Simple tool to bruteforce owncloud instance
go.mod | ||
go.sum | ||
LICENSE | ||
main.go | ||
options.go | ||
README.md |
owncloud_bruteforcer
Simple tool to bruteforce owncloud instance accounts
A word of caution - tool by default can DOS owncloud instance.
Description
Tool:
- make GET request to acquire CSRF token + cookies
- make POST request using given username and password wordlist.
Installation
go install git.sual.in/casual/owncloud_bruteforcer@latest
Example
owncloud_bruteforce -u "https://target.com/login" -P ./rockyou.txt
Help
Owncloud_bruteforcer - tool to bruteforce user
Usage:
owncloud_bruteforcer [flags]
Flags:
INPUT:
-url, -u string target's url to login page. Example "https://example.com/index.php/login, http://example.com/login "
-login, -l string username to bruteforce (default "admin")
-login-wordlist, -L string username wordlist
-password-wordlist, -P string password wordlist
-proxy, -x string HTTP proxy for packet inspection (Burp/Caidu/ZAP) (for example http://127.0.0.1:8080). But be aware, if you enable inspection then attack will fail because of delays
-threads, -t int threads to bruteforce (default 10)
Notes (TODO)
- Expect to DOS service (100% CPU) (even if it have bruteforce protection enabled)
if you prefer not to, set
-t 5
or less (but it will slowdown attack) - Successful login detected by redirect location after POST request. If user have 2FA, then app will not show found login:password. (Detects by redirect location)
- Bruteforce protection isn't detected (after hitting limit, response to POST - 403 instead 303)
- If there is internet connection problem or WAF/rate-limit/etc blocked you, you may recieve
can't create (POST) request: Post "https://target.com/login": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
and attack will stop without a way to continue - There is way to bruteforce administrator account which use different endpoint, possibly can allow to bruteforce admin account in same time without slowing down current version of tool
License
This project is licensed under the MIT License - see the LICENSE file for details. I am not responsible for any actions or damage.