Bruteforce a login page using Blazy tool

What is Blazy?

Blazy is a Python script to bruteforce login pages. The script takes input from usernames.txt and passwords.txt and tries every possible combination to find the correct authentication credentials. It can also check for login bypass via SQL injection and CSRF.

Common usernames and passwords can be downloaded online. Kali Linux has a built-in tool called CRUNCH which can generate every possible username and password according to your need. How to create custom wordlist using crunch?

Features

  1. Easy target selections
  2. Smart form and error detection
  3. CSRF and Clickjacking Scanner
  4. Cloudflare and WAF Detector
  5. 90% accurate results
  6. Checks for login bypass via SQL injection
  7. Multi-threading
  8. 100% accurate results
  9. Better form detection and compatibility

Installation

git clone https://github.com/UltimateHackers/Blazy.git
cd Blazy
pip install -r requirements.txt

Inside the downloaded folder you can see two files, username and password. Replace them with your custom wordlist or a common wordlist.

Now in the terminal type:

python blazy.py

Now paste the URL of your target login page. Depending on the network speed and password strength, this may take quite a while.


Has anyone tried this stuff? Please help me because I am stuck somewhere.

@odirachukwu_onyejefu: All this app does (if it works at all, as you can see on the git issues page for this app, which also has had no updates in over a year) is try one combo of username and pw after another.

And it does so using a username and pw text file that you need to provide it. So somehow you would have to find a giant (and I mean GIANT) combo list that provides all the combinations for usernames and passwords that you can come up with. The pws, of course, need to be in 6 characters, using uppercase and lowercase letters, as well as digits, and a few additional special characters. (This is assuming the website does not require an 8-digit pw, as has become standard. And that you know what special characters the site forbids or allows.)

Once you have the files with these millions of combos, you can let this app work for a few years straight and see if it can find the username and password. Make sure to pray every day of those years that the website you are trying has zero security and people managing it cannot see that something is trying combos on this single log in page every second for many years.

As you know the poster tells you on “Feature Number 8” that this app provides “100% accurate results.” (That is, after telling you in “Feature Number 5” that it provides “90% accurate results.”) Putting aside the question of that missing 10%, the poster is quite correct; but only assuming you provide the correct username and pw in that GIANT list I was talking about.

See? All very simple, right? No wonder the tool is called “Blazy” as in blazing fast—that is, if your idea of blazing fast is taking four years non-stop to brute force a log in page.

Let us know how it goes. Hopefully we all will be still around in four years.
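The reply above notes that whoever manages the site can see combos being tried against a single login page every second. As an added example (not part of the thread and not Blazy code), here is a sliding-window check a site operator could run over web access logs to flag that pattern. It assumes combined-format logs, a login endpoint at /login and failed logins answered with HTTP 401; the log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined log format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def find_bruteforce(lines, login_path="/login", threshold=5, window_s=60):
    """Return {ip: time the threshold was first reached} for failed-login bursts."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    flagged = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of crashing
        if m["method"] != "POST" or m["path"].split("?")[0] != login_path:
            continue
        if m["status"] != "401":  # assumption: failed logins return 401
            continue
        ts = datetime.strptime(m["ts"], TS_FMT)
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and m["ip"] not in flagged:
            flagged[m["ip"]] = ts
    return flagged

def sample_log():
    """Constructed lines: one client failing every second, one user mistyping twice."""
    base = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    rows = [("203.0.113.10", s, 401) for s in range(8)]
    rows += [("198.51.100.7", 0, 401), ("198.51.100.7", 180, 401),
             ("198.51.100.7", 200, 200)]
    rows.sort(key=lambda r: r[1])  # logs arrive in time order
    line = '{} - - [{}] "POST /login HTTP/1.1" {} 512'
    return [line.format(ip, (base + timedelta(seconds=s)).strftime(TS_FMT), st)
            for ip, s, st in rows]

if __name__ == "__main__":
    for ip, when in find_bruteforce(sample_log()).items():
        print(f"{ip} reached the failure threshold at {when.isoformat()}")
```

A per-IP counter like this misses attempts spread across many source addresses, so it is usually paired with per-account lockout or rate limiting.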

That’s a 3-year-old tool…

@cetipabo: Good point. That is what I was saying. Brute forcing does not work these days.