lolcreds

Public credential defaults and exposure patterns for authorized security testing.

Splunk

Splunkmonitoring3 credentials

Credentials3 documented
01

Local User Password

splunk / local-user-password

Splunk Enterprise supports local users and roles for Splunk Web and REST API access. Local user credentials are stored in Splunk configuration and authentication stores rather than being universal static defaults.

user definedsecretusername/password

Looks like

pattern
pattern

Splunk configuration stanza containing a password or password hash; context identifies the Splunk app or user store

^\s*password\s*=\s*[^\r\n]+$

Location

config file
$SPLUNK_HOME/etc/passwd, authentication.conf, authorize.conf

local user password hashes and authentication/role configuration

public interface
Splunk Web, /services

Splunk Web login and management REST API endpoints

secret store

deployment server secrets, app passwords, and infrastructure vault entries

source code

deployment apps, Ansible roles, Docker Compose files, and committed Splunk configs

logs

splunkd logs, authentication logs, and setup output

Notes

There is no universal Splunk admin password. The initial administrator password is set during installation, image startup, or provisioning.

02

Authentication Token

splunk / authentication-token

Splunk Enterprise supports authentication tokens for REST API access. Tokens are bearer-like secrets used by clients instead of repeatedly sending interactive user credentials.

generated on installsecrettoken

Location

http header
Authorization

Splunk token authorization header used for REST API requests

config file

automation config, .env files, Splunk app config, and deployment manifests

environment
SPLUNK_TOKEN, SPLUNK_AUTH_TOKEN
secret store

CI/CD variables, deployment server secrets, and cloud secret managers

source code

Splunk SDK scripts, tests, and committed REST clients

logs

REST client traces and automation logs

Notes

Token blast radius depends on the Splunk user, role, audience, and token settings configured by administrators.

03

splunk.secret Shared Secret

splunk / splunk-secret

Splunk uses internal secret material such as splunk.secret to protect and decrypt stored credentials in configuration files. Copying or leaking this file can expose encrypted app credentials in Splunk configurations.

generated on installsecretsecret value

Location

config file
$SPLUNK_HOME/etc/auth/splunk.secret

Splunk instance secret used to protect stored credentials

secret store

Splunk backups, deployment artifacts, VM images, and vault entries

image

cloned Splunk images or containers containing splunk.secret

source code

accidentally committed Splunk etc directories and deployment bundles

Notes

splunk.secret is not a login password, but it can be required to decrypt encrypted credentials stored in Splunk app configuration.

Scope

Authorized use

LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.