diff --git a/README.md b/README.md index f173f5b..fcfce32 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,42 @@ # owncloud_bruteforcer -simple tool to bruteforce owncloud instance -(the main purpose is bypass anti-CSRF token) +Simple tool to bruteforce owncloud instance +## Description + +Tool make GET request to acquire CSRF token + cookies and make POST request with given username and password wordlist. + +### Installation + +`go install git.sual.in/casual/owncloud_bruteforcer@latest` + +### Example + +`owncloud_bruteforce -u "https://target.com/login" -P ./rockyou.txt` + +### Help + +``` +Owncloud_bruteforcer - tool to bruteforce user + +Usage: + owncloud_bruteforcer [flags] + +Flags: +INPUT: + -url, -u string target's url to login page. Example "https://example.com/index.php/login, http://example.com/login " + -login, -l string username to bruteforce (default "admin") + -login-wordlist, -L string username wordlist + -password-wordlist, -P string password wordlist + -proxy, -x string HTTP proxy for packet inspection (Burp/Caidu/ZAP) (for example http://127.0.0.1:8080). But be aware, if you enable inspection then attack will fail because of delays + -threads, -t int threads to bruteforce (default 10) +``` + +## Notes (TODO) + + - Successful login detected by redirect location after POST request. If user have 2FA, then app will not show found login:password. + - If there is internet connection problem or WAF/rate-limit/etc blocked you, you may recieve `can't create (POST) request: Post "https://target.com/login": context deadline exceeded (Client.Timeout exceeded while awaiting headers)` + - There is way to bruteforce administrator account which use different endpoint, possibly can allow to bruteforce admin account in same time without slowing down current version of tool + +## License +This project is licensed under the MIT License - see the LICENSE file for details. I am not responsible for any actions or damage. \ No newline at end of file