Login Attacks

Whenever an application is identified with a login page, try the following

  • empty username and password field ( Might show something in error message / lets you log directly in )

  • Known username and password root:password, admin:password, admin:admin

  • Default credentials for the particular CMS

  • Bruteforce with hydra

hydra -L <users.txt> -P /usr/share/wordlists/rockyou.txt $ip http-post-form "/loginpage:payload:^USER^&password:^PASS^:error_message" 
  • Known attacks

PHP Logins

Last updated