A tool for testing how vulnerable database account passwords are to guessing. Hashcat is used as the password-guessing program.
Requirements:
- Python 3.7.x
- PostgreSQL 11.x
- RabbitMQ
- Hashcat

Supported databases:
- PostgreSQL
- MSSQL
- Oracle

1.1. Clone repo, create virtual environment, install requirements, create log dir
```bash
cd BASE_DIR
git clone https://github.com/qiwi/bruteforce.git
cd bruteforce
python3.7 -m venv venv
source venv/bin/activate
pip install -r requirements.txt
mkdir /var/log/bruteforce
```
1.2. Create file BASE_DIR/bruteforce/bruteforce/settings/prod.py based on BASE_DIR/bruteforce/bruteforce/settings/prod_template.py and fill in the empty fields.

1.3. Migrate
```bash
python3.7 manage.py migrate
```
1.4. Collect static files
```bash
python3.7 manage.py collectstatic
```
1.5. Start django
```bash
python3.7 manage.py runserver
```
2.1. Run worker and beat
```bash
celery -A bruteforce beat --scheduler django_celery_beat.schedulers:DatabaseScheduler
celery -A bruteforce worker
```
2.2. Run flower for monitoring tasks
```bash
flower -A bruteforce
```
3.1. Clone, build and install hashcat
```bash
git clone https://github.com/hashcat/hashcat.git
cd hashcat
make
sudo make install
```
3.2. Make sure hashcat path is correct in crypto/hashcat.py
```bash
which hashcat
# goes to
# /usr/bin/hashcat
```
```python
class Hashcat:
    def __init__(self):
        # Must match the path printed by `which hashcat`
        self.hashcat = '/usr/bin/hashcat'
```
Create local user accounts in the databases and add their credentials to CONN_CREDENTIALS in prod.py. If you have unique credentials for a specific database, add them to CUSTOM_CREDENTIALS in prod.py, as in the example from prod_template.py.

Permissions:
- PostgreSQL: select for pg_authid
- Oracle: select for sys.user$, dba_users
- MSSQL: select for sys.sql_logins/sys.syslogins, CONTROL SERVER

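One way to provision a dedicated account with only the permissions listed above, followed by a query that confirms what was granted. This is an added example, not part of the project: the account name `bf_audit` and the password placeholders are hypothetical, and the Oracle `CREATE SESSION` grant is an assumption so that the account can log in.

```sql
-- Added example. bf_audit and the passwords are placeholders.
-- Run each section on its own database engine, as an administrator.

-- PostgreSQL: login role with no administrative attributes
CREATE ROLE bf_audit LOGIN NOSUPERUSER NOCREATEDB NOCREATEROLE
    PASSWORD '<long-random-password>';
GRANT SELECT ON pg_catalog.pg_authid TO bf_audit;
-- Confirm the grant and the role attributes
SELECT has_table_privilege('bf_audit', 'pg_catalog.pg_authid', 'SELECT');
SELECT rolsuper, rolcreatedb, rolcreaterole
FROM pg_roles WHERE rolname = 'bf_audit';

-- Oracle: account that can connect and read the two objects
CREATE USER bf_audit IDENTIFIED BY "<long-random-password>";
GRANT CREATE SESSION TO bf_audit;          -- assumption: needed to log in
GRANT SELECT ON sys.user$ TO bf_audit;
GRANT SELECT ON sys.dba_users TO bf_audit;
-- Confirm object and system privileges held by the account
SELECT owner, table_name, privilege
FROM dba_tab_privs WHERE grantee = 'BF_AUDIT';
SELECT privilege FROM dba_sys_privs WHERE grantee = 'BF_AUDIT';

-- MSSQL: SQL login with the server-level permission from the list
CREATE LOGIN bf_audit
    WITH PASSWORD = '<long-random-password>', CHECK_POLICY = ON;
GRANT CONTROL SERVER TO bf_audit;
-- Confirm server-level permissions held by the login
SELECT pr.name, pe.permission_name, pe.state_desc
FROM sys.server_permissions AS pe
JOIN sys.server_principals AS pr
    ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name = 'bf_audit';
```

On MSSQL, CONTROL SERVER is close to sysadmin in effect, and on all three engines this account can read every password hash, so the credentials stored in prod.py should be protected accordingly.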
5.1. Open project's browser page
5.2. Click "Dictionaries" and add dictionary record with name and path
5.3. Click "Databases" and add database record with host and db type
5.4. Click "Periodic tasks: Dictionary" and add task with new dictionary (5.2) and database (5.3) arguments
5.5. Run new task
You can see results in "Checked hashes" page
"Magnifier" counts errors and words in dictionaries
"Change checker" checks hash relevance in databases
Distributed under the MIT License.