Login Attacks

Whenever an application is identified with a login page, try the following

• empty username and password field ( Might show something in error message / lets you log directly in )

• Known username and password root:password, admin:password, admin:admin

• Default credentials for the particular CMS

• Bruteforce with hydra

hydra -L <users.txt> -P /usr/share/wordlists/rockyou.txt $ip http-post-form "/loginpage:payload:^USER^&password:^PASS^:error_message" 

• Known attacks

PHP Logins