How to bruteforce IT and server management apps with Hydra and the Password Auditor

Bruteforcing login endpoints is essential for assessing the security of IT and server management applications. Gaining access to these web apps can expose critical administrative controls, server configurations, database access, email accounts, and other sensitive assets that attackers target. 

This guide provides real-world testing methodologies for cPanel, Plesk, Webmin, phpMyAdmin, and more, helping you discover login parameters, analyze authentication mechanisms, and test login security measures. By applying these techniques, you can pinpoint authentication weaknesses before malicious attackers do, ensuring a stronger security posture for the systems you audit.

Hydra vs password auditor hero image

How to check Plesk web pro for weak credentials

Deployment method: Vultr marketplace

1. Find the Plesk web app login endpoint

Usually, the Plesk login form sits on the /login endpoint on port 8443.

Plesk login form

2. Discover the Plesk login parameters

Use the Network tab in Web Developer Tools to identify the parameters.

Plesk Web Developer Tools

3. Identify error messages and protection mechanisms

After one invalid attempt, the following message is returned:

Plesk login error

After 5 invalid credentials, the IP address got blocked:

Plesk login IP block

Hydra commands and output

Hydra was not able to brute force Plesk because of its multipart body format. There is already an open issue for this on their official Github repository.

Password Auditor commands and results

For the first scenario, these are the parameters we adjusted to perform a more focused scan:


As the pa-benchmark wordlist includes the valid credentials, the tool will make 4 attempts against the target - 3 with invalid credentials and one with valid credentials.


As shown in the screenshots below, Password Auditor successfully identified the valid credentials.

Plesk Password Auditor scan results

Additionally, the Password Auditor includes a screenshot of the logged-in session in its results to confirm the provided credentials are valid.

Password Auditor screenshot of the Plesk logged-in session

For the second scenario, we used a wordlist with 2 users (1 invalid and 1 valid) and 12 passwords (11 invalid and 1 valid).


Because the scanner’s source IP address was blocked, the Pentest-Tools.com Password Auditor was unable to identify the valid credentials. However, it reported that website access was blocked after 6 attempts.

Password Auditor Plesk failed login attempts

Bruteforce commands and settings for Hydra and the Password Auditor

Learn when to use Hydra for brute-force attacks and when the Password Auditor’s automation, screenshot capture, and proof-based reporting provide a better alternative for correctly identifying login credentials with greater speed and accuracy. 

By testing these login security measures, you can identify risks that could lead to unauthorized server access, control panel takeovers, or database breaches, helping organizations stay ahead of real-world threats.