How to bruteforce IT and server management apps with Hydra and the Password Auditor

Usually, phpMyAdmin login form is found at /mysqladmin/ or /phpmyadmin/ endpoint.

In your browser, go to the Network tab in Web Developer Tools to identify the parameters.

In phpMyAdmin, the token parameter is a security feature used to prevent Cross-Site Request Forgery (CSRF) attacks. This parameter ensures each request to phpMyAdmin is valid and comes from a user session.

After one invalid attempt, the following message is returned:

After multiple failed attempts, we didn’t find any protection mechanism. 

In the first scenario, we used the following Hydra commands:

Because the token parameter acts as a CSRF token, as shown in the output, Hydra failed to distinguish between invalid and valid credentials, marking both as valid.

Since the first scenario didn't work, we did not proceed with testing the second one.

For the first scenario, we adjusted the following parameters in the interface to conduct a more focused scan:

• Target: https://wordpress.pentest-ground.com/mysqladmin/

• Ports: Use port from target URL

• Services: HTTP

• Wordlists: pa-benchmark

Since the pa-benchmark wordlist includes the valid credentials, the tool will make 4 attempts against the target - 3 with invalid credentials and one with valid credentials.

As shown in the screenshots below, Password Auditor successfully identified the valid credentials.

The Password Auditor automatically includes a screenshot of the logged-in session to confirm the provided credentials are valid.

For the second, more realistic scenario, we modified the wordlist to include 3 users (1 invalid and 2 valid) and 13 passwords (12 invalid and 1 valid).

Usually, we can find the cPanel WHM form at the / or the /login endpoint on port 2087.

Use the Network tab in Web Developer Tools to identify the parameters.

After one invalid attempt, the following message is returned:

After multiple failed attempts, we didn’t find any protection mechanism. 

We used the following commands to bruteforce the cPanel WHM app with Hydra with one pair of valid credentials and one pair of invalid ones:

As the output shows, Hydra successfully identified the valid credentials. However, it cannot perform a brute-force attack on invalid credentials because the login returns a 401 status code, causing Hydra to mistakenly assume the target app is using basic authentication.

For the more complex, more realistic scenario, we used the following Hydra command:

As you can see, Hydra failed to identify any valid credentials because of the previously mentioned scenario.

For the first scenario, we adjusted the following parameters in the interface to conduct a more focused scan:

• Target: https://cpanel.pentest-ground.com:2087/login/

• Ports: Use port from target URL

• Services: HTTP

• Wordlists: pa-benchmark

Since the pa-benchmark wordlist includes the valid credentials, four attempts were made to the target (three with invalid credentials and one with valid credentials).

As shown in the screenshots below, the Password Auditor successfully identified the valid credentials.

What’s more, the Password Auditor includes a screenshot of the logged-in session to confirm the provided credentials are valid.

For the second scenario, we only changed the wordlist to include 2 users (1 invalid and 1 valid) and 14 passwords (13 invalid and 1 valid).

The Password Auditor identified the valid credentials when testing 2 users and 12 passwords.

You can usually find the cPanel login form at the / or /login endpoints on port 2083.

Use the Network tab in Web Developer Tools to identify the parameters.

After one invalid attempt, the following message is returned:

After multiple failed attempts, we didn’t detect any protection mechanism.

In the first scenario, we used the following Hydra commands:

As you can see from the output, Hydra identified the valid credentials, but on invalid credentials it can’t perform the bruteforce attack since the login returns 401 status code and it thinks it uses basic authentication.

For the second, more realistic scenario, we used the following command:

As you can see, Hydra failed to identify any valid credentials because of the previously mentioned scenario.

For the first scenario, we adjusted the following parameters in the interface to conduct a more focused scan:

• Target: https://cpanel.pentest-ground.com:2083/login/

• Ports: Use port from target URL

• Services: HTTP

• Wordlists: pa-benchmark

Since the pa-benchmark wordlist includes the valid credentials, the tool will make 4 attempts against the target - 3 with invalid credentials and one with valid credentials.

As the screenshots below reveals, the Password Auditor successfully identified the valid credentials.

What’s more, the Password Auditor included a screenshot of the logged-in session to confirm the provided credentials are valid.

For the second scenario, we only modified the wordlist to include 2 users (1 invalid and 1 valid) and 14 passwords (13 invalid and 1 valid).

The Password Auditor identified the valid credentials when testing 2 users and 12 passwords.

Usually, the Plesk login form sits on the /login endpoint on port 8443.

Use the Network tab in Web Developer Tools to identify the parameters.

After one invalid attempt, the following message is returned:

After 5 invalid credentials, the IP address got blocked:

Hydra was not able to brute force Plesk because of its multipart body format. There is already an open issue for this on their official Github repository.

For the first scenario, these are the parameters we adjusted to perform a more focused scan:

• Target: https://mail.pentest-ground.com/owa/auth/logon.aspx

• Ports: Use port from target URL

• Services: HTTP

• Wordlists: pa-benchmark

As the pa-benchmark wordlist includes the valid credentials, the tool will make 4 attempts against the target - 3 with invalid credentials and one with valid credentials.

