[00:00:00] Instructor: Welcome back. In this video we are going to be creating a brute-force tool using our Python skills. So in the previous section, where we talked about web application penetration testing, we covered tools that are used for brute forcing, but this time I want to see whether we can create our own tool that will be able to brute force a login page. Now, before we even start, I want to mention that this tool will not be universal. So for every different page you will have to perform some minor modifications, the same way that we did inside of our Hydra tool and inside of our Burp Suite. Nonetheless, let us see how we can create it. So if I type ls and navigate to my Desktop directory, here we've got the Tools directory for our coding projects, and here I'm going to create the Web App Pen Test directory. So I will navigate there, and currently this directory is empty, so let's nano our Python program. We can type nano and then bruteforce.py. Great. Now there is only one library that we are going to need to perform this project, and that library is the requests library.
[00:01:11] It'll allow us to automate the process of sending the GET and POST requests. So let's just import it straight away, and let's start our program. So the first thing that we must think about is, what is the information that we need from the user of this program in order to brute force a login page? So we will need a URL link to that page, and we are going to need a username for that specific account. Then we're going to run a bunch of passwords against that username, and if we manage to guess the correct password, great, we are going to print it to the screen. If we don't manage to find the password, we're going to print "Password not in list". Simple as that. So let's start with that information. First, let's create a variable called url, and that variable is going to be the input value, which means that the user of this program can input which web page they want to brute force. Let's open double quotes and specify that to them. Let's do it like this: "Enter page URL".
[00:02:21] Here they can enter the page URL, and right after we do that, we can create another variable called username, and this variable will do the same thing. So it'll be the same input value, just this time we're going to ask for the username. So let's just type "Enter username for the account to bruteforce". And this is pretty much it for now. Now, later we are going to add some other information regarding this project, but for now we only need these two variables. So how are we going to approach this? Well, first, since we have the URL and the username, we can start with opening a file that will contain the passwords that we're going to use to brute force. So we can do that with open, and we can call that file passwords.txt. And this is also something that we can ask the user, for example, "input the name of the password file to use", and that would actually be a good thing. So what I'm going to do is, this is another piece of information that we are going to ask from the user, which is password_file = input and then "Enter password file to use".
[00:03:37] Simple as that. Let's not forget the single quotes, otherwise this will throw us an error. And let's close the brackets at the end. Now we can open that file by specifying password_file, and we want to open it for reading. So we can specify just 'r' between the single quotes, which means opening the file for reading text. Now here we need to specify how we want to open it. So with open(password_file, 'r') as passwords, that is how we're going to call our file object. Then we are going to enter a function which I'm going to call cracking, and this function doesn't exist. We'll have to code it, but nonetheless this function will perform the brute forcing. This function will take two arguments. The first one is going to be the username, of course, that we specify at the beginning of the program execution, and the second argument will be the URL. Great. Now that we've got this, we need to create the cracking function, and we're going to do it right here. So def cracking, and we specify username and url as the arguments that it needs. So how are we going to do this?
[00:04:54] Well, we already mentioned that we are going to perform reading of the passwords. So for each password in this password list, we're going to try to send our request to that page with that password and the username, and if the response contains some valid argument that we have a valid username and password, we're going to print it to the screen as the correct username and password. And if we get something like "login failed" or something like that, we're going to move on to the next password. So how are we going to do that? Well, we already opened the file for reading that contains our passwords, and now what we can do is, we can type for password in passwords, and remember, passwords is our file. Then for each password inside of that passwords file, we can first strip it of any additional characters using the strip function. So password will be equal to password.strip(). This will remove any, for example, empty characters or something like that that might cause us a problem in brute forcing this page.
[00:05:59] Then once we do that, we're going to print to the screen "Trying" and then the password that we are currently trying, just so the user of the program can see which password it is currently trying to brute force. Once we do that, we need to send the request to that page. So how can we do that? Well, in this case, since we're going to brute force, as usual, our DVWA login page first, if I log out we know that this is being sent with a POST form, so the method of sending the usernames and passwords is POST, and we can check that once again just by finding the form, and we can see that the method is POST. That's why inside of our code we're going to type requests.post, and we are posting, and this requests.post takes two arguments in our case. The first one is going to be the URL, which is logical, because we need to tell our program where we want to post that data, and the data that we want to post will be equal to this: data=data. Just, we don't have the data yet. We need to tell our program what our data is. So how can we do that? Well, we can go right here and define data, and data has to be a dictionary.
