casual/owncloud_bruteforcer
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
729612f266
owncloud_bruteforcer/README.md
casual 729612f266 Update README.md
2024-04-13 15:11:34 +00:00

51 lines
2.1 KiB
Markdown
Raw Blame History

# owncloud_bruteforcer
Simple tool to bruteforce owncloud instance accounts
> A word of caution - tool by default can DOS owncloud instance.
## Description
Tool:
- make GET request to acquire CSRF token + cookies
- make POST request using given username and password wordlist.
### Installation
`go install git.sual.in/casual/owncloud_bruteforcer@latest`
### Example
`owncloud_bruteforce -u "https://target.com/login" -P ./rockyou.txt`
### Help
```
Owncloud_bruteforcer - tool to bruteforce user
Usage:
owncloud_bruteforcer [flags]
Flags:
INPUT:
-url, -u string target's url to login page. Example "https://example.com/index.php/login, http://example.com/login "
-login, -l string username to bruteforce (default "admin")
-login-wordlist, -L string username wordlist
-password-wordlist, -P string password wordlist
-proxy, -x string HTTP proxy for packet inspection (Burp/Caidu/ZAP) (for example http://127.0.0.1:8080). But be aware, if you enable inspection then attack will fail because of delays
-threads, -t int threads to bruteforce (default 10)
```
## Notes (TODO)
- Expect to DOS service (100% CPU) (even if it have bruteforce protection enabled)
if you prefer not to, set `-t 5` or less (but it will slowdown attack)
- Successful login detected by redirect location after POST request. If user have 2FA, then app will not show found login:password. (Detects by redirect location)
- Bruteforce protection isn't detected (after hitting limit, response to POST - 403 instead 303)
- If there is internet connection problem or WAF/rate-limit/etc blocked you, you may recieve `can't create (POST) request: Post "https://target.com/login": context deadline exceeded (Client.Timeout exceeded while awaiting headers)` and attack will stop without a way to continue
- There is way to bruteforce administrator account which use different endpoint, possibly can allow to bruteforce admin account in same time without slowing down current version of tool
## License
This project is licensed under the MIT License - see the LICENSE file for details. I am not responsible for any actions or damage.
Reference in New Issue View Git Blame Copy Permalink