To check your website on brutforce attacks you can use this.
- If you want to test attack like a real one, then use a VPN to change your IP.
- Use PROXIES and ideally not free ones if possible, as these could save your data. But with VPN that doesn't matter, you can also use free proxies.
- The USER AGENT is also added and changed here.
- Sessions are also used to maintain the session.
If you don't use PROXIES and VPNs, your real information will be sent along.
However, you don't need to worry because you are testing your own website. It's about protecting your website against real attacks.
But to simulate a real attack you should also consider VPN and PROXIES, because a real attacker will not do otherwise in order not to transmit his information and also bypass your blocks.
The script for all possible combinations of letters, numbers and special characters. Starting with a.
Using such extensive brute force methods can be very resource intensive, especially for longer passwords, as the number of combinations increases exponentially with the length of the password.
Use this approach wisely and ensure that your testing is ethical and legal, especially when conducted against systems you do not own.
Check if package is installed:
$ pip3 list
If not installed, install the packages:
$ pip3 install requests
$ pip3 install "requests[socks]"
$ pip3 install beautifulsoup4
Set your settings first and then start the script.
EMAIL = "email@localhost" # Set the email for login
LOGIN_URL = "http://localhost:8000/login/" # Set the login page url
ERROR_DIV_CLASS = "error-message" # Set the error message class name
MAX_PASS_LENGTH = 10
RESPONSE_DELAY = 1
DEBUG_FORM = True # Set this to True to print form debugging information
DEBUG_FORM_LENGTH = 1000 # Set this to True to print form debugging information
If you use the script with user agent only.
USER AGENTS:
user_agents = [
"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3",
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1 Safari/605.1.15",
"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36",
# Add more user agents as needed
]
If you use the script with proxies and user agents.
HTTP PROXY:
proxy_list = [
{'http': 'http://proxy1:port', 'https': 'http://proxy1:port'},
{'http': 'http://proxy2:port', 'https': 'http://proxy2:port'},
{'http': 'http://proxy3:port', 'https': 'http://proxy3:port'},
# Add more proxies as needed
]
OR SOCKS PROXY:
proxy_list = [
{'http': 'socks5://proxy1:port', 'https': 'socks5://proxy1:port'},
{'http': 'socks5://proxy2:port', 'https': 'socks5://proxy2:port'},
{'http': 'socks5://proxy3:port', 'https': 'socks5://proxy3:port'},
# Add more proxies as needed
]
Start the brutforce:
$ python3 bruteforce.py
Output
/*-------------------------------------------------------------------------------------*/
/* BRUTEFORCE ATTACK */
/*-------------------------------------------------------------------------------------*/
/* Don't use for illegal activities */
/*-------------------------------------------------------------------------------------*/
Test combination: admin a
Status Code: 200, Final URL: http://localhost/user/login/
...
Test combination: adm0\
Test combination: adm0]
Test combination: adm0^
Test combination: adm0_
Test combination: adm0`
Test combination: adm0{
Test combination: adm0|
Test combination: adm0}
Test combination: adm0~
Test combination: adm1!
Test combination: adm1"
Test combination: adm1#
/*-------------------------------------------------------------------------------------*/
/* PASSWORD FOUND */
/*-------------------------------------------------------------------------------------*/
/* Time (ms) | Tries | Name | Password */
/* 1322.645 | 454533 | admin | adm1# */
/*-------------------------------------------------------------------------------------*/
If you debug the form, you will also see the form in the output
<form method="post" action="http://localhost/user/login/">
<input type="email">
<input type="password">
<input type="submit">
</form>
A VPN creates a secure, encrypted connection between your device and a server operated by the VPN provider. Below are some key points about VPNs:
- Encryption: VPNs encrypt all of your internet traffic, meaning everything you send and receive is protected and cannot be seen or manipulated by anyone along the way.
- IP Hide: Similar to a proxy, a VPN replaces your IP address with that of the VPN server. Websites and online services only see the IP address of the VPN server.
- Bypass geo-blocking: VPNs are effective at bypassing geo-restrictions because they allow you to choose the location of the server you are connecting from.
- Security on public networks: VPNs are particularly useful for protecting your data on public and unsecure networks (like public Wi-Fi).
A proxy server acts as an intermediary between your device and the internet. When you send a request through a proxy, your request first goes to the proxy server, which then forwards the request to the destination on your behalf. Here are some key aspects of proxies:
- IP Hide: Your actual IP address will be replaced with the proxy server’s IP address. Websites see the proxy's IP address and not your own.
- No encryption: Most standard proxy servers do not encrypt your traffic. This means that information transmitted between your device and the proxy server could be viewed by third parties unless it is otherwise encrypted.
- Different types:
- HTTP Proxy: Suitable for web browsing.
- SOCKS Proxy: More flexible and compatible with all types of internet traffic, but slower.
- Transparent proxies: They don't actually hide your IP address and are often used in businesses and educational institutions to monitor or filter internet traffic.
Please use the issue tab to request a:
- Bug
- Feature
Choose template and report a bug or feature you want issues.
Please read the contributing to contribute.
Please use the Security section for privately reporting a vulnerability.