Skip to main content

A tool for asynchronously testing password login on several protocols

Project description

Aiobrute

Aiobrute is a tool for asynchronously testing password login on several protocols. It use the asyncio librairie instead of threads for testing password concurrently and efficiently.

DISCLAIMER: This software is for educational purposes only. This software should not be used for illegal activity.


The following modules are currently supported

* http  :  test login for http protocol
* ftp   :  test login for ftp protocol
* ssh   :  test login for ssh protocol
* mysql :  test login for mysql protocol

Some modules support multiple protocol

Module Protocol Description
http http-form Testing html form authentication
http basic-auth Testing http basic authentication
http wp-xmlrpc Testing wordpress xml-rpc authentication

Some wordlists are also included

Name Size Description
rockyou 59187 Shorter version of the popular rockyou wordlist
hotmail 8929 Some Passwords from an old hotmail leak
myspace 37120 Some Passwords from an old myspace leak
adobe 90 Some Passwords from an old adobe leak
mostused 200 Most commonly used passwords

Installation & Usage

  • Run aiobrute with docker

docker run -it --name aiobrute --rm blackice22/aiobrute <MODULE> <OPTIONS>
  • Install aiobrute with pip

pip install aiobrute

Output Examples

When no verbosity option are specified, a progress bar is displayed to the user with some statistics.

aiobrute http -t http://localhost:8080/wp-login.php -u admin -m POST -p http-form -c 302 -f USER:log PASS:pwd

    ░█████╗░██╗░█████╗░██████╗░██████╗░██╗░░░██╗████████╗███████╗
    ██╔══██╗██║██╔══██╗██╔══██╗██╔══██╗██║░░░██║╚══██╔══╝██╔════╝
    ███████║██║██║░░██║██████╦╝██████╔╝██║░░░██║░░░██║░░░█████╗░░
    ██╔══██║██║██║░░██║██╔══██╗██╔══██╗██║░░░██║░░░██║░░░██╔══╝░░
    ██║░░██║██║╚█████╔╝██████╦╝██║░░██║╚██████╔╝░░░██║░░░███████╗
    ╚═╝░░╚═╝╚═╝░╚════╝░╚═════╝░╚═╝░░╚═╝░╚═════╝░░░░╚═╝░░░╚══════╝

              https://github.com/jylanglois/aiobrute

                    version: [0.1.0 - alpha]

[-] Loading data from the 'rockyou' build in wordlist

Worker Type: http | Target: http://localhost:8080/wp-login.php | Workers: 15 | Wordlist Size: 59188

|█████████▏                              | ▅▃▁ 13455/59188 [23%] in 18s (730.3/s, eta: 1:03)

if verbosity options are specified, the status for each requests are printed in the console.

2022-04-15 11:16:20,925 - [HTTP] [INFO] - method: [POST] - status: [200] - target: http://localhost:8080/wp-login.php - username: admin - password: 1234567 - (6 of 59188) - [worker 6]
2022-04-15 11:16:20,926 - [HTTP] [INFO] - method: [POST] - status: [200] - target: http://localhost:8080/wp-login.php - username: admin - password: daniel - (10 of 59188) - [worker 10]
2022-04-15 11:16:20,927 - [HTTP] [INFO] - method: [POST] - status: [200] - target: http://localhost:8080/wp-login.php - username: admin - password: 123456789 - (3 of 59188) - [worker 3]
2022-04-15 11:16:20,928 - [HTTP] [INFO] - method: [POST] - status: [200] - target: http://localhost:8080/wp-login.php - username: admin - password: abc123 - (8 of 59188) - [worker 8]
2022-04-15 11:16:20,928 - [HTTP] [INFO] - method: [POST] - status: [200] - target: http://localhost:8080/wp-login.php - username: admin - password: 12345 - (2 of 59188) - [worker 2]
2022-04-15 11:16:20,929 - [HTTP] [INFO] - method: [POST] - status: [200] - target: http://localhost:8080/wp-login.php - username: admin - password: nicole - (9 of 59188) - [worker 9]
2022-04-15 11:16:20,929 - [HTTP] [INFO] - method: [POST] - status: [200] - target: http://localhost:8080/wp-login.php - username: admin - password: 123456 - (1 of 59188) - [worker 1]
2022-04-15 11:16:20,930 - [HTTP] [INFO] - method: [POST] - status: [200] - target: http://localhost:8080/wp-login.php - username: admin - password: iloveyou - (4 of 59188) - [worker 4]
2022-04-15 11:16:20,930 - [HTTP] [INFO] - method: [POST] - status: [200] - target: http://localhost:8080/wp-login.php - username: admin - password: 12345678 - (7 of 59188) - [worker 7]
2022-04-15 11:16:20,931 - [HTTP] [INFO] - method: [POST] - status: [200] - target: http://localhost:8080/wp-login.php - username: admin - password: princess - (5 of 59188) - [worker 5]

Usage Examples

HTTP modules examples

  • Test http html login form and validate the candidate if 302 status code is returned
aiobrute http -t http://localhost:8080/wp-login.php -u admin -m POST -p http-form -c 302 -f USER:log PASS:pwd
  • Test http html login with a csrf token and validate the candidate if 302 status code is returned
aiobrute http -t http://localhost:8080/admin/login/ -u root -m POST -p http-form -c 302 -f USER:user PASS:pwd CSRF:csrftoken
  • Test http login with basic authentication and validate the candidate if 401 status code is not returned
aiobrute http -t http://localhost:8080/ -u admin -m GET -p basic-auth -c ^401
  • Test wordpress xml-rpc login and validate the candidate if the faultCode string is not found in the response
aiobrute http -t http://localhost:8080/xmlrpc.php -u admin -m POST -p wp-xmlrpc -s '^faultCode'

Other modules examples

  • Test ssh login with 5 concurrent worker and using the mostused built-in wordlist
aiobrute ssh -u admin -t localhost -w 5 -l mostused

Contributing

Pull requests are welcome. For major changes, please open an issue first to discuss what you would like to change.

License

GNU GPLv3

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

aiobrute-0.1.0.tar.gz (459.9 kB view hashes)

Uploaded Source

Built Distribution

aiobrute-0.1.0-py3-none-any.whl (465.6 kB view hashes)

Uploaded Python 3

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page