Search...

Web-Brutator - Modular Web Interfaces Bruteforcer

2021-02-01T11:30:04

ID KITPLOIT:6650744777316252593
Type kitploit
Reporter KitPloit
Modified 2021-02-01T11:30:04

Description

Fast Modular Web Interfaces Bruteforcer

Install

python3 -m pip install -r requirements.txt

Usage

$ python3 web-brutator.py -h

 __      __      ___.            __________                __          __                  
/  \    /  \ ____\_ |__          \______   \_______ __ ___/  |______ _/  |_  ___________   
\   \/\/   // __ \| __ \   ______ |    |  _/\_  __ \  |  \   __\__  \   __\ /  _ \_  _ _\  
 \        /\  ___/| \_\ \ /_____/ |    |   \ |  | \/  |  /|  |  / __ \|  | (  &lt;_&gt; )  | \/  
  \__/\  /  \___  &gt;___  /         |______  / |__|  |____/ |__| (____  /__|  \____/|__|     
       \/       \/    \/                 \/                         \/                     
                                                                        Version 0.2

usage: web-brutator.py [-h] [--url URL] [--target TYPE] [-u USERNAME]  
                       [-U USERLIST] [-p PASSWORD] [-P PASSLIST]  
                       [-C COMBOLIST] [-t THREADS] [-s] [-v] [-e MAX_ERRORS]  
                       [--timeout TIMEOUT] [-l]

op   tional arguments:  
  -h, --help                   show this help message and exit  
  --url URL                    Target URL  
  --target TYPE                Target type  
  -u, --username USERNAME      Single username  
  -U, --userlist USERLIST      Usernames list  
  -p, --password PASSWORD      Single password  
  -P, --passlist PASSLIST      Passwords list  
  -C, --combolist COMBOLIST    Combos username:password list  
  -t, --threads THREADS        Number of threads [1-50] (default: 10)  
  -s, --stoponsuccess          Stop on success  
  -v, --verbose                Print every tested creds  
  -e, --max-errors MAX_ERRORS  Number of accepted consecutive errors (default: 10)  
  --timeout TIMEOUT            Time limit on the response (default: 20s)  
  -l, -   -list-modules           Display list of modules

Example:

python3 web-brutator.py --target jenkins --url https://mytarget.com -U ./usernames.txt -P ./passwords.txt -s -t 40

Available Modules

axis2
coldfusion
glassfish
htaccess
jboss
jenkins
joomla
railo
standardform
tomcat
weblogic
websphere

_ Notice: Some products implement account lockout after a given number of failed authentication attempts, by default (e.g. Weblogic, Tomcat...). web-brutator notices the user at the beginning of bruteforce attack it is the case. Take this into account before launching bruteforce on such targets. _

Standard Web Authentication Form Auto-Detection

web-brutator can automatically detect standard web authentication forms and perform bruteforce automatically. This feature is available via the module standardform , it is still experimental and can lead to false positives/negatives since it is based on several heuristics.

Not supported:

Web authentication using Javascript;
Authentication with CAPTCHA;
2-step authentication ...

Example:

python3 web-brutator.py --target standardform --url https://mytarget.com -U ./usernames.txt -P ./passwords.txt -s -t 40 -v

Add Module / Contribute

Adding a new authentication bruteforce module is pretty straightforward:

Create a new file with appropriate name under lib/core/modules/

Create a class in this file, using the following template. Development is very easy, check any existing module under lib/core/modules/ for some examples. Note that HTTP requests should be done via the static methods provided by Requester class: Requester.get() , Requester.post() , Requester.http_auth() .

