Password Auditor

About this tool

The tool scans a URL, IP address, or hostname for network services that require authentication (e.g. HTTP web forms, SSH, FTP, MySQL, PostgreSQL, RDP) and detects weak credentials by trying to log in with the usernames and passwords from the input wordlists.

Password Auditor is an autonomous password auditing solution for network services and web applications.

Its purpose is to automate the manual work performed when using tools such as Medusa, Hydra, or Ncrack by automatically detecting the services which require authentication and launching the password audit with the right parameters.

One of the unique advantages of this tool is that it automatically detects web forms in web applications and attempts to log in with the given credentials, and it can tell whether a web-form authentication succeeded or not.

As a result, you can easily find web interfaces with weak passwords (e.g. Jenkins, Tomcat, phpMyAdmin, Cisco routers) as well as network services such as SSH, FTP, MySQL, MSSQL, PostgreSQL, and RDP that still use default credentials.

Parameters

  • Target: This is the hostname or IP address to scan.

  • Ports: Choose which ports to check for authentication. Default: Top 100 common ports.

  • Services: Choose the services you want to be audited (HTTP, SSH, FTP, Telnet, etc.). They will be automatically matched to the open ports. Example: Apache running on port 2174 will trigger the HTTP module.

  • Wordlists: Specify a custom wordlist for usernames/passwords.

  • Attempt default credentials: First, try to log in with publicly known default credentials for each respective service and product. Default: enabled.

  • Delay between attempts: Time delay (in seconds) between two consecutive authentication attempts. Default: 0 (no delay enforced). The value must be an integer between 0 and 600.

  • Attack Type: The type of brute force attack Password Auditor will perform (Dictionary or Password Spraying).

  • Lockout period (Password Spray only): Time (in minutes) to wait after trying the number of passwords set by Attempts per period for each username, so that account lockout counters can reset. Default: 5. The value must be an integer between 1 and 720.

  • Attempts per period (Password Spray only): The number of passwords to try for each username in the wordlist before waiting Lockout period minutes for account lockout counters to reset. Default: 2. The value must be an integer between 1 and 50000.
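The three spray-related parameters above interact with the target's own lockout policy: if Attempts per period is not below the lockout threshold, or Lockout period is shorter than the window over which failures are counted, an audit locks out the very accounts it is checking. The dry-run planner below is an added example written for this page, not the Password Auditor's own code. It validates the documented ranges, lays out the order and timing of attempts a spray would make, and checks the plan against an assumed lockout policy (threshold of N failures inside a sliding window of M minutes; the policy values, usernames and passwords are constructed for the example). No authentication is attempted and nothing is contacted on the network.

```python
"""Dry-run planner for the Password Auditor's spray parameters (added example,
not the tool's own code).

Models the three documented knobs:
  delay_seconds       - seconds between consecutive attempts (0..600)
  lockout_minutes     - minutes to wait after each batch (1..720)
  attempts_per_period - passwords tried per username per batch (1..50000)
and checks the resulting schedule against an assumed account lockout policy.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SprayConfig:
    delay_seconds: int = 0          # documented default: 0 (no delay)
    lockout_minutes: int = 5        # documented default: 5
    attempts_per_period: int = 2    # documented default: 2

    def __post_init__(self):
        # Enforce the integer ranges stated in the parameter list.
        if not 0 <= self.delay_seconds <= 600:
            raise ValueError("delay_seconds must be between 0 and 600")
        if not 1 <= self.lockout_minutes <= 720:
            raise ValueError("lockout_minutes must be between 1 and 720")
        if not 1 <= self.attempts_per_period <= 50000:
            raise ValueError("attempts_per_period must be between 1 and 50000")


@dataclass(frozen=True)
class Attempt:
    at: int          # seconds since the start of the run
    username: str
    password: str


def plan_spray(usernames, passwords, cfg):
    """Return the attempts a spray would make, in order, with their time offsets.

    Spraying takes a batch of `attempts_per_period` passwords, tries each one
    against every username (one password across all users, then the next),
    then waits `lockout_minutes` before the next batch. Consecutive attempts
    inside a batch are spaced by `delay_seconds`.
    """
    plan = []
    t = 0
    size = cfg.attempts_per_period
    batches = [passwords[i:i + size] for i in range(0, len(passwords), size)]
    for b, batch in enumerate(batches):
        if b:
            t += cfg.lockout_minutes * 60       # wait for counters to reset
        pairs = [(pw, u) for pw in batch for u in usernames]
        for i, (pw, u) in enumerate(pairs):
            if i:
                t += cfg.delay_seconds          # delay between attempts
            plan.append(Attempt(t, u, pw))
    return plan


def would_lock_out(plan, threshold, window_minutes):
    """Assume every attempt fails (the worst case for lockout) and return the
    usernames whose failures inside any sliding window of `window_minutes`
    reach `threshold`. The policy values are an assumption for the example."""
    window = window_minutes * 60
    failures = {}
    locked = set()
    for a in plan:
        times = failures.setdefault(a.username, [])
        times.append(a.at)
        recent = [x for x in times if x > a.at - window]
        if len(recent) >= threshold:
            locked.add(a.username)
    return locked


# Constructed sample input for the example.
USERNAMES = ["alice", "bob", "carol"]
PASSWORDS = ["Winter2024!", "Welcome1", "Password1", "Summer2024!", "Changeme1"]


def demo():
    """Compare the documented defaults with a more aggressive batch size
    against an assumed policy of 3 failures within 5 minutes."""
    safe = would_lock_out(plan_spray(USERNAMES, PASSWORDS, SprayConfig()), 3, 5)
    risky = would_lock_out(
        plan_spray(USERNAMES, PASSWORDS, SprayConfig(attempts_per_period=3)), 3, 5)
    return safe, risky


if __name__ == "__main__":
    for a in plan_spray(USERNAMES, PASSWORDS, SprayConfig()):
        print(f"t+{a.at:4d}s  {a.username:<6} {a.password}")
    print("locked with defaults:", demo()[0], "locked with 3/period:", demo()[1])
```

With the defaults (2 passwords per period, 5 minute wait) no account in the sample reaches three failures inside a 5 minute window, whereas raising Attempts per period to 3 locks every account in the first batch. Run the planner with your target's real threshold and observation window before starting an audit.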

How it works

The Password Auditor starts by doing a port scan and service discovery against the target to find out which services require authentication.

The next step is to try common username/password combinations (taken from a custom or predefined wordlist) against each service found in the previous step. If the service is web-based, Password Auditor automatically detects the login interface and the parameters used for authentication. The tool can determine whether a web-form authentication succeeded or not.