Checklist

Password testing

  • Service default credentials

  • Empty password or anonymous user login

  • Username as password

  • Service name/Webpage title/Hostname as username or password

    • cewl + john fuzzing for a custom dictionary

  • Username/Password spraying

  • Weak passwords (letmein, admin123, test and similar)

  • Dictionary attack

  • Bruteforce from known password structure (inferred by registering a new user)

  • Dumb user/password; try an empty password field too, if accepted

Dumb passwords

qwerty
qwerty123
Qwerty123!
admin
admin123
adminadmin
sysadmin
password
root
toor
123456
secret
s3cret
login
letmein
letmeinplease
manager
m4n4n3r
guest
user
superuser
info
test
