BruteLoops:协议无关的在线密码安全检测API
<p><img title="BruteLoops:协议无关的在线密码安全检测API" alt="BruteLoops:协议无关的在线密码安全检测API" border="0" height="auto" src="https://zhuji.jb51.net/uploads/img/202305/0ae475669a68233962644dfaeb704805.jpg" width="auto"></p>
<h3>
关于BruteLoops</h3>
<p>
BruteLoops是一款功能强大且协议无关的在线密码安全检测API,广大研究人员可以使用BruteLoops来实现在线密码猜解,以检查用户所使用的密码是否安全,或识别密码中的安全问题。</p>
<p>
BruteLoops针对身份验证接口提供了密码爆破猜解功能,代码库中提供了一个模块化的使用示例,并演示了如何使用BruteLoops来实现密码安全解析。它的功能非常齐全,并且提供了多个爆破模块,下面给出的是其功能示例:</p>
<ul>
<li>
http.accellion_ftp FTP HTTP接口登录加速模块</li>
<li>
http.basic_digest 通用HTTP基本摘要验证</li>
<li>
http.basic_ntlm 通用HTTP基本NTLM身份验证</li>
<li>
http.global_protectWeb接口全局保护</li>
<li>
http.mattermost Mattermost登录Web接口</li>
<li>
http.netwrix Netwrix登录Web接口</li>
<li>
http.okta Okta JSON API</li>
<li>
http.owa2010 OWA 2010Web接口</li>
<li>
http.owa2016 OWA 2016 Web接口</li>
<li>
smb.smb 针对单个SMB服务器执行任务</li>
<li>
testing.fake 用于培训/测试的模拟身份验证模块</li>
</ul>
<h3>
关键功能</h3>
<ul>
<li>
协议无关</li>
<li>
SQLite支持</li>
<li>
密码喷射和密码填充</li>
<li>
密码猜解计划任务</li>
<li>
细粒度可配置性以避免锁定事件</li>
<li>
任务暂停和继续</li>
<li>
多进程支持</li>
<li>
日志记录</li>
</ul>
<h3>
工具依赖</h3>
<p>
BruteLoops工具要求Python 3.7或更高版本的Python环境,以及SQLAlchemy 1.3.0,后者可以通过pip工具以及该项目提供的requirements.txt来安装:</p>
<ol class="dp-xml">
<li class="alt">
<span><span>python3.7 -m pip install -r requirements.txt </span></span>
</li>
</ol>
<h3>
工具安装</h3>
<p>
广大研究人员可以通过下列命令将该项目源码克隆至本地,并安装该工具所需的依赖组件:</p>
<ol class="dp-xml">
<li class="alt">
<span><span>git clone https://github.com/arch4ngel/bruteloops </span></span>
</li>
<li>
<span> </span>
</li>
<li class="alt">
<span>cd bruteloops </span>
</li>
<li>
<span> </span>
</li>
<li class="alt">
<span>python3 -m pip install -r requirements.txt </span>
</li>
</ol>
<h3>
工具使用</h3>
<p>
在使用该工具时,我们可以按照以下步骤来对密码安全测试进行拆分:</p>
<ul>
<li>
寻找一个需要测试的目标服务;</li>
<li>
如果py【1】中没有存在该目标,则需要构建一个回调;</li>
<li>
搜索某些用户名、密码和凭证信息;</li>
<li>
通过向py【2】输入认证数据来构建一个数据库;</li>
<li>
如果相关,则枚举或请求活动目录锁定策略来智能地配置安全测试过程;</li>
<li>
根据目标锁定策略执行密码安全测试【1】【3】【4】;</li>
</ul>
<h3>
工具使用样例</h3>
<p>
(1) 通过example.py执行爆破猜解模块</p>
<p>
命令:</p>
<ol class="dp-xml">
<li class="alt">
<span><span>archangel@deskjet:bruteloops_dev~</span><span class="tag">></span><span> ./example.py test.sqlite3 testing.fake --help </span></span>
</li>
</ol>
<p>
输出:</p>
<ol class="dp-xml">
<li class="alt">
<span><span>usage: example.py dbfile testing.fake [-h] --username USERNAME --password PASSWORD </span></span>
</li>
<li>
<span> </span>
</li>
<li class="alt">
<span> </span>
</li>
<li>
<span> </span>
</li>
<li class="alt">
<span>Fake authentication module for training/testing </span>
</li>
<li>
<span> </span>
</li>
<li class="alt">
<span> </span>
</li>
<li>
<span> </span>
</li>
<li class="alt">
<span>optional arguments: </span>
</li>
<li>
<span> </span>
</li>
<li class="alt">
<span> -h, --help show this help message and exit </span>
</li>
<li>
<span> </span>
</li>
<li class="alt">
<span> --username USERNAME required - str - Username to check against </span>
</li>
<li>
<span> </span>
</li>
<li class="alt">
<span> --password PASSWORD required - str - Password to check against </span>
</li>
</ol>
<p>
(2) 通过dbmanager.py创建输入数据库</p>
<p>
命令:</p>
<ol class="dp-xml">
<li class="alt">
<span><span>archangel@deskjet:bruteloops_dev~</span><span class="tag">></span><span> ./dbmanager.py --help </span></span>
</li>
</ol>
<p>
输出:</p>
<ol class="dp-xml">
<li class="alt">
<span><span>usage: dbmanager.py [-h] dbfile {dump-valid,dump-credentials,import-values,import-credentials,delete-values,delete-credentials} ... </span></span>
</li>
<li>
<span> </span>
</li>
<li class="alt">
<span> </span>
</li>
<li>
<span> </span>
</li>
<li class="alt">
