Tips and tricks
Default Credentials (service, username, password)
Jenkins
admin
admin
AWS EC2
ec2-user
N/A (use SSH key)
AWS RDS
N/A (use IAM credentials)
N/A (use IAM credentials)
AWS S3
N/A (use IAM credentials)
N/A (use IAM credentials)
Azure VM
azureuser
N/A (use SSH key)
Azure SQL Database
N/A (use Azure AD authentication or SQL Server authentication)
N/A (use Azure AD authentication or SQL Server authentication)
Google Compute Engine
N/A (use project-level SSH key)
N/A (use project-level SSH key)
Google Cloud SQL
N/A (use Cloud SQL Proxy or SSL/TLS certificate)
N/A (use Cloud SQL Proxy or SSL/TLS certificate)
Docker
root
N/A
Kubernetes
N/A
N/A (use Kubernetes authentication mechanisms)
OpenStack
ubuntu
ubuntu
VMware ESXi
root
N/A
Cisco IOS
cisco
cisco
Juniper Junos
root
juniper123
More default credentials: https://github.com/ihebski/DefaultCreds-cheat-sheet
Dorks
Nginx
“nginx” http.component:nginx
“nginx” AND tags:web AND tags:https
http.html_body.server:nginx
service.name:nginx
http.servers:nginx
app:”nginx”
http.server:nginx
title=”nginx” || header=”nginx”
http.servers=”nginx”
server:nginx
Apache
“apache” http.component:apache
“apache” AND tags:web AND tags:https
http.html_body.server:apache
service.name:apache
http.servers:apache
app:”apache”
http.server:apache
title=”apache” || header=”apache”
http.servers=”apache”
server:apache
phpMyAdmin
Server: phpmyadmin
Organization / ASN
asn:ASXXXXXXX org:
asn:ASXXXXXXX AND tags:
include:asn:ASXXXXXXX AND type:organization
asn:ASXXXXXXX organization:
asn:ASXXXXXXX organization:
asn:ASXXXXXXX org:
asn:ASXXXXXXX org:
header=”ASXXXXXXX” && title=” "
asn:ASXXXXXXX organization:
asn:ASXXXXXXX org:
Elasticsearch
product:elasticsearch
elasticsearch.protocol:tcp
os:elasticsearch
port:9200
elasticsearch
app:”Elasticsearch” port:”9200”
product:”Elasticsearch”
title=”Elasticsearch” || body=”Elasticsearch” || header=”Elasticsearch”
product:”elasticsearch”
title:”kibana” && title:”elastic”
Minio
http.html:” “
(443.https.tls.certificate.parsed.extensions.subject_alt_name.dns_names: minio.*)
ssl.cert_subject_alt_name: minio
metadata.product: “MinIO”
“http.component:Minio” OR “http.title:Minio”
title:Minio
http.title:”Minio”
title=”MinIO” || header=”Minio” || header=”X-Amz-Bucket-Region”
intitle:”MinIO”
intitle:”MinIO”
Kubernetes
“kubernetes port:6443”
“443.https.get.body: “kubernetes””
“kubernetes.*.cloudapp.azure.com”
“tags:kubernetes”
“title:”kubernetes-dashboard””
“app:”kubernetes-dashboard””
“app:”kubernetes-dashboard””
“title=”Kubernetes Dashboard” || header=”kubernetes””
“title:”kubernetes dashboard””
“title:”Kubernetes Dashboard””
MSSQL
product:”Microsoft SQL Server”
443.https.get.body:”microsoft sql server” OR 1433.banner:”microsoft sql server”
http.html_content:”Microsoft SQL Server” OR http.html_content:”MSSQLSERVER”
tags:”mssql” OR tags:”microsoft sql server”
product:”Microsoft SQL Server”
app:”Microsoft SQL Server”
title:”Microsoft SQL Server” OR body:”Microsoft SQL Server” OR body:”MSSQLSERVER”
title=”Microsoft SQL Server” || header=”Microsoft SQL Server”
