Tartarus is a multi-threaded HTTP dictionary brute force tool written in Python with a GTK+ graphical user interface. It makes use of the powerful Mechanize library to automate the analysis of complex HTML pages for input points that can then be targeted with a custom brute-force attack.
Whilst a number of HTTP brute force tools exist, many of these target only HTTP BASIC authentication, or require a complex set of command line arguments to enter parameters for testing logins, utilising GET and POST requests.
Tartarus completely automates this process within an easy to use GUI, whilst still providing the user with enough flexibility to modify the parameters of the test – a key component of any manual penetration test.
Tartarus has been developed using the Linux operating system, specifically Ubuntu Linux, however, due to the cross-platform nature of Python and GTK+, it should run wherever these can be found. For installation on Ubuntu 12.04, the following packages are required:
On Windows, the Python interpreter is required, as well as the GTK+ runtime and the Mechanize library. These can be found at the following locations:
On Ubuntu execute the command:
On Windows, double click tartarus.py
Firstly, enter the URL to the target page containing the form to be tested in to the URL entry field and click Load. Tartarus will then fetch the page and retrieve all input forms. The appropriate form can then be selected from the Form drop down menu.
The GET or POST parameters corresponding to username and password should then be selected using the radio buttons in the Parameters table. Any other parameters submitted by the selected form will also be loaded. These values can be edited by double-clicking on the item within the table. The right-click context menu can be used to add and delete POST and GET parameters.
The usernames and passwords to be used for the test can then be entered via the appropriate entry fields. Either a single value or a new-line separated text file containing each entry can be input at this stage.
Success criteria is used to determine if a login attempt has been successful. This can be entered as a string, which is either found or not found on the page returned by the HTTP request. Python regular expressions (http://docs.python.org/2/library/re.html) can also be used to determine the success of the login attempt.
Once ready, click the Start button. Any username/password combinations that create responses matching the success criteria will then be displayed in the Username/Password table.
Please use the bug reporting tool on our Google Code page to submit any bugs or feature requests.