<span>Manage BruteLoops input databases </span>
</li>
<li>
<span> </span>
</li>
<li class="alt">
<span> </span>
</li>
<li>
<span> </span>
</li>
<li class="alt">
<span>positional arguments: </span>
</li>
<li>
<span> </span>
</li>
<li class="alt">
<span> dbfile Database file to manipulate </span>
</li>
<li>
<span> </span>
</li>
<li class="alt">
<span> {dump-valid,dump-credentials,import-values,import-credentials,delete-values,delete-credentials} </span>
</li>
<li>
<span> </span>
</li>
<li class="alt">
<span> SUBCOMMANDS: </span>
</li>
<li>
<span> </span>
</li>
<li class="alt">
<span> dump-valid Dump valid credentials from the database </span>
</li>
<li>
<span> </span>
</li>
<li class="alt">
<span> dump-credentials Dump all credential values from the database </span>
</li>
<li>
<span> </span>
</li>
<li class="alt">
<span> import-values Import values into the target database </span>
</li>
<li>
<span> </span>
</li>
<li class="alt">
<span> import-credentials Import credential pairs into the target database </span>
</li>
<li>
<span> </span>
</li>
<li class="alt">
<span> delete-values Delete values from the target database </span>
</li>
<li>
<span> </span>
</li>
<li class="alt">
<span> delete-credentials Delete credential pairs from the target database </span>
</li>
<li>
<span> </span>
</li>
<li class="alt">
<span> </span>
</li>
<li>
<span> </span>
</li>
<li class="alt">
<span>optional arguments: </span>
</li>
<li>
<span> </span>
</li>
<li class="alt">
<span> -h, --help show this help message and exit </span>
</li>
</ol>
<p>
(3) 通过example.py执行模拟爆破猜解模块</p>
<p>
命令:</p>
<ol class="dp-xml">
<li class="alt">
<span><span>./example.py test.sqlite3 \ </span></span>
</li>
<li>
<span> </span>
</li>
<li class="alt">
<span> --parallel-guess-count 4 --auth-threshold 2 \ </span>
</li>
<li>
<span> </span>
</li>
<li class="alt">
<span> --auth-jitter-min 1s --auth-jitter-max 5s \ </span>
</li>
<li>
<span> </span>
</li>
<li class="alt">
<span> --threshold-jitter-min 10s --threshold-jitter-max 20s \ </span>
</li>
<li>
<span> </span>
</li>
<li class="alt">
<span> -lf test.log \ </span>
</li>
<li>
<span> </span>
</li>
<li class="alt">
<span> testing.fake --username administrator --password P@ssw0rd </span>
</li>
</ol>
<p>
输出:</p>
<ol class="dp-xml">
<li class="alt">
<span><span>archangel@deskjet:bruteloops_dev~</span><span class="tag">></span><span> ./example.py test.sqlite3 -pgc 4 -at 2 -ajmin 1s -ajmax 5s -tjmin 10s -tjmax 20s -lf test.log testing.fake --username administrator --password P@ssw0rd </span></span>
</li>
<li>
<span> </span>
</li>
<li class="alt">
<span>2020-12-08 15:22:50,077 - example.py - GENERAL - Initializing attack </span>
</li>
<li>
<span> </span>
</li>
<li class="alt">
<span>2020-12-08 15:22:50,078 - BruteForcer - GENERAL - Initializing 4 process </span>
</li>
<li>
<span> </span>
</li>
<li class="alt">
<span>2020-12-08 15:22:50,078 - BruteForcer - GENERAL - Logging attack configuration parameters </span>
</li>
<li>
<span> </span>
</li>
<li class="alt">
<span>2020-12-08 15:22:50,078 - BruteForcer - GENERAL - Config Parameter -- authentication_jitter: <span class="tag"><</span><span class="tag-name">Jitter</span><span>(</span><span class="attribute">min</span><span>=</span><span class="attribute-value">"1s"</span><span>, </span><span class="attribute">max</span><span>=</span><span class="attribute-value">"5s"</span><span>)</span><span class="tag">></span><span> </span></span>
</li>
<li>
<span> </span>
</li>
<li class="alt">
