Server-side brute-force module. Brute-force (dictionary attack, jk) attack that supports multiple protocols and services.
1. Introduction
brut3k1t is a server-side bruteforce module that supports dictionary attacks for several protocols. The current protocols that are complete and in support are:
ssh
ftp
smtp
XMPP
instagram
facebook2. Installation
Installation is simple. brut3k1t requires several dependencies, although they will be installed by the program if you do not have it.
- argparse - utilized for parsing command line arguments
- paramiko - utilized for working with SSH connections and authentication
- ftplib - utilized for working with FTP connections and authentication
- smtplib - utilized for working with SMTP (email) connections and authentication
- fbchat - utilized for connecting with Facebook
- selenium - utilized for web scraping, which is used with Instagram (and later Twitter)
- xmppy - utiized for XMPP connections ...and more within the future!
git clone . git clone https://github.com/ex0dus-0x/brut3k1tcd /path/to/brut3k1t3. Usage
Utilizing brut3k1t is a little more complicated than just running a Python file.
Typing
python brut3k1t -h shows the help menu: usage: brut3k1t.py [-h] [-s SERVICE] [-u USERNAME] [-w PASSWORD] [-a ADDRESS]
[-p PORT] [-d DELAY]
Server-side bruteforce module written in Python
optional arguments:
-h, --help show this help message and exit
-a ADDRESS, --address ADDRESS
Provide host address for specified service. Required
for certain protocols
-p PORT, --port PORT Provide port for host address for specified service.
If not specified, will be automatically set
-d DELAY, --delay DELAY
Provide the number of seconds the program delays as
each password is tried
required arguments:
-s SERVICE, --service SERVICE
Provide a service being attacked. Several protocols
and services are supported
-u USERNAME, --username USERNAME
Provide a valid username for service/protocol being
executed
-w PASSWORD, --wordlist PASSWORD
Provide a wordlist or directory to a wordlistExamples of usage:
Cracking SSH server running on
192.168.1.3 using root and wordlist.txt as a wordlist. python brut3k1t.py -s ssh -a 192.168.1.3 -u root -w wordlist.txt -p flag. Cracking email
test@gmail.com with wordlist.txt on port 25 with a 3 second delay. For email it is necessary to use the SMTP server's address. For e.g Gmail = smtp.gmail.com . You can research this using Google. python brut3k1t.py -s smtp -a smtp.gmail.com -u test@gmail.com -w wordlist.txt -p 25 -d 3 test@creep.im with wordlist.txt on default port 5222 . XMPP also is similar to SMTP, whereas you will need to provide the address of the XMPP server, in this case creep.im . python brut3k1t.py -s xmpp -a creep.im -u test -w wordlist.txtpython brut3k1t.py -s facebook -u 1234567890 -w wordlist.txt test with wordlist wordlist.txt and a 5 second delay python brut3k1t.py -s instagram -u test -w wordlist.txt -d 5- If you do not supply the port
-pflag, the default port for that service will be used. You do not need to provide it for Facebook and Instagram, since they are um... web-based. :)
- If you do not supply the delay
-dflag, the default delay in seconds will be 1.
- Remember, use the SMTP server address and XMPP server address for the address
-aflag, when cracking SMTP and XMPP, respectively.
- Facebook requires the username ID. This is a little bit of a setback since some people do not display their ID publicly on their profile.
- Make sure the wordlist and its directory is specified. If it is in
/usr/local/wordlists/wordlist.txtspecify that for the wordlist-wflag.
- Remember that some protocols are not based on their default port. A FTP server will not necessarily always be on port
21. Please keep that in mind.
- Use this for educational and ethical hacking purposes, as well as the sake of learning code and security-oriented practices. No script kiddies!
Tags
Attack
brut3k1t
Brute-force
Connections
Cracking
Dictionary attacks
Facebook
FTP
Hacking
Linux
Protocols
Python
SMTP
SSH
SSH server
Wordlist