As mentioned previously, in this section, there are applications that have default credentials when they are installed. With some of them, this is because they are not installed directly, but use packages with the OS or because they are part of another application. For example, some integrated development environments (IDE) have web or application servers in their installations, which are used for testing purposes.

Also, there are testing tools or packages that use database management systems (DBMS), but these systems have vulnerabilities or default access that exposes them.

After doing some scouting, you will be able to know the applications, servers, and technology behind an application, and just looking for the term default password find the correct credentials, or accessing to the web that stores them, as shown in the following screenshot:

To identify the correct ones, you just need to load them as payload in Intruder and launch the applications, as we will see in more detail in this chapter.