search

CERT-Polska / Artemis

A modular vulnerability scanner with automatic report generation capabilities.
https://cert.pl/en/posts/2024/01/artemis-security-scanner/
BSD 3-Clause "New" or "Revised" License
559 stars 48 forks source link

Add a generic tool that is able to bruteforce login forms, regardless of what type of login form it is #249

Open kazet opened 1 year ago

kazet commented 1 year ago

joomla,phppgadmin,nextcloud,jenkins,...

kazet commented 1 year ago

high-level purpose: be able to check whether admin/admin login/password pair works on any type of admin panel - a tool that is able to bruterforce login forms regardless of what type of form is it

subtasks:

  1. build a small Docker-based test suite with a couple (5-10) admin panels (skip WordPress as we already have support) including e.g. Django and some diy cms
  2. research whether there exist tools that do this. check them
  3. if there are no such tools, write one (initially as a standalone Python script)
  4. wrap chosen tool (existing or custom-built one) into Artemis as Artemis module (you may get the general skeleton from https://github.com/CERT-Polska/Artemis/blob/main/artemis/modules/mysql_bruter.py)
  5. add Artemis reporting module that will send automatic e-mail reports (inspired by e.g. https://github.com/CERT-Polska/Artemis/tree/main/artemis/reporting/modules/mysql_bruter) 6 make sure the test suite passes (the test could be inspired e.g. by https://github.com/CERT-Polska/Artemis/blob/main/test/reporting/test_bruter_autoreporter_integration.py)
kazet commented 1 year ago

does hydra solve the problem?