How to Brute-force with Go (Golang)

Febrilian
May 2, 2022

A few weeks ago, I did an assignment for a CTO position at an ed-tech startup. They asked me to find flaws in their system. I started with the simplest thing: authentication. I noticed that there was no login attempt limiter on their website. Then I checked the Network tab in Chrome DevTools (F12 > “Network” tab); the request, endpoint, and response were all there. With the endpoint and request format, I figured that I could build some kind of automated trial-and-error login attempts.

Network tab; as we can see, we have the request payload.

So I built it in Go. I have never built any brute-force apps, but from first principles I figured that I needed to build:

  • Combinations of passwords that fit the password rule (minimum length of 8, has to include uppercase and number, etc.)
  • A POST request client for the login endpoint that checks the response status (success or error)
  • A tracking system so I can pause the brute force and continue later (I’m using a plain .txt file)

Then I initialized the project folder and ran go mod init project_name:

mkdir go-bruteforce
cd go-bruteforce
go mod init go-bruteforce

I wanted to generate the password combination list first, so I created a method that generates a try.txt file that will be used for password attempts. The reason I built the try.txt is that I don’t want to rely on memory to store all the possible passwords, and I can manually add password combinations by using a leaked password database, or other lists like the worst password list 2021.

So I created a helper package and helper.go to generate the random password combinations and write them to a “.txt” file.

helper/helper.go to generate password combinations and append file

You can modify the string inside the []rune("...") on line 10 to fit your password rule. I used abcdefghijklmnopqrstuvwxyzABCDEFG... because my targeted auth requires uppercase, lowercase, and numeric values.

You can generate the “try.txt” file by running this code in main.go:

for i := 0; i < 1000; i++ {
    s := helper.RandStringRunes(11)
    helper.WriteOrAppendFile("try.txt", s)
}

We are generating 1000 password combinations from our code. You can add more in try.txt from your own guesses or leaked password database.

Now we have the “try.txt” file in our root folder. We will replace main.go so we can use all the passwords in try.txt to make POST requests to the URL to attempt the brute-force.

Create a .env file in the root directory with the attempted username and URL endpoint. Here’s an example of the .env file:

USERNAME=febriliankr
URL=https://endpoint.com/wp-admin/admin-ajax.php?action=stm_lms_login&nonce=912c7b85e4

If the password is correct, we will write it in correct_password.txt, and all the wrong passwords will be in wrong_password.txt file. Here’s also what was logged in the console.

Logging all the password attempts in console. We can see the correct password.

If you are blocked by the API, try using a VPN. If it’s still not working, then good, it means the website is safe from simple brute-force attacks.

Here is the repository to the Go code.
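
The control this post found missing, a login attempt limiter, as an added example (not code from the original post or its repository). It counts failures per account as well as per client address, so a client that changes address, as with the VPN mentioned above, still runs into the account limit; the `Limiter` type, its method names and the sample addresses are assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// Limiter counts failed logins per key (account or client address) in a sliding window.
type Limiter struct {
	mu     sync.Mutex
	max    int
	window time.Duration
	fails  map[string][]time.Time
}

// recent drops failures older than the window and returns how many remain (mu held).
func (l *Limiter) recent(key string, now time.Time) int {
	ts := l.fails[key]
	for len(ts) > 0 && now.Sub(ts[0]) >= l.window {
		ts = ts[1:] // failures are appended in time order, so expired ones sit at the front
	}
	if l.fails[key] = ts; len(ts) == 0 {
		delete(l.fails, key) // keep no empty entries for client-supplied names
	}
	return len(ts)
}

// Allowed is called before the password is verified; a blocked request is rejected unchecked.
func (l *Limiter) Allowed(user, ip string, now time.Time) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	return l.recent("user:"+user, now) < l.max && l.recent("ip:"+ip, now) < l.max
}

// Fail records one failed attempt against both the account and the client address.
func (l *Limiter) Fail(user, ip string, now time.Time) {
	l.mu.Lock()
	defer l.mu.Unlock()
	l.fails["user:"+user] = append(l.fails["user:"+user], now)
	l.fails["ip:"+ip] = append(l.fails["ip:"+ip], now)
}

func main() {
	l, now := &Limiter{max: 5, window: 15 * time.Minute, fails: map[string][]time.Time{}}, time.Now()
	for i := 0; i < 5; i++ { // constructed input: five failures, each from a new address
		l.Fail("alice", fmt.Sprintf("203.0.113.%d", i), now)
	}
	fmt.Println(l.Allowed("alice", "198.51.100.7", now), l.Allowed("bob", "198.51.100.7", now))
}
```

Call `Allowed` before verifying the password and `Fail` after a wrong one. A per-account limit lets anyone who knows a username lock it for the window, so keep the window short or require a CAPTCHA or second factor instead of a hard block.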
