Roptcher is a multi-threaded, visually styled brute-forcing utility designed to test login endpoints that use a 2-step login flow (like username → password on separate pages). It is ideal for educational, auditing, or red teaming use cases. It does not use proxies, so VPN or multihop usage is strongly advised.
- Multi-threaded brute forcing (
--threadssupport) - Keyboard controls: pause/resume with
CTRL+P, quit instantly withCTRL+C - Styled console output (with emoji fallback)
- Custom wordlist support
- Auto-handles CSRF/XSRF and AI tokens
- Logs successful credentials to
hits.txt - Saves last server response to
last_response.htmlfor debugging
Ensure Python 3.x is installed. Roptcher auto-installs dependencies:
requestsbeautifulsoup4coloramakeyboard
⚠️ On Windows,keyboardmay require admin privileges to function correctly.
python Roptcherv1.1.py <login_url> <username> <wordlist.txt> --threads 5python Roptcherv1.1.py https://accounts.example.com/accounts/v2/login YouKnowWho wordlist.txt --threads 5- Connects to the login page with the target username.
- Base64-encodes the username to generate the
ai_token. - Extracts
xsrf_tokenfrom cookies. - Sends a POST to
/accounts/v2/password?ai=<token>with the password. - Checks if the final redirect is
/accounts/welcomeor if login succeeded. - If success, logs to
hits.txt. If not, moves to next password.
- Use a VPN, proxy, or Tor to mask activity. This script does not use built-in proxy rotation.
- Enable multihop on VPN for added stealth.
- Respect terms of service and laws in your country. This tool is intended for testing only with permission.
hits.txt→ Stores any successful logins.last_response.html→ Stores the latest server response for inspection.
Built by @joshyboo25 with lots of thc and caffeine ☕ — have fun guys just be carful and please remember i am not responsible for your stupidity.
MIT License — free to use, modify, and distribute.