关于BruteLoops
BruteLoops在线密码安全检测功能强大,与协议无关API,研究人员可以使用BruteLoops为了检查用户使用的密码是否安全,或码是否安全,或识别密码中的安全问题。
BruteLoops密码爆破猜解功能为身份验证接口提供,代码库提供模块化使用示例,演示如何使用BruteLoops实现密码安全分析。其功能齐全,并提供多个爆破模块,以下是其功能示例:
- http.accellion_ftp FTP HTTP接口登录加速模块
- http.basic_digest 通用HTTP验证基本摘要
- http.basic_ntlm 通用HTTP基本NTLM身份验证
- http.global_protectWeb全局保护接口
- http.mattermost Mattermost登录Web接口
- http.netwrix Netwrix登录Web接口
- http.okta Okta JSON API
- http.owa2010 OWA 2010Web接口
- http.owa2016 OWA 2016 Web接口
- smb.smb 针对单个SMB服务器执行任务
- testing.fake 模拟身份验证模块用于培训/测试
关键功能
- 协议无关
- SQLite支持
- 密码喷射和密码填充
- 计划任务的密码猜测
- 可配置细粒度,避免锁定事件
- 暂停和继续任务
- 多进程支持
- 日志记录
工具依赖
BruteLoops工具要求Python 3.7或更高版本Python环境,以及SQLAlchemy 1.3.0,后者可以通过pip项目提供的工具和工具requirements.txt来安装:
python3.7-mpipinstall-rrequirements.txt工具安装
大多数研究人员可以通过以下命令将项目源代码克隆到当地,并安装工具所需的依赖组件:
gitclonehttps://github.com/arch4ngel/bruteloopscdbruteloopspython3-mpipinstall-rrequirements.txt工具使用
使用此工具时,可按以下步骤拆分密码安全测试:
- 寻找需要测试的目标服务;
- 如果py【1】如果没有这个目标,需要建立回调;
- 搜索用户名、密码和凭证信息;
- 通过向py2输入认证数据构建数据库;
- 如相关,则列举或要求活动目录锁定策略智能配置安全测试过程;
- 密码安全测试134按目标锁定策略执行;
样品用于工具
(1) 通过example.py执行爆破猜解模块
命令:
archangel@deskjet:bruteloops_dev~>./example.pytest.sqlite3testing.fake--help输出:
usage:example.pydbfiletesting.fake[-h]--usernameUSERNAME--passwordPASSWORDFakeauthenticationmodulefortraining/testingoptionalarguments:-h,--helpshowthishelpmessageandexit--usernameUSERNAMErequired-str-Usernametocheckagainst--passwordPASSWORDrequired-str-Passwordtocheckagainst(2) 通过dbmanager.py创建输入数据库
命令:
archangel@deskjet:bruteloops_dev~>./dbmanager.py--help输出:
usage:dbmanager.py[-h]dbfile{dump-valid,dump-credentials,import-values,import-credentials,delete-values,delete-credentials}...ManageBruteLoopsinputdatabasespositionalarguments:dbfileDatabasefiletomanipulate{dump-valid,dump-credentials,import-values,import-credentials,delete-values,delete-credentials}SUBCOMMANDS:dump-validDumpvalidcredentialsfromthedatabasedump-credentialsDumpallcredentialvaluesfromthedatabaseimport-valuesImportvaluesintothetargetdatabaseimport-credentialsImportcredentialpairsintothetargetdatabasedelete-valuesDeletevaluesfromthetargetdatabasedelete-credentialsDeletecredentialpairsfromthetargetdatabaseoptionalarguments:-h,--helpshowthishelpmessageandexit(3) 通过example.py执行模拟爆破猜解模块
命令:
./example.pytest.sqlite3\--parallel-guess-count4--auth-threshold2\--auth-jitter-min1s--auth-jitter-max5s\--threshold-jitter-min10s--threshold-jitter-max20s\-lftest.log\testing.fake--usernameadministrator--passwordP@ssw0rd输出:
archangel@deskjet:bruteloops_dev~>./example.pytest.sqlite3-pgc4-at2-ajmin1s-ajmax5s-tjmin10s-tjmax20s-lftest.logtesting.fake--usernameadministrator--passwordP@ssw0rd2020-12-0815:22:50,077-example.py-GENERAL-Initializingattack2020-12-0815:22:50,078-BruteForcer-GENERAL-Initializing4process2020-12-0815:22:50,078-BruteForcer-GENERAL-Loggingattackconfigurationparameters2020-12-0815:22:50,078-BruteForcer-GENERAL-ConfigParameter--authentication_jitter:<Jitter(min="1s",max="5s")>2020-12-0815:22:50,078-BruteForcer-GENERAL-ConfigParameter--max_auth_jitter:<Jitter(min="10s",max="20s")>2020-12-0815:22:50,078-BruteForcer-GENERAL-ConfigParameter--max_auth_tries:22020-12-0815:22:50,078-BruteForcer-GENERAL-ConfigParameter--stop_on_valid:False2020-12-0815:22:50,078-BruteForcer-GENERAL-ConfigParameter--db_file:test.sqlite32020-12-0815:22:50,083-BruteForcer-GENERAL-Beginningattack:15:22:50EST(20/12/08)2020-12-0815:22:51,572-BruteForcer-INVALID-user1:pass12020-12-0815:22:53,544-BruteForcer-INVALID-admin:password2020-12-0815:22:54,597-BruteForcer-INVALID-user1:password2020-12-0815:22:55,025-BruteForcer-INVALID-admin:pass12020-12-0815:22:55,247-BruteForcer-INVALID-user2:pass12020-12-0815:22:56,307-BruteForcer-INVALID-user2:password2020-12-0815:22:59,025-BruteForcer-INVALID-administrator:pass12020-12-0815:22:59,680-BruteForcer-INVALID-administrator:password2020-12-0815:23:07,384-BruteForcer-INVALID-user1:welcome12020-12-0815:23:07,955-BruteForcer-INVALID-user1:P@ssw0rd2020-12-0815:23:08,775-BruteForcer-INVALID-administrator:welcome12020-12-0815:23:09,631-BruteForcer-VALID-administrator:P@ssw0rd2020-12-0815:23:12,057-BruteForcer-INVALID-user2:welcome12020-12-0815:23:12,299-BruteForcer-INVALID-admin:welcome12020-12-0815:23:12,309-BruteForcer-INVALID-user2:P@ssw0rd2020-12-0815:23:12,534-BruteForcer-INVALID-admin:P@ssw0rd2020-12-0815:23:12,748-BruteForcer-GENERAL-Attackfinished2020-12-0815:23:12,748-BruteForcer-GENERAL-Shuttingattackdown2020-12-0815:23:12,755-BruteForcer-GENERAL-Closing/joiningProcesses2020-12-0815:23:12,758-example.py-GENERAL-Attackcomplete项目地址
BruteLoops:【GitHub传送门】