[00:07:23] Inside of this dictionary, we have a key and the value, and we need to specify all the information that the program needs in order to perform a successful login. And that information would most likely be the username, the password and the button that it has to click. Remember, the same thing we had in the Hydra tool. We need to click on this button in order to successfully submit the username and password. So how can we define it right here? Well, we define it like this: 'username': username, and this 'username' is just the name of the field on our page, and this is the part of the program that you might need to change depending on the page that you're brute forcing. If the username field on the page that you're brute forcing is called something like user, then you must change this to 'user'. And this right here is just the username that we are sending, which is the one that we ask the user of the program to input at the beginning of execution.
[00:08:23] The same thing we must do for the password, and the reason why I'm already typing the username field is because I already know that the names of the fields are username and password, because we already checked that in our web application penetration testing section. Okay, once we do that, we can do the same for password, and once again we need to put the password into that password field, and the password will be this stripped value that we've read from our passwords file, or from our passwords list. And the last argument that we need to specify is going to be the button. As you remember, once we send it, right here, the button name is Login and the type of button is submit. So we must specify it like that. Just this time, both of these values are going to be between the single quotes, because neither of them is an actual variable. So this is going to be our data, and in this requests.post we are sending that data to our URL, and luckily our requests library will perform everything else for us, so it'll know where to put this data that we are sending.
[00:09:36] Of course, instead of just sending this data, we also want to store the response somewhere. So we can create a response variable, and that response variable will be equal to whatever the return value is from this requests.post function. And the return value is going to be the HTML page of the response. Once we receive the response, we have to check whether the password was correct or not. So how can we do that? Well, we can do that the same way that we did inside of our Hydra. Remember that in Hydra we had to specify the string that occurs once we specify the incorrect username and password, which is this down here, as we can see, "Login failed". Well, we can do something similar inside of our program. Let's ask the user of the program first. We can create a variable login_failed_string, and we can ask the user, "Enter string that occurs when login fails". Simple as that. And once they enter the string, hopefully they enter something like "failed" or "Login failed". They don't have to enter the entire thing; they can just enter "failed",
[00:10:55] which occurs on this page once you specify an incorrect username and password. Then what we can do is, we can check whether we find that string inside of our response. Now, to do that, we must type the if statement, and the if statement will be something like this: if login_failed_string in response.content.decode(), then we have the incorrect password. And the reason why we're decoding this is because otherwise it won't be able to find this value inside of our content. So we must decode it first, and then it is basically searching for this string inside of the HTML page of the response. If it finds that string, that means we found the incorrect password, because that occurs only when it is incorrect. That's why we are just going to pass. We're not going to do anything. And if it doesn't find it, which would be the else statement, then what we can do is, we can print "Found username" and we can + the username. And we can print the same thing for the password. So "Found password" + password.
[00:12:22] So this will print the current username, which is always the same, and it'll print the current password, which is the one in the current iteration of this loop, which will be the correct password because it didn't find this string inside of it. After we find it, we can just exit the program. There is no need to continue brute forcing, so we can just exit out of the program. Okay, now that we did this, let us see whether this works. So if I go down here, once we finish the cracking function, we can also print at the end, in case it doesn't find anything, "Password not in list". So we can just do it like this. Once it finishes the cracking function, it'll go to this statement and it'll print "Password not in list". If it finds the password, it'll go to these statements right here and it'll exit out of the program. So this will never get printed. Let's give it a try to see whether this works.
[00:13:26] So Ctrl+O to save, and the first thing that I want to do is, I want to copy the passwords.txt file that I've got on my Desktop to home, mrhacker, Desktop, Tools and then Web App Penetration Testing. And if I ls here, we are going to have our passwords.txt file. And since this seems to be an incorrect passwords.txt file, I'm just going to delete this and I'm going to create a new one. Not really sure what the last one was, but let's just create it real fast. So the passwords can be something like test, test123, 1234567, password123, admin, root, and then the correct password. So we're just going to write password right here, and let's also write the password for the Gordon account, just so we can test two different accounts. And let's write another incorrect password at the end, which could be abcabc. Okay, this is just the test example of the program, and let's Ctrl+O, and let's python3 our bruteforcer.py. So the first argument that it asks for is the page URL.
