Hydra or the Password Auditor: the best tool for brute-force attacks
When it comes to credential auditing, choosing the right tool can make all the difference.
This comparison puts Hydra and the Password Auditor to the test across 26 web applications - including Microsoft Exchange, WordPress, and Joomla - to evaluate how effectively they identify weak credentials, navigate complex login forms, and detect security defenses like CAPTCHAs and IP blocking.
Find out which tool gets you in faster, smarter, and with less hassle.
![Hydra vs password auditor hero image](https://content.pentest-tools.com/assets/password-auditor-vs-hydra---hero-image.webp)
Overview of this bruteforce tools comparison
Necessary
Why compare these credential scanning tools?
This comparison dives into how Hydra and the Password Auditor actually perform in real-world scenarios to find weak credentials.
By testing both tools across different web apps, it shows how well they handle various login forms, error messages, and security defenses like CAPTCHA or IP blocking.
This isn't just about raw data; it's about helping you pick the right tool that’s effective, easy to use, and fits your specific needs when you're on a job, trying to efficiently audit targets for weak credentials.
Transparent
What kind of findings does this comparison include?
The findings cover the tool’s detection rates of valid credentials, how they detect defensive measures like CAPTCHA and IP blocking, and how accurately they identify login endpoints and parameters in 26 different web applications.
The key findings and full list of results include all the Hydra commands and Password Auditor parameters used, as well as proof for each tested web app.
Realistic and relevant
How does this comparison evaluate the tested bruteforce tools?
The comparison measures each tool's success rate by testing both Hydra and the Pentest-Tools.com Password Auditor across 26 HTTP applications, using two scenarios: a controlled lab environment with a mix of valid and invalid credentials, and a real-life setup with multiple invalid credentials.
It assesses each tool's ability to identify login endpoints, detect error messages, detect defenses like IP blocking and CAPTCHA, and accurately report results.
Methodology for this bruteforce tools comparison
Testing period: July-August 2024
Evaluated on the ability to identify:
login endpoints
login parameters
error messages & protection mechanisms
26 HTTP applications tested
2 replicable test scenarios
2 wordlists with valid + invalid usernames & passwords
7 defensive measures tested
Criteria for evaluating bruteforce tools
For a fair, objective evaluation of both Hydra (open-source) and our Password Auditor (proprietary), we chose transparent criteria and a replicable setup to open this analysis up to independent testing and validation.
This comparison tests how each credential scanning tool interacts with the application login in two situations:
Lab scenario: when sending 1 valid and 1 invalid pair of credentials
Realistic scenario: when sending 1 valid and 10+ invalid pairs of credentials.
Successful detection means the tool identified the credentials or provided a server error finding with a screenshot, along with bypass recommendations on how to override protections.
Testing bruteforce software in a lab scenario
Simulating a lab environment, we evaluated the tools’ ability to detect login parameters and validate two sets of credentials to confirm a successful login.
Testing bruteforce software in a realistic scenario
Replicating a real-life scenario, we tested the tools' ability to handle multiple sets of credentials and observe the application's defensive measures against brute force attacks - and how effectively the tools reported these defenses.
Defensive measures included: 2FA, IP whitelisting and IP blacklisting, CAPTCHA, account lockout, source IP blocking, rate-limiting, context-based authentication, and login attempt delay.
Watch the bruteforce tool comparison breakdown
Watch David Bors, Security Research Engineer, break down the results of this comparison and see how each credential scanning tool did against the 26 HTTP applications.
![placeholder](/_vercel/image?url=https:%2F%2Fcontent.pentest-tools.com%2Fassets%2Fcontent%2Fpassword-auditor-vs-hydra%2Fpassword-auditor-vs-hydra-comparison-video.png&w=1536&q=100)
Comparison results: the most accurate brute forcing tool
Find out which bruteforce tool cracks faster and better
Identifying valid credentials in a lab scenario
The Password Auditor on Pentest-Tools.com consistently demonstrated superior accuracy in identifying valid credentials across all 26 web applications. It achieved a 100% success rate when tested with one valid and one invalid credential set.
Hydra, in contrast, identified only 7 valid credentials with a 27% success rate for the single credential test scenario.
![Detection in lab scenario](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/lab-scenario.png)
Identifying valid credentials in a realistic scenario
When testing the 26 target apps with multiple credentials (one valid and 10+ invalid ones), the Password Auditor on Pentest-Tools.com maintained a high success rate of 84% in identifying credentials or detecting defensive measures.
In this more complex scenario, Hydra's success rate dropped to 15%, correctly identifying only 4 valid credentials. This suggests Hydra struggles more with identifying valid credentials under varying conditions.
![Detection in realistic scenario](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/realistic-scenario.png)
Handling application-specific defensive mechanisms
The Password Auditor on Pentest-Tools.com was notably effective in recognizing various defensive mechanisms like IP blacklisting, CAPTCHA, account lockout, and rate limiting. It provided specific feedback and recommendations to bypass or handle these defenses, which is crucial for real-life penetration testing where such measures are common.
Hydra faced challenges with certain applications that use web CSRF tokens or dynamic form protections. Because of its inability to handle client-side JavaScript token generation or CSRF token rotation, Hydra often marked valid and invalid attempts similarly, reducing its effectiveness. Workarounds exist, but they require several tools and do not fit the scope of this benchmark.
Ease of use and setup
The Password Auditor on Pentest-Tools.com is more user-friendly with a pre-configured interface that simplifies the setup process. Security practitioners just need to specify the target, select the attack type, choose ports, and enable desired services. The tool also allows scheduling regular scans, enhancing its usability.
Hydra requires a more manual setup process, including crafting specific commands to find login endpoints and parameters, which is time-consuming. This setup complexity is a disadvantage in fast-paced testing environments where time efficiency is critical.
Ability to work around encryption and token mechanisms
The Password Auditor effectively managed to bypass client-side encoding and token mechanisms by using its pre-built configurations. This capability is particularly valuable for auditing web apps that implement client-side protections.
Hydra’s performance dropped significantly on platforms that used client-side hashing or encryption. Since Hydra doesn’t operate within a browser environment, it couldn’t replicate JavaScript-based hashing, limiting its effectiveness against applications like Adobe ColdFusion and JetBrains TeamCity, which use advanced encryption or client-side hashing.
Overall performance
For security specialists looking for a robust, easy-to-use tool with high accuracy in detecting weak credentials and handling modern web application defenses, the Password Auditor on Pentest-Tools.com is a recommended choice. Its high success rates, user-friendly interface, and ability to navigate advanced security mechanisms make it a more reliable option for comprehensive web app auditing.
Hydra remains a powerful tool, especially for scenarios where a more manual, command-line approach is suitable, or when dealing with simpler authentication mechanisms without complex client-side protections. However, for advanced, automated credential auditing across diverse environments, the Password Auditor offers more value and reliability.
Setup and specs for bruteforcing with Hydra and the Password Auditor
Tinkering with security tools is fun, but it can quickly become frustrating if it takes too long.
The most demanding part of this comparison was setting up Hydra correctly. Crafting the right command is time-consuming, so we're sharing the detailed steps for identifying parameters and configuring Hydra to test all 26 web apps.
Alongside it you’ll see how to use our Password Auditor - and what results it gets you.
![Hydra logo](/_vercel/image?url=https:%2F%2Fcontent.pentest-tools.com%2Fassets%2Fcontent%2Fpassword-auditor-vs-hydra%2Fhydra-logo.png&w=1536&q=100)
Hydra
To determine the Hydra command, follow these steps:
1. Find the login endpoint
Find the application's login endpoint by either exploring the application in a browser or by fuzzing to discover login paths.
2. Discover the login parameters
Use Firefox's Web Developer Tools, specifically the Network tab, to find the parameters required for logging into the application.
3. Identify error messages and protection mechanisms
Input invalid credentials to identify possible error messages and observe how many invalid attempts trigger a protection mechanism.
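Step 3 is what decides whether a command-line run can be trusted: the response to a wrong password has to be told apart from a lockout page, an IP block, a CAPTCHA challenge or a bare 401, because a tool that only checks for the absence of one failure string reports every one of those as a valid login. The Python example below is added here and is not code from Hydra, from the Password Auditor or from Pentest-Tools.com. It classifies constructed sample responses (modelled on the WordPress/Wordfence, Drupal and cPanel WHM behaviour described in the results sections of this page, with invented message text) and reports after how many attempts a protection appeared and how many responses a failure-string-only rule would misread. The regex phrases, labels and sample bodies are this example's own assumptions.

```python
"""Classify the responses seen while probing a login form with invalid
credentials (step 3): which message means "wrong password", when a protection
mechanism appears, and which responses a failure-string-only rule misreads.
Added example, not code from Hydra or the Password Auditor; every response
below is constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Response:
    status: int
    headers: Dict[str, str]
    body: str


# Phrases (assumed, not taken from any product) that indicate a defence
# rather than an ordinary failed login.
PROTECTION_PATTERNS = [
    ("account_lockout", re.compile(r"\baccount\b.{0,60}\b(locked|blocked)\b", re.I | re.S)),
    ("ip_block", re.compile(r"\b(ip( address)?|access)\b.{0,60}\b(blocked|limited|banned)\b", re.I | re.S)),
    ("captcha", re.compile(r"captcha", re.I)),
]
PROTECTION_LABELS = {"rate_limited", "account_lockout", "ip_block", "captcha"}


def naive_verdict(resp: Response, failure_string: str) -> str:
    """Hydra's default rule for a form spec with a failure (F=) condition:
    the login is 'valid' whenever the failure string is missing."""
    return "invalid" if failure_string in resp.body else "valid"


def classify(resp: Response, failure_string: str) -> str:
    """Multi-signal classification: status and headers first, then defence
    phrases, then the 401 special case, then the known failure message,
    then positive evidence of a login."""
    if resp.status == 429 or "Retry-After" in resp.headers:
        return "rate_limited"
    for label, pattern in PROTECTION_PATTERNS:
        if pattern.search(resp.body):
            return label
    if resp.status == 401:
        # A form that answers failed logins with 401 is read by Hydra's form
        # module as an HTTP-auth challenge, and it stops (see cPanel WHM).
        return "http_401_challenge"
    if failure_string in resp.body:
        return "invalid_credentials"
    if resp.status in (301, 302, 303) and "Set-Cookie" in resp.headers:
        return "probable_success"      # redirect plus a session cookie
    return "inconclusive"              # failure string absent, no proof of login


def summarize_probe(responses: List[Response], failure_string: str) -> Tuple[Optional[int], int]:
    """Return the attempt number at which a protection first appeared (None if
    never) and how many responses the naive rule would wrongly call valid."""
    first_protection, false_positives = None, 0
    for n, resp in enumerate(responses, start=1):
        label = classify(resp, failure_string)
        if label in PROTECTION_LABELS and first_protection is None:
            first_protection = n
        if naive_verdict(resp, failure_string) == "valid" and label != "probable_success":
            false_positives += 1
    return first_protection, false_positives


# Constructed probe: ten rejected logins, then a Wordfence-style block page
# (invented wording) that no longer carries the failure string.
WP_FAIL = "The username or password you entered is invalid."
WP_PROBE = (
    [Response(200, {"Content-Type": "text/html"}, f"<div id='login_error'>{WP_FAIL}</div>")] * 10
    + [Response(503, {"Content-Type": "text/html"},
                "<h1>Your access to this site has been temporarily limited</h1>")] * 2
)
# Constructed single responses for the other behaviours this page describes.
DRUPAL_LOCKOUT = Response(200, {}, "There have been more than 5 failed login attempts "
                                   "for this account. It is temporarily blocked.")
CPANEL_401 = Response(401, {}, "<p>The login is invalid.</p>")
WP_SUCCESS = Response(302, {"Location": "/wp-admin/", "Set-Cookie": "wordpress_logged_in=constructed"}, "")

if __name__ == "__main__":
    first, fps = summarize_probe(WP_PROBE, WP_FAIL)
    print(f"protection first seen at attempt {first}; naive-rule false positives: {fps}")
    for r in (DRUPAL_LOCKOUT, CPANEL_401, WP_SUCCESS):
        print(r.status, classify(r, WP_FAIL), "naive:", naive_verdict(r, WP_FAIL))
```

Run against the constructed probe, the summary reports the protection at attempt 11 and two responses that the failure-string rule alone would have reported as valid credentials; that gap between `naive_verdict` and `classify` is the mechanism behind the false positives in the Hydra results further down the page.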
![Password auditor logo](/_vercel/image?url=https:%2F%2Fcontent.pentest-tools.com%2Fassets%2Fcontent%2Fpassword-auditor-vs-hydra%2Fpassword-auditor.png&w=1536&q=100)
The Password Auditor on Pentest-Tools.com
The Password Auditor on Pentest-Tools.com is pre-configured and ready to use.
Add your target.
Choose the attack type (dictionary or password spray).
Select the port range.
Enable the services you want to test.
Use the default wordlists or create/add your own.
Set a delay between attempts to avoid lockouts.
[Optional] Enable default credentials check.
[Optional] Set a custom scan time.
[Optional] Choose a “follow redirects” policy.
And scan - or schedule a regular scan.
How to bruteforce web apps with Hydra and the Password Auditor
How to check WordPress for weak credentials
Deployment method: Vultr marketplace
1. Find the WordPress web app login endpoint
The WordPress administrator login usually sits on the /wp-login.php endpoint.
![Wordpress login interface](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/interfaces/wordpress.png)
2. Discover the WordPress login parameters
Use the Network tab in the browser’s Web Developer Tools to find the login parameters.
![wordpress dev tools](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/dev-tools/wordpress.webp)
3. Identify error messages and protection mechanisms
After one invalid attempt, the WordPress app returns the following message:
![Wordpress error](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/protection/wordpress-error.webp)
After 10 invalid attempts, the Wordfence plugin (pre-installed in the deployed environment) gets triggered. Note that the block only works for active accounts.
![Wordpress blocked](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/protection/wordpress-blocked.webp)
Hydra commands and output
For bruteforcing WordPress with 1 valid and 1 invalid pair of credentials, we used the following commands:
hydra -l wpauserAt32pBC2 -p bad-password wordpress.pentest-ground.com -V https-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:The username or password you entered is invalid.'
hydra -l wpauserAt32pBC2 -p D5nZ9UzELriBpENkATlgWR7jqeamvr7j wordpress.pentest-ground.com -V https-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:The username or password you entered is invalid.'
![Wordpress hydra](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/hydra/wordpress-1_1.webp)
As shown in the output, Hydra successfully distinguished between invalid and valid credentials.
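Reading the Hydra commands above is easier once the service specification they pass is broken into its fields. The Python example below is an added illustration, not code from Hydra, from the Password Auditor or from Pentest-Tools.com: it parses Hydra's `<path>:<form parameters>:<condition>[:<option>...]` string (unescaped colons as separators, `\:` for a literal colon, `^USER^`/`^PASS^` placeholders, an `F=`/`S=` condition prefix and `H=`/`C=` options, as documented in Hydra's form-module help), renders the request for a given credential pair and applies the condition the way Hydra's form module does. It uses the WordPress and cPanel WHM specs from this page plus one constructed spec for a hypothetical target; percent-encoding of the substituted values is this example's own choice (Hydra applies its own encoding), and a response body without the failure string is judged a success, which is exactly the false-positive path discussed in the results.

```python
"""Parse Hydra's http-post-form / https-post-form service specification.

Added example: not Hydra's own code, only a reader of the string format its
form module documents:
    <path>:<form parameters>:<condition>[:<option>[:<option>...]]
Fields are separated by unescaped colons (a literal colon is written "\\:"),
^USER^ and ^PASS^ are substituted into the path and parameters, the condition
is a failure string (optional "F=" prefix) or a success string ("S=" prefix),
and options such as "H=Header: value" or "C=/cookie/page" may follow.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
from urllib.parse import quote_plus

# Specs taken from the WordPress and cPanel WHM commands on this page.
WP_SPEC = ("/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1"
           ":The username or password you entered is invalid.")
CPANEL_SPEC = "/login/:user=^USER^&pass=^PASS^:The login is invalid."
# Constructed spec for a hypothetical target: S= condition, an H= option and an escaped colon.
CUSTOM_SPEC = r"/portal/login:user=^USER^&pass=^PASS^:S=Welcome back:H=Cookie\: sessid=abc123"


@dataclass
class FormSpec:
    path: str
    params: str
    condition: str            # string Hydra searches for in the response
    condition_type: str       # "F": presence means failure; "S": presence means success
    headers: List[str] = field(default_factory=list)
    cookie_url: Optional[str] = None
    extras: List[str] = field(default_factory=list)


def split_unescaped(spec: str, sep: str = ":") -> List[str]:
    """Split on `sep` unless it is preceded by a backslash; unescape "\\:"."""
    parts, buf, i = [], [], 0
    while i < len(spec):
        ch = spec[i]
        if ch == "\\" and i + 1 < len(spec) and spec[i + 1] == sep:
            buf.append(sep)          # keep a literal colon
            i += 2
            continue
        if ch == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def parse_form_spec(spec: str) -> FormSpec:
    parts = split_unescaped(spec)
    if len(parts) < 3:
        raise ValueError("expected at least <path>:<params>:<condition>")
    path, params, cond = parts[0], parts[1], parts[2]
    cond_type = "F"
    if cond.startswith("S="):
        cond_type, cond = "S", cond[2:]
    elif cond.startswith("F="):
        cond = cond[2:]
    fs = FormSpec(path, params, cond, cond_type)
    for opt in parts[3:]:
        if opt[:2] in ("H=", "h="):    # extra request header
            fs.headers.append(opt[2:])
        elif opt.startswith("C="):     # page to fetch first for a session cookie
            fs.cookie_url = opt[2:]
        else:
            fs.extras.append(opt)
    return fs


def render_request(fs: FormSpec, user: str, password: str) -> Tuple[str, str]:
    """Substitute the placeholders into path and body. Percent-encoding the
    credential values is this example's choice; Hydra applies its own encoding."""
    u, p = quote_plus(user), quote_plus(password)

    def sub(s: str) -> str:
        return s.replace("^USER^", u).replace("^PASS^", p)

    return sub(fs.path), sub(fs.params)


def judge(fs: FormSpec, body: str) -> bool:
    """Apply the condition as Hydra's form module does: with an F= string a login
    counts as valid when the string is absent, with S= when it is present."""
    present = fs.condition in body
    return present if fs.condition_type == "S" else not present


if __name__ == "__main__":
    for name, spec in (("WordPress", WP_SPEC), ("cPanel WHM", CPANEL_SPEC), ("constructed", CUSTOM_SPEC)):
        fs = parse_form_spec(spec)
        path, body = render_request(fs, "benchmark-user", "bad-password")
        print(f"{name}: POST {path}\n  body: {body}\n  {fs.condition_type}={fs.condition!r} headers={fs.headers}")
```

Note what `judge` does with a body such as `<h1>Access limited</h1>`: the failure string is absent, so the attempt is reported as valid. That is the expected result of an F= condition and the reason a block page or a rotated CSRF token turns a Hydra run into a list of false positives.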
For the second scenario that used multiple sets of credentials, we used the following Hydra command:
hydra -L users.txt -P pass.txt wordpress.pentest-ground.com -V https-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:The username or password you entered is invalid.'
Wordfence was activated after multiple failed attempts, and Hydra then reported numerous incorrect credential pairs as valid: once the block page is returned, the failure string Hydra matches on no longer appears in the response.
![Wordpress hydra multiple creds](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/hydra/wordpress-multiple-creds.webp)
Password Auditor commands and results
For the first scenario, we adjusted the following parameters in the interface to run a more focused scan:
Ports: Use port from target URL
Services: HTTP
Wordlists: pa-benchmark
Since the pa-benchmark wordlist includes the valid credentials, the Password Auditor will make 4 attempts against the target - 3 with invalid credentials and one with valid credentials.
![Wordpress password auditor scan results](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/password-auditor/wordpress-1.webp)
![Wordpress password auditor HTTPS weak password](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/password-auditor/wordpress-2.webp)
The Pentest-Tools.com Password Auditor also includes a screenshot of the logged-in session to confirm the provided credentials are valid.
![Password Auditor screenshot of the logged-in wordpress session](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/password-auditor/wordpress-3.webp)
For the scenario with multiple credentials, we modified the wordlist to include 2 users (1 invalid and 1 valid) and 12 passwords (11 invalid and 1 valid). The Password Auditor reports the IP address was temporarily blocked.
To automatically avoid IP blocking, you can use the “Delay between attempts” option in the Password Auditor to set a custom delay duration and ensure your attacks are effective and get you the results you need.
![Wordpress password auditor access blocked](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/password-auditor/wordpress-4.webp)
![Wordpress password auditor IP blocking](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/password-auditor/wordpress-5.webp)
How to check Drupal for weak credentials
Deployment method: Vultr marketplace
1. Find the Drupal web app login endpoint
You can usually find the Drupal login at the /user/login endpoint.
![Drupal login screen](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/interfaces/drupal.webp)
2. Discover the Drupal login parameters
Use the Network tab in the browser’s Web Developer Tools to identify the login parameters.
![Drupal developer tools](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/dev-tools/drupal.webp)
3. Identify error messages and protection mechanisms
After one invalid attempt, the following message is returned:
![Drupal login error](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/protection/drupal-error.webp)
After 5 invalid login attempts, the protection mechanism is activated, and the account is temporarily blocked.
![Drupal blocked login attempt](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/protection/drupal-blocked.webp)
After multiple failed attempts, the source IP address will be blocked.
![Drupal IP blocked](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/protection/drupal-ip-blocked.webp)
Hydra commands and output
In the first scenario, we used the following Hydra commands:
hydra -l benchmark-user -p bad-password drupal.pentest-ground.com -V https-form-post "/user/login/:name=^USER^&pass=^PASS^&form_build_id=form-8B10wX9zca3XsUyefKATrbS3W5C0yAFH0Ko1jIeWg6Q&form_id=user_login_form&op=Log+in:Unrecognized username or password"
hydra -l benchmark-user -p tq6nAhfAhqtwBn7WXWqoaMXWF drupal.pentest-ground.com -V https-form-post "/user/login/:name=^USER^&pass=^PASS^&form_build_id=form-8B10wX9zca3XsUyefKATrbS3W5C0yAFH0Ko1jIeWg6Q&form_id=user_login_form&op=Log+in:Unrecognized username or password"
![Drupal hydra](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/hydra/drupal-1_1.webp)
As shown in the output, Hydra accurately identified the invalid and valid credentials.
For the second, more complex scenario, we used the following command:
hydra -L users.txt -P pass.txt drupal.pentest-ground.com -V https-form-post "/user/login/:name=^USER^&pass=^PASS^&form_build_id=form-8B10wX9zca3XsUyefKATrbS3W5C0yAFH0Ko1jIeWg6Q&form_id=user_login_form&op=Log+in:Unrecognized username or password"
![Drupal hydra multiple credentials](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/hydra/drupal-multiple-creds.webp)
Drupal activated its protection mechanism after multiple failed attempts, and Hydra was unable to find the valid credentials.
Password Auditor commands and results
To run a quicker, more focused scan in the first scenario, we adjusted the following parameters:
Ports: Use port from target URL
Services: HTTP
Wordlists: pa-benchmark
Since the pa-benchmark wordlist includes the valid credentials, the tool will make 4 attempts against the target - 3 with invalid credentials and one with valid credentials.
As shown in the screenshots below, the Pentest-Tools.com Password Auditor successfully identified the valid credentials.
![Drupal password auditor scan results](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/password-auditor/drupal-1.webp)
![Drupal password auditor HTTPS weak password](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/password-auditor/drupal-2.webp)
The Password Auditor also includes a screenshot of the logged-in session to confirm that the provided credentials are valid.
![Password auditor screenshot of the logged-in Drupal session](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/password-auditor/drupal-3.webp)
For the second scenario, we modified the wordlist to include 2 users (1 invalid and 1 valid) and 12 passwords (11 invalid and 1 valid).
The Password Auditor reported both a temporary account lockout and an IP address block error.
![Drupal temporary account lockout detection](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/password-auditor/drupal-account-lockout-1.webp)
![Drupal temporary account lockout detection screenshot](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/password-auditor/drupal-account-lockout-2.webp)
![Drupal IP address blocked](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/password-auditor/drupal-ip-address-blocked-1.webp)
![Drupal IP address blocked screenshot](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/password-auditor/drupal-ip-address-blocked-2.webp)
How to check Joomla login for weak credentials
Deployment method: Vultr marketplace
1. Find the Joomla web app login endpoint
Usually, the Joomla login form is found on the / or on the /index.php/component/users/login endpoints.
![Joomla login form](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/interfaces/joomla.webp)
2. Discover the Joomla login parameters
Use the Network tab in your browser’s Web Developer Tools to identify the parameters.
![Joomla web developer tools](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/dev-tools/joomla.webp)
The "return" parameter is a base64-encoded URL to which the user will be redirected after a successful login. Decoding this base64 string would reveal the actual URL.
3. Identify error messages and protection mechanisms
After one invalid attempt, the following message is returned:
![Joomla login page error](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/protection/joomla.webp)
After multiple failed attempts, no protection mechanism came up.
Hydra commands and output
In the first scenario, we used the following Hydra commands to bruteforce the Joomla app:
hydra -l benchmark-user -p bad-password joomla.pentest-ground.com -V https-form-post "/index.php:username=^USER^&passwd=^PASS^&option=com_users&task=user.login&&return=aHR0cHM6Ly9qb29tbGEucGVudGVzdC1ncm91bmQuY29tLw%3D%3D&195456de3e96e3936aa12ea30f4462d4=1:Username and password do not match or you do not have an account yet."
hydra -l benchmark-user -p tq6nAhfAhqtwBn7WXWqoaMXWF joomla.pentest-ground.com -V https-form-post "/index.php:username=^USER^&passwd=^PASS^&option=com_users&task=user.login&&return=aHR0cHM6Ly9qb29tbGEucGVudGVzdC1ncm91bmQuY29tLw%3D%3D&195456de3e96e3936aa12ea30f4462d4=1:Username and password do not match or you do not have an account yet."
![Joomla Hydra output](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/hydra/joomla-1_1.webp)
As the output shows, Hydra failed to distinguish between invalid and valid credentials, marking both as valid.
For the second scenario, we used the following command:
hydra -L users.txt -P pass.txt joomla.pentest-ground.com https-form-post "/index.php:username=^USER^&passwd=^PASS^&option=com_users&task=user.login&&return=aHR0cHM6Ly9qb29tbGEucGVudGVzdC1ncm91bmQuY29tLw%3D%3D&195456de3e96e3936aa12ea30f4462d4=1:Username and password do not match or you do not have an account yet."
![Joomla Hydra output multiple credentials](https://content.pentest-tools.com/assets/joomla-multiple-creds.webp)
As you can see, Hydra failed to identify any valid credentials, marking all attempts as valid.
Password Auditor commands and results
For the first scenario, we adjusted the following parameters in the interface to conduct a more focused scan:
Ports: Use port from target URL
Services: HTTP
Wordlists: pa-benchmark
Since the pa-benchmark wordlist includes the valid credentials, the tool will make 4 attempts against the target - 3 with invalid credentials and one with valid credentials.
As shown in the screenshots below, Password Auditor successfully identified the valid credentials.
![Joomla Password Auditor scan results](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/password-auditor/joomla-1.webp)
![Joomla Password Auditor HTTPS Weak Password](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/password-auditor/joomla-2.webp)
The Password Auditor on Pentest-Tools.com also includes a screenshot of the logged-in session to confirm the provided credentials are valid.
![Password Auditor screenshot of Joomla logged-in session](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/password-auditor/joomla-3.webp)
For the second scenario, we modified the wordlist to include 2 users (1 invalid and 1 valid) and 12 passwords (11 invalid and 1 valid).
![Joomla Password Auditor tool parameters](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/password-auditor/joomla-5.webp)
![Joomla Password Auditor scan summary](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/password-auditor/joomla-4.webp)
The Password Auditor identified the valid credentials when testing 2 users and 12 passwords.
How to check Joomla administrator for weak credentials
Deployment method: Vultr marketplace
1. Find the web app login endpoint for Joomla administrator
Usually, the Joomla administrator login form is found at the /administrator endpoint.
![Joomla administrator login form](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/interfaces/joomla-administrator.webp)
2. Discover the Joomla administrator login parameters
Use the Network tab in Web Developer Tools to identify the parameters.
![Joomla administrator Web Developer Tools](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/dev-tools/joomla-administrator.webp)
The "return" parameter is a base64-encoded URL to which the user will be redirected after a successful login. Decoding this base64 string reveals the actual URL.
3. Identify error messages and protection mechanisms
After one invalid attempt, the following message is returned:
![Joomla administrator login error](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/protection/joomla-administrator-errror.webp)
After multiple failed attempts, we didn’t find any protection mechanism.
Hydra commands and output
In the first scenario (1 valid and 1 invalid set of credentials), we used the following Hydra commands:
hydra -l benchmark-user -p bad-password joomla.pentest-ground.com -V https-form-post "/index.php:username=^USER^&passwd=^PASS^&option=com_login&task=login&return=aW5kZXgucGhw&98f2024c36194d35d02bb2903380a573=1:Username and password do not match or you do not have an account yet."
hydra -l benchmark-user -p tq6nAhfAhqtwBn7WXWqoaMXWF joomla.pentest-ground.com -V https-form-post "/index.php:username=^USER^&passwd=^PASS^&option=com_login&task=login&return=aW5kZXgucGhw&98f2024c36194d35d02bb2903380a573=1:Username and password do not match or you do not have an account yet."
![Joomla administrator Hydra output](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/hydra/joomla-administrator-1_1.webp)
As shown in the output, Hydra failed to distinguish between invalid and valid credentials, marking both as valid.
For the second, more realistic scenario, we used the following command:
hydra -L users.txt -P pass.txt joomla.pentest-ground.com -V https-form-post "/index.php:username=^USER^&passwd=^PASS^&option=com_login&task=login&return=aW5kZXgucGhw&98f2024c36194d35d02bb2903380a573=1:Username and password do not match or you do not have an account yet."
![Joomla administrator Hydra output multiple credentials](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/hydra/joomla-administrator-multiple-creds.webp)
As you can see, Hydra failed to identify any valid credentials.
Password Auditor commands and results
For the first scenario, we adjusted the following parameters in the interface to perform a more focused scan:
Ports: Use port from target URL
Services: HTTP
Wordlists: pa-benchmark
Since the pa-benchmark wordlist includes the valid credentials, the tool will make 4 attempts against the target - 3 with invalid credentials and one with valid credentials.
As shown in the screenshots below, the Password Auditor successfully identified the valid credentials.
![Joomla administrator Password Auditor scan results](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/password-auditor/joomla-administrator-1.webp)
![Joomla administrator Password Auditor HTTPS Weak Password](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/password-auditor/joomla-administrator-2.webp)
The Pentest-Tools.com Password Auditor also provides a screenshot of the logged-in session to confirm that the provided credentials are valid.
![Password Auditor screenshot of Joomla administrator logged-in session](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/password-auditor/joomla-administrator-3.webp)
For the second scenario, we modified the wordlist to include 2 users (1 invalid and 1 valid) and 12 passwords (11 invalid and 1 valid).
![Joomla administrator Password Auditor tool parameters](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/password-auditor/joomla-administrator-5.webp)
![Joomla administrator Password Auditor scan findings](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/password-auditor/joomla-administrator-4.webp)
The Password Auditor identified the valid credentials when testing 2 users and 12 passwords.
How to check phpMyAdmin for weak credentials
Deployment method: Vultr marketplace
1. Find the web app login endpoint for phpMyAdmin
Usually, the phpMyAdmin login form is found at the /mysqladmin/ or /phpmyadmin/ endpoint.
![phpMyAdmin login form](https://content.pentest-tools.com/assets/phpmyadmin.webp)
2. Discover the login parameters in phpMyAdmin
In your browser, go to the Network tab in Web Developer Tools to identify the parameters.
![phpMyAdmin Web Developer Tools](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/dev-tools/phpmyadmin.webp)
In phpMyAdmin, the token parameter is a security feature used to prevent Cross-Site Request Forgery (CSRF) attacks. This parameter ensures each request to phpMyAdmin is valid and comes from a user session.
3. Identify error messages and protection mechanisms
After one invalid attempt, the following message is returned:
![phpMyAdmin login error](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/protection/phpmyadmin-error.webp)
After multiple failed attempts, we didn’t find any protection mechanism.
Hydra commands and output
In the first scenario, we used the following Hydra commands:
hydra -l pmausers0DdIXFt -p bad-password wordpress.pentest-ground.com https-form-post "/mysqladmin/index.php:pma_username=^USER^&pma_password=^PASS^&set_session=6lf49aspt3l4afa6is1nfld3sn&server=1&route=%2F&lang=en&token=555a3b4c7631212f3e7161443b263b28:Cannot log in to the MySQL server"
hydra -l pmausers0DdIXFt -p iW9Endo6W9Kfav0scVPDKQ545hPpfOAH wordpress.pentest-ground.com https-form-post "/mysqladmin/index.php:pma_username=^USER^&pma_password=^PASS^&set_session=6lf49aspt3l4afa6is1nfld3sn&server=1&route=%2F&lang=en&token=555a3b4c7631212f3e7161443b263b28:Cannot log in to the MySQL server"
![phpMyAdmin Hydra output](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/hydra/phpmyadmin-1_1.webp)
As the output shows, Hydra failed to distinguish between invalid and valid credentials, marking both as valid, because the token parameter acts as a CSRF token bound to the session it was issued for, so the static value copied into the command is not accepted.
Since the first scenario didn't work, we did not proceed with testing the second one.
Password Auditor commands and results
For the first scenario, we adjusted the following parameters in the interface to conduct a more focused scan:
Ports: Use port from target URL
Services: HTTP
Wordlists: pa-benchmark
Since the pa-benchmark wordlist includes the valid credentials, the tool will make 4 attempts against the target - 3 with invalid credentials and one with valid credentials.
As shown in the screenshots below, Password Auditor successfully identified the valid credentials.
![phpMyAdmin Password Auditor scan results](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/password-auditor/phpmyadmin-1.webp)
![phpMyAdmin Password Auditor HTTPS Weak Password](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/password-auditor/phpmyadmin-2.webp)
The Password Auditor automatically includes a screenshot of the logged-in session to confirm the provided credentials are valid.
![Password Auditor screenshot of phpMyAdmin logged-in session](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/password-auditor/phpmyadmin-3.webp)
For the second, more realistic scenario, we modified the wordlist to include 3 users (1 invalid and 2 valid) and 13 passwords (12 invalid and 1 valid).
![phpMyAdmin Password Auditor tool parameters](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/password-auditor/phpmyadmin-5.webp)
![phpMyAdmin Password Auditor scan findings](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/password-auditor/phpmyadmin-4.webp)
How to check cPanel WHM for weak credentials
Deployment method: Vultr marketplace
1. Find the web app login endpoint in cPanel WHM
Usually, we can find the cPanel WHM form at the / or the /login endpoint on port 2087.
![cPanel WHM login form](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/interfaces/cpanel-whm.webp)
2. Discover the cPanel WHM login parameters
Use the Network tab in Web Developer Tools to identify the parameters.
![cPanel WHM Web Developer Tools](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/dev-tools/cpanel-whm.webp)
3. Identify error messages and protection mechanisms
After one invalid attempt, the following message is returned:
![cPanel WHM login error](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/protection/cpnael-whm-error.webp)
After multiple failed attempts, we didn’t find any protection mechanism.
Hydra commands and output
We used the following commands to bruteforce the cPanel WHM app with Hydra with one pair of valid credentials and one pair of invalid ones:
hydra -l root -p bad-password -s 2087 cpanel.pentest-ground.com https-post-form "/login/:user=^USER^&pass=^PASS^:The login is invalid." -I
hydra -l root -p "fH_7]Dw%KdzH8hRa" -s 2087 cpanel.pentest-ground.com https-post-form "/login/:user=^USER^&pass=^PASS^:The login is invalid." -I
![cPanel WHM Hydra output](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/hydra/cpanel-whm-1_1.webp)
As the output shows, Hydra successfully identified the valid credentials. However, it cannot perform a brute-force attack on invalid credentials because the login returns a 401 status code, causing Hydra to mistakenly assume the target app is using basic authentication.
For the more complex, more realistic scenario, we used the following Hydra command:
hydra -L users.txt -P pass.txt -s 2087 cpanel.pentest-ground.com https-post-form "/login/:user=^USER^&pass=^PASS^:The login is invalid." -I
![cPanel WHM Hydra output multiple credentials](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/hydra/cpanel-whm-multiple-creds.webp)
As you can see, Hydra failed to identify any valid credentials because of the 401 status code behaviour described above.
Password Auditor commands and results
For the first scenario, we adjusted the following parameters in the interface to conduct a more focused scan:
Ports: Use port from target URL
Services: HTTP
Wordlists: pa-benchmark
Since the pa-benchmark wordlist includes the valid credentials, four attempts were made to the target (three with invalid credentials and one with valid credentials).
As shown in the screenshots below, the Password Auditor successfully identified the valid credentials.
![cPanel WHM Password Auditor scan results](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/password-auditor/cpanel-whm-1.webp)
![cPanel WHM Password Auditor HTTPS Weak Password](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/password-auditor/cpanel-whm-2.webp)
What’s more, the Password Auditor includes a screenshot of the logged-in session to confirm the provided credentials are valid.
![Password Auditor screenshot of cPanel WHM logged-in session](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/password-auditor/cpanel-whm-3.webp)
For the second scenario, we only changed the wordlist to include 2 users (1 invalid and 1 valid) and 14 passwords (13 invalid and 1 valid).
![cPanel WHM Password Auditor tool parameters](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/password-auditor/cpanel-whm-5.webp)
![cPanel WHM Password Auditor scan findings](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/password-auditor/cpanel-whm-4.webp)
The Password Auditor identified the valid credentials when testing 2 users and 12 passwords.
How to bruteforce web apps with Hydra and the Password Auditor
How to check cPanel login for weak credentials
Deployment method: Vultr marketplace
1. Find the cPanel web app login endpoint
You can usually find the cPanel login form at the / or /login endpoints on port 2083.
![cPanel login form](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/interfaces/cpanel.webp)
2. Discover the cPanel login parameters
Use the Network tab in Web Developer Tools to identify the parameters.
![cPanel Web Developer Tools](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/dev-tools/cpanel.webp)
3. Identify error messages and protection mechanisms
After one invalid attempt, the following message is returned:
![cPanel login error](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/protection/cpanel-error.webp)
After multiple failed attempts, we didn’t detect any protection mechanism.
Hydra commands and output
In the first scenario, we used the following Hydra commands:
hydra -l benchmarkuser -p bad-password -s 2083 cpanel.pentest-ground.com https-post-form "/login/:user=^USER^&pass=^PASS^:The login is invalid." -I
hydra -l benchmarkuser -p tq6nAhfAhqtwBn7WXWqoaMXWF -s 2083 cpanel.pentest-ground.com https-post-form "/login/:user=^USER^&pass=^PASS^:The login is invalid." -I
hydra -l benchmarkuser -p tq6nAhfAhqtwBn7WXWqoaMXWF -s 2083 cpanel.pentest-ground.com https-get "/login/:user=^USER^&pass=^PASS^:The login is invalid." -I
![cPanel Hydra output](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/hydra/cpanel-1_1.webp)
As you can see from the output, Hydra identified the valid credentials. However, it cannot perform the brute-force attack on invalid credentials because the login returns a 401 status code, which makes Hydra assume the target app uses basic authentication.
For the second, more realistic scenario, we used the following command:
hydra -L users.txt -P pass.txt -s 2083 cpanel.pentest-ground.com https-get "/login/:user=^USER^&pass=^PASS^:The login is invalid." -I
![cPanel Hydra output multiple credentials](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/hydra/cpanel-multiple-creds.webp)
As you can see, Hydra failed to identify any valid credentials because of the 401 status code behaviour described above.
Password Auditor commands and results
For the first scenario, we adjusted the following parameters in the interface to conduct a more focused scan:
Ports: Use port from target URL
Services: HTTP
Wordlists: pa-benchmark
Since the pa-benchmark wordlist includes the valid credentials, the tool will make 4 attempts against the target - 3 with invalid credentials and one with valid credentials.
As the screenshots below reveal, the Password Auditor successfully identified the valid credentials.
![cPanel Password Auditor scan results](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/password-auditor/cpanel-1.webp)
![cPanel Password Auditor HTTPS Weak Password](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/password-auditor/cpanel-2.webp)
What’s more, the Password Auditor included a screenshot of the logged-in session to confirm the provided credentials are valid.
![Password Auditor screenshot of cPanel logged-in session](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/password-auditor/cpanel-3.webp)
For the second scenario, we only modified the wordlist to include 2 users (1 invalid and 1 valid) and 14 passwords (13 invalid and 1 valid).
![cPanel Password Auditor tool parameters](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/password-auditor/cpanel-5.png)
![cPanel Password Auditor scan findings](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/password-auditor/cpanel-4.webp)
The Password Auditor identified the valid credentials when testing 2 users and 12 passwords.
How to check Jira for weak credentials
Deployment method: Vultr marketplace
1. Find the web app login endpoint for Jira
Usually, the Jira login form is found at the /login.jsp endpoint.
![Jira login form](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/interfaces/jira.webp)
2. Discover the Jira login parameters
Use the Network tab in Web Developer Tools to identify the parameters.
![Jira Web Developer Tools](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/dev-tools/jira.webp)
3. Identify error messages and protection mechanisms
After one invalid attempt, the following message is returned:
![Jira login error](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/protection/jira-error.webp)
After two failed attempts, the CAPTCHA is activated.
![Jira login captcha](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/protection/jira-captcha.webp)
Hydra commands and output
In the first scenario, we used the following commands:
hydra -l benchmark-user -p bad-password -s 8080 jira.pentest-ground.com http-post-form "/login.jsp:os_username=^USER^&os_password=^PASS^&os_destination=&user_role=&atl_token=&login=Log+In:Sorry, your username and password are incorrect" -I
hydra -l benchmark-user -p tq6nAhfAhqtwBn7WXWqoaMXWF -s 8080 jira.pentest-ground.com http-post-form "/login.jsp:os_username=^USER^&os_password=^PASS^&os_destination=&user_role=&atl_token=&login=Log+In:Sorry, your username and password are incorrect" -I
![Jira Hydra output](https://content.pentest-tools.com/assets/jira-1_1.webp)
As you can see from the output, Hydra correctly identified both the invalid and the valid credentials.
The following command is what we used for the second scenario, with multiple usernames and passwords:
hydra -L users.txt -P pass.txt -s 8080 jira.pentest-ground.com http-post-form "/login.jsp:os_username=^USER^&os_password=^PASS^&os_destination=&user_role=&atl_token=&login=Log+In:Sorry, your username and password are incorrect" -I
![Jira Hydra output multiple credentials](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/hydra/jira-multiple-creds.webp)
Jira activated the CAPTCHA mechanism during the brute-force attack, preventing Hydra from identifying any valid credentials and causing it to mark all credentials as valid.
Password Auditor commands and results
For the first scenario, these are the parameters we adjusted to perform a more focused scan:
Ports: Use port from target URL
Services: HTTP
Wordlists: pa-benchmark
Because the pa-benchmark wordlist includes the valid credentials, the tool will make 4 attempts against the target - 3 with invalid credentials and one with valid credentials.
As the screenshot below shows, the Password Auditor successfully identified the valid credentials.
![Jira Password Auditor scan results](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/password-auditor/jira-1.webp)
It also provided a screenshot of the logged-in session to confirm the tested credentials are valid.
![Password Auditor screenshot of Jira logged-in session](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/password-auditor/jira-3.webp)
In the second scenario, we only adjusted the wordlist to include 2 users (1 invalid and 1 valid) and 14 passwords (13 invalid and 1 valid).
![Jira Password Auditor login captcha](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/password-auditor/jira-4.webp)
The Password Auditor reported the Jira server activated its CAPTCHA protection. In the Details section, we recommend using the Password Spray attack type or splitting the scan into multiple scans with smaller wordlists.
![Jira Password Auditor screenshot of login error](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/password-auditor/jira-5.webp)
How to check Bitbucket for weak credentials
Deployment method: Atlassian Dockerhub
1. Find the web app login endpoint for Bitbucket
The Bitbucket login form usually sits on the /login endpoint.
![Bitbucket login form](https://content.pentest-tools.com/assets/bitbucket.webp)
2. Discover the Bitbucket login parameters
Use the Network tab in Web Developer Tools to identify the parameters.
![Bitbucket Web Developer Tools](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/dev-tools/bitbucket.webp)
3. Identify error messages and protection mechanisms
After one invalid attempt, the following message is returned:
![Bitbucket login error](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/protection/bitbucket-error.webp)
After two failed attempts, the CAPTCHA is activated.
![Bitbucket login captcha](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/protection/bitbucket-captcha.webp)
Hydra commands and output
We used the following commands to bruteforce Bitbucket with Hydra with one pair of valid credentials and one pair of invalid ones:
hydra -l benchmark-user -p tq6nAhfAhqtwBn7WXWqoaMXWF -s 7990 bitbucket.pentest-ground.com http-post-form "/j_atl_security_check:j_username=^USER^&j_password=^PASS^&_atl_remember_me=on&next=%2Fdashboard&queryString=next%3D%252Fdashboard&submit=Log+in:Invalid username or password."
hydra -l benchmark-user -p bad-password -s 7990 bitbucket.pentest-ground.com http-post-form "/j_atl_security_check:j_username=^USER^&j_password=^PASS^&_atl_remember_me=on&next=%2Fdashboard&queryString=next%3D%252Fdashboard&submit=Log+in:Invalid username or password."
![Bitbucket Hydra output](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/hydra/bitbucket-1_1.webp)
As shown in the output, Hydra correctly identified both invalid and valid credentials.
For the second scenario with multiple usernames and passwords, we used the following command:
hydra -L users.txt -P pass.txt -s 7990 bitbucket.pentest-ground.com http-post-form "/j_atl_security_check:j_username=^USER^&j_password=^PASS^&_atl_remember_me=on&next=%2Fdashboard&queryString=next%3D%252Fdashboard&submit=Log+in:Invalid username or password." -V
![Bitbucket Hydra output multiple credentials](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/hydra/bitbucket-multiple-creds.webp)
Hydra identified the valid credentials when testing 2 users and 13 passwords.
Password Auditor commands and results
For the first scenario, these are the parameters we adjusted to perform a more focused scan:
Ports: Use port from target URL
Services: HTTP
Wordlists: pa-benchmark
Because the pa-benchmark wordlist includes the valid credentials, the tool will make 4 attempts against the target - 3 with invalid credentials and one with valid credentials.
As the screenshot below shows, the Password Auditor successfully identified the valid credentials.
![Bitbucket Password Auditor scan results](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/password-auditor/bitbucket-1.webp)
It also delivered a screenshot of the logged-in session to confirm the provided credentials are valid.
![Password Auditor screenshot of the Bitbucket logged-in session](https://content.pentest-tools.com/assets/bitbucket-3.webp)
For the second scenario, we modified the wordlist to include 2 users (1 invalid and 1 valid) and 12 passwords (11 invalid and 1 valid).
![Bitbucket Password Auditor CAPTCHA check](https://content.pentest-tools.com/assets/bitbucket-4.webp)
![Bitbucket Password Auditor screenshot](https://content.pentest-tools.com/assets/bitbucket-5.webp)
The Password Auditor reports that the Bitbucket server activated its CAPTCHA protection. In the Details section, we recommend using the Password Spray attack type or splitting the scan into multiple scans with smaller wordlists.
How to check Confluence for weak credentials
Deployment method: Vulhub
1. Find the Confluence web app login endpoint
Usually, the Confluence login form sits at the /login.action endpoint.
![Confluence login form](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/interfaces/confluence.webp)
2. Discover the Confluence login parameters
Use the Network tab in Web Developer Tools to identify the parameters.
![Confluence Web Developer Tools](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/dev-tools/confluence.webp)
3. Identify error messages and protection mechanisms
After one invalid attempt, the Confluence server returns the following message:
![Confluence login error](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/protection/confluence-error.webp)
After 3 failed attempts, the CAPTCHA activates.
![Confluence login captcha](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/protection/confluence-captcha.webp)
Hydra commands and output
For the first scenario, we used the following commands to bruteforce Confluence with Hydra:
hydra -l benchmark-user -p tq6nAhfAhqtwBn7WXWqoaMXWF -s 8090 confluence.pentest-ground.com http-post-form "/dologin.action:os_username=^USER^&os_password=^PASS^&login=Log+in&os_destination=:The following error"
hydra -l benchmark-user -p bad-password -s 8090 confluence.pentest-ground.com http-post-form "/dologin.action:os_username=^USER^&os_password=^PASS^&login=Log+in&os_destination=:The following error"
![Confluence Hydra output](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/hydra/confluence-1_1.webp)
As you can see from the output, Hydra correctly identified both the invalid and the valid credentials.
For the second bruteforcing scenario, we used the following command:
hydra -L users.txt -P pass.txt -s 8090 confluence.pentest-ground.com http-post-form "/dologin.action:os_username=^USER^&os_password=^PASS^&login=Log+in&os_destination=:The following error" -V
![Confluence Hydra output multiple credentials](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/hydra/confluence-multiple-creds.webp)
Hydra identified the valid credentials when 2 users and 13 passwords were tested.
Password Auditor commands and results
For the first scenario, these are the parameters we adjusted to perform a more focused scan:
Target: http://confluence.pentest-ground.com:8090/dologin.action
Ports: Use port from target URL
Services: HTTP
Wordlists: pa-benchmark
Because the pa-benchmark wordlist includes the valid credentials, the tool will make 4 attempts against the target - 3 with invalid credentials and one with valid credentials.
As highlighted in the screenshots below, the Password Auditor successfully identified the valid credentials.
![Confluence Password Auditor scan results](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/password-auditor/confluence-1.webp)
The tool also included a screenshot of the logged-in session to confirm the validity of the provided credentials.
![Password Auditor screenshot of Confluence logged-in session](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/password-auditor/confluence-3.webp)
For the second scenario, we modified the wordlist to include 2 users (1 invalid and 1 valid) and 12 passwords (11 invalid and 1 valid).
![Confluence Password Auditor login captcha](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/password-auditor/confluence-4.webp)
![Password Auditor screenshot Confluence login error](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/password-auditor/confluence-5.webp)
Finally, the Password Auditor reports that the Confluence server activated its CAPTCHA protection. In the Details section, we recommend using the Password Spray attack type or splitting the scan into multiple scans with smaller wordlists.
How to check Microsoft Exchange for weak credentials
Deployment method: On-prem installation, Exchange 2016, version 15.01.1591.010
1. Find the web app login endpoint for Microsoft Exchange
You can usually find the Exchange login form at the /owa/auth/logon.aspx endpoint.
![Exchange login form](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/interfaces/exchange.webp)
2. Discover the Microsoft Exchange login parameters
Use Burp Community Edition to determine the parameters.
![Microsoft Exchange login parameters](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/dev-tools/exchange.webp)
3. Identify error messages and protection mechanisms
After one invalid attempt, Microsoft Exchange returns the following message:
![Microsoft Exchange login error](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/protection/exchange-error.webp)
Hydra commands and output
In the first scenario, we used the following Hydra commands:
hydra -l Administrator -p bad-password mail.pentest-ground.com https-post-form "/owa/auth.owa:destination=https%3A%2F%2Fmail.pentest-ground.com%2Fowa%2F&flags=4&forcedownlevel=0&username=^USER^&password=^PASS^&passwordText=&isUtf8=1:The user name or password you entered isn't correct. Try entering it again." -V
hydra -l Administrator -p tq6nAhfAhqtwBn7WXWqoaMXWF mail.pentest-ground.com https-post-form "/owa/auth.owa:destination=https%3A%2F%2Fmail.pentest-ground.com%2Fowa%2F&flags=4&forcedownlevel=0&username=^USER^&password=^PASS^&passwordText=&isUtf8=1:The user name or password you entered isn't correct. Try entering it again." -V
![Microsoft Exchange Hydra output](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/hydra/exchange-1_1.webp)
As you can see from the output, Hydra failed to distinguish between the invalid and valid credentials, marking both as valid.
For the second scenario with multiple usernames and passwords, we used the following command:
hydra -L users.txt -P pass.txt mail.pentest-ground.com https-post-form "/owa/auth.owa:destination=https%3A%2F%2Fmail.pentest-ground.com%2Fowa%2F&flags=4&forcedownlevel=0&username=^USER^&password=^PASS^&passwordText=&isUtf8=1:The user name or password you entered isn't correct. Try entering it again." -I
![Microsoft Exchange Hydra output multiple credentials](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/hydra/exchange-multiple-creds.webp)
When testing 2 users and 13 passwords, Hydra failed to differentiate between invalid and valid credentials, marking all as valid.
Password Auditor commands and results
For the first scenario, these are the parameters we adjusted to perform a more focused scan:
Ports: Use port from target URL
Services: HTTP
Wordlists: pa-benchmark
As the pa-benchmark wordlist includes the valid credentials, the tool will make 4 attempts against the target - 3 with invalid credentials and one with valid credentials.
The Password Auditor successfully identified the valid credentials, as visible in these screenshots.
![Microsoft Exchange Password Auditor scan results](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/password-auditor/exchange-1.webp)
A screenshot of the logged-in session offers additional confirmation that the provided credentials are valid.
![Password Auditor screenshot of the Microsoft Exchange logged-in session](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/password-auditor/exchange-3.webp)
For the second scenario, we modified the wordlist to include 2 users (1 invalid and 1 valid) and 12 passwords (11 invalid and 1 valid).
![Password Auditor Microsoft Exchange scan findings](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/password-auditor/exchange-4.webp)
The Password Auditor accurately identified the valid credentials when testing 2 users and 12 passwords.
How to check Plesk web pro for weak credentials
Deployment method: Vultr marketplace
1. Find the Plesk web app login endpoint
Usually, the Plesk login form sits on the /login endpoint on port 8443.
![Plesk login form](https://content.pentest-tools.com/assets/plesk.webp)
2. Discover the Plesk login parameters
Use the Network tab in Web Developer Tools to identify the parameters.
![Plesk Web Developer Tools](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/dev-tools/plesk.webp)
3. Identify error messages and protection mechanisms
After one invalid attempt, the following message is returned:
![Plesk login error](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/protection/plesk-error.webp)
After 5 invalid credentials, the IP address got blocked:
![Plesk login IP block](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/protection/plesk-ip-blocked.webp)
Hydra commands and output
Hydra was not able to brute force Plesk because of its multipart body format. There is already an open issue for this on the official Hydra GitHub repository.
Password Auditor commands and results
For the first scenario, these are the parameters we adjusted to perform a more focused scan:
Ports: Use port from target URL
Services: HTTP
Wordlists: pa-benchmark
As the pa-benchmark wordlist includes the valid credentials, the tool will make 4 attempts against the target - 3 with invalid credentials and one with valid credentials.
As shown in the screenshots below, Password Auditor successfully identified the valid credentials.
![Plesk Password Auditor scan results](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/password-auditor/plesk-1.webp)
Additionally, the Password Auditor includes a screenshot of the logged-in session in its results to confirm the provided credentials are valid.
![Password Auditor screenshot of the Plesk logged-in session](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/password-auditor/plesk-2.webp)
For the second scenario, we used a wordlist with 2 users (1 invalid and 1 valid) and 12 passwords (11 invalid and 1 valid).
Because the scanner’s source IP address was blocked, the Pentest-Tools.com Password Auditor was unable to identify the valid credentials. However, it reported that website access was blocked after 6 attempts.
![Password Auditor Plesk failed login attempts](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/password-auditor/plesk-3.webp)
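The IP-blocking rule that Plesk applies after 5 invalid attempts (and Webmin after more than 5) can be reproduced on the monitoring side. The detector below is an added example, not Pentest-Tools.com, Password Auditor or Hydra code; it replays constructed access-log lines that mimic the login endpoints tested here and flags the two patterns a defender cares about: a burst of failed logins from one source IP, and a successful login that follows such a burst. The log format, endpoint set, status-code convention, threshold and window are all assumptions.

```python
"""Sliding-window detector for login brute-force bursts (added example; not
Pentest-Tools.com, Password Auditor or Hydra code)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Assumption: web-server access logs in Combined Log Format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Login endpoints of the applications tested in the article (constructed set).
LOGIN_PATHS = {
    "/login/", "/login", "/login.jsp", "/dologin.action",
    "/j_atl_security_check", "/j_spring_security_check", "/owa/auth.owa",
}


def classify(method, path, status):
    """Label one request: 'fail', 'success' or None if it is not a login POST.

    Assumed convention for the constructed logs: a failed form login answers
    401 (cPanel/WHM) or re-renders the form with 200 (Jira, Confluence); a
    success redirects away from the form with 302/303. Real applications
    differ (Exchange OWA also redirects on failure), so tune this per app.
    """
    if method != "POST" or path not in LOGIN_PATHS:
        return None
    if status in (302, 303):
        return "success"
    if status in (200, 401):
        return "fail"
    return None


def detect(lines, threshold=5, window=timedelta(minutes=5)):
    """Return alerts as (kind, ip, failures_in_window) tuples.

    'burst' fires once when an IP reaches `threshold` failed logins inside the
    sliding `window` (the condition under which Plesk and Webmin block the IP);
    'success-after-burst' fires when a successful login follows such a burst,
    which is what a guessed password looks like in the log.
    """
    failures = defaultdict(deque)  # ip -> timestamps of recent failed logins
    flagged = set()
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        kind = classify(m["method"], m["path"], int(m["status"]))
        if kind is None:
            continue
        ip = m["ip"]
        ts = datetime.strptime(m["ts"], TS_FMT)
        recent = failures[ip]
        while recent and ts - recent[0] > window:  # expire old failures
            recent.popleft()
        if kind == "fail":
            recent.append(ts)
            if len(recent) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("burst", ip, len(recent)))
        elif ip in flagged or len(recent) >= threshold:
            alerts.append(("success-after-burst", ip, len(recent)))
    return alerts


# Constructed sample log (documentation IP ranges, no real hosts):
# 198.51.100.7 hammers the cPanel/WHM form (401 per failure) and then gets in;
# 203.0.113.5 is a user who mistypes once on Jira; 192.0.2.9 fails five times
# but six minutes apart, so it never reaches five failures inside the window.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Jun/2024:12:00:01 +0000] "POST /login/ HTTP/1.1" 401 312
198.51.100.7 - - [10/Jun/2024:12:00:02 +0000] "POST /login/ HTTP/1.1" 401 312
198.51.100.7 - - [10/Jun/2024:12:00:03 +0000] "POST /login/ HTTP/1.1" 401 312
198.51.100.7 - - [10/Jun/2024:12:00:04 +0000] "POST /login/ HTTP/1.1" 401 312
198.51.100.7 - - [10/Jun/2024:12:00:05 +0000] "POST /login/ HTTP/1.1" 401 312
198.51.100.7 - - [10/Jun/2024:12:00:06 +0000] "POST /login/ HTTP/1.1" 401 312
198.51.100.7 - - [10/Jun/2024:12:00:07 +0000] "POST /login/ HTTP/1.1" 302 0
203.0.113.5 - - [10/Jun/2024:12:01:00 +0000] "POST /login.jsp HTTP/1.1" 200 5120
203.0.113.5 - - [10/Jun/2024:12:01:09 +0000] "POST /login.jsp HTTP/1.1" 302 0
203.0.113.5 - - [10/Jun/2024:12:01:20 +0000] "GET /dashboard HTTP/1.1" 200 8800
192.0.2.9 - - [10/Jun/2024:12:10:00 +0000] "POST /login HTTP/1.1" 200 4410
192.0.2.9 - - [10/Jun/2024:12:16:00 +0000] "POST /login HTTP/1.1" 200 4410
192.0.2.9 - - [10/Jun/2024:12:22:00 +0000] "POST /login HTTP/1.1" 200 4410
192.0.2.9 - - [10/Jun/2024:12:28:00 +0000] "POST /login HTTP/1.1" 200 4410
192.0.2.9 - - [10/Jun/2024:12:34:00 +0000] "POST /login HTTP/1.1" 200 4410
"""


def run_sample():
    """Run the detector over the constructed log and return its alerts."""
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for kind, ip, n in run_sample():
        print(f"{kind}: {ip} ({n} failed logins in window)")
```

Only the first source IP trips the rule; the user who mistypes once and the slow, spread-out attempts stay below the threshold, which is the same trade-off the Password Auditor works around when it suggests splitting a scan into smaller wordlists.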
How to check Jenkins for weak credentials
Deployment method: Vultr marketplace
1. Find the Jenkins web app login endpoint
The Jenkins login form is usually found on the /login endpoint.
![Jenkins web app login](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/interfaces/jenkins.webp)
2. Discover the Jenkins login parameters
Use the Network tab in Web Developer Tools to identify the parameters.
![Jenkins Web Developer Tools](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/dev-tools/jenkins.webp)
3. Identify error messages and protection mechanisms
After one invalid attempt, Jenkins returns the following message:
![Jenkins login error](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/protection/jenkins-error.webp)
Hydra commands and output
In the first scenario, we used the following Hydra commands to bruteforce Jenkins:
hydra -l user -p bad-password jenkins.pentest-ground.com https-post-form "/j_spring_security_check:j_username=^USER^&j_password=^PASS^&from=&Submit=Sign+in:Invalid username or password" -V
hydra -l user -p oljHMj12WK24 jenkins.pentest-ground.com https-post-form "/j_spring_security_check:j_username=^USER^&j_password=^PASS^&from=&Submit=Sign+in:Invalid username or password" -V
hydra -l user -p oljHMj12WK24 jenkins.pentest-ground.com https-post-form "/login:j_username=^USER^&j_password=^PASS^&from=&Submit=Sign+in:Invalid username or password" -V
![Jenkins Hydra output](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/hydra/jenkins-1_1.webp)
![Jenkins Hydra output 2](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/hydra/jenkins-1.webp)
As shown in the output, Hydra failed to distinguish between the invalid and valid credentials, marking both as invalid.
For the second, multi-credentials scenario, we used the following Hydra command:
hydra -L users.txt -P pass.txt jenkins.pentest-ground.com https-post-form "/j_spring_security_check:j_username=^USER^&j_password=^PASS^&from=&Submit=Sign+in:Invalid username or password" -V
![Jenkins Hydra output multiple credentials](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/hydra/jenkins-multiple-creds.webp)
When testing 2 users and 13 passwords, Hydra failed to distinguish between the invalid and valid credentials, marking all as invalid.
Password Auditor commands and results
For the first scenario, these are the parameters we adjusted to perform a more focused scan:
Ports: Use port from target URL
Services: HTTP
Wordlists: pa-benchmark
The pa-benchmark wordlist includes valid credentials, so the process involves making four attempts to the target: 3 with invalid credentials and 1 with valid credentials.
The screenshots below show that Password Auditor successfully identified the valid credentials.
![Jenkins Password Auditor scan results](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/password-auditor/jenkins-1.webp)
The Password Auditor provides a screenshot of the logged-in session to verify the validity of the provided credentials.
![Password Auditor screenshot of the Jenkins logged-in session](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/password-auditor/jenkins-2.webp)
For the second scenario, we modified the wordlist to include 2 users (1 invalid and 1 valid) and 12 passwords (11 invalid and 1 valid).
![Password Auditor Jenkins scan findings](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/password-auditor/jenkins-3.webp)
The Password Auditor identified the valid credentials when testing 2 users and 12 passwords.
How to check Grafana for weak credentials
Deployment method: Grafana Docker
1. Find the Grafana web app login endpoint
Usually, the Grafana login form sits on the /login endpoint.
![Grafana login form](https://content.pentest-tools.com/assets/grafana.webp)
2. Discover the Grafana login parameters
Use the Network tab in Web Developer Tools to identify the parameters.
![Grafana Web Developer Tools](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/dev-tools/grafana.webp)
3. Identify error messages and protection mechanisms
After one invalid attempt, Grafana returns the following message:
![Grafana login error](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/protection/grafana-error.webp)
The login form seems to shadow ban your IP after multiple failed login attempts. You still get the “Invalid username or password” message in the browser even if you use the correct credentials.
Hydra commands and output
In the first scenario (1 set of valid and 1 set of invalid credentials), we used the following Hydra commands:
hydra -s 3000 -l admin -p bad-password grafana.pentest-ground.com http-post-form "/login:{\"user\"\:\"^USER^\",\"password\"\:\"^PASS^\"}:H=Content-Type\: application/json:F=Invalid username or password" -V -I
hydra -s 3000 -l admin -p bad-password grafana.pentest-ground.com http-get "/login:{\"user\"\:\"^USER^\",\"password\"\:\"^PASS^\"}:H=Content-Type\: application/json:F=Invalid username or password" -V -I
![Grafana Hydra output](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/hydra/grafana-1_1.webp)
As you can see from the output, the server returned a 401 status code and Hydra suggested using the “http-get” module instead. With http-get, Hydra returned [ERROR] Caught unknown return code, exiting!.
We did not test the second scenario since the first one did not work.
Password Auditor commands and results
For the first scenario, these are the parameters we adjusted to perform a more focused scan:
Ports: Use port from target URL
Services: HTTP
Wordlists: pa-benchmark
The pa-benchmark wordlist includes valid credentials, so the process involves making four attempts to the target: 3 with invalid credentials and 1 with valid credentials.
The screenshots below demonstrate that the Password Auditor successfully identified the valid credentials.
![Grafana Password Auditor scan results](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/password-auditor/grafana-1.webp)
The Password Auditor provides a screenshot of the logged-in session to verify the validity of the provided credentials.
![Password Auditor screenshot of the Grafana logged-in session](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/password-auditor/grafana-2.webp)
For the second scenario, we modified the wordlist to include 2 users (1 invalid and 1 valid) and 12 passwords (11 invalid and 1 valid).
The Password Auditor couldn’t identify the valid credentials when testing 2 users and 12 passwords because of the shadow IP ban described above.
How to check Webmin for weak credentials
Deployment method: Vultr marketplace
1. Find the web app login endpoint for Webmin
The Webmin login form is usually found on the / endpoint on port 10000.
![Webmin login form](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/interfaces/webmin.webp)
2. Discover the Webmin login parameters
Use the Network tab in Web Developer Tools to identify the parameters.
![Webmin Web Developer Tools](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/dev-tools/webmin.webp)
3. Identify error messages and protection mechanisms
After one invalid attempt, Webmin returns the following message:
![Webmin login error](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/protection/webmin-error.webp)
After more than 5 invalid attempts, the source IP was blocked.
![Webmin login IP block](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/protection/webmin-ip-blocked.webp)
Hydra commands and output
In the first scenario (1 set of valid and 1 set of invalid credentials), we used the following Hydra commands:
hydra -s 10000 -l root -p bad-password webmin.pentest-ground.com https-post-form "/:user=^USER^&pass=^PASS^:Login failed. Please try again." -V
hydra -s 10000 -l root -p iH6$6KEXNKpqUSHG webmin.pentest-ground.com https-post-form "/:user=^USER^&pass=^PASS^:Login failed. Please try again." -V
![Webmin Hydra output](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/hydra/webmin-1_1.webp)
As you can see from the output, Hydra marked both attempts as valid credentials, even though one of them used an invalid password.
We did not test the second scenario since the first one did not work.
Password Auditor commands and results
For the first scenario, these are the parameters we adjusted to perform a more focused scan:
Ports: Use port from target URL
Services: HTTP
Wordlists: pa-benchmark
The pa-benchmark wordlist includes valid credentials, so the process involves making four attempts to the target: 3 with invalid credentials and 1 with valid credentials.
The screenshots below show that the Pentest-Tools.com Password Auditor successfully identified the valid credentials.
![Webmin Password Auditor scan results](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/password-auditor/webmin-1.webp)
The Password Auditor also provides a screenshot of the logged-in session to verify the validity of the provided credentials.
![Password Auditor screenshot of the Webmin logged-in session](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/password-auditor/webmin-2.webp)
For the second scenario, the wordlist we used included 2 users (1 invalid and 1 valid) and 12 passwords (11 invalid and 1 valid).
![Password Auditor Webmin failed login attempts](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/password-auditor/webmin-3.webp)
![Password Auditor screenshot of the Webmin login fail](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/password-auditor/webmin-4.webp)
Because Webmin activated its protection mechanism and blocked the scanner's source IP address, the Password Auditor was unable to identify the valid credentials. However, it reported the block as an informational finding.
How to bruteforce web apps with Hydra and the Password Auditor
How to check Kibana for weak credentials
Deployment method: Docker compose ELK
1. Find the web app login endpoint for Kibana
The Kibana login form often sits on the /login endpoint on port 5601.
![Kibana login form](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/interfaces/kibana.webp)
2. Discover the Kibana login parameters
Use the Network tab in Web Developer Tools to identify the parameters.
![Kibana Web Developer Tools](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/dev-tools/kibana.webp)
3. Identify error messages and protection mechanisms
After one invalid attempt, Kibana returns the following message:
![Kibana login error](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/protection/kibana-error.webp)
Hydra commands and output
In the first scenario (1 set of valid and 1 set of invalid credentials), we used the following Hydra commands:
hydra -s 5601 -l elastic -p test kibana.pentest-ground.com http-post-form "/login:{\"providerType\"\:\"basic\",\"providerName\"\:\"basic\",\"currentURL\"\:\"http\:\/\/kibana.pentest-ground.com\:5601\/login\",\"params\"\:{\"username\"\:\"elastic\",\"password\"\:\"test\"}}:H=Content-Type\: application/json:F=Username or password is incorrect. Please try again." -V -I
hydra -s 5601 -l elastic -p changeme kibana.pentest-ground.com http-post-form "/login:{\"providerType\"\:\"basic\",\"providerName\"\:\"basic\",\"currentURL\"\:\"http\:\/\/kibana.pentest-ground.com\:5601\/login\",\"params\"\:{\"username\"\:\"elastic\",\"password\"\:\"test\"}}:H=Content-Type\: application/json:F=Username or password is incorrect. Please try again." -V -I
![Kibana Hydra output](https://content.pentest-tools.com/assets/kibana-1_1.webp)
As you can see from the output, Hydra marked both attempts as invalid credentials. Note that the JSON body in both commands carries the literal values elastic and test inside params instead of the ^USER^ and ^PASS^ placeholders, so the second command also submitted the invalid password.
Since the first scenario didn't work, we did not proceed with testing the second one.
Password Auditor commands and results
For the first scenario, these are the parameters we adjusted to perform a more focused scan:
Ports: Use port from target URL
Services: HTTP
Wordlists: pa-benchmark
The pa-benchmark wordlist includes valid credentials, so the process involves making four attempts to the target: 3 with invalid credentials and 1 with valid credentials.
The screenshots below show that the Pentest-Tools.com Password Auditor successfully identified the valid credentials.
![Kibana Password Auditor scan results](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/password-auditor/kibana-1.webp)
The Password Auditor also provides a screenshot of the logged-in session to verify the validity of the provided credentials.
![Password Auditor screenshot of the Kibana logged-in session](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/password-auditor/kibana-2.webp)
For the second scenario, we modified the wordlist to include 2 users (1 invalid and 1 valid) and 12 passwords (11 invalid and 1 valid).
![Kibana Password Auditor scan findings](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/password-auditor/kibana-3.webp)
The Password Auditor identified the valid credentials when testing 2 users and 12 passwords.
How to check Adobe ColdFusion for weak credentials
Deployment method: Docker
1. Find the web app login endpoint for Adobe ColdFusion
You will usually find the Adobe ColdFusion login form at the /CFIDE/administrator/index.cfm endpoint on port 8500.
![Adobe Coldfusion login form](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/interfaces/coldfusion.webp)
2. Discover the login parameters for Adobe ColdFusion
Use the Network tab in Web Developer Tools to identify the parameters.
![Adobe Coldfusion Web Developer Tools](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/dev-tools/coldfusion.webp)
When a user submits a password to an Adobe ColdFusion application, a JavaScript function in the user's web browser hashes the password on the client side before transmitting it to the server. This prevents the password from being sent in plain text over the network.
The client-side hashing mechanism uses a combination of the following:
MD5 hashing: The password is first hashed using the MD5 algorithm, which produces a 32-character hexadecimal string.
Salt value: A random salt value that the Adobe ColdFusion server generates is appended to the MD5-hashed password. The salt value prevents rainbow table attacks.
Base64 encoding: The resulting string (MD5 hash + salt value) is then Base64 encoded to produce a final hashed password string.
The ColdFusion server receives the hashed password string and either stores it in a database or compares it to an existing hash value for authentication.
3. Identify error messages and protection mechanisms
After one invalid attempt, Adobe ColdFusion returns the following message:
![Adobe Coldfusion login error](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/protection/coldfusion-error.webp)
Hydra commands and output
In the first scenario (1 set of valid and 1 set of invalid credentials), we used the following Hydra commands:
hydra -s 8500 -l admin -p bad-password coldfusion.pentest-ground.com http-post-form "/CFIDE/administrator/index.cfm:cfadminUserId=^USER^&cfadminPassword=^PASS^&requestedURL=%2FCFIDE%2Fadministrator%2Fenter.cfm:Invalid User name or Password. Please try again" -V
hydra -s 8500 -l admin -p ColdFusion123 coldfusion.pentest-ground.com http-post-form "/CFIDE/administrator/index.cfm:cfadminUserId=^USER^&cfadminPassword=^PASS^&requestedURL=%2FCFIDE%2Fadministrator%2Fenter.cfm:Invalid User name or Password. Please try again" -V
![Adobe Coldfusion Hydra output](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/hydra/coldfusion-1_1.webp)
Unfortunately, as mentioned in the “Discover the login parameters for Adobe ColdFusion” section for this application, the password is hashed client-side, and Hydra cannot run the JavaScript function a browser uses to hash it. As a result, Hydra cannot identify valid credentials on Adobe ColdFusion.
Since the first scenario didn't work, we didn’t go forward with testing the second one.
Password Auditor commands and results
For the first scenario, these are the parameters we adjusted to perform a more focused scan:
Target: http://coldfusion.pentest-ground.com:8500/CFIDE/administrator/index.cfm
Ports: Use port from target URL
Services: HTTP
Wordlists: pa-benchmark
The pa-benchmark wordlist includes valid credentials, so the process involves making four attempts to the target: 3 with invalid credentials and 1 with valid credentials.
The screenshots below show that the Pentest-Tools.com Password Auditor successfully identified the valid credentials.
![Adobe Coldfusion Password Auditor scan results](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/password-auditor/coldfusion-1.webp)
The Password Auditor also provides a screenshot of the logged-in session to verify the validity of the provided credentials.
![Password Auditor screenshot of the Adobe Coldfusion logged-in session](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/password-auditor/coldfusion-2.webp)
For the second scenario, we modified the wordlist to include 2 users (1 invalid and 1 valid) and 12 passwords (11 invalid and 1 valid).
![Password Auditor Adobe Coldfusion scan findings](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/password-auditor/coldfusion-3.webp)
The Password Auditor identified the valid credentials when testing 2 users and 12 passwords.
How to check Zabbix for weak credentials
Deployment method: Docker compose - docker-compose_v3_ubuntu_pgsql_latest.yaml
1. Find the Zabbix web app login endpoint
Usually, you can find the Zabbix login form on the / endpoint on port 80 or 443.
![Zabbix login form](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/interfaces/zabbix.webp)
2. Discover the Zabbix login parameters
Use the Network tab in Web Developer Tools to identify the parameters.
![Zabbix Web Developer Tools](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/dev-tools/zabbix.webp)
3. Identify error messages and protection mechanisms
After one invalid attempt, Zabbix returns the following message:
![Zabbix login error](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/protection/zabbix-error.webp)
After 5 incorrect login attempts, the account is temporarily blocked. In our tests, the lock lasted about 5 minutes.
Hydra commands and output
In the first scenario (1 set of valid and 1 set of invalid credentials), we used the following Hydra commands:
hydra -s 80 -l Admin -p test zabbix.pentest-ground.com http-post-form "/index.php:name=^USER^&password=^PASS^&autologin=1&enter=Sign+in:Incorrect user name or password or account is temporarily blocked." -V
hydra -s 80 -l Admin -p zabbix zabbix.pentest-ground.com http-post-form "/index.php:name=^USER^&password=^PASS^&autologin=1&enter=Sign+in:Incorrect user name or password or account is temporarily blocked." -V
![Zabbix Hydra output](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/hydra/zabbix-1_1.webp)
Hydra successfully identified the valid credentials.
For the second, more realistic scenario, we used the following command:
hydra -s 80 -L users.txt -P pass.txt zabbix.pentest-ground.com http-post-form "/index.php:name=^USER^&password=^PASS^&autologin=1&enter=Sign+in:Incorrect user name or password or account is temporarily blocked." -V
![Zabbix Hydra output multiple credentials](https://content.pentest-tools.com/assets/zabbix-multiple-creds.webp)
Hydra identified the valid credentials when 2 users and 13 passwords were tested.
Password Auditor commands and results
For the first scenario, these are the parameters we adjusted to perform a more focused scan:
Ports: Use port from target URL
Services: HTTP
Wordlists: pa-benchmark
The pa-benchmark wordlist includes valid credentials, so the process involves making four attempts to the target: 3 with invalid credentials and 1 with valid credentials.
The screenshots below show that the Pentest-Tools.com Password Auditor successfully identified the valid credentials.
![Zabbix Password Auditor scan results](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/password-auditor/zabbix-1.webp)
The Password Auditor also provides a screenshot of the logged-in session to verify the validity of the provided credentials.
![Password Auditor screenshot of the Zabbix logged-in session](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/password-auditor/zabbix-2.webp)
For the second scenario, we modified the wordlist to include 2 users (1 invalid and 1 valid) and 12 passwords (11 invalid and 1 valid).
![Zabbix Password Auditor scan findings](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/password-auditor/zabbix-3.webp)
Because of the temporary lockout mechanism, the Pentest-Tools.com Password Auditor couldn’t identify the valid credentials with 2 users and 12 passwords.
How to check Oracle WebLogic for weak credentials
Deployment method: Docker compose from Vulhub
1. Find the web app login endpoint in Oracle WebLogic
Usually, the WebLogic login form sits on the /console/login/LoginForm.jsp endpoint on port 7001.
![Weblogic login form](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/interfaces/weblogic.webp)
2. Discover the login parameters for Oracle WebLogic
Use the Network tab in Web Developer Tools to identify the parameters.
![Oracle Weblogic Web Developer Tools](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/dev-tools/weblogic.webp)
3. Identify error messages and protection mechanisms
After one invalid attempt, Oracle WebLogic returns the following message:
![Oracle Weblogic login error](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/protection/weblogic-error.webp)
After 5 invalid login attempts to the Oracle WebLogic server, the user gets locked out for 30 minutes.
![Oracle Weblogic login IP block](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/protection/weblogic-blocked.webp)
Hydra commands and output
In the first scenario (1 set of valid and 1 set of invalid credentials), we used the following Hydra commands to bruteforce Oracle WebLogic:
hydra -s 7001 -l weblogic -p test weblogic.pentest-ground.com http-post-form "/console/j_security_check:j_username=^USER^&j_password=^PASS^&j_character_encoding=UTF-8:Authentication Denied" -V
hydra -s 7001 -l weblogic -p gU5JEufe weblogic.pentest-ground.com http-post-form "/console/j_security_check:j_username=^USER^&j_password=^PASS^&j_character_encoding=UTF-8:Authentication Denied" -V
![Oracle Weblogic Hydra output](https://content.pentest-tools.com/assets/weblogic-1_1.webp)
For the second scenario using multiple credentials, we used the following command:
hydra -s 7001 -L users.txt -P pass.txt weblogic.pentest-ground.com http-post-form "/console/j_security_check:j_username=^USER^&j_password=^PASS^&j_character_encoding=UTF-8:Authentication Denied" -V
![Oracle Weblogic Hydra output multiple credentials](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/hydra/weblogic-multiple-creds.webp)
Because Oracle WebLogic locks out the user for 30 minutes after 5 invalid attempts, Hydra did not identify the valid credentials when testing 2 users and 13 passwords.
Password Auditor commands and results
For the first scenario, these are the parameters we adjusted to perform a more focused scan:
Target: http://weblogic.pentest-ground.com:7001/console/login/LoginForm.jsp
Ports: Use port from target URL
Services: HTTP
Wordlists: pa-benchmark
The pa-benchmark wordlist includes valid credentials, so the process involves making four attempts to the target: 3 with invalid credentials and 1 with valid credentials.
The screenshots below show that the Pentest-Tools.com Password Auditor successfully identified the valid credentials, together with the screenshot of the logged-in session it provides to verify their validity.
![Oracle Weblogic Password Auditor scan results](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/password-auditor/weblogic-1.webp)
![Password Auditor screenshot of the Oracle Weblogic logged-in session](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/password-auditor/weblogic-2.webp)
For the second scenario, we modified the wordlist to include 2 users (1 invalid and 1 valid) and 12 passwords (11 invalid and 1 valid).
![Oracle Weblogic Password Auditor scan findings](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/password-auditor/weblogic-3.webp)
Because Oracle WebLogic locked out the user for 30 minutes after 5 invalid attempts, the Pentest-Tools.com Password Auditor didn’t identify the valid credentials when testing the target app with 2 users and 13 passwords.
How to check GitLab CE for weak credentials
Deployment method: Docker GitLab
1. Find the web app login endpoint in GitLab CE
Most often, the GitLab CE login form sits on the /users/sign_in endpoint on port 80 or port 443.
![Gitlab CE login](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/interfaces/gitlab.webp)
2. Discover the GitLab CE login parameters
Use the Network tab in Web Developer Tools to identify the parameters.
![Gitlab CE Web Developer Tools](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/hydra/gitlab-1_1.png)
Note that GitLab CE uses authenticity_token as a CSRF token.
3. Identify error messages and protection mechanisms
After one invalid attempt, GitLab Community Edition returns the following message:
![Gitlab CE login error](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/protection/gitlab-error.webp)
The login form seems to shadow ban your IP after multiple failed login attempts. You still get the Login failed message in the browser even if you use the correct credentials.
Hydra commands and output
In the first scenario (1 set of valid and 1 set of invalid credentials), we used the following Hydra commands:
hydra -l root -p bad-password gitlab.pentest-ground.com http-post-form "/users/sign_in:authenticity_token=kqQc3fpC32LIpnAa_ArJLVE05av1xq3hezFXlZABOJxptlcsqcREz-xhX-9qyVqwJQpujx9JijRRTCjLatiD1g&user%5Blogin%5D=^USER^&user%5Bpassword%5D=^PASS^&user%5Bremember_me%5D=0:Invalid login or password." -V
hydra -l root -p JejPqA3mCFxM1F8nzYNHzDLo/h+9JEbH6bxVAlEhYPs= gitlab.pentest-ground.com http-post-form "/users/sign_in:authenticity_token=kqQc3fpC32LIpnAa_ArJLVE05av1xq3hezFXlZABOJxptlcsqcREz-xhX-9qyVqwJQpujx9JijRRTCjLatiD1g&user%5Blogin%5D=^USER^&user%5Bpassword%5D=^PASS^&user%5Bremember_me%5D=0:Invalid login or password." -V
![Gitlab CE Hydra output](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/hydra/gitlab-1_1.webp)
GitLab uses authenticity_token as a CSRF token, which is different for each request. Since Hydra requires this parameter to be configured as static, it cannot generate these tokens. Consequently, Hydra marked both attempts as valid credentials.
Since the first scenario didn't work, we did not proceed with testing the second one.
Password Auditor commands and results
For the first scenario, these are the parameters we adjusted to perform a more focused scan:
Ports: Use port from target URL
Services: HTTP
Wordlists: pa-benchmark
The pa-benchmark wordlist includes valid credentials, so the process involves making four attempts to the target: 3 with invalid credentials and 1 with valid credentials.
The screenshots below show that the Pentest-Tools.com Password Auditor successfully identified the valid credentials.
![Gitlab CE Password Auditor scan results](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/password-auditor/gitlab-1.webp)
The Password Auditor also provides a screenshot of the logged-in session to verify the validity of the provided credentials.
![Password Auditor screenshot of the Gitlab CE logged-in session](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/password-auditor/gitlab-2.webp)
For the second scenario, we modified the wordlist to include 2 users (1 invalid and 1 valid) and 12 passwords (11 invalid and 1 valid).
As mentioned in the Identify error messages and protection mechanisms section, the target seems to shadow ban the source IP of the attack. Therefore, the Password Auditor didn’t identify the valid credentials when testing the target app with 2 users and 13 passwords.
How to check PrestaShop for weak credentials
Deployment method: Vultr marketplace
1. Find the web app login endpoint for PrestaShop
The default admin login page for PrestaShop is typically located at /admin. However, during installation, PrestaShop prompts you to rename the /admin directory for security reasons.
The renamed endpoint would look something like /admin123, where admin123 is a randomly generated or manually chosen name.
The Vultr marketplace image creates the /admin_area/ link as a convenient static URL.
![PrestaShop login form](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/interfaces/presta.webp)
2. Discover the PrestaShop login parameters
Use the Network tab in Web Developer Tools to identify the parameters.
![PrestaShop Web Developer Tools](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/dev-tools/prestashop.webp)
In PrestaShop, the redirect parameter often contains a CSRF (Cross-Site Request Forgery) token. This is used to ensure the security of redirect actions by verifying they are legitimate and come from a trusted source.
3. Identify error messages and protection mechanisms
After one invalid attempt, PrestaShop returns the following message:
![PrestaShop login error](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/protection/prestashop-error.webp)
Hydra commands and output
In the first scenario (1 set of valid and 1 set of invalid credentials), we used the following Hydra commands:
hydra -l "root@pentest-ground.com" -p bad-password prestashop.pentest-ground.com https-post-form "/admin_area/index.php:ajax=1&token=&controller=AdminLogin&submitLogin=1&passwd=^PASS^&email=^USER^&redirect=https%3A%2F%2F108.61.179.203%2Fadmin_area%2F%26token%3Dfd2e9ec78690e5340b24d24565fa0373&stay_logged_in=1:Invalid password." -V
hydra -l "root@pentest-ground.com" -p iY5Na7ZIa3WPgrh3zrVgYdQmF6rnNCtb prestashop.pentest-ground.com https-post-form "/admin_area/index.php:ajax=1&token=&controller=AdminLogin&submitLogin=1&passwd=^PASS^&email=^USER^&redirect=https%3A%2F%2F108.61.179.203%2Fadmin_area%2F%26token%3Dfd2e9ec78690e5340b24d24565fa0373&stay_logged_in=1:Invalid password." -V
![PrestaShop Hydra output](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/hydra/prestashop-1_1.webp)
PrestaShop uses the redirect parameter as a CSRF token, which changes with each request. Since Hydra requires this parameter to be configured as static, it cannot generate these tokens. Consequently, Hydra marked both attempts as valid credentials.
Since the first scenario didn't work, we did not proceed with testing the second one.
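The Webmin, GitLab CE and PrestaShop runs above share one failure mode: Hydra's F= rule declares a login valid whenever the failure text is absent, so a block page or a CSRF rejection becomes a false positive, while the Zabbix, WebLogic and Grafana runs show the opposite one, a lockout or shadow ban making the right password look wrong. The response classifier below is an added example (not code from the article, from Hydra or from Pentest-Tools.com) of how a credential audit can require positive evidence of success and report blocks as their own finding; every marker, cookie name and response in it is a constructed sample, not something captured from the lab targets.

```python
from dataclasses import dataclass
from enum import Enum


class Outcome(Enum):
    VALID = "valid"                 # positive evidence of a logged-in session
    INVALID = "invalid"             # the application's failure text was present
    BLOCKED = "blocked"             # lockout / IP block page: stop and report it
    INCONCLUSIVE = "inconclusive"   # neither: CSRF rejection, wrong module, WAF


@dataclass
class Response:
    """The parts of an HTTP login response the classifier inspects."""
    status: int
    body: str = ""
    location: str = ""      # Location header, if the server redirected
    cookies: tuple = ()     # names of the cookies set by the response


@dataclass
class Signatures:
    """Per-application markers. All values used below are constructed samples."""
    failure: tuple                  # text proving the credentials were rejected
    blocked: tuple = ()             # text proving the source is blocked or locked
    success: tuple = ()             # text that only a logged-in page shows
    session_cookie: str = ""        # cookie that only a real login sets
    login_path: str = "/login"      # a redirect back here is not a success
    lockout_threshold: int = 5      # rejections after which verdicts get unreliable


def _contains(body, markers):
    low = body.lower()
    return any(m.lower() in low for m in markers)


def hydra_f_verdict(resp, sig):
    """What Hydra's F= rule concludes: valid unless the failure text is present."""
    return Outcome.INVALID if _contains(resp.body, sig.failure) else Outcome.VALID


def classify(resp, sig):
    """Require positive evidence of success instead of inferring it from silence."""
    if resp.status == 429 or _contains(resp.body, sig.blocked):
        return Outcome.BLOCKED
    if _contains(resp.body, sig.failure):
        return Outcome.INVALID
    has_session = bool(sig.session_cookie) and sig.session_cookie in resp.cookies
    redirected_away = (resp.status in (301, 302, 303) and bool(resp.location)
                       and not resp.location.rstrip("/").endswith(sig.login_path.rstrip("/")))
    if has_session or redirected_away or _contains(resp.body, sig.success):
        return Outcome.VALID
    return Outcome.INCONCLUSIVE


def audit(attempts, sig):
    """Walk (user, password, response) triples in the order a scanner sent them.

    Stops at the first block and records when the lockout threshold is reached,
    because from then on an 'invalid' verdict says nothing about the password.
    """
    found, streak, notes = [], 0, []
    for user, password, resp in attempts:
        out = classify(resp, sig)
        if out is Outcome.BLOCKED:
            notes.append(f"source blocked before {user}:{password}; remaining pairs untested")
            break
        if out is Outcome.VALID:
            found.append((user, password))
            streak = 0
        elif out is Outcome.INVALID:
            streak += 1
            if streak == sig.lockout_threshold:
                notes.append(f"{streak} consecutive rejections: later verdicts may reflect "
                             "a lockout or shadow ban, retest after the lock expires")
        else:
            notes.append(f"inconclusive HTTP {resp.status} for {user}: fix the request "
                         "(CSRF token, method, headers) before trusting any verdict")
    return {"valid": found, "notes": notes}


# Constructed signatures modelled on three applications from the article.
WEBMIN = Signatures(failure=("Login failed. Please try again.",),
                    blocked=("has been blocked",), session_cookie="sid", login_path="/")
GITLAB = Signatures(failure=("Invalid login or password.",),
                    session_cookie="_gitlab_session", login_path="/users/sign_in")
ZABBIX = Signatures(failure=("Incorrect user name or password or account is temporarily blocked.",),
                    success=("Sign out",), login_path="/index.php")

# Constructed responses (not captured from the lab targets).
WEBMIN_INVALID = Response(200, "<h1>Login failed. Please try again.</h1>")
WEBMIN_BLOCKED = Response(403, "Access denied: your host has been blocked after too many failures")
GITLAB_CSRF = Response(422, "ActionController::InvalidAuthenticityToken")
GITLAB_OK = Response(302, location="/", cookies=("_gitlab_session",))
ZABBIX_REJECT = Response(200, '<div class="red">Incorrect user name or password or account is temporarily blocked.</div>')
```

Zabbix uses one message for both a wrong password and a locked account, so after five rejections the correct password produces the same page; only the attempt counter in audit() reveals that the lockout fired.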
Password Auditor commands and results
For the first scenario, these are the parameters we adjusted to perform a more focused scan:
Target: https://prestashop.pentest-ground.com/admin_area/index.php
Ports: Use port from target URL
Services: HTTP
Wordlists: pa-benchmark
The pa-benchmark wordlist includes valid credentials, so the process involves making four attempts to the target: 3 with invalid credentials and 1 with valid credentials.
The screenshots below show that the Pentest-Tools.com Password Auditor successfully identified the valid credentials.
![PrestaShop Password Auditor scan results](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/password-auditor/prestashop-1.webp)
The Pentest-Tools.com Password Auditor also includes a screenshot of the logged-in session to confirm the provided credentials are valid.
![Password Auditor screenshot of the PrestaShop logged-in session](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/password-auditor/prestashop-2.webp)
For the second scenario, we only changed the wordlist to include 2 users (1 invalid and 1 valid) and 13 passwords (12 invalid and 1 valid).
![PrestaShop Password Auditor scan findings](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/password-auditor/prestashop-3.webp)
In the second scenario, the Password Auditor on Pentest-Tools.com identified the valid credentials.
How to check JetBrains TeamCity for weak credentials
Deployment method: Vulhub docker-compose
1. Find the web app login endpoint for JetBrains TeamCity
The default admin login page for JetBrains TeamCity is typically located on the /login.html endpoint on port 8111.
![Admin login page for JetBrains TeamCity](https://content.pentest-tools.com/assets/teamcity.webp)
2. Discover the login parameters for JetBrains TeamCity
Use the Network tab in Web Developer Tools to identify the parameters.
![JetBrains TeamCity Web Developer Tools](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/dev-tools/teamcity.webp)
In JetBrains TeamCity, the login page uses the publicKey and encryptedPassword parameters as part of the authentication process to enhance security.
Here's a brief explanation of each concept:
publicKey: This is the public portion of a key pair (public/private key) used for RSA encryption. JetBrains TeamCity provides this public key to the client (browser) during the login process. The public key is used to encrypt sensitive information, specifically the password, before it gets sent to the server. This helps protect the password during transmission, even if the data is intercepted.
encryptedPassword: This is the user's password, encrypted using the RSA public key provided by TeamCity. When a user enters their password, it is encrypted client-side using JavaScript with the public key. The resulting encryptedPassword value is then sent to the server instead of the plain text password. On the server side, TeamCity uses the corresponding private key to decrypt the password and authenticate the user.
This mechanism prevents the plain text password from being exposed during transmission, adding an extra layer of security against potential interception or eavesdropping attacks.
3. Identify error messages and protection mechanisms
After one invalid attempt, JetBrains TeamCity returns the following message:
![JetBrains TeamCity login error](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/protection/teamcity-error.webp)
After 5 failed login attempts, the user gets locked out for 1 minute.
![JetBrains TeamCity login failed](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/protection/teamcity-lockout.webp)
Hydra commands and output
Since Hydra can’t run the JavaScript that encrypts the password with the public key, we considered the scenarios untestable.
Password Auditor commands and results
For the first scenario, these are the parameters we adjusted to perform a more focused scan:
Ports: Use port from target URL
Services: HTTP
Wordlists: pa-benchmark
The pa-benchmark wordlist includes valid credentials, so the process involves making four attempts to the target: 3 with invalid credentials and 1 with valid credentials.
As shown in the screenshots below, the Password Auditor on Pentest-Tools.com successfully identified the valid credentials.
![JetBrains TeamCity Password Auditor scan results](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/password-auditor/teamcity-1.webp)
The Password Auditor also provides a screenshot of the logged-in session to verify the validity of the provided credentials.
![Password Auditor screenshot of the JetBrains TeamCity logged-in session](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/password-auditor/teamcity-2.webp)
For the second scenario, we adjusted the wordlist to contain 2 users (1 invalid and 1 valid) and 13 passwords (12 invalid and 1 valid).
![JetBrains TeamCity Password Auditor scan findings](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/password-auditor/teamcity-3.webp)
Because JetBrains TeamCity temporarily locks the account/source IP, the Password Auditor couldn’t identify the valid credentials.
![Password Auditor screenshot of the JetBrains TeamCity failed login](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/password-auditor/teamcity-4.webp)
How to check F5 BIG-IP for weak credentials
Deployment method: ISO image with v15.1.0
1. Find the web app login endpoint for F5 BIG-IP
The default admin login page for F5 BIG-IP is typically located on the /tmui/login.jsp endpoint on port 8443 or 443.
![Admin login page for F5 BIG-IP](https://content.pentest-tools.com/assets/big-ip.webp)
2. Discover the login parameters for F5 BIG-IP
Use the Network tab in Web Developer Tools to identify the parameters.
![F5 BIG-IP Web Developer Tools](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/dev-tools/big-ip.webp)
3. Identify error messages and protection mechanisms
After one invalid attempt, F5 BIG-IP returns the following message:
![F5 BIG-IP login error](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/protection/big-ip-error.webp)
Hydra commands and output
In the first scenario (1 set of valid and 1 set of invalid credentials), we used the following Hydra commands:
hydra -s 8443 -l admin -p bad-password big-ip.pentest-ground.com https-post-form "/tmui/logmein.html?:username=^USER^&passwd=^PASS^:Login failed" -V -I
Hydra suggested using the https-get module, since the application returned a 401 HTTP status code.
hydra -s 8443 -l admin -p bad-password big-ip.pentest-ground.com https-get "/tmui/logmein.html?username=^USER^&passwd=^PASS^:F=Login failed" -V -I
hydra -s 8443 -l admin -p tq6nAhfAhqtwBn7WXWqoaMXWF big-ip.pentest-ground.com https-get "/tmui/logmein.html?username=^USER^&passwd=^PASS^:F=Login failed" -V -I
![F5 BIG-IP Hydra output](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/hydra/big-ip-1_1.webp)
Since the first scenario didn't work, we did not proceed with testing the second one.
Password Auditor commands and results
For the first scenario, these are the parameters we adjusted to perform a more focused scan:
Target: https://big-ip.pentest-ground.com:8443/tmui/login.jsp
Ports: Use port from target URL
Services: HTTP
Wordlists: pa-benchmark
The pa-benchmark wordlist includes valid credentials, so the process involves making four attempts to the target: 3 with invalid credentials and 1 with valid credentials.
As shown in the screenshots below, Password Auditor successfully identified the valid credentials.
![F5 BIG-IP Password Auditor scan results](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/password-auditor/big-ip-1.webp)
The Password Auditor also provides a screenshot of the logged-in session to verify the validity of the provided credentials.
![Password Auditor screenshot of the F5 BIG-IP logged-in session](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/password-auditor/big-ip-2.webp)
For the second scenario, we only adjusted the wordlist to include 2 users (1 invalid and 1 valid) and 13 passwords (12 invalid and 1 valid).
![F5 BIG-IP Password Auditor scan findings](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/password-auditor/big-ip-3.webp)
In the second scenario, the Password Auditor on Pentest-Tools.com identified the valid credentials.
How to check Roxy-WI for weak credentials
Deployment method: Vultr marketplace
1. Find the web app login endpoint for Roxy-WI
The default admin login page for Roxy-WI is typically located on the /app/login.py endpoint on port 443.
![Admin login page for Roxy-WI](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/interfaces/roxy-wi.webp)
2. Discover the login parameters for Roxy-WI
Use the Network tab in Web Developer Tools to identify the parameters.
![Roxy-WI Web Developer Tools](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/dev-tools/roxy-wi.webp)
3. Identify error messages and protection mechanisms
After one invalid attempt, Roxy-WI returns the following message:
![Roxy-WI login error](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/protection/roxy-wi-error.webp)
The Roxy-WI application has only a minimal anti-bruteforce mechanism: after an invalid set of credentials, the login button is disabled for just 10 seconds.
Hydra commands and output
In the first scenario (1 set of valid and 1 set of invalid credentials), we used the following Hydra commands:
```bash
hydra -l admin -p bad-password roxy-wi.pentest-ground.com https-post-form "/app/login.py:login=^USER^&pass=^PASS^:Your login or password is incorrect " -V
hydra -l admin -p admin roxy-wi.pentest-ground.com https-post-form "/app/login.py:login=^USER^&pass=^PASS^:Your login or password is incorrect " -V
```
![Roxy-WI Hydra output](https://content.pentest-tools.com/assets/roxy-wi-1_1.webp)
The server returns an HTTP status code of 200 with the body "ban" when it receives invalid credentials. Because that body does not contain the configured failure string, Hydra considers the login attempt successful.
![Roxy-WI Burp interface](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/hydra/roxy-wi-burp.webp)
Since the first scenario didn't work, we did not proceed with testing the second one.
Password Auditor commands and results
For the first scenario, these are the parameters we adjusted to perform a more focused scan:
Ports: Use port from target URL
Services: HTTP
Wordlists: pa-benchmark
The pa-benchmark wordlist includes valid credentials, so the process involves making four attempts to the target: 3 with invalid credentials and 1 with valid credentials.
The screenshots below show that the Pentest-Tools.com Password Auditor successfully identified the valid credentials.
![Roxy-WI Password Auditor scan results](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/password-auditor/roxy-wi-1.webp)
The Password Auditor also provides a screenshot of the logged-in session to verify the validity of the provided credentials.
![Password Auditor screenshot of the Roxy-WI logged-in session](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/password-auditor/roxy-wi-2.webp)
For the second scenario, we only changed the wordlist to include 2 users (1 invalid and 1 valid) and 13 passwords (12 invalid and 1 valid).
![Roxy-WI Password Auditor scan findings](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/password-auditor/roxy-wi-3.webp)
In the second scenario, the Password Auditor identified all the valid credentials.
How to bruteforce web apps with Hydra and the Password Auditor
How to check Magento for weak credentials
Deployment method: Vultr marketplace
1. Find the web app login endpoint for Magento
The default admin login page for Magento is typically located on the /admin endpoint on port 443.
![Admin login page for Magento](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/interfaces/magento.webp)
2. Discover the Magento login parameters
Use the Network tab in Web Developer Tools to identify the parameters.
![Magento Web Developer Tools](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/dev-tools/magento.webp)
In Magento, the form_key parameter is a critical security feature used to prevent Cross-Site Request Forgery (CSRF) attacks. It ensures the form submission is coming from the same site and session, protecting the website and its users from malicious actions.
3. Identify error messages and protection mechanisms
After one invalid attempt, Magento returns the following message:
![Magento login block](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/protection/magento-blocked.webp)
The application has a basic anti-brute-force mechanism: the CAPTCHA gets activated after several failed login attempts, and the account can be temporarily disabled.
Hydra commands and output
In the first scenario (1 set of valid and 1 set of invalid credentials), we used the following Hydra commands to bruteforce Magento:
```bash
hydra -l user -p bad-password magento.pentest-ground.com http-post-form "/admin/:form_key=7sqshgljTsjOGZtB&login%5Busername%5D=^USER^&login%5Bpassword%5D=^PASS^:The account sign-in was incorrect" -V
hydra -l user -p 5CIaEBMqlcwN magento.pentest-ground.com http-post-form "/admin/:form_key=7sqshgljTsjOGZtB&login%5Busername%5D=^USER^&login%5Bpassword%5D=^PASS^:The account sign-in was incorrect" -V
```
![Magento Hydra output](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/hydra/magento-1_1.webp)
As explained in the section about discovering Magento parameters, the `form_key` is used as a CSRF token and is dynamically set. Hydra cannot use a session to automatically set this parameter, so it incorrectly marks both invalid and valid credentials as valid.
Since the first scenario didn't work, we did not proceed with testing the second one.
Password Auditor commands and results
For the first scenario, these are the parameters we adjusted to perform a more focused scan:
Ports: Use port from target URL
Services: HTTP
Wordlists: pa-benchmark
The pa-benchmark wordlist includes valid credentials, so the process involves making four attempts to the target: 3 with invalid credentials and 1 with valid credentials.
The screenshots below show that the Pentest-Tools.com Password Auditor successfully identified the valid credentials.
![Magento Password Auditor scan results](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/password-auditor/magento-1.webp)
The Password Auditor also provides a screenshot of the logged-in session to verify the validity of the provided credentials.
![Password Auditor screenshot of the Magento logged-in session](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/password-auditor/magento-2.webp)
For the second scenario, we adjusted the wordlist to include 2 users (1 invalid and 1 valid) and 13 passwords (12 invalid and 1 valid).
![Magento Password Auditor scan findings](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/password-auditor/magento-3.webp)
Because Magento activated the CAPTCHA mechanism, the Password Auditor on Pentest-Tools.com reported an informational finding that the bruteforce stopped for this reason.
![Password Auditor screenshot of the failed Magento login session](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/password-auditor/magento-4.webp)
How to check CloudPanel for weak credentials
Deployment method: Vultr marketplace
1. Find the web app login endpoint for CloudPanel
The default admin login page for CloudPanel is typically located on the /login endpoint on port 8443.
![Admin login page for CloudPanel](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/interfaces/cloudpanel.webp)
2. Discover the CloudPanel login parameters
Use the Network tab in Web Developer Tools to identify the parameters.
![CloudPanel Web Developer Tools](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/dev-tools/cloudpanel.webp)
In CloudPanel, the `_csrf_token` parameter is a critical security feature used to prevent Cross-Site Request Forgery (CSRF) attacks. It ensures the form submission is coming from the same site and session, protecting the website and its users from malicious actions.
3. Identify error messages and protection mechanisms
After one invalid attempt, CloudPanel returns the following message:
![Cloudpanel login error](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/protection/cloudpanel-error.webp)
Hydra commands and output
In the first scenario (1 set of valid and 1 set of invalid credentials), we used the following Hydra commands:
```bash
hydra -s 8443 -l namedame -p bad-password cloudpanel.pentest-ground.com https-post-form "/login:userName=^USER^&password=^PASS^&_csrf_token=8662edda832bd09b91ef351af3ffccf0.P7XJW8hraBMweBYkcs4HkRMIuMEqBVk9oP9yseTmNJY.aYWFFIA4BlpRTURwG6Z2xEBR_Khda24I1qcZgdGyBK5y3r085VsHfXRNdQ&submit=:Invalid credentials." -V
hydra -s 8443 -l namedame -p CloudPanel4321 cloudpanel.pentest-ground.com https-post-form "/login:userName=^USER^&password=^PASS^&_csrf_token=8662edda832bd09b91ef351af3ffccf0.P7XJW8hraBMweBYkcs4HkRMIuMEqBVk9oP9yseTmNJY.aYWFFIA4BlpRTURwG6Z2xEBR_Khda24I1qcZgdGyBK5y3r085VsHfXRNdQ&submit=:Invalid credentials." -V
```
![Cloudpanel Hydra output](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/hydra/cloudpanel-1_1.webp)
As explained in the login parameters discovery section, `_csrf_token` is a CSRF token that is set dynamically per session. Since Hydra cannot use a session to automatically refresh this parameter, the static value is rejected every time, and Hydra marks both invalid and valid credentials as valid.
Since the first scenario didn't work, we did not proceed with testing the second one.
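The Roxy-WI, Magento and CloudPanel results above all come from the same heuristic: the http-post-form module treats any response that lacks the configured failure string as a successful login. The following added example (not code from Hydra or the Password Auditor) simulates that rule offline against constructed responses modelled on the behaviours described on this page, beside a stricter rule that requires a positive success signal and reports lockouts, CAPTCHAs and rejected CSRF tokens as "blocked" instead of "valid". The `LoginResponse` type, the session cookie field and all message texts other than "ban" and the Magento failure string are assumptions.

```python
# Added example: why "failure string absent => valid" misclassifies, and a
# stricter classifier. Responses are constructed, not captured server output.
from dataclasses import dataclass
import re

@dataclass
class LoginResponse:
    status: int
    body: str
    session_cookie: str = ""   # assumption: set only on a real login

MAGENTO_FAIL = "The account sign-in was incorrect"   # failure string from the page

# (case name, failure string configured for that form, constructed response)
CASES = [
    ("roxy_wi_invalid", "Your login or password is incorrect", LoginResponse(200, "ban")),
    ("magento_invalid", MAGENTO_FAIL, LoginResponse(200, MAGENTO_FAIL)),
    ("magento_stale_form_key", MAGENTO_FAIL,
     LoginResponse(200, "Invalid form key (placeholder text)")),
    ("magento_valid", MAGENTO_FAIL, LoginResponse(302, "", session_cookie="admin=constructed")),
    ("teamcity_locked", "Incorrect username or password (placeholder)",
     LoginResponse(403, "Too many failed attempts, account locked (placeholder)")),
]

# Bodies that mean a defence fired (ban, lockout, CAPTCHA, CSRF rejection),
# which is not a credential result at all.
BLOCK_PATTERNS = re.compile(r"\bban\b|locked|too many|captcha|invalid form key|csrf", re.I)

def hydra_style(resp: LoginResponse, fail_string: str) -> str:
    """Failure-string heuristic: anything without the fail string is 'valid'."""
    return "invalid" if fail_string in resp.body else "valid"

def stricter(resp: LoginResponse, fail_string: str) -> str:
    """Only call a login 'valid' on a positive signal (session cookie or
    redirect); surface defences as 'blocked' and never guess otherwise."""
    if fail_string in resp.body:
        return "invalid"
    if BLOCK_PATTERNS.search(resp.body):
        return "blocked"
    if resp.session_cookie or resp.status in (301, 302, 303):
        return "valid"
    return "undetermined"

def classify_all() -> dict:
    """Map each case name to (failure-string verdict, stricter verdict)."""
    return {name: (hydra_style(r, fs), stricter(r, fs)) for name, fs, r in CASES}

if __name__ == "__main__":
    for name, (h, s) in classify_all().items():
        print(f"{name:24s} failure-string rule: {h:8s} stricter rule: {s}")
```

Every "blocked" verdict above is a "valid" under the failure-string rule, which is exactly the false-positive pattern the Hydra screenshots for these three applications show.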
Password Auditor commands and results
For the first scenario, these are the parameters we adjusted to perform a more focused scan:
Ports: Use port from target URL
Services: HTTP
Wordlists: pa-benchmark
The pa-benchmark wordlist includes valid credentials, so the process involves making four attempts to the target: 3 with invalid credentials and 1 with valid credentials.
The screenshots below show that the Pentest-Tools.com Password Auditor successfully identified the valid credentials.
![Cloudpanel Password Auditor scan results](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/password-auditor/cloudpanel-1.webp)
The Password Auditor also provides a screenshot of the logged-in session to verify the validity of the provided credentials.
![Password Auditor screenshot of the Cloudpanel logged-in session](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/password-auditor/cloudpanel-2.webp)
For the second scenario, we just changed the wordlist to include 2 users (1 invalid and 1 valid) and 13 passwords (12 invalid and 1 valid).
![Cloudpanel Password Auditor scan findings](https://content.pentest-tools.com/assets/content/password-auditor-vs-hydra/password-auditor/cloudpanel-3.webp)
In the second scenario, the Password Auditor on Pentest-Tools.com identified the valid credentials.
9 things you can do with this comparison of bruteforcing tools
1. Choose the most effective bruteforcing tool for your target
Based on the results from this comparison, you can select the right tool for bruteforcing credentials based on the type of system or web application you’re targeting (e.g., WordPress, Drupal, Joomla).
Case in point, the Password Auditor demonstrated superior performance across more complex login scenarios (e.g., dynamic forms, CAPTCHA, IP blocking), while Hydra was more limited in handling client-side security mechanisms like JavaScript hashing.
2. Confidently automate credential auditing - at scale
If you need an automated tool for auditing web apps with a focus on ease of use and minimal configuration, the Password Auditor is a reliable choice. You can simply select the attack type (dictionary or password spray), enable services, and configure the port range to launch scans quickly.
The tool’s ability to schedule regular scans and automate credential auditing across multiple targets makes it a valuable tool for large-scale projects. You can automate routine checks for weak credentials and have reports generated without manual intervention. This helps manage multiple clients or a large number of assets efficiently.
3. Adapt attacks to application-specific configurations
Many web applications, such as Jira, Bitbucket, or Microsoft Exchange, use unique login forms and parameters. The comparison outlines specific commands and configurations for each tool, allowing you to adapt your brute-force attacks to each application’s setup.
For instance, Hydra requires manual setup but allows for deep configuration of attacks, making it suitable when you need fine-tuned control over the process, especially in simpler environments that don’t implement client-side security mechanisms.
4. Detect CAPTCHA and IP blocking
The comparison reveals that the Password Auditor is more effective at recognizing defensive mechanisms like CAPTCHA and IP blocking and providing bypass recommendations. You can use this capability to audit web apps that deploy such protections.
5. Adjust attack speed and avoid detection
Both the Password Auditor and Hydra can set delays between attempts to avoid triggering account lockouts or rate-limiting mechanisms. This feature is useful for flying under the radar while performing brute-force attacks, reducing the risk of detection.
6. Validate web app login endpoints and error messages
This comparison shows how both Hydra and the Password Auditor detect login endpoints and error messages, a critical first step in assessing web applications for brute-force vulnerabilities. You can compare their effectiveness and accuracy to choose the most reliable tool for simulating attacks against your targets.
7. Handle client-side hashing mechanisms
The comparison shows how the Password Auditor was able to bypass complex security mechanisms like client-side encryption and token generation. This makes it ideal for environments like Adobe ColdFusion where Hydra failed because it was unable to replicate client-side security processes.
8. Generate detailed attack reports
The Password Auditor provides detailed feedback on defenses it encounters during an attack, including IP blacklisting, CAPTCHA, and login attempt delays. This level of detail allows you to generate comprehensive reports for clients or colleagues, outlining the strength of their authentication defenses and the bypasses that can override them.
9. Benchmark bruteforce tool performance for future tests
These detailed comparison results offer a benchmark for future bruteforce testing. By understanding how each tool performed across the 26 tested applications, you can set realistic expectations for similar tools or when using Hydra or the Password Auditor in your environment.
Bruteforce tools comparison FAQs
The Password Auditor is more effective at recognizing CAPTCHA and IP blocking mechanisms, offering detailed feedback, screenshots, and ready-to-use reports.