Default Credentials
Vendor-shipped admin/admin, root/calvin, etc. on appliance UIs and installed apps (Tomcat manager, Jenkins, GLPI, …).
§ Where this technique fits
W-AUTH-DEFAULT is catalogued under the Credential Access tactic of the offensive-security kill-chain. It appears in 4 approved dossiers in the registry, at step 2.8 on average.
§ Dossiers chaining this technique
- step 2 / 7 · Reconfigure MFP LDAP → harvest service-account credentials
  Walk up to / network-into the MFP admin web panel (default creds), change the LDAP address-book server to attacker IP — printer immediately re-binds and sends its service-account creds in cleartext.
- step 2 / 6 · ArgoCD weak RBAC → cluster admin via custom Application
  ArgoCD installed with the default admin user and broad RBAC. Attacker creates an Application pointing at attacker manifests — ArgoCD syncs them with cluster-admin.
- step 2 / 6 · Jenkins /script Groovy console → RCE → AD
  Jenkins script console exposed unauth on the corporate intranet — Groovy 'execute()' = RCE as the Jenkins service account, often a domain user with broad agent access.
- step 5 / 6 · DNS rebinding → access internal router admin from a browser
  Victim visits attacker page. JS opens a connection to attacker.com, which after the first request flips its DNS A record to 192.168.1.1 — subsequent requests now go to the victim's router under the attacker's origin.
§ What commonly comes next
- 01 ArgoCD Misconfigured RBAC (seen 1×) · CI-ARGOCD-TAKEOVER · Privilege Escalation
- 02 Jenkins Script Console RCE (seen 1×) · CI-PIPELINE-RCE · Execution
- 03 MFP LDAP Address-Book Credential Theft (seen 1×) · PRT-LDAP-CRED-STEAL · Credential Access
- 04 OTA Update MITM (seen 1×) · IOT-OTA-MITM · Initial Access