W3Brute – Automatic Web Application Brute Force Attack Tool

w3brute is an open source penetration testing tool that automates attacks directly against a website's login page. w3brute also supports carrying out brute force attacks on all websites.


  1. Scanner:

w3brute has a scanner feature that supports the brute force attack process. This is the list of available scanners:

  • automatic detection of the target authentication type
  • admin page scanner
  • SQL injection vulnerability scanner

  2. Attack Method:

w3brute can attack using various methods. This is the list of available attack methods:

  • SQL injection authentication bypass
  • mixed credentials (username + SQL injection queries)

  3. Support:

  • multiple targets
  • Google dorking
  • supported web interface types to attack:
    • web shell
    • HTTP 401 UNAUTHORIZED (Basic and Digest)
  • writing the brute force attack results to a file. Supported file formats:
    • CSV (default)
    • HTML
    • SQLITE3
  • custom credentials (username, password, domain) (zip files supported)
  • custom HTTP requests (User-Agent, timeout, etc.)
  • and much more…

You can download the latest version as a tarball here or as a zipball here. If you have git installed, you can clone the Git repository as shown below:

git clone

w3brute can be run with Python version 2.6.x or 2.7.x on all platforms.

To get a list of all options for the w3brute tool:

python -h


# basic usage
$ python -t
# look for the admin page
$ python -t --admin
# uses a password file zip list. (syntax => <path><;filename>[:password])
$ python -t --admin -u admin -p /path/to/;filename.txt # (if the file is encrypted: /path/to/;filename.txt:password)
# slice the password from the list. (syntax => <start>[:stop][:step])
$ python -t --admin -u admin -sP 20000
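
From the defending side, the admin page scanner and the credential-guessing runs described above appear in web server access logs as bursts of 404s on admin-like paths and bursts of login submissions or 401 responses from one source. The following Python detector is an added example, not part of w3brute or the original post; the combined log format, the path hints, the thresholds and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: Apache/nginx "combined" access-log format.
LINE_RE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+) [^"]*" (\d{3}) ')
# Assumption: path fragments that mark login/admin endpoints on this site.
LOGIN_HINT = re.compile(r'/(admin|administrator|login|signin)', re.I)

def max_in_window(times, window):
    """Largest number of events that fall inside any sliding window."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def detect(lines, window=timedelta(seconds=60), auth_limit=5, probe_limit=5):
    """Map each source IP to the guessing/scanning patterns it exceeded."""
    auth, probe = defaultdict(list), defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, ts, method, path, status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        if status == "401" or (method == "POST" and LOGIN_HINT.search(path)):
            auth[ip].append(when)    # Basic/Digest challenge or login form submit
        elif status == "404" and LOGIN_HINT.search(path):
            probe[ip].append(when)   # guessed admin path that does not exist
    findings = defaultdict(list)
    for ip, times in probe.items():
        if max_in_window(times, window) >= probe_limit:
            findings[ip].append("admin-path-scan")
    for ip, times in auth.items():
        if max_in_window(times, window) >= auth_limit:
            findings[ip].append("login-burst")
    return dict(findings)

def sample_log():
    """Constructed log lines (documentation IP ranges), not real traffic."""
    row = '{} - - [10/Mar/2024:12:00:{:02d} +0000] "{} {} HTTP/1.1" {} 512 "-" "-"'
    log = [row.format("203.0.113.7", i, "GET", f"/admin{i}/", 404) for i in range(8)]
    log += [row.format("203.0.113.7", 10 + i, "POST", "/admin/login.php", 200) for i in range(12)]
    log += [row.format("198.51.100.4", 30 + i, "GET", "/private/", 401) for i in range(6)]
    log += [row.format("192.0.2.10", 5, "POST", "/admin/login.php", 302)]
    return log

if __name__ == "__main__":
    for ip, reasons in detect(sample_log()).items():
        print(ip, reasons)
```

Sources that cross either threshold are candidates for rate limiting, lockout or blocking; the limits should be tuned against normal login traffic for the site.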



About the author

Mazen Elzanaty