[00:14:40] So what we can do is, we can visit that page, copy the link to that page, and paste it right here: http://192.168.1.2/DVWA/login.php. Press Enter. It asks for the username for the account to bruteforce; we're going to use admin. The password file to use is passwords.txt. And make sure, if the password file that you want to use is outside of the directory of your program, you will need to specify the entire path to that file. Once we do that, let's press Enter, and it asks us for the string that occurs when login fails, and we can just type "Login failed", because that is what occurs on our page right here. For different pages this will be different. Press Enter, and it found the correct username and correct password, and it did it really fast. It tried these seven passwords, none of those worked. Then it ran onto the password and it printed out "Found username" and "Found password". Let's also try for Gordon, just to make sure everything works. So I'm going to paste the, whoops, I'm going to paste the link, or just type it in.
[00:16:03] The username this time is going to be gordonb. The passwords file is going to be passwords.txt, and the string is going to be, once again, "Login failed". Press Enter, and it also finds the username and the password for that account as well. Great, our program works, but let's also see how we would be able to brute force the inner page of this DVWA program, or application. We also got this Brute Force page right here, but this is something that we'll have to brute force differently. Why? Well, first, it requires a different type of request. It requires a GET request, and the second thing is, this can only be brute forced within a current session. So if we are not logged into this page, we cannot even access this Brute Force page, and therefore we cannot really brute force. So we must also see how we can send this session inside of our program, so we can be able to brute force this username and password. Let's give it a try. If I go to our program and nano bruteforce.py.
[00:17:12] First thing that we must specify, as I already said, we're going to need to specify the session, so we need to ask the user for the cookie value of that session, and they can just read it from Burp Suite, just like we did once we covered our Hydra tools. So we can specify right here "Enter cookie value", and this can be optional, because we don't need it always, just like we didn't need it currently. But if they're brute forcing something within a session, then they must specify this as well. Now what we can do is, inside of our cracking function, right above the if statement, we can write another if statement. So if cookie_value is not equal to an empty string. And if it is equal to an empty string, that means that the user doesn't require the cookie value, and in that case it will not send the cookie value and it'll just brute force without the session. If it is set to something, then we are going to send the cookie value inside of our request. So in this case, if the cookie value is not empty, that means we must send it. So the response will be equal to requests.get.
[00:18:31] And this time we are using GET because inside of this page our form is using the method GET. That's why this time we're using requests.get. This is something that you want to change depending on the page that you're brute forcing. So requests.get, and the first parameter is going to be the URL. For the second parameter we're going to set our parameters, which we specify like params, and those params are going to be equal to, once again, a dictionary, and that dictionary will be rather the same as this one. Just a few minor changes we're going to set. So copy this and we're just going to paste it right here. The first change is under the button. So the username and password fields are named the same as in our last page, as we can see right here: inside the form the name for the username is just username and the name for the password is password, but the login is not the same. We've got the value for Login to be Login and the name for Login to also be Login. So we can set it like this: 'Login', and then :, and once again 'Login'.
[00:19:49] And the last parameter to this function, or the last argument to this function, is going to be cookies, which is equal to a dictionary of 'Cookie': and then the cookie_value variable. And you can read the name of that field by going to Burp Suite and, once we've, for example, specified test and test123 as our username and password here, then I go and find that request inside of our Burp Suite. Let's find it real quick. And I believe it is this one right here. Yeah, here it is. We can see that the cookie field is named just Cookie. That's why we specified it right here as 'Cookie' between the single quotes, and we pass the cookie value to that field. Once we do all of that, we have all of our parameters to this function, and this seems to not be able to fit inside of my screen, but it doesn't matter, it is there. And all we are left to do right now is create the else statement as well, and the else statement is going to be else.
[00:21:08] In this case, we don't have the cookie value, so we can just copy this part of the code and paste it right here, and now we can delete it from here because we no longer need it. So this program is pretty much only used to brute force the main login page of the DVWA and this Brute Force page inside of the DVWA. You will need to adjust a few things right here when trying to brute force a different page. This is, for example, the name of the fields, the name of the cookie, and you will also have to adjust whether it is a GET request or a POST request. Everything else, I believe, can stay the same. Now that we've got our code ready, let us see whether this works. So if I save this and I go and try to run this, let's first of all try once again to brute force the main login page by typing DVWA/login.php. The username is going to be admin, the passwords file is going to be passwords.txt, and the string that occurs is going to be "Login failed". Cookie is going to be optional, so I'm just going to press Enter, because I don't need it for the main login page, and it'll still manage to find it.
