A Python-based password brute-forcer that leverages the webbot library


Navinscribed/BruteBot


BruteBot

  • BruteBot is a Python-based tool that leverages the webbot library to automate the process of brute-forcing login passwords, particularly useful for login pages fortified with CSRF protection or random tokens.

  • The choice of webbot, a library derived from Selenium, was intentional. The goal was to emulate a user navigating the target website’s login page and attempting to brute-force the password in the most unobtrusive manner.

  • This approach ensures that any random tokens that are generated when the login page gets loaded are automatically included in the subsequent login POST requests, thereby making the automation of password brute-forcing possible.

  • Furthermore, it gives you a chance to visualize the browser's operations in real time, which can be useful for troubleshooting.

How BruteBot Operates?

  • It retrieves the login page via a GET request.

  • It utilizes the username / email address and the password list provided by you.

  • It submits these credentials to the server via multiple POST requests (each containing a unique username-password combination), alongside any additional random tokens if present (such as: an anti-CSRF token, an arbitrary browser identifier, timestamp, etc.)

  • It repeats this process until it successfully discovers the correct password.
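
A defender-side view of the request pattern described above, as an added example that is not part of the BruteBot repository: each guess arrives with a valid token, so token checks do not separate it from a normal login, and the code instead counts failed logins per account in a sliding window. The log format, field order, thresholds and sample lines are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of an application auth log (hypothetical format):
# timestamp, client IP, username, outcome of the login POST.
SAMPLE_LOG = """\
2025-01-01T10:00:00 198.51.100.7 alice fail
2025-01-01T10:00:02 203.0.113.5 admin fail
2025-01-01T10:00:05 203.0.113.5 admin fail
2025-01-01T10:00:09 203.0.113.5 admin fail
2025-01-01T10:00:12 203.0.113.5 admin fail
2025-01-01T10:00:16 203.0.113.5 admin fail
2025-01-01T10:00:40 198.51.100.7 alice ok
2025-01-01T10:01:30 203.0.113.5 admin ok
"""

def parse(line):
    ts, ip, user, outcome = line.split()
    return datetime.fromisoformat(ts), ip, user, outcome

def detect_guessing(log_text, max_failures=5, window=timedelta(seconds=60)):
    """Alert on accounts with >= max_failures failed logins inside a sliding
    window, and on the first successful login that follows such a burst."""
    failures = defaultdict(deque)  # username -> timestamps of recent failures
    flagged = set()                # accounts with an unresolved burst alert
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = parse(line)
        recent = failures[user]
        # Drop failures that have aged out of the window.
        while recent and ts - recent[0] > window:
            recent.popleft()
        if outcome == "fail":
            recent.append(ts)
            if len(recent) >= max_failures and user not in flagged:
                flagged.add(user)
                alerts.append(("burst", user, ip, ts.isoformat()))
        elif outcome == "ok" and user in flagged:
            # The flag outlives the window so a later hit is still correlated.
            alerts.append(("success_after_burst", user, ip, ts.isoformat()))
            flagged.discard(user)
    return alerts

if __name__ == "__main__":
    for alert in detect_guessing(SAMPLE_LOG):
        print(alert)
```

Counting is keyed on the account rather than the client address, so the result does not change when the requests arrive through a proxy.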

Requirements

  1. Install webbot using the following command:

     pip install webbot

  2. Download or clone the repository.

  3. Place your password list file in the same directory as BruteBot.py.

    That's it! You are good to go!

Usage

Command

python BruteBot.py -t (LOGIN PAGE URL) -u USERNAME -p (PASSWORD LIST) --uid (USERNAME ELEMENT ID) --pid (PASSWORD ELEMENT ID) --bname (LOGIN BUTTON NAME) -m (visible / headless) -s (TIME IN SECONDS)

Program Arguments

Required Arguments

  • -t / --target : URL of the target website's login page

  • -u / --username : A valid username / email address

  • -p / --plist : Path of the password list file

  • --uid : Username Element ID

  • --pid : Password Element ID

  • --bname : Name of the login button element

Optional Arguments

  • -m / --mode : Sets the mode of operation

    • headless : To have all operations run in the background (Default mode: headless)

    • visible : To view the operations happening in your browser

  • -s / --time : Duration, in seconds, for which the browser will wait before commencing the brute-forcing

  • -h / --help : Shows the help message and exits

Quickstart Guide

Demo 1 - To run BruteBot with the default options:

python BruteBot.py -t https://demo.testfire.net/login.jsp -u admin -p passwords.txt --uid uid --pid passw --bname Login



Demo 2 - To see the browser tab(s) in action when BruteBot runs:

python BruteBot.py -t https://demo.testfire.net/login.jsp -u admin -p passwords.txt --uid uid --pid passw --bname Login -m visible



Demo 3 - To route the traffic through a network proxy while running BruteBot:

python BruteBot.py -t https://demo.testfire.net/login.jsp -u admin -p passwords.txt --uid uid --pid passw --bname Login --proxy http://localhost:8080


Disclaimer

  • Please refrain from using this tool on websites without explicit permission, as doing so may be considered illegal or unethical.
  • I bear no responsibility for any misuse of this tool.

Acknowledgments

  • This project utilizes the webbot library, originally developed by the author @nateshmbhat.
  • Special thanks to @m-uma for their invaluable offline contributions that were instrumental in the development of this tool.

License & Contributions

  • This project is licensed under the terms of the MIT license. Feel free to contribute, go ahead and submit a Pull Request.
  • However, if you are considering making significant modifications, I would insist that you discuss with me first by opening an Issue.

