NEW: automatically exploit Confluence OGNL injection with Sniper

Password Auditor - Find Weak Credentials

Find weak passwords in network services and web applications automatically

Sample Report | Use Cases | Technical Details

Need to see the full results?

Unlock the full power and feature of our Password Auditor - Find Weak Credentials! Compare pricing plans and discover more tools and features.

Sample Report

Here is a Password Auditor - Find Weak Credentials sample report:

Includes the network services which were found reachable
Shows the weak passwords that were found

Download Sample Report

Password Auditor - Find Weak Credentials - Use Cases

The tool scans an URL, IP address, or hostname for network services that require authentication (ex. HTTP web forms, SSH, FTP, MYSQL, RDP, etc) and detects weak credentials by trying to log in using the usernames and passwords from the input wordlists.

Network Penetration Testing

The tool can be used to easily check if any common username/password was used in any network service. This could be an easy entry point into the network.

Self-assessment for Sysadmins

As a system administrator, you want to check if any of your users have set weak passwords on the services exposed to the internet. This verification should be done periodically.

Network Audit

When auditing the configuration settings of a network infrastructure, it is always needed to check the usage of default passwords (ex. cisco/cisco, admin/admin, etc).

Technical Details

About

Password Auditor is an autonomous password auditing solution for network services and web applications.

Its purpose is to automate the manual work performed when using tools such as Medusa, Hydra, or Ncrack by automatically detecting the services which require authentication and launching the password audit with the right parameters.

One of the unique advantages of this tool is that it automatically detects web forms in web applications and it automatically attempts to log in with the given credentials. It can detect if a web form authentication was performed with success or not.

As a result, you can easily find web interfaces with weak passwords (ex. Jenkins, Tomcat, PhpMyAdmin, Cisco routers, etc) together with network services like SSH, FTP, MySQL, MSSQL, RDP, etc, having default credentials.

Parameters

Parameter	Description
Target	This is the hostname or IP address to scan
Ports	Choose which ports to check for authentication (default: Top 100 common ports)
Services	Choose the services you want to be audited (HTTP, SSH, FTP, etc). They will be automatically matched to the open ports. Example: Apache running on port 2174 will trigger the HTTP module.
Wordlists	Specify a custom wordlist for usernames/ passwords

How it works

The Password Auditor starts by doing a port scan and service discovery against the target systems to discover which services require authentication.

The next step is to try common username/password combinations (taken from a predefined wordlist) for each service found in the previous step. In case the service is web-based, Password Auditor automatically detects the login interfaces and parameters for authentication. The tool is capable of knowing if a web-form authentication was performed successfully or not.

Bruteforce ftp ports, mysql ports, mssql ports, rdp ports, ssh ports, login forms, etc.

Search option	Light scan	Full scan
HTTP (+web forms)
SSH
MySQL
MSSQL
RDP
FTP

You also get:

+ full access to all the 25+ tools on the platform

+ dedicated scanners for major new vulnerabilities

+ authenticated scans, reporting & a lot more!

Reconnaissance

Web Vulnerability Scanners

CMS Scanners

Network Vulnerability Scanners

Offensive Tools