448 00:22:32,040 --> 00:22:33,840 But let's see whether it'll manage to 449 00:22:33,840 --> 00:22:35,880 find the correct Username and Password 450 00:22:35,880 --> 00:22:38,940 if I use the Cookie Value and if I Brute Force 451 00:22:38,940 --> 00:22:42,123 inside of this session, let's give it a try. 452 00:22:44,430 --> 00:22:46,140 I will enter the page URL 453 00:22:46,140 --> 00:22:50,310 and the page URL is going to be the URL 454 00:22:50,310 --> 00:22:52,350 to this page right here, which is this one. 455 00:22:52,350 --> 00:22:57,350 So let's Copy it, Paste it right here, press Enter. 456 00:22:58,497 --> 00:23:00,480 The Username is going to be the same, 457 00:23:00,480 --> 00:23:02,400 so it is going to be Admin. 458 00:23:02,400 --> 00:23:04,623 The Passwords File is going to be the same. 459 00:23:05,580 --> 00:23:08,070 The string that occurs is not going to be the same. 460 00:23:08,070 --> 00:23:10,380 So let's give it a try and see what happens. 461 00:23:10,380 --> 00:23:13,810 Once we send Hello as Username and Hello as Password 462 00:23:15,450 --> 00:23:18,240 we get Username and/or Password incorrect. 463 00:23:18,240 --> 00:23:20,940 Now we don't need to specify this entire statement, 464 00:23:20,940 --> 00:23:23,580 we can just specify Incorrect 465 00:23:23,580 --> 00:23:26,130 and if it just finds the Incorrect 466 00:23:26,130 --> 00:23:29,130 that means we specified the Incorrect Password, 467 00:23:29,130 --> 00:23:31,920 therefore it is going to go onto the next one. 468 00:23:31,920 --> 00:23:33,330 So let's press Enter. 469 00:23:33,330 --> 00:23:35,550 And the Cookie value is something that we can read 470 00:23:35,550 --> 00:23:36,990 from our Burp Suite. 471 00:23:36,990 --> 00:23:40,890 So let's find the request that we used to send Hello 472 00:23:40,890 --> 00:23:42,570 and Hello as Username and Password. 473 00:23:42,570 --> 00:23:43,403 And here it is. 
474 00:23:44,460 --> 00:23:46,890 All we need to do from here is find the Cookie Field 475 00:23:46,890 --> 00:23:49,290 and Copy the Cookie Value. 476 00:23:49,290 --> 00:23:51,180 So Security equals High 477 00:23:51,180 --> 00:23:55,530 and the PHP session ID is set to a random value. 478 00:23:55,530 --> 00:23:59,793 All we need to do is Paste that right here and press Enter. 479 00:24:00,870 --> 00:24:02,640 This will start the Brute Forcing 480 00:24:02,640 --> 00:24:04,110 of our page and you will notice 481 00:24:04,110 --> 00:24:06,270 that this time it goes a little bit slower 482 00:24:06,270 --> 00:24:09,240 because we are Brute Forcing inside of a session. 483 00:24:09,240 --> 00:24:12,030 Let's see whether it'll manage to find it once it gets 484 00:24:12,030 --> 00:24:14,403 to the correct username and correct password. 485 00:24:15,270 --> 00:24:17,160 Let's give it a few seconds. 486 00:24:17,160 --> 00:24:20,670 And here it is, it worked successfully. 487 00:24:20,670 --> 00:24:22,350 We found the correct Username, 488 00:24:22,350 --> 00:24:25,680 which is Admin, and the correct Password, which is Password. 489 00:24:25,680 --> 00:24:29,343 And now we can use that to log in to this page. 490 00:24:30,780 --> 00:24:33,993 As it says, welcome to the Password Protected Area, Admin. 491 00:24:35,010 --> 00:24:38,070 So we successfully coded a Brute Forcer. 492 00:24:38,070 --> 00:24:40,560 Now you can perform some minor changes to 493 00:24:40,560 --> 00:24:43,980 make it even better, such as, for example, 494 00:24:43,980 --> 00:24:48,980 importing From Termcolor Import the function Colored. 495 00:24:49,200 --> 00:24:51,660 And this will allow us to print everything 496 00:24:51,660 --> 00:24:52,620 in a different color. 