As shown in the screenshots below, Password Auditor successfully identified the valid credentials.

Additionally, the Password Auditor includes a screenshot of the logged-in session in its results to confirm the provided credentials are valid.

For the second scenario, we used a wordlist with 2 users (1 invalid and 1 valid) and 12 passwords (11 invalid and 1 valid).

Because the scanner’s source IP address was blocked, the Pentest-Tools.com Password Auditor was unable to identify the valid credentials. However, it reported that website access was blocked after 6 attempts.

You can customarily find the Webmin login form on the / endpoint on port 10000.

Use the Network tab in Web Developer Tools to identify the parameters.

After one invalid attempt, Webmin returns the following message:

After more than 5 invalid tries, the IP got blocked.

In the first 1 set of valid and 1 set of invalid credentials scenario, we used the following Hydra commands:

As you can see from the output, Hydra marked both tries as valid credentials.

We did not test the second scenario since the first one did not work.

For the first scenario, these are the parameters we adjusted to perform a more focused scan:

• Target: https://webmin.pentest-ground.com:10000

• Ports: Use port from target URL

• Services: HTTP

• Wordlists: pa-benchmark

The pa-benchmark wordlist includes valid credentials, so the process involves making four attempts to the target: 3 with invalid credentials and 1 with valid credentials.

The screenshots below show that the Pentest-Tools.com Password Auditor successfully identified the valid credentials.

The Password Auditor also provides a screenshot of the logged-in session to verify the validity of the provided credentials.

For the second scenario, the wordlist we used included 2 users (1 invalid and 1 valid) and 12 passwords (11 invalid and 1 valid).

Because Webmin activated its protection mechanism and blocked the scanner's source IP address, the Password Auditor was unable to identify the valid credentials. However, it reported the block as an informational finding.

The default admin login page for Roxy-WI is typically located on the /app/login.py endpoint on port 443.

Use the Network tab in Web Developer Tools to identify the parameters.

After one invalid attempt, Roxy-WI returns the following message:

The Roxy-WI application has a minimal anti-bruteforce mechanism because the login button gets disabled for just 10 seconds when you enter an invalid set of credentials.

In the first 1 set of valid and 1 set of invalid credentials scenario, we used the following Hydra commands:

The server returns an HTTP status code of 200 with the text "ban" when it receives invalid credentials. This response confuses Hydra, leading it to consider the login attempt successful.

Since the first scenario didn't work, we did not proceed with testing the second one.

For the first scenario, these are the parameters we adjusted to perform a more focused scan:

• Target: https://roxy-wi.pentest-ground.com/app/login.py

• Ports: Use port from target URL

• Services: HTTP

• Wordlists: pa-benchmark

The pa-benchmark wordlist includes valid credentials, so the process involves making four attempts to the target: 3 with invalid credentials and 1 with valid credentials.

The screenshots below show that the Pentest-Tools.com Password Auditor successfully identified the valid credentials.

The Password Auditor also provides a screenshot of the logged-in session to verify the validity of the provided credentials.

For the second scenario, we only changed the wordlist to include 2 users (1 invalid and 1 valid) and 13 passwords (12 invalid and 1 valid). 

In the second scenario, the Password Auditor identified all the valid credentials.

The default admin login page for CloudPanel is typically located on the /login endpoint on port 8443.

Use the Network tab in Web Developer Tools to identify the parameters.

In Cloudpanel, the csrftoken parameter is a critical security feature used to prevent Cross-Site Request Forgery (CSRF) attacks. It ensures the form submission is coming from the same site and session, protecting the website and its users from malicious actions.

After one invalid attempt, CloudPanel returns the following message:

In the first 1 set of valid and 1 set of invalid credentials scenario, we used the following Hydra commands:

As explained in the login parameters discovery section, the csrftoken is used as a CSRF token and is dynamically set. Since Hydra cannot use a session to automatically set this parameter, it marks both invalid and valid credentials as valid.

Since the first scenario didn't work, we did not proceed with testing the second one.

For the first scenario, these are the parameters we adjusted to perform a more focused scan:

• Target: https://cloudpanel.pentest-ground.com:8443/login

• Ports: Use port from target URL

• Services: HTTP

• Wordlists: pa-benchmark

The pa-benchmark wordlist includes valid credentials, so the process involves making four attempts to the target: 3 with invalid credentials and 1 with valid credentials.

The screenshots below show that the Pentest-Tools.com Password Auditor successfully identified the valid credentials.

The Password Auditor also provides a screenshot of the logged-in session to verify the validity of the provided credentials.

For the second scenario, we just changed the wordlist to include 2 users (1 invalid and 1 valid) and 13 passwords (12 invalid and 1 valid). 

In the second scenario, the Password Auditor on Pentest-Tools.com identified the valid credentials.