title:”Microsoft SQL Server” OR body:”Microsoft SQL Server”
server:Microsoft-IIS/8.5 intitle:”sql server login”
RDP
“rdp” OR “port:3389”
3389.rdp.banner:”\x03\x00\x00\x0b\xe0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00”
“rdp” AND port:3389
“tags.rdp” OR “tags.mstsc”
“rdp” AND port:3389
“rdp” OR “port:3389”
“rdp” OR “port:3389”
“protocol=rdp” OR “port=3389”
“rdp” OR “port:3389”
“rdp” OR “port:3389”
FTP
“ftp”
“service.ftp.banner”
“service:ftp”
“protocol:ftp”
“ftp”
“ftp”
“ftp”
“protocol==ftp”
“ftp”
“ftp”
SSH
port:22 ssh
22.ssh.banner.raw_version: SSH
22 || ssh
/ssh/ && port:22
ssh port:22
port:22 ssh
port:22 AND service.ssh==true
protocol=ssh
22.ssh.banner.raw_version:SSH
service.ssh == true
DNS
hostname:{DNS name}
parsed.names: {DNS name}
domain:{DNS name}
metadata.dns: {DNS name}
dns.name:{DNS name}
site:{DNS name}
dns.host: {DNS name}
domain={DNS name}
domain:{DNS name}
data.hostnames: {DNS name}
Modbus
port:502 modbus
modbus
port:502
modbus
port:502
port:502 modbus
port:502 modbus
protocol=modbus
port:502
port:502 modbus
RTSP
port:554 rtsp
protocols: rtsp
port:554
protocols:rtsp
port:554 rtsp
port:554 rtsp
protocol:rtsp
protocol=rtsp
protocol:rtsp
port:554
SMTP
smtp
protocols:smtp
smtp
port:25
port:25
service:smtp
service:smtp
protocol==smtp
smtp
port.tcp eq 25
SMB
smb
protocols.smb.banner.signatures.name: “SMB”
tags.smb = true
metadata.protocol = smb
protocols:”smb”
app:”SMB/CIFS”
service:”smb”
protocol=”smb”
tags:”smb”
protocol:smb
NFS
port:2049 nfs
protocols:”nfs”
port:2049 AND service:nfs
tag:nfs
port:2049 nfs
app:”nfsd”
nfs
title=”NFS” || body=”NFS” || header=”NFS” || keyword=”NFS”
port:2049 AND service:nfs
port:2049 nfs
Docker registries
http.title:”Docker Registry”” OR “http.html:”Docker Registry”” OR “http.component:”docker”” OR “http.component:”registry”
443.https.get.metadata.protocol: Docker
http.headers.server: docker-registry” OR “http.html: docker-registry” OR “http.title: docker-registry
http.metadata.product: Docker Registry
http.component:docker-registry
title:”Docker Registry”” OR “body:”Docker Registry”
product:”Docker Registry”
title=”Docker Registry”” OR “header=”docker-registry”” OR “body=”docker-registry”
docker-registry
http.component:”docker-registry”
Memcached
port:11211 memcached
protocols: “memcached”
type:server “memcached” port:11211
service:memcached
port:11211 && memcached
port:”11211” memcached
port:11211 && memcached
title=”Memcached” && protocol=”port:11211”
port: 11211 AND tags: memcached
protocols:”memcached” port:”11211”
RabbitMQ
product:rabbitmq
443.https.get.body:/{“product”:”RabbitMQ”,”version”:”
http.html: /management/rabbitmq/
port:5672 (RabbitMQ) AND tags:RabbitMQ
title:”RabbitMQ Management”
app:”RabbitMQ Management”
port:5672 AND product:rabbitmq
title=”RabbitMQ Management” || body=”RabbitMQ” || header=”RabbitMQ”
port:5672 AND service.name:rabbitmq
product:rabbitmq
WinRM
product:winrm
protocols:winrm
os:windows winrm
winrm
winrm
port:5985 winrm
service:WinRM
protocol==winrm
winrm
winrm
CouchDB
couchdb port:5984
protocols: “couchdb” and port: 5984
http.component: “couchdb” and port: 5984
