Our mission for this week's Community Byte was to create a Python program to crack web-based passwords, like the ones you would see on an email or router login. I wanted it to be universal in the sense that it could be easily modified and adapted to another website just by changing a few variables. That was a success! Even though people weren't on time to the coding session, everything went well.
Here is the link to our web cracker's source.
Let's break this program down, line-by-line.
- Line 1 is a shebang; it tells the system where our Python executable is.
- Lines 3-5 tell the program name, version and the authors.
- Line 10 is the login page we are attacking.
- Line 11 is the username that we want in the field.
- Line 12 is the wordlist that we will be using to attack the password field with.
- Line 13 contains the error that the attack target throws when a bad login happens.
- Line 15 is a variable that will read our dictionary line-by-line.
- Line 16 prints the status to the screen.
- Line 18 starts the loop that makes the program keep guessing until the password list is done.
- Line 19 removes extra lines.
- Lines 20-22 mimic the login sequence.
- Line 23 encodes the data for transmission.
- Line 24 opens our attack page.
- Line 25 spoofs a User-Agent header so the request looks like it came from a browser.
- Line 26 gets the page source of the website.
- Line 27 searches the source for the bad login string; if it isn't there, the password is cracked.
That's all it took to code such a potent tool! This could easily be hacked to allow threading to greatly increase the speed. I encourage someone to do just that; I can't be the only one who takes initiative!
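Seen from the server, the loop walked through above is a burst of failed logins for one username, and the spoofed User-Agent from line 25 means the header tells a defender nothing. The following is an added example, not part of the original cracker: a small detector run over a constructed auth log (the log format, the threshold and names such as `detect` are assumptions) that flags that burst and records whether a successful login followed it.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log: "<ISO time> <source IP> <username> <FAIL|OK>"
SAMPLE_LOG = """\
2024-05-01T10:00:00 198.51.100.7 admin FAIL
2024-05-01T10:00:02 198.51.100.7 admin FAIL
2024-05-01T10:00:04 198.51.100.7 admin FAIL
2024-05-01T10:00:06 198.51.100.7 admin FAIL
2024-05-01T10:00:08 198.51.100.7 admin FAIL
2024-05-01T10:00:10 198.51.100.7 admin FAIL
2024-05-01T10:00:12 198.51.100.7 admin OK
2024-05-01T10:01:00 203.0.113.9 alice FAIL
2024-05-01T10:01:20 203.0.113.9 alice OK
2024-05-01T10:05:00 192.0.2.4 bob FAIL
2024-05-01T10:10:00 192.0.2.4 bob FAIL
2024-05-01T10:15:00 192.0.2.4 bob FAIL
"""

def detect(log_text, window=timedelta(seconds=60), threshold=5):
    """Flag usernames with >= threshold failed logins inside a sliding window."""
    recent = defaultdict(deque)  # username -> (time, ip) of failures still in window
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, ip, user, result = line.split()
        now = datetime.fromisoformat(stamp)
        fails = recent[user]
        while fails and now - fails[0][0] > window:  # drop failures older than window
            fails.popleft()
        if result == "FAIL":
            fails.append((now, ip))
            if len(fails) >= threshold:
                alert = alerts.setdefault(
                    user, {"sources": set(), "peak": 0, "success_after_burst": False})
                alert["sources"].update(src for _, src in fails)
                alert["peak"] = max(alert["peak"], len(fails))
        elif user in alerts and fails:
            # A success while the burst is still in the window: treat as likely guessed
            alerts[user]["success_after_burst"] = True
    return alerts

if __name__ == "__main__":
    for user, info in detect(SAMPLE_LOG).items():
        print(user, sorted(info["sources"]), info["peak"], info["success_after_burst"])
```

Counting per username rather than per source address keeps the alert working when guesses arrive from several addresses; a single mistyped password (alice) and slow, spaced-out failures (bob) stay below the threshold.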
For next week, instead of coding, who would like to see some walkthroughs for HackThisSite? HackThisSite is a legal, safe practice ground for striving hackers to test their skills and knowledge.