How to bruteforce IT and server management apps with Hydra and the Password Auditor
Bruteforcing login endpoints is essential for assessing the security of IT and server management applications. Gaining access to these web apps can expose critical administrative controls, server configurations, database access, email accounts, and other sensitive assets that attackers target.
This guide provides real-world testing methodologies for cPanel, Plesk, Webmin, phpMyAdmin, and more, helping you discover login parameters, analyze authentication mechanisms, and test login security measures. By applying these techniques, you can pinpoint authentication weaknesses before malicious attackers do, ensuring a stronger security posture for the systems you audit.

How to check cPanel WHM for weak credentials
Deployment method: Vultr marketplace
1. Find the web app login endpoint in cPanel WHM
Usually, we can find the cPanel WHM form at the / or the /login endpoint on port 2087.

2. Discover the cPanel WHM login parameters
Use the Network tab in Web Developer Tools to identify the parameters.

3. Identify error messages and protection mechanisms
After one invalid attempt, the following message is returned:

After multiple failed attempts, we didn’t find any protection mechanism.
Hydra commands and output
We used the following commands to bruteforce the cPanel WHM app with Hydra with one pair of valid credentials and one pair of invalid ones:
hydra -l root -p bad-password -s 2087 cpanel.pentest-ground.com https-post-form "/login/:user=^USER^&pass=^PASS^:The login is invalid." -Ihydra -l root -p "fH_7]Dw%KdzH8hRa" -s 2087 cpanel.pentest-ground.com https-post-form "/login/:user=^USER^&pass=^PASS^:The login is invalid." -I
As the output shows, Hydra successfully identified the valid credentials. However, it cannot perform a brute-force attack on invalid credentials because the login returns a 401 status code, causing Hydra to mistakenly assume the target app is using basic authentication.
For the more complex, more realistic scenario, we used the following Hydra command:
hydra -L users.txt -P pass.txt -s 2087 cpanel.pentest-ground.com https-post-form "/login/:user=^USER^&pass=^PASS^:The login is invalid." -I
As you can see, Hydra failed to identify any valid credentials because of the previously mentioned scenario.
Password Auditor commands and results
For the first scenario, we adjusted the following parameters in the interface to conduct a more focused scan:
Ports: Use port from target URL
Services: HTTP
Wordlists: pa-benchmark
Since the pa-benchmark wordlist includes the valid credentials, four attempts were made to the target (three with invalid credentials and one with valid credentials).
As shown in the screenshots below, the Password Auditor successfully identified the valid credentials.


What’s more, the Password Auditor includes a screenshot of the logged-in session to confirm the provided credentials are valid.

For the second scenario, we only changed the wordlist to include 2 users (1 invalid and 1 valid) and 14 passwords (13 invalid and 1 valid).


The Password Auditor identified the valid credentials when testing 2 users and 12 passwords.
Bruteforce commands and settings for Hydra and the Password Auditor
Learn when to use Hydra for brute-force attacks and when the Password Auditor’s automation, screenshot capture, and proof-based reporting provide a better alternative for correctly identifying login credentials with greater speed and accuracy.
By testing these login security measures, you can identify risks that could lead to unauthorized server access, control panel takeovers, or database breaches, helping organizations stay ahead of real-world threats.


