
brutespray's Introduction

BruteSpray


Created by: Shane Young/@t1d3nio && Jacob Robles/@shellfail

Inspired by: Leon Johnson/@sho-luv

Description

Brutespray has been re-written in Golang, eliminating the requirement for additional tools. This enhanced version is more extensive and operates at a significantly faster pace than its Python counterpart. As of now, Brutespray accepts input from Nmap's GNMAP/XML output, newline-separated JSON files, Nexpose's XML Export feature, Nessus exports in .nessus format, and various lists. Its intended purpose is for educational and ethical hacking research only; do not use it for illegal activities.

Installation

Release Binaries

To Build:

go build -o brutespray main.go

Usage

If using Nmap, scan with -oA nmap_out. If using Nexpose, export the template XML Export.

If using Nessus, export your .nessus file.

Command: brutespray -h

Command: brutespray -f nmap.gnmap -u userlist -p passlist

Command: brutespray -f nmap.xml -u userlist -p passlist

Command: brutespray -H ssh://127.0.0.1:22 -u userlist -p passlist

Command: brutespray -H ssh://127.0.0.1 -C root:root

Examples

Using Custom Wordlists:

brutespray -f nmap.gnmap -u /usr/share/wordlist/user.txt -p /usr/share/wordlist/pass.txt -t 5

Brute-Forcing Specific Services:

brutespray -f nmap.gnmap -u admin -p password -s ftp,ssh,telnet -t 5

Specific Credentials:

brutespray -f nmap.gnmap -u admin -p password -t 5

Use Nmap XML Output

brutespray -f nmap.xml -u admin -p password -t 5

Use JSON Output

brutespray -f out.json -u admin -p password -t 5

Bruteforce a CIDR range

brutespray -H ssh://10.1.1.0/24:22 -t 1000

Print Found Services

brutespray -f nessus.nessus -P -q

Supported Services

  • ssh
  • ftp
  • telnet
  • mssql
  • postgresql
  • imap
  • pop3
  • smbnt
  • smtp
  • snmp
  • mysql
  • vmauthd
  • vnc
  • mongodb
  • nntp
  • asterisk
  • teamspeak
  • oracle
  • xmpp

Services in Beta

  • asterisk
  • nntp
  • oracle
  • xmpp

Feel free to open an issue if these work, or if you have any issues.

Services in Progress

  • rdp - the issue is no one has written a good library for NLA

Data Specs

{"host":"127.0.0.1","port":"3306","service":"mysql"}
{"host":"127.0.0.10","port":"3306","service":"mysql"}

If using Nexpose, export the template XML Export.

If using Nessus, export your .nessus file.

List example

ssh:127.0.0.1:22
ftp:127.0.0.1:21
...
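A pre-flight check for the two input formats shown above (newline-separated JSON and `service:host:port`), as an added example that is not code from the BruteSpray project. The names `validate_targets` and `scope_cidrs`, the IP-only host rule and the scope check are assumptions of this example; the sample input is constructed.

```python
import ipaddress
import json

# Service names copied from the "Supported Services" list on this page.
SUPPORTED = frozenset(
    "ssh ftp telnet mssql postgresql imap pop3 smbnt smtp snmp mysql vmauthd "
    "vnc mongodb nntp asterisk teamspeak oracle xmpp".split()
)


def parse_line(line):
    """Return (host, port, service) as raw strings from one input line.

    Accepts the JSON form {"host":..,"port":..,"service":..} and the list
    form service:host:port. Raises ValueError on anything else.
    """
    if line.startswith("{"):
        try:
            obj = json.loads(line)
        except json.JSONDecodeError as exc:
            raise ValueError("invalid JSON: %s" % exc.msg)
        missing = [k for k in ("host", "port", "service") if k not in obj]
        if missing:
            raise ValueError("missing key(s): %s" % ", ".join(missing))
        return str(obj["host"]), str(obj["port"]), str(obj["service"])
    parts = line.split(":")
    if len(parts) != 3:
        raise ValueError("expected service:host:port")
    service, host, port = parts
    return host, port, service


def check_entry(host, port, service, scope):
    """Normalise one entry or raise ValueError with the reason it is rejected."""
    service = service.strip().lower()
    if service not in SUPPORTED:
        raise ValueError("unsupported service %r" % service)
    try:
        # Assumption of this example: hosts must be literal IP addresses.
        addr = ipaddress.ip_address(host.strip())
    except ValueError:
        raise ValueError("host %r is not an IP address" % host)
    try:
        port_no = int(port)
    except ValueError:
        raise ValueError("port %r is not a number" % port)
    if not 1 <= port_no <= 65535:
        raise ValueError("port %d is not in 1-65535" % port_no)
    # Assumption: an empty scope list means "no scope restriction".
    if scope and not any(addr in net for net in scope):
        raise ValueError("%s is outside the authorised scope" % addr)
    return {"host": str(addr), "port": port_no, "service": service}


def validate_targets(text, scope_cidrs=()):
    """Split a target file into accepted entries and (line number, reason) rejects."""
    scope = [ipaddress.ip_network(c) for c in scope_cidrs]
    accepted, rejected = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line:
            continue
        try:
            accepted.append(check_entry(*parse_line(line), scope))
        except ValueError as exc:
            rejected.append((lineno, str(exc)))
    return accepted, rejected


# Constructed sample: the first four lines follow the examples on this page,
# the last four are deliberately bad entries.
SAMPLE = """\
{"host":"127.0.0.1","port":"3306","service":"mysql"}
{"host":"127.0.0.10","port":"3306","service":"mysql"}
ssh:127.0.0.1:22
ftp:127.0.0.1:21
{"host":"192.0.2.7","port":"22","service":"ssh"}
rdp:127.0.0.1:3389
ssh:127.0.0.1:70000
{"host":"127.0.0.1","port":"21"
"""

if __name__ == "__main__":
    ok, bad = validate_targets(SAMPLE, scope_cidrs=["127.0.0.0/8"])
    for entry in ok:
        print("accept", entry)
    for lineno, reason in bad:
        print("reject line %d: %s" % (lineno, reason))
```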

Combo wordlist example

user:pass
user1:pass1
user2:pass2
user3:pass
user4:pass1
...

Planned Features

  • Ability to set proxy
  • Ability to select interface
  • More modules
  • Better connection handling


brutespray's People

Contributors

belane, canyon289, coreb1t, dependabot[bot], dimonh, droberson, jrobles-r7, tbalz2319, x90skysn3k


brutespray's Issues

TypeError: execv() arg 2 must contain only strings + line wrapping issue?

I'm experiencing some strange line wrapping issues while using interactive mode (with an unmodified brutespray.py):

./brutespray.py --file tokyoneon.gnmap -i

Gnmap:

    > cat tokyoneon.gnmap 
# Nmap 7.70 scan initiated Thu Apr 12 2018 as: nmap -sVTU -p21,22,137,161 -oG tokyoneon.gnmap 192.168.1.103
Host: 192.168.1.103 ()	Status: Up
Host: 192.168.1.103 ()	Ports: 21/open/tcp//ftp//vsftpd 3.0.3/, 22/open/tcp//ssh//OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)/, 137/closed/tcp//netbios-ns///, 161/closed/tcp//snmp///, 21/closed/udp//ftp///, 22/closed/udp//ssh///, 137/open/udp//netbios-ns//Samba nmbd netbios-ns (workgroup: WORKGROUP)/, 161/open/udp//snmp//SNMPv1 server; net-snmp SNMPv3 server (public)/
# Nmap done at Thu Apr 12 2018 -- 1 IP address (1 host up) scanned in 0.60 seconds

debug1
debug2

Error:

Brute-Forcing...     
Process Process-1:
Traceback (most recent call last):
  File "/usr/lib/python2.7/multiprocessing/process.py", line 267, in _bootstrap
    self.run()
  File "/usr/lib/python2.7/multiprocessing/process.py", line 114, in run
    self._target(*self._args, **self._kwargs)
  File "./brutespray.py.orig", line 287, in brute
    p = subprocess.Popen(['medusa', '-H', fname, uarg, userlist, parg, passlist, '-M', service, '-t', args.threads, '-n', port, '-T', args.hosts, cont, aarg, auth], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, bufsize=-1)
  File "/usr/lib/python2.7/subprocess.py", line 394, in __init__
    errread, errwrite)
  File "/usr/lib/python2.7/subprocess.py", line 1047, in _execute_child
    raise child_exception
TypeError: execv() arg 2 must contain only strings

Adding debug & verbose mode

Hey @x90skysn3k ,

Would it be possible to add a verbose and debug flag to the tool? Essentially it would be passing the -w and -v flags to medusa, so when brutespray hangs I can see what is going on. Relates to #49

CRITICAL: Unknown rlogin.mod module state -1

Hello,

I get the error message below but I'm not sure what it really means. I use version 1.6.4 of brutespray. I know 1.6.6 is the newest so I checked the changelog and decided to post this anyway.

CRITICAL: Unknown rlogin.mod module state -1
ERROR: rlogin.mod failed: medusaReceive returned no data.

Thanks for such a great tool!

Show port number with successful brute force

It would be better if brutespray also showed the port number with the IP address. When there are two instances of ssh on a server it simply shows the success msg with credits but doesn't mention which instance, so if it is possible to show the port number it would be great.

tmp and output dirs

Hi Shane,

I'm working on packaging your script for debian/ubuntu and of course kali. The package is done but your script does some things which will lead to unexpected results (e.g. it will basically perform the equivalent of rm tmp/* on each startup, which is something quite unexpected). As it should be installed in /usr/bin/brutespray, it is not possible to do so. Moreover, if 2 different users are using your script at the same time, it is going to remove tmp/* which is not what we want.
Instead, you should import tempfile and create a dynamic tmp dir, for example:

    try:
        tmppath = tempfile.mkdtemp(prefix="brutespray-tmp")
    except:
        print "\nError while creating brutespray temp directory."

(see https://docs.python.org/2/library/tempfile.html)

Could you also update your shebang with : "/usr/bin/python" instead of "/usr/bin/env python2" ?

Another point is your output directory. This path should be an argument.
If you want me to, I can provide a merge-request to your script, let me know.

Thank you,
Regards.

RDP

Please, add a "rdp" method for bruteforce :D

rdp

Can you add an rdp method?

Add version 1.6.8

Hi,
By adding the new CHANGELOG.md file, you made two releases of the same version (implicitly hiding the old one) which is causing me problems with building the new debian package (I won't bother you with the details, but it's about generating the deltas on the pristine-tar git branch) so can I ask you to release a new 1.6.8 version so I can fix those problems?
Thank you for your help.

requirements.txt empty

The README.md lists that requirements.txt should be installed using pip -r install requirements.txt. But this file is empty.
Can that instruction be removed from the readme?

support for cred list and custom interface

Hello,
Could you please add support for credential combination list as input?
[username:passphrase] (first : will be separator because : is mostly not allowed in username but maybe used in passphrase)

And option to specify custom network interface to use for the process
Thank you.

error in selecting services

Command used:- python brutespray.py --file ~/recon//nmap/jio.gnmap -i --service ssh

Welcome to interactive mode!

WARNING: Leaving an option blank will leave it empty and refer to default

Available services to brute-force:
Service: ssh on port 22 with 2 hosts
Service: postgres on port 5432 with 3 hosts

Enter services you want to brute - default all (ssh,ftp,etc): ssh
Traceback (most recent call last):
  File "brutespray.py", line 424, in <module>
    interactive()
  File "brutespray.py", line 90, in interactive
    args.service = input('\n' + colors.lightblue + 'Enter services you want to brute - default all (ssh,ftp,etc): ' + colors.red)
  File "<string>", line 1, in <module>
NameError: name 'ssh' is not defined

System type: ubuntu 18
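The NameError in this report is what Python 2's `input()` produces: it evaluates the typed text as an expression instead of returning it as a string. The following added example (not the project's code; `py2_input_semantics` and `parse_services` are hypothetical names) reproduces that behaviour under Python 3 and shows an allow-list parser that treats the answer as plain text.

```python
import re

# Conservative shape for a service name; an assumption of this example.
NAME = re.compile(r"[a-z0-9_-]+\Z")


def py2_input_semantics(typed):
    """Mimic Python 2, where input(prompt) was eval(raw_input(prompt)).

    Builtins are emptied so the demonstration stays inert; real Python 2
    evaluated the text in the caller's namespace with full builtins.
    """
    return eval(typed, {"__builtins__": {}}, {})


def parse_services(typed, available):
    """Parse a comma-separated answer against the services found in the scan.

    A blank answer selects every available service (the prompt's "default
    all"). Unknown or oddly shaped names raise ValueError instead of being
    passed on.
    """
    available_set = {s.lower() for s in available}
    if not typed.strip():
        return sorted(available_set)
    chosen = []
    for item in typed.split(","):
        name = item.strip().lower()
        if not name:
            continue
        if not NAME.match(name):
            raise ValueError("invalid service name %r" % name)
        if name not in available_set:
            raise ValueError("service %r was not found in the scan" % name)
        if name not in chosen:
            chosen.append(name)
    if not chosen:
        raise ValueError("no service names given")
    return chosen


def demo():
    """Run both readers on the answer typed in the session above."""
    available = ["ssh", "postgres"]  # the two services listed in that session
    results = {}
    try:
        py2_input_semantics("ssh")
    except NameError as exc:
        results["py2_name"] = "NameError: %s" % exc
    # The typed text is executed as code: arithmetic gets evaluated.
    results["py2_expr"] = py2_input_semantics("20 + 2")
    results["safe"] = parse_services("ssh", available)
    results["safe_default"] = parse_services("", available)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

In Python 2 the direct fix is `raw_input()`; in Python 3 `input()` already returns a string, so the allow-list check is what remains.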

Format failed!

Loading File: \File is not correct format!
Format failed!

< ?xml version="1.0"?>

< !-- masscan v1.0 scan -->

< nmaprun scanner="masscan" start="1683087197" version="1.0-BETA" xmloutputversion="1.03">

< scaninfo type="syn" protocol="tcp" />

< host endtime="1683087197">

< state state="open" reason="syn-ack" reason_ttl="59"/>
< runstats>

< finished time="1683090418" timestr="2023-05-03 07:06:58" elapsed="3221" />

< hosts up="2193580" down="0" total="2193580" />

< /runstats>

< /nmaprun>

solve: nmap -Pn -sS -p3389 -iL mylist.txt -oX nmap.xml

Requirements for stock kali

I'm trying to run this on the latest stock kali linux vm provided by offensive security, is there anything I should do before running the script? When I try to run it it just exits. Below is what I see in the terminal.

root@kali:~/brutespray# python brutespray.py --file nmap.xml --threads 5 --hosts 5


brutespray.py v1.5
Created by: Shane Young/@x90skysn3k && Jacob Robles/@shellfail
Inspired by: Leon Johnson/@sho-luv
Credit to Medusa: JoMo-Kun / Foofus Networks [email protected]

Starting to brute, please make sure to use the right amount of threads(-t) and parallel hosts(-T)... \

Brute-Forcing...

root@kali:~/brutespray#

Nmap output f*cks up..

Looks like my nmap output is going wrong.. could you give the right example cmd for nmap with all (brutespray) supported services? I'm probably messing it up 😀 Thanks for the nice work!

brutespray erroring out

I noticed the below err when I tried running the script on my Mac. I tried both with ~/ and calling the file explicitly. I still get the same error. This is the system I am running on: Darwin HQSML-1689616 19.6.0 Darwin Kernel Version 19.6.0: Thu Jun 18 20:49:00 PDT 2020; root:xnu-6153.141.1~1/RELEASE_X86_64 x86_64

 python3 /opt/brutespray/brutespray.py --file YJ-2020Q3-nmap_portknock-2020.10.07-17.15.47.gnmap -U ~/path/to/file/usernames.list -P ~/path/to/file/passwords.list --threads 10 --hosts 10 -c --output ../l00tz

 brutespray.py v1.6.8
 Created by: Shane Young/@x90skysn3k && Jacob Robles/@shellfail
 Inspired by: Leon Johnson/@sho-luv
 Credit to Medusa: JoMo-Kun / Foofus Networks <[email protected]>

Starting to brute, please make sure to use the right amount of threads(-t) and parallel hosts(-T)...
Output will be written to the folder: ./../l00tz/ \

Brute-Forcing...
Process Process-1:
Traceback (most recent call last):
  File "/usr/local/Cellar/[email protected]/3.8.5/Frameworks/Python.framework/Versions/3.8/lib/python3.8/multiprocessing/process.py", line 315, in _bootstrap
    self.run()
  File "/usr/local/Cellar/[email protected]/3.8.5/Frameworks/Python.framework/Versions/3.8/lib/python3.8/multiprocessing/process.py", line 108, in run
    self._target(*self._args, **self._kwargs)
  File "/opt/brutespray/brutespray.py", line 245, in brute
    if args.userlist is None and args.username is None:
NameError: name 'args' is not defined
Process Process-2:
Traceback (most recent call last):
  File "/usr/local/Cellar/[email protected]/3.8.5/Frameworks/Python.framework/Versions/3.8/lib/python3.8/multiprocessing/process.py", line 315, in _bootstrap
    self.run()
  File "/usr/local/Cellar/[email protected]/3.8.5/Frameworks/Python.framework/Versions/3.8/lib/python3.8/multiprocessing/process.py", line 108, in run
    self._target(*self._args, **self._kwargs)
  File "/opt/brutespray/brutespray.py", line 245, in brute
    if args.userlist is None and args.username is None:
NameError: name 'args' is not defined

can't running tools

"command medusa not found. Please install medusa before using brutespray" How should I install it and where do I put it?

Failed to open ...

It seems like Brutespray tries to open /usr/share/brutespray/wordlist/[service]/user.
But the wordlists are all in ~/brutespray/wordlist/[service]/ , not in /usr/share/brutespray/wordlist/[service]/user.

my command was : ./brutespray.py -t 10 --file test.xml

Here is the err msg:

Brute-Forcing...
FATAL: Failed to open file /usr/share/brutespray/wordlist/ssh/user - No such file or directory
FATAL: Failed to open file /usr/share/brutespray/wordlist/smtp/user - No such file or directory
FATAL: Failed to open file /usr/share/brutespray/wordlist/mysql/user - No such file or directory
FATAL: Failed to open file /usr/share/brutespray/wordlist/smbnt/user - No such file or directory
FATAL: Failed to open file /usr/share/brutespray/wordlist/telnet/user - No such file or directory
FATAL: Failed to open file /usr/share/brutespray/wordlist/rlogin/user - No such file or directory
FATAL: Failed to open file /usr/share/brutespray/wordlist/postgres/user - No such file or directory
FATAL: Failed to open file /usr/share/brutespray/wordlist/rexec/user - No such file or directory
FATAL: Failed to open file /usr/share/brutespray/wordlist/ftp/user - No such file or directory
FATAL: Failed to open file /usr/share/brutespray/wordlist/vnc/user - No such file or directory

Parallelism is not present anymore

Hi,

Thank you for sharing the tool. Some notes on the new release:

  1. The -T option that was bringing parallel enumeration does not exist anymore, which makes the tool significantly slower.
  2. The output option also does not exist in the new release; it was helpful for automation, and finally
  3. One general recommendation for improvement: better error handling when requests are throttled or the service does not accept further attempts (e.g. vnc service already blocking connections due to max amount of failed attempts).

Regards,
Nicolas

"Error loading file, please check your filename."

Getting the error message "Error loading file, please check your filename."

Command I'm using - python3 brutespray.py --file results.xml --service telnet --threads 100 --hosts 100

Also tried results.gnmap , same error.

include port number in output

It is great that you save the (Medusa) success in an output file. However, if the service was on a non-standard port, that is not shown/represented in that output file. It would be amazing if you could modify the output to include the port as well.

Stop On Success

Add option to stop after success.
Medusa has two options for this. We could probably wrap both options.

Brutespray hanging

Hello,

I have had this issue I noticed with brutespray where it hangs and does not close. Like it has been hanging on the output below for almost 24 hours. I tried killing it and restarting it and it seems to hang around the same point. Unfortunately I can not share the original gnmap file but I can say the file is 46MB. Would it be possible to add a max-time per host kinda like nmap or a max time to the entire program. So if it starts to hang the program can force-restart itself and resume where it left off.

NOTICE: [ssh] Host: 127.0.0.1 - Login thread (7) prematurely ended. The current number of parallel login threads may exceed what this service can reasonably handle. The total number of threads for this host will be decreased.
NOTICE: [ssh] Host: 127.0.0.1 User: REDACTED Password: Br0ken!! - The noted credentials have been added to the end of the queue for testing.
ERROR: ssh.mod: Failed establishing SSH session. The following credentials have been added to the missed queue for later testing: Host: 127.0.0.1 User: REDACTED Pass: REDACTED
ERROR: ssh.mod: Failed establishing SSH session (3/4): Host: 127.0.0.1 User: REDACTED Pass: REDACTED
ERROR: ssh.mod: Failed establishing SSH session (3/4): Host: 127.0.0.1 User: REDACTED Pass: REDACTED
ERROR: ssh.mod: Failed establishing SSH session (4/4): Host: 127.0.0.1 User: REDACTED Pass: REDACTED
NOTICE: [ssh] Host: 127.0.0.1 - Login thread (4) prematurely ended. The current number of parallel login threads may exceed what this service can reasonably handle. The total number of threads for this host will be decreased.
NOTICE: [ssh] Host: 127.0.0.1 User: REDACTED Password: REDACTED - The noted credentials have been added to the end of the queue for testing.
ERROR: ssh.mod: Failed establishing SSH session. The following credentials have been added to the missed queue for later testing: Host: 127.0.0.1 User: REDACTED Pass: REDACTED
ERROR: ssh.mod: Failed establishing SSH session (4/4): Host: 127.0.0.1 User: REDACTED Pass: REDACTED
NOTICE: [ssh] Host: 127.0.0.1 - Login thread (1) prematurely ended. The current number of parallel login threads may exceed what this service can reasonably handle. The total number of threads for this host will be decreased.
NOTICE: [ssh] Host: 127.0.0.1 User: REDACTED Password: REDACTED - The noted credentials have been added to the end of the queue for testing.
ERROR: ssh.mod: Failed establishing SSH session. The following credentials have been added to the missed queue for later testing: Host: 127.0.0.1 User: REDACTED Pass: REDACTED

Here is the error dump I got when I kill it

^CError in atexit._run_exitfuncs:
Traceback (most recent call last):
  File "/usr/lib/python3.8/multiprocessing/popen_fork.py", line 27, in poll
    pid, sts = os.waitpid(self.pid, flag)
KeyboardInterrupt
Process Process-1:
Traceback (most recent call last):
  File "/usr/lib/python3.8/multiprocessing/process.py", line 315, in _bootstrap
    self.run()
  File "/usr/lib/python3.8/multiprocessing/process.py", line 108, in run
    self._target(*self._args, **self._kwargs)
  File "/usr/bin/brutespray", line 286, in brute
    for line in iter(p.stdout.readline, b''):
KeyboardInterrupt

program waiting longtime , some errors username

root@kali:~/src/nmap/brutespray/brutespray-output# more telnet-success.txt
[+] ACCOUNT FOUND: [telnet] Host: x.29.139.93 User: [E2][80][93] Password: 0P3N [SUCCESS]
[+] ACCOUNT FOUND: [telnet] Host: x.29.139.93 User: [E2][80][93] Password: 1064 [SUCCESS]
[+] ACCOUNT FOUND: [telnet] Host: x.29.139.93 User: [E2][80][93] Password: 10023 [SUCCESS]
[+] ACCOUNT FOUND: [telnet] Host: x.29.139.93 User: [E2][80][93] Password: 0 [SUCCESS]
[+] ACCOUNT FOUND: [telnet] Host: x.29.139.93 User: [E2][80][93] Password: 1111 [SUCCESS]

nessus scan not working

brutespray --file Host_discovery_FULL_mhifsw.nessus --threads 5 --threads 5 --hosts 5

run but problem error

No brutable services found.
 Please check your Nmap file.

brutespray not parsing properly

Hello,

I ran brutespray against a target and it only scanned the ssh port even though the file had both ssh and ftp. The command I ran was identical to this one #44, only I ran it on my ubuntu server

No such file or directory: error

Hey guys, can you write in some way to gracefully deal with "No such file" errors when users (shamefully) point to a file that no longer exists?

 brutespray.py v1.6.0
 Created by: Shane Young/@x90skysn3k && Jacob Robles/@shellfail
 Inspired by: Leon Johnson/@sho-luv
 Credit to Medusa: JoMo-Kun / Foofus Networks <[email protected]>

Traceback (most recent call last):
  File "/usr/bin/brutespray", line 365, in <module>
	make_dic_gnmap()
  File "/usr/bin/brutespray", line 134, in make_dic_gnmap
	with open(args.file, 'r') as nmap_file:
IOError: [Errno 2] No such file or directory: '/root/Desktop/brutespray.xml'
Loading File: |^C

The Brutespray terminal freezes and pressing Ctrl + c doesn't work. I had to forcefully kill the PID.

Tag missing

Could you please tag your master branch ?
-> git tag brutespay-1.5

I need these tags to build clean debian packages...
Thank you

False Positive Telnet Results

Hi I have been testing it against a bunch of HP printers with telnet services.

I have got the following results which I was not able to verify:

# cat telnet-success.txt 
[+] ACCOUNT FOUND: [telnet] Host: xxx User: [E2][80][93] Password: 0 [SUCCESS]
[+] ACCOUNT FOUND: [telnet] Host: xxx User: [E2][80][93] Password: 0 [SUCCESS]
[+] ACCOUNT FOUND: [telnet] Host: xxx User: [E2][80][93] Password: 0P3N [SUCCESS]
[+] ACCOUNT FOUND: [telnet] Host: xxx User: [E2][80][93] Password: 0P3N [SUCCESS]
....

After digging up a bit E2 80 93 is the hex characters in UTF-8 encoding for dash "-".
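A triage helper for success files like the two telnet reports on this page, as an added example (not part of the project or of either report). It turns the bracketed-hex username back into characters and flags accounts for which several different passwords were "accepted"; `triage` and the other function names are hypothetical, the flagging rules are heuristics assumed here, and the last sample line is constructed.

```python
import re
import unicodedata
from collections import defaultdict

# Shape of the success lines quoted in the reports on this page.
SUCCESS = re.compile(
    r"ACCOUNT FOUND: \[(?P<svc>[^\]]+)\] Host: (?P<host>\S+) "
    r"User: (?P<user>.*?) Password: (?P<pw>.*?) \[SUCCESS\]"
)
_HEX = re.compile(rb"\[([0-9A-Fa-f]{2})\]")


def decode_bracket_hex(field):
    """Turn '[E2][80][93]' style byte escapes back into raw bytes.

    Caveat: a username that literally contains '[AB]' would be decoded too.
    """
    raw = field.encode("ascii", "replace")
    return _HEX.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def describe(text):
    """Name every non-ASCII character, e.g. 'U+2013 EN DASH'."""
    return [
        "U+%04X %s" % (ord(c), unicodedata.name(c, "UNNAMED"))
        for c in text
        if not c.isascii()
    ]


def triage(lines):
    """Group successes per (service, host, user) and flag doubtful ones."""
    passwords = defaultdict(set)
    for line in lines:
        m = SUCCESS.search(line)
        if m:
            passwords[(m["svc"], m["host"], m["user"])].add(m["pw"])
    report = []
    for (svc, host, user), pws in passwords.items():
        text = decode_bracket_hex(user).decode("utf-8", errors="replace")
        reasons = []
        # Heuristic 1: a real account has one password, not several.
        if len(pws) > 1:
            reasons.append("%d different passwords accepted" % len(pws))
        # Heuristic 2: a username made only of punctuation or symbols
        # usually comes from a damaged wordlist entry.
        if not any(c.isascii() and c.isalnum() for c in text):
            reasons.append("username has no ASCII letters or digits")
        report.append({
            "service": svc,
            "host": host,
            "username": text,
            "codepoints": describe(text),
            "distinct_passwords": len(pws),
            "reasons": reasons,
        })
    return report


SAMPLE = [
    # Lines quoted in the report above.
    "[+] ACCOUNT FOUND: [telnet] Host: xxx User: [E2][80][93] Password: 0 [SUCCESS]",
    "[+] ACCOUNT FOUND: [telnet] Host: xxx User: [E2][80][93] Password: 0 [SUCCESS]",
    "[+] ACCOUNT FOUND: [telnet] Host: xxx User: [E2][80][93] Password: 0P3N [SUCCESS]",
    "[+] ACCOUNT FOUND: [telnet] Host: xxx User: [E2][80][93] Password: 0P3N [SUCCESS]",
    # Constructed control line with an ordinary username.
    "[+] ACCOUNT FOUND: [ssh] Host: 192.0.2.10 User: svc-backup Password: example [SUCCESS]",
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

The bytes E2 80 93 decode to U+2013 EN DASH, which differs from the ASCII hyphen-minus (0x2D) and typically enters a wordlist through copy and paste from formatted text.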

no module named readline

I have a problem when I type (python brutespray.py)
and it displays (
Traceback (most recent call last):
  File "brutespray.py", line 4, in <module>
    import readline, glob
ImportError: No module named readline )

No output; stopped working

v1.6.0, found in Kali, stopped working, so I tried cloning the git. But that didn't help. I'm not sure if this is a bug or maybe I'm misunderstanding the usage.

    > ./brutespray.py --file '/root/Desktop/brutespray.xml' --username user --passlist '/root/Desktop/passwords.list' --output brutespray_cracked.txt --service smtp

 brutespray.py v1.6.1
 Created by: Shane Young/@x90skysn3k && Jacob Robles/@shellfail
 Inspired by: Leon Johnson/@sho-luv
 Credit to Medusa: JoMo-Kun / Foofus Networks <[email protected]>

Starting to brute, please make sure to use the right amount of threads(-t) and parallel hosts(-T)...  
Output will be written to the folder: ./brutespray_cracked.txt/ \

Brute-Forcing...     
Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <[email protected]>

Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <[email protected]>

Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <[email protected]>

That's it, brutespray just quits with no warnings or errors. This happens with or without the --service and --output args. Brutespray worked fine with SSH until I tried SMTP and VNC.

I thought maybe it was my Nmap outputs but here's what I'm working with:

> nmap --top-ports 1000 -oG /root/Desktop/brutespray.gnmap 192.168.1.103

Read the file:

> cat /root/Desktop/brutespray.gnmap
# Nmap 7.60 scan initiated Mon Apr  9  2018 as: nmap --top-ports 1000 -oG /root/Desktop/brutespray.gnmap 192.168.1.103
Host: 192.168.1.103 ()	Status: Up
Host: 192.168.1.103 ()	Ports: 25/open/tcp//smtp///, 5901/open/tcp//vnc-1///, 6001/open/tcp//X11:1///	Ignored State: closed (997)
# Nmap done at Mon Apr  9  2018 -- 1 IP address (1 host up) scanned in 0.14 seconds

Nmap output:

Not shown: 997 closed ports
Reason: 997 resets
PORT     STATE SERVICE REASON         VERSION
25/tcp   open  smtp    syn-ack ttl 64 Postfix smtpd
5901/tcp open  vnc     syn-ack ttl 64 VNC (protocol 3.8)
6001/tcp open  X11     syn-ack ttl 64 (access denied)
MAC Address: XX:XX:XX:XX:XX:XX (Unknown)
Service Info: Host:  unknown

The installation seemed to go over well:

  `/ tokyoneon ~/Desktop/brutespray
    > pip install -r requirements.txt
Collecting argcomplete==1.8.1 (from -r requirements.txt (line 1))
  Using cached argcomplete-1.8.1-py2.py3-none-any.whl
Collecting pyscreenshot==0.4.2 (from -r requirements.txt (line 2))
  Using cached pyscreenshot-0.4.2.tar.gz
Collecting pytesseract==0.1.7 (from -r requirements.txt (line 3))
  Using cached pytesseract-0.1.7.tar.gz
Collecting lxml==3.8.0 (from -r requirements.txt (line 4))
  Using cached lxml-3.8.0-cp27-cp27mu-manylinux1_x86_64.whl
Collecting requests==2.12.4 (from -r requirements.txt (line 5))
  Downloading requests-2.12.4-py2.py3-none-any.whl (576kB)
    100% |████████████████████████████████| 583kB 311kB/s 
Collecting Pillow==4.2.1 (from -r requirements.txt (line 6))
  Downloading Pillow-4.2.1-cp27-cp27mu-manylinux1_x86_64.whl (5.8MB)
    100% |████████████████████████████████| 5.8MB 172kB/s 
Requirement already satisfied: beautifulsoup4==4.6.0 in /usr/lib/python2.7/dist-packages (from -r requirements.txt (line 7))
Collecting EasyProcess (from pyscreenshot==0.4.2->-r requirements.txt (line 2))
  Downloading EasyProcess-0.2.3.tar.gz
Collecting olefile (from Pillow==4.2.1->-r requirements.txt (line 6))
  Downloading olefile-0.45.1.zip (112kB)
    100% |████████████████████████████████| 112kB 322kB/s 
Building wheels for collected packages: pyscreenshot, pytesseract, EasyProcess, olefile
  Running setup.py bdist_wheel for pyscreenshot ... done
  Stored in directory: /root/.cache/pip/wheels/f9/d2/28/37910fb87d578015ead157046445933451e9a56f6fb697b0a0
  Running setup.py bdist_wheel for pytesseract ... done
  Stored in directory: /root/.cache/pip/wheels/ff/06/21/4b0d1e4d3e0e7a1c46c72a8a66a629473316f8e02614e9fdda
  Running setup.py bdist_wheel for EasyProcess ... done
  Stored in directory: /root/.cache/pip/wheels/81/f2/d3/78eeb2274410b1469562677f4704f86de4d44b90d436b99f1a
  Running setup.py bdist_wheel for olefile ... done
  Stored in directory: /root/.cache/pip/wheels/75/f2/18/9f073aab5b308aaccec50c17d4afb33dffc3265254e7962d67
Successfully built pyscreenshot pytesseract EasyProcess olefile
Installing collected packages: argcomplete, EasyProcess, pyscreenshot, olefile, Pillow, pytesseract, lxml, requests
  Found existing installation: lxml 4.2.0
    Not uninstalling lxml at /usr/lib/python2.7/dist-packages, outside environment /usr
Successfully installed EasyProcess-0.2.3 Pillow-4.2.1 argcomplete-1.8.1 lxml-3.8.0 olefile-0.45.1 pyscreenshot-0.4.2 pytesseract-0.1.7 requests-2.12.4

And medusa is installed.

    > apt-cache policy medusa 
medusa:
  Installed: 2.2-5
  Candidate: 2.2-5
  Version table:
 *** 2.2-5 500
	500 http://http.kali.org/kali kali-rolling/main amd64 Packages
	100 /var/lib/dpkg/status

Any ideas?

ERROR: Failed to match regex pattern within server's response.

Just ran /brutespray.py -f test.xml -U /Users/jasper/medusa/sample/usernames.txt -P /Users/jasper/medusa/sample/1000000-password-seclists.txt --threads 5 --hosts 5 and received an error telling that the regular expression pattern cannot be matched to the server's response:

ERROR: Failed to match regex pattern within server's response.
ERROR: Failed to match regex pattern within server's response.
ERROR: Failed to match regex pattern within server's response.
ERROR: No supported authentication methods located.
ERROR: No supported authentication methods located.
ERROR: No supported authentication methods located.
ERROR: No supported authentication methods located.
ERROR: No supported authentication methods located.
2020-11-03 12:04:03 ACCOUNT CHECK: [ssh] Host: xxx.xxx.xxx.xx (1 of 1, 0 complete) User: Aaren (1 of 362904, 0 complete) Password: 123456789 (1 of 1000000 complete)
2020-11-03 12:04:03 ACCOUNT CHECK: [ssh] Host: xxx.xxx.xxx.xx (1 of 1, 0 complete) User: Aaren (1 of 362904, 0 complete) Password: password (2 of 1000000 complete)
2020-11-03 12:04:03 ACCOUNT CHECK: [ssh] Host: xxx.xxx.xxx.xx (1 of 1, 0 complete) User: Aaren (1 of 362904, 0 complete) Password: qwerty (3 of 1000000 complete)
2020-11-03 12:04:03 ACCOUNT CHECK: [ssh] Host: xxx.xxx.xxx.xx (1 of 1, 0 complete) User: Aaren (1 of 362904, 0 complete) Password: 123456 (4 of 1000000 complete)
2020-11-03 12:04:03 ACCOUNT CHECK: [ssh] Host: xxx.xxx.xxx.xx (1 of 1, 0 complete) User: Aaren (1 of 362904, 0 complete) Password: 12345678 (5 of 1000000 complete)
ERROR: Failed to match regex pattern within server's response.
ERROR: Failed to match regex pattern within server's response.

This happened even though I ran the nmap command nmap -v -sV -oA test staging.domain.com beforehand and stored the data. Any ideas why this is happening? Could it be because the domain root hits a 302 redirecting to a login?

Non standard ports

Right now non-standard ports can be searched, but it will only take the first non-standard port on a host and use that. :(
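As an added illustration of the limitation reported above (this is not brutespray's code), the following sketch parses Nmap grepable output and keeps every open port per detected service instead of only the first one per host. The sample scan text, hostnames and the function name `parse_gnmap` are constructed for this example.

```python
from collections import defaultdict

# Constructed sample in Nmap's grepable (-oG / .gnmap) format.
# Addresses come from the 192.0.2.0/24 documentation range.
SAMPLE_GNMAP = """\
# Nmap 7.80 scan initiated as: nmap -sV -oA nmap_out 192.0.2.0/24
Host: 192.0.2.10 (db01.example.test)\tStatus: Up
Host: 192.0.2.10 (db01.example.test)\tPorts: 22/open/tcp//ssh//OpenSSH 7.4/, 2222/open/tcp//ssh//OpenSSH 8.0/, 2121/open/tcp//ftp//vsftpd 3.0.3/, 8080/closed/tcp//http-proxy///\tIgnored State: filtered (996)
Host: 192.0.2.20 ()\tPorts: 3306/open/tcp//mysql//MySQL 5.7.30/, 13306/open/tcp//mysql?///\tIgnored State: closed (998)
"""


def parse_gnmap(text):
    """Return {service: [(host, port), ...]} covering every open TCP port."""
    found = defaultdict(list)
    for line in text.splitlines():
        # Only "Host:" lines that carry a "Ports:" section are relevant.
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        # The Ports section ends at the next tab-separated section.
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(","):
            # Entry layout: port/state/protocol/owner/service/rpcinfo/version/
            fields = entry.strip().split("/")
            if len(fields) < 5:
                continue  # fragment of a version string that contained a comma
            port, state, proto, _owner, service = fields[:5]
            if state != "open" or proto != "tcp" or not service:
                continue
            # Nmap appends "?" to a service name it could only guess.
            found[service.rstrip("?")].append((host, int(port)))
    return dict(found)


if __name__ == "__main__":
    for service, endpoints in sorted(parse_gnmap(SAMPLE_GNMAP).items()):
        print(service, endpoints)
```

Grouping by service name rather than by port number is what lets the same host appear more than once for one service, which is useful when auditing login services exposed on unexpected ports.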

Feature Request - Parsing vuln scanner output

Hello,

Would it be possible to add support for nessus files? And I guess expose and qualys? The idea is that I can pass that file to brutespray and it can parse the XML file and launch attacks.

Python 3 - NameError: name 'args' is not defined

Set things up on macOS Catalina and have Medusa running as well as nmap. But now, when using the following command ./brutespray.py -f test.xml -U /Users/jasper/medusa/sample/usernames.txt -P /Users/jasper/medusa/sample/1000000-password-seclists.txt --threads 5 --hosts 5

I get

Brute-Forcing...
Process Process-1:
Process Process-2:
Traceback (most recent call last):
  File "/Applications/Xcode.app/Contents/Developer/Library/Frameworks/Python3.framework/Versions/3.8/lib/python3.8/multiprocessing/process.py", line 315, in _bootstrap
    self.run()
  File "/Applications/Xcode.app/Contents/Developer/Library/Frameworks/Python3.framework/Versions/3.8/lib/python3.8/multiprocessing/process.py", line 108, in run
    self._target(*self._args, **self._kwargs)
  File "/Users/jasper/brutespray/brutespray.py", line 245, in brute
    if args.userlist is None and args.username is None:
NameError: name 'args' is not defined
Traceback (most recent call last):
  File "/Applications/Xcode.app/Contents/Developer/Library/Frameworks/Python3.framework/Versions/3.8/lib/python3.8/multiprocessing/process.py", line 315, in _bootstrap
    self.run()
  File "/Applications/Xcode.app/Contents/Developer/Library/Frameworks/Python3.framework/Versions/3.8/lib/python3.8/multiprocessing/process.py", line 108, in run
    self._target(*self._args, **self._kwargs)
  File "/Users/jasper/brutespray/brutespray.py", line 245, in brute
    if args.userlist is None and args.username is None:
NameError: name 'args' is not defined

I do have Python 2 and 3 installed:

brew list --formula | grep python
[email protected]
[email protected]
[email protected]

but currently run 2:

python --version
Python 2.7.17

Seems there is an issue here with loading the proper one. Any ideas?