http.server: “CouchDB” and port: 5984
protocols:couchdb and port:5984
app:”CouchDB” and port:5984
port:5984 and app:couchdb
title=”couchdb” && port=5984
couchdb inurl:5984
app:couchdb && port:5984
PostgreSQL
port:5432 postgres
443.versions.protocol: “PostgreSQL” or 5432.versions.protocol: “PostgreSQL”
pgsql-server
port:5432
service:”postgresql”
port:”5432”
title:”pgAdmin” OR title:”PostgreSQL” OR title:”pgAdmin 4” OR title:”pgAdmin 3”
title=”Adminer” || body=”pgsql” || body=”PostgreSQL”
title:”postgresql” OR body:”postgresql”
pgsql-server
GitLab
http.favicon.hash:-335242539 “gitlab”
443.https.get.metadata.server: GitLab
http.headers.server:”gitlab”
metadata.service:gitlab
title:”GitLab” && protocols:”https”
title:”GitLab”
http.favicon.hash:-335242539 “gitlab”
title=”GitLab”
title=”GitLab”
title=”GitLab”
SVN
Server: Apache SVN
tags: svn
svn
/svn/index.cgi
title:”viewvc” svn
port: 3690 svn
os:svn
title=”ViewVC” || title=”SVN repository browser” || title=”VisualSVN Server” || body=”Powered by Subversion version”
svn
svn
Tomcat
tomcat country:XX
protocols: “http” and “product:Apache Tomcat”
http.web_server.name:”Apache Tomcat”
metadata.product:tomcat
http.server.product:”Apache Tomcat”
app:”Tomcat”
product:Tomcat
title=”Apache Tomcat” || body=”Apache Tomcat”
http.favicon.hash: -1448465410 && http.html: “Apache Tomcat”
os.query:”Apache Tomcat”
VNC
“vnc” port:5900
port: “5900” AND “VNC protocol”
“vnc” AND port:5900
“vnc” -port:5900
protocol:”vnc” AND port:5900
port:5900 AND app:”RealVNC”
service:”vnc” port:”5900”
port=”5900” && protocol=”vnc”
vnc AND port:5900
“vnc” port:5900
LDAP
“ldap” port:389 or port:636
tags: ldap
service:ldap
tag:ldap
service:”LDAP (389/tcp)” or service:”LDAP SSL (636/tcp)”
app:”openLDAP” or app:”ActiveDirectory”
service.ldap.banner:”ldap”
protocol==LDAP
service:ldap
port:389 or port:636
NetBIOS
port:”137” org:”" or netbios_name:""
protocols: “netbios-ssn” or netbios.name: “"
netbios_host: or netbios_host:
netbios
netbios.domain: “" or netbios.host:
netbios.name: or netbios.ip:
netbios.host:
protocol=”NetBIOS” && cert=””
netbios
netbios
TeamViewer
product:teamviewer
443.versions.banner:TeamViewer
os:’Windows 7’ && port:5938 && app:’TeamViewer’
metadata.teamviewer.enabled:true
product:’TeamViewer’ && type:’host’
app:teamviewer
teamviewer
title=”TeamViewer” || header=”TeamViewer”
service:”TeamViewer”
port.tcp eq 5938 and port.tcp eq 443 and product eq ‘TeamViewer’
NoMachine
“nomachine” port:4000, “nomachine” port:4010, “nomachine” port:4011, “nomachine” port:4022
“nomachine” and port:4000 or port:4010 or port:4011 or port:4022
service:”nomachine” and (port:4000 or port:4010 or port:4011 or port:4022)
“nomachine” port:4000 or port:4010 or port:4011 or port:4022
service:nomachine and (port:4000 or port:4010 or port:4011 or port:4022)
app:”NoMachine” port:4000 or port:4010 or port:4011 or port:4022
service:”nomachine” and (port:”4000” or port:”4010” or port:”4011” or port:”4022”)
title=”NoMachine” && (port=4000 || port=4010 || port=4011 || port=4022)
nomachine AND (port:4000 OR port:4010 OR port:4011 OR port:4022)
