Shulou(Shulou.com)06/02 Report--

This article is about Python how to write a password brute force attack tester, the editor thinks it is very practical, so I share it with you. I hope you can get something after reading this article. Let's take a look at it.

What is HTTP basic Certification

HTTP basic authentication (HTTP Basic Authentication) is the simplest authentication method to realize Web resource access control in HTTP protocol. It provides authentication information by adding header header domain or by attaching parameters in URL, and transmits the authentication information by Base64 coding. Finally, the encoded characters are received by the server for decoding authentication.

When we visit a URL that requires basic HTTP authentication, it receives the authentication information entered by the user by responding to a 401 status code and returning an authentication box. If we fill in it incorrectly, the server will continue to return a 401 status code and authentication box, and if the authentication is successful, it will return a 200 request success status code.

One of the advantages of HTTP basic authentication is that almost all modern browsers support this authentication, which is very simple and convenient, but because of its technical characteristics, this authentication is not very secure, and now it mostly exists in the sites in the intranet environment.

Its use of Base64 coding encryption, but also belongs to the "anti-gentleman does not guard against villains" encryption. Using Python's base64 module, we can easily encrypt and decrypt:

The returned result is:

Does it feel like a fool, yes, it is. ^ _ ^

Write Python password brute force tester

Now that you understand some of the concepts of HTTP basic authentication, let's continue to write a penetration test password brute force cracker using Python.

As usual, we introduce the relevant modules

The functions of related modules have been mentioned in the last article writing Resource Explorer, and those who have forgotten can go to the blog to read: http://zmister.com/archives/180.html, http://zmister.com/archives/181.html

Because there will be many entries in the dictionary, we set a global variable to identify whether the password in the dictionary is valid:

Then as usual we define a banner function that decorates our monotonous command line:

Next, there is still an example of the parameter method used by the program:

Then comes our main class request_performer ():

Finally, there is the function launcher_thread () that starts the thread and the function start () that starts the program:

Finally, we still use the http://www.scruffybank.com/ in the virtual machine as the target machine to test the password attack on the admin users of http://www.scruffybank.com/Admin, using a weak password file as the dictionary:

Run the command on the command line terminal:

The result shows that a password "administrator" was found.

We open http://www.scruffybank.com/Admin and log in with the username admin and password administrator to see if we can log in successfully.

As a result, the authentication successfully entered a directory, indicating that our weak password brute force test was successful.

This is how Python writes a password brute force attack tester. The editor believes that there are some knowledge points that we may see or use in our daily work. I hope you can learn more from this article. For more details, please follow the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.