Goodnight Byte: Coding a Web-Based Password Cracker in Python

Our mission for this week's Community Byte was to create a Python program to crack web-based passwords, like the ones you would see on an email or router login. I wanted it to be universal in the sense that it could be easily modified and adapted to another website just by changing a few variables. That was a success! Even though people weren't on time to the coding session, everything went well.

Here is the link to our web cracker's source.

Let's break this program down, line-by-line.

How Nullforce Works

1. Line 1 is a shebang, this reveals where our python executable is.
2. Lines 3-5 tell the program name, version and the authors.
3. Line 10 is the login page we are attacking.
4. Line 11 is the username that we want in the field.
5. Line 12 is the wordlist that we will be using to attack the password field with.
6. Line 13 contains the error that the attack target throws when a bad login happens.
7. Line 15 is a variable that will read our dictionary line-by-line.
8. Line 16 prints the status to the screen.
9. Line 18 starts the loop that makes the program keep guessing until the password list is done.
10. Line 19 removes extra lines.
11. Lines 20-22 mimic the login sequence.
12. Line 23 encodes the data for transmission.
13. Line 24 opens our attack page.
14. Line 25 spoofs a user agent header, this will trick people into thinking we are a browser.
15. Line 26 gets the page source of the website.
16. Line 27 searches the source for the bad login string; if it isn't there, the password is cracked.

That's all it took to code such a potent tool! This could easily be hacked to allow threading to greatly increase the speed. I encourage someone to do just that, I can't be the only one who takes initiative!

For next week, instead of coding, who would like to see some walkthroughs for HackThisSite? HackThisSite is a legal, safe practice ground for striving hackers to test their skills and knowledge.

Bring your thoughts to the Forums or the IRC!