BruteLoops：一个协议无关的在线密码安全检测API

关于BruteLoopsBruteLoops是一个功能强大且与协议无关的在线密码安全检测API，研究人员可以使用BruteLoops实现在线密码猜测来检查用户使用的密码是否安全，或者识别密码中的安全问题。BruteLoops为认证接口提供密码爆破和猜测功能。代码库中提供了一个模块化的使用示例，演示了如何使用BruteLoops实现安全的密码分析。功能齐全，提供多种暴力破解模块。以下是其功能示例：http.accellion_ftpFTPHTTP接口登录加速模块http.basic_digest通用HTTP基本摘要认证http.basic_ntlm通用HTTP基本NTLM认证http.global_protectWeb界面全局保护http.mattermostMattermost登录Web界面http.netwrixNetwrix登录Web界面http.oktaOktaJSONAPIhttp.owa2010OWA2010Web界面http.owa2016OWA2016Web界面smb.smb针对单个SMB服务器执行任务testing.fake用于训练/测试的模拟身份验证模块主要功能与协议无关的SQLite支持PasswordSpraying和PasswordStuffingPasswordGuessing定时任务细粒度配置避免锁定事件TaskPausingandResuming3.7或更高版本的Python环境，以及SQLAlchemy1.3.0，后者可以通过pip工具和需求安装项目提供的.txt：python3.7-mpipinstall-rrequirements.txt工具安装广大研究人员可以使用如下命令将项目的源码clone到本地，安装工具需要的依赖组件：gitclonehttps://github.com/arch4ngel/bruteloopscdbruteloopspython3-mpipinstall-rrequirements.txt使用时工具，我们可以按照下面的步骤对密码安全测试进行拆分：找到一个需要测试的目标服务；如果目标在py[1]中不存在，则需要构建回调；搜索某些用户名、密码和凭证信息；认证数据建立数据库；如果相关，枚举或请求ActiveDirectory锁定策略以智能配置安全测试过程；根据目标锁定策略执行密码安全测试[1][3][4];工具使用示例（1）通过example.py执行爆破猜测模块命令：archangel@deskjet:bruteloops_dev~>./example.pytest.sqlite3testing.fake--helpoutput:usage:example.pydbfiletesting.fake[-h]--usernameUSERNAME--passwordPASSWORDFakeauthenticationmodulefortraining/testingoptionalarguments:-h,--helpshowthishelpmessageandexit--usernameUSERNAMErequired-str-Usernametocheckagainst--passwordPASSWORDrequired-str-Passwordtocheckagainst(2)通过dbmanager.py创建输入数据库命令：archangel:devsbrute_brute.py/dbmanager--help输出：usage:dbmanager.py[-h]dbfile{dump-valid,dump-credentials,import-values,import-credentials,delete-values,delete-credentials}...ManageBruteLoopsinputdatabasespositionalarguments:dbfileDatabasefiletomanipulate{dump-valid,转储凭证,导入值,导入凭证,删除值,删除凭证}将值导入目标数据库import-credentialsImportcredentialpairsintothetargetdatabasedelete-valuesDeletevaluesfromthetargetdatabasedelete-credentialsDeletecredentialpairsfromthetargetdatabaseoptionalarguments:-h,--helpshowthishelpmessageandexit(3)通过example.py执行模拟爆破猜测模块命令：./example.pytest.sqlite3\--4hold--aguess-countauth-jitter-min1s--auth-jitter-max5s\--threshold-jitter-min10s--threshold-jitter-max20s\-lftest.log\testing.fake--usernameadministrator--passwordP@ssw0rd输出：archangel@deskjet:bruteloops_dev~>./example.pytest.sqlite3-pgc4-at2-ajmin1s-ajmax5s-tjmin10s-tjmax20s-lftest.logtesting.fake--usernameadministrator--passwordP@ssw0rd2020-12-0815:22:50,077-example.py-GENERAL-Initializingattack2020-12-0815:22:50,078-BruteForcer-GENERAL-Initializing4process2020-12-0815:22:50,078-BruteForcer-GENERAL-Loggingattackconfigurationparameters2020-12-0815:22:50,078-BruteForcer-GENERAL-ConfigParameter--authentication_jitter:2020-12-0815:22:50,078-BruteForcer-GENERAL-ConfigParameter--max_auth_jitter:2020-12-0815:22:50,078-BruteForcer-GENERAL-ConfigParameter--max_auth_tries:22020-12-0815:22:50,078-BruteForcer-GENERAL-ConfigParameter--stop_on_valid:False2020-12-0815:22:50,078-BruteForcer-GENERAL-ConfigParameter--db_file:test.sqlite32020-12-0815:22:50,083-BruteForcer-GENERAL-开始攻击：15:22:50EST(20/12/08)2020-12-0815:22:51,572-BruteForcer-INVALID-user1:pass12020-12-0815:22:53,544-BruteForcer-INVALID-admin:password2020-12-0815:22:54,597-BruteForcer-INVALID-user1:password2020-12-0815:22:55,025-BruteForcer-INVALID-admin:pass12020-12-0815:22:55,247-BruteForcer-INVALID-user2:pass12020-12-0815:22:56,307-BruteForcer-INVALID-user2:password2020-12-0815:22:59,025-BruteForcer-INVALID-administrator:pass12020-12-0815:22:59,680-BruteForcer-INVALID-administrator:password2020-12-0815:23:07,384-BruteForcer-INVALID-user1:welcome12020-12-0815:23:07,955-BruteForcer-INVALID-user1:P@ssw0rd2020-12-0815:23:08,775-BruteForcer-INVALID-administrator:welcome12020-12-0815:23:09,631-BruteForcer-VALID-administrator:P@ssw0rd2020-12-0815:23:12,057-BruteForcer-INVALID-user2:welcome12020-12-0815:23:12,299-BruteForcer-INVALID-admin:welcome12020-12-0815:23:12,309-BruteForcer-INVALID-user2:P@ssw0rd2020-12-0815:23:12,534-BruteForcer-INVALID-admin:P@ssw0rd2020-12-0815:23:12,748-BruteForcer-GENERAL-Attackfinished2020-12-0815:23:12,748-BruteForcer-GENERAL-Shutting-attackdown202012-0815:23:12,755-BruteForcer-GENERAL-Closing/joiningProcesses2020-12-0815:23:12,758-example.py-GENERAL-Attackcomplete项目目标地址BruteLoops：【GitHub传送门】