Login Attacks

Whenever an application is identified with a login page, try the following
  • empty username and password field ( Might show something in error message / lets you log directly in )
  • Known username and password root:password, admin:password, admin:admin
  • Default credentials for the particular CMS
  • Bruteforce with hydra
hydra -L <users.txt> -P /usr/share/wordlists/rockyou.txt $ip http-post-form "/loginpage:payload:^USER^&password:^PASS^:error_message"
  • Known attacks
​