Brute forcing web applications
Performing brute force password auditing against web applications is an essential step to evaluate the password strength of system accounts. There are powerful tools such as THC Hydra, but Nmap offers great flexibility as it is fully configurable and contains a database of popular web applications, such as WordPress, Joomla!, Django, Drupal, MediaWiki, and WebSphere.
This recipe shows how to perform brute force password auditing against popular and custom web applications with Nmap.
How to do it...
Use the following Nmap command to perform brute force password auditing against web applications using forms:
$ nmap --script http-form-brute -p 80 <target>
If credentials are found, they will be shown in the results:
PORT STATE SERVICE REASON 80/tcp open http syn-ack | http-form-brute: | Accounts | user:secret - Valid credentials | Statistics |_ Perfomed 60023 guesses in 467 seconds, average tps: 138
How it works...
The...