DEV.co
Open-Source Security · ztgrace

changeme

changeme is a Python-based default credential scanner that identifies hardcoded and backdoor credentials across multiple protocols (HTTP, SSH, SQL databases, SNMP, FTP, MongoDB). It stores credential definitions in YAML files, making it easy to add new credentials without code changes. Primary use case is penetration testing and infrastructure security audits.

Source: GitHub — github.com/ztgrace/changeme
1.5k
GitHub stars
254
Forks
Python
Primary language
GPL-3.0
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositoryztgrace/changeme
Ownerztgrace
Primary languagePython
LicenseGPL-3.0 — OSI-approved
Stars1.5k
Forks254
Open issues16
Latest releasev1.2.3 (2020-04-26)
Last updated2025-07-08
Sourcehttps://github.com/ztgrace/changeme

What changeme is

A modular security scanner written in Python that loads target lists from various sources (IP ranges, NMAP XML, Shodan queries) and tests them against a YAML-based credential database. Supports multi-protocol testing (HTTP/HTTPS, MySQL, PostgreSQL, MSSQL, SSH, SSH keys, SNMP, FTP, MongoDB) with optional Redis-backed queuing for distributed scanning and threaded concurrency.

Quickstart

Get the changeme source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/ztgrace/changeme.gitcd changeme# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Penetration Testing & Red Team Operations

Quick identification of default credentials on target infrastructure. Covers protocols and services beyond what commercial scanners focus on. Allows custom credential sets to be added via YAML without code modification.

Infrastructure Security Audits

Scan internal subnets or Shodan-sourced targets to detect publicly exposed services with unchanged defaults. YAML-based credential format allows easy maintenance of organization-specific backdoor and legacy system credentials.

Security Research & Lab Environments

Lightweight, modular design suitable for testing credential detection logic. Docker deployment removes platform constraints, enabling reproducible scanning environments.

Implementation considerations

  • Linux-only for production use; Docker required for Windows/macOS. Requires system dependencies: unixodbc-dev (MSSQL), libpq-dev (PostgreSQL), PhantomJS (HTML reports). Plan environment setup accordingly.
  • Credential database is YAML-based and stored in the repository. Verify if organization has process for adding/maintaining custom credentials or if predefined set suffices.
  • Supports both Redis-backed (recommended as 'most stable') and in-memory queue modes. Redis adds operational complexity but enables distributed scanning across multiple workers.
  • No built-in authentication or access control. Assume tool is run in trusted environments only; credentials and results are stored in plaintext.
  • Threading and timeout configurability present but testing required for target responsiveness and false-negative rates in your environment.

When to avoid it — and what to weigh

  • Requires Windows or macOS native support — README explicitly states known issues on Windows and OS X/macOS. Docker workaround exists but adds operational overhead. Project does not appear to prioritize cross-platform compatibility.
  • Need enterprise SLA or vendor support — GPL-3.0 licensed community project with no commercial backing or support channels documented. Latest release (v1.2.3) is from April 2020; active maintenance resumed in 2025 but backward compatibility and upgrade path unknown.
  • Regulatory compliance scanning required — Tool is designed for penetration testing and red team workflows. Not positioned as a compliance/audit-grade scanner. No mention of reporting formats suitable for formal compliance documentation or evidence chains.
  • Need advanced features like remediation or continuous monitoring — Tool performs point-in-time scanning. No evidence of real-time monitoring, automated remediation, alerting, or integration with ticketing systems or SIEM platforms.

License & commercial use

GPL-3.0 (GNU General Public License v3.0). Copyleft license requiring any modifications or derivative works to be distributed under the same terms. Source code must remain open and available.

GPL-3.0 is a copyleft license. Running the tool internally for your own penetration testing is permissible. However, packaging, reselling, or distributing modified versions requires compliance review and mandatory source code disclosure. Consulting use (running scans for clients) may trigger copyleft obligations depending on how results are delivered and code is modified. Requires legal review before commercial deployment.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationAdequate
License clarityClear
Deployment complexityModerate
DEV.co fitGood
Assessment confidenceHigh
Security considerations

Tool performs credential testing against remote services and stores results locally. Credentials and plaintext results (CSV) are stored unencrypted; ensure secure file permissions and access controls. Scanning activity may trigger IDS/WAF alerts or be flagged as unauthorized access if run on production systems without explicit authorization. No built-in audit logging or activity tracking; recommend external logging if used in sensitive environments. YAML-based credential storage in repo is readable by anyone with repository access.

Alternatives to consider

Hydra

General-purpose credential brute-force tool supporting 50+ protocols. More actively maintained and cross-platform. Larger feature set but less focused on default/backdoor credentials specifically.

Nessus / OpenVAS

Shodan CLI + Custom Scripts

Lightweight alternative for querying exposed services directly via Shodan API and testing credentials programmatically. Requires more development effort but offers full flexibility and no GPL constraints if monetized.

Software development agency

Build on changeme with DEV.co software developers

changeme is ideal for penetration testers and security teams auditing internal infrastructure for default credentials. Verify GPL-3.0 compliance and test in your environment before production deployment. Consider Docker for cross-platform support.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

changeme FAQ

Can I use changeme on Windows?
README states known issues on Windows and macOS. Docker is the recommended workaround. Native Windows support is not prioritized.
How do I add custom default credentials?
Credentials are stored in YAML files. Use `./changeme.py --mkcred` to create new credential entries via interactive prompts without writing code. Place YAML files in the designated credentials directory.
Is changeme suitable for scanning production systems?
Tool is designed for authorized penetration testing and red team exercises. Ensure explicit authorization before running scans. Results are stored in plaintext; implement secure file handling. No audit logging built-in.
Can I use changeme commercially or resell it?
GPL-3.0 requires any distribution or modification to be open-source under the same license. Internal use for your own pentesting is permissible. Commercial redistribution or consulting services require legal review to ensure compliance.

Software development & web development with DEV.co

Need help beyond evaluating changeme? DEV.co is a software development agency offering software development services and web development for teams of every size. Our software developers and web developers build custom software, web applications, APIs, and open-source security integrations — and maintain them long-term.

Evaluate changeme for Your Security Program

changeme is ideal for penetration testers and security teams auditing internal infrastructure for default credentials. Verify GPL-3.0 compliance and test in your environment before production deployment. Consider Docker for cross-platform support.