How to create a password brute force wordlist generator tool in Golang?
While trying to penetrate a web application, we often find that passwords are a barrier to the sensitive information of a user or an organization, so we need to get past them somehow. There are mainly two approaches: either find a vulnerability in the web app's authorization, or guess (brute force) the right password.
Make sure you have installed Golang and properly set up the environment variable. Check out the Golang installation tutorial here.
How to start making a Golang program?
Let's use some mathematics that we learnt in high school. Recall permutations and combinations (P&C): we have a list of characters, and we have to choose some of them (= passwordLength) in every possible way (combination). For every such choice (combination), we can also arrange those characters in many unique ways (permutation).
With this approach in mind, a quick Google search turns up the itertools module, which makes our work easy.
1. Start by creating a file main.go and import the required Golang packages:
fmt - To print passwords.
strconv - To convert string types to int types.
strings - To manipulate UTF-8 encoded strings.
github.com/ernestosuarez/itertools - Permutations and combinations of the characters list.
package main

import (
	// To print passwords.
	"fmt"
	// strings manipulation functions
	"strings"
	// convert string types to int types
	"strconv"
	// permutation and combination of charactersList
	"github.com/ernestosuarez/itertools"
)
2. Declare variables in Golang
Now, we can declare the required variables in the main() function.
passwordLength - lengths of the generated passwords.
characters - characters used to compose the password.
func main() {
	// The password length
	passwordLength := "1,2,4"
	// character to compose the password
	characters := "abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()+-./"
}
3. String manipulation in Golang
Here, both variables need to be turned into slices.
passwordLengthList - split passwordLength into a slice at every ',' character.
charactersList - use the characters string to create a slice of all characters.
func main() {
	// The password length
	passwordLength := "1,2,4"
	// character to compose the password
	characters := "abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()+-./"
	// Split comma separated password length into slice.
	passwordLengthList := strings.Split(passwordLength, ",")
	// Splits a string into a list of strings.
	charactersList := strings.Split(characters, "")
}
4. Create for loop in Golang
To generate passwords for all lengths in the slice passwordLengthList, we need to use a for loop.
func main() {
	// The password length
	passwordLength := "1,2,4"
	// character to compose the password
	characters := "abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()+-./"
	// Split comma separated password length into slice.
	passwordLengthList := strings.Split(passwordLength, ",")
	// Splits a string into a list of strings.
	charactersList := strings.Split(characters, "")
	// Run permutations for every password length.
	for _, passLen := range passwordLengthList {
		// Convert integer strings to int.
		passLenInt, err := strconv.Atoi(passLen)
		// If the conversion fails (err is not nil), panic.
		if err != nil {
			panic(err)
		}
		// passLenInt is used in the next step.
	}
}
5. Permutation and Combination in Golang
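itertools provides a function that takes a slice and a length and yields every ordered arrangement (permutation) of that many elements from the slice. Each element is used at most once per arrangement, so candidates with a repeated character, such as "aa", are not generated.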
Take a look at this example use of itertools for reference.
func main() {
	iterable := []string{"1", "2", "3", "4"}
	// Iterate over every permutation of 3 elements taken from iterable.
	for v := range itertools.PermutationsStr(iterable, 3) {
		fmt.Println(v)
	}
}
6. Create brute force list generator in Golang
Let's put every piece of this puzzle together to get a working program.
package main

import (
	// To print passwords.
	"fmt"
	// strings manipulation functions
	"strings"
	// convert string types to int types
	"strconv"
	// permutation and combination of charactersList
	"github.com/ernestosuarez/itertools"
)

func main() {
	// The password length
	passwordLength := "1,2,4"
	// character to compose the password
	characters := "abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()+-./"
	// Split comma separated password length into slice.
	passwordLengthList := strings.Split(passwordLength, ",")
	// Splits a string into a list of strings.
	charactersList := strings.Split(characters, "")
	// Run permutations for every password length.
	for _, passLen := range passwordLengthList {
		// Convert integer strings to int.
		passLenInt, err := strconv.Atoi(passLen)
		// If the conversion fails (err is not nil), panic.
		if err != nil {
			panic(err)
		}
		// Iterate over the permutations of the characters.
		for v := range itertools.PermutationsStr(charactersList, passLenInt) {
			// Prints a string by joining all elements of the list.
			fmt.Println(strings.Join(v, ""))
		}
	}
}
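To see how much of the keyspace this generator covers, the following added example (not part of the original tutorial; Keyspace and Covered are hypothetical helper names) counts the permutations emitted for the tutorial's character set and lengths against all possible strings, and checks whether a given password would appear in the list. It assumes PermutationsStr never reuses a character within one candidate, as permutations without repetition do.

```go
package main

import (
	"fmt"
	"math/big"
	"strconv"
	"strings"
)

// Keyspace (hypothetical helper) returns, for length r over n distinct characters,
// how many strings the permutation-based generator emits (n!/(n-r)!) and how
// many strings of that length exist when characters may repeat (n^r).
func Keyspace(n, r int) (perms, all *big.Int) {
	perms, all = big.NewInt(1), big.NewInt(1)
	for i := 0; i < r; i++ {
		perms.Mul(perms, big.NewInt(int64(n-i))) // becomes 0 once r > n
		all.Mul(all, big.NewInt(int64(n)))
	}
	return perms, all
}

// Covered (hypothetical helper) reports whether password would appear in the
// wordlist: its length is listed, every character is in charset, none repeats.
func Covered(password, charset, lengths string) (bool, error) {
	okLen := false
	for _, s := range strings.Split(lengths, ",") {
		r, err := strconv.Atoi(strings.TrimSpace(s))
		if err != nil || r < 1 {
			return false, fmt.Errorf("invalid length %q", s)
		}
		okLen = okLen || r == len([]rune(password))
	}
	seen := map[rune]bool{}
	for _, c := range password {
		if !strings.ContainsRune(charset, c) || seen[c] {
			return false, nil
		}
		seen[c] = true
	}
	return okLen, nil
}

func main() {
	charset := "abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()+-./" // tutorial's set
	for _, r := range []int{1, 2, 4} { // the tutorial's lengths
		p, a := Keyspace(len(charset), r)
		fmt.Printf("length %d: generated %s of %s possible strings\n", r, p, a)
	}
	fmt.Println(Covered("aab1", charset, "1,2,4")) // constructed sample, 'a' repeats
}
```

For length 4 the generator emits 5527200 of the 6250000 possible strings, so a password such as aab1 is never produced.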
Conclusion
In this tutorial, we made a Golang program that generates a brute force wordlist from a specific set of characters and password lengths.