!/usr/bin/env python3

-- coding: utf-8 --

from lib.core.Exceptions import AuthException, RequestException
from lib.core.Logger import logger
from lib.core.Requester import AuthMode, Requester

class Mymodule:

def __init__(self, url, verbose=False):  
    self.url = url  
    # Other self variables can go here

def check(self):  
    """  
    This method is used to detect the presence of the targeted authentication  
    interface.  
    :return: Boolean indicating if the authentication interface has been detected  
    """  
    # Implement code here

def try_auth(self, username, password):  
    """  
    This method is used to perform one authentication attempt.  
    :param str username: Username to check  
    :param str password: Password to check  
    :return: Boolean indicating authentication status  
    :raise AuthException:  
    "   ""  
    # Implement code here

Module is then automatically available (check using -l option) from the command-line.
Test the module to make sure it is working as expected !
Make a pull request to add the module to the project ;)

Download Web-Brutator

JSON Vulners Source

Initial Source

{"id": "KITPLOIT:6650744777316252593", "bulletinFamily": "tools", "title": "Web-Brutator - Modular Web Interfaces Bruteforcer", "description": "[ ![](https://1.bp.blogspot.com/-UAgIuVKTsdU/YBdyijU1M5I/AAAAAAAAVLc/pobFn0iGo2IAaufYFnJlmiuVBf62RL_QwCNcBGAsYHQ/w640-h304/web-brutator_1_demo.gif) ](<https://1.bp.blogspot.com/-UAgIuVKTsdU/YBdyijU1M5I/AAAAAAAAVLc/pobFn0iGo2IAaufYFnJlmiuVBf62RL_QwCNcBGAsYHQ/s1096/web-brutator_1_demo.gif>)\n\n \n\n\nFast Modular Web Interfaces Bruteforcer \n\n \n\n\n** Install ** \n\n \n \n python3 -m pip install -r requirements.txt \n \n\n \n** Usage ** \n\n \n \n $ python3 web-brutator.py -h \n \n __ __ ___. __________ __ __ \n / \\ / \\ ____\\_ |__ \\______ \\_______ __ ___/ |______ _/ |_ ___________ \n \\ \\/\\/ // __ \\| __ \\ ______ | | _/\\_ __ \\ | \\ __\\__ \\ __\\ / _ \\_ _ _\\ \n \\ /\\ ___/| \\_\\ \\ /_____/ | | \\ | | \\/ | /| | / __ \\| | ( <_> ) | \\/ \n \\__/\\ / \\___ >___ / |______ / |__| |____/ |__| (____ /__| \\____/|__| \n \\/ \\/ \\/ \\/ \\/ \n Version 0.2 \n \n usage: web-brutator.py [-h] [--url URL] [--target TYPE] [-u USERNAME] \n [-U USERLIST] [-p PASSWORD] [-P PASSLIST] \n [-C COMBOLIST] [-t THREADS] [-s] [-v] [-e MAX_ERRORS] \n [--timeout TIMEOUT] [-l] \n \n op tional arguments: \n -h, --help show this help message and exit \n --url URL Target URL \n --target TYPE Target type \n -u, --username USERNAME Single username \n -U, --userlist USERLIST Usernames list \n -p, --password PASSWORD Single password \n -P, --passlist PASSLIST Passwords list \n -C, --combolist COMBOLIST Combos username:password list \n -t, --threads THREADS Number of threads [1-50] (default: 10) \n -s, --stoponsuccess Stop on success \n -v, --verbose Print every tested creds \n -e, --max-errors MAX_ERRORS Number of accepted consecutive errors (default: 10) \n --timeout TIMEOUT Time limit on the response (default: 20s) \n -l, - -list-modules Display list of modules \n \n\nExample: \n \n \n python3 web-brutator.py --target jenkins --url https://mytarget.com -U ./usernames.txt -P ./passwords.txt -s -t 40 \n \n\n \n** Available Modules ** \n\n\n * axis2 \n * coldfusion \n * glassfish \n * htaccess \n * jboss \n * jenkins \n * joomla \n * railo \n * standardform \n * tomcat \n * weblogic \n * websphere \n\n_ Notice: Some products implement account lockout after a given number of failed authentication attempts, by default (e.g. Weblogic, Tomcat...). ` web-brutator ` notices the user at the beginning of [ bruteforce ](<https://www.kitploit.com/search/label/Bruteforce> \"bruteforce\" ) attack it is the case. Take this into account before launching bruteforce on such targets. _\n\n \n** Standard Web Authentication Form Auto-Detection ** \n\n\n` web-brutator ` can automatically detect ** standard ** web authentication forms and perform bruteforce automatically. This feature is available via the module ` standardform ` , it is still experimental and can lead to false positives/negatives since it is based on several heuristics. \n\nNot supported: \n\n * Web authentication using Javascript; \n * Authentication with CAPTCHA; \n * 2-step authentication ... \n\nExample: \n \n \n python3 web-brutator.py --target standardform --url https://mytarget.com -U ./usernames.txt -P ./passwords.txt -s -t 40 -v \n \n\n \n\n\n[ ![](https://1.bp.blogspot.com/-UAgIuVKTsdU/YBdyijU1M5I/AAAAAAAAVLc/pobFn0iGo2IAaufYFnJlmiuVBf62RL_QwCNcBGAsYHQ/w640-h304/web-brutator_1_demo.gif) ](<https://1.bp.blogspot.com/-UAgIuVKTsdU/YBdyijU1M5I/AAAAAAAAVLc/pobFn0iGo2IAaufYFnJlmiuVBf62RL_QwCNcBGAsYHQ/s1096/web-brutator_1_demo.gif>)\n\n \n** Add Module / Contribute ** \n\n\nAdding a new authentication bruteforce module is [ pretty ](<https://www.kitploit.com/search/label/PRETty> \"pretty\" ) straightforward: \n\n 1. Create a new file with appropriate name under ` lib/core/modules/ `\n 2. Create a class in this file, using the following template. Development is very easy, check any existing module under ` lib/core/modules/ ` for some examples. Note that HTTP requests should be done via the static methods provided by ` Requester ` class: ` Requester.get() ` , ` Requester.post() ` , ` Requester.http_auth() ` . \n \n \n #!/usr/bin/env python3 \n # -*- coding: utf-8 -*- \n from lib.core.Exceptions import AuthException, RequestException \n from lib.core.Logger import logger \n from lib.core.Requester import AuthMode, Requester \n \n \n class Mymodule: \n \n def __init__(self, url, verbose=False): \n self.url = url \n # Other self variables can go here \n \n \n def check(self): \n \t\"\"\" \n \tThis method is used to detect the presence of the targeted authentication \n \tinterface. \n \t:return: Boolean indicating if the authentication interface has been detected \n \t\"\"\" \n \t# Implement code here \n \n \n def try_auth(self, username, password): \n \t\"\"\" \n \tThis method is used to perform one authentication attempt. \n \t:param str username: Username to check \n \t:param str password: Password to check \n \t:return: Boolean indicating authentication status \n \t:raise AuthException: \n \t\" \"\" \n # Implement code here \n \n \n\n 3. Module is then automatically available (check using ` -l ` option) from the command-line. \n 4. Test the module to make sure it is working as expected ! \n 5. Make a pull request to add the module to the project ;) \n \n \n\n\n** [ Download Web-Brutator ](<https://github.com/koutto/web-brutator> \"Download Web-Brutator\" ) **\n", "published": "2021-02-01T11:30:04", "modified": "2021-02-01T11:30:04", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "http://www.kitploit.com/2021/02/web-brutator-modular-web-interfaces.html", "reporter": "KitPloit", "references": ["https://github.com/koutto/web-brutator"], "cvelist": [], "type": "kitploit", "lastseen": "2021-02-01T15:29:47", "edition": 1, "viewCount": 149, "enchantments": {"dependencies": {"references": [], "modified": "2021-02-01T15:29:47", "rev": 2}, "score": {"value": -0.1, "vector": "NONE", "modified": "2021-02-01T15:29:47", "rev": 2}, "vulnersScore": -0.1}, "toolHref": "https://github.com/koutto/web-brutator"}