tags.nomachine AND (ports:4000 OR ports:4010 OR ports:4011 OR ports:4022)
vCenter
“vCenter” port:443
443.https.get.metadata.product:VMware-vCenter-Server
http.title:”vCenter Server”
tags:”vmware-vcenter”
title:”vSphere Client”
app:”VMware vSphere”
http.html_contains:”vmware-vsphere-client”
title=”VMware vCenter Server” || body=”vCenter Server” || header=”vCenter Server”
service.name:VMware-vSphere
product:”VMware vCenter Server”
ESXi
product:ESXi
os: vmware_esxi
os:’VMware ESXi’
tag:VMware-ESXi
os:’VMware ESXi’
webapp:VMware ESXi
os:VMware ESXi
title=’VMware ESXi’
service.name:VMware ESXi
product:’VMware ESXi’
Directory listings
“Server: -frontier -akamai -edgecast -fastly -incapsula -nginx -squarespace -cdn -amazonaws -cloudfront -gstatic -github”
“protocols: http and 200.status_code:/2[0-9][0-9]/ and body: “Index of /” and not (body: “HTTP/1.1 301” or body: “HTTP/1.1 302” or body: “HTTP/1.1 303” or body: “HTTP/1.1 307” or body: “HTTP/1.1 308”)”
http.title:/index of/i
metadata.product:apache && metadata.title:/index of/i
http.html.body:/Index of/i && http.status.code:200
web.title:/index of/i
http.title:/index of/i
title=”Index of /” && protocol=”http” && status_code=”200”
http.body:/index of/i && http.status_code:200
title:”Index of /” && protocol:http
SOCKS
“socks” port:1080
“socks” AND port:1080
port:1080 AND protocol:socks5
“socks” AND port:1080
“SOCKS5” AND port:1080
“SOCKS5” && port:”1080”
“SOCKS” port:”1080”
“SOCKS5” && port=”1080”
“SOCKS5” port:1080
protocol:SOCKS5 port:1080
V2Ray
v2ray
tags.v2ray
v2ray
v2ray
v2ray
v2ray
v2ray
protocol==”v2ray”
v2ray
v2ray
Squid
http.component: squid
80.http.get.headers.server: squid
HTTP.headers.server: squid
http.server_header: squid
http.component: squid
app:Squid
http.component.product: squid
title=”Squid Cache” && protocol=”http” && port=3128
Squid proxy server” OR “Squid proxy cache
intext:”Squid Object Cache”
PRTG
product:prtg port:80” or “product:prtg port:443
443.https.get.body: ‘PRTG Network Monitor’” or “80.http.get.body: ‘PRTG Network Monitor’
text:’PRTG Network Monitor’ AND port:80” or “text:’PRTG Network Monitor’ AND port:443
http.user_agent: ‘PRTG’ OR http.title: ‘PRTG’
product:PRTG” or “body:PRTG Network Monitor
app:PRTG Network Monitor” or “header.server:PRTG Network Monitor
“prtg” or “prtg network monitor”
“title=”prtg” || body=”prtg”” or “protocol=”http” && body=”prtg””
“prtg” or “prtg network monitor”
“product:PRTG” or “PRTG Network Monitor”
WebDAV
Server: Microsoft-IIS/7.5 intitle: “WebDAV” OR “WebDAV MiniRedir”
80.http.get.headers.server: Microsoft-IIS/7.5 && title:”WebDAV MiniRedir”
http.headers.server:/Microsoft-IIS/7.5/ && title:”WebDAV MiniRedir”
80.http.get.headers.server: Microsoft-IIS/7.5 && title:”WebDAV MiniRedir”
http.server: Microsoft-IIS/7.5 && html.title: “WebDAV MiniRedir”
server:Microsoft-IIS/7.5 && title:”WebDAV MiniRedir”
http.server: Microsoft-IIS/7.5 && http.title: “WebDAV MiniRedir”
“title=”WebDAV” && header=”Microsoft-IIS/7.5”
http.title:”WebDAV” && http.headers.server:”Microsoft-IIS/7.5”
