Home
Mandolin0 is a web form bruteforce tool useful during security assessment activities for testing weak account passwords. It was built to be highly efficient, portable across operating systems and easy to use.
Mandolin0 is run from a command prompt; to see all the available options run:
Mandolin0.exe -h
Most of the available options can also be set in the configuration file mandolin0.config, so they do not have to be specified on every run.
To be efficient, Mandolin0 sends every request in parallel and asynchronously. This means it can cause a denial of service on the audited application, so pay attention to what you do. Password guessing can also trigger account lockout policies, so agree the scope and the accounts to be tested with the owner beforehand.
The number of threads is not fixed: it is computed by a heuristic that takes into account the web server's current response time, so the thread count stays close to optimal without asking the user to choose it.
Two important concepts behind Mandolin0 are the Template and the Oracle. Both are located in the Data directory: the Template defines the request that must be sent to log in to the application, and the Oracle defines how the tool recognises that it has discovered a user's password.
To learn more about them, see the pages listed in the right-hand side panel.
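The following Python example is added to this page and is not Mandolin0's own code (Mandolin0 is a .NET program). It illustrates the two ideas above together with the adaptive concurrency described earlier: a Template with placeholders for the credentials, an Oracle that decides from the HTTP response whether the login succeeded, and a concurrency gate that shrinks when the target's response time rises well above its unloaded baseline and grows while responses stay fast. The Template and Oracle shapes, the success rule (a redirect without the failure text), the 2.0x/1.2x thresholds and the 1..16 bounds, the in-process FakeTarget whose latency grows with in-flight requests, the account admin/letmein and the wordlist are all assumptions made for the illustration; Mandolin0's actual heuristic and file formats are documented on the other wiki pages.

```python
from __future__ import annotations
import asyncio
import time
from dataclasses import dataclass
from urllib.parse import parse_qs, quote_plus

@dataclass
class Template:
    """Login request to send; {username}/{password} are filled in per attempt (assumed shape)."""
    method: str
    path: str
    body: str  # form body, e.g. "user={username}&pass={password}"

    def render(self, username: str, password: str) -> dict:
        body = self.body.format(username=quote_plus(username), password=quote_plus(password))
        return {"method": self.method, "path": self.path, "body": body}

@dataclass
class Oracle:
    """Assumed success rule: a redirect that does not carry the failure text."""
    success_status: int = 302
    failure_marker: str = "Invalid credentials"

    def accepted(self, status: int, body: str) -> bool:
        return status == self.success_status and self.failure_marker not in body

class AdaptiveLimiter:
    """Concurrency gate driven by response time: shrink when requests take much
    longer than the unloaded baseline (target saturating), grow while they stay
    fast.  The bounds and the 2.0x / 1.2x thresholds are assumed values."""

    def __init__(self, start: int, lo: int, hi: int, baseline_s: float):
        self.limit, self.lo, self.hi, self.baseline = start, lo, hi, baseline_s
        self.inflight, self.cond = 0, asyncio.Condition()
        self.history = [start]  # limit after each observation, for inspection

    async def __aenter__(self):
        async with self.cond:
            await self.cond.wait_for(lambda: self.inflight < self.limit)
            self.inflight += 1

    async def __aexit__(self, *exc):
        async with self.cond:
            self.inflight -= 1
            self.cond.notify_all()

    async def observe(self, elapsed_s: float) -> None:
        async with self.cond:
            if elapsed_s > 2.0 * self.baseline:
                self.limit = max(self.lo, self.limit - 1)
            elif elapsed_s < 1.2 * self.baseline:
                self.limit = min(self.hi, self.limit + 1)
            self.history.append(self.limit)
            self.cond.notify_all()

class FakeTarget:
    """Constructed stand-in for the audited app: latency grows with requests in flight."""

    def __init__(self, valid: dict, base_s: float = 0.002, per_inflight_s: float = 0.002):
        self.valid, self.base, self.per = valid, base_s, per_inflight_s
        self.inflight = self.peak = 0

    async def handle(self, req: dict) -> tuple[int, str]:
        self.inflight += 1
        self.peak = max(self.peak, self.inflight)
        try:
            await asyncio.sleep(self.base + self.per * self.inflight)
        finally:
            self.inflight -= 1
        form = parse_qs(req["body"])
        user, pw = form.get("user", [None])[0], form.get("pass", [None])[0]
        return (302, "") if self.valid.get(user) == pw else (200, "<p>Invalid credentials</p>")

async def _run(template, oracle, target, username, wordlist):
    limiter = AdaptiveLimiter(start=4, lo=1, hi=16, baseline_s=target.base + target.per)
    found, attempts = None, 0

    async def attempt(password: str) -> None:
        nonlocal found, attempts
        async with limiter:
            if found is not None:  # do not spend requests once a hit is known
                return
            attempts += 1
            t0 = time.perf_counter()
            status, body = await target.handle(template.render(username, password))
            await limiter.observe(time.perf_counter() - t0)
            if oracle.accepted(status, body):
                found = password

    await asyncio.gather(*(attempt(pw) for pw in wordlist))
    return found, attempts, limiter.history

def bruteforce(username: str, wordlist: list[str], valid: dict | None = None) -> dict:
    """Run the example against the constructed target (the default account is assumed)."""
    template = Template("POST", "/login", "user={username}&pass={password}")
    target = FakeTarget(valid or {"admin": "letmein"})
    found, attempts, history = asyncio.run(_run(template, Oracle(), target, username, wordlist))
    return {"password": found, "attempts": attempts,
            "limit_history": history, "peak_inflight": target.peak}
```

Calling bruteforce("admin", ["123456", "password", "letmein", "qwerty"]) returns the matching password plus the limit history, which shows the gate backing off as soon as the constructed target slows down under load; a real run would replace FakeTarget with an HTTP client and tune the Oracle to the application's actual success and failure responses.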
Mandolin0 was built using only .NET libraries supported by the Mono framework, so it also runs on Linux once Mono is installed. After installing Mono, run:
mono Mandolin0.exe -h
to start Mandolin0 and show the help menu.