Changeme: How Default Credentials Are Hiding in Plain Sight Across Your Infrastructure
Hook
After a decade of security awareness training, default credentials still account for over 60% of successful IoT and device compromises. The username 'admin' with password 'admin' remains disturbingly effective in 2024.
Context
Enterprise networks are sprawling ecosystems of devices, databases, and services—each potentially shipped with default credentials that administrators forget to change. While commercial vulnerability scanners excel at finding CVEs and configuration issues, they often treat default credentials as an afterthought, burying them in massive scan reports or requiring expensive plugin subscriptions. Password cracking tools like Hydra and Medusa can brute-force authentication, but they're designed for dictionary attacks, not the specific problem of testing known manufacturer defaults.
This gap matters because default credentials are fundamentally different from weak passwords. They're not guesses—they're documented facts. Cisco ships certain models with 'cisco/cisco', MongoDB historically ran without authentication, and countless IP cameras use 'admin/12345'. Yet most security teams resort to manually maintaining spreadsheets of defaults or running multiple specialized tools. Changeme emerged to solve this precise problem: a single scanner that maintains a curated database of default and backdoor credentials across protocols, making it trivial to test whether your new database server, inherited IoT device, or acquired company's infrastructure is sitting wide open.
Technical Insight
Changeme's architecture revolves around a brilliant separation of concerns: credential definitions live in YAML files completely decoupled from the scanning logic. This means security researchers can contribute new default credentials without touching Python code. Each credential is defined with metadata specifying the affected protocol, product, and authentication details.
Here's what a credential definition looks like:
name: Tomcat Manager
author: ztgrace
category: web
default_port: 8080
protocol: http
auth:
  credentials:
    - username: tomcat
      password: tomcat
    - username: admin
      password: admin
  type: basic_auth
fingerprint:
  - status_code: 401
    body_text: Apache Tomcat
  - status_code: 200
    url_path: /manager/html
    body_text: Tomcat Web Application Manager
This YAML structure contains everything needed to identify and test the service. The fingerprint section ensures the scanner only attempts credentials against actual Tomcat instances, avoiding false positives and unnecessary authentication attempts. The multiple credential pairs get tested sequentially, and the scanner reports which combination succeeded.
The protocol handling architecture uses a class hierarchy where each protocol inherits from a base Cred class. The HTTP scanner, for instance, implements BasicAuth, DigestAuth, and form-based authentication. For databases, changeme leverages protocol-specific libraries—psycopg2 for PostgreSQL, pymongo for MongoDB, pymssql for Microsoft SQL Server. This means adding a new protocol requires implementing only the connection and authentication logic, while the queuing, reporting, and orchestration infrastructure remains unchanged.
The scanning workflow operates through a producer-consumer model. Targets get loaded into a queue (either Python's built-in queue for standalone operation or Redis for distributed scanning), and worker threads pull targets, match them against appropriate credential definitions based on port and protocol, then attempt authentication:
# Simplified scanning workflow (illustrative names, not changeme's actual API)
while not queue.empty():
    target = queue.get()                       # worker pulls the next target off the shared queue
    protocol = identify_protocol(target.port)  # e.g. 8080 -> http
    creds = load_credentials_for_protocol(protocol)
    for cred in creds:
        if fingerprint_matches(target, cred):  # only test real instances of the product
            result = attempt_auth(target, cred)
            if result.success:
                report_finding(target, cred, result)
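As an added example (not changeme's own code), here is the fingerprint gating from the YAML above and the queue-driven worker loop just sketched, joined into one runnable skeleton. The dict layout, field names and target records are constructed to follow the page's sample rather than changeme's actual schema, and no network calls are made.

```python
import collections, queue

# Constructed definition mirroring the page's YAML, as yaml.safe_load would return it (keys follow the page's sample, not necessarily changeme's real schema).
DEFINITIONS = [{
    "name": "Tomcat Manager", "default_port": 8080, "protocol": "http",
    "auth": {"type": "basic_auth", "credentials": [
        {"username": "tomcat", "password": "tomcat"},
        {"username": "admin", "password": "admin"}]},
    "fingerprint": [
        {"status_code": 401, "body_text": "Apache Tomcat"},
        {"status_code": 200, "url_path": "/manager/html", "body_text": "Tomcat Web Application Manager"}],
}]

def fingerprint_matches(definition, response):
    """True if ANY fingerprint entry agrees on every field it specifies."""
    for fp in definition["fingerprint"]:
        if "status_code" in fp and fp["status_code"] != response["status_code"]:
            continue
        if "url_path" in fp and fp["url_path"] != response["url_path"]:
            continue
        if "body_text" in fp and fp["body_text"] not in response["body"]:
            continue
        return True
    return False

def plan_attempts(targets, definitions=DEFINITIONS):
    """Queue the targets, pull each, select definitions by port, gate on fingerprint and
    return the (host, user, password) triples a scanner would try (no network here)."""
    by_port = collections.defaultdict(list)
    for d in definitions:
        by_port[d["default_port"]].append(d)
    q = queue.Queue()
    for t in targets:
        q.put(t)
    attempts = []
    while not q.empty():
        target = q.get()
        for d in by_port.get(target["port"], []):
            if fingerprint_matches(d, target["response"]):
                attempts += [(target["host"], c["username"], c["password"])
                             for c in d["auth"]["credentials"]]
    return attempts

# Constructed targets, each carrying the response a probe of its port would have returned:
# a real Tomcat, an nginx 401 on the same port, and a Tomcat on a non-default port.
TARGETS = [
    {"host": "10.0.0.5", "port": 8080, "response": {"status_code": 401, "url_path": "/", "body": "<h1>Apache Tomcat</h1>"}},
    {"host": "10.0.0.6", "port": 8080, "response": {"status_code": 401, "url_path": "/", "body": "<center>nginx</center>"}},
    {"host": "10.0.0.7", "port": 9090, "response": {"status_code": 401, "url_path": "/", "body": "Apache Tomcat"}},
]
```

Only the first target produces attempts: the nginx host fails the fingerprint despite its 401, and the Tomcat moved to port 9090 is skipped entirely because matching is keyed on default_port.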
What makes changeme particularly powerful for penetration testers is its Shodan integration. Instead of manually discovering devices, you can query Shodan's database and immediately test results. Running changeme --shodan_query 'product:mongodb' --shodan_limit 100 will find MongoDB instances exposed on the internet and test them for default credentials in one operation. This transforms internet-wide reconnaissance from a multi-tool, manual process into a single command.
The Redis-backed distributed scanning addresses a real scalability concern. Testing a /16 subnet with multiple protocols across hundreds of default credentials generates thousands of connection attempts. By using Redis as a shared queue, multiple changeme instances can coordinate scanning without duplicating work. One instance might handle web services while another focuses on databases, all reporting to a centralized results database. For large penetration testing firms or bug bounty hunters, this architecture enables horizontal scaling without complex orchestration frameworks.
The HTML reporting feature with PhantomJS screenshots deserves mention because it solves a common documentation problem. When you find a vulnerable Tomcat manager or router admin panel, clients often want proof beyond "I logged in." Changeme automatically captures screenshots of successful authentication sessions, generating self-contained HTML reports with visual evidence. For compliance audits where stakeholders may not understand technical details, showing a screenshot of an admin panel accessed with 'admin/admin' communicates risk instantly.
Gotcha
Changeme's Linux-centric development shows its rough edges on other platforms. The project documentation explicitly states that Windows and macOS have known issues, pushing users toward Docker containers for cross-platform deployment. This isn't unusual for security tools, but it means quick laptop-based testing during an engagement requires Docker setup overhead. The telnet scanner is openly marked as broken with no timeline for fixes—problematic if you're auditing legacy industrial control systems or network equipment where telnet remains common.
The tool's focus on default credentials is simultaneously its strength and limitation. If an administrator changed the Tomcat password from 'admin' to 'administrator', changeme won't find it because it's not testing password variations or performing true brute-forcing. This narrow scope is intentional—the tool solves one problem well—but it means changeme is always one component in a broader security assessment toolkit, never a complete authentication testing solution. You'll still need Hydra, Burp Suite's Intruder, or other tools for comprehensive password attacks.
Dependency management can be frustrating. Database protocol support requires system-level packages like unixodbc-dev and libpq-dev, which complicates deployment on minimal container images or restricted environments where you can't install system packages. PhantomJS is deprecated and increasingly difficult to install on modern Linux distributions, though the project continues depending on it for screenshots. These dependencies work, but they require more setup than a pure Python tool would need.
Verdict
Use changeme if you're conducting penetration tests or security audits where discovering default credentials is part of your scope, especially when scanning large IP ranges or integrating with Shodan for internet-wide device discovery. Its YAML credential database receives community contributions, meaning you get updated defaults without maintaining your own lists. The multi-protocol support makes it ideal for heterogeneous environments with web services, databases, and network devices all requiring authentication testing in a single pass. Use it when you need automated, repeatable scanning that can scale horizontally with Redis.
Skip changeme if you need native Windows or macOS support without containerization, if your target environment is primarily telnet-based (since that scanner is broken), or if you're looking for general password brute-forcing capabilities beyond default credentials. Skip it if you need enterprise support, guaranteed maintenance, or a GUI—this is a command-line tool maintained by a small community. Consider commercial scanners like Nessus or Qualys if you need vendor support and broader vulnerability coverage, or use Metasploit if you want credential scanning integrated into a full exploitation framework with better Windows compatibility.