casual/owncloud_bruteforcer
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

readme updatet

Browse Source
This commit is contained in:
Casual 2024-04-13 18:09:16 +03:00
parent 15aa148040
commit 16e0f73b33
2 changed files with 13 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
README.md
View File

@ -1,10 +1,14 @@
# owncloud_bruteforcer
Simple tool to bruteforce owncloud instance
Simple tool to bruteforce owncloud instance accounts
## Description
Tool make GET request to acquire CSRF token + cookies and make POST request with given username and password wordlist.
Tool:
- make GET request to acquire CSRF token + cookies
- make POST request using given username and password wordlist.
A word of caution - tool by default can DOS owncloud instance.
### Installation
@ -34,9 +38,12 @@ INPUT:
## Notes (TODO)
- Successful login detected by redirect location after POST request. If user have 2FA, then app will not show found login:password.
- If there is internet connection problem or WAF/rate-limit/etc blocked you, you may recieve `can't create (POST) request: Post "https://target.com/login": context deadline exceeded (Client.Timeout exceeded while awaiting headers)`
- Expect to DOS service (100% CPU) (even if it have bruteforce protection enabled)
if you prefer not to, set `-t 5` or less (but it will slowdown attack)
- Successful login detected by redirect location after POST request. If user have 2FA, then app will not show found login:password. (Detects by redirect location)
- Bruteforce protection isn't detected (after hitting limit, response to POST - 403 instead 303)
- If there is internet connection problem or WAF/rate-limit/etc blocked you, you may recieve `can't create (POST) request: Post "https://target.com/login": context deadline exceeded (Client.Timeout exceeded while awaiting headers)` and attack will stop without a way to continue
- There is way to bruteforce administrator account which use different endpoint, possibly can allow to bruteforce admin account in same time without slowing down current version of tool
## License
This project is licensed under the MIT License - see the LICENSE file for details. I am not responsible for any actions or damage.
This project is licensed under the MIT License - see the LICENSE file for details. I am not responsible for any actions or damage.

3
main.go
View File

@ -228,10 +228,9 @@ func (options Options) bruteforce(user string) {
go func() {
for ! foundPass {
token,cookie := getCSRFtoken(options.URL)
// if tryPassword(options.URL,options.Proxy,token,cookie,user,password) {
password1,channelClosed := <-pass
if ! channelClosed {foundPass = true}
// fmt.Printf("try %s\n",password1)
if tryPassword(options.URL,options.Proxy,token,cookie,user,password1) {
fmt.Printf("[HIT] %s:%s\n",user,password1)
foundPass = true