myBFF: a Brute Force Framework

myBFF is a web application brute force framework.

Point the framework at a file containing usernames, a host, and give it a password. The framework will determine what type of web application is in use, then attempt to brute force accounts. After brute forcing accounts, myBFF will then do a little more, like enumerating apps available and reading in important data. Each module is different so try them out!

Current modules:

  • HP SiteScope (will attempt to give you a Meterpreter Shell!)
  • Citrix Gateway (also enumerates authorized applications)
  • Juniper Portal (Will look for 2FA bypass and list what is accessible)
  • MobileIron (Unknown. Have to find out what is accessible first!)
  • Outlook/Office365 (will parse email, contacts, and other data from email)
  • WordPress (Will be adding “SomethingCool” soon)
  • CiscoVPN (Enumerate User accounts (May does not work on all configurations))
  • Okta (Enumerate Applications and check if 2FA is set up for the account)
  • Jenkins (Will be adding “Something Cool” soon)
  • SMB (Check if a user is an administrator) (must use –domain with this module. for the host, use smb://)
  • FTP (List root dir contents)


git clone

sudo apt-get install python-lxml
sudo pip install pysmb



usage: [-h] --host HOST [-u USERNAME] [-p PASSWORD] [--domain DOMAIN] [-U USERFILE] [-t THREADS] [-o OUTPUT] [--vhost VHOST]

optional arguments:
-h, --help show this help message and exit

--host HOST Host to test against
-u USERNAME Username
-p PASSWORD Password
--domain DOMAIN Domain (Used for domain logins)
-U USERFILE File containing Usernames
-o OUTPUT File to output results to.
--vhost VHOST Virtual Directory (i.e., for enter owa).



python --host -U userlist.txt -p Summer2016

For non-standard ports:

python --host -u admin -p admin

Save standard out:

python --host -U userlist.txt -p Sup3rS3cretP@ss123! -o pwdspray1.txt

Copyright (c) 2016 Kirk Hayes