How to bruteforce IT and server management apps with Hydra and the Password Auditor
Bruteforcing login endpoints is essential for assessing the security of IT and server management applications. Gaining access to these web apps can expose critical administrative controls, server configurations, database access, email accounts, and other sensitive assets that attackers target.
This guide provides real-world testing methodologies for cPanel, Plesk, Webmin, phpMyAdmin, and more, helping you discover login parameters, analyze authentication mechanisms, and test login security measures. By applying these techniques, you can pinpoint authentication weaknesses before malicious attackers do, ensuring a stronger security posture for the systems you audit.

How to check Roxy-WI for weak credentials
Deployment method: Vultr marketplace
1. Find the web app login endpoint for Roxy-WI
The default admin login page for Roxy-WI is typically located on the /app/login.py endpoint on port 443.

2. Discover the login parameters for Roxy-WI
Use the Network tab in Web Developer Tools to identify the parameters.

3. Identify error messages and protection mechanisms
After one invalid attempt, Roxy-WI returns the following message:

The Roxy-WI application has a minimal anti-bruteforce mechanism because the login button gets disabled for just 10 seconds when you enter an invalid set of credentials.
Hydra commands and output
In the first 1 set of valid and 1 set of invalid credentials scenario, we used the following Hydra commands:
hydra -l admin -p bad-password roxy-wi.pentest-ground.com https-post-form "/app/login.py:login=^USER^&pass=^PASS^:Your login or password is incorrect " -Vhydra -l admin -p admin roxy-wi.pentest-ground.com https-post-form "/app/login.py:login=^USER^&pass=^PASS^:Your login or password is incorrect " -V
The server returns an HTTP status code of 200 with the text "ban" when it receives invalid credentials. This response confuses Hydra, leading it to consider the login attempt successful.

Since the first scenario didn't work, we did not proceed with testing the second one.
Password Auditor commands and results
For the first scenario, these are the parameters we adjusted to perform a more focused scan:
Ports: Use port from target URL
Services: HTTP
Wordlists: pa-benchmark
The pa-benchmark wordlist includes valid credentials, so the process involves making four attempts to the target: 3 with invalid credentials and 1 with valid credentials.
The screenshots below show that the Pentest-Tools.com Password Auditor successfully identified the valid credentials.

The Password Auditor also provides a screenshot of the logged-in session to verify the validity of the provided credentials.

For the second scenario, we only changed the wordlist to include 2 users (1 invalid and 1 valid) and 13 passwords (12 invalid and 1 valid).

In the second scenario, the Password Auditor identified all the valid credentials.
Bruteforce commands and settings for Hydra and the Password Auditor
Learn when to use Hydra for brute-force attacks and when the Password Auditor’s automation, screenshot capture, and proof-based reporting provide a better alternative for correctly identifying login credentials with greater speed and accuracy.
By testing these login security measures, you can identify risks that could lead to unauthorized server access, control panel takeovers, or database breaches, helping organizations stay ahead of real-world threats.


