How to bruteforce IT and server management apps with Hydra and the Password Auditor

Bruteforcing login endpoints is essential for assessing the security of IT and server management applications. Gaining access to these web apps can expose critical administrative controls, server configurations, database access, email accounts, and other sensitive assets that attackers target. 

This guide provides real-world testing methodologies for cPanel, Plesk, Webmin, phpMyAdmin, and more, helping you discover login parameters, analyze authentication mechanisms, and test login security measures. By applying these techniques, you can pinpoint authentication weaknesses before malicious attackers do, ensuring a stronger security posture for the systems you audit.

Hydra vs password auditor hero image

How to check cPanel login for weak credentials

Deployment method: Vultr marketplace

1. Find the cPanel web app login endpoint

You can usually find the cPanel login form at the / or /login endpoints on port 2083.

cPanel login form

2. Discover the cPanel login parameters

Use the Network tab in Web Developer Tools to identify the parameters.

cPanel Web Developer Tools

3. Identify error messages and protection mechanisms

After one invalid attempt, the following message is returned:

cPanel login error

After multiple failed attempts, we didn’t detect any protection mechanism.

Hydra commands and output

In the first scenario, we used the following Hydra commands:

hydra -l benchmarkuser -p bad-password -s 2083 cpanel.pentest-ground.com https-post-form "/login/:user=^USER^&pass=^PASS^:The login is invalid." -I
hydra -l benchmarkuser -p tq6nAhfAhqtwBn7WXWqoaMXWF -s 2083 cpanel.pentest-ground.com https-post-form "/login/:user=^USER^&pass=^PASS^:The login is invalid." -I
hydra -l benchmarkuser -p tq6nAhfAhqtwBn7WXWqoaMXWF -s 2083 cpanel.pentest-ground.com https-get "/login/:user=^USER^&pass=^PASS^:The login is invalid." -I
cPanel Hydra output

As you can see from the output, Hydra identified the valid credentials, but on invalid credentials it can’t perform the bruteforce attack since the login returns 401 status code and it thinks it uses basic authentication.


For the second, more realistic scenario, we used the following command:

hydra -L users.txt -P pass.txt -s 2083 cpanel.pentest-ground.com https-get "/login/:user=^USER^&pass=^PASS^:The login is invalid." -I
cPanel Hydra output multiple credentials

As you can see, Hydra failed to identify any valid credentials because of the previously mentioned scenario.

Password Auditor commands and results

For the first scenario, we adjusted the following parameters in the interface to conduct a more focused scan:


Since the pa-benchmark wordlist includes the valid credentials, the tool will make 4 attempts against the target - 3 with invalid credentials and one with valid credentials.


As the screenshots below reveals, the Password Auditor successfully identified the valid credentials.

cPanel Password Auditor scan resultscPanel Password Auditor HTTPS Weak Password

What’s more, the Password Auditor included a screenshot of the logged-in session to confirm the provided credentials are valid.

Password Auditor screenshot of cPanel logged-in session

For the second scenario, we only modified the wordlist to include 2 users (1 invalid and 1 valid) and 14 passwords (13 invalid and 1 valid).

cPanel Password Auditor scan findings

The Password Auditor identified the valid credentials when testing 2 users and 12 passwords.

Bruteforce commands and settings for Hydra and the Password Auditor

Learn when to use Hydra for brute-force attacks and when the Password Auditor’s automation, screenshot capture, and proof-based reporting provide a better alternative for correctly identifying login credentials with greater speed and accuracy. 

By testing these login security measures, you can identify risks that could lead to unauthorized server access, control panel takeovers, or database breaches, helping organizations stay ahead of real-world threats.