
How to create password brute force wordlist generator tool in Golang?

While trying to penetrate a web application, we often find that passwords are the barrier to the sensitive information of a user or an organization, so we need to get past them somehow. There are mainly two approaches: either find a vulnerability in the web app's authorization or guess (brute force) the right password.

Make sure you have installed Golang and properly set up the environment variable. Check out the Golang installation tutorial here.

How to start writing a Golang program?

Let's use some mathematics that we learnt in high school. Recall permutations and combinations (P&C): we have a list of characters and must choose passwordLength of them in every possible way (each choice is a combination). Each combination can then be arranged in many unique orders (permutations).

With this approach in mind, a quick search turns up the itertools module, which makes our work easy.

1. Start by creating a file main.go and import the required Golang packages:

  • fmt - To print passwords.
  • strconv - To convert string types to int types.
  • strings - To manipulate UTF-8 encoded strings.
  • github.com/ernestosuarez/itertools - Permutations and combinations of the character list.

package main

import	(
	// To print passwords.
	"fmt"
	
	// string manipulation functions
	"strings"

	// convert string types to int types
	"strconv"


	// permutation and combination of charactersList
	"github.com/ernestosuarez/itertools"
)

2. Declare variables in Golang

Now, we can declare required variables in the main() function.

  • passwordLength - lengths of the generated passwords, comma separated.
  • characters - characters used to compose the passwords.

func main()  {


	// The password length
	passwordLength := "1,2,4"

	// character to compose the password
	characters := "abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()+-./"


}

3. String manipulation in Golang

Here, both variables need to be turned into slices (arrays).

  • passwordLengthList - passwordLength split at every ',' character.
  • charactersList - the characters string split into a list of single characters.

func main()  {


	// The password length
	passwordLength := "1,2,4"

	// character to compose the password
	characters := "abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()+-./"


	// Split comma separated password length into slice.
	passwordLengthList := strings.Split(passwordLength, ",")
	
	// Splits a string into a list of strings.
	charactersList := strings.Split(characters, "")


}

4. Create for loop in Golang

To generate passwords for all lengths in the array passwordLengthList, we need to use a for loop.

func main()  {


	// The password length
	passwordLength := "1,2,4"

	// character to compose the password
	characters := "abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()+-./"


	// Split comma separated password length into slice.
	passwordLengthList := strings.Split(passwordLength, ",")
	
	// Splits a string into a list of strings.
	charactersList := strings.Split(characters, "")


	// run permutations for every password length.
	for _, passLen := range passwordLengthList {
	

		// convert integer strings to int.
		passLenInt, err := strconv.Atoi(passLen)
		
		// If the conversion failed (err is not nil), panic.
		if err != nil {
			panic(err)
		}
		
	}
}

5. Permutation and Combination in Golang

itertools provides a function that takes a slice and a length and yields every permutation of that length, that is, all the different password strings that can be generated from the character list.

Take a look at this example use of itertools for reference.

func main()  {

	iterable := []string{"1", "2", "3", "4"}

	for v := range itertools.PermutationsStr(iterable, 3) {
		fmt.Println(v)
	}

}

6. Create brute force list generator in Golang

Let's put every piece together to get a working program.

package main

import	(
	// To print passwords.
	"fmt"
	
	// string manipulation functions
	"strings"

	// convert string types to int types
	"strconv"

	
	// permutation and combination of charactersList
	"github.com/ernestosuarez/itertools"
)


func main()  {


	// The password length
	passwordLength := "1,2,4"

	// character to compose the password
	characters := "abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()+-./"


	// Split comma separated password length into slice.
	passwordLengthList := strings.Split(passwordLength, ",")
	
	// Splits a string into a list of strings.
	charactersList := strings.Split(characters, "")


	// run permutations for every password length.
	for _, passLen := range passwordLengthList {
	

		// convert integer strings to int.
		passLenInt, err := strconv.Atoi(passLen)
		
		// If the conversion failed (err is not nil), panic.
		if err != nil {
			panic(err)
		}


		// Prints a list of permutations of the characters.
		for v := range itertools.PermutationsStr(charactersList, passLenInt) {
			
			// Prints a string by joining all elements of the list.
			fmt.Println(strings.Join(v, ""))

		}
		
	}
}
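
An added example (not from the original tutorial or the itertools project) that lets a defender size this wordlist and check whether a given password would be in it. It assumes itertools.PermutationsStr, like Python's itertools.permutations, never reuses a character position within one candidate; Sizes and Covered are hypothetical helper names.

```go
package main

import (
	"fmt"
	"math/big"
	"strings"
)

// Tutorial values. Assumption: PermutationsStr never repeats a position in a candidate.
const charset = "abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()+-./"
var lengths = []int{1, 2, 4}

// Sizes sums, over every length k, the permutation count n!/(n-k)! (entries
// the wordlist holds) and the full keyspace n^k (strings a policy allows).
func Sizes(n int, ks []int) (perm, full *big.Int) {
	perm, full = new(big.Int), new(big.Int)
	for _, k := range ks {
		p := big.NewInt(1)
		for i := 0; i < k; i++ {
			p.Mul(p, big.NewInt(int64(n-i)))
		}
		perm.Add(perm, p)
		full.Add(full, new(big.Int).Exp(big.NewInt(int64(n)), big.NewInt(int64(k)), nil))
	}
	return perm, full
}

// Covered reports whether pw is in that wordlist: charset only, no repeats, listed length.
func Covered(pw string, ks []int) bool {
	seen := map[rune]bool{}
	for _, r := range pw {
		if !strings.ContainsRune(charset, r) || seen[r] {
			return false
		}
		seen[r] = true
	}
	for _, k := range ks {
		if k == len(seen) {
			return true
		}
	}
	return false
}

func main() {
	perm, full := Sizes(len(charset), lengths)
	fmt.Println("wordlist entries:", perm, "of full keyspace:", full)
	fmt.Println(Covered("ab1!", lengths), Covered("aa", lengths)) // constructed samples
}
```

With the tutorial's 50 characters and lengths 1, 2 and 4, the list holds 5,529,700 entries out of 6,252,550 possible strings; under the stated assumption, passwords with a repeated character such as "aa" are never generated.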

Conclusion

In this tutorial we made a Golang program that generates a brute force wordlist from a specific set of characters and password lengths.



About the author:
Pradeep has expertise in Linux, Go, Nginx, Apache, CyberSecurity, AppSec and various other technical areas. He has contributed to numerous publications and websites, providing his readers with insightful and informative content.