A “modular” example is included with the library that demonstrates how to use this package. It’s fully functional and provides multiple brute force modules. Below is a sample of its capabilities:
<div authentication class="snippet-clipboard-content position-relative overflow-auto" data-snippet-clipboard-copy-content="http.accellion_ftp Accellion FTP HTTP interface login module http.basic_digest Generic HTTP basic digest auth http.basic_ntlm Generic HTTP basic NTLM authentication http.global_protect Global Protect web interface http.mattermost Mattermost login web interface http.netwrix Netwrix web login http.okta Okta JSON API http.owa2010 OWA 2010 web interface http.owa2016 OWA 2016 web interface smb.smb Target a single SMB server testing.fake Fake authentication module for training/testing “>
http.accellion_ftp Accellion FTP HTTP interface login module http.basic_digest Generic HTTP basic digest auth http.basic_ntlm Generic HTTP basic NTLM authentication http.global_protect Global Protect web interface http.mattermost Mattermost login web interface http.netwrix Netwrix web login http.okta Okta JSON API http.owa2010 OWA 2010 web interface http.owa2016 OWA 2016 web interface smb.smb Target a single SMB server testing.fake Fake authentication module for training/testing
Key Features
Protocol agnostic – If a callback can be written in Python, BruteLoops can be used to attack it
SQLite support – All usernames, passwords, and credentials are maintained in an SQLite database.
A companion utility (dbmanager.py) that creates and manages input databases accompanies BruteLoops
Spray and Stuffing Attacks in One Tool – BruteLoops supports both spray and stuffing attacks in the same attack logic and database, meaning that you can configure a single database and run the attack without heavy reconfiguration and confusion.
Guess scheduling – Each username in the SQLite database is configured with a timestamp that is updated after each authentication event. This means we can significantly reduce likelihood of locking accounts by scheduling each authentication event with precision.
Fine-grained configurability to avoid lockout events – Microsoft’s lockout policies can be matched 1-to-1 using BruteLoop’s parameters:
auth_threshold = Lockout Threshold
max_auth_jitter = Lockout Observation Window
Timestampes associated with each authentication event are tracked in BruteLoops’ SQLite database. Each username receives a distinct timestamp to assure that authentication events are highly controlled.
Attack resumption – Stopping and resuming an attack is possible without worrying about losing your place in the attack or locking accounts.
Multiprocessing – Speed up attacks using multiprocessing! By configuring the`parallel guess count, you’re effectively telling BruteLoops how many usernames to guess in parallel.
Logging – Each authentication event can optionally logged to disk. This information can be useful during red teams by providing customers with a detailed attack timeline that can be mapped back to logged events.
Dependencies
BruteLoops requires Python3.7 or newer and SQLAlchemy 1.3.0, the latter of which can be obtained via pip and the requirements.txt file in this repository: python3.7 -m pip install -r requirements.txt
