Black Hat Python — Brute-Forcing HTML Authentication Forms

Expanding on the previous post, where we brute-forced URL directories and file locations for a target website, the same can be done for HTML Authentication Forms.


HTML Authentication Forms typically look like this:

<form class="form-signin" action="./" method="post">
<input type="text" name="username" placeholder="Username" required="" autofocus="">
<input type="password" name="password" placeholder="Password" required="">
<button><span></span> Log in </button>
</form>

The markup above shows that the form is submitted via POST to the path “./” and requires two inputs, username and password. We can parse this HTML and brute-force these input fields with the help of a password list file. Here is the script:

So I decided to use this script on a web server on my network. It has a landing page where the user has to authenticate to gain admin access. This was the HTML Authentication Form that I had to parse and brute-force with passwords derived from my custom password list file. Here is the output:

python3 ch5_html_form_brute_force.py
[*] Started HTML Form Brute-Forcer Script
[*] Building Password Queue
[*] Password Queue Build Successful
[*] Brute-Forcing with 5 threads
[*] Attempting admin/p@$$w0rd
[*] Attempting admin/monkey123
[*] Attempting admin/password
[*] Attempting admin/1keshav
[*] Attempting admin/109At35Rg
[*] Attempting admin/kegiatrang111
[*] Attempting admin/ji3g4gp6
[*] Attempting admin/jz1456bl8989
[*] Attempting admin/qgn8so536ueprdtz
[*] Attempting admin/gp125cc
[*] Attempting admin/12ab78
[*] Attempting admin/harket1610
[*] Attempting admin/jayro6
[*] Attempting admin/auts6=ints6
[*] Attempting admin/yie018343
[*] Attempting admin/B0gu$p@zzw0rd
[*] Brute-Force Attempt is Successful!
[*] Username: admin
[*] Password: B0gu$p@zzw0rd

[*] Done

Now, that’s cool! Obviously, there are many areas where this script can be improved on, like adding HTTPS support or having more robust error checking/handling techniques. However, it’s a good starting point!
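
On the server side, a run like the one above appears in the access log as a burst of POSTs to the login path from one source, ending in a success. The following is an added example, not part of the original post: a sliding-window detector over constructed log lines, where the /login path, the IP addresses, and the convention that a failed login returns 200 and a successful one redirects with 302 are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed combined-log-style lines; IPs, path and timings are made up.
# Assumption: a failed login re-renders the form (200), a success redirects (302).
SAMPLE_LOG = """\
198.51.100.7 - - [12/Mar/2024:10:00:00 +0000] "GET /login HTTP/1.1" 200 1843
192.0.2.10 - - [12/Mar/2024:10:00:01 +0000] "POST /login HTTP/1.1" 200 1843
192.0.2.10 - - [12/Mar/2024:10:00:01 +0000] "POST /login HTTP/1.1" 200 1843
198.51.100.7 - - [12/Mar/2024:10:00:02 +0000] "POST /login HTTP/1.1" 200 1843
192.0.2.10 - - [12/Mar/2024:10:00:02 +0000] "POST /login HTTP/1.1" 200 1843
192.0.2.10 - - [12/Mar/2024:10:00:02 +0000] "POST /login HTTP/1.1" 200 1843
192.0.2.10 - - [12/Mar/2024:10:00:03 +0000] "POST /login HTTP/1.1" 200 1843
192.0.2.10 - - [12/Mar/2024:10:00:03 +0000] "POST /login HTTP/1.1" 200 1843
192.0.2.10 - - [12/Mar/2024:10:00:04 +0000] "POST /login HTTP/1.1" 302 0
198.51.100.7 - - [12/Mar/2024:10:00:09 +0000] "POST /login HTTP/1.1" 302 0
"""

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"POST (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def detect_form_bruteforce(log_text, login_path="/login", threshold=5,
                           window=timedelta(seconds=60)):
    """Return (ip, kind, timestamp) alerts for bursts of failed login POSTs."""
    failures = defaultdict(deque)  # ip -> timestamps of failed POSTs in window
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["path"] != login_path:
            continue  # only POSTs to the login form are of interest
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        recent = failures[m["ip"]]
        while recent and ts - recent[0] > window:
            recent.popleft()  # expire failures older than the window
        if m["status"] == "200":
            recent.append(ts)
            if len(recent) == threshold:  # alert once when the burst is reached
                alerts.append((m["ip"], "threshold", ts))
        elif m["status"] == "302":
            if len(recent) >= threshold:  # a guess likely succeeded: escalate
                alerts.append((m["ip"], "success_after_failures", ts))
            recent.clear()
    return alerts

if __name__ == "__main__":
    for ip, kind, ts in detect_form_bruteforce(SAMPLE_LOG):
        print(f"{ts.isoformat()} {ip} {kind}")
```

The same counter keyed on the submitted username instead of the source IP also catches attempts spread across several addresses, and it is the natural place to hang rate limiting or account lockout.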