BruteBot Password Brute-Forcing Tool
BruteBot Password Brute-Forcing Tool

BruteBot: Password Brute-Forcing Tool

Password brute-forcing tool built upon Python 3.7 and webbot.

BruteBot lets you brute-force login passwords. It is handy for login pages that have CSRF protection or any random tokens.

Basically, the script

  1. GETs the login page,
  2. consumes the username / email and passwords fed by you, and
  3. POSTs those values to the server along with additional random parameters if any
    (could be an Anti-CSRF token or a browser window identifier or a time-stamp, etc.);
  4. loops the entire process until you get a hit, that is, the correct password.

Then:

  • I specifically used webbot (a library derived from Selenium) because I wanted to mimic the actions of a user browsing the target website login page and attempting to brute-force the password themselves, in the cleanest possible way.
  • That way, any additional random tokens that might get generated upon visiting the login page shall be automatically passed along in the subsequent login POST request, and the password brute-forcing automation can be accomplished.
  • Plus, it lets you see the browser in action. So, it becomes easier to visualize and helps while troubleshooting.

Requirements

  1. Download and install the latest version of Python 3.x from here.
  2. Use the package manager pip to install ‘webbot’.
pip3 install webbot
  1. Download Brutebot.py to your local directory.
  2. Place your password list file in the same directory as BruteBot.py.

That’s it! You are good to go!

Usage

python3 BruteBot.py -t (LOGIN PAGE URL) -u USERNAME -p (PASSWORD LIST) --uid (USERNAME ELEMENT ID) --pid (PASSWORD ELEMENT ID) --bname (LOGIN BUTTON NAME) -m (visible / headless) -s (TIME IN SECONDS)

Here, this might “help”:

Command help in BruteBot
Command help in BruteBot

Quickstart guide

Demo 1 – To run BruteBot with default options:

python3 BruteBot.py -t https://demo.testfire.net/login.jsp -u admin -p passwords.txt --uid uid --pid passw --bname Login

Demo 2 – To see the browser(s) in action when BruteBot runs:

python3 BruteBot.py -t https://demo.testfire.net/login.jsp -u admin -p passwords.txt --uid uid --pid passw --bname Login -m visible

Demo 3 – To route the traffic through a proxy while running BruteBot:

python3 BruteBot.py -t https://demo.testfire.net/login.jsp -u admin -p passwords.txt --uid uid --pid passw --bname Login --proxy http://localhost:8080
Dark Mode