Brute forcing web applications
Performing brute-force password auditing against web applications is an essential step to evaluate the password strength of system accounts. Nmap offers excellent flexibility as it is fully configurable and contains a database of popular web applications, such as WordPress, Joomla!, Django, Drupal, MediaWiki, and WebSphere.
This recipe shows how to perform brute-force password auditing against popular and custom web applications with Nmap.
How to do it...
Use the following Nmap command to perform brute-force password auditing against web applications using forms:
$ nmap --script http-form-brute -sV <target>
Any credentials found will be shown in the scan result:
PORT STATE SERVICE REASON 80/tcp open     http syn-ack | http-form-brute: |     Accounts |     user:secret - Valid credentials |     Statistics |_    ...