Fast Modular Web Interfaces Bruteforcer
**Install**
```
python3 -m pip install -r requirements.txt
```
**Usage**
```
$ python3 web-brutator.py -h
__ __ ___. __________ __ __
/ \ / \ ____\_ |__ \______ \_______ __ ___/ |______ _/ |_ ___________
\ \/\/ // __ \| __ \ ______ | | _/\_ __ \ | \ __\__ \ __\ / _ \_ _ _\
\ /\ ___/| \_\ \ /_____/ | | \ | | \/ | /| | / __ \| | ( <_> ) | \/
\__/\ / \___ >___ / |______ / |__| |____/ |__| (____ /__| \____/|__|
\/ \/ \/ \/ \/
Version 0.2

usage: web-brutator.py [-h] [--url URL] [--target TYPE] [-u USERNAME]
                       [-U USERLIST] [-p PASSWORD] [-P PASSLIST]
                       [-C COMBOLIST] [-t THREADS] [-s] [-v] [-e MAX_ERRORS]
                       [--timeout TIMEOUT] [-l]

optional arguments:
  -h, --help                    show this help message and exit
  --url URL                     Target URL
  --target TYPE                 Target type
  -u, --username USERNAME       Single username
  -U, --userlist USERLIST       Usernames list
  -p, --password PASSWORD       Single password
  -P, --passlist PASSLIST       Passwords list
  -C, --combolist COMBOLIST     Combos username:password list
  -t, --threads THREADS         Number of threads [1-50] (default: 10)
  -s, --stoponsuccess           Stop on success
  -v, --verbose                 Print every tested creds
  -e, --max-errors MAX_ERRORS   Number of accepted consecutive errors (default: 10)
  --timeout TIMEOUT             Time limit on the response (default: 20s)
  -l, --list-modules            Display list of modules
```
Example:
```
python3 web-brutator.py --target jenkins --url https://mytarget.com -U ./usernames.txt -P ./passwords.txt -s -t 40
```
**Available Modules**
* axis2
* coldfusion
* glassfish
* htaccess
* jboss
* jenkins
* joomla
* railo
* standardform
* tomcat
* weblogic
* websphere
_Notice: Some products implement account lockout by default after a given number of failed authentication attempts (e.g. Weblogic, Tomcat...). `web-brutator` notifies the user at the beginning of the bruteforce attack if this is the case. Take this into account before launching a bruteforce on such targets._
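Seen from the defended side, the lockout behaviour in the notice above and multi-threaded guessing (`-t` allows up to 50 threads) both leave a pattern in authentication logs. The following is an added example, not code from web-brutator or from the original page: it scans constructed Common Log Format lines for bursts of HTTP 401 responses per client and for accounts reaching a consecutive-failure count. The log layout, the `/protected/` path and the `window`, `burst` and `lockout` thresholds are assumptions; form-based logins that answer 200 on failure need the application's own authentication log instead.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample (not real traffic): Common Log Format lines for a
# Basic-auth protected path; addresses come from documentation ranges.
_FMT = '{ip} - {user} [01/Feb/2021:11:30:{sec:02d} +0000] "GET /protected/ HTTP/1.1" {status} 512'
_EVENTS = [("203.0.113.7", u, s, 401) for s, u in
           enumerate(["admin", "tomcat", "admin", "manager", "admin", "tomcat"])]
_EVENTS += [("198.51.100.4", "alice", 9, 401), ("198.51.100.4", "alice", 20, 200)]
SAMPLE_LOG = "\n".join(_FMT.format(ip=i, user=u, sec=s, status=c) for i, u, s, c in _EVENTS)

LINE_RE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "[^"]*" (\d{3})\b')


def parse(line):
    """Return (ip, user, timestamp, status) or None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, user, ts, status = m.groups()
    return ip, user, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), int(status)


def detect(log_text, window=timedelta(seconds=10), burst=5, lockout=3):
    """Flag sources with >= burst 401s inside window, and accounts with
    >= lockout consecutive failures (all three thresholds are assumptions)."""
    recent = defaultdict(deque)  # ip -> timestamps of its recent 401s
    streak = defaultdict(int)    # user -> consecutive failed attempts
    noisy, at_risk = set(), set()
    for rec in filter(None, map(parse, log_text.splitlines())):
        ip, user, ts, status = rec
        if status == 401:
            q = recent[ip]
            q.append(ts)
            while ts - q[0] > window:  # drop failures older than the window
                q.popleft()
            if len(q) >= burst:
                noisy.add(ip)
            if user != "-":
                streak[user] += 1
                if streak[user] >= lockout:
                    at_risk.add(user)
        elif status < 400 and user != "-":
            streak[user] = 0  # a successful request resets the streak
    return noisy, at_risk


if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

Set `lockout` to the value configured on the product being monitored so that the second set lists accounts before they are actually locked.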
**Standard Web Authentication Form Auto-Detection**
`web-brutator` can automatically detect **standard** web authentication forms and bruteforce them. This feature is available via the `standardform` module. It is still experimental and can produce false positives/negatives, since it is based on several heuristics.
Not supported:
* Web authentication using JavaScript;
* Authentication with CAPTCHA;
* 2-step authentication ...
Example:
```
python3 web-brutator.py --target standardform --url https://mytarget.com -U ./usernames.txt -P ./passwords.txt -s -t 40 -v
```
**Add Module / Contribute**
Adding a new authentication bruteforce module is pretty straightforward:
1. Create a new file with appropriate name under `lib/core/modules/`
2. Create a class in this file, using the following template. Development is very easy, check any existing module under `lib/core/modules/` for some examples. Note that HTTP requests should be done via the static methods provided by `Requester` class: `Requester.get()`, `Requester.post()`, `Requester.http_auth()`.
   ```
   #!/usr/bin/env python3
   # -*- coding: utf-8 -*-
   from lib.core.Exceptions import AuthException, RequestException
   from lib.core.Logger import logger
   from lib.core.Requester import AuthMode, Requester


   class Mymodule:

       def __init__(self, url, verbose=False):
           self.url = url
           # Other self variables can go here

       def check(self):
           """
           This method is used to detect the presence of the targeted authentication
           interface.
           :return: Boolean indicating if the authentication interface has been detected
           """
           # Implement code here

       def try_auth(self, username, password):
           """
           This method is used to perform one authentication attempt.
           :param str username: Username to check
           :param str password: Password to check
           :return: Boolean indicating authentication status
           :raise AuthException:
           """
           # Implement code here
   ```
3. Module is then automatically available (check using `-l` option) from the command-line.
4. Test the module to make sure it is working as expected!
5. Make a pull request to add the module to the project ;)
**[Download Web-Brutator](<https://github.com/koutto/web-brutator> "Download Web-Brutator" )**
{"id": "KITPLOIT:6650744777316252593", "vendorId": null, "type": "kitploit", "bulletinFamily": "tools", "title": "Web-Brutator - Modular Web Interfaces Bruteforcer", "description": "[](<https://1.bp.blogspot.com/-UAgIuVKTsdU/YBdyijU1M5I/AAAAAAAAVLc/pobFn0iGo2IAaufYFnJlmiuVBf62RL_QwCNcBGAsYHQ/s1096/web-brutator_1_demo.gif>)\n\n \n\n\nFast Modular Web Interfaces Bruteforcer\n\n \n\n\n**Install** \n\n \n \n python3 -m pip install -r requirements.txt \n \n\n \n**Usage** \n\n \n \n $ python3 web-brutator.py -h \n \n __ __ ___. __________ __ __ \n / \\ / \\ ____\\_ |__ \\______ \\_______ __ ___/ |______ _/ |_ ___________ \n \\ \\/\\/ // __ \\| __ \\ ______ | | _/\\_ __ \\ | \\ __\\__ \\ __\\ / _ \\_ _ _\\ \n \\ /\\ ___/| \\_\\ \\ /_____/ | | \\ | | \\/ | /| | / __ \\| | ( <_> ) | \\/ \n \\__/\\ / \\___ >___ / |______ / |__| |____/ |__| (____ /__| \\____/|__| \n \\/ \\/ \\/ \\/ \\/ \n Version 0.2 \n \n usage: web-brutator.py [-h] [--url URL] [--target TYPE] [-u USERNAME] \n [-U USERLIST] [-p PASSWORD] [-P PASSLIST] \n [-C COMBOLIST] [-t THREADS] [-s] [-v] [-e MAX_ERRORS] \n [--timeout TIMEOUT] [-l] \n \n op tional arguments: \n -h, --help show this help message and exit \n --url URL Target URL \n --target TYPE Target type \n -u, --username USERNAME Single username \n -U, --userlist USERLIST Usernames list \n -p, --password PASSWORD Single password \n -P, --passlist PASSLIST Passwords list \n -C, --combolist COMBOLIST Combos username:password list \n -t, --threads THREADS Number of threads [1-50] (default: 10) \n -s, --stoponsuccess Stop on success \n -v, --verbose Print every tested creds \n -e, --max-errors MAX_ERRORS Number of accepted consecutive errors (default: 10) \n --timeout TIMEOUT Time limit on the response (default: 20s) \n -l, - -list-modules Display list of modules \n \n\nExample:\n \n \n python3 web-brutator.py --target jenkins --url https://mytarget.com -U ./usernames.txt -P ./passwords.txt -s -t 40 \n \n\n \n**Available Modules** \n\n\n * axis2\n * 
coldfusion\n * glassfish\n * htaccess\n * jboss\n * jenkins\n * joomla\n * railo\n * standardform\n * tomcat\n * weblogic\n * websphere\n\n_Notice: Some products implement account lockout after a given number of failed authentication attempts, by default (e.g. Weblogic, Tomcat...). `web-brutator` notices the user at the beginning of [bruteforce](<https://www.kitploit.com/search/label/Bruteforce> \"bruteforce\" ) attack it is the case. Take this into account before launching bruteforce on such targets._\n\n \n**Standard Web Authentication Form Auto-Detection** \n\n\n`web-brutator` can automatically detect **standard** web authentication forms and perform bruteforce automatically. This feature is available via the module `standardform`, it is still experimental and can lead to false positives/negatives since it is based on several heuristics.\n\nNot supported:\n\n * Web authentication using Javascript;\n * Authentication with CAPTCHA;\n * 2-step authentication ...\n\nExample:\n \n \n python3 web-brutator.py --target standardform --url https://mytarget.com -U ./usernames.txt -P ./passwords.txt -s -t 40 -v \n \n\n \n\n\n[](<https://1.bp.blogspot.com/-UAgIuVKTsdU/YBdyijU1M5I/AAAAAAAAVLc/pobFn0iGo2IAaufYFnJlmiuVBf62RL_QwCNcBGAsYHQ/s1096/web-brutator_1_demo.gif>)\n\n \n**Add Module / Contribute** \n\n\nAdding a new authentication bruteforce module is [pretty](<https://www.kitploit.com/search/label/PRETty> \"pretty\" ) straightforward:\n\n 1. Create a new file with appropriate name under `lib/core/modules/`\n 2. Create a class in this file, using the following template. Development is very easy, check any existing module under `lib/core/modules/` for some examples. 
Note that HTTP requests should be done via the static methods provided by `Requester` class: `Requester.get()`, `Requester.post()`, `Requester.http_auth()`.\n \n \n #!/usr/bin/env python3 \n # -*- coding: utf-8 -*- \n from lib.core.Exceptions import AuthException, RequestException \n from lib.core.Logger import logger \n from lib.core.Requester import AuthMode, Requester \n \n \n class Mymodule: \n \n def __init__(self, url, verbose=False): \n self.url = url \n # Other self variables can go here \n \n \n def check(self): \n \t\"\"\" \n \tThis method is used to detect the presence of the targeted authentication \n \tinterface. \n \t:return: Boolean indicating if the authentication interface has been detected \n \t\"\"\" \n \t# Implement code here \n \n \n def try_auth(self, username, password): \n \t\"\"\" \n \tThis method is used to perform one authentication attempt. \n \t:param str username: Username to check \n \t:param str password: Password to check \n \t:return: Boolean indicating authentication status \n \t:raise AuthException: \n \t\" \"\" \n # Implement code here \n \n \n\n 3. Module is then automatically available (check using `-l` option) from the command-line.\n 4. Test the module to make sure it is working as expected !\n 5. 
Make a pull request to add the module to the project ;)\n \n \n\n\n**[Download Web-Brutator](<https://github.com/koutto/web-brutator> \"Download Web-Brutator\" )**\n", "published": "2021-02-01T11:30:00", "modified": "2021-02-01T11:30:04", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "http://www.kitploit.com/2021/02/web-brutator-modular-web-interfaces.html", "reporter": "KitPloit", "references": ["https://github.com/koutto/web-brutator"], "cvelist": [], "immutableFields": [], "lastseen": "2022-04-07T12:02:16", "viewCount": 167, "enchantments": {"dependencies": {}, "score": {"value": -0.1, "vector": "NONE"}, "backreferences": {}, "exploitation": null, "vulnersScore": -0.1}, "_state": {"dependencies": 1659893093, "score": 1659842276}, "_internal": {"score_hash": "83ad0ccdd607f163555137fd3cac4994"}, "toolHref": "https://github.com/koutto/web-brutator"}