<span>2020-12-08 15:22:50,078 - BruteForcer - GENERAL - Config Parameter -- max_auth_jitter: <span class="tag"><</span><span class="tag-name">Jitter</span><span>(</span><span class="attribute">min</span><span>=</span><span class="attribute-value">"10s"</span><span>, </span><span class="attribute">max</span><span>=</span><span class="attribute-value">"20s"</span><span>)</span><span class="tag">></span><span> </span></span>
</li>
<li>
<span> </span>
</li>
<li class="alt">
<span>2020-12-08 15:22:50,078 - BruteForcer - GENERAL - Config Parameter -- max_auth_tries: 2 </span>
</li>
<li>
<span> </span>
</li>
<li class="alt">
<span>2020-12-08 15:22:50,078 - BruteForcer - GENERAL - Config Parameter -- stop_on_valid: False </span>
</li>
<li>
<span> </span>
</li>
<li class="alt">
<span>2020-12-08 15:22:50,078 - BruteForcer - GENERAL - Config Parameter -- db_file: test.sqlite3 </span>
</li>
<li>
<span> </span>
</li>
<li class="alt">
<span>2020-12-08 15:22:50,083 - BruteForcer - GENERAL - Beginning attack: 15:22:50 EST (20/12/08) </span>
</li>
<li>
<span> </span>
</li>
<li class="alt">
<span>2020-12-08 15:22:51,572 - BruteForcer - INVALID - user1:pass1 </span>
</li>
<li>
<span> </span>
</li>
<li class="alt">
<span>2020-12-08 15:22:53,544 - BruteForcer - INVALID - admin:password </span>
</li>
<li>
<span> </span>
</li>
<li class="alt">
<span>2020-12-08 15:22:54,597 - BruteForcer - INVALID - user1:password </span>
</li>
<li>
<span> </span>
</li>
<li class="alt">
<span>2020-12-08 15:22:55,025 - BruteForcer - INVALID - admin:pass1 </span>
</li>
<li>
<span> </span>
</li>
<li class="alt">
<span>2020-12-08 15:22:55,247 - BruteForcer - INVALID - user2:pass1 </span>
</li>
<li>
<span> </span>
</li>
<li class="alt">
<span>2020-12-08 15:22:56,307 - BruteForcer - INVALID - user2:password </span>
</li>
<li>
<span> </span>
</li>
<li class="alt">
<span>2020-12-08 15:22:59,025 - BruteForcer - INVALID - administrator:pass1 </span>
</li>
<li>
<span> </span>
</li>
<li class="alt">
<span>2020-12-08 15:22:59,680 - BruteForcer - INVALID - administrator:password </span>
</li>
<li>
<span> </span>
</li>
<li class="alt">
<span>2020-12-08 15:23:07,384 - BruteForcer - INVALID - user1:welcome1 </span>
</li>
<li>
<span> </span>
</li>
<li class="alt">
<span>2020-12-08 15:23:07,955 - BruteForcer - INVALID - user1:P@ssw0rd </span>
</li>
<li>
<span> </span>
</li>
<li class="alt">
<span>2020-12-08 15:23:08,775 - BruteForcer - INVALID - administrator:welcome1 </span>
</li>
<li>
<span> </span>
</li>
<li class="alt">
<span>2020-12-08 15:23:09,631 - BruteForcer - VALID - administrator:P@ssw0rd </span>
</li>
<li>
<span> </span>
</li>
<li class="alt">
<span>2020-12-08 15:23:12,057 - BruteForcer - INVALID - user2:welcome1 </span>
</li>
<li>
<span> </span>
</li>
<li class="alt">
<span>2020-12-08 15:23:12,299 - BruteForcer - INVALID - admin:welcome1 </span>
</li>
<li>
<span> </span>
</li>
<li class="alt">
<span>2020-12-08 15:23:12,309 - BruteForcer - INVALID - user2:P@ssw0rd </span>
</li>
<li>
<span> </span>
</li>
<li class="alt">
<span>2020-12-08 15:23:12,534 - BruteForcer - INVALID - admin:P@ssw0rd </span>
</li>
<li>
<span> </span>
</li>
<li class="alt">
<span>2020-12-08 15:23:12,748 - BruteForcer - GENERAL - Attack finished </span>
</li>
<li>
<span> </span>
</li>
<li class="alt">
<span>2020-12-08 15:23:12,748 - BruteForcer - GENERAL - Shutting attack down </span>
</li>
<li>
<span> </span>
</li>
<li class="alt">
<span>2020-12-08 15:23:12,755 - BruteForcer - GENERAL - Closing/joining Processes </span>
</li>
<li>
<span> </span>
</li>
<li class="alt">
<span>2020-12-08 15:23:12,758 - example.py - GENERAL - Attack complete </span>
</li>
</ol>
<h3>
项目地址</h3>
<p>
BruteLoops:【GitHub传送门】</p>
<p>
原文地址:https://www.freebuf.com/articles/database/305541.html</p>
頁:
[1]