PinPulse: High-Performance PIN Brute-Forcing with Python and asyncio
🇬🇧 PinPulse is a high-performance security tool designed to test HTTP-based PIN authentication mechanisms using the power of Python's asynchronous architecture.
One of the most common hurdles in security testing (Pentesting) is rate limiting and time constraints. Especially when testing PIN-based authentication mechanisms, traditional synchronous tools can be painfully slow. To bridge this gap, I developed PinPulse, a tool that leverages Python’s asynchronous capabilities (asyncio & aiohttp). | 🇹🇷 Türkçe
What is PinPulse?
PinPulse 🚀 is a high-performance, asynchronous command-line tool designed for conducting PIN brute-force attacks against HTTP endpoints. It allows you to send hundreds of requests per second, testing the resilience of target systems in a fraction of the time.
Unlike traditional tools that wait for each request’s response before sending the next, PinPulse opens multiple concurrent connections. This means 4 or 6-digit PINs can be fully audited in just seconds.
Why PinPulse?
- Asynchronous Architecture: Utilizes
aiohttpfor non-blocking network I/O, ensuring maximum throughput. - Smart Termination: All active tasks are immediately cancelled as soon as the correct PIN is identified, preventing unnecessary resource consumption.
- Flexible Filtering: Success is determined not just by HTTP status codes, but also by the absence of specific error strings (e.g., “Invalid code”) in the response body.
- Real-time Monitoring: Integrated with
tqdmto provide a live progress bar, request speed, and estimated time remaining.
Installation
via PyPI (Recommended)
1
pip install pinpulse
From Source
1
2
3
git clone [https://github.com/fr0stb1rd/PinPulse.git](https://github.com/fr0stb1rd/PinPulse.git)
cd PinPulse
pip install -r requirements.txt
How It Works
PinPulse uses an asynchronous Semaphore to manage the maximum number of simultaneous requests. This ensures peak performance without overwhelming local system resources or file descriptors.
flowchart TD
Start(["🚀 Start"]) --> Config["Read Parameters\n(URL, Digits, Threads)"]
Config --> Loop{PIN Pool Exhausted?}
Loop -- No --> AsyncReq["Async HTTP Request"]
AsyncReq --> Check{"Success?\n(Status & Text Check)"}
Check -- Yes --> Found["✅ PIN Found!"]
Check -- No --> Loop
Found --> Stop["🛑 Stop All Tasks"]
Loop -- Yes --> Fail["❌ PIN Not Found"]
Usage Examples
PinPulse is highly customizable. Here are a few common scenarios:
1. Standard 6-Digit OTP Test:
1
pinpulse -u "[https://api.target.com/v1/verify](https://api.target.com/v1/verify)" -d 6 -p "otp"
2. Bypassing WAFs with High Speed: Define a custom User-Agent and increase the concurrency to 100:
1
pinpulse -u "[https://site.com/login](https://site.com/login)" -a "Mozilla/5.0 (PentestBot)" -c 100
3. Advanced Response Filtering: Define success by a 302 (Redirect) status and the absence of the word “Invalid”:
1
pinpulse -u "[https://api.site.com/auth](https://api.site.com/auth)" -s 302 -t "Invalid PIN Entered"
Technical Breakdown
The tool performs a two-stage verification for every request:
- HTTP Status Code: Does the response status match the
--statusflag (default 200)? - Body Content: Is the error message provided via
--textmissing from the response body?
If both conditions are met, PinPulse flags the PIN as correct and terminates the process immediately.
This tool is developed for educational purposes and authorized security testing (Pentesting) only. Running this against systems without explicit permission is illegal. The developer assumes no liability for any misuse or damage caused by this program.
Source Code: fr0stb1rd/PinPulse
PyPI Package: pypi.org/project/pinpulse