{"id":19034752,"url":"https://github.com/koutto/web-brutator","last_synced_at":"2025-05-07T21:40:51.207Z","repository":{"id":43600048,"uuid":"180816374","full_name":"koutto/web-brutator","owner":"koutto","description":"Fast Modular Web Interfaces Bruteforcer","archived":false,"fork":false,"pushed_at":"2021-11-16T14:31:37.000Z","size":17289,"stargazers_count":224,"open_issues_count":5,"forks_count":43,"subscribers_count":8,"default_branch":"master","last_synced_at":"2025-03-31T14:21:20.594Z","etag":null,"topics":["application-servers","brute-force","bruteforce","bruteforce-attacks","cms","hacking","hacking-tool","pentest","pentesting","web-hacking"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/koutto.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2019-04-11T15:02:03.000Z","updated_at":"2025-03-31T06:41:14.000Z","dependencies_parsed_at":"2022-07-19T03:32:20.242Z","dependency_job_id":null,"html_url":"https://github.com/koutto/web-brutator","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/koutto%2Fweb-brutator","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/koutto%2Fweb-brutator/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/koutto%2Fweb-brutator/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/koutto%2Fweb-brutator/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/koutto","download_url":"https://codeload.github.com/koutto/web-
brutator/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":252961177,"owners_count":21832181,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["application-servers","brute-force","bruteforce","bruteforce-attacks","cms","hacking","hacking-tool","pentest","pentesting","web-hacking"],"created_at":"2024-11-08T21:47:18.125Z","updated_at":"2025-05-07T21:40:51.180Z","avatar_url":"https://github.com/koutto.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Web Brutator\n\nFast Modular Web Interfaces Bruteforcer\n\n# :inbox_tray: Install\n```\npython3 -m pip install -r requirements.txt\n```\n\n# :fast_forward: Usage\n```\n$ python3 web-brutator.py -h\n\n __      __      ___.            
__________                __          __                \n/  \\    /  \\ ____\\_ |__          \\______   \\_______ __ ___/  |______ _/  |_  ___________ \n\\   \\/\\/   // __ \\| __ \\   ______ |    |  _/\\_  __ \\  |  \\   __\\__  \\   __\\ /  _ \\_  _ _\\\n \\        /\\  ___/| \\_\\ \\ /_____/ |    |   \\ |  | \\/  |  /|  |  / __ \\|  | (  \u003c_\u003e )  | \\/\n  \\__/\\  /  \\___  \u003e___  /         |______  / |__|  |____/ |__| (____  /__|  \\____/|__|   \n       \\/       \\/    \\/                 \\/                         \\/                   \n                                                                        Version 0.2\n\nusage: web-brutator.py [-h] [--url URL] [--target TYPE] [-u USERNAME]\n                       [-U USERLIST] [-p PASSWORD] [-P PASSLIST]\n                       [-C COMBOLIST] [-t THREADS] [-s] [-v] [-e MAX_ERRORS]\n                       [--timeout TIMEOUT] [-l]\n\noptional arguments:\n  -h, --help                   show this help message and exit\n  --url URL                    Target URL\n  --target TYPE                Target type\n  -u, --username USERNAME      Single username\n  -U, --userlist USERLIST      Usernames list\n  -p, --password PASSWORD      Single password\n  -P, --passlist PASSLIST      Passwords list\n  -C, --combolist COMBOLIST    Combos username:password list\n  -t, --threads THREADS        Number of threads [1-50] (default: 10)\n  -s, --stoponsuccess          Stop on success\n  -v, --verbose                Print every tested creds\n  -e, --max-errors MAX_ERRORS  Number of accepted consecutive errors (default: 10)\n  --timeout TIMEOUT            Time limit on the response (default: 20s)\n  -l, --list-modules           Display list of modules\n```\n\nExample:\n```\npython3 web-brutator.py --target jenkins --url https://mytarget.com -U ./usernames.txt -P ./passwords.txt -s -t 40\n```\n\n# :rocket: Available Modules\n- axis2\n- coldfusion\n- glassfish\n- htaccess\n- jboss\n- jenkins\n- joomla\n- railo\n- 
standardform\n- tomcat\n- weblogic\n- websphere\n\n*Notice: Some products implement account lockout by default after a given number of failed authentication attempts (e.g. Weblogic, Tomcat...).\n`web-brutator` notifies the user at the beginning of the bruteforce attack if this is the case. Take this into account before launching bruteforce on such \ntargets.*\n\n# :bulb: Standard web authentication form Auto-Detection\n`web-brutator` can automatically detect **standard** web authentication forms and perform bruteforce automatically.\nThis feature is available via the module `standardform`; it is **still experimental** and can lead to false positives/negatives \nsince it is based on several heuristics. \n\nNot supported:\n- Web authentication using JavaScript;\n- Authentication with CAPTCHA;\n- 2-step authentication\n...\n\nExample:\n```\npython3 web-brutator.py --target standardform --url https://mytarget.com -U ./usernames.txt -P ./passwords.txt -s -t 40 -v\n```\n![Demo](./img/demo.gif)\n*This demo is against a phpMyAdmin interface*\n\n\n# :wrench: Add new module / Contribute\nAdding a new authentication bruteforce module is pretty straightforward:\n\n1. Create a new file with an appropriate name under `lib/core/modules/`\n2. Create a class in this file, using the following template. Development is very easy; check any existing module \nunder `lib/core/modules/` for some examples. 
Note that HTTP requests should be done via the static methods provided by the\n`Requester` class: `Requester.get()`, `Requester.post()`, `Requester.http_auth()`.\n```\n#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\nfrom lib.core.Exceptions import AuthException, RequestException\nfrom lib.core.Logger import logger\nfrom lib.core.Requester import AuthMode, Requester\n\n\nclass Mymodule:\n\n    def __init__(self, url, verbose=False):\n        self.url = url\n        # Other self variables can go here\n\n\n    def check(self):\n        \"\"\"\n        This method is used to detect the presence of the targeted authentication\n        interface.\n        :return: Boolean indicating if the authentication interface has been detected\n        \"\"\"\n        # Implement code here\n\n\n    def try_auth(self, username, password):\n        \"\"\"\n        This method is used to perform one authentication attempt.\n        :param str username: Username to check\n        :param str password: Password to check\n        :return: Boolean indicating authentication status\n        :raise AuthException:\n        \"\"\"\n        # Implement code here\n\n```\n3. The module is then automatically available (check using the `-l` option) from the command line.\n4. Test the module to make sure it is working as expected!\n5. Make a pull request to add the module to the project ;)","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkoutto%2Fweb-brutator","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkoutto%2Fweb-brutator","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkoutto%2Fweb-brutator/lists"}