A tool used to test the vulnerability of database passwords

qiwi/bruteforce

Bruteforce

A tool for auditing the strength of database account passwords. It reads password hashes out of the target databases and hands them to Hashcat, which is used as the password-guessing engine, for dictionary-based cracking; accounts whose hashes are recovered are using weak passwords.

Requirements

  • Python 3.7.x
  • PostgreSQL 11.x
  • RabbitMQ
  • Hashcat

Can grab password hashes from

  • PostgreSQL
  • MSSQL
  • Oracle

Usage

1. Install and configure

1.1. Clone repo, create virtual environment, install requirements, create log dir

cd BASE_DIR
git clone https://github.com/qiwi/bruteforce.git
cd bruteforce
python3.7 -m venv venv
source venv/bin/activate
pip install -r requirements.txt
mkdir /var/log/bruteforce   # /var/log normally needs root; make the directory writable by the user that runs Django and the Celery worker

1.2. Create file BASE_DIR/bruteforce/bruteforce/settings/prod.py based on BASE_DIR/bruteforce/bruteforce/settings/prod_template.py

Fill in the empty fields (database connection credentials, Django secret, broker URL and so on).

1.3. Migrate

python3.7 manage.py migrate

1.4. Collect static files

python3.7 manage.py collectstatic

1.5. Start the Django development server

python3.7 manage.py runserver

2. Run celery and flower

2.1. Run worker and beat

celery -A bruteforce beat --scheduler django_celery_beat.schedulers:DatabaseScheduler
celery -A bruteforce worker

2.2. Run flower for monitoring tasks

flower -A bruteforce

3. Install hashcat (macOS)

3.1. Clone, build and install hashcat

git clone https://github.com/hashcat/hashcat.git
cd hashcat
make
sudo make install

3.2. Make sure the hashcat path in crypto/hashcat.py matches the installed binary

which hashcat
# prints the install location, e.g.
/usr/bin/hashcat

The path is hard-coded in crypto/hashcat.py; edit it if `which hashcat` prints something else (a source build on macOS usually lands in /usr/local/bin/hashcat):

class Hashcat:
    def __init__(self):
        self.hashcat = '/usr/bin/hashcat'  # must equal the output of `which hashcat`

4. Create and grant user accounts

Create a local user account in each database and add its credentials to CONN_CREDENTIALS in prod.py. If a specific database needs its own credentials, add them to CUSTOM_CREDENTIALS in prod.py, following the example in prod_template.py.

Permissions the account needs (the catalog tables that hold the password hashes):

  • PostgreSQL
    SELECT on pg_authid (by default only superusers can read it, so the grant must be explicit)
  • Oracle
    SELECT on sys.user$ and dba_users
  • MSSQL
    SELECT on sys.sql_logins / sys.syslogins
    CONTROL SERVER (required to see the password_hash column; note that this permission is effectively server-admin level, so protect the account accordingly)
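The catalog tables above store hashes in different formats, and each format maps to a different Hashcat hash mode. The following is an added example (editor's code, not part of the qiwi/bruteforce project) showing what the tool has to do with those values: convert a raw catalog hash into a Hashcat input line, and verify a candidate password locally against each format. The hash layouts are the documented ones (PostgreSQL `md5`/SCRAM-SHA-256 verifiers, SQL Server 2012+ `0x0200` SHA-512, Oracle 11g+ `S:` SHA-1); the mode numbers come from `hashcat --help`, with 28600 and its expected input format treated as an assumption to check against `hashcat --example-hashes`. All accounts, salts and the mini-dictionary are constructed fixtures.

```python
import base64
import hashlib
import hmac
import re

# Hashcat modes per catalog format. 28600 (PostgreSQL SCRAM-SHA-256, verbatim
# pg_authid string) is an assumption here; verify with `hashcat --example-hashes`.
HASHCAT_MODES = {
    "pg_md5": 12,        # PostgreSQL md5(password || username), line "<hex>:<user>"
    "pg_scram": 28600,   # PostgreSQL SCRAM-SHA-256 (assumed)
    "mssql_2012": 1731,  # MSSQL 2012+: 0x0200 || 4-byte salt || SHA-512
    "oracle_11g": 112,   # Oracle 11g+: "S:" SHA-1 || 10-byte salt, line "<sha1>:<salt>"
}


def to_hashcat(db_type, username, stored):
    """Convert a hash as read from the catalog table into (mode, hashcat line)."""
    if db_type == "postgresql":
        if stored.startswith("md5") and len(stored) == 35:
            return HASHCAT_MODES["pg_md5"], f"{stored[3:]}:{username}"
        if stored.startswith("SCRAM-SHA-256$"):
            return HASHCAT_MODES["pg_scram"], stored
    elif db_type == "mssql":
        if stored.lower().startswith("0x0200") and len(stored) == 142:
            return HASHCAT_MODES["mssql_2012"], stored
    elif db_type == "oracle":
        # spare4 on 12c also carries ";H:...;T:..." parts, so search rather than match
        m = re.search(r"S:([0-9A-Fa-f]{40})([0-9A-Fa-f]{20})", stored)
        if m:
            return HASHCAT_MODES["oracle_11g"], f"{m.group(1)}:{m.group(2)}"
    raise ValueError(f"unsupported hash for {db_type}: {stored!r}")


def _b64(b):
    return base64.b64encode(b).decode()


def pg_md5_hash(username, password):
    # pg_authid.rolpassword, md5 style: "md5" || md5(password || username)
    return "md5" + hashlib.md5((password + username).encode()).hexdigest()


def pg_md5_verify(username, password, stored):
    return hmac.compare_digest(pg_md5_hash(username, password), stored)


def pg_scram_hash(password, salt, iterations=4096):
    # SCRAM-SHA-256 verifier: SaltedPassword = PBKDF2-HMAC-SHA-256(password, salt, i);
    # StoredKey = SHA-256(HMAC(SaltedPassword, "Client Key")); ServerKey = HMAC(SaltedPassword, "Server Key").
    # SASLprep is skipped, which is fine for ASCII passwords.
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, 32)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    return f"SCRAM-SHA-256${iterations}:{_b64(salt)}${_b64(stored_key)}:{_b64(server_key)}"


def pg_scram_verify(password, stored):
    _, iter_salt, _keys = stored.split("$")
    iterations, salt = iter_salt.split(":")
    return hmac.compare_digest(pg_scram_hash(password, base64.b64decode(salt), int(iterations)), stored)


def mssql_2012_hash(password, salt):
    # sys.sql_logins.password_hash (2012+): 0x0200 || salt || SHA-512(UTF-16LE(password) || salt)
    return "0x0200" + (salt + hashlib.sha512(password.encode("utf-16-le") + salt).digest()).hex().upper()


def mssql_2012_verify(password, stored):
    raw = bytes.fromhex(stored[2:])          # drop "0x"; raw[0:2] is the 0x0200 version tag
    digest = hashlib.sha512(password.encode("utf-16-le") + raw[2:6]).digest()
    return hmac.compare_digest(digest, raw[6:])


def oracle_11g_hash(password, salt):
    # sys.user$.spare4 (11g+): "S:" || SHA-1(password || salt) || salt, upper-case hex
    return "S:" + (hashlib.sha1(password.encode() + salt).digest() + salt).hex().upper()


def oracle_11g_verify(password, stored):
    m = re.search(r"S:([0-9A-Fa-f]{40})([0-9A-Fa-f]{20})", stored)
    digest, salt = bytes.fromhex(m.group(1)), bytes.fromhex(m.group(2))
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)


VERIFIERS = {
    "postgresql": lambda user, pw, st: pg_scram_verify(pw, st) if st.startswith("SCRAM") else pg_md5_verify(user, pw, st),
    "mssql": lambda user, pw, st: mssql_2012_verify(pw, st),
    "oracle": lambda user, pw, st: oracle_11g_verify(pw, st),
}


def dictionary_check(db_type, username, stored, words):
    """Return the first dictionary word that matches the stored hash, else None."""
    verify = VERIFIERS[db_type]
    for word in words:
        if verify(username, word, stored):
            return word
    return None


if __name__ == "__main__":
    words = ["letmein", "Password1", "s3cret!", "postgres"]   # constructed mini-dictionary
    fixtures = [                                               # constructed accounts with fixed salts
        ("postgresql", "alice", pg_md5_hash("alice", "Password1")),
        ("postgresql", "bob", pg_scram_hash("s3cret!", b"0123456789abcdef")),
        ("mssql", "sa", mssql_2012_hash("letmein", bytes.fromhex("deadbeef"))),
        ("oracle", "SCOTT", oracle_11g_hash("tiger", bytes.fromhex("00112233445566778899"))),
    ]
    for db, user, stored in fixtures:
        mode, line = to_hashcat(db, user, stored)
        print(f"{db:10} {user:6} -m {mode:<5} {line[:40]}...  cracked: {dictionary_check(db, user, stored, words)}")
```

The local verifiers are there to confirm a Hashcat result before reporting it, not to replace Hashcat: the SCRAM and SQL Server formats are slow or salted by design, and a real run should hand the converted lines to `hashcat -m <mode>` with the dictionary configured in the web UI. The Oracle account "SCOTT" with password "tiger" is not in the mini-dictionary, so the run shows both a hit and a miss.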

5. Create first tasks

5.1. Open project's browser page

5.2. Click "Dictionaries" and add dictionary record with name and path

5.3. Click "Databases" and add database record with host and db type

5.4. Click "Periodic tasks: Dictionary" and add a task that takes the new dictionary (5.2) and database (5.3) as arguments

5.5. Run the new task

6. Results

Results (hashes that were cracked, i.e. accounts with weak passwords) are shown on the "Checked hashes" page.

Other tasks

"Magnifier" counts errors and words in dictionaries.

"Change checker" checks whether the hashes stored by the tool are still current, i.e. whether the password has changed in the database since the hash was grabbed.

License

Distributed under the MIT License.
