brutemap: automates testing accounts to the site’s login page
Brutemap
Brutemap is an open source penetration testing tool that automates testing accounts to the site’s login page, based on Dictionary Attack. With this, you no longer need to search for other bruteforce tools and you also no longer need to ask CMS What is this? (only to find parameter forms), because brutemap will do it automatically. Brutemap is also equipped with an attack method that makes it easy for you to do account checking or test forms with the SQL injection bypass authentication technique.
Attack method
On the brutemap tool, there are several attack methods that make it easy for you to check accounts or test forms.
Twin
The Twin Method is a method that tests passwords based on the current username index. And the purpose of this method is to simplify checking accounts
For example, I have 2 usernames:
| Usernames |
|---|
| admin |
| root |
And, 1 password:
| Passwords |
|---|
| default |
And it will come out, like this:
=> admin : default
The root username will not be tested, because it has no partner password.
Use the option –twin to activate this method
SQL Injection Bypass Authentication
This method will test the page form with SQL injection payloads, for more information see here
Use the option (-sB or –sqli-bypass) to activate this method
SQL Injection Payloads
This method is the same as the SQL Injection Bypass Authentication method, but it will insert SQL injection payloads into the username.
For example, I have 2 usernames:
| Usernames |
|---|
| admin |
| root |
And, 2 payloads:
| Payloads |
|---|
| ‘) or true– |
| ‘)) or 1– |
And it will come out, like this:
=> admin') or true-- : ... => admin')) or 1-- : ...
Use the option (-sP or –sqli-payloads) to activate this method
Installation
git clone https://github.com/brutemap-dev/brutemap.git
pip install -r requirements.txt
Usage
Copyright (C) 2019 Aprila Hijriyan <hijriyan23@gmail.com>
