
Password Auditor

Find weak passwords in network services and web applications automatically.


Reporting

Sample Password Auditor report

Here is a sample report from our Password Auditor that gives you a taste of how our tools save you time and reduce repetitive manual work.

  • Includes the network services which were found reachable

  • Shows the weak passwords that were found


How to use the pentesting tool

Use Cases for Password Auditor

The tool scans a URL, IP address, or hostname for network services that require authentication (e.g. HTTP web forms, SSH, FTP, MySQL, MSSQL, PostgreSQL, RDP, etc.) and detects weak credentials by trying to log in using the usernames and passwords from the input wordlists.

  • Network Penetration Testing

    Try this scanner to check if network services use common usernames and passwords. Such credentials could be an easy entry point into the network for malicious actors.

  • Self-assessment for Sysadmins

    If you are a system administrator, you can check whether any of your users have set weak passwords on the services exposed to the internet. Try to do these assessments periodically.

  • Network Audit

    When you audit the configuration settings of network infrastructure, always check for default passwords (e.g. cisco/cisco, admin/admin, etc.).


Password Auditor

Technical details

Password Auditor is an autonomous password auditing solution for network services and web applications.

Its purpose is to automate the manual work performed when using tools such as Medusa, Hydra, or Ncrack by automatically detecting the services which require authentication and launching the password audit with the right parameters.

One of the unique advantages of this tool is that it automatically detects web forms in web applications and attempts to log in with the given credentials. It can also detect whether a web form authentication succeeded.

As a result, you can easily find web interfaces with weak passwords (e.g. Jenkins, Tomcat, PhpMyAdmin, Cisco routers, etc.) together with network services (like SSH, FTP, MySQL, MSSQL, PostgreSQL, RDP, etc.) that have default credentials.

Parameters

| Parameter | Description |
|-----------|-------------|
| Target | This is the hostname or IP address to scan |
| Ports | Choose which ports to check for authentication (default: Top 100 common ports) |
| Services | Choose the services you want to have audited (HTTP, SSH, FTP, Telnet, etc.). They will be automatically matched to the open ports. Example: Apache running on port 2174 will trigger the HTTP module. |
| Wordlists | Specify a custom wordlist for usernames/passwords |

How it works

The Password Auditor starts with a port scan and service discovery against the target systems to identify which services require authentication.

The next step is to try common username/password combinations (taken from a predefined wordlist) for each service found in the previous step. If the service is web-based, Password Auditor automatically detects the login interfaces and the parameters used for authentication. The tool can tell whether a web-form authentication succeeded or not.