Default Credentials

Conducting Penetration Testing Using Default Passwords

Objective: Identify and exploit systems and applications that use default or weak credentials, often left unchanged by administrators, to gain unauthorized access.

Strategy and Tools

  1. Reconnaissance and Information Gathering

    • Tools: Nmap, Shodan, Censys

    • Objective: Identify systems and services running on the target network.

    • Steps:

      • Use Nmap to scan the network for open ports and services:

        nmap -sV -p- <target_ip_range>

      • Use Shodan or Censys to find publicly exposed systems with default credentials.

  2. Enumerate Services and Identify Default Credentials

    • Tools: Hydra, Medusa, Ncrack, Metasploit, Searchsploit

    • Objective: Identify the services running on discovered ports and attempt to log in using default or common credentials.

    • Steps:

      • Use Hydra to perform a brute-force attack with a list of default credentials:

        hydra -L usernames.txt -P passwords.txt <target_ip> ssh

        Replace usernames.txt and passwords.txt with files containing common usernames and default passwords.

      • Use Metasploit’s auxiliary scanner modules to test default credentials against discovered services (SSH in this example):

        msfconsole
        use auxiliary/scanner/ssh/ssh_login
        set RHOSTS <target_ip>
        set USER_FILE usernames.txt
        set PASS_FILE passwords.txt
        run

  3. Automated Vulnerability Scanning

    • Tools: Nessus, OpenVAS, Nexpose

    • Objective: Perform automated scans to identify systems with default credentials and other vulnerabilities.

    • Steps:

      • Configure the scanner to include checks for default credentials.

      • Run the scan and analyze the results for systems using default credentials.

  4. Manual Verification and Exploitation

    • Tools: Burp Suite, Nikto, Nmap Scripts

    • Objective: Manually verify findings and exploit systems using default credentials.

    • Steps:

      • Use Nmap’s NSE scripts to check for default credentials:

        nmap --script http-default-accounts -p 80 <target_ip>

      • Use Burp Suite to intercept and modify login requests, checking for successful authentication with default credentials.

      • Use Nikto to scan for web servers with default credentials and known vulnerabilities:

        nikto -h <target_ip>

  5. Privilege Escalation

    • Tools: Metasploit, LinPEAS, WinPEAS

    • Objective: Once initial access is gained, attempt to escalate privileges to a higher-privileged account.

    • Steps:

      • Use Metasploit’s post-exploitation modules to escalate privileges:

        msfconsole
        use exploit/windows/local/bypassuac
        set SESSION <session_id>
        run

      • Use LinPEAS or WinPEAS scripts to enumerate potential privilege escalation vectors on Linux or Windows systems.

  6. Reporting and Remediation

    • Tools: Dradis, Faraday, Custom Reporting Templates

    • Objective: Document findings, provide evidence of default credentials, and recommend remediation steps.

    • Steps:

      • Use Dradis or Faraday to compile and organize findings.

      • Create a detailed report highlighting systems with default credentials, exploitation steps, and remediation recommendations.

Example Workflow

  1. Reconnaissance:

    nmap -sV -p- 192.168.1.0/24

  2. Enumeration and Brute-forcing:

    hydra -L common_usernames.txt -P default_passwords.txt 192.168.1.100 ssh

  3. Automated Scanning:

    • Configure Nessus to scan for default credentials.

    • Analyze scan results for systems with default credentials.

  4. Manual Verification:

    nmap --script http-default-accounts -p 80 192.168.1.100

  5. Privilege Escalation:

    • Use Metasploit or local enumeration scripts to escalate privileges.

  6. Reporting:

    • Compile findings using Dradis and generate a detailed report.

Mitigation Tips

  • Change Default Passwords: Ensure all default credentials are changed to strong, unique passwords.

  • Regular Audits: Perform regular audits to identify systems using default or weak credentials.

  • Enforce Strong Password Policies: Implement and enforce strong password policies across the organization.

  • Employee Training: Educate employees and administrators about the importance of changing default credentials.
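As an added example (not code from the original page), detection logic a defender can run over sshd auth-log lines to spot the trace that the Hydra and Metasploit login runs above leave behind: a burst of failed password logins from one source, cycling default usernames, followed by an accepted login. The sample log lines and the failure threshold are constructed for this example.

```python
import re
from collections import defaultdict

# Matches the sshd auth-log lines that password guessing against default accounts leaves behind.
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Constructed sample log lines (not from a real system): one source cycling default
# usernames until a login is accepted, plus a single benign mistyped password.
SAMPLE_LOG = """\
Jun 12 10:01:02 gw sshd[1201]: Failed password for root from 192.168.1.50 port 51000 ssh2
Jun 12 10:01:03 gw sshd[1202]: Failed password for invalid user admin from 192.168.1.50 port 51002 ssh2
Jun 12 10:01:04 gw sshd[1203]: Failed password for invalid user pi from 192.168.1.50 port 51004 ssh2
Jun 12 10:01:05 gw sshd[1204]: Failed password for root from 192.168.1.50 port 51006 ssh2
Jun 12 10:01:06 gw sshd[1205]: Failed password for invalid user admin from 192.168.1.50 port 51008 ssh2
Jun 12 10:01:07 gw sshd[1206]: Failed password for root from 192.168.1.50 port 51010 ssh2
Jun 12 10:01:08 gw sshd[1207]: Accepted password for root from 192.168.1.50 port 51012 ssh2
Jun 12 10:05:00 gw sshd[1300]: Failed password for alice from 10.0.0.7 port 40000 ssh2
Jun 12 10:05:04 gw sshd[1301]: Accepted password for alice from 10.0.0.7 port 40002 ssh2
""".splitlines()

def parse_auth_log(lines):
    """Yield (result, user, src) for every sshd password-authentication line."""
    for line in lines:
        m = AUTH_RE.search(line)
        if m:
            yield m.group("result"), m.group("user"), m.group("src")

def detect_credential_guessing(lines, fail_threshold=5):
    """Flag each source whose failed logins reach fail_threshold (a constructed default).

    The finding lists the usernames tried and, if the same source later has an
    Accepted line, the account it got into: the strongest sign a default or weak
    credential is still in use on that host.
    """
    fails, users, accepted = defaultdict(int), defaultdict(set), {}
    for result, user, src in parse_auth_log(lines):
        if result == "Failed":
            fails[src] += 1
            users[src].add(user)
        elif fails[src] and src not in accepted:  # first success after earlier failures
            accepted[src] = user
    return {
        src: {"failed": n, "users_tried": sorted(users[src]), "accepted_as": accepted.get(src)}
        for src, n in fails.items() if n >= fail_threshold
    }
```

Feed it `/var/log/auth.log` (or `journalctl -u ssh` output) and alert on any finding whose `accepted_as` is set; those accounts need their passwords rotated first.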

By following this strategy and using the mentioned tools, you can effectively identify and exploit systems with default passwords during penetration testing, helping organizations to enhance their security posture.
