeyondTrust, or HashiCorp Vault to manage, rotate, and audit all administrative and service account credentials
- Implement multi-factor authentication (MFA) on all administrative interfaces, management portals, and remote access services without exception
- Conduct regular automated credential audits using tools like Nessus default credential checks, CrackMapExec password spraying (with authorisation), or internal red team exercises targeting credential weaknesses
- Disable or rename default administrative accounts where the platform supports it, and remove any vendor-supplied test or demo accounts
- Implement account lockout policies and monitoring for brute-force attempts, with alerts configured in the SIEM for failed authentication spikes
- Maintain a centralised inventory of all service accounts with documented owners, rotation schedules, and required access justifications reviewed quarterly
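The following is an added example, not code from this page's author: a Python password-policy check that applies the thresholds from the list above (14 characters with complexity, or a 20-character passphrase) and screens out the predictable patterns named earlier ("Password1", "Summer2025!", "CompanyName123"). It normalises each candidate the way cracking rules mutate passwords, stripping appended digits and symbols and reversing character substitutions, before comparing the base word against a blocklist. The blocklists and the company name "acme" are constructed stand-ins, and the three-of-four character-class rule is an assumption about what "complexity requirements" means.

```python
import re

# Constructed blocklists standing in for the breached-password and
# organisation-term lists a real policy engine would load (assumption, not
# from any product; "acme" is a hypothetical company name).
BANNED_BASES = {"password", "welcome", "admin", "letmein", "qwerty", "changeme"}
SEASONS = {"spring", "summer", "autumn", "fall", "winter"}
ORG_TERMS = {"acme"}

# Undo the character substitutions that cracking rules apply, so that
# "P@ssw0rd" and "Password" are judged as the same base word.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
                      "4": "a", "5": "s", "7": "t"})

MIN_COMPLEX_LEN = 14     # minimum length when complexity rules apply
MIN_PASSPHRASE_LEN = 20  # minimum length for passphrase-based authentication


def normalise(password: str) -> str:
    """Reduce a candidate to its base word: lower-case it, strip the leading
    and trailing digits/symbols that rules append ("Summer2025!" -> "summer"),
    then reverse leet substitutions ("P@ssw0rd" -> "password")."""
    base = re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower())
    return base.translate(LEET)


def char_classes(password: str) -> int:
    """Count how many of the lower, upper, digit and symbol classes appear."""
    patterns = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(1 for p in patterns if re.search(p, password))


def check_password(password: str) -> tuple[bool, str]:
    """Return (accepted, reason). Blocklist checks run first so that a
    candidate that satisfies the length rule but is built from a predictable
    base word is still rejected."""
    base = normalise(password)
    hit = next((w for w in BANNED_BASES if w in base), None)
    if hit:
        return False, f"contains blocklisted word '{hit}'"
    if base in SEASONS:
        return False, f"season-plus-year pattern ('{base}')"
    if any(term in base for term in ORG_TERMS):
        return False, "contains the organisation name"
    if len(password) >= MIN_PASSPHRASE_LEN:
        return True, "accepted as passphrase"
    if len(password) < MIN_COMPLEX_LEN:
        return False, f"shorter than {MIN_COMPLEX_LEN} characters"
    if char_classes(password) < 3:
        return False, "fewer than three character classes"
    return True, "accepted"


if __name__ == "__main__":
    for candidate in ("Password1", "Summer2025!", "AcmeCorp2025!", "P@ssw0rd2024!!",
                      "Tr0ub4dor&3", "correct horse battery staple", "Xq7!mvR2#pLw9z"):
        print(f"{candidate!r:32} -> {check_password(candidate)}")
```

Running the block prints a verdict for each candidate. The normalisation step is the part that matters: a blocklist compared against the raw string is defeated by exactly the append-and-substitute rules described under How It Works, whereas comparing the stripped, de-leeted base word catches "P@ssw0rd2024!!" and "Summer2025!" as the same weak choices they are.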
Testing Guidance
Begin by enumerating all authentication-bearing services across the target scope. Use nmap -sV -p 21,22,23,25,80,110,143,443,445,1433,1521,3306,3389,5432,5900,8080,8443 target_range to identify common services. For web interfaces, use EyeWitness or Aquatone to screenshot and categorise management portals: eyewitness --web -f urls.txt --no-prompt. Identify the specific product and version for each service to determine applicable default credentials.
Systematically test default credentials against every identified service. Use CrackMapExec for SMB/WinRM: crackmapexec smb targets.txt -u admin -p admin and crackmapexec smb targets.txt -u administrator -p ''. For SSH, use Hydra: hydra -L default_users.txt -P default_passwords.txt ssh://target. For web applications, use Burp Suite Intruder with default credential lists from SecLists (/usr/share/seclists/Passwords/Default-Credentials/). Test IPMI interfaces with ipmitool -I lanplus -H target -U ADMIN -P ADMIN chassis status. Check SNMP with default community strings: onesixtyone -c /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt target_range.
For weak credential testing (beyond defaults), conduct authorised password spraying against Active Directory using tools like Spray, DomainPasswordSpray, or CrackMapExec: crackmapexec smb dc_ip -u users.txt -p 'Season2026!' --continue-on-success. Respect lockout policies by determining the threshold first (net accounts /domain) and spacing attempts accordingly. If password hashes are obtained (e.g., from SAM dumps, NTDS.dit extraction, or Responder captures), attempt offline cracking with Hashcat using rule-based attacks: hashcat -m 1000 hashes.txt rockyou.txt -r rules/best64.rule. Document every successful authentication with the credential pair, service, host, and potential impact.
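Added example, not from the original page: a Python detector for the two failed-authentication patterns that the remediation list says to alert on in the SIEM, a brute force against one account and the low-and-slow password spray that the testing guidance above performs with authorisation. It runs over a constructed log sample (assumption: events exported as timestamp|event_id|account|source, using the Windows Security event IDs 4625 for a failed and 4624 for a successful logon); the window and thresholds are illustrative values, not from any product.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple

# Constructed authentication log (not real data), one event per line as
# timestamp|event_id|account|source_ip. Assumption: a SIEM export in this
# shape; real exports carry many more fields.
SAMPLE_LOG = "\n".join(
    [
        "2026-03-02T09:00:01Z|4625|alice|10.0.0.5",          # ordinary typo, then success
        "2026-03-02T09:00:09Z|4624|alice|10.0.0.5",
        "2026-03-02T09:10:00Z|4625|alice|203.0.113.7",       # one guess per account: a spray
        "2026-03-02T09:10:02Z|4625|bob|203.0.113.7",
        "2026-03-02T09:10:04Z|4625|carol|203.0.113.7",
        "2026-03-02T09:10:06Z|4625|dave|203.0.113.7",
        "2026-03-02T09:10:08Z|4625|erin|203.0.113.7",
        "2026-03-02T09:10:10Z|4624|svc_backup|203.0.113.7",  # the guess that worked
    ]
    # twelve failures against one account from one source: classic brute force
    + [f"2026-03-02T09:20:{i:02d}Z|4625|administrator|198.51.100.9" for i in range(12)]
)

WINDOW = timedelta(minutes=30)
SPRAY_USERS = 5   # distinct accounts failing from one source inside the window
BRUTE_FAILS = 10  # failures against a single account from one source


class Event(NamedTuple):
    ts: datetime
    ok: bool
    user: str
    src: str


class Alert(NamedTuple):
    kind: str
    source: str
    detail: str


def parse(log: str) -> list[Event]:
    """Parse the pipe-delimited export into time-ordered events."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, event_id, user, src = line.split("|")
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                            event_id == "4624", user, src))
    return sorted(events)


def detect(events: list[Event], window: timedelta = WINDOW) -> list[Alert]:
    """Raise one alert per source per pattern: spray (many accounts, few
    attempts each) and brute force (many attempts, one account)."""
    alerts = []
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev.src].append(ev)
    for src, evs in by_src.items():
        fails = [e for e in evs if not e.ok]
        spray_at = brute_at = None
        for anchor in fails:
            # every failure from this source in the window ending at the anchor
            recent = [e for e in fails if anchor.ts - window <= e.ts <= anchor.ts]
            per_user = Counter(e.user for e in recent)
            if spray_at is None and len(per_user) >= SPRAY_USERS:
                spray_at = anchor.ts
                alerts.append(Alert("password_spray", src, f"{len(per_user)} accounts failed"))
            user, n = per_user.most_common(1)[0]
            if brute_at is None and n >= BRUTE_FAILS:
                brute_at = anchor.ts
                alerts.append(Alert("brute_force", src, f"{n} failures against '{user}'"))
        # a success from a spraying source after the spray began is the
        # highest-priority signal: the guessed password matched an account
        if spray_at is not None:
            for e in evs:
                if e.ok and e.ts >= spray_at:
                    alerts.append(Alert("success_after_spray", src, f"'{e.user}' logged in"))
    return alerts


def run_detection(log: str = SAMPLE_LOG) -> list[Alert]:
    return detect(parse(log))


if __name__ == "__main__":
    for a in run_detection():
        print(f"{a.kind:20} {a.source:15} {a.detail}")
```

The spray rule keys on distinct accounts per source rather than attempts per account, which is why a per-account lockout threshold alone never fires on a spray: each account sees one failure, well under any lockout count. The success-after-spray rule is the one worth paging on, since it identifies the account whose password matched.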