
Tips and Tricks

Tips and tricks

Default Credentials

S/P
username
password
Jenkins
admin
admin
AWS EC2
ec2-user
N/A (use SSH key)
AWS RDS
N/A (use IAM credentials)
N/A (use IAM credentials)
AWS S3
N/A (use IAM credentials)
N/A (use IAM credentials)
Azure VM
azureuser
N/A (use SSH key)
Azure SQL Database
N/A (use Azure AD authentication or SQL Server authentication)
N/A (use Azure AD authentication or SQL Server authentication)
Google Compute Engine
N/A (use project-level SSH key)
N/A (use project-level SSH key)
Google Cloud SQL
N/A (use Cloud SQL Proxy or SSL/TLS certificate)
N/A (use Cloud SQL Proxy or SSL/TLS certificate)
Docker
root
N/A
Kubernetes
N/A
N/A (use Kubernetes authentication mechanisms)
OpenStack
ubuntu
ubuntu
VMware ESXi
root
N/A
Cisco IOS
cisco
cisco
Juniper Junos
root
juniper123
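More default credentials: https://github.com/ihebski/DefaultCreds-cheat-sheet
Defaults differ between product versions, images and deployment methods, so confirm each entry against the vendor documentation for the version being audited; for example, current Jenkins releases generate a random initial admin password during setup instead of a fixed one.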

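Dorks
Each service name below is followed by its query for each search engine, in the engine order listed next; a few rows are incomplete.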

Text
shodan
censys
securitytrails
greynoise
binaryedge
zoomeye
Netlas
fofa
huntr
leakix
Text
Text
Text
Text
Text
Text
Text
Text
Text
Text
Nginx
“nginx” http.component:nginx
“nginx” AND tags:web AND tags:https
http.html_body.server:nginx
service.name:nginx
http.servers:nginx
app:”nginx”
http.server:nginx
title=”nginx” || header=”nginx”
http.servers=”nginx”
server:nginx
Apache
“apache” http.component:apache
“apache” AND tags:web AND tags:https
http.html_body.server:apache
service.name:apache
http.servers:apache
app:”apache”
http.server:apache
title=”apache” || header=”apache”
http.servers=”apache”
server:apache
phpMyAdmin
Server: phpmyadmin
org asn
asn:ASXXXXXXX org:
asn:ASXXXXXXX AND tags:
include:asn:ASXXXXXXX AND type:organization
asn:ASXXXXXXX organization:
asn:ASXXXXXXX organization:
asn:ASXXXXXXX org:
asn:ASXXXXXXX org:
header=”ASXXXXXXX” && title=” "
asn:ASXXXXXXX organization:
asn:ASXXXXXXX org:
elasticsearch
product:elasticsearch
elasticsearch.protocol:tcp
os:elasticsearch
port:9200
elasticsearch
app:”Elasticsearch” port:”9200”
product:”Elasticsearch”
title=”Elasticsearch” || body=”Elasticsearch” || header=”Elasticsearch”
product:”elasticsearch”
title:”kibana” && title:”elastic”
Minio
http.html:” “
(443.https.tls.certificate.parsed.extensions.subject_alt_name.dns_names: minio.*)
ssl.cert_subject_alt_name: minio
metadata.product: “MinIO”
“http.component:Minio” OR “http.title:Minio”
title:Minio
http.title:”Minio”
title=”MinIO” || header=”Minio” || header=”X-Amz-Bucket-Region”
intitle:”MinIO”
intitle:”MinIO”
Kubernetes
"kubernetes port:6443"
443.https.get.body: "kubernetes"
"kubernetes.*.cloudapp.azure.com"
"tags:kubernetes"
title:"kubernetes-dashboard"
app:"kubernetes-dashboard"
app:"kubernetes-dashboard"
title="Kubernetes Dashboard" || header="kubernetes"
title:"kubernetes dashboard"
title:"Kubernetes Dashboard"
mssql
product:”Microsoft SQL Server”
443.https.get.body:”microsoft sql server” OR 1433.banner:”microsoft sql server”
http.html_content:”Microsoft SQL Server” OR http.html_content:”MSSQLSERVER”
tags:”mssql” OR tags:”microsoft sql server”
product:”Microsoft SQL Server”
app:”Microsoft SQL Server”
title:”Microsoft SQL Server” OR body:”Microsoft SQL Server” OR body:”MSSQLSERVER”
title=”Microsoft SQL Server” || header=”Microsoft SQL Server”
title:”Microsoft SQL Server” OR body:”Microsoft SQL Server”
server:Microsoft-IIS/8.5 intitle:”sql server login”
rdp
“rdp” OR “port:3389”
3389.rdp.banner:”\x03\x00\x00\x0b\xe0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00”
“rdp” AND port:3389
“tags.rdp” OR “tags.mstsc”
“rdp” AND port:3389
“rdp” OR “port:3389”
“rdp” OR “port:3389”
“protocol=rdp” OR “port=3389”
“rdp” OR “port:3389”
“rdp” OR “port:3389”
ftp
“ftp”
“service.ftp.banner”
“service:ftp”
“protocol:ftp”
“ftp”
“ftp”
“ftp”
“protocol==ftp”
“ftp”
“ftp”
ssh
port:22 ssh
22.ssh.banner.raw_version: SSH
22 || ssh
/ssh/ && port:22
ssh port:22
port:22 ssh
port:22 AND service.ssh==true
protocol=ssh
22.ssh.banner.raw_version:SSH
service.ssh == true
dns
hostname:{DNS name}
parsed.names: {DNS name}
domain:{DNS name}
metadata.dns: {DNS name}
dns.name:{DNS name}
site:{DNS name}
dns.host: {DNS name}
domain={DNS name}
domain:{DNS name}
data.hostnames: {DNS name}
modbus
port:502 modbus
modbus
port:502
modbus
port:502
port:502 modbus
port:502 modbus
protocol=modbus
port:502
port:502 modbus
rtsp
port:554 rtsp
protocols: rtsp
port:554
protocols:rtsp
port:554 rtsp
port:554 rtsp
protocol:rtsp
protocol=rtsp
protocol:rtsp
port:554
SMTP
smtp
protocols:smtp
smtp
port:25
port:25
service:smtp
service:smtp
protocol==smtp
smtp
port.tcp eq 25
SMB
smb
protocols.smb.banner.signatures.name: “SMB”
tags.smb = true
metadata.protocol = smb
protocols:”smb”
app:”SMB/CIFS”
service:”smb”
protocol=”smb”
tags:”smb”
protocol:smb
NFS
port:2049 nfs
protocols:”nfs”
port:2049 AND service:nfs
tag:nfs
port:2049 nfs
app:”nfsd”
nfs
title=”NFS” || body=”NFS” || header=”NFS” || keyword=”NFS”
port:2049 AND service:nfs
port:2049 nfs
Docker registries
http.title:"Docker Registry" OR http.html:"Docker Registry" OR http.component:"docker" OR http.component:"registry"
443.https.get.metadata.protocol: Docker
http.headers.server: docker-registry OR http.html: docker-registry OR http.title: docker-registry
http.metadata.product: Docker Registry
http.component:docker-registry
title:"Docker Registry" OR body:"Docker Registry"
product:”Docker Registry”
title="Docker Registry" OR header="docker-registry" OR body="docker-registry"
docker-registry
http.component:”docker-registry”
memcached
port:11211 memcached
protocols: “memcached”
type:server “memcached” port:11211
service:memcached
port:11211 && memcached
port:”11211” memcached
port:11211 && memcached
title=”Memcached” && protocol=”port:11211”
port: 11211 AND tags: memcached
protocols:”memcached” port:”11211”
RabbitMQ
product:rabbitmq
443.https.get.body:/{“product”:”RabbitMQ”,”version”:”
http.html: /management/rabbitmq/
port:5672 (RabbitMQ) AND tags:RabbitMQ
title:”RabbitMQ Management”
app:”RabbitMQ Management”
port:5672 AND product:rabbitmq
title=”RabbitMQ Management” || body=”RabbitMQ” || header=”RabbitMQ”
port:5672 AND service.name:rabbitmq
product:rabbitmq
WinRM
product:winrm
protocols:winrm
os:windows winrm
winrm
winrm
port:5985 winrm
service:WinRM
protocol==winrm
winrm
winrm
CouchDB
couchdb port:5984
protocols: “couchdb” and port: 5984
http.component: “couchdb” and port: 5984
http.server: “CouchDB” and port: 5984
protocols:couchdb and port:5984
app:”CouchDB” and port:5984
port:5984 and app:couchdb
title=”couchdb” && port=5984
couchdb inurl:5984
app:couchdb && port:5984
PostgreSQL
port:5432 postgres
443.versions.protocol: “PostgreSQL” or 5432.versions.protocol: “PostgreSQL”
pgsql-server
port:5432
service:”postgresql”
port:”5432”
title:”pgAdmin” OR title:”PostgreSQL” OR title:”pgAdmin 4” OR title:”pgAdmin 3”
title=”Adminer” || body=”pgsql” || body=”PostgreSQL”
title:”postgresql” OR body:”postgresql”
pgsql-server
GitLab
http.favicon.hash:-335242539 “gitlab”
443.https.get.metadata.server: GitLab
http.headers.server:”gitlab”
metadata.service:gitlab
title:”GitLab” && protocols:”https”
title:”GitLab”
http.favicon.hash:-335242539 “gitlab”
title=”GitLab”
title=”GitLab”
title=”GitLab”
SVN
Server: Apache SVN
tags: svn
svn
/svn/index.cgi
title:”viewvc” svn
port: 3690 svn
os:svn
title=”ViewVC” || title=”SVN repository browser” || title=”VisualSVN Server” || body=”Powered by Subversion version”
svn
svn
Tomcat
tomcat country:XX
protocols: “http” and “product:Apache Tomcat”
http.web_server.name:”Apache Tomcat”
metadata.product:tomcat
http.server.product:”Apache Tomcat”
app:”Tomcat”
product:Tomcat
title=”Apache Tomcat” || body=”Apache Tomcat”
http.favicon.hash: -1448465410 && http.html: “Apache Tomcat”
os.query:”Apache Tomcat”
VNC
“vnc” port:5900
port: “5900” AND “VNC protocol”
“vnc” AND port:5900
“vnc” -port:5900
protocol:”vnc” AND port:5900
port:5900 AND app:”RealVNC”
service:”vnc” port:”5900”
port=”5900” && protocol=”vnc”
vnc AND port:5900
“vnc” port:5900
LDAP
“ldap” port:389 or port:636
tags: ldap
service:ldap
tag:ldap
service:”LDAP (389/tcp)” or service:”LDAP SSL (636/tcp)”
app:”openLDAP” or app:”ActiveDirectory”
service.ldap.banner:”ldap”
protocol==LDAP
service:ldap
port:389 or port:636
NetBIOS
port:”137” org:”" or netbios_name:""
protocols: “netbios-ssn” or netbios.name: “"
netbios_host: or netbios_host:
netbios
netbios.domain: “" or netbios.host:
netbios.name: or netbios.ip:
netbios.host:
protocol=”NetBIOS” && cert=””
netbios
netbios
TeamViewer
product:teamviewer
443.versions.banner:TeamViewer
os:’Windows 7’ && port:5938 && app:’TeamViewer’
metadata.teamviewer.enabled:true
product:’TeamViewer’ && type:’host’
app:teamviewer
teamviewer
title=”TeamViewer” || header=”TeamViewer”
service:”TeamViewer”
port.tcp eq 5938 and port.tcp eq 443 and product eq ‘TeamViewer’
NoMachine
“nomachine” port:4000, “nomachine” port:4010, “nomachine” port:4011, “nomachine” port:4022
“nomachine” and port:4000 or port:4010 or port:4011 or port:4022
service:”nomachine” and (port:4000 or port:4010 or port:4011 or port:4022)
“nomachine” port:4000 or port:4010 or port:4011 or port:4022
service:nomachine and (port:4000 or port:4010 or port:4011 or port:4022)
app:”NoMachine” port:4000 or port:4010 or port:4011 or port:4022
service:”nomachine” and (port:”4000” or port:”4010” or port:”4011” or port:”4022”)
title=”NoMachine” && (port=4000 || port=4010 || port=4011 || port=4022)
nomachine AND (port:4000 OR port:4010 OR port:4011 OR port:4022)
tags.nomachine AND (ports:4000 OR ports:4010 OR ports:4011 OR ports:4022)
vCenter
“vCenter” port:443
443.https.get.metadata.product:VMware-vCenter-Server
http.title:”vCenter Server”
tags:”vmware-vcenter”
title:”vSphere Client”
app:”VMware vSphere”
http.html_contains:”vmware-vsphere-client”
title=”VMware vCenter Server” || body=”vCenter Server” || header=”vCenter Server”
service.name:VMware-vSphere
product:”VMware vCenter Server”
ESXi
product:ESXi
os: vmware_esxi
os:’VMware ESXi’
tag:VMware-ESXi
os:’VMware ESXi’
webapp:VMware ESXi
os:VMware ESXi
title=’VMware ESXi’
service.name:VMware ESXi
product:’VMware ESXi’
directory listings
“Server: -frontier -akamai -edgecast -fastly -incapsula -nginx -squarespace -cdn -amazonaws -cloudfront -gstatic -github”
“protocols: http and 200.status_code:/2[0-9][0-9]/ and body: “Index of /” and not (body: “HTTP/1.1 301” or body: “HTTP/1.1 302” or body: “HTTP/1.1 303” or body: “HTTP/1.1 307” or body: “HTTP/1.1 308”)”
http.title:/index of/i
metadata.product:apache && metadata.title:/index of/i
http.html.body:/Index of/i && http.status.code:200