Wordlists and Defaults

Overview

Brutus ships with protocol-specific default credential wordlists in the wordlists/ directory (21 files, 208 total entries). The --defaults flag loads the appropriate wordlist automatically based on the target protocol.

Default Wordlists

Protocol	File	Entries	Example Defaults
SSH	`ssh_defaults.txt`	10	`root:root`, `root:toor`, `admin:admin`
FTP	`ftp_defaults.txt`	9	`anonymous:anonymous`, `ftp:ftp`
Telnet	`telnet_defaults.txt`	11	`root:root`, `admin:admin`, `user:user`
VNC	`vnc_defaults.txt`	11	`password`, `admin`, `vnc` (password-only)
SMB	`smb_defaults.txt`	10	`administrator:password`, `admin:admin`
LDAP	`ldap_defaults.txt`	9	`cn=admin:admin`, `cn=Manager:secret`
RDP	`rdp_defaults.txt`	17	`administrator:password`, `admin:admin`
MySQL	`mysql_defaults.txt`	10	`root:` (empty), `root:root`, `root:mysql`
PostgreSQL	`postgresql_defaults.txt`	7	`postgres:postgres`, `postgres:password`
MSSQL	`mssql_defaults.txt`	9	`sa:sa`, `sa:password`, `sa:Password1`
MongoDB	`mongodb_defaults.txt`	9	`admin:admin`, `root:root`
Redis	`redis_defaults.txt`	9	`redis`, `password`, `admin` (password-only)
Neo4j	`neo4j_defaults.txt`	7	`neo4j:neo4j`, `neo4j:password`
Cassandra	`cassandra_defaults.txt`	8	`cassandra:cassandra`, `admin:admin`
CouchDB	`couchdb_defaults.txt`	8	`admin:admin`, `admin:password`
Elasticsearch	`elasticsearch_defaults.txt`	7	`elastic:changeme`, `admin:admin`
InfluxDB	`influxdb_defaults.txt`	7	`admin:admin`, `root:root`
SMTP	`smtp_defaults.txt`	9	`admin:admin`, `postmaster:password`
IMAP	`imap_defaults.txt`	9	`admin:admin`, `user:password`
POP3	`pop3_defaults.txt`	9	`admin:admin`, `user:password`
SNMP	`snmp_defaults.txt`	23	See SNMP Tiers below

SNMP Community String Tiers

SNMP uses a tiered system organized by prevalence and value:

Default Tier (~25 strings)

Universal defaults with the highest hit rate:

Category	Strings
RFC 1157 Defaults	`public`, `private`, `community`
Common Lazy Defaults	`snmp`, `default`, `password`, `admin`, `manager`, `root`, `test`, `guest`
High-Value Vendor	`cisco`, `CISCO`, `cable-docsis`, `apc`, `hp_admin`, `netman`
Access Levels	`read`, `write`, `monitor`, `secret`
IPMI/BMC	`ADMIN` (Supermicro), `PASSW0RD` (Dell iDRAC)

Extended Tier (~75 strings)

Adds vendor-specific defaults (includes all Default Tier):

Category	Strings
Cisco	`c`, `san-fran`
HP/Aruba	`HP`, `procurve`, `aruba`, `aruba123`
Juniper	`juniper`, `JUNIPER`
Fortinet	`fortinet`, `fortigate`
Ubiquiti	`ubnt`, `ubiquiti`
Dell iDRAC	`calvin`, `Dell`, `idrac`
Supermicro	`supermicro`, `SUPERMICRO`
HP iLO	`ilo`, `iLO`, `hpinvent`
IBM/Lenovo	`ibm`, `IBM`, `lenovo`, `imm`, `USERID`
Printers	`xerox`, `canon`, `ricoh`, `brother`, `epson`, `kyocera`, `lexmark`, `samsung`
Cable Modems	`motorola`, `arris`, `surfboard`

Full Tier (200+ strings)

Comprehensive database (includes all Extended Tier):

Category	Examples
IP Cameras/DVR	`hikvision`, `dahua`, `axis`, `foscam`, `amcrest`, `reolink`
Industrial/SCADA	`schneider`, `siemens`, `rockwell`, `allen-bradley`, `plc`, `scada`
UPS/PDU/Power	`APC`, `eaton`, `liebert`, `tripplite`, `cyberpower`
NAS/Storage	`synology`, `qnap`, `netgear`, `readynas`, `buffalo`
Consumer Routers	`linksys`, `dlink`, `tplink`, `asus`, `zyxel`, `huawei`
VoIP/Telephony	`polycom`, `avaya`, `mitel`, `yealink`, `grandstream`
Legacy/Vulnerable	`OrigEquipMfr`, `NoGaH$@!`, `xyzzy`, `freekevin`
Regional Variants	`publico`, `privado`, `oeffentlich`, `publique`
Numeric Patterns	`123`, `1234`, `admin123`, `snmp123`
Special	`` (empty), (space), `null`, `undefined`

SNMP Usage

brutus -target 10.0.0.1:161 -protocol snmp --snmp-tier default   # ~25 strings
brutus -target 10.0.0.1:161 -protocol snmp --snmp-tier extended  # ~75 strings
brutus -target 10.0.0.1:161 -protocol snmp --snmp-tier full      # 200+ strings

Custom Wordlists

# Custom files
brutus -target 10.0.0.1:22 -protocol ssh -U users.txt -P passwords.txt

# Inline credentials
brutus -target 10.0.0.1:22 -protocol ssh -u root,admin -p password,toor