lolcreds

Public credential defaults and exposure patterns for authorized security testing.

QNAP QTS / QuTS hero

QNAPnetwork4 credentials

Credentials4 documented
01

QNAP Administrator/User Password

qnap / admin-user-password

QNAP systems use local and directory users for the web admin UI, SSH, file services, apps, and APIs. Modern firmware may disable the default admin account or require setup-defined credentials.

generated on installuser definedsecretusername/password

Location

public interface
QTS/QuTS hero web UI, SSH, SMB/NFS/AFP, WebDAV, apps, and management APIs
config file

/etc/config/shadow, account config files, and app configuration

database

system and application databases storing user/session metadata

secret store

password vaults, HBS backup stores, and directory services

logs

system event logs, auth logs, web logs, and app logs

Notes

No universal QNAP admin password is modeled; default admin behavior changed across firmware and setup modes.

02

QTS API Session Token

qnap / api-session-token

QNAP web/API clients authenticate with session IDs, cookies, or CSRF-style tokens that authorize management operations until expiry/logout.

generated on installsecrettoken

Location

http header
Cookie

QTS/QuTS web and API session cookies

http response

API login responses containing session ID/token fields

config file

automation client caches and scripts

logs

web access logs, API traces, and reverse proxy logs

03

App, Backup, Cloud, and Service Secrets

qnap / app-backup-cloud-secrets

QNAP apps and services store credentials for HBS/Hybrid Backup Sync, cloud storage, myQNAPcloud, containers, virtualization, surveillance cameras, LDAP/AD, SMTP, VPN, and databases.

user definedgenerated on installsecretsecret value

Location

config file

QPKG app configs, /etc/config, Container Station compose files, VPN and cloud sync configs

database

QNAP app databases and system credential records

secret store

internal app credential stores, backup vaults, and password managers

artifact

system configuration backups and diagnostic dumps

logs

HBS, cloud, container, VPN, and app debug logs

04

Certificate / SSH / VPN Private Key

qnap / certificate-ssh-vpn-key

QNAP devices store TLS certificate keys, SSH host/user keys, VPN keys, and app-specific private keys.

generated on installuser definedsecretkey pair

Looks like

pattern
pattern

private key material from QNAP TLS, SSH, VPN, or app configurations

-----BEGIN (RSA |EC |OPENSSH |ENCRYPTED |)PRIVATE KEY-----

Location

config file

certificate directories, SSH keys, VPN configs, and QPKG app key files

secret store

certificate stores and backup vaults

artifact

configuration backups, app backups, and support bundles

Scope

Authorized use

LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.