497 00:24:52,620 --> 00:24:55,440 For example, let's go down here 498 00:24:55,440 --> 00:24:57,780 and this first print statement, we can Print 499 00:24:57,780 --> 00:25:02,780 like this Colored and at the end we specify 500 00:25:02,940 --> 00:25:06,990 inside of the, for example, let's print this in Red, 501 00:25:06,990 --> 00:25:08,610 we close two brackets. 502 00:25:08,610 --> 00:25:11,090 And once we also find the correct Username and Password 503 00:25:11,090 --> 00:25:13,320 we can Print this in Green. 504 00:25:13,320 --> 00:25:18,320 So print Colored, at the end we add Comma 505 00:25:19,590 --> 00:25:23,790 and then Green and we close two brackets. 506 00:25:23,790 --> 00:25:25,713 Same thing we can do right here. 507 00:25:27,390 --> 00:25:29,940 And let's not forget the Colored Function right here. 508 00:25:29,940 --> 00:25:34,940 So Colored, and now if we run this Python3 Bruteforce.PY, 509 00:25:36,600 --> 00:25:39,810 let's use the Regular Main Page 510 00:25:39,810 --> 00:25:43,143 which is DVWA slash Login.PHP. 511 00:25:44,070 --> 00:25:47,430 Admin is the account, Passwords.TXT is the file 512 00:25:47,430 --> 00:25:51,300 and Failed is going to be the string that occurs 513 00:25:51,300 --> 00:25:52,830 and it is even better right now. 514 00:25:52,830 --> 00:25:55,860 It prints the incorrect passwords in red color 515 00:25:55,860 --> 00:25:57,900 and once it finds the correct username 516 00:25:57,900 --> 00:26:00,713 and correct password it prints it in green. 517 00:26:00,713 --> 00:26:04,830 Great. We coded our project, everything works perfectly. 518 00:26:04,830 --> 00:26:08,280 Just don't forget to change certain values 519 00:26:08,280 --> 00:26:09,540 inside of our program 520 00:26:09,540 --> 00:26:12,600 once you try this on a different webpage. 521 00:26:12,600 --> 00:26:15,540 The two main things that you need to keep an eye on 522 00:26:15,540 --> 00:26:18,870 are the name of the fields inside of our source code. 
523 00:26:18,870 --> 00:26:20,490 So you just find the Form 524 00:26:20,490 --> 00:26:23,760 and you see how the fields are named. 525 00:26:23,760 --> 00:26:25,860 Then you use that inside of your Dictionary. 526 00:26:25,860 --> 00:26:28,200 And the next thing that you need to pay attention to 527 00:26:28,200 --> 00:26:31,230 is the method that is used to send these Usernames 528 00:26:31,230 --> 00:26:35,190 and Passwords, whether it is a GET method or POST method. 529 00:26:35,190 --> 00:26:38,700 And at last, you also need to check the name of the Button. 530 00:26:38,700 --> 00:26:40,620 So this can basically be named anything. 531 00:26:40,620 --> 00:26:43,080 That's why you always need to View Page Source 532 00:26:43,080 --> 00:26:45,333 and check it out before running your program. 533 00:26:46,320 --> 00:26:48,780 Great, thank you for watching this coding project. 534 00:26:48,780 --> 00:26:50,640 We're getting better and better at Python. 535 00:26:50,640 --> 00:26:52,800 And in the next lecture we're going to create 536 00:26:52,800 --> 00:26:54,990 another small project in Python 537 00:26:54,990 --> 00:26:57,690 that will be used to Brute Force Directory Names 538 00:26:57,690 --> 00:26:59,130 inside of a Web Page. 539 00:26:59,130 --> 00:27:01,440 This will be a smaller program than this one 540 00:27:01,440 --> 00:27:04,980 but nonetheless it'll still be a useful program 541 00:27:04,980 --> 00:27:07,680 that you will use in your penetration tests. 542 00:27:07,680 --> 00:27:08,980 See you in the next video.