How to bruteforce IT and server management apps with Hydra and the Password Auditor

Bruteforcing login endpoints is essential for assessing the security of IT and server management applications. Gaining access to these web apps can expose critical administrative controls, server configurations, database access, email accounts, and other sensitive assets that attackers target. 

This guide provides real-world testing methodologies for cPanel, Plesk, Webmin, phpMyAdmin, and more, helping you discover login parameters, analyze authentication mechanisms, and test login security measures. By applying these techniques, you can pinpoint authentication weaknesses before malicious attackers do, ensuring a stronger security posture for the systems you audit.

Hydra vs password auditor hero image

How to check phpMyAdmin for weak credentials

Deployment method: Vultr marketplace

1. Find the web app login endpoint for phpMyAdmin

Usually, phpMyAdmin login form is found at /mysqladmin/ or /phpmyadmin/ endpoint.

phpMyAdmin login form

2. Discover the login parameters in phpMyAdmin

In your browser, go to the Network tab in Web Developer Tools to identify the parameters.

phpMyAdmin Web Developer Tools

In phpMyAdmin, the token parameter is a security feature used to prevent Cross-Site Request Forgery (CSRF) attacks. This parameter ensures each request to phpMyAdmin is valid and comes from a user session.

3. Identify error messages and protection mechanisms

After one invalid attempt, the following message is returned:

phpMyAdmin login error

After multiple failed attempts, we didn’t find any protection mechanism. 

Hydra commands and output

In the first scenario, we used the following Hydra commands:

hydra -l pmausers0DdIXFt -p bad-password wordpress.pentest-ground.com https-form-post "/mysqladmin/index.php:pma_username=^USER^&pma_password=^PASS^&set_session=6lf49aspt3l4afa6is1nfld3sn&server=1&route=%2F&lang=en&token=555a3b4c7631212f3e7161443b263b28:Cannot log in to the MySQL server"
hydra -l pmausers0DdIXFt -p iW9Endo6W9Kfav0scVPDKQ545hPpfOAH wordpress.pentest-ground.com https-form-post "/mysqladmin/index.php:pma_username=^USER^&pma_password=^PASS^&set_session=6lf49aspt3l4afa6is1nfld3sn&server=1&route=%2F&lang=en&token=555a3b4c7631212f3e7161443b263b28:Cannot log in to the MySQL server"
phpMyAdmin Hydra output

Because the token parameter acts as a CSRF token, as shown in the output, Hydra failed to distinguish between invalid and valid credentials, marking both as valid.

Since the first scenario didn't work, we did not proceed with testing the second one.

Password Auditor commands and results

For the first scenario, we adjusted the following parameters in the interface to conduct a more focused scan:

Since the pa-benchmark wordlist includes the valid credentials, the tool will make 4 attempts against the target - 3 with invalid credentials and one with valid credentials.

As shown in the screenshots below, Password Auditor successfully identified the valid credentials.

phpMyAdmin Password Auditor scan resultsphpMyAdmin Password Auditor HTTPS Weak Password

The Password Auditor automatically includes a screenshot of the logged-in session to confirm the provided credentials are valid.

Password Auditor screenshot of phpMyAdmin logged-in session

For the second, more realistic scenario, we modified the wordlist to include 3 users (1 invalid and 2 valid) and 13 passwords (12 invalid and 1 valid).

phpMyAdmin Password Auditor tool parametersphpMyAdmin Password Auditor scan findings

Bruteforce commands and settings for Hydra and the Password Auditor

Learn when to use Hydra for brute-force attacks and when the Password Auditor’s automation, screenshot capture, and proof-based reporting provide a better alternative for correctly identifying login credentials with greater speed and accuracy. 

By testing these login security measures, you can identify risks that could lead to unauthorized server access, control panel takeovers, or database breaches, helping organizations stay ahead of real-world threats.