changeme: The Data-Driven Default Credential Scanner That Separates Code from Credentials
Hook
While security teams scramble to patch the latest zero-day, attackers are walking through the front door using credentials like admin/admin on production systems. changeme exists because default credentials remain one of the easiest—and most embarrassing—attack vectors in 2024.
Context
Commercial vulnerability scanners excel at finding CVEs and misconfigurations, but they often skip over a fundamental security gap: default and backdoor credentials. Devices ship with factory passwords. Developers leave test credentials in place. Legacy equipment runs with vendor-set admin accounts that were never changed.
changeme fills the gap between heavyweight penetration testing frameworks and general-purpose password crackers. It’s not trying to brute-force common passwords or crack hashes. Instead, it focuses on a curated database of known default and backdoor credentials across vendors, protocols, and device types. The tool’s philosophy is simple: separate credential data from scanning logic, make it trivial to add new credentials, and support the protocols that matter for infrastructure and IoT security.
Technical Insight
The architecture of changeme revolves around a deliberate separation of concerns: YAML files store credentials, Python handles protocol-specific scanning, and an optional Redis backend enables distributed execution. This data-driven design means adding support for a new device’s default credentials requires zero code changes—just a new YAML file in the credentials directory.
Each credential is defined declaratively in YAML format with information about the target service, protocol, and credential pairs. This YAML-first approach makes changeme’s credential database community-extensible. Security researchers can contribute new credentials without understanding the scanning engine’s internals. The --mkcred interactive tool scaffolds these YAML files by asking questions, lowering the barrier to contribution.
changeme implements protocol-specific scanners for HTTP/HTTPS, SSH (both password and key-based), MSSQL, MySQL, PostgreSQL, MongoDB, SNMP, and FTP. The SSH scanner can test both traditional passwords and known private keys—a feature most credential scanners overlook.
Target loading is flexible. You can specify a single IP, a subnet in CIDR notation, a list of hosts in a text file, an nmap XML output, or even a Shodan query. The Shodan integration is particularly powerful for security research:
./changeme.py --shodan_query "Server: SQ-WEBCAM" --shodan_key YOUR_API_KEY -c camera
This command queries Shodan for internet-facing webcams, retrieves their IP addresses, and immediately tests them against camera-specific default credentials.
The queuing system supports both an in-memory queue (simple, single-instance) and a Redis-backed queue (recommended for production use). The Redis option enables horizontal scaling: you can spin up multiple changeme containers or processes pointing at the same Redis instance, effectively creating a distributed credential scanner:
# Start Redis
docker run -d --name redis1 redis
# Launch scanner instance
docker run -it --link redis1:redis ztgrace/changeme ./changeme.py --redishost redis --threads 20 192.168.0.0/16
Each instance pulls targets from the shared Redis queue, scans them, and reports results back. The queue prevents duplicate work and provides resilience—if one scanner crashes, others continue processing.
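The two queue properties described above, no duplicate work and survival of a crashed scanner, are easy to get wrong, so here is an in-memory model of a shared target queue that has both. This is an added illustration, not changeme's code; the Redis data structures named in the comments are an assumption about how such a queue could be laid out, not a description of changeme's implementation. Duplicates are rejected at enqueue time, every target handed to a worker carries a lease deadline, and expired leases are returned to the queue so another worker picks them up.

```python
"""In-memory model of a shared scan queue with de-duplication and lease-based
crash recovery. Added illustration, not changeme's own code; the Redis
structures mentioned in comments are assumptions about one possible layout."""
import time
from collections import deque


class TargetQueue:
    def __init__(self, lease_seconds: float = 30.0, clock=time.monotonic):
        self._clock = clock
        self._lease = lease_seconds
        self._pending = deque()   # targets waiting for a worker (Redis: a LIST)
        self._seen = set()        # every target ever enqueued (Redis: a SET)
        self._inflight = {}       # target -> (worker, deadline) (Redis: a ZSET by deadline)
        self.done = {}            # target -> result reported by the acking worker

    def push(self, target: str) -> bool:
        """Enqueue once; a second push of the same target is a no-op."""
        if target in self._seen:
            return False
        self._seen.add(target)
        self._pending.append(target)
        return True

    def lease(self, worker: str):
        """Hand one target to a worker under a deadline; None if nothing is waiting."""
        self.reap()
        if not self._pending:
            return None
        target = self._pending.popleft()
        self._inflight[target] = (worker, self._clock() + self._lease)
        return target

    def ack(self, target: str, worker: str, result: str) -> bool:
        """Record a finished target; only the current lease holder may ack."""
        holder = self._inflight.get(target)
        if holder is None or holder[0] != worker:
            return False
        del self._inflight[target]
        self.done[target] = result
        return True

    def reap(self) -> list:
        """Return targets whose lease expired (worker crashed) to the pending queue."""
        now = self._clock()
        expired = [t for t, (_, deadline) in self._inflight.items() if deadline <= now]
        for target in expired:
            del self._inflight[target]
            self._pending.append(target)
        return expired

    def stats(self) -> dict:
        return {"pending": len(self._pending), "inflight": len(self._inflight),
                "done": len(self.done)}


def simulate() -> dict:
    """Two workers share the queue; worker-b dies mid-scan. A fake clock replaces time."""
    now = [0.0]
    q = TargetQueue(lease_seconds=30.0, clock=lambda: now[0])
    # Constructed target list; 10.0.0.2 is submitted twice on purpose.
    pushes = [q.push(h) for h in ["10.0.0.1", "10.0.0.2", "10.0.0.2", "10.0.0.3"]]
    t_a = q.lease("worker-a")            # 10.0.0.1
    t_b = q.lease("worker-b")            # 10.0.0.2, never acknowledged
    q.ack(t_a, "worker-a", "no default credentials matched")
    now[0] += 31.0                       # worker-b's lease expires
    requeued = q.reap()                  # 10.0.0.2 goes back to pending
    late = q.ack(t_b, "worker-b", "stale")   # dead worker's late ack is refused
    while (target := q.lease("worker-a")) is not None:
        q.ack(target, "worker-a", "no default credentials matched")
    return {"duplicate_rejected": pushes[2] is False, "requeued": requeued,
            "late_ack_accepted": late, "stats": q.stats(), "done": dict(q.done)}


if __name__ == "__main__":
    print(simulate())
```

The lease deadline is the whole point: without it a target handed to a crashed worker is simply lost, and without the holder check in ack a worker that was presumed dead can overwrite a result produced by the worker that replaced it.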
The protocol-specific syntax is another useful feature: ./changeme.py snmp://192.168.1.20 explicitly tests only SNMP credentials against that host, bypassing irrelevant HTTP or database checks.
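To make the data-driven design concrete, the following added example (not changeme's code) keeps credential records as plain data, validates a newly contributed record the way a --mkcred-style scaffold would need to, parses changeme-style target specs such as a bare IP, a CIDR range, or a `proto://host` URI, and builds an audit plan of which username/password pairs apply to which host and protocol. The record layout, the scheme names and the port table are assumptions; the credential records are constructed sample data. No network connections are made: the output is the plan a scanner would execute, which is also what an auditor wants to review before running anything.

```python
"""Data-driven audit plan: credential records (data) stay separate from the
per-protocol selection logic (code), and targets are parsed from changeme-style
specs. Added illustration, not changeme's own code; the record layout, scheme
names and port table are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Assumed scheme names and default ports for the protocols the article lists.
DEFAULT_PORTS = {"http": 80, "https": 443, "ssh": 22, "mssql": 1433, "mysql": 3306,
                 "postgres": 5432, "mongodb": 27017, "snmp": 161, "ftp": 21}

# Constructed credential records in a hypothetical YAML-like layout; changeme's
# real schema may differ. Each record names a service, a category (what -c
# would select), a protocol and the username/password pairs to check.
CREDENTIAL_DB = [
    {"name": "Example camera web UI", "category": "camera", "protocol": "http",
     "credentials": [{"username": "admin", "password": "admin"},
                     {"username": "admin", "password": ""}]},
    {"name": "Example SNMP agent", "category": "network", "protocol": "snmp",
     "credentials": [{"username": "", "password": "public"}]},
    {"name": "Example MySQL server", "category": "database", "protocol": "mysql",
     "credentials": [{"username": "root", "password": ""}]},
]

REQUIRED_KEYS = {"name": str, "category": str, "protocol": str, "credentials": list}


def validate_record(rec: dict) -> list:
    """Return the problems with a contributed record (an empty list means valid)."""
    problems = []
    for key, typ in REQUIRED_KEYS.items():
        if key not in rec:
            problems.append(f"missing {key}")
        elif not isinstance(rec[key], typ):
            problems.append(f"{key} must be {typ.__name__}")
    if rec.get("protocol") not in DEFAULT_PORTS:
        problems.append("unknown protocol")
    for i, pair in enumerate(rec.get("credentials") or []):
        if not isinstance(pair, dict) or not {"username", "password"} <= set(pair):
            problems.append(f"credentials[{i}] needs username and password")
    return problems


@dataclass(frozen=True)
class Target:
    host: str
    protocol: Optional[str]   # None means every protocol in the database applies
    port: Optional[int]


def parse_target(spec: str) -> list:
    """Expand one spec: 'snmp://192.168.1.20', '10.0.0.0/30' or '10.0.0.5'."""
    if "://" in spec:
        parts = urlsplit(spec)
        proto = parts.scheme.lower()
        if proto not in DEFAULT_PORTS:
            raise ValueError(f"unsupported protocol: {proto}")
        return [Target(parts.hostname, proto, parts.port or DEFAULT_PORTS[proto])]
    net = ipaddress.ip_network(spec, strict=False)
    hosts = list(net.hosts()) or [net.network_address]   # /32 yields the address itself
    return [Target(str(h), None, None) for h in hosts]


def select_credentials(target: Target, category: Optional[str] = None,
                       db=CREDENTIAL_DB) -> list:
    """Records matching the target's protocol (if a scheme was given) and category."""
    return [rec for rec in db
            if (target.protocol is None or rec["protocol"] == target.protocol)
            and (category is None or rec["category"] == category)]


def build_plan(specs, category: Optional[str] = None) -> dict:
    """Map (host, protocol, port) to the ordered, de-duplicated pairs to check."""
    plan = {}
    for spec in specs:
        for target in parse_target(spec):
            for rec in select_credentials(target, category):
                key = (target.host, rec["protocol"],
                       target.port or DEFAULT_PORTS[rec["protocol"]])
                pairs = plan.setdefault(key, [])
                for cred in rec["credentials"]:
                    pair = (cred["username"], cred["password"])
                    if pair not in pairs:
                        pairs.append(pair)
    return plan


if __name__ == "__main__":
    for key, pairs in build_plan(["snmp://192.168.1.20", "10.0.0.0/30"]).items():
        print(key, pairs)
```

Because the scanning side only ever reads `protocol`, `category` and `credentials`, adding a vendor's defaults is a new record and nothing else, which is the property the article credits to changeme's YAML directory; the validator is what keeps a malformed contribution from silently matching nothing.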
Gotcha
changeme has only been tested on Linux and has known issues on Windows and macOS. The recommended workaround is Docker, which adds overhead and complexity for developers on non-Linux systems who just want to run a quick scan. If you’re a security consultant on a MacBook, you’ll be managing containers instead of running a native binary.
The README explicitly states that the telnet scanner is broken. Before relying on changeme for production security audits, you’ll want to verify which protocols actually work in the current release.
Dependency management requires manual installation of platform-specific system libraries: unixodbc-dev for MSSQL support and libpq-dev for PostgreSQL support must be installed before running pip install. PhantomJS is required for HTML report screenshots but must be separately installed and added to PATH. This isn’t the plug-and-play experience developers expect from contemporary security tools.
Verdict
Use changeme if you’re conducting authorized penetration tests or security audits where identifying default credentials quickly across diverse network equipment is critical. It’s especially valuable when scanning large heterogeneous networks with IoT devices, industrial systems, and legacy equipment from multiple vendors—exactly the environments where default credentials proliferate. The Shodan integration makes it powerful for bug bounty hunters and security researchers mapping internet-facing attack surface. Skip it if you need native Windows or macOS support, require telnet scanning, or need a general-purpose password cracking tool. For Windows-centric network pentesting, CrackMapExec may be more appropriate. For broader protocol support, consider Metasploit’s auxiliary modules or Hydra with custom wordlists. changeme’s sweet spot is Linux-based security teams with Redis infrastructure who need to audit default credentials at scale and want a credential database they can extend without touching code.