lolcreds

Public credential defaults and exposure patterns for authorized security testing.

RabbitMQ

Broadcom / VMware Tanzumiddleware3 credentials1 default credential

Credentials3 documented
01

Default guest User

rabbitmq / default-guest-user

RabbitMQ documents a default pair of credentials called the default user. The default guest user is restricted to local connections in modern RabbitMQ deployments unless loopback restrictions are changed.

static defaultsecretusername/password

Default credentials

guest:guest

Location

public interface
AMQP 5672, management UI 15672

RabbitMQ broker and management login surfaces

config file

rabbitmq.conf settings that relax loopback_users or configure default users

source code

Docker Compose files, tutorials, and local dev configurations

logs

connection logs and management authentication failures

Notes

Treat guest/guest as high-risk when reachable remotely or when loopback restrictions are disabled.

02

RabbitMQ User Password

rabbitmq / user-password

RabbitMQ clients authenticate with a username/password pair, JWT token, or x.509 certificate. RabbitMQ documents rabbitmqctl add_user and rabbitmqadmin users declare for creating users and setting passwords.

user definedsecretusername/password

Looks like

pattern
pattern

rabbitmqctl command creating a user with a password argument

rabbitmqctl\s+add_user\s+[^\s]+\s+[^\s]+

Location

config file

definitions.json, rabbitmq.conf, advanced.config, Helm values, and Docker Compose files

environment
RABBITMQ_DEFAULT_USER, RABBITMQ_DEFAULT_PASS, RABBITMQ_USER, RABBITMQ_PASSWORD
secret store

Kubernetes Secrets, Docker secrets, cloud secret managers, and vault entries

source code

broker definitions, deployment scripts, tests, and accidentally committed configs

logs

broker connection logs, management API traces, and CI output

public interface
AMQP 5672, management UI/API 15672

Notes

User permissions are scoped by virtual host and tags; management UI access additionally depends on user tags.

03

OAuth 2 / JWT Access Token

rabbitmq / oauth-jwt-token

RabbitMQ can authenticate clients and management UI users with OAuth 2.0 JWT tokens. RabbitMQ documents JWT token credentials and management UI OAuth authorization code flows.

generated on installsecrettoken

Location

http header
Authorization

Bearer JWT used for management UI/API or OAuth-enabled clients

config file

rabbitmq.conf OAuth provider and resource server settings

secret store

OAuth client secrets, Kubernetes Secrets, and vault entries

logs

management UI OAuth logs and broker authentication traces

Notes

JWT blast radius depends on token scopes, resource server configuration, and mapped RabbitMQ permissions.

Scope

Authorized use

LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.