Forum Thread: GMail Brute Force Dictionary Attack Script

Hey everybody.

So this week I've been making it my mission to learn a bit about THC Hydra and all the little bells and whistles it has to offer — trust me, there are A LOT.

I've noticed a lot on this forum and other sites that Gmail is really difficult to crack with Hydra, mostly because companies like Google have taken precautions against it. I've had some decent success with Hydra against Gmail, but decided to write my own dictionary attack script to see if I could do any better.

Well, I wrote my script to use TLS on port 587 instead of Hydra using SSL on 465. So far I've found I've had a MUCH higher success rate, whereas using Hydra kept getting me locked out. The script is really basic (less than 20 lines of actual code), but seems to be really powerful so far, so I decided to share.

http://pastebin.com/VLVHWyZq

I wrote this in Python and it takes no command line arguments. Just run the script and it will prompt you for what it needs.

Happy Hacking!

40 Responses

Wow, this is what I have been looking for! I have tried many times to brute force Gmail but it blocks me every time when I reach something like 200 attempts :D

TY, I hope it works :D

Awesome! Please let me know how it works out for you. For whatever reason it seems like certain addresses are more "secure" than others and lockouts occur a lot sooner.

Actually I know nothing about programming :/
I thought I just could copy your script into Python? But I can't even find Python in Kali ><

Can you please explain to a "noobie" how to try this? Details pls.
Thank you

Make a file with a .py extension. For example, gmail.py

Then open that file, paste BURNCT's code in it, and save it.

Then open a terminal, and type:

python3 (PATH TO WHERE YOU SAVED THE FILE)

If you don't have Python installed, install it from the repos.

apt-get update && apt-get install python3

You didn't explain it well enough xD
I got this error (A syntaxError: invalid syntax) - I have no idea what that means.

Don't edit the file at all. When you run the program you'll be prompted for the email address and the password file from the command line.

You're not in the right directory on the command line. Pull up your terminal and type these commands:
cd Desktop
cd test
python 'brute force.py'

Then enter the email address, then enter the name of your list when prompted.

What is the meaning of password file name??? Does it mean my wordlist... or what???

To Phoenix: this is python2 syntax, not python3.

To Hacker1234125: just save the program with a .py extension and run it from the terminal... python (name of program). Plus you need to have the wordlist in the same directory.

To burnCT: really nice tutorial :)

Edit - Yes it works now thanks :D

My bad, it is just python2 syntax.

But who still writes in python2, honestly?

-Phoenix750

Us "old" people still do! Hell, I installed a VM of Windows 3.1 this past weekend.

There is still just one problem: Gmail closed the connection to me?
I think you need to add in a proxy that changes IP every 100 attempts.
'Cause it's pretty useless when the brute force attack can only handle 100 attempts :/

But keep the good work up :)

-It closed the connection when I reached the 90th attempt

Do you know how to modify his code to change proxy after every 100 attempts or so?

Ok friend. What you want to do is you want to open the terminal and type cd /root/Desktop/
nano gmail.py
paste the contents
press ctrl + x
y
enter
then do chmod 775 gmail.py
python gmail.py
and it should start doing the program

Can you please help me? It is saying that my correct password is incorrect.

Found it, but can you please tell me how to get this to work with other mail services?

Se7enpeace:

The two scripts do the exact same thing using different programs, but written in two different languages. Thanks for pointing that out though!

That script actually uses Hydra to do the work. The one I wrote is completely independent of Hydra and uses a different encryption connection method (TLS instead of SSL).

I also think that because Python is slower, you are less likely to be locked out, am I right? I once wrote a Facebook brute forcer by brute forcing the web forms, and its strength was that it only could do like 30 passwords/min.

-Phoenix750

That's a valid point. Obviously with so few lines of code I didn't program it to use multiple threads. LOL

Has anybody tested the script out? I'm not able to put it to work..

What happens when you try to run it?

I tried to use the script against an e-mail account I've created, and when it gets to the real password it labels it as incorrect.

I have tried it, but Gmail will block you after 100 attempts. It's not worth it. Unless you know a way to pass this block?

You could use proxies. But then, you'll need to modify his code.

-Phoenix750

Do you know how to modify his code to change proxy after every 100 attempts or so?

Wtf, it's not working. I have entered my password in passlist and then I do that but it doesn't work. Can anyone help me?

Well, Gmail terminates the connection after every 100 attempts or so... this makes it pretty useless. Solution might be to include change of proxy in the present code.. Can someone post the code of that or give an idea how to code it?

Thanks!

Someone mentioned earlier that for some accounts, Gmail seems to terminate/block the IP much earlier, in my case... after a feeble 12 attempts! I was using Hydra though, have not tried this script - has it been updated to change proxy every xxx attempts? Could you make it so that we can adjust the number of attempts - as others have quoted 100-150, but mine was as low as 12??? Thanks!

Do this script proxy server and send me

Do you actually know if a proxy will thwart their brute force protection? Or is this just based on assumptions?

They may have different levels of throttling: e.g., 100 attempts per IP in (x) hours, ban that IP for a couple hours, 200 attempts by ANY IP in (x) hours, prevent all logins to account (any IP) for a couple hours, etc.
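
The layered throttling this post describes, sketched from the defender's side as an added example (not code from the thread, and not Google's actual implementation). The class name, thresholds and addresses are assumptions built from the post's illustrative numbers; the simulation shows the per-account counter locking the account even when failures come from several source IPs that each stay under the per-IP limit.

```python
from collections import defaultdict, deque

class LoginThrottle:
    """Sliding-window limits on failed logins, per source IP and per account.
    Thresholds are illustrative (taken from the post), not a real provider's."""

    def __init__(self, per_ip=100, per_account=200, window=3600, ban=7200):
        self.per_ip, self.per_account = per_ip, per_account
        self.window, self.ban = window, ban
        self.ip_fails = defaultdict(deque)    # ip -> failure timestamps
        self.acct_fails = defaultdict(deque)  # account -> failure timestamps
        self.blocked_until = {}               # ("ip"|"acct", key) -> expiry time

    def allowed(self, ip, account, now):
        """Return (ok, reason); called before the password is even checked."""
        if self.blocked_until.get(("ip", ip), 0) > now:
            return False, "ip_banned"
        if self.blocked_until.get(("acct", account), 0) > now:
            return False, "account_locked"
        return True, "ok"

    def _record(self, kind, table, key, limit, now):
        q = table[key]
        q.append(now)
        while q and q[0] <= now - self.window:  # drop failures outside the window
            q.popleft()
        if len(q) >= limit:                     # threshold hit: start the ban
            self.blocked_until[(kind, key)] = now + self.ban
            q.clear()

    def record_failure(self, ip, account, now):
        self._record("ip", self.ip_fails, ip, self.per_ip, now)
        self._record("acct", self.acct_fails, account, self.per_account, now)


def simulate(source_ips, attempts_per_ip, throttle, account="user@example.com"):
    """Constructed scenario: one failed login per second, spread over the given
    source IPs. Returns how many attempts ended with each decision."""
    reasons, now = defaultdict(int), 0
    for ip in source_ips:
        for _ in range(attempts_per_ip):
            now += 1
            ok, reason = throttle.allowed(ip, account, now)
            if ok:
                throttle.record_failure(ip, account, now)
            reasons[reason] += 1
    return dict(reasons)
```
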

help please
NameError: name 'passwordfile

Every time I make this script this comes up: Name error passwordfile. Help guys

Hello, I'm sorry to sound stupid because I am not very experienced with using python. After I enter the target's email address, the code asks for a password file name. What does this mean and what do I need to do?

You need to tell the program where the password file is (file path). For example, if your password file is in /home/user/Desktop and the name of the file is password.txt, you should write /home/user/Desktop/password.txt and that's it. Hit enter and watch the magic happen. Cheers!

What is password file?
What should i do if I'm trying to run the program by my smartphone??

@BURNCT I'm trying to get in contact with you. How do I msg you directly? I'm stuck at the same spot you were in another post and I don't know if anyone ever figured it out. skype>djmasentertainment

Dude, I am a learner to Python.
I don't know how to apply this program.
What things will I have to put manually??
Every time I run this, it says syntax error.
Please help me.

Step 1:

Help me
