Our mission for this week's Community Byte was to create a Python program to crack web-based passwords, like the ones you would see on an email or router login. I wanted it to be universal in the sense that it could be easily modified and adapted to another website just by changing a few variables. That was a success! Even though people weren't on time to the coding session, everything went well.
Here is the link to our web cracker's source.
Let's break this program down, line-by-line.
- Line 1 is a shebang; it tells the system where our Python executable is.
- Lines 3-5 give the program name, version and authors.
- Line 10 is the login page we are attacking.
- Line 11 is the username that we want in the field.
- Line 12 is the wordlist that we will be using to attack the password field.
- Line 13 contains the error that the attack target throws when a bad login happens.
- Line 15 is a variable that will read our dictionary line-by-line.
- Line 16 prints the status to the screen.
- Line 18 starts the loop that makes the program keep guessing until the password list is done.
- Line 19 removes extra lines.
- Lines 20-22 mimic the login sequence.
- Line 23 encodes the data for transmission.
- Line 24 opens our attack page.
- Line 25 spoofs a User-Agent header; this will trick people into thinking we are a browser.
- Line 26 gets the page source of the website.
- Line 27 searches the source for the bad login string; if it isn't there, the password is cracked.
That's all it took to code such a potent tool! This could easily be hacked to allow threading to greatly increase the speed. I encourage someone to do just that; I can't be the only one who takes initiative!
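Seen from the login page's side, the loop walked through above is a burst of failed logins for one username from one source, and the browser-like User-Agent does nothing to hide that. The following is an added example, not part of the original program: a sliding-window check over constructed log lines, where the log format, function names and thresholds are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed log lines: timestamp, source IP, username, outcome, User-Agent."""
    start = datetime(2024, 1, 1, 10, 0, 0)
    lines = [
        f"{(start + timedelta(seconds=i)).isoformat()} 203.0.113.7 admin FAIL Mozilla/5.0"
        for i in range(12)  # twelve wrong guesses in twelve seconds
    ]
    # A normal user who mistypes once and then gets in.
    lines.append("2024-01-01T10:00:05 198.51.100.20 alice FAIL Mozilla/5.0 (X11)")
    lines.append("2024-01-01T10:00:09 198.51.100.20 alice OK Mozilla/5.0 (X11)")
    return lines


def find_guessing(lines, max_failures=5, window=timedelta(seconds=60)):
    """Return {("ip"|"user", value): peak failures in window} for keys over the limit."""
    recent = defaultdict(deque)  # key -> timestamps of failures still inside the window
    flagged = {}
    for line in sorted(lines):  # ISO timestamps sort chronologically
        # The User-Agent is parsed but ignored: the client sets it, so it proves nothing.
        stamp, ip, user, outcome, _agent = line.split(" ", 4)
        if outcome != "FAIL":
            continue
        when = datetime.fromisoformat(stamp)
        # Count per source and per account, so rotating IPs still trips the account key.
        for key in (("ip", ip), ("user", user)):
            failures = recent[key]
            failures.append(when)
            while when - failures[0] > window:
                failures.popleft()
            if len(failures) > max_failures:
                flagged[key] = max(flagged.get(key, 0), len(failures))
    return flagged


if __name__ == "__main__":
    for (kind, value), count in find_guessing(build_sample_log()).items():
        print(f"{kind}={value}: {count} failed logins within 60s")
```

The same counters can drive a lockout or a delay on the login handler itself, which caps the guess rate no matter how many threads the client uses.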
For next week, instead of coding, who would like to see some walkthroughs for HackThisSite? HackThisSite is a legal, safe practice ground for striving hackers to test their skills and knowledge.