Password Auditor
Technical Details
Password Auditor is an autonomous password auditing solution for network services and web applications.
Its purpose is to automate the manual work performed when using tools such as Medusa
, Hydra
, or Ncrack
by automatically detecting the services which require authentication and launching the password audit with the right parameters.
One of the unique advantages of this tool is that it automatically detects web forms in web applications and it automatically attempts to log in with the given credentials. It can detect if a web form authentication was performed with success or not.
As a result, you can easily find web interfaces with weak passwords (e.g. Jenkins
, Tomcat
, PhpMyAdmin
, Cisco
routers, etc.) together with network services (like SSH
, FTP
, MySQL
, MSSQL
, PostgreSQL
, RDP
, etc.), having default credentials.
Parameters
Parameter | Description |
---|---|
Target | This is the hostname or IP address to scan |
Ports | Choose which ports to check for authentication (default: Top 100 common ports) |
Services | Choose the services you want to have audited (HTTP , SSH , FTP , Telnet , etc.) They will be automatically matched to the open ports. Example: Apache running on port 2174 will trigger the HTTP module. |
Wordlists | Specify a custom wordlist for usernames/passwords |
How it works
The Password Auditor starts by doing a port scan and service discovery against the target systems to discover which services require authentication.
The next step is to try common username/password combinations (taken from a predefined wordlist) for each service found in the previous step. In case the service is web-based, Password Auditor automatically detects the login interfaces and parameters for authentication. The tool is capable of knowing if a web-form authentication was performed successfully or not.