owncloud_bruteforcer

command module

v0.0.0-...-729612f Latest Latest Go to latest Published: Apr 13, 2024 License: MIT Imports: 13 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

git.sual.in/casual/owncloud_bruteforcer

Links

Open Source Insights

README ¶

owncloud_bruteforcer

Simple tool to bruteforce owncloud instance accounts

A word of caution - tool by default can DOS owncloud instance.

Description

Tool:

make GET request to acquire CSRF token + cookies
make POST request using given username and password wordlist.

Installation

go install git.sual.in/casual/owncloud_bruteforcer@latest

Example

owncloud_bruteforce -u "https://target.com/login" -P ./rockyou.txt

Help

Owncloud_bruteforcer - tool to bruteforce user

Usage:
  owncloud_bruteforcer [flags]

Flags:
INPUT:
   -url, -u string                target's url to login page. Example "https://example.com/index.php/login, http://example.com/login "
   -login, -l string              username to bruteforce (default "admin")
   -login-wordlist, -L string     username wordlist
   -password-wordlist, -P string  password wordlist
   -proxy, -x string              HTTP proxy for packet inspection (Burp/Caidu/ZAP) (for example http://127.0.0.1:8080). But be aware, if you enable inspection then attack will fail because of delays
   -threads, -t int               threads to bruteforce (default 10)

Notes (TODO)

Expect to DOS service (100% CPU) (even if it have bruteforce protection enabled) if you prefer not to, set -t 5 or less (but it will slowdown attack)
Successful login detected by redirect location after POST request. If user have 2FA, then app will not show found login:password. (Detects by redirect location)
Bruteforce protection isn't detected (after hitting limit, response to POST - 403 instead 303)
If there is internet connection problem or WAF/rate-limit/etc blocked you, you may recieve can't create (POST) request: Post "https://target.com/login": context deadline exceeded (Client.Timeout exceeded while awaiting headers) and attack will stop without a way to continue
There is way to bruteforce administrator account which use different endpoint, possibly can allow to bruteforce admin account in same time without slowing down current version of tool

License

This project is licensed under the MIT License - see the LICENSE file for details. I am not responsible for any actions or damage.

Documentation ¶

There is no documentation for this package.

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL