Brute-force Attacks On Admin Panels

How can I bruteforce the admin panel of a website?

Always try simple combinations like “admin/admin”. You could also try bruteforcing or phishing.

I actually wanted to know the best way to bruteforce a panel when phishing is not possible.

@D4rkhunt3r please be specific. There is no one magic way to brute force every admin login panel; it depends upon the underlying tech it’s using, or the frameworks at work, or maybe a CMS (like WordPress).

Sorry, but my question was not specific to any CMS. I wanted to know how we can bruteforce an admin panel login. The specific one can be understood easily if the basics are clear. Thank you.

Hi @D4rkhunt3r, so I really recommend you use a tool named “Dirbuster” or “GoBuster”; both are the same. Those tools can really help you in your progress with pentesting and things. It’s like a directory scanner and grabber, a really helpful tool.
It’s available on Kali Linux; you can execute it from the menu or by typing dirbuster (GUI), or just type dirb + your site, or you can download it from here: https://www.owasp.org/index.php/Category:OWASP_DirBuster_Project
Peace ^^

1 Like

Brute forcing the credentials: you just need to resend the HTTP request and with every request change the value of the username and password parameters, so you can use Burp Suite or Hydra:

Brute forcing the admin panel location: do info gathering about the targeted website, get the hosted service / CMS [then search for the default admin panel for them]

and try to understand this code:

and search about web spidering …

@D4rkhunt3r I would suggest using THC Hydra. It is easy to use and also fast.

THC Hydra is buggy af. It tends to give false positives, and one can use Burp Suite or those scripts from GitHub.