BruteBot Password Brute-Forcing Tool
BruteBot Password Brute-Forcing Tool
Hacking
·2 min read

BruteBot: Password Brute-Forcing Tool

Password brute-forcing tool built upon Python 3.7 and webbot.

BruteBot lets you brute-force login passwords. It is handy for login pages that have CSRF protection or any random tokens.

Basically, the script

  1. GETs the login page,
  2. consumes the username / email and passwords fed by you, and
  3. POSTs those values to the server along with additional random parameters if any
    (could be an Anti-CSRF token or a browser window identifier or a time-stamp, etc.);
  4. loops the entire process until you get a hit, that is, the correct password.

Then:

  • I specifically used webbot (a library derived from Selenium) because I wanted to mimic the actions of a user browsing the target website login page and attempting to brute-force the password themselves, in the cleanest possible way.
  • That way, any additional random tokens that might get generated upon visiting the login page shall be automatically passed along in the subsequent login POST request, and the password brute-forcing automation can be accomplished.
  • Plus, it lets you see the browser in action. So, it becomes easier to visualize and helps while troubleshooting.

Requirements

  1. Download and install the latest version of Python 3.x from here.
  2. Use the package manager pip to install ‘webbot’.
pip3 install webbot
  1. Download Brutebot.py to your local directory.
  2. Place your password list file in the same directory as BruteBot.py.

That’s it! You are good to go!

Usage

python3 BruteBot.py -t (LOGIN PAGE URL) -u USERNAME -p (PASSWORD LIST) --uid (USERNAME ELEMENT ID) --pid (PASSWORD ELEMENT ID) --bname (LOGIN BUTTON NAME) -m (visible / headless) -s (TIME IN SECONDS)

Here, this might “help”:

Command help in BruteBot
Command help in BruteBot

Quickstart guide

Demo 1 – To run BruteBot with default options:

See also
python3 BruteBot.py -t https://demo.testfire.net/login.jsp -u admin -p passwords.txt --uid uid --pid passw --bname Login

Demo 2 – To see the browser(s) in action when BruteBot runs:

python3 BruteBot.py -t https://demo.testfire.net/login.jsp -u admin -p passwords.txt --uid uid --pid passw --bname Login -m visible

Demo 3 – To route the traffic through a proxy while running BruteBot:

python3 BruteBot.py -t https://demo.testfire.net/login.jsp -u admin -p passwords.txt --uid uid --pid passw --bname Login --proxy http://localhost:8080
Backup
Dark Mode

BruteBot (this link opens in a new window) by navin-maverick (this link opens in a new window)

Password brute-forcing tool built upon Python 3.7 and ‘webbot’ library.

3 Subscribers 8 Watchers 2 Forks Check out this repository on GitHub.com (this link opens in a new window)

Privacy settings

Decide which cookies you want to allow. You can change these settings at any time. However, this can result in some functions no longer being available. For information on deleting the cookies, please consult your browser’s help function. Learn more about the cookies we use.

With the slider, you can enable or disable different types of cookies:

This website will

  • Essential: Remember your cookie permission setting
  • Essential: Allow session cookies
  • Essential: Gather information you input into a contact forms newsletter and other forms across all pages
  • Essential: Keep track of what you input in a shopping cart
  • Essential: Authenticate that you are logged into your user account
  • Essential: Remember language version you selected

This website won't

  • Remember your login details
  • Functionality: Remember social media settings
  • Functionality: Remember selected region and country
  • Analytics: Keep track of your visited pages and interaction taken
  • Analytics: Keep track about your location and region based on your IP number
  • Analytics: Keep track of the time spent on each page
  • Analytics: Increase the data quality of the statistics functions
  • Advertising: Tailor information and advertising to your interests based on e.g. the content you have visited before. (Currently we do not use targeting or targeting cookies)
  • Advertising: Gather personally identifiable information such as name and location

This website will

  • Essential: Remember your cookie permission setting
  • Essential: Allow session cookies
  • Essential: Gather information you input into a contact forms newsletter and other forms across all pages
  • Essential: Keep track of what you input in a shopping cart
  • Essential: Authenticate that you are logged into your user account
  • Essential: Remember language version you selected
  • Functionality: Remember social media settings
  • Functionality: Remember selected region and country

This website won't

  • Analytics: Keep track of your visited pages and interaction taken
  • Analytics: Keep track about your location and region based on your IP number
  • Analytics: Keep track of the time spent on each page
  • Analytics: Increase the data quality of the statistics functions
  • Advertising: Tailor information and advertising to your interests based on e.g. the content you have visited before. (Currently we do not use targeting or targeting cookies)
  • Advertising: Gather personally identifiable information such as name and location

This website will

  • Essential: Remember your cookie permission setting
  • Essential: Allow session cookies
  • Essential: Gather information you input into a contact forms newsletter and other forms across all pages
  • Essential: Keep track of what you input in a shopping cart
  • Essential: Authenticate that you are logged into your user account
  • Essential: Remember language version you selected
  • Functionality: Remember social media settings
  • Functionality: Remember selected region and country
  • Analytics: Keep track of your visited pages and interaction taken
  • Analytics: Keep track about your location and region based on your IP number
  • Analytics: Keep track of the time spent on each page
  • Analytics: Increase the data quality of the statistics functions

This website won't

  • Advertising: Tailor information and advertising to your interests based on e.g. the content you have visited before. (Currently we do not use targeting or targeting cookies)
  • Advertising: Gather personally identifiable information such as name and location

This website will

  • Functionality: Remember social media settings
  • Functionality: Remember selected region and country
  • Analytics: Keep track of your visited pages and interaction taken
  • Analytics: Keep track about your location and region based on your IP number
  • Analytics: Keep track of the time spent on each page
  • Analytics: Increase the data quality of the statistics functions
  • Advertising: Tailor information and advertising to your interests based on e.g. the content you have visited before. (Currently we do not use targeting or targeting cookies)
  • Advertising: Gather personally identifiable information such as name and location

This website won't

  • Remember your login details
Save & Close