Password Auditor
Measure how resistant your accounts and password hashes really are. Online mode throttles guesses at a live service (Hydra); offline mode cracks captured hashes at full speed (Hashcat). Use it only where you are authorized.
- Category: Offensive (authorized)
- Powered by: hydra · hashcat · john
- Edition: Pro
- Where: Desktop → Password Auditor tab
What it does
Password Auditor answers a simple question with hard evidence: could an attacker get in with the credentials you have today? It has two complementary modes.
- Online audit (Hydra) — attempts logins against a live service (SSH, FTP, HTTP form, RDP, SMB, …) using a username + wordlist, the way an attacker would, so you learn which accounts fall to common passwords.
- Offline crack (Hashcat) — takes password hashes you already hold (from your own database or a pentest capture) and tries to recover the plaintext at GPU speed, proving how weak the stored hashes are.
- Hash-type detection — paste a hash and Nexus guesses the algorithm (MD5, SHA-1, bcrypt, NTLM, …) so you pick the right crack mode.
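Hash-type detection is a heuristic, and the caveat matters when you pick a crack mode or judge how weak stored hashes are: a bare 32-hex-character value is the same shape whether it is MD5 or NTLM. The following is an added example, not Nexus's own detector, that classifies hashes by prefix and length, returns every candidate for ambiguous shapes, and flags fast unsalted digests as weak for password storage; the `user:hash` input format and the sample lines are constructed for the example.

```python
import re

_HEX = re.compile(r"^[0-9a-fA-F]+$")

# Modular-crypt style prefixes identify the algorithm unambiguously.
_PREFIXES = {
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$argon2id$": "argon2id", "$argon2i$": "argon2i", "$argon2d$": "argon2d",
}

# Bare hex digests: length alone cannot separate MD5 from NTLM, so both are
# returned and the operator must confirm the source before choosing a mode.
_HEX_LENGTHS = {
    32: ["MD5", "NTLM"],
    40: ["SHA-1"],
    64: ["SHA-256"],
    128: ["SHA-512"],
}

# Slow, salted password hashes that a remediation plan can leave in place.
_SLOW_HASHES = {"bcrypt", "argon2id", "argon2i", "argon2d"}


def detect_hash_types(value: str) -> list[str]:
    """Return the candidate algorithms for one hash string (empty if unknown)."""
    value = value.strip()
    for prefix, name in _PREFIXES.items():
        if value.startswith(prefix):
            return [name]
    if _HEX.fullmatch(value):
        return list(_HEX_LENGTHS.get(len(value), []))
    return []


def storage_strength(value: str) -> str:
    """'strong' if every candidate is a slow password hash, 'weak' if any is a fast digest."""
    candidates = detect_hash_types(value)
    if not candidates:
        return "unknown"
    return "strong" if all(c in _SLOW_HASHES for c in candidates) else "weak"


def audit_hash_lines(lines: list[str]) -> dict[str, dict]:
    """Classify each 'user:hash' line (constructed format) for a remediation report."""
    report = {}
    for line in lines:
        if ":" not in line:
            continue  # skip malformed lines rather than guessing
        user, hashed = line.split(":", 1)
        report[user] = {"candidates": detect_hash_types(hashed),
                        "strength": storage_strength(hashed)}
    return report


SAMPLE_HASH_LINES = [  # constructed sample input for this example
    "alice:5f4dcc3b5aa765d61d8327deb882cf99",  # 32 hex chars: MD5 or NTLM
    "bob:$2b$12$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0",  # placeholder bcrypt
    "carol:$argon2id$v=19$m=65536,t=3,p=4$c2FsdHNhbHQ$aGFzaGhhc2hoYXNo",  # placeholder argon2id
    "dave:not-a-hash",
]
```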
How to use it
1. Pick a mode
Choose Online to test a running service, or Offline to crack a hash file you captured from a system you own.
2. Online: set the target & service
Enter the host, the service/protocol, a username (or user list), and a wordlist. Keep the thread count modest so you do not lock out real accounts.
```text
Target: ssh://10.0.0.20
User: admin
Wordlist: rockyou.txt (manage lists in the Wordlist Manager tool)
```
3. Offline: load hashes & detect the type
Paste or load the hashes, confirm the detected algorithm, and choose a dictionary or rule.
4. Run & read the results
Found credentials are listed with the account and the password that worked, plus timing — so a fast crack is itself a finding.
Modes & options
- Services — common protocols Hydra supports (SSH/FTP/HTTP(S)/RDP/SMB/MySQL and more).
- Wordlists — bring your own or pull SecLists with the Wordlist Manager.
- Throttling — tune concurrency to avoid account lockouts and noisy traffic.
- Hash modes — straight dictionary, or with mangling rules for realistic cracking.
What you get
A clear list of any cracked accounts/hashes with the recovered password and how long it took. Feed weak findings into your remediation plan: enforce length + MFA, rotate weak credentials, and move stored hashes to a strong algorithm (bcrypt/argon2).
Tips
- Start online tests with a small, targeted wordlist before a large one.
- For offline cracking, the right hash mode matters more than a huge wordlist.
- Pair findings with the Security Score tool to track your password posture over time.
Authorized use only. Credential testing against systems you do not own or are not permitted to assess is illegal. Use Password Auditor strictly for authorized penetration testing and your own infrastructure. Throttle online attempts so you do not lock out or disrupt real users.