Password Auditor - Discover weak credentials

Sample Report

Here is a Password Auditor - Discover weak credentials sample report:

Includes the network services which were found reachable
Shows the weak passwords that were found

Password Auditor - Discover weak credentials - Use Cases

The tool scans a range of IP addresses for network services that require authentication (ex. HTTP web forms, SSH, FTP, MYSQL, etc) and detects weak credentials by trying to login using a set of common usernames and passwords

Network Penetration Testing

The tool can be used to easily check if any common username/password was used in any network service. This could be an easy entry point into the network.

Self-assessment for Sysadmins

As a system administrator, you want to check if any of your users have set weak passwords on the services exposed to the internet. This verification should be done periodically.

Network Audit

When auditing the configuration settings of a network infrastructure, it is always needed to check the usage of default passwords (ex. cisco/cisco, admin/admin, etc).

Technical Details

About

Password Auditor is an autonomous password auditing solution for network services and web applications.

Its purpose is to automate the manual work performed when using tools such as Medusa, Hydra or Ncrack by automatically detecting the services which require authentication and launching the password audit with the right parameters.

One of the unique advantages of this tool is that it automatically detects web forms in web applications and it automatically attempts to login with default and weak credentials. It has the capability to detect if a web form authentication was performed with success or not.

As a result, you can easily find web interfaces with weak passwords (ex. Jenkins, Tomcat, PhpMyAdmin, Cisco routers, etc) together with network services as SSH, FTP, MySQL, etc, having default credentials.

Parameters

Parameter	Description
Target	This is the hostname, IP or IP range to scan
Services	Choose which services you want to audit (WWW, SSH, FTP, etc)
Credentials	Specify custom credentials to use when doing authentication attempts
Parallel requests	Set the number of parallel authentication attempts against a target host
Delay between attempts	Specify a delay (in seconds) between consecutive authentication attempts
Retries per credential	How many times we should retry a combination of username/password in case it has timedout or returned an error
Mutate passwords	Apply password mutation techniques to the input passwords (ex. first letter uppercase, add various suffixes)

How it works

The Password Auditor starts by doing a port scan and service discovery against the target systems in order to discover which services require authentication.

The next step is to try common username/password combinations (taken from a predefined wordlist) for each service found in the previous step. In case the service is web based, Password Auditor automatically detects the login interfaces and parameters for authentication. The tool is capable of knowing if a web-form authentication was performed successfully or not.

500 Credits	$45	via FastSpring
3000 Credits	$250	via FastSpring
Unlimited Credits	$950	via FastSpring

Search option	Light scan	Full scan
HTTP (+web forms)
SSH
MySQL
FTP

Information Gathering

Web Application Testing

CMS Tests

Infrastructure Testing

SSL Tests

Exploit Helpers & Utils

Security Research

Most Popular