http.title: “WebDAV” && http.headers.server: “Microsoft-IIS/7.5”
IIS
“Server: Microsoft-IIS” OR “Server: Microsoft-HTTPAPI”
“443.https.get.title: IIS” OR “80.http.get.title: IIS”
“http.headers.server: Microsoft-IIS” OR “http.headers.server: Microsoft-HTTPAPI”
“http.server: Microsoft-IIS” OR “http.server: Microsoft-HTTPAPI”
“server: Microsoft-IIS” OR “server: Microsoft-HTTPAPI”
“webapp=”IIS”” OR “webserver=”IIS””
“http.favicon.hash:-1137975641 AND http.server:”Microsoft-IIS”” OR “http.favicon.hash:-1137975641 AND http.server:”Microsoft-HTTPAPI””
“protocol==http && header==”Server: Microsoft-IIS”” OR “protocol==http && header==”Server: Microsoft-HTTPAPI””
“iis” OR “microsoft-iis”
“http.server.name: Microsoft-IIS” OR “http.server.name: Microsoft-HTTPAPI”
Redis
port:6379 product:redis
ports: “6379” AND tags.raw: “redis”
(“redis” AND port:6379)
redis.server
protocols:”redis” -os:”Windows”
redis port:6379
service:redis port:6379
title=”Redis” && protocol=”redis”
port:”6379” AND protocol:”redis”
port:6379 AND Redis
Cisco Smart Install
Server: Cisco-SMI
443.issmartinstall:true
fingerprint: “Device Type: Cisco Smart Install Client”
/cgi-bin/discovery/
title:Cisco Smart Install - Configuration Assistant
product:Cisco Smart Install
title:Cisco Smart Install
header=’X-Remote-Addr’ && title=’Cisco Smart Install’
http.favicon.hash:-1300641209 && http.title:’Cisco Smart Install’
product:Cisco Smart Install
InfluxDB
“InfluxDB” port:8086
(open_influxdb.port: 8086)
http.title:”InfluxDB Admin”
“influxdb” -service.version:1.8
http.component:influxdb
title:”InfluxDB” port:8086
port:8086 service:InfluxDB
title=”InfluxDB” || body=”InfluxDB”
type:service InfluxDB
server:”InfluxDB”
Cassandra
“cassandra” port:9042
“cassandra” AND port:9042
port:9042 AND “cassandra”
“cassandra” AND tags:{“cassandra”}
“cassandra” AND port:”9042”
“cassandra” port:”9042”
“cassandra” port:9042
title=”cassandra” && port=9042
“cassandra” AND port:”9042”
“cassandra” AND port:”9042”
GlusterFS
“GlusterFS”
443.versions = “GlusterFS”
GlusterFS
http.favicon.hash:-434599080 “gluster”
service.glusterfs.banner: “GlusterFS”
app:”GlusterFS”
http.favicon.hash:-434599080 “gluster”
title=”Gluster Management Console” || body=”GlusterFS” || header=”Gluster”
title:”GlusterFS Management Console”
service:/glusterfs/
Hadoop
“hadoop” port:”50070” or “hadoop” port:”8088”
product:Hadoop
“os:Linux” “hadoop”
“50070” || “8088” && “hadoop”
“hadoop” in_service:”50070, 8088”
“hadoop” port:”50070” or “hadoop” port:”8088”
service.name:hadoop
title=”Hadoop NameNode”” or “title=”Hadoop Resource Manager”
title:”hadoop cluster overview”
hadoop
FortiGate
http.favicon.hash:728337045 && title:”Fortinet - Login”
443.https.get.title:”Fortinet”
http.html:”Fortinet”
port:443 http.html:”FortiGate”
title:”Fortinet FortiGate”
title:”Fortinet FortiGate Login”
http.title:”FortiGate”
title=”Fortinet FortiGate Login” || header=”Fortinet” || body=”Fortinet”
fortigate
JDWP
jdwp country:”" port:"8000"
443.jdwp
(“java.debugwire”)
jdwp
jdwp
app:”JDWP-Debug-Interface”
port=8000 protocol=TCP service=JDWP
title=”Apache Tomcat”
jdwp
IPsec
