How to bruteforce IT and server management apps with Hydra and the Password Auditor
Bruteforcing login endpoints is essential for assessing the security of IT and server management applications. Gaining access to these web apps can expose critical administrative controls, server configurations, database access, email accounts, and other sensitive assets that attackers target.
This guide provides real-world testing methodologies for cPanel, Plesk, Webmin, phpMyAdmin, and more, helping you discover login parameters, analyze authentication mechanisms, and test login security measures. By applying these techniques, you can pinpoint authentication weaknesses before malicious attackers do, ensuring a stronger security posture for the systems you audit.

How to check Plesk web pro for weak credentials
Deployment method: Vultr marketplace
1. Find the Plesk web app login endpoint
Usually, the Plesk login form sits on the /login endpoint on port 8443.

2. Discover the Plesk login parameters
Use the Network tab in Web Developer Tools to identify the parameters.

3. Identify error messages and protection mechanisms
After one invalid attempt, the following message is returned:

After 5 invalid credentials, the IP address got blocked:

Hydra commands and output
Hydra was not able to brute force Plesk because of its multipart body format. There is already an open issue for this on their official Github repository.
Password Auditor commands and results
For the first scenario, these are the parameters we adjusted to perform a more focused scan:
Ports: Use port from target URL
Services: HTTP
Wordlists: pa-benchmark
As the pa-benchmark wordlist includes the valid credentials, the tool will make 4 attempts against the target - 3 with invalid credentials and one with valid credentials.
As shown in the screenshots below, Password Auditor successfully identified the valid credentials.

Additionally, the Password Auditor includes a screenshot of the logged-in session in its results to confirm the provided credentials are valid.

For the second scenario, we used a wordlist with 2 users (1 invalid and 1 valid) and 12 passwords (11 invalid and 1 valid).
Because the scanner’s source IP address was blocked, the Pentest-Tools.com Password Auditor was unable to identify the valid credentials. However, it reported that website access was blocked after 6 attempts.

Bruteforce commands and settings for Hydra and the Password Auditor
Learn when to use Hydra for brute-force attacks and when the Password Auditor’s automation, screenshot capture, and proof-based reporting provide a better alternative for correctly identifying login credentials with greater speed and accuracy.
By testing these login security measures, you can identify risks that could lead to unauthorized server access, control panel takeovers, or database breaches, helping organizations stay ahead of real-world threats.


