myBFF: a Brute Force Framework

by do son · Published · Updated

myBFF

myBFF is a web application brute force framework.

Point the framework at a file containing usernames, a host, and give it a password. The framework will determine what type of web application is in use, then attempt to brute force accounts. After brute forcing accounts, myBFF will then do a little more, like enumerating apps available and reading in important data. Each module is different so try them out!

Current modules:

  • HP SiteScope (will attempt to give you a Meterpreter Shell!)
  • Citrix Gateway (also enumerates authorized applications)
  • Juniper Portal (Will look for 2FA bypass and list what is accessible)
  • MobileIron (Unknown. Have to find out what is accessible first!)
  • Outlook/Office365 (will parse email, contacts, and other data from email)
  • WordPress (Will be adding “SomethingCool” soon)
  • CiscoVPN (Enumerate User accounts (May does not work on all configurations))
  • Okta (Enumerate Applications and check if 2FA is set up for the account)
  • Jenkins (Will be adding “Something Cool” soon)
  • SMB (Check if a user is an administrator) (must use –domain with this module. for the host, use smb://)
  • FTP (List root dir contents)

Installing

git clone https://github.com/MooseDojo/myBFF.git

sudo apt-get install python-lxml

sudo pip install pysmb

 

 Usage

usage: myBFF.py [-h] --host HOST [-u USERNAME] [-p PASSWORD] [--domain DOMAIN] [-U USERFILE] [-t THREADS] [-o OUTPUT] [--vhost VHOST]



optional arguments:

  -h, --help       show this help message and exit



inputs:

  --host HOST      Host to test against

  -u USERNAME      Username

  -p PASSWORD      Password

  --domain DOMAIN  Domain (Used for domain logins)

  -U USERFILE      File containing Usernames

  -o OUTPUT        File to output results to.

  --vhost VHOST    Virtual Directory (i.e., for rapid7.com/owa enter owa).

 

Example:



python myBFF.py --host http://192.168.108.21 -U userlist.txt -p Summer2016



For non-standard ports:



python myBFF.py --host http://192.168.108.21:8080 -u admin -p admin



Save standard out:



python myBFF.py --host https://192.168.108.22:8443 -U userlist.txt -p Sup3rS3cretP@ss123! -o pwdspray1.txt

Copyright (c) 2016 Kirk Hayes

Source: https://github.com/MooseDojo/

Tags: Brute Forcebrute force attackmyBFF