“ikev2.probe(500)” or “ikev2.probe(4500)” or “ipsec.probe()”
“protocols: ‘ikev2’ or protocols: ‘ipsec’”
“ikev2” or “ipsec”
“port:500 or port:4500 or port: 1701 and tags:ipsec”
“protocols:ikev2 or protocols:ipsec”
“ipsec” or “ikev2”
“ikev2” or “ipsec”
“title=”Fortinet Firewall Login” && body=”/remote/login” && body=”/tmui/login.jsp/” && body=”/remote/login?lang=en” && body=”/remote/login?lang=en_US” && body=”/remote/login?lang=es” && body=”/remote/login?lang=es_US””
“service.name:”IPSec”” or “service.name:”IKEv2””
“protocol:ipsec” or “protocol:ikev2”
Splunkd
product:splunkd
443.https.get.metadata.product: Splunkd
http.html: /en-US/splunkd/
metadata.splunkd.server != null
product: Splunkd
app:Splunk
Splunkd
title=”Splunk” && header=”Splunkd”
title:splunkd
splunkd
Android Debug Bridge
“Android Debug Bridge” port:5555
80.http.get.headers.server:”Android Debug Bridge”
server:adb
metadata.service == “adb”
service:”android debug bridge (adb)”
app:”Android Debug Bridge”
http.component:”Android Debug Bridge”
app=”Android Debug Bridge” || header=”Android Debug Bridge”
http.headers.server:”Android Debug Bridge”
http.server.version:”Android Debug Bridge”
OpenCTI
http.favicon.hash:-1693683099
443.https.tls.certificate.parsed.extensions.authority_key_id:0a11b3211d2e25545ed61a568a78545c
app=nginx port:443
80.http.get.body.sha256:8f2c29dbae3b1cbbe10d59d8ed144c5999329fa974aa06f529ee550dc6341e2c
http.component:nginx
title:’OpenCTI’
ssl://title:OpenCTI
title=”OpenCTI” || header=”X-Opencti-Path” || header=”X-Opencti-User”
Server: nginx intitle:”OpenCTI”
title:”OpenCTI”
Wazuh
wazuh auth_token” or “title:Wazuh
443.https.get.body_sha256:XV8WbTtTSPBOnQ2R26dA9XFeOXXz0vVdNllZlf0u0LQ
generic.server:Wazuh
metadata.product:wazuh
wazuh
title:Wazuh
Wazuh
app=”Wazuh”
wazuh
app:wazuh
Vault
“Vault Server” port:8200
443.https.tls.certificate.parsed.extensions.subject_alt_name: .vault
ssl.cert_subject_alt_name: .vault
http.html_hash:3896359815
html:” “
title:”Vault”
title:”Vault”
title=”Vault” && port=8200
title:”Vault”
“vault” port:8200
Rocket.Chat
product:”Rocket.Chat”
443.https.get.metadata.software:Rocket.Chat
http.html_body:”Rocket.Chat”
http.user_agent:”Rocket.Chat”
http.favicon.hash:-1788329738
title:”Rocket.Chat”
title:”Rocket.Chat”
title=”Rocket.Chat”
title:”Rocket.Chat”
http.title:”Rocket.Chat”
Mattermost
http.favicon.hash:1565243809
443.https.tls.certificate.parsed.extensions.subject_alt_name.dns_names:mattermost.*
https.cert.subject.common_name:mattermost.*
metadata.product: mattermost
protocols:https && service.metas.product:mattermost
app:”Mattermost”
http.url.path:/api/v4/users
title=”Mattermost” || header=”mattermost”
body:”content”:”Mattermost”
https://leakix.net/search?query=mattermost
Gitter
title:”gitter” http.component:”gitter”
443.https.tls.certificate.parsed.names: “gitter.im”
“gitter.im”
http.user_agent:”Mozilla/5.0 (compatible; Gitter)” or http.user_agent:”com.gitter”
http.component:Gitter or ssl.cert.issuer.cn:gitter
title:”Gitter” or header:”X-Powered-By: Gitter”
host:gitter.im
title=”Gitter” || domain=”gitter.im”
title:”Gitter”
domain:gitter.im