How to bruteforce development, CI/CD, and other apps with Hydra and the Password Auditor

Compromising development and CI/CD tools can give attackers access to source code repositories, automation pipelines, and deployment systems, making them high-value targets. 

This guide provides real-world testing methodologies for Bitbucket, GitLab CE, Jenkins, JetBrains TeamCity, and more, helping you discover login endpoints, analyze authentication mechanisms, and test credential security. By applying these techniques, you can uncover authentication weaknesses before attackers do, ensuring a stronger security posture for the systems you audit.

Hydra vs password auditor hero image

How to check Jenkins for weak credentials

Deployment method: Vultr marketplace

1. Find the Jenkins web app login endpoint

The Jenkins login form is usually found on the /login endpoint.

Jenkins web app login

2. Discover the Jenkins login parameters

Use the Network tab in Web Developer Tools to identify the parameters.

Jenkins Web Developer Tools

3. Identify error messages and protection mechanisms

After one invalid attempt, Jenkins returns the following message:

Jenkins login error

Hydra commands and output

In the first scenario, we used the following Hydra commands to bruteforce Jenkins:

hydra -l user -p bad-password jenkins.pentest-ground.com https-post-form "/j_spring_security_check:j_username=^USER^&j_password=^PASS^&from=&Submit=Sign+in:Invalid username or password" -V
hydra -l user -p oljHMj12WK24 jenkins.pentest-ground.com https-post-form "/j_spring_security_check:j_username=^USER^&j_password=^PASS^&from=&Submit=Sign+in:Invalid username or password" -V
hydra -l user -p oljHMj12WK24 jenkins.pentest-ground.com https-post-form "/login:j_username=^USER^&j_password=^PASS^&from=&Submit=Sign+in:Invalid username or password" -V

Jenkins Hydra outputJenkins Hydra output 2

As shown in the output, Hydra failed to identify the invalid and valid credentials, marking both as invalid.


For the second, multi-credentials scenario, we used the following Hydra command:

hydra -L users.txt -P pass.txt jenkins.pentest-ground.com https-post-form "/j_spring_security_check:j_username=^USER^&j_password=^PASS^&from=&Submit=Sign+in:Invalid username or password" -V
Jenkins Hydra output multiple credentials

When testing 2 users and 13 passwords, Hydra failed to identify the invalid and valid credentials, marking all as invalid.

Password Auditor commands and results

For the first scenario, these are the parameters we adjusted to perform a more focused scan:

  • Target: https://jenkins.pentest-ground.com/login

  • Ports: Use port from target URL

  • Services: HTTP

  • Wordlists: pa-benchmark


The pa-benchmark wordlist includes valid credentials, so the process involves making four attempts to the target: 3 with invalid credentials and 1 with valid credentials.


The screenshots below show that Password Auditor successfully identified the valid credentials.

Jenkins Password Auditor scan results

The Password Auditor provides a screenshot of the logged-in session to verify the validity of the provided credentials.

Password Auditor screenshot of the Jenkins logged-in session

For the second scenario, we modified the wordlist to include 2 users (1 invalid and 1 valid) and 12 passwords (11 invalid and 1 valid).

Password Auditor Jenkins scan findings

The Password Auditor identified the valid credentials when testing 2 users and 12 passwords.

Bruteforce commands and settings for Hydra and the Password Auditor

Since authentication security varies across different platforms - some using CAPTCHAs, CSRF tokens, or IP-based rate limiting - choosing the right testing approach is essential. These detailed Hydra commands for manual bruteforcing are ready to use, along with steps that demonstrate how the Password Auditor automates credential testing for more efficient, reliable assessments. 


You’ll see how Hydra interacts with authentication defenses and how the Password Auditor captures screenshots and proof of valid credentials to streamline your security audits.