x90skysn3k / brutespray

Bruteforcing from various scanner output - Automatically attempts default creds on found services.
MIT License

No output; stopped working #19

Closed tokyoneon closed 6 years ago

tokyoneon commented 6 years ago

v1.6.0, found in Kali, stopped working, so I tried cloning the git. But that didn't help. I'm not sure if this is a bug or maybe I'm misunderstanding the usage.

    > ./brutespray.py --file '/root/Desktop/brutespray.xml' --username user --passlist '/root/Desktop/passwords.list' --output brutespray_cracked.txt --service smtp

 brutespray.py v1.6.1
 Created by: Shane Young/@x90skysn3k && Jacob Robles/@shellfail
 Inspired by: Leon Johnson/@sho-luv
 Credit to Medusa: JoMo-Kun / Foofus Networks <jmk@foofus.net>

Starting to brute, please make sure to use the right amount of threads(-t) and parallel hosts(-T)...  
Output will be written to the folder: ./brutespray_cracked.txt/ \

Brute-Forcing...     
Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>

Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>

Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>

That's it, brutespray just quits with no warnings or errors. This happens with or without the --service and --output args. Brutespray worked fine with SSH until I tried SMTP and VNC.

I thought maybe it was my Nmap outputs but here's what I'm working with:

> nmap --top-ports 1000 -oG /root/Desktop/brutespray.gnmap 192.168.1.103

Read the file:

> cat /root/Desktop/brutespray.gnmap
# Nmap 7.60 scan initiated Mon Apr  9  2018 as: nmap --top-ports 1000 -oG /root/Desktop/brutespray.gnmap 192.168.1.103
Host: 192.168.1.103 ()  Status: Up
Host: 192.168.1.103 ()  Ports: 25/open/tcp//smtp///, 5901/open/tcp//vnc-1///, 6001/open/tcp//X11:1///   Ignored State: closed (997)
# Nmap done at Mon Apr  9  2018 -- 1 IP address (1 host up) scanned in 0.14 seconds

Nmap output:

Not shown: 997 closed ports
Reason: 997 resets
PORT     STATE SERVICE REASON         VERSION
25/tcp   open  smtp    syn-ack ttl 64 Postfix smtpd
5901/tcp open  vnc     syn-ack ttl 64 VNC (protocol 3.8)
6001/tcp open  X11     syn-ack ttl 64 (access denied)
MAC Address: XX:XX:XX:XX:XX:XX (Unknown)
Service Info: Host:  unknown

The installation seemed to go over well:

    tokyoneon ~/Desktop/brutespray
    > pip install -r requirements.txt
Collecting argcomplete==1.8.1 (from -r requirements.txt (line 1))
  Using cached argcomplete-1.8.1-py2.py3-none-any.whl
Collecting pyscreenshot==0.4.2 (from -r requirements.txt (line 2))
  Using cached pyscreenshot-0.4.2.tar.gz
Collecting pytesseract==0.1.7 (from -r requirements.txt (line 3))
  Using cached pytesseract-0.1.7.tar.gz
Collecting lxml==3.8.0 (from -r requirements.txt (line 4))
  Using cached lxml-3.8.0-cp27-cp27mu-manylinux1_x86_64.whl
Collecting requests==2.12.4 (from -r requirements.txt (line 5))
  Downloading requests-2.12.4-py2.py3-none-any.whl (576kB)
    100% |████████████████████████████████| 583kB 311kB/s 
Collecting Pillow==4.2.1 (from -r requirements.txt (line 6))
  Downloading Pillow-4.2.1-cp27-cp27mu-manylinux1_x86_64.whl (5.8MB)
    100% |████████████████████████████████| 5.8MB 172kB/s 
Requirement already satisfied: beautifulsoup4==4.6.0 in /usr/lib/python2.7/dist-packages (from -r requirements.txt (line 7))
Collecting EasyProcess (from pyscreenshot==0.4.2->-r requirements.txt (line 2))
  Downloading EasyProcess-0.2.3.tar.gz
Collecting olefile (from Pillow==4.2.1->-r requirements.txt (line 6))
  Downloading olefile-0.45.1.zip (112kB)
    100% |████████████████████████████████| 112kB 322kB/s 
Building wheels for collected packages: pyscreenshot, pytesseract, EasyProcess, olefile
  Running setup.py bdist_wheel for pyscreenshot ... done
  Stored in directory: /root/.cache/pip/wheels/f9/d2/28/37910fb87d578015ead157046445933451e9a56f6fb697b0a0
  Running setup.py bdist_wheel for pytesseract ... done
  Stored in directory: /root/.cache/pip/wheels/ff/06/21/4b0d1e4d3e0e7a1c46c72a8a66a629473316f8e02614e9fdda
  Running setup.py bdist_wheel for EasyProcess ... done
  Stored in directory: /root/.cache/pip/wheels/81/f2/d3/78eeb2274410b1469562677f4704f86de4d44b90d436b99f1a
  Running setup.py bdist_wheel for olefile ... done
  Stored in directory: /root/.cache/pip/wheels/75/f2/18/9f073aab5b308aaccec50c17d4afb33dffc3265254e7962d67
Successfully built pyscreenshot pytesseract EasyProcess olefile
Installing collected packages: argcomplete, EasyProcess, pyscreenshot, olefile, Pillow, pytesseract, lxml, requests
  Found existing installation: lxml 4.2.0
    Not uninstalling lxml at /usr/lib/python2.7/dist-packages, outside environment /usr
Successfully installed EasyProcess-0.2.3 Pillow-4.2.1 argcomplete-1.8.1 lxml-3.8.0 olefile-0.45.1 pyscreenshot-0.4.2 pytesseract-0.1.7 requests-2.12.4

And medusa is installed.

    > apt-cache policy medusa 
medusa:
  Installed: 2.2-5
  Candidate: 2.2-5
  Version table:
 *** 2.2-5 500
    500 http://http.kali.org/kali kali-rolling/main amd64 Packages
    100 /var/lib/dpkg/status

Any ideas?

jrobles-r7 commented 6 years ago

when you are running brutespray you specify /root/Desktop/brutespray.xml but your nmap is /root/Desktop/brutespray.gnmap. would that be the issue? does the xml file exist?

jrobles-r7 commented 6 years ago

i guess it should exist since it looks like medusa seems to start up...

jrobles-r7 commented 6 years ago

i'm thinking the error might be occurring because parsing the xml will probably show vnc-1 vs vnc. i think the matching there might fail.
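
A small parser for nmap's grepable (gnmap) output that shows the mismatch jrobles-r7 describes: port 5901 is reported as `vnc-1`, which will not match a module keyed on `vnc` unless the instance suffix is stripped. This is an added example, not brutespray's code; the gnmap text is constructed from the line in the issue, and `KNOWN_SERVICES` is an assumed set of module names (ssh, smtp, vnc are the three named in this thread).

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the gnmap line quoted in the issue (not the reporter's file).
SAMPLE_GNMAP = """# Nmap 7.60 scan initiated Mon Apr  9  2018 as: nmap --top-ports 1000 -oG out.gnmap 192.168.1.103
Host: 192.168.1.103 ()\tStatus: Up
Host: 192.168.1.103 ()\tPorts: 25/open/tcp//smtp///, 5901/open/tcp//vnc-1///, 6001/open/tcp//X11:1///\tIgnored State: closed (997)
# Nmap done at Mon Apr  9  2018 -- 1 IP address (1 host up) scanned in 0.14 seconds
"""

# Assumed set of service names a brute-force module table would be keyed on.
KNOWN_SERVICES = {"ssh", "smtp", "vnc"}


def normalize_service(name):
    """Strip nmap's instance suffixes: 'vnc-1' -> 'vnc', 'X11:1' -> 'x11'."""
    return re.split(r"[-:]\d+$", name, maxsplit=1)[0].lower()


def parse_gnmap(text):
    """Return {normalized_service: [(host, port), ...]} for open ports in gnmap output."""
    found = defaultdict(list)
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        # Everything between 'Ports:' and the optional 'Ignored State:' field.
        ports_field = line.split("Ports:", 1)[1].split("Ignored State:")[0]
        for entry in ports_field.split(","):
            fields = entry.strip().split("/")
            # gnmap port entry: port/state/protocol/owner/service/rpc info/version/
            if len(fields) < 5 or fields[1] != "open":
                continue
            port, _state, _proto, _owner, service = fields[:5]
            found[normalize_service(service)].append((host, int(port)))
    return dict(found)


def unmatched_services(parsed, known=KNOWN_SERVICES):
    """Services present in the scan that no module name would match even after normalizing."""
    return sorted(s for s in parsed if s not in known)


if __name__ == "__main__":
    parsed = parse_gnmap(SAMPLE_GNMAP)
    print(parsed)                      # vnc-1 is keyed as 'vnc', X11:1 as 'x11'
    print(unmatched_services(parsed))  # ['x11']
```

Without `normalize_service`, the raw label `vnc-1` would be the key and a lookup for `vnc` would find nothing, which is the silent no-match behaviour reported above.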

tokyoneon commented 6 years ago

Oh, sorry, forgot to clarify, I was alternating between an xml and gnmap. I got the same results using either. Just modified the gnmap and removed the "-1" and got this output:

Starting to brute, please make sure to use the right amount of threads(-t) and parallel hosts(-T)...  
Output will be written to the folder: ./brutespray-output/ \

Brute-Forcing...     
Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>

ACCOUNT CHECK: [vnc] Host: 192.168.1.103 (1 of 1, 0 complete) User: user (1 of 1, 0 complete) Password: 123456 (1 of 60 complete)
ACCOUNT CHECK: [vnc] Host: 192.168.1.103 (1 of 1, 0 complete) User: user (1 of 1, 0 complete) Password: 123456789 (2 of 60 complete)

It started this time but stopped after 2 password attempts.

tokyoneon commented 6 years ago

Tried changing medusa's verbosity level in the script, thought it might help debug.

    # Pass the verbosity flag and its value as separate argv elements ('-v', '6'), not as one token.
    p = subprocess.Popen(['medusa', '-v', '6', '-H', fname, uarg, userlist, parg, passlist, '-M', service, '-t', args.threads, '-n', port, '-T', args.hosts, cont], stdout=subprocess.PIPE, stderr=subprocess.PIPE, bufsize=-1)

Got this:

Starting to brute, please make sure to use the right amount of threads(-t) and parallel hosts(-T)...  
Output will be written to the folder: ./brutespray-output/ \

Brute-Forcing...     
Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>

GENERAL: Parallel Hosts: 1 Parallel Logins: 2
GENERAL: Total Hosts: 1 
GENERAL: Total Users: 1
GENERAL: Total Passwords: 60
GENERAL: Medusa has finished.

tokyoneon commented 6 years ago

What's interesting is bruteforcing SSH still works.

    > ./brutespray.py --file '/root/Desktop/brutespray.gnmap' --username user --passlist '/root/Desktop/passwords.list' --service ssh

Starting to brute, please make sure to use the right amount of threads(-t) and parallel hosts(-T)...  
Output will be written to the folder: ./brutespray-output/ \

Brute-Forcing...     
Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>

GENERAL: Parallel Hosts: 1 Parallel Logins: 2
GENERAL: Total Hosts: 1 
GENERAL: Total Users: 1
GENERAL: Total Passwords: 60
ACCOUNT CHECK: [ssh] Host: 192.168.1.103 (1 of 1, 0 complete) User: user (1 of 1, 0 complete) Password: 123456789 (1 of 60 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.1.103 (1 of 1, 0 complete) User: user (1 of 1, 0 complete) Password: 123456 (2 of 60 complete)

...

ACCOUNT CHECK: [ssh] Host: 192.168.1.103 (1 of 1, 0 complete) User: user (1 of 1, 0 complete) Password: 11111111 (58 of 60 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.1.103 (1 of 1, 0 complete) User: user (1 of 1, 0 complete) Password: wonderhow2 (59 of 60 complete)
ACCOUNT FOUND: [ssh] Host: 192.168.1.103 User: user Password: wonderhow2 [SUCCESS]

GENERAL: Medusa has finished.

tokyoneon commented 6 years ago

Thought maybe it was my test SMTP/VNC servers but just tried using brutespray on a VNC server I found on Shodan. Using lsof I could see medusa established a connection to the server (79.173.XX.XXX:5901) for a few moments...

    > watch lsof -i
COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
medusa  5533 root    6u  IPv4  27857      0t0  TCP 192.168.1.17:36604->79.173.XX.XXX:5901 (ESTABLISHED)
medusa  5533 root    7u  IPv4  27858      0t0  TCP 192.168.1.17:36606->79.173.XX.XXX:5901 (ESTABLISHED)

But no output in my brutespray terminal.


Starting to brute, please make sure to use the right amount of threads(-t) and parallel hosts(-T)...  
Output will be written to the folder: ./brutespray-output/ \

Brute-Forcing...     
Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>

GENERAL: Parallel Hosts: 1 Parallel Logins: 2
GENERAL: Total Hosts: 1 
GENERAL: Total Users: 1
GENERAL: Total Passwords: 60
GENERAL: Medusa has finished.

x90skysn3k commented 6 years ago

i tested on VNC metasploitable2, and it worked just fine. SMTP required an AUTH:PLAIN or AUTH:LOGIN argument which i added, i also enabled medusa errors to print out