GitHub - govolution/betterdefaultpasslist

1 Branch 0 Tags

Name	Name	Last commit message	Last commit date
Latest commit govolution Merge pull request #8 from notdodo/master Oct 4, 2024 c4eb8ee · Oct 4, 2024 History 90 Commits
README	README	Update README	Jan 18, 2021
db2.txt	db2.txt	big update, more than 600 credentials	May 20, 2017
ftp.txt	ftp.txt	awesome update	Sep 27, 2017
mssql.txt	mssql.txt	added default credentials for smb, ssh, mssql	Oct 10, 2019
mysql.txt	mysql.txt	removed double entry	Mar 10, 2019
oracle.txt	oracle.txt	Added complete list from http://www.petefinnigan.com/default/oracle_d…	May 20, 2017
postgres.txt	postgres.txt	added some more credentials	May 21, 2017
sources.txt	sources.txt	Update sources.txt	Jan 6, 2021
ssh.txt	ssh.txt	Update ssh.txt	Jan 18, 2021
telnet.txt	telnet.txt	feat: Added Pet Libro (PLAF203) default telnet password	Sep 22, 2024
tomcat.txt	tomcat.txt	added sources and creds	Jul 9, 2018
vnc.txt	vnc.txt	Update vnc.txt	Mar 11, 2021
web.txt	web.txt	Create web.txt	Jan 6, 2021
windows.txt	windows.txt	added default credentials for smb, ssh, mssql	Oct 10, 2019

Repository files navigation

Note:
BetterDefaultPasslist is included in SecLists (https://github.com/danielmiessler/SecLists) and in future I will try to keep them both up-to-date (08.07.2018).

What:
- list includes default credentials from various manufacturers for their products like NAS, ERP, ICS etc., that are used for standard products like mssql, vnc, oracle and so on
- also examples for passwords, in practice those are also being used
- the sources are installation guides and other
- useful for network bruteforcing
- not meant as a complete bruteforcing list, hopefully it is a useful supplement

Why:
- some manufactures use default credentials for their products
- that might be poorly handled by the users
- setting networks at risk

What to do:
- manufacturers: do not use default passwords, instead force users to use strong credentials and document them
- users: check if it is possible to change the credentials, otherwise mitigate the risk, for example by network separation or by using proper firewall rules - yes, you can actually use local firewalls too

Changelog (small updates not included):
- 18.01.2021 added CVE-2017-7722, kudos to mcjon3z (#7)
- 06.01.2021 added zyxel hard coded credentials for ssh, added web.txt (default creds for web apps) with same credentials
- 11.07.2020 added some backdoor credentials for telnet
- 10.10.2019 added default credentials for smb, ssh, mssql
- 10.10.2018 added 22 default credentials, ssh, telnet & mysql
- 12.07.2018 edoz90 added tomcat.txt
- 08.07.2018 added more credentials for ssh.txt and windows.txt
- 24.03.2018 added some creds, for VMs that are offered to download (SANS, osboxes.org and more)
- 27.09.2017 added about 10 creds
- 20.05.2017 added lots of passwords from http://www.petefinnigan.com/default/oracle_default_passwords.htm, msf wordlists and other sources, more than 600 new credentials (most oracle), added db2 and postgres.
  Thanks to Pete Finnigan for creating the huge oracle default credentials list!
- 27.12.2016 addded 3 creds
- 08.11.2016 added cirros default credentials
- 01.11.2016 added a few credentials for telnet and ftp
- 29.10.2016 added sources.txt for the sources (more or less complete)
- 28.10.2016 added more credentials the last weeks
- 03.10.2016 added some default passwords from mirai bot
- 01.10.2016 now 305 default credentials
- 25.09.2016 added some credentials
- 24.09.2016 added README, 270 credentials