lolcreds

Public credential defaults and exposure patterns for authorized security testing.

OPNsense

Deciso / OPNsensenetwork4 credentials1 default credential

Credentials4 documented
01

Default root Login

opnsense / default-root

OPNsense default console/web credentials for fresh installations are used to complete initial setup and should be changed immediately.

static defaultuser definedsecretusername/password

Default credentials

root:opnsense

Location

public interface
OPNsense web GUI, console, SSH, and API-capable plugins
config file
/conf/config.xml

system users and hashed passwords

artifact

configuration backups and diagnostics bundles

02

Local User Password Hash

opnsense / local-user-password

OPNsense local users authenticate to the web GUI, console/SSH, captive portal, VPN, and package/plugin services.

user definedsecretusername/password

Looks like

pattern
pattern

OPNsense config.xml user entry containing username and password hash

<user>.*?<name>[^<]+</name>.*?<password>[^<]+</password>

Location

config file
/conf/config.xml

user manager entries, groups, privileges, and password hashes

public interface
web GUI, SSH/console, VPN, captive portal, and plugins
secret store

password managers and firewall backup vaults

logs

system, auth, web GUI, VPN, and captive portal logs

03

API Key and Secret

opnsense / api-key-secret

OPNsense supports API keys/secrets for automation and plugin APIs. The key and secret together authorize API operations for the associated user privileges.

generated on installuser definedsecretAPI key

Location

http header
Authorization

Basic authentication using API key and secret

config file
/conf/config.xml

API key metadata and user association

environment
OPNSENSE_API_KEY, OPNSENSE_API_SECRET
secret store

CI/CD variables and network automation vaults

source code

Terraform/Ansible scripts and monitoring configs

logs

API and web GUI access logs

04

VPN, SNMP, LDAP, RADIUS, and Certificate Secrets

opnsense / vpn-snmp-ldap-radius-secrets

OPNsense config backups include VPN keys/PSKs, SNMP communities, LDAP bind passwords, RADIUS shared secrets, certificates/private keys, PPP credentials, and plugin secrets.

user definedgenerated on installsecretsecret value

Looks like

pattern
pattern

private key material from OPNsense certificate or VPN exports

-----BEGIN (RSA |EC |OPENVPN |ENCRYPTED |)PRIVATE KEY-----

Location

config file
/conf/config.xml

VPN, certificate, SNMP, auth server, gateway, package, and plugin secrets

secret store

configuration backup vaults and certificate stores

artifact

configuration backups, diagnostics, and VPN client exports

source code

firewall automation repositories

Scope

Authorized use

LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.