i myBFF – BRUTE FORCE ATTACK TOOL – All things in moderation

myBFF – BRUTE FORCE ATTACK TOOL

Hi guy!
In this post, we will discuss a brute force attack tool. It is myBFF.

What is myBFF?
myBFF is a web application brute force framework (currently)
Point the framework at a file containing usernames, a host, and give it a password. The framework will determine what type of web application is in use, then attempt to brute force accounts. After brute forcing accounts, myBFF will then do a little more, like enumerating apps available, and reading in important data. Each module is different so try them out!

Current module

  • HP SiteScope (will attempt to give you a Meterpreter Shell!)
  • Citrix Gateway (also enumerates authorized applications)
  • Juniper Portal (Will look for 2FA bypass and list what is accessible)
  • MobileIron (Unknown. Have to find out what is accessible first!)
  • Outlook/Office365 (will parse email, contacts, and other data from email)
  • WordPress (Will be adding “SomethingCool” soon)
  • CiscoVPN (Enumerate User accounts (May not work on all configurations))
  • Okta (Enumerate Applications and check if 2FA is setup for account)
  • Jenkins (Will be adding “Something Cool” soon)
  • SMB (Check if user is an administrator) (must use –domain with this module. for host, use smb://)
  • FTP (List root dir contents)

How to install myBFF?

In ubuntu 16.04 LTS:

git clone https://github.com/MooseDojo/myBFF.git
sudo apt-get install python-lxml
sudo pip install pysmb

How to use myBFF?

cd myBFF
usage: myBFF.py [-h] --host HOST [-u USERNAME] [-p PASSWORD] [--domain DOMAIN]
                [-U USERFILE] [-o OUTPUT] [-P PASS_FILE] [-d] [--vhost VHOST]
                [--proxies PROXIES] [--timeout TIMEOUT] [--test]

optional arguments:
  -h, --help         show this help message and exit

inputs:
  --host HOST        Host to test against
  -u USERNAME        Username
  -p PASSWORD        Password
  --domain DOMAIN    Domain (Used for domain logins)
  -U USERFILE        File containing Usernames
  -o OUTPUT          File to output results to.
  -P PASS_FILE       File containing Passwords
  -d                 Dry run mode. Disables the 'SomethingCool' mode
  --vhost VHOST      Virtual Directory (i.e., for rapid7.com/owa enter owa).
                     This is used for fingerprinting purposes only.
  --proxies PROXIES  Comma-separated list of SOCKS proxies. (i.e.
                     127.0.0.1:9050,127.0.0.1:18085)
  --timeout TIMEOUT  Number of minutes to wait between password sprays (Brute
                     Force Mode Only)
  --test             Run against test module. Userful for building modules.

Demo
You can download list Password and list username in here or here.

With username file and password file:

With username file and password:

With username and password file:

Result:

[email protected]:~/myBFF$ sudo python myBFF.py --host http://www.example.com -u admin -P passlist.txt
[sudo] password for cloudi: 




                         `.-:-.`           `.-::-.`
                     `:oyhhyooooo+:`    -+osooooyhhs+.
                   `/yhhs:`      `.-.`-/:.      `./syyo.
                  `shyy:            `-.            .+yyy.
    \M:         `ohyy/             `               `/yys
    :M:          .hyyy-                              .yyy.
    :M:          -hyyy/                              .hhy`
    :M:          `shyyy:                            `ohh+
    :M:           .shyyy+.                         .shh+`
    :M:            .+hhhyyo-`                    `/yho-
    :M:             `-ohhhhhy+-`               .+yy+-
    /M:              `./syhhhhs/.          -/os+-`
                         `.-+syddho-     `:+/-`
                             `.-+yddo.  `/.
                                 `-ohh- ``
                                   `-yh.
                                     .yo
                                      -s
                                      ./
                                      `
                               -.`--:--:..`         -.//:.:-////://:.`/o/ `.-/:--::///:://-.`o+-
                              .hNdNNdyhmNmds.       .sMMMmMmyhhosshdm+NMh `-dMMNNMdyhyosyhdyyMM/
                               /MMNN:  .hMMMs        oMMMMMo       `:-NM-   dMMMMN-       `:oMd`
                               .MMMN-   +MMm-        /MMMMd`         `hM`   yMMMMo          .Mh
                               `MNNM+ .:mMs+`        -NMMMd       ``  sm`   sMMMMo       .   No
                               `NMMNsymMMh--``       `yMMMd      .yo  :o    .NMMM+     `:d.  s-
                               `dMMMMMMMMNMMddho:    -NMMMy    `sNM-  .:    oMMMM:    .dNh`  :.
                               .NMMmMd++//omMMMMM-   `NMMMNo+-+hMMm         /MMMMd+/:omMMo
                               `MMNmM:     -NMMMM/   /MMMMMNdmNNMMd         yMMMMMmdmNMMM+
                               `mmNds       sMMMM.   -MMMMm.``.:sNm         sMMMMs``..:dMo
                               `hNNm:       +MMMN`   `mMMMy`     -y`        :MMMM/     `+s
                               -MNmM:       :MMMy    -NMMMh.       `        oMMMMo
                               .NmMM+       yMMd`    `hMMMm`                -NMMMs
  yms`.:+o` `-//`               hNMMs       hMN/     .mMMMd                 +MMMM+
  sMNssoNMhyyodmh``dm/   -+yh`  oNMNd      .dM:      `hMMMm`                :NMMMs
  /md`  +MMo  `:N: mN.    omo  `NMMMh    `sNms       :dMMMm                 oNMMMo
   dd   `mM.   -N+ sd     oMo   hMMMN/-/yddo/        :MMMMm.                sMMMMh
  .N+    /N:   sMs ym-``-oNMo  .mMMMNdmds.           /MMMMM+`               yMMMMm:
  /ms:  `oh:   /hh-:ydyyo/+No ::/yhoso:`             ohdhydhs/             `hddyhdyo.
                      `   :No                                `                     `
                          `mo
                          `mo
                          `mo
                 :-      `sN:
                ++      -yNo
               oy   `-+hh+.
              -mdoooo+-`
               .. 
 ---a Brute Force Framework by l0gan (@kirkphayes)
 myBFF v1.5.1

[!]  WARNING! BRUTE FORCE MODE ENABLED! THIS LIKELY WILL LOCK OUT ACCOUNTS! ARE YOU SURE YOU WANT TO RUN? (type Y to continue)
Y
[+] Running wordpressBrute module...

Type “Y” to continue!

The above I have introduced to you myBFF tool. Hope it will help you. Please leave your comments for better article. Thank you!

Reference:
https://github.com

Leave a Reply