hoangthanhnguyen/BruteforceHTTP

BruteforceHTTP

An automated brute forcing tool

About this project

An HTTP brute-force tool based on the Mechanize browser.

Installation

Requirements

  • python2
  • python2-pip
  • python-regex

sudo apt install python python-regex git
git clone https://github.com/dmknght/BruteforceHTTP.git

Options

Usage: main.py [options] <url>

Options:

-u <word_list> : Add word list for username field
-p <word_list> : Add word list for password field
-U <username>: user1:user2:user3

Usage

Use default userlist and passlist:

python main.py <Target URL>

Use default passlist for user admin (for multiple usernames, use user1:user2:user3):

python main.py -U admin <Target URL>

Use custom userlist and custom passlist:

python main.py -u <path to userlist> -p <path to passlist> <Target URL>

How this tool works

This tool detects form fields automatically, collects information and submits data; therefore it can handle CSRF tokens.

  • Update 1/1/2019: Automatically chooses between HTTP GET authentication and HTTP POST form mode
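Because the form is read again before each submission, a CSRF token does not slow this kind of tool down; what stays visible on the server side is the rate of failed logins. The following is an added defensive example (Python 3, not code from this project) that scans authentication events for guessing bursts and for a successful login that follows one. The log format, window and threshold are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # assumed look-back window
THRESHOLD = 5                    # assumed failures per window before alerting

# Constructed sample, assumed format: "<ISO time> <source IP> <username> <OK|FAIL>"
SAMPLE_LOG = """\
2019-01-01T10:00:00 198.51.100.4 alice FAIL
2019-01-01T10:00:05 198.51.100.4 alice OK
2019-01-01T10:01:00 203.0.113.7 admin FAIL
2019-01-01T10:01:01 203.0.113.7 admin FAIL
2019-01-01T10:01:02 203.0.113.7 admin FAIL
2019-01-01T10:01:03 203.0.113.7 admin FAIL
2019-01-01T10:01:04 203.0.113.7 admin FAIL
2019-01-01T10:01:05 203.0.113.7 admin OK
2019-01-01T10:05:00 192.0.2.9 bob FAIL
"""


def detect(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return (kind, key, time) alerts for failure bursts and logins after a burst."""
    recent = defaultdict(deque)   # ("ip" | "user", value) -> recent failure times
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_text, ip, user, outcome = line.split()
        ts = datetime.fromisoformat(ts_text)
        keys = (("ip", ip), ("user", user))
        for key in keys:          # drop failures that fell out of the window
            q = recent[key]
            while q and ts - q[0] > window:
                q.popleft()
        if outcome == "FAIL":
            for key in keys:
                recent[key].append(ts)
                if len(recent[key]) == threshold:   # alert once per burst
                    alerts.append(("guessing", key, ts))
        elif any(len(recent[key]) >= threshold for key in keys):
            # A success right after a burst suggests the guess worked.
            alerts.append(("success_after_burst", ("user", user), ts))
    return alerts
```

Tracking the per-username key as well as the per-IP key matters because guesses spread over many source addresses only accumulate under the username.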

Problems:

  • Form field detection fails in some special cases. We will try to improve our function.
  • Wrong password matching: the matching condition is not complete.

Further improvement (See TODO.md)

Limitations

  • JavaScript websites (mechanize library problem)
  • Login with captcha (Please read WEBNOTE.md for test cases)

Why this / that (FAQ)

  • Q: What is this tool?
  • A: This tool is a brute-force attack tool, based on the mechanize browser project. It means this tool can simulate submitting login requests.
  • Q: Why not python3?
  • A: Currently, mechanize supports Python 2 only. And because Python 3 has some different syntax, this project doesn't support Python 3 for now.
  • Q: What can it do?
  • A: This tool aims to perform a brute-force attack automatically against any website, with easy options.
  • Q: Why not other tools?
  • A: There are other tools that can brute-force HTTP. But...
    • Most scripts are static. They can attack only one or a few websites (based on form name).
    • Hydra can do HTTP login. But it has complex options, can't do login with a CSRF token (and you have to give the names of the submit fields manually).
    • Burp Suite: can't do CSRF forms by default, doesn't show you a readable report, has complex steps, and the free version is not very fast.
  • Q: This tool aims to brute-force all websites, so why can't it do this site?
  • A: There are known issues:
    • JavaScript websites: mechanize can't do anything with JavaScript. Executing JavaScript brings security problems to the client side as well, so ... it is impossible right now.
    • Gmail, Yahoo: these 2 sites submit twice. I am trying to add this case to the project.
    • Some login pages have wrong HTML syntax. I am working with mechanize to fix it.
    • Captcha: This is not an easy one. But I am trying my best.
  • Q: How about bypassing techniques?
  • A: I am trying to combine SQL injection login bypass as well. Be patient!
  • Q: Why does this tool show a wrong result (multiple passwords for 1 username)?
  • A: There are 2 known cases:
    • The web server shows a block message with a 200 HTTP response (or an error message in some cases). I am unable to analyze it exactly for now.
    • I've found a "Bypass authentication" issue in some CCTV. I think it is a "race condition" vulnerability.
  • Q: You mentioned CCTV. So can this tool attack HTTP GET Authentication?
  • A: Yes, it can. It will choose the HTTP GET / HTTP POST FORM attack automatically.
  • Q: How about wordlist? Secure password?
  • A: This tool brings some default wordlists. You can use your custom wordlist as well. But be careful with huge files; there is a memory management issue that I can't fix right now. I am trying to generate passwords from keywords as well.
  • Q: Sounds like this tool is trash
  • A: Not really. I did some successful real-world attacks with this tool and I can say it deserves a try. Of course you can do it with other tools, or your own script. But as I said, my tool is easy to use and it will save your time.
  • Q: Why do you do this so slow?
  • A: I have to do almost everything: testing, debugging, analysis, research, ... @ZeroX-DG is doing his project, so I have to do it myself. Another reason is that I am not a good developer. Actually I am not even a developer.
  • Q: Can I customize your tool?
  • A: Yes, you are welcome. But if you find something good, please help me by making a pull request. It will help me (and others ;) ) so much.

Author

Additional information

  • This tool was created in Parrot Security OS 3.11, Python 2.7.15rc1.
  • Fully tested on Parrot Security OS 4.4 and Debian 10.
  • The Windows platform is unsupported.

Credit

Special thanks to all authors of these projects:
