Whenever an application is identified with a login page, try the following
- empty username and password field ( Might show something in error message / lets you log directly in )
- Known username and password
root:password, admin:password, admin:admin
- Default credentials for the particular CMS
- Bruteforce with hydra
hydra -L <users.txt> -P /usr/share/wordlists/rockyou.txt $ip http-post-form "/loginpage:payload:^USER^&password:^PASS^:error_message"
- Known attacks