Overview
The Password Auditor tests network services and web applications for weak, default, or commonly used passwords. It automatically detects authentication interfaces and attempts to log in using provided wordlists.
The Password Auditor is a vulnerability scanner: it actively tests for authentication weaknesses. It does not add data to your Attack Surface. Discovered weak credentials are reported as findings.
Supported targets
| Target type | Examples |
|---|---|
| IP address | 192.168.1.1, 10.0.0.5 |
| Hostname | server.example.com |
| URL | https://app.example.com/login |
Supported services
| Service | Default ports | Description |
|---|---|---|
| AMQP | 5672 | Advanced Message Queuing Protocol |
| Docker | 2375, 2376 | Docker API |
| FTP | 21 | File Transfer Protocol |
| HTTP | 80 | Web forms and HTTP Basic authentication |
| HTTPS | 443 | Web forms and HTTP Basic authentication over TLS |
| MQTT | 1883, 8883 | Message Queuing Telemetry Transport |
| MSSQL | 1433 | Microsoft SQL Server |
| MySQL | 3306 | MySQL/MariaDB databases |
| PostgreSQL | 5432 | PostgreSQL databases |
| RDP | 3389 | Remote Desktop Protocol |
| Redis | 6379 | Redis database |
| SMB | 445 | Windows file shares |
| SSH | 22 | Secure Shell |
| STOMP | 61613 | Simple Text Oriented Messaging Protocol |
| Telnet | 23 | Telnet protocol |
| VNC | 5900 | Virtual Network Computing |
| WinRM | 5985, 5986 | Windows Remote Management |
SMB is disabled by default due to potential account lockout risks. Enable it explicitly when needed.
Attack types
| Type | Description | Use case |
|---|---|---|
| Dictionary | Try all password/username combinations | Standard auditing |
| Password Spray | Try few passwords per user with delays | Avoid account lockouts |
Parameters comparison
| Parameter | Dictionary | Password Spray |
|---|---|---|
| Tests all combinations | ✓ | ✗ |
| Lockout period | ✗ | 1-720 min (default: 5) |
| Attempts per period | ✗ | 1-50,000 (default: 2) |
| Account lockout risk | High | Low |
Password testing can lock out accounts. Coordinate with system owners and understand lockout policies before testing. Use Password Spray mode for production systems.
Dictionary attack
Tests every combination of the usernames and passwords in the wordlists. This is the fastest approach, but it may trigger account lockouts on systems that enforce a lockout policy.
Password spray attack
Tests a limited number of passwords per username, then waits before trying more. Designed to avoid triggering account lockout policies.
| Parameter | Description | Default | Range |
|---|---|---|---|
| Lockout period | Minutes to wait between password batches | 5 | 1-720 |
| Attempts per period | Passwords to try before waiting | 2 | 1-50,000 |
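A pre-flight check of the two Password Spray parameters against a target's lockout policy, added here as an example and not part of the Password Auditor itself. It assumes a Windows-style policy (an account locks after `threshold` failures unless `reset_after_min` minutes pass with no failure) and that every spray attempt fails; `LockoutPolicy`, `SprayConfig` and the helper functions are constructed for this example.

```python
from dataclasses import dataclass
from math import ceil
from typing import Optional

@dataclass(frozen=True)
class LockoutPolicy:
    """Assumed target policy: lock after `threshold` failures unless
    `reset_after_min` minutes pass with no failure (Windows-style counter)."""
    threshold: int
    reset_after_min: int

@dataclass(frozen=True)
class SprayConfig:
    """The two Password Spray parameters documented above."""
    attempts_per_period: int  # 1-50,000, default 2
    lockout_period_min: int   # 1-720, default 5

def validate(cfg: SprayConfig) -> None:
    """Reject values outside the documented ranges."""
    if not 1 <= cfg.attempts_per_period <= 50_000:
        raise ValueError("attempts per period must be 1-50,000")
    if not 1 <= cfg.lockout_period_min <= 720:
        raise ValueError("lockout period must be 1-720 minutes")

def batches_until_lockout(cfg: SprayConfig, policy: LockoutPolicy) -> Optional[int]:
    """Batch at which an account whose attempts all fail locks out,
    or None if the settings can never reach the threshold."""
    validate(cfg)
    if cfg.attempts_per_period >= policy.threshold:
        return 1  # a single batch already trips the lockout
    if cfg.lockout_period_min >= policy.reset_after_min:
        return None  # the counter resets during every wait
    # The wait is shorter than the reset window, so failures accumulate.
    return ceil(policy.threshold / cfg.attempts_per_period)

def is_safe(cfg: SprayConfig, policy: LockoutPolicy) -> bool:
    """True when no account can reach the lockout threshold."""
    return batches_until_lockout(cfg, policy) is None

def duration_min(cfg: SprayConfig, n_passwords: int) -> int:
    """Minutes the spray takes: one wait after every batch except the last."""
    validate(cfg)
    return (ceil(n_passwords / cfg.attempts_per_period) - 1) * cfg.lockout_period_min

if __name__ == "__main__":
    policy = LockoutPolicy(threshold=5, reset_after_min=30)  # constructed policy
    default = SprayConfig(attempts_per_period=2, lockout_period_min=5)
    print(batches_until_lockout(default, policy))  # 3: locks on the third batch
    safe = SprayConfig(attempts_per_period=2, lockout_period_min=30)
    print(is_safe(safe, policy), duration_min(safe, 10))  # True 120
```

The default settings are only safe when the lockout period is at least as long as the policy's reset window; otherwise the failure counter keeps growing across batches.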
Scan options
Port selection
| Option | Description |
|---|---|
| Top 100 ports | Scan ~100 common ports for each service (default) |
| Custom port list | Specify exact ports to test |
| From URL | Extract port from the target URL |
The Top 100 list covers the most common ports for services the Password Auditor supports. See Port lists for the exact ports.
Wordlists
| Option | Description |
|---|---|
| Default usernames | Common usernames (admin, root, user, etc.) |
| Default passwords | Common and default passwords |
| Custom wordlist | Upload your own username or password list |
Create and manage custom wordlists in the Wordlists section. Custom wordlists allow you to include organization-specific terms, industry jargon, or credentials from previous breaches.
Build targeted wordlists using company name variations, product names, and patterns like Summer2024! or Company123. See Wordlists for wordlist management.
Additional options
| Option | Description | Default |
|---|---|---|
| Check default credentials | Try known vendor default credentials first | Enabled |
| Delay between attempts | Seconds to wait between login attempts (0-600) | 0 |
How it works
The Password Auditor works in these steps:
- Port scanning: Identifies open ports running supported authentication services
- Service detection: Fingerprints services to determine authentication type
- Form detection: For HTTP, identifies login forms, fields, and success/failure indicators
- Default credentials: If enabled, tries known vendor defaults for detected products
- Wordlist testing: Attempts login with username/password combinations respecting attack type settings
- Reporting: Records successful authentications as findings
The Password Auditor automatically detects login forms in web applications like Jenkins, Tomcat Manager, phpMyAdmin, and router admin interfaces.
Follow-up actions
After discovering weak credentials:
- Change passwords immediately: Weak credentials are critical findings
- Implement password policies: Enforce complexity and length requirements
- Enable account lockout: Prevent brute force attacks
- Deploy MFA: Add multi-factor authentication where possible
- Run Network Scanner: Check for additional vulnerabilities
- Run Port Scanner: Discover additional services to audit