changeme
changeme is a Python-based default credential scanner that identifies hardcoded and backdoor credentials across multiple protocols (HTTP, SSH, SQL databases, SNMP, FTP, MongoDB). It stores credential definitions in YAML files, making it easy to add new credentials without code changes. Primary use case is penetration testing and infrastructure security audits.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | ztgrace/changeme |
| Owner | ztgrace |
| Primary language | Python |
| License | GPL-3.0 — OSI-approved |
| Stars | 1.5k |
| Forks | 254 |
| Open issues | 16 |
| Latest release | v1.2.3 (2020-04-26) |
| Last updated | 2025-07-08 |
| Source | https://github.com/ztgrace/changeme |
What changeme is
A modular security scanner written in Python that loads target lists from various sources (IP ranges, NMAP XML, Shodan queries) and tests them against a YAML-based credential database. Supports multi-protocol testing (HTTP/HTTPS, MySQL, PostgreSQL, MSSQL, SSH, SSH keys, SNMP, FTP, MongoDB) with optional Redis-backed queuing for distributed scanning and threaded concurrency.
Get the changeme source
Clone the repository and explore it locally.
git clone https://github.com/ztgrace/changeme.gitcd changeme# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Linux-only for production use; Docker required for Windows/macOS. Requires system dependencies: unixodbc-dev (MSSQL), libpq-dev (PostgreSQL), PhantomJS (HTML reports). Plan environment setup accordingly.
- Credential database is YAML-based and stored in the repository. Verify if organization has process for adding/maintaining custom credentials or if predefined set suffices.
- Supports both Redis-backed (recommended as 'most stable') and in-memory queue modes. Redis adds operational complexity but enables distributed scanning across multiple workers.
- No built-in authentication or access control. Assume tool is run in trusted environments only; credentials and results are stored in plaintext.
- Threading and timeout configurability present but testing required for target responsiveness and false-negative rates in your environment.
When to avoid it — and what to weigh
- Requires Windows or macOS native support — README explicitly states known issues on Windows and OS X/macOS. Docker workaround exists but adds operational overhead. Project does not appear to prioritize cross-platform compatibility.
- Need enterprise SLA or vendor support — GPL-3.0 licensed community project with no commercial backing or support channels documented. Latest release (v1.2.3) is from April 2020; active maintenance resumed in 2025 but backward compatibility and upgrade path unknown.
- Regulatory compliance scanning required — Tool is designed for penetration testing and red team workflows. Not positioned as a compliance/audit-grade scanner. No mention of reporting formats suitable for formal compliance documentation or evidence chains.
- Need advanced features like remediation or continuous monitoring — Tool performs point-in-time scanning. No evidence of real-time monitoring, automated remediation, alerting, or integration with ticketing systems or SIEM platforms.
License & commercial use
GPL-3.0 (GNU General Public License v3.0). Copyleft license requiring any modifications or derivative works to be distributed under the same terms. Source code must remain open and available.
GPL-3.0 is a copyleft license. Running the tool internally for your own penetration testing is permissible. However, packaging, reselling, or distributing modified versions requires compliance review and mandatory source code disclosure. Consulting use (running scans for clients) may trigger copyleft obligations depending on how results are delivered and code is modified. Requires legal review before commercial deployment.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Adequate |
| License clarity | Clear |
| Deployment complexity | Moderate |
| DEV.co fit | Good |
| Assessment confidence | High |
Tool performs credential testing against remote services and stores results locally. Credentials and plaintext results (CSV) are stored unencrypted; ensure secure file permissions and access controls. Scanning activity may trigger IDS/WAF alerts or be flagged as unauthorized access if run on production systems without explicit authorization. No built-in audit logging or activity tracking; recommend external logging if used in sensitive environments. YAML-based credential storage in repo is readable by anyone with repository access.
Alternatives to consider
Hydra
General-purpose credential brute-force tool supporting 50+ protocols. More actively maintained and cross-platform. Larger feature set but less focused on default/backdoor credentials specifically.
Nessus / OpenVAS
Shodan CLI + Custom Scripts
Lightweight alternative for querying exposed services directly via Shodan API and testing credentials programmatically. Requires more development effort but offers full flexibility and no GPL constraints if monetized.
Build on changeme with DEV.co software developers
changeme is ideal for penetration testers and security teams auditing internal infrastructure for default credentials. Verify GPL-3.0 compliance and test in your environment before production deployment. Consider Docker for cross-platform support.
Talk to DEV.coRelated open-source tools
Surfaced by semantic similarity across the DEV.co open-source index.
Related on DEV.co
Explore the category and the services that help you build with it.
changeme FAQ
Can I use changeme on Windows?
How do I add custom default credentials?
Is changeme suitable for scanning production systems?
Can I use changeme commercially or resell it?
Software development & web development with DEV.co
Need help beyond evaluating changeme? DEV.co is a software development agency offering software development services and web development for teams of every size. Our software developers and web developers build custom software, web applications, APIs, and open-source security integrations — and maintain them long-term.
Evaluate changeme for Your Security Program
changeme is ideal for penetration testers and security teams auditing internal infrastructure for default credentials. Verify GPL-3.0 compliance and test in your environment before production deployment. Consider Docker for cross-platform support.