A number of great open source bruteforce tools exist. However, they cannot handle the nonce-based CSRF protection built into Rails and Django. This tool addresses that by first fetching the CSRF token from the login page and then sending the login POST request. It comes preconfigured for the Rails Devise and Django Admin interfaces and supports custom configuration for other variations. An option to set the maximum number of concurrent requests prevents overloading the target server.
The default Rails Devise and Django Admin login screens are supported out of the box through the -T flag. If some settings have been modified, or for applications with a similar setup, users can create a custom config file and pass it with the -c flag. See the template for a skeleton config to get started.
$ git clone git@github.com:foxjerem/node-bruteforce.git
$ cd node-bruteforce
$ chmod 755 run.js
$ npm install -g
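From the defender's side, the request pattern described above (a GET of the login page to obtain a fresh CSRF token, then a login POST, repeated for every guess) shows up in access logs. The following is an added example, not code from node-bruteforce; the log-entry shape, the `findLoginCycles` name, the threshold and window values, and the rule that a non-redirect response to a login POST means a failed login are assumptions.

```javascript
// Added example (not part of node-bruteforce). Log entries are constructed.
const LOGIN_PATHS = new Set(['/users/sign_in', '/admin/login/']); // Devise, Django Admin defaults

// Assumption: a successful login answers the POST with a 3xx redirect,
// so any other status on a login POST counts as a failed attempt.
const isFailedLogin = (e) =>
  e.method === 'POST' && LOGIN_PATHS.has(e.path) && !(e.status >= 300 && e.status < 400);

// Returns Map(ip -> failed GET-then-POST cycles inside the window) for
// clients at or above the threshold. The window is long because a capped
// request rate keeps each burst small.
function findLoginCycles(entries, { threshold = 5, windowMs = 10 * 60 * 1000 } = {}) {
  const state = new Map(); // ip -> { sawForm, failures: [timestamps] }
  const flagged = new Map();
  for (const e of [...entries].sort((a, b) => a.ts - b.ts)) {
    if (!LOGIN_PATHS.has(e.path)) continue;
    const s = state.get(e.ip) || { sawForm: false, failures: [] };
    state.set(e.ip, s);
    if (e.method === 'GET') {
      s.sawForm = true; // login page, and with it a fresh CSRF token, fetched
    } else if (s.sawForm && isFailedLogin(e)) {
      s.sawForm = false; // one full cycle: token fetch, then a failed POST
      s.failures = s.failures.filter((t) => e.ts - t <= windowMs);
      s.failures.push(e.ts);
      if (s.failures.length >= threshold) {
        flagged.set(e.ip, Math.max(flagged.get(e.ip) || 0, s.failures.length));
      }
    } else {
      s.sawForm = false; // anything else ends the cycle (e.g. a successful login)
    }
  }
  return flagged;
}

// Constructed sample: one client repeats the cycle six times, another
// mistypes a password once and then logs in.
const t0 = Date.parse('2024-01-01T00:00:00Z');
const sample = [];
for (let i = 0; i < 6; i++) {
  const ts = t0 + i * 30000;
  sample.push({ ip: '203.0.113.7', ts, method: 'GET', path: '/admin/login/', status: 200 });
  sample.push({ ip: '203.0.113.7', ts: ts + 500, method: 'POST', path: '/admin/login/', status: 200 });
}
sample.push(
  { ip: '198.51.100.20', ts: t0, method: 'GET', path: '/users/sign_in', status: 200 },
  { ip: '198.51.100.20', ts: t0 + 9000, method: 'POST', path: '/users/sign_in', status: 200 },
  { ip: '198.51.100.20', ts: t0 + 20000, method: 'POST', path: '/users/sign_in', status: 302 },
);
console.log([...findLoginCycles(sample)]);
```

A person who mistypes a password usually resubmits the re-rendered form without a new GET, so counting only full GET-then-POST cycles keeps ordinary retries out of the result.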
Source : https://github.com/ministryofjustice