Can you Brute-Force MailACCs with python using only smtplib?


Post by mitrek on Thu Mar 02, 2017 9:37 am

I understand the ethical issue behind this topic, but if this isn't the place to ask about this, where is it then? :roll:

I intend to elaborate, but my main question is: Can you brute-force an e-mail account password using only python and the standard smtplib?

There is a disturbing number of ready-to-use scripts and tutorials on the web about brute-forcing an email account with Python, but most of them are rather stupid, for two reasons:

    1- The mathematical issue: Most of those 'tutorials' or 'scripts' use random ASCII characters; in an eight-digit combination (which is the minimum allowed on standard mail servers these days) it would take a single Python process, which can produce thousands of entries per second, millions of years to cover it all. So the chance of you guessing it is pretty much zero.

    Even so, I can understand that people would still try these fully random scripts in the hope that it MAY work.
    My solution to that was to create a few functions: briefly, one that, after you input the target data (such as complete name, date of birth, relatives' names, anything you want, since it is under the *args parameter), returns a bunch of password material, and then another where I combine that with commonly used sentences/combinations (such as: 123, qwerty, password, 987, etc.). This highly increases the chance of a positive result when using this sort of script. But that's not enough, because of reason 2:

    2- The Gmail SMTP server, for instance, will block your IP after a few tries; this is the obvious answer to prevent a brute-force attack.

    Since there are SO MANY scripts and tutorials out there, I'm guessing that maybe there is a way to prevent it that I'm overlooking. Is there? How could I work around that? Any tips?

One way to solve this, for people who are stuck in the same spot as I am, is to output the possible passwords to a .txt file and use third-party software such as THC Hydra to try them.

P.S.: I honestly don't intend to do any harm with this, I just want to know if I can, I guess that this is much of what this website is about.

Re: Can you Brute-Force MailACCs with python using only smtplib?

Post by 000000ffffff on Fri Apr 14, 2017 7:14 pm

I don't have a definitive answer for you, but from a software-engineering perspective I'm going to say probably not. I say probably because, as a dynamically-typed interpreted language, Python is going to be much slower at most things as opposed to C or C++. Even worse, the bottleneck in most systems is actually the network, not the language, and that's exactly what you alluded to in your post. The protocol isn't meant to be quick, and providers have a vested interest in synthetically slowing down the process, because client-side users who care about server loads and speed are usually either DDoSing or brute-forcing.

A slow language plus a slow network is a no-go, but like I said, I'm not sure it's not possible; it's not really my area of expertise. I'm curious to hear what other people have to say about it.
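As an added example (not part of either post): a sketch of the server-side behaviour both posts refer to, the IP block after a few failed tries and the deliberate slowing of replies. The log format, the thresholds and the names `AuthThrottle` and `replay` are assumptions made for illustration, not any provider's actual policy.

```python
import re
from collections import defaultdict, deque
# Constructed log lines in a made-up format (not from any real mail server).
SAMPLE_LOG = """\
1000 auth-fail ip=203.0.113.7 user=alice
1002 auth-fail ip=203.0.113.7 user=alice
1003 auth-fail ip=198.51.100.9 user=bob
1004 auth-fail ip=203.0.113.7 user=alice
1005 auth-ok ip=198.51.100.9 user=bob
1006 auth-fail ip=203.0.113.7 user=alice
1700 auth-fail ip=203.0.113.7 user=alice
"""
LINE = re.compile(r"^(\d+) (auth-fail|auth-ok) ip=(\S+) user=(\S+)$")

class AuthThrottle:
    """Per-IP sliding-window limiter for failed logins (hypothetical policy values)."""
    def __init__(self, max_failures=3, window=60, block_for=600, base_delay=1.0):
        self.max_failures, self.window = max_failures, window
        self.block_for, self.base_delay = block_for, base_delay
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.blocked_until = {}              # ip -> time at which the block expires

    def is_blocked(self, ip, now):
        return self.blocked_until.get(ip, 0) > now

    def record_failure(self, ip, now):
        """Register a failure; return the delay (seconds) to impose on the reply."""
        recent = self.failures[ip]
        recent.append(now)
        while recent and recent[0] <= now - self.window:
            recent.popleft()                 # forget failures outside the window
        if len(recent) >= self.max_failures:
            self.blocked_until[ip] = now + self.block_for
        # Tarpit: each further failure inside the window doubles the delay.
        return self.base_delay * 2 ** (len(recent) - 1)

def replay(log, throttle):
    """Feed log lines through the throttle; return (ts, ip, action) decisions."""
    decisions = []
    for line in log.splitlines():
        m = LINE.match(line)
        ts, event, ip = int(m[1]), m[2], m[3]
        if throttle.is_blocked(ip, ts):
            decisions.append((ts, ip, "rejected-blocked"))
        elif event == "auth-fail":
            decisions.append((ts, ip, f"delay-{throttle.record_failure(ip, ts):g}s"))
        else:
            decisions.append((ts, ip, "accepted"))
    return decisions
```

With these assumed values the third failure inside 60 seconds blocks the address for ten minutes, while the second address, which fails once and then logs in, is unaffected.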
